]> git.ipfire.org Git - thirdparty/bind9.git/log
thirdparty/bind9.git
3 years agoUpdate BIND version for release v9.19.14
Michal Nowak [Fri, 9 Jun 2023 10:17:36 +0000 (12:17 +0200)] 
Update BIND version for release

3 years agoAdd a CHANGES marker
Michal Nowak [Fri, 9 Jun 2023 10:16:22 +0000 (12:16 +0200)] 
Add a CHANGES marker

3 years agoMerge branch 'michal/prepare-documentation-for-bind-9.19.14' into 'security-main'
Michal Nowak [Fri, 9 Jun 2023 10:11:45 +0000 (10:11 +0000)] 
Merge branch 'michal/prepare-documentation-for-bind-9.19.14' into 'security-main'

Prepare documentation for BIND 9.19.14

See merge request isc-private/bind9!530

3 years agoAdd release note for #4049
Michał Kępień [Fri, 2 Jun 2023 10:17:16 +0000 (12:17 +0200)] 
Add release note for #4049

3 years agoReorder release notes
Michał Kępień [Fri, 2 Jun 2023 10:29:53 +0000 (12:29 +0200)] 
Reorder release notes

3 years agoTweak and reword release notes
Michał Kępień [Fri, 2 Jun 2023 10:28:23 +0000 (12:28 +0200)] 
Tweak and reword release notes

3 years agoPrepare release notes for BIND 9.19.14
Michał Kępień [Fri, 2 Jun 2023 10:24:48 +0000 (12:24 +0200)] 
Prepare release notes for BIND 9.19.14

3 years agoDrop "Known Issues" entry for #4006 as it is fixed
Michał Kępień [Fri, 2 Jun 2023 10:17:16 +0000 (12:17 +0200)] 
Drop "Known Issues" entry for #4006 as it is fixed

3 years agoRe-add a code comment to the "hooks" system test
Michał Kępień [Fri, 2 Jun 2023 10:17:16 +0000 (12:17 +0200)] 
Re-add a code comment to the "hooks" system test

Commit 5a84c7a09bccf124b9f10a2bc25bb635d822eec2 removed a useful code
comment from the "hooks" system test.  Add it back to prevent confusion.

3 years agoAdd a missing word to the release note for #4004
Michał Kępień [Fri, 2 Jun 2023 10:17:16 +0000 (12:17 +0200)] 
Add a missing word to the release note for #4004

3 years agoMerge branch '4055-improve-the-overmem-cache-cleaning' into 'security-main'
Michal Nowak [Fri, 9 Jun 2023 09:50:19 +0000 (09:50 +0000)] 
Merge branch '4055-improve-the-overmem-cache-cleaning' into 'security-main'

Improve RBT overmem cache cleaning

See merge request isc-private/bind9!520

3 years agoSet max-cache-size expectations for low values
Michal Nowak [Wed, 7 Jun 2023 12:03:01 +0000 (14:03 +0200)] 
Set max-cache-size expectations for low values

3 years agoAdd CHANGES and release note for [GL #4055]
Ondřej Surý [Thu, 1 Jun 2023 13:46:23 +0000 (15:46 +0200)] 
Add CHANGES and release note for [GL #4055]

3 years agoImprove RBT overmem cache cleaning
Ondřej Surý [Tue, 30 May 2023 06:46:17 +0000 (08:46 +0200)] 
Improve RBT overmem cache cleaning

When cache memory usage is over the configured cache size (overmem) and
we are cleaning unused entries, it might not be enough to clean just two
entries if the entries to be expired are smaller than the newly added
rdata.  This could be abused by an attacker to cause a remote Denial of
Service by possibly running out of the operating system memory.

Currently, the addrdataset() tries to do a single TTL-based cleaning
considering the serve-stale TTL and then optionally moves to overmem
cleaning if we are in that condition.  Then the overmem_purge() tries to
do another single TTL based cleaning from the TTL heap and then continue
with LRU-based cleaning up to 2 entries cleaned.

Squash the TTL-cleaning mechanism into single call from addrdataset(),
but ignore the serve-stale TTL if we are currently overmem.

Then instead of having a fixed number of entries to clean, pass the size
of newly added rdatasetheader to the overmem_purge() function and
cleanup at least the size of the newly added data.  This prevents the
cache going over the configured memory limit (`max-cache-size`).

Additionally, refactor the overmem_purge() function to reduce for-loop
nesting for readability.

3 years agoMerge branch '4105-QryDropped-stats-counter-documentation-update' into 'main'
Arаm Sаrgsyаn [Wed, 7 Jun 2023 14:00:50 +0000 (14:00 +0000)] 
Merge branch '4105-QryDropped-stats-counter-documentation-update' into 'main'

QryDropped stats counter documentation update

Closes #4105

See merge request isc-projects/bind9!8006

3 years agoQryDropped stats counter documentation update
Aram Sargsyan [Tue, 6 Jun 2023 13:01:03 +0000 (13:01 +0000)] 
QryDropped stats counter documentation update

Document which dropped queries are calculated by the QryDropped
statistics counter.

3 years agoMerge branch 'mnowak/placeholder-for-issue-4055' into 'main'
Michal Nowak [Wed, 7 Jun 2023 11:42:58 +0000 (11:42 +0000)] 
Merge branch 'mnowak/placeholder-for-issue-4055' into 'main'

Add CHANGES placeholder for [GL #4055]

See merge request isc-projects/bind9!8010

3 years agoAdd CHANGES placeholder for [GL #4055]
Michal Nowak [Wed, 7 Jun 2023 11:39:12 +0000 (13:39 +0200)] 
Add CHANGES placeholder for [GL #4055]

3 years agoMerge branch 'mnowak/placeholder-for-issue-4089' into 'main'
Michal Nowak [Wed, 7 Jun 2023 11:18:10 +0000 (11:18 +0000)] 
Merge branch 'mnowak/placeholder-for-issue-4089' into 'main'

Add CHANGES placeholder for [GL #4089]

See merge request isc-projects/bind9!8009

3 years agoAdd CHANGES placeholder for [GL #4089]
Michal Nowak [Wed, 7 Jun 2023 11:07:51 +0000 (13:07 +0200)] 
Add CHANGES placeholder for [GL #4089]

3 years agoMerge branch 'mnowak/placeholder-for-issue-3835' into 'main'
Michal Nowak [Wed, 7 Jun 2023 09:00:42 +0000 (09:00 +0000)] 
Merge branch 'mnowak/placeholder-for-issue-3835' into 'main'

Add CHANGES placeholder for [GL #3835]

See merge request isc-projects/bind9!8008

3 years agoAdd CHANGES placeholder for [GL #3835]
Michal Nowak [Wed, 7 Jun 2023 08:47:37 +0000 (10:47 +0200)] 
Add CHANGES placeholder for [GL #3835]

3 years agoMerge branch '4115-fix-extra-dns_validator-detach' into 'main'
Ondřej Surý [Tue, 6 Jun 2023 17:34:22 +0000 (17:34 +0000)] 
Merge branch '4115-fix-extra-dns_validator-detach' into 'main'

Fix extra detach when dns_validator create_fetch() detects deadlock

Closes #4115

See merge request isc-projects/bind9!8003

3 years agoAdd CHANGES note for [GL #4115]
Ondřej Surý [Tue, 6 Jun 2023 11:05:35 +0000 (13:05 +0200)] 
Add CHANGES note for [GL #4115]

3 years agoFix extra detach when dns_validator create_fetch() detects deadlock
Ondřej Surý [Tue, 6 Jun 2023 10:48:23 +0000 (12:48 +0200)] 
Fix extra detach when dns_validator create_fetch() detects deadlock

When create_fetch() in the dns_validator unit detects deadlock, it
returns DNS_R_NOVALIDSIG, but it didn't attach to the validator.  The
other condition to returning result != ISC_R_SUCCESS would be error from
dns_resolver_createfetch().  The caller (in two places out of three)
would detect the error condition and always detach from the validator.

Move the dns_validator_detach() on dns_resolver_createfetch() error
condition to create_fetch() function and cleanup the extra detaches in
seek_dnskey() and get_dsset().

3 years agoMerge branch '4038-resize-send-buffers-to-avoid-excessive-memory-allocation' into...
Ondřej Surý [Tue, 6 Jun 2023 11:41:44 +0000 (11:41 +0000)] 
Merge branch '4038-resize-send-buffers-to-avoid-excessive-memory-allocation' into 'main'

Use appropriately sized send buffers for DNS messages over TCP

Closes #4038

See merge request isc-projects/bind9!8004

3 years agoMerge branch 'ondrej/print-library-versions' into 'main'
Ondřej Surý [Tue, 6 Jun 2023 11:40:51 +0000 (11:40 +0000)] 
Merge branch 'ondrej/print-library-versions' into 'main'

Print the libuv, liburcu and OpenSSL versions from configure script

See merge request isc-projects/bind9!7998

3 years agoUpdate CHANGES and release note [GL #4038]
Artem Boldariev [Fri, 2 Jun 2023 09:49:15 +0000 (12:49 +0300)] 
Update CHANGES and release note [GL #4038]

Mention that memory usage was reduced by allocating properly sized
send buffers for stream-based transports.

3 years agoUse appropriately sized send buffers for DNS messages over TCP
Artem Boldariev [Fri, 2 Jun 2023 11:28:50 +0000 (14:28 +0300)] 
Use appropriately sized send buffers for DNS messages over TCP

This commit changes send buffers allocation strategy for stream based
transports. Before that change we would allocate a dynamic buffers
sized at 64Kb even when we do not need that much. That could lead to
high memory usage on server. Now we resize the send buffer to match
the size of the actual data, freeing the memory at the end of the
buffer for being reused later.

3 years agoPrint the libuv, liburcu and OpenSSL versions from configure script
Ondřej Surý [Thu, 1 Jun 2023 11:38:42 +0000 (13:38 +0200)] 
Print the libuv, liburcu and OpenSSL versions from configure script

The configure summary now prints versions of the mandatory libraries
found when configuring.

3 years agoMerge branch '4116-building-with-with-liburcu-qsbr-fails' into 'main'
Mark Andrews [Mon, 5 Jun 2023 23:46:49 +0000 (23:46 +0000)] 
Merge branch '4116-building-with-with-liburcu-qsbr-fails' into 'main'

Resolve "Building with --with-liburcu=qsbr fails"

Closes #4116

See merge request isc-projects/bind9!8002

3 years agoFix typo in synchronize_rcu macro (add h)
Mark Andrews [Mon, 5 Jun 2023 22:08:57 +0000 (08:08 +1000)] 
Fix typo in synchronize_rcu macro (add h)

synchronize_rcu has not been used until now in BIND9 and there
was a typo in the define (a 'h' was missing).

3 years agoMerge branch '4093-use-rcu-for-view-zonetable' into 'main'
Mark Andrews [Fri, 2 Jun 2023 00:39:07 +0000 (00:39 +0000)] 
Merge branch '4093-use-rcu-for-view-zonetable' into 'main'

Use RCU for view->zonetable

Closes #4093

See merge request isc-projects/bind9!7990

3 years agoAdd CHANGES note for [GL #4093]
Mark Andrews [Wed, 31 May 2023 07:20:27 +0000 (17:20 +1000)] 
Add CHANGES note for [GL #4093]

3 years agoUse dns_view_findzone instead of dns_zt_find
Mark Andrews [Wed, 31 May 2023 06:13:29 +0000 (16:13 +1000)] 
Use dns_view_findzone instead of dns_zt_find

This ensures that rcu locking is properly applied for
view->zonetable.

3 years agoExtend dns_view_findzone to take an options argument
Mark Andrews [Wed, 31 May 2023 06:03:56 +0000 (16:03 +1000)] 
Extend dns_view_findzone to take an options argument

This is in preparation to allow the few remaining direct
dns_zt_find(view->zonetable, ...) to use it for rcu mediated
access to view->zonetable.

3 years agoAdd dns_view_apply
Mark Andrews [Wed, 31 May 2023 05:52:36 +0000 (15:52 +1000)] 
Add dns_view_apply

Add dns_view_apply to allow dns_zt_apply to be called on
view->zonetable with rcu locking applied.

3 years agoAdd dns_view_delzone
Mark Andrews [Wed, 31 May 2023 02:59:03 +0000 (12:59 +1000)] 
Add dns_view_delzone

dns_view_delzone performs the rcu locking required around accessing
view->zonetable.

3 years agoUse rcu methods to lock access view->zonetable
Mark Andrews [Wed, 31 May 2023 02:40:37 +0000 (12:40 +1000)] 
Use rcu methods to lock access view->zonetable

dns_view_find* may be called after the final call to dns_view_detach
is made which detaches view->zonetable to permit the server to
shutdown.  We need to detect if view->zonetable is NULL during this
stage and appropriately recover.

3 years agoDisable URCU inlining if inlined rcu_dereference() fails to compile
Ondřej Surý [Thu, 1 Jun 2023 11:38:42 +0000 (13:38 +0200)] 
Disable URCU inlining if inlined rcu_dereference() fails to compile

In some cases, the inlined version rcu_dereference() would not compile
when working on pointer to opaque struct (namely Ubuntu Jammy).  Detect
such condition in the autoconf and disable the inlining of the small
functions if it breaks the build.

3 years agoMerge branch '4074-fix-stale-answer-client-timeout-with-clients-per-query' into ...
Arаm Sаrgsyаn [Thu, 1 Jun 2023 09:21:10 +0000 (09:21 +0000)] 
Merge branch '4074-fix-stale-answer-client-timeout-with-clients-per-query' into 'main'

Fix a clients-per-query miscalculation bug

Closes #4074

See merge request isc-projects/bind9!7977

3 years agoAdd CHANGES and release notes for [GL #4074]
Aram Sargsyan [Sat, 27 May 2023 11:30:56 +0000 (11:30 +0000)] 
Add CHANGES and release notes for [GL #4074]

3 years agoFix a clients-per-query miscalculation bug
Aram Sargsyan [Sat, 27 May 2023 11:01:28 +0000 (11:01 +0000)] 
Fix a clients-per-query miscalculation bug

The number of clients per query is calculated using the pending
fetch responses in the list. The dns_resolver_createfetch() function
includes every item in the list when deciding whether the limit is
reached (i.e. fctx->spilled is true). Then, when the limit is reached,
there is another calculation in fctx_sendevents(), when deciding
whether it is needed to increase the limit, but this time the TRYSTALE
responses are not included in the calculation (because of early break
from the loop), and because of that the limit is never increased.

A single client can have more than one associated response/event in the
list (currently max. two), and calculating them as separate "clients"
is unexpected. E.g. if 'stale-answer-enable' is enabled and
'stale-answer-client-timeout' is enabled and is larger than 0, then
each client will have two events, which will effectively halve the
clients-per-query limit.

Fix the dns_resolver_createfetch() function to calculate only the
regular FETCHDONE responses/events.

Change the fctx_sendevents() function to also calculate only FETCHDONE
responses/events. Currently, this second change doesn't have any impact,
because the TRYSTALE events were already skipped, but having the same
condition in both places will help prevent similar bugs in the future
if a new type of response/event is ever added.

3 years agoAdd clients-per-query checks for the fetchlimit system test
Aram Sargsyan [Mon, 29 May 2023 17:47:55 +0000 (17:47 +0000)] 
Add clients-per-query checks for the fetchlimit system test

Check if clients-per-query quota works as expected with or without
a positive stale-answer-client-timeout value and serve-stale answers
enabled.

3 years agoLight refactoring of the fetchlimit system test
Aram Sargsyan [Mon, 29 May 2023 17:34:13 +0000 (17:34 +0000)] 
Light refactoring of the fetchlimit system test

Prepare the fetchlimit system test for adding a clients-per-query
check. Change some functions and commands to accept a destination
NS IP address instead of using the hardcoded 10.53.0.3.

3 years agoFix fetchlimit system test issues
Aram Sargsyan [Mon, 29 May 2023 14:17:01 +0000 (14:17 +0000)] 
Fix fetchlimit system test issues

1. Fix the numbering.
2. Fix an artifacts rewriting issue.
3. Add missing checks of 'ret' after some checks.

3 years agoMerge branch 'mnowak/alpine-3.18' into 'main'
Michal Nowak [Wed, 31 May 2023 10:02:52 +0000 (10:02 +0000)] 
Merge branch 'mnowak/alpine-3.18' into 'main'

Add Alpine Linux 3.18

See merge request isc-projects/bind9!7985

3 years agoAdd Alpine Linux 3.18
Michal Nowak [Mon, 29 May 2023 13:48:56 +0000 (15:48 +0200)] 
Add Alpine Linux 3.18

3 years agoMerge branch 'aram/statschannel-spilled-clients-counter' into 'main'
Arаm Sаrgsyаn [Wed, 31 May 2023 09:52:29 +0000 (09:52 +0000)] 
Merge branch 'aram/statschannel-spilled-clients-counter' into 'main'

Add ClientQuota statistics channel counter

See merge request isc-projects/bind9!7978

3 years agoAdd a CHANGES note for [GL !7978]
Aram Sargsyan [Mon, 29 May 2023 18:01:31 +0000 (18:01 +0000)] 
Add a CHANGES note for [GL !7978]

3 years agoUpdate the documentation of the resolver statistics counters
Aram Sargsyan [Mon, 29 May 2023 15:20:02 +0000 (15:20 +0000)] 
Update the documentation of the resolver statistics counters

The reference manual doesn't document all the available resolver
statistics counters. Add information about the missing counters.

3 years agoAdd ClientQuota statistics channel counter
Aram Sargsyan [Mon, 29 May 2023 15:19:49 +0000 (15:19 +0000)] 
Add ClientQuota statistics channel counter

This counter indicates the number of the resolver's spilled
queries due to reaching the clients per query quota.

3 years agoMerge branch '4012-remove-win2k-hacks' into 'main'
Evan Hunt [Wed, 31 May 2023 08:29:20 +0000 (08:29 +0000)] 
Merge branch '4012-remove-win2k-hacks' into 'main'

remove win2k gss-tsig hacks

Closes #4012

See merge request isc-projects/bind9!7843

3 years agoCHANGES and release notes for [GL #4012]
Evan Hunt [Fri, 14 Apr 2023 20:03:27 +0000 (13:03 -0700)] 
CHANGES and release notes for [GL #4012]

3 years agoremove win2k gss-tsig hacks
Evan Hunt [Fri, 14 Apr 2023 19:56:24 +0000 (12:56 -0700)] 
remove win2k gss-tsig hacks

Remove the code implementing nonstardard behaviors that were formerly
needed to allow GSS-TSIG to work with Windows 2000, which passed
End-of-Life in 2010.

Deprecate the "oldgsstsig" command and "-o" command line option
to nsupdate; these are now treated as synonyms for "gsstsig" and "-g"
respectively.

3 years agoMerge branch 'mnowak/custom-userspace-rcu-library' into 'main'
Michal Nowak [Tue, 30 May 2023 18:27:12 +0000 (18:27 +0000)] 
Merge branch 'mnowak/custom-userspace-rcu-library' into 'main'

Drop liburcu-related TSAN suppressions

See merge request isc-projects/bind9!7971

3 years agoChange images for TSAN jobs
Michal Nowak [Fri, 26 May 2023 08:50:58 +0000 (10:50 +0200)] 
Change images for TSAN jobs

Fedora 38 and Debian "bullseye" images were "forked" to images used only
for TSAN CI jobs. The new images contain TSAN-aware liburcu that does
not fit well with ASAN CI jobs for which original images were also used.

Also, drop liburcu-related TSAN suppressions because they are
unnecessary with TSAN-aware liburcu.

3 years agoMerge branch 'mnowak/look-for-core-files-in-TOP_BUILDDIR' into 'main'
Michal Nowak [Tue, 30 May 2023 17:54:48 +0000 (17:54 +0000)] 
Merge branch 'mnowak/look-for-core-files-in-TOP_BUILDDIR' into 'main'

Look for core files in $TOP_BUILDDIR

See merge request isc-projects/bind9!7869

3 years agoLook for core files in $TOP_BUILDDIR
Michal Nowak [Wed, 26 Apr 2023 09:21:28 +0000 (11:21 +0200)] 
Look for core files in $TOP_BUILDDIR

The get_core_dumps.sh script couldn't find and process core files of
out-of-tree configurations because it looked for them in the source
instead of the build directory.

3 years agoMerge branch 'tkrizek-fix-pytest-base-port' into 'main'
Tom Krizek [Tue, 30 May 2023 13:36:42 +0000 (13:36 +0000)] 
Merge branch 'tkrizek-fix-pytest-base-port' into 'main'

Fix base_port calculation in pytest runner

See merge request isc-projects/bind9!7981

3 years agoFix base_port calculation in pytest runner
Tom Krizek [Tue, 30 May 2023 12:11:14 +0000 (14:11 +0200)] 
Fix base_port calculation in pytest runner

The selected base port should be in the range <port_min, port_max), the
formula was incorrect.

Credit for discovering this fault goes to Ondrej Sury.

3 years agoMerge branch '3950-serve-stale-strikes-again' into 'main'
Matthijs Mekking [Tue, 30 May 2023 11:02:13 +0000 (11:02 +0000)] 
Merge branch '3950-serve-stale-strikes-again' into 'main'

Fix serve-stale bug when cache has no data

Closes #3950

See merge request isc-projects/bind9!7856

3 years agoAdd release note and changes for #3950
Matthijs Mekking [Mon, 1 May 2023 13:04:42 +0000 (15:04 +0200)] 
Add release note and changes for #3950

Fixing another serve-stale bug is still news.

3 years agoExtend serve-stale logging
Matthijs Mekking [Mon, 1 May 2023 12:43:59 +0000 (14:43 +0200)] 
Extend serve-stale logging

Print the database lookup result in serve-stale logs for debugging
potential future serve-stale issues.

3 years agoFix serve-stale bug when cache has no data
Matthijs Mekking [Thu, 20 Apr 2023 14:22:53 +0000 (16:22 +0200)] 
Fix serve-stale bug when cache has no data

We recently fixed a bug where in some cases (when following an
expired CNAME for example), named could return SERVFAIL if the target
record is still valid (see isc-projects/bind9#3678, and
isc-projects/bind9!7096). We fixed this by considering non-stale
RRsets as well during the stale lookup.

However, this triggered a new bug because despite the answer from
cache not being stale, the lookup may be triggered by serve-stale.
If the answer from database is not stale, the fix in
isc-projects/bind9!7096 erroneously skips the serve-stale logic.

Add 'answer_found' checks to the serve-stale logic to fix this issue.

3 years agoAdd serve-stale test case for GL #3950
Matthijs Mekking [Mon, 1 May 2023 12:46:29 +0000 (14:46 +0200)] 
Add serve-stale test case for GL #3950

Add a test case where when priming the cache with a slow authoritative
resolver, the stale-answer-client-timeout option should not return
a delegation to the client (it should wait until an applicable answer
is found, if no entry is found in the cache).

3 years agoMerge branch '3905-placeholder' into 'main'
Ondřej Surý [Mon, 29 May 2023 06:02:51 +0000 (06:02 +0000)] 
Merge branch '3905-placeholder' into 'main'

Add CHANGES placeholder for [GL #3905]

Closes #3905

See merge request isc-projects/bind9!7976

3 years agoAdd CHANGES placeholder for [GL #3905]
Ondřej Surý [Mon, 29 May 2023 06:00:16 +0000 (08:00 +0200)] 
Add CHANGES placeholder for [GL #3905]

3 years agoMerge branch '4098-remove-cruft-epoll-kqueue-configure-options' into 'main'
Ondřej Surý [Mon, 29 May 2023 05:57:03 +0000 (05:57 +0000)] 
Merge branch '4098-remove-cruft-epoll-kqueue-configure-options' into 'main'

Remove obsolete epoll/kqueue/devpoll configure options

Closes #4098

See merge request isc-projects/bind9!7973

3 years agoAdd CHANGES note for [GL #4098]
Ondřej Surý [Sat, 27 May 2023 06:51:47 +0000 (08:51 +0200)] 
Add CHANGES note for [GL #4098]

3 years agoRemove obsolete epoll/kqueue/devpoll configure options
Ondřej Surý [Sat, 27 May 2023 06:47:55 +0000 (08:47 +0200)] 
Remove obsolete epoll/kqueue/devpoll configure options

Since we don't use networking directly but rather via libuv, these
configure options were no-op.  Remove the configure checks for epoll
(Linux), kqueue (BSDs) and /dev/poll (Solaris).

3 years agoMerge branch '4090-corrected-bad-insist-logic-in-isc_radix_remove' into 'main'
Mark Andrews [Mon, 29 May 2023 02:22:18 +0000 (02:22 +0000)] 
Merge branch '4090-corrected-bad-insist-logic-in-isc_radix_remove' into 'main'

Resolve "Corrected bad INSIST logic in isc_radix_remove()"

Closes #4090

See merge request isc-projects/bind9!7966

3 years agoAdd regression test for [GL # 4090]
Mark Andrews [Fri, 26 May 2023 01:09:33 +0000 (11:09 +1000)] 
Add regression test for [GL # 4090]

These insertions are added to produce a radix tree that will trigger
the INSIST reported in [GL #4090].  Due to fixes added since BIND 9.9
an extra insert in needed to ensure node->parent is non NULL.

3 years agoMove isc_mem_put to after node is checked for equality
Mark Andrews [Fri, 26 May 2023 00:28:39 +0000 (10:28 +1000)] 
Move isc_mem_put to after node is checked for equality

isc_mem_put NULL's the pointer to the memory being freed.  The
equality test 'parent->r == node' was accidentally being turned
into a test against NULL.

3 years agoMerge branch '4085-httpd-shutdown-issue' into 'main'
Evan Hunt [Sat, 27 May 2023 04:12:09 +0000 (04:12 +0000)] 
Merge branch '4085-httpd-shutdown-issue' into 'main'

don't set SHUTTINGDOWN until after calling the request callbacks

Closes #4085

See merge request isc-projects/bind9!7961

3 years agodon't set SHUTTINGDOWN until after calling the request callbacks
Evan Hunt [Tue, 23 May 2023 21:33:28 +0000 (14:33 -0700)] 
don't set SHUTTINGDOWN until after calling the request callbacks

if we set ISC_HTTPDMGR_SHUTTINGDOWN in the http manager before
calling the pending request callbacks, it can trigger an assertion.

3 years agoMerge branch '4091-syncrhonise-access-to-the-client-tlsctx-cache' into 'main'
Artem Boldariev [Fri, 26 May 2023 12:07:43 +0000 (12:07 +0000)] 
Merge branch '4091-syncrhonise-access-to-the-client-tlsctx-cache' into 'main'

ZMGR: TLS contexts cache - properly synchronise access

Closes #4091

See merge request isc-projects/bind9!7967

3 years agoZMGR: TLS contexts cache - properly synchronise access
Artem Boldariev [Fri, 26 May 2023 08:06:59 +0000 (11:06 +0300)] 
ZMGR: TLS contexts cache - properly synchronise access

This commit ensures that access to the TLS context cache within zone
manager is properly synchronised.

Previously there was a possibility for it to get unexpectedly
NULLified for a brief moment by a call to
dns_zonemgr_set_tlsctx_cache() from one thread, while being accessed
from another (e.g. from got_transfer_quota()). This behaviour could
lead to server abort()ing on configuration reload (under very rare
circumstances).

That behaviour has been fixed.

3 years agoMerge branch '4082-rrl-would-limit-log-line' into 'main'
Tom Krizek [Fri, 26 May 2023 10:26:41 +0000 (10:26 +0000)] 
Merge branch '4082-rrl-would-limit-log-line' into 'main'

Disable rrl check in slow environments

Closes #4082

See merge request isc-projects/bind9!7963

3 years agoDisable rrl check in slow environments
Tom Krizek [Wed, 24 May 2023 11:58:01 +0000 (13:58 +0200)] 
Disable rrl check in slow environments

The check for 'would limit' log message is triggered by sending at least
three messages within one second. However, in extremely slow conditions
(currently when running with clang+TSAN in CI), the individual queries
might take too much time to send enough of them within one second.

Since this is a pretty rare condition, let's just silently skip this
test in environments where a single query takes more than 500 ms, since
there's no way to perform the check under such conditions.

Closes #4082

3 years agoMerge branch 'mnowak/gitlab-runner-autoscaling' into 'main'
Michal Nowak [Fri, 26 May 2023 09:45:53 +0000 (09:45 +0000)] 
Merge branch 'mnowak/gitlab-runner-autoscaling' into 'main'

Run most Docker CI jobs in AWS with autoscaler

See merge request isc-projects/bind9!7960

3 years agoRun most Docker CI jobs in AWS with autoscaler
Michal Nowak [Wed, 17 May 2023 12:33:12 +0000 (14:33 +0200)] 
Run most Docker CI jobs in AWS with autoscaler

All but the "respdiff-long" job, for which our AWS instances do not have
enough memory, are now being spawned in the AWS by the autoscaler
executor.

3 years agoMerge branch '4072-tcp-dispatch-timeout' into 'main'
Evan Hunt [Fri, 26 May 2023 08:49:52 +0000 (08:49 +0000)] 
Merge branch '4072-tcp-dispatch-timeout' into 'main'

fix handling of TCP timeouts

Closes #4072

See merge request isc-projects/bind9!7937

3 years agofix handling of TCP timeouts
Evan Hunt [Tue, 16 May 2023 22:35:00 +0000 (15:35 -0700)] 
fix handling of TCP timeouts

when a TCP dispatch times out, we call tcp_recv() with a result
value of ISC_R_TIMEDOUT; this cancels the oldest dispatch
entry in the dispatch's active queue, plus any additional entries
that have waited longer than their configured timeouts. if, at
that point, there were more dispatch entries still on the active
queue, it resumes reading, but until now it failed to restart
the timer.

this has been corrected: we now calculate a new timeout
based on the oldest dispatch entry still remaining.  this
requires us to initialize the start time of each dispatch entry
when it's first added to the queue.

in order to ensure that the handling of timed-out requests is
consistent, we now calculate the runtime of each dispatch
entry based on the same value for 'now'.

incidentally also fixed a compile error that turned up when
DNS_DISPATCH_TRACE was turned on.

3 years agoMerge branch '4079-multiple-keyrings' into 'main'
Evan Hunt [Thu, 25 May 2023 22:01:33 +0000 (22:01 +0000)] 
Merge branch '4079-multiple-keyrings' into 'main'

prevent TSIG keys from being added to multiple rings

Closes #4079

See merge request isc-projects/bind9!7955

3 years agoCHANGES for [GL #4079]
Evan Hunt [Sun, 21 May 2023 20:44:26 +0000 (13:44 -0700)] 
CHANGES for [GL #4079]

3 years agoprevent TSIG keys from being added to multiple rings
Evan Hunt [Sun, 21 May 2023 19:59:38 +0000 (12:59 -0700)] 
prevent TSIG keys from being added to multiple rings

it was possible to add a TSIG key to more than one TSIG
keyring at a time, and this was in fact happening with the
session key, which was generated once and then added to the
keyrings for each view as it was configured.

this has been corrected and a REQUIRE added to dns_tsigkeyring_add()
to prevent it from happening again.

3 years agoMerge branch '3765-interfacemgr-use-after-afree-on-shutdown' into 'main'
Arаm Sаrgsyаn [Thu, 25 May 2023 08:29:01 +0000 (08:29 +0000)] 
Merge branch '3765-interfacemgr-use-after-afree-on-shutdown' into 'main'

Fix an interfacemgr use-after-free error in zoneconf.c:isself()

Closes #3765

See merge request isc-projects/bind9!7962

3 years agoAdd a CHANGES note for [GL #3765]
Aram Sargsyan [Wed, 24 May 2023 14:38:53 +0000 (14:38 +0000)] 
Add a CHANGES note for [GL #3765]

3 years agoFix an interfacemgr use-after-free error in zoneconf.c:isself()
Aram Sargsyan [Wed, 24 May 2023 14:26:04 +0000 (14:26 +0000)] 
Fix an interfacemgr use-after-free error in zoneconf.c:isself()

The 'named_g_server->interfacemgr' pointer is saved in the zone
structure using dns_zone_setisself(), as a void* argument to be
passed to the isself() callback, so there is no attach/detach,
and when shutting down, the interface manager can be destroyed
by the shutdown_server(), running in exclusive mode, and causing
isself() to crash when trying to use the pointer.

Instead of keeping the interface manager pointer in the zone
structure, just check and use the 'named_g_server->interfacemgr'
itself, as it was implemented originally in the
3aca8e5bf3740bbcc3bb13dde242d7cc369abb27 commit. Later, in the
8eb88aafee951859264e36c315b1289cd8c2088b commit, the code was
changed to pass the interface manager pointer using the additional
void* argument, but the commit message doesn't mention if there
was any practical reason for that.

Additionally, don't pass the interfacemgr pointer to the
ns_interfacemgr_getaclenv() function before it is checked
against NULL.

3 years agoMerge branch 'tkrizek/ci-clang-tsan-allow-failure' into 'main'
Tom Krizek [Wed, 24 May 2023 08:38:46 +0000 (08:38 +0000)] 
Merge branch 'tkrizek/ci-clang-tsan-allow-failure' into 'main'

Allow the system:clang:tsan job to fail in CI

See merge request isc-projects/bind9!7958

3 years agoAllow the system:clang:tsan job to fail in CI
Tom Krizek [Tue, 23 May 2023 13:28:22 +0000 (15:28 +0200)] 
Allow the system:clang:tsan job to fail in CI

There are couple of known failures currently affecting this test:
- rrl (GL #4082)
- upforwd (GL #4072)

3 years agoMerge branch '2710-fix-inline-signing-multisigner-bugs-matthijs' into 'main'
Matthijs Mekking [Tue, 23 May 2023 12:05:46 +0000 (12:05 +0000)] 
Merge branch '2710-fix-inline-signing-multisigner-bugs-matthijs' into 'main'

Make multisigner server capabilities work with inline-signing

Closes #2710

See merge request isc-projects/bind9!6901

3 years agoFix dnssec system test
Matthijs Mekking [Mon, 6 Mar 2023 15:48:17 +0000 (16:48 +0100)] 
Fix dnssec system test

The 'update-nsec3.example' requires to be DNSSEC maintained via
dynamic update. Commit 03b22983cd20cec51ad8b9f25f2e7d0e472dc79c adds
checks to make sure the raw zone is not signed. So the test case neesd
to be updated to allow for DNSSEC maintenance.

3 years agoAdd new dns_rdatatype_iskeymaterial() function
Matthijs Mekking [Wed, 15 Mar 2023 10:51:33 +0000 (11:51 +0100)] 
Add new dns_rdatatype_iskeymaterial() function

The following code block repeats quite often:

    if (rdata.type == dns_rdatatype_dnskey ||
        rdata.type == dns_rdatatype_cdnskey ||
        rdata.type == dns_rdatatype_cds)

Introduce a new function to reduce the repetition.

3 years agoMake make_dnskey() a public funcion
Matthijs Mekking [Fri, 3 Mar 2023 13:15:59 +0000 (14:15 +0100)] 
Make make_dnskey() a public funcion

It can be used to compare DNSKEY, CDNSKEY, and CDS records with
signing keys.

3 years agoAdd more multisigner tests, removing records
Matthijs Mekking [Fri, 3 Mar 2023 10:51:55 +0000 (11:51 +0100)] 
Add more multisigner tests, removing records

A zone in multisigner model 2 should also be possible to remove
previously added DNSKEY, CDS and CDNSKEY records from the zone operated
by the other provider.

3 years agoAdd bump in the wire multisigner test
Matthijs Mekking [Fri, 3 Mar 2023 10:46:48 +0000 (11:46 +0100)] 
Add bump in the wire multisigner test

Add a test case where updates are being made against a hidden primary
and two bump in the wire signers (the providers in the multisigner
model) serve the zone.

The test covers the same cases as for two primary providers that is:
- Add DNSKEY
- Remove (previously added) DNSKEY
- Add CDNSKEY
- Remove (previously added) CDNSKEY
- Add CDS
- Remove (previously added) CDS

3 years agoDon't sign the raw zone
Mark Andrews [Wed, 12 Oct 2022 06:01:57 +0000 (17:01 +1100)] 
Don't sign the raw zone

The raw zone is not supposed to be signed.  DNSKEY records in a raw zone
should not trigger zone signing.  The update code needs to be able to
identify when it is working on a raw zone.  Add dns_zone_israw() and
dns_zone_issecure() enable it to do this. Also, we need to check the
case for 'auto-dnssec maintain'.

3 years agoEnsure no DNSSEC records are in the raw journal
Matthijs Mekking [Thu, 13 Oct 2022 07:09:12 +0000 (09:09 +0200)] 
Ensure no DNSSEC records are in the raw journal

Add checks to the multisigner test to make sure no DNSSEC related
records (NSEC, NSEC3, NSEC3PARAM, RRSIG) end up in the raw journal.