Mark Andrews [Tue, 14 Mar 2023 02:13:14 +0000 (13:13 +1100)]
When signing with a new algorithm preserve NSEC/NSEC3 chains
If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them. If there are no chains then use
kasp setting otherwise generate an NSEC chain.
Aram Sargsyan [Fri, 10 Mar 2023 11:07:13 +0000 (11:07 +0000)]
Improve dnstap system test reliability
The dnstap system test fails intermittently, and it appears to be
a timing issue - adding a short delay after running 'fstrm_capture',
and before running 'dnstap -reopen' improves the situation from
50% failures (5 out of 10 times) to 0% failures (0 out of 20 times),
tested locally.
The reason is that 'fstrm_capture' is executed in the background,
and due to OS scheduling and other factors, the listener socket
may not be ready when the following command runs and tells 'named'
to (re)open it.
Ondřej Surý [Sat, 11 Mar 2023 04:03:54 +0000 (05:03 +0100)]
Install liburcu-dev to GitHub Actions
The CodeQL and SonarCloud GitHub Actions would FTBFS because of missing
liburcu-dev package resulting. Install the required package to both
GitHub Action files.
Tony Finch [Wed, 8 Mar 2023 19:22:27 +0000 (19:22 +0000)]
CHANGES and release notes for [GL #3935]
[func] BIND now requires liburcu for lock-free data structures
and concurrent safe memory reclamation. It replaces the
home-grown lock-free linked list and QSBR machinery
added in changes 6108 and 6109. The qp-trie code has
been adjusted to use liburcu.
Ondřej Surý [Tue, 7 Mar 2023 14:13:03 +0000 (15:13 +0100)]
Build with liburcu, Userspace RCU
BIND needs a collection of standard lock-free data structures,
which we can find in liburcu, along with its RCU safe memory
reclamation machinery. We will use liburcu's QSBR variant instead
of the home-grown isc_qsbr.
Aram Sargsyan [Thu, 9 Mar 2023 21:38:04 +0000 (21:38 +0000)]
Fix ISC_REFCOUNT_TRACE_IMPL usage
ISC_REFCOUNT_TRACE_IMPL uses isc_tid(), but the corresponding header
file is not included, which breaks, for example, compiling BIND with
DNS_CATZ_TRACE defined in lib/dns/include/dns/catz.h.
Add '#include <isc/tid.h>' in lib/isc/include/isc/refcount.h.
Michal Nowak [Thu, 9 Mar 2023 10:10:53 +0000 (11:10 +0100)]
Drop parallel build from stress tests
BUILD_PARALLEL_JOBS environmental variable is set to 6, which does not
align well with 4 and 8 CPU core systems dedicated to CI "stress" tests.
When multiple parallel jobs run on the host, they compete for resources
with an undesirable result: 6 compiler processes of one job may starve
named, resulting in lower-than-expected throughput and minutes-long
query response latency spikes.
Better drop the build parallelism of BIND-under-test. About 1-2 minutes
are added to the 60-65 minutes long job duration.
Michal Nowak [Tue, 7 Mar 2023 18:42:19 +0000 (19:42 +0100)]
Adapt tarball comparison to dropped pregenerated man pages
Since pregenerated manual pages were removed from the BIND 9 repository,
Sphinx must be present in the build environment for manual pages to be
created and placed to release tarball. release-tarball-comparison.sh
script needs to be adapted to keep up with how to release tarballs are
prepared.
Aram Sargsyan [Tue, 7 Mar 2023 14:08:52 +0000 (14:08 +0000)]
Fix the placement of printing dig output comments in doth system test
There can be comments in dig output for a zone transfer only in case
of an error, so we should print those errors not when wait_for_tls_xfer
succeeds, but when it fails.
Also, there is no point in printing those comments when a failure was
indeed expected.
Michal Nowak [Tue, 28 Feb 2023 16:49:43 +0000 (17:49 +0100)]
Build BIND in stress test jobs with common CFLAGS
By omission, BIND was not built with common CFLAGS in the stress test
jobs. Building with common CFLAGS and -Og should help GDB produce a
backtrace with more information.
Mark Andrews [Wed, 8 Mar 2023 04:16:44 +0000 (15:16 +1100)]
Silence uninitialized value false positives
In base32_decode_char the GCC 12 static analyser fails to determine
that ctx->val[1], ctx->val[3], ctx->val[4] and ctx->val[6] are
assigned values by the previous call to base32_decode_char. Initialise
ctx->val to zeros when initalising the rest of ctx to silence the
false positive.
Mark Andrews [Wed, 8 Mar 2023 05:38:11 +0000 (16:38 +1100)]
Add additional contraints to dns_rdata_checksvcb
REQUIRE that rdata->type is dns_rdatatype_svcb to detect when
dns_rdata_checksvcb is called with the wrong rdata type. There are
no code paths that currently pass the wrong rdata to dns_rdata_checksvcb.
The serve-stale system test was intermittently failing due to a timing
issue:
I:serve-stale:check stale data.example TXT was refreshed...
I:serve-stale:failed
The RRset is refreshed, however, it first checks for an expected log
line, prior checking that the stale data.example TXT was refreshed
(using dig). This log line is there to ensure the record is actually
refreshed before we start querying again. Alternatively we could just
retry_quiet 10 <wait for dig output matches expectations>. It would
lower the chances for intermittent test failures, since there is no
longer a "check for log line, sleep one second if check fails, check
for log line, ...", prior to the check.
Rename and simplify dst__openssl_compare_keypair() to
dst__openssl_keypair_compare(), and introduce two additional functions
dst__openssl_keypair_isprivate and dst__openssl_keypair_destroy.
Use those to de-duplicated openssl{rsa,ecdsa}_isprivate, and
openssl{rsa,ecdsa}_destroy.
Evan Hunt [Tue, 28 Feb 2023 23:28:29 +0000 (15:28 -0800)]
further cleanup after removing diffie-hellman TKEY mode
without diffie-hellman TKEY negotiation, some other code is
now effectively dead or unnecessary, and can be cleaned up:
- the rndc tsig-list and tsig-delete commands.
- a nonoperational command-line option to dnssec-keygen that
was documented as being specific to DH.
- the section of the ARM that discussed TKEY/DH.
- the functions dns_tkey_builddeletequery(), processdeleteresponse(),
and tkey_processgssresponse(), which are unused.
Ondřej Surý [Tue, 28 Feb 2023 15:05:34 +0000 (16:05 +0100)]
Remove TKEY Mode 2 (Diffie-Hellman)
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools). The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.
The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:
4.2 Diffie-Hellman Exchanged Keying (Deprecated)
The use of this mode (#2) is NOT RECOMMENDED for the following two
reasons but the specification is still included in Appendix A in case
an implementation is needed for compatibility with old TKEY
implementations. See Section 4.6 on ECDH Exchanged Keying.
The mixing function used does not meet current cryptographic
standards because it uses MD5 [RFC6151].
RSA keys must be excessively long to achieve levels of security
required by current standards.
We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status. Meanwhile the
insecure DH mode needs to be removed.
Tom Krizek [Thu, 2 Mar 2023 12:02:48 +0000 (13:02 +0100)]
Add release metadata update to release checklist
The release engineering automation we have relies on up-to-date
information about our upcoming release plans. Ensure these are updated
at the end of each release cycle.
Michal Nowak [Thu, 2 Mar 2023 10:42:45 +0000 (11:42 +0100)]
Move "disallow merging to maintained branches" closer to tagging
Updating GitLab settings for all maintained branches to disallow merging
to them has an unfortunate consequence: daily scheduled pipelines won't
be executed anymore. This is a problem because we need the pipelines to
ensure no new bugs were introduced just before a code freeze.
The "Announce (on Mattermost) that the code freeze is in effect" item is
still in place but is now more of a social "disallow merging to
maintained branches".
Mark Andrews [Fri, 3 Mar 2023 03:04:34 +0000 (14:04 +1100)]
Now logs UV versions when starting up
Named now logs both compile time and run time UV versions when
starting up. This is useful information to have when debugging
network issues involving named.
Aram Sargsyan [Thu, 2 Mar 2023 08:52:25 +0000 (08:52 +0000)]
catz: use two pairs of dns_db_t and dns_dbversion_t in a catalog zone
As it is done in the RPZ module, use 'db' and 'dbversion' for the
database we are going to update to, and 'updb' and 'updbversion' for
the database we are working on.
Doing this should avoid a race between the 'dns__catz_update_cb()' and
'dns_catz_dbupdate_callback()' functions.
Aram Sargsyan [Wed, 1 Mar 2023 12:30:46 +0000 (12:30 +0000)]
Fix view's zones reverting bug during reconfiguration
During reconfiguration, the configure_view() function reverts the
configured zones to the previous view in case if there is an error.
It uses the 'zones_configured' boolean variable to decide whether
it is required to revert the zones, i.e. the error happened after
all the zones were successfully configured.
The problem is that it does not account for the case when an error
happens during the configuration of one of the zones (not the first),
in which case there are zones that are already configured for the
new view (and they need to be reverted), and there are zones that
are not (starting from the failed one).
Since 'zones_configured' remains 'false', the configured zones are
not reverted.
Replace the 'zones_configured' variable with a pointer to the latest
successfully configured zone configuration element, and when reverting,
revert up to and including that zone.
Aram Sargsyan [Wed, 1 Mar 2023 12:47:25 +0000 (12:47 +0000)]
Add a catz system test check for [GL #3911]
The trick is to configure a duplicate zone, which comes after the
catalog zone, where the duplicate zone is an existing member zone.
In that scenario, all the zones which come before the "faulty" zone
in the configuration file will fail to be reverted to the previous
version of the view after a reconfiguration error, and in this
particular case that will result in an assertion failure when the
catalog zone update is initiated, because it will be still tied to
the new version of the view, which was dismissed.
Mark Andrews [Thu, 23 Feb 2023 22:39:34 +0000 (09:39 +1100)]
Extract test coverage statistics from the gcov job
In older GitLab versions, the regular expression used for extracting
test coverage statistics from the output of GitLab CI jobs was
configured in the project's settings, using GitLab's web interface.
That changed in recent GitLab versions [1]; the previous configuration
method was removed from the web interface altogether as of GitLab 15.0.
The relevant regular expression is now supposed to be set in the
relevant job's definition in .gitlab-ci.yml.
Set the regular expression used for extracting test coverage
statistics in the definition of the "gcov" GitLab CI job. Use the
regular expression suggested in GitLab's documentation [2].
Ondřej Surý [Tue, 28 Feb 2023 13:14:06 +0000 (14:14 +0100)]
Decouple view->resolver and friends shutdown and detach
In !7538, the shutdown procedure was simplified, but the ordering was
wrong, we need to shutdown the resolver, adb and requestmgr before
detaching those objects from the view, because there are cross
dependencies between at least the resolver and the adb.
Execute the shutdown(s) first, only when all three shutdowns have been
executed, detach those objects from the view.
Michał Kępień [Tue, 28 Feb 2023 11:54:02 +0000 (12:54 +0100)]
Add a DNSRPS-enabled build to regular CI pipelines
DNSRPS-enabled builds have recently been silently broken a few times due
to that feature not being tested in regular CI pipelines. Add the
--enable-dnsrps --enable-dnsrps-dl switches to the ./configure
invocation in one of the CI jobs run for all merge requests so that
DNSRPS-related build issues can be detected in advance.
It is important to note that this change by itself does NOT enable
actual testing of the DNSRPS feature as doing that requires a DNSRPS
provider library to be present on the test host.
Michał Kępień [Tue, 28 Feb 2023 11:54:02 +0000 (12:54 +0100)]
(Mostly) fix building bin/tests/system/rpz/dnsrps
Building the bin/tests/system/rpz/dnsrps helper binary is currently not
possible at all as the necessary compiler and linker flag definitions
are missing from bin/tests/system/Makefile.am. Add these as a basis for
addressing the problem.
Unfortunately, this is where the "mostly" bit mentioned in this commit's
subject line comes into play. The dlopen() parts of DNSRPS code have
not yet been reworked to use libuv's dlopen() API (uv_dlopen() etc.)
(See commit 37b9511ce1dd9ba66a6620c5ff617016eb81188f for prior work in
this area.) While it is certainly possible to do that, implementing
such a change without testing it in practice against a usable librpz.so
(i.e. a DNSRPS provider library) is bound to cause more trouble and
confusion than keeping the code the way it is right now. However,
making that code buildable as-is requires linking against a C standard
library that exports the dlopen(), dlsym(), and dlclose() symbols used
by the DNSRPS dynamic loading code. glibc 2.34+ satisfies that
requirement, but older glibc versions do not (these come with a separate
libdl shared library that would need to be linked in as well). (Other
C standard library implementations have not been examined.) Since the
long-term plan is to rely on libuv's dlopen() API exclusively and
detecting the shared object containing dlopen() & friends would only
pull in build system complexity for no good reason, assume for now that
the target system provides the dlopen() API in its C standard library.
This change enables the system test suite to be run for a BIND 9 build
prepared using --enable-dnsrps --enable-dnsrps-dl (on systems satisfying
the requirement explained above). However, it is important to note that
this change by itself does NOT enable actual testing of the DNSRPS
feature as doing that requires a DNSRPS provider library to be present
on the test host.
Ondřej Surý [Thu, 5 Jan 2023 08:12:35 +0000 (09:12 +0100)]
Implement dns_db node tracing
This implements node reference tracing that passes all the internal
layers from dns_db API (and friends) to increment_reference() and
decrement_reference().
It can be enabled by #defining DNS_DB_NODETRACE in <dns/trace.h> header.
Matthijs Mekking [Tue, 21 Feb 2023 07:50:04 +0000 (08:50 +0100)]
dnssec-signzone can now create multiple CDS RRs
Change the commandline option -G to take a string that determines what
sync records should be published. It is a comma-separated string with
each element being either "cdnskey", or "cds:<algorithm>", where
<algorithm> is a valid digest type. Duplicates are suppressed.