]>
git.ipfire.org Git - thirdparty/pdns.git/log
Remi Gacogne [Wed, 17 Jun 2020 09:09:20 +0000 (11:09 +0200)]
Merge pull request #9229 from rgacogne/dnsdist-webserver-allow-from
dnsdist: Implement an ACL in the internal web server
Remi Gacogne [Wed, 17 Jun 2020 09:07:47 +0000 (11:07 +0200)]
Merge pull request #9238 from rgacogne/ddist-config-sample
dnsdist: Clean up dnsdistconf.lua as a default configuration file
Remi Gacogne [Wed, 17 Jun 2020 07:51:31 +0000 (09:51 +0200)]
Use example.org instead of powerdns.org in pdns/dnsdistconf.lua
Co-authored-by: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Remi Gacogne [Wed, 17 Jun 2020 07:51:22 +0000 (09:51 +0200)]
Use example.org instead of powerdns.org in pdns/dnsdistconf.lua
Co-authored-by: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Remi Gacogne [Tue, 16 Jun 2020 14:31:39 +0000 (16:31 +0200)]
dnsdist: Clean up dnsdistconf.lua as a default configuration file
Peter van Dijk [Tue, 16 Jun 2020 08:10:28 +0000 (10:10 +0200)]
Merge pull request #9217 from Habbie/doc-nits-
1591715730
auth doc nits
Peter van Dijk [Mon, 15 Jun 2020 14:27:54 +0000 (16:27 +0200)]
Merge pull request #9228 from mind04/pdns-sqlite-schema
auth: gsqlite3backend: add missing indexes
Peter van Dijk [Mon, 15 Jun 2020 13:55:40 +0000 (15:55 +0200)]
Merge pull request #9215 from Habbie/pkcs11-fixes
auth: PKCS11 improvements
Remi Gacogne [Mon, 15 Jun 2020 13:25:40 +0000 (15:25 +0200)]
dnsdist: Parse the new web ACL before clearing the existing one
Otherwise we end up with an empty ACL (everything will be refused)
if the new one is not valid.
Otto Moerbeek [Mon, 15 Jun 2020 12:20:52 +0000 (14:20 +0200)]
Merge pull request #9226 from omoerbeek/rec-fix-shared-cache-pruning
rec: Fix three shared cache issues
Otto Moerbeek [Fri, 12 Jun 2020 10:24:26 +0000 (12:24 +0200)]
Fix three shared cache issues:
- Only prime share cache once on startup
- Cache pruning could go into an infinite loop if not enough expired
entries could be pruned.
- Handler thread isn't run very often, but now the record cache
pruning is done by it, so increase frequency of the housekeeping
call for the handler thread.
Kees Monshouwer [Mon, 15 Jun 2020 09:54:05 +0000 (11:54 +0200)]
auth: gsqlite3backend: add missing indexes
Sqlite3 backend was performing terrible in environments with many updates.
On a slaved root zone the performance increase was huge, 71ms -> 1ms.
Since the lack of proper indexes is causing a lot of trouble in larger environments, I target this update at 4.3.1
Peter van Dijk [Mon, 15 Jun 2020 09:15:22 +0000 (11:15 +0200)]
Merge pull request #9223 from mind04/pdns-supersomething
auth: use real remote for supermaster createSlaveDomain()
Peter van Dijk [Mon, 15 Jun 2020 09:02:56 +0000 (11:02 +0200)]
clarify key missing message a bit
Kees Monshouwer [Fri, 12 Jun 2020 09:52:36 +0000 (11:52 +0200)]
auth: use real remote for supermaster createSlaveDomain()
Peter van Dijk [Thu, 11 Jun 2020 19:35:28 +0000 (21:35 +0200)]
restore flag symmetry
Peter van Dijk [Thu, 11 Jun 2020 18:33:09 +0000 (20:33 +0200)]
update pkcs11 docs for softhsm2 on Debian Buster
Peter van Dijk [Thu, 11 Jun 2020 17:01:19 +0000 (19:01 +0200)]
pkcs11 create key: error for unknown algos
Peter van Dijk [Thu, 11 Jun 2020 16:39:28 +0000 (18:39 +0200)]
rectify zones after securing them
Peter van Dijk [Thu, 11 Jun 2020 16:39:07 +0000 (18:39 +0200)]
centralise constants
Remi Gacogne [Wed, 10 Jun 2020 15:18:58 +0000 (17:18 +0200)]
Merge pull request #9211 from rgacogne/ddist-doh-non-blocking
dnsdist: Use non-blocking pipes to pass DoH queries/responses around
Remi Gacogne [Wed, 10 Jun 2020 08:48:10 +0000 (10:48 +0200)]
dnsdist: Log at verbose level when we couldn't write to the pipe
Remi Gacogne [Wed, 10 Jun 2020 06:58:35 +0000 (08:58 +0200)]
dnsdist: Implement an ACL in the internal web server
Otto Moerbeek [Wed, 10 Jun 2020 05:45:04 +0000 (07:45 +0200)]
Merge pull request #9214 from omoerbeek/rec-docs-warnins
rec: fix doc generation warnings in recursor.
Otto Moerbeek [Wed, 10 Jun 2020 05:44:52 +0000 (07:44 +0200)]
Merge pull request #9203 from omoerbeek/rec-gettag-answer-rpz
Rec: rpz policy should override gettag_ffi answer by default
Otto Moerbeek [Wed, 10 Jun 2020 05:41:39 +0000 (07:41 +0200)]
Merge pull request #9216 from rgacogne/rec-scan-cname-loop-ref
rec: Don't copy the records when scanning for CNAME loops
Peter van Dijk [Tue, 9 Jun 2020 18:15:39 +0000 (20:15 +0200)]
Merge pull request #9190 from zeha/psql-prep
gpgsql: Reintroduce prepared statements
Peter van Dijk [Tue, 9 Jun 2020 18:02:51 +0000 (20:02 +0200)]
Merge pull request #9189 from zeha/query-logging
gpgsqlbackend: add parameters to query logging
Peter van Dijk [Tue, 9 Jun 2020 17:49:24 +0000 (19:49 +0200)]
Merge pull request #9187 from zeha/systemd-syslog-instances
Set SyslogIdentifier for multiple instances
Peter van Dijk [Tue, 9 Jun 2020 17:44:25 +0000 (19:44 +0200)]
Merge pull request #9183 from zeha/api-rectify-slave
API: Allow rectifying Slave zones
Peter van Dijk [Tue, 9 Jun 2020 15:22:29 +0000 (17:22 +0200)]
point to pdnsutil create-bind-db in bind-dnssec-db docs
Peter van Dijk [Tue, 9 Jun 2020 15:20:44 +0000 (17:20 +0200)]
format metrics example correctly
Remi Gacogne [Tue, 9 Jun 2020 15:19:09 +0000 (17:19 +0200)]
rec: Don't copy the records when scanning for CNAME loops
Peter van Dijk [Tue, 9 Jun 2020 08:59:26 +0000 (10:59 +0200)]
circleci: test softhsm
Otto Moerbeek [Tue, 9 Jun 2020 12:11:25 +0000 (14:11 +0200)]
Fix doc generation warnings in recursor.
Fixes #9167.
Otto Moerbeek [Tue, 9 Jun 2020 11:31:48 +0000 (13:31 +0200)]
Merge pull request #9213 from omoerbeek/dnsdist-stringview-ambiguous
Do not use `using namespace std;`
Remi Gacogne [Tue, 9 Jun 2020 11:19:12 +0000 (13:19 +0200)]
dnsdist: Chck that we don't write more than PIPE_BUF at once on pipes
Otto Moerbeek [Tue, 9 Jun 2020 11:18:58 +0000 (13:18 +0200)]
Do not use using namespace std; it causes ambiguity if
both std::string_view and boost::string_view are in scope
Otto Moerbeek [Tue, 9 Jun 2020 10:07:45 +0000 (12:07 +0200)]
Merge pull request #9202 from omoerbeek/rec-cname-loop
rec: more sophisticated cname loop detection.
Peter van Dijk [Tue, 9 Jun 2020 09:18:11 +0000 (11:18 +0200)]
Merge pull request #9212 from Habbie/generate-repo-files-master
add master support to generate-repo-files.sh
Peter van Dijk [Fri, 5 Jun 2020 15:33:56 +0000 (17:33 +0200)]
add master support to generate-repo-files.sh
Otto Moerbeek [Tue, 9 Jun 2020 08:22:58 +0000 (10:22 +0200)]
Do not process passthru in a special way. RPZ hit always takes
precedence unless overridesGettag is set to false.
Otto Moerbeek [Tue, 9 Jun 2020 06:29:13 +0000 (08:29 +0200)]
Merge pull request #9205 from rgacogne/rec-rrsig-ttl
rec: Limit the TTL of RRSIG records as well
Otto Moerbeek [Tue, 9 Jun 2020 06:27:36 +0000 (08:27 +0200)]
Merge pull request #9207 from neheb/string
use std::string_view when available
Peter van Dijk [Mon, 8 Jun 2020 20:38:25 +0000 (22:38 +0200)]
circle auth: build with pkcs11
Peter van Dijk [Fri, 5 Jun 2020 23:05:22 +0000 (01:05 +0200)]
auth pkcs11: add ECDSA support, use softhsm2-util, other fixes
Remi Gacogne [Mon, 8 Jun 2020 14:45:03 +0000 (16:45 +0200)]
dnsdist: Update the tests for the new 'doh-*-pipe-full' metrics
Remi Gacogne [Mon, 8 Jun 2020 14:28:42 +0000 (16:28 +0200)]
dnsdist: Use non-blocking pipes to pass DoH queries/responses around
This commit makes the internal sockets non-blocking so we don't freeze if
they ever fill up, and log errors/increment metrics instead.
It also replaces the socket pairs by pipes, since the default buffer
size for sockets seems to allow only ~278 pending queries which might
be reached given how libh2o batches events. On Linux, a pipe gives us
8192 pending queries by default due to the lower overhead, and it
can easily be incremented to 131072 pending queries by setting the
pipe size to
1048576 . This commits adds a new setting to do just
that.
Otto Moerbeek [Mon, 8 Jun 2020 11:11:12 +0000 (13:11 +0200)]
Docs added
Remi Gacogne [Mon, 8 Jun 2020 07:57:55 +0000 (09:57 +0200)]
Merge pull request #9204 from rgacogne/rec-doc-gettag-ffi
rec: Better document the gettag hook and its FFI counterpart
Peter van Dijk [Sun, 7 Jun 2020 18:30:30 +0000 (20:30 +0200)]
Merge pull request #9182 from supervacuus/auth-metrics-endpoint
Implemented prometheus metrics-endpoint for auth
Rosen Penev [Sat, 6 Jun 2020 18:33:55 +0000 (11:33 -0700)]
use std::string_view when available
There's a standard C++ macro to check for its existence.
libstdc++ from GCC makes it available under C++17 and up. libcxx from
LLVM makes it available everywhere.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Mischan Toosarani-Hausberger [Fri, 5 Jun 2020 21:17:21 +0000 (23:17 +0200)]
auth: Declare ring-size metrics as gauges
ring-buffer size metrics are affected in three ways:
* incremented and saturated as items are added
* set to zero, when the ring-buffer is reset
* decremented when the ring-buffer is resized to a smaller capacity
that cannot hold the number of items currently stored
The latter qualifies ring-buffer size metrics as gauges.
Mischan Toosarani-Hausberger [Thu, 4 Jun 2020 17:26:05 +0000 (19:26 +0200)]
auth: Declare ring-capacity metrics as gauges.
Mischan Toosarani-Hausberger [Tue, 2 Jun 2020 18:40:03 +0000 (20:40 +0200)]
auth: Change StatType for some metrics from counter to gauge
"packetcache-size" and "query-cache-size" are both decremented and
incremented and thus clearly gauges.
"security-status" is an ordered category and thus also qualifies as a
gauge.
Mischan Toosarani-Hausberger [Mon, 1 Jun 2020 20:26:51 +0000 (22:26 +0200)]
Implemented prometheus metrics-endpoint for auth
Peter van Dijk [Fri, 5 Jun 2020 13:54:03 +0000 (15:54 +0200)]
Merge pull request #9163 from zeha/fix-7795
Optimize IXFR-to-AXFR fallback path
Peter van Dijk [Fri, 5 Jun 2020 13:45:31 +0000 (15:45 +0200)]
Merge pull request #9040 from Habbie/auth-readme
auth README: some fixes; remove manual doc build instructions
Peter van Dijk [Fri, 5 Jun 2020 13:43:57 +0000 (15:43 +0200)]
Merge pull request #9180 from Habbie/4.2-changes-8497
auth: add #8497 to changelog
Remi Gacogne [Fri, 5 Jun 2020 13:14:35 +0000 (15:14 +0200)]
rec: Limit the TTL of RRSIG records as well
Remi Gacogne [Fri, 5 Jun 2020 12:40:38 +0000 (14:40 +0200)]
rec: Better document the gettag hook and its FFI counterpart
Otto Moerbeek [Fri, 5 Jun 2020 10:37:47 +0000 (12:37 +0200)]
Add a flag to the RPZ indicating if it should override the answer from gettag.
Defaults to true.
Otto Moerbeek [Fri, 5 Jun 2020 09:51:18 +0000 (11:51 +0200)]
First stab at solving the issue when gettag_ffi sets an answer but
we also have an RPZ hit.
Otto Moerbeek [Fri, 5 Jun 2020 08:37:28 +0000 (10:37 +0200)]
Add/modify tests. Also re-check for the cache case. It *is* a bit
unsettling that case causes an ImmediateServFailException, but I do
not like to touch the general flow right now. That would be required
to make the CNAME cache case more similar to the non-cached case.
Peter van Dijk [Fri, 5 Jun 2020 09:08:21 +0000 (11:08 +0200)]
Merge pull request #8943 from pieterlexis/remote-commit-false
Remote Backend: Throw DBException in functions that allow it
Peter van Dijk [Fri, 5 Jun 2020 08:34:28 +0000 (10:34 +0200)]
Merge pull request #8995 from kpfleming/local-port-docs
Clarify local-address documentation
Peter van Dijk [Fri, 5 Jun 2020 08:25:54 +0000 (10:25 +0200)]
Merge pull request #9178 from franklouwers/master
Clarify allow-axfr-ips behaviour in combination with TSIG
Otto Moerbeek [Fri, 5 Jun 2020 08:19:08 +0000 (10:19 +0200)]
Use seperate function to test for loop; empty result vector on loop
detection (like other resolvers I tested do).
Otto Moerbeek [Wed, 3 Jun 2020 14:31:57 +0000 (16:31 +0200)]
More sophisticated cname loop detection.
Remi Gacogne [Fri, 5 Jun 2020 07:28:53 +0000 (09:28 +0200)]
Merge pull request #9151 from rgacogne/rec-root-ds
rec: Fix the handling of DS queries for the root
Remi Gacogne [Fri, 5 Jun 2020 07:27:48 +0000 (09:27 +0200)]
rec: Remove trailing whitespace in a comment
Otto Moerbeek [Wed, 3 Jun 2020 13:38:21 +0000 (15:38 +0200)]
Merge pull request #9194 from omoerbeek/rec-cname-self-referral
rec: If a CNAME target is found in the cache, check if it's equal to qname and ServFail if so.
Chris Hofstaedtler [Wed, 3 Jun 2020 11:40:17 +0000 (13:40 +0200)]
spgsql: tidy up
Otto Moerbeek [Wed, 3 Jun 2020 10:58:51 +0000 (12:58 +0200)]
Merge pull request #9192 from omoerbeek/rec-depth-incr
rec: Correct depth increments.
Otto Moerbeek [Wed, 3 Jun 2020 10:15:46 +0000 (12:15 +0200)]
If a CNAME target is found in the cache, check if it's equal
to qname and ServFail if so.
Fixes the easy case of #9153. Longer chains with self-refs remain an issue.
Otto Moerbeek [Wed, 3 Jun 2020 07:07:56 +0000 (09:07 +0200)]
Correct depth increments.
With the introduction of qname minimization, a function
doResolveNoQNameMinimization() was introduced. This function is
called by doResolve() with depth incremented. Due to the recursive
nature of the resursor algortihm (Nomen est Omen) we end up
incrementing the depth too much. This prompted a review of the other
places depth was incremented, and I believe it should only be done
when calling doResolve(). Especially the case "+ 2" in the getAddrs()
call looks strange to me, as the doResolve() calls in getAddrs()
already call doResolve() with depth + 1.
This fixes #9184 and likely other cases of deep recursion caused
by long CNAME chains.
Chris Hofstaedtler [Tue, 2 Jun 2020 18:40:29 +0000 (20:40 +0200)]
gpgsql: Reintroduce prepared statements
And a toggle.
Chris Hofstaedtler [Tue, 2 Jun 2020 17:27:24 +0000 (19:27 +0200)]
gpgsqlbackend: add parameters to query logging
Addresses #5292 (for postgres only).
Chris Hofstaedtler [Tue, 2 Jun 2020 16:45:52 +0000 (18:45 +0200)]
API: forbid rectify for presigned zones, only
Frank Louwers [Tue, 2 Jun 2020 12:55:06 +0000 (14:55 +0200)]
Update docs/tsig.rst
Co-authored-by: Peter van Dijk <peter.van.dijk@powerdns.com>
Remi Gacogne [Tue, 2 Jun 2020 12:54:09 +0000 (14:54 +0200)]
Merge pull request #9142 from rgacogne/rec-defer-nod-lookup
rec: Defer the NOD lookup until after the response has been sent
Remi Gacogne [Tue, 2 Jun 2020 12:53:18 +0000 (14:53 +0200)]
Merge pull request #9172 from rgacogne/rec-rpz-several-ixfr-deltas
rec: Fix RPZ removals when an update has several deltas
Remi Gacogne [Tue, 2 Jun 2020 11:51:11 +0000 (13:51 +0200)]
Merge pull request #9127 from rgacogne/fix-gethostname-no-hostnamemax
Fix compilation on systems that do not define HOST_NAME_MAX
Remi Gacogne [Tue, 2 Jun 2020 10:24:34 +0000 (12:24 +0200)]
Fix compilation on systems that do not define HOST_NAME_MAX
On FreeBSD at least, HOST_NAME_MAX is not defined and we need to
use sysconf() to get the value at runtime instead.
Based on a work done by @RvdE to make the recursor compile on
FreeBSD (many thanks!).
Chris Hofstaedtler [Tue, 2 Jun 2020 09:49:32 +0000 (11:49 +0200)]
Set SyslogIdentifier for multiple instances
Fixes #8490.
Chris Hofstaedtler [Tue, 2 Jun 2020 08:57:42 +0000 (10:57 +0200)]
API: Allow rectifying Slave zones
Fixes #9066.
Peter van Dijk [Sun, 31 May 2020 21:46:02 +0000 (23:46 +0200)]
auth: add #8497 to changelog
Frank Louwers [Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)]
Clarify allow-axfr-ips behaviour in combination with TSIG
Chris Hofstaedtler [Fri, 29 May 2020 12:12:38 +0000 (14:12 +0200)]
Address feedback from #9176
aerique [Thu, 28 May 2020 21:45:34 +0000 (23:45 +0200)]
Merge pull request #9152 from aerique/feature/add-supported-for-unsigned-packages
Make sure we can install unsigned packages.
Remi Gacogne [Thu, 28 May 2020 16:54:20 +0000 (18:54 +0200)]
rec: Add a regression test for the RPZ updates with several deltas
Remi Gacogne [Thu, 28 May 2020 16:15:53 +0000 (18:15 +0200)]
rec: Fix RPZ removals when an update has several deltas
Peter van Dijk [Thu, 28 May 2020 09:33:07 +0000 (11:33 +0200)]
Merge pull request #9160 from Habbie/spelling-only-docs
limit spell checking to docs
Peter van Dijk [Thu, 28 May 2020 08:55:53 +0000 (10:55 +0200)]
Merge pull request #9166 from cmouse/patch-
1590648655
opensslsigners: Add missing 'static' keyword
Remi Gacogne [Thu, 28 May 2020 07:19:39 +0000 (09:19 +0200)]
Merge pull request #9162 from jsoref/clarify-docs
Clarify docs
Aki Tuomi [Thu, 28 May 2020 06:50:04 +0000 (09:50 +0300)]
opensslsigners: Add missing 'static' keyword
openssl_pthreads_locking_callback and openssl_pthreads_id_callback are
local functions, so they need static.
Chris Hofstaedtler [Wed, 27 May 2020 21:20:08 +0000 (23:20 +0200)]
Optimize IXFR-to-AXFR fallback path
Avoid making new backends when we are going to either deny the XFR, or
fall back to AXFR anyway.
This cuts down the number of new backends from four (three for IXFR
pre-checks plus one for AXFR) to one (just the AXFR one).
When replying in IXFR mode, we keep making _one_ new backend, which is
also better than before.
While we now hold the s_plock for a while longer, we only take it once
in doIXFR; before we took it twice -- for TSIG retrieval, which now
re-uses the IXFR backend.
Josh Soref [Wed, 27 May 2020 19:40:50 +0000 (15:40 -0400)]
rewrite pdns-distributes-queries
Peter van Dijk [Wed, 27 May 2020 15:40:41 +0000 (17:40 +0200)]
spellcheck: only run when docs have been changed
Josh Soref [Wed, 27 May 2020 14:48:30 +0000 (10:48 -0400)]
clarify: reuseports behavior re worker threads