Michał Kępień [Mon, 29 Oct 2018 21:29:31 +0000 (22:29 +0100)]
Release all resources when shutting down an RPZ zone during an update
If an RPZ zone is to be freed during an update, canceling the
update_quantum() event is not enough because the resources released when
an update completes also need to be accounted for. Failure to do this
results in a hang upon shutdown. Fix by copying cleanup code from the
end of update_quantum() to rpz_detach().
Witold Kręcicki [Thu, 25 Oct 2018 18:49:28 +0000 (18:49 +0000)]
Fix a race in RPZ with min-update-interval set to 0
If another RPZ update is pending when processing the previous one nears
completion and min-update-interval is set to 0, isc_timer_reset() gets
called with 'interval' set to 0, which triggers an assertion failure.
To prevent such a scenario from causing a crash, queue the update event
directly instead of asking the timer thread to do it.
Witold Kręcicki [Thu, 25 Oct 2018 19:37:32 +0000 (19:37 +0000)]
statschannel test: try 5 times to check if compressed and regular output of statschannel is the same - some counters can change, minimize risk of bad timing
Witold Kręcicki [Fri, 12 Oct 2018 11:59:33 +0000 (11:59 +0000)]
Use non-cryptographically-secure PRNG to generate a nonce for cookies.
Rationale: the nonce here is only used to make sure there is a low
probability of duplication, according to section B.2 of RFC7873.
It is only 32-bit, and even if an attacker knows the algorithm used
to generate nonces it won't, in any way, give him any platform to
attack the server as long as server secret used to sign the
(nonce, time) pair with HMAC-SHA1 is secure.
On the other hand, currently, each packet sent requires (unnecessarily)
a CS pseudo-random number which is ineffective.
Michał Kępień [Thu, 25 Oct 2018 08:03:03 +0000 (10:03 +0200)]
Display a per-view list of zones in the web interface
The XSL stylesheet used by the web interface does not currently include
any element which would cause a list of zones configured in each view to
be displayed, making the "Zones" section of the web interface empty
unless some zone has been configured with "zone-statistics full;" and
queried. Since this can be confusing, modify the XSL stylesheet so that
a list of zones configured in each view is displayed in the web
interface.
Ondřej Surý [Wed, 24 Oct 2018 08:21:10 +0000 (10:21 +0200)]
Add CHANGES entry for GL #305.
XXXX. [func] Replace old message digest and hmac APIs with more
generic isc_md and isc_hmac APIs, and convert their
respective tests to cmocka. [GL #305]
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Add CHANGES entry
XXXX. [func] A default list of primary servers for the root zone is
now built into named, allowing the "masters" statement
to be omitted when configuring an IANA root zone
mirror. [GL #564]
XXXX. [func] Attempts to use mirror zones with recursion disabled
are now considered a configuration error. [GL #564]
XXXX. [func] The only valid zone-level NOTIFY settings for mirror
zones are now "notify no;" and "notify explicit;".
[GL #564]
XXXX. [func] Mirror zones are now configured using "type mirror;"
rather than "mirror yes;". [GL #564]
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Define a default master server list for the root zone
To minimize the effort required to set up IANA root zone mirroring,
define a default master server list for the root zone and use it when
that zone is to be mirrored and no master server list was explicitly
specified. Contents of that list are taken from RFC 7706 and are
subject to change in future releases.
Since the static get_masters_def() function in bin/named/config.c does
exactly what named_zone_configure() in bin/named/zoneconf.c needs to do,
make the former non-static and use it in the latter to prevent code
duplication.
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Prevent mirror zones from being used when recursion is disabled
Since mirror zone data is treated as cache data for access control
purposes, configuring a mirror zone and disabling recursion at the same
time would effectively prevent mirror zone data from being used since
disabling recursion also disables cache access to all clients by
default. Even though this behavior can be inhibited by configuration,
mirror zones are a recursive resolver feature and thus recursion is now
required to use them.
Ignore the fact that certain configurations might still trick named into
assuming recursion is enabled when it effectively is not since this
change is not meant to put a hard policy in place but rather just to
prevent accidental mirror zone misuse.
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Clean up handling of NOTIFY settings for mirror zones
Previous way of handling NOTIFY settings for mirror zones was a bit
tricky: any value of the "notify" option was accepted, but it was
subsequently overridden with dns_notifytype_explicit. Given the way
zone configuration is performed, this resulted in the following
behavior:
- if "notify yes;" was set explicitly at any configuration level or
inherited from default configuration, it was silently changed and so
only hosts specified in "also-notify", if any, were notified,
- if "notify no;" was set at any configuration level, it was
effectively honored since even though zone->notifytype was silently
set to dns_notifytype_explicit, the "also-notify" option was never
processed due to "notify no;" being set.
Effectively, this only allowed the hosts specified in "also-notify" to
be notified, when either "notify yes;" or "notify explicit;" was
explicitly set or inherited from default configuration.
Clean up handling of NOTIFY settings for mirror zones by:
- reporting a configuration error when anything else than "notify no;"
or "notify explicit;" is set for a mirror zone at the zone level,
- overriding inherited "notify yes;" setting with "notify explicit;"
for mirror zones,
- informing the user when the "notify" setting is overridden, unless
the setting in question was inherited from default configuration.
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Replace the "mirror" zone option with "type mirror;"
Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR
option for checking whether it is a mirror zone. This makes said zone
option and its associated helper function, dns_zone_mirror(), redundant,
so remove them. Remove a check specific to mirror zones from
named_zone_reusable() since another check in that function ensures that
changing a zone's type prevents it from being reused during
reconfiguration.
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Define a separate dns_zonetype_t for mirror zones
Rather than overloading dns_zone_slave and discerning between a slave
zone and a mirror zone using a zone option, define a separate enum
value, dns_zone_mirror, to be used exclusively by mirror zones. Update
code handling slave zones to ensure it also handles mirror zones where
applicable.
Michał Kępień [Tue, 9 Oct 2018 08:54:51 +0000 (10:54 +0200)]
Handle "type mirror;" when parsing zone configuration
Add a new zone type, CFG_ZONE_MIRROR, to libisccfg, in order to limit
the list of options which are considered valid for mirror zones. Update
the relevant configuration checks.
Michał Kępień [Thu, 18 Oct 2018 13:48:44 +0000 (15:48 +0200)]
Fix the configuration type used by the "server-addresses" option
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
Michał Kępień [Tue, 23 Oct 2018 12:50:00 +0000 (14:50 +0200)]
libirs: handle scoped IPv6 addresses in /etc/resolv.conf
Commonly used network configuration tools write scoped IPv6 nameserver
addresses to /etc/resolv.conf. libirs only handles these when it is
compiled with -DIRS_HAVE_SIN6_SCOPE_ID, which is not the default, and
only handles numeric scopes, which is not what network configuration
tools typically use. This causes dig to be practically unable to handle
scoped IPv6 nameserver addresses in /etc/resolv.conf.
Fix the problem by:
- not requiring a custom compile-time flag to be set in order for
scoped IPv6 addresses to be processed by getaddrinfo(),
- parsing non-numeric scope identifiers using if_nametoindex(),
- setting the sin6_scope_id field in struct sockaddr_in6 structures
returned by getaddrinfo() even if the AI_CANONNAME flag is not set.
projects / thirdparty / bind9.git / log
