Michał Kępień [Fri, 8 Nov 2019 11:52:10 +0000 (12:52 +0100)]
Add missing dnssec-keygen dependency on libisccfg
Commit 09ac224c5c881824c7b6649905f16b7d3f1036f4 made dnssec-keygen
depend on libisccfg but the Visual Studio solution file was not updated
to reflect that change. Make sure the dnssec-keygen Visual Studio
project depends on the libisccfg project to prevent compilation issues
during parallel builds.
Michał Kępień [Tue, 5 Nov 2019 11:33:40 +0000 (12:33 +0100)]
Split release notes into per-version sections
Intertwining release notes from different BIND releases in a single XML
file has caused confusion in the past due to different (and often
arbitrary) approaches to keeping/removing release notes from older
releases on different BIND branches. Divide doc/arm/notes.xml into
per-version sections to simplify determining the set of changes
introduced by a given release and to make adding/reviewing release notes
less error-prone.
Evan Hunt [Wed, 6 Nov 2019 00:14:06 +0000 (16:14 -0800)]
adjust system tests to deal with possible timing issues
With the netmgr in use, named may start answering queries before zones
are loaded. This can cause transient failures in system tests after
servers are restarted or reconfigured. This commit adds retry loops
and sleep statements where needed to address this problem.
Evan Hunt [Tue, 5 Nov 2019 23:34:35 +0000 (15:34 -0800)]
convert ns_client and related objects to use netmgr
- ns__client_request() is now called by netmgr with an isc_nmhandle_t
parameter. The handle can then be permanently associated with an
ns_client object.
- The task manager is paused so that isc_task events that may be
triggred during client processing will not fire until after the netmgr is
finished with it. Before any asynchronous event, the client MUST
call isc_nmhandle_ref(client->handle), to prevent the client from
being reset and reused while waiting for an event to process. When
the asynchronous event is complete, isc_nmhandle_unref(client->handle)
must be called to ensure the handle can be reused later.
- reference counting of client objects is now handled in the nmhandle
object. when the handle references drop to zero, the client's "reset"
callback is used to free temporary resources and reiniialize it,
whereupon the handle (and associated client) is placed in the
"inactive handles" queue. when the sysstem is shutdown and the
handles are cleaned up, the client's "put" callback is called to free
all remaining resources.
- because client allocation is no longer handled in the same way,
the '-T clienttest' option has now been removed and is no longer
used by any system tests.
- the unit tests require wrapping the isc_nmhandle_unref() function;
when LD_WRAP is supported, that is used. otherwise we link a
libwrap.so interposer library and use that.
Evan Hunt [Tue, 5 Nov 2019 23:23:33 +0000 (15:23 -0800)]
add isc_task_pause() and isc_task_unpause() functions
This allows a task to be temporary disabled so that objects won't be
processed simultaneously by libuv events and isc_task events. When a
task is paused, currently running events may complete, but no further
event will added to the run queue will be executed until the task is
unpaused.
Evan Hunt [Tue, 5 Nov 2019 23:23:33 +0000 (15:23 -0800)]
optionally associate a netmgr with a task manager when creating
When a task manager is created, we can now specify an `isc_nm`
object to associate with it; thereafter when the task manager is
placed into exclusive mode, the network manager will be paused.
Witold Kręcicki [Tue, 5 Nov 2019 21:55:54 +0000 (13:55 -0800)]
netmgr: libuv-based network manager
This is a replacement for the existing isc_socket and isc_socketmgr
implementation. It uses libuv for asynchronous network communication;
"networker" objects will be distributed across worker threads reading
incoming packets and sending them for processing.
UDP listener sockets automatically create an array of "child" sockets
so each worker can listen separately.
TCP sockets are shared amongst worker threads.
A TCPDNS socket is a wrapper around a TCP socket, which handles the
the two-byte length field at the beginning of DNS messages over TCP.
(Other wrapper socket types can be implemented in the future to handle
DNS over TLS, DNS over HTTPS, etc.)
Evan Hunt [Tue, 5 Nov 2019 21:18:37 +0000 (13:18 -0800)]
temporarily move ISC_QUEUE to list.h
The double-locked queue implementation is still currently in use
in ns_client, but will be replaced by a fetch-and-add array queue.
This commit moves it from queue.h to list.h so that queue.h can be
used for the new data structure, and clean up dependencies between
list.h and types.h. Later, when the ISC_QUEUE is no longer is use,
it will be removed completely.
Michał Kępień [Thu, 7 Nov 2019 11:25:39 +0000 (12:25 +0100)]
Use "set -e" in the "tcp" system test
Ensure any unexpected failure in the "tcp" system test causes it to be
immediately interrupted with an error to make the aforementioned test
more reliable. Since the exit code for "expr 0 + 0" is 1, the status
variable needs to be updated using arithmetic expansion.
Michał Kępień [Thu, 7 Nov 2019 11:25:39 +0000 (12:25 +0100)]
Fix argument order in assert_int_equal()
assert_int_equal() calls in bin/tests/system/tcp/tests.sh pass the found
value as the first argument and the expected value as the second
argument, while the function interprets its arguments the other way
round. Fix argument handling in assert_int_equal() to make sure the
error messages printed by that function are correct.
Michał Kępień [Thu, 7 Nov 2019 11:25:39 +0000 (12:25 +0100)]
Allow retries when checking TCP high-water stats
In the TCP high-water checks, "rndc stats" is run after ans6 reports
that it opened the requested number of TCP connections. However, we
fail to account for the fact that ns5 might not yet have called accept()
for these connections, in which case the counts output by "rndc stats"
will be off. To prevent intermittent "tcp" system test failures, allow
the relevant connection count checks to be retried (just once, after one
second, as that should be enough for any system to accept() a dozen TCP
connections under any circumstances).
Evan Hunt [Thu, 7 Nov 2019 17:09:28 +0000 (09:09 -0800)]
temporarily disable jitter tests in the 'autosign' system test
the current method used for testing distribution of signatures
is failure-prone. we need to replace it with something both
effective and portable, but in the meantime we're commenting
out the jitter test.
Ondřej Surý [Thu, 7 Nov 2019 09:39:43 +0000 (10:39 +0100)]
Relax the requirement for check_next_key_event() to <-60;60>
The original requirement for the check to pass was <-10;10> interval and
the first test was failing by 1 second. As the minimum interval for
checking is 7200 seconds, the commit relaxes the requirement to <-60;60>
interval, which is still sane, but not that draconic.
Ondřej Surý [Thu, 7 Nov 2019 09:26:04 +0000 (10:26 +0100)]
Fix the get_keyids() usage as it could return multiple key ids
The get_keyids() function can return multiple keyids, when the
return value was not quoted, only the first keyid would be checked
with check_key() function. This MR fixes both the error that came
with quoting the "$id" with value "12345 54321", and the code now
checks all returned keyids.
'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.
This requires a new keyword to be introduced: 'none'. If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned. You can use this to break the inheritance. Of course
you can also break the inheritance by referring to a different
policy.
The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.
Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.
Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).
The kasp system tests are updated with 'check_cds' calls that will
verify that the correct CDS and CDNSKEY records are published during
a rollover and that they are signed with the correct KSK.
This requires a change in 'dnssec.c' to check the kasp key states
whether the CDS/CDNSKEY of a key should be published or not. If no
kasp state exist, fall back to key timings.
The 'sign_apex()' function has special processing for signing the
DNSKEY RRset such that it will always be signed with the active
KSK. Since CDS and CDNSKEY are also signed with the KSK, it
should have the same special processing. The special processing is
moved into a new function 'tickle_apex_rrset()' and is applied to
all three RR types (DNSKEY, CDS, CDNSKEY).
In addition, when kasp is involved, update the DNSKEY TTL accordingly
to what is in the policy.
Matthijs Mekking [Wed, 30 Oct 2019 15:45:41 +0000 (16:45 +0100)]
Test CSK rollover
Test two CSK rollover scenarios, one where the DS is swapped before the zone
signatures are all replaced, and one where the signatures are replaced sooner
than the DS is swapped.
Matthijs Mekking [Wed, 30 Oct 2019 13:38:28 +0000 (14:38 +0100)]
Code changes for CSK
Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK. A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
This means that a key can be actively signing for one role but not
the other. Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
Matthijs Mekking [Thu, 17 Oct 2019 13:27:06 +0000 (15:27 +0200)]
Add kasp tests
Add more tests for kasp:
- Add tests for different algorithms.
- Add a test to ensure that an edit in an unsigned zone is
picked up and properly signed.
- Add two tests that ensures that a zone gets signed when it is
configured as so-called 'inline-signing'. In other words, a
secondary zone that is configured with a 'dnssec-policy'. A zone
that is transferred over AXFR or IXFR will get signed.
- Add a test to ensure signatures are reused if they are still
fresh enough.
- Adds two more tests to verify that expired and unfresh signatures
will be regenerated.
- Add tests for various cases with keys already available in the
key-directory.
Matthijs Mekking [Thu, 17 Oct 2019 12:22:38 +0000 (14:22 +0200)]
Refactor kasp system test
A significant refactor of the kasp system test in an attempt to
make the test script somewhat brief. When writing a test case,
you can/should use the functions 'zone_properties',
'key_properties', and 'key_timings' to set the expected values
when checking a key with 'check_key'. All these four functions
can be used to set environment variables that come in handy when
testing output.
Matthijs Mekking [Thu, 17 Oct 2019 09:57:20 +0000 (11:57 +0200)]
Adjust signing code to use kasp
Update the signing code in lib/dns/zone.c and lib/dns/update.c to
use kasp logic if a dnssec-policy is enabled.
This means zones with dnssec-policy should no longer follow
'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
KASP keys configured dictate which RRset gets signed with what key.
Also use the next rekey event from the key manager rather than
setting it to one hour.
Mark the zone dynamic, as otherwise a zone with dnssec-policy is
not eligble for automatic DNSSEC maintenance.
Matthijs Mekking [Thu, 17 Oct 2019 09:51:58 +0000 (11:51 +0200)]
DNSSEC hints use dst_key functions and key states
Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
functions and thus if dnssec-policy/KASP is used the key states are
being considered.
Add a new variable to 'struct dns_dnsseckey' to signal whether this
key is a zone-signing key (it is no longer true that ksk == !zsk).
Also introduce a hint for revoke.
Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
to also read the key state file, if available.
Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
hint for logging.
Also make get_hints() (now dns_dnssec_get_hints()) public so that
we can use it in the key manager.
Create keys according to DNSSEC policy. Zones configured with
'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
to dnssec-keymgr) if not available.
KEY ROLLOVER
Rather than determining the desired state from timing metadata,
add a key state goal. Any keys that are created or picked from the
key ring and selected to be a successor has its key state goal set
to OMNIPRESENT (this key wants to be signing!). At the same time,
a key that is being retired has its key state goal set to HIDDEN.
The keymgr state machine with the three rules will make sure no
introduction or withdrawal of DNSSEC records happens too soon.
KEY TIMINGS
All timings are based on RFC 7583.
The keymgr will return when the next action is happening so
that the zone can set the proper rekey event. Prior to this change
the rekey event will run every hour by default (configurable),
but with kasp we can determine exactly when we need to run again.
Matthijs Mekking [Thu, 17 Oct 2019 08:21:12 +0000 (10:21 +0200)]
Useful dst_key functions
Add a couple of dst_key functions for determining hints that
consider key states if they are available.
- dst_key_is_unused:
A key has no timing metadata set other than Created.
- dst_key_is_published:
A key has publish timing metadata <= now, DNSKEY state in
RUMOURED or OMNIPRESENT.
- dst_key_is_active:
A key has active timing metadata <= now, RRSIG state in
RUMOURED or OMNIPRESENT.
- dst_key_is_signing:
KSK is_signing and is_active means different things than
for a ZSK. A ZSK is active means it is also signing, but
a KSK always signs its DNSKEY RRset but is considered
active if its DS is present (rumoured or omnipresent).
- dst_key_is_revoked:
A key has revoke timing metadata <= now.
- dst_key_is_removed:
A key has delete timing metadata <= now, DNSKEY state in
UNRETENTIVE or HIDDEN.
Matthijs Mekking [Wed, 16 Oct 2019 16:36:38 +0000 (18:36 +0200)]
kasp: Expose more key timings
When doing rollover in a timely manner we need to have access to the
relevant kasp configured durations.
Most of these are simple get functions, but 'dns_kasp_signdelay'
will calculate the maximum time that is needed with this policy to
resign the complete zone (taking into account the refresh interval
and signature validity).
When signing a zone with dnssec-policy, we don't mind DNSSEC records.
This is useful for testing purposes, and perhaps it is better to
signal this behavior with a different configuration option.
Introduce a new option '-s' for dnssec-settime that when manipulating
timing metadata, it also updates the key state file.
For testing purposes, add options to dnssec-settime to set key
states and when they last changed.
The dst code adds ways to write and read the new key states and
timing metadata. It updates the parsing code for private key files
to not parse the newly introduced metadata (these are for state
files only).
Introduce key goal (the state the key wants to be in).
Write functions to access various elements of the kasp structure,
and the kasp keys. This in preparation of code in dnssec-keygen,
dnssec-settime, named...
Add a number of metadata variables (lifetime, ksk and zsk role).
For the roles we add a new type of metadata (booleans).
Add a function to write the state of the key to a separate file.
Only write out known metadata to private file. With the
introduction of the numeric metadata "Lifetime", adjust the write
private key file functionality to only write out metadata it knows
about.
Code and documentation were not in line:
- Remove -z option from code
- Remove -k option from docbook
- Add -d option to docbook
- Add -T option to docbook
This stores the dnssec-policy configuration and adds methods to
create, destroy, and attach/detach, as well as find a policy with
the same name in a list.
Also, add structures and functions for creating and destroying
kasp keys.
This commit introduces the initial `dnssec-policy` configuration
statement. It has an initial set of options to deal with signature
and key maintenance.
Add some checks to ensure that dnssec-policy is configured at the
right locations, and that policies referenced to in zone statements
actually exist.
Add some checks that when a user adds the new `dnssec-policy`
configuration, it will no longer contain existing DNSSEC
configuration options. Specifically: `inline-signing`,
`auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
`update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
and `sig-validity-interval`.
Test a good kasp configuration, and some bad configurations.
The ttlval configuration types are replaced by duration configuration
types. The duration is an ISO 8601 duration that is going to be used
for DNSSEC key timings such as key lifetimes, signature resign
intervals and refresh periods, etc. But it is also still allowed to
use the BIND ttlval ways of configuring intervals (number plus
optional unit).
A duration is stored as an array of 7 different time parts.
A duration can either be expressed in weeks, or in a combination of
the other datetime indicators.
Add several unit tests to ensure the correct value is parsed given
different string values.
This commit does not change anything significant, it just makes
the file more readable in preparation for upcoming changes related
to the `dnssec-policy` configuration option.
Michał Kępień [Wed, 6 Nov 2019 14:31:47 +0000 (15:31 +0100)]
Do not use <sys/sysctl.h> on Linux
glibc 2.30 deprecated the <sys/sysctl.h> header [1]. However, that
header is still used on other Unix-like systems, so only prevent it from
being used on Linux, in order to prevent compiler warnings from being
triggered.
projects / thirdparty / bind9.git / log
