Remi Gacogne [Tue, 21 Jan 2020 14:00:01 +0000 (15:00 +0100)]
dnsdist: Load an openssl configuration file, if any, during startup
This way dnsdist will load the default OpenSSL configuration, or a
custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuration various options supported
by OpenSSL.
This requires OpenSSL >= 1.1.0.
Remi Gacogne [Mon, 20 Jan 2020 18:24:13 +0000 (19:24 +0100)]
rec: Add unit tests for the NSEC3 Opt-Out case
An Opt-Out NSEC3 only proves that there is no delegation, so we
should not consider a DS NODATA or a NXDOMAIN proved by that RR
secure but insecure.
This was fixed in 18c8faae6c67f734583c5c881d0d083d3253b49e and this
commit adds a few unit tests to cover the fix.
Remi Gacogne [Fri, 17 Jan 2020 13:56:27 +0000 (14:56 +0100)]
auth: Enforce a strict maximum size for the packet and records caches
Before this change, both the query and packet caches in the authoritative
server can exceed their maximum size by a lot, until the next cleaning
cycle.
This is particularly nasty since the current cleaning algorithm will
never remove entries from the cache until they expire, as opposed to
what we do in the recursor, for example, where we nuke the least-recently
used entries, even if they are still valid, when the cache is full.
This commit changes that by removing the least recently inserted or
updated entry from the cache after inserting a new one when the cache
is full, thus enforcing the maximum size more strictly.
Note that this is really the least recently inserted/updated and not
the least recently used one, as is done in the recursor. Having a
proper LRU in the auth would require acquering a write lock for a
simple lookup, instead of a potentially concurrent read-lock at the
moment. We might want to consider changing that at some point, as
a LRU might be fairer and the lock contention might be very small
since the caches are sharded.
Remi Gacogne [Wed, 15 Jan 2020 13:28:25 +0000 (14:28 +0100)]
rec: Only the first filtering policy should match
Subsequent ones should not be applied.
Also make sure that NSDNAME and NSIP triggers really stop the
processing of the query, instead of just causing the current NS to
be skipped.
Remi Gacogne [Tue, 14 Jan 2020 15:26:23 +0000 (16:26 +0100)]
rec: Fix the evaluation order for filtering policies (RPZ)
Since 272e9a0034e8c5ea29d1ab7d24630424f178e926 we scanned all policies
for an exact match before looking for wildcard matches. It brokes
the promise that filtering policies are evaluated in the order they
are defined.
Remi Gacogne [Fri, 13 Dec 2019 10:16:20 +0000 (11:16 +0100)]
dnsdist: Require Python libnacl < 1.7
Otherwise we need libsodium >= 1.0.12 (required by this change:
https://github.com/saltstack/libnacl/commit/8c8b2f8bc05a5b67f39acf9a6bc0bef6fa839166
) and we don't have it in Trusty, which we still use in Travis.
Otto Moerbeek [Mon, 6 Jan 2020 14:04:25 +0000 (15:04 +0100)]
Introduce test for PR 8648.
While there, explicitly init qname-minimization in test-syncres to
false. The current code gave the impression it was turned on by
default for unit tests. We have a lot of test that count queries,
and that is highly depedent on qname minimization being on or off.
Remi Gacogne [Mon, 23 Dec 2019 17:15:49 +0000 (18:15 +0100)]
dnsdist: Allow retrieving and deleting a backend via its UUID
Backends have a UUID since the introduction of the consistent hashing
load-balancing policy, but until now it was not possible to retrieve
or delete a backend via its UUID.
Remi Gacogne [Fri, 20 Dec 2019 12:04:23 +0000 (13:04 +0100)]
auth: Clear the TSIG algo between iterations in the API
Otherwise `GSQLBackend::getTSIGKey()` will try to match the
algorithm in `keyAlgo` if it's set, which will prevent retrieving
a key with a different algorithm that the previous one.
Otto Moerbeek [Fri, 20 Dec 2019 09:08:50 +0000 (10:08 +0100)]
QName Minimization consults the cache first to see work needs to
be done. Via doCacheCheck() this can lead to a call to computeZoneCuts()
which might/does not work properly on only cached records, so always
make sure it can go out if needed. Should fix #8642.
Sander Hoentjen [Mon, 16 Dec 2019 21:44:43 +0000 (22:44 +0100)]
Fix build with gcc-10
From an e-mail from Jeff Law <law@redhat.com>:
Subject: Minor problem in pdns, dnsdist and pdns-recursor packages in Fedora
[ All three packages have embedded copies of the same problematic code
and the same patch fixes all three. ]
Red Hat's compiler team continues to try and be proactive in identifying
issues that will arise as a result of the introduction of a new GCC
release into Fedora each spring.
You're being contacted because a package you maintain in Fedora is going
to fail to build with gcc-10 in the spring. Yes, I know that's a few
months away, but it's far easier to fix this stuff proactively now than
wait.
Fixing it now also means that your package will continue to be built
with testing versions of gcc-10 as we proceed through the development
process thus allowing additional issues to be caught early.
Your particular package will fail due to an uninstantiated template for
AsyncLoader<Request>. These kinds of problems are relatively common due to
changes in the tuning of the inliner for gcc-10:
> BUILDSTDERR: /usr/bin/ld: webserver.o: in function `WebServer::serveConnection(std::shared_ptr<Socket>) const':
> BUILDSTDERR: /builddir/build/BUILD/pdns-4.2.1/pdns/webserver.cc:373: undefined reference to `YaHTTP::AsyncLoader<YaHTTP::Request>::feed(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)'
> BUILDSTDERR: collect2: error: ld returned 1 exit status
> BUILDSTDERR: make[3]: *** [Makefile:2751: ixfrdist] Error 1
>
The attached patch arranges for an instance to be instantiated when
compiling reqresp.cpp and is sufficient to fix this problem. The
choice of reqresp.cpp fairly arbitrary IIRC.
Ideally you'll with upstream to get this fixed, but a Fedora patch is
clearly OK as well. I'll install the attached fix into Fedora in a
week or so if I haven't heard from you.
projects / thirdparty / pdns.git / log
