Evan Hunt [Wed, 11 Dec 2024 19:07:53 +0000 (11:07 -0800)]
set "multi-master" automatically with multiple primaries
By default, named logs a message at level info if a secondary
zone receives an update indicating that the serial number has
gone backwards. The "multi-master" option was provided to
allow this message to be suppressed if a zone was configured
with multiple primary servers.
That option has now been marked obsolete. The message is now
logged at debug level 1 when there are multiple primary server
addresses configured for the zone. It is still logged at level
info if there is only one address.
Evan Hunt [Wed, 11 Dec 2024 17:12:18 +0000 (17:12 +0000)]
fix: dev: clean up incorrect logging module names
Some files used logmodule names that had been copied in from elsewhere; these have now been given module names of their own. Also, the RBT and RBTDB logmodules have been removed, since they are now unused.
Merge branch 'each-cleanup-logmodules' into 'main'
Evan Hunt [Wed, 11 Dec 2024 03:11:26 +0000 (19:11 -0800)]
clean up log module names
- remove obsolete DNS_LOGMODULE_RBT and DNS_LOGMODULE_RBTDB
- correct the misuse of the wrong log modules in dns/rpz.c and
dns/catz.c, and add DNS_LOGMODULE_RPZ and DNS_LOGMODULE_CATZ
to support them.
Evan Hunt [Wed, 11 Dec 2024 03:39:21 +0000 (03:39 +0000)]
fix: nil: update style guideline to reflect current practice
The style guide now mentions clang-format, doesn't parenthesize return values, and no longer calls for backward compatibility in public function names.
Pavel Březina [Thu, 5 Dec 2024 11:37:37 +0000 (12:37 +0100)]
mark loop as shuttingdown earlier in shutdown_cb
`shutdown_trigger_close_cb` is not called in the main loop since
queued events in the `loop->async_trigger`, including loop teardown
(shutdown_server) are processed first, before the `uv_close` callback
is executed.
In order to pass the information to the queued events, it is necessary
to set the flag earlier in the process and not wait for the `uv_close`
callback to trigger.
Michal Nowak [Thu, 5 Dec 2024 14:50:40 +0000 (15:50 +0100)]
Set cross-version-config-tests to allow_failure in CI
The December releases suffer from the ns2/managed1.conf file not being
in the mkeys extra_artifacts. This manifests only when pytest is run
with the --setup-only option, which is the case in the
cross-version-config-tests CI job. The original issue is fixed in !9815,
but the fix will be effective only when subsequent releases are out.
The #4666 issue removed the "fixed" value for the "rrset-order" option
which is still present in the December release system test and which the
current named can't handle. This will be addressed when the January
9.21 release is published.
The #4482 issue removed the "dnssec-must-be-secure" feature.
Petr Menšík [Fri, 4 Oct 2019 22:20:54 +0000 (00:20 +0200)]
Remove artificial search limit from libirs
Search directive from resolv.conf had a maximum of 8 domains. Any
more were ignored. Do not ignore them anymore; iterate over any
number of domains.
Test resolv.conf support by checking the first and last domain in
the search list. Ignore the domains between; just ensure that the
last domain in the configuration is the last domain parsed.
Mark Andrews [Tue, 10 Dec 2024 00:45:44 +0000 (00:45 +0000)]
fix: usr: Unknown directive in resolv.conf not handled properly
The line after an unknown directive in resolv.conf could accidentally be skipped, potentially affecting dig, host, nslookup, nsupdate, or delv. This has been fixed.
Closes #5084
Merge branch '5084-plain-unknown-keyword-in-resolv-conf-not-handled-propely' into 'main'
Mark Andrews [Mon, 9 Dec 2024 03:45:38 +0000 (14:45 +1100)]
Fix parsing of unknown directives in resolv.conf
Only call eatline() to skip to the next line if we're not
already at the end of a line when parsing an unknown directive.
We were accidentally skipping the next line when there was only
a single unknown directive on the current line.
Ondřej Surý [Fri, 6 Dec 2024 17:12:15 +0000 (18:12 +0100)]
Replace remaining usage of DNS_R_MUSTBESECURE with DNS_R_NOVALIDSIG
The DNS_R_MUSTBESECURE lost its meaning with removal of
dnssec-must-be-secure option, so replace the few remaining (and a bit
confusing) use of this result code with DNS_R_NOVALIDSIG.
Ondřej Surý [Fri, 6 Dec 2024 12:11:59 +0000 (13:11 +0100)]
Remove dnssec-must-be-secure feature
The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature. There are no
reasons to keep this feature in the production code anymore.
Michal Nowak [Mon, 9 Dec 2024 11:55:53 +0000 (11:55 +0000)]
fix: usr: disable deterministic ecdsa for fips builds
FIPS 186-5 [1] allows the usage of deterministic ECDSA (Section 6.3) which
is compatible with RFC 6979 [2] but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3] which only allows for random k values, failing
k value generation for OpenSSL >=3.2. [4]
Fix signing by not using deterministic ECDSA when FIPS mode is active.
Aydın Mercan [Wed, 4 Dec 2024 10:11:45 +0000 (13:11 +0300)]
disable deterministic ecdsa for fips builds
FIPS 186-5 [1] allows the usage of deterministic ECDSA (Section 6.3) which
is compatible with RFC 6979 [2] but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3] which only allows for random k values, failing
k value generation for OpenSSL >=3.2. [4]
Fix signing by not using deterministic ECDSA when FIPS mode is active.
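To make concrete what the two commits above switch between, here is an added illustration of RFC 6979 nonce derivation for P-256/SHA-256 beside the random-k path that FIPS 186-4 requires. It is not BIND's or OpenSSL's code and derives only the ECDSA nonce k, not a full signature; the curve order and the test vector are taken from the P-256 definition and RFC 6979 Appendix A.2.5, and the fips_mode flag is an assumption standing in for OpenSSL's FIPS provider selection.

```python
"""RFC 6979 deterministic ECDSA nonce (k) for P-256/SHA-256, with a switch to
a random k for FIPS mode. Added illustration; not BIND or OpenSSL code."""
import hashlib
import hmac
import secrets

# Order of the P-256 base point (from the curve definition).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = P256_ORDER.bit_length()      # 256 bits
RLEN = (QLEN + 7) // 8              # 32 bytes

# RFC 6979 A.2.5 test vector: private key and expected k for message "sample".
RFC6979_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def bits2int(b: bytes) -> int:
    """RFC 6979 2.3.2: keep the leftmost QLEN bits of the bit string."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v


def int2octets(v: int) -> bytes:
    """RFC 6979 2.3.3: fixed-width big-endian encoding."""
    return v.to_bytes(RLEN, "big")


def bits2octets(b: bytes) -> bytes:
    """RFC 6979 2.3.4: reduce modulo the order, then encode."""
    return int2octets(bits2int(b) % P256_ORDER)


def rfc6979_k(priv: int, msg: bytes, hashfn=hashlib.sha256) -> int:
    """RFC 6979 3.2: HMAC_DRBG-style derivation of k from (priv, H(msg))."""
    h1 = hashfn(msg).digest()
    hlen = len(h1)
    V = b"\x01" * hlen                                   # step b
    K = b"\x00" * hlen                                   # step c
    seed = int2octets(priv) + bits2octets(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()  # step d
    V = hmac.new(K, V, hashfn).digest()                  # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()  # step f
    V = hmac.new(K, V, hashfn).digest()                  # step g
    while True:                                          # step h
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < P256_ORDER:
            return k
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def ecdsa_nonce(priv: int, msg: bytes, fips_mode: bool) -> int:
    """Deterministic k unless fips_mode, where FIPS 186-4 requires a fresh
    random k in [1, n-1]. fips_mode is an assumed flag for this example."""
    if fips_mode:
        return 1 + secrets.randbelow(P256_ORDER - 1)
    return rfc6979_k(priv, msg)


def selftest() -> bool:
    """True when the derivation reproduces the RFC 6979 A.2.5 vector."""
    return rfc6979_k(RFC6979_X, b"sample") == RFC6979_K_SAMPLE
```

The deterministic path makes k a pure function of the key and message, which is why repeated signatures over the same input are byte-identical; the random path gives a different k each call, which is the behaviour a FIPS 186-4 provider enforces and the reason the fix avoids requesting deterministic nonces in FIPS mode.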
Commit af7db8951364a89c468eda1535efb3f53adc2c1f as part of #4141 was supposed to apply the 'max-recursion-queries' quota to validator queries, but the counter was never actually passed on to 'dns_resolver_createfetch()'. This has been fixed, and the global query counter ('max-query-count', per client request) is now also added.
Related to #4980
Merge branch '4980-pass-counters-in-validator-createfetch' into 'main'
Commit af7db8951364a89c468eda1535efb3f53adc2c1f as part of #4141 was
supposed to apply the 'max-recursion-queries' quota to validator
queries, but the counter was never actually passed on to
dns_resolver_createfetch(). This has been fixed, and the global query
counter ('max-query-count', per client request) is now also added.
Ondřej Surý [Fri, 6 Dec 2024 17:29:39 +0000 (18:29 +0100)]
Update picohttpparser.{c,h} with upstream repository
Upstream code doesn't do regular releases, so we need to regularly
sync the code from the upstream repository. This is synchronization up
to the commit f8d0513 from Jan 29, 2024.
Evan Hunt [Fri, 6 Dec 2024 21:34:15 +0000 (21:34 +0000)]
fix: usr: Preserve cache across reconfig when using attach-cache
When the `attach-cache` option is used in the `options` block with an arbitrary name, it causes all views to use the same cache. Previously, this configuration caused the cache to be deleted and a new cache created every time the server was reconfigured. This has been fixed.
Evan Hunt [Wed, 27 Nov 2024 08:35:16 +0000 (00:35 -0800)]
preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.
in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.
While implementing the global limit 'max-query-count', initially I
thought of adding the variable to the resolver structure. But the limit
is per client request so it was moved to the view structure (and
counter in ns_query structure). However, I forgot to remove the
variable from the resolver structure again. This commit fixes that.
Mark Andrews [Fri, 6 Dec 2024 05:32:05 +0000 (05:32 +0000)]
fix: dev: Lock and attach when returning zone stats
When returning zone statistics counters, the statistics sets are now attached while the zone is locked. This addresses Coverity warnings CID 468720, 468728 and 468729.
Closes #4934
Merge branch '4934-lock-and-attach-when-return-zone-stats' into 'main'
Michal Nowak [Thu, 5 Dec 2024 09:37:19 +0000 (10:37 +0100)]
Use os.getenv() instead of os.environ
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.
fix: usr: Fix nsupdate hang when processing a large update
To mitigate DNS flood attacks over a single TCP connection, we throttle the connection when the other side does not read the data. Throttling should only occur on server-side sockets, but erroneously also happened for nsupdate, which acts as a client. When nsupdate started throttling the connection, it never attempted to read again. This has been fixed.
Closes #4910
Merge branch '4910-nsupdate-hangs-when-processing-large-update' into 'main'
The root cause is the fix for CVE-2024-0760 (part 3), which resets
the TCP connection on a failed send. Specifically, commit
4b7c61381f186e20a476c35032a871295ebbd385 stops reading on the socket
because the TCP connection is throttling.
When the tcpdns_send_cb callback thinks about restarting reading
on the socket, this fails because the socket is a client socket.
And nsupdate is a client and is using the same netmgr code.
This commit removes the requirement that the socket must be a server
socket, allowing reading on the socket again after being throttled.
new: usr: Add a new option to configure the maximum number of outgoing queries per client request
The configuration option 'max-query-count' sets how many outgoing queries per client request are allowed. The existing 'max-recursion-queries' is the number of permissible queries for a single name and is reset on every CNAME redirection. This new option is a global limit on the client request. The default is 200.
This allows us to send a bit more queries while looking up a single name. The default for 'max-recursion-queries' is changed from 32 to 50.
Closes #4980
Closes #4921
Merge branch '4980-global-limit-outgoing-queries' into 'main'
Changing the default for max-recursion-queries from 100 to 32 was too
strict in some cases, especially lookups in reverse IPv6 trees started
to fail more frequently. From issue #4921 it looks like 50 is a better
default.
Now that we have 'max-query-count' as a global limit of outgoing queries
per client request, we can increase the default for
'max-recursion-queries' again, as the number of recursive queries is
no longer bound by the multiple of 'max-recursion-queries' and
'max-query-restarts'.
Matthijs Mekking [Mon, 25 Nov 2024 15:27:21 +0000 (16:27 +0100)]
Add a CAMP test case
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.
Add another option to configure how many outgoing queries per
client request are allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.
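As an added illustration of why the per-restart and global counters described above are both needed (and why 32 was too tight for deep lookups), the simulation below follows a constructed CNAME chain and counts outgoing queries under both quotas. It is not BIND's resolver code: the zone is a made-up table of how many queries each name costs and where its CNAME points, and the max_query_restarts value is an assumed parameter of the simulation rather than a statement of BIND's default.

```python
"""Outgoing-query quotas for one client request: a per-name counter that is
reset on every CNAME restart (max-recursion-queries) and a global counter that
is not (max-query-count). Added illustration, not BIND's resolver. The zone is
a constructed table name -> (queries needed, CNAME target or None)."""


class QuotaExceeded(Exception):
    def __init__(self, quota, total):
        super().__init__(f"{quota} exceeded after {total} queries")
        self.quota = quota
        self.total = total


def resolve(zone, qname, *, max_recursion_queries=50, max_query_count=200,
            max_query_restarts=11):
    """Follow CNAMEs from qname; return (final_name, total_outgoing_queries).
    max_query_restarts=11 is an assumed value for this simulation."""
    total = 0            # max-query-count: every query for this request
    restarts = 0
    name = qname
    while True:
        per_name = 0     # max-recursion-queries: starts over at each restart
        needed, target = zone[name]
        for _ in range(needed):
            per_name += 1
            total += 1
            if per_name > max_recursion_queries:
                raise QuotaExceeded("max-recursion-queries", total)
            if total > max_query_count:
                raise QuotaExceeded("max-query-count", total)
        if target is None:
            return name, total
        restarts += 1
        if restarts > max_query_restarts:
            raise QuotaExceeded("max-query-restarts", total)
        name = target


def try_resolve(zone, qname, **limits):
    """Return ('NOERROR', name, total) or ('SERVFAIL', quota_hit, total)."""
    try:
        name, total = resolve(zone, qname, **limits)
        return "NOERROR", name, total
    except QuotaExceeded as exc:
        return "SERVFAIL", exc.quota, exc.total


def build_chain(prefix, hops, cost):
    """Constructed zone: prefix0 -> prefix1 -> ... -> prefix<hops>, each
    needing 'cost' outgoing queries before the next CNAME is learned."""
    zone = {}
    for i in range(hops + 1):
        target = f"{prefix}{i + 1}.example." if i < hops else None
        zone[f"{prefix}{i}.example."] = (cost, target)
    return zone


def worst_case_without_global_limit(max_recursion_queries, max_query_restarts):
    """Queries an attacker can force when only the per-restart counter exists:
    the counter resets on each restart, so the bound is the product."""
    return max_recursion_queries * (max_query_restarts + 1)


if __name__ == "__main__":
    camp = build_chain("camp", 10, 40)   # every hop stays under 50
    print(try_resolve(camp, "camp0.example.", max_query_count=10**6))
    print(try_resolve(camp, "camp0.example."))
```

The "camp" chain keeps each hop under the per-name limit, so without a global counter it runs to 440 queries and still succeeds; with max-query-count at 200 the same request is cut off on the 201st query. The single deep name shows the other direction: a lookup that legitimately needs 40 queries fails under the old default of 32 and passes under 50.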
Michal Nowak [Thu, 5 Dec 2024 10:07:46 +0000 (10:07 +0000)]
fix: ci: Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus fails the "Unexpected files found" assertion.
Merge branch 'mnowak/mkeys-add-ns2-managed1-conf-to-extra-artifacts' into 'main'
Michal Nowak [Wed, 4 Dec 2024 17:17:40 +0000 (18:17 +0100)]
Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus fails the "Unexpected files found" assertion.
Mark Andrews [Tue, 19 Nov 2024 14:20:42 +0000 (01:20 +1100)]
Keep a local copy of the update rules to prevent UAF
Previously, the update policy rules check was moved earlier in the
sequence, and the keep rule match pointers were kept to maintain the
ability to verify maximum records by type.
However, these pointers can become invalid if server reloading
or reconfiguration occurs before update completion. To prevent
this issue, extract the maximum records by type value immediately
during processing and only keep the copy of the values instead of the
full ssurule.
Evan Hunt [Thu, 5 Dec 2024 02:36:47 +0000 (02:36 +0000)]
fix: doc: document optional statements the same, enabled or not
The automatically-generated grammar for named.conf clauses that may or may not be enabled at compile time will now include the same comment, regardless of whether or not they are. Previously, the grammar didn't include a comment if an option was enabled, but said "not configured" if it was disabled. Now, in both cases, it will say "optional (only available if configured)".
Evan Hunt [Wed, 2 Oct 2024 02:16:55 +0000 (19:16 -0700)]
document optional statements the same, enabled or not
the generated grammar for named.conf clauses that may or may not be
enabled at compile time will now print the same comment regardless of
whether or not they are.
previously, the grammar didn't print a comment if an option was enabled,
but printed "not configured" if it was disabled. now, in both cases,
it will say "optional (only available if configured)".
as an incidental fix, clarified the documentation for "named-checkconf -n".
Artem Boldariev [Wed, 4 Dec 2024 16:50:36 +0000 (16:50 +0000)]
fix: ci: tests: Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.
So, the files were regenerated on a FIPS compliant system using the
following stanza:
```
$ openssl dhparam -out <file> 3072
```
Apparently, the old files are not valid for FIPS starting with OpenSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the [changelog](https://openssl-library.org/news/openssl-3.1-notes/).
Closes #5074.
Merge branch '5074-fips-compatible-dhparams' into 'main'
Artem Boldariev [Tue, 3 Dec 2024 10:38:34 +0000 (12:38 +0200)]
Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.
So, the files were regenerated on a FIPS compliant system using the
following stanza:
$ openssl dhparam -out <file> 3072
Apparently, the old files are not valid for FIPS starting with OpenSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:
Colin Vidal [Wed, 4 Dec 2024 15:52:16 +0000 (15:52 +0000)]
new: usr: Add Extended DNS Error Code 22 - No Reachable Authority
When the resolver is trying to query an authority server and eventually times out, a SERVFAIL answer is given to the client. Add the Extended DNS Error Code 22 - No Reachable Authority to the response.
Closes #2268
Merge branch '2268/ede-no-reachable-authority' into 'main'
Colin Vidal [Fri, 8 Nov 2024 17:18:30 +0000 (18:18 +0100)]
Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs after a timeout when the resolver is trying to
query an authority server.
Petr Špaček [Mon, 2 Dec 2024 13:53:38 +0000 (13:53 +0000)]
chg: doc: gitchangelog: don't break lines on hyphens in relnotes
When release notes are generated, the text is wrapped and line breaks
are inserted into each paragraph (sourced from the commit message's
body). Prevent line breaks after hyphens, as these are often used for
option names. This makes it possible to easily find the options
afterwards.
Merge branch 'nicki/gitchangelog-dont-break-on-hyphens' into 'main'
Nicki Křížek [Mon, 2 Dec 2024 10:10:01 +0000 (11:10 +0100)]
gitchangelog: don't break lines on hyphens in relnotes
When release notes are generated, the text is wrapped and line breaks
are inserted into each paragraph (sourced from the commit message's
body). Prevent line breaks after hyphens, as these are often used for
option names. This makes it possible to easily find the options
afterwards.
Ondřej Surý [Wed, 27 Nov 2024 17:04:29 +0000 (17:04 +0000)]
fix: usr: Improve the memory cleaning in the SERVFAIL cache
The SERVFAIL cache doesn't have a memory bound and the
cleaning of the old SERVFAIL cache entries was implemented
only in an opportunistic manner. Improve the memory cleaning
of the SERVFAIL cache to be more aggressive, so it doesn't
consume a lot of memory in the case the server encounters
many SERVFAILs at once.
Closes #5025
Merge branch '5025-improve-badcache-cleaning' into 'main'
Ondřej Surý [Fri, 22 Nov 2024 14:10:26 +0000 (15:10 +0100)]
Remove dns_badcache usage in the resolver (lame-ttl)
The lame-ttl processing was overridden to be disabled in the config,
but the code related to the lame-ttl was still kept in the resolver
code. More importantly, the DNS_RESOLVER_BADCACHETTL() macro would
cause the entries in the resolver badcache to be always cached for at
least 30 seconds even if the lame-ttl would be set to 0.
Remove the dns_badcache code from the dns_resolver unit, so we save some
processing time and memory in the resolver code.
Ondřej Surý [Thu, 14 Nov 2024 18:51:29 +0000 (19:51 +0100)]
Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries. This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.
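The structure described above (immutable entries, replacement instead of in-place update, a per-loop LRU swept for expired entries) is shown below as an added illustration; it is not BIND's dns_badcache. Two simplifying assumptions are labelled in the code: a single TTL per cache, so the oldest entries in each LRU are always the first to expire, and sharding of names across loops by a hash of the name.

```python
"""Bad-response (SERVFAIL) cache with a per-loop LRU, immutable entries and
eager expiry. Added illustration, not BIND's dns_badcache. Assumes one
uniform TTL per cache and hash-based sharding of names across loops."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class BadEntry:
    name: str
    qtype: str
    flags: int
    expire: float      # absolute time; never mutated after insertion


class BadCache:
    def __init__(self, nloops=4, max_entries=1000, ttl=30.0):
        self.loops = [OrderedDict() for _ in range(nloops)]   # one LRU per loop
        self.max_entries = max_entries                         # per-loop bound
        self.ttl = ttl

    def _lru(self, name):
        # Assumed sharding rule; deterministic within one process.
        return self.loops[hash(name) % len(self.loops)]

    def add(self, name, qtype, flags, now):
        """Insert a fresh entry; an existing one is removed, never updated."""
        lru = self._lru(name)
        key = (name, qtype)
        lru.pop(key, None)
        lru[key] = BadEntry(name, qtype, flags, now + self.ttl)
        while len(lru) > self.max_entries:
            lru.popitem(last=False)    # memory bound: drop the oldest entry

    def find(self, name, qtype, now):
        """Return the live entry or None, dropping it if it has expired."""
        lru = self._lru(name)
        key = (name, qtype)
        entry = lru.get(key)
        if entry is None:
            return None
        if entry.expire <= now:
            del lru[key]
            return None
        return entry

    def cleanup_loop(self, loop_index, now):
        """Sweep one loop's LRU from the oldest end. With a uniform TTL the
        list is in expiry order, so the sweep stops at the first live entry."""
        lru = self.loops[loop_index]
        removed = 0
        while lru:
            key, entry = next(iter(lru.items()))
            if entry.expire > now:
                break
            del lru[key]
            removed += 1
        return removed

    def cleanup_all(self, now):
        return sum(self.cleanup_loop(i, now) for i in range(len(self.loops)))

    def size(self):
        return sum(len(lru) for lru in self.loops)
```

Because each loop sweeps only its own LRU, no cross-loop locking is needed for cleanup, and because entries are never mutated a reader that still holds a reference to a replaced entry sees a consistent (if stale) record; both properties are what the RCU-style design above relies on.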
alessio [Tue, 5 Nov 2024 08:36:24 +0000 (09:36 +0100)]
Optimize memory layout of core structs
Reduce memory footprint by:
- Reordering struct fields to minimize padding.
- Using exact-sized atomic types instead of *_least/*_fast variants
- Downsizing integer fields where possible
Ondřej Surý [Wed, 27 Nov 2024 14:23:11 +0000 (14:23 +0000)]
chg: dev: Assume IPv6 is universally available (on the kernel level)
Instead of various probing, just assume that IPv6 is universally available
and cleanup the various checks and defines that we have accumulated over
the years.
Merge branch 'ondrej/cleanup-IPv6-networking-support' into 'main'