+4727. [bug] Retransferring an inline-signed slave using NSEC3
+ around the time its NSEC3 salt was changed could result
+ in an infinite signing loop. [RT #45080]
+
4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
from being logged on FreeBSD if the kernel does not
support it. Notify the user when the kernel does
} ns_dzctx_t;
/*
- * Carry out a zone deletion scheduled by named_server_addzone().
+ * Carry out a zone deletion scheduled by named_server_delzone().
*/
static void
rmzone(isc_task_t *task, isc_event_t *event) {
rm -f ns5/bits.bk.jnl
rm -f ns5/bits.bk.signed
rm -f ns5/bits.bk.signed.jnl
+rm -f ns7/K*
+rm -f ns7/nsec3-loop.db
+rm -f ns7/nsec3-loop.db.signed
+rm -f ns7/nsec3-loop.db.signed.jnl
rm -f */*.jbk
rm -f dig.out.ns*
rm -f signing.out*
allow-update { any; };
notify no;
};
+
+zone "nsec3-loop" {
+ type master;
+ file "nsec3-loop.db";
+ notify no;
+};
--- /dev/null
+; Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; NOTE: This zone's data has been crafted in order to reproduce a very specific
+; scenario (see ns7/named.conf for more details). Please do not modify this
+; file.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns2 . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
--- /dev/null
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * NS7
+ *
+ * NOTE: This named instance is used to reproduce a scenario which involves a
+ * number of functions getting called in a very specific order which results in
+ * an infinite loop while iterating over NSEC3 red-black tree. Ensuring this
+ * happens requires carefully setting the number of signing keys, NSEC3
+ * parameters (number of iterations and salt value), zone data and named
+ * configuration. Changing any of these and/or influencing this instance's
+ * behavior (e.g. by sending extra queries to it) might render this test moot
+ * as it will no longer be able to reproduce the exact scenario it attempts to.
+ *
+ * Given the above, please do not use this instance for any other test than the
+ * one it was meant for.
+ */
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.7 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ try-tcp-refresh no;
+ allow-new-zones yes;
+ sig-signing-nodes 100;
+ sig-signing-signatures 10;
+};
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# NOTE: The number of signing keys generated below is not coincidental. More
+# details can be found in the comment inside ns7/named.conf.
+
+zone=nsec3-loop
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
(cd ns3; $SHELL -e sign.sh)
(cd ns1; $SHELL -e sign.sh)
+(cd ns7; $SHELL -e sign.sh)
done
n=`expr $n + 1`
-echo "I:checking that rrsigs are replaced with ksk only"
+echo "I:checking that rrsigs are replaced with ksk only ($n)"
ret=0
$DIG @10.53.0.3 -p 5300 axfr nsec3. |
awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-n=`expr $n + 1`
+n=`expr $n + 1`
echo "I:checking that the zone is signed on initial transfer, noixfr ($n)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking removal of private type record via 'rndc signing -clear' (master) ($n)"
sleep 1
done
if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking master zone that was updated while offline is correct ($n)"
done
if [ $ans != 1 ]; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret`
-n=`expr $n + 1`
+n=`expr $n + 1`
echo "I:check rndc retransfer of a inline slave zone works ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 retransfer retransfer 2>&1 || ret=1
sleep 1
done
[ $ans = 1 ] && ret=1
-n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
echo "I:check rndc retransfer of a inline nsec3 slave retains nsec3 ($n)"
ret=0
for i in 0 1 2 3 4 5 6 7 8 9
sleep 1
done
[ $ans = 1 ] && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# NOTE: The test below should be considered fragile. More details can be found
+# in the comment inside ns7/named.conf.
n=`expr $n + 1`
+echo "I:check rndc retransfer of a inline nsec3 slave does not trigger an infinite loop ($n)"
+ret=0
+zone=nsec3-loop
+# Add slave zone using rndc
+$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 addzone $zone \
+ '{ type slave; masters { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };'
+# Wait until slave zone is fully signed using NSEC
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ $RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 signing -list $zone > signing.out.test$n 2>&1
+ keys=`grep '^Done signing' signing.out.test$n | wc -l`
+ [ $keys -eq 3 ] && ret=0 && break
+ sleep 1
+done
+# Switch slave zone to NSEC3
+$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1
+# Wait until slave zone is fully signed using NSEC3
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ nsec3param=`$DIG +short @10.53.0.7 -p 5300 nsec3param $zone`
+ test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+ sleep 1
+done
+# Attempt to retransfer the slave zone from master
+$RNDC -c ../common/rndc.conf -s 10.53.0.7 -p 9953 retransfer $zone
+# Check whether the signer managed to fully sign the retransferred zone by
+# waiting for a specific SOA serial number to appear in the logs; if this
+# specific SOA serial number does not appear in the logs, it means the signer
+# has either ran into an infinite loop or crashed; note that we check the logs
+# instead of sending SOA queries to the signer as these may influence its
+# behavior in a way which may prevent the desired scenario from being
+# reproduced (see comment in ns7/named.conf)
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+ ret=1
+ grep "ns2.$zone. . 10 20 20 1814400 3600" ns7/named.run > /dev/null 2>&1
+ [ $? -eq 0 ] && ret=0 && break
+ sleep 1
+done
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
'{ type slave; masters { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };'
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 delzone test-$zone > /dev/null 2>&1
done
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:testing adding external keys to a inline zone ($n)"
test ${dnskeys:-0} -eq 3 || { echo "I: failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
test ${rrsigs:-0} -eq 2 || { echo "I: failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
done
+if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
[ ${newserial:-0} -eq ${serial:-1} ] || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-n=`expr $n + 1`
+n=`expr $n + 1`
echo "I:testing updating dynamic serial via 'rndc signing -serial' ($n)"
ret=0
$DIG bits. SOA -p 5300 @10.53.0.2 > dig.out.ns2.pre.test$n
* pointers, chains might be going away in a future release, though the
* movement functionality would remain.
*
+ * Chains may be used to iterate over a tree of trees. After setting up the
+ * chain's structure using dns_rbtnodechain_init(), it needs to be initialized
+ * to point to the lexically first or lexically last node in the tree of trees
+ * using dns_rbtnodechain_first() or dns_rbtnodechain_last(), respectively.
+ * Calling dns_rbtnodechain_next() or dns_rbtnodechain_prev() then moves the
+ * chain over to the next or previous node, respectively.
+ *
* In any event, parent information, whether via parent pointers or chains, is
* necessary information for iterating through the tree or for basic internal
* tree maintenance issues (ie, the rotations that are done to rebalance the
* Reached the root without having traversed
* any left pointers, so this level is done.
*/
- if (chain->level_count == 0)
+ if (chain->level_count == 0) {
+ /*
+ * If the tree we are iterating over
+ * was modified since this chain was
+ * initialized in a way that caused
+ * node splits to occur, "current" may
+ * now be pointing to a root node which
+ * appears to be at level 0, but still
+ * has a parent. If that happens,
+ * abort. Otherwise, we are done
+ * looking for a successor as we really
+ * reached the root node on level 0.
+ */
+ INSIST(PARENT(current) == NULL);
break;
+ }
current = chain->levels[--chain->level_count];
new_origin = ISC_TRUE;
}
if (successor != NULL) {
+ /*
+ * If we determine that the current node is the successor to
+ * itself, we will run into an infinite loop, so abort instead.
+ */
+ INSIST(chain->end != successor);
+
chain->end = successor;
/*
unsigned int node_lock_count;
rbtdb_nodelock_t * node_locks;
dns_rbtnode_t * origin_node;
+ dns_rbtnode_t * nsec3_origin_node;
dns_stats_t * rrsetstats; /* cache DB only */
isc_stats_t * cachestats; /* cache DB only */
/* Locked by lock. */
rdatasetheader_t * current;
} rbtdb_rdatasetiter_t;
+/*
+ * Note that these iterators, unless created with either DNS_DB_NSEC3ONLY or
+ * DNS_DB_NONSEC3, will transparently move between the last node of the
+ * "regular" RBT ("chain" field) and the root node of the NSEC3 RBT
+ * ("nsec3chain" field) of the database in question, as if the latter was a
+ * successor to the former in lexical order. The "current" field always holds
+ * the address of either "chain" or "nsec3chain", depending on which RBT is
+ * being traversed at given time.
+ */
static void dbiterator_destroy(dns_dbiterator_t **iteratorp);
static isc_result_t dbiterator_first(dns_dbiterator_t *iterator);
static isc_result_t dbiterator_last(dns_dbiterator_t *iterator);
* have to be protected, but we must avoid a race condition where multiple
* threads are decreasing the reference to zero simultaneously and at least
* one of them is going to free the node.
+ *
* This function returns ISC_TRUE if and only if the node reference decreases
* to zero.
+ *
+ * NOTE: Decrementing the reference count of a node to zero does not mean it
+ * will be immediately freed.
*/
static isc_boolean_t
decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
nodelock = &rbtdb->node_locks[bucket];
#define KEEP_NODE(n, r) \
- ((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
+ ((n)->data != NULL || (n)->down != NULL || \
+ (n) == (r)->origin_node || (n) == (r)->nsec3_origin_node)
/* Handle easy and typical case first. */
if (!node->dirty && KEEP_NODE(node, rbtdb)) {
* change.
*/
if (!IS_CACHE(rbtdb)) {
- dns_rbtnode_t *nsec3node;
-
rbtdb->origin_node = NULL;
result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
&rbtdb->origin_node);
* return partial matches when there is only a single NSEC3
* record in the tree.
*/
- nsec3node = NULL;
+ rbtdb->nsec3_origin_node = NULL;
result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
- &nsec3node);
+ &rbtdb->nsec3_origin_node);
if (result != ISC_R_SUCCESS) {
INSIST(result != ISC_R_EXISTS);
free_rbtdb(rbtdb, ISC_FALSE, NULL);
return (result);
}
- nsec3node->nsec = DNS_RBT_NSEC_NSEC3;
+ rbtdb->nsec3_origin_node->nsec = DNS_RBT_NSEC_NSEC3;
/*
* We need to give the nsec3 origin node the right locknum.
*/
dns_name_init(&name, NULL);
- dns_rbt_namefromnode(nsec3node, &name);
+ dns_rbt_namefromnode(rbtdb->nsec3_origin_node, &name);
#ifdef DNS_RBT_USEHASH
- nsec3node->locknum = nsec3node->hashval %
+ rbtdb->nsec3_origin_node->locknum =
+ rbtdb->nsec3_origin_node->hashval %
rbtdb->node_lock_count;
#else
- nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
+ rbtdb->nsec3_origin_node->locknum =
+ dns_name_hash(&name, ISC_TRUE) %
rbtdb->node_lock_count;
#endif
}
}
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
- dns_db_attach(zone->db, &db);
+ /*
+ * This function is called when zone timer fires, after the latter gets
+ * set by zone_addnsec3chain(). If the action triggering the call to
+ * zone_addnsec3chain() is closely followed by a zone deletion request,
+ * it might turn out that the timer thread will not be woken up until
+ * after the zone is deleted by rmzone(), which calls dns_db_detach()
+ * for zone->db, causing the latter to become NULL. Return immediately
+ * if that happens.
+ */
+ if (zone->db != NULL) {
+ dns_db_attach(zone->db, &db);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+ if (db == NULL) {
+ return;
+ }
result = dns_db_newversion(db, &version);
if (result != ISC_R_SUCCESS) {
}
/*
- * Walk the list of the nsec3 chains desired for the zone, converting
- * parameters to private type records using dns_nsec3param_toprivate(),
- * and insert them into the new zone db.
+ * Populate new zone db with private type records found by save_nsec3param().
*/
static isc_result_t
restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
rdata.data = nsec3p->data;
rdata.type = zone->privatetype;
rdata.rdclass = zone->rdclass;
- CHECK(update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
- &zone->origin, 0, &rdata));
- }
-
- result = ISC_R_SUCCESS;
-
-failure:
- for (nsec3p = ISC_LIST_HEAD(*nsec3list);
- nsec3p != NULL;
- nsec3p = next)
- {
- next = ISC_LIST_NEXT(nsec3p, link);
- ISC_LIST_UNLINK(*nsec3list, nsec3p, link);
- isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
+ result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
+ &zone->origin, 0, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ break;
+ }
}
dns_diff_clear(&diff);
* Call restore_nsec3param() to create private-type records from
* the old nsec3 parameters and insert them into db
*/
- if (!ISC_LIST_EMPTY(nsec3list))
- restore_nsec3param(zone, db, version, &nsec3list);
+ if (!ISC_LIST_EMPTY(nsec3list)) {
+ result = restore_nsec3param(zone, db, version, &nsec3list);
+ if (result != ISC_R_SUCCESS) {
+ goto failure;
+ }
+ }
dns_db_closeversion(db, &version, ISC_TRUE);