Get rid of DNS_GEOIP_DATABASE_INIT explicit initializer for geoip dbs
Instead of the explicit struct initializer with all member, rely on the fact
that static variables are explicitly initialized to 0 if not explicitly
initialized.
Evan Hunt [Fri, 28 Jun 2019 19:45:26 +0000 (12:45 -0700)]
fix broken windows build
The MSVS C compiler requires every struct to have at least one member.
The dns_geoip_databases_t structure had one set of members for
HAVE_GEOIP and a different set for HAVE_GEOIP2, and none when neither
API is in use.
This commit silences the compiler error by moving the declaration of
dns_geoip_databases_t to types.h as an opaque reference, and commenting
out the contents of geoip.h when neither version of GeoIP is enabled.
Michał Kępień [Wed, 3 Jul 2019 12:25:11 +0000 (14:25 +0200)]
Define ATOMIC_VAR_INIT() on Windows
Commit b104a9bc503033b4c3174f088e2c5bdbc5d8bb51 introduced unconditional
use of the ATOMIC_VAR_INIT() macro in bin/dnssec/dnssec-signzone.c even
though that macro is only defined on Unix platforms. Define it on
Windows systems as well in order to prevent build failures.
Ondřej Surý [Mon, 13 May 2019 17:19:11 +0000 (00:19 +0700)]
Make isc_rwlock.c thread-safe
The ThreadSanitizer found several possible data races in our rwlock
implementation. This commit changes all the unprotected variables to atomic and
also changes the explicit memory ordering (atomic_<foo>_explicit(..., <order>)
functions to use our convenience macros (atomic_<foo>_<order>).
Remove SO_BSDCOMPAT usage, it's ignore since Linux 2.4
The SO_BSDCOMPAT socket option is no-op since Linux 2.4, see the manpage:
SO_BSDCOMPAT
Enable BSD bug-to-bug compatibility. This is used by the UDP protocol
module in Linux 2.0 and 2.2. If enabled, ICMP errors received for a UDP
socket will not be passed to the user program. In later kernel
versions, support for this option has been phased out: Linux 2.4
silently ignores it, and Linux 2.6 generates a kernel warning (printk())
if a program uses this option. Linux 2.0 also enabled BSD bug-to-bug
compatibility options (random header changing, skipping of the broadcast
flag) for raw sockets with this option, but that was removed in Linux
2.2.
Matthijs Mekking [Fri, 28 Jun 2019 10:19:13 +0000 (12:19 +0200)]
Mark some managed-keys instances deprecated
The 'managed-keys' (and 'trusted-keys') options have been deprecated
by 'dnssec-keys'. Some documentation references to 'managed-keys'
had not yet been marked or noted as such.
Michał Kępień [Fri, 28 Jun 2019 11:11:26 +0000 (13:11 +0200)]
Add and use keyfile_to_key_id() helper function
When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros. This breaks tests when
keys with ID 0 are generated. Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.
Michał Kępień [Fri, 28 Jun 2019 10:12:46 +0000 (12:12 +0200)]
dnstap-read: clear buffer before expanding it
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed. Clear the output buffer before expanding it to prevent
this issue from occurring.
Matthijs Mekking [Tue, 25 Jun 2019 07:41:51 +0000 (09:41 +0200)]
named-checkconf -i: ignore deprecate warnings
Adds a new option to named-checkconf, -i. If set, named-checkconf
will not warn you about deprecated options. This allows people
to use named-checkconf in automated deployment precoesses where an
operator only cares if their conf is valid, even if it is not optimal.
This was added as a request as part of introducing a policy on
removing named.conf options.
Evan Hunt [Wed, 12 Jun 2019 03:32:21 +0000 (20:32 -0700)]
implement searching of geoip2 database
- revise mapping of search terms to database types to match the
GeoIP2 schemas.
- open GeoIP2 databases when starting up; close when shutting down.
- clarify the logged error message when an unknown database type
is configured.
- add new geoip ACL subtypes to support searching for continent in
country databases.
- map geoip ACL subtypes to specific MMDB database queries.
- perform MMDB lookups based on subtype, saving state between
queries so repeated lookups for the same address aren't necessary.
Evan Hunt [Tue, 11 Jun 2019 22:59:31 +0000 (15:59 -0700)]
add a search for GeoIP2 libraries in configure
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
(libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
is an error.
- an attempt is made to determine the default GeoIP2 database path at
compile time if pkg-config is able to report the module prefix. if
this fails, it will be necessary to set the path in named.conf with
geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
added for the eventual GeoIP2 search implementation.
Ondřej Surý [Wed, 19 Jun 2019 09:21:36 +0000 (11:21 +0200)]
Enforce usage -zrelax=transtls when GNU C Compiler is used on Solaris
When GNU C Compiler is used on Solaris (11), the Thread Local Storage
is completely broken. The behaviour doesn't manifest when GNU ld is
used. Thus, we need to enforce usage of GNU ld when GNU C Compiler is
the compiler of choice.
For more background for this change, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90912
Evan Hunt [Tue, 18 Jun 2019 00:11:00 +0000 (17:11 -0700)]
allow glue in authoritative responses to root priming queries
- when processing authoritative queries for ./NS, set 'gluedb' so
that glue will be included in the response, regardless of how
'minimal-responses' has been configured.
Evan Hunt [Wed, 26 Jun 2019 00:53:32 +0000 (17:53 -0700)]
don't overwrite the dns_master_loadfile() result before calling zone_postload()
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.
Michał Kępień [Wed, 26 Jun 2019 12:20:17 +0000 (14:20 +0200)]
Prevent "idna" test failures with libidn2 2.2.0+
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.
We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:
- this change in behavior is considered a libidn2 bug fix [1],
- we want to make sure dig behaves as expected, not libidn2,
- implementing that would require additional configure.ac cruft.
Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.
Michał Kępień [Wed, 26 Jun 2019 06:37:31 +0000 (08:37 +0200)]
Include <stdlib.h> in lib/dns/dnsrps.c
Since commit 0771dd3be8bad18f669de978f3be5e08cf2dbd6e, <isc/mem.h> no
longer includes <isc/xml.h>. On some systems (e.g. FreeBSD), this means
that no header included by lib/dns/dnsrps.c (and no header included by
those headers) contains a definition of free() any more, which triggers
a compiler warning as lib/dns/dnsrps.c calls that function. Add the
missing #include directive to prevent that warning from being triggered.
Michał Kępień [Tue, 25 Jun 2019 20:27:01 +0000 (22:27 +0200)]
Remove nonexistent function from libdns.def.in
No function called dns_dnssecsignstats_decrement() actually exists.
Putting it into lib/dns/win32/libdns.def.in breaks at least some Windows
builds. Remove the nonexistent function from that file.
Michał Kępień [Tue, 25 Jun 2019 12:30:16 +0000 (14:30 +0200)]
Wait for outgoing transfer statistics to be logged
Since the message confirming outgoing transfer completion is logged
asynchronously, it may happen that transfer statistics may not yet be
logged by the time the dig command triggering a given transfer returns.
This causes false positives for the "ixfr" and "xfer" system tests.
Prevent this from happening by checking outgoing transfer statistics up
to 10 times, in 1-second intervals.
Ondřej Surý [Mon, 24 Jun 2019 12:06:56 +0000 (14:06 +0200)]
Rename OPENSSL_INCLUDES to OPENSSL_CFLAGS in AX_CHECK_OPENSSL() macro
The ax_check_openssl m4 macro used OPENSSL_INCLUDES. Rename the
subst variable to OPENSSL_CFLAGS and wrap AX_CHECK_OPENSSL() in
action-if-not-found part of PKG_CHECK_MODULE check for libcrypto.
Ondřej Surý [Mon, 24 Jun 2019 10:21:47 +0000 (12:21 +0200)]
Make the usage of json-c objects opaque to the caller
The json-c have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
Ondřej Surý [Mon, 24 Jun 2019 12:25:55 +0000 (14:25 +0200)]
Make the usage of libxml2 opaque to the caller
The libxml2 have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
Matthijs Mekking [Fri, 21 Jun 2019 08:30:05 +0000 (10:30 +0200)]
Also collect DNSSEC refresh signature statistics
In addition to gather how many times signatures are created per
key in a zone, also count how many of those signature creations are
because of DNSSEC maintenance. These maintenance counters are
incremented if a signature is refreshed (but the RRset did not
changed), when the DNSKEY RRset is changed, and when that leads
to additional RRset / RRSIG updates (for example SOA, NSEC).
projects / thirdparty / bind9.git / log
