Evan Hunt [Wed, 26 Jun 2019 00:53:32 +0000 (17:53 -0700)]
don't overwrite the dns_master_loadfile() result before calling zone_postload()
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.
Michał Kępień [Wed, 26 Jun 2019 12:20:17 +0000 (14:20 +0200)]
Prevent "idna" test failures with libidn2 2.2.0+
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.
We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:
- this change in behavior is considered a libidn2 bug fix [1],
- we want to make sure dig behaves as expected, not libidn2,
- implementing that would require additional configure.ac cruft.
Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.
Witold Kręcicki [Thu, 13 Jun 2019 12:29:52 +0000 (14:29 +0200)]
Make sure that recursclient gauge is calculated correctly.
We increase recursclients when we attach to recursion quota,
decrease when we detach. In some cases, when we hit soft
quota, we might attach to quota without increasing recursclients
gauge. We then decrease the gauge when we detach from quota,
and it causes the statistics to underflow.
Fix makes sure that we increase recursclients always when we
succesfully attach to recursion quota.
Brian Conry [Tue, 18 Jun 2019 19:37:20 +0000 (14:37 -0500)]
Bump DNS_CLIENTINFOMETHODS_VERSION/_AGE to 2/1 in clientinfo.h
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was addet to the
dnsclientinfo struct. It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.
Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this changes takes a different approach by
syncing the values other way around.
Michał Kępień [Tue, 18 Jun 2019 07:14:07 +0000 (09:14 +0200)]
Always fail a system test if crashes are detected
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered. This must never be the case. Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).
Michał Kępień [Mon, 17 Jun 2019 12:15:18 +0000 (14:15 +0200)]
Fix key ID processing
If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:
tkey-dhkey "server" ;
Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file. Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.
Michał Kępień [Fri, 31 May 2019 12:34:34 +0000 (14:34 +0200)]
Address GCC 9.1 -O3 compilation warnings
Compiling with -O3 triggers the following warnings with GCC 9.1:
task.c: In function ‘isc__taskmgr_create’:
task.c:1456:44: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~
task.c:1456:33: note: directive argument in the range [0, 4294967294]
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~
task.c:1456:4: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c: In function ‘debit_rrl_entry’:
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
private_test.c: In function ‘private_nsec3_totext_test’:
private_test.c:114:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
114 | while (*sp == '\0' && slen > 0) {
| ^~~
private_test.c:107:11: note: while referencing ‘salt’
107 | uint32_t salt;
| ^~~~
Prevent these warnings from being triggered by increasing the size of
the relevant arrays (task.c, rrl.c) and reordering conditions
(private_test.c).
Witold Kręcicki [Fri, 31 May 2019 08:43:53 +0000 (10:43 +0200)]
Address GCC 8.3 -O3 compilation warning
Compiling with -O3 triggers the following warning with GCC 8.3:
driver.c: In function ‘dlz_findzonedb’:
driver.c:198:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~
driver.c:198:25: note: directive argument in the range [0, 65535]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~
driver.c:198:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Increase the size of the relevant array to prevent this warning from
being triggered.
Michał Kępień [Fri, 31 May 2019 12:34:34 +0000 (14:34 +0200)]
Make some build jobs use -O3 optimizations
Change the compiler optimization level for Debian sid build jobs from
-O2 to -O3 in order to enable triggering compilation warnings which are
not raised when -O2 is used.
Evan Hunt [Mon, 10 Jun 2019 04:26:55 +0000 (21:26 -0700)]
specify title metadata and markdown format when calling pandoc
this change silences a warning message and prevents the unwanted
use of smart quotes when using pandoc 2.7.1 to generate human-readable
versions of README and other markdown files.
Michał Kępień [Fri, 31 May 2019 10:43:31 +0000 (12:43 +0200)]
Backport missing "legacy" system test checks
Backport "legacy" system test checks which are present in master and
v9_14 branches, but missing in the v9_11 branch, in order to improve the
consistency of this test across all maintained branches. Note that the
"ednsnotimp" check is expected to succeed with 9.11 whereas it is
expected to fail with 9.14 and later versions.
Backport named command line switches implemented in commit c81c9660f5050a064976276883399554c7e5e9df as they are needed by the
"legacy" system checks which are currently present in master and v9_14
branches, but missing in the v9_11 branch.
Michał Kępień [Wed, 29 May 2019 09:05:01 +0000 (11:05 +0200)]
Optimize dig parameters to decrease test run time
Performing server setup checks using "+tries=3 +time=5" is redundant as
a single query is arguably good enough for determining whether a given
named instance was set up properly. Only use multiple queries with a
long timeout for resolution checks in the "legacy" system test, in order
to significantly reduce its run time (on a contemporary machine, from
about 1m45s to 0m40s).
Michał Kępień [Wed, 29 May 2019 09:05:01 +0000 (11:05 +0200)]
Add more EDNS checks for dig output files
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.
Michał Kępień [Wed, 29 May 2019 09:05:01 +0000 (11:05 +0200)]
Use helper functions for checking resolution
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.
Michał Kępień [Wed, 29 May 2019 09:05:01 +0000 (11:05 +0200)]
Use +dnssec instead of separate TXT records
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size. Doing this makes all resolution checks in the "legacy"
system test more similar. Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.
Michał Kępień [Wed, 29 May 2019 09:05:01 +0000 (11:05 +0200)]
Properly test servers with TCP support disabled
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets. Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.
Ondřej Surý [Mon, 27 May 2019 14:11:11 +0000 (16:11 +0200)]
Use getconf LFS_{CFLAGS,LDFLAGS,LIBS} to get flags to compile lib/dns/gen
On some systems (namely Debian buster armhf) the readdir() call fails
with `Value too large for defined data type` unless the
_FILE_OFFSET_BITS=64 is defined. The correct way to fix this is to
get the appropriate compilation parameters from getconf system
interface.
Michał Kępień [Wed, 24 Apr 2019 09:17:15 +0000 (11:17 +0200)]
Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
Ondřej Surý [Fri, 10 May 2019 02:29:00 +0000 (09:29 +0700)]
Improve the error message about missing PLY Python package
Previously, only a message about missing Python was printed, which was
misleading to many users. The new message clearly states that Python
AND PLY is required and prints basic instructions how to install PLY
package.
Witold Kręcicki [Thu, 14 Feb 2019 16:35:25 +0000 (17:35 +0100)]
Fix race in unix socket code when closing a socket that has
already sent a recv/send event.
When doing isc_socket_cancel we need to purge the event that might
already be in flight. If it has been launched already we need
to inform it that it has to bail.
projects / thirdparty / bind9.git / log
