Mark Andrews [Wed, 28 Apr 2021 02:05:02 +0000 (12:05 +1000)]
Update ZONEMD to match RFC 8976
* The location of the digest type field has changed to where the
reserved field was.
* The reserved field is now called scheme and is where the digest
type field was.
* Digest type 2 has been defined (SHA256).
Michal Nowak [Wed, 10 Feb 2021 13:21:08 +0000 (14:21 +0100)]
Suppress TSAN errors from libfstrm.so
dnstap_test produces TSAN errors which originate in libfstrm.so. Unless
libfstrm is TSAN clean or a workaround is placed in libfstrm sources,
suppressing TSAN coming from libfstrm is necessary to test DNSTAP under
TSAN.
Michal Nowak [Tue, 26 Jan 2021 16:57:34 +0000 (17:57 +0100)]
Configure with --enable-dnstap by default
All platforms but OpenBSD have dnstap dependencies readily in their
respective repositories, and dnstap thus can be tested there. Given that
the majority of images have dnstap dependencies available, it seems fitting
to make dnstap enabled by default.
Also dnstap is disabled for TSAN jobs configured with --disable-atomic
as it's known to produce TSAN errors (#2664) and for the gcc:noatomics
job because it has threads disabled, which is a requirement for dnstap.
Mark Andrews [Mon, 1 Mar 2021 05:46:07 +0000 (16:46 +1100)]
Handle DNAME lookup via itself
When answering a query, named should never attempt to add the same RRset
to the ANSWER section more than once. However, such a situation may
arise when chasing DNAME records: one of the DNAME records placed in the
ANSWER section may turn out to be the final answer to a client query,
but there is no way to know that in advance. Tweak the relevant INSIST
assertion in query_find() so that it handles this case properly. The
rdataset is freed later anyway, so there is no need to clean it up
immediately.
Mark Andrews [Thu, 25 Feb 2021 03:11:05 +0000 (14:11 +1100)]
Unload a zone if a transfer breaks its SOA record
If a zone transfer results in a zone not having any NS records, named
stops serving it because such a zone is broken. Do the same if an
incoming zone transfer results in a zone lacking an SOA record at the
apex or containing more than one SOA record.
Mark Andrews [Wed, 3 Feb 2021 00:10:20 +0000 (11:10 +1100)]
Check SOA owner names in zone transfers
An IXFR containing SOA records with owner names different from the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex. This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed. Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.
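As an added illustration of the apex checks the two commits above describe (constructed example code, not BIND 9's own), a zone is modelled as a list of (owner, rrtype, rdata) tuples; record names and data are made up:

```python
from typing import List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner name, RR type, rdata text)


def _norm(name: str) -> str:
    """Lowercase and make absolute (trailing dot) so owner names compare cleanly."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def apex_problems(origin: str, rrs: List[RR]) -> List[str]:
    """Reasons a transferred zone must not be served: SOA records off the
    apex, no SOA at the apex, more than one SOA at the apex, or no apex NS."""
    apex = _norm(origin)
    problems = []
    soa_owners = [_norm(o) for o, t, _ in rrs if t.upper() == "SOA"]
    for owner in soa_owners:
        if owner != apex:
            problems.append(f"SOA owned by {owner} is not at apex {apex}")
    n_apex_soa = soa_owners.count(apex)
    if n_apex_soa == 0:
        problems.append("no SOA record at apex")
    elif n_apex_soa > 1:
        problems.append(f"{n_apex_soa} SOA records at apex, expected exactly 1")
    if not any(_norm(o) == apex and t.upper() == "NS" for o, t, _ in rrs):
        problems.append("no NS records at apex")
    return problems


def reject_transfer_off_apex_soa(origin: str, records: List[RR]) -> Optional[str]:
    """Early rejection of an incoming (A)XFR/IXFR: any SOA record whose owner
    is not the zone origin aborts the transfer before it is applied."""
    apex = _norm(origin)
    for o, t, _ in records:
        if t.upper() == "SOA" and _norm(o) != apex:
            return f"transfer rejected: SOA owned by {_norm(o)}, expected {apex}"
    return None


# Constructed sample data for the checks above.
ORIGIN = "example.test."
GOOD_ZONE: List[RR] = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("ns1.example.test.", "A", "192.0.2.1"),
]
# What an IXFR with a mis-owned SOA would leave behind if it were applied.
BROKEN_ZONE: List[RR] = [
    ("sub.example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
]
```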
Michał Kępień [Mon, 26 Apr 2021 05:16:38 +0000 (07:16 +0200)]
Test "--without-gssapi" in GitLab CI
GitLab CI pipelines do not currently include a Linux job that would have
GSSAPI support disabled. Add the "--without-gssapi" option to the
./configure invocation on Debian 9 to address that deficiency and also
to continuously test that build-time switch.
Michał Kępień [Mon, 26 Apr 2021 05:16:38 +0000 (07:16 +0200)]
Test "tkey-gssapi-credential" conditionally
If "tkey-gssapi-credential" is set in the configuration and GSSAPI
support is not available, named will refuse to start. As the test
system framework does not support starting named instances
conditionally, ensure that "tkey-gssapi-credential" is only present in
named.conf if GSSAPI support is available.
Petr Špaček [Fri, 16 Apr 2021 16:05:43 +0000 (18:05 +0200)]
Add tests for the "tkey-gssapi-credential" option
Four named instances in the "nsupdate" system test have GSS-TSIG support
enabled. All of them currently use "tkey-gssapi-keytab". Configure two
of them with "tkey-gssapi-credential" to test that option.
As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the
same functionality, no test modifications are required. The difference
between the two options is that the value of "tkey-gssapi-keytab" is an
explicit path to the keytab file to acquire credentials from, while the
value of "tkey-gssapi-credential" is the name of the principal whose
credentials should be used; those credentials are looked up in the
keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by
default. The path to the default keytab file can be overridden by
setting the KRB5_KTNAME environment variable. Utilize that variable to
use existing keytab files with the "tkey-gssapi-credential" option.
The KRB5_KTNAME environment variable should not interfere with the
"tkey-gssapi-keytab" option. Nevertheless, rename one of the keytab
files used with "tkey-gssapi-keytab" to something other than the contents
of the KRB5_KTNAME environment variable in order to make sure that both
"tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested.
Michał Kępień [Fri, 16 Apr 2021 12:40:06 +0000 (14:40 +0200)]
Fix handling undefined GSS_SPNEGO_MECHANISM macro
BIND 9 attempts to look up GSSAPI OIDs for the Kerberos 5 and SPNEGO
mechanisms in the relevant header files provided by the Kerberos/GSSAPI
library used. Due to the differences between various Kerberos/GSSAPI
implementations, if any of the expected preprocessor macros
(GSS_KRB5_MECHANISM, GSS_SPNEGO_MECHANISM) is not defined in the header
files provided by the library used, the code in lib/dns/gssapictx.c
defines its own version of each missing macro, so that BIND 9 can
attempt to use the relevant security mechanisms anyway.
Commit 7f08c756aa54d10a71bdf8242479ffeb82e52396, which contains a
partial backport of the changes introduced in commit 978c7b2e89aa37a7ddfe2f6b6ba12ce73dd04528, left a block of code in the
lib/dns/include/dst/gssapi.h header which defines the
GSS_SPNEGO_MECHANISM preprocessor macro to NULL if it is not defined by
any header file provided by the Kerberos/GSSAPI library used. This
causes the gss_add_oid_set_member() call in the mech_oid_set_create()
helper function to always return an error. This in turn causes the
dst_gssapi_acquirecred() function to also always return an error, which
ultimately prevents any named instance whose configuration includes the
"tkey-gssapi-credential" option from starting.
Remove the offending conditional definition of the GSS_SPNEGO_MECHANISM
preprocessor macro from lib/dns/include/dst/gssapi.h, so that a proper
GSSAPI OID is assigned to that macro in lib/dns/gssapictx.c when the
Kerberos/GSSAPI library used does not define it.
Michał Kępień [Fri, 16 Apr 2021 12:40:06 +0000 (14:40 +0200)]
Roll back unnecessary libtool updates
Commit 7f08c756aa54d10a71bdf8242479ffeb82e52396 inadvertently included
libtool updates which were unrelated to the removal of custom SPNEGO
code. Roll these updates back to avoid confusion.
Michał Kępień [Thu, 8 Apr 2021 08:33:44 +0000 (10:33 +0200)]
Free resources when gss_accept_sec_context() fails
Even if a call to gss_accept_sec_context() fails, it might still cause a
GSS-API response token to be allocated and left for the caller to
release. Make sure the token is released before an early return from
dst_gssapi_acceptctx().
Michał Kępień [Wed, 7 Apr 2021 20:31:09 +0000 (22:31 +0200)]
Fix triggering rules for the "tarball-create" job
Commit de35d321f03799c6ca723121d97af6ff82611ef4 (a backport of commit 4d5d3b75da12a6e4c1180bc003d88badf52cb514) did not account for the fact
that the "tarball-create" GitLab CI job is not created for manually
triggered pipelines. This prevents manual pipeline creation from
succeeding as it causes the "gcc:tarball" job to have unsatisfied
dependencies. Make sure the "tarball-create" job is created for
manually triggered pipelines to allow such pipelines to be started
again.
Diego Fronza [Wed, 7 Apr 2021 13:48:12 +0000 (10:48 -0300)]
Resolve TSAN data race in zone_maintenance
Fix a race between the zone_maintenance and dns_zone_notifyreceive
functions: zone_maintenance was attempting to read a zone flag by calling
DNS_ZONE_FLAG(zone, flag) while dns_zone_notifyreceive was updating
a flag in the same zone by calling DNS_ZONE_SETFLAG(zone, ...).
The code reading the flag in zone_maintenance was not protected by the
zone's lock; to avoid the race, the zone's lock is now acquired
before an attempt to read the zone flag is made.
Ondřej Surý [Wed, 31 Mar 2021 12:01:48 +0000 (14:01 +0200)]
Move the dummy shims to single ifndef GSSAPI block
Previously, every function had its own #ifdef GSSAPI #else #endif block
that defined a shim function in case GSSAPI was not being used. Now the
dummy shim functions have been split out into a single #else #endif block
at the end of the file.
This makes the gssapictx.c similar to 9.17.x code, making the backports
and reviews easier.
Mark Andrews [Wed, 20 Jan 2021 23:59:14 +0000 (10:59 +1100)]
Add Heimdal compatibility support
The Heimdal Kerberos library handles the OID sets in a different manner.
Unify the handling of the OID sets between MIT and Heimdal
implementations by dynamically creating the OID sets instead of using a
static predefined set. This is how upstream recommends handling the
OID sets.
Mark Andrews [Wed, 20 Jan 2021 02:55:43 +0000 (13:55 +1100)]
Remove custom ISC SPNEGO implementation
The custom ISC SPNEGO mechanism implementation is no longer needed on
the basis that all major Kerberos 5/GSSAPI (mit-krb5, heimdal and
Windows) implementations have supported the SPNEGO mechanism since 2006.
This commit removes the custom ISC SPNEGO implementation, and removes
the option from both autoconf and win32 Configure script. Unknown
options are being ignored, so this doesn't require any special handling.
Mark Andrews [Wed, 20 Jan 2021 02:53:50 +0000 (13:53 +1100)]
Handle expected signals in tsiggss authsock.pl script
When the authsock.pl script would be terminated with a signal,
it would leave the pidfile around. This commit adds a signal
handler that cleans up the pidfile on signals that are expected.
Michal Nowak [Wed, 31 Mar 2021 08:20:35 +0000 (10:20 +0200)]
Run gcc:tarball CI job in web-triggered pipelines
The gcc:tarball CI job may identify problems with tarballs created by
"make dist" of the tarball-create CI job. Enabling the gcc:tarball CI
job in web-triggered pipelines provides developers with a test vector.
Michal Nowak [Mon, 22 Feb 2021 12:50:11 +0000 (13:50 +0100)]
Initialize checknames field in dns_view_create()
The 'checknames' field wasn't initialized in dns_view_create(), but it
should be; otherwise AddressSanitizer identifies the following runtime
error in query_test.c:
runtime error: load of value 190, which is not a valid value for type '_Bool'
Michal Nowak [Tue, 16 Feb 2021 10:33:58 +0000 (11:33 +0100)]
Prevent Git from expanding $systest
CentOS 8 "git status" unexpectedly expands search directory "tsig" to
also search in the "tsiggss" directory, thus incorrectly identifying
files as "not removed" in the "tsig" directory:
$ git status -su --ignored tsig
$ touch tsiggss/ns1/{named.run,named.memstats}
$ git status -su --ignored tsig
!! tsiggss/ns1/named.memstats
!! tsiggss/ns1/named.run
Michał Kępień [Wed, 17 Feb 2021 22:01:29 +0000 (23:01 +0100)]
Add doc/arm/notes-9.11.29.xml to util/copyrights
Commit 81446d61c3554c07f41c3b502266d5dfa2e77fcf did not update
util/copyrights as it should have. Add the missing line to prevent the
"misc" GitLab CI job from failing.