Evan Hunt [Sat, 3 Nov 2018 18:33:27 +0000 (11:33 -0700)]
support dns64 modules in multiple views
- add a test with two dns64 configurations in separate views.
- set up a single SDB _dns64 implementation only once on the first
load of the dns64 module, and tear it down on the last unload;
this prevents a failure when attempting to register the SDB twice.
- in zone_free(), detach the view after detaching the zone database,
to prevent an occasional shutdown race in which the SDB implementation
was deleted before the zone was shut down.
Evan Hunt [Fri, 2 Nov 2018 04:46:49 +0000 (21:46 -0700)]
allow filter-aaaa and dns64 modules to be configured in either order
- this is done by having dns64 abort before ns_query_lookup() if the
client is already recursing.
- I'm not entirely satisfied with this solution: I would prefer the
modules to be totally independent, not to be written to make
allowances for each other. but it's an effective workaround.
Evan Hunt [Thu, 1 Nov 2018 17:11:26 +0000 (10:11 -0700)]
move dns64 SDB zone implementation into module
- remove _dns64 SDB implementation from bin/named/builtin.c
and add it to the dns64 module implementation. load and unload a copy
of the implementation for each instance of the dyndb module.
Evan Hunt [Thu, 1 Nov 2018 16:30:33 +0000 (09:30 -0700)]
revise dns64 module to support multiple module instances
- this enables the use of more than one dns64 block in the same named.conf.
instead of having a single hash table and memory pool shared by
all instances of dns64, set up unique ones for each instance and
store them in an instance structure which is passed to hook functions
as action_data.
- also removed some hook actions from dns64 that turned out not to be
needed.
Evan Hunt [Thu, 1 Nov 2018 16:06:51 +0000 (09:06 -0700)]
continue migration of dns64 code into module
- added a persistent-data memory pool to the module.
- removed dns64 fields from ns_client_t and query_ctx_t.
- removed DNS64 flags from client attributes.
Evan Hunt [Thu, 1 Nov 2018 15:53:49 +0000 (08:53 -0700)]
continue with implementation of dns64 as an external module
- namedconf.c now has dns64-related options flagged as obsolete.
- lib/dns/dns64.c and lib/dns/include/dns/dns64.h are gone. their
code has been migrated into bin/plugins/dns64.c, with corresponding
nomenclature changes, and some style cleanup.
- dns64-related fields have been removed from the dns_view struct.
- dns64 configuration parsing code has been moved from named into
the plugin module.
- checkconf tests have been removed from the dns64 system test
these will be restored later, when named-checkconf has been
modified to be able to load plugin modules and check their
configuration syntax.
- dns64-related configuration checks have been removed from
lib/bind9/check.c.
- zonemgr is now attached to the view so that modules will be able
to access it.
Evan Hunt [Thu, 1 Nov 2018 15:48:43 +0000 (08:48 -0700)]
move DNS64 implementation into an external module
- dns64 implementation has been moved from query.c to the dns64 module.
- the code in lib/dns/dns64.c has not yet been moved.
- the module does not yet parse dns64 options in named.conf; that's
still done by named.
- the module does not have persistent storage; we still use the client
object.
- made more functions globally accessible so they can be called from
modules: ns_query_lookup(), ns_query_addsoa(), ns_query_nodata(),
ns_query_ncache(), ns_query_setorder().
Evan Hunt [Thu, 1 Nov 2018 15:28:38 +0000 (08:28 -0700)]
simplification: search on rpz_st.p_name whenever RPZ is in use
- this is part of an effort to reduce interdependency between dns64 and
other features, so that dns64 can more easily be compartmentalized
into a module.
- this change keeps us from having to know whether dns64 is in use
when updating the name to be searched for in query_lookup() because
of RPZ processing. it seems to have no ill effects.
- also incorporated the test case from the CVE-2017-3135, which related
to simultaneous use of dns64 and rpz.
Ondřej Surý [Thu, 29 Aug 2019 08:29:53 +0000 (10:29 +0200)]
isc_event_allocate() cannot fail, remove the fail handling blocks
isc_event_allocate() calls isc_mem_get() to allocate the event structure. As
isc_mem_get() cannot fail softly (e.g. it never returns NULL), the
isc_event_allocate() cannot return NULL, hence we remove the (ret == NULL)
handling blocks using the semantic patch from the previous commit.
Evan Hunt [Wed, 28 Aug 2019 20:11:35 +0000 (13:11 -0700)]
use an rbtnodechain to walk up labels
when looking for a possible wildcard match in the RPZ summary database,
use an rbtnodechain to walk up label by label, rather than using the
node's parent pointer.
Ondřej Surý [Thu, 29 Aug 2019 12:27:19 +0000 (14:27 +0200)]
Make use of DAG for GitLab Pipelines
GitLab 12.2 has introduced Directed Acyclic Graphs in the GitLab CI[1] that
allow jobs to run out-of-order and not wait for the whole previous stage to
complete.
When updating the statistics for RRset types, if a header is marked
stale or ancient, the appropriate statistic counters are decremented,
then incremented.
Having the decrement/increment logic in stats makes the code hard
to follow. Remove it here and adjust the unit test. The caller
will be responsible for maintaining the correct increments and
decrements for statistics counters (in the following commit).
The stale RR types are now printed with '#'. This used to be the
prefix for RR types that were marked ancient, but commit df50751585b64f72d93ad665abf0f485c8941a3b changed the meaning. It is
probably better to keep '#' for stale RR types and introduce a new
prefix for reintroducing ancient type stat counters.
Michał Kępień [Mon, 12 Aug 2019 07:46:12 +0000 (09:46 +0200)]
Clarify relationship between ACLs and RPZ
In the ARM section about RPZ, add text explicitly stating that ACLs take
precedence over RPZ to prevent users from expecting RPZ actions to be
applied to queries coming from clients which are not permitted access to
the resolver by ACLs.
Evan Hunt [Wed, 7 Aug 2019 17:31:19 +0000 (10:31 -0700)]
update docbook grammar, removing dnssec-lookaside
- this required modification to the code that generates grammar text for
the documentation, because the "dnssec-lookaside" option spanned more
than one line in doc/misc/options, so grepping out only the lines
marked "// obsolete" didn't remove the whole option. this commit adds
an option to cfg_test to print named.conf clauses only if they don't
have the obsolete, ancient, test-only, or not-yet-implemented flags
set.
Michał Kępień [Thu, 8 Aug 2019 12:27:55 +0000 (14:27 +0200)]
Implement a convenience function for "rndc dumpdb"
Add a helper shell function, rndc_dumpdb(), which provides a convenient
way to call "rndc dumpdb" for a given server with optional additional
arguments. Since database dumping is an asynchronous process, the
function waits until the dump is complete before returning, which
prevents false positives in system tests caused by inspecting the dump
before its preparation is finished. The function also renames the dump
file before returning so that it does not get overwritten by subsequent
calls; this retains forensic data in case of an unexpected test failure.
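An added shell sketch of such a helper (example code written here, not the rndc_dumpdb() from BIND's own test harness): it assumes RNDC, RNDC_CONF and CONTROLPORT variables, takes the server's working directory and control address as arguments, and relies on named ending its dump file with the line "; Dump complete".

```shell
#!/bin/sh
# Added example, not BIND's conf.sh helper. Assumptions: the dump is
# written to "$1/named_dump.db", named terminates it with the trailer
# line "; Dump complete", and RNDC/RNDC_CONF/CONTROLPORT are set by the
# caller (defaults below are placeholders).

RNDC=${RNDC:-rndc}
RNDC_CONF=${RNDC_CONF:-rndc.conf}
CONTROLPORT=${CONTROLPORT:-9953}
DUMP_TIMEOUT=${DUMP_TIMEOUT:-10}   # seconds to wait for the trailer

# rndc_dumpdb <server-dir> <server-ip> [dumpdb options...]
# Requests a database dump, polls until the "; Dump complete" trailer is
# present (dumping is asynchronous), then renames the file to an unused
# numbered name so later calls cannot overwrite it. Prints the final
# path on stdout; returns 0 on success, 1 on rndc failure or timeout.
rndc_dumpdb() {
    _dir=$1; _ip=$2; shift 2
    _dump="$_dir/named_dump.db"
    rm -f "$_dump"
    "$RNDC" -c "$RNDC_CONF" -s "$_ip" -p "$CONTROLPORT" dumpdb "$@" \
        >/dev/null 2>&1 || return 1
    _i=0
    while [ "$_i" -lt "$DUMP_TIMEOUT" ]; do
        if [ -f "$_dump" ] && grep -q '^; Dump complete$' "$_dump"; then
            # keep every earlier dump: pick the first free suffix
            _n=1
            while [ -f "$_dump.$_n" ]; do _n=$((_n + 1)); done
            mv "$_dump" "$_dump.$_n" || return 1
            echo "$_dump.$_n"
            return 0
        fi
        _i=$((_i + 1))
        sleep 1
    done
    echo "rndc_dumpdb: dump not complete after ${DUMP_TIMEOUT}s" >&2
    return 1
}
```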
`pause` instruction exists only on `-mcpu=niagara4` (`T4`) and upper.
The change adds `pause` configure-time autodetection and uses it if available.
config.h.in got new `HAVE_SPARC_PAUSE` knob. Fallback is a fall-through no-op.