Artem Boldariev [Fri, 29 Oct 2021 15:43:40 +0000 (18:43 +0300)]
Be less strict regarding "tls" statements in the configuration file
In the 9.17.19 release "tls" statements verification code was
added. The code was too strict and assumed that every such a statement
should have both "cert-file" and "key-file" specified. This turned out
to be a regression, as in some cases we plan to use the "tls"
statement to specify TLS connection parameters.
This commit fixes this behaviour; now a "tls" statement should either
have both "cert-file" and "key-file" specified, or both should be
omitted.
Petr Špaček [Thu, 28 Oct 2021 12:26:09 +0000 (14:26 +0200)]
remove last remaining reference to _REENTRANT macro and fix DLZ example
It was used only as guard against unused variable declaration, but the
surrounding code depends on strtok_r being defined unconditionally, so
there is no point in guarding a variable.
Glibc documentation suggests it is obsolete anyway and e.g. Meson build
system decided to ignore it. It seems to be required only by old
Solaris compiler and OpenIndiana uses gcc.
Petr Špaček [Thu, 28 Oct 2021 14:39:20 +0000 (16:39 +0200)]
retain diff output if clang-format changes something
It's major PITA trying to guess what exactly clang-format has changed,
so how CI stores patch file with changes which can be applied locally if
needed.
Michał Kępień [Thu, 28 Oct 2021 12:03:04 +0000 (14:03 +0200)]
Disable PyLint warning C0209
PyLint 2.11 reports a new warning, C0209 (consider-using-f-string).
Since f-strings are only available in Python 3.6+, existing scripts
cannot be updated to use this feature just yet because they would stop
working with older Python versions. Instead, disable PyLint warning
C0209 for the time being. Sort all disabled warnings in .pylintrc.
Michał Kępień [Thu, 28 Oct 2021 10:05:58 +0000 (12:05 +0200)]
Move CHANGES entry for GL #2308
GL #2308 was originally referenced by CHANGES entry 5727. However, the
corresponding code change turned out to be flawed and had to be reverted
in BIND 9.17.19, causing CHANGES entry 5727 to be turned into a
placeholder on the release branch.
Commit 63145fb1d328eb66f9c786d2273bc2e3f6a3ecf5 subsequently addressed
the flaw, so the fix for GL #2308 will be included in BIND 9.17.20.
Move the relevant CHANGES entry to reflect that.
Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection. In this commit, we enable
the lame response detection even when the lame cache is disabled. This
enables stopping answer processing early rather than going through the
whole answer processing flow.
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
Aram Sargsyan [Wed, 6 Oct 2021 14:18:49 +0000 (14:18 +0000)]
Use OpenSSL version macro instead of function check
Unless being configured with the `no-deprecated` option, OpenSSL 3.0.0
still has the deprecated APIs present and will throw warnings during
compilation, when using them.
Make sure that the old APIs are being used only with the older versions
of OpenSSL.
Mark Andrews [Wed, 8 Sep 2021 06:31:56 +0000 (16:31 +1000)]
Use EVP_PKEY_eq() instead of deprected EVP_PKEY_cmp()
EVP_PKEY_eq() is the replacement with a smaller result range (0, 1)
instead of (-1, 0, 1). EVP_PKEY_cmp() is mapped to EVP_PKEY_eq() when
building with older versions of OpenSSL.
Use thinner shims for OpenSSL's EVP_MD_CTX_new() and EVP_MD_CTX_free()
The EVP_MD_CTX_new() and EVP_MD_CTX_free() functions are renamed APIs
which were previously available as EVP_MD_CTX_create() and
EVP_MD_CTX_destroy() respectively, which means that we can use them
instead of providing our own shim functions.
Use ERR_get_error_all() instead of deprecated ERR_get_error_line_data()
OpenSSL 3.0.0 deprecates the ERR_get_error_line_data() function.
Use ERR_get_error_all() instead of ERR_get_error_line_data() and create
a shim to use the old variant for the older OpenSSL versions which don't
have the newer ERR_get_error_all().
Use EVP_MD_CTX_get0_md() instead of deprecated EVP_MD_CTX_md()
OpenSSL 3.0.0 deprecates the EVP_MD_CTX_md() function.
Use EVP_MD_CTX_md() instead of EVP_MD_CTX_get0_md() and create a shim
to use the old variant for the older OpenSSL versions which don't have
the newer EVP_MD_CTX_get0_md().
Make the configure.ac script compatible with OpenSSL 3.0.0
OpenSSL 3.0.0 deprecates many low level API functions.
In preparation for the future support of linking BIND with OpenSSL 3.0.0
without the deprecated API functions, change the configure.ac script to
use functions which are available on all supported versions of OpenSSL
and LibreSSL.
Aram Sargsyan [Wed, 27 Oct 2021 19:52:05 +0000 (19:52 +0000)]
Add dst_key_pubcompare and dst_key_compare unit test
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.
dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.
dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
Mark Andrews [Wed, 22 Sep 2021 05:21:45 +0000 (15:21 +1000)]
Handle duplicate catalog zone entries gracefully
Duplicate catalog zone entries caused an assertion failure
in named during configuration. This is now a soft error
that is detected earlier by named and also by named-checkconf.
Matthijs Mekking [Wed, 20 Oct 2021 14:38:37 +0000 (16:38 +0200)]
Update tests to match new nsec3param default
Update the nsec3 system tests to use the new default values. Change
the policy for "nsec3-other" so that we still have a test case for
non-zero salt length.
Matthijs Mekking [Wed, 20 Oct 2021 14:36:11 +0000 (16:36 +0200)]
Change nsec3param default to iter 0 salt-length 0
When using 'nsec3param' in 'dnssec-policy' and no specific parameters
are provided, default to zero additional iterations and no salt, as
recommended by draft-ietf-dnsop-nsec3-guidance.
Michal Nowak [Thu, 18 Feb 2021 15:19:57 +0000 (16:19 +0100)]
Use Fedora image for GCC ASAN and TSAN CI jobs
For the sake of running ASAN and TSAN jobs with the latest stable GCC,
replace "base image" (Debian Buster with GCC 8.3.0) with Fedora 34 image
with GCC 11.
Mark Andrews [Thu, 21 Oct 2021 06:22:58 +0000 (17:22 +1100)]
Accept either 2 or 3 old versions of log file
Depending upon when the directory is sampled there may be 2
(oldest version removed and rename / reopen is in progresss) or
3 old versions of the log file.
Ondřej Surý [Wed, 20 Oct 2021 11:01:13 +0000 (13:01 +0200)]
Add missing DNS_ZONEFLG_DUMPING to setmodtime()
It was found, that the original commit adding the setmodtime() was
incompletely squashed and there was double check for
DNS_ZONEFLG_NEEDDUMP instead of check for DNS_ZONEFLG_NEEDDUMP and
DNS_ZONEFLG_DUMPING.
Change the duplicate check to DNS_ZONEFLG_DUMPING.
Evan Hunt [Tue, 19 Oct 2021 06:14:28 +0000 (23:14 -0700)]
add a system test with an ADB loop
Add a lame delegation to lame.example.org with only an A record
in the additional section; on failure, this will trigger a retry
with AAAA, which will loop. Test that dig returns SERVFAIL, in
addition to confirming that named doesn't hang on shutdown.
Evan Hunt [Wed, 6 Oct 2021 20:42:09 +0000 (13:42 -0700)]
check for loops in ADB finds
If an ADB find is started on behalf of a resolver fetch, and fails to
find any addresses but has a pending resolver fetch associated with it,
then we need to check whether the fetch it's waiting on is the one
that created it. If so, it can never finish and needs to be terminated.
Evan Hunt [Tue, 19 Oct 2021 00:57:58 +0000 (17:57 -0700)]
incidental cleanup
The NAME_FETCH_A and NAME_FETCH_AAAA macros were meant to be
boolean, indicating whether the pointers were set or not, while
the NAME_FETCH_V4 and NAME_FETCH_V6 macros were meant to return
the pointer values. The latter were only used as booleans, so
they've been removed in favor of the former.
Also did some style cleanup and removed an unreachable code block.
Evan Hunt [Wed, 20 Oct 2021 18:39:13 +0000 (11:39 -0700)]
don't set DNS_DISPATCHSTATE_CONNECTED until attaching handle
there was a race possible in which a dispatch was put into
the 'connected' state before it had a TCP handle attached,
which could cause an assertion failure in dns_dispatch_gettcp().
Ondřej Surý [Wed, 20 Oct 2021 10:06:09 +0000 (12:06 +0200)]
Add isc_time_add and isc_time_subtract unit test
The isc_time_add() and isc_time_subtract() didn't have a unit test, add
the unit test with couple of edge case vectors to check whether overflow
and underflow is correctly handled.
Ondřej Surý [Wed, 20 Oct 2021 09:22:52 +0000 (11:22 +0200)]
Use __builtin_*_overflow for isc_time_{add,subtract}()
Use the __builtin_uadd_overflow() and __builtin_usub_overflow() for
overflow checks in isc_time_add() and isc_time_subtract(). This
generates more efficient and safe code.
Evan Hunt [Tue, 19 Oct 2021 18:34:52 +0000 (11:34 -0700)]
fix qmin system test
The qmin system test was printing spurious output. On investigation,
the test case turned out to be both broken and ineffective: its
expectations were wrong, and it was printing the output because its
wrong expectations were not met, and those failed expectations were
not causing a test failure. All of this has been corrected.
Petr Mensik [Fri, 15 Oct 2021 20:07:53 +0000 (22:07 +0200)]
Enable building documentation with Sphinx < 2.0.0
The ReferenceRole class is only available in Sphinx >= 2.0.0, which
makes building BIND 9 documentation impossible with older Sphinx
versions:
Running Sphinx v1.7.6
Configuration error:
There is a programable error in your configuration file:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/sphinx/config.py", line 161, in __init__
execfile_(filename, config)
File "/usr/lib/python3.6/site-packages/sphinx/util/pycompat.py", line 150, in execfile_
exec_(code, _globals)
File "conf.py", line 21, in <module>
from sphinx.util.docutils import ReferenceRole
ImportError: cannot import name 'ReferenceRole'
Work around the problem by defining a stub version of the ReferenceRole
class if the latter cannot be imported. This allows documentation
(without GitLab hyperlinks in release notes) to be built with older
Sphinx versions.
projects / thirdparty / bind9.git / log
