Ondřej Surý [Mon, 13 May 2019 05:17:21 +0000 (12:17 +0700)]
Add most useful relaxed and acquire-relase stdatomic convenience macros
The header file <isc/atomic.h> now contains convenience macros for
most useful explicit memory ordering for C11 stdatomics, only relaxed
and acquire-release semantics is being used. These macros SHOULD be
used instead of atomic_<func>_explicit functions.
Michał Kępień [Wed, 24 Apr 2019 09:17:15 +0000 (11:17 +0200)]
Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
Ondřej Surý [Fri, 10 May 2019 02:29:00 +0000 (09:29 +0700)]
Improve the error message about missing PLY Python package
Previously, only a message about missing Python was printed, which was
misleading to many users. The new message clearly states that Python
AND PLY is required and prints basic instructions how to install PLY
package.
Tony Finch [Mon, 4 Feb 2019 13:46:51 +0000 (13:46 +0000)]
Deprecate SHA-1 in `dnssec-checkds`
This changes the behaviour so that it explicitly lists DS records that
are present in the parent but do not have keys in the child. Any
inconsistency is reported as an error, which is somewhat stricter than
before.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
Tony Finch [Thu, 31 Jan 2019 17:05:57 +0000 (17:05 +0000)]
Deprecate SHA-1 in `dnssec-dsfromkey`
This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)
The default is now `-2`. You can get the old behaviour with `-12`.
Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
Mark Andrews [Fri, 1 Mar 2019 02:46:48 +0000 (13:46 +1100)]
dns_rdata_fromwire_text fuzzer
Fuzz input to dns_rdata_fromwire(). Then convert the result
to text, back to wire format, to multiline text, and back to wire
format again, checking for consistency throughout the sequence.
Evan Hunt [Thu, 31 Jan 2019 02:16:07 +0000 (18:16 -0800)]
move the test lists into conf.sh.common
there is now a common list of tests in conf.sh.common, with the
tests that are either unique to windows or to unix, or which are
enabled or disabled by configure or Configure, being listed in
separate variables in conf.sh.in and conf.sh.win32.
Evan Hunt [Sat, 26 Jan 2019 18:36:47 +0000 (10:36 -0800)]
enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.
Michał Kępień [Fri, 26 Apr 2019 18:38:02 +0000 (20:38 +0200)]
Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do. When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems. This environment variable is then used by system test scripts
for handling this discrepancy properly.
In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:
In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.
To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.
Michał Kępień [Fri, 26 Apr 2019 09:05:56 +0000 (11:05 +0200)]
Make root zone data match root hints
In the "allow-query" system test, ns3 uses a root hints file which
contains a single entry for a.root-servers.nil (10.53.0.1). This name
is not present in the root zone served by ns1, which means querying it
for that name and any type will yield an NXDOMAIN response. When
combined with unfavorable thread scheduling, this can lead to ns3
caching an NXDOMAIN response for the only root server it is aware of and
thus to false positives for the "allow-query" system test caused by ns3
returning unexpected SERVFAIL responses. Fix by modifying the root zone
served by ns1 so that authoritative responses to a.root-servers.nil
queries match the root hints file used by ns3.
Evan Hunt [Fri, 22 Feb 2019 22:53:30 +0000 (14:53 -0800)]
restore allowance for tcp-clients < interfaces
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.
we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.
Evan Hunt [Wed, 6 Feb 2019 19:27:11 +0000 (11:27 -0800)]
refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
for new connections on the interface, we can now force attachment to the
quota using isc_quota_force(), instead of carrying on with the quota not
attached.
- the TCP client quota is now referenced via a reference-counted
'ns_tcpconn' object, one of which is created whenever a client begins
listening for new connections, and attached to by members of that
client's pipeline group. when the last reference to the tcpconn
object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function
- convert counters to stdatomic
Evan Hunt [Wed, 6 Feb 2019 19:26:36 +0000 (11:26 -0800)]
better tcpquota accounting and client mortality checks
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
carry this value on to new clients sharing the same pipeline group.
don't call isc_quota_detach() on the tcpquota unless tcpattached is
set. this way clients that were allowed to accept TCP connections
despite being over quota (and therefore, were never attached to the
quota) will not inadvertently detach from it and mess up the
accounting.
- simplify the code for tcpquota disconnection by using a new function
tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
exhaustion, check to see whether there are at least two active
clients. previously, this was "at least one", but that could be
insufficient if there was one other client in READING state (waiting
for messages on an open connection) but none in READY (listening
for new connections).
- before deciding whether a TCP client object can to go inactive, we
must ensure there are enough other clients to maintain service
afterward -- both accepting new connections and reading/processing new
queries. A TCP client can't shut down unless at least one
client is accepting new connections and (in the case of pipelined
clients) at least one additional client is waiting to read.
Witold Kręcicki [Fri, 4 Jan 2019 11:50:51 +0000 (12:50 +0100)]
tcp-clients could still be exceeded (v2)
the TCP client quota could still be ineffective under some
circumstances. this change:
- improves quota accounting to ensure that TCP clients are
properly limited, while still guaranteeing that at least one client
is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
was no longer needed
- adds comments
Witold Kręcicki [Thu, 3 Jan 2019 13:17:43 +0000 (14:17 +0100)]
fix enforcement of tcp-clients (v1)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.
If TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.
Matthijs Mekking [Tue, 26 Feb 2019 14:55:29 +0000 (15:55 +0100)]
Fix nxdomain-redirect assertion failure
- Always set is_zonep in query_getdb; previously it was only set if
result was ISC_R_SUCCESS or ISC_R_NOTFOUND.
- Don't reset is_zone for redirect.
- Style cleanup.
projects / thirdparty / bind9.git / log
