Michał Kępień [Tue, 7 Sep 2021 07:28:48 +0000 (09:28 +0200)]
Update release checklist
Add an item to the release checklist to make sure regression tests
reproducing publicly disclosed security issues are eventually merged
into each maintained branch.
Document caveats related to single source port in the ARM
Discourage the single source port on a general level and document that the
source port cannot be the same as the listening port. This applies to
query-source, transfer-source, notify-source, parental-source, and their
respective IPv6 counterparts.
check port in *-source and *-source-v6 options in named.conf
- when transfer-source(-v6), query-source(-v6), notify-source(-v6)
or parental-source(-v6) are specified with a port number, issue a
warning.
- when the port specified is the same as the DNS listener port (i.e.,
53, or whatever was specified as "port" in "options"), issue a fatal
error.
- check that "port" is in range. (previously this was only checked
by named, not by named-checkconf.)
- added checkconf tests.
- incidental fix: removed dead code in check.c:bind9_check_namedconf().
(note: if the DNS port is specified on the command line with "named -p",
that is not conveyed to libbind9, so these checks will not take it into
account.)
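An added named.conf fragment (not from the commits above; addresses are constructed documentation values) showing which *-source settings the checks described in the two commits above treat as fatal, as a warning, and as clean:

```conf
options {
	port 53;                    // the DNS listener port

	// Fatal in named-checkconf: the source port equals the listener port.
	// query-source address 192.0.2.1 port 53;

	// Also rejected: the port is outside the valid range (0-65535).
	// notify-source 192.0.2.1 port 70000;

	// Warning: a fixed source port is discouraged (it forgoes
	// source port randomization).
	// transfer-source 192.0.2.1 port 5300;

	// Clean: give only the address; named chooses a random source port.
	query-source address 192.0.2.1;
	transfer-source 192.0.2.1;
	notify-source 192.0.2.1;
	query-source-v6 address 2001:db8::1;
};
```

Note that a "named -p" port given on the command line is not seen by these checks, as the commit above states.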
Adjust system forward test to also use IPv6 addresses
The ns3->ns2 forwarding is now done using the IPv6 addresses, so we also
test that the query-source-v6 address is still operational after removal
of interface adjustment.
Remove the code to adjust listening interfaces for *-source-v6
Previously, named would run with a configuration
where *-source-v6 (notify-source-v6, transfer-source-v6 and
query-source-v6) address and port could be simultaneously used for
listening. This is no longer true for BIND 9.16+ and the code that
would do interface adjustments would unexpectedly disable listening on
TCP for such interfaces.
This commit removes the code that would adjust listening interfaces
for addresses/ports configured in *-source-v6 option.
Disable softhsm2.4 and softhsm2.6 builds and tests from the CI
Until we have a system test that would directly test the engine_pkcs11
integration, we need to disable the system tests that enabled native
PKCS#11 in the CI because it's currently broken.
Ondřej Surý [Thu, 20 May 2021 14:26:53 +0000 (16:26 +0200)]
Remove native PKCS#11 support
The native PKCS#11 support has been removed in favour of the better
maintained, more performant and easier to use OpenSSL PKCS#11 engine
from the OpenSC project.
when "checking lame server clients are dropped below the hard limit",
periodically a query is sent for a name for which the server is
authoritative, to verify that legitimate queries can still be
processed while the server is dealing with a flood of lame delegation
queries. those queries used the same dig options as elsewhere in the
fetchlimit test, including "+tries=1 +timeout=1". on slow systems, a
1-second timeout may be insufficient to get an answer even if the server
is behaving well. this commit increases the timeout for the check
queries to 2 seconds in hopes that will be enough to eliminate test
failures in CI.
Mark Andrews [Thu, 2 Sep 2021 05:28:45 +0000 (15:28 +1000)]
Update sig-validity-interval description
Document that the interval on new RRSIG records is randomly
chosen between the limits specified by sig-validity-interval.
Document the operations when this occurs.
Evan Hunt [Tue, 24 Aug 2021 19:22:32 +0000 (12:22 -0700)]
map files over 2GB could not be loaded
- fixed a size comparison using "signed int" that failed if the file
size was more than 2GB, since that was treated as a negative number.
- incidentally renamed deserialize32() to just deserialize(). we no
longer have separate 32 and 64 bit rbtdb implementations.
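An added illustration (not BIND's code; the header layout and function names are constructed) of the class of bug the commit above fixes, a 64-bit file size narrowed to a signed 32-bit int before a size comparison, with the corrected check beside it:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed loader check: a map file must hold at least a fixed
 * header plus data_len bytes of serialized data, or it is rejected.
 */
#define HEADER_LEN 64u /* constructed header size in bytes */

/*
 * Before the fix: the 64-bit file size (st_size) is narrowed to a signed
 * 32-bit int. Any file of 2 GiB or more wraps to a negative value
 * (two's-complement wrap, as gcc/clang implement it), so a perfectly
 * good file is rejected as "too small".
 */
static bool
map_size_ok_buggy(uint64_t st_size, uint32_t data_len) {
	int filesize = (int)(uint32_t)st_size; /* truncated and signed */
	int expected = (int)(HEADER_LEN + data_len);
	return filesize >= expected;
}

/*
 * After the fix: compare in a 64-bit unsigned type that can represent
 * the real file size, and compute the expected length in the same width
 * so the addition cannot wrap either.
 */
static bool
map_size_ok_fixed(uint64_t st_size, uint32_t data_len) {
	uint64_t expected = (uint64_t)HEADER_LEN + data_len;
	return st_size >= expected;
}

int
main(void) {
	uint64_t big = UINT64_C(3) << 30; /* a 3 GiB map file */
	uint32_t len = 1u << 20;          /* 1 MiB of serialized data */
	printf("3 GiB file, buggy check: %s\n",
	       map_size_ok_buggy(big, len) ? "accepted" : "rejected");
	printf("3 GiB file, fixed check: %s\n",
	       map_size_ok_fixed(big, len) ? "accepted" : "rejected");
	return 0;
}
```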
Re-enable some TLS-related options for non-DoH builds
This commit fixes a regression introduced at ea80bcc41c933efaf4572a36c961913a6e8a58b0. Some options, which are
common to both DoH and DoT were mistakenly disabled for non-DoH
builds. That is a mistake, because DoH does not imply DoT and vice
versa. Not fixing this would make DoT functionality not accessible
without DoH.
This commit modifies the MTU of the loopback interface on
Linux systems to 1500, so that oversized UDP packets can
trigger EMSGSIZE errors, and tests that named handles
such errors correctly.
Note that the loopback MTU size has not yet been modified
for other platforms.
Artem Boldariev [Thu, 12 Aug 2021 09:42:13 +0000 (12:42 +0300)]
Extend the doth system test with IPv6 support [GL #2861]
This commit ensures that DoH (and DoT) functionality works well via
IPv6 as well.
The changes were made because it turned out that dig could not make
DoH queries against an IPv6 IP address. These tests ensure that such a
bug will not remain unnoticed.
The commit also increases the servers' startup timeout to 25 seconds
because the initial timeout of 14 seconds was too short to generate
(!) eight 4096 bit ephemeral RSA certificates on a heavily loaded CI
runner in some pipeline runs.
Artem Boldariev [Thu, 12 Aug 2021 07:18:26 +0000 (10:18 +0300)]
Make dig generate DoH URI using isc_nm_http_makeuri()
This commit replaces ad-hoc code for DoH connect URI construction with
isc_nm_http_makeuri(), making it handle IPv6 addresses properly (among
other things).
Evan Hunt [Thu, 12 Aug 2021 20:51:47 +0000 (13:51 -0700)]
clean up dns_client API
- removed unused functions
- changed some public functions to static that are never called
from outside client.c
- removed unused types and function prototypes
- renamed dns_client_destroy() to dns_client_detach()
Ondřej Surý [Tue, 1 Oct 2019 07:47:19 +0000 (09:47 +0200)]
Remove support for external applications to register libisc
The previous versions of BIND 9 exported its internal libraries so that
they could be used by third-party applications more easily. Certain
library functions were altered from specific BIND-only behavior to more
generic behavior when used by other applications.
This commit removes the function isc_lib_register() that was used by
external applications to enable the functionality.
Petr Špaček [Thu, 19 Aug 2021 17:54:44 +0000 (19:54 +0200)]
increase MAPAPI
bump the map zonefile version number to avoid an assertion
failure when loading map files from versions of BIND prior to
the most recent change to the in-memory structure of zone
databases.
test server now has tcp-idle-timeout set to 5 seconds and
tcp-keepalive-timeout set to 7, so queries that follow a 6-second sleep
should either succeed or fail depending on whether the keepalive option
was sent.
replace per-protocol keepalive functions with a common one
this commit removes isc__nm_tcpdns_keepalive() and
isc__nm_tlsdns_keepalive(); keepalive for these protocols and
for TCP will now be set directly from isc_nmhandle_keepalive().
protocols that have an underlying TCP socket (i.e., TLS stream
and HTTP) now have protocol-specific routines, called by
isc_nmhandle_keepalive(), to set the keepalive value on the
underlying socket.
Evan Hunt [Tue, 3 Nov 2020 02:33:20 +0000 (18:33 -0800)]
enable keepalive when the keepalive EDNS option is seen
previously, receiving a keepalive option had no effect on how
long named would keep the connection open; there was a place to
configure the keepalive timeout but it was never used. this commit
corrects that.
this also fixes an error in isc__nm_{tcp,tls}dns_keepalive()
in which the sense of a REQUIRE test was reversed; previously this
error had not been noticed because the functions were not being
used.
Evan Hunt [Tue, 3 Nov 2020 02:33:20 +0000 (18:33 -0800)]
cleanup netmgr-int.h
- fix some duplicated and out-of-order prototypes declared in
netmgr-int.h
- rename isc_nm_tcpdns_keepalive to isc__nm_tcpdns_keepalive as
it's for internal use
Diego Fronza [Fri, 26 Jun 2020 21:53:04 +0000 (18:53 -0300)]
Remove redundant function 'newchain'
The removed function 'newchain(a, b)' was almost the same as calling
!chain_equal(a, b), varying only in the amount of data compared
in the non-fixed-length data portion of given chain nodes.
A third argument 'data_size' has been introduced into 'chain_equal'
function in order to allow it to know how many bytes to compare in the
variable-length data portion of the chain nodes.
A helper function 'chain_length(e)' has been introduced to allow
easy calculation of the total length of the non-fixed-length data part
of chain nodes.
Check the thread below for more details:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12184
Diego Fronza [Thu, 18 Jun 2020 20:23:27 +0000 (17:23 -0300)]
Initialize buffers with { 0 } instead of memset
More details on threads:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12178
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12181
Artem Boldariev [Fri, 20 Aug 2021 10:44:23 +0000 (13:44 +0300)]
Make no assumptions regarding HTTP headers processing order
This commit changes the DoH code in such a way that it makes no
assumptions regarding which headers are expected to be processed
first. In particular, the code expected the :method: pseudo-header to
be processed early, which might not be true.