Witold Kręcicki [Thu, 21 May 2020 12:31:09 +0000 (14:31 +0200)]
Fix a data access race in resolver
We were passing client address to dns_resolver_createfetch as a pointer
and it was saved as a pointer. The client (with its address) could be
gone before the fetch is finished, and in a very odd scenario
log_formerr would call isc_sockaddr_format() which first checks if the
address family is valid (and at this point it still is), then the
sockaddr is cleared, and then isc_netaddr_fromsockaddr is called which
fails an assertion as the address family is now invalid.
Michal Nowak [Thu, 4 Jun 2020 17:02:27 +0000 (19:02 +0200)]
Fix "make dist"
Make various adjustments necessary to enable "make dist" to build a BIND
source tarball whose contents are complete enough to build binaries, run
unit & system tests, and generate documentation on Unix systems.
Known outstanding issues:
- "make distcheck" does not work yet.
- Tests do not work for out-of-tree source-tarball-based builds.
- Source tarballs are not complete enough for building on Windows.
Michal Nowak [Thu, 4 Jun 2020 16:53:47 +0000 (18:53 +0200)]
Get rid of "helper" *.c files
Merge lib/isc/unix/ifiter_getifaddrs.c into lib/isc/unix/interfaceiter.c
and lib/isc/xoshiro128starstar.c into lib/isc/random.c. This avoids the
need for extra Automake directives required to process the "helper" *.c
files properly and makes the code more localized.
Michał Kępień [Fri, 5 Jun 2020 11:19:49 +0000 (13:19 +0200)]
Refactor lib/isc/fsaccess.c
Turn the static check_bad_bits() function used by both Unix and Windows
systems into a "private" function and extract the "private" parts of
lib/isc/fsaccess.c to lib/isc/fsaccess_common_p.h. Instead of including
lib/isc/fsaccess.c from lib/isc/{unix,win32}/fsaccess.c, make the former
an independent C source file.
Rename lib/isc/fsaccess.c to lib/isc/fsaccess_common.c to prevent build
issues on Windows caused by multiple source files (lib/isc/fsaccess.c,
lib/isc/win32/fsaccess.c) being compiled into the same object file.
These changes improve consistency with the way "private" functions and
macros are treated elsewhere in the source tree.
Mark Andrews [Tue, 17 Mar 2020 04:25:47 +0000 (15:25 +1100)]
Verify the question section when transfering in.
There was a case where an primary server sent a response
on the wrong TCP connection and failure to check the question
section resulted in a truncated zone being served.
Mark Andrews [Tue, 28 Apr 2020 05:37:19 +0000 (15:37 +1000)]
Reject primary zones with an DS record at the zone apex.
DS records only belong at delegation points and if present
at the zone apex are invariably the result of administrative
errors. Additionally they can't be queried for with modern
resolvers as the parent servers will be queried.
Mark Andrews [Fri, 29 May 2020 06:12:50 +0000 (16:12 +1000)]
Preserve PATH and LD_LIBRARY_PATH when calling make
When ./run.sh <test> is invoked, it acts as a wrapper around
`env - TESTS="<test>" make -e check` to preserve the ability to build
files defined only in the `check` target. Unfortunately, cleaning the
full environment had a side-effect of some tests failing due to missing
binaries and libraries. We now preserve the two most important
variables - PATH and LD_LIBRARY_PATH.
Michał Kępień [Thu, 4 Jun 2020 12:11:46 +0000 (14:11 +0200)]
Embed SoftHSM version in CI job names
To indicate the SoftHSM version used in each CI job while avoiding the
need to add another token to job names, replace "pkcs11" with
"softhsm2.4" and "fedora31:amd64" with "softhsm2.6".
Michał Kępień [Thu, 4 Jun 2020 12:11:46 +0000 (14:11 +0200)]
Make Fedora CI jobs PKCS#11-enabled
Various SoftHSM versions differ in algorithm support. Since Fedora
tends to have the latest SoftHSM version available in its stock package
repositories, enable PKCS#11 support in Fedora jobs to test multiple
SoftHSM versions in GitLab CI.
Michal Nowak [Fri, 22 May 2020 13:44:27 +0000 (15:44 +0200)]
Revise installation locations for BIND binaries
Move BIND binaries which are neither daemons nor administrative programs
to $bindir. This results in only the following binaries being left in
$sbindir:
- ddns-confgen
- named
- rndc
- rndc-confgen
- tsig-confgen
Petr Mensik [Fri, 27 Mar 2020 20:03:40 +0000 (21:03 +0100)]
Delay kserver cleanup until all tasks finishes
It might be possible some pending task would run when kserver is already
cleaned up. Postpone gsstsig structures cleanup after task and timer
managers are destroyed. No pending threads are possible after it.
Make action in maybeshutdown only if doshutdown was not already called.
Might be called from getinput event.
Ondřej Surý [Thu, 4 Jun 2020 09:09:27 +0000 (11:09 +0200)]
Stop building release notes as a separate sphinx-doc document
The release notes were previously built as a separate document
(including the PDF version). It was agreed that this doesn't make much
sense, so the release notes are now included only as an appendix to the
BIND 9 ARM.
This includes reorganization of the lists of RFCs supported by BIND 9.
I included all the RFCs and notes from the list identified by Vicky in
any DNS-related RFCs written by current ISC engineers, on the assumption
that BIND would comply with them.
Witold Kręcicki [Tue, 2 Jun 2020 08:39:05 +0000 (10:39 +0200)]
isc_uv_import must pass UV__IPC_SOCKET_XFER_TCP_CONNECTION, not SERVER.
As a leftover from old TCP accept code isc_uv_import passed TCP_SERVER
flag when importing a socket on Windows.
Since now we're importing/exporting accepted connections it needs to
pass TCP_CONNECTION flag.
Michał Kępień [Wed, 3 Jun 2020 13:45:28 +0000 (15:45 +0200)]
Prevent invalid warnings about missing identifiers
The Danger script inspects differences between the current version of a
given merge request's target branch and the merge request branch. If
the latter falls behind the former, the Danger script will wrongly warn
about missing GitLab/RT identifiers because it incorrectly treats the
"+++" diff marker as an indication of the merge request adding new lines
to a file. Tweak the relevant conditional expression to prevent such
invalid warnings from being raised.
Michał Kępień [Wed, 3 Jun 2020 13:45:28 +0000 (15:45 +0200)]
Make fetching target branch reliable
As GitLab Runner Docker executor caches Git repositories between jobs,
prevent the Danger script from attempting to update local refs to ensure
"git fetch" returns with an exit code of 0. Use the FETCH_HEAD ref for
determining the differences between the merge request branch and its
target branch.
Michał Kępień [Wed, 3 Jun 2020 13:45:28 +0000 (15:45 +0200)]
Tweak condition for missing log message warning
Commits adding CHANGES entries and/or release notes do not need a commit
log message. Do not warn about a missing commit log message for such
commits to make the warning more meaningful.
Ondřej Surý [Wed, 3 Jun 2020 09:01:19 +0000 (11:01 +0200)]
Don't check the result of setting SO_INCOMING_CPU
The SO_INCOMING_CPU is available since Linux 3.19 for getting the value,
but only since Linux 4.4 for setting the value (see below for a full
description). BIND 9 should not fail when setting the option on the
socket fails, as this is only an optimization and not hard requirement
to run BIND 9.
SO_INCOMING_CPU (gettable since Linux 3.19, settable since Linux 4.4)
Sets or gets the CPU affinity of a socket. Expects an integer flag.
int cpu = 1;
setsockopt(fd, SOL_SOCKET, SO_INCOMING_CPU, &cpu, sizeof(cpu));
Because all of the packets for a single stream (i.e., all
packets for the same 4-tuple) arrive on the single RX queue that
is associated with a particular CPU, the typical use case is to
employ one listening process per RX queue, with the incoming
flow being handled by a listener on the same CPU that is
handling the RX queue. This provides optimal NUMA behavior and
keeps CPU caches hot.
Ondřej Surý [Wed, 27 May 2020 15:48:39 +0000 (17:48 +0200)]
Reduce the default value for max-stale-ttl from 1 week to 12 hours
Originally, the default value for max-stale-ttl was 1 week, which could
and in some scenarios lead to cache exhaustion on a busy resolvers.
Picking the default value will always be juggling between value that's
useful (e.g. keeping the already cached records after they have already
expired and the upstream name servers are down) and not bloating the
cache too much (e.g. keeping everything for a very long time). The new
default reflects what we think is a reasonable to time to react on both
sides (upstream authoritative and downstream recursive).
Matthijs Mekking [Thu, 14 May 2020 13:36:13 +0000 (15:36 +0200)]
If prepub > retire, prepub now
Catch a case where if the prepublication time of the successor key
is later than the retire time of the predecessor. If that is the
case we should prepublish as soon as possible, a.k.a. now.
Matthijs Mekking [Thu, 14 May 2020 13:34:13 +0000 (15:34 +0200)]
Put new key rollover logic in separate function
The `dns_keymgr_run()` function became quite long, put the logic
that looks if a new key needs to be created (start a key rollover)
in a separate function.
Matthijs Mekking [Thu, 14 May 2020 13:06:54 +0000 (15:06 +0200)]
Fix bug in keymgr_key_has_successor
The logic in `keymgr_key_has_successor(key, keyring)` is flawed, it
returns true if there is any key in the keyring that has a successor,
while what we really want here is to make sure that the given key
has a successor in the given keyring.
Rather than relying on `keymgr_key_exists_with_state`, walk the
list of keys in the keyring and check if the key is a successor of
the given predecessor key.
Matthijs Mekking [Mon, 11 May 2020 13:12:32 +0000 (15:12 +0200)]
Test keytimes on CSK rollover
This improves keytime testing on CSK rollover. It now
tests for specific times, and also tests for SyncPublish and
Removed keytimes.
Since an "active key" for ZSK and KSK means something
different, this makes it tricky to decide when a CSK is
active. An "active key" intuitively means the key is signing
so we say a CSK is active when it is creating zone signatures.
This change means a lot of timings for the CSK rollover tests
need to be adjusted.
The keymgr code needs a slight change on calculating the
prepublication time: For a KSK we need to include the parent
registration delay, but for CSK we look at the zone signing
property and stick with the ZSK prepublication calculation.
This commit adds testing keytiming metadata. In order to facilitate
this, the kasp system test undergoes a few changes:
1. When finding a key file, rather than only saving the key ID,
also save the base filename and creation date with `key_save`.
These can be used later to set expected key times.
2. Add a test function `set_addkeytime` that takes a key, which
keytiming to update, a datetime in keytiming format, and a number
(seconds) to add, and sets the new time in the given keytime
parameter of the given key. This is used to set the expected key
times.
3. Split `check_keys` in `check_keys` and `check_keytimes`. First we
need to find the keyfile before we can check the keytimes.
We need to retrieve the creation date (and sometimes other
keytimes) to determine the other expected key times.
4. Add helper functions to set the expected key times per policy.
This avoids lots of duplication.
Check for keytimes for the first test cases (all that do not cover
rollovers).
Using dnssec-setttime after dnssec-keygen in the kasp system test
can lead to off by one second failures, so reduce the usage of
dnssec-settime in the setup scripts. This commit deals with
setting the key rollover relationship (predecessor/successor).
In the kasp system test, we are going to set the keytimes on
dnssec-keygen so we can test them against the key creation time.
This prevents off by one second in the test, something that can
happen if you set those times with dnssec-settime after
dnssec-keygen.
While kasp relies on key states to determine when a key needs to
be published or be used for signing, the keytimes are used by
operators to get some expectation of key publication and usage.
Update the code such that these keytimes are set appropriately.
That means:
- Print "PublishCDS" and "DeleteCDS" times in the state files.
- The keymgr sets the "Removed" and "PublishCDS" times and derives
those from the dnssec-policy.
- Tweak setting of the "Retired" time, when retiring keys, only
update the time to now when the retire time is not yet set, or is
in the future.
This also fixes a bug in "keymgr_transition_time" where we may wait
too long before zone signatrues become omnipresent or hidden. Not
only can we skip waiting the sign delay Dsgn if there is no
predecessor, we can also skip it if there is no successor.
Finally, this commit moves setting the lifetime, reducing two calls
to one.
projects / thirdparty / bind9.git / log
