Witold Kręcicki [Tue, 23 Oct 2018 11:45:30 +0000 (13:45 +0200)]
Set result to SERVFAIL if upstream responded with FORMERR
Commit ba912435427cf884fdc1ca26743eba6c00439106 causes the resolver to
respond to a client query with FORMERR when all upstream queries sent to
the servers authoritative for QNAME elicit FORMERR responses. This
happens because resolver code returns DNS_R_FORMERR in such a case and
dns_result_torcode() acts as a pass-through for all arguments which are
already a valid RCODE.
The correct RCODE to set in the response returned to the client in the
case described above is SERVFAIL. Make sure this happens by overriding
the RCODE in query_gotanswer(), on the grounds that any format errors in
the client query itself should be caught long before execution reaches
that point. This change should not reduce query error logging accuracy
as the resolver code itself reports the exact reason for returning a
DNS_R_FORMERR result using log_formerr().
Ondřej Surý [Sun, 14 Oct 2018 12:32:02 +0000 (14:32 +0200)]
Add support for enabling and enforcing FIPS mode in OpenSSL:
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
Michał Kępień [Sat, 20 Oct 2018 21:09:08 +0000 (23:09 +0200)]
Automatically trigger GitLab Pages pipelines
Whenever master or one for the v9_* branches gets updated, the current
ARM should be published on GitLab Pages. Add a pipeline stage which
takes care of triggering GitLab Pages pipelines. Extend the lifetime of
artifact archives containing the ARM to prevent GitLab Pages pipelines
from failing due to artifacts being unavailable.
Michał Kępień [Fri, 19 Oct 2018 20:42:44 +0000 (22:42 +0200)]
Generate the ARM during CI
Add a CI job which generates the HTML version of the ARM and makes it
available for download. Since this is expected to be a quick process,
the new job is enabled for all pipelines.
Evan Hunt [Thu, 4 Oct 2018 02:04:46 +0000 (19:04 -0700)]
retain a minimal "methods" struct in the mctx
- this enables memory to be allocated and freed in dyndb modules
when named is linked statically. when we standardize on libtool,
this should become unnecessary.
- also, simplified the isc_mem_create/createx API by removing
extra compatibility functions
Michał Kępień [Mon, 8 Oct 2018 10:47:28 +0000 (12:47 +0200)]
Do not set qctx->result to DNS_R_SERVFAIL unless necessary
In some cases, setting qctx->result to DNS_R_SERVFAIL causes the value
of a 'result' variable containing a more specific failure reason to be
effectively discarded. This may cause certain query error log messages
to lack specificity despite a more accurate problem cause being
determined during query processing.
In other cases, qctx->result is set to DNS_R_SERVFAIL even though a more
specific error (e.g. ISC_R_NOMEMORY) could be explicitly indicated.
Since the response message's RCODE is derived from qctx->result using
dns_result_torcode(), which handles a number of possible isc_result_t
values and returns SERVFAIL for anything not explicitly listed, it is
fine to set qctx->result to something more specific than DNS_R_SERVFAIL
(in fact, this is already being done in a few cases). Modify most
QUERY_ERROR() calls so that qctx->result is set to a more specific error
code when possible. Adjust query_error() so that statistics are still
calculated properly. Remove the RECURSE_ERROR() macro which was
introduced exactly because qctx->result could be set to DNS_R_SERVFAIL
instead of DNS_R_DUPLICATE or DNS_R_DROP, which need special handling.
Modify dns_sdlz_putrr() so that it returns DNS_R_SERVFAIL when a DLZ
driver returns invalid RDATA, in order to prevent setting RCODE to
FORMERR (which is what dns_result_torcode() translates e.g. DNS_R_SYNTAX
to) while responding authoritatively.
Michał Kępień [Mon, 8 Oct 2018 10:47:28 +0000 (12:47 +0200)]
Set up stale response lookup before query_done() is called
When something goes wrong while recursing for an answer to a query,
query_gotanswer() sets a flag (qctx->want_stale) in the query context.
query_done() is subsequently called and it can either set up a stale
response lookup (if serve-stale is enabled) or conclude that a SERVFAIL
response should be sent. This may cause confusion when looking at query
error logs since the QUERY_ERROR() line responsible for setting the
response's RCODE to SERVFAIL is not in a catch-all branch of a switch
statement inside query_gotanswer() (like it is for authoritative
responses) but rather in a code branch which appears to have something
to do with serve-stale, even when the latter is not enabled.
Extract the part of query_done() responsible for checking serve-stale
configuration and optionally setting up a stale response lookup into a
separate function, query_usestale(), shifting the responsibility for
setting the response's RCODE to SERVFAIL to the same QUERY_ERROR() line
in query_gotanswer() which is evaluated for authoritative responses.
Petr Menšík [Tue, 25 Sep 2018 16:08:46 +0000 (18:08 +0200)]
Disable IDN from environment as documented
Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.
- tried to improve struct variable alignment
- ignore braces on function definitions so we can keep the existing
BIND style; braces can be on a new line or not
Add an uncrustify config file as $TOP/.uncrustify.cfg
to update file, run: uncrustify --replace -c $TOP/.uncrustify.cfg <filename>
- note that if this is in the user's $HOME dir, it's the default
uncrustify config path name. this can be overridden with
'uncrustify -c filenaeme' or the UNCRUSTIFY_CONFIG environment
variable
clarify relationship between dnssec-enable and dnssec-validation
- if dnssec-enable is no, then dnssec-validation now also defaults to
no. if dnssec-enable is yes, dnssec-validation defaults to auto or yes
depending on --disable-auto-validation.
- correct the doc
Evan Hunt [Wed, 3 Oct 2018 05:33:17 +0000 (22:33 -0700)]
make update_log() work if zone is not set
- update_log() is called to log update errors, but if those errors
occur before the zone is set (for example, when returning NOTAUTH)
it returns without logging anything.
Mark Andrews [Wed, 15 Aug 2018 07:17:41 +0000 (17:17 +1000)]
zero: send grep output to /dev/null; set ret=0 at start of 'check repeated recursive lookups of non recurring TTL=0 responses get new values' test so the failed subtest count is correct