Artem Boldariev [Wed, 10 Jan 2024 17:24:46 +0000 (19:24 +0200)]
Add a system test to verify listener transport change functionality
This commit adds a system test that helps to verify that changing a
listener transport by editing "listen-on" statements before
reconfiguration works as expected.
Artem Boldariev [Tue, 9 Jan 2024 17:16:26 +0000 (19:16 +0200)]
Recreate listeners on DNS transport change
This commit ensures that listeners are recreated on reconfiguration in
the case when their type changes (or when PROXY protocol type changes,
too).
Previously, if a "listen-on" statement was modified to represent a
different transport, BIND would not pick-up the change on
reconfiguration if listener type changes (e.g. DoH -> DoT) for a given
interface address and port combination. This commit fixes that by
recreating the listener.
Initially, that worked for most of the new transports as we would
recreate listeners on each reconfiguration for DoH and DoT. But at
some point we changed that in such a way that listeners were not
recreated to avoid rebinding a port as on some platforms only root can
do that for port numbers <1000, making some ports binding possible
only on start-up. We chose to asynchronously update listener socket
settings (like TLS contexts, HTTP settings) instead.
Now, we both avoid recreating the sockets if unnecessary and recreate
listeners when listener type changes.
Artem Boldariev [Fri, 1 Dec 2023 19:11:22 +0000 (21:11 +0200)]
Add a 'cipher-suites' option system test
This commit adds a new system test which verifies that using the
'cipher-suites' option actually works as expected (as well as adds
first TLSv1.3 specific tests).
Artem Boldariev [Thu, 30 Nov 2023 18:57:07 +0000 (20:57 +0200)]
Add TLS cipher-suites related low-level functionality
This commits adds low-level wrappers on top of
'SSL_CTX_set_ciphersuites()'. These are going to be a foundation
behind the 'cipher-suites' option of the 'tls' statement.
Aram Sargsyan [Tue, 9 Jan 2024 11:51:34 +0000 (11:51 +0000)]
Print a dig comment about the failed query consistently
Dig failed to print a comment about the reason of the unacceptable
query reply got from a server when there was no other query to
start in the lookup's chain.
Add an "else" block to print out the comment even when not starting
up the next query.
Aram Sargsyan [Tue, 9 Jan 2024 11:35:11 +0000 (11:35 +0000)]
Fix a possible dig/host crash in "NS search" mode
When getting a SERVFAIL reply from a query, 'host' tries to start
the next query in the lookup's list (also true for 'dig +nofail').
However, when running with the '-C' switch (or +nssearch for 'dig'),
all the queries in the lookup start from the beginning, so that logic
brings to a crash because of the attempted start of the query which
was already started.
Don't start the next query in the affected code path when in +nssearch
mode.
Mark Andrews [Wed, 10 Jan 2024 03:35:36 +0000 (14:35 +1100)]
Defer control channel message invalidation
The conn_shutdown() function is called whenever a control channel
connection is supposed to be closed, e.g. after a response to the client
is sent or when named is being shut down. That function calls
isccc_ccmsg_invalidate(), which resets the magic number in the structure
holding the messages exchanged over a given control channel connection
(isccc_ccmsg_t). The expectation here is that all operations related to
the given control channel connection will have been completed by the
time the connection needs to be shut down.
However, if named shutdown is initiated while a control channel message
is still in flight, some netmgr callbacks might still be pending when
conn_shutdown() is called and isccc_ccmsg_t invalidated. This causes
the REQUIRE assertion checking the magic number in ccmsg_senddone() to
fail when the latter function is eventually called, resulting in a
crash.
Fix by splitting up isccc_ccmsg_invalidate() into two separate
functions:
- isccc_ccmsg_disconnect(), which initiates TCP connection shutdown,
- isccc_ccmsg_invalidate(), which cleans up magic number and buffer,
and then:
- replacing all existing uses of isccc_ccmsg_invalidate() with calls
to isccc_ccmsg_disconnect(),
- only calling isccc_ccmsg_invalidate() when all netmgr callbacks are
guaranteed to have been run.
Tom Krizek [Wed, 10 Jan 2024 09:53:18 +0000 (10:53 +0100)]
Allow nsupdate test rerun on FreeBSD
The "exceeded time limit waiting for literal 'too many DNS UPDATEs
queued' in ns1/named.run" is prone to fail due to a timing issue.
Despite out efforts to stabilize it, the check still often fails on
FreeBSD in our CI. Allow the test to be re-run on this platform.
Tom Krizek [Mon, 8 Jan 2024 17:30:47 +0000 (18:30 +0100)]
Add missing dnssec-validation to ns4 in xfer test
This file was missing explicit dnssec-validation. Seems like it was
missed in our previous efforts, probably because of the different
filename / extension. Rename it to end with *.in to reflect that it is a
template file used by copy_setports.
Michał Kępień [Fri, 5 Jan 2024 11:51:13 +0000 (12:51 +0100)]
Fix Danger rules for flagging release note issues
The logic contained in dangerfile.py incorrectly warns about missing
release note changes for merge requests preparing release documentation
as such merge requests rename files in the doc/notes/ directory. This
(correctly) causes these files to be passed to dangerfile.py via
danger.git.created_files and danger.git.deleted_files rather than via
danger.git.modified_files, which in turn causes the logic checking the
use of the "Release Notes" label to assume that no release notes are
added, removed, or modified by a given merge request.
Fix by considering all types of file changes (modifications, additions,
and removals - which also covers file renaming) when checking whether a
given merge request modifies release notes. Update the warning messages
accordingly.
However, when trying to find release notes added by a given merge
request, deleted files must not be considered. Tweak the logic looking
for GitLab identifiers in the release notes added by a given merge
request so that it only scans modified and added (or renamed) files.
Michał Kępień [Thu, 4 Jan 2024 12:39:27 +0000 (13:39 +0100)]
Limit isc_async_run() overhead for tree pruning
Instead of issuing a separate isc_async_run() call for every RBTDB node
that triggers tree pruning, maintain a list of nodes from which tree
pruning can be started from and only issue an isc_async_run() call if
pruning has not yet been triggered by another RBTDB node.
In some older BIND 9 branches, the extra queuing overhead eliminated by
this change could be remotely exploited to cause excessive memory use.
Due to architectural shift, this branch is not vulnerable to that issue,
but applying the fix to the latter is nevertheless deemed prudent for
consistency and to make the code future-proof.
Mark Andrews [Thu, 12 Oct 2023 01:01:46 +0000 (12:01 +1100)]
Restore dns64 state during serve-stale processing
If we are in the process of looking for the A records as part of
dns64 processing and the server-stale timeout triggers, redo the
dns64 changes that had been made to the orignal qctx.
Mark Andrews [Mon, 9 Oct 2023 23:58:18 +0000 (10:58 +1100)]
Save the correct result value to resume with nxdomain-redirect
The wrong result value was being saved for resumption with
nxdomain-redirect when performing the fetch. This lead to an assert
when checking that RFC 1918 reverse queries where not leaking to
the global internet.
When parsing messages use a hashmap instead of a linear search to reduce
the amount of work done in findname when there's more than one name in
the section.
There are two hashmaps:
1) hashmap for owner names - that's constructed for each section when we
hit the second name in the section and destroyed right after parsing
that section;
2) per-name hashmap - for each name in the section, we construct a new
hashmap for that name if there are more than one rdataset for that
particular name.
Mark Andrews [Thu, 14 Dec 2023 04:02:22 +0000 (15:02 +1100)]
sync_secure_db failed to handle some TTL changes
If the DNSKEY, CDNSKEY or CDS RRset had different TTLs then the
filtering of these RRset resulted in dns_diff_apply failing with
"not exact". Identify tuple pairs that are just TTL changes and
allow them through the filter.
Mark Andrews [Tue, 12 Dec 2023 02:47:30 +0000 (13:47 +1100)]
Test dnssec-policy dnskey-ttl behaviour
If the dnskey-ttl in the dnssec-policy doesn't match the DNSKEY's
ttl then the DNSKEY, CDNSKEY and CDS rrset should be updated by
named to reflect the expressed policy. Check that named does this
by creating a zone with a TTL that does not match the policy's TTL
and check that it is correctly updated.
Mark Andrews [Tue, 2 Jan 2024 04:39:58 +0000 (15:39 +1100)]
Support Net::DNS::Nameserver 1.42
In Net::DNS 1.42 $ns->main_loop no longer loops. Use current methods
for starting the server, wait for SIGTERM then cleanup child processes
using $ns->stop_server(), then remove the pid file.
Michał Kępień [Fri, 22 Dec 2023 18:27:37 +0000 (19:27 +0100)]
Silence a scan-build warning in dns_rbt_addname()
Clang Static Analyzer is unable to grasp that when dns_rbt_addnode()
returns ISC_R_EXISTS, it always sets the pointer passed to it via its
'nodep' parameter to a non-NULL value. Add an extra safety check in the
conditional expression used in dns_rbt_addname() to silence that
warning.
projects / thirdparty / bind9.git / log
