The stub_request_nameserver_address() used 'request' as name for
struct stub_glue_request leading to confusion between 'request'
(stub_glue_request) and 'request->request' (dns_request_t).
Unify the name to 'sgr' already used in struct stub_glue_response().
Ondřej Surý [Mon, 26 Jun 2023 08:58:30 +0000 (10:58 +0200)]
Refactor isc_stats_create() and its downstream users to return void
The isc_stats_create() can no longer return anything else than
ISC_R_SUCCESS. Refactor isc_stats_create() and its variants in libdns,
libns and named to just return void.
Tom Krizek [Mon, 24 Jul 2023 14:29:31 +0000 (16:29 +0200)]
Reproducer for CVE-2023-2911
The conditions that trigger the crash:
- a stale record is in cache
- stale-answer-client-timeout is 0
- multiple clients query for the stale record, enough of them to exceed
the recursive-clients quota
- the response from the authoritative is sufficiently delayed so that
recursive-clients quota is exceeded first
The reproducer attempts to simulate this situation. However, it hasn't
proven to be 100 % reproducible, especially in CI. When reproducing
locally, the priming query also seems to sometimes interfere and prevent
the crash. When the reproducer is ran twice, it appears to be more
reliable in reproducing the issue.
Tom Krizek [Mon, 24 Jul 2023 16:35:13 +0000 (18:35 +0200)]
Clean up keys directory in checkconf test
The keys directory should be cleaned up in clean.sh. Doing that in the
test itself isn't reliable which may lead to failing mkdir which causes
the test to fail with set -e.
After commit f4eb3ba4, that is part of removing 'auto-dnssec', the
inline system test started to fail in FIPS CI jobs. This is because
the 'nsec3-loop' zone started to use a RSASHA256 key size of 1024 and
this is not FIPS compliant.
This commit changes the key size from 1024 to 4096, in order to
become FIPS compliant again.
1. Change the _new, _add and _copy functions to return the new object
instead of returning 'void' (or always ISC_R_SUCCESS)
2. Cleanup the isc_ht_find() + isc_ht_add() usage - the code is always
locked with catzs->lock (mutex), so when isc_ht_find() returns
ISC_R_NOTFOUND, the isc_ht_add() must always succeed.
3. Instead of returning direct iterator for the catalog zone entries,
add dns_catz_zone_for_each_entry2() function that calls callback
for each catalog zone entry and passes two extra arguments to the
callback. This will allow changing the internal storage for the
catalog zone entries.
4. Cleanup the naming - dns_catz_<fn>_<obj> -> dns_catz_<obj>_<fn>, as an
example dns_catz_new_zone() gets renamed to dns_catz_zone_new().
Mark Andrews [Wed, 19 Jul 2023 23:16:03 +0000 (09:16 +1000)]
Mark a primary as unreachable on timed out in xfin
When a primary server is not responding, mark it as temporarialy
unreachable. This will prevent too many zones queuing up on a
unreachable server and allow the refresh process to move onto
the next primary sooner once it has been so marked.
Restore the IS_STUB() condition in zone_zonecut_callback
After the refactoring the condition whether to use DNAME or NS for the
zonecut was incorrectly simplified and the !IS_STUB() condition was
removed. This was flagged by Coverity as:
/lib/dns/rbt-zonedb.c: 192 in zone_zonecut_callback()
186 found = ns_header;
187 search->zonecut_sigheader = NULL;
188 } else if (dname_header != NULL) {
189 found = dname_header;
190 search->zonecut_sigheader = sigdname_header;
191 } else if (ns_header != NULL) {
>>> CID 462773: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "found = ns_header;".
192 found = ns_header;
193 search->zonecut_sigheader = NULL;
194 }
195
196 if (found != NULL) {
197 /*
Instead of removing the extra block, restore the !IS_STUB() condition
for the first if block.
These two configuration options worked in conjunction with 'auto-dnssec'
to determine KSK usage, and thus are now obsoleted.
However, in the code we keep KSK processing so that when a zone is
reconfigured from using 'dnssec-policy' immediately to 'none' (without
going through 'insecure'), the zone is not immediately made bogus.
Add one more test case for going straight to none, now with a dynamic
zone (no inline-signing).
Matthijs Mekking [Thu, 29 Jun 2023 09:23:34 +0000 (11:23 +0200)]
Update views system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
Because we now use 'dnssec-policy', there is no need to create an
explicit key in the final test that adds multiple inline zones
followed by a reconfig.
Matthijs Mekking [Thu, 29 Jun 2023 08:57:01 +0000 (10:57 +0200)]
Update statschannel system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
Because we now add a DNSKEY with dynamic update, the sign statistics
change. When adding signatures triggered by dynamic update, the
dnssec-refresh stats are not incremented (this is only incremented
when signing is triggered by resign in lib/dns/zone.c).
Matthijs Mekking [Wed, 28 Jun 2023 13:38:42 +0000 (15:38 +0200)]
Alter mkeys system test
The mkeys system test configured 'auto-dnssec' on the root zone to do
smart signing and simulate root key changes that should be picked up
by the automated trust anchor management of BIND.
This does not require 'auto-dnssec' or 'dnssec-policy', so change the
tests to use manual smart signing with 'dnssec-signzone'.
Matthijs Mekking [Tue, 27 Jun 2023 14:25:30 +0000 (16:25 +0200)]
Remove dupsigs system test
This test uses key timing metadata to do rollovers, this is no longer
applicable with 'dnssec-policy'. Note that with 'dnssec-policy' key
timing metadata is still written, but it is not used for determining
what and when to do key rollovers.
Matthijs Mekking [Tue, 20 Jun 2023 08:08:29 +0000 (10:08 +0200)]
Copy DNSKEY record from unsigned zone db
Since external DNSKEY records may exist in the unsigned version of the
zone (for example DNSKEY records from other providers), handle these
RRsets also when copying non DNSSEC records from the unsigned zone
database to the signed version.
Matthijs Mekking [Tue, 20 Jun 2023 08:06:01 +0000 (10:06 +0200)]
Allow rndc signing commands with dnssec-policy
Some 'rndc signing' commands can still be used in conjunction with
'dnssec-policy' because it shows the progress of signing and
private type records can be cleaned up. Allow these commands to be
executed.
However, setting NSEC3 parameters is incompatible with dnssec-policy.
Matthijs Mekking [Mon, 19 Jun 2023 14:21:11 +0000 (16:21 +0200)]
Change inline system test
The inline system test tests 'auto-dnssec' in conjunction with
'inline-signing'. Change the tests to make use of 'dnssec-policy'.
Remove some tests that no longer make sense:
- The 'retransfer3.' zone tests changing the parameters with
'rndc signing -nsec3param'. This command is going away and NSEC3
parameters now need to be configured with nsec3param within
'dnssec-policy'.
- The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK take
over signing if the KSK is inactive, or vice versa. This fallback
mode longer makes sense when using a DNSSEC policy.
Some tests need to be adapted more than just changing 'auto-dnssec'
to 'dnssec-policy':
- The 'delayedkeys.' zone first needs to be configured as insecure,
then we can change it to start signing. Previously, no existing
keys means that you cannot sign the zone, with 'dnssec-policy'
new keys will be created.
- The 'updated.' zone needs to have key states in a specific state
so that the minimal journal check still works (otherwise CDS/
CDNSKEY and related records will be in the journal too).
- External keys are now added to the unsigned zone and no longer
are maintained with key files. Adjust the 'externalkey.' zone
accordingly.
- The 'nsec3-loop.' zone requires three signing keys. Since
'dnssec-policy' will ignore duplicates in the 'keys' section,
create RSASHA256 keys with different role and/or key length.
Finally, the 'externalkey.' zone checks for an expected number of
DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY
and 2 RRSIG records. Due to logic behavior changes (key timing
metadata is no longer authoritative, these expected values are
changed to 4 DNSKEY records (two signing keys and two external keys
per algorithm) and 1 RRSIG record (one active KSK per signing
algorithm).
Matthijs Mekking [Fri, 16 Jun 2023 15:06:28 +0000 (17:06 +0200)]
Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update
these tests to make use of dnssec-policy.
Remove any 'rndc signing -nsec3param' commands because with
dnssec-policy you set the NSEC3 parameters in the configuration.
Remove now duplicate tests that checked if CDS and CDNSKEY RRsets
are signed with KSK only (the dnssec-dnskey-kskonly option worked
in combination with auto-dnssec).
Also remove the publish-inactive.example test case because such
use cases are no longer supported (only with manual signing).
The auto-nsec and auto-nsec3 zones need to use an alternative
algorithm because duplicate lines in dnssec-policy/keys are ignored.
Matthijs Mekking [Fri, 16 Jun 2023 11:52:14 +0000 (13:52 +0200)]
Alter autosign system test
The autosign system test mainly tests the auto-dnssec configuration
option. Since this option is going to be removed, update the system
test so that it uses dnssec-policy.
We could remove the complete system test, but keeping an altered
version of the system test may still be useful to detect unexpected
behavior after code changes.
Change the ns1 (test root server) to use manual signing. This zone
has some weird corner cases that do not fit the dnssec-policy model
very well.
The ns2 bar zone also needs to use manual signing, because it revokes
its key, and RFC 5011 key revocation is not supported with
dnssec-policy.
There are also a couple of weird corner test cases that can be removed:
- Inactive KSK or ZSK. With dnssec-policy there is no such thing as
ZSK taking over the role of a KSK when the KSK is deleted, or vice
versa.
- The CDS and CDNSKEY DELETE records are now automated with
dnssec-policy and so the tests for persistence are no longer required.
In tests.sh, bump the expected number of root DNSKEY records to 11,
because with manual signing the activation before publication is
actually honored.
Also remove any 'rndc signing -nsec3param' commands because with
dnssec-policy you set the NSEC3 parameters in the configuration.
Remove any check interval tests, these "next key event" times are
now calculated and tested in the kasp system test.
Evan Hunt [Sun, 28 May 2023 02:20:47 +0000 (19:20 -0700)]
use isc_loop_now() for dispentry timeouts
store a pointer to the running loop when creating a dispatch entry
with dns_dispatch_add(), and use isc_loop_now() to get the timestamp for
the current event loop tick when we initialize the dispentry start time
and check for timeouts.
Michal Nowak [Mon, 17 Jul 2023 16:33:50 +0000 (18:33 +0200)]
Remove remnants of Windows support in system test
The "uname -o" command is harmful on OpenBSD because this platform does
not know about the "-o" option. It is a permanent failure since system
tests are started with "set -e".
Matthijs Mekking [Thu, 29 Jun 2023 08:43:40 +0000 (10:43 +0200)]
Don't add signing records for dyn update DNSKEY
We removed DNSSEC management via dynamic update (see issue #3686),
this means we also should no longer add signing records (of private
type) for DNSKEY records added via dynamic update.
Evan Hunt [Thu, 29 Jun 2023 21:58:56 +0000 (14:58 -0700)]
Make query chain processing asynchronous
Under some circumstances when processing a query response - for example,
when it contains a CNAME or DNAME - a query will have to be restarted
from the beginning to look up a new target.
This was previously handled by recursively calling the ns__query_start()
function directly from ns_query_done(). However, performance test data
indicated that chains of CNAMEs could consume quite a bit of time inside
the worker thread, increasing latency for other waiting queries. This
has now been changed so that restarted queries are run asynchronously.
Evan Hunt [Wed, 10 May 2023 06:07:50 +0000 (23:07 -0700)]
move slab rdataset implementation to rdataslab.c
ultimately we want the slab implementation of dns_rdataset to
be usable by more database implementaions than just rbtdb. this
commit moves rdataset_methods to rdataslab.c, renamed
dns_rdataslab_rdatasetmethods.
new database methods have been added: locknode, unlocknode,
addglue, expiredata, and deletedata, allowing external functions to
perform functions that previously required internal access to the
database implementation.
database and heap pointers are now stored in the dns_slabheader object
so that header is the only thing that needs to be passed to some
functions; this will simplify moving functions that process slabheaders
out of rbtdb.c so they can be used by other database implementations.
Evan Hunt [Mon, 8 May 2023 18:47:18 +0000 (11:47 -0700)]
clean up unused dns_db methods
to reduce the amount of common code that will need to be shared
between the separated cache and zone database implementations,
clean up unused portions of dns_db.
the methods dns_db_dump(), dns_db_isdnssec(), dns_db_printnode(),
dns_db_resigned(), dns_db_expirenode() and dns_db_overmem() were
either never called or were only implemented as nonoperational stub
functions: they have now been removed.
dns_db_nodefullname() was only used in one place, which turned out
to be unnecessary, so it has also been removed.
dns_db_ispersistent() and dns_db_transfernode() are used, but only
the default implementation in db.c was ever actually called. since
they were never overridden by database methods, there's no need to
retain methods for them.
in rbtdb.c, beginload() and endload() methods are no longer defined for
the cache database, because that was never used (except in a few unit
tests which can easily be modified to use the zone implementation
instead). issecure() is also no longer defined for the cache database,
as the cache is always insecure and the default implementation of
dns_db_issecure() returns false.
for similar reasons, hashsize() is no longer defined for zone databases.
implementation functions that are shared between zone and cache are now
prepended with 'dns__rbtdb_' so they can become nonstatic.
Evan Hunt [Thu, 11 May 2023 16:38:26 +0000 (09:38 -0700)]
clean up rbtdb.c
in preparation for splitting up rbtdb.c, rename some types so they
can be defined in dns/types.h instead of only locally. these include:
- struct noqname, which is used to hold no-qname and closest-encloser
proofs, and is now named dns_proof_t;
- rbtdb_rdatatype_t, which is used to hold a pair of rdatatypes and
is now called dns_typepair_t and defined in rdatatype.h;
- rbtdb_serial_t, which is now just a uint32_t;
- rdatasetheader_t and rdatasetheaderlist_t, now called
dns_slabheader_t and dns_slabheaderlist_t;
- rbtdb_version_t, now called dns_rbtdb_version_t.
the helper functions header_from_raw() and raw_from_header() are
renamed dns_slabheader_fromrdataset() and dns_slabheader_raw().
also made further style changes:
- fixing uninitialized pointer variables throughout rbtdb.c;
- switching some initializations to struct literals;
- renaming some functions and struct members more descriptively;
- replacing dns_db_secure_t with a simple bool since it no longer needs
to be tri-valued.
Evan Hunt [Wed, 3 May 2023 03:56:25 +0000 (20:56 -0700)]
remove unused DNS_DBFIND options
the DNS_DBFIND_VALIDATEGLUE and DNS_DBFIND_FORCENSEC options
were never set, so the code implementing them (which in the case
of _VALIDATEGLUE appears to have been quite outdated anyway) was
never reached. they have now been removed.
Tony Finch [Fri, 28 Apr 2023 00:12:39 +0000 (01:12 +0100)]
Give the rdataset->privateN fields more helpful names
BIND's rdataset structure is a view of some DNS records. It is
polymorphic, so the details of how the records are stored can vary.
For instance, the records can be held in an rdatalist, or in an
rdataslab in the rbtdb.
The dns_rdataset structure previously had a number of fields called
`private1` up to `private7`, which were used by the various rdataset
implementations. It was not at all clear what these fields were for,
without reading the code and working it out from context.
This change makes the rdataset inheritance hierarchy more clear. The
polymorphic part of a `struct dns_rdataset` is now a union of structs,
each of which is named for the class of implementation using it. The
fields of these structs replace the old `privateN` fields. (Note: the
term "inheritance hierarchy" refers to the fact that the builtin and
SDLZ implementations are based on and inherit from the rdatalist
implementation, which in turn inherits from the generic rdataset.
Most of this change is mechanical, but there are a few extras.
In keynode.c there were a number of REQUIRE()ments that were not
necessary: they had already been checked by the rdataset method
dispatch code. On the other hand, In ncache.c there was a public
function which needed to REQUIRE() that an rdataset was valid.
I have removed lots of "reset iterator state" comments, because it
should now be clear from `target->iter = NULL` where before
`target->private5 = NULL` could have been doing anything.
Initialization is a bit neater in a few places, using C structure
literals where appropriate.
The pointer arithmetic for translating between an rdataslab header and
its raw contents is now fractionally safer.
- use externally accessible functions for attachnode/detachnode
so these functions can be moved outside rbtdb.c
- simplify and tidy up some other functions
- use struct initializers when appropriate
- remove the flag RDATASET_ATTR_RETAIN; it was never being set
- renamed the rdataset attributes to
- remove the 'slab_methods' rdataset implementation. this was
a reduced set of slab rdataset methods, omitting 'setownercase()'
and 'getownercase()'. we can get the identical result by using
an DNS_RDATASETATTR_KEEPCASE attribute in rdatasets that
shouldn't have their case modified, and then we only need one
set of rdataset methods.
Tom Krizek [Fri, 14 Jul 2023 15:10:58 +0000 (17:10 +0200)]
Check return codes from commands in inline test
To improve the compatibility of the inline test with the `set -e`
option, ensure all commands which are expected to pass are explicitly
checked for return code and non-zero return codes are handled.
Tom Krizek [Mon, 26 Jun 2023 16:35:04 +0000 (18:35 +0200)]
Use $(...) notation for subshells in system tests
The changes were mostly done with sed:
find . -name '*.sh' | xargs sed -i 's/`\([^`]*\)`/$(\1)/g'
There have been a few manual changes where the regex wasn't sufficient
(e.g. backslashes inside the `...`) or wrong (`...` referring to docs or
in comments).
projects / thirdparty / bind9.git / log
