Mark Andrews [Mon, 30 Jan 2023 07:06:57 +0000 (18:06 +1100)]
named-rrchecker: have fatal cleanup
It is trivial to fully cleanup memory on all the error paths in
named-rrchecker, many of which are triggered by bad user input.
This involves freeing lex and mctx if they exist when fatal is
called.
Evan Hunt [Thu, 2 Feb 2023 21:35:32 +0000 (13:35 -0800)]
add source port configuration tests
check in the log files of receiving servers that the originating
ports for notify and SOA query messages were set correctly from
configured notify-source and transfer-source options.
Evan Hunt [Thu, 2 Feb 2023 20:16:49 +0000 (12:16 -0800)]
use configured source ports for UDP requests
the optional 'port' option, when used with notify-source,
transfer-source, etc, is used to set up UDP dispatches with a
particular source port, but when the actual UDP connection was
established the port would be overridden with a random one. this
has been fixed.
(configuring source ports is deprecated in 9.20 and slated for
removal in 9.22, but should still work correctly until then.)
Evan Hunt [Fri, 3 Feb 2023 22:57:17 +0000 (14:57 -0800)]
remove /etc/bind.keys
the built-in trust anchors in named and delv are sufficent for
validation. named still needs to be able to load trust anchors from
a bind.keys file for testing purposes, but it doesn't need to be
the default behavior.
we now only load trust anchors from a file if explicitly specified
via the "bindkeys-file" option in named or the "-a" command line
argument to delv. documentation has been cleaned up to remove references
to /etc/bind.keys.
Evan Hunt [Fri, 27 Jan 2023 22:43:11 +0000 (14:43 -0800)]
delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.
Tony Finch [Fri, 3 Feb 2023 12:29:00 +0000 (12:29 +0000)]
Fix ISC_MEM_ZERO on allocators with malloc_usable_size()
ISC_MEM_ZERO requires great care to use when the space returned by
the allocator is larger than the requested space, and when memory is
reallocated. You must ensure that _every_ call to allocate or
reallocate a particular block of memory uses ISC_MEM_ZERO, to ensure
that the extra space is zeroed as expected. (When ISC_MEMFLAG_FILL
is set, the extra space will definitely be non-zero.)
When BIND is built without jemalloc, ISC_MEM_ZERO is implemented in
`jemalloc_shim.h`. This had a bug on systems that have malloc_size()
or malloc_usable_size(): memory was only zeroed up to the requested
size, not the allocated size. When an oversized allocation was
returned, and subsequently reallocated larger, memory between the
original requested size and the original allocated size could
contain unexpected nonzero junk. The realloc call does not know the
original requested size and only zeroes from the original allocated
size onwards.
After this change, `jemalloc_shim.h` always zeroes up to the
allocated size, not the requested size.
Michał Kępień [Fri, 3 Feb 2023 08:38:25 +0000 (09:38 +0100)]
Bump statistics channels versions
GL !7412 updated the set of counters exposed via the XML & JSON
statistics channels. Apply a corresponding version bump, which was
not included in that merge request.
Tom Krizek [Mon, 30 Jan 2023 12:48:55 +0000 (13:48 +0100)]
Add container rebuild step to release checklist
It was agreed that the monthly CI container image rebuild should be done
manually rather than be automated. This allows us to have control over
when things could break and the end of the release cycle is the most
convenient time to have that happen.
Michał Kępień [Wed, 1 Feb 2023 10:22:59 +0000 (11:22 +0100)]
Fix 'view' variable scope in load_configuration()
Commit b69e783164cd50e3306364668558e460617ee8fc changed the scope of the
local 'view' variable in load_configuration(), but the code section
guarded by the #ifdef USE_DNSRPS directive was not adjusted accordingly,
causing build errors for DNSRPS-enabled builds. Fix the latter by
declaring the 'view' variable inside the loop in the DNSRPS-specific
block of code.
Michał Kępień [Wed, 1 Feb 2023 10:22:59 +0000 (11:22 +0100)]
Handle iterator options in rpsdb_allrdatasets()
Commit 7695c36a5de01c441690f2a0e46f176321b58896 added a new parameter,
'options', to the prototype of the 'allrdatasets' function pointer in
struct dns_dbmethods. Handle this new parameter accordingly in
rpsdb_allrdatasets().
Michał Kępień [Wed, 1 Feb 2023 10:22:59 +0000 (11:22 +0100)]
Add DNSRPS builds to pairwise testing
The --enable-dnsrps-dl switch for ./configure enables preparing a
DNSRPS-enabled build of BIND 9 that is not directly linked against a
DNSRPS provider library (dlopen() at runtime is used instead). Employ
this switch to test DNSRPS-enabled builds in the pairwise testing job in
GitLab CI.
Evan Hunt [Wed, 26 Oct 2022 01:35:41 +0000 (18:35 -0700)]
refactor isc_ratelimiter to use loop callbacks
the rate limter now uses loop callbacks rather than task events.
the API for isc_ratelimiter_enqueue() has been changed; we now pass
in a loop, a callback function and a callback argument, and
receive back a rate limiter event object (isc_rlevent_t). it
is no longer necessary for the caller to allocate the event.
the callback argument needs to include a pointer to the rlevent
object so that it can be freed using isc_rlevent_free(), or by
dequeueing.
Mark Andrews [Mon, 30 Jan 2023 00:18:49 +0000 (11:18 +1100)]
Handle address lookup failure more gracefully
If the address lookup of the primary server fails just abort
the current update request rather than calling exit. This allows
nsupdate to cleanup gracefully.
Ondřej Surý [Mon, 30 Jan 2023 08:49:35 +0000 (09:49 +0100)]
Properly name ADB hashmap and named log memory contexts
The ADB hashmaps are stored in extra memory contexts, so the hash
tables are excluded from the overmem accounting. The new memory
context was unnamed, give it a proper name.
Same thing has happened with extra memory context used for named
global log context - give the extra memory context a proper name.
Ondřej Surý [Mon, 30 Jan 2023 08:49:35 +0000 (09:49 +0100)]
Properly name ADB hashmap and named log memory contexts
The ADB hashmaps are stored in extra memory contexts, so the hash
tables are excluded from the overmem accounting. The new memory
context was unnamed, give it a proper name.
Same thing has happened with extra memory context used for named
global log context - give the extra memory context a proper name.
Matthijs Mekking [Wed, 25 Jan 2023 15:36:48 +0000 (16:36 +0100)]
Force set DS state after 'rndc dnssec -checkds'
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.
Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.
Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.
Tom Krizek [Thu, 26 Jan 2023 12:04:40 +0000 (13:04 +0100)]
danger: relax rules for single-line commits
The following are not also accepted as single-line commits without
generating warnings:
- CHANGES/release note may appear in the beginning of the commit message
- Release note may be capitalized
- Allow commits with "GL #" (e.g. Update documentation for [GL #XXXX])
Michał Kępień [Fri, 27 Jan 2023 13:10:09 +0000 (14:10 +0100)]
Update release checklist
Update the release checklist to incorporate some minor tweaks that we
have been applying manually for the past few months as a result of
release process evolution.
Michał Kępień [Fri, 27 Jan 2023 13:10:09 +0000 (14:10 +0100)]
Rework the Security Incident Handling Checklist
Rework the Security Incident Handling Checklist so that it does not only
contain the SWENG-side steps for handling a security incident, but also
all the other steps required by ISC procedures.
Michał Kępień [Fri, 27 Jan 2023 12:25:30 +0000 (13:25 +0100)]
Extend artifact lifetime for release-related jobs
Artifacts of the "stress" jobs in GitLab CI are used for generating the
QA summary for a given set of releases. It happened in the past that
these artifacts were purged before the QA summary was prepared,
unnecessarily prolonging the release process. A complete set of
artifacts from all such jobs for a single pipeline should be less than 1
GB in size, so extend their lifetime from one day to one week as a more
reasonable compromise between availability and disk space usage. (Note:
these jobs are also run in scheduled pipelines, but that is expected to
be acceptable in the context of artifact lifetime.)
Artifacts of the "release" jobs in GitLab CI are what we eventually
publish on the FTP server. It happened in the past that these artifacts
were purged before we copied them to their destination, unnecessarily
prolonging the release process, even though we usually press the "Keep"
button for the "release" jobs manually to keep them around indefinitely
(as they are the source of what we publish in other places). Since
there is only one "release" job per tag pipeline and its artifacts only
take up tens of megabytes of space, keep the artifacts of the "release"
jobs around indefinitely by default.
Mark Andrews [Fri, 27 Jan 2023 01:43:45 +0000 (12:43 +1100)]
Teach danger about amend
commit --fixup=amend:<hash> produces a subject starting with amend!
by default. Have danger look for this to ensure that it is squashed
before merging.
Michal Nowak [Mon, 23 Jan 2023 19:29:00 +0000 (20:29 +0100)]
Add release tarball comparison script
The util/release-tarball-comparison.sh script compares a release-ready
BIND 9 tarball to a temporary BIND 9 tarball created from the same
signed Git tag to ensure that their content does not differ
(significantly).
Timo Teräs [Wed, 25 Jan 2023 18:56:41 +0000 (20:56 +0200)]
Improve OpenSSL RSA key extraction
Add check for extracting the public 'n' component on OpenSSL 3.0
path. This is mandatory component, and it's presence is checked
already on the other code path.
Also document the reason why private key component getting errors
are ignored.
Ondřej Surý [Thu, 19 Jan 2023 15:57:18 +0000 (16:57 +0100)]
Restore Malloced memory counter as InUse alias + little cleanups
This restores the Malloced memory counter and it's now always equal to
InUse counter. This is only for backwards compatibility reason and
there is no separate counter.
The commit also cleanups little things like structure with a single
item (summary.inuse), and shuts up a wrong cppcheck warning (the
notorious NULL check after assignment).
Ondřej Surý [Thu, 19 Jan 2023 11:10:28 +0000 (12:10 +0100)]
Make the all inuse memory counter atomic operations relaxed
Instead of enforcing stronger synchronization between threads, make all
the atomic operations relaxed. We are not really interested in exact
numbers at all times - the single place where we need the exact number
is when the memory context is being destroyed. Even when there's a
overmem counter, we don't care about exact ordering or exact number.
Ondřej Surý [Thu, 19 Jan 2023 11:02:17 +0000 (12:02 +0100)]
Remove the Lost memory counter
The Lost memory counter would count the memory "lost" by external
libraries. There's really no such thing as `named` require the memory
contexts to be clean on destroy.
Ondřej Surý [Thu, 19 Jan 2023 11:00:04 +0000 (12:00 +0100)]
Remove stats buckets memory counters
The stats buckets were again more useful for internal allocator, because
we would see the individual "block" caches where the allocations would
fall into. Remove the stats buckets, and if needed, we can pull more
detailed statistics out of the jemalloc.
Ondřej Surý [Thu, 19 Jan 2023 10:50:39 +0000 (11:50 +0100)]
Remove the total memory counter
The total memory counter had again little or no meaning when we removed
the internal memory allocator. It was just a monotonic counter that
would count add the allocation sizes but never subtracted anything, so
it would be just a "big number".
Ondřej Surý [Thu, 19 Jan 2023 10:46:47 +0000 (11:46 +0100)]
Remove maxinuse memory counter
The maxinuse memory counter indicated the highest amount of
memory allocated in the past. Checking and updating this high-
water mark value every time memory was allocated had an impact
on server performance, so it has been removed. Memory size can
be monitored more efficiently via an external tool logging RSS.
Ondřej Surý [Thu, 19 Jan 2023 10:41:34 +0000 (11:41 +0100)]
Remove malloced and maxmalloced memory counter
The malloced and maxmalloced memory counters were mostly useless since
we removed the internal allocator blocks - it would only differ from
inuse by the memory context size itself.
Ondřej Surý [Mon, 23 Jan 2023 12:40:19 +0000 (13:40 +0100)]
Enforce receive_secure_serial() and setnsec3param() serialization
Both receive_secure_serial() and setnsec3param() run on the same zone
loop, therefore they are serialized. Remove the mechanism to enqueue
the nsec3param and secure serial updates in case one of them is
running (as they can not) and replace it with sanity check.
Ondřej Surý [Mon, 23 Jan 2023 11:13:43 +0000 (12:13 +0100)]
Replace the dns_io_t mechanism with offloaded threads
Previously, the zone loading and dumping was effectively serialized by
the dns_io_t mechanism. In theory, more IO operations could be run in
parallel, but the zone manager .iolimit was set to 1 and never increased
as dns_zonemgr_setiolimit() was never ever called.
As the dns_master asynchronous load and dump was already offloaded to
non-worker threads with isc_work mechanism, drop the whole dns_io_t
and just rely on the isc_work to do the load and dump scheduling.
Ondřej Surý [Thu, 12 Jan 2023 20:44:31 +0000 (21:44 +0100)]
Allow interrupting dnssec-signzone during signing
The signal handler in the isc_loop would wait for all the work to finish
before interrupting the signing. Add teardown handlers via
isc_loopmgr_teardown() to signal the assignwork() it should stop signing
and bail-out early.
NOTE: The dnssec-signzone binary still can't be interrupted during zone
loading, zone cleaning, nsec(3) chain generation or zone writing. This
might get addressed in the future if it becomes a problem.
Ondřej Surý [Thu, 12 Jan 2023 15:36:43 +0000 (16:36 +0100)]
Dump the signed zone in the text format at the end of dnssec-signzone
Instead of dumping the signed zone contents node by node during the
signing, dump the entire zone at the end. This was already done for the
raw zone format, but it shows that the IO is better utilized when the
zone dump is done in one single write rather than in small chunks.
A side effect of dumping node by node was that all names were printed
relative to the zone origin rather than being grouped under different
$ORIGINs as would normally be the case when dumping a zone. Also, state
was not maintained from one node to the next regarding whether the CLASS
has already been printed, so it was always included with the first
record of each node.
Since dnssec-signzone uses the dns_master_style_explicittl text format
style, and is the only application that does so, we can revise that
style and add a new DNS_STYLEFLAG_CLASS_PERNAME flag to get the output
back to what it was before this change.
projects / thirdparty / bind9.git / log
