Mark Andrews [Fri, 24 Jun 2022 02:29:23 +0000 (12:29 +1000)]
Expand name compression unit test
The name compression unit test is expanded to check that the compressed
form matches the expected wire pattern.
Record owner names are compressed differently to rdata names by
calling dns_name_towire2 instead of dns_name_towire so check that
owner names are compressed correctly as well.
Ondřej Surý [Thu, 23 Jun 2022 11:06:37 +0000 (13:06 +0200)]
Don't compress in the rrset if compression was disabled
Currently, when rrset is being compressed, the optimization has been put
in place to reuse offset to the previous name in the same rrset. This
skips the check for non-improving compression and thus compresses the
root zone making the wireformat worse by one byte.
Additionally, when the compression has been disabled for the name, it
would be repeatedly added to the compression table because we act as if
the name was not found and the dns_compress_add() doesn't check for the
existing entry.
Change the dns_name_towire2() to always lookup the name in the
compression table to prevent adding duplicates, but don't use it neither
in the wireformat nor in the rrset cache.
Evan Hunt [Thu, 26 May 2022 09:33:52 +0000 (02:33 -0700)]
add "rndc fetchlimit" to show fetchlimited servers
this command runs dns_adb_dumpquota() to display all servers
in the ADB that are being actively fetchlimited by the
fetches-per-server controls (i.e, servers with a nonzero average
timeout ratio or with the quota having been reduced from the
default value).
the "fetchlimit" system test has been updated to use the
new command to check quota values instead of "rndc dumpdb".
Mark Andrews [Thu, 9 Jun 2022 08:13:35 +0000 (18:13 +1000)]
update ifconfig.sh
* make it harder to get the interface numbers wrong by using 'max'
to specify the upper bound of the sequence of interfaces and use 'max'
when calculating the interface number
* extract the platform specific instruction into 'up' and 'down'
and call them from the inner loop so that the interface number is
calculated in one place.
* calculate the A and AAAA address in a single place rather than
in each command
* use /sbin/ipadm on Solaris 2.11 and greater
previously, when an iterative query returned FORMERR, resolution
would be stopped under the assumption that other servers for
the same domain would likely have the same capabilities. this
assumption is not correct; some domains have been reported for
which some but not all servers will return FORMERR to a given
query; retrying allows recursion to succeed.
Evan Hunt [Thu, 21 Oct 2021 09:28:48 +0000 (02:28 -0700)]
REQUIRE should not have side effects
it's a style violation to have REQUIRE or INSIST contain code that
must run for the server to work. this was being done with some
atomic_compare_exchange calls. these have been cleaned up. uses
of atomic_compare_exchange in assertions have been replaced with
a new macro atomic_compare_exchange_enforced, which uses RUNTIME_CHECK
to ensure that the exchange was successful.
Mark Andrews [Fri, 1 Jul 2022 01:13:51 +0000 (11:13 +1000)]
Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted. This included missing the closing brace in
${modifiers}
Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}. Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.
Mark Andrews [Fri, 1 Jul 2022 01:40:37 +0000 (11:40 +1000)]
Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour. Detect these conditions and return a
range error.
Mark Andrews [Tue, 5 Jul 2022 03:05:58 +0000 (13:05 +1000)]
Increase the amount of time allowed for signing to occur in
On slow systems we have seen this take 9 seconds. Increased the
allowance from 3 seconds to 10 seconds to reduce the probabilty of
a false negative from the system test.
Mark Andrews [Tue, 5 Jul 2022 03:01:11 +0000 (13:01 +1000)]
Only report not matching stderr content when we look for it
The previous test code could emit "D:cds:stderr did not match ''" rather
that just showing the contents of stderr. Moved the debug line inside
the if/else block.
Replaced backquotes with $() and $(()) as approriate.
Mark Andrews [Fri, 17 Jun 2022 04:40:39 +0000 (14:40 +1000)]
Add system test for forward only grafted zone with synth-from-dnssec
We are grafting on an unsigned zone "example.internal" where the higher
zone (".") is signed and would otherwise cause named to synthesise a
NXDOMAIN for example.internal. We prime the cache by performing a
lookup for "internal" and then lookup "example.internal".
Mark Andrews [Fri, 17 Jun 2022 00:40:47 +0000 (10:40 +1000)]
Add synth-from-dnssec namespaces for keytable entries
We do this by adding callbacks for when a node is added or deleted
from the keytable. dns_keytable_add and dns_keytable_delete where
extended to take a callback. dns_keytable_deletekey does not remove
the node so it was not extended.
Mark Andrews [Thu, 16 Jun 2022 06:48:42 +0000 (16:48 +1000)]
Check the synth-form-dnssec namespace when synthesising responses
Call dns_view_sfd_find to find the namespace to be used to verify
the covering NSEC records returned for the given QNAME. Check that
the NSEC owner names are within that namespace.
Mark Andrews [Thu, 16 Jun 2022 06:31:10 +0000 (16:31 +1000)]
Add a mechanism to record namespaces for synth-from-dnssec
When namespace is grafted on, the DNSSEC proofs for non existance
need to come from that namespace and not a higher namespace. We
add 3 function dns_view_sfd_add, dns_view_sfd_del and dns_view_sfd_find
to add, remove and find the namespace that should be used when
checking NSEC records.
dns_view_sfd_add adds a name to a tree, creating the tree if needed.
If the name already existed in the tree the reference count is
increased otherwise it is initalised to 1.
dns_view_sfd_del removes a reference to a name in the tree, if the
count goes to 0 the node is removed.
dns_view_sfd_find returns the namespace to be used to entered name.
If there isn't an enclosing name in the tree, or the tree does not
yet exist, the root name is returned.
Access to the tree is controlled by a read/write lock.
Adding these calls (which ensure a given structure's reference count
equals 0 when it is destroyed, therefore detecting reference counting
issues) uncovered another flaw in the commits mentioned above: missing
isc_refcount_decrement() calls that would be logical counterparts of the
isc_refcount_increment*() calls these commits added. Add the missing
isc_refcount_decrement() calls to unlink_name() and unlink_entry().
Michał Kępień [Mon, 4 Jul 2022 14:02:12 +0000 (16:02 +0200)]
Add missing invocations of pthreads destructors
Add isc_mutex_destroy() and isc_rwlock_destroy() calls missing from the
commits that introduced the relevant isc_mutex_init() and
isc_rwlock_init() calls:
Petr Špaček [Mon, 4 Jul 2022 06:39:28 +0000 (08:39 +0200)]
Remove links from logging category names
Some logging categories have the same names as configuration statements.
This caused some category names to be replaced with links to statement
definitions, which confuses util/check-categories.sh script.
Petr Špaček [Fri, 1 Jul 2022 14:13:39 +0000 (16:13 +0200)]
Rework size_spec and size_or_percentage definitions
Except for a single case they were not referenced in the text, but at
the same time doc/misc grammar uses terms "size", "sizeval", and
"percetage".
Keywords "default" and "unlimited" are expanded in statement's grammar
anyway, but I kept their description in place because they are generally
allowed at places which accept sizes.
Percentage is also expanded in doc/misc grammars and thus requires
separate definition.
Petr Špaček [Fri, 1 Jul 2022 11:12:01 +0000 (13:12 +0200)]
Rename remoteserver_list to remote-servers
Name remoteserver_list was not referenced anywhere but the grammar uses
name remote-servers. Rename and add a reference to primaries for more
information.
Petr Špaček [Fri, 1 Jul 2022 10:40:39 +0000 (12:40 +0200)]
Remove unreferences dialup_option grammar
I dunno why it was a separate entity in the grammar glossary. It is not
referenced anywhere else except for the the dialup statement, and the
statement describes all its possible values verbosely.
Petr Špaček [Fri, 1 Jul 2022 10:29:18 +0000 (12:29 +0200)]
Manual fixups for new hyperlinks
It turns out that many manual edits were required:
- Heading underlines were too short because :any:`` is longer than ````
- Some statement names clashed with manually defined _link_anchors
(notify, trust-anchors etc.)
- Zone types are defined like "type primary" in the internal grammar and
that caused mayhem in the replacement script as it took "type" and
individual types ("primary", "secondary") as separate statements.
For that reason :any:`primary` had to be manually replaced with
:any:`primary <type primary>` where appropriate.
- Sometimes option name is also the same as a value name (e.g. "notify")
and then it did not make sense to do the replacement.
Petr Špaček [Mon, 4 Jul 2022 10:33:04 +0000 (12:33 +0200)]
Parse and render rst syntax in :short: statement descriptions in tables
Without this change tables generated by .. namedconf:statementlist::
contained raw text and displayed rst syntax to users.
The raw docutil node returned by rst parser can contain unresolved
references (pending_xref nodes). We just store those nodes and let
Sphinx to resolve them later on.
Beware: This would not work if we injected nodes in later stages of
processing. All unresolved references must be in place before
'doctree-resolved' event is emitted (i.e. before resolve_references() is
called inside Sphinx).
projects / thirdparty / bind9.git / log
