git.ipfire.org Git - thirdparty/pdns.git/log
2 years ago PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritat... 12701/head
Otto Moerbeek [Thu, 16 Mar 2023 07:37:37 +0000 (08:37 +0100)] 
PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable (CVE-2023-26437)

2 years ago Merge pull request #12238 from rgacogne/rec47-remove-binary-function
Otto Moerbeek [Mon, 28 Nov 2022 08:56:15 +0000 (09:56 +0100)] 
Merge pull request #12238 from rgacogne/rec47-remove-binary-function

rec-4.7.x: Stop using deprecated std::binary_function

2 years ago rec-4.7.x: Stop using deprecated std::binary_function 12238/head
Remi Gacogne [Fri, 25 Nov 2022 17:42:53 +0000 (18:42 +0100)] 
rec-4.7.x: Stop using deprecated std::binary_function

2 years ago Merge pull request #12231 from omoerbeek/backport-12046-to-rec-4.7.x rec-4.7.4
Otto Moerbeek [Wed, 23 Nov 2022 09:13:10 +0000 (10:13 +0100)] 
Merge pull request #12231 from omoerbeek/backport-12046-to-rec-4.7.x

rec: Backport 12046 to rec-4.7.x: Fix compilation of the event ports multiplexer

2 years ago Merge pull request #12230 from omoerbeek/backport-12198-to-rec-4.7.x
Otto Moerbeek [Wed, 23 Nov 2022 09:12:54 +0000 (10:12 +0100)] 
Merge pull request #12230 from omoerbeek/backport-12198-to-rec-4.7.x

rec: Backport 12198 to rec-4.7.x: Correct skip record condition in processRecords.

2 years ago Merge pull request #12227 from omoerbeek/backport-12199-to-rec-4.7.x
Otto Moerbeek [Wed, 23 Nov 2022 09:12:35 +0000 (10:12 +0100)] 
Merge pull request #12227 from omoerbeek/backport-12199-to-rec-4.7.x

rec: Backport 12199 to rec-4.7.x: Also consider recursive forward in the "forwarded DS should not end up in negCache code."

2 years ago Fix compilation of the event ports multiplexer 12231/head
Remi Gacogne [Fri, 30 Sep 2022 08:55:19 +0000 (10:55 +0200)] 
Fix compilation of the event ports multiplexer

Thanks to Jonathan Perkin for the patch!

(cherry picked from commit 7ea87a63ab48e938bdb8b73ebfde1ac6bc71704f)

2 years ago Correct skip record condition in processRecords. 12230/head
Otto Moerbeek [Wed, 16 Nov 2022 12:49:59 +0000 (13:49 +0100)] 
Correct skip record condition in processRecords.

Noted the other day by @rgacogne

(cherry picked from commit d1321ff57909f8fb9d0bd7a20e3c4eb85a6b76e1)

2 years ago Also consider recursive forward in the "forwarded DS should not end up in negCache... 12227/head
Otto Moerbeek [Wed, 16 Nov 2022 12:58:04 +0000 (13:58 +0100)] 
Also consider recursive forward in the "forwarded DS should not end up in negCache code."

With @rgacogne and @phonedph1
Fixes #12189

(cherry picked from commit af746aaf59a2e977bafabd5814635f59b01e5835)

2 years ago Merge pull request #12190 from omoerbeek/backport-12125-to-rec-4.7.x
Otto Moerbeek [Tue, 15 Nov 2022 10:21:23 +0000 (11:21 +0100)] 
Merge pull request #12190 from omoerbeek/backport-12125-to-rec-4.7.x

rec: Backport 12125 to rec 4.7.x: Timeout handling for ixfrs as a client

2 years ago Better wording in comment 12190/head
Otto Moerbeek [Thu, 3 Nov 2022 08:50:12 +0000 (09:50 +0100)] 
Better wording in comment

Co-authored-by: Peter van Dijk <peter.van.dijk@powerdns.com>
(cherry picked from commit 240460d77be35a6a1c1e6fa22364efe19dc3ee84)

2 years ago Timeout handling for ixfrs as a client.
Otto Moerbeek [Mon, 24 Oct 2022 14:25:59 +0000 (16:25 +0200)] 
Timeout handling for ixfrs as a client.

One complicating factor is that this is shared code, but auth and
rec do not agree on the definition of the timeout value: auth states
it is a maximum idle time, while rec states it is the total xfr time.
While both approaches make sense and in the end we would like to
enforce both, we now go for a more simple solution that respects
auth or rec behaviour based on a flag.

(cherry picked from commit fee334ae0f5083d47f9adc207d5a1a6d36ebc2ac)

2 years ago Merge pull request #12173 from omoerbeek/backport-12066-to-rec-4.7.x
Otto Moerbeek [Fri, 4 Nov 2022 13:08:38 +0000 (14:08 +0100)] 
Merge pull request #12173 from omoerbeek/backport-12066-to-rec-4.7.x

rec: Backport 12066 to rec 4.7.x: Detect invalid bytes in makeBytesFromHex()

2 years ago Merge pull request #12171 from omoerbeek/backport-12081-to-rec-4.7.x
Otto Moerbeek [Fri, 4 Nov 2022 13:08:26 +0000 (14:08 +0100)] 
Merge pull request #12171 from omoerbeek/backport-12081-to-rec-4.7.x

rec: Backport 12081 to rec-4.7.x: Log invalid RPZ content when obtained via IXFR

2 years ago Merge pull request #12168 from omoerbeek/backport-12038-to-rec-4.7.x
Otto Moerbeek [Fri, 4 Nov 2022 13:08:14 +0000 (14:08 +0100)] 
Merge pull request #12168 from omoerbeek/backport-12038-to-rec-4.7.x

rec: Backport 12038 to rec-4.7.x: when an expired nsec3 entry is seen, move it to the front of the expiry queue

2 years ago Apply Otto's suggestion 12173/head
Remi Gacogne [Thu, 6 Oct 2022 08:14:50 +0000 (10:14 +0200)] 
Apply Otto's suggestion

(cherry picked from commit 7f73a566805979f94bc1a23c9088372e00177bec)

2 years ago misc: Switch to a std::array in makeHexDump()
Remi Gacogne [Thu, 6 Oct 2022 07:56:47 +0000 (09:56 +0200)] 
misc: Switch to a std::array in makeHexDump()

(cherry picked from commit 8c7a1b8a671291e6ee2e7e4abdbdd41e9c714b31)

2 years ago auth: Detect invalid bytes in makeBytesFromHex()
Remi Gacogne [Thu, 6 Oct 2022 07:55:48 +0000 (09:55 +0200)] 
auth: Detect invalid bytes in makeBytesFromHex()

Also only allocate the required number of bytes, not twice that.

(cherry picked from commit 50953de897023742e43d3feab976b891be1c6e63)

2 years ago rec: Log invalid RPZ content when obtained via IXFR 12171/head
Remi Gacogne [Mon, 10 Oct 2022 15:47:46 +0000 (17:47 +0200)] 
rec: Log invalid RPZ content when obtained via IXFR

That kind of content was properly logged and handled when received
during the initial loading (AXFR) but not when received via an
incremental update.

(cherry picked from commit 55a99233728fc01e3946a97fb8dbb073a3003622)

2 years ago rec: when an expired nsec3 entry is seen, move it to the front of the expiry queue 12168/head
Otto Moerbeek [Wed, 28 Sep 2022 07:35:22 +0000 (09:35 +0200)] 
rec: when an expired nsec3 entry is seen, move it to the front of the expiry queue

(cherry picked from commit 05a4985708988eb10f9291a40406b205e7d5d5b2)

2 years ago Merge pull request #11977 from Habbie/backport-11961-to-rec-4.7.x
Peter van Dijk [Mon, 19 Sep 2022 17:56:49 +0000 (19:56 +0200)] 
Merge pull request #11977 from Habbie/backport-11961-to-rec-4.7.x

rec 4.7.x docker: upgrade to bullseye

2 years ago docker: upgrade to bullseye 11977/head
Peter van Dijk [Thu, 15 Sep 2022 13:14:34 +0000 (15:14 +0200)] 
docker: upgrade to bullseye

(cherry picked from commit a0d3acff25a92627186ee43bead110aef416f59a)

2 years ago Merge pull request #11947 from Habbie/backport-11788-to-rec-4.7.x rec-4.7.3
Peter van Dijk [Thu, 15 Sep 2022 06:23:02 +0000 (08:23 +0200)] 
Merge pull request #11947 from Habbie/backport-11788-to-rec-4.7.x

rec-4.7: add EL9+9stream targets

2 years ago add 9-stream target and test it daily 11947/head
Peter van Dijk [Fri, 15 Jul 2022 14:27:22 +0000 (16:27 +0200)] 
add 9-stream target and test it daily

(cherry picked from commit f021d529629ef9dc7b7983b9d1c7e7ca589b6f13)

2 years ago add el-9 target
Peter van Dijk [Wed, 13 Jul 2022 20:23:45 +0000 (22:23 +0200)] 
add el-9 target

(cherry picked from commit 4728ab89f071c0d5f596638614efb85a26fafdd4)

2 years ago Merge pull request #11936 from omoerbeek/backport-11904-to-rec-4.7.x
Otto Moerbeek [Mon, 12 Sep 2022 14:16:08 +0000 (16:16 +0200)] 
Merge pull request #11936 from omoerbeek/backport-11904-to-rec-4.7.x

rec: Backport 11904 to rec-4.7.x: For zones having many NS records, we are not interested in all so take a sample.

2 years ago Merge pull request #11940 from omoerbeek/backport-11890-to-rec-4.7.x
Otto Moerbeek [Mon, 12 Sep 2022 14:15:09 +0000 (16:15 +0200)] 
Merge pull request #11940 from omoerbeek/backport-11890-to-rec-4.7.x

rec: Backport 11890 to rec-4.7.x: Failure to retrieve DNSKEYs of an Insecure zone should not be fatal.

2 years ago Failure to retrieve DNSKEYs of an Insecure zone should not be fatal. 11940/head
Otto Moerbeek [Wed, 31 Aug 2022 08:34:18 +0000 (10:34 +0200)] 
Failure to retrieve DNSKEYs of an Insecure zone should not be fatal.

This issue happens if a record set is signed even though the zone
itself is Insecure. Syncres then tries to retrieve DNSKEYs and a
timeout on that would lead to an ImmediateServFailException.

Only throw exception later in validateRecordsWithSigs, after checking
zone cuts, when we are sure the zone is Secure.

(cherry picked from commit 6dc8b0b2c6fb2e628356f8dc5c5de4dfd919ec5d)

2 years ago For zones having many NS records, we are not interested in all so take a sample. 11936/head
Otto Moerbeek [Tue, 6 Sep 2022 07:50:52 +0000 (09:50 +0200)] 
For zones having many NS records, we are not interested in all so take a sample.

(cherry picked from commit a49b0b40a0c1c1af9531b99e9266a8c2aa89cd68)

2 years ago Merge pull request #11897 from omoerbeek/backport-11848-to-rec-4.7.x
Otto Moerbeek [Fri, 9 Sep 2022 08:13:07 +0000 (10:13 +0200)] 
Merge pull request #11897 from omoerbeek/backport-11848-to-rec-4.7.x

rec: backport 11848 to rec-4.7.x: Also check qperq limit if throttling happened, as it increases counters.

2 years ago Also check qperq limit if throttling happened, as it increases counters. 11897/head
Otto Moerbeek [Thu, 11 Aug 2022 12:30:48 +0000 (14:30 +0200)] 
Also check qperq limit if throttling happened, as it increases counters.

This condition would be caught when going out previously, so is
an optimisation, not a behaviour difference.

(cherry picked from commit c75d28f2b786b986ec10675e3c853a52eec11e37)

2 years ago Merge pull request #11879 from fredmorcos/backport-11850-to-rec-4.7.x
Otto Moerbeek [Wed, 24 Aug 2022 07:03:31 +0000 (09:03 +0200)] 
Merge pull request #11879 from fredmorcos/backport-11850-to-rec-4.7.x

Backport #11850 (Fix recursor not responsive after Lua config reload) to rec 4.7.x

2 years ago Rec: Move FrameStreamServersInfo to rec-main 11879/head
Fred Morcos [Fri, 12 Aug 2022 11:25:25 +0000 (13:25 +0200)] 
Rec: Move FrameStreamServersInfo to rec-main

(cherry picked from commit 4354beb50caffdc4cb45ef3004402a780a0e2d81)

2 years ago Rec: Asynchronously destroy old connections to dnstap servers
Fred Morcos [Thu, 11 Aug 2022 13:35:29 +0000 (15:35 +0200)] 
Rec: Asynchronously destroy old connections to dnstap servers

With @omoerbeek

Closes #11795

(cherry picked from commit 2e0757d5c661c124b58ac69e91da440ad9705c62)

2 years ago Rec: Don't reload Lua config if it hasn't changed
Fred Morcos [Thu, 11 Aug 2022 13:27:38 +0000 (15:27 +0200)] 
Rec: Don't reload Lua config if it hasn't changed

This also groups together 1) the list of frame stream servers, 2) the config from which
the list was created and 3) the config's generation into a single struct called
FrameStreamServersInfo. The struct is used to compare the old and new configuration to
decide whether to destroy the old config object or not.

Part of #11795

(cherry picked from commit afaf1b5d87c4a4961eadaf114855a335711c33c8)

2 years ago Merge pull request #11847 from omoerbeek/backport-11843-to-rec-4.7.x
Otto Moerbeek [Tue, 23 Aug 2022 11:18:39 +0000 (13:18 +0200)] 
Merge pull request #11847 from omoerbeek/backport-11843-to-rec-4.7.x

rec: backport 11843 to rec-4.7.x: Clear the caches *after* loading authzones.

2 years ago Merge pull request #11774 from omoerbeek/backport-11773-to-rec-4.7.x
Otto Moerbeek [Tue, 23 Aug 2022 11:18:23 +0000 (13:18 +0200)] 
Merge pull request #11774 from omoerbeek/backport-11773-to-rec-4.7.x

rec: Backport 11773 to rec-4.7.x: Resize answer length to actual received length in udpQueryResponse

2 years ago Merge pull request #11877 from omoerbeek/rec-backport-to-rec-4.7.x-pb-size rec-4.7.2
Otto Moerbeek [Tue, 23 Aug 2022 10:17:35 +0000 (12:17 +0200)] 
Merge pull request #11877 from omoerbeek/rec-backport-to-rec-4.7.x-pb-size

Backport of protobuf PSA 2022-02 (CVE-2022-37428) to rec-4.7.x

3 years ago Clear the caches *after* loading authzones. 11847/head
Otto Moerbeek [Wed, 10 Aug 2022 11:30:24 +0000 (13:30 +0200)] 
Clear the caches *after* loading authzones.

(cherry picked from commit 799114529470923a5e633dadc47b59c4e2a7e220)

3 years ago Backport of protobuf PSA 2022-02 (CVE-2022-37428) to rec-4.7.x 11877/head
Otto Moerbeek [Wed, 3 Aug 2022 13:30:44 +0000 (15:30 +0200)] 
Backport of protobuf PSA 2022-02 (CVE-2022-37428) to rec-4.7.x

3 years ago Add regression test for #11771 (length of answer in udpQueryResponse) 11774/head
Otto Moerbeek [Mon, 11 Jul 2022 08:22:43 +0000 (10:22 +0200)] 
Add regression test for #11771 (length of answer in udpQueryResponse)

(cherry picked from commit 8ca70105ddd6fda10e98b6d3d8cb67523ebc81e1)

3 years ago Rec: Resize answer length to actual received length in udpQueryResponse
Otto Moerbeek [Mon, 11 Jul 2022 08:21:48 +0000 (10:21 +0200)] 
Rec: Resize answer length to actual received length in udpQueryResponse

Fixes #11771

(cherry picked from commit cbb5ac45a90e4109ff1f8536bf5d99aafd62ef0c)

3 years ago Merge pull request #11750 from omoerbeek/backport-11726-to-rec-4.7.x rec-4.7.1
Otto Moerbeek [Tue, 5 Jul 2022 07:08:15 +0000 (09:08 +0200)] 
Merge pull request #11750 from omoerbeek/backport-11726-to-rec-4.7.x

rec: Backport 11726 to rec 4.7.x: Convert generic format while parsing zone files for ZoneToCache

3 years ago Merge pull request #11748 from omoerbeek/backport-11692-to-rec-4.7.x
Otto Moerbeek [Tue, 5 Jul 2022 07:08:04 +0000 (09:08 +0200)] 
Merge pull request #11748 from omoerbeek/backport-11692-to-rec-4.7.x

rec: Backport 11692 to rec-4.7.x: Run tasks from housekeeping thread in a proper way.

3 years ago Merge pull request #11747 from omoerbeek/backport-11641-to-rec-4.7.x
Otto Moerbeek [Tue, 5 Jul 2022 07:07:53 +0000 (09:07 +0200)] 
Merge pull request #11747 from omoerbeek/backport-11641-to-rec-4.7.x

rec: Backport 11641 to rec-4.7.x: Move to v2 for CodeQL action, v1 will be deprecated dec 2022

3 years ago Avoid log spam 11750/head
Otto Moerbeek [Mon, 4 Jul 2022 13:28:54 +0000 (15:28 +0200)] 
Avoid log spam

3 years ago Formatting
Otto Moerbeek [Mon, 27 Jun 2022 09:25:06 +0000 (11:25 +0200)] 
Formatting

(cherry picked from commit 83a2c32ef314bb2818bdbdecb2a183870b9c1664)

3 years ago Update structured logging for exceptions to be in line with rest of code
Otto Moerbeek [Mon, 27 Jun 2022 09:16:44 +0000 (11:16 +0200)] 
Update structured logging for exceptions to be in line with rest of code

(cherry picked from commit c85af1d0f0b560d1ed4150ba6d56b06eb290c913)

3 years ago Convert generic format while parsing zone files for ZoneToCache.
Otto Moerbeek [Mon, 27 Jun 2022 09:07:45 +0000 (11:07 +0200)] 
Convert generic format while parsing zone files for ZoneToCache.

Fixes #11724

(cherry picked from commit 52b2a1f2025906b34b8ac207c349773cf4e4b255)

3 years ago Merge pull request #11740 from Habbie/backport-11735-to-rec-4.7.x
Otto Moerbeek [Mon, 4 Jul 2022 12:53:26 +0000 (14:53 +0200)] 
Merge pull request #11740 from Habbie/backport-11735-to-rec-4.7.x

rec-4.7: dh_builddeb: force gzip compression, thanks Zash!

3 years ago Run tasks from housekeeping thread in a proper way. 11748/head
Otto Moerbeek [Fri, 10 Jun 2022 13:39:36 +0000 (15:39 +0200)] 
Run tasks from housekeeping thread in a proper way.

Previously, this was only done if log-common-errors was true, due
to argument reversal. In general tasks *would* be executed, as they
are also run after each query processed by SyncRes (so not after
packet cache hits).

Thanks to @jelu!

(cherry picked from commit c42b6632e00eaa93911ce88a0b4aa8c598441e2a)

3 years ago Move to v2 for CodeQL action, v1 will be deprecated dec 2022 11747/head
Otto Moerbeek [Tue, 24 May 2022 10:36:28 +0000 (12:36 +0200)] 
Move to v2 for CodeQL action, v1 will be deprecated dec 2022

(cherry picked from commit a0c99342e7aa22e16a75d9e7daa4de69d087bc38)

3 years ago dh_builddeb: force gzip compression, thanks Zash! 11740/head
Peter van Dijk [Thu, 30 Jun 2022 11:51:00 +0000 (13:51 +0200)] 
dh_builddeb: force gzip compression, thanks Zash!

(cherry picked from commit bbfa37c0232b56e2227668717dbb97ce4f01d990)

3 years ago Merge pull request #11699 from Habbie/backport-11658-to-rec-4.7.x
Otto Moerbeek [Fri, 17 Jun 2022 11:05:40 +0000 (13:05 +0200)] 
Merge pull request #11699 from Habbie/backport-11658-to-rec-4.7.x

rec-4.7.x: protobuf: use python implementation during tests

3 years ago protobuf: use python implementation during tests 11699/head
Peter van Dijk [Tue, 31 May 2022 10:13:57 +0000 (12:13 +0200)] 
protobuf: use python implementation during tests

(cherry picked from commit 2dd4d60b8103a64c796296647ad7b45226d5a5bd)

3 years ago Merge pull request #11645 from omoerbeek/backport-11644-to-rec-4.7.x rec-4.7.0
Otto Moerbeek [Wed, 25 May 2022 08:31:04 +0000 (10:31 +0200)] 
Merge pull request #11645 from omoerbeek/backport-11644-to-rec-4.7.x

rec: Backport 11644 to rec-4.7.x: Deprecation warning for XPF settings.

3 years ago Deprecation warning for XPF settings. 11645/head
Otto Moerbeek [Wed, 25 May 2022 07:45:08 +0000 (09:45 +0200)] 
Deprecation warning for XPF settings.

(cherry picked from commit 7e32a0b96df460abd8fb98fbb63f4d336b9c3d03)

Backport of #11644

3 years ago Merge pull request #11632 from omoerbeek/backport-11609-to-rec-4.7.x
Otto Moerbeek [Tue, 24 May 2022 06:23:54 +0000 (08:23 +0200)] 
Merge pull request #11632 from omoerbeek/backport-11609-to-rec-4.7.x

rec: Backport 11609 to rec 4.7.x: Fix API issue when asking config values for allow-from or allow-notify-from

3 years ago Merge pull request #11635 from omoerbeek/backport-11570-to-rec-4.7.x
Otto Moerbeek [Mon, 23 May 2022 13:02:38 +0000 (15:02 +0200)] 
Merge pull request #11635 from omoerbeek/backport-11570-to-rec-4.7.x

rec: Backport 11570 Reduce make -j parameter from 8 to 4, as dnsdist does.

3 years ago Reduce make -j parameter from 8 to 4, as dnsdist does. 11635/head
Otto Moerbeek [Fri, 22 Apr 2022 09:02:12 +0000 (11:02 +0200)] 
Reduce make -j parameter from 8 to 4, as dnsdist does.

This might fix the occasional build issues with the CodeQL GH Action.

(cherry picked from commit d6b94fbd9664a7acac00f5dd8ebbacc4119ed045)

3 years ago Document meaning of empty allow-from 11632/head
Otto Moerbeek [Fri, 6 May 2022 09:54:23 +0000 (11:54 +0200)] 
Document meaning of empty allow-from

(cherry picked from commit a75c8e8019462827dae4599b6a24ef7a0645c30c)

3 years ago Add tests for empty allow-from and allow-notify-from case
Otto Moerbeek [Thu, 5 May 2022 08:19:47 +0000 (10:19 +0200)] 
Add tests for empty allow-from and allow-notify-from case

(cherry picked from commit bfa1ae26f5c174d6fe237dc0ed9d08043518648f)

3 years ago Fix API issue when asking config values for allow-from or allow-notify-from
Otto Moerbeek [Thu, 5 May 2022 08:04:20 +0000 (10:04 +0200)] 
Fix API issue when asking config values for allow-from or allow-notify-from

(cherry picked from commit 3aa876deef257fc6d63da32df0742ed8cf91aaa1)

3 years ago Merge pull request #11559 from omoerbeek/backport-11539-to-rec-4.7.x rec-4.7.0-rc1
Otto Moerbeek [Tue, 26 Apr 2022 10:20:00 +0000 (12:20 +0200)] 
Merge pull request #11559 from omoerbeek/backport-11539-to-rec-4.7.x

rec: Backport 11539 to rec 4.7.x: DNSSEC counters track responses sent, not actual validations performed

3 years ago Merge pull request #11560 from omoerbeek/backport-11541-to-rec-4.7.x
Otto Moerbeek [Wed, 20 Apr 2022 14:26:03 +0000 (16:26 +0200)] 
Merge pull request #11560 from omoerbeek/backport-11541-to-rec-4.7.x

rec: Backport 11541 to rec 4.7.x: fix DoT port for probed authoritative servers

3 years ago Merge pull request #11558 from omoerbeek/backport-11529-to-rec-4.7.x
Otto Moerbeek [Wed, 20 Apr 2022 14:25:49 +0000 (16:25 +0200)] 
Merge pull request #11558 from omoerbeek/backport-11529-to-rec-4.7.x

rec: Backport of #11529: Zap a leftover debug line in test code

3 years ago Decide to use Dot earlier. 11560/head
Otto Moerbeek [Tue, 19 Apr 2022 07:57:23 +0000 (09:57 +0200)] 
Decide to use Dot earlier.

To keep the nsspeed table good, we need to decide to use DoT earlier.
Now the lookup and updates of the speed table occur in a proper way
(using the port that is actually used for the connection) and when
we switch from/to DoT, the old nsspeeds are cleared by the already
existing code.

(cherry picked from commit dc777d96b2fedd5a33fbb94a8571ba1c0d11d284)

3 years ago Missing newline in dump output, noted by ph1
Otto Moerbeek [Thu, 14 Apr 2022 19:36:47 +0000 (21:36 +0200)] 
Missing newline in dump output, noted by ph1

(cherry picked from commit a8bd214e7c2a9ad357beae27378f59f3007578bf)

3 years ago Fix port, as noted by ph1 on IRC
Otto Moerbeek [Thu, 14 Apr 2022 17:44:06 +0000 (19:44 +0200)] 
Fix port, as noted by ph1 on IRC

Without this, probed DoT actually becomes regular TCP.

(cherry picked from commit 9bea6fe3ee133b0075d34c30739298679393636e)

3 years ago rec: Fix DNSSEC counters description in web/prometheus as well 11559/head
Remi Gacogne [Fri, 15 Apr 2022 09:15:02 +0000 (11:15 +0200)] 
rec: Fix DNSSEC counters description in web/prometheus as well

(cherry picked from commit d76a66060f94ccac92db5cee691f0f4bb1cde022)

3 years ago rec: DNSSEC counters track responses sent, not actual validations performed
Remi Gacogne [Thu, 14 Apr 2022 15:20:15 +0000 (17:20 +0200)] 
rec: DNSSEC counters track responses sent, not actual validations performed

Since 4.1 these counters are updated for every response sent, even if the DNSSEC
status was fetched from the records cache and did not involve any actual
validation.

(cherry picked from commit 3aebcb3af2cea8f85502fe070ece1da6a531f85e)

3 years ago Zap a leftover debug line in test code 11558/head
Otto Moerbeek [Wed, 13 Apr 2022 11:58:27 +0000 (13:58 +0200)] 
Zap a leftover debug line in test code

(cherry picked from commit ae901eb52569bc9eca6c4e871a3fc808c7e19002)

3 years ago Merge pull request #11538 from omoerbeek/backport-11536-to-rec-4.7.x
Otto Moerbeek [Thu, 14 Apr 2022 11:11:19 +0000 (13:11 +0200)] 
Merge pull request #11538 from omoerbeek/backport-11536-to-rec-4.7.x

rec: Backport 11536 to rec 4.7.x: Fix Coverity 1487923 Out-of-bounds read (wrong use of sizeof)

3 years ago Move to std::array for name array, as suggested by rgacogne 11538/head
Otto Moerbeek [Thu, 14 Apr 2022 07:57:34 +0000 (09:57 +0200)] 
Move to std::array for name array, as suggested by rgacogne

(cherry picked from commit 611457a712e44f0000f8ba337c502881ea245a29)

3 years ago Fix Coverity 1487923 Out-of-bounds read (wrong use of sizeof)
Otto Moerbeek [Thu, 14 Apr 2022 05:43:36 +0000 (07:43 +0200)] 
Fix Coverity 1487923 Out-of-bounds read (wrong use of sizeof)

(cherry picked from commit 0aef4ca5459c907024bc83156dd19e91036e95b5)

3 years ago Merge pull request #11528 from omoerbeek/rec-4.7.x-rec-only
Otto Moerbeek [Wed, 13 Apr 2022 14:43:29 +0000 (16:43 +0200)] 
Merge pull request #11528 from omoerbeek/rec-4.7.x-rec-only

rec: specialize to rec in rel/rec-4.7.x branch

3 years ago CircleCI parts for rec branch specialization 11528/head
Otto Moerbeek [Wed, 13 Apr 2022 11:07:53 +0000 (13:07 +0200)] 
CircleCI parts for rec branch specialization

3 years ago rec: specialize to rec in rel/4.7.x branch
Otto Moerbeek [Wed, 13 Apr 2022 10:56:00 +0000 (12:56 +0200)] 
rec: specialize to rec in rel/4.7.x branch

3 years ago Merge pull request #11487 from omoerbeek/rec-probe-auth-dot rec-4.7.0-beta1
Otto Moerbeek [Wed, 13 Apr 2022 06:04:10 +0000 (08:04 +0200)] 
Merge pull request #11487 from omoerbeek/rec-probe-auth-dot

Rec: probe auth for DoT support

3 years ago Update pdns/recursordist/docs/settings.rst 11487/head
Otto Moerbeek [Tue, 12 Apr 2022 12:47:40 +0000 (14:47 +0200)] 
Update pdns/recursordist/docs/settings.rst

Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

3 years ago doResolveAtThisIP() can throw and do not throttle when DoT probing
Otto Moerbeek [Tue, 12 Apr 2022 10:26:09 +0000 (12:26 +0200)] 
doResolveAtThisIP() can throw and do not throttle when DoT probing

3 years ago Review comments: document what happens on failure and use runOnce() as a building...
Otto Moerbeek [Tue, 12 Apr 2022 10:25:17 +0000 (12:25 +0200)] 
Review comments: document what happens on failure and use runOnce() as a building block for runTasks()

3 years ago Process review comments: use correct auth and nsname for task
Otto Moerbeek [Tue, 12 Apr 2022 08:12:37 +0000 (10:12 +0200)] 
Process review comments: use correct auth and nsname for task

3 years ago Apply suggestions from code review
Otto Moerbeek [Tue, 12 Apr 2022 07:31:18 +0000 (09:31 +0200)] 
Apply suggestions from code review

Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

3 years ago Only probe somewhat popular auths; i.e. auths that are revisited at least once
Otto Moerbeek [Wed, 6 Apr 2022 08:45:18 +0000 (10:45 +0200)] 
Only probe somewhat popular auths; i.e. auths that are revisited at least once

3 years ago Docs
Otto Moerbeek [Mon, 4 Apr 2022 15:27:42 +0000 (17:27 +0200)] 
Docs

3 years ago Tweaks
Otto Moerbeek [Mon, 4 Apr 2022 14:53:37 +0000 (16:53 +0200)] 
Tweaks

3 years ago Add ttd pruning by using a multi-index table and update status after DoT use
Otto Moerbeek [Wed, 30 Mar 2022 13:41:54 +0000 (15:41 +0200)] 
Add ttd pruning by using a multi-index table and update status after DoT use

3 years ago Initial code to Probe nameservers for DoT.
Otto Moerbeek [Wed, 9 Mar 2022 13:37:16 +0000 (14:37 +0100)] 
Initial code to Probe nameservers for DoT.

The rate limiting code sure needs some extra attention.
Missing: pruning, stats, tests, docs.

3 years ago wip
Otto Moerbeek [Wed, 9 Mar 2022 13:37:16 +0000 (14:37 +0100)] 
wip

3 years ago Merge pull request #11525 from omoerbeek/dnsdist-docs-retain
Otto Moerbeek [Tue, 12 Apr 2022 11:38:01 +0000 (13:38 +0200)] 
Merge pull request #11525 from omoerbeek/dnsdist-docs-retain

Mention addCapabilitiesToRetain in eBPF docs.

3 years ago Merge pull request #11521 from Habbie/auth-4.6.2-docs
Peter van Dijk [Tue, 12 Apr 2022 11:13:41 +0000 (13:13 +0200)] 
Merge pull request #11521 from Habbie/auth-4.6.2-docs

auth-4.6.2: changelog + secpoll

3 years ago auth-4.6.2: changelog + secpoll 11521/head
Peter van Dijk [Mon, 11 Apr 2022 07:33:04 +0000 (09:33 +0200)] 
auth-4.6.2: changelog + secpoll

3 years ago Merge pull request #11524 from omoerbeek/upddate-moment.js
Otto Moerbeek [Tue, 12 Apr 2022 10:36:28 +0000 (12:36 +0200)] 
Merge pull request #11524 from omoerbeek/upddate-moment.js

Update moment.min.js (path traversal fix; we are unaffected)

3 years ago Merge pull request #11523 from Y7n05h/master
Remi Gacogne [Tue, 12 Apr 2022 09:50:16 +0000 (11:50 +0200)] 
Merge pull request #11523 from Y7n05h/master

Reject BPFFilter::attachToAllBinds() at configuration time

3 years ago both CAP_SYS_ADMIN and CAP_BPF might be relevant 11525/head
Otto Moerbeek [Tue, 12 Apr 2022 08:22:14 +0000 (10:22 +0200)] 
both CAP_SYS_ADMIN and CAP_BPF might be relevant

Co-authored-by: Remi Gacogne <github@coredump.fr>

3 years ago Update moment.min.js (path traversal fix; we are unaffected) 11524/head
Otto Moerbeek [Tue, 12 Apr 2022 05:52:38 +0000 (07:52 +0200)] 
Update moment.min.js (path traversal fix; we are unaffected)

Also remove unused moment.js

3 years ago Merge pull request #11507 from omoerbeek/rec-proxy-by-table-domain
Otto Moerbeek [Tue, 12 Apr 2022 08:14:24 +0000 (10:14 +0200)] 
Merge pull request #11507 from omoerbeek/rec-proxy-by-table-domain

Rec: proxy by table per domain queried

3 years ago Typo spotted by reviewer 11507/head
Otto Moerbeek [Tue, 12 Apr 2022 07:25:31 +0000 (09:25 +0200)] 
Typo spotted by reviewer

Co-authored-by: Peter van Dijk <peter.van.dijk@powerdns.com>

3 years ago Mention addCapabilitiesToRetain in eBPF docs.
Otto Moerbeek [Tue, 12 Apr 2022 06:23:28 +0000 (08:23 +0200)] 
Mention addCapabilitiesToRetain in eBPF docs.