Ondřej Surý [Mon, 24 Aug 2020 12:40:39 +0000 (14:40 +0200)]
Make sure the maintainer files are clean after rebuild
When updating source files, we might forget to update pre-generated
files (generated by sphinx-build and cfg_gen) and then the extra changes
would get included in the random merge request.
This commit updates the tarball-create job to enable the maintainer
mode, then clean all maintainer files (`make maintainer-clean`) rebuild
all the file from scratch and compare the result which must be a clean
git directory.
Ondřej Surý [Tue, 11 Aug 2020 14:14:36 +0000 (16:14 +0200)]
Update and cleanup the readline library support
This commit updates and simplifies the checks for the readline support
in nslookup and nsupdate:
* Change the autoconf checks to pkg-config only, all supported
libraries have accompanying .pc files now.
* Add editline support in addition to libedit and GNU readline
* Add isc/readline.h shim header that defines dummy readline()
function when no readline library is available
Mark Andrews [Thu, 13 Aug 2020 02:18:57 +0000 (12:18 +1000)]
dns_rdata_fromwire_text fixes:
* Disallow compression pointers in names as we are not
reading from a packet and as a result length checks fail.
* Increase totext buffer size as fuzzer ran out of space on
big bitmaps.
* NUL terminate totext to make fault diagnosis easier.
* Add debugging messages to make fault diagnosie easier.
Mark Andrews [Thu, 13 Aug 2020 00:22:49 +0000 (10:22 +1000)]
base32_decode*() could incorrectly decode a input.
base32_decode_char() added a extra zero octet to the output
if the fifth character was a pad character. The length
of octets to copy to the output was set to 3 instead of 2.
Matthijs Mekking [Mon, 10 Aug 2020 15:09:44 +0000 (17:09 +0200)]
Fix check next key event check in kasp test
Prevent intermittent false positives on slow platforms by subtracting
the number of seconds which passed between key creation and invoking
'rndc dnssec -checkds'.
This particularly fails for the step3.csk-roll2.autosign zone because
the closest next key event is when the zone signatures become
omnipresent. Running 'rndc dnssec -checkds' some time later means
that the next key event is in fact closer than the calculated time
and thus we need to adjust the expected time by the time already
passed.
Ondřej Surý [Wed, 12 Aug 2020 19:06:26 +0000 (21:06 +0200)]
Add explicit support of OSS-Fuzz
The --enable-fuzzing option now allows third choice "ossfuzz" that just
adds $LIB_FUZZING_ENGINE to FUZZ_LDFLAGS to make the fuzzer builds
compatible with OSS-Fuzz project that has some special quirks (the
main() routine is provided in the static library the project provides).
Ondřej Surý [Wed, 12 Aug 2020 13:19:23 +0000 (15:19 +0200)]
Allow static linking in the developer mode
Previously, we have disallowed static linking (for good reasons).
However, there are legitimate reasons where static linking might be
useful, and one of the reasons is the OSS-Fuzz project that doesn't have
the libraries used for build, so static linking is the sane option here.
The static linking is still disallowed in the "production" builds, but
it's not possible to disable shared and enable static libraries when
used together with --enable-developer.
Ondřej Surý [Wed, 12 Aug 2020 09:29:30 +0000 (11:29 +0200)]
Really fuzz isc_lex_getmastertoken() in the test
There was a copy&paste error in fuzz/isc_lex_getmastertoken.c where we
didn't really test the function we wanted to test. Update the test to
have the input data to always include expected 'tokentype' in the first
byte, `eol` argument in the second byte and the rest of the input is the
data to parse.
Mark Andrews [Fri, 7 Aug 2020 08:00:41 +0000 (18:00 +1000)]
Address use after free between view, resolver and nta.
Hold a weak reference to the view so that it can't go away while
nta is performing its lookups. Cancel nta timers once all external
references to the view have gone to prevent them triggering new work.
Ondřej Surý [Mon, 10 Aug 2020 07:02:30 +0000 (09:02 +0200)]
Reduce the default RBT hash table size to 16 entries (4 bits)
The hash table rework MRs (!3865, !3871) increased the default RBT hash
table size from 64 to 65,536 entries (for 64-bit architectures, that is
512 bytes before vs. 524,288 bytes after). This works fine for RBTs
used for cache databases, but since three separate RBT databases are
created for every zone loaded (RRs, NSEC, NSEC3), memory usage would
skyrocket when BIND 9 is used as an authoritative DNS server with many
zones.
The default RBT hash table size before the rework was 64 entries, this
commit reduces it to 16 entries because our educated guess is that most
zones are just couple of entries (SOA, NS, A, AAAA, MX) and rehashing
small hash tables is actually cheap. The rework we did in the previous
MRs tries to avoid growing the hash tables for big-to-huge caches where
growing the hash table comes at a price because the whole cache needs to
be locked.
Ondřej Surý [Mon, 10 Aug 2020 07:02:30 +0000 (09:02 +0200)]
Reduce the default RBT hash table size to 16 entries (4 bits)
The hash table rework MRs (!3865, !3871) increased the default RBT hash
table size from 64 to 65,536 entries (for 64-bit architectures, that is
512 bytes before vs. 524,288 bytes after). This works fine for RBTs
used for cache databases, but since three separate RBT databases are
created for every zone loaded (RRs, NSEC, NSEC3), memory usage would
skyrocket when BIND 9 is used as an authoritative DNS server with many
zones.
The default RBT hash table size before the rework was 64 entries, this
commit reduces it to 16 entries because our educated guess is that most
zones are just couple of entries (SOA, NS, A, AAAA, MX) and rehashing
small hash tables is actually cheap. The rework we did in the previous
MRs tries to avoid growing the hash tables for big-to-huge caches where
growing the hash table comes at a price because the whole cache needs to
be locked.
Michał Kępień [Fri, 7 Aug 2020 12:35:05 +0000 (14:35 +0200)]
Do not run "make recheck" if the test suite fails
Running "make recheck" after the test suite fails hides intermittent
system test failures in GitLab CI. This makes it hard to identify which
branches are affected by a particular test failure mode and causes CI
results to be overly optimistic. Prevent "make recheck" from being run
when "make check" fails to ensure GitLab CI results properly reflect the
stability of the "main" branch.
Make sure the 'checkds' command correctly sets the right key timing
metadata and also make sure that it rejects setting the key timing
metadata if there are multiple keys with the KSK role and no key
identifier is provided.
With 'checkds' replacing 'parent-registration-delay', the kasp
test needs the expected times to be adjusted. Also the system test
needs to call 'rndc dnssec -checkds' to progress the rollovers.
Since we pretend that the KSK is active as soon as the DS is
submitted (and parent registration delay is no longer applicable)
we can simplify the 'csk_rollover_predecessor_keytimes' function
to take only one "addtime" parameter.
This commit also slightly changes the 'check_dnssecstatus' function,
passing the zone as a parameter.
Don't strip off the final character when printing times in key files.
With the introduction of 'rndc dnssec -status' we introduced
'isc_stdtime_tostring()'. This changed in behavior such that it was no
longer needed to strip of the final '\n' of the string format
datetime. However, in 'printtime()' it still stripped the final
character.
Add a new 'rndc' command 'dnssec -checkds' that allows the user to
signal named that a new DS record has been seen published in the
parent, or that an existing DS record has been withdrawn from the
parent.
Upon the 'checkds' request, 'named' will write out the new state for
the key, updating the 'DSPublish' or 'DSRemoved' timing metadata.
This replaces the "parent-registration-delay" configuration option,
this was unreliable because it was purely time based (if the user
did not actually submit the new DS to the parent for example, this
could result in an invalid DNSSEC state).
Because we cannot rely on the parent registration delay for state
transition, we need to replace it with a different guard. Instead,
if a key wants its DS state to be moved to RUMOURED, the "DSPublish"
time must be set and must not be in the future. If a key wants its
DS state to be moved to UNRETENTIVE, the "DSRemoved" time must be set
and must not be in the future.
By default, with '-checkds' you set the time that the DS has been
published or withdrawn to now, but you can set a different time with
'-when'. If there is only one KSK for the zone, that key has its
DS state moved to RUMOURED. If there are multiple keys for the zone,
specify the right key with '-key'.
projects / thirdparty / bind9.git / log
