Michał Kępień [Fri, 28 Jun 2019 10:12:46 +0000 (12:12 +0200)]
dnstap-read: clear buffer before expanding it
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed. Clear the output buffer before expanding it to prevent
this issue from occurring.
Matthijs Mekking [Tue, 25 Jun 2019 07:41:51 +0000 (09:41 +0200)]
named-checkconf -i: ignore deprecate warnings
Adds a new option to named-checkconf, -i. If set, named-checkconf
will not warn you about deprecated options. This allows people
to use named-checkconf in automated deployment precoesses where an
operator only cares if their conf is valid, even if it is not optimal.
This was added as a request as part of introducing a policy on
removing named.conf options.
Evan Hunt [Wed, 12 Jun 2019 03:32:21 +0000 (20:32 -0700)]
implement searching of geoip2 database
- revise mapping of search terms to database types to match the
GeoIP2 schemas.
- open GeoIP2 databases when starting up; close when shutting down.
- clarify the logged error message when an unknown database type
is configured.
- add new geoip ACL subtypes to support searching for continent in
country databases.
- map geoip ACL subtypes to specific MMDB database queries.
- perform MMDB lookups based on subtype, saving state between
queries so repeated lookups for the same address aren't necessary.
Evan Hunt [Tue, 11 Jun 2019 22:59:31 +0000 (15:59 -0700)]
add a search for GeoIP2 libraries in configure
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
(libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
is an error.
- an attempt is made to determine the default GeoIP2 database path at
compile time if pkg-config is able to report the module prefix. if
this fails, it will be necessary to set the path in named.conf with
geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
added for the eventual GeoIP2 search implementation.
Ondřej Surý [Wed, 19 Jun 2019 09:21:36 +0000 (11:21 +0200)]
Enforce usage -zrelax=transtls when GNU C Compiler is used on Solaris
When GNU C Compiler is used on Solaris (11), the Thread Local Storage
is completely broken. The behaviour doesn't manifest when GNU ld is
used. Thus, we need to enforce usage of GNU ld when GNU C Compiler is
the compiler of choice.
For more background for this change, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90912
Evan Hunt [Tue, 18 Jun 2019 00:11:00 +0000 (17:11 -0700)]
allow glue in authoritative responses to root priming queries
- when processing authoritative queries for ./NS, set 'gluedb' so
that glue will be included in the response, regardless of how
'minimal-responses' has been configured.
Evan Hunt [Wed, 26 Jun 2019 00:53:32 +0000 (17:53 -0700)]
don't overwrite the dns_master_loadfile() result before calling zone_postload()
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.
Michał Kępień [Wed, 26 Jun 2019 12:20:17 +0000 (14:20 +0200)]
Prevent "idna" test failures with libidn2 2.2.0+
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.
We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:
- this change in behavior is considered a libidn2 bug fix [1],
- we want to make sure dig behaves as expected, not libidn2,
- implementing that would require additional configure.ac cruft.
Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.
Michał Kępień [Wed, 26 Jun 2019 06:37:31 +0000 (08:37 +0200)]
Include <stdlib.h> in lib/dns/dnsrps.c
Since commit 0771dd3be8bad18f669de978f3be5e08cf2dbd6e, <isc/mem.h> no
longer includes <isc/xml.h>. On some systems (e.g. FreeBSD), this means
that no header included by lib/dns/dnsrps.c (and no header included by
those headers) contains a definition of free() any more, which triggers
a compiler warning as lib/dns/dnsrps.c calls that function. Add the
missing #include directive to prevent that warning from being triggered.
Michał Kępień [Tue, 25 Jun 2019 20:27:01 +0000 (22:27 +0200)]
Remove nonexistent function from libdns.def.in
No function called dns_dnssecsignstats_decrement() actually exists.
Putting it into lib/dns/win32/libdns.def.in breaks at least some Windows
builds. Remove the nonexistent function from that file.
Michał Kępień [Tue, 25 Jun 2019 12:30:16 +0000 (14:30 +0200)]
Wait for outgoing transfer statistics to be logged
Since the message confirming outgoing transfer completion is logged
asynchronously, it may happen that transfer statistics may not yet be
logged by the time the dig command triggering a given transfer returns.
This causes false positives for the "ixfr" and "xfer" system tests.
Prevent this from happening by checking outgoing transfer statistics up
to 10 times, in 1-second intervals.
Ondřej Surý [Mon, 24 Jun 2019 12:06:56 +0000 (14:06 +0200)]
Rename OPENSSL_INCLUDES to OPENSSL_CFLAGS in AX_CHECK_OPENSSL() macro
The ax_check_openssl m4 macro used OPENSSL_INCLUDES. Rename the
subst variable to OPENSSL_CFLAGS and wrap AX_CHECK_OPENSSL() in
action-if-not-found part of PKG_CHECK_MODULE check for libcrypto.
Ondřej Surý [Mon, 24 Jun 2019 10:21:47 +0000 (12:21 +0200)]
Make the usage of json-c objects opaque to the caller
The json-c have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
Ondřej Surý [Mon, 24 Jun 2019 12:25:55 +0000 (14:25 +0200)]
Make the usage of libxml2 opaque to the caller
The libxml2 have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
Matthijs Mekking [Fri, 21 Jun 2019 08:30:05 +0000 (10:30 +0200)]
Also collect DNSSEC refresh signature statistics
In addition to gather how many times signatures are created per
key in a zone, also count how many of those signature creations are
because of DNSSEC maintenance. These maintenance counters are
incremented if a signature is refreshed (but the RRset did not
changed), when the DNSKEY RRset is changed, and when that leads
to additional RRset / RRSIG updates (for example SOA, NSEC).
Matthijs Mekking [Thu, 20 Jun 2019 11:10:33 +0000 (13:10 +0200)]
Add tests for DNSSEC sign statistics
This adds tests to the statschannel system test for testing if
the dnskey sign operation counters are incremented correctly.
It tests three cases:
1. A zone maintenance event where all the signatures that are about
to expire are resigned.
2. A dynamic update event where the new RR and other relevant records
(SOA, NSEC) are resigned.
3. Adding a standby key, that means the DNSKEY and SOA RRset are
resigned.
Tony Finch [Fri, 14 Jun 2019 10:14:00 +0000 (11:14 +0100)]
When a server reload fails, print a note in `rndc status`.
After a failed reload I noticed two problems:
* There was a missing newline in the output of `rndc status` so it
finished "reload/reconfig in progressserver is up and running"
* The "reconfig in progress" note should have said "reconfig failed"
Ondřej Surý [Tue, 5 Feb 2019 14:14:21 +0000 (15:14 +0100)]
Get rid of overriding default --sysconfdir and --localstatedir autoconf options
Previously the autoconf script set sysconfdir to /etc and localstatedir to /var
if they were not explicitly set in the ./configure invocation. This MR reverts
the override and make it more in line with default and generally expected
autoconf behavior.
Ondřej Surý [Wed, 19 Jun 2019 12:26:49 +0000 (14:26 +0200)]
Add AM_MAINTAINER_MODE macro to configure.ac and enable it by default
AM_MAINTAINER_MODE macro adds ability to disable rebuilding build file
(Makefile.in, configure, ...) when the source file changes. This is
important in the CI where the timestamps could get skewed and that
triggers the rebuild on every ./configure run.
Ondřej Surý [Tue, 28 May 2019 21:15:38 +0000 (23:15 +0200)]
Merge unix/app.c and win32/app.c
The differences between two files are very minimal and most of the
code is common. Merge those two files and use #ifdef WIN32 to include
the right bits on Windows.
Michał Kępień [Fri, 7 Jun 2019 13:21:43 +0000 (15:21 +0200)]
Fix statistics for x86 Windows builds
Using atomic_int_fast64_t variables with atomic functions on x86 does
not cause Visual Studio to report build errors, but such operations
yield useless results. Since the isc_stat_t type is unconditionally
typedef'd to atomic_int_fast64_t, any code performing atomic operations
on isc_stat_t variables is broken in x86 Windows builds. Fix by using
the atomic_int_fast32_t type for isc_stat_t in x86 Windows builds.
Brian Conry [Tue, 18 Jun 2019 19:37:20 +0000 (14:37 -0500)]
Bump DNS_CLIENTINFOMETHODS_VERSION/_AGE to 2/1 in clientinfo.h
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was addet to the
dnsclientinfo struct. It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.
Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this changes takes a different approach by
syncing the values other way around.
Ondřej Surý [Tue, 18 Jun 2019 13:01:43 +0000 (15:01 +0200)]
Rename mctx in dnstest.c to dt_mctx to prevent any global/local name clashes
The common construct seen in the BIND 9 source is func(isc_mem_t *mctx, ...).
Unfortunately, the dnstest.{h,c} has been using mctx as a global symbol, which
in turn generated a lot of errors when update.c got included in update_test.c.
As a rule of thumb, we should avoid naming global symbols with generic names
(like mctx) and we should prefix them with "namespace" (like dt_mctx).
Ondřej Surý [Tue, 18 Jun 2019 12:56:41 +0000 (14:56 +0200)]
Make CHECK() macro local by moving it from dnstest.h to respective .c files
The CHECK() macro has been defined both in dnstest.h and update.c
files. This has created a conflict between macro definitions when
including both of the files in update_test.c. While the CHECK() macro
is convenient for the tests, it has been really used in just two
files, so the MR moves them into those respective .c files.
Ondřej Surý [Tue, 18 Jun 2019 12:48:00 +0000 (14:48 +0200)]
Fix spurious lib/dns/tests/update_test errors on macOS
lib/dns/tests/update_test was failing on macOS on random occasions. It
turned out this was a linker problem - it preferred isc_stdtime_get()
from libisc instead of the local version in lib/dns/tests/update_test.c.
Fix by including the original .c file in the unit test. This has two
benefits:
a) linking order may no longer cause issues as symbols found in the
same compilation unit are always preferred,
b) it allows writing tests for static functions in lib/dns/update.c.
Ondřej Surý [Wed, 19 Jun 2019 09:16:47 +0000 (11:16 +0200)]
Use couple more autoconf convenience macros to cleanup configure.ac
Pull and use several autoconf archive convenience macros to simplify
configure.ac.
* AX_CHECK_COMPILE_FLAG(FLAG, ...) - check whether given CFLAG works
* AX_CHECK_LINK_FLAG(FLAG, ...) - check whether given LDFLAG works
* AX_CHECK_PREPROC_FLAG(FLAG, ...) - check whether give CPPFLAG works
* AX_SAVE_FLAGS/AX_RESTORE_FLAGS - save and restore *FLAGS
Michał Kępień [Tue, 18 Jun 2019 07:14:07 +0000 (09:14 +0200)]
Always fail a system test if crashes are detected
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered. This must never be the case. Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).
Michał Kępień [Tue, 18 Jun 2019 06:51:50 +0000 (08:51 +0200)]
Fix transfer statistics extraction
Make the get_named_xfer_stats() helper shell function more precise in
order to prevent it from matching the wrong lines as that may trigger
false positives for the "ixfr" and "xfer" system tests. As an example,
the regular expression responsible for extracting the number of bytes
transmitted throughout an entire zone transfer could also match a line
containing the following string:
transfer of '<zone-name>/IN': sending TCP message of <integer> bytes
However, such a line is not one summarizing a zone transfer.
Also simplify both get_dig_xfer_stats() and get_named_xfer_stats() by
eliminating the need for "echo" statements in them.