Matthijs Mekking [Thu, 22 Aug 2024 10:11:29 +0000 (10:11 +0000)]
fix: usr: Fix algoritm rollover bug when there are two keys with the same keytag
If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key. This has been fixed by not only checking for matching key tag but also key algorithm.
Closes #4878
Merge branch '4878-fix-algorithm-rollover-keytag-conflict-bug' into 'main'
Matthijs Mekking [Wed, 21 Aug 2024 15:14:48 +0000 (17:14 +0200)]
Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.
Fix this by not only checking for matching key id but also key
algorithm.
Matthijs Mekking [Thu, 22 Aug 2024 07:15:00 +0000 (07:15 +0000)]
new: usr: Support for Offline KSK implemented
Add a new configuration option `offline-ksk` to enable Offline KSK key management. Signed Key Response (SKR) files created with `dnssec-ksr` (or other program) can now be imported into `named` with the new `rndc skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY records and generating signatures covering these types, these records are loaded from the currently active bundle from the imported SKR.
The implementation is loosely based on: https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt
Closes #1128
Merge branch '1128-offline-ksk-rndc-import-skr' into 'main'
Matthijs Mekking [Wed, 19 Jun 2024 11:41:07 +0000 (13:41 +0200)]
Update key states in offline-ksk mode
With offline-ksk enabled, we don't run the keymgr because the key
timings are determined by the SKR. We do update the key states but
we derive them from the timing metadata.
Then, we can skip a other tasks in offline-ksk mode, like DS checking
at the parent and CDS synchronization, because the CDS and CDNSKEY
RRsets also come from the SKR.
Matthijs Mekking [Wed, 19 Jun 2024 09:09:29 +0000 (11:09 +0200)]
Add code to store SKR
This added source code stores SKR data. It is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt
A SKR contains a list of signed DNSKEY RRsets. Each change in data
should be stored in a separate bundle. So if the RRSIG is refreshed that
means it is stored in the next bundle. Likewise, if there is a new ZSK
pre-published, it is in the next bundle.
In addition (not mentioned in the draft), each bundle may contain
signed CDS and CDNSKEY RRsets.
Each bundle has an inception time. These will determine when we need
to re-sign or re-key the zone.
Matthijs Mekking [Wed, 22 May 2024 09:19:20 +0000 (11:19 +0200)]
Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once
loaded the correct bundle should be used. Alsoe test cases where the
bundle is not the first bundle in the SKR.
Add the code and documentation required to provide KSR import using
rndc. This is just the command, and the feature is at this point in
time still not implemented.
Prepare the system test for tests that require a server to import
created SKR files. This means the test script needs adjustments to
take into account the directory test files are located.
In addition, the check_keys function is renamed to ksr_check_keys
because the name clashes with check_keys from kasp.sh. It also has an
extra parameter added, offset, that can be used to check ksr files that
are created in the past or future.
Matthijs Mekking [Fri, 22 Mar 2024 10:48:53 +0000 (11:48 +0100)]
Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.
Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.
Ondřej Surý [Wed, 21 Aug 2024 11:56:10 +0000 (11:56 +0000)]
fix: usr: Fix rare assertion failure when shutting down incoming transfer
A very rare assertion failure can be triggered when the incoming transfer is either forcefully shut down or it is finished during printing the details about the statistics channel. This has been fixed.
Closes #4860
Merge branch '4860-destroy-xfrin-timers-on-the-loop' into 'main'
Ondřej Surý [Mon, 19 Aug 2024 08:14:19 +0000 (10:14 +0200)]
Destroy the dns_xfrin isc_timers on the correct loop
There are few places where we attach/detach from the dns_xfrin object
while running on a different thread than the zone's assigned thread -
xfrin_xmlrender() in the statschannel and dns_zone_stopxfr() to name the
two places where it happens now. In the rare case, when the incoming
transfer completes (or shuts down) in the brief period between the other
thread attaches and detaches from the dns_xfrin, the isc_timer_destroy()
calls would be called by the last thread calling the xfrin_detach().
In the worst case, it would be this other thread causing assertion
failure. Move the isc_timer_destroy() call to xfrin_end() function
which is always called on the right thread and to match this move
isc_timer_create() to xfrin_start() - although this other change makes
no difference.
Arаm Sаrgsyаn [Tue, 20 Aug 2024 17:30:26 +0000 (17:30 +0000)]
new: usr: Print the full path of the working directory in startup log messages
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.
Closes #4731
Merge branch '4731-log-workdir-full-path' into 'main'
Aram Sargsyan [Tue, 20 Aug 2024 11:30:13 +0000 (11:30 +0000)]
Print the full path of the working directory in startup log messages
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.
Ondřej Surý [Tue, 20 Aug 2024 14:58:39 +0000 (14:58 +0000)]
chg: dev: Use seteuid()/setegid() instead of setreseuid()/setresgid()
It looks like that all supported systems now have support for
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
those will not change saved used/group IDs.
Closes #4862
Merge branch '4862-just-use-seteuid-and-setegid' into 'main'
Ondřej Surý [Tue, 20 Aug 2024 11:44:06 +0000 (13:44 +0200)]
Use seteuid()/setegid() instead of setreseuid()/setresgid()
It looks like that all supported systems now have support for
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
those will not change saved used/group IDs.
Ondřej Surý [Tue, 20 Aug 2024 13:57:57 +0000 (13:57 +0000)]
fix: test: Allow TTL skew in the badcache print unit test
If the machine running the job is extra loaded (or extra slow), the
print test in the badcache unit test would fail because the TTL would be
59 (possibly even lower) and the test expects the badcache.out to only
have TTL 60. Refactor the test to check for the expected strings and
check whether the TTL is in the expected range.
Closes #4861
Merge branch '4861-allow-TTL-skew-in-badcache_test' into 'main'
Ondřej Surý [Mon, 19 Aug 2024 09:01:08 +0000 (11:01 +0200)]
Allow TTL skew in the badcache print unit test
If the machine running the job is extra loaded (or extra slow), the
print test in the badcache unit test would fail because the TTL would be
59 (possibly even lower) and the test expects the badcache.out to only
have TTL 60. Refactor the test to check for the expected strings and
check whether the TTL is in the expected range.
Ondřej Surý [Tue, 20 Aug 2024 12:56:04 +0000 (12:56 +0000)]
chg: dev: Use single logging context for everything
Instead of juggling different logging context, use one single logging
context that gets initialized in the libisc constructor and destroyed in
the libisc destructor.
Closes #4848
Merge branch '4848-refactor-isc_log-api-to-use-single-global-logging-context' into 'main'
Ondřej Surý [Wed, 14 Aug 2024 11:25:50 +0000 (13:25 +0200)]
Convert all categories and modules into static lists
Remove the complicated mechanism that could be (in theory) used by
external libraries to register new categories and modules with
statically defined lists in <isc/log.h>. This is similar to what we
have done for <isc/result.h> result codes. All the libraries are now
internal to BIND 9, so we don't need to provide a mechanism to register
extra categories and modules.
Ondřej Surý [Tue, 13 Aug 2024 15:16:57 +0000 (17:16 +0200)]
Remove isc_log_write1() and isc_log_vwrite1() functions
The isc_log_write1() and isc_log_vwrite1() functions were meant to
de-duplicate the messages sent to the isc_log subsystem. However, they
were never used in an entire code base and the whole mechanism around it
was complicated and very inefficient. Just remove those, there are
better ways to deduplicate syslog messages inside syslog daemons now.
Ondřej Surý [Tue, 13 Aug 2024 13:52:51 +0000 (15:52 +0200)]
Replace isc_log_create/destroy with isc_logconfig_get()
Add isc_logconfig_get() function to get the current logconfig and use
the getter to replace most of the little dancing around setting up
logging in the tools. Thus:
For thread-safety, isc_logconfig_get() should be surrounded by RCU read
lock, but since we never use isc_logconfig_get() in threaded context,
the only place where it is actually used (but not really needed) is
named_log_init().
Ondřej Surý [Tue, 13 Aug 2024 12:46:42 +0000 (14:46 +0200)]
Use single logging context for everything
Instead of juggling different logging context, use one single logging
context that gets initialized in the libisc constructor and destroyed in
the libisc destructor.
The application is still responsible for creating the logging
configuration before using the isc_log API.
This patch is first in the series in a way that it is transparent for
the users of the isc_log API as the isc_log_create() and
isc_log_destroy() are now thin shims that emulate the previous
functionality, but it isc_log_create() will always return internal
isc__lctx pointer and isc_log_destroy() will actually not destroy the
internal isc__lctx context.
Ondřej Surý [Tue, 20 Aug 2024 12:46:09 +0000 (12:46 +0000)]
fix: test: Ignore ISC_R_CONNECTIONRESET in the TCP tests
On FreeBSD, the TCP connection callback could spuriously receive
ISC_R_CONNECTIONRESET even when connection to the loopback interface.
Skip the other checks in such case and graciously shutdown the TCP
connection.
Closes #4849
Merge branch '4849-dispatch_test-fails-in-connected_shutdown-on-freebsd' into 'main'
Ondřej Surý [Wed, 14 Aug 2024 08:01:33 +0000 (10:01 +0200)]
Ignore ISC_R_CONNECTIONRESET in the TCP tests
On FreeBSD, the TCP connection callback could spuriously receive
ISC_R_CONNECTIONRESET even when connection to the loopback interface.
Skip the other checks in such case and graciously shutdown the TCP
connection.
Petr Špaček [Tue, 20 Aug 2024 12:36:36 +0000 (12:36 +0000)]
chg: Update Internal_use_only-CVE.md checklist changing some tasks
Update Internal_use_only-CVE.md checklist changing some tasks and responsibilities reflecting the new ASN process with RT vs SF. Support will now be sending ASNs to customers, although Marketing will announce the new releases (both publicly and to support customers).
Nicki Křížek [Tue, 13 Aug 2024 15:28:50 +0000 (17:28 +0200)]
Omit MR link from release notes
When manually handling the release notes (due to rst markup, fixups
etc.), the different MR number for backports causes needless friction.
Remove the reference from release notes and keep it only in changelog
which isn't manually redacted.
Nicki Křížek [Tue, 13 Aug 2024 15:20:54 +0000 (17:20 +0200)]
Sort changelog & relnotes entries by issue number
To reduce the friction when handling the release notes, it is preferable
to have the sections sorted by issue number, rather than merge order.
Fallback to commit subject line if unavailable (e.g. for changelog
entries).
Ondřej Surý [Tue, 20 Aug 2024 10:22:08 +0000 (10:22 +0000)]
fix: dev: Fix the resesuid() shim implementation for NetBSD
The shim implementation of setresuid() was wrong - there was a copy and
paste error and it was calling setresgid() instead. This only affects
NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
setresgid() implementation available from the system library.
Closes #4862
Merge branch '4862-fix-setresuid-shim' into 'main'
Ondřej Surý [Tue, 20 Aug 2024 07:14:31 +0000 (09:14 +0200)]
Fix the resesuid() shim implementation for NetBSD
The shim implementation of setresuid() was wrong - there was a copy and
paste error and it was calling setresgid() instead. This only affects
NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
setresgid() implementation available from the system library.
Nicki Křížek [Mon, 19 Aug 2024 14:10:10 +0000 (14:10 +0000)]
chg: ci: Allow rerun of unstable statschannel tests under TSAN
The test_traffic_json and test_traffic_xml occasionally fail when
running under TSAN. This happens in CI and is most likely a result of
some instability that doesn't seem to be easily reproduced.
Closes #4598
Merge branch '4598-mark-statschannel-test-flaky' into 'main'
Nicki Křížek [Mon, 12 Aug 2024 13:43:19 +0000 (15:43 +0200)]
Allow rerun of unstable statschannel tests under TSAN
The test_traffic_json and test_traffic_xml occasionally fail when
running under TSAN. This happens in CI and is most likely a result of
some instability that doesn't seem to be easily reproduced.
Arаm Sаrgsyаn [Mon, 19 Aug 2024 11:39:29 +0000 (11:39 +0000)]
chg: dev: Process also the ISC_R_CANCELED result code in rpz_rewrite()
Log canceled resolver queries (e.g. when shutting down a hung
fetch) in DEBUG3 level instead of DEBUG1 which is used for the
"unrecognized" result codes.
Closes #4797
Merge branch '4797-rpz_rewrite-add-ISC_R_CANCELED-processing' into 'main'
Ondřej Surý [Mon, 19 Aug 2024 09:57:48 +0000 (09:57 +0000)]
fix: dev: Check the result of dirfd() before calling unlinkat()
Instead of directly using the result of dirfd() in the unlinkat() call,
check whether the returned file descriptor is actually valid. That
doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the right
error returned directly by dirfd() instead of EBADF from unlinkat().
Closes #4853
Merge branch '4853-check-result-of-dirfd-in-isc_log' into 'main'
Ondřej Surý [Thu, 15 Aug 2024 07:23:31 +0000 (09:23 +0200)]
Check the result of dirfd() before calling unlinkat()
Instead of directly using the result of dirfd() in the unlinkat() call,
check whether the returned file descriptor is actually valid. That
doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the right
error returned directly by dirfd() instead of EBADF from unlinkat().
Ondřej Surý [Thu, 15 Aug 2024 07:12:18 +0000 (09:12 +0200)]
Ignore errno returned from rewind() in the interface iterator
The clang-scan 19 has reported that we are ignoring errno after the call
to rewind(). As we don't really care about the result, just silence the
error, the whole code will be removed in the development version anyway
as it is not needed.
Ondřej Surý [Mon, 19 Aug 2024 09:09:09 +0000 (09:09 +0000)]
fix: dev: Change the NS_PER_SEC (and friends) from enum to static const
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums. In this case, we used enum {}
as C17 doesn't have constexpr yet. Change the time conversion constants
to be static const unsigned int instead of enum values.
Closes #4845
Merge branch '4845-change-NS_PER_SEC-type-from-enum-to-integer' into 'main'
Ondřej Surý [Wed, 14 Aug 2024 14:10:18 +0000 (16:10 +0200)]
Use constexpr for NS_PER_SEC and friends constants
The contexpr introduced in C23 standard makes perfect sense to be used
instead of preprocessor macros - the symbols are kept, etc. Define
ISC_CONSTEXPR to be `constexpr` for C23 and `static const` for the older
C standards. Use the newly introduced macro for the NS_PER_SEC and
friends time constants.
Ondřej Surý [Wed, 14 Aug 2024 14:10:18 +0000 (16:10 +0200)]
Change the NS_PER_SEC (and friends) from enum to static const
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums. In this case, we used enum {}
as C17 doesn't have constexpr yet. Change the time conversion constants
to be static const unsigned int instead of enum values.
Ondřej Surý [Thu, 15 Aug 2024 21:03:26 +0000 (21:03 +0000)]
chg: test: For TSAN builds, use libraries from /opt/tsan
The new TSAN images, the TSAN-enabled images install libraries to
opt/tsan, synchronize the configure options and CFLAGS between gcc:tsan
and clang:tsan images and set the PKG_CONFIG_PATH to /opt/tsan/lib.
Additionally, drop Debian bullseye that's EOL now.
Merge branch 'ondrej/use-staging-tsan-images' into 'main'
Ondřej Surý [Thu, 15 Aug 2024 17:54:58 +0000 (19:54 +0200)]
For TSAN builds, use libraries from /opt/tsan
The new TSAN images, the TSAN-enabled images install libraries to
/opt/tsan, synchronize the configure options and CFLAGS between gcc:tsan
and clang:tsan images and set the PKG_CONFIG_PATH to /opt/tsan/lib.
Arаm Sаrgsyаn [Thu, 15 Aug 2024 12:55:28 +0000 (12:55 +0000)]
fix: dev: Check if logconfig is NULL before using it in isc_log_doit()
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
because it's possible that isc_log_destroy() was already called, e.g.
when a 'call_rcu' function wants to log a message during shutdown.
Closes #4842
Merge branch '4842-shutdown-crash-in-isc_log_doit' into 'main'
Aram Sargsyan [Tue, 13 Aug 2024 09:45:26 +0000 (09:45 +0000)]
Check if logconfig is NULL before using it in isc_log_doit()
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
because it's possible that isc_log_destroy() was already called, e.g.
when a 'call_rcu' function wants to log a message during shutdown.
Arаm Sаrgsyаn [Thu, 15 Aug 2024 12:51:03 +0000 (12:51 +0000)]
fix: dev: Add -Wno-psabi to CFLAGS for x86 (32-bit) builds
GCC 11.1+ emits a note during compilation when there are 64-bit
atomic fields in a structure, because it fixed a compiler bug
by changing the alignment of such fields, which caused ABI change.
Add -Wno-psabi to CFLAGS for such builds in order to silence the
warning. That shouldn't be a problem since we don't expose our
structures to the outside.
Closes #4841
Merge branch '4841-alignment-of-_Atomic-long-long-unsigned-int' into 'main'
Aram Sargsyan [Thu, 15 Aug 2024 10:28:40 +0000 (10:28 +0000)]
Add -Wno-psabi to CFLAGS for x86 (32-bit) builds
GCC 11.1+ emits a note during compilation when there are 64-bit
atomic fields in a structure, because it fixed a compiler bug
by changing the alignment of such fields, which caused ABI change.
Add -Wno-psabi to CFLAGS for such builds in order to silence the
warning. That shouldn't be a problem since we don't expose our
structures to the outside.
Ondřej Surý [Thu, 15 Aug 2024 11:56:49 +0000 (11:56 +0000)]
chg: test: Reduce the size of hashmap_nodes.h file
Instead of keeping the whole array of test_node_t objects, just keep the
hashvalues and generated the rest of the test_node_t on the fly. The
test still works this way and the file size has been reduced from 2M to
90k.
Closes #4851
Merge branch '4851-generate-problematic-isc_hashmap-test-data' into 'main'
Ondřej Surý [Thu, 15 Aug 2024 08:02:14 +0000 (10:02 +0200)]
Reduce the size of hashmap_nodes.h file
Instead of keeping the whole array of test_node_t objects, just keep the
hashvalues and generated the rest of the test_node_t on the fly. The
test still works this way and the file size has been reduced from 2M to
90k.
Since changelog entries are now generated from MR title&description,
they aren't sanity checked during a regular docs build. If these contain
special sequences that will be interpreted by sphinx, it might result in
breakage that would have to be amended manually.
Add a CI check to test a doc build with changelog after the MR is merged
to ensure that the docs can be built when generating changelog from
pristine git contents.
Related #4847
Merge branch 'nicki/add-changelog-entry-check' into 'main'
Nicki Křížek [Tue, 13 Aug 2024 12:00:43 +0000 (14:00 +0200)]
Use python3 in shebang lines for util scripts
Some distributions (notably, debian bookworm) have deprecated the
`python` interpreter in favor of `python3`. Since our scripts are
python3 anyway, use the proper numbered version in shebang to make
scripts easily executable.
Nicki Křížek [Mon, 12 Aug 2024 12:51:31 +0000 (14:51 +0200)]
Check that generated changelog entry doesn't break docs build
Since changelog entries are now generated from MR title&description,
they aren't sanity checked during a regular docs build. If these contain
special sequences that will be interpreted by sphinx, it might result in
breakage that would have to be amended manually.
Add a CI check to test a doc build with changelog after the MR is merged
to ensure that the docs can be built when generating changelog from
pristine git contents.
Ondřej Surý [Wed, 14 Aug 2024 15:19:11 +0000 (15:19 +0000)]
fix: dev: Fix the assertion failure in the isc_hashmap iterator
When the round robin hashing reorders the map entries on deletion, we
were adjusting the iterator table size only when the reordering was
happening at the internal table boundary. The iterator table size had
to be reduced by one to prevent seeing the entry that resized on
position [0] twice because it migrated to [iter->size - 1] position.
However, the same thing could happen when the same entry migrates a
second time from [iter->size - 1] to [iter->size - 2] position (and so
on) because the check that we are manipulating the entry just in the [0]
position was insufficient. Instead of checking the position [pos == 0],
we now check that the [pos % iter->size == 0], thus ignoring all the
entries that might have moved back to the end of the internal table.
Closes #4838
Merge branch '4838-fix-assertion-failure-in-hashmap-deletion-iterator' into 'main'
Ondřej Surý [Mon, 12 Aug 2024 13:22:54 +0000 (15:22 +0200)]
Skip already rehashed positions in the old hashmap table
When iterating through the old internal hashmap table, skip all the
nodes that have been already migrated to the new table. We know that
all positions with index less than .hiter are NULL.
Ondřej Surý [Mon, 12 Aug 2024 13:17:00 +0000 (15:17 +0200)]
Fix the assertion failure in the isc_hashmap iterator
When the round robin hashing reorders the map entries on deletion, we
were adjusting the iterator table size only when the reordering was
happening at the internal table boundary. The iterator table size had
to be reduced by one to prevent seeing the entry that resized on
position [0] twice because it migrated to [iter->size - 1] position.
However, the same thing could happen when the same entry migrates a
second time from [iter->size - 1] to [iter->size - 2] position (and so
on) because the check that we are manipulating the entry just in the [0]
position was insufficient. Instead of checking the position [pos == 0],
we now check that the [pos % iter->size == 0], thus ignoring all the
entries that might have moved back to the end of the internal table.
Add second iterator test with a well-known configuration of the nodes
array that causes the last element of the array to migrate two times to
the previous node.
Nicki Křížek [Tue, 13 Aug 2024 08:33:02 +0000 (10:33 +0200)]
Fix ordering of gitchangelog replacement regexs
Prior to this change, the issue number could be accidentally removed by
the `Backport of` text, depending on the order of the MR description
contents. Ensure all the removals for text in MR descriptions happen
first, and only then run the replacement regex for issue number, which
appends it to the end of the last non-empty line (which will no longer
be removed).
The only removals that happen after the replacement are guaranteed to
always happen after the end of MR description, since they're
auto-generated by gitlab when the merge commit is created, thus won't
affect the line with the issue number.
Also remove the needless isc-private/bind9 replacement. References
to private MRs are already removed by the very first regex.
Ondřej Surý [Wed, 14 Aug 2024 12:52:01 +0000 (12:52 +0000)]
fix: dev: Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config. This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this. Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.
Merge branch 'ondrej/silence-warnings-from-default-config' into 'main'
projects / thirdparty / bind9.git / log
