Ondřej Surý [Mon, 4 Dec 2023 11:21:33 +0000 (12:21 +0100)]
Use proper padding instead of using alignas()
As it was pointed out, the alignas() can't be used on objects larger
than `max_align_t` otherwise the compiler might miscompile the code to
use auto-vectorization on unaligned memory.
As we were only using alignas() as a way to prevent false memory
sharing, we can use manual padding in the affected structures.
Ondřej Surý [Thu, 8 Feb 2024 07:30:38 +0000 (08:30 +0100)]
Use DNS_QPGC_MAYBE instead of DNS_QPGC_ALL for more realistic load
In the benchmarks, DNS_QPGC_ALL was trying to hard to cleanup QP
and this was slowing down QP too much. Use DNS_QPGC_MAYBE instead
that we are going to use anyway for more realistic load - this also
shows the memory usage matching the real loads.
Ondřej Surý [Mon, 29 Jan 2024 15:36:30 +0000 (16:36 +0100)]
Optimize cname_and_other_data to stop as earliest as possible
Stop the cname_and_other_data processing if we already know that the
result is true. Also, we know that CNAME will be placed in the priority
headers, so we can stop looking for CNAME if we haven't found CNAME and
we are past the priority headers.
Ondřej Surý [Mon, 29 Jan 2024 15:36:30 +0000 (16:36 +0100)]
Optimize the slabheader placement for certain RRTypes
Mark the infrastructure RRTypes as "priority" types and place them at
the beginning of the rdataslab header data graph. The non-priority
types either go right after the priority types (if any).
Ondřej Surý [Tue, 6 Feb 2024 13:05:08 +0000 (14:05 +0100)]
Fix missing RRSIG for CNAME with different slabheader order
The cachedb was missing piece of code (already found in zonedb) that
would make lookups in the slabheaders to miss the RRSIGs for CNAME if
the order of CNAME and RRSIG(CNAME) was reversed in the node->data.
Ondřej Surý [Wed, 7 Feb 2024 14:25:13 +0000 (15:25 +0100)]
Remove isc__tls_setfatalmode() function and the calls
With _exit() instead of exit() in place, we don't need
isc__tls_setfatalmode() mechanism as the atexit() calls will not be
executed including OpenSSL atexit hooks.
Ondřej Surý [Wed, 7 Feb 2024 08:23:50 +0000 (09:23 +0100)]
Improve the rcu_barrier() call when destroying the mem context
Instead of crude 5x rcu_barrier() call in the isc__mem_destroy(), change
the mechanism to call rcu_barrier() until the memory use and references
stops decreasing. This should deal with any number of nested call_rcu()
levels.
Additionally, don't destroy the contextslock if the list of the contexts
isn't empty. Destroying the lock could make the late threads crash.
Ondřej Surý [Wed, 7 Feb 2024 13:44:39 +0000 (14:44 +0100)]
Use _exit() in the fatal() function
Since the fatal() isn't a correct but rather abrupt termination of the
program, we want to skip the various atexit() calls because not all
memory might be freed during fatal() call, etc. Using _exit() instead
of exit() has this effect - the program will end, but no destructors or
atexit routines will be called.
Aram Sargsyan [Fri, 10 Nov 2023 11:14:58 +0000 (11:14 +0000)]
Add a check for the 'first refresh' data in the stats channel
Currently we test the incoming zone transfers data in the statistics
channel by retransfering the zones in slow mode and capturing the XML
and JSON outputs in the meantime to check their validity. Add a new
transfer to the test, and check that the XML and JSON files correctly
indicate that we have 3 retransfers and 1 new (first time) transfer.
Aram Sargsyan [Fri, 10 Nov 2023 11:10:32 +0000 (11:10 +0000)]
Expose the 'first refresh' zone flag in rndc status
Expose the newly added 'first refresh' flag in the information
provided by the 'rndc staus' command, by showing the number of
zones, which are not yet fully ready, and their first refresh
is pending or is in-progress.
Aram Sargsyan [Thu, 14 Dec 2023 10:44:21 +0000 (10:44 +0000)]
Test trusted anchors configurations for 'dnssec-validation yes'
Add checks into the 'checkconf' system test to make sure that the
'dnssec-validation yes' option fails without configured trusted
anchors, and succeeds with configured non-empty, as well as empty
trusted anchors.
Aram Sargsyan [Thu, 14 Dec 2023 10:42:56 +0000 (10:42 +0000)]
Document new requirements for 'dnssec-validation yes'
Using the 'dnssec-validation yes' option now requires an explicitly
confgiured 'trust-anchors' statement (or 'managed-keys' or
'trusted-keys', both deprecated).
Aram Sargsyan [Thu, 14 Dec 2023 10:40:05 +0000 (10:40 +0000)]
Require trust anchors for 'dnnsec-validation yes'
Using the 'dnssec-validation yes' option now requires an explicitly
confgiured 'trust-anchors' statement (or 'managed-keys' or
'trusted-keys', both deprecated).
Matthijs Mekking [Mon, 15 Jan 2024 08:17:01 +0000 (09:17 +0100)]
Improve parental-agents definition in ARM
"A parental agent is the entity that is allowed to change a zone's
delegation information" is untrue, because it is possible to use some
hidden server or a validating resolver.
Also the new text makes it more clear that named sends DS queries to
these servers.
Aram Sargsyan [Wed, 31 Jan 2024 13:01:13 +0000 (13:01 +0000)]
Fix the DNS_GETDB_STALEFIRST flag
The DNS_GETDB_STALEFIRST flag is defined as 0x0C, which is the
combination of the DNS_GETDB_PARTIAL (0x04) and the
DNS_GETDB_IGNOREACL (0x08) flags (0x04 | 0x08 == 0x0C) , which is
an obvious error.
All the flags should be power of two, so they don't interfere with
each other. Fix the DNS_GETDB_STALEFIRST flag by setting it to 0x10.
Ondřej Surý [Mon, 11 Dec 2023 15:50:12 +0000 (16:50 +0100)]
Make the dns_validator validations asynchronous and limit it
Instead of running all the cryptographic validation in a tight loop,
spread it out into multiple event loop "ticks", but moving every single
validation into own isc_async_run() asynchronous event. Move the
cryptographic operations - both verification and DNSKEY selection - to
the offloaded threads (isc_work_enqueue), this further limits the time
we spend doing expensive operations on the event loops that should be
fast.
Limit the impact of invalid or malicious RRSets that contain crafted
records causing the dns_validator to do many validations per single
fetch by adding a cap on the maximum number of validations and maximum
number of validation failures that can happen before the resolving
fails.
Matthijs Mekking [Wed, 31 Jan 2024 10:44:07 +0000 (11:44 +0100)]
Don't also skip keymgr run if checkds is skipped
Checking the DS at the parent only happens if dns_zone_getdnsseckeys()
returns success. However, if this function somehow fails, it can also
prevent the keymgr from running.
Before adding the check DS functionality, the keymgr should only run
if 'dns_dnssec_findmatchingkeys()' did not return an error (either
ISC_R_SUCCESS or ISC_R_NOTFOUND). After this change the correct
result code is used again.
Matthijs Mekking [Wed, 31 Jan 2024 08:33:17 +0000 (09:33 +0100)]
dnssec-keygen man page still says it can do TSIG
Remove text in man page that says the program can also be used for
generate TSIG keys, this was removed in 9.13.0 but this text was still
not yet removed.
Evan Hunt [Tue, 31 Oct 2023 10:21:33 +0000 (11:21 +0100)]
check range of fetch-quota-param parameters
the 'low', 'high' and 'discount' parameters to 'fetch-quota-param'
are meant to be ratios with values between zero and one, but higher
values can be assigned. this could potentially lead to an assertion
in maybe_adjust_quota().
Aram Sargsyan [Fri, 19 Jan 2024 14:26:17 +0000 (14:26 +0000)]
fix another message parsing regression
The fix for CVE-2023-4408 introduced a regression in the message
parser, which could cause a crash if an rdata type that can only
occur in the question was found in another section.
Use 'dns__message_putassociatedrdataset()' instead of
'dns__message_puttemprdataset()', because after calling the
'dns_rdatalist_tordataset()' function earlier the 'rdataset'
is associated.
Evan Hunt [Tue, 16 Jan 2024 23:58:53 +0000 (15:58 -0800)]
fix a message parsing regression
the fix for CVE-2023-4408 introduced a regression in the message
parser, which could cause a crash if duplicate rdatasets were found
in the question section. this commit ensures that rdatasets are
correctly disassociated and freed when this occurs.
Matthijs Mekking [Fri, 26 Jan 2024 10:57:25 +0000 (11:57 +0100)]
Make max search depth variable in kasp system test
In the second test we are looking for key files and extract the key
id numbers. Because keys can be in different directories, we needed
to change the maxdepth when searching for keys.
For the second kasp system test, check that 'dnssec-keygen -k' (default
policy) creates valid files, the 'get_keyids' returned more than one
keytag, namely the ones that are inside the keys/ directory, that were
created for the predecessor test, check that 'dnssec-keygen -k'
(configuredd policy) creates valid files.
This caused the system test to spew out errors that key files were
missing (we were looking for key files in the current directory, but
when looking for key id numbers we included the keys/ directory). It
could also cause the next test to fail, check that 'dnssec-settime' by
default does not edit key state file, because the STATE_FILE environment
variable was overwritten with the key file path of one of the keys that
were created with the configured policy.
We fix this by adjusting the maxdepth for the test in question. Other
tests don't need adjusting because they use unique zone names.
Matthijs Mekking [Fri, 17 Nov 2023 16:09:00 +0000 (17:09 +0100)]
Refactor dns_keystore_directory()
Add a default key-directory parameter to the function that can
be returned if there is no keystore, or if the keystore directory
is NULL (the latter is also true for the built-in keystore).
Matthijs Mekking [Fri, 17 Nov 2023 09:45:05 +0000 (10:45 +0100)]
Better PKCS#11 label creation
When using the same PKCS#11 URI for a zone that uses different
DNSSEC policies, the PKCS#11 label could collide, i.e. the same
label could be used for different keys. Add the policy name to
the label to make it more unique.
Also, the zone name could contain characters that are interpreted
as special characters when parsing the PKCS#11 URI string. Mangle
the zone name through 'dns_name_tofilenametext()' to make it
PKCS#11 safe.
Move the creation to a separate function for clarity.
Furthermore, add a log message whenever a PKCS#11 object has been
successfully created.
Matthijs Mekking [Thu, 16 Nov 2023 14:24:19 +0000 (15:24 +0100)]
Remove "error reading" grep from kasp system test
This log may still occur if there is a DNSKEY in the unsigned zone.
This may happen in a multi-signer setup for example.
Ideally this should not log a warning, but that requires looking up
keys a different way (by searching for key files only). However, that
requires adapting a bunch of system tests, and is out of scope for now.
Matthijs Mekking [Thu, 16 Nov 2023 11:10:50 +0000 (12:10 +0100)]
Minor fixes in enginepkcs11 system test
- Shell function body should be in between curly braces.
- Some erroneous '|| return 1' are replaced with '|| ret=1'.
- Fix a variable name (was 'ret', should be '_ret').
- Clean up when setting up a new test.
Matthijs Mekking [Mon, 13 Nov 2023 13:40:59 +0000 (14:40 +0100)]
The use of isc_dir_t in keymgr is not needed
The internal keymgr used 'isc_dir_open(&dir)' and 'isc_dir_close(&dir)',
but was not using the variable 'dir`, other than checking if the
directory can be opened. Errors like these will be be caught already
in the dst_api function calls.
Matthijs Mekking [Mon, 16 Oct 2023 11:24:10 +0000 (13:24 +0200)]
No longer need to get generated key from label
The pkcs11-provider did not yet support getting X/Y coordinates
on newly generated EC PKEY keys, thus we attempted to get the
key from the label after it was generated in the keystore.
Matthijs Mekking [Tue, 10 Oct 2023 13:21:58 +0000 (15:21 +0200)]
Only run pkcs11engine test if pkcs11-provider is available
The bullseye and bookworm images are not set up with pkcs11-provider,
so we need to add an additional prerequisite for running the
pkcs11engine test. Check the path of OPENSSL_CONF.
Matthijs Mekking [Tue, 10 Oct 2023 13:18:11 +0000 (15:18 +0200)]
Specify key usage to be digital signature
If not set, the created keys allows signing plus decrypt which is bad
practice. Setting the key usage explicitly will generate keys that
allow only signing.
The pkcs11-provider has changed to take a PKCS#11 URI instead of an
object identifier. Change the BIND 9 code accordingly to pass through
the label instead of just the object identifier.
Matthijs Mekking [Tue, 20 Jun 2023 13:44:17 +0000 (15:44 +0200)]
Refactor findzonekeys
Move dns_dnssec_findzonekeys from the dnssec.{c,h} source code to
zone.{c,h} (the header file already commented that this should be done
inside dns_zone_t).
Alter the function in such a way, that keys are searched for in the
key stores if a 'dnssec-policy' (kasp) is attached to the zone,
otherwise keep using the zone's key-directory.
When using dnssec-policy with dnssec-keygen in combination with setting
the key-directory on the command line, the commandline argument takes
priority over the key-directory from the default named.conf.
Matthijs Mekking [Fri, 11 Mar 2022 14:33:08 +0000 (15:33 +0100)]
Test key-store with non-default directory
Add a test case where dnssec-policy uses key stores with a directory
other than the zone's key-directory.
This requires changing the kasp shell script to take into account that
keys can be in different directories. When looking for keys, the
'find' command now takes a maxdepth of 3 to also look for keys in
subdirectories. Note this maxdepth value is arbitrary, the added
'keystore.kasp' test only requires a maxdepth of 2.
Because of this change, the dnssec-keygen tests no longer work because
they are for the same zone (although different directories). Change
the test to use a different zone ('kasp2' instead of 'kasp').
When writing key files to disk, use the internally stored directory.
Add an access function 'dst_key_directory()'.
Most calls to keymgr functions no longer need to provide the
key-directory value. Only 'dns_keymgr_run' still needs access to
the zone's key-directory in case the key-store is set to the built-in
key-directory.
projects / thirdparty / bind9.git / log
