Instead of passing the edectx from the fetchctx into all subvalidators,
make the ede context ownership explict for dns_resolver_createfetch()
callers, and copy the ede result codes from the children validators to
the parent when finishing the validation process.
chg: dev: Remove zero initialization of large buffers
Profiles show that an high amount of CPU time spent in memset.
By removing zero initalization of certain large buffers we improve
performance in certain authoritative workloads.
Closes #5159
Merge branch '5159-do-not-zero-qp-search-buffers' into 'main'
alessio [Thu, 30 Jan 2025 11:33:48 +0000 (12:33 +0100)]
Remove zero initialization of large buffers
Profiles show that an high amount of CPU time spent in memset.
By removing zero initalization of certain large buffers we improve
performance in certain authoritative workloads.
chg: ci: Update issue closing regex in dangerfile.py
Update issue regex in danger file
The regular expression in `dangerfile.py` has been updated to match
the one in GitLab and bind9-qa (isc-projects/bind9-qa!41), i.e.
https://docs.gitlab.com/user/project/issues/managing_issues/#default-closing-pattern.
Merge branch 'andoni/update-issue-regex-in-danger-file' into 'main'
Update the regular expression used for extracting references to GitLab
issues closed by a given merge request so that it is identical to the
one used by GitLab [1].
TSAN reports a lock-order-inversion (potential deadlock) issue in
`add_trace_entry()`.
While it is true that in one case a lock in the `isc_mem_t` structure is
locked first, and then a lock in the `FILE` structure is locked second,
and in the the second case it is the other way around, this isn't an
issue, because those are `FILE` structures for totally different files,
used in different parts of the code.
Closes #5266
Merge branch '5266-freebsd-suppress-tsan-lock-order-inversion-false-positive' into 'main'
TSAN reports a lock-order-inversion (potential deadlock) issue in
add_trace_entry():
WARNING: ThreadSanitizer: lock-order-inversion (potential deadlock)
Cycle in lock order graph: M0001 (0x000000000001) => M0002 (0x000000000002) => M0001
Mutex M0002 acquired here while holding mutex M0001 in main thread:
#0 _pthread_mutex_lock /usr/src/contrib/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1342:3
#1 add_trace_entry lib/isc/mem.c:210:2
#2 isc__mem_get lib/isc/mem.c:606:2
#3 isc_buffer_allocate lib/isc/./include/isc/buffer.h:1080:23
#4 pushandgrow lib/isc/lex.c:321:3
#5 isc_lex_gettoken lib/isc/lex.c:445:22
#6 cfg_gettoken lib/isccfg/parser.c:3490:11
#7 cfg_parse_mapbody lib/isccfg/parser.c:2230:3
#8 cfg_parse_obj lib/isccfg/parser.c:247:11
#9 parse2 lib/isccfg/parser.c:628:11
#10 cfg_parse_file lib/isccfg/parser.c:668:11
#11 load_configuration bin/named/server.c:8069:13
#12 run_server bin/named/server.c:9518:2
#13 isc__async_cb lib/isc/async.c:110:3
#14 uv__async_io /tmp/libuv-1.50.0/src/unix/async.c:208:5
#15 uv__io_poll /tmp/libuv-1.50.0/src/unix/kqueue.c:369:9
#16 uv_run /tmp/libuv-1.50.0/src/unix/core.c:460:5
#17 loop_thread lib/isc/loop.c:327:6
#18 thread_body lib/isc/thread.c:89:8
#19 isc_thread_main lib/isc/thread.c:124:2
#20 isc_loopmgr_run lib/isc/loop.c:513:2
#21 main bin/named/main.c:1469:2
Mutex M0001 previously acquired by the same thread here:
#0 _pthread_mutex_lock /usr/src/contrib/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1342:3
#1 _flockfile /usr/src/lib/libc/stdio/_flock_stub.c:72:3
#2 cfg_gettoken lib/isccfg/parser.c:3490:11
#3 cfg_parse_mapbody lib/isccfg/parser.c:2230:3
#4 cfg_parse_obj lib/isccfg/parser.c:247:11
#5 parse2 lib/isccfg/parser.c:628:11
#6 cfg_parse_file lib/isccfg/parser.c:668:11
#7 load_configuration bin/named/server.c:8069:13
#8 run_server bin/named/server.c:9518:2
#9 isc__async_cb lib/isc/async.c:110:3
#10 uv__async_io /tmp/libuv-1.50.0/src/unix/async.c:208:5
#11 uv__io_poll /tmp/libuv-1.50.0/src/unix/kqueue.c:369:9
#12 uv_run /tmp/libuv-1.50.0/src/unix/core.c:460:5
#13 loop_thread lib/isc/loop.c:327:6
#14 thread_body lib/isc/thread.c:89:8
#15 isc_thread_main lib/isc/thread.c:124:2
#16 isc_loopmgr_run lib/isc/loop.c:513:2
#17 main bin/named/main.c:1469:2
Mutex M0001 acquired here while holding mutex M0002 in main thread:
#0 _pthread_mutex_lock /usr/src/contrib/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1342:3
#1 _flockfile /usr/src/lib/libc/stdio/_flock_stub.c:72:3
#2 print_active lib/isc/mem.c:629:3
#3 isc_mem_stats lib/isc/mem.c:694:2
#4 main bin/named/main.c:1498:4
Mutex M0002 previously acquired by the same thread here:
#0 _pthread_mutex_lock /usr/src/contrib/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1342:3
#1 isc_mem_stats lib/isc/mem.c:668:2
#2 main bin/named/main.c:1498:4
SUMMARY: ThreadSanitizer: lock-order-inversion (potential deadlock) lib/isc/mem.c:210:2 in add_trace_entry
In the first stack frame ('M0001'->'M0002' lock order) cfg_gettoken()
uses flockfile() to lock 'M0001' for the 'FILE' object associated with
the configuration file (e.g. the configuration file itself and
whatever it includes, like a zone database), then it locks a memory
context mutex M0002.
In the other stack frmae ('M0002'->'M0001' lock order) isc_mem_stats()
locks a memory context mutex M0002, then it uses fprintf(), which
internally locks a 'M0001' mutex with flockfile() to write into the
'named.memstats' memory statistics file.
While it is true that in one case a lock in the 'isc_mem_t' structure is
locked first, and then a lock in the 'FILE' structure is locked second,
and in the the second case it is the other way around, this isn't an
issue, because those are 'FILE' structures for totally different files,
used in different parts of the code.
It was also manually confirmed that 'named.memstats' doesn't get
processed by cfg_gettoken(), and is used only in the second stack
frame's code flow when named is exiting.
new: ci: Allow pushing branches and tags to customer git repos
For pipelines in the private repository, add an optional manual job,
which allows the current branch to be pushed into the specified
customer's git repository. This can be useful to provide patch previews
for early testing.
For tags created in a private repository, add a manual job which pushes
the created tag to all entitled customers.
Merge branch 'nicki/ci-customer-git-automation' into 'main'
Nicki Křížek [Tue, 25 Mar 2025 15:51:24 +0000 (16:51 +0100)]
Allow pushing branches and tags to customer git repos
For pipelines in the private repository, add an optional manual job,
which allows the current branch to be pushed into the specified
customer's git repository. This can be useful to provide patch previews
for early testing.
For tags created in a private repository, add a manual job which pushes
the created tag to all entitled customers.
chg: nil: Suppress FreeBSD-specific TSAN false-positive data race
TSAN reports a data race in FreeBSD's memset(), called by its
__crt_calloc() memory allocation function. There is a very similar
bug report [1] in FreeBSD bug tracker, and an existing code-review [2]
that tries to address an issue, the description of which is very
similar to what we are seeing.
Suppress this report by adding its signature to '.tsan-suppress'.
Suppress FreeBSD-specific TSAN false-positive data race
TSAN reports a data race in FreeBSD's memset(), called by its
__crt_calloc() memory allocation function. There is a very similar
bug report [1] in FreeBSD bug tracker, and an existing code-review [2]
that tries to address an issue, the description of which is very
similar to what we are seeing.
Suppress this report by adding its signature to '.tsan-suppress'.
Evan Hunt [Mon, 31 Mar 2025 21:21:06 +0000 (21:21 +0000)]
fix: dev: Switch to ISC_LIST_FOREACH everywhere
The pattern `for (x = ISC_LIST_HEAD(...); x != NULL; ISC_LIST_NEXT(...)` has been changed to `ISC_LIST_FOREACH` throughout BIND, except in a few
cases where the change would be excessively complex.
In most cases this was a straightforward change. In some places, however, the list element variable was referenced after the loop ended. Where possible, code has now been refactored to avoid this necessity.
`ISC_LIST_FOREACH` has also been modified to use `typeof(list.head)` to declare list elements automatically. When the list object to be iterated is declared with a `const` qualifier, the qualifier is passed along to the element declaration, causing a compilation failure. To avoid this problem, some `const` qualifiers have been removed; where that was not possible, `UNCONST` was used.
Evan Hunt [Sat, 22 Mar 2025 22:26:16 +0000 (15:26 -0700)]
use ISC_LIST_FOREACH in more places
use the ISC_LIST_FOREACH pattern in places where lists had
been iterated using a different pattern from the typical
`for` loop: for example, `while (!ISC_LIST_EMPTY(...))` or
`while ((e = ISC_LIST_HEAD(...)) != NULL)`.
Evan Hunt [Fri, 21 Mar 2025 05:25:56 +0000 (22:25 -0700)]
switch to ISC_LIST_FOREACH everywhere
the pattern `for (x = ISC_LIST_HEAD(...); x != NULL; ISC_LIST_NEXT(...)`
has been changed to `ISC_LIST_FOREACH` throughout BIND, except in a few
cases where the change would be excessively complex.
in most cases this was a straightforward change. in some places,
however, the list element variable was referenced after the loop
ended, and the code was refactored to avoid this necessity.
also, because `ISC_LIST_FOREACH` uses typeof(list.head) to declare
the list elements, compilation failures can occur if the list object
has a `const` qualifier. some `const` qualifiers have been removed
from function parameters to avoid this problem, and where that was not
possible, `UNCONST` was used.
Ondřej Surý [Mon, 31 Mar 2025 14:02:59 +0000 (14:02 +0000)]
rem: usr: Drop readline alternatives in favor of libedit
Libedit is now ubiquitous and has a license compatible with
MPL 2.0. We are now dropping readline (GPL 3.0) and editline (obsolete) support
in favor of libedit.
Merge branch 'ondrej/cleanup-various-readline-libraries' into 'main'
Artem Boldariev [Fri, 28 Mar 2025 07:20:16 +0000 (09:20 +0200)]
Add isc_tls_valid_sni_hostname()
Add a function that checks if a 'hostname' is not a valid IPv4 or IPv6
address. Returns 'true' if the hostname is likely a domain name, and
'false' if it represents an IP address.
Colin Vidal [Fri, 28 Mar 2025 14:51:59 +0000 (14:51 +0000)]
fix: test: fix out-of-tree mem_test
Previously changed mem_test (!10320) introduces a test which checks for
the value of `__FILE__`, which is different if the build is done
out-of-tree or not, even though this is not relevant for the test (only
the base filename is). This result in a broken test for out-of-tree
builds. Fix this by changing the way the "grep" is done in the test,
ignoring the optional path prefix in the filename.
Merge branch 'colin-fix-outoftree-memtest' into 'main'
Colin Vidal [Fri, 28 Mar 2025 11:55:49 +0000 (12:55 +0100)]
fix out-of-tree mem_test
Previously changed mem_test (!10320) introduces a test which checks for
the value of `__FILE__`, which is different if the build is done
out-of-tree or not, even though this is not relevant for the test (only
the base filename is). This result in a broken test for out-of-tree
builds. Fix this by changing the way the "grep" is done in the test,
ignoring the optional path prefix in the filename.
Evan Hunt [Fri, 28 Mar 2025 04:03:42 +0000 (04:03 +0000)]
fix: nil: Fix out-of-tree test
A recent change to the dnssec system test depended on a file
that is only in the source tree, not in the build tree, and was
therefore not available in out-of-tree builds.
Evan Hunt [Fri, 28 Mar 2025 02:59:53 +0000 (19:59 -0700)]
Fix out-of-tree test
A recent change to the dnssec system test depended on a file
that is only in the source tree, not in the build tree, and was
therefore not available in out-of-tree builds.
Aydın Mercan [Sun, 16 Mar 2025 16:54:18 +0000 (19:54 +0300)]
implement the systemd notification protocol manually, drop libsystemd
libsystemd, despite being useful, adds a huge surface area for just
using the sd_notify API. libsystemd's surface has been exploited in the
past [1].
Implement the systemd notification protocol by hand since it is just
sending newline-delimited datagrams to a UNIX socket. The code shouldn't
need more attention in the future since the notification protocol is
covered under systemd's stability promise [2].
We don't need to support VSOCK-backed service notifications since they
are only intended for virtual machine inits.
Colin Vidal [Thu, 27 Mar 2025 12:15:24 +0000 (12:15 +0000)]
fix: dev: copy __FILE__ when allocating memory
When allocating memory under -m trace|record, the __FILE__ pointer is
stored, so it can be printed out later in order to figure out in which
file an allocation leaked. (among others, like the line number).
However named crashes when called with -m record and using a plugin
leaking memory. The reason is that plugins are unloaded earlier than
when the leaked allocations are dumped (obviously, as it's done as late
as possible). In such circumstances, `__FILE__` is dangling because the
dynamically loaded library (the plugin) is not in memory anymore.
Fix the crash by systematically copying the `__FILE__` string
instead of copying the pointer. Of course, this make each allocation to
consume a bit more memory (and longer, as it needs to calculate the
length of `__FILE__`) but this occurs only under -m trace|record debugging
flags.
Colin Vidal [Tue, 25 Mar 2025 13:35:49 +0000 (14:35 +0100)]
copy __FILE__ when allocating memory
When allocating memory under -m trace|record, the __FILE__ pointer is
stored, so it can be printed out later in order to figure out in which
file an allocation leaked. (among others, like the line number).
However named crashes when called with -m record and using a plugin
leaking memory. The reason is that plugins are unloaded earlier than
when the leaked allocations are dumped (obviously, as it's done as late
as possible). In such circumstances, __FILE__ is dangling because the
dynamically loaded library (the plugin) is not in memory anymore.
Fix the crash by systematically copying the __FILE__ string
instead of copying the pointer. Of course, this make each allocation to
consume a bit more memory (and longer, as it needs to calculate the
length of __FILE__) but this occurs only under -m trace|record debugging
flags.
In term of unit test, because grepping in C is not fun, and because the
whole "syntax" of the dump output is tested in other tests, this simply
search for a substring in the whole buffer to make sure the expected
allocations are found.
Arаm Sаrgsyаn [Thu, 27 Mar 2025 09:35:14 +0000 (09:35 +0000)]
new: usr: Add an rndc command to reset some statistics counters
The new ``reset-stats`` command for ``rndc`` allows some statistics
counters to be reset during runtime. At the moment only two "high-water"
counters are supported, so the ability to reset them after the
initial peaks during the server's "warm-up" phase may be useful for
some operators.
Closes #5251
Merge branch '5251-feature-rndc-reset-high-water-statistics' into 'main'
Aram Sargsyan [Tue, 25 Mar 2025 10:44:20 +0000 (10:44 +0000)]
Implement rndc reset-stats counter-name
This new rndc option allows to reset some statistics counters during
runtime. At this moment only the high-water type counters are supported
as such an ability to reset them after the initial peaks during the
server's "warm-up" phase can be useful for some operators.
Alessio Podda [Thu, 27 Mar 2025 03:23:47 +0000 (03:23 +0000)]
fix: dev: Refactor to use list-like macro for message sections
In the code base it is very common to iterate over all names in a message
section and all rdatasets for each name, but various idioms are used for
iteration.
This commit standardizes them as much as possible to a single idiom,
through the macro `MSG_SECTION_FOREACH`, similar to the existing
`ISC_LIST_FOREACH`.
Merge branch 'alessio/message-namelist-refactor' into 'main'
alessio [Wed, 19 Mar 2025 19:29:17 +0000 (20:29 +0100)]
Refactor to use list-like macro for message sections
In the code base it is very common to iterate over all names in a message
section and all rdatasets for each name, but various idioms are used for
iteration.
This commit standardizes them as much as possible to a single idiom,
using the macro MSG_SECTION_FOREACH, similar to the existing
ISC_LIST_FOREACH.
Evan Hunt [Thu, 27 Mar 2025 00:06:22 +0000 (00:06 +0000)]
chg: nil: Move application of dns64 to a separate function
The code in `query_dns64()` that applies the dns64 prefixes to an A rdataset has been moved into the `dns_dns64` module, and `dns_dns64_destroy()` now unlinks the dns64 object from its containing list.
With these changes, we no longer need the list-manipulation API calls, `dns_dns64_next()` and `dns_dns64_unlink()`.
Evan Hunt [Sun, 23 Mar 2025 20:45:04 +0000 (13:45 -0700)]
move application of dns64 to a separate function
the code in query_dns64() that applies the dns64 prefixes to
an A rdataset has been moved into the dns_dns64 module, and
dns_dns64_destroy() now unlinks the dns64 object from its
containing list. with these changes, we no longer need the
list-manipulation API calls dns_dns64_next() and
dns_dns64_unlink().
Evan Hunt [Wed, 26 Mar 2025 23:21:15 +0000 (23:21 +0000)]
chg: usr: Improve the LRU cache-expiration mechanism
Improve the LRU cache-expiration mechanism to a SIEVE-LRU based mechanism that triggers when the cache is close to the `max-cache-size` limit. This improves the recursive server performance.
Ondřej Surý [Sun, 23 Feb 2025 13:36:35 +0000 (14:36 +0100)]
Add isc_sieve unit implementing SIEVE-LRU algorithm
This is the core implementation of the SIEVE algorithm described in the
following paper:
Zhang, Yazhuo, Juncheng Yang, Yao Yue, Ymir Vigfusson, and K V
Rashmi. “SIEVE Is Simpler than LRU: An Efficient Turn-Key Eviction
Algorithm for Web Caches,” n.d.. available online from
https://junchengyang.com/publication/nsdi24-SIEVE.pdf
Colin Vidal [Wed, 26 Mar 2025 13:30:01 +0000 (13:30 +0000)]
new: test: IPv6 case to isc_netaddr_masktoprefixlen tests
Unit test for isc_netaddr_masktoprefixlen were missing IPv6 mask cases.
Add those and few other IPv4 cases. Also, the test is refactored in
order to make it easy to add new cases.
Colin Vidal [Wed, 26 Mar 2025 09:44:11 +0000 (10:44 +0100)]
IPv6 case to isc_netaddr_masktoprefixlen tests
Unit test for isc_netaddr_masktoprefixlen were missing IPv6 mask cases.
Add those and few other IPv4 cases. Also, the test is refactored in
order to make it easy to add new cases.
The string literal initialalising compressed was too big for the
array as it has an unwanted NUL terminator. This is allowed for
in C for historical reasons but produces a warning with some
compilers. Adjust the declaration to include the NUL and adjust
the users to pass in an adjusted size which excludes the NUL rather
than sizeof(compressed).
Closes #5258
Merge branch '5258-avoid-warning-initialising-compresss' into 'main'
Mark Andrews [Wed, 26 Mar 2025 03:31:25 +0000 (14:31 +1100)]
Silence warning when initialising compress
The string literal initialalising compressed was too big for the
array as it has an unwanted NUL terminator. This is allowed for
in C for historical reasons but produces a warning with some
compilers. Adjust the declaration to include the NUL and adjust
the users to pass in an adjusted size which excludes the NUL rather
than sizeof(compressed).
Evan Hunt [Wed, 26 Mar 2025 01:37:49 +0000 (01:37 +0000)]
fix: nil: Fix broken dnssec test
When !10262 was rebased prior to merging, there was a new
use of dnssec-keygen -n in the dnssec system test that had
not been removed in the branch, causing a test failure.
This has been fixed.
Evan Hunt [Wed, 26 Mar 2025 01:01:24 +0000 (18:01 -0700)]
fix broken dnssec test
When !10262 was rebased prior to merging, there was a
use of dnssec-keygen -n in the dnssec system test that had
not been removed, causing a test failure. This has been fixed.
Evan Hunt [Tue, 25 Mar 2025 23:49:11 +0000 (23:49 +0000)]
rem: usr: Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel
The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was derived from it) had several options dating to the time when keys in DNS were still experimental and not fully specified, and when `dnssec-keygen` had the additional function of generating TSIG keys, which are now generated by `tsig-keygen`. These options are no longer necessary in the modern DNSSEC environment, and have been removed.
The removed options are:
- `-t` (key type), which formerly set flags to disable confidentiality or authentication support in a key; these are no longer used.
- `-n` (name type), which is now always set to "ZONE" for DNSKEY and "HOST" for KEY.
- `-p` (protocol), which is now always set to 3 (DNSSEC); no other value has ever been defined.
- `-s` (signatory field), which was never fully defined.
- `-d` (digest bits), which is meaningful only for TSIG keys.
Merge branch 'each-remove-keygen-options' into 'main'
Evan Hunt [Sat, 15 Mar 2025 05:50:44 +0000 (22:50 -0700)]
Remove -s option from dnssec-keygen
The -s option (previously incorrectly documented as "strength")
actually set the signatory flags for KEY fields, which are unused.
The option is not needed.
Evan Hunt [Sat, 15 Mar 2025 05:41:12 +0000 (22:41 -0700)]
Remove -p option from dnssec-keygen/keyfromlabel
The -p (protocol) option for all keys defaults to 3 (DNSSEC).
There is currently no practical reason to use any other value;
we can simplify things by removing the option.
Evan Hunt [Fri, 14 Mar 2025 02:57:24 +0000 (19:57 -0700)]
Remove -n option from dnssec-keygen/keyfromlabel
The -n (nametype) option for keys defaults to ZONE for DNSKEY
type keys, and HOST for KEY type keys. There is currently no
practical reason to use any other name type; we can simplify
things by removing the option.
Evan Hunt [Thu, 13 Mar 2025 19:20:55 +0000 (12:20 -0700)]
Remove -t option from dnssec-keygen/keyfromlabel
The key type flag (indicating whether a key is valid for
authentication, confidentiality, or both) is essentially
unused. By default, all DNSKEY and KEY records are valid
for both uses. Non-authenticating DNSKEY records are undefined
and meaningless, and validity checks for flags in KEY records
are sporadic at best.
We can simplify the parameters to dnssec-keygen by removing
the -t option completely.
Michal Nowak [Tue, 25 Mar 2025 15:52:47 +0000 (15:52 +0000)]
fix: test: Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:
I:Check HTTP/1.1 keep-alive with truncated stream (21)
curl: option --header: error encountered when reading a file
curl: try 'curl --help' or 'curl --manual' for more information
Also, see https://github.com/curl/curl/pull/16572.
Closes #5249
Merge branch '5249-statschannel-limit-http-header-size' into 'main'
Michal Nowak [Tue, 25 Mar 2025 13:14:52 +0000 (14:14 +0100)]
Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:
I:Check HTTP/1.1 keep-alive with truncated stream (21)
curl: option --header: error encountered when reading a file
curl: try 'curl --help' or 'curl --manual' for more information
Also, see https://github.com/curl/curl/pull/16572.
Ondřej Surý [Tue, 25 Mar 2025 09:58:09 +0000 (09:58 +0000)]
rem: dev: Remove lock upgrading from the hot path in the QP cache
In QPcache, there were two places that tried to upgrade the lock. In `clean_stale_header()`, the code would try to upgrade the lock and clean up the header, and in `qpzonode_release()`, the tree lock would be optionally upgraded, so we can clean up the node directly if empty. These
optimizations are not needed and they have no effect on the performance.
Merge branch 'ondrej/no-lock-upgrade-in-check_stale_headers' into 'main'
Ondřej Surý [Fri, 21 Mar 2025 02:06:16 +0000 (03:06 +0100)]
Remove lock upgrading from the hot path in the cache
In QPcache, there were two places that tried to upgrade the lock. In
clean_stale_header(), the code would try to upgrade the lock and cleanup
the header, and in qpzonode_release(), the tree lock would be optionally
upgraded, so we can cleanup the node directly if empty. These
optimizations are not needed and they have no effect on the performance.
Evan Hunt [Tue, 25 Mar 2025 06:39:07 +0000 (06:39 +0000)]
fix: usr: Don't enforce NOAUTH/NOCONF flags in DNSKEYs
All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, and are not applicable to DNSKEY. Previously, however, because the DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag prevented authentication in DNSKEYs as well. This has been corrected.
Closes #5240
Merge branch '5240-ignore-noauth-flag' into 'main'
Evan Hunt [Fri, 14 Mar 2025 00:44:49 +0000 (17:44 -0700)]
Don't check DNS_KEYFLAG_NOAUTH
All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH
(and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY.
Previously, because the DNSKEY implementation was built on top of
KEY, the NOAUTH flag prevented authentication in DNSKEYs as well.
This has been corrected.
Evan Hunt [Thu, 13 Mar 2025 19:20:40 +0000 (12:20 -0700)]
Tidy up keyvalue.h definitions
Use enums for DNS_KEYFLAG_, DNS_KEYTYPE_, DNS_KEYOWNER_, DNS_KEYALG_,
and DNS_KEYPROTO_ values.
Remove values that are never used.
Eliminate the obsolete DNS_KEYFLAG_SIGNATORYMASK. Instead, add three
more RESERVED bits for the key flag values that it covered but which
were never used.
Michał Kępień [Tue, 25 Mar 2025 04:06:01 +0000 (04:06 +0000)]
chg: test: Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module. The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
Closes #5012
Merge branch '5012-upforwd-asyncserver' into 'main'
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module. The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Add a response handler for ignoring all queries
Dropping all incoming queries is a typical use case for a custom server
used in BIND 9 system tests. Add a response handler implementing that
behavior so that it can be reused.
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Make response handlers global by default
Instead of requiring each class inheriting from ResponseHandler to
define its match() method, make the latter non-abstract and default to
returning True for all queries. This will reduce the amount of
boilerplate code in custom servers.
Evan Hunt [Tue, 25 Mar 2025 01:11:07 +0000 (01:11 +0000)]
chg: usr: When forwarding, query with CD=0 first
Previously, when queries were forwarded to a remote resolver, the CD (checking disabled) bit was used, which could lead to bogus data being retrieved that might have been corrected if validation had been permitted. The CD bit is now only used as a fallback if an initial query without CD fails. See #5132.
Evan Hunt [Sat, 25 Jan 2025 02:00:14 +0000 (18:00 -0800)]
when forwarding, try with CD=0 first
when sending a query to a forwarder for a name within a secure domain,
the first query is now sent with CD=0. when the forwarder itself
is validating, this will give it a chance to detect bogus data and
replace it with valid data before answering. this reduces our chances
of being stuck with data that can't be validated.
if the forwarder returns SERVFAIL to the initial query, the query
will be repeated with CD=1, to allow for the possibility that the
forwarder's validator is faulty or that the bogus answer is covered
by an NTA.
note: previously, CD=1 was only sent when the query name was in a
secure domain. today, validating servers have a trust anchor at the
root by default, so virtually all queries are in a secure domain.
therefore, the code has been simplified. as long as validation is
enabled, any forward query that receives a SERVFAIL response will be
retried with CD=1.
Mark Andrews [Mon, 24 Mar 2025 23:09:39 +0000 (23:09 +0000)]
new: usr: Add support for EDNS ZONEVERSION option
`dig` and `named` can now make requests with an EDNS `ZONEVERSION` option present.
Two new `named.conf` options have been added: `request-zoneversion` and
`provide-zoneversion`. `request-zoneversion` is `off` by default. `provide-zoneversion`
is `on` by default.
Closes #4767
Merge branch '4767-implement-zoneversion' into 'main'
Mark Andrews [Fri, 14 Jun 2024 01:23:53 +0000 (11:23 +1000)]
Add option request-zoneversion
This can be set at the option, view and server levels and causes
named to add an EDNS ZONEVERSION option to requests. Replies are
logged to the 'zoneversion' category.
Mark Andrews [Wed, 12 Jun 2024 22:36:32 +0000 (08:36 +1000)]
Return EDNS ZONEVERSION if requested
If there was an EDNS ZONEVERSION option in the DNS request and the
answer was from a zone, return the zone's serial and number of
labels excluding the root label with the type set to 0 (ZONE-SERIAL).
Michal Nowak [Mon, 24 Mar 2025 14:11:03 +0000 (14:11 +0000)]
fix: ci: Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Merge branch 'mnowak/more-lenient-respdiff-limits' into 'main'
Michal Nowak [Wed, 19 Mar 2025 13:02:32 +0000 (14:02 +0100)]
Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Evan Hunt [Thu, 20 Mar 2025 18:25:05 +0000 (18:25 +0000)]
fix: dev: Optimize key ID check when searching for matching keys
When searching through a DNSKEY or KEY rrset for the key matching a particular algorithm and ID, it's a waste of time to convert every key into a `dst_key` object; it's faster to compute the key ID from the rdata, then do the full key conversion after determining that we've found the right key. This optimization was already used in the validator, but it's been refactored for code clarity, and is now also used in query.c and message.c.
Merge branch 'each-refactor-key-search' into 'main'
Evan Hunt [Fri, 14 Mar 2025 23:41:47 +0000 (16:41 -0700)]
optimize key ID check when searching for matching keys
when searching a DNSKEY or KEY rrset for the key that matches
a particular algorithm and ID, it's a waste of time to convert
every key into a dst_key object; it's faster to compute the key
ID by checksumming the region, and then only do the full key
conversion once we know we've found the correct key.
this optimization was already in use in the validator, but it's
been refactored for code clarity, and is now also used in query.c
and message.c.
Evan Hunt [Thu, 13 Mar 2025 20:01:47 +0000 (13:01 -0700)]
move dns_zonekey_iszonekey() to dns_dnssec module
dns_zonekey_iszonekey() was the only function defined in the
dns_zonekey module, and was only called from one place. it
makes more sense to group this with dns_dnssec functions.
Alessio Podda [Thu, 20 Mar 2025 13:00:12 +0000 (13:00 +0000)]
chg: dev: Switch symtab to use fxhash hashing
This merge request resolves some performance regressions introduced
with the change from isc_symtab_t to isc_hashmap_t.
The key improvements are:
1. Using a faster hash function than both isc_hashmap_t and
isc_symtab_t. The previous implementation used SipHash, but the
hashflood resistance properties of SipHash are unneeded for config
parsing.
2. Shrinking the initial size of the isc_hashmap_t used inside
isc_symtab_t. Symtab is mainly used for config parsing, and the
when used that way it will have between 1 and 50 keys, but the
previous implementation initialized a map with 128 slots.
By initializing a smaller map, we speed up mallocs and optimize for
the typical case of few config keys.
3. Slight optimization of the string matching in the hashmap, so that
the tail is handled in a single load + comparison, instead of byte
by byte.
Of the three improvements, this is the least important.
alessio [Thu, 27 Feb 2025 06:37:04 +0000 (07:37 +0100)]
Switch symtab to use fxhash hashing
This merge request resolves some performance regressions introduced
with the change from isc_symtab_t to isc_hashmap_t.
The key improvements are:
1. Using a faster hash function than both isc_hashmap_t and
isc_symtab_t. The previous implementation used SipHash, but the
hashflood resistance properties of SipHash are unneeded for config
parsing.
2. Shrinking the initial size of the isc_hashmap_t used inside
isc_symtab_t. Symtab is mainly used for config parsing, and the
when used that way it will have between 1 and ~50 keys, but the
previous implementation initialized a map with 128 slots.
By initializing a smaller map, we speed up mallocs and optimize for
the typical case of few config keys.
3. Slight optimization of the string matching in the hashmap, so that
the tail is handled in a single load + comparison, instead of byte
by byte.
Of the three improvements, this is the least important.
projects / thirdparty / bind9.git / log
