Commit Graph
1031 Commits
Author SHA1 Message Date
alessio da0e48b611 Remove "port" from source address options
Remove the use of "port" when configuring query-source(-v6),
transfer-source(-v6), notify-source(-v6), parental-source(-v6),
etc. Remove the use of source ports for parental-agents.

Also remove the deprecated options use-{v4,v6}-udp-ports and
avoid-{v4,v6}udp-ports.
2024-09-12 08:15:58 +02:00
Mark Andrews b9246418e8 Fix named-checkconf and statistics-channels
If neither libxml2 nor libjson_c are available have named-checkconf
fail if a statistics-channels block is specified.
2024-09-12 09:21:44 +10:00
Mark Andrews 61faffd06f Add flag to named-checkconf to ignore "not configured" errors
named-checkconf now takes "-n" to ignore "not configured" errors.
This allows named-checkconf to check the syntax of configurations
from other builds which have support for more options.
2024-09-09 23:32:16 +00:00
Evan Hunt 642a1b985d remove the "dialup" and "heartbeat-interval" options
mark "dialup" and "heartbeat-interval" options as ancient and
remove the documentation and the code implementing them.
2024-08-22 11:11:10 -07:00
Aram Sargsyan c05a823e8b Implement the 'request-ixfr-max-diffs' configuration option
This limits the maximum number of received incremental zone
transfer differences for a secondary server. Upon reaching the
confgiured limit, the secondary aborts IXFR and initiates a full
zone transfer (AXFR).
2024-08-22 13:42:27 +00:00
Mark Andrews c5bc0a1805 Add optional range directive to keys in dnssec-policy 2024-08-22 12:12:02 +00:00
Matthijs Mekking 0598381236 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.
2024-08-22 08:21:52 +02:00
Ondřej Surý 091d738c72 Convert all categories and modules into static lists
Remove the complicated mechanism that could be (in theory) used by
external libraries to register new categories and modules with
statically defined lists in <isc/log.h>.  This is similar to what we
have done for <isc/result.h> result codes.  All the libraries are now
internal to BIND 9, so we don't need to provide a mechanism to register
extra categories and modules.
2024-08-20 12:50:39 +00:00
Ondřej Surý 8506102216 Remove logging context (isc_log_t) from the public namespace
Now that the logging uses single global context, remove the isc_log_t
from the public namespace.
2024-08-20 12:50:39 +00:00
Ondřej Surý b2dda86254 Replace isc_log_create/destroy with isc_logconfig_get()
Add isc_logconfig_get() function to get the current logconfig and use
the getter to replace most of the little dancing around setting up
logging in the tools. Thus:

    isc_log_create(mctx, &lctx, &logconfig);
    isc_log_setcontext(lctx);
    dns_log_setcontext(lctx);
    ...
    ...use lcfg...
    ...
    isc_log_destroy();

is now only:

    logconfig = isc_logconfig_get(lctx);
    ...use lcfg...

For thread-safety, isc_logconfig_get() should be surrounded by RCU read
lock, but since we never use isc_logconfig_get() in threaded context,
the only place where it is actually used (but not really needed) is
named_log_init().
2024-08-20 12:50:39 +00:00
Ondřej Surý 86f1ec34dc Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config.  This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this.  Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.
2024-08-14 12:50:31 +00:00
Evan Hunt 104f3b82fb implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.
2024-08-07 13:20:05 -07:00
Ondřej Surý ef7aba7072 Remove OpenSSL Engine support
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
and is going to be removed.  Remove the OpenSSL Engine support in favor
of OpenSSL Providers.
2024-08-06 15:17:48 +02:00
Ondřej SurýandAydın Mercan 8ccfbcfe72 Remove no longer needed OpenSSL shims and checks
Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind
of OpenSSL shims and checks for functions that are now always present in
the OpenSSL libraries.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Aydın Mercan <aydin@isc.org>
2024-08-05 10:23:59 +00:00
Aram SargsyanandNicki Křížek d69fab1530 Mark SIG(0) quota settings as experimantal
A different solution in the future might be adopted depending
on feedback and other new information, so it makes sense to mark
these options as EXPERIMENTAL until we have more data.
2024-06-10 17:36:45 +02:00
Aram SargsyanandNicki Křížek ad489c44df Remove sig0checks-quota-maxwait-ms support
Waiting for a quota to appear complicates things and wastes
rosources on timer management. Just answer with REFUSE if
there is no quota.
2024-06-10 17:33:11 +02:00
Aram SargsyanandNicki Křížek c7f79a0353 Add a quota for SIG(0) signature checks
In order to protect from a malicious DNS client that sends many
queries with a SIG(0)-signed message, add a quota of simultaneously
running SIG(0) checks.

This protection can only help when named is using more than one worker
threads. For example, if named is running with the '-n 4' option, and
'sig0checks-quota 2;' is used, then named will make sure to not use
more than 2 workers for the SIG(0) signature checks in parallel, thus
leaving the other workers to serve the remaining clients which do not
use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are
offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain
clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum
amount of time for named to wait for a quota to appear. If during that
time no new quota becomes available, named will answer to the client
with DNS_R_REFUSED.
2024-06-10 17:33:08 +02:00
Ondřej SurýandNicki Křížek 52b3d86ef0 Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k).  As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).

Add a configurable limit to cap the number of the RR types for a single
owner.  This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
2024-06-10 16:55:09 +02:00
Ondřej SurýandNicki Křížek 32af7299eb Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.

Add a configurable limit to cap the number of the RRs in a single RRSet.
This is enforced at the database (rbtdb, qpzone, qpcache) level and
configured with new max-records-per-type configuration option that can
be configured globally, per-view and per-zone.
2024-06-10 16:55:07 +02:00
Matthijs Mekking c3d8932f79 Add checkconf check for signatures-jitter
Having a value higher than signatures-validity does not make sense
and should be treated as a configuration error.
2024-04-18 09:50:33 +02:00
Matthijs Mekking 2a4daaedca Add signatures-jitter option
Add an option to speficy signatures jitter.
2024-04-18 09:50:10 +02:00
Ondřej Surý 304b5ec1ad Deprecate fixed value for the rrset-order option
Mark the "fixed" value for the "rrset-order" option deprecated, so we
can remove it in the future.
2024-04-02 15:21:00 +00:00
Ondřej Surý 7c96bf3e71 Deprecate sortlist option
Mark the sortlist option deprecated, so we can remove it in the
future.
2024-04-02 16:26:39 +02:00
Matthijs Mekking e39de45adc Detect invalid durations
Be stricter in durations that are accepted. Basically we accept ISO 8601
formats, but fail to detect garbage after the integers in such strings.

For example, 'P7.5D' will be treated as 7 days. Pass 'endptr' to
'strtoll' and check if the endptr is at the correct suffix.
2024-03-14 08:51:46 +01:00
Evan HuntandMatthijs Mekking 92b305be4b add a compile-time option to select default zone and cache DB
by default, QPDB is the database used by named and all tools and
unit tests. the old default of RBTDB can now be restored by using
"configure --with-zonedb=rbt --with-cachedb=rbt".

some tests have been fixed so they will work correctly with either
database.

CHANGES and release notes have been updated to reflect this change.
2024-03-06 10:49:02 +01:00
Evan HuntandMatthijs Mekking bb4464181a switch database defaults from "rbt" to "qp"
replace the string "rbt" throughout BIND with "qp" so that
qpdb databases will be used by default instead of rbtdb.
rbtdb databases can still be used by specifying "database rbt;"
in a zone statement.
2024-03-06 09:57:24 +01:00
Michał Kępień 8610799317 Merge tag 'v9.19.21'
BIND 9.19.21
2024-02-14 13:24:56 +01:00
Mark Andrews 2f87c429a2 cleanup isc_symtab_define with isc_symexists_replace 2024-02-07 13:52:10 +11:00
Mark Andrews 1fb61494a8 Add RUNTIME_CHECK 2024-02-07 13:40:03 +11:00
Mark Andrews 95de7f829c Ensure keyname buffer is big enough
Use a temporary string rather than a fixed buffer to construct
the keyname.
2024-02-07 13:39:51 +11:00
Mark Andrews 7cced1732d cleanup isc_symtab_undefine callers
isc_symtab_undefine now only return ISC_R_SUCCESS and ISC_R_EXISTS.
Cleanup callers looking for other values.
2024-02-07 12:56:39 +11:00
Aram Sargsyan 4cdef214d2 Require trust anchors for 'dnnsec-validation yes'
Using the 'dnssec-validation yes' option now requires an explicitly
confgiured 'trust-anchors' statement (or 'managed-keys' or
'trusted-keys', both deprecated).
2024-02-02 19:53:45 +00:00
Ondřej SurýandMichał Kępień 15096aefdf Make the dns_validator validations asynchronous and limit it
Instead of running all the cryptographic validation in a tight loop,
spread it out into multiple event loop "ticks", but moving every single
validation into own isc_async_run() asynchronous event.  Move the
cryptographic operations - both verification and DNSKEY selection - to
the offloaded threads (isc_work_enqueue), this further limits the time
we spend doing expensive operations on the event loops that should be
fast.

Limit the impact of invalid or malicious RRSets that contain crafted
records causing the dns_validator to do many validations per single
fetch by adding a cap on the maximum number of validations and maximum
number of validation failures that can happen before the resolving
fails.
2024-02-01 21:45:06 +01:00
Evan Hunt 86fdc66ed3 check range of fetch-quota-param parameters
the 'low', 'high' and 'discount' parameters to 'fetch-quota-param'
are meant to be ratios with values between zero and one, but higher
values can be assigned. this could potentially lead to an assertion
in maybe_adjust_quota().
2024-01-31 18:19:38 -08:00
Matthijs Mekking 8602beecd1 Replace keystore attach/detach with ISC_REFCOUNT_IMPL/ISC_REFCOUNT_DECL
This is now the default way to implement attaching to/detaching from
a pointer.

Also update cfg_keystore_fromconfig() to allow NULL value for the
keystore pointer. In most cases we detach it immediately after the
function call.
2024-01-25 15:37:40 +01:00
Matthijs Mekking daaa70f48b Refactor dns_keystore_directory()
Add a default key-directory parameter to the function that can
be returned if there is no keystore, or if the keystore directory
is NULL (the latter is also true for the built-in keystore).
2024-01-25 15:37:40 +01:00
Matthijs Mekking cb12b42839 Rename "uri" to "pkcs11-uri"
The name "uri" was considered to be too generic and could potentially
clash with a future URI configuration option. Renamed to "pkcs11-uri".

Note that this option name was also preferred over "pkcs11uri", the
dash is considered to be the more clearer form.
2024-01-25 15:37:40 +01:00
Matthijs Mekking f096472eb4 Create private keys with PKCS#11 object
If there is a keystore configured with a PKCS#11 URI, zones that
are using a dnssec-policy that uses such a keystore should create keys
via the PKCS#11 interface. Those keys are generally stored inside an
HSM.

Some changes to the code are required, to store the engine reference
into the keystore.
2024-01-25 14:41:25 +01:00
Matthijs Mekking ffc41d1b14 Store key store reference instead of name
When creating the kasp structure, instead of storing the name of the
key store on keys, store a reference to the key store object instead.

This requires to build the keystore list prior to creating the kasp
structures, in the dnssec tools, the check code and the server code.

We will create a builtin keystore called "key-directory" which means
use the zone's key-directory as the key store.

The check code changes, because now the keystore is looked up before
creating the kasp structure (and if the keystore is not found, this
is an error). Instead of looking up the keystore after all
'dnssec-policy' clauses have been read.
2024-01-25 14:41:25 +01:00
Matthijs Mekking 792670c991 Check if key-store directory is not reused
Similar to key-directory, check for zones in different views and
different key and signing policies. Zones must be using different key
directories to store key files on disk.

Now that a key directory can be linked with a dnssec-policy key, the
'keydirexist' checking needs to be reshuffled.

Add tests for bad configuration examples, named-checkconf should catch
those. Also add test cases for a mix of key-directory and key-store
directory.
2024-01-25 14:41:24 +01:00
Matthijs Mekking 22d1fde1a5 Check if key-store directory exists
Similar to key-directory, check if the key-store directory exists and
if it is an actual directory.

This commit fixes an accidental test bug in checkconf where if
the "warn key-dir" test failed, the result was ignored.
2024-01-25 14:38:12 +01:00
Matthijs Mekking 594d4a81f1 Check if key-store exists
Add checkconf check to ensure that the used key-store in the keys
section exists. Error if that is not the case. We also don't allow
the special keyword 'key-directory' as that is internally used to
signal that the zone's key-directory should be used.
2024-01-25 14:38:12 +01:00
Matthijs Mekking f837bb2af8 Parse key-store config
Add the code that actually stores the key-store configuration into
structures, also store the reference into the kasp key.
2024-01-25 14:38:11 +01:00
Matthijs Mekking 3a86c07422 Add code for creating keystore from config
Add code for configuring keystore objects. Add this to the "kaspconf"
code, as it is related to 'dnssec-policy' and it is too small to create
a separate file for it.
2024-01-25 14:38:11 +01:00
Matthijs Mekking a035f3b10e Add configuration for key-store
Add new configuration for setting key stores. The new 'key-store'
statement allows users to configure key store backends. These can be
of type 'file' (that works the same as 'key-directory') or of type
'pkcs11'. In the latter case, keys should be stored in a HSM that is
accessible through a PKCS#11 interface.

Keys configured within 'dnssec-policy' can now also use the 'key-store'
option to set a specific key store.

Update the checkconf test to accomodate for the new configuration.
2024-01-25 14:38:11 +01:00
Artem Boldariev 3818c58bf6 Add TLS cipher suites configuration option to BIND
This commit extends the 'tls' statement with 'cipher-suites' option.
2024-01-12 13:27:59 +02:00
Michał Kępień b1baf7af3a "trust-anchor-telemetry" is no longer experimental
Remove the CFG_CLAUSEFLAG_EXPERIMENTAL flag from the
"trust-anchor-telemetry" statement as the behavior of the latter has not
been changed since its initial implementation and there are currently no
plans to do so.  This silences a relevant log message that was emitted
even when the feature was explicitly disabled.
2023-12-18 15:11:39 +01:00
Tom Krizek 059a63793a Remove obsolete check for resolver-nonbackoff-tries
With the resolver-nonbackoff-tries statement being removed in #4405,
this check can no longer be reached and can be safely removed.
2023-12-07 13:10:58 +01:00
Evan Hunt 66496d550b remove resolver-retry-interval and resolver-nonbackoff-tries
fully remove these options and mark them as ancient.
2023-12-06 11:54:59 -08:00
Evan Hunt 4aaa4f7dca deprecate resolver-retry-interval and resolver-nonbackoff-tries
these options control default timing of retries in the resolver
for experimental purposes; they are not known to useful in production
environments.  they will be removed in the future; for now, we
only log a warning if they are used.
2023-12-06 11:51:22 -08:00