Commit Graph

27497 Commits

Author SHA1 Message Date
Ondřej Surý
0dced2fa6a Make lib/dns/gen.c compatible with reproducible builds.
The gen.c will now use SOURCE_DATE_EPOCH[1] if found in environment
to make the build more reproducible build friendly.

1. https://reproducible-builds.org/specs/source-date-epoch/

(cherry picked from commit c8cb612d39)
2019-05-09 16:05:38 +07:00
Mark Andrews
aca6ebadc4 Merge branch '960-add-edns-client-tag-and-edns-server-tag-v9_11' into 'v9_11'
Resolve "Add EDNS Client Tag and EDNS Server Tag"

See merge request isc-projects/bind9!1911
2019-05-09 04:39:06 -04:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
ac9286b732 Merge branch '868-fix-trusted-keys-handling-with-dnssec-validation-auto-v9_14-v9_11' into 'v9_11'
fix incorrect behavior mixing trusted-keys with validation auto

See merge request isc-projects/bind9!1909
2019-05-09 02:13:16 -04:00
Evan Hunt
febbd90850 CHANGES, release notes 2019-05-08 23:02:42 -07:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
3c45f0dd0b Merge branch '852-bind-returning-malformed-packet-error-when-sshfp-record-has-fingerprint-value-less-than-4-characters-v9_11' into 'v9_11'
Resolve "Bind returning malformed packet error when sshfp record has fingerprint value less than 4 characters"

See merge request isc-projects/bind9!1906
2019-05-08 19:18:22 -04:00
Mark Andrews
702cc2dde3 enforce known SSHFP finger print lengths
(cherry picked from commit 1722728c80)
2019-05-09 08:49:19 +10:00
Mark Andrews
8cb78ee508 Merge branch '991-provide-ixfr-should-only-be-tests-on-tcp-clients-v9_11' into 'v9_11'
Resolve "provide-ixfr should only be tested on TCP clients."

See merge request isc-projects/bind9!1901
2019-05-07 00:46:17 -04:00
Mark Andrews
1cc0bf2cee add CHANGES
(cherry picked from commit ba1d7f3a07)
2019-05-07 14:34:00 +10:00
Mark Andrews
d72f659a35 add test for 'provide-ixfr no;' ; add forensics support
(cherry picked from commit d547465af5)
2019-05-07 14:34:00 +10:00
Mark Andrews
8b8f0dc160 only test provideixfr if the transport is TCP
(cherry picked from commit 18c49853e3)
2019-05-07 14:06:25 +10:00
Evan Hunt
510f8d9ff7 Merge branch 'each-win32-parallel-tests-v9_11' into 'v9_11'
enable parallel system tests on windows

See merge request isc-projects/bind9!1895
2019-05-06 22:04:51 -04:00
Evan Hunt
52347fa883 CHANGES
(cherry picked from commit d3cd0729c9)
2019-05-06 18:38:34 -07:00
Evan Hunt
50dfe1aa2b enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.

(cherry picked from commit bbae24c140)
2019-05-06 18:38:34 -07:00
Evan Hunt
274da3c24b Merge branch 'each-fix-rpz-test-v9_11' into 'v9_11'
RPZ test had spurious references to DNSRPS, which isn't in 9.11

See merge request isc-projects/bind9!1898
2019-05-06 21:17:38 -04:00
Evan Hunt
111c692efd RPZ test had spurious references to DNSRPS, which isn't in 9.11 2019-05-06 18:05:49 -07:00
Mark Andrews
90a6482985 Merge branch '983-delv-www-isc-org-any-rtrace-multiline-leaks-memory-v9_11' into 'v9_11'
Resolve "'delv www.isc.org ANY +rtrace +multiline' leaks memory"

See merge request isc-projects/bind9!1897
2019-05-06 20:52:47 -04:00
Mark Andrews
eef0430b75 add CHANGES note
(cherry picked from commit ce5520b695)
2019-05-07 10:35:03 +10:00
Mark Andrews
c26a421aab check that delv -t any works
(cherry picked from commit 6999bee7ef)
2019-05-07 10:34:30 +10:00
Mark Andrews
595544329a fix whitespace
(cherry picked from commit 32ba5a0494)
2019-05-07 10:28:48 +10:00
Mark Andrews
333116ac5c return rdatasets when processing ANY queries in client_resfind
(cherry picked from commit 127333c71f)
2019-05-07 10:28:47 +10:00
Mark Andrews
405738b62f Merge branch '1000-arm-doc-rpz-nodata-policy-says-ancount-1-v9_11' into 'v9_11'
Resolve "ARM doc RPZ NODATA policy says ANCOUNT=1"

See merge request isc-projects/bind9!1891
2019-05-06 04:06:56 -04:00
Mark Andrews
401f9c4a3d A NODATA response has ANCOUNT of 0 assuming no CNAME/DNAMES
(cherry picked from commit 4889e06c3a)
2019-05-06 17:54:18 +10:00
Michał Kępień
16bb74b1bc Merge branch 'michal/simplify-trailing-period-handling-in-system-tests-v9_11' into 'v9_11'
[v9_11] Simplify trailing period handling in system tests

See merge request isc-projects/bind9!1878
2019-04-26 15:12:12 -04:00
Michał Kępień
72c7bc03c9 Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do.  When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems.  This environment variable is then used by system test scripts
for handling this discrepancy properly.

In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:

    dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"

In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.

To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.

(cherry picked from commit da2c1b74ad)
2019-04-26 20:50:55 +02:00
Ondřej Surý
343fa39055 Merge branch 'prep-release-v9_11' into 'v9_11'
Prep release v9 11

See merge request isc-projects/bind9!1865
2019-04-25 10:09:51 -04:00
Tinderbox User
a648e07bed doc rebuild
(cherry picked from commit 40b034f5b8)
2019-04-25 15:56:01 +02:00
Tinderbox User
7c6b5f2eaa prep 9.11.6-P1
(cherry picked from commit 6195f229b6)
2019-04-25 15:55:59 +02:00
Ondřej Surý
aaee75288a Merge branch '999-tcp-client-crash-v9_11-locks' into 'v9_11'
Replace atomic operations in bin/named/client.c with isc_refcount reference counting

See merge request isc-projects/bind9!1864
2019-04-25 09:54:09 -04:00
Ondřej Surý
ef49780d30 Replace atomic operations in bin/named/client.c with isc_refcount reference counting 2019-04-25 15:40:06 +02:00
Ondřej Surý
581ae79528 Merge branch '615-tcp-client-crash-v9_11-v9_11_6_patch-v9_11' into 'v9_11'
Resolve "tcp-clients mostly ineffective"

See merge request isc-projects/bind9!1863
2019-04-25 09:38:41 -04:00
Evan Hunt
b96a3a0c79 CHANGES, release note
(cherry picked from commit 5e18ad05f4)
2019-04-25 15:05:12 +02:00
Evan Hunt
59434b987e restore allowance for tcp-clients < interfaces
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.

we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.

(cherry picked from commit 0b4e2cd4c3192ba88569dd344f542a8cc43742b5)
(cherry picked from commit d01023aaac)
2019-04-25 15:04:26 +02:00
Evan Hunt
c47ccf630f refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
  for new connections on the interface, we can now force attachment to the
  quota using isc_quota_force(), instead of carrying on with the quota not
  attached.
- the TCP client quota is now referenced via a reference-counted
  'ns_tcpconn' object, one of which is created whenever a client begins
  listening for new connections, and attached to by members of that
  client's pipeline group. when the last reference to the tcpconn
  object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function.
- convert counters to atomic.

(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
(cherry picked from commit 13f7c918b8)
2019-04-25 15:04:26 +02:00
Evan Hunt
2ab8a085b3 better tcpquota accounting and client mortality checks
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
  carry this value on to new clients sharing the same pipeline group.
  don't call isc_quota_detach() on the tcpquota unless tcpattached is
  set.  this way clients that were allowed to accept TCP connections
  despite being over quota (and therefore, were never attached to the
  quota) will not inadvertently detach from it and mess up the
  accounting.
- simplify the code for tcpquota disconnection by using a new function
  tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
  exhaustion, check to see whether there are at least two active
  clients. previously, this was "at least one", but that could be
  insufficient if there was one other client in READING state (waiting
  for messages on an open connection) but none in READY (listening
  for new connections).
- before deciding whether a TCP client object can to go inactive, we
  must ensure there are enough other clients to maintain service
  afterward -- both accepting new connections and reading/processing new
  queries.  A TCP client can't shut down unless at least one
  client is accepting new connections and (in the case of pipelined
  clients) at least one additional client is waiting to read.

(cherry picked from commit c7394738b2445c16f728a88394864dd61baad900)
(cherry picked from commit e965d5f11d3d0f6d59704e614fceca2093cb1856)
(cherry picked from commit 87d4311614)
2019-04-25 15:04:26 +02:00
Michał Kępień
366b4e1ede use reference counter for pipeline groups (v3)
Track pipeline groups using a shared reference counter
instead of a linked list.

(cherry picked from commit 513afd33eb17d5dc41a3f0d2d38204ef8c5f6f91)
(cherry picked from commit 9446629b73)
2019-04-25 15:04:25 +02:00
Witold Kręcicki
719f604e3f tcp-clients could still be exceeded (v2)
the TCP client quota could still be ineffective under some
circumstances.  this change:

- improves quota accounting to ensure that TCP clients are
  properly limited, while still guaranteeing that at least one client
  is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
  was no longer needed
- adds comments

(cherry picked from commit 924651f1d5e605cd186d03f4f7340bcc54d77cc2)
(cherry picked from commit 55a7a458e3)
2019-04-25 15:04:25 +02:00
Witold Kręcicki
ec2d50da8d fix enforcement of tcp-clients (v1)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.

If TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.

(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
(cherry picked from commit 9689ffc485)
2019-04-25 15:04:25 +02:00
Matthijs Mekking
f7f3b0cd8c Merge branch 'matthijs-fix-dnssec-test-intermittent-failure-kskonly-v9_11' into 'v9_11'
Fix dnssec test intermittent failure related to kskonly bugfix

See merge request isc-projects/bind9!1858
2019-04-24 03:54:42 -04:00
Matthijs Mekking
3c9a7ffac8 Wait for correct log message in dnssec/tests.sh
In 9.11 there are some log messages not existing, but the tests
rely on.  Adjust the grep call that gives confidence the rollover
step has occurred.
2019-04-24 09:41:22 +02:00
Matthijs Mekking
9c77cd8306 Harden grep key ID calls
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.

(cherry picked from commit 83473b9758)
2019-04-24 09:41:22 +02:00
Matthijs Mekking
d8de28610d Remove sleeps
Remove sleep calls from test, rely on wait_for_log().  Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.

Slightly adjust the echo_i() lines to print only the key ID (not the
key name).

(cherry picked from commit 67f0635f3c)
2019-04-24 09:41:22 +02:00
Mark Andrews
216752e3b2 Merge branch '995-dlz_open_driver-fix-build-failure-without-dlfcn-h-v9_11' into 'v9_11'
Resolve "dlz_open_driver: fix build failure without dlfcn.h"

See merge request isc-projects/bind9!1855
2019-04-23 21:02:25 -04:00
Mark Andrews
29525f639f add CHANGES
(cherry picked from commit 19e4098139)
2019-04-24 09:31:51 +10:00
Mark Andrews
4ab8411c4c conditionally include <dlfcn.h>
(cherry picked from commit eee8084734)
2019-04-24 09:31:20 +10:00
Michał Kępień
22e81bdc82 Merge branch 'michal/minor-nsupdate-system-test-tweaks-v9_11' into 'v9_11'
[v9_11] Minor "nsupdate" system test tweaks

See merge request isc-projects/bind9!1849
2019-04-23 09:20:07 -04:00
Michał Kępień
4e2cc911d2 Wait more than 1 second for NSEC3 chain changes
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete.  Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.

(cherry picked from commit f8746cddbc)
2019-04-23 14:59:30 +02:00
Michał Kępień
5d8147fa70 Remove redundant sleeps
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.

(cherry picked from commit 1c8e5ea333)
2019-04-23 14:59:29 +02:00
Mark Andrews
fc9b7cea99 Merge branch '962-bind-just-disables-gssapi-support-if-no-gssapi-krb5-headers-found-v9_11' into 'v9_11'
Resolve "Bind just disables GSSAPI support if no GSSAPI/KRB5 headers found"

See merge request isc-projects/bind9!1843
2019-04-22 23:15:15 -04:00