Commit Graph

8335 Commits

Author SHA1 Message Date
Evan Hunt
12c60e9a26 set loadtime during initial transfer of a secondary zone
when transferring in a non-inline-signing secondary for the first time,
we previously never set the value of zone->loadtime, so it remained
zero. this caused a test failure in the statschannel system test,
and that test case was temporarily disabled.  the value is now set
correctly and the test case has been reinstated.

(cherry picked from commit 9643281453)
2023-11-20 09:56:50 -08:00
Ondřej Surý
35630c9210 Reformat sources with up-to-date clang-format-17 2023-11-13 17:15:55 +01:00
Mark Andrews
066de399bd Suppress reporting upcoming changes in root hints
To reduce the amount of log spam when root servers change their
addresses keep a table of upcoming changes by expected date and time
and suppress reporting differences for them until then.

Add initial entry for B.ROOT-SERVERS.NET, Nov 27, 2023.

(cherry picked from commit b69100b747)
2023-11-03 03:44:43 +11:00
Mark Andrews
8924adca61 Update b.root-servers.net IP addresses
This covers both root hints and the default primaries for the root
zone mirror.  The official change date is Nov 27, 2023.

(cherry picked from commit 2ca2f7e985)
2023-11-03 03:44:43 +11:00
Mark Andrews
5f8ac682c9 Only declare 'engine' if it is used
Move the declaration of 'engine' within the appropriate #if/#endif
block.  Remove the UNUSED(engine) from the #else block.

(cherry picked from commit 8b11061b91)
2023-10-28 09:01:51 +11:00
Michal Nowak
531c96b8ed Update the source code formatting using clang-format-17 2023-10-17 17:56:31 +02:00
Ondřej Surý
b354e10793 Explicitly cast chars to unsigned chars for <ctype.h> functions
Apply the semantic patch to catch all the places where we pass 'char' to
the <ctype.h> family of functions (isalpha() and friends, toupper(),
tolower()).

(cherry picked from commit 29caa6d1f0)
2023-09-22 17:10:25 +02:00
Mark Andrews
426b575680 Correctly set the value of covered in dns_ncache_current
Fix the type and rdclass being passed to dns_rdata_tostruct so
that rrsig.covered is correctly set.

(cherry picked from commit 779980710c)
2023-09-18 16:40:54 +10:00
Ondřej Surý
c7d64009c2 Add test for dns_rbtdb overmem purging
Add a unit test to check if the overmem purging in the RBTDB is
effective when mixed size RR data is inserted into the database.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Jinmei Tatuya <jtatuya@infoblox.com>

(manually picked from 269c03831f)
2023-07-26 15:20:53 +02:00
Michał Kępień
d3b0df51cf Revert GL !8123
This reverts commit 302d0d36f7
(7e9e96ba01 and
bd912b7bed), reversing changes made to
fc6992b3fb.
2023-07-24 11:02:37 +02:00
Mark Andrews
7e9e96ba01 Mark a primary as unreachable on timed out in xfin
When a primary server is not responding, mark it as temporarialy
unreachable.  This will prevent too many zones queuing up on a
unreachable server and allow the refresh process to move onto
the next primary sooner once it has been so marked.
2023-07-22 09:06:42 +10:00
Ondřej Surý
f1d9e9ee38 Improve RBT overmem cache cleaning
When cache memory usage is over the configured cache size (overmem) and
we are cleaning unused entries, it might not be enough to clean just two
entries if the entries to be expired are smaller than the newly added
rdata.  This could be abused by an attacker to cause a remote Denial of
Service by possibly running out of the operating system memory.

Currently, the addrdataset() tries to do a single TTL-based cleaning
considering the serve-stale TTL and then optionally moves to overmem
cleaning if we are in that condition.  Then the overmem_purge() tries to
do another single TTL based cleaning from the TTL heap and then continue
with LRU-based cleaning up to 2 entries cleaned.

Squash the TTL-cleaning mechanism into single call from addrdataset(),
but ignore the serve-stale TTL if we are currently overmem.

Then instead of having a fixed number of entries to clean, pass the size
of newly added rdatasetheader to the overmem_purge() function and
cleanup at least the size of the newly added data.  This prevents the
cache going over the configured memory limit (`max-cache-size`).

Additionally, refactor the overmem_purge() function to reduce for-loop
nesting for readability.
2023-06-06 14:23:16 +02:00
Aram Sargsyan
537c2d2c68 Check whether zone->db is a valid pointer before attaching
The zone_resigninc() function does not check the validity of
'zone->db', which can crash named if the zone was unloaded earlier,
for example with "rndc delete".

Check that 'zone->db' is not 'NULL' before attaching to it, like
it is done in zone_sign() and zone_nsec3chain() functions, which
can similarly be called by zone maintenance.

(cherry picked from commit fae0930eb8)
2023-05-15 12:05:11 +00:00
Mark Andrews
300a2fb4ba Check the pointer alignments when deserialising
deserialize_corrupt_test may corrupt the pointers such that they
is no longer properly aligned.  Check that the alignment is consistent
with memory returned from isc_mem before checking the magic value.
2023-05-05 07:04:31 +00:00
Mark Andrews
3d8a223256 Cleanup orphaned empty-non-terminal NSEC3
When OPTOUT was in use we didn't ensure that NSEC3 records
for orphaned empty-non-terminals where removed.  Check if
there are orphaned empty-non-terminal NSEC3 even if there
wasn't an NSEC3 RRset to be removed in dns_nsec3_delnsec3.

(cherry picked from commit 27160c137f)
2023-04-25 06:46:17 +01:00
Petr Špaček
dc6a888ea3 Export dns_view_istrusted() on Windows 2023-04-03 18:18:43 +02:00
Mark Andrews
489cba33bb dns_view_untrust modifies dnskey->flags when it shouldn't
Copy the structure and declare dnskey as const.

(cherry picked from commit 21d828241b)
2023-04-03 17:48:31 +02:00
Mark Andrews
f708172d87 Handle dns_rdata_fromstruct failure dns_keytable_deletekey
dns_rdata_fromstruct in dns_keytable_deletekey can potentially
fail with ISC_R_NOSPACE.  Handle the error condition.

(cherry picked from commit b5df9b8591)
2023-04-03 17:48:31 +02:00
Mark Andrews
3cb366b1e0 Reduce the number of verifiations required
In selfsigned_dnskey only call dns_dnssec_verify if the signature's
key id matches a revoked key, the trust is pending and the key
matches a trust anchor.  Previously named was calling dns_dnssec_verify
unconditionally resulted in busy work.

(cherry picked from commit e68fecbdaa)
2023-04-03 17:48:31 +02:00
Mark Andrews
19f8033840 Add new view method dns_view_istrusted
dns_view_istrusted determines if the given key is treated as
being trusted by the view.

(cherry picked from commit 7278fff579)
2023-04-03 17:48:31 +02:00
Matthijs Mekking
89c000f356 Fix scan-build issue: initialized value never read
Value stored to 'source' during its initialization is never read.

(cherry picked from commit 4c33277446)
2023-03-29 15:08:36 +00:00
Mark Andrews
772cdf453d When signing with a new algorithm preserve NSEC/NSEC3 chains
If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them.  If there are no chains then use
kasp setting otherwise generate an NSEC chain.

(cherry picked from commit 4b55201459)
2023-03-15 00:30:22 +11:00
Aram Sargsyan
ddb67b01b2 Check if catz is active in dns_catz_update_from_db()
A reconfiguration can deactivate the catalog zone, while the
offloaded update process was preparing to run.

(cherry picked from commit 6980e3b354)
2023-03-02 19:42:16 +00:00
Aram Sargsyan
641627838b Use catzs->lock in dns_catz_prereconfig()
There can be an update running in another thread, so use a lock,
like it's done in dns_catz_postreconfig().

(cherry picked from commit 3973724d67)
2023-03-02 19:36:26 +00:00
Aram Sargsyan
2a719e9df2 Revert "Process db callbacks in zone_loaddone() after zone_postload()"
This reverts commit 1254f37584.

The commit introduced a data race, because dns_db_endload() is called
after unfreezing the zone.

(not cherry picked from commit 593dea871a)
2023-03-02 19:19:55 +00:00
Aram Sargsyan
fff49a2ffb catz: unregister the db update-notify callback before detaching from db
When detaching from the previous version of the database, make sure
that the update-notify callback is unregistered, otherwise there is
an INSIST check which can generate an assertion failure in free_rbtdb(),
which checks that there are no outstanding update listeners in the list.

There is a similar code already in place for RPZ.

(cherry picked from commit cf79692a66)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
79ee7353ad Searching catzs->zones requires a read lock
Lock the catzs->lock mutex before searching in the catzs->zones
hash table.

(cherry picked from commit 0ef0c86632)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
1254f37584 Process db callbacks in zone_loaddone() after zone_postload()
The zone_postload() function can fail and unregister the callbacks.

Call dns_db_endload() only after calling zone_postload() to make
sure that the registered update-notify callbacks are not called
when the zone loading has failed during zone_postload().

Also, don't ignore the return value of zone_postload().

(cherry picked from commit ed268b46f1)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
466a05eaf0 Fix a cleanup bug when isc_task_create() fails in dns_catz_new_zones()
Use isc_mem_putanddetach() instead of isc_mem_put() to detach from the
memory context.

(cherry picked from commit 9050481d1f)
2023-02-27 13:55:05 +00:00
Mark Andrews
b49a3a56c9 Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.

(cherry picked from commit b41882cc75)
2023-02-21 16:58:42 +01:00
Mark Andrews
d0c92a31a9 In hmac_createctx free ctx on isc_hmac_init failure
(cherry picked from commit d22257a370)
2023-02-18 10:27:11 +11:00
Mark Andrews
4df6019c16 Report the key name that failed in retry_keyfetch
When there are multiple managed trust anchors we need to know the
name of the trust anchor that is failing.  Extend the error message
to include the trust anchor name.

(cherry picked from commit fb7b7ac495)
2023-02-14 22:09:52 +00:00
Evan Hunt
aca10608b6 delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.

(cherry picked from commit bafbbd2465)
2023-02-14 10:23:28 -08:00
Michał Kępień
f7dc0a4708 Handle iterator options in rpsdb_allrdatasets()
Commit 4f3327cd41 added a new parameter,
'options', to the prototype of the 'allrdatasets' function pointer in
struct dns_dbmethods.  Handle this new parameter accordingly in
rpsdb_allrdatasets().

(cherry picked from commit f3def4e4ed)
2023-02-01 12:07:11 +01:00
Matthijs Mekking
3ffb63e9bb Force set DS state after 'rndc dnssec -checkds'
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe)
2023-01-27 16:09:06 +01:00
Michał Kępień
7b0e57095a Merge tag 'v9_16_37' into v9_16
BIND 9.16.37
2023-01-25 21:34:55 +01:00
Mark Andrews
b548ee5815 Add missing node lock when setting node->wild in rbtdb.c
The write node lock needs to be held when setting node->wild in
add_wildcard_magic except when being called from loading_addrdataset
which is used to load the zone without locking during its initial
load.

(cherry picked from commit 81c24b8da2)
2023-01-20 00:38:43 +11:00
Ondřej Surý
e241a3f4db Don't use reference counting in isc_timer unit
The reference counting and isc_timer_attach()/isc_timer_detach()
semantic are actually misleading because it cannot be used under normal
conditions.  The usual conditions under which is timer used uses the
object where timer is used as argument to the "timer" itself.  This
means that when the caller is using `isc_timer_detach()` it needs the
timer to stop and the isc_timer_detach() does that only if this would be
the last reference.  Unfortunately, this also means that if the timer is
attached elsewhere and the timer is fired it will most likely be
use-after-free, because the object used in the timer no longer exists.

Remove the reference counting from the isc_timer unit, remove
isc_timer_attach() function and rename isc_timer_detach() to
isc_timer_destroy() to better reflect how the API needs to be used.

The only caveat is that the already executed event must be destroyed
before the isc_timer_destroy() is called because the timer is no longet
attached to .ev_destroy_arg.

(cherry picked from commit ae01ec2823)
2023-01-19 11:28:10 +01:00
Ondřej Surý
3cf7055286 Set quantum to infinity for the zone loading task
When we are loading the zones, set the quantum to UINT_MAX, which makes
task_run process all tasks at once.  After the zone loading is finished
the quantum will be dropped to 1 to not block server when we are loading
new zones after reconfiguration.

(cherry picked from commit 87c4c24cde)
2023-01-19 11:28:10 +01:00
Ondřej Surý
4b222f154b Detach the zone views outside of the zone lock
Detaching the views in the zone_shutdown() could lead to
lock-order-inversion between adb->namelocks[bucket], adb->lock,
view->lock and zone->lock.  Detach the views outside of the section that
zone-locked.

(cherry picked from commit 978a0ef84c)
2023-01-19 10:21:27 +01:00
Ondřej Surý
cb083876c1 Detach the views in zone_shutdown(), not in zone_free()
The .view (and possibly .prev_view) would be kept attached to the
removed zone until the zone is fully removed from the memory in
zone_free().  If this process is delayed because server is busy
something else like doing constant `rndc reconfig`, it could take
seconds to detach the view, possibly keeping multiple dead views in the
memory.  This could quickly lead to a massive memory bloat.

Release the views early in the zone_shutdown() call, and don't wait
until the zone is freed.

(cherry picked from commit 13bb821280)
2023-01-17 22:48:37 +01:00
Ondřej Surý
606fc6d4aa Merge branch 'feature/main/zt-rwlock.h' into 'main'
Include isc_rwlocktype_t type definition in zt.h

See merge request isc-projects/bind9!7376

(cherry picked from commit d7bcdf8bd6)

395d6fca Include isc_rwlocktype_t type definition in zt.h
2023-01-16 11:08:43 +00:00
Aram Sargsyan
6bebcedb80 Cancel all fetch events in dns_resolver_cancelfetch()
Although 'dns_fetch_t' fetch can have two associated events, one for
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
dns_resolver_cancelfetch() function is designed in a way that it
expects only one existing event, which it must cancel, and when it
happens so that 'stale-answer-client-timeout' is enabled and there
are two events, only one of them is canceled, and it results in an
assertion in dns_resolver_destroyfetch(), when it finds a dangling
event.

Change the logic of dns_resolver_cancelfetch() function so that it
cancels both the events (if they exist), and in the right order.

(cherry picked from commit ec2098ca35)
2023-01-12 13:00:03 +01:00
Aram Sargsyan
60dece8277 Increase catalog zone entries hash table's bits size
The hash table implementation in the current branch does not
support automatic resize operation, so the initial value of
the table should be chosen carefully.

Catalog zones entries hash table's size is currently only 4 bits,
which is very low for a catalog zone with thousands of entries,
and causes CPU consumption spikes when working with the hash
table to add/delete/search entries.

Use 16 bits instead, which should make working with big catalog
zones much faster at the expense of slightly higher memory usage,
i.e. 512 KiB for a 64-bit system for each catalog zone.
2023-01-11 17:26:26 +00:00
Aram Sargsyan
144135415b Use sizeof(*ptr) for allocating/freeing memory in forward.c
As shown in the previous commit, using sizeof(type_t) is a little
bit more error-prone when copy-pasting code, so extracting the
size information from the pointer which is being dealt with seems
like a better alternative.

(cherry picked from commit cf4003fa58)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
1950629ffa Fix dns_fwdtable_addfwd() error path cleanup bug
Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
to a 'dns_forwarder_t' type structure.

(cherry picked from commit 0cc1b06d98)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
272afcd999 Fix a use-after-free bug in dns_zonemgr_releasezone()
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.

This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.

Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.

(cherry picked from commit c1fc212253)
2023-01-11 12:17:27 +00:00
Mark Andrews
2a9300a3bc Don't perform arithmetic on NULL pointers
When node is NULL when calling getparent() et al. they return NULL
but performing arithmetic on the NULL pointer is undefined.  Check
if 'node' or 'header' is NULL and skip the adjustment.
2023-01-10 17:45:51 +11:00
Matthijs Mekking
2696267b1f Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 91a1a8efc5)
2023-01-09 13:57:43 +01:00
Aram Sargsyan
a634488a24 Fix logging a uint32_t SOA serial value in dns_catz_update_from_db()
The dns_catz_update_from_db() function prints serial number as a signed
number (with "%d" in the format string), but the `vers` variable's type
is 'uint32_t'. This breaks serials bigger than 2^31.

Use PRIu32 instead of "d" in the format string.

(cherry picked from commit 72b1760ea6)
2022-12-15 13:49:58 +00:00