Commit Graph

4186 Commits

Author SHA1 Message Date
Aram Sargsyan
3fc322f07c Print the full path of the working directory in startup log messages
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.

(cherry picked from commit fd8e1d161f)
2024-08-21 08:23:48 +00:00
Ondřej Surý
1a657766c3 Use seteuid()/setegid() instead of setreseuid()/setresgid()
It looks like that all supported systems now have support for
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
those will not change saved used/group IDs.

(cherry picked from commit ab517fc6e4)
2024-08-20 17:36:27 +00:00
Ondřej Surý
6d59dcf167 Fix the resesuid() shim implementation for NetBSD
The shim implementation of setresuid() was wrong - there was a copy and
paste error and it was calling setresgid() instead.  This only affects
NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
setresgid() implementation available from the system library.

(cherry picked from commit 5567407a82)
2024-08-20 10:24:32 +00:00
Ondřej Surý
2f1205443e Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config.  This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this.  Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.

(cherry picked from commit 86f1ec34dc)
2024-08-15 12:10:02 +00:00
Evan Hunt
053e01b9f0 implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb)
2024-08-07 21:12:34 +00:00
Evan Hunt
5e1e33da6f reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 21:12:34 +00:00
Ondřej Surý
36265057f9 Don't open route socket if we don't need it
When automatic-interface-scan is disabled, the route socket was still
being opened.  Add new API to connect / disconnect from the route socket
only as needed.

Additionally, move the block that disables periodic interface rescans to
a place where it actually have access to the configuration values.
Previously, the values were being checked before the configuration was
loaded.

(cherry picked from commit b26079fdaf)
2024-08-05 10:17:08 +00:00
Aram Sargsyan
aa6e388591 Rename dns_zone_forcereload() to dns_zone_forcexfr()
The new name describes the function more accurately.

(cherry picked from commit 63b8a75de9)
2024-08-01 17:04:27 +00:00
Aram Sargsyan
2886a08c1f Implement rndc retransfer -force
With this new optional argument if there is an ongoing zone
transfer it will be aborted before a new zone transfer is scheduled.

(cherry picked from commit 402ca316ae)
2024-08-01 17:04:27 +00:00
Aram Sargsyan
54ddd848fe Avoid running get_matching_view() asynchronously on an error path
Also create a new ns_client_async_reset() static function to decrease
code duplication.
2024-06-10 17:35:40 +02:00
Aram Sargsyan
ad489c44df Remove sig0checks-quota-maxwait-ms support
Waiting for a quota to appear complicates things and wastes
rosources on timer management. Just answer with REFUSE if
there is no quota.
2024-06-10 17:33:11 +02:00
Aram Sargsyan
f0cde05e06 Implement asynchronous view matching for SIG(0)-signed queries
View matching on an incoming query checks the query's signature,
which can be a CPU-heavy task for a SIG(0)-signed message. Implement
an asynchronous mode of the view matching function which uses the
offloaded signature checking facilities, and use it for the incoming
queries.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
7f013ad05d Remove dns_message_rechecksig()
This is a tiny helper function which is used only once and can be
replaced with two function calls instead. Removing this makes
supporting asynchronous signature checking less complicated.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
c7f79a0353 Add a quota for SIG(0) signature checks
In order to protect from a malicious DNS client that sends many
queries with a SIG(0)-signed message, add a quota of simultaneously
running SIG(0) checks.

This protection can only help when named is using more than one worker
threads. For example, if named is running with the '-n 4' option, and
'sig0checks-quota 2;' is used, then named will make sure to not use
more than 2 workers for the SIG(0) signature checks in parallel, thus
leaving the other workers to serve the remaining clients which do not
use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are
offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain
clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum
amount of time for named to wait for a quota to appear. If during that
time no new quota becomes available, named will answer to the client
with DNS_R_REFUSED.
2024-06-10 17:33:08 +02:00
Ondřej Surý
52b3d86ef0 Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k).  As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).

Add a configurable limit to cap the number of the RR types for a single
owner.  This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
2024-06-10 16:55:09 +02:00
Ondřej Surý
32af7299eb Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.

Add a configurable limit to cap the number of the RRs in a single RRSet.
This is enforced at the database (rbtdb, qpzone, qpcache) level and
configured with new max-records-per-type configuration option that can
be configured globally, per-view and per-zone.
2024-06-10 16:55:07 +02:00
Evan Hunt
c3d3d12911 change allow-transfer default to "none"
Changed the default value for 'allow-transfer' to 'none'; zone
transfers now require explicit authorization.

Updated all system tests to specify an allow-transfer ACL when needed.

Revised the ARM to specify that the default is 'none'.
2024-06-05 10:50:06 -07:00
Mark Andrews
87e3b9dbf3 Pass a memory context in to dns_cache_create 2024-05-31 15:40:32 +10:00
Aydın Mercan
df862f9fef Expand list in chaos authors response
The list isn't exactly maintained but it helped with some BIND history
tracking and is basically harmless so it might be worth holding onto it.
I have adapted the name to ASCII so IDN support won't be necessary.
2024-05-13 11:24:29 +03:00
Aydın Mercan
e037520b92 Keep track of the recursive clients highwater
The high-water allows administrators to better tune the recursive
clients limit without having to to poll the statistics channel in high
rates to get this number.
2024-05-10 12:08:52 +03:00
Mark Andrews
88c48dde5e Stop processing catalog zone changes when shutting down
Abandon catz_addmodzone_cb  and catz_delzone_cb processing if the
loop is shutting down.
2024-05-09 08:17:44 +10:00
Mark Andrews
941ad2b3c5 catz should use weak attachment to the view 2024-05-09 08:17:44 +10:00
Ondřej Surý
6c54337f52 avoid a race in the qpzone getsigningtime() implementation
the previous commit introduced a possible race in getsigningtime()
where the rdataset header could change between being found on the
heap and being bound.

getsigningtime() now looks at the first element of the heap, gathers the
locknum, locks the respective lock, and retrieves the header from the
heap again.  If the locknum has changed, it will rinse and repeat.
Theoretically, this could spin forever, but practically, it almost never
will as the heap changes on the zone are very rare.

we simplify matters further by changing the dns_db_getsigningtime()
API call. instead of passing back a bound rdataset, we pass back the
information the caller actually needed: the resigning time, owner name
and type of the rdataset that was first on the heap.
2024-04-25 15:48:43 -07:00
Ondřej Surý
9305ebdabe Add CHANGES and release note for [GL #1879] 2024-04-24 22:49:26 +02:00
Ondřej Surý
d69cd51f91 Properly document that named -U <n> is no-op now
We don't create <n> UDP dispatches anymore and -U <n> option to named is
a no-op for a while.  Properly document that in the named man page.
2024-04-24 22:49:14 +02:00
Michal Nowak
f454fa6dea Update sources to Clang 18 formatting 2024-04-23 13:11:52 +02:00
Matthijs Mekking
2a4daaedca Add signatures-jitter option
Add an option to speficy signatures jitter.
2024-04-18 09:50:10 +02:00
Evan Hunt
c47fa689d4 use a thread-local variable to get the current running loop
if we had a method to get the running loop, similar to how
isc_tid() gets the current thread ID, we can simplify loop
and loopmgr initialization.

remove most uses of isc_loop_current() in favor of isc_loop().
in some places where that was the only reason to pass loopmgr,
remove loopmgr from the function parameters.
2024-04-02 10:35:56 +02:00
Mark Andrews
49561277de Add RESOLVER.ARPA to the built in empty zones
RFC 9462 adds RESOLVER.ARPA to the list of built in empty zones.
2024-03-21 07:45:55 +11:00
Evan Hunt
92b305be4b add a compile-time option to select default zone and cache DB
by default, QPDB is the database used by named and all tools and
unit tests. the old default of RBTDB can now be restored by using
"configure --with-zonedb=rbt --with-cachedb=rbt".

some tests have been fixed so they will work correctly with either
database.

CHANGES and release notes have been updated to reflect this change.
2024-03-06 10:49:02 +01:00
Evan Hunt
bb4464181a switch database defaults from "rbt" to "qp"
replace the string "rbt" throughout BIND with "qp" so that
qpdb databases will be used by default instead of rbtdb.
rbtdb databases can still be used by specifying "database rbt;"
in a zone statement.
2024-03-06 09:57:24 +01:00
Aram Sargsyan
bd7463914f Disallow stale-answer-client-timeout non-zero values
Remove all the code and tests which support non-zero
stale-answer-client-timeout values, and adjust the
documentation.
2024-02-16 08:41:52 +00:00
Michał Kępień
8610799317 Merge tag 'v9.19.21'
BIND 9.19.21
2024-02-14 13:24:56 +01:00
Ondřej Surý
5964eb4796 Refactor the normal vs error path in control_senddone()
The code flow in control_senddone() was modified to be simpler to follow
and superfluous INSIST() was zapped from control_recvmessage().
2024-02-08 17:16:41 +01:00
Ondřej Surý
0c18ed7ec6 Remove isc__tls_setfatalmode() function and the calls
With _exit() instead of exit() in place, we don't need
isc__tls_setfatalmode() mechanism as the atexit() calls will not be
executed including OpenSSL atexit hooks.
2024-02-08 08:01:58 +01:00
Ondřej Surý
76997983fd Use EXIT_SUCCESS and EXIT_FAILURE
Instead of randomly using -1 or 1 as a failure status, properly utilize
the EXIT_FAILURE define that's platform specific (as it should be).
2024-02-08 08:01:58 +01:00
Ondřej Surý
4bec711fe3 Use _exit() in the fatal() function
Since the fatal() isn't a correct but rather abrupt termination of the
program, we want to skip the various atexit() calls because not all
memory might be freed during fatal() call, etc.  Using _exit() instead
of exit() has this effect - the program will end, but no destructors or
atexit routines will be called.
2024-02-08 08:01:58 +01:00
Aram Sargsyan
2ec041b719 Expose the 'first refresh' zone flag in rndc status
Expose the newly added 'first refresh' flag in the information
provided by the 'rndc staus' command, by showing the number of
zones, which are not yet fully ready, and their first refresh
is pending or is in-progress.
2024-02-05 17:41:14 +00:00
Aram Sargsyan
0a1f05987f Expose 'first refresh' zone flag in stats channel
Add a new zone flag to indicate that a secondary type zone is
not yet fully ready, and a first time refresh is pending or is
in progress.

Expose this new flag in the statistics channel's "Incoming Zone
Transfers" section.
2024-02-05 17:41:14 +00:00
Ondřej Surý
15096aefdf Make the dns_validator validations asynchronous and limit it
Instead of running all the cryptographic validation in a tight loop,
spread it out into multiple event loop "ticks", but moving every single
validation into own isc_async_run() asynchronous event.  Move the
cryptographic operations - both verification and DNSKEY selection - to
the offloaded threads (isc_work_enqueue), this further limits the time
we spend doing expensive operations on the event loops that should be
fast.

Limit the impact of invalid or malicious RRSets that contain crafted
records causing the dns_validator to do many validations per single
fetch by adding a cap on the maximum number of validations and maximum
number of validation failures that can happen before the resolving
fails.
2024-02-01 21:45:06 +01:00
Matthijs Mekking
8602beecd1 Replace keystore attach/detach with ISC_REFCOUNT_IMPL/ISC_REFCOUNT_DECL
This is now the default way to implement attaching to/detaching from
a pointer.

Also update cfg_keystore_fromconfig() to allow NULL value for the
keystore pointer. In most cases we detach it immediately after the
function call.
2024-01-25 15:37:40 +01:00
Matthijs Mekking
18b566ccea Refactor findzonekeys
Move dns_dnssec_findzonekeys from the dnssec.{c,h} source code to
zone.{c,h} (the header file already commented that this should be done
inside dns_zone_t).

Alter the function in such a way, that keys are searched for in the
key stores if a 'dnssec-policy' (kasp) is attached to the zone,
otherwise keep using the zone's key-directory.
2024-01-25 14:48:07 +01:00
Matthijs Mekking
80387532cd Use dst_key's directory when writing key files
When writing key files to disk, use the internally stored directory.

Add an access function 'dst_key_directory()'.

Most calls to keymgr functions no longer need to provide the
key-directory value. Only 'dns_keymgr_run' still needs access to
the zone's key-directory in case the key-store is set to the built-in
key-directory.
2024-01-25 14:47:43 +01:00
Matthijs Mekking
9081426313 Refactor findmatchingkeys and keylistfromrdataset
Refactor dns_dnssec_findmatchingkeys and dns_dnssec_keylistfromrdataset
to take into account the key store directories in case the zone is using
dnssec-policy (kasp). Add 'kasp' and 'keystores' parameters.

This requires the keystorelist to be stored inside the zone structure.

The calls to these functions in the DNSSEC tools can use NULL as the
kasp value, as dnssec-signzone does not (yet) support dnssec-policy,
and key collision is checked inside the directory where it is created.
2024-01-25 14:41:25 +01:00
Matthijs Mekking
d795710541 Add object parameter to dst_key_generate()
Add a parameter to store a possible PKCS#11 object that can later be used to
identify a key with a PKCS#11 URI string (RFC 7512).
2024-01-25 14:41:25 +01:00
Matthijs Mekking
ffc41d1b14 Store key store reference instead of name
When creating the kasp structure, instead of storing the name of the
key store on keys, store a reference to the key store object instead.

This requires to build the keystore list prior to creating the kasp
structures, in the dnssec tools, the check code and the server code.

We will create a builtin keystore called "key-directory" which means
use the zone's key-directory as the key store.

The check code changes, because now the keystore is looked up before
creating the kasp structure (and if the keystore is not found, this
is an error). Instead of looking up the keystore after all
'dnssec-policy' clauses have been read.
2024-01-25 14:41:25 +01:00
Matthijs Mekking
f837bb2af8 Parse key-store config
Add the code that actually stores the key-store configuration into
structures, also store the reference into the kasp key.
2024-01-25 14:38:11 +01:00
Aydın Mercan
2690dc48d3 Expose the TCP client count in statistics channel
The statistics channel does not expose the current number of TCP clients
connected, only the highwater. Therefore, users did not have an easy
means to collect statistics about TCP clients served over time. This
information could only be measured as a seperate mechanism via rndc by
looking at the TCP quota filled.

In order to expose the exact current count of connected TCP clients
(tracked by the "tcp-clients" quota) as a statistics counter, an
extra, dedicated Network Manager callback would need to be
implemented for that purpose (a counterpart of ns__client_tcpconn()
that would be run when a TCP connection is torn down), which is
inefficient. Instead, track the number of currently-connected TCP
clients separately for IPv4 and IPv6, as Network Manager statistics.
2024-01-17 11:11:12 +03:00
Artem Boldariev
eb924e460b Integrate TLS cipher suites support into BIND
This commit makes BIND use the new 'cipher-suites' option from the
'tls' statement.
2024-01-12 13:27:59 +02:00
Mark Andrews
d5103b742b Defer control channel message invalidation
The conn_shutdown() function is called whenever a control channel
connection is supposed to be closed, e.g. after a response to the client
is sent or when named is being shut down.  That function calls
isccc_ccmsg_invalidate(), which resets the magic number in the structure
holding the messages exchanged over a given control channel connection
(isccc_ccmsg_t).  The expectation here is that all operations related to
the given control channel connection will have been completed by the
time the connection needs to be shut down.

However, if named shutdown is initiated while a control channel message
is still in flight, some netmgr callbacks might still be pending when
conn_shutdown() is called and isccc_ccmsg_t invalidated.  This causes
the REQUIRE assertion checking the magic number in ccmsg_senddone() to
fail when the latter function is eventually called, resulting in a
crash.

Fix by splitting up isccc_ccmsg_invalidate() into two separate
functions:

  - isccc_ccmsg_disconnect(), which initiates TCP connection shutdown,
  - isccc_ccmsg_invalidate(), which cleans up magic number and buffer,

and then:

  - replacing all existing uses of isccc_ccmsg_invalidate() with calls
    to isccc_ccmsg_disconnect(),

  - only calling isccc_ccmsg_invalidate() when all netmgr callbacks are
    guaranteed to have been run.

Adjust function comments accordingly.
2024-01-10 15:48:25 +01:00