Commit Graph

9473 Commits

Author SHA1 Message Date
Ondřej Surý
afb345b0e8 Don't skip the counting if fcount_incr() is called with force==true (v2)
The fcount_incr() was not increasing counter->count when force was set
to true, but fcount_decr() would try to decrease the counter leading to
underflow and assertion failure.  Swap the order of the arguments in the
condition, so the !force is evaluated after incrementing the .count.

(cherry picked from commit 8e86e55af1)
2024-08-13 16:08:12 +02:00
Evan Hunt
5e1e33da6f reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 21:12:34 +00:00
Evan Hunt
74d94707cd make "max_restarts" a configurable value
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.

(cherry picked from commit c5588babaf)
2024-08-07 21:12:34 +00:00
Evan Hunt
be3b660e54 reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)

(cherry picked from commit 05d78671bb)
2024-08-07 21:12:34 +00:00
Evan Hunt
d201355739 add debug logging when creating or attaching to a query counter
fctx_create() now logs at debug level 9 when the fctx attaches
to an existing counter or creates a new one.

(cherry picked from commit 825f3d68c5)
2024-08-07 21:12:34 +00:00
Evan Hunt
6c941eda7e apply max-recursion-queries quota to validator queries
previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.

(cherry picked from commit af7db89513)
2024-08-07 21:12:34 +00:00
Evan Hunt
3fd795d84d attach query counter to NS fetches
there were cases in resolver.c when queries for NS records were
started without passing a pointer to the parent fetch's query counter;
as a result, the max-recursion-queries quota for those queries started
counting from zero, instead of sharing the limit for the parent fetch,
making the quota ineffective in some cases.

(cherry picked from commit d3b7e92783)
2024-08-07 21:12:34 +00:00
Ondřej Surý
46cfebac58 Fix the glue table in the QP and RBT zone databases
When adding glue to the header, we add header to the wait-free stack to
be cleaned up later which sets wfc_node->next to non-NULL value.  When
the actual cleaning happens we would only cleanup the .glue_list, but
since the database isn't locked for the time being, the headers could be
reused while cleaning the existing glue entries, which creates a data
race between database versions.

Revert the code back to use per-database-version hashtable where keys
are the node pointers.  This allows each database version to have
independent glue cache table that doesn't affect nodes or headers that
could already "belong" to the future database version.

(cherry picked from commit 5beae5faf9)
2024-08-05 14:43:18 +00:00
Evan Hunt
b4fc8e6294 minor findnode optimization
when searching the cache for a node so that we can delete an
rdataset, it is not necessary to set the 'create' flag. if the
node doesn't exist yet, we then we won't be able to delete
anything from it anyway.

(cherry picked from commit 6b720bfe1a)
2024-08-05 14:25:17 +00:00
Evan Hunt
f840b44401 raise the log level of priming failures
when a priming query is complete, it's currently logged at
level ISC_LOG_DEBUG(1), regardless of success or failure. we
are now raising it to ISC_LOG_NOTICE in the case of failure.

(cherry picked from commit a84d54c6ff)
2024-08-05 13:06:54 +00:00
Ondřej Surý
6df4fa58fd Don't skip the counting if fcount_incr() is called with force==true
The fcount_incr() was incorrectly skipping the accounting for the
fetches-per-zone if the force argument was set to true.  We want to skip
the accounting only when the fetches-per-zone is completely disabled,
but for individual names we need to do the accounting even if we are
forcing the result to be success.

(cherry picked from commit a513d4c07f)
2024-08-05 09:40:25 +00:00
Mark Andrews
7b238ba36a Remove unnecessary operations
Decrementing optlen immediately before calling continue is unneccesary
and inconsistent with the rest of dns_message_pseudosectiontoyaml
and dns_message_pseudosectiontotext.  Coverity was also reporting
an impossible false positive overflow of optlen (CID 499061).

    4176                        } else if (optcode == DNS_OPT_CLIENT_TAG) {
    4177                                uint16_t id;
    4178                                ADD_STRING(target, "; CLIENT-TAG:");
    4179                                if (optlen == 2U) {
    4180                                        id = isc_buffer_getuint16(&optbuf);
    4181                                        snprintf(buf, sizeof(buf), " %u\n", id);
    4182                                        ADD_STRING(target, buf);

    CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
    overflow_const: Expression optlen, which is equal to 65534, underflows
    the type that receives it, an unsigned integer 16 bits wide.
    4183                                        optlen -= 2;
    4184                                        POST(optlen);
    4185                                        continue;
    4186                                }
    4187                        } else if (optcode == DNS_OPT_SERVER_TAG) {

(cherry picked from commit 47338c2c87)
2024-08-02 06:42:59 +00:00
Aram Sargsyan
003cb48f0f Allow shorter resolver-query-timeout configuration
There are use cases for which shorter timeout values make sense.
For example if there is a load balancer which sets RD=1 and
forwards queries to a BIND resolver which is then configured to
talk to backend servers which are not visible in the public NS set.
WIth a shorter timeout value the frontend can give back SERVFAIL
early when backends are not available and the ultimate client will
not penalize the BIND-frontend for non-response.

(cherry picked from commit 5f47c2b567)
2024-08-01 19:23:06 +00:00
Aram Sargsyan
aa6e388591 Rename dns_zone_forcereload() to dns_zone_forcexfr()
The new name describes the function more accurately.

(cherry picked from commit 63b8a75de9)
2024-08-01 17:04:27 +00:00
Aram Sargsyan
c76d083d4d Make dns_xfrin_shutdown() safe to run from a different loop
If the current loop is different than the zone transfer's loop then
run the shutdown operation asynchronously.

(cherry picked from commit 3d1179501a)
2024-08-01 17:04:27 +00:00
Aram Sargsyan
2886a08c1f Implement rndc retransfer -force
With this new optional argument if there is an ongoing zone
transfer it will be aborted before a new zone transfer is scheduled.

(cherry picked from commit 402ca316ae)
2024-08-01 17:04:27 +00:00
Aram Sargsyan
b6721db490 Do not automatically restart a canceled zone transfer
If a zone transfer is canceled there is no need to try the
next primary or retry with AXFR.

(cherry picked from commit b156531b29)
2024-08-01 17:04:27 +00:00
Mark Andrews
fc350f311a Add missing period to generated IPv4 6to4 name
The period between the most significant nibble of the IPv4 address
and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the wrong
name being checked.

(cherry picked from commit bca63437a1)
2024-08-01 06:41:47 +00:00
Mark Andrews
eea196fc78 Cleanup old clang-format string splitting
(cherry picked from commit 6d1c7beb15)
2024-08-01 05:24:00 +00:00
Mark Andrews
2789554dec Remove false positive qname minimisation error
Don't report qname minimisation NXDOMAIN errors when the result is
NXDOMAIN.

(cherry picked from commit f78beca942)
2024-08-01 05:24:00 +00:00
Mark Andrews
9fe19ffafa Fix yaml output
In yaml mode we emit a string for each question and record.  Certain
names and data could result in invalid yaml being produced.  Use single
quote string for all questions and records.  This requires that single
quotes get converted to two quotes within the string.

(cherry picked from commit 393d7fa78e)
2024-08-01 03:48:08 +00:00
Mark Andrews
b4fdd2f0df Properly reject zero length ALPN in commatxt_fromtext
ALPN are defined as 1*255OCTET in RFC 9460.  commatxt_fromtext was not
rejecting invalid inputs produces by missing a level of escaping
which where later caught be dns_rdata_fromwire on reception.

These inputs should have been rejected

	svcb in svcb 1 1.svcb alpn=\,abc
	svcb1 in svcb 1 1.svcb alpn=a\,\,abc

and generated 00 03 61 62 63 and 01 61 00 02 61 62 63 respectively.

The correct inputs to include commas in the alpn requires double
escaping.

	svcb in svcb 1 1.svcb alpn=\\,abc
	svcb1 in svcb 1 1.svcb alpn=a\\,\\,abc

and generate 04 2C 61 62 63 and 06 61 2C 2C 61 62 63 respectively.

(cherry picked from commit b51c9eb797)
2024-08-01 01:10:48 +00:00
Mark Andrews
450aa90309 Do not update find.result_v4 and find.result_v6
These values are supposed to be static for the life of the find and
clean_finds_at_name was updating them resulting in TSAN error
reports.

    WARNING: ThreadSanitizer: data race
    Write of size 4 at 0x000000000001 by thread T1 (mutexes: write M1, write M2):
      #0 clean_finds_at_name lib/dns/adb.c:1537
      #1 fetch_callback lib/dns/adb.c:4009
      #2 task_run lib/isc/task.c:815
      #3 isc_task_run lib/isc/task.c:896
      #4 isc__nm_async_task netmgr/netmgr.c:848
      #5 process_netievent netmgr/netmgr.c:920
      #6 process_queue netmgr/netmgr.c:1013
      #7 process_all_queues netmgr/netmgr.c:767
      #8 async_cb netmgr/netmgr.c:796
      #9 uv__async_io /usr/src/libuv-v1.44.1/src/unix/async.c:163
      #10 isc__trampoline_run lib/isc/trampoline.c:189

    Previous read of size 4 at 0x000000000001 by thread T2:
      #0 findname lib/dns/resolver.c:3749
      #1 fctx_getaddresses lib/dns/resolver.c:3993
      #2 fctx_try lib/dns/resolver.c:4390
      #3 rctx_nextserver lib/dns/resolver.c:10356
      #4 rctx_done lib/dns/resolver.c:10503
      #5 resquery_response lib/dns/resolver.c:8511
      #6 udp_recv lib/dns/dispatch.c:638
      #7 isc__nm_async_readcb netmgr/netmgr.c:2885
      #8 isc__nm_readcb netmgr/netmgr.c:2858
      #9 udp_recv_cb netmgr/udp.c:650
      #10 isc__nm_udp_read_cb netmgr/udp.c:1057
      #11 uv__udp_recvmsg /usr/src/libuv-v1.44.1/src/unix/udp.c:303
      #12 isc__trampoline_run lib/isc/trampoline.c:189

(cherry picked from commit 53a5f50e9d)
2024-07-31 06:20:45 +00:00
Mark Andrews
45e49640ce Log key calculation overflows
(cherry picked from commit 14a76ae498)
2024-07-30 10:22:48 +00:00
Mark Andrews
edb1df856e Check for overflow when adding lifetime
(cherry picked from commit 25845a866e)
2024-07-30 10:22:48 +00:00
Matthijs Mekking
b489e267d4 No longer update key lifetime if key is retired
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.

(cherry picked from commit 129973ebb0)
2024-07-30 10:22:48 +00:00
Matthijs Mekking
bfb29acc7f Update key lifetime and metadata after reconfig
If dnssec-policy is reconfigured and the key lifetime has changed,
update existing keys with the new lifetime and adjust the retire
and removed timing metadata accordingly.

If the key has no lifetime yet, just initialize the lifetime. It
may be that the retire/removed timing metadata has already been set.

Skip keys which goal is not set to omnipresent. These keys are already
in the progress of retiring, or still unused.

(cherry picked from commit 1cec0b0448)
2024-07-30 10:22:48 +00:00
Ondřej Surý
57cd34441a Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:

1. If the new header type is in our priority list, we always add either
   positive or negative entry at the beginning of the list.

2. If the new header type is negative entry, and we are over the limit,
   we mark it as ancient immediately, so it gets evicted from the cache
   as soon as possible.

3. Otherwise add the new header after the priority headers (or at the
   head of the list).

4. If we are over the limit, evict the last entry on the normal header
   list.
2024-07-01 12:48:51 +02:00
Ondřej Surý
b27c6bcce8 Expand the list of the priority types and move it to db_p.h
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
2024-07-01 12:47:30 +02:00
Petr Špaček
9370acd3a7 Require local KEYs for SIG(0) verification
This is additional hardening. There is no known use-case for KEY RRs
from DNS cache and it potentially allows attackers to put weird keys
into cache.
2024-06-10 17:36:45 +02:00
Aram Sargsyan
7ca9bd6014 Limit the number of keys for SIG(0) message verification
Check at most two KEY RRs agains a SIG(0) signature. This should
limit potential abuse and at the same time allow key rollover.
2024-06-10 17:33:11 +02:00
Aram Sargsyan
70ff4a3f85 Run resolver message signature checking asynchronously 2024-06-10 17:33:11 +02:00
Aram Sargsyan
710bf9b938 Implement asynchronous message signature verification
Add support for using the offload threadpool to perform message
signature verifications. This should allow check SIG(0)-signed
messages without affecting the worker threads.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
7f013ad05d Remove dns_message_rechecksig()
This is a tiny helper function which is used only once and can be
replaced with two function calls instead. Removing this makes
supporting asynchronous signature checking less complicated.
2024-06-10 17:33:10 +02:00
Matthijs Mekking
c1ac8b6ad0 Log rekey failure as error if too many records
By default we log a rekey failure on debug level. We should probably
change the log level to error. We make an exception for when the zone
is not loaded yet, it often happens at startup that a rekey is
run before the zone is fully loaded.
2024-06-10 16:55:12 +02:00
Evan Hunt
7dd6b47ace fix a memory leak that could occur when signing
when signatures were not added because of too many types already
existing at a node, the diff was not being cleaned up; this led to
a memory leak being reported at shutdown.
2024-06-10 16:55:12 +02:00
Ondřej Surý
52b3d86ef0 Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k).  As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).

Add a configurable limit to cap the number of the RR types for a single
owner.  This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
2024-06-10 16:55:09 +02:00
Ondřej Surý
32af7299eb Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.

Add a configurable limit to cap the number of the RRs in a single RRSet.
This is enforced at the database (rbtdb, qpzone, qpcache) level and
configured with new max-records-per-type configuration option that can
be configured globally, per-view and per-zone.
2024-06-10 16:55:07 +02:00
Ondřej Surý
086b63f56d Use isc_queue to implement wait-free deadnodes queue
Replace the ISC_LIST based deadnodes implementation with isc_queue which
is wait-free and we don't have to acquire neither the tree nor node lock
to append nodes to the queue and the cleaning process can also
copy (splice) the list into a local copy without acquiring the list.

Currently, there's little benefit to this as we need to hold those
locks anyway, but in the future as we move to RCU based implementation,
this will be ready.

To align the cleaning with our event loop based model, remove the
hardcoded count for the node locks and use the number of the event loops
instead.  This way, each event loop can have its own cleaning as part of
the process.  Use uniform random numbers to spread the nodes evenly
between the buckets (instead of hashing the domain name).
2024-06-05 09:19:56 +02:00
Mark Andrews
56c3dcc5d7 Update resquery_senddone handling of ISC_R_TIMEDOUT
Treat timed out as an address specific error.
2024-06-04 00:15:48 +10:00
Mark Andrews
4e3dd85b8d Update resquery_senddone handling of ISC_R_CONNECTIONRESET
Treat connection reset as an address specific error.
2024-06-04 00:15:48 +10:00
Mark Andrews
180b1e7939 Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c
These error codes should be treated like other unreachable error
codes.
2024-06-04 00:15:48 +10:00
Mark Andrews
05472e63e8 Don't do DS checks over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
d026dbe536 Don't forward UPDATE messages over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
5d99625515 Don't send NOTIFY over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
2cd4303249 Report non-effective primaries
When named is started with -4 or -6 and the primaries for a zone
do not have an IPv4 or IPv6 address respectively issue a log message.
2024-06-03 18:34:31 +10:00
Mark Andrews
ecdde04e63 Zone transfers should honour -4 and -6 options
Check if the address family has been disabled when transferring
zones.
2024-06-03 18:34:31 +10:00
Mark Andrews
87e3b9dbf3 Pass a memory context in to dns_cache_create 2024-05-31 15:40:32 +10:00
Mark Andrews
5e77edd074 Use a new memory context when flushing the cache
When the cache's memory context was in over memory state when the
cache was flushed it resulted in LRU cleaning removing newly entered
data in the new cache straight away until the old cache had been
destroyed enough to take it out of over memory state.  When flushing
the cache create a new memory context for the new db to prevent this.
2024-05-31 15:40:32 +10:00
Ondřej Surý
3310cac2b0 Create the new database for AXFR from the dns_zone API
The `axfr_makedb()` didn't set the loop on the newly created database,
effectively killing delayed cleaning on such database.  Move the
database creation into dns_zone API that knows all the gory details of
creating new database suitable for the zone.
2024-05-29 08:30:19 +02:00