Commit Graph

34512 Commits

Author SHA1 Message Date
Evan Hunt
1ed5eb38e4 clarify "max-zone-ttl" documentation
The "max-zone-ttl" option should now be configured as part of
dnssec-policy. Use of this option in zone/view/options will be ignored
in any zone that also has dnssec-policy configured.
2022-07-22 15:24:29 -07:00
Matthijs Mekking
111b215987 Reject zones with TTL higher than dnssec-policy max-zone-ttl
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.

With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
2022-07-22 13:40:12 -07:00
Matthijs Mekking
2022384b8d Test dnssec-policy max-zone-ttl rejects zone with too high TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
2022-07-22 13:39:17 -07:00
Petr Špaček
04c76d0055 Merge branch 'pspacek/minor-arm-tweaks-and-fixes-v9_16' into 'v9_16'
Fix dnssec-signzone examples in DNSSEC Guide [v9_16]

See merge request isc-projects/bind9!6604
2022-07-21 13:20:02 +00:00
Petr Špaček
a94c063c19 Avoid opt-out flag in dnssec-signzone examples
Since !6413 we discourage opt-out, so we should not be advertising it in
the examples. Even worse, it was just thrown into the command line
without even mentioning its meaning in the surrounding text.

Related: !6413
(cherry picked from commit beae857288)
2022-07-21 15:19:38 +02:00
Petr Špaček
445863c9fd Remove errorneous shell output redirection from dnssec-signzone example
The > looked like shell output redirection. It was present since we
imported DNSSEC Guide into the ARM.

(cherry picked from commit 1ab564d605)
2022-07-21 15:19:38 +02:00
Michal Nowak
a0e7b05aba Merge tag 'v9_16_31' into v9_16
BIND 9.16.31
2022-07-21 14:37:36 +02:00
Michał Kępień
55edba1dc6 Merge branch 'michal/run-a-short-respdiff-test-for-all-merge-requests-v9_16' into 'v9_16'
[v9_16] Run a short respdiff test for all merge requests

See merge request isc-projects/bind9!6591
2022-07-18 13:40:05 +00:00
Michał Kępień
1faaefd134 Run a short respdiff test for all merge requests
Running a respdiff test for every merge request would be useful for
catching protocol-breaking changes before they are applied to the source
code.  However, the existing respdiff-based tests take a while to
complete (about half an hour with our current CI infrastructure), which
does not make them a good fit for this purpose.  Add a new GitLab CI
job, "respdiff-short", which uses a smaller query set that gets
processed within a couple of minutes on our current CI infrastructure.
Rename the existing respdiff-based jobs to make distinguishing them
easier.

(cherry picked from commit 31ee43a314)
2022-07-18 15:28:21 +02:00
Michał Kępień
6b03f8bbfc Extract respdiff job definition to a YAML anchor
Ensure the common parts of all jobs using respdiff are available in the
form of a reusable YAML anchor, to reduce code duplication and to
simplify adding more respdiff-based jobs to GitLab CI.

(cherry picked from commit ca20a189f7)
2022-07-18 15:28:21 +02:00
Michał Kępień
d02d5b97f5 Use a pre-built executable as the reference named
The "respdiff" GitLab CI job compares DNS responses produced by the
current version of named with those produced by a reference version.
The latter is built from source in each "respdiff" job, despite the fact
that the reference version changes very rarely.  Use a pre-built named
executable as the reference version instead, assuming it is available in
the OS image used for "respdiff" tests.

(cherry picked from commit ab90a4705a)
2022-07-18 15:28:21 +02:00
Ondřej Surý
2e7e47f88d Merge branch '3453-cope-with-too-small-BUFSIZ-v9_16' into 'v9_16'
Increase the BUFSIZ-long buffers [v9.16]

See merge request isc-projects/bind9!6587
2022-07-15 19:48:15 +00:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Michał Kępień
cacca9bdf9 Merge branch '3443-memory-related-cleanups-v9_16' into 'v9_16'
[v9_16] Memory-related cleanups

See merge request isc-projects/bind9!6569
2022-07-15 09:01:03 +00:00
Michał Kępień
b68851773c Make "named -h" output match option-handling code
The usage instructions printed by "named -h" are missing the "external"
and "internal" flags that can be passed to the -M command-line option.
Add the missing flags to "named -h" output.
2022-07-15 10:45:34 +02:00
Michał Kępień
31012c1c0d Update documentation for named's -M option
Add "internal" to the list of legal values for the -M command-line
option (commit 1f7d2d53f0 added that
flag).

Make the style of the relevant paragraph more in line with the next one
and split its contents up into an unordered list of options for improved
readability.

(cherry picked from commit f0c31ceb3b)
2022-07-15 10:45:34 +02:00
Michał Kępień
4d1986ebcb Handle ISC_MEM_DEFAULTFILL consistently
Contrary to what the documentation states, memory filling is only
enabled by --enable-developer (or by setting -DISC_MEM_DEFAULTFILL=1) if
the internal memory allocator is used.  However, the internal memory
allocator is disabled by default, so just using the --enable-developer
build-time option does not enable memory filling (passing "-M fill" on
the named command line is necessary to actually enable it).  As memory
filling is a useful tool for troubleshooting certain types of bugs, it
should also be enabled by --enable-developer when the system allocator
is used.

Furthermore, memory-related preprocessor macros are handled in two
distinct locations: lib/isc/include/isc/mem.h and bin/named/main.c.
This makes the logic hard to follow.

Move all code handling the ISC_MEM_DEFAULTFILL preprocessor macro to
lib/isc/include/isc/mem.h, ensuring memory filling is enabled by the
--enable-developer build-time switch, no matter which memory allocator
is used.
2022-07-15 10:45:34 +02:00
Michał Kępień
7df6070c02 Fix mempool stats bug in the internal allocator
Commit c96b6eb5ec changed the way mempool
code handles freed allocations that cannot be retained for later use as
"free list" items: it no longer uses different logic depending on
whether the internal allocator is used or the system one.  However, that
commit did not update a relevant piece of code in isc_mempool_destroy(),
causing memory context statistics to always be off upon shutdown when
BIND 9 is built with -DISC_MEM_USE_INTERNAL_MALLOC=1.  This causes
assertion failures.  Update isc_mempool_destroy() accordingly in order
to prevent this issue from being triggered.
2022-07-15 10:45:34 +02:00
Mark Andrews
5338fc9e19 Merge branch '3447-lib-dns-tkey-c-free_namelist-should-be-disassociating-associated-rdatatsets-v9_16' into 'v9_16'
disassociate rdatasets when cleaning up [v9_16]

See merge request isc-projects/bind9!6578
2022-07-14 01:08:57 +00:00
Mark Andrews
f2855facbe disassociate rdatasets when cleaning up
free_namelist could be passed names with associated rdatasets
when handling errors.  These need to be disassociated before
calling dns_message_puttemprdataset.

(cherry picked from commit 745d5edc3a)
2022-07-14 10:21:47 +10:00
Mark Andrews
29f0ac40f3 Merge branch '3449-kasp-system-test-failed-to-log-some-zones-during-setup-v9_16' into 'v9_16'
kasp: add missing logging during setup [v9_16]

See merge request isc-projects/bind9!6576
2022-07-14 00:18:27 +00:00
Mark Andrews
9980c7be8d kasp: add missing logging during setup
Some zones where not being logged when just DNSSEC keys where being
generated in system test setup phase.  Add logging for these zones.

(cherry picked from commit 04627997eb)
2022-07-14 09:46:16 +10:00
Mark Andrews
5e5232aa5b Merge branch '3446-autosign-s-checking-revoked-key-with-duplicate-key-id-test-was-incomplete-v9_16' into 'v9_16'
Make "checking revoked key with duplicate key ID" work [v9_16]

See merge request isc-projects/bind9!6558
2022-07-13 01:42:56 +00:00
Mark Andrews
5fec2fcbe7 Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically
lower one is revoked (serial space arithmetic).  The DS points
at the non-revoked key so validation should still succeed.

(cherry picked from commit 513cb24b55)
2022-07-13 10:58:41 +10:00
Evan Hunt
492f614d0e Merge branch '2683-ixfr-logging-v9_16' into 'v9_16'
log the reason for falling back to AXFR from IXFR at level info

See merge request isc-projects/bind9!6552
2022-07-12 23:52:47 +00:00
Evan Hunt
0849fd2211 log the reason for falling back to AXFR from IXFR at level info
messages indicating the reason for a fallback to AXFR (i.e, because
the requested serial number is not present in the journal, or because
the size of the IXFR response would exceeed "max-ixfr-ratio") are now
logged at level info instead of debug(4).

(cherry picked from commit df1d81cf96)
2022-07-12 16:27:01 -07:00
Michal Nowak
d0bf87eab5 Merge branch 'mnowak/alpine-3.16-v9_16' into 'v9_16'
[v9_16] Add Alpine Linux 3.16

See merge request isc-projects/bind9!6549
2022-07-12 12:01:37 +00:00
Michal Nowak
0043999f54 Add Alpine Linux 3.16
(cherry picked from commit 0d0ab3db10)
2022-07-12 13:59:30 +02:00
Matthijs Mekking
77ee0f87b5 Merge branch '3438-dnssec-policy-does-not-set-inline-signing-v9_16' into 'v9_16'
[v9_16] Fix inheritance for dnssec-policy when checking for inline-signing

See merge request isc-projects/bind9!6547
2022-07-12 11:39:42 +00:00
Matthijs Mekking
60c297d717 Add release note and change entry for #3438
Bug worth mentioning.

(cherry picked from commit 689215a675)
2022-07-12 12:48:57 +02:00
Matthijs Mekking
0d5e0867df Inherit dnssec-policy in check for inline-signing
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. But the function responsible
for this did not inherit the dnssec-policy option from the view or
options level, and thus never enabled inline-signing, while the zone
should have been.

This is fixed by this commit.

(cherry picked from commit 576b21b168)
2022-07-12 12:48:21 +02:00
Matthijs Mekking
eb7d65b84d Test setting of inline-signing with dnssec-policy
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. Add test cases to verify this.

(cherry picked from commit efa8a4e88d)
2022-07-12 12:48:16 +02:00
Matthijs Mekking
2db23e475b Fix kasp system test bugs
Fix a comment, ensuring the right parameters are used (zone is
parameter $3, not $2) and add view and policy parameters to the comment.

Fix the view tests and test the correct view (example3 instead of
example2).

Fix placement of "n=$((n+1)" for two test cases.

(cherry picked from commit ff65f07779)
2022-07-12 12:48:08 +02:00
Mark Andrews
474bac53ba Merge branch '3389-unexpected-badkey-in-upforwd-system-test-v9_16' into 'v9_16'
Clone the message buffer before forwarding UPDATE messages [v9_16]

See merge request isc-projects/bind9!6545
2022-07-12 09:28:23 +00:00
Mark Andrews
17b2dc015e Add CHANGES note for [GL #3389]
(cherry picked from commit 09d8ed3970)
2022-07-12 19:02:00 +10:00
Mark Andrews
b485d95c66 Clone the message buffer before forwarding UPDATE messages
this prevents named forwarding a buffer that may have been over
written.

(cherry picked from commit 7a42417d61)
2022-07-12 19:01:32 +10:00
Michał Kępień
0e59965d6a Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.32' into 'v9_16'
Set up version and release notes for BIND 9.16.32

See merge request isc-projects/bind9!6540
2022-07-11 07:05:57 +00:00
Michał Kępień
c660730ea3 Set up release notes for BIND 9.16.32 2022-07-11 08:52:51 +02:00
Michał Kępień
c4e010ebaa Update BIND version to 9.16.32-dev 2022-07-11 08:52:51 +02:00
Tinderbox User
1c4b350ca2 Merge branch 'prep-release' into v9_16_31-release v9.16.31 2022-07-11 04:55:00 +00:00
Tinderbox User
a2bd0075bb prep 9.16.31 2022-07-11 04:49:15 +00:00
Michał Kępień
163c0b8089 Merge branch 'michal/prepare-documentation-for-bind-9.16.31' into 'v9_16_31-release'
Prepare documentation for BIND 9.16.31

See merge request isc-private/bind9!414
2022-07-11 04:40:29 +00:00
Michał Kępień
5cbf8d3c18 Tweak and reword release notes 2022-07-11 06:32:55 +02:00
Michał Kępień
59da803e86 Prepare release notes for BIND 9.16.31 2022-07-11 06:32:55 +02:00
Michał Kępień
7b1d377562 Merge branch '3441-fix-fetch-context-use-after-free-bugs' into 'v9_16'
Fix fetch context use-after-free bugs

See merge request isc-projects/bind9!6537
2022-07-11 04:18:04 +00:00
Michał Kępień
6505056267 Fix fetch context use-after-free bugs
fctx_decreference() may call fctx_destroy(), which in turn may free the
fetch context by calling isc_mem_putanddetach().  This means that
whenever fctx_decreference() is called, the fetch context pointer should
be assumed to point to garbage after that call.  Meanwhile, the
following pattern is used in several places in lib/dns/resolver.c:

    LOCK(&res->buckets[fctx->bucketnum].lock);
    bucket_empty = fctx_decreference(fctx);
    UNLOCK(&res->buckets[fctx->bucketnum].lock);

Given that 'fctx' may be freed by the fctx_decreference() call, there is
no guarantee that the value of fctx->bucketnum will be the same before
and after the fctx_decreference() call.  This can cause all kinds of
locking issues as LOCK() calls no longer match up with their UNLOCK()
counterparts.

Fix by always using a helper variable to hold the bucket number when the
pattern above is used.

Note that fctx_try() still uses 'fctx' after calling fctx_decreference()
(it calls fctx_done()).  This is safe to do because the reference count
for 'fctx' is increased a few lines earlier and it also cannot be zero
right before that increase happens, so the fctx_decreference() call in
that particular location never invokes fctx_destroy().  Nevertheless,
use a helper variable for that call site as well, to retain consistency
and to prevent copy-pasted code from causing similar problems in the
future.
2022-07-08 11:26:34 +02:00
Petr Špaček
bf2ea74622 Merge branch '3320-rewrite-arm-dnssec-chapter-v9_16' into 'v9_16'
Rewrite DNSSEC ARM Chapter [v9_16]

See merge request isc-projects/bind9!6536
2022-07-07 11:25:11 +00:00
Petr Špaček
4caaff0afa Deduplicate Manual Signing between DNSSEC chapter and DNSSEC Guide
The two procedures were essentially the same, but each instance was
missing some details from the other. They are now combined into one text
in the DNSSEC Guide and linked from DNSSEC chapter.

(cherry picked from commit 7d25027898)
2022-07-07 12:04:39 +02:00
Suzanne Goldlust
71f3d521cb Minor grammar improvements in the Signing chapter of the DNSSEC Guide
(cherry picked from commit 6b1ad4dcfb)
2022-07-07 11:48:33 +02:00
Petr Špaček
dd46af7f59 Deduplicate key filename description in the DNSSEC Guide
Third time ...

(cherry picked from commit 7e96801841)
2022-07-07 11:40:45 +02:00