Commit Graph

13397 Commits

Author SHA1 Message Date
Aram Sargsyan
6bebcedb80 Cancel all fetch events in dns_resolver_cancelfetch()
Although 'dns_fetch_t' fetch can have two associated events, one for
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
dns_resolver_cancelfetch() function is designed in a way that it
expects only one existing event, which it must cancel, and when it
happens so that 'stale-answer-client-timeout' is enabled and there
are two events, only one of them is canceled, and it results in an
assertion in dns_resolver_destroyfetch(), when it finds a dangling
event.

Change the logic of dns_resolver_cancelfetch() function so that it
cancels both the events (if they exist), and in the right order.

(cherry picked from commit ec2098ca35)
2023-01-12 13:00:03 +01:00
Mark Andrews
3cd0c32b0a Move the mapping of SIG and RRSIG to ANY
dns_db_findext() asserts if RRSIG is passed to it and
query_lookup_stale() failed to map RRSIG to ANY to prevent this.  To
avoid cases like this in the future, move the mapping of SIG and RRSIG
to ANY for qctx->type to qctx_init().

(cherry picked from commit 56eae06418)
2023-01-12 12:33:28 +01:00
Evan Hunt
eb98d96481 move update ACL and update-policy checks before quota
check allow-update, update-policy, and allow-update-forwarding before
consuming quota slots, so that unauthorized clients can't fill the
quota.

(this moves the access check before the prerequisite check, which
violates the precise wording of RFC 2136. however, RFC co-author Paul
Vixie has stated that the RFC is mistaken on this point; it should have
said that access checking must happen *no later than* the completion of
prerequisite checks, not that it must happen exactly then.)

(cherry picked from commit 964f559edb)
2023-01-12 12:21:36 +01:00
Evan Hunt
7fe2204a2e add a configuration option for the update quota
add an "update-quota" option to configure the update quota.

(cherry picked from commit f57758a730)
2023-01-12 12:21:36 +01:00
Evan Hunt
35711a29e5 add an update quota
limit the number of simultaneous DNS UPDATE events that can be
processed by adding a quota for update and update forwarding.
this quota currently, arbitrarily, defaults to 100.

also add a statistics counter to record when the update quota
has been exceeded.

(cherry picked from commit 7c47254a14)
2023-01-12 12:21:36 +01:00
Aram Sargsyan
60dece8277 Increase catalog zone entries hash table's bits size
The hash table implementation in the current branch does not
support automatic resize operation, so the initial value of
the table should be chosen carefully.

Catalog zones entries hash table's size is currently only 4 bits,
which is very low for a catalog zone with thousands of entries,
and causes CPU consumption spikes when working with the hash
table to add/delete/search entries.

Use 16 bits instead, which should make working with big catalog
zones much faster at the expense of slightly higher memory usage,
i.e. 512 KiB for a 64-bit system for each catalog zone.
2023-01-11 17:26:26 +00:00
Aram Sargsyan
144135415b Use sizeof(*ptr) for allocating/freeing memory in forward.c
As shown in the previous commit, using sizeof(type_t) is a little
bit more error-prone when copy-pasting code, so extracting the
size information from the pointer which is being dealt with seems
like a better alternative.

(cherry picked from commit cf4003fa58)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
1950629ffa Fix dns_fwdtable_addfwd() error path cleanup bug
Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
to a 'dns_forwarder_t' type structure.

(cherry picked from commit 0cc1b06d98)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
272afcd999 Fix a use-after-free bug in dns_zonemgr_releasezone()
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.

This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.

Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.

(cherry picked from commit c1fc212253)
2023-01-11 12:17:27 +00:00
Evan Hunt
0b40df8f8a deprecate dscp configuration
This commit deprecates the "dscp" configuration option and "dscp"
parameters to source-address configuration options (query-source,
transfer-source, etc.

(Note that the DSCP feature has not been fully operational since
the network manager was introduced in 9.16.0; outgoing DSCP values
can be configured, but incoming DSCP values are not detected.)
2023-01-10 11:16:18 -08:00
Mark Andrews
f1c08fe93b Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
Arthimetic on NULL pointers is undefined.  Avoid arithmetic operations
when 'in' is NULL and require 'in' to be non-NULL if 'inlen' is not zero.

(cherry picked from commit 349c23dbb7)
2023-01-10 18:36:27 +11:00
Mark Andrews
2a9300a3bc Don't perform arithmetic on NULL pointers
When node is NULL when calling getparent() et al. they return NULL
but performing arithmetic on the NULL pointer is undefined.  Check
if 'node' or 'header' is NULL and skip the adjustment.
2023-01-10 17:45:51 +11:00
Michał Kępień
ba1306bfb4 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
(cherry picked from commit a4547a1093)
2023-01-09 13:57:44 +01:00
Matthijs Mekking
2696267b1f Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 91a1a8efc5)
2023-01-09 13:57:43 +01:00
Aram Sargsyan
a634488a24 Fix logging a uint32_t SOA serial value in dns_catz_update_from_db()
The dns_catz_update_from_db() function prints serial number as a signed
number (with "%d" in the format string), but the `vers` variable's type
is 'uint32_t'. This breaks serials bigger than 2^31.

Use PRIu32 instead of "d" in the format string.

(cherry picked from commit 72b1760ea6)
2022-12-15 13:49:58 +00:00
Tony Finch
f3d96ab1f1 Fix a typo RSASHA236 -> RSASHA256
Use dns_secalg_format() to avoid error-prone repetition.

(cherry picked from commit c18a9a208d)
2022-12-14 12:46:56 +00:00
Ondřej Surý
075c7f7562 Implement proper reference counting for dns_keyfileio_t
Instead of relying on hash table search when using the keys, implement a
proper reference counting in dns_keyfileio_t objects, and attach/detach
the objects to the zone.

(cherry picked from commit 79115a0c3b)
2022-12-09 15:20:11 +01:00
Ondřej Surý
98fca774b6 Release unused key file IO lock objects
Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
lock objects were never freed and they were kept until the server
shutdown.  Adjust the returned value by -1 to accomodate the fact that
the atomic_fetch_*() functions return the value before the operation and
not current value after the operation.

(cherry picked from commit fb1acd6736)
2022-12-08 10:32:59 +01:00
Tom Krizek
da42fa7622 Revert "Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'"
This reverts commit b2a4447af8, reversing
changes made to 8924f92956.

It also removes release note 6038, since the fix is reverted.
2022-12-08 10:23:40 +01:00
Mark Andrews
ea03c3d25c Remove different zero TTL handling for rdataset iterator
Zero TTL handling does not need to be different for 'rdatasetiter_first'
and 'rdatasetiter_next' and it interacts badly with 'bind_rdatadataset'
which makes different determinations.

(cherry picked from commit 1a39328feb)
2022-12-08 11:20:35 +11:00
Mark Andrews
a3bc62e4cd Add dns_db_allrdatasets options
'DNS_DB_STALEOK' returns stale rdatasets as well as current rdatasets.

'DNS_DB_EXPIREDOK' returns expired rdatasets as well as current
rdatasets. This option is currently only set when DNS_DB_STALEOK is
also set.

(cherry picked from commit 85048ddeee)
2022-12-08 11:20:35 +11:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
8b6a30f59d Properly select active rdatasets when iterating across node
Active rdatasets where not being properly selected in rdatasetiter_first
and rdatasetiter_next.

(cherry picked from commit 3bdab2d111)
2022-12-08 10:47:23 +11:00
Mark Andrews
a85260fc19 Revert "Fix rndc dumpdb -expired for stuck cache contents"
This reverts commit f8d866c6ef.

(cherry picked from commit 90249e4aa5)
2022-12-08 10:46:18 +11:00
Ondřej Surý
72724b258c Propagate the shutdown event to the recursing ns_client(s)
Send the ns_query_cancel() on the recursing clients when we initiate the
named shutdown for faster shutdown.

When we are shutting down the resolver, we cancel all the outstanding
fetches, and the ISC_R_CANCEL events doesn't propagate to the ns_client
callback.

In the future, the better solution how to fix this would be to look at
the shutdown paths and let them all propagate from bottom (loopmgr) to
top (f.e. ns_client).

(cherry picked from commit d861d403bb9a7912e29a06aba6caf6d502839f1b)
2022-12-07 18:09:40 +01:00
Mark Andrews
f9845df6d6 Add missing DbC magic checks
Checking for value != NULL is not sufficient to detect use after
free errors.

(cherry picked from commit b1086a5561)
2022-12-07 09:47:39 +11:00
Mark Andrews
dd73306509 Call dns_db_updatenotify_unregister earlier
dns_db_updatenotify_unregister needed to be called earlier to ensure
that listener->onupdate_arg always points to a valid object.  The
existing lazy cleanup in rbtdb_free did not ensure that.

(cherry picked from commit 35839e91d8)
2022-12-07 09:47:37 +11:00
Mark Andrews
ffeda92cd8 Suppress duplicate dns_db_updatenotify_register registrations
Duplicate dns_db_updatenotify_register registrations need to be
suppressed to ensure that dns_db_updatenotify_unregister is successful.

(cherry picked from commit f13e71e551)
2022-12-07 09:46:50 +11:00
Michał Kępień
148608c7b2 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
2022-12-06 13:51:30 +00:00
Matthijs Mekking
e6e13c3e62 Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 86a80e723f)
2022-12-06 13:51:07 +00:00
Ondřej Surý
bf093e814c Don't log "final reference detached" on INFO level
The "final reference detached" message was meant to be DEBUG(1), but was
instead kept at INFO level.  Move it to the DEBUG(1) logging level, so
it's not printed under normal operations.

(cherry picked from commit 1816244725)
2022-11-30 11:51:29 +01:00
Michal Nowak
771fed4a14 Update sources to Clang 15 formatting 2022-11-29 10:30:34 +01:00
Michal Nowak
69f00278c3 Remove unused variable reported by Clang 15
resolver.c:4776:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
            unsigned int count = 0;
                         ^
2022-11-28 14:35:03 +01:00
Matthijs Mekking
ed8eba9180 Deprecate auto-dnssec
Deprecate auto-dnssec, add specific log warning to migrate to
dnssec-policy.

Cherry-picking triggered a lot of conflicts, so the changes
were manually picked.

(manually picked from commit f9845dd1)
2022-11-23 13:32:52 +01:00
Mark Andrews
3952f01cad Select the appropriate namespace when using a dual stack server
When using dual-stack-servers the covering namespace to check whether
answers are in scope or not should be fctx->domain.  To do this we need
to be able to distingish forwarding due to forwarders clauses and
dual-stack-servers.  A new flag FCTX_ADDRINFO_DUALSTACK has been added
to signal this.

(cherry picked from commit dfbffd77f9)
2022-11-17 13:07:58 +11:00
Mark Andrews
10083c2019 Have dns_zt_apply lock the zone table
There were a number of places where the zone table should have been
locked, but wasn't, when dns_zt_apply was called.

Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it.  Removed locks in callers.

(cherry picked from commit f053d5b414)
2022-11-11 16:13:55 +00:00
Mark Andrews
bf3a8c7de9 Add missing closing ')' to update-policy documentation
The opening '(' before local was not being matched by a closing
')' after the closing '};'.

(cherry picked from commit 044c3b2bb8)
2022-11-07 13:08:20 +01:00
Ondřej Surý
a6e3fc20d0 Don't use dns_zone_attach() in zone_refreshkeys()
The zone_refreshkeys() could run before the zone_shutdown(), but after
the last .erefs has been "detached" causing assertion failure when doing
dns_zone_attach().  Remove the use of .erefs (dns_zone_attach/detach)
and replace it with using the .irefs and additional checks whether the
zone is exiting in the callbacks.

(cherry picked from commit 80e66fbd2d)
2022-11-03 15:35:58 +01:00
Matthijs Mekking
949768b252 Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.

(cherry picked from commit 332b98ae49)
2022-11-03 14:44:35 +01:00
Aram Sargsyan
78e04d8d0c Don't trust a placeholder KEYDATA record
When named starts it creates an empty KEYDATA record in the managed-keys
zone as a placeholder, then schedules a key refresh. If key refresh
fails for some reason (e.g. connectivity problems), named will load the
placeholder key into secroots as a trusted key during the next startup,
which will break the chain of trust, and named will never recover from
that state until managed-keys.bind and managed-keys.bind.jnl files are
manually deleted before (re)starting named again.

Before calling load_secroots(), check that we are not dealing with a
placeholder.

(cherry picked from commit 354ae2d7e3)
2022-11-01 10:55:38 +00:00
Evan Hunt
8010389902 Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()
Because dns_resolver_createfetch() locks the view, it was necessary
to unlock the zone in zone_refreshkeys() before calling it in order
to maintain the lock order, and relock afterward. this permitted a race
with dns_zone_synckeyzone().

This commit moves the call to dns_resolver_createfetch() into a separate
function which is called asynchronously after the zone has been
unlocked.

The keyfetch object now attaches to the zone to ensure that
it won't be shut down before the asynchronous call completes.

This necessitated refactoring dns_zone_detach() so it always runs
unlocked. For managed zones it schedules zone_shutdown() to
run asynchronously; for unmanaged zones there is no task.
2022-11-01 01:46:17 -07:00
Aram Sargsyan
648e71b086 Match prefetch eligibility behavior with ARM
ARM states that the "eligibility" TTL is the smallest original TTL
value that is accepted for a record to be eligible for prefetching,
but the code, which implements the condition doesn't behave in that
manner for the edge case when the TTL is equal to the configured
eligibility value.

Fix the code to check that the TTL is greater than, or equal to the
configured eligibility value, instead of just greater than it.

(cherry picked from commit 863f51466e)
2022-10-21 10:30:28 +00:00
Aram Sargsyan
c3660564ce Call dns_adb_endudpfetch() on error path, if required
For UDP queries, after calling dns_adb_beginudpfetch() in fctx_query(),
make sure that dns_adb_endudpfetch() is also called on error path, in
order to adjust the quota back.

(cherry picked from commit 5da79e2be0)
2022-10-21 08:46:43 +00:00
Evan Hunt
8e4a1f3483 ensure RPZ lookups handle CD=1 correctly
RPZ rewrites called dns_db_findext() without passing through the
client database options; as as result, if the client set CD=1,
DNS_DBFIND_PENDINGOK was not used as it should have been, and
cache lookups failed, resulting in failure of the rewrite.

(cherry picked from commit 305a50dbe1)
2022-10-19 13:16:51 -07:00
Matthijs Mekking
cbdf23e5ec Change log level when doing rekey
This log happens when BIND checks the parental-agents if the DS has
been published. But if you don't have parental-agents set up, the list
of keys to check will be empty and the result will be ISC_R_NOTFOUND.
This is not an error, so change the log level to debug in this case.

(cherry picked from commit a1d57fc8cb)
2022-10-18 16:31:01 +02:00
Ondřej Surý
7b4cf67261 Replace (void *)-1 with ISC_LINK_TOMBSTONE
Instead of having "arbitrary" (void *)-1 to define non-linked, add a
ISC_LINK_TOMBSTONE(type) macro that replaces the "magic" value with a
define.

(cherry picked from commit 5e20c2ccfb)
2022-10-18 14:30:49 +02:00
Ondřej Surý
a317b2ea1c Add ISC_{LIST,LINK}_INITIALIZER for designated initializers
Since we are using designated initializers, we were missing initializers
for ISC_LIST and ISC_LINK, add them, so you can do

    *foo = (foo_t){ .list = ISC_LIST_INITIALIZER };

Instead of:

    *foo = (foo_t){ 0 };
    ISC_LIST_INIT(foo->list);

(cherry picked from commit cb3c36b8bf)
2022-10-18 14:30:49 +02:00
Aram Sargsyan
b6aeccf697 Fix ns_statscounter_recursclients counting bug
The incrementing and decrementing of 'ns_statscounter_recursclients'
were not properly balanced: for example, it would be incremented for
a prefetch query but not decremented if the query failed.

This commit ensures that the recursion quota and the recursive clients
counter are always in sync with each other.

(cherry picked from commit 82991451b4)
2022-10-18 10:38:04 +00:00
Aram Sargsyan
790db0a344 Handle large numbers when parsing/printing a duration
The duration_fromtext() function is truncating large numbers
to 32 bits instead of capping or rejecting them, i.e. 64424509445,
which is 0xf00000005, gets parsed as 32-bit value 5 (0x00000005).

Fail parsing a duration if any of its components is bigger than
32 bits. Using those kind of big numbers has no practical use case
for a duration.

The cfg_obj_asduration() function can overflow the 32 bit
seconds variable when calculating the duration from its component
parts.

To avoid that, use 64-bit calculation and return UINT32_MAX if the
calculated value is bigger than UINT32_MAX. Again, a number this big
has no practical use case anyway.

The buffer for the generated duration string is limited to 64 bytes,
which, in theory, is smaller than the longest possible generated
duration string.

Use 80 bytes instead, calculated by the '7 x (10 + 1) + 3' formula,
where '7' is the count of the duration's parts (year, month, etc.), '10'
is their maximum length when printed as a decimal number, '1' is their
indicator character (Y, M, etc.), and 3 is two more indicators (P and T)
and the terminating NUL character.

(cherry picked from commit fddaebb285)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
d9a8c43107 Fix an off-by-one error in cfg_print_duration()
The cfg_print_duration() checks added previously in the 'duration_test'
unit test uncovered a bug in cfg_print_duration().

When calculating the current 'str' pointer of the generated text in the
buffer 'buf', it erroneously adds 1 byte to compensate for that part's
indicator character. For example, to add 12 minutes, it needs to add
2 + 1 = 3 characters, where 2 is the length of "12", and 1 is the length
of "M" (for minute). The mistake was that the length of the indicator
is already included in 'durationlen[i]', so there is no need to
calculate it again.

In the result of this mistake the current pointer can advance further
than needed and end up after the zero-byte instead of right on it, which
essentially cuts off any further generated text. For example, for a
5 minutes and 30 seconds duration, instead of having this:

    'P', 'T', '5', 'M', '3', '0', 'S', '\0'

The function generates this:

    'P', 'T', '5', 'M', '\0', '3', '0', 'S', '\0'

Fix the bug by adding to 'str' just 'durationlen[i]' instead of
'durationlen[i] + 1'.

(cherry picked from commit dc55f1ebb9)
2022-10-17 11:09:06 +00:00