Commit Graph

13381 Commits

Author SHA1 Message Date
Ondřej Surý
075c7f7562 Implement proper reference counting for dns_keyfileio_t
Instead of relying on hash table search when using the keys, implement a
proper reference counting in dns_keyfileio_t objects, and attach/detach
the objects to the zone.

(cherry picked from commit 79115a0c3b)
2022-12-09 15:20:11 +01:00
Ondřej Surý
98fca774b6 Release unused key file IO lock objects
Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
lock objects were never freed and they were kept until the server
shutdown.  Adjust the returned value by -1 to accomodate the fact that
the atomic_fetch_*() functions return the value before the operation and
not current value after the operation.

(cherry picked from commit fb1acd6736)
2022-12-08 10:32:59 +01:00
Tom Krizek
da42fa7622 Revert "Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'"
This reverts commit b2a4447af8, reversing
changes made to 8924f92956.

It also removes release note 6038, since the fix is reverted.
2022-12-08 10:23:40 +01:00
Mark Andrews
ea03c3d25c Remove different zero TTL handling for rdataset iterator
Zero TTL handling does not need to be different for 'rdatasetiter_first'
and 'rdatasetiter_next' and it interacts badly with 'bind_rdatadataset'
which makes different determinations.

(cherry picked from commit 1a39328feb)
2022-12-08 11:20:35 +11:00
Mark Andrews
a3bc62e4cd Add dns_db_allrdatasets options
'DNS_DB_STALEOK' returns stale rdatasets as well as current rdatasets.

'DNS_DB_EXPIREDOK' returns expired rdatasets as well as current
rdatasets. This option is currently only set when DNS_DB_STALEOK is
also set.

(cherry picked from commit 85048ddeee)
2022-12-08 11:20:35 +11:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
8b6a30f59d Properly select active rdatasets when iterating across node
Active rdatasets where not being properly selected in rdatasetiter_first
and rdatasetiter_next.

(cherry picked from commit 3bdab2d111)
2022-12-08 10:47:23 +11:00
Mark Andrews
a85260fc19 Revert "Fix rndc dumpdb -expired for stuck cache contents"
This reverts commit f8d866c6ef.

(cherry picked from commit 90249e4aa5)
2022-12-08 10:46:18 +11:00
Ondřej Surý
72724b258c Propagate the shutdown event to the recursing ns_client(s)
Send the ns_query_cancel() on the recursing clients when we initiate the
named shutdown for faster shutdown.

When we are shutting down the resolver, we cancel all the outstanding
fetches, and the ISC_R_CANCEL events doesn't propagate to the ns_client
callback.

In the future, the better solution how to fix this would be to look at
the shutdown paths and let them all propagate from bottom (loopmgr) to
top (f.e. ns_client).

(cherry picked from commit d861d403bb9a7912e29a06aba6caf6d502839f1b)
2022-12-07 18:09:40 +01:00
Mark Andrews
f9845df6d6 Add missing DbC magic checks
Checking for value != NULL is not sufficient to detect use after
free errors.

(cherry picked from commit b1086a5561)
2022-12-07 09:47:39 +11:00
Mark Andrews
dd73306509 Call dns_db_updatenotify_unregister earlier
dns_db_updatenotify_unregister needed to be called earlier to ensure
that listener->onupdate_arg always points to a valid object.  The
existing lazy cleanup in rbtdb_free did not ensure that.

(cherry picked from commit 35839e91d8)
2022-12-07 09:47:37 +11:00
Mark Andrews
ffeda92cd8 Suppress duplicate dns_db_updatenotify_register registrations
Duplicate dns_db_updatenotify_register registrations need to be
suppressed to ensure that dns_db_updatenotify_unregister is successful.

(cherry picked from commit f13e71e551)
2022-12-07 09:46:50 +11:00
Michał Kępień
148608c7b2 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
2022-12-06 13:51:30 +00:00
Matthijs Mekking
e6e13c3e62 Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 86a80e723f)
2022-12-06 13:51:07 +00:00
Ondřej Surý
bf093e814c Don't log "final reference detached" on INFO level
The "final reference detached" message was meant to be DEBUG(1), but was
instead kept at INFO level.  Move it to the DEBUG(1) logging level, so
it's not printed under normal operations.

(cherry picked from commit 1816244725)
2022-11-30 11:51:29 +01:00
Michal Nowak
771fed4a14 Update sources to Clang 15 formatting 2022-11-29 10:30:34 +01:00
Michal Nowak
69f00278c3 Remove unused variable reported by Clang 15
resolver.c:4776:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
            unsigned int count = 0;
                         ^
2022-11-28 14:35:03 +01:00
Matthijs Mekking
ed8eba9180 Deprecate auto-dnssec
Deprecate auto-dnssec, add specific log warning to migrate to
dnssec-policy.

Cherry-picking triggered a lot of conflicts, so the changes
were manually picked.

(manually picked from commit f9845dd1)
2022-11-23 13:32:52 +01:00
Mark Andrews
3952f01cad Select the appropriate namespace when using a dual stack server
When using dual-stack-servers the covering namespace to check whether
answers are in scope or not should be fctx->domain.  To do this we need
to be able to distingish forwarding due to forwarders clauses and
dual-stack-servers.  A new flag FCTX_ADDRINFO_DUALSTACK has been added
to signal this.

(cherry picked from commit dfbffd77f9)
2022-11-17 13:07:58 +11:00
Mark Andrews
10083c2019 Have dns_zt_apply lock the zone table
There were a number of places where the zone table should have been
locked, but wasn't, when dns_zt_apply was called.

Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it.  Removed locks in callers.

(cherry picked from commit f053d5b414)
2022-11-11 16:13:55 +00:00
Mark Andrews
bf3a8c7de9 Add missing closing ')' to update-policy documentation
The opening '(' before local was not being matched by a closing
')' after the closing '};'.

(cherry picked from commit 044c3b2bb8)
2022-11-07 13:08:20 +01:00
Ondřej Surý
a6e3fc20d0 Don't use dns_zone_attach() in zone_refreshkeys()
The zone_refreshkeys() could run before the zone_shutdown(), but after
the last .erefs has been "detached" causing assertion failure when doing
dns_zone_attach().  Remove the use of .erefs (dns_zone_attach/detach)
and replace it with using the .irefs and additional checks whether the
zone is exiting in the callbacks.

(cherry picked from commit 80e66fbd2d)
2022-11-03 15:35:58 +01:00
Matthijs Mekking
949768b252 Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.

(cherry picked from commit 332b98ae49)
2022-11-03 14:44:35 +01:00
Aram Sargsyan
78e04d8d0c Don't trust a placeholder KEYDATA record
When named starts it creates an empty KEYDATA record in the managed-keys
zone as a placeholder, then schedules a key refresh. If key refresh
fails for some reason (e.g. connectivity problems), named will load the
placeholder key into secroots as a trusted key during the next startup,
which will break the chain of trust, and named will never recover from
that state until managed-keys.bind and managed-keys.bind.jnl files are
manually deleted before (re)starting named again.

Before calling load_secroots(), check that we are not dealing with a
placeholder.

(cherry picked from commit 354ae2d7e3)
2022-11-01 10:55:38 +00:00
Evan Hunt
8010389902 Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()
Because dns_resolver_createfetch() locks the view, it was necessary
to unlock the zone in zone_refreshkeys() before calling it in order
to maintain the lock order, and relock afterward. this permitted a race
with dns_zone_synckeyzone().

This commit moves the call to dns_resolver_createfetch() into a separate
function which is called asynchronously after the zone has been
unlocked.

The keyfetch object now attaches to the zone to ensure that
it won't be shut down before the asynchronous call completes.

This necessitated refactoring dns_zone_detach() so it always runs
unlocked. For managed zones it schedules zone_shutdown() to
run asynchronously; for unmanaged zones there is no task.
2022-11-01 01:46:17 -07:00
Aram Sargsyan
648e71b086 Match prefetch eligibility behavior with ARM
ARM states that the "eligibility" TTL is the smallest original TTL
value that is accepted for a record to be eligible for prefetching,
but the code, which implements the condition doesn't behave in that
manner for the edge case when the TTL is equal to the configured
eligibility value.

Fix the code to check that the TTL is greater than, or equal to the
configured eligibility value, instead of just greater than it.

(cherry picked from commit 863f51466e)
2022-10-21 10:30:28 +00:00
Aram Sargsyan
c3660564ce Call dns_adb_endudpfetch() on error path, if required
For UDP queries, after calling dns_adb_beginudpfetch() in fctx_query(),
make sure that dns_adb_endudpfetch() is also called on error path, in
order to adjust the quota back.

(cherry picked from commit 5da79e2be0)
2022-10-21 08:46:43 +00:00
Evan Hunt
8e4a1f3483 ensure RPZ lookups handle CD=1 correctly
RPZ rewrites called dns_db_findext() without passing through the
client database options; as as result, if the client set CD=1,
DNS_DBFIND_PENDINGOK was not used as it should have been, and
cache lookups failed, resulting in failure of the rewrite.

(cherry picked from commit 305a50dbe1)
2022-10-19 13:16:51 -07:00
Matthijs Mekking
cbdf23e5ec Change log level when doing rekey
This log happens when BIND checks the parental-agents if the DS has
been published. But if you don't have parental-agents set up, the list
of keys to check will be empty and the result will be ISC_R_NOTFOUND.
This is not an error, so change the log level to debug in this case.

(cherry picked from commit a1d57fc8cb)
2022-10-18 16:31:01 +02:00
Ondřej Surý
7b4cf67261 Replace (void *)-1 with ISC_LINK_TOMBSTONE
Instead of having "arbitrary" (void *)-1 to define non-linked, add a
ISC_LINK_TOMBSTONE(type) macro that replaces the "magic" value with a
define.

(cherry picked from commit 5e20c2ccfb)
2022-10-18 14:30:49 +02:00
Ondřej Surý
a317b2ea1c Add ISC_{LIST,LINK}_INITIALIZER for designated initializers
Since we are using designated initializers, we were missing initializers
for ISC_LIST and ISC_LINK, add them, so you can do

    *foo = (foo_t){ .list = ISC_LIST_INITIALIZER };

Instead of:

    *foo = (foo_t){ 0 };
    ISC_LIST_INIT(foo->list);

(cherry picked from commit cb3c36b8bf)
2022-10-18 14:30:49 +02:00
Aram Sargsyan
b6aeccf697 Fix ns_statscounter_recursclients counting bug
The incrementing and decrementing of 'ns_statscounter_recursclients'
were not properly balanced: for example, it would be incremented for
a prefetch query but not decremented if the query failed.

This commit ensures that the recursion quota and the recursive clients
counter are always in sync with each other.

(cherry picked from commit 82991451b4)
2022-10-18 10:38:04 +00:00
Aram Sargsyan
790db0a344 Handle large numbers when parsing/printing a duration
The duration_fromtext() function is truncating large numbers
to 32 bits instead of capping or rejecting them, i.e. 64424509445,
which is 0xf00000005, gets parsed as 32-bit value 5 (0x00000005).

Fail parsing a duration if any of its components is bigger than
32 bits. Using those kind of big numbers has no practical use case
for a duration.

The cfg_obj_asduration() function can overflow the 32 bit
seconds variable when calculating the duration from its component
parts.

To avoid that, use 64-bit calculation and return UINT32_MAX if the
calculated value is bigger than UINT32_MAX. Again, a number this big
has no practical use case anyway.

The buffer for the generated duration string is limited to 64 bytes,
which, in theory, is smaller than the longest possible generated
duration string.

Use 80 bytes instead, calculated by the '7 x (10 + 1) + 3' formula,
where '7' is the count of the duration's parts (year, month, etc.), '10'
is their maximum length when printed as a decimal number, '1' is their
indicator character (Y, M, etc.), and 3 is two more indicators (P and T)
and the terminating NUL character.

(cherry picked from commit fddaebb285)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
d9a8c43107 Fix an off-by-one error in cfg_print_duration()
The cfg_print_duration() checks added previously in the 'duration_test'
unit test uncovered a bug in cfg_print_duration().

When calculating the current 'str' pointer of the generated text in the
buffer 'buf', it erroneously adds 1 byte to compensate for that part's
indicator character. For example, to add 12 minutes, it needs to add
2 + 1 = 3 characters, where 2 is the length of "12", and 1 is the length
of "M" (for minute). The mistake was that the length of the indicator
is already included in 'durationlen[i]', so there is no need to
calculate it again.

In the result of this mistake the current pointer can advance further
than needed and end up after the zero-byte instead of right on it, which
essentially cuts off any further generated text. For example, for a
5 minutes and 30 seconds duration, instead of having this:

    'P', 'T', '5', 'M', '3', '0', 'S', '\0'

The function generates this:

    'P', 'T', '5', 'M', '\0', '3', '0', 'S', '\0'

Fix the bug by adding to 'str' just 'durationlen[i]' instead of
'durationlen[i] + 1'.

(cherry picked from commit dc55f1ebb9)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
b7c5e95d6d Test cfg_print_duration() in duration_test.c
Currently the 'duration_test' unit test checks only the
cfg_obj_asduration() function.

Extend the test so it checks also the reverse operation using the
cfg_print_duration() function, which is used in named-checkconf.

(cherry picked from commit 39290bb7cd)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
f458f6496d Fix a logical bug in cfg_print_duration()
The cfg_print_duration() function prints a ISO 8601 duration value
converted from an array of integers, where the parts of the date and
time are stored.

durationlen[6], which holds the "seconds" part of the duration, has
a special case in cfg_print_duration() to ensure that when there are
no values in the duration, the result still can be printed as "PT0S",
instead of just "P", so it can be a valid ISO 8601 duration value.

There is a logical error in one of the two special case code paths,
when it checks that no value from the "date" part is defined, and no
"hour" or "minute" from the "time" part are defined.

Because of the error, durationlen[6] can be used uninitialized, in
which case the second parameter passed to snprintf() (which is the
maximum allowed length) can contain a garbage value.

This can not be exploited because the buffer is still big enough to
hold the maximum possible amount of characters generated by the "%u%c"
format string.

Fix the logical bug, and initialize the 'durationlen' array to zeros
to be a little safer from other similar errors.

(cherry picked from commit 9440910187)
2022-10-17 09:17:56 +00:00
Petr Špaček
d63bc6af08 Clarify error message about missing inline-signing & dnssec-policy
(cherry picked from commit 058c1744ba)
2022-10-06 10:31:15 +02:00
Evan Hunt
7b6140e756 compression buffer was not cleared properly
clear the compression buffer before use. this eliminates the
possibility of a latent bug that, when combined with other changes,
allowed an overread in a later version of BIND.
2022-10-04 10:12:24 -07:00
Mark Andrews
9bb5157adf Use strnstr implementation from FreeBSD if not provided by OS
(cherry picked from commit 5f07fe8cbb)
2022-10-04 17:05:18 +11:00
Mark Andrews
e396d5d72d Add support for 'dohpath' to SVCB (and HTTPS)
dohpath is specfied in draft-ietf-add-svcb-dns and has a value
of 7.  It must be a relative path (start with a /), be encoded
as UTF8 and contain the variable dns ({?dns}).

(cherry picked from commit 6d561d3886)
2022-10-04 15:33:49 +11:00
Mark Andrews
c6abcefee1 Check if RSASHA1 is supported by the OS
(cherry picked from commit 1690cb7bb4)
2022-10-03 13:28:25 +02:00
Mark Andrews
12f902796d Check BN_dup results in rsa_check
(cherry picked from commit a47235f4f5)
2022-09-28 10:06:39 +10:00
Mark Andrews
2c8e38f359 Free 'n' on error path in rsa_check
(cherry picked from commit 483c5a1978)
2022-09-28 10:06:39 +10:00
Mark Andrews
03c5db001e Check that 'e' and 'n' are allocated in opensslrsa_fromdns
(cherry picked from commit db70c30213)
2022-09-28 10:06:39 +10:00
Mark Andrews
0b0718fba3 Check that 'e' and 'n' are non-NULL in opensslrsa_todns
(cherry picked from commit 5603cd69d1)
2022-09-28 09:56:03 +10:00
Mark Andrews
6f1e04409a Free 'rsa' if 'e' is NULL in opensslrsa_verify2
(cherry picked from commit a2b51ca6ac)
2022-09-28 09:53:27 +10:00
Mark Andrews
9524c493c9 Check that primary key names have not changed
When looking for changes in a catalog zone member zone we need to
also check if the TSIG key name associated with a primary server
has be added, removed or changed.

(cherry picked from commit 9172bd9b5a)
2022-09-27 22:20:41 +10:00
Evan Hunt
2fdaa100c1 add assertions to isc_buffer macros
if ISC_BUFFER_USEINLINE is defined, then macros are used to implement
isc_buffer primitives (isc_buffer_init(), isc_buffer_region(), etc).
otherwise, functions are used. previously, only the functions had
DbC assertions, which made it possible for coding errors to go
undetected. this commit makes the macro versions enforce the same
requirements.
2022-09-26 23:48:21 -07:00
Mark Andrews
2905d70ad1 Stop passing mctx to dns_rdata_tostruct as it is unnecessary for SIG
dns_rdata_tostruct doesn't need a mctx passed to it for SIG (the signer
is already expanded at this point). About the only time when mctx is
needed is when the structure is to be used after the rdata has been
destroyed.

(cherry picked from commit d6ad56bd9e)
2022-09-26 12:45:21 +02:00
Petr Špaček
3e77d6bf87 Fix memory leak in dns_message_checksig() - SIG(0) sigs
Impact should be visible only in tests or tools because named never
uses view == NULL, which is a necessary condition to trigger this leak.

(cherry picked from commit 69256b3553)
2022-09-26 12:45:17 +02:00