Commit Graph

13465 Commits

Author SHA1 Message Date
Evan Hunt
0361d6ab70 correctly limit hash resize to RBTDB_GLUE_TABLE_MAX_BITS
Use < instead of <= when testing the new new hash bits size,
otherwise it can exceed the limit.

(cherry picked from commit 8f73814469)
2023-12-06 11:45:19 -08:00
Mark Andrews
e5e8e3f226 Adjust comment to have correct message limit value
(cherry picked from commit 560c245971)
2023-12-06 09:06:31 +11:00
Mark Andrews
c9147530fd Adjust message buffer sizes in test code
(cherry picked from commit cbfcdbc199)
2023-12-06 09:06:31 +11:00
Mark Andrews
057c12d29a Check that buffer length in dns_message_renderbegin
The maximum DNS message size is 65535 octets. Check that the buffer
being passed to dns_message_renderbegin does not exceed this as the
compression code assumes that all offsets are no bigger than this.

(cherry picked from commit a069513234)
2023-12-06 09:06:31 +11:00
Ondřej Surý
62cf6b2e7f Deprecate AES algorithm for DNS cookies
The AES algorithm for DNS cookies was being kept for legacy reasons,
and it can be safely removed in the next major release.  Mark is as
deprecated, so the `named-checkconf` prints a warning when in use.

(cherry picked from commit 67d14b0ee5)
2023-12-05 10:56:19 +01:00
Evan Hunt
12c60e9a26 set loadtime during initial transfer of a secondary zone
when transferring in a non-inline-signing secondary for the first time,
we previously never set the value of zone->loadtime, so it remained
zero. this caused a test failure in the statschannel system test,
and that test case was temporarily disabled.  the value is now set
correctly and the test case has been reinstated.

(cherry picked from commit 9643281453)
2023-11-20 09:56:50 -08:00
Ondřej Surý
35630c9210 Reformat sources with up-to-date clang-format-17 2023-11-13 17:15:55 +01:00
Mark Andrews
066de399bd Suppress reporting upcoming changes in root hints
To reduce the amount of log spam when root servers change their
addresses keep a table of upcoming changes by expected date and time
and suppress reporting differences for them until then.

Add initial entry for B.ROOT-SERVERS.NET, Nov 27, 2023.

(cherry picked from commit b69100b747)
2023-11-03 03:44:43 +11:00
Mark Andrews
8924adca61 Update b.root-servers.net IP addresses
This covers both root hints and the default primaries for the root
zone mirror.  The official change date is Nov 27, 2023.

(cherry picked from commit 2ca2f7e985)
2023-11-03 03:44:43 +11:00
Michał Kępień
4d4b209abd Revert GL !8447
This reverts commit bd572bb5af
(c02925763e,
3aeac8e2a9, and
57d8e2949d), reversing changes made to
28c92c9b26.
2023-11-01 18:26:33 +01:00
Matthijs Mekking
3aeac8e2a9 Don't ignore auth zones when in serve-stale mode
When serve-stale is enabled and recursive resolution fails, the fallback
to lookup stale data always happens in the cache database. Any
authoritative data is ignored, and only information learned through
recursive resolution is examined.

If there is data in the cache that could lead to an answer, and this can
be just the root delegation, the resolver will iterate further, getting
closer to the answer that can be found by recursing down the root, and
eventually puts the final response in the cache.

Change the fallback to serve-stale to use 'query_getdb()', that finds
out the best matching database for the given query.

(cherry picked from commit 2322425016)
2023-10-31 15:04:55 +01:00
Mark Andrews
5f8ac682c9 Only declare 'engine' if it is used
Move the declaration of 'engine' within the appropriate #if/#endif
block.  Remove the UNUSED(engine) from the #else block.

(cherry picked from commit 8b11061b91)
2023-10-28 09:01:51 +11:00
Mark Andrews
a846180a01 Add parentheses around macro arguement 'msec'
The is needed to ensure that the multiplication is correctly done.
This was reported by Jinmei Tatuya.

(cherry picked from commit ebfbad29c1)
2023-10-20 11:26:04 +11:00
Michal Nowak
531c96b8ed Update the source code formatting using clang-format-17 2023-10-17 17:56:31 +02:00
Ondřej Surý
b354e10793 Explicitly cast chars to unsigned chars for <ctype.h> functions
Apply the semantic patch to catch all the places where we pass 'char' to
the <ctype.h> family of functions (isalpha() and friends, toupper(),
tolower()).

(cherry picked from commit 29caa6d1f0)
2023-09-22 17:10:25 +02:00
Michał Kępień
2be533f469 Merge tag 'v9.16.44' into bind-9.16 2023-09-20 16:55:10 +02:00
Mark Andrews
426b575680 Correctly set the value of covered in dns_ncache_current
Fix the type and rdclass being passed to dns_rdata_tostruct so
that rrsig.covered is correctly set.

(cherry picked from commit 779980710c)
2023-09-18 16:40:54 +10:00
Mark Andrews
c4fac5ca98 Limit isccc_cc_fromwire recursion depth
Named and rndc do not need a lot of recursion so the depth is
set to 10.
2023-09-05 20:29:27 +02:00
Evan Hunt
674a62694a prevent query_coveringnsec() from running twice
when synthesizing a new CNAME, we now check whether the target
matches the query already being processed. if so, we do not
restart the query; this prevents a waste of resources.

(cherry picked from commit 0ae8b2e056)
2023-08-21 14:37:00 -07:00
Ondřej Surý
c7d64009c2 Add test for dns_rbtdb overmem purging
Add a unit test to check if the overmem purging in the RBTDB is
effective when mixed size RR data is inserted into the database.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Jinmei Tatuya <jtatuya@infoblox.com>

(manually picked from 269c03831f)
2023-07-26 15:20:53 +02:00
Michał Kępień
d3b0df51cf Revert GL !8123
This reverts commit 302d0d36f7
(7e9e96ba01 and
bd912b7bed), reversing changes made to
fc6992b3fb.
2023-07-24 11:02:37 +02:00
Mark Andrews
7e9e96ba01 Mark a primary as unreachable on timed out in xfin
When a primary server is not responding, mark it as temporarialy
unreachable.  This will prevent too many zones queuing up on a
unreachable server and allow the refresh process to move onto
the next primary sooner once it has been so marked.
2023-07-22 09:06:42 +10:00
Ondřej Surý
36aba0db8f Don't process detach and close as priority netmgr events
The detach (and possibly close) netmgr events can cause additional
callbacks to be called when under exclusive mode.  The detach can
trigger next queued TCP query to be processed and close will call
configured close callback.

Move the detach and close netmgr events from the priority queue to the
normal queue as the detaching and closing the sockets can wait for the
exclusive mode to be over.

(cherry picked from commit c2c2ec0c96)
2023-07-20 19:21:44 +02:00
Matthijs Mekking
c003c5bc3c Fix serve-stale hang at shutdown
The 'refresh_rrset' variable is used to determine if we can detach from
the client. This can cause a hang on shutdown. To fix this, move setting
of the 'nodetach' variable up to where 'refresh_rrset' is set (in
query_lookup(), and thus not in ns_query_done()), and set it to false
when actually refreshing the RRset, so that when this lookup is
completed, the client will be detached.
2023-06-09 15:53:10 +02:00
Evan Hunt
0101e28f91 Stale answer lookups could loop when over recursion quota
When a query was aborted because of the recursion quota being exceeded,
but triggered a stale answer response and a stale data refresh query,
it could cause named to loop back where we are iterating and following
a delegation. Having no good answer in cache, we would fall back to
using serve-stale again, use the stale data, try to refresh the RRset,
and loop back again, without ever terminating until crashing due to
stack overflow.

This happens because in the functions 'query_notfound()' and
'query_delegation_recurse()', we check whether we can fall back to
serving stale data. We shouldn't do so if we are already refreshing
an RRset due to having prioritized stale data in cache.

In other words, we need to add an extra check to 'query_usestale()' to
disallow serving stale data if we are currently refreshing a stale
RRset.

As an additional mitigation to prevent looping, we now use the result
code ISC_R_ALREADYRUNNING rather than ISC_R_FAILURE when a recursion
loop is encountered, and we check for that condition in
'query_usestale()' as well.
2023-06-09 15:52:51 +02:00
Ondřej Surý
f1d9e9ee38 Improve RBT overmem cache cleaning
When cache memory usage is over the configured cache size (overmem) and
we are cleaning unused entries, it might not be enough to clean just two
entries if the entries to be expired are smaller than the newly added
rdata.  This could be abused by an attacker to cause a remote Denial of
Service by possibly running out of the operating system memory.

Currently, the addrdataset() tries to do a single TTL-based cleaning
considering the serve-stale TTL and then optionally moves to overmem
cleaning if we are in that condition.  Then the overmem_purge() tries to
do another single TTL based cleaning from the TTL heap and then continue
with LRU-based cleaning up to 2 entries cleaned.

Squash the TTL-cleaning mechanism into single call from addrdataset(),
but ignore the serve-stale TTL if we are currently overmem.

Then instead of having a fixed number of entries to clean, pass the size
of newly added rdatasetheader to the overmem_purge() function and
cleanup at least the size of the newly added data.  This prevents the
cache going over the configured memory limit (`max-cache-size`).

Additionally, refactor the overmem_purge() function to reduce for-loop
nesting for readability.
2023-06-06 14:23:16 +02:00
Matthijs Mekking
2cce83e0d7 Fix serve-stale bug when cache has no data
We recently fixed a bug where in some cases (when following an
expired CNAME for example), named could return SERVFAIL if the target
record is still valid (see isc-projects/bind9#3678, and
isc-projects/bind9!7096). We fixed this by considering non-stale
RRsets as well during the stale lookup.

However, this triggered a new bug because despite the answer from
cache not being stale, the lookup may be triggered by serve-stale.
If the answer from database is not stale, the fix in
isc-projects/bind9!7096 erroneously skips the serve-stale logic.

Add 'answer_found' checks to the serve-stale logic to fix this issue.

(cherry picked from commit bbd163acf6)
2023-05-30 15:32:24 +02:00
Mark Andrews
a01c0e175a Properly process extra nameserver lines in resolv.conf
The whole line needs to be read rather than just the token "nameserver"
otherwise the next line in resolv.conf is not properly processed.

(cherry picked from commit 864cd08052)
2023-05-18 08:52:17 +10:00
Aram Sargsyan
537c2d2c68 Check whether zone->db is a valid pointer before attaching
The zone_resigninc() function does not check the validity of
'zone->db', which can crash named if the zone was unloaded earlier,
for example with "rndc delete".

Check that 'zone->db' is not 'NULL' before attaching to it, like
it is done in zone_sign() and zone_nsec3chain() functions, which
can similarly be called by zone maintenance.

(cherry picked from commit fae0930eb8)
2023-05-15 12:05:11 +00:00
Michal Nowak
ab9d43f814 Update sources to Clang 16 formatting 2023-05-11 14:26:14 +02:00
Mark Andrews
300a2fb4ba Check the pointer alignments when deserialising
deserialize_corrupt_test may corrupt the pointers such that they
is no longer properly aligned.  Check that the alignment is consistent
with memory returned from isc_mem before checking the magic value.
2023-05-05 07:04:31 +00:00
Mark Andrews
3d8a223256 Cleanup orphaned empty-non-terminal NSEC3
When OPTOUT was in use we didn't ensure that NSEC3 records
for orphaned empty-non-terminals where removed.  Check if
there are orphaned empty-non-terminal NSEC3 even if there
wasn't an NSEC3 RRset to be removed in dns_nsec3_delnsec3.

(cherry picked from commit 27160c137f)
2023-04-25 06:46:17 +01:00
Petr Špaček
dc6a888ea3 Export dns_view_istrusted() on Windows 2023-04-03 18:18:43 +02:00
Mark Andrews
489cba33bb dns_view_untrust modifies dnskey->flags when it shouldn't
Copy the structure and declare dnskey as const.

(cherry picked from commit 21d828241b)
2023-04-03 17:48:31 +02:00
Mark Andrews
f708172d87 Handle dns_rdata_fromstruct failure dns_keytable_deletekey
dns_rdata_fromstruct in dns_keytable_deletekey can potentially
fail with ISC_R_NOSPACE.  Handle the error condition.

(cherry picked from commit b5df9b8591)
2023-04-03 17:48:31 +02:00
Mark Andrews
3cb366b1e0 Reduce the number of verifiations required
In selfsigned_dnskey only call dns_dnssec_verify if the signature's
key id matches a revoked key, the trust is pending and the key
matches a trust anchor.  Previously named was calling dns_dnssec_verify
unconditionally resulted in busy work.

(cherry picked from commit e68fecbdaa)
2023-04-03 17:48:31 +02:00
Mark Andrews
19f8033840 Add new view method dns_view_istrusted
dns_view_istrusted determines if the given key is treated as
being trusted by the view.

(cherry picked from commit 7278fff579)
2023-04-03 17:48:31 +02:00
Matthijs Mekking
89c000f356 Fix scan-build issue: initialized value never read
Value stored to 'source' during its initialization is never read.

(cherry picked from commit 4c33277446)
2023-03-29 15:08:36 +00:00
Evan Hunt
6e422ae3ae fixed a bug in rolling timestamp logfiles
due to comparing logfile suffixes as 32 bit rather than 64 bit
integers, logfiles with timestamp suffixes that should have been
removed when rolling could be left in place. this has been fixed.

(cherry picked from commit 9a9e906306)
2023-03-28 10:03:33 +00:00
Mark Andrews
772cdf453d When signing with a new algorithm preserve NSEC/NSEC3 chains
If the zone already has existing NSEC/NSEC3 chains then zone_sign
needs to continue to use them.  If there are no chains then use
kasp setting otherwise generate an NSEC chain.

(cherry picked from commit 4b55201459)
2023-03-15 00:30:22 +11:00
Aram Sargsyan
ddb67b01b2 Check if catz is active in dns_catz_update_from_db()
A reconfiguration can deactivate the catalog zone, while the
offloaded update process was preparing to run.

(cherry picked from commit 6980e3b354)
2023-03-02 19:42:16 +00:00
Aram Sargsyan
641627838b Use catzs->lock in dns_catz_prereconfig()
There can be an update running in another thread, so use a lock,
like it's done in dns_catz_postreconfig().

(cherry picked from commit 3973724d67)
2023-03-02 19:36:26 +00:00
Aram Sargsyan
2a719e9df2 Revert "Process db callbacks in zone_loaddone() after zone_postload()"
This reverts commit 1254f37584.

The commit introduced a data race, because dns_db_endload() is called
after unfreezing the zone.

(not cherry picked from commit 593dea871a)
2023-03-02 19:19:55 +00:00
Aram Sargsyan
fff49a2ffb catz: unregister the db update-notify callback before detaching from db
When detaching from the previous version of the database, make sure
that the update-notify callback is unregistered, otherwise there is
an INSIST check which can generate an assertion failure in free_rbtdb(),
which checks that there are no outstanding update listeners in the list.

There is a similar code already in place for RPZ.

(cherry picked from commit cf79692a66)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
79ee7353ad Searching catzs->zones requires a read lock
Lock the catzs->lock mutex before searching in the catzs->zones
hash table.

(cherry picked from commit 0ef0c86632)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
1254f37584 Process db callbacks in zone_loaddone() after zone_postload()
The zone_postload() function can fail and unregister the callbacks.

Call dns_db_endload() only after calling zone_postload() to make
sure that the registered update-notify callbacks are not called
when the zone loading has failed during zone_postload().

Also, don't ignore the return value of zone_postload().

(cherry picked from commit ed268b46f1)
2023-02-28 14:40:17 +00:00
Aram Sargsyan
466a05eaf0 Fix a cleanup bug when isc_task_create() fails in dns_catz_new_zones()
Use isc_mem_putanddetach() instead of isc_mem_put() to detach from the
memory context.

(cherry picked from commit 9050481d1f)
2023-02-27 13:55:05 +00:00
Mark Andrews
b49a3a56c9 Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.

(cherry picked from commit b41882cc75)
2023-02-21 16:58:42 +01:00
Mark Andrews
d0c92a31a9 In hmac_createctx free ctx on isc_hmac_init failure
(cherry picked from commit d22257a370)
2023-02-18 10:27:11 +11:00
Ondřej Surý
100c20b470 Don't check for maximal version on Windows
The Windows doesn't have support for recvmmsg(), so we don't need to
check for maximal version on Windows (only for a minimal version).

Remove the MAXIMAL_VERSION when compiling on Windows.
2023-02-15 11:02:57 +01:00