Commit Graph

34656 Commits

Author SHA1 Message Date
Matthijs Mekking
309bf3578b Add inline-signing requirement to DNSSEC Guide
This change was made in !6403, but the appropriate documentation
changes were not applied to the DNSSEC Guide.

(cherry picked from commit 09522c8d73)
2022-09-28 10:54:52 +02:00
Mark Andrews
55faa5ab84 Merge branch '3562-assign-default-value-to-suffix-v9_16' into 'v9_16'
Suffix may be used before it is assigned a value [v9_16]

See merge request isc-projects/bind9!6837
2022-09-28 04:22:41 +00:00
Mark Andrews
7f2b46f4e5 Suffix may be used before it is assigned a value
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
        12. invalid_operation: Invalid operation on null-like value suffix.
    145        r.authority.append(
    146            dns.rrset.from_text(
    147                "icky.ptang.zoop.boing." + suffix,
    148                1,
    149                IN,
    150                NS,
    151                "a.bit.longer.ns.name." + suffix,
    152            )
    153        )

(cherry picked from commit 432064f63c)
2022-09-28 11:19:50 +10:00
Mark Andrews
c2884d1a4b Merge branch '3551-missing-rsa_free-call-in-opensslrsa_verify2-v9_16' into 'v9_16'
Free 'rsa' if 'e' is NULL in opensslrsa_verify2 [v9_16]

See merge request isc-projects/bind9!6835
2022-09-28 00:42:18 +00:00
Mark Andrews
a2a06cf376 Add CHANGES note for [GL #3551]
(cherry picked from commit 1e3680193a)
2022-09-28 10:06:40 +10:00
Mark Andrews
12f902796d Check BN_dup results in rsa_check
(cherry picked from commit a47235f4f5)
2022-09-28 10:06:39 +10:00
Mark Andrews
2c8e38f359 Free 'n' on error path in rsa_check
(cherry picked from commit 483c5a1978)
2022-09-28 10:06:39 +10:00
Mark Andrews
03c5db001e Check that 'e' and 'n' are allocated in opensslrsa_fromdns
(cherry picked from commit db70c30213)
2022-09-28 10:06:39 +10:00
Mark Andrews
0b0718fba3 Check that 'e' and 'n' are non-NULL in opensslrsa_todns
(cherry picked from commit 5603cd69d1)
2022-09-28 09:56:03 +10:00
Mark Andrews
6f1e04409a Free 'rsa' if 'e' is NULL in opensslrsa_verify2
(cherry picked from commit a2b51ca6ac)
2022-09-28 09:53:27 +10:00
Mark Andrews
067dbde287 Merge branch '3557-catalog-zone-check-key-names-v9_16' into 'v9_16'
Check that primary key names have not changed [v9_16]

See merge request isc-projects/bind9!6827
2022-09-27 14:18:06 +00:00
Mark Andrews
3353529920 Add release note for [GL #3557]
(cherry picked from commit eacf41a20a)
2022-09-27 23:58:22 +10:00
Mark Andrews
034c34e634 Add CHANGES note for [GL #3557]
(cherry picked from commit 0774dacf2d)
2022-09-27 23:58:22 +10:00
Mark Andrews
4fc1975709 Check that changing the TSIG key is successful
Switch the primary to require 'next_key' for zone transfers then
update the catalog zone to say to use 'next_key'.  Next update the
zones contents then check that those changes are seen on the
secondary.

(cherry picked from commit 176e172210)
2022-09-27 23:58:22 +10:00
Mark Andrews
9524c493c9 Check that primary key names have not changed
When looking for changes in a catalog zone member zone we need to
also check if the TSIG key name associated with a primary server
has be added, removed or changed.

(cherry picked from commit 9172bd9b5a)
2022-09-27 22:20:41 +10:00
Michał Kępień
e72a275606 Merge branch 'mnowak/add-fedora-36-v9_16' into 'v9_16'
[v9_16] Add Fedora 36

See merge request isc-projects/bind9!6821
2022-09-27 07:44:52 +00:00
Michal Nowak
5b1ab4615a Add Fedora 36
(cherry picked from commit a313c49a3b)
2022-09-27 09:42:50 +02:00
Evan Hunt
0f68ad8830 Merge branch '3553-buffer-assertions-v9_16' into 'v9_16'
add assertions to isc_buffer macros

See merge request isc-projects/bind9!6802
2022-09-27 07:16:01 +00:00
Evan Hunt
2fdaa100c1 add assertions to isc_buffer macros
if ISC_BUFFER_USEINLINE is defined, then macros are used to implement
isc_buffer primitives (isc_buffer_init(), isc_buffer_region(), etc).
otherwise, functions are used. previously, only the functions had
DbC assertions, which made it possible for coding errors to go
undetected. this commit makes the macro versions enforce the same
requirements.
2022-09-26 23:48:21 -07:00
Petr Špaček
dd8c1f9f61 Merge branch 'bug/main/doc-arm-rhel9-v9_16' into 'v9_16'
Compatibility for building ARM on older sphinx [v9_16]

See merge request isc-projects/bind9!6818
2022-09-26 15:39:32 +00:00
Petr Menšík
8b07d457ef Simplify allowing warnings during ARM build
RHEL8 Sphinx does not support all features used in ARM building. But
with few emitted warnings it can build the documentation fine. Simplify
warnings acceptance by allowing make doc SPHINX_W=''.

(cherry picked from commit 3db7e241d2)
2022-09-26 17:30:48 +02:00
Petr Menšík
e036ac4d3d Compatibility for building ARM on older sphinx
Make documentation building successful even on RHEL9 sphinx 3.4.3. It
does not like case-insensitive matching of terms, so provide lowercase
text description with Uppercase word reference.

(cherry picked from commit bc6c6b1184)
2022-09-26 17:29:07 +02:00
Petr Špaček
81fd2d9874 Merge branch '3547-dns_message_checksig-leak-fix-v9_16' into 'v9_16'
Fix memory leak in dns_message_checksig() - SIG(0) sigs [v9_16]

See merge request isc-projects/bind9!6814
2022-09-26 11:06:42 +00:00
Mark Andrews
2905d70ad1 Stop passing mctx to dns_rdata_tostruct as it is unnecessary for SIG
dns_rdata_tostruct doesn't need a mctx passed to it for SIG (the signer
is already expanded at this point). About the only time when mctx is
needed is when the structure is to be used after the rdata has been
destroyed.

(cherry picked from commit d6ad56bd9e)
2022-09-26 12:45:21 +02:00
Petr Špaček
3e77d6bf87 Fix memory leak in dns_message_checksig() - SIG(0) sigs
Impact should be visible only in tests or tools because named never
uses view == NULL, which is a necessary condition to trigger this leak.

(cherry picked from commit 69256b3553)
2022-09-26 12:45:17 +02:00
Michał Kępień
e2448146cf Merge branch '3475-named-man-page-fix-ncpus' into 'v9_16'
Fix the description of named's -n option

See merge request isc-projects/bind9!6797
2022-09-21 17:48:25 +00:00
Michał Kępień
fe0b04d8d3 Fix the description of named's -n option
Since the advent of netmgr, named no longer creates a single thread per
CPU, but rather a set of two threads per CPU.  Update the man page for
named accordingly to prevent confusion.
2022-09-21 19:47:13 +02:00
Petr Špaček
9d5e7aca9c Merge branch '3542-arm-stats-socket-caution' into 'v9_16'
Provide stronger wording about the security of statistics channel

See merge request isc-projects/bind9!6795
2022-09-21 16:06:04 +00:00
Ondřej Surý
f830737c51 Provide stronger wording about the security of statistics channel
Add more text about the importance of properly securing the statistics
channel and what is and what is not considered a security vulnerability.

(cherry-picked from commit 6869c98d36)
2022-09-21 17:49:49 +02:00
Michał Kępień
69c38b5e1c Merge tag 'v9_16_33' into v9_16
BIND 9.16.33
2022-09-21 13:21:29 +02:00
Mark Andrews
6711d7d179 Merge branch '3525-key-id-clashes-across-algorithms-cause-problems-with-statistics-v9_18-v9_16' into 'v9_16'
Suppress manykeys test on duplicate key ids [v9_16]

See merge request isc-projects/bind9!6785
2022-09-16 00:21:12 +00:00
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Evan Hunt
d244ff84ac Merge branch '3522-update-detach-v9_16' into 'v9_16'
fix an incorrect detach in update processing

See merge request isc-projects/bind9!6783
2022-09-15 20:14:30 +00:00
Evan Hunt
338663b1cd CHANGES for [GL #3522] 2022-09-15 11:36:37 -07:00
Evan Hunt
17924f4bdf fix an incorrect detach in update processing
when processing UDPATE requests, hold the request handle until
we either drop the request or respond to it.

(cherry picked from commit 00e0758e12)
2022-09-15 11:35:42 -07:00
Michal Nowak
97ea818086 Merge branch '3427-tcp-system-test-bump-socket.create_connection-timeout-v9_16' into 'v9_16'
[v9_16] Bump socket.create_connection() timeout to 10 seconds

See merge request isc-projects/bind9!6781
2022-09-15 12:41:03 +00:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Tony Finch
f3766061e7 Merge branch '3531-initialize-struct-server-v9_16' into 'v9_16'
Ensure that named_server_t is properly initialized

See merge request isc-projects/bind9!6761
2022-09-12 10:40:40 +00:00
Tony Finch
dff843199f Ensure that named_server_t is properly initialized
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
2022-09-12 11:21:37 +01:00
Michał Kępień
208fc897b1 Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.34' into 'v9_16'
Set up version and release notes for BIND 9.16.34

See merge request isc-projects/bind9!6760
2022-09-09 18:23:14 +00:00
Michał Kępień
666d315087 Set up release notes for BIND 9.16.34 2022-09-09 20:00:15 +02:00
Michał Kępień
990bd74104 Update BIND version to 9.16.34-dev 2022-09-09 20:00:15 +02:00
Michał Kępień
35e9c6e31d Merge branch 'prep-release' into security-v9_16 v9.16.33 2022-09-08 15:01:23 +02:00
Michał Kępień
31fdc767f7 prep 9.16.33 2022-09-08 15:01:10 +02:00
Michał Kępień
f4ad07e82d Merge branch 'michal/prepare-documentation-for-bind-9.16.33' into 'security-v9_16'
Prepare documentation for BIND 9.16.33

See merge request isc-private/bind9!460
2022-09-08 12:40:59 +00:00
Michał Kępień
907b764b2a Tweak and reword release notes 2022-09-08 14:33:43 +02:00
Michał Kępień
b54ee83d50 Prepare release notes for BIND 9.16.33 2022-09-08 14:33:43 +02:00
Michał Kępień
0657c81d59 Merge branch '3487-eddsa-verify-leak-v9_16' into 'security-v9_16'
[v9_16] [CVE-2022-38178] eddsa verify leak

See merge request isc-private/bind9!440
2022-09-08 10:18:54 +00:00
Mark Andrews
ffd69ff780 Add release note for [GL #3487]
(cherry picked from commit e6cb1de20b)
2022-09-08 12:16:36 +02:00
Mark Andrews
a385e884f5 Add CHANGES note for [GL #3487]
(cherry picked from commit b3277f2e10)
2022-09-08 12:16:36 +02:00