Commit Graph

35625 Commits

Author SHA1 Message Date
Ondřej Surý
3d206e918b Don't iterate from start every time we select new signing key
Remember the position in the iterator when selecting the next signing
key.  This should speed up processing for larger DNSKEY RRSets because
we don't have to iterate from start over and over again.

(cherry picked from commit 21af5c9a97)
2024-02-01 21:51:07 +01:00
Mark Andrews
6a65a42528 Fail processing incoming DNS message on first validation failure
Stop processing the DNS validation when first validation failure occurs
in the DNS message.

(cherry picked from commit 0add293477)
2024-02-01 21:51:07 +01:00
Mark Andrews
751b7cc475 Skip revoked keys when selecting DNSKEY in the validation loop
Don't select revoked keys when iterating through DNSKEYs in the DNSSEC
validation routines.

(cherry picked from commit 439e16e4de)
2024-02-01 21:51:07 +01:00
Ondřej Surý
c12608ca93 Split fast and slow task queues
Change the taskmgr (and thus netmgr) in a way that it supports fast and
slow task queues.  The fast queue is used for incoming DNS traffic and
it will pass the processing to the slow queue for sending outgoing DNS
messages and processing resolver messages.

In the future, more tasks might get moved to the slow queues, so the
cached and authoritative DNS traffic can be handled without being slowed
down by operations that take longer time to process.

(cherry picked from commit 1b3b0cef22)
2024-02-01 21:51:07 +01:00
Michał Kępień
a0c78d19f1 Merge branch '4234-confidential-parser-regression-9.16' into 'v9.16.47-release'
[9.16] fix a message parsing regression

See merge request isc-private/bind9!634
2024-02-01 20:29:35 +00:00
Michał Kępień
010a660624 Add a CHANGES entry
(cherry picked from commit 04ba284e1a)
2024-01-31 16:04:59 +01:00
Evan Hunt
f397ff5bb8 fix another message parsing regression
The fix for CVE-2023-4408 introduced a regression in the message
parser, which could cause a crash if an rdata type that can only
occur in the question was found in another section.

(cherry picked from commit 510f1de8a6)
2024-01-31 16:04:59 +01:00
Evan Hunt
0bbb0065e6 fix a message parsing regression
the fix for CVE-2023-4408 introduced a regression in the message
parser, which could cause a crash if duplicate rdatasets were found
in the question section. this commit ensures that rdatasets are
correctly disassociated and freed when this occurs.

(cherry picked from commit 4c19d35614)
2024-01-31 16:04:59 +01:00
Michal Nowak
28d7802525 Merge branch 'prep-release' into v9.16.46-release 2024-01-05 15:25:06 +01:00
Michal Nowak
ac85b33c27 prep 9.16.46 2024-01-05 15:19:34 +01:00
Michal Nowak
cd2bbf7f3e Merge branch 'michal/prepare-documentation-for-bind-9.16.46' into 'v9.16.46-release'
Prepare documentation for BIND 9.16.46

See merge request isc-private/bind9!626
2024-01-05 14:14:15 +00:00
Michał Kępień
0b43bf1a38 Fix Danger rules for flagging release note issues
The logic contained in dangerfile.py incorrectly warns about missing
release note changes for merge requests preparing release documentation
as such merge requests rename files in the doc/notes/ directory.  This
(correctly) causes these files to be passed to dangerfile.py via
danger.git.created_files and danger.git.deleted_files rather than via
danger.git.modified_files, which in turn causes the logic checking the
use of the "Release Notes" label to assume that no release notes are
added, removed, or modified by a given merge request.

Fix by considering all types of file changes (modifications, additions,
and removals - which also covers file renaming) when checking whether a
given merge request modifies release notes.  Update the warning messages
accordingly.

However, when trying to find release notes added by a given merge
request, deleted files must not be considered.  Tweak the logic looking
for GitLab identifiers in the release notes added by a given merge
request so that it only scans modified and added (or renamed) files.

(cherry picked from commit 0fec404c64)
2024-01-05 13:01:26 +01:00
Michał Kępień
86a78021fe Tweak and reword release notes 2024-01-05 13:01:26 +01:00
Michał Kępień
c53e81a800 Prepare release notes for BIND 9.16.46 2024-01-05 13:01:26 +01:00
Michał Kępień
24b52a62fb Merge branch '4383-security-limit-tree-pruning-overhead-9.16' into 'v9.16.46-release'
[9.16] [CVE-2023-6516] Limit isc_task_send() overhead for tree pruning

See merge request isc-private/bind9!621
2024-01-05 11:49:35 +00:00
Michał Kępień
1237d73cd1 Fix map offsets in the "masterformat" system test
The "masterformat" system test attempts to check named-checkzone
behavior when it is fed corrupt map-format zone files.  However, despite
the RBTDB and RBT structures having evolved over the years, the offsets
at which a valid map-format zone file is malformed by the "masterformat"
test have not been updated accordingly, causing the relevant checks to
introduce a different type of corruption than they were originally meant
to cause:

  - the "bad node header" check originally mangled the 'type' member of
    the rdatasetheader_t structure for cname.example.nil,

  - the "bad node data" check originally mangled the 'serial' and
    'rdh_ttl' members of the rdatasetheader_t structure for
    aaaa.example.nil.

Update the offsets at which the map-format zone file is malformed at by
the "masterformat" system test so that the relevant checks fulfill their
original purpose again.
2024-01-05 12:40:50 +01:00
Michał Kępień
f66150204c Add CHANGES entry and release note for GL #4383
(cherry picked from commit 04df558d57)
2024-01-05 12:40:50 +01:00
Michał Kępień
c3377cbfaa Limit isc_task_send() overhead for tree pruning
Instead of issuing a separate isc_task_send() call for every RBTDB node
that triggers tree pruning, maintain a list of nodes from which tree
pruning can be started from and only issue an isc_task_send() call if
pruning has not yet been triggered by another RBTDB node.

The extra queuing overhead eliminated by this change could be remotely
exploited to cause excessive memory use.

As this change modifies struct dns_rbtnode by adding a new 'prunelink'
member to it, bump MAPAPI to prevent any attempts of loading map-format
zone files created using older BIND 9 versions.

(cherry picked from commit 24381cc36d)
2024-01-05 12:40:50 +01:00
Michał Kępień
38a03e5ab9 Merge branch '4334-confidential-dns64-and-serve-stale-bind-9.16' into 'v9.16.46-release'
[9.16] [CVE-2023-5679] Fix a bad interaction between DNS64 and serve-stale

See merge request isc-private/bind9!603
2024-01-05 11:29:58 +00:00
Mark Andrews
549d860b33 Add release note for [GL #4334]
(cherry picked from commit c4faf5c69f)
2024-01-05 12:24:05 +01:00
Mark Andrews
10bfb3de95 Add CHANGES note for [GL #4334]
(cherry picked from commit 26671f8c47)
2024-01-05 12:24:05 +01:00
Mark Andrews
7db2796507 Restore dns64 state during serve-stale processing
If we are in the process of looking for the A records as part of
dns64 processing and the server-stale timeout triggers, redo the
dns64 changes that had been made to the orignal qctx.

(cherry picked from commit 1fcc483df1)
2024-01-05 12:24:05 +01:00
Michał Kępień
283efdde69 Merge branch '4281-confidential-redirect-rfc1918-check-failure-bind-9.16' into 'v9.16.46-release'
[9.16] [CVE-2023-5517] Fix handling of RFC 1918 reverse queries with "nxdomain-redirect" enabled

See merge request isc-private/bind9!613
2024-01-05 11:17:32 +00:00
Mark Andrews
20754ea186 Add release note for [GL #4281]
(cherry picked from commit 2fbafc2675)
2024-01-05 12:10:22 +01:00
Mark Andrews
47d4c0e5a6 Add CHANGES note for [GL #4281]
(cherry picked from commit 0748965b7c)
2024-01-05 12:10:22 +01:00
Mark Andrews
c732624936 Save the correct result value to resume with nxdomain-redirect
The wrong result value was being saved for resumption with
nxdomain-redirect when performing the fetch.  This lead to an assert
when checking that RFC 1918 reverse queries where not leaking to
the global internet.

(cherry picked from commit 9d0fa07c5e)
2024-01-05 12:10:22 +01:00
Michał Kępień
770bb71ce7 Merge branch '4234-confidential-use-hashmap-when-parsing-9.16' into 'v9.16.46-release'
[9.16] [CVE-2023-4408] Use hashtable when parsing DNS messages

See merge request isc-private/bind9!586
2024-01-05 10:58:57 +00:00
Matthijs Mekking
c44965af33 Fix windows build, remove external symbols
The functions dns_message_find and dns_message_movename have been
removed. Remove the symbols from libdns.def.in to fix the windows
build.
2024-01-05 11:52:05 +01:00
Ondřej Surý
1b76796c18 Add CHANGES and release note for [GL #4234]
(cherry picked from commit 30d27928cf)
2024-01-05 11:52:05 +01:00
Ondřej Surý
a4baf32415 Backport isc_ht API changes from BIND 9.18
To prevent allocating large hashtable in dns_message, we need to
backport the improvements to isc_ht API from BIND 9.18+ that includes
support for case insensitive keys and incremental rehashing of the
hashtables.
2024-01-05 11:52:05 +01:00
Ondřej Surý
608707b4f5 Use hashtable when parsing a message
When parsing messages use a hashtable instead of a linear search to
reduce the amount of work done in findname when there's more than one
name in the section.

There are two hashtables:

1) hashtable for owner names - that's constructed for each section when
we hit the second name in the section and destroyed right after parsing
that section;

2) per-name hashtable - for each name in the section, we construct a new
hashtable for that name if there are more than one rdataset for that
particular name.

(cherry picked from commit b8a9631754)
2024-01-05 11:52:05 +01:00
Michał Kępień
fc0434cc3b Merge branch '4182-confidential-fix-races-in-dns-tsigkey-find-9.16' into 'v9.16.46-release'
[9.16] Address race in dns_tsigkey_find()

See merge request isc-private/bind9!623
2024-01-05 10:33:56 +00:00
Mark Andrews
12a476fa9b Add CHANGES note for [GL #4182]
(cherry picked from commit a62cda787f)
2024-01-05 11:28:25 +01:00
Mark Andrews
ec28eb05db Address race in dns_tsigkey_find()
Restart the process with a write lock if we discover an expired key
while holding the read lock.

(cherry picked from commit d2ba96488e)
2024-01-05 11:28:25 +01:00
Mark Andrews
f6b7fa0338 Merge branch '4513-system-tests-fail-with-net-dns-1-42-bind-9.16' into 'bind-9.16'
[9.16] Resolve "System tests fail with Net::DNS 1.42"

See merge request isc-projects/bind9!8619
2024-01-03 01:30:58 +00:00
Mark Andrews
16f3d79052 Support Net::DNS::Nameserver 1.42
In Net::DNS 1.42 $ns->main_loop no longer loops.  Use current methods
for starting the server, wait for SIGTERM then cleanup child processes
using $ns->stop_server(), then remove the pid file.

(cherry picked from commit c2c59dea60)
2024-01-03 12:01:14 +11:00
Tom Krizek
719a8ee0e2 Merge branch 'tkrizek/update-sphinx_rtd_theme-9.16' into 'bind-9.16'
[9.16] Update sphinx_rtd_theme and docutils

See merge request isc-projects/bind9!8605
2023-12-20 17:55:08 +00:00
Tom Krizek
c309a04c88 Update sphinx_rtd_theme and docutils
(cherry picked from commit 4156fa09d9)
2023-12-20 18:05:24 +01:00
Mark Andrews
771b12a747 Merge branch '4498-gl-4495-followup-regression-test-was-too-strict-bind-9.16' into 'bind-9.16'
[9.16] Resolve "[GL #4494] followup: regression test was too strict" !8590

See merge request isc-projects/bind9!8599
2023-12-20 01:13:41 +00:00
Mark Andrews
ea7b92a348 The NSEC3 -> NSEC private record may be added later
Check each delta for the NSEC3 -> NSEC private record addition
as it may be added in the second delta.

(cherry picked from commit 80a4dff986)
2023-12-20 11:13:01 +11:00
Mark Andrews
00c5f362f2 Merge branch '4494-add_sigs-was-using-the-wrong-time-in-kasp-mode-bind-9.16' into 'bind-9.16'
[9.16] Resolve "add_sigs was using the wrong time in kasp mode"

See merge request isc-projects/bind9!8589
2023-12-19 02:36:23 +00:00
Mark Andrews
f9bf12d216 Add CHANGES note for [GL #4494]
(cherry picked from commit 94b00f44ae)
2023-12-19 12:57:33 +11:00
Mark Andrews
ba706a170d Regression check for missing RRSIGs
When transitioning from NSEC3 to NSEC the added records where not
being signed because the wrong time was being used to determine if
a key should be used or not.  Check that these records are actually
signed.

(cherry picked from commit bdb42d3838)
2023-12-19 12:56:57 +11:00
Mark Andrews
9c9adc137c Use 'now' rather than 'inception' in 'add_sigs'
When kasp support was added 'inception' was used as a proxy for
'now' and resulted in signatures not being generated or the wrong
signatures being generated.  'inception' is the time to be set
in the signatures being generated and is usually in the past to
allow for clock skew.  'now' determines what keys are to be used
for signing.

(cherry picked from commit 6066e41948)
2023-12-19 12:55:03 +11:00
Arаm Sаrgsyаn
2ffc27f76e Merge branch '4477-tests-statschannel-loadtime-bugfix-9.16' into 'bind-9.16'
[9.16] Resolve "statschannel test intermittently fails with incorrect zone loadtime"

See merge request isc-projects/bind9!8584
2023-12-18 10:57:20 +00:00
Aram Sargsyan
13dab06f60 Fix a statschannel system test zone loadtime issue
The check_loaded() function compares the zone's loadtime value and
an expected loadtime value, which is based on the zone file's mtime
extracted from the filesystem.

For the secondary zones there may be cases, when the zone file isn't
ready yet before the zone transfer is complete and the zone file is
dumped to the disk, so a so zero value mtime is retrieved.

In such cases wait one second and retry until timeout. Also modify
the affected check to allow a possible difference of the same amount
of seconds as the chosen timeout value.

(cherry picked from commit 4e94ff2541)
2023-12-18 09:39:11 +00:00
Michal Nowak
0e282066fb Merge branch 'mnowak/do-not-consider-bind9.xsl.h-in-docs-job-check' into 'bind-9.16'
Do not consider bin/named/bind9.xsl.h in docs job check

See merge request isc-projects/bind9!8568
2023-12-12 12:46:43 +00:00
Michal Nowak
eb5ae97083 Do not consider bin/named/bind9.xsl.h in docs job check
The BIND 9.16 build system occasionally produces a bin/named/bind9.xsl.h
file that differs slightly from the version in the bind-9.16 branch due
to a race condition. This poses an issue for the "docs" CI job, which
executes the "maintainer-clean" make target, regenerates the
bin/named/bind9.xsl.h file, and checks for differences with the
committed file. The race condition causes discrepancies in this check.

Since this problem doesn't occur in BIND 9.18+, we can hide it by adding
bin/named/bind9.xsl.h to the list of files excluded from the check.
2023-12-12 11:43:15 +01:00
Michal Nowak
11310cca77 Merge branch 'mnowak/alpine-3.19-9.16' into 'bind-9.16'
[9.16] Add Alpine Linux 3.19

See merge request isc-projects/bind9!8567
2023-12-12 10:43:04 +00:00
Michal Nowak
e34a8141a0 Add Alpine Linux 3.19
(cherry picked from commit 1fc56d705e)
2023-12-12 11:13:17 +01:00