Commit Graph
3705 Commits
Author SHA1 Message Date
Mark Andrews 1a94a31484 Embed NAMED_SYSCONFDIR contents in the bind.keys comment
(cherry picked from commit 1d7b1f74c9)
2021-11-17 08:46:07 +11:00
Mark Andrews 4ad84547c5 Update comments around built in trust anchors
The comments now say "# BEGIN TRUST ANCHORS" and "# END TRUST ANCHORS".

(cherry picked from commit 43a7f3f532)
2021-11-17 08:46:07 +11:00
Ondřej SurýandMichał Kępień 0ac270dff2 Disable lame-ttl cache
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>.  This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.

Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
2021-10-28 12:22:33 +02:00
Evan Hunt 6836e3c071 cleanup references to ancient named.conf options
some removed options were still referenced in config.c or the ARM.

(cherry picked from commit 69e25f41ae)
2021-10-12 23:52:39 -07:00
Ondřej Surý 093cd31ae2 Update the source code formatting using clang-format-13
clang-format-13 fixed some of the formatting that clang-format-12 got
wrong.  Update the formatting.

(cherry picked from commit ed95f9fba3)
2021-10-12 11:31:55 +02:00
Aram Sargsyan 311074f51e Handle a missing zone when reloading a catalog zone
Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.

This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.

(cherry picked from commit 94a5712801)
2021-09-30 20:15:19 +00:00
Mark Andrews 7aa30aae38 Fix "check-names master" and "check-names slave"
check for type "master" / "slave" at the same time as checking
for "primary" / "secondary" as we step through the maps.

Checking "primary" then "master" or "master" then "primary" does
not work as the synomym is not checked for to stop the search.
Similarly with "secondary" and "slave".

(cherry picked from commit a3c6516a75)
2021-09-29 19:51:53 +10:00
Ondřej Surý f7adef5162 Mark the masterfile-format type 'map' as deprecated
The map masterfile-format is very fragile and it needs API bump every
time a RBTDB data structures changes.  Also while testing it, we found
out that files larger than 2GB weren't loading and nobody noticed, and
loading many map files were also failing (subject to kernel limits).

Thus we are marking the masterfile-format type 'map' as deprecated and
to be removed in the next stable BIND 9 release.

(cherry picked from commit 6b7a488cbc)
2021-09-17 09:10:29 +02:00
Evan Hunt 863dfed0b5 deprecate "cache-file"
this commit marks the "cache-file" option as deprecated.

(cherry picked from commit a67d008ba5)
2021-09-16 00:57:58 -07:00
Ondřej SurýandOndřej Surý 0807d8b058 Remove the code to adjust listening interfaces for *-source-v6
Previously, named would run with a configuration
where *-source-v6 (notify-source-v6, transfer-source-v6 and
query-source-v6) address and port could be simultaneously used for
listening.  This is no longer true for BIND 9.16+ and the code that
would do interface adjustments would unexpectedly disable listening on
TCP for such interfaces.

This commit removes the code that would adjust listening interfaces
for addresses/ports configured in *-source-v6 option.

(cherry picked from commit 8ac1d4e0da)
2021-09-14 16:59:18 +02:00
Aram Sargsyan 930f082027 Update the default IANA root zone primaries list
The default IANA root zone primaries list was outdated, this commit
updates it.
2021-09-08 10:39:17 +00:00
Ondřej SurýandArаm Sаrgsyаn ec64f4492b Initialize the main thread trampoline for Windows Service process
When BIND is running as a Windows Service the ISC library's
initializations initiated by the DLLMain loading procedure are
happening under the Windows Service Manager thread instead of
BIND's main thread.

This commit will make sure that BIND's main thread trampoline has
been initialized before running the main() function.
2021-08-31 17:53:30 +00:00
Evan Hunt fb88554bf0 switch to primary/secondary in config.c
some of the built-in configuration was still using outdated terms.

(cherry picked from commit ae8cfa4683)
2021-08-30 12:00:42 -07:00
Evan Hunt ddc677ae64 rename dns_zone_master and dns_zone_slave
dns_zone_master and dns_zone_slave are renamed as dns_zone_primary
and dns_zone_secondary.

(cherry picked from commit 916760ae46)
2021-08-30 11:58:29 -07:00
Mark Andrews c3db4acf61 Also delete journal file
(cherry picked from commit 0b83636648)
2021-08-25 15:17:51 +10:00
Mark Andrews 1f36600e5a Add DBC REQUIRE to check that 'text' is non NULL
for all control channel commands.  This should silence
gcc-10-analyzer reporting NULL pointer dereference of 'text'.

(cherry picked from commit ac0fc3c2de)
2021-07-12 14:55:46 +10:00
Evan Hunt 68a40622ef allow multiple key algorithms in the same control listener
if a control channel listener was configured with more than one
key algorithm, message verification would be attempted with each
algorithm in turn. if the first key failed due to the wrong
signature length, the entire verification process was aborted,
rather than continuing on to try with another key.

(cherry picked from commit 841b557df8)
2021-07-06 12:55:28 -07:00
Matthijs Mekking 850aed0219 Add helpful function 'dns_zone_getdnsseckeys'
This code gathers DNSSEC keys from key files and from the DNSKEY RRset.
It is used for the 'rndc dnssec -status' command, but will also be
needed for "checkds". Turn it into a function.

(cherry picked from commit 40331a20c4)
2021-07-01 14:48:23 +02:00
Matthijs Mekking 9c0e252e2b Add "parental-source[-v6]" config option
Similar to "notify-source" and "transfer-source", add options to
set the source address when querying parental agents for DS records.

(manually picked from commit 2872d6a12e)
2021-07-01 14:48:23 +02:00
Matthijs Mekking 63582dc778 Parse "parental-agents" configuration
Parse the new "parental-agents" configuration and store it in the zone
structure.

(cherry picked from commit 6f92d4b9a5)
2021-07-01 14:48:23 +02:00
Matthijs Mekking 72d97df483 Make "primaries" config parsing generic
Make the code to parse "primaries" configuration more generic so
it can be reused for "parental-agents".

(cherry picked from commit 6040c71478)
2021-07-01 14:48:23 +02:00
Matthijs Mekking 90ef2b9c81 Add parental-agents configuration
Introduce a way to configure parental agents that can be used to
query DS records to be used in automatic key rollovers.

(manually picked from commit 0311705d4b)
2021-07-01 14:48:23 +02:00
Matthijs Mekking 42da0e7790 Change primaries objects to remote-servers
Change the primaries configuration objects to the more generic
remote-servers, that we can reuse for other purposes (such as
parental-agents).

(manually picked from commit 39a961112f)
2021-07-01 14:48:21 +02:00
Ondřej Surý a5e837cfda Don't set locale globally, just use it when needed
Previously, we would set the locale on a global level and that could
possibly lead to different behaviour in underlying functions.  In this
commit, we change to code to use the system locale only when calling the
libidn2 functions and reset the locale back to "POSIX" when exiting the
libidn2 code.

(cherry picked from commit 0d35b3f1a9)
2021-06-23 11:50:09 +02:00
Michał Kępień 7427da27fa Hardcode "max-cache-size" for the "_bind" view
The built-in "_bind" view does not allow recursion and therefore does
not need a large cache database.  However, as "max-cache-size" is not
explicitly set for that view in the default configuration, it inherits
that setting from global options.  Set "max-cache-size" for the built-in
"_bind" view to a fixed value (2 MB, i.e. the smallest allowed value) to
prevent needlessly preallocating memory for its cache RBT hash table.

(cherry picked from commit 86698ded32)
2021-06-22 15:32:27 +02:00
Michał Kępień 126436cc96 Use minimal-sized caches for non-recursive views
Currently the implicit default for the "max-cache-size" option is "90%".
As this option is inherited by all configured views, using multiple
views can lead to memory exhaustion over time due to overcommitment.
The "max-cache-size 90%;" default also causes cache RBT hash tables to
be preallocated for every configured view, which does not really make
sense for views which do not allow recursion.

To limit this problem's potential for causing operational issues, use a
minimal-sized cache for views which do not allow recursion and do not
have "max-cache-size" explicitly set (either in global configuration or
in view configuration).

For configurations which include multiple views allowing recursion,
adjusting "max-cache-size" appropriately is still left to the operator.

(cherry picked from commit 86541b39d3)
2021-06-22 15:32:27 +02:00
Ondřej SurýandOndřej Surý c8eddf4f33 Refactor zone dumping code to use netmgr async threadpools
Previously, dumping the zones to the files were quantized, so it doesn't
slow down network IO processing.  With the introduction of network
manager asynchronous threadpools, we can move the IO intensive work to
use that API and we don't have to quantize the work anymore as it the
file IO won't block anything except other zone dumping processes.

(cherry picked from commit 8a5c62de83)
2021-05-31 16:57:19 +02:00
Mark AndrewsandOndřej Surý 0b8cd8f19d inline-signing should have been in zone_only_clauses
(cherry picked from commit b3301da262)
2021-05-27 15:27:03 +02:00
Matthijs Mekking 96be6473fc Lock kasp when looking for zone keys
We should also lock kasp when reading key files, because at the same
time the zone in another view may be updating the key file.

(cherry picked from commit 252a1ae0a1)
2021-05-20 09:52:53 +02:00
Evan HuntandOndřej Surý ef1d909fa9 backport of netmgr/taskmgr to 9.16
this rolls up numerous changes that have been applied to the
main branch, including moving isc_task operations into the
netmgr event loops, and other general stabilization.
2021-05-14 12:52:48 +02:00
Matthijs Mekking 72deed194d Use isdigit instead of checking character range
When looking for key files, we could use isdigit rather than checking
if the character is within the range [0-9].

Use (unsigned char) cast to ensure the value is representable in the
unsigned char type (as suggested by the isdigit manpage).

Change " & 0xff" occurrences to the recommended (unsigned char) type
cast.

(cherry picked from commit 1998ad6c776a9c17c27788b17765dee90d9e25df)
2021-05-05 18:23:53 +02:00
Matthijs Mekking ff4930951c rndc dnssec -status should include offline keys
The rndc command 'dnssec -status' only considered keys from
'dns_dnssec_findmatchingkeys' which only includes keys with accessible
private keys. Change it so that offline keys are also listed in the
status.

(cherry picked from commit b3a5859a9b)
2021-05-05 12:49:38 +02:00
Ondřej Surý 8d92112de9 Change the max-ixfr-ratio default value to unlimited
When the feature was backported, we should have leave it disabled by
default, it turns out the default `100%` is producing some unexpected
results (under investigation), so for the time being, we are going to to
disable the max-ixfr-ratio.
2021-05-05 10:24:42 +02:00
Matthijs Mekking 375112a623 Add built-in dnssec-policy "insecure"
Add a new built-in policy "insecure", to be used to gracefully unsign
a zone. Previously you could just remove the 'dnssec-policy'
configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means
no DNSSEC maintenance for the corresponding zone. So if you
immediately reconfigure your zone from whatever policy to "none",
your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and
'dns_zone_secure_to_insecure()' again. We also no longer have to
check for the existence of key state files to figure out if a zone
is transitioning to insecure.

(cherry picked from commit 2710d9a11d)
2021-04-30 13:58:22 +02:00
Mark Andrews 9324d2d295 Reduce nsec3 max iterations to 150
(cherry picked from commit 29126500d2)
2021-04-29 17:44:46 +10:00
Matthijs Mekking 4615cbb597 Serve-stale nit fixes
While working on the serve-stale backports, I noticed the following
oddities:

1. In the serve-stale system test, in one case we keep track of the
   time how long it took for dig to complete. In commit
   aaed7f9d8c, the code removed the
   exception to check for result == ISC_R_SUCCESS on stale found
   answers, and adjusted the test accordingly. This failed to update
   the time tracking accordingly. Move the t1/t2 time track variables
   back around the two dig commands to ensure the lookups resolved
   faster than the resolver-query-timeout.

2. We can remove the setting of NS_QUERYATTR_STALEOK and
   DNS_RDATASETATTR_STALE_ADDED on the "else if (stale_timeout)"
   code path, because they are added later when we know we have
   actually found a stale answer on a stale timeout lookup.

3. We should clear the NS_QUERYATTR_STALEOK flag from the client
   query attributes instead of DNS_RDATASETATTR_STALE_ADDED (that
   flag is set on the rdataset attributes).

4. In 'bin/named/config.c' we should set the configuration options
   in alpabetical order.

5. In the ARM, in the backports we have added "(stale)" between
   "cached" and "RRset" to make more clear a stale RRset may be
   returned in this scenario.

(cherry picked from commit 104b676235)
2021-04-28 13:53:52 +02:00
Diego Fronza 942b83d392 Fix deadlock between rndc addzone/delzone/modzone
It follows a description of the steps that were leading to the deadlock:

1. `do_addzone` calls `isc_task_beginexclusive`.

2. `isc_task_beginexclusive` waits for (N_WORKERS - 1) halted tasks,
   this blocks waiting for those (no. workers -1) workers to halt.
...
isc_task_beginexclusive(isc_task_t *task0) {
    ...
	while (manager->halted + 1 < manager->workers) {
		wake_all_queues(manager);
		WAIT(&manager->halt_cond, &manager->halt_lock);
	}
```

3. It is possible that in `task.c / dispatch()` a worker is running a
   task event, if that event blocks it will not allow this worker to
   halt.

4. `do_addzone` acquires `LOCK(&view->new_zone_lock);`,

5. `rmzone` event is called from some worker's `dispatch()`, `rmzone`
   blocks waiting for the same lock.

6. `do_addzone` calls `isc_task_beginexclusive`.

7. Deadlock triggered, since:
	- `rmzone` is wating for the lock.
	- `isc_task_beginexclusive` is waiting for (no. workers - 1) to
	   be halted
	- since `rmzone` event is blocked it won't allow the worker to halt.

To fix this, we updated do_addzone code to call isc_task_beginexclusive
before the lock is acquired, we postpone locking to the nearest required
place, same for isc_task_beginexclusive.

The same could happen with rndc modzone, so that was addressed as well.
2021-04-26 11:35:18 -03:00
Mark Andrews 4864b69e95 Update named's usage description
(cherry picked from commit 38449de93b)
2021-04-13 11:35:13 +10:00
Matthijs Mekking c63b533690 Change default stale-answer-client-timeout to off
Using "stale-answer-client-timeout" turns out to have unforeseen
negative consequences, and thus it is better to disable the feature
by default for the time being.

(cherry picked from commit e443279bbf)
2021-04-07 14:46:55 +02:00
Matthijs Mekking d12b40f6fb Rekey immediately after rndc checkds/rollover
Call 'dns_zone_rekey' after a 'rndc dnssec -checkds' or 'rndc dnssec
-rollover' command is received, because such a command may influence
the next key event. Updating the keys immediately avoids unnecessary
rollover delays.

The kasp system test no longer needs to call 'rndc loadkeys' after
a 'rndc dnssec -checkds' or 'rndc dnssec -rollover' command.

(cherry picked from commit 82f72ae249)
2021-03-22 15:35:22 +01:00
Ondřej Surý db49ffca20 Change the isc_nm_(get|set)timeouts() to work with milliseconds
The RFC7828 specifies the keepalive interval to be 16-bit, specified in
units of 100 milliseconds and the configuration options tcp-*-timeouts
are following the suit.  The units of 100 milliseconds are very
unintuitive and while we can't change the configuration and presentation
format, we should not follow this weird unit in the API.

This commit changes the isc_nm_(get|set)timeouts() functions to work
with milliseconds and convert the values to milliseconds before passing
them to the function, not just internally.
2021-03-18 15:16:13 +01:00
Matthijs Mekking 45dcabf411 Add purge-keys config option
Add a new option 'purge-keys' to 'dnssec-policy' that will purge key
files for deleted keys. The option determines how long key files
should be retained prior to removing the corresponding files from
disk.

If set to 0, the option is disabled and 'named' will not remove key
files from disk.

(cherry picked from commit 313de3a7e2)
2021-02-23 09:18:55 +01:00
Ondřej SurýandMark Andrews 4bbe3e75de Stop including dnstap headers from <dns/dnstap.h>
The <fstrm.h> and <protobuf-c/protobuf-c.h> headers are only directly
included where used and we stopped exposing those headers from libdns
headers.
2021-02-16 12:08:21 +11:00
Mark Andrews bf5aac225b Stop including <lmdb.h> from <dns/lmdb.h>
The lmdb.h header doesn't have to be included from the dns/lmdb.h
header as it can be separately included where used.  This stops
exposing the inclusion of lmdb.h from the libdns headers.
2021-02-16 12:08:21 +11:00
Mark Andrews b8fc8742e5 Re-order include directories
${FSTRM_CFLAGS} ${PROTOBUF_C_CFLAGS} ${OPENSSL_CFLAGS} ${LMDB_CFLAGS}
need to appear after all directories in the build tree.
2021-02-16 12:08:21 +11:00
Diego Fronza d89a8bf696 Fix dangling references to outdated views after reconfig
This commit fix a leak which was happening every time an inline-signed
zone was added to the configuration, followed by a rndc reconfig.

During the reconfig process, the secure version of every inline-signed
zone was "moved" to a new view upon a reconfig and it "took the raw
version along", but only once the secure version was freed (at shutdown)
was prev_view for the raw version detached from, causing the old view to
be released as well.

This caused dangling references to be kept for the previous view, thus
keeping all resources used by that view in memory.
2021-02-15 11:52:50 -03:00
Diego FronzaandMatthijs Mekking b89fc52cd1 Add documentation for stale-answer-client-timeout
(cherry picked from commit 6ab9070457)
2021-01-29 10:39:31 +01:00
Diego FronzaandMatthijs Mekking 0aebad96b5 Added option for disabling stale-answer-client-timeout
This commit allows to specify "disabled" or "off" in
stale-answer-client-timeout statement. The logic to support this
behavior will be added in the subsequent commits.

This commit also ensures an upper bound to stale-answer-client-timeout
which equals to one second less than 'resolver-query-timeout'.

(cherry picked from commit 0ad6f594f6)
2021-01-29 10:38:58 +01:00
Diego FronzaandMatthijs Mekking 3478794a5d Add stale-answer-client-timeout option
The general logic behind the addition of this new feature works as
folows:

When a client query arrives, the basic path (query.c / ns_query_recurse)
was to create a fetch, waiting for completion in fetch_callback.

With the introduction of stale-answer-client-timeout, a new event of
type DNS_EVENT_TRYSTALE may invoke fetch_callback, whenever stale
answers are enabled and the fetch took longer than
stale-answer-client-timeout to complete.

When an event of type DNS_EVENT_TRYSTALE triggers fetch_callback, we
must ensure that the folowing happens:

1. Setup a new query context with the sole purpose of looking up for
   stale RRset only data, for that matters a new flag was added
   'DNS_DBFIND_STALEONLY' used in database lookups.

    . If a stale RRset is found, mark the original client query as
      answered (with a new query attribute named NS_QUERYATTR_ANSWERED),
      so when the fetch completion event is received later, we avoid
      answering the client twice.

    . If a stale RRset is not found, cleanup and wait for the normal
      fetch completion event.

2. In ns_query_done, we must change this part:
	/*
	 * If we're recursing then just return; the query will
	 * resume when recursion ends.
	 */
	if (RECURSING(qctx->client)) {
		return (qctx->result);
	}

   To this:

	if (RECURSING(qctx->client) && !QUERY_STALEONLY(qctx->client)) {
		return (qctx->result);
	}

   Otherwise we would not proceed to answer the client if it happened
   that a stale answer was found when looking up for stale only data.

When an event of type DNS_EVENT_FETCHDONE triggers fetch_callback, we
proceed as before, resuming query, updating stats, etc, but a few
exceptions had to be added, most important of which are two:

1. Before answering the client (ns_client_send), check if the query
   wasn't already answered before.

2. Before detaching a client, e.g.
   isc_nmhandle_detach(&client->reqhandle), ensure that this is the
   fetch completion event, and not the one triggered due to
   stale-answer-client-timeout, so a correct call would be:
   if (!QUERY_STALEONLY(client)) {
        isc_nmhandle_detach(&client->reqhandle);
   }

Other than these notes, comments were added in code in attempt to make
these updates easier to follow.

(cherry picked from commit 171a5b7542)
2021-01-29 10:38:32 +01:00
Mark Andrews f217a0cbae Stop xmlFreeTextWriter being called twice
xmlFreeTextWriter could be called twice if xmlDocDumpFormatMemoryEnc
failed.

(cherry picked from commit b5cf54252a)
2021-01-28 21:42:44 +00:00