Commit Graph
15553 Commits
Author SHA1 Message Date
Ondřej Surý 624ea6c57e Move contributed DLZ modules into a separate repository
The DLZ modules are poorly maintained as we only ensure they can still
be compiled, the DLZ interface is blocking, so anything that blocks the
query to the database blocks the whole server and they should not be
used except in testing.  The DLZ interface itself should be scheduled
for removal.

(cherry picked from commit a6cce753e2)
2024-11-26 16:24:17 +01:00
Alessio Podda 0472494417 Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.

This effectively reverts half of e3892805d6

(cherry picked from commit 99b4f01b33)
2024-11-26 07:17:06 +00:00
Mark Andrews 0e00e28ec6 Parse the URI template and check for a dns variable
The 'dns' variable in dohpath can be in various forms ({?dns},
{dns}, {&dns} etc.).  To check for a valid dohpath it ends up
being simpler to just parse the URI template rather than looking
for all the various forms if substring.

(cherry picked from commit af54ef9f5d)
2024-11-26 03:41:46 +00:00
Remi GacogneandMark Andrews cc9366031b '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath
See for example section 1.2. "Levels and Expression Types" of rfc6570.

(cherry picked from commit e74052ea71)
2024-11-26 03:41:45 +00:00
Mark Andrews 983d8a6821 Provide more visibility into configuration errors
by logging SSL_CTX_use_certificate_chain_file and
SSL_CTX_use_PrivateKey_file errors

(cherry picked from commit 9006839ed7)
2024-11-26 12:25:01 +11:00
Mark Andrews 1135bf9284 Re-split format strings
Re-split format strings that had been poorly split by multiple
clang-format runs using different versions of clang-format.

(cherry picked from commit a24d6e1654)
2024-11-21 04:22:11 +00:00
Ondřej Surý c22176c0f9 Remove redundant semicolons after the closing braces of functions
(cherry picked from commit 1a19ce39db)
2024-11-19 14:26:56 +01:00
Ondřej Surý 58a15d38c2 Remove redundant parentheses from the return statement
(cherry picked from commit 0258850f20)
2024-11-19 14:26:52 +01:00
Aram Sargsyan 19d4539926 Fix a data race between dns_zone_getxfr() and dns_xfrin_create()
There is a data race between the statistics channel, which uses
`dns_zone_getxfr()` to get a reference to `zone->xfr`, and the creation
of `zone->xfr`, because the latter happens outside of a zone lock.

Split the `dns_xfrin_create()` function into two parts to separate the
zone tranfer startring part from the zone transfer object creation part.
This allows us to attach the new object to a local variable first, then
attach it to `zone->xfr` under a lock, and only then start the transfer.

(cherry picked from commit dbf230650f)
2024-11-16 18:55:00 +00:00
Ondřej Surý 9b346bc6f1 Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am.  Adjust the required automake files
as needed.

(cherry picked from commit 88103e72d5)
2024-11-15 14:03:44 +00:00
Ondřej Surý d6f2dd79f6 Revalidate the adbname when canceling the ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock.  During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.

Recheck if the find->adbname is still valid after acquiring the lock
again and if not just skip the double removal.  Additionally, attach to
the adbname as in the worst case, the adbname might also cease to exist
if the scheduler would block this particular thread for a longer period
of time invalidating the lock we are going to acquire and release.

(cherry picked from commit 128e50e1ff)
2024-11-13 07:51:19 +00:00
Mark Andrews 57e84efd67 Update zone transfer summary
Print the expire option in the zone transfer summary. This is
currently emitted in a DEBUG(1) message.

(cherry picked from commit 5253c75b7a)
2024-11-04 18:30:10 +00:00
Matthijs MekkingandMark Andrews a92fb659d3 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.

(cherry picked from commit 680aedb595)
2024-11-04 01:10:34 +00:00
Timo EisenmannandMark Andrews 7a5b3c39fc Use TLS for notifies if configured to do so
(cherry picked from commit e9d54d798f)
2024-10-24 03:11:50 +00:00
Mark Andrews d5da28d1ca Fix TCP dispatches and transport
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused.  Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.

(cherry picked from commit baab8a5d75)
2024-10-24 01:21:37 +00:00
Mark Andrews 6918c9d17a Fix parsing of hostnames in rndc.conf
When DSCP was removed the parsing of hostnames was accidentally
broken resulting in an assertion failure.  Call cfg_parse_tuple
rather than using custom code in parse_sockaddrnameport.

(cherry picked from commit 6c095f89f5)
2024-10-22 00:12:32 +00:00
Evan Hunt b5475c9cda corrected code style errors
- add missing brackets around one-line statements
- add paretheses around return values
2024-10-18 19:31:56 +00:00
Mark Andrews 887e874e93 Fix recursive-clients 0
Setting recursive-clients 0 triggered an assertion in isc_quota_soft.
This has now been fixed.

(cherry picked from commit 840eaa628d)
2024-10-17 22:05:22 +00:00
Petr MenšíkandMark Andrews 75a50925f7 Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL shims
The <openssl/{hmac,engine}.h> headers were unused and including the
<openssl/engine.h> header might cause build failure when OpenSSL
doesn't have Engines support enabled.

See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
2024-10-16 04:39:43 +00:00
Mark Andrews 14bb1f8aa0 Use a binary search to find the NSEC3 closest encloser
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response.  minlabels is the suffix length that corresponds
to longest found existing name.

(cherry picked from commit 67f31c5046)
2024-10-14 23:55:08 +00:00
Matthijs Mekking 7aaa36f09f Small keymgr improvement
When a key is to be purged, don't run the key state machinery for it.

(cherry picked from commit af54e3dadc)
2024-10-14 10:03:31 +02:00
Matthijs Mekking 2494275a8e Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 10:03:00 +02:00
Matthijs Mekking d768dd1f5d Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436

(cherry picked from commit 0396bf98ee)
2024-10-10 09:29:52 +00:00
Aram Sargsyan 3b76aa01ba Refactor the way check_recursionquota() is used
Rename check_recursionquota() to acquire_recursionquota(), and
implement a new function called release_recursionquota() to
reverse the action. It helps with decreasing code duplication.

(cherry picked from commit 7bd44a4182)
2024-10-09 11:40:19 +00:00
Aram Sargsyan dbd308436f Fix error path bugs in the "recursing-clients" list management
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.

Also make sure that unlinking happens before detaching the
client's handle, as it is the logically correct order, e.g.
in case if it's the last handle and ns__client_reset_cb()
can be called because of the detachment.

(cherry picked from commit 36c4808903)
2024-10-09 11:40:19 +00:00
Aram Sargsyan 407aba8840 Fix a data race in dns_zone_getxfrintime()
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions.

(cherry picked from commit ab07803465)
2024-10-09 10:34:28 +00:00
Aram Sargsyan 3a5e683075 Clean up 'nodetach' in ns_client
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently
is always 'false'. Clean up the member and its usage.

(cherry picked from commit b8c068835e)
2024-10-09 09:16:21 +00:00
Ondřej Surý 4b4c550cd8 Don't enable SO_REUSEADDR on outgoing UDP sockets
Currently, the outgoing UDP sockets have enabled
SO_REUSEADDR (SO_REUSEPORT on BSDs) which allows multiple UDP sockets to
bind to the same address+port.  There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic.  This in turn could lead to incoming DNS message matching to
invalid dns_dispatch and getting dropped.

Disable setting the SO_REUSEADDR on the outgoing UDP sockets.  This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.

(cherry picked from commit eec30c33c2)
2024-10-02 12:16:58 +00:00
Ondřej Surý b46108b428 Skip TCP dispatch responses that are not ours
When matching the TCP dispatch responses, we should skip the responses
that do not belong to our TCP connection.  This can happen with faulty
upstream server that sends invalid QID back to us.

(cherry picked from commit 4ef316e21e)
2024-10-02 10:45:05 +00:00
Aram Sargsyan ca966c396a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

(cherry picked from commit d49a8f518a)
2024-10-02 09:53:45 +00:00
Ondřej Surý 5701bf9dab Use release memory ordering when incrementing reference counter
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be same when both calls are executed at the same time.

(cherry picked from commit 88227ea665)
2024-10-02 09:09:35 +02:00
Mark Andrews 7e8ffe3d63 Store static-stub addresses seperately in the adb
Static-stub address and addresses from other sources where being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.

(cherry picked from commit b3a2c790f3)
2024-10-01 01:27:55 +00:00
Petr MenšíkandMark Andrews 59770f281c Move common flags logging to shared functions
Query and response log shares the same flags. Move flags logging out of
log_query to share it with log_response. Use buffer instead of snprintf
to fill flags a bit faster.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit e6b19af2dd)
2024-09-30 00:10:47 +00:00
Petr MenšíkandMark Andrews d9d50f6274 Make responselog flags similar to querylog
Remove answer flag from log, log instead count of records for each
message section. Include EDNS version and few flags of response. Add
also status of result.

Still does not include body of responses rrset.

(cherry picked from commit 6f879aba65)
2024-09-30 00:10:47 +00:00
Mark Andrews 3968813724 Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.

(cherry picked from commit 5fad79c92f)
2024-09-30 00:10:47 +00:00
Aram Sargsyan 346850954c Add a missing rcu_read_unlock() call on exit path
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.

(cherry picked from commit 4123d59fbc)
2024-09-27 13:53:31 +00:00
Mark Andrews c6045acc41 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:52 +00:00
Nicki KřížekandOndřej Surý f2fa1b7d63 Update code formatting
clang 19 was updated in the base image.

(cherry picked from commit ebb5bd9c0f)
2024-09-21 12:45:27 +02:00
Ondřej Surý deba4670cb Don't enable timeouts in dns_dispatch for incoming transfers
The dns_dispatch_add() call in the dns_xfrin unit had hardcoded 30
second limit.  This meant that any incoming transfer would be stopped in
it didn't finish within 30 seconds limit.  Additionally, dns_xfrin
callback was ignoring the return value from dns_dispatch_getnext() when
restarting the reading from the TCP stream; this could cause transfers
to get stuck waiting for a callback that would never come due to the
dns_dispatch having already been shut down.

Call the dns_dispatch_add() without a timeout and properly handle the
result code from the dns_dispatch_getnext().

(cherry picked from commit 96ef98558c)
2024-09-21 08:53:25 +00:00
Ondřej Surý 4127068305 Modify dns_dispatch API to accept zero timeout
The dns_dispatch_add() has timeout parameter that could not be 0 (for
not timeout).  Modify the dns_dispatch implementation to accept a zero
timeout for cases where the timeouts are undesirable because they are
managed externally.

(cherry picked from commit 0f810b3144)
2024-09-21 08:53:25 +00:00
Nicki Křížek 38fb8bed49 Revert "Double the number of threadpool threads"
This reverts commit 6857df20a4.

(cherry picked from commit 842abe9fbf)
2024-09-20 14:51:33 +00:00
Evan Hunt c1b94dc622 rename 'rbtiterator' and similar names in qpcache
when the QP cache was adapted from the RBT database, some names
weren't changed. this could be confusing, so let's change them now.
also, we no longer need to include rbt.h.

(cherry picked from commit 5a444838db)
2024-09-19 15:02:23 -07:00
Nicki Křížek 379d7faeac Merge tag 'v9.20.2' into bind-9.20 2024-09-18 18:06:27 +02:00
Aram Sargsyan 0098ff6456 Set logging category for notify/xfer related messages
Some notify/xfer related log messages are logged at the general
category. Set a more suitable caterogry for those messages.

(cherry picked from commit 7c45caa8a5)
2024-09-17 16:14:52 +00:00
Ondřej Surý 6bff6df272 Limit the outgoing UDP send queue size
If the operating system UDP queue gets full and the outgoing UDP sending
starts to be delayed, BIND 9 could exhibit memory spikes as it tries to
enqueue all the outgoing UDP messages.  As those are not going to be
delivered anyway (as we argued when we stopped enlarging the operating
system send and receive buffers), try to send the UDP messages directly
using `uv_udp_try_send()` and if that fails, drop the outgoing UDP
message.

(cherry picked from commit b576c4c977)
2024-09-17 16:31:25 +02:00
alessio 6e42d96cf1 Do not set SO_INCOMING_CPU
We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej
shows that fixing the issue and setting affinities is worse than letting
the kernel schedule threads without constraints. So we should not set
SO_INCOMING_CPU anymore.

(cherry picked from commit 8b8149cdd2)
2024-09-16 12:57:08 +00:00
Aram Sargsyan 59cc292928 Fix a 'serverquota' counter calculation bug
The 'all_spilled' local variable in resolver.c:fctx_getaddresses()
is 'true' by default, and only becomes false when there is at least
one successfully found NS address. However, when a 'forward only;'
configuration is used, the code jumps over the part where it looks
for NS addresses and doesn't reset the 'all_spilled' to false, which
results in incorretly increased 'serverquota' statistics variable,
and also in invalid return error code from the function. The result
code error didn't make any differences, because all codes other than
'ISC_R_SUCCESS' or 'DNS_R_WAIT' were treated in the same way, and
the result code was never logged anywhere.

Set the default value of 'all_spilled' to 'false', and only make it
'true' before actually starting to look up NS addresses.

(cherry picked from commit e430ce7039)
2024-09-16 09:31:38 +00:00
Ondřej Surý 26c2cbe63b Move offloaded DNSSEC operations to different helper threads
Currently, the isc_work API is overloaded.  It runs both the
CPU-intensive operations like DNSSEC validations and long-term tasks
like RPZ processing, CATZ processing, zone file loading/dumping and few
others.

Under specific circumstances, when many large zones are being loaded, or
RPZ zones processed, this stops the CPU-intensive tasks and the DNSSEC
validation is practically stopped until the long-running tasks are
finished.

As this is undesireable, this commit moves the CPU-intensive operations
from the isc_work API to the isc_helper API that only runs fast memory
cleanups now.

(cherry picked from commit 8a96a3af6a)
2024-09-12 16:41:02 +02:00
Ondřej Surý 17f23224d1 Add isc_helper API that adds 1:1 thread for each loop
Add an extra thread that can be used to offload operations that would
affect latency, but are not long-running tasks; those are handled by
isc_work API.

Each isc_loop now has matching isc_helper thread that also built on top
of uv_loop.  In fact, it matches most of the isc_loop functionality, but
only the `isc_helper_run()` asynchronous call is exposed.

(cherry picked from commit 6370e9b311)
2024-09-12 14:39:07 +00:00
Aram Sargsyan 65fced42b9 Fix data race in offloaded dns_message_checksig()
When verifying a message in an offloaded thread there is a race with
the worker thread which writes to the same buffer. Clone the message
buffer before offloading.

(cherry picked from commit 35ef25e5ea)
2024-09-12 09:12:35 +00:00