Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.
In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.
(cherry picked from commit a2317425bc)
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.
These are:
1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
in the zone, but not yet its own keys. Pregenerate signing keys and
add them to the unsigned zone as well.
2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
and added in the raw version of the zone. But the key file is stored
outside the key-directory for the given zone. Add '-K keys' to the
dnssec-keygen command.
(cherry picked from commit d1e263ef13)
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.
(cherry picked from commit 5fdad05a8a)
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.
(cherry picked from commit a3afbd9d6f)
This change ensures that the port is set before attempting a UDP query. Before that a situation could appear when previous query have completed over a different transport (that uses a dedicated port) and then a UDP query will be attempted over the port of the previous transport.
Backport of !9618.
Merge branch 'artem-debian-bug-1059582-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9619
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.
(cherry picked from commit e390ed4421)
This release note was missing due to a malformed Merge Request title.
The text is not copied verbatim, but changed to something more release
note-like.
Backport of MR !9598
Merge branch 'backport-4460-add-missing-release-note-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9615
This release note was missing due to a malformed Merge Request title.
The text is not copied verbatim, but changed to something more release
note-like.
(cherry picked from commit 5860bafc60)
Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436Closes#4950
Backport of MR !9611
Merge branch 'backport-revert-78d48f7a-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9613
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.
Backport of MR !9586
Merge branch 'backport-aram/unlink-recursing-clients-on-error-paths-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9604
Rename check_recursionquota() to acquire_recursionquota(), and
implement a new function called release_recursionquota() to
reverse the action. It helps with decreasing code duplication.
(cherry picked from commit 7bd44a4182)
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.
Also make sure that unlinking happens before detaching the
client's handle, as it is the logically correct order, e.g.
in case if it's the last handle and ns__client_reset_cb()
can be called because of the detachment.
(cherry picked from commit 36c4808903)
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions.
Closes#4976
Backport of MR !9591
Merge branch 'backport-4976-zone-xfrintime-data-race-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9601
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions.
(cherry picked from commit ab07803465)
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently
is always 'false'. Clean up the member and its usage.
Backport of MR !9592
Merge branch 'backport-aram/cleanup-ns-client-nodetach-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9600
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently
is always 'false'. Clean up the member and its usage.
(cherry picked from commit b8c068835e)
The outgoing UDP sockets enabled `SO_REUSEADDR` that allows sharing of the UDP sockets, but with one big caveat - the socket that was opened the last would get all traffic. The dispatch code would ignore the invalid responses in the dns_dispatch, but this could lead to unexpected results.
Backport of MR !9569
Merge branch 'backport-ondrej/fix-outgoing-UDP-port-selection-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9583
Currently, the outgoing UDP sockets have enabled
SO_REUSEADDR (SO_REUSEPORT on BSDs) which allows multiple UDP sockets to
bind to the same address+port. There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic. This in turn could lead to incoming DNS message matching to
invalid dns_dispatch and getting dropped.
Disable setting the SO_REUSEADDR on the outgoing UDP sockets. This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.
(cherry picked from commit eec30c33c2)
When matching the received Query ID in the TCP connection,
an invalid received Query ID can very rarely cause assertion
failure.
Closes#4952
Backport of MR !9580
Merge branch 'backport-4952-check-whether-QID-is-not-deleted-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9582
When matching the TCP dispatch responses, we should skip the responses
that do not belong to our TCP connection. This can happen with faulty
upstream server that sends invalid QID back to us.
(cherry picked from commit 4ef316e21e)
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.
Set the 'resp->port' to the given local port value extracted from
'disp->local'.
Closes#4969
Backport of MR !9576
Merge branch 'backport-4969-dispatch-tcp-source-port-bug-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9581
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.
Set the 'resp->port' to the given local port value extracted from
'disp->local'.
(cherry picked from commit d49a8f518a)
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be same when both calls are executed at the same time.
Backport of MR !9460
Merge branch 'backport-ondrej/use-release-memory-ordering-for-reference-counting-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9567
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be same when both calls are executed at the same time.
(cherry picked from commit 88227ea665)
When `sig-validity-interval` was obsoleted, the text that the signature validity interval should be multiples of the SOA expire interval was removed. Restore this text to the description of the `signatures-validity` option.
Closes#4951
Backport of MR !9566
Merge branch 'backport-4951-document-signatures-validity-soa-expire-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9573
The example.com zone file given in the "Configurations and Zone Files"
chapter has an SOA expire of 3 weeks, which is not a multiple of
the default signatures-validity value. Adjust the SOA expire so that
it is much lower than the signatures-validity default.
(cherry picked from commit 8aa94931c3)
When `sig-validity-interval` was obsoleted, the text that the signature
validity interval should be multiples of the SOA expire interval was
removed. Restore this text to the description of the
`signatures-validity` option.
(cherry picked from commit b09230004b)
The `dns.query.udp` and `dns.query.tcp` methods are [prone to timeouts](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4785053); their `isctest.query` equivalents should be used in system tests instead.
Backport of MR !9560
Merge branch 'backport-mnowak/convert-dns-query-udp-and-tcp-to-isctest-query-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9574
Static-stub addresses and addresses from other sources were being
mixed together, resulting in static-stub queries going to addresses
not specified in the configuration, or alternatively, static-stub
addresses being used instead of the correct server addresses.
Closes#4850
Backport of MR !9314
Merge branch 'backport-4850-add-an-additional-class-of-names-to-adb-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9571
Static-stub address and addresses from other sources where being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.
(cherry picked from commit b3a2c790f3)
Log a query response summary using the new category `responses`. Logging can be controlled by the option `responselog` and `rndc responselog`.
Closes#459
Backport of MR !9449
Merge branch 'backport-459-log-query-response-status-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9526
Extends the resolver system test to to check whether responses are
logged to the query log in addition to the queries.
(cherry picked from commit 61415432ec)
Query and response log shares the same flags. Move flags logging out of
log_query to share it with log_response. Use buffer instead of snprintf
to fill flags a bit faster.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit e6b19af2dd)
Remove answer flag from log, log instead count of records for each
message section. Include EDNS version and few flags of response. Add
also status of result.
Still does not include body of responses rrset.
(cherry picked from commit 6f879aba65)
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.
(cherry picked from commit 5fad79c92f)
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.
Backport of MR !9561
Merge branch 'backport-aram/add-missing-rcu_read_unlock-in-dns_dispatch_add-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9564
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.
(cherry picked from commit 4123d59fbc)
Add the new record type WALLET (262). This provides a mapping from a domain name to a cryptographic currency wallet. Multiple mappings can exist if multiple records exist.
Closes#4947
Backport of MR !9521
Merge branch 'backport-4947-add-wallet-type-to-named-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9554