Commit Graph
11709 Commits
Author SHA1 Message Date
Mark Andrews a520662ed4 allow dlz to signal that the view's transfer acl should be used 2019-03-11 14:27:13 +11:00
Ondřej Surý 7eea756858 Restore missing check for flockfile and getc_unlocked 2019-03-08 21:20:20 +01:00
Ondřej Surý a04a390195 Convert *.vcxproj.user to CRLF line endings 2019-03-08 18:01:48 +01:00
Ondřej Surý c2637c8429 Use ForcedIncludeFiles directive to include config.h everywhere automatically 2019-03-08 17:14:38 +01:00
Ondřej Surý 1b25d8a0ca Remove explicit '#include <config.h>' from the header files (the include should not have been there in the first place) 2019-03-08 15:15:05 +01:00
Ondřej Surý 78d0cb0a7d Use coccinelle to remove explicit '#include <config.h>' from the source files 2019-03-08 15:15:05 +01:00
Michał Kępień ada6846a10 Make delv use OS-supplied ephemeral port range
Make delv honor the operating system's preferred ephemeral port range
instead of always using the default 1024-65535 range for outgoing
messages.
2019-03-08 13:13:32 +01:00
Tony FinchandMark Andrews 0f219714e1 cleanup: use dns_secalg_t and dns_dsdigest_t where appropriate
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.

Use dns_dsdigest_t in library function arguments.

Improve dnssec-cds with these more specific types.
2019-03-08 18:37:50 +11:00
Mark Andrews 1fc7be36eb #include <limits.h> for PATH_MAX, define if not found 2019-03-08 17:15:01 +11:00
Evan Hunt 7f26cad247 silence a warning about potential snprintf overrun 2019-03-08 00:27:49 -05:00
Mark AndrewsandEvan Hunt 435ae2f29a Handle EDQUOT and ENOSPC errors 2019-03-07 21:02:48 -08:00
Mark AndrewsandEvan Hunt cb32cd98bd fix the use of dns_wildcardname as an optimisation in DLZ 2019-03-07 19:59:29 -08:00
Mark Andrews 3f2b7e1006 add noreturn attribute 2019-03-07 16:45:04 +11:00
Mark AndrewsandEvan Hunt d1fa8be611 add the ability to control whether SOA records are added response-policy modified answers 2019-03-06 20:47:28 -08:00
Witold KręcickiandEvan Hunt b57a38ae43 Fix a race in socket code when internal_{accept, send, receive} is called
from event loop on an socket and, in the meantime, someone has closed this
socket.
2019-03-06 12:56:11 -08:00
Michał KępieńandEvan Hunt af4b81f944 Log plugin unloading at debug level
During server reconfiguration, plugin instances set up for the old views
are unloaded very close to the end of the whole process, after new
plugin instances are set up.  As the log message announcing plugin
unloading is emitted at the default "info" level, the user might be
misled into thinking that it is the new plugin instances that are being
unloaded for some reason, particularly because all other messages logged
at the "info" level around the same time inform about setting things up
rather than tearing them down.  Since no distinction is currently made
between destroying a view due to reconfiguration and due to a shutdown
in progress, there is no easy way to vary the contents of the log
message depending on circumstances.  Since this message is not a
particularly critical one, demote it to debug level to prevent
confusion.
2019-03-06 15:19:07 -05:00
Michał KępieńandEvan Hunt 1a9fc624ca Look for named plugins in ${libdir}/named
When the "library" part of a "plugin" configuration stanza does not
contain at least one path separator, treat it as a filename and assume
it is a name of a shared object present in the named plugin installation
directory.  Absolute and relative paths can still be used and will be
used verbatim.  Get the full path to a plugin before attempting to
check/register it so that all relevant log messages include the same
plugin path (apart from the one logged when the full path cannot be
determined).
2019-03-05 16:06:25 -08:00
Michał KępieńandEvan Hunt d181c28c60 Add ns_plugin_expandpath()
Implement a helper function which, given an input string:

  - copies it verbatim if it contains at least one path separator,
  - prepends the named plugin installation directory to it otherwise.

This function will allow configuration parsing code to conveniently
determine the full path to a plugin module given either a path or a
filename.

While other, simpler ways exist for making sure filenames passed to
dlopen() cause the latter to look for shared objects in a specific
directory, they are very platform-specific.  Using full paths is thus
likely the most portable and reliable solution.

Also added unit tests for ns_plugin_expandpath() to ensure it behaves
as expected for absolute paths, relative paths, and filenames, for
various target buffer sizes.

(Note: plugins share a directory with named on Windows; there is no
default plugin path. Therefore the source path is copied to the
destination path with no modification.)
2019-03-05 16:06:24 -08:00
Mark AndrewsandEvan Hunt cb913177ae improve clang / cmocka integration 2019-03-05 10:20:29 -08:00
Evan Hunt 3e74c7e5ff fix crash in query_respond_any() from all records being hidden
in query_respond_any(), the assumption had previously been made that it
was impossible to get past iterating the node with a return value of
ISC_R_NOMORE but not have found any records, unless we were searching
for RRSIG or SIG. however, it is possible for other types to exist but
be hidden, such as when the zone is transitioning from insecure to
secure and DNSSEC types are encountered, and this situation could
trigger an assertion.  removed the assertion and reorganized the code.
2019-02-28 13:55:47 -08:00
Matthijs MekkingandMatthijs Mekking e5565808e4 Update CHANGES 2019-02-22 14:00:01 +01:00
Matthijs MekkingandMatthijs Mekking 6ed14eff25 Unregister RPZ CATZ db cbs when zone load fails
In case when a zone fails to load because the file does not exist
or is malformed, we should not run the callback that updates the
zone database when the load is done.  This is achieved by
unregistering the callbacks if at zone load end if the result
indicates something else than success.
2019-02-22 13:59:10 +01:00
Matthijs MekkingandMatthijs Mekking 6756280242 Remove rpz->db_registered
As pointed out in !813 db_registered is sort of redundant.  It is
set to `true` only in `dns_zone_rpz_enable_db()` right before the
`dns_rpz_dbupdate_callback()` callback is registered.  It is only
required in that callback and it is the only place that the callback
is registered.  Therefore there is no path that that `REQUIRE` can
fail.

The `db_registered` variable is only set to `false` in
`dns_rpz_new_zone`, so it is not like the variable is unset again
later.

The only other place where `db_registered` is checked is in
`rpz_detach()`.  If `true`, it will call
`dns_db_updatenotify_unregister()`.  However if that happens, the
`db_registered` is not set back to `false` thus this implies that
this may happen multiple times.  If called a second time, most
likely the unregister function will return `ISC_R_NOTFOUND`, but
the return value is not checked anyway.  So it can do without the
`db_registered` check.
2019-02-22 13:59:10 +01:00
Matthijs MekkingandMatthijs Mekking 2e5e429644 Add curly brackets on if statements 2019-02-22 13:59:10 +01:00
Matthijs MekkingandMatthijs Mekking a490c09121 named crashes on shutdown after load rpz failed
This may happen when loading an RPZ failed and the code path skips
calling dns_db_endload().  The dns_rpz_zone_t object is still kept
marked as having registered db.  So when this object is finally
destroyed in rpz_detach(), this code will incorrectly call
`dns_db_updatenotify_unregister()`:

   if (rpz->db_registered)
     dns_db_updatenotify_unregister(rpz->db,
                                    dns_rpz_dbupdate_callback, rpz);

and trigger this assertion failure:

   REQUIRE(db != NULL);

To fix this, only call `dns_db_updatenotify_unregister()` when
`rpz->db` is not NULL.
2019-02-22 13:59:10 +01:00
Mark Andrews 8758d36a5e use client->query.qname 2019-02-22 00:04:52 -05:00
Evan Hunt efb0d1e83d documentation changes setting up 9.15 development branch 2019-02-21 16:42:17 -08:00
Mark AndrewsandEvan Hunt a9307de85e denied axfr requests were not effective for writable DLZ zones 2019-02-20 19:44:38 -08:00
Mark AndrewsandEvan Hunt 35025b6e88 silently ignore additional keytag options 2019-02-20 19:44:36 -08:00
Matthijs MekkingandEvan Hunt f09352d20a Update keyfetch_done compute_tag check
If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.
2019-02-20 19:44:33 -08:00
Matthijs MekkingandEvan Hunt 235a64a5a4 Don't free key in compute_tag in case of failure
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created.  Doing so
nevertheless will result in an assertion failure.

This can happen if the key uses an unsupported algorithm.
2019-02-20 19:44:32 -08:00
Mark Andrews c0d4ff5796 teach proto_c to look in the source directory for out of tree builds 2019-02-20 09:27:00 +11:00
Mark Andrews f475dc75b1 remove redundant assignment 2019-02-18 17:40:56 -05:00
Mark Andrews 9a9dc4072f declarations before assertions 2019-02-18 17:40:56 -05:00
Mark Andrews 63c03cdb2d remove seen_dname 2019-02-18 17:40:56 -05:00
Mark Andrews 4938f97c97 record when querytsig is valid 2019-02-18 17:39:08 -05:00
Mark Andrews 7114d16098 fix memory leak 2019-02-19 09:17:03 +11:00
Mark Andrews f87b88e520 remove dead assignments 2019-02-19 08:12:09 +11:00
Mark Andrews 76a1c1531a assert result is ISC_R_SUCCESS 2019-02-19 07:57:14 +11:00
Matthijs Mekking 24507abee3 Update to !1427: Make primary's transfer log more detailed 2019-02-18 06:33:15 -05:00
Michał Kępień 72c201733c Do not check SEP bit for mirror zone trust anchors
When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
2019-02-14 11:03:35 +01:00
Michał Kępień 9c611dd999 Prevent races when waiting for log messages
The "mirror" system test checks whether log messages announcing a mirror
zone coming into effect are emitted properly.  However, the helper
functions responsible for waiting for zone transfers and zone loading to
complete do not wait for these exact log messages, but rather for other
ones preceding them, which introduces a possibility of false positives.

This problem cannot be addressed by just changing the log message to
look for because the test still needs to discern between transferring a
zone and loading a zone.

Add two new log messages at debug level 99 (which is what named
instances used in system tests are configured with) that are to be
emitted after the log messages announcing a mirror zone coming into
effect.  Tweak the aforementioned helper functions to only return once
the log messages they originally looked for are followed by the newly
added log messages.  This reliably prevents races when looking for
"mirror zone is now in use" log messages and also enables a workaround
previously put into place in the "mirror" system test to be reverted.
2019-02-14 10:41:56 +01:00
Michał Kępień 2e4187afd5 Add a comment explaining a mirror zone glitch
Explain why in a certain edge case mirror zone data may not be used for
resolution purposes despite being available.
2019-02-08 05:49:22 -05:00
Mark Andrews a9fadafecd fix AMTRELAY name 2019-02-08 13:54:13 +11:00
Mark Andrews 8d69e15988 add top of range checks 2019-02-08 09:37:00 +11:00
Evan Hunt 3183663dd4 Add support for ZONEMD 2019-02-07 12:34:14 -08:00
Mark AndrewsandEvan Hunt 66922ee7af Add support for ATMRELAY 2019-02-07 10:28:19 -08:00
Tinderbox User b4d3f78293 prep 9.13.6 2019-02-06 22:13:05 +00:00
Matthijs MekkingandMichał Kępień 2c34023a5e Explain hook action calling order in more detail 2019-02-06 10:09:38 +01:00
Tony FinchandEvan Hunt 2e173bbd24 cleanup: allow building DS directly from CDNSKEY
Relax an assertion in lib/dns/ds.c so that dnssec-cds does
not have to work around it. This will also be useful for
dnssec-dsfromkey.
2019-02-05 22:57:13 -05:00