Commit Graph

11079 Commits

Author SHA1 Message Date
Evan Hunt
7de12aaa34 add a search for GeoIP2 libraries in configure
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
  (libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
  is an error.
- an attempt is made to determine the default GeoIP2 database path at
  compile time if pkg-config is able to report the module prefix. if
  this fails, it will be necessary to set the path in named.conf with
  geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
  added for the eventual GeoIP2 search implementation.

(cherry picked from commit fea6b5bf10)
(cherry picked from commit 6a7e805796)
2019-07-02 12:28:14 -07:00
Evan Hunt
4dd46ba0f7 don't overwrite the dns_master_loadfile() result before calling zone_postload()
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.

(cherry picked from commit 0b792bd37b)
2019-06-26 08:51:24 -07:00
Mark Andrews
4110b9184d define ULLONG_MAX if not already defined 2019-06-25 09:42:49 +10:00
Brian Conry
1ff50a2f70 Bump DNS_CLIENTINFOMETHODS_VERSION/_AGE to 2/1 in clientinfo.h
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was addet to the
dnsclientinfo struct.  It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.

Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this changes takes a different approach by
syncing the values other way around.

(cherry picked from commit 39344dfb3e)
2019-06-20 14:24:29 +02:00
Tinderbox User
81c904f697 prep 9.11.8 2019-06-19 15:55:05 -07:00
Mark Andrews
3a9c7bb80d move item_out test inside lock in dns_dispatch_getnext()
(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
2019-06-19 15:55:04 -07:00
Michał Kępień
eeec8e8d83 Address GCC 9.1 -O3 compilation warnings
Compiling with -O3 triggers the following warnings with GCC 9.1:

    task.c: In function ‘isc__taskmgr_create’:
    task.c:1456:44: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
     1456 |    snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                            ^~~~
    task.c:1456:33: note: directive argument in the range [0, 4294967294]
     1456 |    snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                 ^~~~~~~~~~~~~~~~
    task.c:1456:4: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
     1456 |    snprintf(name, sizeof(name), "isc-worker%04u", i);
          |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    rrl.c: In function ‘debit_rrl_entry’:
    rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                                   ^~
    rrl.c:602:30: note: directive argument in the range [0, 2147483647]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                              ^~~~~~~~
    rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                                   ^~
    rrl.c:602:30: note: directive argument in the range [0, 2147483647]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                              ^~~~~~~~
    rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                                   ^~
    rrl.c:602:30: note: directive argument in the range [0, 2147483647]
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |                              ^~~~~~~~
    rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
      602 |   snprintf(buf, sizeof(buf), "age=%d", age);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    private_test.c: In function ‘private_nsec3_totext_test’:
    private_test.c:114:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
      114 |  while (*sp == '\0' && slen > 0) {
          |         ^~~
    private_test.c:107:11: note: while referencing ‘salt’
      107 |  uint32_t salt;
          |           ^~~~

Prevent these warnings from being triggered by increasing the size of
the relevant arrays (task.c, rrl.c) and reordering conditions
(private_test.c).

(cherry picked from commit ce796ac1f4)
2019-06-11 10:19:26 +02:00
Mark Andrews
f684368053 POST(optlen)
(cherry picked from commit 4e97f7dccc)
2019-06-04 15:49:16 +10:00
Mark Andrews
0c0ddaf3d1 teach cppcheck that _assert_int_equal and _assert_int_not_equal don't return on failure
(cherry picked from commit 5d5d751c7f)
2019-06-04 15:24:18 +10:00
Mark Andrews
9618d822ab fix Ed448 length values for precomputed ASN.1 prefix blobs
(cherry picked from commit 5da97eeea6)
2019-05-30 22:51:04 +10:00
Ondřej Surý
f9880fcf6d Pull the values for LFS_{CFLAGS,LDFLAGS,LIBS} from autoconf instead using them directly in make
(cherry picked from commit d4596baed4)
2019-05-29 13:34:22 +02:00
Ondřej Surý
4203bdef8d Use getconf LFS_{CFLAGS,LDFLAGS,LIBS} to get flags to compile lib/dns/gen
On some systems (namely Debian buster armhf) the readdir() call fails
with `Value too large for defined data type` unless the
_FILE_OFFSET_BITS=64 is defined.  The correct way to fix this is to
get the appropriate compilation parameters from getconf system
interface.

(cherry picked from commit 4c7345bcb6)
2019-05-29 10:31:03 +02:00
Ondřej Surý
bcf4391ec6 Exit the ./gen program on failed readdir() call
(cherry picked from commit 05b7c08a16)
2019-05-29 10:31:03 +02:00
Witold Kręcicki
71d3823dab Remove UNSPEC rrtype
(cherry picked from commit a8e2ca6f7d)
2019-05-13 10:54:10 +07:00
Tinderbox User
d58e36b410 prep 9.11.7 2019-05-10 05:03:46 +00:00
Michał Kępień
f04f107b7e Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 21:05:50 -07:00
Witold Kręcicki
1286d74c7d Fix race in unix socket code when closing a socket that has
already sent a recv/send event.

When doing isc_socket_cancel we need to purge the event that might
already be in flight. If it has been launched already we need
to inform it that it has to bail.
2019-05-09 18:48:06 +02:00
Ondřej Surý
0dced2fa6a Make lib/dns/gen.c compatible with reproducible builds.
The gen.c will now use SOURCE_DATE_EPOCH[1] if found in environment
to make the build more reproducible build friendly.

1. https://reproducible-builds.org/specs/source-date-epoch/

(cherry picked from commit c8cb612d39)
2019-05-09 16:05:38 +07:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
702cc2dde3 enforce known SSHFP finger print lengths
(cherry picked from commit 1722728c80)
2019-05-09 08:49:19 +10:00
Mark Andrews
595544329a fix whitespace
(cherry picked from commit 32ba5a0494)
2019-05-07 10:28:48 +10:00
Mark Andrews
333116ac5c return rdatasets when processing ANY queries in client_resfind
(cherry picked from commit 127333c71f)
2019-05-07 10:28:47 +10:00
Tinderbox User
7c6b5f2eaa prep 9.11.6-P1
(cherry picked from commit 6195f229b6)
2019-04-25 15:55:59 +02:00
Evan Hunt
c47ccf630f refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
  for new connections on the interface, we can now force attachment to the
  quota using isc_quota_force(), instead of carrying on with the quota not
  attached.
- the TCP client quota is now referenced via a reference-counted
  'ns_tcpconn' object, one of which is created whenever a client begins
  listening for new connections, and attached to by members of that
  client's pipeline group. when the last reference to the tcpconn
  object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function.
- convert counters to atomic.

(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
(cherry picked from commit 13f7c918b8)
2019-04-25 15:04:26 +02:00
Mark Andrews
ac77f8df02 using 0 instead of false
(cherry picked from commit da7f683abf)
2019-04-23 11:46:12 +10:00
Ondřej Surý
de4fe3ed32 On non-GNUC systems, use uintmax_t in the ISC_ALIGN macro
(cherry picked from commit 2e40cc94dc)
2019-04-18 13:18:10 +02:00
Ondřej Surý
376800b2ad Refactor the DNS_RDATASET_FIXED code to use constants instead of ifdefs
(cherry picked from commit 4edbb773a1)
2019-04-17 11:34:49 +02:00
Matthijs Mekking
4af2d5b6d6 With update-check-ksk also consider offline keys
The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records.  It will make sure the keys are
active and available.  However, for operational practices keys may
be offline.  This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.

(cherry picked from commit 3cb8c49c73)
(cherry picked from commit b508cffeee3bfb8bc7dcf39db59ec3782a5d9e4c)
2019-04-12 15:57:31 +02:00
Matthijs Mekking
9079ae03c7 Style: some curly brackets
(cherry picked from commit 2e83e3255a)
(cherry picked from commit 42b0bf4d3bab180876d4803fe2ec1f6e93064b28)
2019-04-12 15:57:15 +02:00
Mark Andrews
cba5989651 Add debug printfs
(cherry picked from commit b78e128a2f)
2019-04-11 19:52:38 +10:00
Mark Andrews
f3922dd9c1 Prevent WIRE_INVALID() being called without a argument
(cherry picked from commit e73a5b0ce3)
2019-04-11 19:51:06 +10:00
Mark Andrews
478de1f761 Check multi-line output from dns_rdata_tofmttext()
Check that multi-line output from dns_rdata_tofmttext() can be read
back in by dns_rdata_fromtext().

(cherry picked from commit b089f43b7a)
2019-04-11 19:51:06 +10:00
Mark Andrews
c6ca84a0c8 Process master file comments and make input invalid again
(cherry picked from commit 1a75a5cee6)
2019-04-11 19:51:05 +10:00
Mark Andrews
1a036f324f Set 'specials' to match 'specials' in 'lib/dns/master.c'
(cherry picked from commit 7941a9554f)
2019-04-11 19:51:05 +10:00
Mark Andrews
2c5652067f Fix whitespace so that the names align
(cherry picked from commit cc5e16e4d3)
2019-04-11 19:50:41 +10:00
Mark Andrews
8a7255c9fc Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.

(cherry picked from commit 36f30f5731)
2019-04-11 19:48:02 +10:00
Mark Andrews
4e4d7d5b8b add ds unit test
(cherry picked from commit 6eb28eda1e)
2019-04-10 15:44:00 +10:00
Mark Andrews
8df14d2f89 enforce DS hash exists
(cherry picked from commit b274f3fad7)
2019-04-10 14:44:23 +10:00
Mark Andrews
94e852bdcf check that from fromtext produces valid towire input
(cherry picked from commit 7b0a653858)
2019-04-10 13:24:42 +10:00
Mark Andrews
b35eacbad2 for rkey flags MUST be zero
(cherry picked from commit 82d4931440)
2019-04-09 14:27:11 +10:00
Mark Andrews
bbd7a496be check flags for no key in fromwire for *KEY
(cherry picked from commit 2592e91516)
2019-04-09 14:27:03 +10:00
Witold Kręcicki
736d8c5b80 Fix assertion failure in nslookup/dig/mdig when message has multiple SIG(0) options.
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.

(cherry picked from commit 51a55ddbb7)
2019-03-26 21:32:41 +11:00
Ondřej Surý
c927beea2d Make lib/dns/dnstap.pb-c.h private header
This changes dns_dtdata struct to not expose data types from dnstap.pb-c.h to
prevent the need for including this header where not really needed.

(cherry picked from commit 8ccce7e24b)
2019-03-22 12:08:16 +01:00
Mark Andrews
96b9f0340a Disallow empty ZONEMD hashes
This change is the result of discussions with the authors of
draft-wessels-dns-zone-digest.

(cherry picked from commit 473987d8d9)
2019-03-22 06:52:32 +11:00
Mark Andrews
30f10bf79e add brackets for multi-line output
(cherry picked from commit 40a770b932)
2019-03-21 20:26:52 +11:00
Mark Andrews
98a37c9aba add #include <isc/util.h> 2019-03-20 11:41:51 +11:00
Petr Menšík
6992c50240 Fix regression in dnstap_test with native pkcs11
Change to cmocka broken initialization of TZ environment. This time,
commit 1cf1254051 is not soon enough. Has
to be moved more forward, before any other tests. It library is not full
reinitialized on each test.

(cherry picked from commit 71c4fad592)
2019-03-15 16:19:44 +11:00
Petr Mensik
5480d26da4 Workaround to kyua bug
Kyua 0.13 is not able to correctly handle whole test skipping.
Make workaround to it, include skipping message.
2019-03-14 14:19:45 -07:00
Mark Andrews
8a85e3d924 force promotion to unsigned int
(cherry picked from commit 1eba2c5b06)
2019-03-14 13:53:04 -07:00