Commit Graph
7916 Commits
Author SHA1 Message Date
Ondřej Surý 78543ad5a7 Fix off-by-one error when calculating new hashtable size
When calculating the new hashtable bitsize, there was an off-by-one
error that would allow the new bitsize to be larger than maximum allowed
causing assertion failure in the rehash() function.
2020-08-28 16:21:21 +02:00
Mark AndrewsandOndřej Surý 2ca4d35037 Refactor totext_loc 2020-08-26 15:31:31 +02:00
Mark AndrewsandOndřej Surý 337cc878fa Correctly encode LOC records with non integer negative altitudes. 2020-08-26 15:31:31 +02:00
Mark AndrewsandOndřej Surý 888dfd78c7 Check LOC's altitude field is properly parsed and encoded. 2020-08-26 15:31:31 +02:00
Mark AndrewsandOndřej Surý 9225c67835 Tighten LOC parsing to reject period and/or m as a value. 2020-08-26 15:31:31 +02:00
Ondřej SurýandMark Andrews 01684cc219 Use the Fibonacci Hashing for the RBTDB glue table
The rbtdb version glue_table has been refactored similarly to rbt.c hash
table, so it does use 32-bit hash function return values and apply
Fibonacci Hashing to lookup the index to the hash table instead of
modulo.  For more details, see the lib/dns/rbt.c commit log.
2020-08-26 21:16:04 +10:00
Mark Andrews 33d0e8d168 rbtversion->glue_table_size must be read when holding a lock 2020-08-26 21:16:04 +10:00
Mark AndrewsandOndřej Surý a347641782 Cast the original rcode to (dns_ttl_t) when setting extended rcode
Shifting (signed) integer left could trigger undefined behaviour when
the shifted value would overflow into the sign bit (e.g. 2048).

The issue was found when using AFL++ and UBSAN:

    message.c:2274:33: runtime error: left shift of 2048 by 20 places cannot be represented in type 'int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior message.c:2274:33 in
2020-08-25 14:10:05 +00:00
Michal Nowak dd425254a7 Fix warnings in when build with --enable-buffer-useinline
sockaddr.c:147:49: error: pointer targets in passing argument 2 of ‘isc__buffer_putmem’ differ in signedness
    rdata.c:1780:30: error: pointer targets in passing argument 2 of ‘isc__buffer_putmem’ differ in signedness
2020-08-25 16:02:55 +02:00
Evan Hunt d7362ff16d Merge tag 'v9_17_4' into main
BIND 9.17.4
2020-08-20 12:05:01 -07:00
Mark AndrewsandOndřej Surý 8452404bd7 A6: return FORMERR in fromwire if bits are non zero.
oss_fuzz: Issue 24864: bind9:dns_rdata_fromwire_text_fuzzer: Overwrites-const-input in dns_rdata_fromwire_text_fuzzer
2020-08-18 11:04:05 +02:00
Mark AndrewsandOndřej Surý f6d7b8c20d RRSIG: reject records with empty SIG section 2020-08-18 11:04:05 +02:00
Mark Andrews 7e49689746 X25: Check that record is all ASCII digits 2020-08-13 23:06:55 +10:00
Mark Andrews 9d446142d8 WKS: reject records with zero octets at the end of the bitmap 2020-08-13 23:06:55 +10:00
Mark Andrews 3429c35f52 TLSA: fix fromwire length checks 2020-08-13 23:06:55 +10:00
Mark Andrews 9b93e5d684 SIG: reject records with a zero length signature 2020-08-13 23:06:55 +10:00
Mark Andrews 73dd849655 NXT: fix fromwire bitmap checks 2020-08-13 23:06:55 +10:00
Mark Andrews 7dc8e720ff NSEC3PARAM: check that saltlen is consistent with the rdata length 2020-08-13 23:06:55 +10:00
Mark Andrews 031ee9e279 NSEC3: reject records with a zero length hash field 2020-08-13 23:06:55 +10:00
Mark Andrews d7f7014803 IPSECKEY: require non-zero length public keys 2020-08-13 23:06:55 +10:00
Mark Andrews a238f37239 CERT: reject records with a empty certificate field 2020-08-13 23:06:55 +10:00
Mark Andrews 3c492b3ef1 Get rid of type 'RESERVED0'. 2020-08-13 23:06:55 +10:00
Mark Andrews 0b2555e8cf Address use after free between view, resolver and nta.
Hold a weak reference to the view so that it can't go away while
nta is performing its lookups.  Cancel nta timers once all external
references to the view have gone to prevent them triggering new work.
2020-08-11 11:00:49 +10:00
Mark Andrews c9f019c931 Update managed keys log messages to be less confusing. 2020-08-11 00:10:10 +00:00
Ondřej SurýandMichał Kępień 9a2a819817 Reduce the default RBT hash table size to 16 entries (4 bits)
The hash table rework MRs (!3865, !3871) increased the default RBT hash
table size from 64 to 65,536 entries (for 64-bit architectures, that is
512 bytes before vs. 524,288 bytes after).  This works fine for RBTs
used for cache databases, but since three separate RBT databases are
created for every zone loaded (RRs, NSEC, NSEC3), memory usage would
skyrocket when BIND 9 is used as an authoritative DNS server with many
zones.

The default RBT hash table size before the rework was 64 entries, this
commit reduces it to 16 entries because our educated guess is that most
zones are just couple of entries (SOA, NS, A, AAAA, MX) and rehashing
small hash tables is actually cheap.  The rework we did in the previous
MRs tries to avoid growing the hash tables for big-to-huge caches where
growing the hash table comes at a price because the whole cache needs to
be locked.

(cherry picked from commit 1e043a011b)
2020-08-10 12:08:09 +02:00
Ondřej Surý 1e043a011b Reduce the default RBT hash table size to 16 entries (4 bits)
The hash table rework MRs (!3865, !3871) increased the default RBT hash
table size from 64 to 65,536 entries (for 64-bit architectures, that is
512 bytes before vs. 524,288 bytes after).  This works fine for RBTs
used for cache databases, but since three separate RBT databases are
created for every zone loaded (RRs, NSEC, NSEC3), memory usage would
skyrocket when BIND 9 is used as an authoritative DNS server with many
zones.

The default RBT hash table size before the rework was 64 entries, this
commit reduces it to 16 entries because our educated guess is that most
zones are just couple of entries (SOA, NS, A, AAAA, MX) and rehashing
small hash tables is actually cheap.  The rework we did in the previous
MRs tries to avoid growing the hash tables for big-to-huge caches where
growing the hash table comes at a price because the whole cache needs to
be locked.
2020-08-10 10:31:19 +02:00
Matthijs Mekking 46fcd927e7 rndc dnssec -checkds set algorithm
In the rare case that you have multiple keys acting as KSK and that
have the same keytag, you can now set the algorithm when calling
'-checkds'.
2020-08-07 11:26:09 +02:00
Matthijs Mekking a25f49f153 Make 'parent-registration-delay' obsolete
With the introduction of 'checkds', the 'parent-registration-delay'
option becomes obsolete.
2020-08-07 11:26:09 +02:00
Matthijs Mekking e3eb55fd1c Fix time printing in key files
Don't strip off the final character when printing times in key files.

With the introduction of 'rndc dnssec -status' we introduced
'isc_stdtime_tostring()'. This changed in behavior such that it was no
longer needed to strip of the final '\n' of the string format
datetime. However, in 'printtime()' it still stripped the final
character.
2020-08-07 11:26:09 +02:00
Matthijs Mekking 04d8fc0143 Implement 'rndc dnssec -checkds'
Add a new 'rndc' command 'dnssec -checkds' that allows the user to
signal named that a new DS record has been seen published in the
parent, or that an existing DS record has been withdrawn from the
parent.

Upon the 'checkds' request, 'named' will write out the new state for
the key, updating the 'DSPublish' or 'DSRemoved' timing metadata.

This replaces the "parent-registration-delay" configuration option,
this was unreliable because it was purely time based (if the user
did not actually submit the new DS to the parent for example, this
could result in an invalid DNSSEC state).

Because we cannot rely on the parent registration delay for state
transition, we need to replace it with a different guard. Instead,
if a key wants its DS state to be moved to RUMOURED, the "DSPublish"
time must be set and must not be in the future. If a key wants its
DS state to be moved to UNRETENTIVE, the "DSRemoved" time must be set
and must not be in the future.

By default, with '-checkds' you set the time that the DS has been
published or withdrawn to now, but you can set a different time with
'-when'. If there is only one KSK for the zone, that key has its
DS state moved to RUMOURED. If there are multiple keys for the zone,
specify the right key with '-key'.
2020-08-07 11:26:09 +02:00
Michał Kępień b096a038e3 Update library API versions 2020-08-06 09:10:06 +02:00
Ondřej SurýandMichał Kępień 6b7629f323 Fix crash in pk11_numbits() when native-pkcs11 is used
When pk11_numbits() is passed a user provided input that contains all
zeroes (via crafted DNS message), it would crash with assertion
failure.  Fix that by properly handling such input.
2020-08-05 15:51:29 +02:00
Mark AndrewsandMichał Kępień 70a71de9c9 Always keep a copy of the message
this allows it to be available even when dns_message_parse()
returns a error.
2020-08-05 15:47:14 +02:00
Evan HuntandMichał Kępień 51c9ea98a3 permanently disable QNAME minimization in a fetch when forwarding
QNAME minimization is normally disabled when forwarding. if, in the
course of processing a fetch, we switch back to normal recursion at
some point, we can't safely start minimizing because we may have
been left in an inconsistent state.
2020-08-05 15:43:52 +02:00
Ondřej SurýandMatthijs Mekking 6ffa2ddae0 Expire the 0 TTL RRSet quickly rather using them for serve-stale
When a received RRSet has TTL 0, they would be preserved for
serve-stale (default `max-stale-cache` is 12 hours) rather than expiring
them quickly from the cache database.

This commit makes sure the RRSet didn't have TTL 0 before marking the
entry in the database as "stale".
2020-08-04 10:50:31 +02:00
Mark Andrews bde5c7632a Always check the return from isc_refcount_decrement.
Created isc_refcount_decrement_expect macro to test conditionally
the return value to ensure it is in expected range.  Converted
unchecked isc_refcount_decrement to use isc_refcount_decrement_expect.
Converted INSIST(isc_refcount_decrement()...) to isc_refcount_decrement_expect.
2020-07-31 10:15:44 +10:00
Michał Kępień 953d704bd2 Fix idle timeout for connected TCP sockets
When named acting as a resolver connects to an authoritative server over
TCP, it sets the idle timeout for that connection to 20 seconds.  This
fixed timeout was picked back when the default processing timeout for
each client query was hardcoded to 30 seconds.  Commit
000a8970f8 made this processing timeout
configurable through "resolver-query-timeout" and decreased its default
value to 10 seconds, but the idle TCP timeout was not adjusted to
reflect that change.  As a result, with the current defaults in effect,
a single hung TCP connection will consistently cause the resolution
process for a given query to time out.

Set the idle timeout for connected TCP sockets to half of the client
query processing timeout configured for a resolver.  This allows named
to handle hung TCP connections more robustly and prevents the timeout
mismatch issue from resurfacing in the future if the default is ever
changed again.
2020-07-30 10:58:39 +02:00
Diego FronzaandEvan Hunt c2928c2ed4 Fix rpz wildcard name matching
Whenever an exact match is found by dns_rbt_findnode(),
the highest level node in the chain will not be put into
chain->levels[] array, but instead the chain->end
pointer will be adjusted to point to that node.

Suppose we have the following entries in a rpz zone:
example.com     CNAME rpz-passthru.
*.example.com   CNAME rpz-passthru.

A query for www.example.com would result in the
following chain object returned by dns_rbt_findnode():

chain->level_count = 2
chain->level_matches = 2
chain->levels[0] = .
chain->levels[1] = example.com
chain->levels[2] = NULL
chain->end = www

Since exact matches only care for testing rpz set bits,
we need to test for rpz wild bits through iterating the nodechain, and
that includes testing the rpz wild bits in the highest level node found.

In the case of an exact match, chain->levels[chain->level_matches]
will be NULL, to address that we must use chain->end as the start point,
then iterate over the remaining levels in the chain.
2020-07-24 11:34:40 -07:00
Mark Andrews 78db46d746 Check walking the hip rendezvous servers.
Also fixes extraneous white space at end of record when
there are no rendezvous servers.
2020-07-24 04:15:56 +00:00
Ondřej Surý a9182c89a6 Change the dns_name hashing to use 32-bit values
Change the dns_hash_name() and dns_hash_fullname() functions to use
isc_hash32() as the maximum hashtable size in rbt is 0..UINT32_MAX
large.
2020-07-21 08:44:26 +02:00
Ondřej Surý e24bc324b4 Fix the rbt hashtable and grow it when setting max-cache-size
There were several problems with rbt hashtable implementation:

1. Our internal hashing function returns uint64_t value, but it was
   silently truncated to unsigned int in dns_name_hash() and
   dns_name_fullhash() functions.  As the SipHash 2-4 higher bits are
   more random, we need to use the upper half of the return value.

2. The hashtable implementation in rbt.c was using modulo to pick the
   slot number for the hash table.  This has several problems because
   modulo is: a) slow, b) oblivious to patterns in the input data.  This
   could lead to very uneven distribution of the hashed data in the
   hashtable.  Combined with the single-linked lists we use, it could
   really hog-down the lookup and removal of the nodes from the rbt
   tree[a].  The Fibonacci Hashing is much better fit for the hashtable
   function here.  For longer description, read "Fibonacci Hashing: The
   Optimization that the World Forgot"[b] or just look at the Linux
   kernel.  Also this will make Diego very happy :).

3. The hashtable would rehash every time the number of nodes in the rbt
   tree would exceed 3 * (hashtable size).  The overcommit will make the
   uneven distribution in the hashtable even worse, but the main problem
   lies in the rehashing - every time the database grows beyond the
   limit, each subsequent rehashing will be much slower.  The mitigation
   here is letting the rbt know how big the cache can grown and
   pre-allocate the hashtable to be big enough to actually never need to
   rehash.  This will consume more memory at the start, but since the
   size of the hashtable is capped to `1 << 32` (e.g. 4 mio entries), it
   will only consume maximum of 32GB of memory for hashtable in the
   worst case (and max-cache-size would need to be set to more than
   4TB).  Calling the dns_db_adjusthashsize() will also cap the maximum
   size of the hashtable to the pre-computed number of bits, so it won't
   try to consume more gigabytes of memory than available for the
   database.

   FIXME: What is the average size of the rbt node that gets hashed?  I
   chose the pagesize (4k) as initial value to precompute the size of
   the hashtable, but the value is based on feeling and not any real
   data.

For future work, there are more places where we use result of the hash
value modulo some small number and that would benefit from Fibonacci
Hashing to get better distribution.

Notes:
a. A doubly linked list should be used here to speedup the removal of
   the entries from the hashtable.
b. https://probablydance.com/2018/06/16/fibonacci-hashing-the-optimization-that-the-world-forgot-or-a-better-alternative-to-integer-modulo/
2020-07-21 08:44:26 +02:00
Michał Kępień 97a2733ef9 Update library API versions 2020-07-15 22:54:13 +02:00
Matthijs Mekking e645d2ef1e Check return value of dst_key_getbool()
Fix Coverity CHECKED_RETURN reports for dst_key_getbool().  In most
cases we do not really care about its return value, but it is prudent
to check it.

In one case, where a dst_key_getbool() error should be treated
identically as success, cast the return value to void and add a relevant
comment.
2020-07-14 12:53:54 +00:00
Mark Andrews 488eef63ca Only call gsskrb5_register_acceptor_identity if we have gssapi_krb5.h. 2020-07-14 08:55:13 +10:00
Mark Andrews 827746e89b Assert tsigout is non-NULL 2020-07-13 02:26:06 +00:00
Mark Andrews 9499adeb5e check returns from inet_pton() 2020-07-13 00:31:29 +00:00
Michał Kępień 53120279b5 Fix locking for LMDB 0.9.26
When "rndc reconfig" is run, named first configures a fresh set of views
and then tears down the old views.  Consider what happens for a single
view with LMDB enabled; "envA" is the pointer to the LMDB environment
used by the original/old version of the view, "envB" is the pointer to
the same LMDB environment used by the new version of that view:

 1. mdb_env_open(envA) is called when the view is first created.
 2. "rndc reconfig" is called.
 3. mdb_env_open(envB) is called for the new instance of the view.
 4. mdb_env_close(envA) is called for the old instance of the view.

This seems to have worked so far.  However, an upstream change [1] in
LMDB which will be part of its 0.9.26 release prevents the above
sequence of calls from working as intended because the locktable mutexes
will now get destroyed by the mdb_env_close() call in step 4 above,
causing any subsequent mdb_txn_begin() calls to fail (because all of the
above steps are happening within a single named process).

Preventing the above scenario from happening would require either
redesigning the way we use LMDB in BIND, which is not something we can
easily backport, or redesigning the way BIND carries out its
reconfiguration process, which would be an even more severe change.

To work around the problem, set MDB_NOLOCK when calling mdb_env_open()
to stop LMDB from controlling concurrent access to the database and do
the necessary locking in named instead.  Reuse the view->new_zone_lock
mutex for this purpose to prevent the need for modifying struct dns_view
(which would necessitate library API version bumps).  Drop use of
MDB_NOTLS as it is made redundant by MDB_NOLOCK: MDB_NOTLS only affects
where LMDB reader locktable slots are stored while MDB_NOLOCK prevents
the reader locktable from being used altogether.

[1] https://git.openldap.org/openldap/openldap/-/commit/2fd44e325195ae81664eb5dc36e7d265927c5ebc
2020-07-10 11:29:18 +02:00
Mark Andrews 092a159dcd Adjust range limit of unknown meta types 2020-07-08 02:04:16 +00:00
Ondřej SurýandMark Andrews 81d4230e60 Update STALE and ANCIENT header attributes atomically
The ThreadSanitizer found a data race when updating the stale header.
Instead of trying to acquire the write lock and failing occasionally
which would skew the statistics, the dns_rdatasetheader_t.attributes
field has been promoted to use stdatomics.  Updating the attributes in
the mark_header_ancient() and mark_header_stale() now uses the cmpxchg
to update the attributes forfeiting the need to hold the write lock on
the tree.  Please note that mark_header_ancient() still needs to hold
the lock because .dirty is being updated in the same go.
2020-07-08 10:50:52 +10:00
Mark Andrews 2fa2dbd5fb remove redundant rctx != NULL check 2020-07-05 23:52:19 +00:00