Commit Graph

34288 Commits

Author SHA1 Message Date
Mark Andrews
8f23d56fba Check the cache as well when glue NS are returned processing RPZ
(cherry picked from commit 8fb72012e3)
2022-05-04 23:53:21 +10:00
Mark Andrews
8c2ede6edc Process learned records as well as glue
(cherry picked from commit 07c828531c)
2022-05-04 23:53:21 +10:00
Mark Andrews
13129872eb Process the delegating NS RRset when checking rpz rules
(cherry picked from commit cf97c61f48)
2022-05-04 23:53:21 +10:00
Mark Andrews
967e5e09cd Add test cases using static and static-stub zones
RPZ NSIP and NSDNAME checks were failing with "unrecognized NS
rpz_rrset_find() failed: glue" when static or static-stub zones
where used to resolve the query name.

Add tests using stub and static-stub zones that are expected to
be filtered and not-filtered against NSIP and NSDNAME rules.

stub and static-stub queries are expected to be filtered

stub-nomatch and static-stub-nomatch queries are expected to be passed

(cherry picked from commit 30cb70c826)
2022-05-04 23:53:21 +10:00
Ondřej Surý
5d4e19ae05 Merge branch 'ondrej-add-missing-void-in-named_config_default-v9_16' into 'v9_16'
Add missing void in named_config_getdefault() definition [v9.16]

See merge request isc-projects/bind9!6261
2022-05-04 11:05:53 +00:00
Ondřej Surý
7a8e6d67a5 Add missing void in named_config_getdefault() definition
The named_config_getdefault() was missing void in the function
definition.  This broke clang-15 that didn't match the declaration that
had the void in the argument with the definition that hadn't.
2022-05-04 13:03:51 +02:00
Mark Andrews
c76a6349eb Merge branch '3266-rndc-system-test-fails-due-to-rate-limit-of-built-in-_bind-view-v9_16' into 'v9_16'
Improve forensics for the querylog section of rndc system test

See merge request isc-projects/bind9!6246
2022-05-02 19:54:44 +00:00
Mark Andrews
8ae4fda54a Improve forensics for the querylog section of rndc system test
The dig commands appear to be failing unexpectedly on some platforms
when rate limiting kicks in and the response is dropped.  Correct
behaviour should be for dig to retry the query.  Set +qr and capture
stdout and stderr of each of the dig commands involved.

(cherry picked from commit 614cf5a030)
2022-05-03 00:19:37 +10:00
Mark Andrews
3ad550f17a Merge branch '3307-socket-c-5111-setsockopt-20-ipv6_v6only-failed-invalid-argument-on-openbsd' into 'v9_16'
Resolve "socket.c:5111: setsockopt(20, IPV6_V6ONLY) failed: Invalid argument on OpenBSD"

See merge request isc-projects/bind9!6208
2022-05-02 04:27:49 +00:00
Mark Andrews
2a9ab8a732 Don't try to set IPV6_V6ONLY on OpenBSD
OpenBSD IPv6 sockets are always IPv6-only, so the socket option is read-only (not modifiable)
2022-05-02 14:09:31 +10:00
Matthijs Mekking
fe23b6e020 Merge branch 'matthijs-kasp-system-test-failure-v9_16' into 'v9_16'
[v9_16] Fix kasp system test failures

See merge request isc-projects/bind9!6237
2022-04-29 12:26:05 +00:00
Matthijs Mekking
22f3c453f0 Fix a kasp system test bug
In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they
are present in the DNSKEY RRset if they should be.

However, we only grep the dig output for the first seven fields (owner,
ttl, class, type, flags, protocol, algorithm). This can be the same
for different keys.

For example, KEY1 may be KSK predecessor and KEY2 a KSK successor,
both DNSKEY records for these keys are the same up to the public key
field. This can cause test failures if KEY1 needs to be present, but
KEY2 not, because when grepping for KEY2 we will falsely detect the
key to be present (because the grep matches KEY1).

Fix the function by grepping looking for the first seven fields in the
corresponding key file and retrieve the public key part. Grep for this
in the dig output.

(cherry picked from commit 3e1d09ac66)
2022-04-29 13:59:49 +02:00
Matthijs Mekking
3625cf1f63 Minor fixes in kasp system test
Fix two typos and two grep calls.

(cherry picked from commit 2b34b326fc)
2022-04-29 13:59:41 +02:00
Petr Špaček
a62a672ce0 Merge branch 'feature/main/default-config-print-v9_16' into 'v9_16'
Export built-in default configuration for named binary [v9_16]

See merge request isc-projects/bind9!6235
2022-04-29 10:40:57 +00:00
Petr Menšík
c1127e3550 Export built-in default configuration for named binary
It might be useful to display built-in configuration with all its
values. It should make it easier to test what default values has changed
in a new release.

Related: #1326
(cherry picked from commit cf722d18b3)
2022-04-29 12:26:46 +02:00
Arаm Sаrgsyаn
fa9db55d59 Merge branch '3278-dig-+nssearch-hang-v9_16' into 'v9_16'
Resolve "dig +nssearch sometimes hangs in BIND v9.16, with an assertion failure after "ctrl+c"

See merge request isc-projects/bind9!6125
2022-04-29 10:00:34 +00:00
Aram Sargsyan
ab4ec2278e Add CHANGES note for [GL #3278] 2022-04-29 09:10:44 +00:00
Aram Sargsyan
1f2d2611ee Fix dig +nssearch race between recv_done() and send_done()
The `send_done()` callback needs to access query's `link.next` pointer
when running in `+nssearch` mode, even if the query is already canceled
or serviced, which can happen when `recv_done()` happens to be called
earlier than `send_done()`.

Keep the next query's pointer before unlinking the query from the
lookup's queries list in `clear_query()` so that `send_done()` can
use it even if the query is cleared.
2022-04-29 09:09:39 +00:00
Aram Sargsyan
e3b058bbcd Print more lookup and query pointers in dighost.c debug messages
Printing the pointers makes it clear, for example, for which query
exactly a recv_done() or send_done() callback was called, which
helps investigating and debugging issues easier.
2022-04-29 09:09:39 +00:00
Arаm Sаrgsyаn
6aac98bfa0 Merge branch '3313-dlz_ldap_driver.c-fix-fallthrough-v9_16' into 'v9_16'
Add missing FALLTHROUGH macros in a switch statement

See merge request isc-projects/bind9!6222
2022-04-29 07:48:23 +00:00
Aram Sargsyan
930cfe7d0f Add missing FALLTHROUGH macros in a switch statement
dzl_ldap_driver.c was missing some FALLTHROUGH macros in a switch
statement resulting in compiler warnings and a failed build when
configured with `--with-dlz-ldap` option.
2022-04-29 07:13:53 +00:00
Mark Andrews
44b8eea09e Merge branch 'bug/main/new-zones-dir-null-v9_16' into 'v9_16'
Don't test new-zones-directory argument validity

See merge request isc-projects/bind9!6231
2022-04-29 02:08:11 +00:00
Petr Menšík
c1b3862c4a Additional safety check for negative array index
inet_ntop result should always protect against empty string accepted
without an error. Make additional check to satisfy coverity scans.

(cherry picked from commit 656a0f076f)
2022-04-29 11:46:33 +10:00
Petr Menšík
1e88c0196c Initialize printed buffer
- var_decl: Declaring variable "tbuf" without initializer
- assign: Assigning: "target.base" = "tbuf", which points to
  uninitialized data
- assign: Assigning: "r.base" = "target.base", which points to
  uninitialized data

I expect it would correctly initialize length always. Add simple
initialization to silent coverity.

(cherry picked from commit 59132bd3ec)
2022-04-29 11:46:33 +10:00
Petr Menšík
1bc7552203 Ensure diff variable is not read uninitialized
Coverity detected issues:
- var_decl: Declaring variable "diff" without initializer.
- uninit_use_in_call: Using uninitialized value "diff.tuples.head" when
  calling "dns_diff_clear".

(cherry picked from commit 67e773c93c)
2022-04-29 11:46:33 +10:00
Petr Menšík
cde36497ba Don't test new-zones-directory argument validity
Parser ensures new-zones-directory has qstring parameter before it can
reach this place. dir == NULL then should never happen on any
configuration. Replace silent check with insist.

(cherry picked from commit 0a7d04367a)
2022-04-29 11:46:33 +10:00
Mark Andrews
a49ff2241f Merge branch '3306-undefined-macros-in-contrib-dlz-modules-wildcard-dlz_wildcard_dynamic-c-v9_16' into 'v9_16'
Define local instances of FALLTHROUGH and UNREACHABLE

See merge request isc-projects/bind9!6229
2022-04-29 01:16:30 +00:00
Mark Andrews
5e697b4f3c Add CHANGES note for [GL #3306]
(cherry picked from commit c57363fb7d)
2022-04-29 10:54:31 +10:00
Mark Andrews
13f8e879ab Define local instances of FALLTHROUGH and UNREACHABLE
FALLTHOUGH is a copy of how it is defined in <isc/util.h>

UNREACHABLE follows the model used in MacOS /usr/include/c++/v1/cstdlib
to determine if __builtin_ureachable is available

(cherry picked from commit 6d68a22954)
2022-04-29 10:53:54 +10:00
Mark Andrews
73a256f332 Merge branch '2813-build-named-with-dlz-is-broken-on-9-16-take-2' into 'v9_16'
Resolve "Build named with DLZ is broken on 9.16"

See merge request isc-projects/bind9!6227
2022-04-28 22:52:21 +00:00
Mark Andrews
4334674d93 Use MARIADB_BASE_VERSION instead of LIBMARIADB to detect Maria DB
It was discovered that MariaDB 10 didn't define LIBMARIADB leading
to compilation errors of MySQL DLZ modules on Debian stretch.

Use MARIADB_BASE_VERSION instead which is defined in all tested MariaDB
versions.
2022-04-29 07:13:57 +10:00
Ondřej Surý
9a2b1cf399 Merge branch '2813-build-named-with-dlz-is-broken-with-MariaDB-10-v9_16' into 'v9_16'
Use MARIADB_BASE_VERSION instead of LIBMARIADB to detect Maria DB [v9.16]

See merge request isc-projects/bind9!6226
2022-04-28 16:07:13 +00:00
Ondřej Surý
04c6d853c7 Use MARIADB_BASE_VERSION instead of LIBMARIADB to detect Maria DB
It was discovered that MariaDB 10 didn't define LIBMARIADB leading
to compilation errors of MySQL DLZ modules on Debian stretch.

Use MARIADB_BASE_VERSION instead which is defined in all tested MariaDB
versions.

(cherry picked from commit 5835aae694)
2022-04-28 18:05:24 +02:00
Mark Andrews
7351da4f24 Merge branch 'bug/v9_16/python3.11' into 'v9_16'
Move ignore case indication to flags passed to re

See merge request isc-projects/bind9!6157
2022-04-28 06:24:07 +00:00
Mark Andrews
236d39f20e Add CHANGES note for [GL !6157] 2022-04-28 16:05:03 +10:00
Petr Menšík
0ceba5a75a Remove universal newline mode when opening the file
It is default when open is called and obsolete. Removed in python 3.11,
where it triggers errors. Just use normal read-only text opening.
2022-04-28 05:38:42 +00:00
Petr Menšík
b98658a99a Move ignore case indication to flags passed to re
Recent python does not make parsetab.py successfully, because some token
regexp is starting with ?i flag. Remove that flag from regex and pass it
as extra flags parameter instead.
2022-04-28 05:38:42 +00:00
Petr Špaček
6800f552f2 Merge branch 'pspacek/pin-sphinx-packages-for-rtd-v9_16' into 'v9_16'
Pin Sphinx related package versions to match ReadTheDocs and our CI [v9_16]

See merge request isc-projects/bind9!6193
2022-04-27 12:36:26 +00:00
Petr Špaček
cf44faf6ae Pin Sphinx related package versions to match ReadTheDocs and our CI
This seems to be most appropriate way to ensure consistency between
release tarballs and public presentation on ReadTheDocs.

Previous attempt with removing docutils constraint, which relied on pip
depedency solver to pick the same packages as in CI was flawed. RTD
installs a bit different set of packages so it was inherently
unreliable.

As a result RTD pulled in sphinx-rtd-theme==0.4.3 while CI
had 1.0.0, and this inconsistency caused Table of Contents in Release
Notes to render incorrectly. Previous solution was to downgrade
docutils to < 0.17, but I think we should rather pin exact versions.

For the long history of messing with versions read also
isc-projects/bind9@2a8eda0084
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 6088ba3837)
2022-04-27 14:35:52 +02:00
Petr Špaček
fafa477c91 Merge branch 'pspacek/rtd-requirements-update-v9_16' into 'v9_16'
Fix mismatch between docutils version in CI and ReadTheDocs [v9_16]

See merge request isc-projects/bind9!6186
2022-04-26 13:49:59 +00:00
Petr Špaček
a5c06c0080 Fix mismatch between docutils version in CI and ReadTheDocs
Currently our CI images we use to build docs (which subsequently get
into release tarballs) are using docutils 0.17.1, which is latest version
which fulfills Sphinx 4.5.0 requirement for docutils < 0.18.

The old requirement for docutils < 0.17 was causing discrepancy between
the way we build release artifacts and the docs on ReadTheDocs.org which
uses doc/arm/requirements.txt from our repo.

Remove the limit for RDT with hope that it will pull latest permissible
version of docutils.

For the long history of messing with docutils version read also
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 2a8eda0084)
2022-04-26 15:48:46 +02:00
Ondřej Surý
a7f3951579 Merge branch 'ondrej-enforce-minimal-libuv-version-v9_16' into 'v9_16'
Abort when libuv at runtime mismatches libuv at compile time [v9.16]

See merge request isc-projects/bind9!6178
2022-04-26 10:21:26 +00:00
Ondřej Surý
4f30b16d96 Abort when libuv at runtime mismatches libuv at compile time
When we compile with libuv that has some capabilities via flags passed
to f.e. uv_udp_listen() or uv_udp_bind(), the call with such flags would
fail with invalid arguments when older libuv version is linked at the
runtime that doesn't understand the flag that was available at the
compile time.

Enforce minimal libuv version when flags have been available at the
compile time, but are not available at the runtime.  This check is less
strict than enforcing the runtime libuv version to be same or higher
than compile time libuv version.
2022-04-26 11:52:02 +02:00
Petr Špaček
64fb24a354 Merge branch '3294-support-ancient-sphinx' into 'v9_16'
Support Sphinx 1.6.7 again

See merge request isc-projects/bind9!6168
2022-04-26 09:34:28 +00:00
Petr Špaček
02f5e9c505 Support Sphinx 1.6.7 again
Older versions do not have "override" parameter in add_role_to_domain()
function signature. Luckily the override is _not_ required when
overidding the built-in standard domain roles for the first time, so we
just drop the paramter.

Tested with Sphinx 1.6.7 (does not have override) and Sphinx 4.5.0
(does have override).

Fixes: #3294
Related: !6086
2022-04-25 13:31:55 +02:00
Michał Kępień
2368359fe2 Merge branch '3297-use-setuptools-instead-of-distutils-if-possible' into 'v9_16'
Use setuptools instead of distutils if possible

See merge request isc-projects/bind9!6152
2022-04-22 10:38:12 +00:00
Michał Kępień
1f4667061f Use setuptools instead of distutils if possible
According to PEP 632 [1], the distutils module is considered deprecated
in Python 3.10 and will be removed in Python 3.12.  Setup scripts
using it should be migrated to the setuptools module, which contains
drop-in replacements for distutils functions [2].  The catch is that the
setuptools module is not part of the Python Standard Library.

While this problem could be addressed by adding a hard dependency on
setuptools, it only affects BIND 9.16, which is an Extended Support
Version.  To avoid unnecessary disruptions, try importing setup() from
the setuptools module and fall back to using distutils if that fails.
Add a PyLint suppression for this specific "deprecated-module" warning.

Since the setuptools module is not part of the Python Standard Library
and therefore it is not guaranteed that it is universally available in
every Python installation, update Python-related checks in configure.ac
to ensure Python module installation does not silently fail.

[1] https://peps.python.org/pep-0632/
[2] https://setuptools.pypa.io/en/latest/deprecated/distutils-legacy.html
2022-04-22 12:36:57 +02:00
Michał Kępień
eedf1df1f6 Merge branch '3287-prevent-memory-bloat-caused-by-a-jemalloc-quirk-v9_16' into 'v9_16'
[v9_16] Prevent memory bloat caused by a jemalloc quirk

See merge request isc-projects/bind9!6154
2022-04-21 12:45:48 +00:00
Michał Kępień
eb9a0c1fdd Add CHANGES entry for GL #3287
(cherry picked from commit e33aef4e39)
2022-04-21 14:23:59 +02:00
Michał Kępień
e850946557 Prevent memory bloat caused by a jemalloc quirk
Since version 5.0.0, decay-based purging is the only available dirty
page cleanup mechanism in jemalloc.  It relies on so-called tickers,
which are simple data structures used for ensuring that certain actions
are taken "once every N times".  Ticker data (state) is stored in a
thread-specific data structure called tsd in jemalloc parlance.  Ticks
are triggered when extents are allocated and deallocated.  Once every
1000 ticks, jemalloc attempts to release some of the dirty pages hanging
around (if any).  This allows memory use to be kept in check over time.

This dirty page cleanup mechanism has a quirk.  If the first
allocator-related action for a given thread is a free(), a
minimally-initialized tsd is set up which does not include ticker data.
When that thread subsequently calls *alloc(), the tsd transitions to its
nominal state, but due to a certain flag being set during minimal tsd
initialization, ticker data remains unallocated.  This prevents
decay-based dirty page purging from working, effectively enabling memory
exhaustion over time. [1]

The quirk described above has been addressed (by moving ticker state to
a different structure) in jemalloc's development branch [2], but not in
any numbered jemalloc version released to date (the latest one being
5.2.1 as of this writing).

Work around the problem by ensuring that every thread spawned by
isc_thread_create() starts with a malloc() call.  Avoid immediately
calling free() for the dummy allocation to prevent an optimizing
compiler from stripping away the malloc() + free() pair altogether.

An alternative implementation of this workaround was considered that
used a pair of isc_mem_create() + isc_mem_destroy() calls instead of
malloc() + free(), enabling the change to be fully contained within
isc__trampoline_run() (i.e. to not touch struct isc__trampoline), as the
compiler is not allowed to strip away arbitrary function calls.
However, that solution was eventually dismissed as it triggered
ThreadSanitizer reports when tools like dig, nsupdate, or rndc exited
abruptly without waiting for all worker threads to finish their work.

[1] https://github.com/jemalloc/jemalloc/issues/2251
[2] c259323ab3

(cherry picked from commit 7aa7b6474b)
2022-04-21 14:23:59 +02:00