Commit Graph

11348 Commits

Author SHA1 Message Date
Witold Kręcicki
8fffa3760d Post shutting down tasks always to manager 0 2018-10-24 07:06:57 +00:00
Witold Kręcicki
49eab869ba Separate structure for each thread/queue; 2-phase-locking for exclusive tasks 2018-10-24 07:06:57 +00:00
Witold Kręcicki
18b5f9dd92 Always restart dispatchers on empty readyq 2018-10-24 07:06:57 +00:00
Witold Kręcicki
cfb23c73f7 Taskmgr shutdown fixes 2018-10-24 07:06:57 +00:00
Witold Kręcicki
87e4e442d7 Multiple worker queues 2018-10-24 07:06:57 +00:00
Witold Krecicki
8447d2e80e isc_thread_setaffinity() 2018-10-24 07:06:57 +00:00
Mark Andrews
607c2d7441 free key on error 2018-10-23 20:19:07 -04:00
Michał Kępień
76d49c05be libirs: handle scoped IPv6 addresses in /etc/resolv.conf
Commonly used network configuration tools write scoped IPv6 nameserver
addresses to /etc/resolv.conf.  libirs only handles these when it is
compiled with -DIRS_HAVE_SIN6_SCOPE_ID, which is not the default, and
only handles numeric scopes, which is not what network configuration
tools typically use.  This causes dig to be practically unable to handle
scoped IPv6 nameserver addresses in /etc/resolv.conf.

Fix the problem by:

  - not requiring a custom compile-time flag to be set in order for
    scoped IPv6 addresses to be processed by getaddrinfo(),

  - parsing non-numeric scope identifiers using if_nametoindex(),

  - setting the sin6_scope_id field in struct sockaddr_in6 structures
    returned by getaddrinfo() even if the AI_CANONNAME flag is not set.
2018-10-23 14:50:00 +02:00
Mark Andrews
b6e2d7bca9 use ns_client_log 2018-10-23 12:15:25 +00:00
Mark Andrews
ffb9f721f0 log pre rrl check state 2018-10-23 12:15:25 +00:00
Mark Andrews
ba85bb1a85 whitespace 2018-10-23 12:15:04 +00:00
Mark Andrews
2b3b626cc1 set fctx->client to NULL 2018-10-23 12:15:04 +00:00
Mark Andrews
23766ff690 checkpoint 2018-10-23 12:15:04 +00:00
Witold Kręcicki
86246c7431 Initialize adbname->client properly; check for loops 2018-10-23 12:15:04 +00:00
Mark Andrews
2f36a62d16 use RUNTIME_CHECK 2018-10-23 12:15:04 +00:00
Mark Andrews
1a2a19c693 address fctx reference count leaks; style 2018-10-23 12:15:04 +00:00
Witold Kręcicki
f2af336dc4 Fix looping issues 2018-10-23 12:15:04 +00:00
Witold Kręcicki
70a1ba20ec QNAME miminimization should create a separate fetch context for each fetch -
this makes the cache more efficient and eliminates duplicates queries.
2018-10-23 12:15:04 +00:00
Witold Kręcicki
b5c9a8caad Set result to SERVFAIL if upstream responded with FORMERR
Commit ba91243542 causes the resolver to
respond to a client query with FORMERR when all upstream queries sent to
the servers authoritative for QNAME elicit FORMERR responses.  This
happens because resolver code returns DNS_R_FORMERR in such a case and
dns_result_torcode() acts as a pass-through for all arguments which are
already a valid RCODE.

The correct RCODE to set in the response returned to the client in the
case described above is SERVFAIL.  Make sure this happens by overriding
the RCODE in query_gotanswer(), on the grounds that any format errors in
the client query itself should be caught long before execution reaches
that point.  This change should not reduce query error logging accuracy
as the resolver code itself reports the exact reason for returning a
DNS_R_FORMERR result using log_formerr().
2018-10-23 13:50:27 +02:00
Ondřej Surý
4b47958163 Fix typo in isc_rwlock_pause() on sparc 2018-10-23 09:29:03 +02:00
Ondřej Surý
c4cee27f9b Add support for enabling and enforcing FIPS mode in OpenSSL:
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
2018-10-22 20:55:35 +02:00
Evan Hunt
e839972ee2 address unresolved externals 2018-10-19 00:49:53 -07:00
Evan Hunt
3f35ab8567 remove references to methods and app_api.c 2018-10-19 00:28:53 -07:00
Evan Hunt
c609a67ac7 change to bool constants; also fixed style error 2018-10-18 20:42:25 -07:00
Evan Hunt
09f58ab63f retain a minimal "methods" struct in the mctx
- this enables memory to be allocated and freed in dyndb modules
  when named is linked statically. when we standardize on libtool,
  this should become unnecessary.
- also, simplified the isc_mem_create/createx API by removing
  extra compatibility functions
2018-10-18 09:19:12 +00:00
Evan Hunt
6f7c9623c5 remove isc_bind9 usage from view.c 2018-10-18 09:19:12 +00:00
Evan Hunt
0e86fa16e8 complete removal of a few unneeded functions
- removed register functions from isc_app, isc_timer, isc_task
- added a task_p.h header for use by unit tests
2018-10-18 09:19:12 +00:00
Witold Kręcicki
38a127c35b Remove layering from isc_task, isc_app, isc_socket, isc_timer, isc_mem 2018-10-18 09:19:12 +00:00
Witold Kręcicki
cdbac34cba Get rid of isc_bind9 conditional 2018-10-18 09:19:12 +00:00
Michał Kępień
ba91243542 Do not set qctx->result to DNS_R_SERVFAIL unless necessary
In some cases, setting qctx->result to DNS_R_SERVFAIL causes the value
of a 'result' variable containing a more specific failure reason to be
effectively discarded.  This may cause certain query error log messages
to lack specificity despite a more accurate problem cause being
determined during query processing.

In other cases, qctx->result is set to DNS_R_SERVFAIL even though a more
specific error (e.g. ISC_R_NOMEMORY) could be explicitly indicated.

Since the response message's RCODE is derived from qctx->result using
dns_result_torcode(), which handles a number of possible isc_result_t
values and returns SERVFAIL for anything not explicitly listed, it is
fine to set qctx->result to something more specific than DNS_R_SERVFAIL
(in fact, this is already being done in a few cases).  Modify most
QUERY_ERROR() calls so that qctx->result is set to a more specific error
code when possible.  Adjust query_error() so that statistics are still
calculated properly.  Remove the RECURSE_ERROR() macro which was
introduced exactly because qctx->result could be set to DNS_R_SERVFAIL
instead of DNS_R_DUPLICATE or DNS_R_DROP, which need special handling.
Modify dns_sdlz_putrr() so that it returns DNS_R_SERVFAIL when a DLZ
driver returns invalid RDATA, in order to prevent setting RCODE to
FORMERR (which is what dns_result_torcode() translates e.g. DNS_R_SYNTAX
to) while responding authoritatively.
2018-10-08 12:47:28 +02:00
Michał Kępień
b3cd868c4b Remove the 'want_stale' field from struct query_ctx
As the previous commit makes the 'want_stale' field of struct query_ctx
redundant, remove it.
2018-10-08 12:47:28 +02:00
Michał Kępień
cb48d410d8 Set up stale response lookup before query_done() is called
When something goes wrong while recursing for an answer to a query,
query_gotanswer() sets a flag (qctx->want_stale) in the query context.
query_done() is subsequently called and it can either set up a stale
response lookup (if serve-stale is enabled) or conclude that a SERVFAIL
response should be sent.  This may cause confusion when looking at query
error logs since the QUERY_ERROR() line responsible for setting the
response's RCODE to SERVFAIL is not in a catch-all branch of a switch
statement inside query_gotanswer() (like it is for authoritative
responses) but rather in a code branch which appears to have something
to do with serve-stale, even when the latter is not enabled.

Extract the part of query_done() responsible for checking serve-stale
configuration and optionally setting up a stale response lookup into a
separate function, query_usestale(), shifting the responsibility for
setting the response's RCODE to SERVFAIL to the same QUERY_ERROR() line
in query_gotanswer() which is evaluated for authoritative responses.
2018-10-08 12:47:28 +02:00
Evan Hunt
c642f9970a move declaration to the top of the block 2018-10-05 11:13:54 -07:00
Tony Finch
7a2b0ac92a Fix crash at shutdown during an RPZ reload. [RT #46210] 2018-10-05 13:58:47 -04:00
Evan Hunt
f14445f13d remove references to deleted files 2018-10-05 09:10:40 -07:00
Ondřej Surý
5ccbb274d2 Remove HAVE_OPENSSL guard from openssl_shim.{c,h} and uncrustify it 2018-10-05 13:12:48 +02:00
Ondřej Surý
3994b1f9c2 Remove support for obsoleted and insecure DSA and DSA-NSEC3-SHA1 algorithms 2018-10-05 09:21:43 +02:00
Witold Kręcicki
87b07bf08a Fix creating and validating EdDSA signatures
Revert parts of commit c3b8130fe8 which
inadvertently broke creating and validating EdDSA signatures:

 1. EVP_DigestSignInit() returns 1 on success.

 2. EdDSA does not support streaming (EVP_Digest*Update() followed by
    EVP_Digest*Final()), only one shot operations.
2018-10-04 12:38:46 +02:00
Mark Andrews
f723a1247f Undo implict promotion to 64 bits in our Windows implementation of atomic_load_explicit() by casting to uint_fast32_t. 2018-10-04 06:59:28 +10:00
Evan Hunt
51c6f4b682 extend DNSTAP to record UPDATE requests and responses as a separate type 2018-10-03 01:03:56 -07:00
Evan Hunt
395f6a1474 make update_log() work if zone is not set
- update_log() is called to log update errors, but if those errors
  occur before the zone is set (for example, when returning NOTAUTH)
  it returns without logging anything.
2018-10-03 02:09:26 -04:00
Mark Andrews
d4cc0b98de use PRIuFAST32 instead of PRIdFAST32 2018-10-03 07:59:18 +10:00
Mark Andrews
0fc1b1bffa improve case presevation 2018-10-02 15:09:32 +10:00
Evan Hunt
b4dca44ad2 fix chaosnet address comparison 2018-09-28 00:42:03 -07:00
Evan Hunt
2b61b83199 check both allow-query-cache and allow-query-cache-on 2018-09-27 21:48:44 -07:00
Evan Hunt
6a3afe2778 fix a formatting error in logged RPZ error messages 2018-09-27 19:59:21 -04:00
Tony Finch
9407d9e266 RPZ now treats covering NSEC records the same as negative answers 2018-09-27 14:53:34 -07:00
Mark Andrews
ac1c3aaa27 only emit a single space between mac length and the orginal id if the mac length is zero 2018-09-27 16:34:49 -04:00
Zhaolong Zhang
21966423cd Fix crash caused by race condition in timer creation
The race condition is the timer elapses before isc__timer_create()
returns the pointer to the caller.  Assigning the return pointer before
enabling the timer will fix it.
2018-09-27 15:17:52 +02:00
Michał Kępień
56003e9f9f Prevent a race after zone load
Zone loading happens in a different task (zone->loadtask) than other
zone actions (zone->task).  Thus, when zone_postload() is called in the
context of zone->loadtask, it may cause zone maintenance to be queued in
zone->task and another thread can then execute zone_maintenance() before
zone_postload() gets a chance to finish its work in the first thread.
This would not be a problem if zone_maintenance() accounted for this
possibility by locking the zone before checking the state of its
DNS_ZONEFLG_LOADPENDING flag.  However, the zone is currently not locked
before the state of that flag is checked, which may prevent zone
maintenance from happening despite zone_postload() scheduling it.  Fix
by locking the zone in zone_maintenance() before checking the state of
the zone's DNS_ZONEFLG_LOADPENDING flag.
2018-09-26 19:35:51 -07:00