The XSL stylesheet used by the web interface does not currently include
any element which would cause a list of zones configured in each view to
be displayed, making the "Zones" section of the web interface empty
unless some zone has been configured with "zone-statistics full;" and
queried. Since this can be confusing, modify the XSL stylesheet so that
a list of zones configured in each view is displayed in the web
interface.
(cherry picked from commit aeda3f389e)
5051. [doc] Documentation incorrectly stated that the
"server-addresses" static-stub zone option accepts
custom port numbers. [GL #582]
(cherry picked from commit 6b1c0a8e6f)
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
(cherry picked from commit b324576858)
5050. [bug] The libirs version of getaddrinfo() was unable to parse
scoped IPv6 addresses present in /etc/resolv.conf.
[GL #187]
(cherry picked from commit b7564cc898)
Commonly used network configuration tools write scoped IPv6 nameserver
addresses to /etc/resolv.conf. libirs only handles these when it is
compiled with -DIRS_HAVE_SIN6_SCOPE_ID, which is not the default, and
only handles numeric scopes, which is not what network configuration
tools typically use. This causes dig to be practically unable to handle
scoped IPv6 nameserver addresses in /etc/resolv.conf.
Fix the problem by:
- not requiring a custom compile-time flag to be set in order for
scoped IPv6 addresses to be processed by getaddrinfo(),
- parsing non-numeric scope identifiers using if_nametoindex(),
- setting the sin6_scope_id field in struct sockaddr_in6 structures
returned by getaddrinfo() even if the AI_CANONNAME flag is not set.
(cherry picked from commit 76d49c05be)
Commit 2bc4c92ed4 causes the resolver to
respond to a client query with FORMERR when all upstream queries sent to
the servers authoritative for QNAME elicit FORMERR responses. This
happens because resolver code returns DNS_R_FORMERR in such a case and
dns_result_torcode() acts as a pass-through for all arguments which are
already a valid RCODE.
The correct RCODE to set in the response returned to the client in the
case described above is SERVFAIL. Make sure this happens by overriding
the RCODE in query_gotanswer(), on the grounds that any format errors in
the client query itself should be caught long before execution reaches
that point. This change should not reduce query error logging accuracy
as the resolver code itself reports the exact reason for returning a
DNS_R_FORMERR result using log_formerr().
(cherry picked from commit b5c9a8caad)
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
(cherry picked from commit c4cee27f9b)
Whenever master or one for the v9_* branches gets updated, the current
ARM should be published on GitLab Pages. Add a pipeline stage which
takes care of triggering GitLab Pages pipelines. Extend the lifetime of
artifact archives containing the ARM to prevent GitLab Pages pipelines
from failing due to artifacts being unavailable.
(cherry picked from commit 31bde118db)
Add a CI job which generates the HTML version of the ARM and makes it
available for download. Since this is expected to be a quick process,
the new job is enabled for all pipelines.
(cherry picked from commit 3f443468e0)
5047. [bug] Messages logged for certain query processing failures
now include a more specific error description if it is
available. [GL #572]
(cherry picked from commit dc531dc340)
In some cases, setting qctx->result to DNS_R_SERVFAIL causes the value
of a 'result' variable containing a more specific failure reason to be
effectively discarded. This may cause certain query error log messages
to lack specificity despite a more accurate problem cause being
determined during query processing.
In other cases, qctx->result is set to DNS_R_SERVFAIL even though a more
specific error (e.g. ISC_R_NOMEMORY) could be explicitly indicated.
Since the response message's RCODE is derived from qctx->result using
dns_result_torcode(), which handles a number of possible isc_result_t
values and returns SERVFAIL for anything not explicitly listed, it is
fine to set qctx->result to something more specific than DNS_R_SERVFAIL
(in fact, this is already being done in a few cases). Modify most
QUERY_ERROR() calls so that qctx->result is set to a more specific error
code when possible. Adjust query_error() so that statistics are still
calculated properly. Remove the RECURSE_ERROR() macro which was
introduced exactly because qctx->result could be set to DNS_R_SERVFAIL
instead of DNS_R_DUPLICATE or DNS_R_DROP, which need special handling.
Modify dns_sdlz_putrr() so that it returns DNS_R_SERVFAIL when a DLZ
driver returns invalid RDATA, in order to prevent setting RCODE to
FORMERR (which is what dns_result_torcode() translates e.g. DNS_R_SYNTAX
to) while responding authoritatively.
(cherry picked from commit ba91243542)
When something goes wrong while recursing for an answer to a query,
query_gotanswer() sets a flag (qctx->want_stale) in the query context.
query_done() is subsequently called and it can either set up a stale
response lookup (if serve-stale is enabled) or conclude that a SERVFAIL
response should be sent. This may cause confusion when looking at query
error logs since the QUERY_ERROR() line responsible for setting the
response's RCODE to SERVFAIL is not in a catch-all branch of a switch
statement inside query_gotanswer() (like it is for authoritative
responses) but rather in a code branch which appears to have something
to do with serve-stale, even when the latter is not enabled.
Extract the part of query_done() responsible for checking serve-stale
configuration and optionally setting up a stale response lookup into a
separate function, query_usestale(), shifting the responsibility for
setting the response's RCODE to SERVFAIL to the same QUERY_ERROR() line
in query_gotanswer() which is evaluated for authoritative responses.
(cherry picked from commit cb48d410d8)
- update_log() is called to log update errors, but if those errors
occur before the zone is set (for example, when returning NOTAUTH)
it returns without logging anything.
(cherry picked from commit 395f6a1474)
getnameinfo() parameters are detected by configure. Current glibc uses
socklen_t for BUFLEN and int for flags. Because that parameters are
tested only as fallback, it does detect it different way on 32-bit
system. socklen_t is compatible with size_t type on these systems.
Try all variants with int flags, use unsigned flags as last resort.