Commit Graph

626 Commits

Author SHA1 Message Date
Witold Kręcicki
aa9866c390 If possible don't use forwarders when priming the resolver.
If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.

This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.

Also added a test to confirm priming queries are not forwarded.

(cherry picked from commit b49310ac06)
(cherry picked from commit f8963ad70e)
2019-01-16 22:27:52 -08:00
Mark Andrews
bf6133ea61 adjust timeout to allow for ECN negotiation failures
(cherry picked from commit dadb924be7)
2019-01-15 17:30:20 -08:00
Michał Kępień
3db9f56718 Track forwarder timeouts in fetch contexts
Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed.  This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.

Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution.  Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.

(cherry picked from commit 33350626f9)
2019-01-08 08:34:37 +01:00
Mark Andrews
3aafdbf160 errors initalizing badcaches were not caught or cleaned up on error paths
(cherry picked from commit 93776c4c81)
2018-11-15 00:16:31 +00:00
Ondřej Surý
2f8b28efad Hint the compiler with ISC_UNREACHABLE(); that code after INSIST(0); cannot be reached
(cherry picked from commit 23fff6c569)
(cherry picked from commit 4568669807)
2018-11-08 22:42:52 +07:00
Ondřej Surý
12a266211e Turn (int & flag) into (int & flag) != 0 when implicitly typed to bool
(cherry picked from commit b2b43fd235)
(cherry picked from commit fcd1569e2b)
2018-11-08 22:02:58 +07:00
Ondřej Surý
8ad12f613e Fix extra closing parenthesis in DNSTAP code 2018-08-12 16:12:14 +02:00
Ondřej Surý
1084b40b44 Replace custom isc_boolean_t with C standard bool type
(cherry picked from commit 994e656977)
(cherry picked from commit 884929400c)
2018-08-10 15:20:57 +02:00
Ondřej Surý
aaa76dc654 Replace custom isc_u?intNN_t types with C99 u?intNN_t types
(cherry picked from commit cb6a185c69)
(cherry picked from commit d61e6a3111)
2018-08-10 15:20:57 +02:00
Ondřej Surý
bfc6a25f2d Replace ISC_PRINT_QUADFORMAT with inttypes.h format constants
(cherry picked from commit 64fe6bbaf2)
(cherry picked from commit c863a076ae)
2018-08-10 15:20:57 +02:00
Evan Hunt
ba162bd0d4 caclulate nlabels and set *chainingp correctly
(cherry picked from commit e78e55f435)
2018-08-08 14:27:44 -07:00
Evan Hunt
98b2377de3 explicit DNAME query could trigger a crash if deny-answer-aliases was set
(cherry picked from commit a21c3810d3453548cc05ae19995125dabea9ca9c)
(cherry picked from commit 6e187b8656)
2018-08-08 14:27:17 -07:00
Witold Kręcicki
9b17be187f Don't fetch DNSKEY when fuzzing resolver
(cherry picked from commit cb3208aa43)
2018-06-06 15:27:27 +02:00
Evan Hunt
920eb326a5 Merge branch '183-add-dns_fixedname_initname-v9_11' into 'v9_11'
Add and use dns_fixedname_initname()

Closes #183

See merge request isc-projects/bind9!161
2018-04-10 14:08:27 -07:00
Michał Kępień
ecea678dac Use dns_fixedname_initname() where possible
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.

This patch was mostly prepared using Coccinelle and the following
semantic patch:

    @@
    expression fixedname, name;
    @@
    -	dns_fixedname_init(&fixedname);
    	...
    -	name = dns_fixedname_name(&fixedname);
    +	name = dns_fixedname_initname(&fixedname);

The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.

It is likely that more occurrences of this pattern can be refactored in
an identical way.  This commit only takes care of the low-hanging fruit.

(cherry picked from commit 4df4a8e731)
(cherry picked from commit 0041aeb751)
2018-04-10 13:26:23 -07:00
Evan Hunt
8b205089b7 update file headers to remove copyright years 2018-03-14 16:40:20 -07:00
Mark Andrews
82b109bf5d adjust goto target and conditional compilation so that cleanup_spillattimer and cleanup_alglock labels match the element to be cleanup and so that they are always used
(cherry picked from commit 7b27be54ee)
2018-02-26 10:40:09 +11:00
Petr Menšík
6876501605 Reuse new function from rt46864 for similar block elsewhere.
(cherry picked from commit e7a93321f0)
(cherry picked from commit cb98ce8e67)
2018-02-23 13:52:43 -08:00
Mark Andrews
9cc1ea9566 use %u instead of %d 2018-02-16 14:32:24 +11:00
Mukund Sivaraman
929329d2d6 Fix various bugs reported by valgrind --tool=memcheck (#46978)
(cherry picked from commit f96133826e)
(cherry picked from commit 0374e1c3fd)
2018-01-13 11:47:46 +05:30
Tinderbox User
dc2a85bed7 update copyright notice / whitespace 2018-01-04 23:46:19 +00:00
Evan Hunt
7ff28f5bef [v9_11] block validator deadlock and prevent use-after-free
4859.	[bug]		A loop was possible when attempting to validate
			unsigned CNAME responses from secure zones;
			this caused a delay in returning SERVFAIL and
			also increased the chances of encountering
			CVE-2017-3145. [RT #46839]

4858.	[security]	Addresses could be referenced after being freed
			in resolver.c, causing an assertion failure.
			(CVE-2017-3145) [RT #46839]
2018-01-03 19:19:46 -08:00
Michał Kępień
2d517e233f [v9_11] Refactor reclimit system test
4823.	[test]		Refactor reclimit system test to improve its
			reliability and speed. [RT #46632]

(cherry picked from commit 6035d557c4)
2017-11-21 10:33:08 +01:00
Evan Hunt
5d7d67f82a [v9_11] ignore cache when sending 5011 refresh queries
4771.	[bug]		When sending RFC 5011 refresh queries, disregard
			cached DNSKEY rrsets. [RT #46251]

(cherry picked from commit b2597ce86b)
2017-10-11 14:24:52 -07:00
Evan Hunt
6216df5ccd [v9_11] reduce unnecessary priming queries
4770.	[bug]		Cache additional data from priming queries as glue.
			Previously they were ignored as unsigned
			non-answer data from a secure zone, and never
			actually got added to the cache, causing hints
			to be used frequently for root-server
			addresses, which triggered re-priming. [RT #45241]

(cherry picked from commit 5de02a075b)
2017-10-11 09:07:37 -07:00
Mark Andrews
62cce53589 tcp test got reversed
(cherry picked from commit b4c31c8795)
2017-09-27 15:20:16 +10:00
Mark Andrews
d72952cf25 4739. [cleanup] Address clang static analysis warnings. [RT #45952]
(cherry picked from commit f9f3f20d2d)
2017-09-27 10:58:44 +10:00
Evan Hunt
7cd594b842 [master] cleanup strcat/strcpy
4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
			strlcpy() and strlcat() for safety. [RT #45981]

(cherry picked from commit 114f95089c)
2017-09-13 00:17:16 -07:00
Evan Hunt
a2a0100e0f [v9_11] improve handling of qcount=0 replies
4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
			FORMERR if TC=0, and log the error correctly.
			[RT #45836]

(cherry picked from commit 25b33bede4)
2017-09-12 15:27:06 -07:00
Mark Andrews
bf216589c1 4675. [cleanup] Don't use C++ keyword class. [RT #45726] 2017-08-10 08:44:23 +10:00
Evan Hunt
7dbeb5e7f0 [v9_11] silence gcc 7 warnings
4673.	[port]		Silence GCC 7 warnings. [RT #45592]

(cherry picked from commit cdacec1dcb)
2017-08-09 00:24:16 -07:00
Mark Andrews
93049edb81 add comment 2017-08-09 10:48:33 +05:30
Evan Hunt
72f91848ef style 2017-08-09 10:48:29 +05:30
Mark Andrews
a5f6549534 style changes from [RT #45321]
(cherry picked from commit bcb2df226f)
2017-08-09 07:49:38 +10:00
Mukund Sivaraman
6e10f87913 Fix a race in resume_dslookup() (#45168)
(cherry picked from commit c88efb83b3)
2017-08-08 13:11:11 +05:30
Mark Andrews
bfde61d519 4654. [cleanup] Don't use C++ keywords delete, new and namespace.
[RT #45538]

(cherry picked from commit 4bf32aa587)
2017-07-21 12:28:58 +10:00
Mark Andrews
7fcbbd6fa9 4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635d)
2017-03-14 15:12:03 +11:00
Mark Andrews
c006cfc5a2 Reimplement:
4578.   [security]      Some chaining (CNAME or DNAME) responses to upstream
                        queries could trigger assertion failures.
                        (CVE-2017-3137) [RT #44734]

(cherry picked from commit f240f4a5de)
2017-03-01 12:02:39 +11:00
Evan Hunt
559cbe04e7 [v9_11] remove unnecessary INSIST and prep 9.11.1rc2
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042)
2017-02-23 14:55:10 -08:00
Evan Hunt
07b7a3eade [v9_11] store local and remote addresses in dnstap
4569.	[func]		Store both local and remote addresses in dnstap
			logging, and modify dnstap-read output format to
			print them. [RT #43595]

(cherry picked from commit 650b5e7592)
2017-02-03 17:11:06 -08:00
Evan Hunt
05fce8cfff [v9_11] address portability issues
(cherry picked from commit a2bd99a959)
2017-01-30 16:52:32 -08:00
Evan Hunt
781f6daa74 [v9_11] change 4558 was incomplete
(cherry picked from commit cd668ea57f)
2017-01-30 14:11:17 -08:00
Tinderbox User
5688a47c15 update copyright notice / whitespace 2017-01-24 23:45:58 +00:00
Mark Andrews
4441328a1d 4558. [bug] Synthesised CNAME before matching DNAME was still
being cached when it should have been.  [RT #44318]

(cherry picked from commit 9f4bf43b79)
2017-01-24 17:41:17 +11:00
Mark Andrews
701aa95d96 4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
                        resulting in a assertion failure. (CVE-2016-9147)
                        [RT #43548]

(cherry picked from commit 6adf421e7e)
2016-12-29 11:49:06 +11:00
Mark Andrews
b243aa40f9 4508. [security] Named incorrectly tried to cache TKEY records which
could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]

(cherry picked from commit 2c1c4b99a1)
2016-12-29 11:17:14 +11:00
Mark Andrews
2595d1da35 4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
                        (CVE-2016-9444) [RT # 43632]

(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
2016-12-29 10:41:06 +11:00
Mark Andrews
d77cab69bf 4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
                        [RT #43779]

(cherry picked from commit 60cb462c56)
2016-12-09 12:51:09 +11:00
Mark Andrews
7c66fc9700 4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]

(cherry picked from commit bd6f27f5c3)
2016-10-21 14:56:20 +11:00
Mark Andrews
47f8b47b8d 9.11.0rc3 2016-09-20 21:19:46 +10:00