Commit Graph

6888 Commits

Author SHA1 Message Date
Mark Andrews
b2ffe56fc5 add krb5-selfsub and ms-selfsub
(cherry picked from commit fbeefd4990)
2018-09-10 17:40:19 +10:00
Ondřej Surý
d20fd7b109 Remove excessive inclusion of isc/refcount.h from various header files 2018-09-07 16:55:22 +02:00
Ondřej Surý
b92a1791b3 Use isc/stdatomic.h to switch to __atomic builtins when compiling in C++ mode 2018-09-07 16:55:22 +02:00
Ondřej Surý
94a1c85366 Add C++ declarations to dns/fixedname.h 2018-09-05 18:00:32 -04:00
Ondřej Surý
302cae89f3 Bail-out early in the for install loops instead of continuing because for masks the error in the middle
(cherry picked from commit 25248eb097)
(cherry picked from commit 3fbceba0a8)
2018-09-03 13:49:35 +02:00
Mark Andrews
10fdd1aa23 increase jitter to cover the entire potential steady state expire range when initially signing the zone
(cherry picked from commit 050fca2139)
2018-08-31 13:09:40 +10:00
Mark Andrews
20c79090bd fclose origfile and zonefile
(cherry picked from commit 455bb23236)
2018-08-31 12:25:01 +10:00
Evan Hunt
d3add15848 silence "missing print.h" warning
(cherry picked from commit 3c18b7d3fd)
2018-08-28 16:22:15 -07:00
Witold Kręcicki
80a025d1a7 rndc reconfig should not stat on existing zones, just load new ones. 2018-08-28 16:53:43 +02:00
Michał Kępień
cf7557dce0 Fix reloading inline-signed zones
While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage.  This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version.  This in
turn prevents zone maintenance from happening for the signed version of
the zone.

Until commit 749b3cacfc, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs).  This behavior caused other issues [1] and thus had to be
changed.

Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes.  Take care not to clear it prematurely during initial zone
load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem.  Add comments aiming to
help explain code flow.

[1] see RT #47076

(cherry picked from commit 5431583971)
2018-08-22 11:46:08 +02:00
Michał Kępień
de6b8ded56 Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone
When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh.  Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.

Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.

(cherry picked from commit 8db550c42f)
2018-08-22 10:56:42 +02:00
Mark Andrews
49b7ac4d44 add missing ATF_REQUIRE
(cherry picked from commit 0ce82e9d5f)
2018-08-14 19:59:06 -04:00
Michał Kępień
0d174c46ff Do not remove errors from the OpenSSL error queue in toresult()
dst__openssl_toresult3() first calls toresult() and subsequently uses
ERR_get_error_line_data() in a loop.  Given this, it is a mistake to use
ERR_get_error() in toresult() because it causes the retrieved error to
be removed from the OpenSSL error queue, thus preventing it from being
retrieved by the subsequent ERR_get_error_line_data() calls.  Fix by
using ERR_peek_error() instead of ERR_get_error() in toresult().

(cherry picked from commit 36436268b5)
2018-08-14 12:53:44 +02:00
Michał Kępień
c6d1239d90 Prevent rare rbt_insert_and_remove unit test failures
When two or more absolute, two-label names are added to a completely
empty RBT, an extra, empty node for the root name will be created due to
node splitting.  check_tree() expects that, but the extra node will not
be created when just one name is added to a completely empty RBT.  This
problem could be handled inside check_tree(), but that would introduce
unnecessary complexity into it since adding a single name will result in
a different node count for a completely empty RBT (node count will be 1)
and an RBT containing only an empty node for the root name, created due
to prior node splitting (node count will be 2).  Thus, first explicitly
create a node for the root name to prevent rare check_tree() failures
caused by a single name being added in the first iteration of the
insert/remove loop.

(cherry picked from commit 13fe763798)
2018-08-14 10:44:59 +02:00
Michał Kępień
cbd85e0137 Queue "rndc signing -nsec3param ..." requests if needed
If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading.  Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.

(cherry picked from commit cb40c5229a)
2018-08-14 09:29:54 +02:00
Ondřej Surý
8ad12f613e Fix extra closing parenthesis in DNSTAP code 2018-08-12 16:12:14 +02:00
Ondřej Surý
eb745a2125 Remove duplicate config.h
(cherry picked from commit 7351c505a0)
(cherry picked from commit 2844f6529d)
2018-08-10 15:20:58 +02:00
Ondřej Surý
1084b40b44 Replace custom isc_boolean_t with C standard bool type
(cherry picked from commit 994e656977)
(cherry picked from commit 884929400c)
2018-08-10 15:20:57 +02:00
Ondřej Surý
aaa76dc654 Replace custom isc_u?intNN_t types with C99 u?intNN_t types
(cherry picked from commit cb6a185c69)
(cherry picked from commit d61e6a3111)
2018-08-10 15:20:57 +02:00
Ondřej Surý
bfc6a25f2d Replace ISC_PRINT_QUADFORMAT with inttypes.h format constants
(cherry picked from commit 64fe6bbaf2)
(cherry picked from commit c863a076ae)
2018-08-10 15:20:57 +02:00
Evan Hunt
ba162bd0d4 caclulate nlabels and set *chainingp correctly
(cherry picked from commit e78e55f435)
2018-08-08 14:27:44 -07:00
Tinderbox User
4b0b459e5b prep 9.11.4-P1 2018-08-08 14:27:44 -07:00
Evan Hunt
98b2377de3 explicit DNAME query could trigger a crash if deny-answer-aliases was set
(cherry picked from commit a21c3810d3453548cc05ae19995125dabea9ca9c)
(cherry picked from commit 6e187b8656)
2018-08-08 14:27:17 -07:00
Mark Andrews
c4089d38cd treat the signed instance of a inline zone as dynamic
(cherry picked from commit 9130f055f4)
2018-08-02 14:27:41 +10:00
Mark Andrews
a65c8e27b1 handle dns_aclelementtype_geoip
(cherry picked from commit 57eadf4d4f)
2018-08-02 09:59:58 +10:00
Mark Andrews
c47f3abead test dns_acl_isinsecure with geoip element
(cherry picked from commit fb8bb4e306)
2018-08-02 09:59:58 +10:00
Mark Andrews
d024898f35 use tlsa and smime structs to set common values
(cherry picked from commit 63c9ec367f)
2018-08-02 08:52:30 +10:00
Mark Andrews
0a9f953a2f refcount errors on error paths
(cherry picked from commit 4093efc900)
2018-07-31 18:43:18 +10:00
Mark Andrews
43c6f0d801 remove re-initalisation of common structure
(cherry picked from commit 6e06d3e7c6)
2018-07-12 09:49:01 +10:00
Mark Andrews
f1f2c0c493 remove redundant test
(cherry picked from commit 6eec7fe092)
2018-07-10 19:05:12 -07:00
Mark Andrews
078962a616 fix spelling of 'telemetry'
(cherry picked from commit 4f18b6a09a)
2018-07-10 18:30:45 -07:00
Tinderbox User
3bbd725a2c prep 9.11.4rc2 2018-06-28 05:07:42 +00:00
Evan Hunt
65bf99c85a use ISC_INT32_MAX as maximum 2018-06-27 18:40:24 -07:00
Witold Kręcicki
e92d5421c3 Fallback to normal procedure if creating of ixfr-from-differences fails
(cherry picked from commit b1254430df)
2018-06-27 18:33:33 -07:00
Witold Kręcicki
1919f5c937 Fix some issues with large journal entries
(cherry picked from commit 0db7130f2b)
2018-06-27 18:33:32 -07:00
Mark Andrews
236ab4c453 fix casecompare return type for ninfo, tkey, txt
(cherry picked from commit 3ba1d1e43b)
2018-06-25 13:10:06 +10:00
Evan Hunt
a1690b24bc prepare 9.11.4rc1 2018-06-21 18:54:43 +02:00
Mark Andrews
09776e3e54 Declare the 'rdata' argument for dns_rdata_tostruct() to be const
(cherry picked from commit abb2fd1027)
2018-06-15 08:52:41 +02:00
Michał Kępień
2c09f7a06c Reimplement all zone logging functions using dns_zone_logv()
In order to decrease code duplication, express the logic contained in
all zone logging functions using dns_zone_logv() calls.

(cherry picked from commit 5c03cd339e)
2018-06-11 12:50:25 +02:00
Michał Kępień
4fab6fec76 Add dns_zone_logv()
Add a new libdns function, dns_zone_logv(), which takes a single va_list
argument rather than a variable number of arguments and can be used as a
base for implementing more specific zone logging functions.

(cherry picked from commit bb2dfb3f49)
2018-06-11 12:50:25 +02:00
Evan Hunt
b75a2b9730 improve readability of radix code
- use RADIX_V4, RADIX_V6, RADIX_V4_ECS, and RADIX_V6_ECS as array
  indices instead of 0 through 3.
- remove some unused macros

(cherry picked from commit f7f20b1202)
2018-06-08 12:11:19 -07:00
Evan Hunt
7a00ce2e77 ensure we try to validate glue records so RRSIG TTLs will be capped 2018-06-08 11:41:48 -07:00
Witold Kręcicki
9b17be187f Don't fetch DNSKEY when fuzzing resolver
(cherry picked from commit cb3208aa43)
2018-06-06 15:27:27 +02:00
Mark Andrews
dd05287a31 add support -T sigvalinsecs
(cherry picked from commit 87a3dc8ab9)
(cherry picked from commit 69340b5ac5)
2018-06-06 17:17:48 +10:00
Mark Andrews
298372d8d2 only sign with other keys when deleting a key if there are not already existing signature for the deleted algorithm
(cherry picked from commit 0667bf7ae7)
(cherry picked from commit c1e342cedb)
2018-06-06 17:10:01 +10:00
Mark Andrews
9a5f308287 add named.conf option root-key-sentinel
(cherry picked from commit 68e9315c7d)
(cherry picked from commit ee763ef281)
2018-06-04 17:41:22 -04:00
Mukund Sivaraman
2bbea4513f Add NSEC3 fromtext/totext unittests
(cherry picked from commit b0d9198e03)
2018-06-04 13:02:44 +10:00
Mukund Sivaraman
0aa9c410d7 Don't insert 2nd space between NSEC3 nexthash and typemap fields
(cherry picked from commit d4ea1edd2c)
2018-06-04 13:02:44 +10:00
Mark Andrews
e568d66db3 work around cppcheck false positive
(cherry picked from commit cb5802e854)
2018-05-29 09:45:23 +10:00
Evan Hunt
884e8df7ca copyrights 2018-05-23 09:55:41 -07:00