Commit Graph

34493 Commits

Author SHA1 Message Date
Michał Kępień
b68851773c Make "named -h" output match option-handling code
The usage instructions printed by "named -h" are missing the "external"
and "internal" flags that can be passed to the -M command-line option.
Add the missing flags to "named -h" output.
2022-07-15 10:45:34 +02:00
Michał Kępień
31012c1c0d Update documentation for named's -M option
Add "internal" to the list of legal values for the -M command-line
option (commit 1f7d2d53f0 added that
flag).

Make the style of the relevant paragraph more in line with the next one
and split its contents up into an unordered list of options for improved
readability.

(cherry picked from commit f0c31ceb3b)
2022-07-15 10:45:34 +02:00
Michał Kępień
4d1986ebcb Handle ISC_MEM_DEFAULTFILL consistently
Contrary to what the documentation states, memory filling is only
enabled by --enable-developer (or by setting -DISC_MEM_DEFAULTFILL=1) if
the internal memory allocator is used.  However, the internal memory
allocator is disabled by default, so just using the --enable-developer
build-time option does not enable memory filling (passing "-M fill" on
the named command line is necessary to actually enable it).  As memory
filling is a useful tool for troubleshooting certain types of bugs, it
should also be enabled by --enable-developer when the system allocator
is used.

Furthermore, memory-related preprocessor macros are handled in two
distinct locations: lib/isc/include/isc/mem.h and bin/named/main.c.
This makes the logic hard to follow.

Move all code handling the ISC_MEM_DEFAULTFILL preprocessor macro to
lib/isc/include/isc/mem.h, ensuring memory filling is enabled by the
--enable-developer build-time switch, no matter which memory allocator
is used.
2022-07-15 10:45:34 +02:00
Michał Kępień
7df6070c02 Fix mempool stats bug in the internal allocator
Commit c96b6eb5ec changed the way mempool
code handles freed allocations that cannot be retained for later use as
"free list" items: it no longer uses different logic depending on
whether the internal allocator is used or the system one.  However, that
commit did not update a relevant piece of code in isc_mempool_destroy(),
causing memory context statistics to always be off upon shutdown when
BIND 9 is built with -DISC_MEM_USE_INTERNAL_MALLOC=1.  This causes
assertion failures.  Update isc_mempool_destroy() accordingly in order
to prevent this issue from being triggered.
2022-07-15 10:45:34 +02:00
Mark Andrews
5338fc9e19 Merge branch '3447-lib-dns-tkey-c-free_namelist-should-be-disassociating-associated-rdatatsets-v9_16' into 'v9_16'
disassociate rdatasets when cleaning up [v9_16]

See merge request isc-projects/bind9!6578
2022-07-14 01:08:57 +00:00
Mark Andrews
f2855facbe disassociate rdatasets when cleaning up
free_namelist could be passed names with associated rdatasets
when handling errors.  These need to be disassociated before
calling dns_message_puttemprdataset.

(cherry picked from commit 745d5edc3a)
2022-07-14 10:21:47 +10:00
Mark Andrews
29f0ac40f3 Merge branch '3449-kasp-system-test-failed-to-log-some-zones-during-setup-v9_16' into 'v9_16'
kasp: add missing logging during setup [v9_16]

See merge request isc-projects/bind9!6576
2022-07-14 00:18:27 +00:00
Mark Andrews
9980c7be8d kasp: add missing logging during setup
Some zones where not being logged when just DNSSEC keys where being
generated in system test setup phase.  Add logging for these zones.

(cherry picked from commit 04627997eb)
2022-07-14 09:46:16 +10:00
Mark Andrews
5e5232aa5b Merge branch '3446-autosign-s-checking-revoked-key-with-duplicate-key-id-test-was-incomplete-v9_16' into 'v9_16'
Make "checking revoked key with duplicate key ID" work [v9_16]

See merge request isc-projects/bind9!6558
2022-07-13 01:42:56 +00:00
Mark Andrews
5fec2fcbe7 Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically
lower one is revoked (serial space arithmetic).  The DS points
at the non-revoked key so validation should still succeed.

(cherry picked from commit 513cb24b55)
2022-07-13 10:58:41 +10:00
Evan Hunt
492f614d0e Merge branch '2683-ixfr-logging-v9_16' into 'v9_16'
log the reason for falling back to AXFR from IXFR at level info

See merge request isc-projects/bind9!6552
2022-07-12 23:52:47 +00:00
Evan Hunt
0849fd2211 log the reason for falling back to AXFR from IXFR at level info
messages indicating the reason for a fallback to AXFR (i.e, because
the requested serial number is not present in the journal, or because
the size of the IXFR response would exceeed "max-ixfr-ratio") are now
logged at level info instead of debug(4).

(cherry picked from commit df1d81cf96)
2022-07-12 16:27:01 -07:00
Michal Nowak
d0bf87eab5 Merge branch 'mnowak/alpine-3.16-v9_16' into 'v9_16'
[v9_16] Add Alpine Linux 3.16

See merge request isc-projects/bind9!6549
2022-07-12 12:01:37 +00:00
Michal Nowak
0043999f54 Add Alpine Linux 3.16
(cherry picked from commit 0d0ab3db10)
2022-07-12 13:59:30 +02:00
Matthijs Mekking
77ee0f87b5 Merge branch '3438-dnssec-policy-does-not-set-inline-signing-v9_16' into 'v9_16'
[v9_16] Fix inheritance for dnssec-policy when checking for inline-signing

See merge request isc-projects/bind9!6547
2022-07-12 11:39:42 +00:00
Matthijs Mekking
60c297d717 Add release note and change entry for #3438
Bug worth mentioning.

(cherry picked from commit 689215a675)
2022-07-12 12:48:57 +02:00
Matthijs Mekking
0d5e0867df Inherit dnssec-policy in check for inline-signing
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. But the function responsible
for this did not inherit the dnssec-policy option from the view or
options level, and thus never enabled inline-signing, while the zone
should have been.

This is fixed by this commit.

(cherry picked from commit 576b21b168)
2022-07-12 12:48:21 +02:00
Matthijs Mekking
eb7d65b84d Test setting of inline-signing with dnssec-policy
When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. Add test cases to verify this.

(cherry picked from commit efa8a4e88d)
2022-07-12 12:48:16 +02:00
Matthijs Mekking
2db23e475b Fix kasp system test bugs
Fix a comment, ensuring the right parameters are used (zone is
parameter $3, not $2) and add view and policy parameters to the comment.

Fix the view tests and test the correct view (example3 instead of
example2).

Fix placement of "n=$((n+1)" for two test cases.

(cherry picked from commit ff65f07779)
2022-07-12 12:48:08 +02:00
Mark Andrews
474bac53ba Merge branch '3389-unexpected-badkey-in-upforwd-system-test-v9_16' into 'v9_16'
Clone the message buffer before forwarding UPDATE messages [v9_16]

See merge request isc-projects/bind9!6545
2022-07-12 09:28:23 +00:00
Mark Andrews
17b2dc015e Add CHANGES note for [GL #3389]
(cherry picked from commit 09d8ed3970)
2022-07-12 19:02:00 +10:00
Mark Andrews
b485d95c66 Clone the message buffer before forwarding UPDATE messages
this prevents named forwarding a buffer that may have been over
written.

(cherry picked from commit 7a42417d61)
2022-07-12 19:01:32 +10:00
Michał Kępień
0e59965d6a Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.32' into 'v9_16'
Set up version and release notes for BIND 9.16.32

See merge request isc-projects/bind9!6540
2022-07-11 07:05:57 +00:00
Michał Kępień
c660730ea3 Set up release notes for BIND 9.16.32 2022-07-11 08:52:51 +02:00
Michał Kępień
c4e010ebaa Update BIND version to 9.16.32-dev 2022-07-11 08:52:51 +02:00
Michał Kępień
7b1d377562 Merge branch '3441-fix-fetch-context-use-after-free-bugs' into 'v9_16'
Fix fetch context use-after-free bugs

See merge request isc-projects/bind9!6537
2022-07-11 04:18:04 +00:00
Michał Kępień
6505056267 Fix fetch context use-after-free bugs
fctx_decreference() may call fctx_destroy(), which in turn may free the
fetch context by calling isc_mem_putanddetach().  This means that
whenever fctx_decreference() is called, the fetch context pointer should
be assumed to point to garbage after that call.  Meanwhile, the
following pattern is used in several places in lib/dns/resolver.c:

    LOCK(&res->buckets[fctx->bucketnum].lock);
    bucket_empty = fctx_decreference(fctx);
    UNLOCK(&res->buckets[fctx->bucketnum].lock);

Given that 'fctx' may be freed by the fctx_decreference() call, there is
no guarantee that the value of fctx->bucketnum will be the same before
and after the fctx_decreference() call.  This can cause all kinds of
locking issues as LOCK() calls no longer match up with their UNLOCK()
counterparts.

Fix by always using a helper variable to hold the bucket number when the
pattern above is used.

Note that fctx_try() still uses 'fctx' after calling fctx_decreference()
(it calls fctx_done()).  This is safe to do because the reference count
for 'fctx' is increased a few lines earlier and it also cannot be zero
right before that increase happens, so the fctx_decreference() call in
that particular location never invokes fctx_destroy().  Nevertheless,
use a helper variable for that call site as well, to retain consistency
and to prevent copy-pasted code from causing similar problems in the
future.
2022-07-08 11:26:34 +02:00
Petr Špaček
bf2ea74622 Merge branch '3320-rewrite-arm-dnssec-chapter-v9_16' into 'v9_16'
Rewrite DNSSEC ARM Chapter [v9_16]

See merge request isc-projects/bind9!6536
2022-07-07 11:25:11 +00:00
Petr Špaček
4caaff0afa Deduplicate Manual Signing between DNSSEC chapter and DNSSEC Guide
The two procedures were essentially the same, but each instance was
missing some details from the other. They are now combined into one text
in the DNSSEC Guide and linked from DNSSEC chapter.

(cherry picked from commit 7d25027898)
2022-07-07 12:04:39 +02:00
Suzanne Goldlust
71f3d521cb Minor grammar improvements in the Signing chapter of the DNSSEC Guide
(cherry picked from commit 6b1ad4dcfb)
2022-07-07 11:48:33 +02:00
Petr Špaček
dd46af7f59 Deduplicate key filename description in the DNSSEC Guide
Third time ...

(cherry picked from commit 7e96801841)
2022-07-07 11:40:45 +02:00
Petr Špaček
6c1b34e9b5 Use ECDSAP256SHA256 in DNSSEC signing examples
(cherry picked from commit 3eb6898a14)
2022-07-07 11:39:32 +02:00
Matthijs Mekking
0a13a85dff Add a section about key rollover
Describe how to do key rollovers with dnssec-policy. Update the
revert to unsigned recipe in the DNSSEC guide.

(cherry picked from commit f721986589)
2022-07-07 11:37:25 +02:00
Petr Špaček
75854c5e6b Rewrite DNSSEC Validation subchapter in the ARM
Mostly deduplicating and linking information across the ARM.
Generally people should not touch it unless they what they are doing, so
let's try to discourage them a bit.

(cherry picked from commit bffa3063f0)
2022-07-07 11:07:32 +02:00
Petr Špaček
c9e52437ca Resynchronize DNSSEC chapter with the main branch
This is essentially a backport of !6296.

Replace DNSSEC chapter with version from the main branch, commit
901b6425d2.

There were structural changes to the ARM in the main branch, and
replacing the whole file with a new version is an order of magniture
easier than attempting to cherry-pick individual changes which should, in
the end, produce the same file under a different name.

File names in the main branch and v9_16 are now in sync (for the DNSSEC
chapter).

Fixes: #3320
2022-07-07 10:34:06 +02:00
Mark Andrews
339668b2e4 Merge branch '3433-support-default-hmac-v9_18-v9_16' into 'v9_16'
Add DEFAULT_HMAC to conf.sh.common [v9_16]

See merge request isc-projects/bind9!6534
2022-07-07 05:29:39 +00:00
Mark Andrews
40c7096caf Add DEFAULT_HMAC to conf.sh.common
(cherry picked from commit 972d7fd682)
(cherry picked from commit ba45075acb)
2022-07-07 15:11:33 +10:00
Mark Andrews
19970f720d Merge branch '3061-ifconfig-sh-down-messes-up-loopback-interfaces-v9_16' into 'v9_16'
update ifconfig.sh [v9_16]

See merge request isc-projects/bind9!6531
2022-07-07 00:53:08 +00:00
Mark Andrews
e1b3d3d259 Add CHANGES note for [GL #3061]
(cherry picked from commit e0708c8950)
2022-07-07 10:16:07 +10:00
Mark Andrews
76ed6f32e8 update ifconfig.sh
* make it harder to get the interface numbers wrong by using 'max'
to specify the upper bound of the sequence of interfaces and use 'max'
when calculating the interface number
* extract the platform specific instruction into 'up' and 'down'
and call them from the inner loop so that the interface number is
calculated in one place.
* calculate the A and AAAA address in a single place rather than
in each command
* use /sbin/ipadm on Solaris 2.11 and greater

(cherry picked from commit abfb5b1173)
2022-07-07 10:15:35 +10:00
Mark Andrews
abf9a59b1a Merge branch '3429-detect-overflow-in-generate-directive-v9_16' into 'v9_16'
Check for overflow in $GENERATE computations [v9_16]

See merge request isc-projects/bind9!6527
2022-07-06 01:55:41 +00:00
Mark Andrews
3433983407 Add CHANGES note for [GL #3429]
(cherry picked from commit d935ead14b)
2022-07-06 11:36:10 +10:00
Evan Hunt
4897f3ccc0 Improve $GENERATE documentation
Clarify the documentation of $GENERATE modifiers and add an example.

(cherry picked from commit 13fb2faf7a)
2022-07-06 11:35:16 +10:00
Mark Andrews
d10e20da0d Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted.  This included missing the closing brace in
${modifiers}

Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}.  Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.

(cherry picked from commit 7be64c0e94)
2022-07-06 11:26:24 +10:00
Mark Andrews
16ac79a8f7 Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour.  Detect these conditions and return a
range error.

(cherry picked from commit 5327b9708f)
2022-07-06 11:26:24 +10:00
Mark Andrews
357ac87986 Merge branch '3437-cds-error-window-too-small-v9_16' into 'v9_16'
Only report not matching stderr content when we look for it [v9_16]

See merge request isc-projects/bind9!6524
2022-07-05 18:33:05 +00:00
Mark Andrews
7cd7f7d2cb Increase the amount of time allowed for signing to occur in
On slow systems we have seen this take 9 seconds.  Increased the
allowance from 3 seconds to 10 seconds to reduce the probabilty of
a false negative from the system test.

(cherry picked from commit 4db847e80e)
2022-07-05 23:12:22 +10:00
Mark Andrews
351aa3d3b5 Only report not matching stderr content when we look for it
The previous test code could emit "D:cds:stderr did not match ''" rather
that just showing the contents of stderr.  Moved the debug line inside
the if/else block.

Replaced backquotes with $() and $(()) as approriate.

(cherry picked from commit 304d33fb32)
2022-07-05 23:12:22 +10:00
Michał Kępień
a9407704e6 Merge branch '3357-test_send_timeout-add-code-comment' into 'v9_16'
Add code comment to test_send_timeout test

See merge request isc-projects/bind9!6503
2022-07-04 21:12:33 +00:00
Michał Kępień
8ebc9c76a9 Add a code comment to the test_send_timeout() test 2022-07-04 23:10:59 +02:00