Commit Graph

27508 Commits

Author SHA1 Message Date
Tinderbox User
d58e36b410 prep 9.11.7 2019-05-10 05:03:46 +00:00
Evan Hunt
afc0f7f344 Merge branch '997-make-ntas-work-with-validating-forwarders-v9_11' into 'v9_11'
Make NTAs work with validating forwarders

See merge request isc-projects/bind9!1925
2019-05-10 00:18:30 -04:00
Michał Kępień
07c698469e Add CHANGES entry
5219.	[bug]		Negative trust anchors did not work with "forward only;"
			to validating resolvers. [GL #997]
2019-05-09 21:05:50 -07:00
Michał Kępień
f04f107b7e Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 21:05:50 -07:00
Evan Hunt
651aaf5542 Merge branch '958-improve-message-about-python-ply-v9_11' into 'v9_11'
Improve the error message about missing PLY Python package

See merge request isc-projects/bind9!1920
2019-05-09 23:25:05 -04:00
Ondřej Surý
ab706cc6f2 Improve the error message about missing PLY Python package
Previously, only a message about missing Python was printed, which was
misleading to many users.  The new message clearly states that Python
AND PLY is required and prints basic instructions how to install PLY
package.

(cherry picked from commit 55b48700da)
2019-05-09 19:57:02 -07:00
Evan Hunt
45227c0a2e Merge branch 'each-sync-v9_11' into 'v9_11'
sync CHANGES from 9.11.6-P1

See merge request isc-projects/bind9!1917
2019-05-09 21:55:35 -04:00
Evan Hunt
b4c8599961 sync CHANGES from 9.11.6-P1 2019-05-09 18:53:51 -07:00
Witold Krecicki
ab1e4b5784 Merge branch '834-fix-races-in-socket-code-v2' into 'v9_11'
Fix race in unix socket code when closing a socket that has already sent a recv/send event.

See merge request isc-projects/bind9!1915
2019-05-09 13:57:11 -04:00
Witold Kręcicki
1286d74c7d Fix race in unix socket code when closing a socket that has
already sent a recv/send event.

When doing isc_socket_cancel we need to purge the event that might
already be in flight. If it has been launched already we need
to inform it that it has to bail.
2019-05-09 18:48:06 +02:00
Ondřej Surý
5f26556546 Merge branch 'ondrej/reproducible-build-v9_11' into 'v9_11'
Make lib/dns/gen.c compatible with reproducible builds.

See merge request isc-projects/bind9!1913
2019-05-09 05:24:35 -04:00
Ondřej Surý
0dced2fa6a Make lib/dns/gen.c compatible with reproducible builds.
The gen.c will now use SOURCE_DATE_EPOCH[1] if found in environment
to make the build more reproducible build friendly.

1. https://reproducible-builds.org/specs/source-date-epoch/

(cherry picked from commit c8cb612d39)
2019-05-09 16:05:38 +07:00
Mark Andrews
aca6ebadc4 Merge branch '960-add-edns-client-tag-and-edns-server-tag-v9_11' into 'v9_11'
Resolve "Add EDNS Client Tag and EDNS Server Tag"

See merge request isc-projects/bind9!1911
2019-05-09 04:39:06 -04:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
ac9286b732 Merge branch '868-fix-trusted-keys-handling-with-dnssec-validation-auto-v9_14-v9_11' into 'v9_11'
fix incorrect behavior mixing trusted-keys with validation auto

See merge request isc-projects/bind9!1909
2019-05-09 02:13:16 -04:00
Evan Hunt
febbd90850 CHANGES, release notes 2019-05-08 23:02:42 -07:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
3c45f0dd0b Merge branch '852-bind-returning-malformed-packet-error-when-sshfp-record-has-fingerprint-value-less-than-4-characters-v9_11' into 'v9_11'
Resolve "Bind returning malformed packet error when sshfp record has fingerprint value less than 4 characters"

See merge request isc-projects/bind9!1906
2019-05-08 19:18:22 -04:00
Mark Andrews
702cc2dde3 enforce known SSHFP finger print lengths
(cherry picked from commit 1722728c80)
2019-05-09 08:49:19 +10:00
Mark Andrews
8cb78ee508 Merge branch '991-provide-ixfr-should-only-be-tests-on-tcp-clients-v9_11' into 'v9_11'
Resolve "provide-ixfr should only be tested on TCP clients."

See merge request isc-projects/bind9!1901
2019-05-07 00:46:17 -04:00
Mark Andrews
1cc0bf2cee add CHANGES
(cherry picked from commit ba1d7f3a07)
2019-05-07 14:34:00 +10:00
Mark Andrews
d72f659a35 add test for 'provide-ixfr no;' ; add forensics support
(cherry picked from commit d547465af5)
2019-05-07 14:34:00 +10:00
Mark Andrews
8b8f0dc160 only test provideixfr if the transport is TCP
(cherry picked from commit 18c49853e3)
2019-05-07 14:06:25 +10:00
Evan Hunt
510f8d9ff7 Merge branch 'each-win32-parallel-tests-v9_11' into 'v9_11'
enable parallel system tests on windows

See merge request isc-projects/bind9!1895
2019-05-06 22:04:51 -04:00
Evan Hunt
52347fa883 CHANGES
(cherry picked from commit d3cd0729c9)
2019-05-06 18:38:34 -07:00
Evan Hunt
50dfe1aa2b enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.

(cherry picked from commit bbae24c140)
2019-05-06 18:38:34 -07:00
Evan Hunt
274da3c24b Merge branch 'each-fix-rpz-test-v9_11' into 'v9_11'
RPZ test had spurious references to DNSRPS, which isn't in 9.11

See merge request isc-projects/bind9!1898
2019-05-06 21:17:38 -04:00
Evan Hunt
111c692efd RPZ test had spurious references to DNSRPS, which isn't in 9.11 2019-05-06 18:05:49 -07:00
Mark Andrews
90a6482985 Merge branch '983-delv-www-isc-org-any-rtrace-multiline-leaks-memory-v9_11' into 'v9_11'
Resolve "'delv www.isc.org ANY +rtrace +multiline' leaks memory"

See merge request isc-projects/bind9!1897
2019-05-06 20:52:47 -04:00
Mark Andrews
eef0430b75 add CHANGES note
(cherry picked from commit ce5520b695)
2019-05-07 10:35:03 +10:00
Mark Andrews
c26a421aab check that delv -t any works
(cherry picked from commit 6999bee7ef)
2019-05-07 10:34:30 +10:00
Mark Andrews
595544329a fix whitespace
(cherry picked from commit 32ba5a0494)
2019-05-07 10:28:48 +10:00
Mark Andrews
333116ac5c return rdatasets when processing ANY queries in client_resfind
(cherry picked from commit 127333c71f)
2019-05-07 10:28:47 +10:00
Mark Andrews
405738b62f Merge branch '1000-arm-doc-rpz-nodata-policy-says-ancount-1-v9_11' into 'v9_11'
Resolve "ARM doc RPZ NODATA policy says ANCOUNT=1"

See merge request isc-projects/bind9!1891
2019-05-06 04:06:56 -04:00
Mark Andrews
401f9c4a3d A NODATA response has ANCOUNT of 0 assuming no CNAME/DNAMES
(cherry picked from commit 4889e06c3a)
2019-05-06 17:54:18 +10:00
Michał Kępień
16bb74b1bc Merge branch 'michal/simplify-trailing-period-handling-in-system-tests-v9_11' into 'v9_11'
[v9_11] Simplify trailing period handling in system tests

See merge request isc-projects/bind9!1878
2019-04-26 15:12:12 -04:00
Michał Kępień
72c7bc03c9 Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do.  When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems.  This environment variable is then used by system test scripts
for handling this discrepancy properly.

In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:

    dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"

In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.

To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.

(cherry picked from commit da2c1b74ad)
2019-04-26 20:50:55 +02:00
Ondřej Surý
343fa39055 Merge branch 'prep-release-v9_11' into 'v9_11'
Prep release v9 11

See merge request isc-projects/bind9!1865
2019-04-25 10:09:51 -04:00
Tinderbox User
a648e07bed doc rebuild
(cherry picked from commit 40b034f5b8)
2019-04-25 15:56:01 +02:00
Tinderbox User
7c6b5f2eaa prep 9.11.6-P1
(cherry picked from commit 6195f229b6)
2019-04-25 15:55:59 +02:00
Ondřej Surý
aaee75288a Merge branch '999-tcp-client-crash-v9_11-locks' into 'v9_11'
Replace atomic operations in bin/named/client.c with isc_refcount reference counting

See merge request isc-projects/bind9!1864
2019-04-25 09:54:09 -04:00
Ondřej Surý
ef49780d30 Replace atomic operations in bin/named/client.c with isc_refcount reference counting 2019-04-25 15:40:06 +02:00
Ondřej Surý
581ae79528 Merge branch '615-tcp-client-crash-v9_11-v9_11_6_patch-v9_11' into 'v9_11'
Resolve "tcp-clients mostly ineffective"

See merge request isc-projects/bind9!1863
2019-04-25 09:38:41 -04:00
Evan Hunt
b96a3a0c79 CHANGES, release note
(cherry picked from commit 5e18ad05f4)
2019-04-25 15:05:12 +02:00
Evan Hunt
59434b987e restore allowance for tcp-clients < interfaces
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.

we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.

(cherry picked from commit 0b4e2cd4c3192ba88569dd344f542a8cc43742b5)
(cherry picked from commit d01023aaac)
2019-04-25 15:04:26 +02:00
Evan Hunt
c47ccf630f refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
  for new connections on the interface, we can now force attachment to the
  quota using isc_quota_force(), instead of carrying on with the quota not
  attached.
- the TCP client quota is now referenced via a reference-counted
  'ns_tcpconn' object, one of which is created whenever a client begins
  listening for new connections, and attached to by members of that
  client's pipeline group. when the last reference to the tcpconn
  object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function.
- convert counters to atomic.

(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
(cherry picked from commit 13f7c918b8)
2019-04-25 15:04:26 +02:00
Evan Hunt
2ab8a085b3 better tcpquota accounting and client mortality checks
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
  carry this value on to new clients sharing the same pipeline group.
  don't call isc_quota_detach() on the tcpquota unless tcpattached is
  set.  this way clients that were allowed to accept TCP connections
  despite being over quota (and therefore, were never attached to the
  quota) will not inadvertently detach from it and mess up the
  accounting.
- simplify the code for tcpquota disconnection by using a new function
  tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
  exhaustion, check to see whether there are at least two active
  clients. previously, this was "at least one", but that could be
  insufficient if there was one other client in READING state (waiting
  for messages on an open connection) but none in READY (listening
  for new connections).
- before deciding whether a TCP client object can to go inactive, we
  must ensure there are enough other clients to maintain service
  afterward -- both accepting new connections and reading/processing new
  queries.  A TCP client can't shut down unless at least one
  client is accepting new connections and (in the case of pipelined
  clients) at least one additional client is waiting to read.

(cherry picked from commit c7394738b2445c16f728a88394864dd61baad900)
(cherry picked from commit e965d5f11d3d0f6d59704e614fceca2093cb1856)
(cherry picked from commit 87d4311614)
2019-04-25 15:04:26 +02:00
Michał Kępień
366b4e1ede use reference counter for pipeline groups (v3)
Track pipeline groups using a shared reference counter
instead of a linked list.

(cherry picked from commit 513afd33eb17d5dc41a3f0d2d38204ef8c5f6f91)
(cherry picked from commit 9446629b73)
2019-04-25 15:04:25 +02:00
Witold Kręcicki
719f604e3f tcp-clients could still be exceeded (v2)
the TCP client quota could still be ineffective under some
circumstances.  this change:

- improves quota accounting to ensure that TCP clients are
  properly limited, while still guaranteeing that at least one client
  is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
  was no longer needed
- adds comments

(cherry picked from commit 924651f1d5e605cd186d03f4f7340bcc54d77cc2)
(cherry picked from commit 55a7a458e3)
2019-04-25 15:04:25 +02:00
Witold Kręcicki
ec2d50da8d fix enforcement of tcp-clients (v1)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.

If TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.

(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
(cherry picked from commit 9689ffc485)
2019-04-25 15:04:25 +02:00