Commit Graph

11065 Commits

Author SHA1 Message Date
Tinderbox User
d58e36b410 prep 9.11.7 2019-05-10 05:03:46 +00:00
Michał Kępień
f04f107b7e Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 21:05:50 -07:00
Witold Kręcicki
1286d74c7d Fix race in unix socket code when closing a socket that has
already sent a recv/send event.

When doing isc_socket_cancel we need to purge the event that might
already be in flight. If it has been launched already we need
to inform it that it has to bail.
2019-05-09 18:48:06 +02:00
Ondřej Surý
0dced2fa6a Make lib/dns/gen.c compatible with reproducible builds.
The gen.c will now use SOURCE_DATE_EPOCH[1] if found in environment
to make the build more reproducible build friendly.

1. https://reproducible-builds.org/specs/source-date-epoch/

(cherry picked from commit c8cb612d39)
2019-05-09 16:05:38 +07:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
702cc2dde3 enforce known SSHFP finger print lengths
(cherry picked from commit 1722728c80)
2019-05-09 08:49:19 +10:00
Mark Andrews
595544329a fix whitespace
(cherry picked from commit 32ba5a0494)
2019-05-07 10:28:48 +10:00
Mark Andrews
333116ac5c return rdatasets when processing ANY queries in client_resfind
(cherry picked from commit 127333c71f)
2019-05-07 10:28:47 +10:00
Tinderbox User
7c6b5f2eaa prep 9.11.6-P1
(cherry picked from commit 6195f229b6)
2019-04-25 15:55:59 +02:00
Evan Hunt
c47ccf630f refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
  for new connections on the interface, we can now force attachment to the
  quota using isc_quota_force(), instead of carrying on with the quota not
  attached.
- the TCP client quota is now referenced via a reference-counted
  'ns_tcpconn' object, one of which is created whenever a client begins
  listening for new connections, and attached to by members of that
  client's pipeline group. when the last reference to the tcpconn
  object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function.
- convert counters to atomic.

(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
(cherry picked from commit 13f7c918b8)
2019-04-25 15:04:26 +02:00
Mark Andrews
ac77f8df02 using 0 instead of false
(cherry picked from commit da7f683abf)
2019-04-23 11:46:12 +10:00
Ondřej Surý
de4fe3ed32 On non-GNUC systems, use uintmax_t in the ISC_ALIGN macro
(cherry picked from commit 2e40cc94dc)
2019-04-18 13:18:10 +02:00
Ondřej Surý
376800b2ad Refactor the DNS_RDATASET_FIXED code to use constants instead of ifdefs
(cherry picked from commit 4edbb773a1)
2019-04-17 11:34:49 +02:00
Matthijs Mekking
4af2d5b6d6 With update-check-ksk also consider offline keys
The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records.  It will make sure the keys are
active and available.  However, for operational practices keys may
be offline.  This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.

(cherry picked from commit 3cb8c49c73)
(cherry picked from commit b508cffeee3bfb8bc7dcf39db59ec3782a5d9e4c)
2019-04-12 15:57:31 +02:00
Matthijs Mekking
9079ae03c7 Style: some curly brackets
(cherry picked from commit 2e83e3255a)
(cherry picked from commit 42b0bf4d3bab180876d4803fe2ec1f6e93064b28)
2019-04-12 15:57:15 +02:00
Mark Andrews
cba5989651 Add debug printfs
(cherry picked from commit b78e128a2f)
2019-04-11 19:52:38 +10:00
Mark Andrews
f3922dd9c1 Prevent WIRE_INVALID() being called without a argument
(cherry picked from commit e73a5b0ce3)
2019-04-11 19:51:06 +10:00
Mark Andrews
478de1f761 Check multi-line output from dns_rdata_tofmttext()
Check that multi-line output from dns_rdata_tofmttext() can be read
back in by dns_rdata_fromtext().

(cherry picked from commit b089f43b7a)
2019-04-11 19:51:06 +10:00
Mark Andrews
c6ca84a0c8 Process master file comments and make input invalid again
(cherry picked from commit 1a75a5cee6)
2019-04-11 19:51:05 +10:00
Mark Andrews
1a036f324f Set 'specials' to match 'specials' in 'lib/dns/master.c'
(cherry picked from commit 7941a9554f)
2019-04-11 19:51:05 +10:00
Mark Andrews
2c5652067f Fix whitespace so that the names align
(cherry picked from commit cc5e16e4d3)
2019-04-11 19:50:41 +10:00
Mark Andrews
8a7255c9fc Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.

(cherry picked from commit 36f30f5731)
2019-04-11 19:48:02 +10:00
Mark Andrews
4e4d7d5b8b add ds unit test
(cherry picked from commit 6eb28eda1e)
2019-04-10 15:44:00 +10:00
Mark Andrews
8df14d2f89 enforce DS hash exists
(cherry picked from commit b274f3fad7)
2019-04-10 14:44:23 +10:00
Mark Andrews
94e852bdcf check that from fromtext produces valid towire input
(cherry picked from commit 7b0a653858)
2019-04-10 13:24:42 +10:00
Mark Andrews
b35eacbad2 for rkey flags MUST be zero
(cherry picked from commit 82d4931440)
2019-04-09 14:27:11 +10:00
Mark Andrews
bbd7a496be check flags for no key in fromwire for *KEY
(cherry picked from commit 2592e91516)
2019-04-09 14:27:03 +10:00
Witold Kręcicki
736d8c5b80 Fix assertion failure in nslookup/dig/mdig when message has multiple SIG(0) options.
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.

(cherry picked from commit 51a55ddbb7)
2019-03-26 21:32:41 +11:00
Ondřej Surý
c927beea2d Make lib/dns/dnstap.pb-c.h private header
This changes dns_dtdata struct to not expose data types from dnstap.pb-c.h to
prevent the need for including this header where not really needed.

(cherry picked from commit 8ccce7e24b)
2019-03-22 12:08:16 +01:00
Mark Andrews
96b9f0340a Disallow empty ZONEMD hashes
This change is the result of discussions with the authors of
draft-wessels-dns-zone-digest.

(cherry picked from commit 473987d8d9)
2019-03-22 06:52:32 +11:00
Mark Andrews
30f10bf79e add brackets for multi-line output
(cherry picked from commit 40a770b932)
2019-03-21 20:26:52 +11:00
Mark Andrews
98a37c9aba add #include <isc/util.h> 2019-03-20 11:41:51 +11:00
Petr Menšík
6992c50240 Fix regression in dnstap_test with native pkcs11
Change to cmocka broken initialization of TZ environment. This time,
commit 1cf1254051 is not soon enough. Has
to be moved more forward, before any other tests. It library is not full
reinitialized on each test.

(cherry picked from commit 71c4fad592)
2019-03-15 16:19:44 +11:00
Petr Mensik
5480d26da4 Workaround to kyua bug
Kyua 0.13 is not able to correctly handle whole test skipping.
Make workaround to it, include skipping message.
2019-03-14 14:19:45 -07:00
Mark Andrews
8a85e3d924 force promotion to unsigned int
(cherry picked from commit 1eba2c5b06)
2019-03-14 13:53:04 -07:00
Mark Andrews
25268aaf8c assert hevent->rdataset is non NULL
(cherry picked from commit d8d04edfba)
2019-03-14 13:17:10 -07:00
Mark Andrews
e6ab8fc7d0 add missing MAYBE_UNLOCK
(cherry picked from commit ff8bf617e7)
2019-03-14 09:01:31 +11:00
Witold Kręcicki
ff401e670f Fix a race in fctx_cancelquery.
When sending an udp query (resquery_send) we first issue an asynchronous
isc_socket_connect and increment query->connects, then isc_socket_sendto2
and increment query->sends.
If we happen to cancel this query (fctx_cancelquery) we need to cancel
all operations we might have issued on this socket. If we are under very high
load the callback from isc_socket_connect (resquery_udpconnected) might have
not yet been fired. In this case we only cancel the CONNECT event on socket,
and ignore the SEND that's waiting there (as there is an `else if`).
Then we call dns_dispatch_removeresponse which kills the dispatcher socket
and calls isc_socket_close - but if system is under very high load, the send
we issued earlier might still not be complete - which triggers an assertion
because we're trying to close a socket that's still in use.

The fix is to always check if we have incomplete sends on the socket and cancel
them if we do.

(cherry picked from commit 56183a3917)
2019-03-12 13:00:05 -07:00
Michał Kępień
78ecd57872 Make delv use OS-supplied ephemeral port range
Make delv honor the operating system's preferred ephemeral port range
instead of always using the default 1024-65535 range for outgoing
messages.

(cherry picked from commit ada6846a10)
2019-03-08 13:14:10 +01:00
Tony Finch
660c9af77b cleanup: use dns_secalg_t and dns_dsdigest_t where appropriate
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.

Use dns_dsdigest_t in library function arguments.

(cherry picked from commit 0f219714e1)
2019-03-08 22:25:27 +11:00
Mark Andrews
b3479ae5b0 #include <limits.h> for PATH_MAX, define if not found
(cherry picked from commit 1fc7be36eb)
2019-03-08 18:24:13 +11:00
Evan Hunt
148aa70127 silence a warning about potential snprintf overrun
(cherry picked from commit 7f26cad247)
2019-03-07 21:49:15 -08:00
Mark Andrews
28ea43ab35 Handle EDQUOT and ENOSPC errors
(cherry picked from commit 435ae2f29a)
2019-03-07 21:29:59 -08:00
Mark Andrews
09ce08a85f fix the use of dns_wildcardname as an optimisation in DLZ
(cherry picked from commit cb32cd98bd)
2019-03-07 20:34:59 -08:00
Mark Andrews
2671666ef8 improve clang / cmocka integration
(cherry picked from commit cb913177ae)
2019-03-05 11:04:46 -08:00
Tinderbox User
4738d62e1c doc rebuild 2019-02-20 19:54:40 -08:00
Tinderbox User
4b1b4e1f78 prep 9.11.6rc1 2019-02-20 19:54:38 -08:00
Matthijs Mekking
8f64928e2e Update keyfetch_done compute_tag check
If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
2019-02-20 19:54:20 -08:00
Matthijs Mekking
acae423ef4 Don't free key in compute_tag in case of failure
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created.  Doing so
nevertheless will result in an assertion failure.

This can happen if the key uses an unsupported algorithm.

(cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
2019-02-20 19:54:20 -08:00