Commit Graph

34802 Commits

Author SHA1 Message Date
Tom Krizek
edd923e8eb Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-11-01 19:51:52 +01:00
Tom Krizek
a51b0ad31f Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-11-01 19:51:49 +01:00
Arаm Sаrgsyаn
d690c55ed7 Merge branch '2895-named-can-create-unrecoverable-managed-keys-v9_16' into 'v9_16'
[v9_16] Don't trust a placeholder KEYDATA record

See merge request isc-projects/bind9!7009
2022-11-01 12:11:16 +00:00
Aram Sargsyan
854b2cf182 Add CHANGES and release notes for [GL #2895]
(cherry picked from commit 3bf4bc7336)
2022-11-01 11:20:25 +00:00
Aram Sargsyan
78e04d8d0c Don't trust a placeholder KEYDATA record
When named starts it creates an empty KEYDATA record in the managed-keys
zone as a placeholder, then schedules a key refresh. If key refresh
fails for some reason (e.g. connectivity problems), named will load the
placeholder key into secroots as a trusted key during the next startup,
which will break the chain of trust, and named will never recover from
that state until managed-keys.bind and managed-keys.bind.jnl files are
manually deleted before (re)starting named again.

Before calling load_secroots(), check that we are not dealing with a
placeholder.

(cherry picked from commit 354ae2d7e3)
2022-11-01 10:55:38 +00:00
Aram Sargsyan
f12260c435 Test managed-keys placeholder
Add a dnssec test to make sure that named can correctly process a
managed-keys zone with a placeholder KEYDATA record.

(cherry picked from commit 8c48eabbc1)
2022-11-01 10:55:19 +00:00
Evan Hunt
946c389254 Merge branch '3617-keyfetch-race-v9_18-v9_16' into 'v9_16'
Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()

See merge request isc-projects/bind9!7007
2022-11-01 09:22:52 +00:00
Evan Hunt
90c41d41d7 CHANGES for [GL #3617] 2022-11-01 01:46:39 -07:00
Evan Hunt
8010389902 Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()
Because dns_resolver_createfetch() locks the view, it was necessary
to unlock the zone in zone_refreshkeys() before calling it in order
to maintain the lock order, and relock afterward. this permitted a race
with dns_zone_synckeyzone().

This commit moves the call to dns_resolver_createfetch() into a separate
function which is called asynchronously after the zone has been
unlocked.

The keyfetch object now attaches to the zone to ensure that
it won't be shut down before the asynchronous call completes.

This necessitated refactoring dns_zone_detach() so it always runs
unlocked. For managed zones it schedules zone_shutdown() to
run asynchronously; for unmanaged zones there is no task.
2022-11-01 01:46:17 -07:00
Tom Krizek
2e7f973c6e Merge branch '3517-serve-stale-cache-timeout-0-test-v9_16' into 'v9_16'
[v9_16] [CVE-2022-3080] Test serve stale cache with timeout 0 and CNAME

See merge request isc-projects/bind9!6977
2022-10-24 13:08:48 +00:00
Tom Krizek
29782e5613 Remove misleading comment from serve-stale test
The stale-answer-client-timeout option is not set to 0 in the config
neither is it the default value. This was probably caused by a
copy-paste error.
2022-10-24 14:39:48 +02:00
Tom Krizek
01293b86d9 Test serve stale cache with timeout 0 and CNAME
Add a couple of tests that verify the serve-stale behavior when
stale-answer-client-timeout is set to 0 and a (stale) CNAME record is
queried.

Related #3517
2022-10-24 14:39:46 +02:00
Michał Kępień
d736356e3d Merge branch 'michal/bump-sphinx-version-to-5.3.0-v9_16' into 'v9_16'
[v9_16] Bump Sphinx version to 5.3.0

See merge request isc-projects/bind9!6974
2022-10-24 09:57:45 +00:00
Michał Kępień
f93e4c160c Bump Sphinx version to 5.3.0
Make the Sphinx version listed in doc/arm/requirements.txt match the
version currently used in GitLab CI, so that Read the Docs builds the
documentation using the same Python software versions as those used in
GitLab CI.

(cherry picked from commit a8f0ab7df6)
2022-10-24 11:45:25 +02:00
Arаm Sаrgsyаn
523fa7c3a9 Merge branch '3603-resolver-prefetch-eligibility-edge-case-bug-v9_16' into 'v9_16'
[v9_16] Synchronize prefetch "trigger" and "eligibility" code and documentation

See merge request isc-projects/bind9!6970
2022-10-21 11:48:32 +00:00
Aram Sargsyan
c65c6ecee5 Getting the "prefetch" setting from the configuration cannot fail
The "prefetch" setting is in "defaultconf" so it cannot fail, use
INSIST to confirm that.

The 'trigger' and 'eligible' variables are now prefixed with
'prefetch_' and their declaration moved to an upper level, because
there is no more additional code block after this change.

(cherry picked from commit 0227565cf1)
2022-10-21 10:30:56 +00:00
Aram Sargsyan
ee7179f482 Fix prefetch "trigger" value's documentation in ARM
For the prefetch "trigger" parameter ARM states that when a cache
record with a lower TTL value is encountered during query processing,
it is refreshed. But in reality, the record is refreshed when the TTL
value is lower or equal to the configured "trigger" value.

Fix the documentation to make it match with with the code.

(cherry picked from commit ef344b1f52)
2022-10-21 10:30:43 +00:00
Aram Sargsyan
2f5bd9c15d Add a CHANGES note for [GL #3603]
(cherry picked from commit 041ffac0d7)
2022-10-21 10:30:37 +00:00
Aram Sargsyan
648e71b086 Match prefetch eligibility behavior with ARM
ARM states that the "eligibility" TTL is the smallest original TTL
value that is accepted for a record to be eligible for prefetching,
but the code, which implements the condition doesn't behave in that
manner for the edge case when the TTL is equal to the configured
eligibility value.

Fix the code to check that the TTL is greater than, or equal to the
configured eligibility value, instead of just greater than it.

(cherry picked from commit 863f51466e)
2022-10-21 10:30:28 +00:00
Aram Sargsyan
822dd7b8b9 Add another prefetch check in the resolver system test
The test triggers a prefetch, but fails to check if it acutally
happened, which prevented it from catching a bug when the record's
TTL value matches the configured prefetch eligibility value.

Check that prefetch happened by comparing the TTL values.

(cherry picked from commit 89fa9a6592)
2022-10-21 10:30:13 +00:00
Arаm Sаrgsyаn
64fa7d0360 Merge branch '3598-adb-quota-might-not-be-decremented-v9_16' into 'v9_16'
[v9_16] Resolve "ADB quota might not be decremented"

See merge request isc-projects/bind9!6968
2022-10-21 10:01:07 +00:00
Aram Sargsyan
16a06d1dc3 Add CHANGES and release notes for [GL #3598]
(cherry picked from commit 6f50972e5f)
2022-10-21 09:04:13 +00:00
Aram Sargsyan
c3660564ce Call dns_adb_endudpfetch() on error path, if required
For UDP queries, after calling dns_adb_beginudpfetch() in fctx_query(),
make sure that dns_adb_endudpfetch() is also called on error path, in
order to adjust the quota back.

(cherry picked from commit 5da79e2be0)
2022-10-21 08:46:43 +00:00
Artem Boldariev
5e2c20a88c Merge branch '3563-fix-named-startup-on-manycore-solaris-systems-v9-16' into 'v9_16'
[Backport to v9.16] Fix named failing to start on Solaris systems with hundreds of CPUs

See merge request isc-projects/bind9!6963
2022-10-20 13:28:36 +00:00
Artem Boldariev
425fd36162 Modify release notes [GL #3563]
Mention that a startup problem on manycore Solaris systems is fixed.

(cherry picked from commit 2c9400f116)
2022-10-20 15:23:00 +03:00
Artem Boldariev
d6c0aed9df Modify CHANGES [GL #3563]
Mention that a startup problem on manycore Solaris systems is fixed.

(cherry picked from commit 03ee132e28)
2022-10-20 15:22:09 +03:00
Artem Boldariev
46664bfe5d Fix named failing to start on Solaris systems with hundreds of CPUs
This commit fixes a startup issue on Solaris systems with
many (reportedly > 510) CPUs by bumping RLIMIT_NOFILE. This appears to
be a regression from 9.11.

(cherry picked from commit fff01fe7eb)
2022-10-20 15:21:53 +03:00
Michal Nowak
1015ccf6a2 Merge tag 'v9_16_34' into v9_16
BIND 9.16.34
2022-10-20 12:51:06 +02:00
Michal Nowak
c4a2ea04d0 Merge branch '3394-cve-2022-2795-test-v9_16' into 'v9_16'
[v9_16] Add tests for CVE-2022-2795

See merge request isc-projects/bind9!6956
2022-10-20 08:22:19 +00:00
Michał Kępień
67319f1004 Add tests for CVE-2022-2795
Add a test ensuring that the amount of work fctx_getaddresses() performs
for any encountered delegation is limited: delegate example.net to a set
of 1,000 name servers in the redirect.com zone, the names of which all
resolve to IP addresses that nothing listens on, and query for a name in
the example.net domain, checking the number of times the findname()
function gets executed in the process; fail if that count is excessively
large.

Since the size of the referral response sent by ans3 is about 20 kB, it
cannot be sent back over UDP (EMSGSIZE) on some operating systems in
their default configuration (e.g. FreeBSD - see the
net.inet.udp.maxdgram sysctl).  To enable reliable reproduction of
CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid
false positives at the same time (thread scheduling - and therefore the
number of fetch context restarts - vary across operating systems and
across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that
it also listens on TCP and make "ns1" in the "resolver" system test
always use TCP when communicating with "ans3".

Also add a test (foo.bar.sub.tld1/TXT) that ensures the new limitations
imposed on the resolution process by the mitigation for CVE-2022-2795 do
not prevent valid, glueless delegation chains from working properly.

(cherry picked from commit 604d8f0b96)
2022-10-20 10:19:22 +02:00
Evan Hunt
828e7f5257 Merge branch '3247-rpz-ip-cd-v9_16' into 'v9_16'
ensure RPZ lookups handle CD=1 correctly

See merge request isc-projects/bind9!6958
2022-10-20 00:31:52 +00:00
Evan Hunt
08ed9185cd CHANGES for [GL #3247] 2022-10-19 13:18:49 -07:00
Evan Hunt
2cf5fd67c0 add a test with CD=1 query for pending data
this is a regression test for [GL #3247].
2022-10-19 13:17:32 -07:00
Evan Hunt
8e4a1f3483 ensure RPZ lookups handle CD=1 correctly
RPZ rewrites called dns_db_findext() without passing through the
client database options; as as result, if the client set CD=1,
DNS_DBFIND_PENDINGOK was not used as it should have been, and
cache lookups failed, resulting in failure of the rewrite.

(cherry picked from commit 305a50dbe1)
2022-10-19 13:16:51 -07:00
Tom Krizek
8097e97d9b Merge branch 'tkrizek/system-tests-fixes-v9_16' into 'v9_16'
Update various system tests and add them to default test suite [v9_16]

See merge request isc-projects/bind9!6950
2022-10-19 14:59:23 +00:00
Tom Krizek
a8f286c9a5 Remove generated controls.conf file from system tests
The controls.conf file shouldn't be used directly without templating it
first. Remove this no longer used hard-coded file to avoid confusion.

(cherry picked from commit cbd0355328)
2022-10-19 16:58:56 +02:00
Tom Krizek
456baa7f4a Revive dupsigs system test
Speed up the test from 20 minutes to 2.5 minutes and make it part of the
default test suite executed in CI.
- decrease number of records to sign from 2000 to 500
- decrease the signing interval by a factor of 6
- shorten the final part of the test after last signing (since nothing
  new happens there)

Finally, clarify misleading comments about (in)sufficient time for zone
re-signing. The time used in the test is in fact sufficient for the
re-signing to happen. If it wasn't, the previous ZSK would end up being
deleted while its signatures would still be present, which is a
situation where duplicate signatures can still happen.

(cherry picked from commit cb0a2ae1dd)
2022-10-19 16:58:56 +02:00
Tom Krizek
84d6484c5a Revive the stress system test
Ensure the port numbers are dynamically filled in with copy_setports.

Clarify test fail condition.

Make the stress test part of the default test suite since it doesn't
seem to run too long or interfere with other tests any more (the
original note claiming so is more than 20 years old).

Related !6883

(cherry picked from commit 7495deea3e)
2022-10-19 16:58:56 +02:00
Tom Krizek
81a224f418 Revive dialup system test
Properly template the port number in config files with copy_setports.

The test takes two minutes on my machine which doesn't seem like a
proper justification to exclude it from the test suite, especially
considering we run these tests in parallel nowadays. The resource usage
doesn't seems significantly increased so it shouldn't interfere with
other system tests.

There also exists a precedent for longer running system tests that are
already part of the default system test suite (e.g. serve-stale takes
almost three minutes on the same machine).

(cherry picked from commit 235ae5f344)
2022-10-19 16:58:55 +02:00
Matthijs Mekking
4c70fd2e21 Merge branch 'matthijs-fix-dnssec-signing-log-lovel-v9_16' into 'v9_16'
[v9_16] Change log level when doing rekey

See merge request isc-projects/bind9!6940
2022-10-19 14:27:58 +00:00
Matthijs Mekking
cbdf23e5ec Change log level when doing rekey
This log happens when BIND checks the parental-agents if the DS has
been published. But if you don't have parental-agents set up, the list
of keys to check will be empty and the result will be ISC_R_NOTFOUND.
This is not an error, so change the log level to debug in this case.

(cherry picked from commit a1d57fc8cb)
2022-10-18 16:31:01 +02:00
Petr Špaček
a6f9d0c7c4 Merge branch 'pspacek/ci-no-developer-mode-v9_16' into 'v9_16'
Add CI job with --disable-developer [v9_16]

See merge request isc-projects/bind9!6936
2022-10-18 13:48:35 +00:00
Petr Špaček
b57241ddbb Allow system tests to run under root user when inside CI
https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
says variable CI_SERVER="yes" is available in all versions of Gitlab.

(cherry picked from commit ddf46056ca)

Adapted to v9_16's version of run.sh.
2022-10-18 15:18:13 +02:00
Petr Špaček
6a7ec0c01c Build gcc:oraclelinux9:amd64 CI jobs with --disable-developer
Purpose of this is to guard against tests which rely on querytrace or
other optional features enabled by --enable-developer switch.

(cherry picked from commit d6db5c5335)
2022-10-18 15:16:16 +02:00
Ondřej Surý
b3cb637a67 Merge branch 'ondrej-add-ISC_LIST,LINK_INITIALIZER-v9_16' into 'v9_16'
Add ISC_{LIST,LINK}_INITIALIZER for designated initializers

See merge request isc-projects/bind9!6935
2022-10-18 13:15:29 +00:00
Ondřej Surý
7b4cf67261 Replace (void *)-1 with ISC_LINK_TOMBSTONE
Instead of having "arbitrary" (void *)-1 to define non-linked, add a
ISC_LINK_TOMBSTONE(type) macro that replaces the "magic" value with a
define.

(cherry picked from commit 5e20c2ccfb)
2022-10-18 14:30:49 +02:00
Ondřej Surý
a317b2ea1c Add ISC_{LIST,LINK}_INITIALIZER for designated initializers
Since we are using designated initializers, we were missing initializers
for ISC_LIST and ISC_LINK, add them, so you can do

    *foo = (foo_t){ .list = ISC_LIST_INITIALIZER };

Instead of:

    *foo = (foo_t){ 0 };
    ISC_LIST_INIT(foo->list);

(cherry picked from commit cb3c36b8bf)
2022-10-18 14:30:49 +02:00
Arаm Sаrgsyаn
3c34c54b6c Merge branch '3584-ns_statscounter_recursclients-bug-v9_16' into 'v9_16'
[v9_16] Fix ns_statscounter_recursclients counting bug

See merge request isc-projects/bind9!6929
2022-10-18 11:26:10 +00:00
Aram Sargsyan
8dbdf6bc1b Add a release note for [GL #3584]
(cherry picked from commit d83642b3ac)
2022-10-18 10:38:04 +00:00
Aram Sargsyan
f82f78d7f6 Add a CHANGES note for [GL #3584]
(cherry picked from commit 5b1ef41897)
2022-10-18 10:38:04 +00:00