Commit Graph

15542 Commits

Author SHA1 Message Date
Mark Andrews
57e84efd67 Update zone transfer summary
Print the expire option in the zone transfer summary. This is
currently emitted in a DEBUG(1) message.

(cherry picked from commit 5253c75b7a)
2024-11-04 18:30:10 +00:00
Matthijs Mekking
a92fb659d3 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.

(cherry picked from commit 680aedb595)
2024-11-04 01:10:34 +00:00
Timo Eisenmann
7a5b3c39fc Use TLS for notifies if configured to do so
(cherry picked from commit e9d54d798f)
2024-10-24 03:11:50 +00:00
Mark Andrews
d5da28d1ca Fix TCP dispatches and transport
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused.  Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.

(cherry picked from commit baab8a5d75)
2024-10-24 01:21:37 +00:00
Mark Andrews
6918c9d17a Fix parsing of hostnames in rndc.conf
When DSCP was removed the parsing of hostnames was accidentally
broken resulting in an assertion failure.  Call cfg_parse_tuple
rather than using custom code in parse_sockaddrnameport.

(cherry picked from commit 6c095f89f5)
2024-10-22 00:12:32 +00:00
Evan Hunt
b5475c9cda corrected code style errors
- add missing brackets around one-line statements
- add paretheses around return values
2024-10-18 19:31:56 +00:00
Mark Andrews
887e874e93 Fix recursive-clients 0
Setting recursive-clients 0 triggered an assertion in isc_quota_soft.
This has now been fixed.

(cherry picked from commit 840eaa628d)
2024-10-17 22:05:22 +00:00
Petr Menšík
75a50925f7 Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL shims
The <openssl/{hmac,engine}.h> headers were unused and including the
<openssl/engine.h> header might cause build failure when OpenSSL
doesn't have Engines support enabled.

See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
2024-10-16 04:39:43 +00:00
Mark Andrews
14bb1f8aa0 Use a binary search to find the NSEC3 closest encloser
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response.  minlabels is the suffix length that corresponds
to longest found existing name.

(cherry picked from commit 67f31c5046)
2024-10-14 23:55:08 +00:00
Matthijs Mekking
7aaa36f09f Small keymgr improvement
When a key is to be purged, don't run the key state machinery for it.

(cherry picked from commit af54e3dadc)
2024-10-14 10:03:31 +02:00
Matthijs Mekking
2494275a8e Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 10:03:00 +02:00
Matthijs Mekking
d768dd1f5d Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436

(cherry picked from commit 0396bf98ee)
2024-10-10 09:29:52 +00:00
Aram Sargsyan
3b76aa01ba Refactor the way check_recursionquota() is used
Rename check_recursionquota() to acquire_recursionquota(), and
implement a new function called release_recursionquota() to
reverse the action. It helps with decreasing code duplication.

(cherry picked from commit 7bd44a4182)
2024-10-09 11:40:19 +00:00
Aram Sargsyan
dbd308436f Fix error path bugs in the "recursing-clients" list management
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.

Also make sure that unlinking happens before detaching the
client's handle, as it is the logically correct order, e.g.
in case if it's the last handle and ns__client_reset_cb()
can be called because of the detachment.

(cherry picked from commit 36c4808903)
2024-10-09 11:40:19 +00:00
Aram Sargsyan
407aba8840 Fix a data race in dns_zone_getxfrintime()
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions.

(cherry picked from commit ab07803465)
2024-10-09 10:34:28 +00:00
Aram Sargsyan
3a5e683075 Clean up 'nodetach' in ns_client
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently
is always 'false'. Clean up the member and its usage.

(cherry picked from commit b8c068835e)
2024-10-09 09:16:21 +00:00
Ondřej Surý
4b4c550cd8 Don't enable SO_REUSEADDR on outgoing UDP sockets
Currently, the outgoing UDP sockets have enabled
SO_REUSEADDR (SO_REUSEPORT on BSDs) which allows multiple UDP sockets to
bind to the same address+port.  There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic.  This in turn could lead to incoming DNS message matching to
invalid dns_dispatch and getting dropped.

Disable setting the SO_REUSEADDR on the outgoing UDP sockets.  This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.

(cherry picked from commit eec30c33c2)
2024-10-02 12:16:58 +00:00
Ondřej Surý
b46108b428 Skip TCP dispatch responses that are not ours
When matching the TCP dispatch responses, we should skip the responses
that do not belong to our TCP connection.  This can happen with faulty
upstream server that sends invalid QID back to us.

(cherry picked from commit 4ef316e21e)
2024-10-02 10:45:05 +00:00
Aram Sargsyan
ca966c396a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

(cherry picked from commit d49a8f518a)
2024-10-02 09:53:45 +00:00
Ondřej Surý
5701bf9dab Use release memory ordering when incrementing reference counter
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be same when both calls are executed at the same time.

(cherry picked from commit 88227ea665)
2024-10-02 09:09:35 +02:00
Mark Andrews
7e8ffe3d63 Store static-stub addresses seperately in the adb
Static-stub address and addresses from other sources where being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.

(cherry picked from commit b3a2c790f3)
2024-10-01 01:27:55 +00:00
Petr Menšík
59770f281c Move common flags logging to shared functions
Query and response log shares the same flags. Move flags logging out of
log_query to share it with log_response. Use buffer instead of snprintf
to fill flags a bit faster.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit e6b19af2dd)
2024-09-30 00:10:47 +00:00
Petr Menšík
d9d50f6274 Make responselog flags similar to querylog
Remove answer flag from log, log instead count of records for each
message section. Include EDNS version and few flags of response. Add
also status of result.

Still does not include body of responses rrset.

(cherry picked from commit 6f879aba65)
2024-09-30 00:10:47 +00:00
Mark Andrews
3968813724 Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.

(cherry picked from commit 5fad79c92f)
2024-09-30 00:10:47 +00:00
Aram Sargsyan
346850954c Add a missing rcu_read_unlock() call on exit path
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.

(cherry picked from commit 4123d59fbc)
2024-09-27 13:53:31 +00:00
Mark Andrews
c6045acc41 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:52 +00:00
Nicki Křížek
f2fa1b7d63 Update code formatting
clang 19 was updated in the base image.

(cherry picked from commit ebb5bd9c0f)
2024-09-21 12:45:27 +02:00
Ondřej Surý
deba4670cb Don't enable timeouts in dns_dispatch for incoming transfers
The dns_dispatch_add() call in the dns_xfrin unit had hardcoded 30
second limit.  This meant that any incoming transfer would be stopped in
it didn't finish within 30 seconds limit.  Additionally, dns_xfrin
callback was ignoring the return value from dns_dispatch_getnext() when
restarting the reading from the TCP stream; this could cause transfers
to get stuck waiting for a callback that would never come due to the
dns_dispatch having already been shut down.

Call the dns_dispatch_add() without a timeout and properly handle the
result code from the dns_dispatch_getnext().

(cherry picked from commit 96ef98558c)
2024-09-21 08:53:25 +00:00
Ondřej Surý
4127068305 Modify dns_dispatch API to accept zero timeout
The dns_dispatch_add() has timeout parameter that could not be 0 (for
not timeout).  Modify the dns_dispatch implementation to accept a zero
timeout for cases where the timeouts are undesirable because they are
managed externally.

(cherry picked from commit 0f810b3144)
2024-09-21 08:53:25 +00:00
Nicki Křížek
38fb8bed49 Revert "Double the number of threadpool threads"
This reverts commit 6857df20a4.

(cherry picked from commit 842abe9fbf)
2024-09-20 14:51:33 +00:00
Evan Hunt
c1b94dc622 rename 'rbtiterator' and similar names in qpcache
when the QP cache was adapted from the RBT database, some names
weren't changed. this could be confusing, so let's change them now.
also, we no longer need to include rbt.h.

(cherry picked from commit 5a444838db)
2024-09-19 15:02:23 -07:00
Nicki Křížek
379d7faeac Merge tag 'v9.20.2' into bind-9.20 2024-09-18 18:06:27 +02:00
Aram Sargsyan
0098ff6456 Set logging category for notify/xfer related messages
Some notify/xfer related log messages are logged at the general
category. Set a more suitable caterogry for those messages.

(cherry picked from commit 7c45caa8a5)
2024-09-17 16:14:52 +00:00
Ondřej Surý
6bff6df272 Limit the outgoing UDP send queue size
If the operating system UDP queue gets full and the outgoing UDP sending
starts to be delayed, BIND 9 could exhibit memory spikes as it tries to
enqueue all the outgoing UDP messages.  As those are not going to be
delivered anyway (as we argued when we stopped enlarging the operating
system send and receive buffers), try to send the UDP messages directly
using `uv_udp_try_send()` and if that fails, drop the outgoing UDP
message.

(cherry picked from commit b576c4c977)
2024-09-17 16:31:25 +02:00
alessio
6e42d96cf1 Do not set SO_INCOMING_CPU
We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej
shows that fixing the issue and setting affinities is worse than letting
the kernel schedule threads without constraints. So we should not set
SO_INCOMING_CPU anymore.

(cherry picked from commit 8b8149cdd2)
2024-09-16 12:57:08 +00:00
Aram Sargsyan
59cc292928 Fix a 'serverquota' counter calculation bug
The 'all_spilled' local variable in resolver.c:fctx_getaddresses()
is 'true' by default, and only becomes false when there is at least
one successfully found NS address. However, when a 'forward only;'
configuration is used, the code jumps over the part where it looks
for NS addresses and doesn't reset the 'all_spilled' to false, which
results in incorretly increased 'serverquota' statistics variable,
and also in invalid return error code from the function. The result
code error didn't make any differences, because all codes other than
'ISC_R_SUCCESS' or 'DNS_R_WAIT' were treated in the same way, and
the result code was never logged anywhere.

Set the default value of 'all_spilled' to 'false', and only make it
'true' before actually starting to look up NS addresses.

(cherry picked from commit e430ce7039)
2024-09-16 09:31:38 +00:00
Ondřej Surý
26c2cbe63b Move offloaded DNSSEC operations to different helper threads
Currently, the isc_work API is overloaded.  It runs both the
CPU-intensive operations like DNSSEC validations and long-term tasks
like RPZ processing, CATZ processing, zone file loading/dumping and few
others.

Under specific circumstances, when many large zones are being loaded, or
RPZ zones processed, this stops the CPU-intensive tasks and the DNSSEC
validation is practically stopped until the long-running tasks are
finished.

As this is undesireable, this commit moves the CPU-intensive operations
from the isc_work API to the isc_helper API that only runs fast memory
cleanups now.

(cherry picked from commit 8a96a3af6a)
2024-09-12 16:41:02 +02:00
Ondřej Surý
17f23224d1 Add isc_helper API that adds 1:1 thread for each loop
Add an extra thread that can be used to offload operations that would
affect latency, but are not long-running tasks; those are handled by
isc_work API.

Each isc_loop now has matching isc_helper thread that also built on top
of uv_loop.  In fact, it matches most of the isc_loop functionality, but
only the `isc_helper_run()` asynchronous call is exposed.

(cherry picked from commit 6370e9b311)
2024-09-12 14:39:07 +00:00
Aram Sargsyan
65fced42b9 Fix data race in offloaded dns_message_checksig()
When verifying a message in an offloaded thread there is a race with
the worker thread which writes to the same buffer. Clone the message
buffer before offloading.

(cherry picked from commit 35ef25e5ea)
2024-09-12 09:12:35 +00:00
Mark Andrews
4dcfa7b580 Fix named-checkconf and statistics-channels
If neither libxml2 nor libjson_c are available have named-checkconf
fail if a statistics-channels block is specified.

(cherry picked from commit b9246418e8)
2024-09-12 03:27:38 +00:00
Michal Nowak
0aeefb9741 Update code formatting
clang 19 was updated in the base image.

(cherry picked from commit ff69d07fed)
2024-09-11 09:33:13 +00:00
JINMEI Tatuya
33dd3fbca2 allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.

This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.

This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.

(cherry picked from commit 7289090683)
2024-09-10 12:39:36 +00:00
Aram Sargsyan
6706d2427e Fix RCU API usage in acl.c
The rcu_xchg_pointer() function can be used outside of a critical
section, and usually must be followed by a synchronize_rcu() or
call_rcu() call to detach from the resource, unless if there are
some guarantees in place because of our own reference counting.

(cherry picked from commit 0367c60759)
2024-09-10 10:34:32 +00:00
Matthijs Mekking
66f850f01c Nit logging change
Fix wrong function name (dns_dnssec_keymgr -> dns_keymgr_run).

Add error log if dns_keymgr_offline() fails.

(cherry picked from commit 911daeb306)
2024-09-09 19:27:28 +02:00
Matthijs Mekking
fa20a1df39 Fix bug in dns_keymgr_offline
If the ZSK has lifetime unlimited, the timing metadata "Inactive" and
"Delete" cannot be found and is treated as an error. Fix by allowing
these metadata to not exist.

(cherry picked from commit 5af53a329f)
2024-09-09 19:27:28 +02:00
Nicki Křížek
4d8491396d Double the number of threadpool threads
Introduce this temporary workaround to reduce the impact of long-running
tasks in offload threads which can block the resolution of queries.

(cherry picked from commit 6857df20a4)
2024-09-06 14:55:38 +02:00
Aram Sargsyan
bf549e32bb Process canceled/shut down results in validate_dnskey_dsset_done()
When a validator is already shut down, val->name becomes NULL. We
need to process and keep the ISC_R_CANCELED or ISC_R_SHUTTINGDOWN
result code before calling validate_async_done(), otherwise, when it
is called with the hardcoded DNS_R_NOVALIDSIG result code, it can
cause an assetion failure when val->name (being NULL) is used in
proveunsecure().

(cherry picked from commit d85918aebf)
2024-09-04 16:23:25 +02:00
Ondřej Surý
6db9f177b5 Destroy the dns_xfrin isc_timers on the correct loop
There are few places where we attach/detach from the dns_xfrin object
while running on a different thread than the zone's assigned thread -
xfrin_xmlrender() in the statschannel and dns_zone_stopxfr() to name the
two places where it happens now.  In the rare case, when the incoming
transfer completes (or shuts down) in the brief period between the other
thread attaches and detaches from the dns_xfrin, the isc_timer_destroy()
calls would be called by the last thread calling the xfrin_detach().
In the worst case, it would be this other thread causing assertion
failure.  Move the isc_timer_destroy() call to xfrin_end() function
which is always called on the right thread and to match this move
isc_timer_create() to xfrin_start() - although this other change makes
no difference.

(cherry picked from commit 3bca3cb5cf)
2024-09-03 15:51:35 +00:00
Ondřej Surý
5255843f9b Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
2024-09-03 13:52:10 +00:00
Mark Andrews
1be660a1a2 Use atomics to access find->status
(cherry picked from commit a45e39d114)
2024-09-02 03:25:35 +00:00