Commit Graph

13418 Commits

Author SHA1 Message Date
Mark Andrews
b49a3a56c9 Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.

(cherry picked from commit b41882cc75)
2023-02-21 16:58:42 +01:00
Mark Andrews
d0c92a31a9 In hmac_createctx free ctx on isc_hmac_init failure
(cherry picked from commit d22257a370)
2023-02-18 10:27:11 +11:00
Ondřej Surý
100c20b470 Don't check for maximal version on Windows
The Windows doesn't have support for recvmmsg(), so we don't need to
check for maximal version on Windows (only for a minimal version).

Remove the MAXIMAL_VERSION when compiling on Windows.
2023-02-15 11:02:57 +01:00
Mark Andrews
4df6019c16 Report the key name that failed in retry_keyfetch
When there are multiple managed trust anchors we need to know the
name of the trust anchor that is failing.  Extend the error message
to include the trust anchor name.

(cherry picked from commit fb7b7ac495)
2023-02-14 22:09:52 +00:00
Evan Hunt
aca10608b6 delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.

(cherry picked from commit bafbbd2465)
2023-02-14 10:23:28 -08:00
Ondřej Surý
b163ca9f97 Enforce version drift limits for libuv
libuv support for receiving multiple UDP messages in a single system
call (recvmmsg()) has been tweaked several times between libuv versions
1.35.0 and 1.40.0.  Mixing and matching libuv versions within that span
may lead to assertion failures and is therefore considered harmful, so
try to limit potential damage be preventing users from mixing libuv
versions with distinct sets of recvmmsg()-related flags.

(cherry picked from commit 735d09bffe)
2023-02-10 06:50:32 +01:00
Ondřej Surý
9309589ad0 Avoid libuv 1.35 and 1.36 that have broken recvmmsg implementation
The implementation of UDP recvmmsg in libuv 1.35 and 1.36 is
incomplete and could cause assertion failure under certain
circumstances.

Modify the configure and runtime checks to report a fatal error when
trying to compile or run with the affected versions.

(cherry picked from commit 251f411fc3)
2023-02-10 06:50:32 +01:00
Michał Kępień
f7dc0a4708 Handle iterator options in rpsdb_allrdatasets()
Commit 4f3327cd41 added a new parameter,
'options', to the prototype of the 'allrdatasets' function pointer in
struct dns_dbmethods.  Handle this new parameter accordingly in
rpsdb_allrdatasets().

(cherry picked from commit f3def4e4ed)
2023-02-01 12:07:11 +01:00
Matthijs Mekking
3ffb63e9bb Force set DS state after 'rndc dnssec -checkds'
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe)
2023-01-27 16:09:06 +01:00
Michał Kępień
7b0e57095a Merge tag 'v9_16_37' into v9_16
BIND 9.16.37
2023-01-25 21:34:55 +01:00
Mark Andrews
b548ee5815 Add missing node lock when setting node->wild in rbtdb.c
The write node lock needs to be held when setting node->wild in
add_wildcard_magic except when being called from loading_addrdataset
which is used to load the zone without locking during its initial
load.

(cherry picked from commit 81c24b8da2)
2023-01-20 00:38:43 +11:00
Mark Andrews
363b40b1da Unlink the timer event before trying to purge it
as far as I can determine the order of operations is not important.

    *** CID 351372:  Concurrent data access violations  (ATOMICITY)
    /lib/isc/timer.c: 227 in timer_purge()
    221     		LOCK(&timer->lock);
    222     		if (!purged) {
    223     			/*
    224     			 * The event has already been executed, but not
    225     			 * yet destroyed.
    226     			 */
    >>>     CID 351372:  Concurrent data access violations  (ATOMICITY)
    >>>     Using an unreliable value of "event" inside the second locked section. If the data that "event" depends on was changed by another thread, this use might be incorrect.
    227     			timerevent_unlink(timer, event);
    228     		}
    229     	}
    230     }
    231
    232     void

(cherry picked from commit 98718b3b4b)
2023-01-19 11:28:10 +01:00
Ondřej Surý
e241a3f4db Don't use reference counting in isc_timer unit
The reference counting and isc_timer_attach()/isc_timer_detach()
semantic are actually misleading because it cannot be used under normal
conditions.  The usual conditions under which is timer used uses the
object where timer is used as argument to the "timer" itself.  This
means that when the caller is using `isc_timer_detach()` it needs the
timer to stop and the isc_timer_detach() does that only if this would be
the last reference.  Unfortunately, this also means that if the timer is
attached elsewhere and the timer is fired it will most likely be
use-after-free, because the object used in the timer no longer exists.

Remove the reference counting from the isc_timer unit, remove
isc_timer_attach() function and rename isc_timer_detach() to
isc_timer_destroy() to better reflect how the API needs to be used.

The only caveat is that the already executed event must be destroyed
before the isc_timer_destroy() is called because the timer is no longet
attached to .ev_destroy_arg.

(cherry picked from commit ae01ec2823)
2023-01-19 11:28:10 +01:00
Ondřej Surý
3cf7055286 Set quantum to infinity for the zone loading task
When we are loading the zones, set the quantum to UINT_MAX, which makes
task_run process all tasks at once.  After the zone loading is finished
the quantum will be dropped to 1 to not block server when we are loading
new zones after reconfiguration.

(cherry picked from commit 87c4c24cde)
2023-01-19 11:28:10 +01:00
Ondřej Surý
7fef8e77d6 Add isc_task_setquantum() and use it for post-init zone loading
Add isc_task_setquantum() function that modifies quantum for the future
isc_task_run() invocations.

NOTE: The current isc_task_run() caches the task->quantum into a local
variable and therefore the current event loop is not affected by any
quantum change.

(cherry picked from commit 15ea6f002f)
2023-01-19 11:28:10 +01:00
Ondřej Surý
617186d514 Keep the list of scheduled events on the timer
Instead of searching for the events to purge, keep the list of scheduled
events on the timer list and purge the events that we have scheduled.

(cherry picked from commit 3f8024b4a2f12fcd28a9dd813b6f1f3f11d506f2)
2023-01-19 11:28:10 +01:00
Ondřej Surý
76859344fe Repair isc_task_purgeevent()
The isc_task_purgerange() was walking through all events on the task to
find a matching task.  Instead use the ISC_LINK_LINKED to find whether
the event is active.

(cherry picked from commit 17aed2f895)
2023-01-19 11:28:10 +01:00
Ondřej Surý
4b222f154b Detach the zone views outside of the zone lock
Detaching the views in the zone_shutdown() could lead to
lock-order-inversion between adb->namelocks[bucket], adb->lock,
view->lock and zone->lock.  Detach the views outside of the section that
zone-locked.

(cherry picked from commit 978a0ef84c)
2023-01-19 10:21:27 +01:00
Ondřej Surý
49af3a23b9 Use OpenSSL 1.x SHA_CTX API in isc_iterated_hash()
Instead of going through another layer, use OpenSSL SHA1 API directly
in the isc_iterated_hash() implementation.

(cherry picked from commit 25db8d0103)
2023-01-18 23:26:40 +01:00
Ondřej Surý
cb083876c1 Detach the views in zone_shutdown(), not in zone_free()
The .view (and possibly .prev_view) would be kept attached to the
removed zone until the zone is fully removed from the memory in
zone_free().  If this process is delayed because server is busy
something else like doing constant `rndc reconfig`, it could take
seconds to detach the view, possibly keeping multiple dead views in the
memory.  This could quickly lead to a massive memory bloat.

Release the views early in the zone_shutdown() call, and don't wait
until the zone is freed.

(cherry picked from commit 13bb821280)
2023-01-17 22:48:37 +01:00
Ondřej Surý
606fc6d4aa Merge branch 'feature/main/zt-rwlock.h' into 'main'
Include isc_rwlocktype_t type definition in zt.h

See merge request isc-projects/bind9!7376

(cherry picked from commit d7bcdf8bd6)

395d6fca Include isc_rwlocktype_t type definition in zt.h
2023-01-16 11:08:43 +00:00
Aram Sargsyan
6bebcedb80 Cancel all fetch events in dns_resolver_cancelfetch()
Although 'dns_fetch_t' fetch can have two associated events, one for
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
dns_resolver_cancelfetch() function is designed in a way that it
expects only one existing event, which it must cancel, and when it
happens so that 'stale-answer-client-timeout' is enabled and there
are two events, only one of them is canceled, and it results in an
assertion in dns_resolver_destroyfetch(), when it finds a dangling
event.

Change the logic of dns_resolver_cancelfetch() function so that it
cancels both the events (if they exist), and in the right order.

(cherry picked from commit ec2098ca35)
2023-01-12 13:00:03 +01:00
Mark Andrews
3cd0c32b0a Move the mapping of SIG and RRSIG to ANY
dns_db_findext() asserts if RRSIG is passed to it and
query_lookup_stale() failed to map RRSIG to ANY to prevent this.  To
avoid cases like this in the future, move the mapping of SIG and RRSIG
to ANY for qctx->type to qctx_init().

(cherry picked from commit 56eae06418)
2023-01-12 12:33:28 +01:00
Evan Hunt
eb98d96481 move update ACL and update-policy checks before quota
check allow-update, update-policy, and allow-update-forwarding before
consuming quota slots, so that unauthorized clients can't fill the
quota.

(this moves the access check before the prerequisite check, which
violates the precise wording of RFC 2136. however, RFC co-author Paul
Vixie has stated that the RFC is mistaken on this point; it should have
said that access checking must happen *no later than* the completion of
prerequisite checks, not that it must happen exactly then.)

(cherry picked from commit 964f559edb)
2023-01-12 12:21:36 +01:00
Evan Hunt
7fe2204a2e add a configuration option for the update quota
add an "update-quota" option to configure the update quota.

(cherry picked from commit f57758a730)
2023-01-12 12:21:36 +01:00
Evan Hunt
35711a29e5 add an update quota
limit the number of simultaneous DNS UPDATE events that can be
processed by adding a quota for update and update forwarding.
this quota currently, arbitrarily, defaults to 100.

also add a statistics counter to record when the update quota
has been exceeded.

(cherry picked from commit 7c47254a14)
2023-01-12 12:21:36 +01:00
Aram Sargsyan
60dece8277 Increase catalog zone entries hash table's bits size
The hash table implementation in the current branch does not
support automatic resize operation, so the initial value of
the table should be chosen carefully.

Catalog zones entries hash table's size is currently only 4 bits,
which is very low for a catalog zone with thousands of entries,
and causes CPU consumption spikes when working with the hash
table to add/delete/search entries.

Use 16 bits instead, which should make working with big catalog
zones much faster at the expense of slightly higher memory usage,
i.e. 512 KiB for a 64-bit system for each catalog zone.
2023-01-11 17:26:26 +00:00
Aram Sargsyan
144135415b Use sizeof(*ptr) for allocating/freeing memory in forward.c
As shown in the previous commit, using sizeof(type_t) is a little
bit more error-prone when copy-pasting code, so extracting the
size information from the pointer which is being dealt with seems
like a better alternative.

(cherry picked from commit cf4003fa58)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
1950629ffa Fix dns_fwdtable_addfwd() error path cleanup bug
Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
to a 'dns_forwarder_t' type structure.

(cherry picked from commit 0cc1b06d98)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
272afcd999 Fix a use-after-free bug in dns_zonemgr_releasezone()
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.

This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.

Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.

(cherry picked from commit c1fc212253)
2023-01-11 12:17:27 +00:00
Evan Hunt
0b40df8f8a deprecate dscp configuration
This commit deprecates the "dscp" configuration option and "dscp"
parameters to source-address configuration options (query-source,
transfer-source, etc.

(Note that the DSCP feature has not been fully operational since
the network manager was introduced in 9.16.0; outgoing DSCP values
can be configured, but incoming DSCP values are not detected.)
2023-01-10 11:16:18 -08:00
Mark Andrews
f1c08fe93b Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
Arthimetic on NULL pointers is undefined.  Avoid arithmetic operations
when 'in' is NULL and require 'in' to be non-NULL if 'inlen' is not zero.

(cherry picked from commit 349c23dbb7)
2023-01-10 18:36:27 +11:00
Mark Andrews
2a9300a3bc Don't perform arithmetic on NULL pointers
When node is NULL when calling getparent() et al. they return NULL
but performing arithmetic on the NULL pointer is undefined.  Check
if 'node' or 'header' is NULL and skip the adjustment.
2023-01-10 17:45:51 +11:00
Michał Kępień
ba1306bfb4 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
(cherry picked from commit a4547a1093)
2023-01-09 13:57:44 +01:00
Matthijs Mekking
2696267b1f Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 91a1a8efc5)
2023-01-09 13:57:43 +01:00
Aram Sargsyan
a634488a24 Fix logging a uint32_t SOA serial value in dns_catz_update_from_db()
The dns_catz_update_from_db() function prints serial number as a signed
number (with "%d" in the format string), but the `vers` variable's type
is 'uint32_t'. This breaks serials bigger than 2^31.

Use PRIu32 instead of "d" in the format string.

(cherry picked from commit 72b1760ea6)
2022-12-15 13:49:58 +00:00
Tony Finch
f3d96ab1f1 Fix a typo RSASHA236 -> RSASHA256
Use dns_secalg_format() to avoid error-prone repetition.

(cherry picked from commit c18a9a208d)
2022-12-14 12:46:56 +00:00
Ondřej Surý
075c7f7562 Implement proper reference counting for dns_keyfileio_t
Instead of relying on hash table search when using the keys, implement a
proper reference counting in dns_keyfileio_t objects, and attach/detach
the objects to the zone.

(cherry picked from commit 79115a0c3b)
2022-12-09 15:20:11 +01:00
Ondřej Surý
98fca774b6 Release unused key file IO lock objects
Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
lock objects were never freed and they were kept until the server
shutdown.  Adjust the returned value by -1 to accomodate the fact that
the atomic_fetch_*() functions return the value before the operation and
not current value after the operation.

(cherry picked from commit fb1acd6736)
2022-12-08 10:32:59 +01:00
Tom Krizek
da42fa7622 Revert "Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'"
This reverts commit b2a4447af8, reversing
changes made to 8924f92956.

It also removes release note 6038, since the fix is reverted.
2022-12-08 10:23:40 +01:00
Mark Andrews
ea03c3d25c Remove different zero TTL handling for rdataset iterator
Zero TTL handling does not need to be different for 'rdatasetiter_first'
and 'rdatasetiter_next' and it interacts badly with 'bind_rdatadataset'
which makes different determinations.

(cherry picked from commit 1a39328feb)
2022-12-08 11:20:35 +11:00
Mark Andrews
a3bc62e4cd Add dns_db_allrdatasets options
'DNS_DB_STALEOK' returns stale rdatasets as well as current rdatasets.

'DNS_DB_EXPIREDOK' returns expired rdatasets as well as current
rdatasets. This option is currently only set when DNS_DB_STALEOK is
also set.

(cherry picked from commit 85048ddeee)
2022-12-08 11:20:35 +11:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
8b6a30f59d Properly select active rdatasets when iterating across node
Active rdatasets where not being properly selected in rdatasetiter_first
and rdatasetiter_next.

(cherry picked from commit 3bdab2d111)
2022-12-08 10:47:23 +11:00
Mark Andrews
a85260fc19 Revert "Fix rndc dumpdb -expired for stuck cache contents"
This reverts commit f8d866c6ef.

(cherry picked from commit 90249e4aa5)
2022-12-08 10:46:18 +11:00
Ondřej Surý
72724b258c Propagate the shutdown event to the recursing ns_client(s)
Send the ns_query_cancel() on the recursing clients when we initiate the
named shutdown for faster shutdown.

When we are shutting down the resolver, we cancel all the outstanding
fetches, and the ISC_R_CANCEL events doesn't propagate to the ns_client
callback.

In the future, the better solution how to fix this would be to look at
the shutdown paths and let them all propagate from bottom (loopmgr) to
top (f.e. ns_client).

(cherry picked from commit d861d403bb9a7912e29a06aba6caf6d502839f1b)
2022-12-07 18:09:40 +01:00
Mark Andrews
f9845df6d6 Add missing DbC magic checks
Checking for value != NULL is not sufficient to detect use after
free errors.

(cherry picked from commit b1086a5561)
2022-12-07 09:47:39 +11:00
Mark Andrews
dd73306509 Call dns_db_updatenotify_unregister earlier
dns_db_updatenotify_unregister needed to be called earlier to ensure
that listener->onupdate_arg always points to a valid object.  The
existing lazy cleanup in rbtdb_free did not ensure that.

(cherry picked from commit 35839e91d8)
2022-12-07 09:47:37 +11:00
Mark Andrews
ffeda92cd8 Suppress duplicate dns_db_updatenotify_register registrations
Duplicate dns_db_updatenotify_register registrations need to be
suppressed to ensure that dns_db_updatenotify_unregister is successful.

(cherry picked from commit f13e71e551)
2022-12-07 09:46:50 +11:00
Michał Kępień
148608c7b2 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
2022-12-06 13:51:30 +00:00