Commit Graph

8832 Commits

Author SHA1 Message Date
Matthijs Mekking
b2516e1e0c Use query counters in validator code
Commit af7db89513 as part of #4141 was
supposed to apply the 'max-recursion-queries' quota to validator
queries, but the counter was never actually passed on to
dns_resolver_createfetch(). This has been fixed, and the global query
counter ('max-query-count', per client request) is now also added.

(cherry picked from commit 5b1ae4a948)
2024-12-09 11:44:24 +01:00
Matthijs Mekking
413ba531f5 Remove unused maxquerycount
While implementing the global limit 'max-query-count', initially I
thought adding the variable to the resolver structure. But the limit
is per client request so it was moved to the view structure (and
counter in ns_query structure). However, I forgot to remove the
variable from the resolver structure again. This commit fixes that.

(cherry picked from commit 397ca34e34)
2024-12-06 15:19:01 +00:00
Matthijs Mekking
a0ce89bc15 Implement global limit for outgoing queries
This global limit is not reset on query restarts and is a hard limit
for any client request.

Note: This commit has been significantly modified because of many
merge conflicts due to the dns_resolver_createfetch api changes.

(cherry picked from commit 16b3bd1cc7)
2024-12-06 15:17:53 +00:00
Matthijs Mekking
5a806910a8 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.

(cherry picked from commit bbc16cc8e6)
2024-12-06 15:17:53 +00:00
Ondřej Surý
a4e3d25652 Use attach()/detach() functions instead of touching .references
In rbtdb.c, there were two places where the code touched .references
directly instead of using the helper functions.  Use the helper
functions instead.
2024-11-27 21:17:22 +01:00
JINMEI Tatuya
7d1de99656 use more generic log module name for 'logtoomanyrecords'
DNS_LOGMODULE_RBTDB was simply inappropriate, and this
log message is actually dependent on db implementation
details, so DNS_LOGMODULE_DB would be the best choice.

(cherry picked from commit b0309ee631)
2024-11-27 12:34:11 +11:00
JINMEI Tatuya
a129206f37 emit more helpful log for exceeding max-records-per-type
The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log includes
the owner name and type, corresponding zone name, and the limit value.
It will be emitted on loading a zone file, inbound zone transfer
(both AXFR and IXFR), handling a DDNS update, or updating a cache DB.
It's especially helpful in the case of zone transfer, since the
secondary side doesn't have direct access to the offending zone data.

It could also be used for max-types-per-name, but this change
doesn't implement it yet as it's much less likely to happen
in practice.

(cherry picked from commit 4156995431)
2024-11-27 12:34:11 +11:00
Ondřej Surý
4fbdad515c Move contributed DLZ modules into a separate repository
The DLZ modules are poorly maintained as we only ensure they can still
be compiled, the DLZ interface is blocking, so anything that blocks the
query to the database blocks the whole server and they should not be
used except in testing.  The DLZ interface itself should be scheduled
for removal.

(cherry picked from commit a6cce753e2)
2024-11-26 16:24:35 +01:00
Mark Andrews
2d55935c6e Parse the URI template and check for a dns variable
The 'dns' variable in dohpath can be in various forms ({?dns},
{dns}, {&dns} etc.).  To check for a valid dohpath it ends up
being simpler to just parse the URI template rather than looking
for all the various forms if substring.

(cherry picked from commit af54ef9f5d)
2024-11-26 03:41:51 +00:00
Remi Gacogne
e12e91b90d '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath
See for example section 1.2. "Levels and Expression Types" of rfc6570.

(cherry picked from commit e74052ea71)
2024-11-26 03:41:51 +00:00
Ondřej Surý
c5bac96fd0 Remove redundant parentheses from the return statement
(cherry picked from commit 0258850f20)
2024-11-19 16:06:16 +01:00
Matthijs Mekking
fdeb456341 Small keymgr improvement
When a key is to be purged, don't run the key state machinery for it.

(cherry picked from commit af54e3dadc)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
4091177181 Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
60bd3bc051 Revert "fix: chg: Improve performance when looking for the closest encloser"
The 9.18 code does not have the rbtdb refactoring. Rather than
backporting from MR !9611, this reverts directly from commit
5d81a258e3.
2024-10-10 14:26:13 +02:00
Mark Andrews
b1cf7997a7 Store static-stub addresses seperately in the adb
Static-stub address and addresses from other sources where being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.

(cherry picked from commit b3a2c790f3)
2024-10-01 15:30:17 +10:00
Mark Andrews
314ff56081 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:57 +00:00
Nicki Křížek
50221d6ff1 Update code formatting
clang 19 was updated in the base image.

(cherry picked from commit ebb5bd9c0f)
2024-09-21 07:20:11 +00:00
Aram Sargsyan
ef344cbd5e Fix a 'serverquota' counter calculation bug
The 'all_spilled' local variable in resolver.c:fctx_getaddresses()
is 'true' by default, and only becomes false when there is at least
one successfully found NS address. However, when a 'forward only;'
configuration is used, the code jumps over the part where it looks
for NS addresses and doesn't reset the 'all_spilled' to false, which
results in incorretly increased 'serverquota' statistics variable,
and also in invalid return error code from the function. The result
code error didn't make any differences, because all codes other than
'ISC_R_SUCCESS' or 'DNS_R_WAIT' were treated in the same way, and
the result code was never logged anywhere.

Set the default value of 'all_spilled' to 'false', and only make it
'true' before actually starting to look up NS addresses.

(cherry picked from commit e430ce7039)
2024-09-18 01:25:01 +00:00
Michal Nowak
fe8d6023e0 Update code formatting
clang 19 was updated in the base image.

(cherry picked from commit ff69d07f)
2024-09-11 11:47:10 +02:00
JINMEI Tatuya
a93b6f2040 allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.

This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.

This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.

(cherry picked from commit 7289090683)
2024-09-10 14:54:57 +02:00
Mark Andrews
5d81a258e3 Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.

(cherry picked from commit d42ea08f16)
2024-08-29 21:05:54 +00:00
Matthijs Mekking
bb3bf56157 Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.

(cherry picked from commit f37eb33f29)
2024-08-22 10:15:02 +00:00
Michal Nowak
b5caae0633 Use clang-format-19 to update formatting 2024-08-22 10:25:22 +02:00
Nicki Křížek
9a63dd7cb6 Merge tag 'v9.18.29' into bind-9.18 2024-08-21 16:36:08 +02:00
Mark Andrews
defd84da6d Fix openssleddsa_isprivate
openssleddsa_isprivate failed to properly determine if a buffer was
private or not. Pass in a buffer so that EVP_PKEY_get_raw_private_key
fails when there is not a private key.
2024-08-19 23:38:18 +00:00
Aram Sargsyan
4379141fe4 Reconfigure catz member zones during named reconfiguration
During a reconfiguration named doesn't reconfigure catalog zones
member zones. Implement the necessary code to reconfigure catz
member zones.

(cherry picked from commit fd71ed5d73ae2dc968e8782ce652fb8ef257c25e)
2024-08-09 08:52:25 +02:00
Evan Hunt
a11367ade3 reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.

(cherry picked from commit 7e3b425dc2)
2024-08-07 15:36:15 -07:00
Evan Hunt
bfbc6a6c84 make "max_restarts" a configurable value
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.

(cherry picked from commit c5588babaf)
2024-08-07 15:36:15 -07:00
Evan Hunt
dd88a4cdfc reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)

(cherry picked from commit 05d78671bb)
2024-08-07 15:36:14 -07:00
Evan Hunt
14bce7e275 add debug logging when creating or attaching to a query counter
fctx_create() now logs at debug level 9 when the fctx attaches
to an existing counter or creates a new one.

(cherry picked from commit 825f3d68c5)
2024-08-07 15:36:14 -07:00
Evan Hunt
18e39d989f apply max-recursion-queries quota to validator queries
previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.

(cherry picked from commit af7db89513)
2024-08-07 15:36:09 -07:00
Evan Hunt
5ab4cae4ed attach query counter to NS fetches
there were cases in resolver.c when queries for NS records were
started without passing a pointer to the parent fetch's query counter;
as a result, the max-recursion-queries quota for those queries started
counting from zero, instead of sharing the limit for the parent fetch,
making the quota ineffective in some cases.

(cherry picked from commit d3b7e92783)
2024-08-07 14:51:44 -07:00
Ondřej Surý
236de53c52 Use EXIT_SUCCESS and EXIT_FAILURE
Instead of randomly using -1 or 1 as a failure status, properly utilize
the EXIT_FAILURE define that's platform specific (as it should be).

(cherry picked from commit76997983fde02d9c32aa23bda30b65f1ebd4178c)
2024-08-06 15:19:06 +02:00
Evan Hunt
18d7be118f raise the log level of priming failures
when a priming query is complete, it's currently logged at
level ISC_LOG_INFO, regardless of success or failure. we
are now changing it to ISC_LOG_NOTICE in the case of failure
and ISC_LOG_DEBUG(1) in case of success.

(cherry picked from commit a84d54c6ff)
2024-08-05 15:31:38 +02:00
Mark Andrews
b0d32302b2 Remove unnecessary operations
Decrementing optlen immediately before calling continue is unneccesary
and inconsistent with the rest of dns_message_pseudosectiontoyaml
and dns_message_pseudosectiontotext.  Coverity was also reporting
an impossible false positive overflow of optlen (CID 499061).

    4176                        } else if (optcode == DNS_OPT_CLIENT_TAG) {
    4177                                uint16_t id;
    4178                                ADD_STRING(target, "; CLIENT-TAG:");
    4179                                if (optlen == 2U) {
    4180                                        id = isc_buffer_getuint16(&optbuf);
    4181                                        snprintf(buf, sizeof(buf), " %u\n", id);
    4182                                        ADD_STRING(target, buf);

    CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
    overflow_const: Expression optlen, which is equal to 65534, underflows
    the type that receives it, an unsigned integer 16 bits wide.
    4183                                        optlen -= 2;
    4184                                        POST(optlen);
    4185                                        continue;
    4186                                }
    4187                        } else if (optcode == DNS_OPT_SERVER_TAG) {

(cherry picked from commit 47338c2c87)
2024-08-02 06:43:03 +00:00
Mark Andrews
b8363ffff9 Add missing period to generated IPv4 6to4 name
The period between the most significant nibble of the IPv4 address
and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the wrong
name being checked.

(cherry picked from commit bca63437a1)
2024-08-02 00:09:17 +00:00
Mark Andrews
4704c28cab Cleanup old clang-format string splitting
(cherry picked from commit 6d1c7beb15)
2024-08-01 15:58:16 +10:00
Mark Andrews
7643a0322f Remove false positive qname minimisation error
Don't report qname minimisation NXDOMAIN errors when the result is
NXDOMAIN.

(cherry picked from commit f78beca942)
2024-08-01 15:58:16 +10:00
Mark Andrews
8fefb27f76 Fix yaml output
In yaml mode we emit a string for each question and record.  Certain
names and data could result in invalid yaml being produced.  Use single
quote string for all questions and records.  This requires that single
quotes get converted to two quotes within the string.

(cherry picked from commit 393d7fa78e)
2024-08-01 03:48:12 +00:00
Mark Andrews
ce8356905c Properly reject zero length ALPN in commatxt_fromtext
ALPN are defined as 1*255OCTET in RFC 9460.  commatxt_fromtext was not
rejecting invalid inputs produces by missing a level of escaping
which where later caught be dns_rdata_fromwire on reception.

These inputs should have been rejected

	svcb in svcb 1 1.svcb alpn=\,abc
	svcb1 in svcb 1 1.svcb alpn=a\,\,abc

and generated 00 03 61 62 63 and 01 61 00 02 61 62 63 respectively.

The correct inputs to include commas in the alpn requires double
escaping.

	svcb in svcb 1 1.svcb alpn=\\,abc
	svcb1 in svcb 1 1.svcb alpn=a\\,\\,abc

and generate 04 2C 61 62 63 and 06 61 2C 2C 61 62 63 respectively.

(cherry picked from commit b51c9eb797)
2024-08-01 01:10:53 +00:00
Mark Andrews
c399388a66 Do not update find.result_v4 and find.result_v6
These values are supposed to be static for the life of the find and
clean_finds_at_name was updating them resulting in TSAN error
reports.

    WARNING: ThreadSanitizer: data race
    Write of size 4 at 0x000000000001 by thread T1 (mutexes: write M1, write M2):
      #0 clean_finds_at_name lib/dns/adb.c:1537
      #1 fetch_callback lib/dns/adb.c:4009
      #2 task_run lib/isc/task.c:815
      #3 isc_task_run lib/isc/task.c:896
      #4 isc__nm_async_task netmgr/netmgr.c:848
      #5 process_netievent netmgr/netmgr.c:920
      #6 process_queue netmgr/netmgr.c:1013
      #7 process_all_queues netmgr/netmgr.c:767
      #8 async_cb netmgr/netmgr.c:796
      #9 uv__async_io /usr/src/libuv-v1.44.1/src/unix/async.c:163
      #10 isc__trampoline_run lib/isc/trampoline.c:189

    Previous read of size 4 at 0x000000000001 by thread T2:
      #0 findname lib/dns/resolver.c:3749
      #1 fctx_getaddresses lib/dns/resolver.c:3993
      #2 fctx_try lib/dns/resolver.c:4390
      #3 rctx_nextserver lib/dns/resolver.c:10356
      #4 rctx_done lib/dns/resolver.c:10503
      #5 resquery_response lib/dns/resolver.c:8511
      #6 udp_recv lib/dns/dispatch.c:638
      #7 isc__nm_async_readcb netmgr/netmgr.c:2885
      #8 isc__nm_readcb netmgr/netmgr.c:2858
      #9 udp_recv_cb netmgr/udp.c:650
      #10 isc__nm_udp_read_cb netmgr/udp.c:1057
      #11 uv__udp_recvmsg /usr/src/libuv-v1.44.1/src/unix/udp.c:303
      #12 isc__trampoline_run lib/isc/trampoline.c:189

(cherry picked from commit 53a5f50e9d)
2024-07-31 05:52:18 +00:00
Matthijs Mekking
8ec554e3de No longer update key lifetime if key is retired
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.

(cherry picked from commit 129973ebb0)
2024-07-30 13:38:04 +02:00
Matthijs Mekking
7ab4a35820 Update key lifetime and metadata after reconfig
If dnssec-policy is reconfigured and the key lifetime has changed,
update existing keys with the new lifetime and adjust the retire
and removed timing metadata accordingly.

If the key has no lifetime yet, just initialize the lifetime. It
may be that the retire/removed timing metadata has already been set.

Skip keys which goal is not set to omnipresent. These keys are already
in the progress of retiring, or still unused.

(cherry picked from commit 1cec0b0448)
2024-07-30 13:37:50 +02:00
Ondřej Surý
7f99d7e565 Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:

1. If the new header type is in our priority list, we always add either
   positive or negative entry at the beginning of the list.

2. If the new header type is negative entry, and we are over the limit,
   we mark it as ancient immediately, so it gets evicted from the cache
   as soon as possible.

3. Otherwise add the new header after the priority headers (or at the
   head of the list).

4. If we are over the limit, evict the last entry on the normal header
   list.

(cherry picked from commit 57cd34441a)
2024-07-01 15:04:43 +02:00
Ondřej Surý
c2650f5331 Expand the list of the priority types
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.

(cherry picked from commit b27c6bcce8)
2024-07-01 13:14:57 +02:00
Petr Špaček
bef3d2cca3 Remove support for SIG(0) message verification 2024-06-10 19:02:49 +02:00
Matthijs Mekking
a97f52263b Log rekey failure as error if too many records
By default we log a rekey failure on debug level. We should probably
change the log level to error. We make an exception for when the zone
is not loaded yet, it often happens at startup that a rekey is
run before the zone is fully loaded.

(cherry picked from commit 68b840c731527e01699afaf084559152124b717a)
2024-06-10 18:51:28 +02:00
Evan Hunt
b89e516420 fix a memory leak that could occur when signing
when signatures were not added because of too many types already
existing at a node, the diff was not being cleaned up; this led to
a memory leak being reported at shutdown.

(cherry picked from commit 2825bdb1ae5be801e7ed603ba2455ed9a308f1f7)
2024-06-10 18:51:27 +02:00
Ondřej Surý
39d3e2a8ec Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k).  As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).

Add a configurable limit to cap the number of the RR types for a single
owner.  This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.

(cherry picked from commit 00d16211d6368b99f070c1182d8c76b3798ca1db)
2024-06-10 18:50:06 +02:00
Ondřej Surý
e699ef939e Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.

Add a configurable limit to cap the number of the RRs in a single RRSet.
This is enforced at the database (rbtdb, qpzone, qpcache) level and
configured with new max-records-per-type configuration option that can
be configured globally, per-view and per-zone.

(cherry picked from commit 3fbd21f69a1bcbd26c4c00920e7b0a419e8762fc)
2024-06-10 18:50:03 +02:00