Commit Graph

34604 Commits

Author SHA1 Message Date
Mark Andrews
ff883fd75f Suppress manykeys test on duplicate key ids
If there are duplicate key ids across multiple algorithms expected
output is no met.  We have fixed this in on main but decided to not
back port the fix as it will change the statistics channel output.

This change detects when there are duplicate key id across algorithms
as skips the sub test.

(cherry picked from commit ea1d3476a8)
2022-09-16 09:49:41 +10:00
Evan Hunt
d244ff84ac Merge branch '3522-update-detach-v9_16' into 'v9_16'
fix an incorrect detach in update processing

See merge request isc-projects/bind9!6783
2022-09-15 20:14:30 +00:00
Evan Hunt
338663b1cd CHANGES for [GL #3522] 2022-09-15 11:36:37 -07:00
Evan Hunt
17924f4bdf fix an incorrect detach in update processing
when processing UDPATE requests, hold the request handle until
we either drop the request or respond to it.

(cherry picked from commit 00e0758e12)
2022-09-15 11:35:42 -07:00
Michal Nowak
97ea818086 Merge branch '3427-tcp-system-test-bump-socket.create_connection-timeout-v9_16' into 'v9_16'
[v9_16] Bump socket.create_connection() timeout to 10 seconds

See merge request isc-projects/bind9!6781
2022-09-15 12:41:03 +00:00
Michal Nowak
9b41b63607 Bump socket.create_connection() timeout to 10 seconds
The tcp Pytest on OpenBSD fairly reliably fails when receive_tcp()
on a socket is attempted:

    >           (response, rtime) = dns.query.receive_tcp(sock, timeout())

    tests-tcp.py:50:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/local/lib/python3.9/site-packages/dns/query.py:659: in receive_tcp
        ldata = _net_read(sock, 2, expiration)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    sock = <socket.socket [closed] fd=-1, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6>
    count = 2, expiration = 1662719959.8106785

        def _net_read(sock, count, expiration):
            """Read the specified number of bytes from sock.  Keep trying until we
            either get the desired amount, or we hit EOF.
            A Timeout exception will be raised if the operation is not completed
            by the expiration time.
            """
            s = b''
            while count > 0:
                try:
    >               n = sock.recv(count)
    E               socket.timeout: timed out

This is because the socket is already closed.

Bump the socket connection timeout to 10 seconds.

(cherry picked from commit 658cae9fad)
2022-09-15 12:36:14 +02:00
Tony Finch
f3766061e7 Merge branch '3531-initialize-struct-server-v9_16' into 'v9_16'
Ensure that named_server_t is properly initialized

See merge request isc-projects/bind9!6761
2022-09-12 10:40:40 +00:00
Tony Finch
dff843199f Ensure that named_server_t is properly initialized
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
2022-09-12 11:21:37 +01:00
Michał Kępień
208fc897b1 Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.34' into 'v9_16'
Set up version and release notes for BIND 9.16.34

See merge request isc-projects/bind9!6760
2022-09-09 18:23:14 +00:00
Michał Kępień
666d315087 Set up release notes for BIND 9.16.34 2022-09-09 20:00:15 +02:00
Michał Kępień
990bd74104 Update BIND version to 9.16.34-dev 2022-09-09 20:00:15 +02:00
Michał Kępień
65245d8b3d Merge branch '3459-rrl-wildcard-handling-v9_16' into 'v9_16'
[v9_16] Make RRL code treat all QNAMEs subject to wildcard processing within a given zone as the same name

See merge request isc-projects/bind9!6749
2022-09-08 08:23:57 +00:00
Aram Sargsyan
5b6e4465be Add CHANGES and release notes for [GL #3459]
(cherry picked from commit 0b0cf12741)
2022-09-08 09:41:15 +02:00
Aram Sargsyan
6f46bfe705 Document RRL processing for wildcard names
All valid wildcard domain names are interpreted as the zone's origin
name concatenated to the "*" name.

(cherry picked from commit 89c2032421)
2022-09-08 09:41:15 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
f917f9480e Merge branch 'matthijs-fix-intermittent-inline-system-test-failure-v9_16' into 'v9_16'
[v9_16] Fix intermittent inline system test failure

See merge request isc-projects/bind9!6740
2022-09-07 15:34:24 +00:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Evan Hunt
559c9c2e33 Merge branch '3521-interface-cleanup' into 'v9_16'
clean up properly when interface creation fails

See merge request isc-projects/bind9!6723
2022-09-07 00:10:10 +00:00
Evan Hunt
80a8322d65 clean up properly when interface creation fails
previously, if ns_clientmgr_create() failed, the interface was not
cleaned up correctly and an assertion or segmentation fault could
follow. this has been fixed.
2022-09-06 13:53:44 -07:00
Arаm Sаrgsyаn
f3e0915261 Merge branch '3518-libxml2-deprecated-functions-v9_16' into 'v9_16'
[v9_16] Do not use libxml2 deprecated functions

See merge request isc-projects/bind9!6732
2022-09-06 10:31:48 +00:00
Aram Sargsyan
c1be3bda3a Add CHANGES note for [GL #3518]
(cherry picked from commit 87920661b1)
2022-09-06 09:22:42 +00:00
Aram Sargsyan
8b328f0049 Do not use libxml2 deprecated functions
The usage of xmlInitThreads() and xmlCleanupThreads() functions in
libxml2 is now marked as deprecated, and these functions will be made
private in the future.

Use xmlInitParser() and xmlCleanupParser() instead of them.

(cherry picked from commit a5d412d924)
2022-09-06 09:22:35 +00:00
Matthijs Mekking
3e041d15a1 Merge branch '3381-dnssec-policy-explicit-inline-signing-v9_16' into 'v9_16'
[v9_16] dnssec-policy now requires inline-signing

See merge request isc-projects/bind9!6730
2022-09-06 08:48:36 +00:00
Matthijs Mekking
77105a2f60 Add change and release note for #3381
Because folks want to know.

(cherry picked from commit 2b95c11905a1a5faff9efa97a4f2498aadfa467b)
2022-09-06 10:27:34 +02:00
Matthijs Mekking
bc9c65f465 Remove implicit inline-signing code
Remove the code that sets implicit inline-signing on zones using
dnssec-policy.

(cherry picked from commit a6b09c9c69186e81a9be54e8b7bb413b1ac4d650)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
30fceec069 dnssec-policy now requires inline-signing
Having implicit inline-signing set for dnssec-policy when there is no
update policy is confusing, so lets make this explicit.

(cherry picked from commit 5ca02fe6e7e591d1fb85936ea4dda720c3d741ef)
2022-09-06 09:06:17 +02:00
Ondřej Surý
bc0c7243b1 Merge branch '3485-dig-fallback-to-idna2003-v9_16' into 'v9_16'
Allow fallback to IDNA2003 processing

See merge request isc-projects/bind9!6726
2022-09-05 09:29:59 +00:00
Ondřej Surý
561ef63e14 Add CHANGES and release note for [GL #3485]
(cherry picked from commit 0fe7acb4e6)
2022-09-05 10:22:25 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Ondřej Surý
efbdf81931 Allow fallback to IDNA2003 processing
In several cases where IDNA2008 mappings do not exist whereas IDNA2003
mappings do, dig was failing to process the suplied domain name.  Take a
backwards compatible approach, and convert the domain to IDNA2008 form,
and if that fails try the IDNA2003 conversion.

(cherry picked from commit 10923f9d87)
2022-09-05 10:21:36 +02:00
Arаm Sаrgsyаn
dca244b1c1 Merge branch '3515-mctx-attach-detach-for-isc_mempool_t-v9_16' into 'v9_16'
[v9_16] Add mctx attach/detach when creating/destroying a memory pool

See merge request isc-projects/bind9!6721
2022-09-02 11:34:45 +00:00
Aram Sargsyan
5440f79cc4 Add CHANGES note for [GL #3515]
(cherry picked from commit 362ead8d85)
2022-09-02 09:05:03 +00:00
Aram Sargsyan
32779aba8a Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.

(cherry picked from commit e97c3eea95)
2022-09-02 09:05:03 +00:00
Evan Hunt
53fa68b39c Merge branch '3511-quote-yaml-addresses-v9_16' into 'v9_16'
quote addresses in YAML output

See merge request isc-projects/bind9!6718
2022-08-31 23:48:10 +00:00
Evan Hunt
91c61b8d2f CHANGES for [GL #3511] 2022-08-31 16:19:39 -07:00
Evan Hunt
28640e37d8 quote addresses in YAML output
YAML strings should be quoted if they contain colon characters.
Since IPv6 addresses do, we now quote the query_address and
response_address strings in all YAML output.

(cherry picked from commit 66eaf6bb73)
2022-08-31 16:18:57 -07:00
Evan Hunt
b6d12e3181 Merge branch '3501-dnstap-response-v9_16' into 'v9_16'
dnstap query_message field was erroneously set with responses

See merge request isc-projects/bind9!6716
2022-08-31 23:15:57 +00:00
Evan Hunt
5efac2b4d2 CHANGES for [GL #3501] 2022-08-31 15:50:30 -07:00
Evan Hunt
e1fa6cbab8 dnstap query_message field was erroneously set with responses
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
2022-08-31 15:49:25 -07:00
Mark Andrews
af8e0a2ec9 Merge branch '3505-missing-isc_mutex_destroy-v9_16' into 'v9_16'
Call isc_mutex_destroy(&lasttime_mx); [v9_16]

See merge request isc-projects/bind9!6698
2022-08-24 07:42:25 +00:00
Mark Andrews
5a66ca501b Call isc_mutex_destroy(&lasttime_mx);
(cherry picked from commit 8109f495c8b5d7c7f88d581f7905650add0c184e)
2022-08-24 17:05:00 +10:00
Matthijs Mekking
e3b4794ee7 Merge branch '3500-nsec3-missing-detach-node-9_16' into 'v9_16'
[v9_16] nsec3.c: Add a missing dns_db_detachnode() call

See merge request isc-projects/bind9!6694
2022-08-23 11:10:41 +00:00
Matthijs Mekking
31ed140863 Add CHANGES entry for #3500
There is no need for a release because this case was nearly impossible
to trigger (except for when 'sig-signing-type' was set to 0).

(cherry picked from commit 545ecb64b043617ea609f4f115d280bb5990e221)
2022-08-23 12:06:06 +02:00
Matthijs Mekking
58d01b821a nsec3.c: Add a missing dns_db_detachnode() call
There is one case in 'dns_nsec3_activex()' where it returns but forgets
to detach the db node. Add the missing 'dns_db_detachnode()' call.

This case only triggers if 'sig-signing-type' (privatetype) is set to 0
(which by default is not), or if the function is called with 'complete'
is set to 'true' (which at this moment do not exist).

(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb)
2022-08-23 12:05:38 +02:00
Mark Andrews
9e7c12d3b7 Merge branch 'bug/main/delv-cfg_parser_reset-v9_16' into 'v9_16'
Reset parser before parsing of internal trust anchor [v9_16]

See merge request isc-projects/bind9!6687
2022-08-19 05:40:59 +00:00
Mark Andrews
414b35aabd Add CHANGES entry for [GL !6468]
(cherry picked from commit 23a8c15cb2efd3486a4e7ea41c1581cb2ed07912)
2022-08-19 15:21:24 +10:00
Petr Menšík
ba9a140e1f Reset parser before parsing of internal trust anchor
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.

(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
2022-08-19 15:20:59 +10:00
Michal Nowak
4858e4235d Merge branch 'mnowak/freebsd-13.1-v9_16' into 'v9_16'
[v9_16] Add FreeBSD 13.1

See merge request isc-projects/bind9!6684
2022-08-18 15:58:05 +00:00
Michal Nowak
87dc26e494 Add FreeBSD 13.1
(cherry picked from commit bc425be55e1736d4f2ffada5e8d76f96b08c8351)
2022-08-18 17:34:08 +02:00