8198 Commits

Author SHA1 Message Date
Mark Andrews
e04dec4c77 Look for zones deeper than the current domain or forward name
When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.
2022-03-03 13:33:00 +01:00
Mark Andrews
2df037777e Check cached names for possible "forward only" clause
When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence.  Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.
2022-03-03 13:33:00 +01:00
Mark Andrews
52d918c315 Check that the forward declaration is unchanged and not overridden
If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.
2022-03-03 13:33:00 +01:00
Mark Andrews
853c6c284a Add additional name checks when using a forwarder
When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.
2022-03-03 13:33:00 +01:00
Aram Sargsyan
73e660a806 Use autoconf check for BN_GENCB_new()
BIND unconditionally uses shims for BN_GENCB_new(), BN_GENCB_free(),
and BN_GENCB_get_arg() for all LibreSSL versions and, correctly, for
OpenSSL <1.1.0 versions.

This breaks LibreSSL compilation starting with LibreSSL 3.5.0.

Use autoconf check instead to check whether the family of the functions
are available.

(cherry picked from commit 749973f3259b7638a6af02b7da2f40ae28bdd402)
2022-03-02 09:34:29 +00:00
Mark Andrews
a247d282bf Use unsigned arithmetic when shifting by 24
By default C promotes short unsigned values to signed int which
leads to undefined behaviour when the value is shifted by too much.
Force unsigned arithmetic to be perform by explicitly casting to a
unsigned type.

(cherry picked from commit b8b99603f1)
2022-03-02 11:06:53 +11:00
Petr Špaček
dbe0778b67 extend DLZ interface and example with ECS support
Apparently we forgot about DLZ when updating DNS_CLIENTINFO_VERSION
constant for ECS, which is at value "3" since ECS was introduced.

The code in example drivers and tests now hardcodes version numbers
2 (without ECS) and 3 (with ECS) depending on what a given code path
requires.

(cherry picked from commit f81debe1c8)
2022-01-27 16:20:55 -08:00
Evan Hunt
558b060de5 allow dns_clientinfo to store client ECS data
this brings DNS_CLIENTINFO_VERSION into line with the subscription
branch so that fixes applied to clientinfo processing can also be
applied to the main branch without diverging.

(cherry picked from commit 737e658602)
2022-01-27 16:08:57 -08:00
Aram Sargsyan
254cabb558 Fix a memory leak in dns_dlzcreate()
dns_dlzcreate() fails to free the memory allocated for dlzname
when an error occurs.

Free dlzname's memory (acquired earlier with isc_mem_strdup())
by calling isc_mem_free() before returning an error code.

(cherry picked from commit 4a6c66288f)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
a663216c0e Improve the zones' view reverting logic when a zone is a catalog zone
When a zone is being configured with a new view, the catalog zones
structure will also be linked to that view. Later on, in case of some
error, should the zone be reverted to the previous view, the link
between the catalog zones structure and the view won't be reverted.

Change the dns_zone_setviewrevert() function so it calls
dns_zone_catz_enable() during a zone revert, which will reset the
link between `catzs` and view.

(cherry picked from commit 2fd967136a)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
885e44650b Separate the locked parts of dns_zone_catz_enable/disable functions
Separate the locked parts of dns_zone_catz_enable() and
dns_zone_catz_disable() functions into static functions.  This will
let us perform those tasks from the other parts of the module while
the zone is locked, avoiding one pair of additional unlocking and
locking operations.

(cherry picked from commit 6b937ed5f6)
2022-01-26 08:19:02 +00:00
Ondřej Surý
2bf7921c7e Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00
Michał Kępień
149285168e Do not detach raw zone until dumping is complete
When the signed version of an inline-signed zone is dumped to disk, the
serial number of the unsigned version of the zone is stored in the
raw-format header so that the contents of the signed zone can be
resynchronized after named restart if the unsigned zone file is modified
while named is not running.

In order for the serial number of the unsigned zone to be determined
during the dump, zone->raw must be set to a non-NULL value.  This should
always be the case as long as the signed version of the zone is used for
anything by named.

However, a scenario exists in which the signed version of the zone has
zone->raw set to NULL while it is being dumped:

 1. Zone dump is requested; zone_dump() is invoked.

 2. Another zone dump is already in progress, so the dump gets deferred
    until I/O is available (see zonemgr_getio()).

 3. The last external reference to the zone is released.
    zone_shutdown() gets queued to the zone's task.

 4. I/O becomes available for zone dumping.  zone_gotwritehandle() gets
    queued to the zone's task.

 5. The zone's task runs zone_shutdown().  zone->raw gets set to NULL.

 6. The zone's task runs zone_gotwritehandle().  zone->raw is determined
    to be NULL, causing the serial number of the unsigned version of the
    zone to be omitted from the raw-format dump of the signed zone file.

Note that the naïve solution - deferring the dns_zone_detach() call for
zone->raw until zone_free() gets called for the secure version of the
zone - does not work because it leads to a chicken-and-egg problem when
the inline-signed zone is about to get freed: the raw zone holds a weak
reference to the secure zone and that reference does not get released
until the reference count for the raw zone reaches zero, which in turn
would not happen until all weak references to the secure zone were
released.

Defer detaching from zone->raw in zone_shutdown() if the zone is in the
process of being dumped to disk.  Ensure zone->raw gets detached from
after the dump is finished if detaching gets deferred.  Prevent zone
dumping from being requeued upon failure if the zone is in the process
of being cleaned up as it opens up possibilities for the zone->raw
reference to leak, triggering a shutdown hang.

(cherry picked from commit ef625f5f06)
2022-01-06 12:27:12 +01:00
Ondřej Surý
b8e6dffdbc Revert "Ensure the correct ordering zone_shutdown() vs zone_gotwritehandle()"
This reverts commit cc1d4e1aa6.

(cherry picked from commit 1064b2fc47)
2022-01-06 12:27:12 +01:00
Matthijs Mekking
bdb91e3825 Fix bug introduced by #763 related to offline keys
In some cases we want to keep expired signatures. For example, if the
KSK is offline, we don't want to fall back to signing with the ZSK.
We could remove the signatures, but in any case we end up with a broken
zone.

The change made for GL #763 prevented the behavior to sign the DNSKEY
RRset with the ZSK if the KSK was offline (and signatures were expired).

The change causes the definition of "having both keys": if one key is
offline, we still consider having both keys, so we don't fallback
signing with the ZSK if KSK is offline.

That change also works the other way, if the ZSK is offline, we don't
fallback signing with the KSK.

This commit fixes that, so we only fallback signing zone RRsets with
the KSK, not signing key RRsets with the ZSK.

(cherry picked from commit beeefe35c4)
2022-01-06 09:35:36 +01:00
Matthijs Mekking
8e31f6981a Only warn if we could not delete signature
BIND can log this warning:

    zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
      missing or inactive and has no replacement: retaining signatures.

This log can happen when BIND tries to remove signatures because the
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files has been removed from disk. When we have
created a new ZSK we can replace the signatures creeated by the KSK
with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.

The warning is logged even if we were able to delete the signature.

With the change from this commit it only logs this warning if it is not
okay to delete the signature.

(cherry picked from commit 2d2858841a)
2022-01-06 09:35:29 +01:00
Michał Kępień
7b455124d5 Ensure the correct ordering zone_shutdown() vs zone_gotwritehandle()
When the signed version of an inline-signed zone is dumped to disk, the
serial number of the unsigned version of the zone is written in the
raw-format header so that the contents of the signed zone can be
resynchronized after named restart if the unsigned zone file is
modified while named is not running (see RT #26676).

In order for the serial number of the unsigned zone to be determined
during the dump, zone->raw must be set to a non-NULL value.  This
should always be the case as long as the signed version of the zone is
used for anything by named.

However, under certain circumstances the zone->raw could be set to NULL
while the zone is being dumped.

Defer detaching from zone->raw in zone_shutdown() if the zone is in the
process of being dumped to disk.

(cherry picked from commit cc1d4e1aa6)
2022-01-05 10:32:50 +01:00
Ondřej Surý
c5b703d1c6 Adjust the fillcount and freemax for dns_message mempools
According to the measurements (recorded on GL!5085), the fillcount of 2
for namepool and fillcount of 4 for rdspool can fit 99.99% of request
for tested scenarios.

This was discovered by perf recording the single second recursive test
using flamethrower where the initial malloc lit up like a flare.
2021-12-15 13:29:19 +01:00
Ondřej Surý
974f2f6ace Replace locked mempools with memory contexts
Current mempools are kind of hybrid structures - they serve two
purposes:

 1. mempool with a lock is basically static sized allocator with
    pre-allocated free items

 2. mempool without a lock is a doubly-linked list of preallocated items

The first kind of usage could be easily replaced with jemalloc small
sized arena objects and thread-local caches.

The second usage not-so-much and we need to keep this (in
libdns:message.c) for performance reasons.
2021-12-15 13:29:19 +01:00
Aram Sargsyan
4b362a82eb Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:

1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.

Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.

(cherry picked from commit 43ac2cd229)
2021-12-01 09:56:59 +00:00
Mark Andrews
4ace37bf73 Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer.  If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.

(cherry picked from commit 08f1cba096)
2021-11-26 07:44:37 +11:00
Michal Nowak
b61eec8376 Fix "array subscript is of type 'char'" on NetBSD 9
In file included from rdata.c:602:
    In file included from ./code.h:88:
    ./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
                            if (!isdigit(*region->base)) {
                                 ^~~~~~~~~~~~~~~~~~~~~~
    /usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
    #define isdigit(c)      ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
                                                    ^~~~

(cherry picked from commit d09447287f)
2021-11-25 18:54:18 +01:00
Aram Sargsyan
c6e4c28b4e Add dst_key_pubcompare and dst_key_compare unit test
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.

dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.

dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
2021-10-28 14:52:28 +00:00
Aram Sargsyan
b122455009 Fix a bug when comparing two RSA keys
When comparing different parameters of two RSA keys there is a typo
which causes the "p" prime factors to not being compared.

Fix the typo.

(cherry picked from commit 930e4f52a5)
2021-10-28 13:46:22 +00:00
Ondřej Surý
498bcc5c9c Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection.  In this commit, we enable
the lame response detection even when the lame cache is disabled.  This
enables stopping answer processing early rather than going through the
whole answer processing flow.
2021-10-28 12:22:33 +02:00
Mark Andrews
d329d47bae Prevent existing catalog zone entries being incorrectly deleted
After receiving a new version of a catalog zone it is required
to merge it with the old version.

The algorithm walks through the new version's hash table and applies
the following logic:

1. If an entry from the new version does not exist in the old
   version, then it's a new entry, add the entry to the `toadd` hash
   table.
2. If the zone does not exist in the set of configured zones, because
   it was deleted via rndc delzone or it was removed from another
   catalog zone instance, then add into to the `toadd` hash table to
   be reinstantiated.
3. If an entry from the new version also exists in the old version,
   but is modified, then add the entry to the `tomod` hash table, then
   remove it from the old version's hash table.
4. If an entry from the new version also exists in the old version and
   is the same (unmodified) then just remove it from the old version's
   hash table.

The algorithm then deletes all the remaining zones which still exist
in the old version's hash table (because only the ones that don't
exist in the new version should now remain there), then adds the ones
that were added to the `toadd`, and modifies the ones that were added
to the `tomod`, completing the merge.

During a recent refactoring, the part when the entry should be
removed from the old version's hash table on condition (4.) above
was accidentally omitted, so the unmodified zones were remaining
in the old version's hash table and consequently being deleted.

(cherry picked from commit 63145fb1d3)
2021-10-28 00:04:44 +11:00
Ondřej Surý
40fa423fd3 Add missing DNS_ZONEFLG_DUMPING to setmodtime()
It was found, that the original commit adding the setmodtime() was
incompletely squashed and there was double check for
DNS_ZONEFLG_NEEDDUMP instead of check for DNS_ZONEFLG_NEEDDUMP and
DNS_ZONEFLG_DUMPING.

Change the duplicate check to DNS_ZONEFLG_DUMPING.

(cherry picked from commit 55ac6b7394)
2021-10-21 12:33:24 +02:00
Ondřej Surý
093cd31ae2 Update the source code formatting using clang-format-13
clang-format-13 fixed some of the formatting that clang-format-12 got
wrong.  Update the formatting.

(cherry picked from commit ed95f9fba3)
2021-10-12 11:31:55 +02:00
Mark Andrews
187787c723 Fix cleanup of signature buffer in dns_dnssec_signmessage
A NULL pointer could be freed if error handling occured.

(cherry picked from commit 0378c05ba0)
2021-10-12 10:19:08 +11:00
Aram Sargsyan
311074f51e Handle a missing zone when reloading a catalog zone
Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.

This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.

(cherry picked from commit 94a5712801)
2021-09-30 20:15:19 +00:00
Mark Andrews
21771f5295 Pause the dbiterator before calling dns_db_find
zone.c:integrity_checks() acquires a read lock while iterating the
zone database, and calls zone_check_mx() which acquires another
read lock. If another thread tries to acquire a write lock in the
meantime, it can deadlock. Calling dns_dbiterator_pause() to release
the first read lock prevents this.

(cherry picked from commit 4e1faa35d5)
2021-09-29 18:04:14 +02:00
Evan Hunt
e9d62d2442 map files over 2GB could not be loaded
- fixed a size comparison using "signed int" that failed if the file
  size was more than 2GB, since that was treated as a negative number.
- incidentally renamed deserialize32() to just deserialize(). we no
  longer have separate 32 and 64 bit rbtdb implementations.
2021-09-01 00:43:54 -07:00
Evan Hunt
ddc677ae64 rename dns_zone_master and dns_zone_slave
dns_zone_master and dns_zone_slave are renamed as dns_zone_primary
and dns_zone_secondary.

(cherry picked from commit 916760ae46)
2021-08-30 11:58:29 -07:00
Petr Špaček
b70a2c2d07 increase MAPAPI
bump the map zonefile version number to avoid an assertion
failure when loading map files from versions of BIND prior to
the most recent change to the in-memory structure of zone
databases.

(cherry picked from commit 4a68c7be22)
2021-08-28 07:45:39 -07:00
Diego Fronza
f262860d5d Replace literal 255 with a more descriptive macro name
More details on thread:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12186

(cherry picked from commit bd0cc048d1)
2021-08-25 15:57:35 -07:00
Diego Fronza
caa4af08d4 Avoid an empty block under if condition
This commit doesn't change the logic flow from previous code, it only
makes the code more readable and consistent.

More details on thread:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12185

(cherry picked from commit 90e724af45)
2021-08-25 15:57:35 -07:00
Diego Fronza
7af2573219 Remove redundant function 'newchain'
The removed function 'newchain(a, b)' was almost the same as calling
!chain_equal(a, b), varying only in the amount of data compared
in the non-fixed-length data portion of given chain nodes.

A third argument 'data_size' has been introduced into 'chain_equal'
function in order to allow it to know how many bytes to compare in the
variable-length data portion of the chain nodes.

A helper function 'chain_length(e)' has been introduced to allow
easy calculation of the total length of the non-fixed-length data part
of chain nodes.

Check the thread below for more details:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12184

(cherry picked from commit 37f42d19a1)
2021-08-25 15:57:35 -07:00
Diego Fronza
063bc21543 Use sizeof instead of arbitrary number to iterate fixed size array
More details on thread:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12180

(cherry picked from commit 6a12e37382)
2021-08-25 15:57:34 -07:00
Diego Fronza
9954c2da91 Initialize buffers with { 0 } instead of memset
More details on threads:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12178
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12181

(cherry picked from commit 87e970474f)
2021-08-25 15:57:34 -07:00
Diego Fronza
9f5c643769 Minor refactoring on function match_nsec3
The logic for matching a set of nsec3 objects against an nsec3param
object was moved to a specific function.

For more details check thread:
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/291#note_12176

(cherry picked from commit 98d1e40143)
2021-08-25 15:57:34 -07:00
Diego Fronza
ebb827c1d5 Minor refactoring/cleanup
This commit moves the warning message to the logical block where it
belongs better.

For more details check thread comment:
https://gitlab.isc.org/isc-projects/bind9/merge_requests/291#note_12167

(cherry picked from commit 966c06a9e6)
2021-08-25 15:57:34 -07:00
Matthijs Mekking
c499478321 Clear dnssec-sign stats for removed keys
Clear the key slots for dnssec-sign statistics for keys that are
removed. This way, the number of slots will stabilize to the maximum
key usage in a zone and will not grow every time a key rollover is
triggered.

(cherry picked from commit de15e07800)
2021-08-24 09:51:45 +02:00
Matthijs Mekking
df6fb95621 Grow dnssec-sign statistics instead of rotating
We have introduced dnssec-sign statistics to the zone statistics. This
introduced an operational issue because when using zone-statistics
full, the memory usage was going through the roof. We fixed this by
by allocating just four key slots per zone. If a zone exceeds the
number of keys for example through a key rollover, the keys will be
rotated out on a FIFO basis.

This works for most cases, and fixes the immediate problem of high
memory usage, but if you sign your zone with many, many keys, or are
sign with a ZSK/KSK double algorithm strategy you may experience weird
statistics. A better strategy is to grow the number of key slots per
zone on key rollover events.

That is what this commit is doing: instead of rotating the four slots
to track sign statistics, named now grows the number of key slots
during a key rollover (or via some other method that introduces new
keys).

(cherry picked from commit d9cca81d50)
2021-08-24 09:51:45 +02:00
Matthijs Mekking
db18004d69 Migrate a single key to CSK with dnssec-policy
When migrating keys to dnssec-policy, if a zone has only one key,
assume it is going to be a CSK.

(cherry picked from commit 3ea953512a)
2021-08-23 10:36:42 +02:00
Mark Andrews
7d3d7cacf9 Reject zero length ALPN elements in fromwire
(cherry picked from commit 8833d90292)
2021-08-19 18:59:29 +10:00
Mark Andrews
c9858fa078 Check that ALPN is present when NO-DEFAULT-ALPN is present in fromwire
(cherry picked from commit 2f51bb2d93)
2021-08-19 17:32:32 +10:00
Mark Andrews
e3c22ec53a Check that the hostname of the server is legal
(cherry picked from commit f46a0c27df)
2021-08-18 16:54:31 +10:00
Mark Andrews
c0c38eeb36 Add invalid test vectors
(cherry picked from commit bc21015438)
2021-08-18 14:59:29 +10:00
Mark Andrews
4fd35998e6 add text vs unknown test vectors
(cherry picked from commit 3e459b4808)
2021-08-18 14:59:29 +10:00
Mark Andrews
c7130b36fc Parse and print HTTPS and SVCB records
(cherry picked from commit 36f34a3e79)
2021-08-18 14:59:29 +10:00