8223 Commits

Author SHA1 Message Date
Mark Andrews
36612dadff Allow DNS_RPZ_POLICY_ERROR to be converted to a string
(cherry picked from commit f498d2db0d)
2022-05-04 23:53:21 +10:00
Petr Menšík
c1b3862c4a Additional safety check for negative array index
inet_ntop result should always protect against empty string accepted
without an error. Make additional check to satisfy coverity scans.

(cherry picked from commit 656a0f076f)
2022-04-29 11:46:33 +10:00
Petr Menšík
1bc7552203 Ensure diff variable is not read uninitialized
Coverity detected issues:
- var_decl: Declaring variable "diff" without initializer.
- uninit_use_in_call: Using uninitialized value "diff.tuples.head" when
  calling "dns_diff_clear".

(cherry picked from commit 67e773c93c)
2022-04-29 11:46:33 +10:00
Mark Andrews
cb3c29cf8e Update the rdataset->trust field in ncache.c:rdataset_settrust
Both the trust recorded in the slab stucture and the trust on
rdataset need to be updated.

(cherry picked from commit d043a41499)
2022-04-19 09:45:16 +10:00
Matthijs Mekking
42f43cebdd Update dns_dnssec_syncdelete() function
Update the function that synchronizes the CDS and CDNSKEY DELETE
records. It now allows for the possibility that the CDS DELETE record
is published and the CDNSKEY DELETE record is not, and vice versa.

Also update the code in zone.c how 'dns_dnssec_syncdelete()' is called.

With KASP, we still maintain the DELETE records our self. Otherwise,
we publish the CDS and CDNSKEY DELETE record only if they are added
to the zone. We do still check if these records can be signed by a KSK.

This change will allow users to add a CDS and/or CDNSKEY DELETE record
manually, without BIND removing them on the next zone sign.

Note that this commit removes the check whether the key is a KSK, this
check is redundant because this check is also made in
'dst_key_is_signing()' when the role is set to DST_BOOL_KSK.

(cherry picked from commit 3d05c99abb)
2022-04-13 15:13:12 +02:00
Ondřej Surý
daa7d6d6db Revert "General cleanup of dns_rpz implementation"
This reverts commit 84e62cece5.
2022-04-06 10:41:49 +02:00
Ondřej Surý
f5fbe2c26f Revert "Refactor the dns_rpz_add/delete to use local rpz copy"
This reverts commit 635147d01a.
2022-04-06 10:41:39 +02:00
Ondřej Surý
b68ccdc48e Revert "Run the RPZ update as offloaded work"
This reverts commit 73a0bb8588.
2022-04-06 10:31:23 +02:00
Ondřej Surý
73a0bb8588 Run the RPZ update as offloaded work
Previously, the RPZ updates ran quantized on the main nm_worker loops.
As the quantum was set to 1024, this might lead to service
interruptions when large RPZ update was processed.

Change the RPZ update process to run as the offloaded work.  The update
and cleanup loops were refactored to do as little locking of the
maintenance lock as possible for the shortest periods of time and the db
iterator is being paused for every iteration, so we don't hold the rbtdb
tree lock for prolonged periods of time.

(cherry picked from commit f106d0ed2b)
(cherry picked from commit e128b6a951)
2022-04-05 00:30:39 +02:00
Ondřej Surý
635147d01a Refactor the dns_rpz_add/delete to use local rpz copy
Previously dns_rpz_add() were passed dns_rpz_zones_t and index to .zones
array.  Because we actually attach to dns_rpz_zone_t, we should be using
the local pointer instead of passing the index and "finding" the
dns_rpz_zone_t again.

Additionally, dns_rpz_add() and dns_rpz_delete() were used only inside
rpz.c, so make them static.

(cherry picked from commit b6e885c97f)
(cherry picked from commit f4cba0784e)
2022-04-05 00:30:39 +02:00
Ondřej Surý
84e62cece5 General cleanup of dns_rpz implementation
Do a general cleanup of lib/dns/rpz.c style:

 * Removed deprecated and unused functions
 * Unified dns_rpz_zone_t naming to rpz
 * Unified dns_rpz_zones_t naming to rpzs
 * Add and use rpz_attach() and rpz_attach_rpzs() functions
 * Shuffled variables to be more local (cppcheck cleanup)

(cherry picked from commit 840179a247)
(cherry picked from commit bfee462403)
2022-04-05 00:02:35 +02:00
Mark Andrews
c284112bec Prevent arithmetic overflow of 'i' in master.c:generate
the value of 'i' in generate could overflow when adding 'step' to
it in the 'for' loop.  Use an unsigned int for 'i' which will give
an additional bit and prevent the overflow.  The inputs are both
less than 2^31 and and the result will be less than 2^32-1.

(cherry picked from commit 5abdee9004)
2022-04-01 21:42:53 +11:00
Ondřej Surý
79b7804ce8 Consistenly use UNREACHABLE() instead of ISC_UNREACHABLE()
In couple places, we have missed INSIST(0) or ISC_UNREACHABLE()
replacement on some branches with UNREACHABLE().  Replace all
ISC_UNREACHABLE() or INSIST(0) calls with UNREACHABLE().
2022-03-28 23:28:05 +02:00
Ondřej Surý
888dcc6aab Remove UNREACHABLE() statements after exit()
Couple of UNREACHABLE() statements following exit() were found and
removed.

(cherry picked from commit 81fdc4a822)
2022-03-25 10:08:39 +01:00
Ondřej Surý
8b1d60933c Remove workaround for ancient clang versions (<< 3.2 and << 4.0.1)
Some ancient versions of clang reported uninitialized memory use false
positive (see https://bugs.llvm.org/show_bug.cgi?id=14461).  Since clang
4.0.1 has been long obsoleted, just remove the workarounds.

(cherry picked from commit ae508c17bc)
2022-03-25 09:37:22 +01:00
Ondřej Surý
b624be2544 Remove use of the inline keyword used as suggestion to compiler
Historically, the inline keyword was a strong suggestion to the compiler
that it should inline the function marked inline.  As compilers became
better at optimising, this functionality has receded, and using inline
as a suggestion to inline a function is obsolete.  The compiler will
happily ignore it and inline something else entirely if it finds that's
a better optimisation.

Therefore, remove all the occurences of the inline keyword with static
functions inside single compilation unit and leave the decision whether
to inline a function or not entirely on the compiler

NOTE: We keep the usage the inline keyword when the purpose is to change
the linkage behaviour.

(cherry picked from commit 20f0936cf2)
2022-03-25 09:37:18 +01:00
Ondřej Surý
75f9dd8e82 Simplify way we tag unreachable code with only ISC_UNREACHABLE()
Previously, the unreachable code paths would have to be tagged with:

    INSIST(0);
    ISC_UNREACHABLE();

There was also older parts of the code that used comment annotation:

    /* NOTREACHED */

Unify the handling of unreachable code paths to just use:

    UNREACHABLE();

The UNREACHABLE() macro now asserts when reached and also uses
__builtin_unreachable(); when such builtin is available in the compiler.

(cherry picked from commit 584f0d7a7e)
2022-03-25 09:33:51 +01:00
Ondřej Surý
673e53f81d Add FALLTHROUGH macro for __attribute__((fallthrough))
Gcc 7+ and Clang 10+ have implemented __attribute__((fallthrough)) which
is explicit version of the /* FALLTHROUGH */ comment we are currently
using.

Add and apply FALLTHROUGH macro that uses the attribute if available,
but does nothing on older compilers.

In one case (lib/dns/zone.c), using the macro revealed that we were
using the /* FALLTHROUGH */ comment in wrong place, remove that comment.

(cherry picked from commit fe7ce629f4)
2022-03-25 09:30:16 +01:00
Tony Finch
afb5f59a6f Remove a redundant variable-length array
In the GSS-TSIG verification code there was an alarming
variable-length array whose size came off the network, from the
signature in the request. It turned out to be safe, because the caller
had previously checked that the signature had a reasonable size.
However, the safety checks are in the generic TSIG implementation, and
the risky VLA usage was in the GSS-specific code, and they are
separated by the DST indirection layer, so it wasn't immediately
obvious that the risky VLA was in fact safe.

In fact this risky VLA was completely unnecessary, because the GSS
signature can be verified in place without being copied to the stack,
like the message covered by the signature. The `REGION_TO_GBUFFER()`
macro backwardly assigns the region in its left argument to the GSS
buffer in its right argument; this is just a pointer and length
conversion, without copying any data. The `gss_verify_mic()` call uses
both message and signature GSS buffers in a read-only manner.
2022-03-18 17:21:57 +00:00
Ondřej Surý
2c86bd4ed9 Remove debugging implementation of stdatomic using mutexes
Upcoming LLVM/Clang 15 has marked the ATOMIC_VAR_INIT() as deprecated
breaking the build.  In the previous commit, we have removed the use of
ATOMIC_VAR_INIT(), but as that was a prerequisite to using the
--enable-mutexatomic debugging mode, we have to remove the debugging
mode.
2022-03-17 21:44:04 +01:00
Ondřej Surý
25732d818d Remove usage of deprecated ATOMIC_VAR_INIT() macro
The C17 standard deprecated ATOMIC_VAR_INIT() macro (see [1]).  Follow
the suite and remove the ATOMIC_VAR_INIT() usage in favor of simple
assignment of the value as this is what all supported stdatomic.h
implementations do anyway:

  * MacOSX.plaform: #define ATOMIC_VAR_INIT(__v) {__v}
  * Gcc stdatomic.h: #define ATOMIC_VAR_INIT(VALUE)	(VALUE)

1. http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2018/p1138r0.pdf

(cherry picked from commit f251d69eba)
2022-03-17 21:44:04 +01:00
Ondřej Surý
be47b2e5e4 Add couple missing braces around single-line statements
The clang-format-15 has new option InsertBraces that could add missing
branches around single line statements.  Use that to our advantage
without switching to not-yet-released LLVM version to add missing braces
in couple of places.
2022-03-17 18:31:36 +01:00
Mark Andrews
71b2421054 Look for zones deeper than the current domain or forward name
When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.
2022-03-17 00:19:11 +01:00
Mark Andrews
ea06552a3d Check cached names for possible "forward only" clause
When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence.  Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.
2022-03-17 00:19:11 +01:00
Mark Andrews
3fc7accd88 Check that the forward declaration is unchanged and not overridden
If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.
2022-03-17 00:19:11 +01:00
Mark Andrews
24155213be Add additional name checks when using a forwarder
When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.
2022-03-17 00:19:11 +01:00
Ondřej Surý
e7fb7c1de5 Make isc_heap_create() and isc_heap_insert() return void
Previously, the function(s) in the commit subject could fail for various
reasons - mostly allocation failures, or other functions returning
different return code than ISC_R_SUCCESS.  Now, the aforementioned
function(s) cannot ever fail and they would always return ISC_R_SUCCESS.

Change the function(s) to return void and remove the extra checks in
the code that uses them.

(cherry picked from commit bbb4cdb92d)
2022-03-08 20:49:15 +01:00
Ondřej Surý
848e6ee7b6 Make dns_catz_get_iterator() return void
Previously, the function(s) in the commit subject could fail for various
reasons - mostly allocation failures, or other functions returning
different return code than ISC_R_SUCCESS.  Now, the aforementioned
function(s) cannot ever fail and they would always return ISC_R_SUCCESS.

Change the function(s) to return void and remove the extra checks in
the code that uses them.

(cherry picked from commit d128656d2e)
2022-03-08 20:20:54 +01:00
Ondřej Surý
ba89da052a Make isc_ht_init() and isc_ht_iter_create() return void
Previously, the function(s) in the commit subject could fail for various
reasons - mostly allocation failures, or other functions returning
different return code than ISC_R_SUCCESS.  Now, the aforementioned
function(s) cannot ever fail and they would always return ISC_R_SUCCESS.

Change the function(s) to return void and remove the extra checks in
the code that uses them.

(cherry picked from commit 8fa27365ec)
2022-03-08 20:20:52 +01:00
Aram Sargsyan
73e660a806 Use autoconf check for BN_GENCB_new()
BIND unconditionally uses shims for BN_GENCB_new(), BN_GENCB_free(),
and BN_GENCB_get_arg() for all LibreSSL versions and, correctly, for
OpenSSL <1.1.0 versions.

This breaks LibreSSL compilation starting with LibreSSL 3.5.0.

Use autoconf check instead to check whether the family of the functions
are available.

(cherry picked from commit 749973f3259b7638a6af02b7da2f40ae28bdd402)
2022-03-02 09:34:29 +00:00
Mark Andrews
a247d282bf Use unsigned arithmetic when shifting by 24
By default C promotes short unsigned values to signed int which
leads to undefined behaviour when the value is shifted by too much.
Force unsigned arithmetic to be perform by explicitly casting to a
unsigned type.

(cherry picked from commit b8b99603f1)
2022-03-02 11:06:53 +11:00
Petr Špaček
dbe0778b67 extend DLZ interface and example with ECS support
Apparently we forgot about DLZ when updating DNS_CLIENTINFO_VERSION
constant for ECS, which is at value "3" since ECS was introduced.

The code in example drivers and tests now hardcodes version numbers
2 (without ECS) and 3 (with ECS) depending on what a given code path
requires.

(cherry picked from commit f81debe1c8)
2022-01-27 16:20:55 -08:00
Evan Hunt
558b060de5 allow dns_clientinfo to store client ECS data
this brings DNS_CLIENTINFO_VERSION into line with the subscription
branch so that fixes applied to clientinfo processing can also be
applied to the main branch without diverging.

(cherry picked from commit 737e658602)
2022-01-27 16:08:57 -08:00
Aram Sargsyan
254cabb558 Fix a memory leak in dns_dlzcreate()
dns_dlzcreate() fails to free the memory allocated for dlzname
when an error occurs.

Free dlzname's memory (acquired earlier with isc_mem_strdup())
by calling isc_mem_free() before returning an error code.

(cherry picked from commit 4a6c66288f)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
a663216c0e Improve the zones' view reverting logic when a zone is a catalog zone
When a zone is being configured with a new view, the catalog zones
structure will also be linked to that view. Later on, in case of some
error, should the zone be reverted to the previous view, the link
between the catalog zones structure and the view won't be reverted.

Change the dns_zone_setviewrevert() function so it calls
dns_zone_catz_enable() during a zone revert, which will reset the
link between `catzs` and view.

(cherry picked from commit 2fd967136a)
2022-01-26 08:19:02 +00:00
Aram Sargsyan
885e44650b Separate the locked parts of dns_zone_catz_enable/disable functions
Separate the locked parts of dns_zone_catz_enable() and
dns_zone_catz_disable() functions into static functions.  This will
let us perform those tasks from the other parts of the module while
the zone is locked, avoiding one pair of additional unlocking and
locking operations.

(cherry picked from commit 6b937ed5f6)
2022-01-26 08:19:02 +00:00
Ondřej Surý
2bf7921c7e Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00
Michał Kępień
149285168e Do not detach raw zone until dumping is complete
When the signed version of an inline-signed zone is dumped to disk, the
serial number of the unsigned version of the zone is stored in the
raw-format header so that the contents of the signed zone can be
resynchronized after named restart if the unsigned zone file is modified
while named is not running.

In order for the serial number of the unsigned zone to be determined
during the dump, zone->raw must be set to a non-NULL value.  This should
always be the case as long as the signed version of the zone is used for
anything by named.

However, a scenario exists in which the signed version of the zone has
zone->raw set to NULL while it is being dumped:

 1. Zone dump is requested; zone_dump() is invoked.

 2. Another zone dump is already in progress, so the dump gets deferred
    until I/O is available (see zonemgr_getio()).

 3. The last external reference to the zone is released.
    zone_shutdown() gets queued to the zone's task.

 4. I/O becomes available for zone dumping.  zone_gotwritehandle() gets
    queued to the zone's task.

 5. The zone's task runs zone_shutdown().  zone->raw gets set to NULL.

 6. The zone's task runs zone_gotwritehandle().  zone->raw is determined
    to be NULL, causing the serial number of the unsigned version of the
    zone to be omitted from the raw-format dump of the signed zone file.

Note that the naïve solution - deferring the dns_zone_detach() call for
zone->raw until zone_free() gets called for the secure version of the
zone - does not work because it leads to a chicken-and-egg problem when
the inline-signed zone is about to get freed: the raw zone holds a weak
reference to the secure zone and that reference does not get released
until the reference count for the raw zone reaches zero, which in turn
would not happen until all weak references to the secure zone were
released.

Defer detaching from zone->raw in zone_shutdown() if the zone is in the
process of being dumped to disk.  Ensure zone->raw gets detached from
after the dump is finished if detaching gets deferred.  Prevent zone
dumping from being requeued upon failure if the zone is in the process
of being cleaned up as it opens up possibilities for the zone->raw
reference to leak, triggering a shutdown hang.

(cherry picked from commit ef625f5f06)
2022-01-06 12:27:12 +01:00
Ondřej Surý
b8e6dffdbc Revert "Ensure the correct ordering zone_shutdown() vs zone_gotwritehandle()"
This reverts commit cc1d4e1aa6.

(cherry picked from commit 1064b2fc47)
2022-01-06 12:27:12 +01:00
Matthijs Mekking
bdb91e3825 Fix bug introduced by #763 related to offline keys
In some cases we want to keep expired signatures. For example, if the
KSK is offline, we don't want to fall back to signing with the ZSK.
We could remove the signatures, but in any case we end up with a broken
zone.

The change made for GL #763 prevented the behavior to sign the DNSKEY
RRset with the ZSK if the KSK was offline (and signatures were expired).

The change causes the definition of "having both keys": if one key is
offline, we still consider having both keys, so we don't fallback
signing with the ZSK if KSK is offline.

That change also works the other way, if the ZSK is offline, we don't
fallback signing with the KSK.

This commit fixes that, so we only fallback signing zone RRsets with
the KSK, not signing key RRsets with the ZSK.

(cherry picked from commit beeefe35c4)
2022-01-06 09:35:36 +01:00
Matthijs Mekking
8e31f6981a Only warn if we could not delete signature
BIND can log this warning:

    zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
      missing or inactive and has no replacement: retaining signatures.

This log can happen when BIND tries to remove signatures because the
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files has been removed from disk. When we have
created a new ZSK we can replace the signatures creeated by the KSK
with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.

The warning is logged even if we were able to delete the signature.

With the change from this commit it only logs this warning if it is not
okay to delete the signature.

(cherry picked from commit 2d2858841a)
2022-01-06 09:35:29 +01:00
Michał Kępień
7b455124d5 Ensure the correct ordering zone_shutdown() vs zone_gotwritehandle()
When the signed version of an inline-signed zone is dumped to disk, the
serial number of the unsigned version of the zone is written in the
raw-format header so that the contents of the signed zone can be
resynchronized after named restart if the unsigned zone file is
modified while named is not running (see RT #26676).

In order for the serial number of the unsigned zone to be determined
during the dump, zone->raw must be set to a non-NULL value.  This
should always be the case as long as the signed version of the zone is
used for anything by named.

However, under certain circumstances the zone->raw could be set to NULL
while the zone is being dumped.

Defer detaching from zone->raw in zone_shutdown() if the zone is in the
process of being dumped to disk.

(cherry picked from commit cc1d4e1aa6)
2022-01-05 10:32:50 +01:00
Ondřej Surý
c5b703d1c6 Adjust the fillcount and freemax for dns_message mempools
According to the measurements (recorded on GL!5085), the fillcount of 2
for namepool and fillcount of 4 for rdspool can fit 99.99% of request
for tested scenarios.

This was discovered by perf recording the single second recursive test
using flamethrower where the initial malloc lit up like a flare.
2021-12-15 13:29:19 +01:00
Ondřej Surý
974f2f6ace Replace locked mempools with memory contexts
Current mempools are kind of hybrid structures - they serve two
purposes:

 1. mempool with a lock is basically static sized allocator with
    pre-allocated free items

 2. mempool without a lock is a doubly-linked list of preallocated items

The first kind of usage could be easily replaced with jemalloc small
sized arena objects and thread-local caches.

The second usage not-so-much and we need to keep this (in
libdns:message.c) for performance reasons.
2021-12-15 13:29:19 +01:00
Aram Sargsyan
4b362a82eb Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:

1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.

Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.

(cherry picked from commit 43ac2cd229)
2021-12-01 09:56:59 +00:00
Mark Andrews
4ace37bf73 Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer.  If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.

(cherry picked from commit 08f1cba096)
2021-11-26 07:44:37 +11:00
Michal Nowak
b61eec8376 Fix "array subscript is of type 'char'" on NetBSD 9
In file included from rdata.c:602:
    In file included from ./code.h:88:
    ./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
                            if (!isdigit(*region->base)) {
                                 ^~~~~~~~~~~~~~~~~~~~~~
    /usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
    #define isdigit(c)      ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
                                                    ^~~~

(cherry picked from commit d09447287f)
2021-11-25 18:54:18 +01:00
Aram Sargsyan
c6e4c28b4e Add dst_key_pubcompare and dst_key_compare unit test
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.

dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.

dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
2021-10-28 14:52:28 +00:00
Aram Sargsyan
b122455009 Fix a bug when comparing two RSA keys
When comparing different parameters of two RSA keys there is a typo
which causes the "p" prime factors to not being compared.

Fix the typo.

(cherry picked from commit 930e4f52a5)
2021-10-28 13:46:22 +00:00
Ondřej Surý
498bcc5c9c Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection.  In this commit, we enable
the lame response detection even when the lame cache is disabled.  This
enables stopping answer processing early rather than going through the
whole answer processing flow.
2021-10-28 12:22:33 +02:00