34614 Commits

Author SHA1 Message Date
Michał Kępień
35e9c6e31d Merge branch 'prep-release' into security-v9_16 v9.16.33 2022-09-08 15:01:23 +02:00
Michał Kępień
31fdc767f7 prep 9.16.33 2022-09-08 15:01:10 +02:00
Michał Kępień
f4ad07e82d Merge branch 'michal/prepare-documentation-for-bind-9.16.33' into 'security-v9_16'
Prepare documentation for BIND 9.16.33

See merge request isc-private/bind9!460
2022-09-08 12:40:59 +00:00
Michał Kępień
907b764b2a Tweak and reword release notes 2022-09-08 14:33:43 +02:00
Michał Kępień
b54ee83d50 Prepare release notes for BIND 9.16.33 2022-09-08 14:33:43 +02:00
Michał Kępień
0657c81d59 Merge branch '3487-eddsa-verify-leak-v9_16' into 'security-v9_16'
[v9_16] [CVE-2022-38178] eddsa verify leak

See merge request isc-private/bind9!440
2022-09-08 10:18:54 +00:00
Mark Andrews
ffd69ff780 Add release note for [GL #3487]
(cherry picked from commit e6cb1de20b)
2022-09-08 12:16:36 +02:00
Mark Andrews
a385e884f5 Add CHANGES note for [GL #3487]
(cherry picked from commit b3277f2e10)
2022-09-08 12:16:36 +02:00
Mark Andrews
1af23378eb Free ctx on invalid siglen
(cherry picked from commit 6ddb480a84)
2022-09-08 12:16:36 +02:00
Michał Kępień
1f1c4734fb Merge branch '3487-ecdsa-verify-leak' into 'security-v9_16'
[v9_16][CVE-2022-38177] ecdsa verify leak

See merge request isc-private/bind9!421
2022-09-08 10:14:18 +00:00
Mark Andrews
62c45573ba Add release note for [GL #3487] 2022-09-08 12:12:36 +02:00
Mark Andrews
21518e169a Add CHANGES note for [GL #3487] 2022-09-08 12:12:36 +02:00
Mark Andrews
5b2282afff Free eckey on siglen mismatch 2022-09-08 12:12:36 +02:00
Michał Kępień
b3abc2a844 Merge branch '3517-serve-stale-client-timeout-0-cname-crash-v9_16' into 'security-v9_16'
[v9_16] [CVE-2022-3080] Fix serve-stale-client-timeout 0 CNAME crash

See merge request isc-private/bind9!448
2022-09-08 10:10:34 +00:00
Matthijs Mekking
8ee4c3bbdc Add release notes for #3517
(cherry picked from commit 97c6c3712e)
2022-09-08 12:08:28 +02:00
Matthijs Mekking
57bf78e1ea Add CHANGES entry for 3517
(cherry picked from commit e394902965)
2022-09-08 12:08:28 +02:00
Matthijs Mekking
3f68e2ad83 Only refresh RRset once
Don't attempt to resolve DNS responses for intermediate results. This
may create multiple refreshes and can cause a crash.

One scenario is where for the query there is a CNAME and canonical
answer in cache that are both stale. This will trigger a refresh of
the RRsets because we encountered stale data and we prioritized it over
the lookup. It will trigger a refresh of both RRsets. When we start
recursing, it will detect a recursion loop because the recursion
parameters will eventually be the same. In 'dns_resolver_destroyfetch'
the sanity check fails, one of the callers did not get its event back
before trying to destroy the fetch.

Move the call to 'query_refresh_rrset' to 'ns_query_done', so that it
is only called once per client request.

Another scenario is where for the query there is a stale CNAME in the
cache that points to a record that is also in cache but not stale. This
will trigger a refresh of the RRset (because we encountered stale data
and we prioritized it over the lookup).

We mark RRsets that we add to the message with
DNS_RDATASETATTR_STALE_ADDED to prevent adding a duplicate RRset when
a stale lookup and a normal lookup conflict with each other. However,
the other non-stale RRset when following a CNAME chain will be added to
the message without setting that attribute, because it is not stale.

This is a variant of the bug in #2594. The fix covered the same crash
but for stale-answer-client-timeout > 0.

Fix this by clearing all RRsets from the message before refreshing.
This requires the refresh to happen after the query is send back to
the client.

(cherry picked from commit d939d2ecde)
2022-09-08 12:08:28 +02:00
Michał Kępień
0d5aecf3be Merge branch '3394-security-cve-2022-2795-mitigation-v9_16' into 'security-v9_16'
[CVE-2022-2795] [v9_16] Bound the amount of work performed for delegations

See merge request isc-private/bind9!453
2022-09-08 10:06:06 +00:00
Michał Kępień
315d35589a Add release note for GL #3394
(cherry picked from commit 672072812c)
2022-09-08 11:11:30 +02:00
Michał Kępień
ed6aa5c503 Add CHANGES entry for GL #3394
(cherry picked from commit e802beedfc)
2022-09-08 11:11:30 +02:00
Michał Kępień
bf2ea6d852 Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered.  Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.

The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.

(cherry picked from commit 3a44097fd6)
2022-09-08 11:11:30 +02:00
Michał Kępień
65245d8b3d Merge branch '3459-rrl-wildcard-handling-v9_16' into 'v9_16'
[v9_16] Make RRL code treat all QNAMEs subject to wildcard processing within a given zone as the same name

See merge request isc-projects/bind9!6749
2022-09-08 08:23:57 +00:00
Aram Sargsyan
5b6e4465be Add CHANGES and release notes for [GL #3459]
(cherry picked from commit 0b0cf12741)
2022-09-08 09:41:15 +02:00
Aram Sargsyan
6f46bfe705 Document RRL processing for wildcard names
All valid wildcard domain names are interpreted as the zone's origin
name concatenated to the "*" name.

(cherry picked from commit 89c2032421)
2022-09-08 09:41:15 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Matthijs Mekking
f917f9480e Merge branch 'matthijs-fix-intermittent-inline-system-test-failure-v9_16' into 'v9_16'
[v9_16] Fix intermittent inline system test failure

See merge request isc-projects/bind9!6740
2022-09-07 15:34:24 +00:00
Matthijs Mekking
d1336d49b3 Update inline system test, zone 'retransfer3.'
The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.

(cherry picked from commit 8b71cbd09c)
2022-09-07 16:30:19 +02:00
Evan Hunt
559c9c2e33 Merge branch '3521-interface-cleanup' into 'v9_16'
clean up properly when interface creation fails

See merge request isc-projects/bind9!6723
2022-09-07 00:10:10 +00:00
Evan Hunt
80a8322d65 clean up properly when interface creation fails
previously, if ns_clientmgr_create() failed, the interface was not
cleaned up correctly and an assertion or segmentation fault could
follow. this has been fixed.
2022-09-06 13:53:44 -07:00
Arаm Sаrgsyаn
f3e0915261 Merge branch '3518-libxml2-deprecated-functions-v9_16' into 'v9_16'
[v9_16] Do not use libxml2 deprecated functions

See merge request isc-projects/bind9!6732
2022-09-06 10:31:48 +00:00
Aram Sargsyan
c1be3bda3a Add CHANGES note for [GL #3518]
(cherry picked from commit 87920661b1)
2022-09-06 09:22:42 +00:00
Aram Sargsyan
8b328f0049 Do not use libxml2 deprecated functions
The usage of xmlInitThreads() and xmlCleanupThreads() functions in
libxml2 is now marked as deprecated, and these functions will be made
private in the future.

Use xmlInitParser() and xmlCleanupParser() instead of them.

(cherry picked from commit a5d412d924)
2022-09-06 09:22:35 +00:00
Matthijs Mekking
3e041d15a1 Merge branch '3381-dnssec-policy-explicit-inline-signing-v9_16' into 'v9_16'
[v9_16] dnssec-policy now requires inline-signing

See merge request isc-projects/bind9!6730
2022-09-06 08:48:36 +00:00
Matthijs Mekking
77105a2f60 Add change and release note for #3381
Because folks want to know.

(cherry picked from commit 2b95c11905a1a5faff9efa97a4f2498aadfa467b)
2022-09-06 10:27:34 +02:00
Matthijs Mekking
bc9c65f465 Remove implicit inline-signing code
Remove the code that sets implicit inline-signing on zones using
dnssec-policy.

(cherry picked from commit a6b09c9c69186e81a9be54e8b7bb413b1ac4d650)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
145e888815 Update system tests
Update checkconf and kasp related system tests after requiring
inline-signing.

(cherry picked from commit 8fd75e8a4e1035ce0e81bf47d954a3f5b8a4d571)
2022-09-06 10:27:33 +02:00
Matthijs Mekking
30fceec069 dnssec-policy now requires inline-signing
Having implicit inline-signing set for dnssec-policy when there is no
update policy is confusing, so lets make this explicit.

(cherry picked from commit 5ca02fe6e7e591d1fb85936ea4dda720c3d741ef)
2022-09-06 09:06:17 +02:00
Ondřej Surý
bc0c7243b1 Merge branch '3485-dig-fallback-to-idna2003-v9_16' into 'v9_16'
Allow fallback to IDNA2003 processing

See merge request isc-projects/bind9!6726
2022-09-05 09:29:59 +00:00
Ondřej Surý
561ef63e14 Add CHANGES and release note for [GL #3485]
(cherry picked from commit 0fe7acb4e6)
2022-09-05 10:22:25 +02:00
Ondřej Surý
104eaf34da Enable the IDNA2003 domain names in the idna system test
Allow the IDNA2003 tests to succeed after the fallback to IDNA2003 was
implemented.

(cherry picked from commit 87de726f5c)
2022-09-05 10:22:23 +02:00
Ondřej Surý
efbdf81931 Allow fallback to IDNA2003 processing
In several cases where IDNA2008 mappings do not exist whereas IDNA2003
mappings do, dig was failing to process the suplied domain name.  Take a
backwards compatible approach, and convert the domain to IDNA2008 form,
and if that fails try the IDNA2003 conversion.

(cherry picked from commit 10923f9d87)
2022-09-05 10:21:36 +02:00
Arаm Sаrgsyаn
dca244b1c1 Merge branch '3515-mctx-attach-detach-for-isc_mempool_t-v9_16' into 'v9_16'
[v9_16] Add mctx attach/detach when creating/destroying a memory pool

See merge request isc-projects/bind9!6721
2022-09-02 11:34:45 +00:00
Aram Sargsyan
5440f79cc4 Add CHANGES note for [GL #3515]
(cherry picked from commit 362ead8d85)
2022-09-02 09:05:03 +00:00
Aram Sargsyan
32779aba8a Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.

(cherry picked from commit e97c3eea95)
2022-09-02 09:05:03 +00:00
Evan Hunt
53fa68b39c Merge branch '3511-quote-yaml-addresses-v9_16' into 'v9_16'
quote addresses in YAML output

See merge request isc-projects/bind9!6718
2022-08-31 23:48:10 +00:00
Evan Hunt
91c61b8d2f CHANGES for [GL #3511] 2022-08-31 16:19:39 -07:00
Evan Hunt
28640e37d8 quote addresses in YAML output
YAML strings should be quoted if they contain colon characters.
Since IPv6 addresses do, we now quote the query_address and
response_address strings in all YAML output.

(cherry picked from commit 66eaf6bb73)
2022-08-31 16:18:57 -07:00
Evan Hunt
b6d12e3181 Merge branch '3501-dnstap-response-v9_16' into 'v9_16'
dnstap query_message field was erroneously set with responses

See merge request isc-projects/bind9!6716
2022-08-31 23:15:57 +00:00
Evan Hunt
5efac2b4d2 CHANGES for [GL #3501] 2022-08-31 15:50:30 -07:00
Evan Hunt
e1fa6cbab8 dnstap query_message field was erroneously set with responses
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
2022-08-31 15:49:25 -07:00