8284 Commits

Author SHA1 Message Date
Ondřej Surý
075c7f7562 Implement proper reference counting for dns_keyfileio_t
Instead of relying on hash table search when using the keys, implement a
proper reference counting in dns_keyfileio_t objects, and attach/detach
the objects to the zone.

(cherry picked from commit 79115a0c3b)
2022-12-09 15:20:11 +01:00
Ondřej Surý
98fca774b6 Release unused key file IO lock objects
Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
lock objects were never freed and they were kept until the server
shutdown.  Adjust the returned value by -1 to accomodate the fact that
the atomic_fetch_*() functions return the value before the operation and
not current value after the operation.

(cherry picked from commit fb1acd6736)
2022-12-08 10:32:59 +01:00
Mark Andrews
ea03c3d25c Remove different zero TTL handling for rdataset iterator
Zero TTL handling does not need to be different for 'rdatasetiter_first'
and 'rdatasetiter_next' and it interacts badly with 'bind_rdatadataset'
which makes different determinations.

(cherry picked from commit 1a39328feb)
2022-12-08 11:20:35 +11:00
Mark Andrews
a3bc62e4cd Add dns_db_allrdatasets options
'DNS_DB_STALEOK' returns stale rdatasets as well as current rdatasets.

'DNS_DB_EXPIREDOK' returns expired rdatasets as well as current
rdatasets. This option is currently only set when DNS_DB_STALEOK is
also set.

(cherry picked from commit 85048ddeee)
2022-12-08 11:20:35 +11:00
Mark Andrews
4f3327cd41 Extend dns_db_allrdatasets to control interation results
Add an options parameter to control what rdatasets are returned when
iteratating over the node.  Specific modes will be added later.

(cherry picked from commit 7695c36a5d)
2022-12-08 11:20:35 +11:00
Mark Andrews
8b6a30f59d Properly select active rdatasets when iterating across node
Active rdatasets where not being properly selected in rdatasetiter_first
and rdatasetiter_next.

(cherry picked from commit 3bdab2d111)
2022-12-08 10:47:23 +11:00
Mark Andrews
a85260fc19 Revert "Fix rndc dumpdb -expired for stuck cache contents"
This reverts commit f8d866c6ef.

(cherry picked from commit 90249e4aa5)
2022-12-08 10:46:18 +11:00
Mark Andrews
f9845df6d6 Add missing DbC magic checks
Checking for value != NULL is not sufficient to detect use after
free errors.

(cherry picked from commit b1086a5561)
2022-12-07 09:47:39 +11:00
Mark Andrews
dd73306509 Call dns_db_updatenotify_unregister earlier
dns_db_updatenotify_unregister needed to be called earlier to ensure
that listener->onupdate_arg always points to a valid object.  The
existing lazy cleanup in rbtdb_free did not ensure that.

(cherry picked from commit 35839e91d8)
2022-12-07 09:47:37 +11:00
Mark Andrews
ffeda92cd8 Suppress duplicate dns_db_updatenotify_register registrations
Duplicate dns_db_updatenotify_register registrations need to be
suppressed to ensure that dns_db_updatenotify_unregister is successful.

(cherry picked from commit f13e71e551)
2022-12-07 09:46:50 +11:00
Ondřej Surý
bf093e814c Don't log "final reference detached" on INFO level
The "final reference detached" message was meant to be DEBUG(1), but was
instead kept at INFO level.  Move it to the DEBUG(1) logging level, so
it's not printed under normal operations.

(cherry picked from commit 1816244725)
2022-11-30 11:51:29 +01:00
Michal Nowak
771fed4a14 Update sources to Clang 15 formatting 2022-11-29 10:30:34 +01:00
Michal Nowak
69f00278c3 Remove unused variable reported by Clang 15
resolver.c:4776:15: error: variable 'count' set but not used [-Werror,-Wunused-but-set-variable]
            unsigned int count = 0;
                         ^
2022-11-28 14:35:03 +01:00
Mark Andrews
3952f01cad Select the appropriate namespace when using a dual stack server
When using dual-stack-servers the covering namespace to check whether
answers are in scope or not should be fctx->domain.  To do this we need
to be able to distingish forwarding due to forwarders clauses and
dual-stack-servers.  A new flag FCTX_ADDRINFO_DUALSTACK has been added
to signal this.

(cherry picked from commit dfbffd77f9)
2022-11-17 13:07:58 +11:00
Mark Andrews
10083c2019 Have dns_zt_apply lock the zone table
There were a number of places where the zone table should have been
locked, but wasn't, when dns_zt_apply was called.

Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
all calls to using it.  Removed locks in callers.

(cherry picked from commit f053d5b414)
2022-11-11 16:13:55 +00:00
Ondřej Surý
a6e3fc20d0 Don't use dns_zone_attach() in zone_refreshkeys()
The zone_refreshkeys() could run before the zone_shutdown(), but after
the last .erefs has been "detached" causing assertion failure when doing
dns_zone_attach().  Remove the use of .erefs (dns_zone_attach/detach)
and replace it with using the .irefs and additional checks whether the
zone is exiting in the callbacks.

(cherry picked from commit 80e66fbd2d)
2022-11-03 15:35:58 +01:00
Matthijs Mekking
949768b252 Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.

(cherry picked from commit 332b98ae49)
2022-11-03 14:44:35 +01:00
Aram Sargsyan
78e04d8d0c Don't trust a placeholder KEYDATA record
When named starts it creates an empty KEYDATA record in the managed-keys
zone as a placeholder, then schedules a key refresh. If key refresh
fails for some reason (e.g. connectivity problems), named will load the
placeholder key into secroots as a trusted key during the next startup,
which will break the chain of trust, and named will never recover from
that state until managed-keys.bind and managed-keys.bind.jnl files are
manually deleted before (re)starting named again.

Before calling load_secroots(), check that we are not dealing with a
placeholder.

(cherry picked from commit 354ae2d7e3)
2022-11-01 10:55:38 +00:00
Evan Hunt
8010389902 Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()
Because dns_resolver_createfetch() locks the view, it was necessary
to unlock the zone in zone_refreshkeys() before calling it in order
to maintain the lock order, and relock afterward. this permitted a race
with dns_zone_synckeyzone().

This commit moves the call to dns_resolver_createfetch() into a separate
function which is called asynchronously after the zone has been
unlocked.

The keyfetch object now attaches to the zone to ensure that
it won't be shut down before the asynchronous call completes.

This necessitated refactoring dns_zone_detach() so it always runs
unlocked. For managed zones it schedules zone_shutdown() to
run asynchronously; for unmanaged zones there is no task.
2022-11-01 01:46:17 -07:00
Aram Sargsyan
648e71b086 Match prefetch eligibility behavior with ARM
ARM states that the "eligibility" TTL is the smallest original TTL
value that is accepted for a record to be eligible for prefetching,
but the code, which implements the condition doesn't behave in that
manner for the edge case when the TTL is equal to the configured
eligibility value.

Fix the code to check that the TTL is greater than, or equal to the
configured eligibility value, instead of just greater than it.

(cherry picked from commit 863f51466e)
2022-10-21 10:30:28 +00:00
Aram Sargsyan
c3660564ce Call dns_adb_endudpfetch() on error path, if required
For UDP queries, after calling dns_adb_beginudpfetch() in fctx_query(),
make sure that dns_adb_endudpfetch() is also called on error path, in
order to adjust the quota back.

(cherry picked from commit 5da79e2be0)
2022-10-21 08:46:43 +00:00
Matthijs Mekking
cbdf23e5ec Change log level when doing rekey
This log happens when BIND checks the parental-agents if the DS has
been published. But if you don't have parental-agents set up, the list
of keys to check will be empty and the result will be ISC_R_NOTFOUND.
This is not an error, so change the log level to debug in this case.

(cherry picked from commit a1d57fc8cb)
2022-10-18 16:31:01 +02:00
Mark Andrews
e396d5d72d Add support for 'dohpath' to SVCB (and HTTPS)
dohpath is specfied in draft-ietf-add-svcb-dns and has a value
of 7.  It must be a relative path (start with a /), be encoded
as UTF8 and contain the variable dns ({?dns}).

(cherry picked from commit 6d561d3886)
2022-10-04 15:33:49 +11:00
Mark Andrews
c6abcefee1 Check if RSASHA1 is supported by the OS
(cherry picked from commit 1690cb7bb4)
2022-10-03 13:28:25 +02:00
Mark Andrews
12f902796d Check BN_dup results in rsa_check
(cherry picked from commit a47235f4f5)
2022-09-28 10:06:39 +10:00
Mark Andrews
2c8e38f359 Free 'n' on error path in rsa_check
(cherry picked from commit 483c5a1978)
2022-09-28 10:06:39 +10:00
Mark Andrews
03c5db001e Check that 'e' and 'n' are allocated in opensslrsa_fromdns
(cherry picked from commit db70c30213)
2022-09-28 10:06:39 +10:00
Mark Andrews
0b0718fba3 Check that 'e' and 'n' are non-NULL in opensslrsa_todns
(cherry picked from commit 5603cd69d1)
2022-09-28 09:56:03 +10:00
Mark Andrews
6f1e04409a Free 'rsa' if 'e' is NULL in opensslrsa_verify2
(cherry picked from commit a2b51ca6ac)
2022-09-28 09:53:27 +10:00
Mark Andrews
9524c493c9 Check that primary key names have not changed
When looking for changes in a catalog zone member zone we need to
also check if the TSIG key name associated with a primary server
has be added, removed or changed.

(cherry picked from commit 9172bd9b5a)
2022-09-27 22:20:41 +10:00
Mark Andrews
2905d70ad1 Stop passing mctx to dns_rdata_tostruct as it is unnecessary for SIG
dns_rdata_tostruct doesn't need a mctx passed to it for SIG (the signer
is already expanded at this point). About the only time when mctx is
needed is when the structure is to be used after the rdata has been
destroyed.

(cherry picked from commit d6ad56bd9e)
2022-09-26 12:45:21 +02:00
Petr Špaček
3e77d6bf87 Fix memory leak in dns_message_checksig() - SIG(0) sigs
Impact should be visible only in tests or tools because named never
uses view == NULL, which is a necessary condition to trigger this leak.

(cherry picked from commit 69256b3553)
2022-09-26 12:45:17 +02:00
Mark Andrews
1af23378eb Free ctx on invalid siglen
(cherry picked from commit 6ddb480a84)
2022-09-08 12:16:36 +02:00
Mark Andrews
5b2282afff Free eckey on siglen mismatch 2022-09-08 12:12:36 +02:00
Michał Kępień
bf2ea6d852 Bound the amount of work performed for delegations
Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered.  Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.

The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.

(cherry picked from commit 3a44097fd6)
2022-09-08 11:11:30 +02:00
Aram Sargsyan
3ad0f165ab Fix RRL responses-per-second bypass using wildcard names
It is possible to bypass Response Rate Limiting (RRL)
`responses-per-second` limitation using specially crafted wildcard
names, because the current implementation, when encountering a found
DNS name generated from a wildcard record, just strips the leftmost
label of the name before making a key for the bucket.

While that technique helps with limiting random requests like
<random>.example.com (because all those requests will be accounted
as belonging to a bucket constructed from "example.com" name), it does
not help with random names like subdomain.<random>.example.com.

The best solution would have been to strip not just the leftmost
label, but as many labels as necessary until reaching the suffix part
of the wildcard record from which the found name is generated, however,
we do not have that information readily available in the context of RRL
processing code.

Fix the issue by interpreting all valid wildcard domain names as
the zone's origin name concatenated to the "*" name, so they all will
be put into the same bucket.

(cherry picked from commit baa9698c9d)
2022-09-08 09:41:15 +02:00
Evan Hunt
e1fa6cbab8 dnstap query_message field was erroneously set with responses
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
2022-08-31 15:49:25 -07:00
Matthijs Mekking
58d01b821a nsec3.c: Add a missing dns_db_detachnode() call
There is one case in 'dns_nsec3_activex()' where it returns but forgets
to detach the db node. Add the missing 'dns_db_detachnode()' call.

This case only triggers if 'sig-signing-type' (privatetype) is set to 0
(which by default is not), or if the function is called with 'complete'
is set to 'true' (which at this moment do not exist).

(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb)
2022-08-23 12:05:38 +02:00
Aram Sargsyan
eb72c81e6a Fix tkey.c:buildquery() function's error handling
Add the missing cleanup code.

(cherry picked from commit 4237ab9550eeaea7121e3e3392fd14c26b5150f0)
2022-08-17 08:46:31 +00:00
Evan Hunt
5aa4adc8e5 Lock the address entry bucket when dumping ADB namehook
When dumping an ADB address entry associated with a name,
the name bucket lock was held, but the entry bucket lock was
not; this could cause data races when other threads were updating
address entry info. (These races are probably not operationally
harmful, but they triggered TSAN error reports.)

(cherry picked from commit f841f545b7)
2022-08-12 17:17:43 -07:00
Aram Sargsyan
c0db0d7a8e Improve fetch limit logging
When initially hitting the `fetches-per-zone` value, a log message
is being generated for the event of dropping the first fetch, then
any further log events occur only when another fetch is being dropped
and 60 seconds have been passed since the last logged message.

That logic isn't ideal because when the counter of the outstanding
fetches reaches zero, the structure holding the counters' values will
get deleted, and the information about the dropped fetches accumulated
during the last minute will not be logged.

Improve the fcount_logspill() function to makie sure that the final
values are getting logged before the counter object gets destroyed.

(cherry picked from commit 039871ceb7)
2022-08-01 14:01:26 +00:00
Matthijs Mekking
f8ad7501dc Fix rndc dumpdb -expired for stuck cache contents
The command 'rndc dumpdb -expired' will include expired RRsets in the
output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means
that if there is a cache cleaning problem and contents are not cleaned
up, the rndc command has little diagnostic value. Fix this by including
all RRsets in the dumpdb output if the '-expired' flag is set.

(cherry picked from commit 930ba2c914)
2022-07-26 10:02:15 +02:00
Mark Andrews
a1452c32ab Check that we can verify a signature at initialisation time
Fedora 33 doesn't support RSASHA1 in future mode.  There is no easy
check for this other than by attempting to perform a verification
using known good signatures.  We don't attempt to sign with RSASHA1
as that would not work in FIPS mode.  RSASHA1 is verify only.

The test vectors were generated using OpenSSL 3.0 and
util/gen-rsa-sha-vectors.c.  Rerunning will generate a new set of
test vectors as the private key is not preserved.

e.g.
	cc util/gen-rsa-sha-vectors.c -I /opt/local/include \
		-L /opt/local/lib -lcrypto

(cherry picked from commit cd3f00874f)
2022-07-25 11:37:49 -04:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Mark Andrews
f2855facbe disassociate rdatasets when cleaning up
free_namelist could be passed names with associated rdatasets
when handling errors.  These need to be disassociated before
calling dns_message_puttemprdataset.

(cherry picked from commit 745d5edc3a)
2022-07-14 10:21:47 +10:00
Michał Kępień
6505056267 Fix fetch context use-after-free bugs
fctx_decreference() may call fctx_destroy(), which in turn may free the
fetch context by calling isc_mem_putanddetach().  This means that
whenever fctx_decreference() is called, the fetch context pointer should
be assumed to point to garbage after that call.  Meanwhile, the
following pattern is used in several places in lib/dns/resolver.c:

    LOCK(&res->buckets[fctx->bucketnum].lock);
    bucket_empty = fctx_decreference(fctx);
    UNLOCK(&res->buckets[fctx->bucketnum].lock);

Given that 'fctx' may be freed by the fctx_decreference() call, there is
no guarantee that the value of fctx->bucketnum will be the same before
and after the fctx_decreference() call.  This can cause all kinds of
locking issues as LOCK() calls no longer match up with their UNLOCK()
counterparts.

Fix by always using a helper variable to hold the bucket number when the
pattern above is used.

Note that fctx_try() still uses 'fctx' after calling fctx_decreference()
(it calls fctx_done()).  This is safe to do because the reference count
for 'fctx' is increased a few lines earlier and it also cannot be zero
right before that increase happens, so the fctx_decreference() call in
that particular location never invokes fctx_destroy().  Nevertheless,
use a helper variable for that call site as well, to retain consistency
and to prevent copy-pasted code from causing similar problems in the
future.
2022-07-08 11:26:34 +02:00
Mark Andrews
d10e20da0d Tighten $GENERATE directive parsing
The original sscanf processing allowed for a number of syntax errors
to be accepted.  This included missing the closing brace in
${modifiers}

Look for both comma and right brace as intermediate seperators as
well as consuming the final right brace in the sscanf processing
for ${modifiers}.  Check when we got right brace to determine if
the sscanf consumed more input than expected and if so behave as
if it had stopped at the first right brace.

(cherry picked from commit 7be64c0e94)
2022-07-06 11:26:24 +10:00
Mark Andrews
16ac79a8f7 Check for overflow in $GENERATE computations
$GENERATE uses 'int' for its computations and some constructions
can overflow values that can be represented by an 'int' resulting
in undefined behaviour.  Detect these conditions and return a
range error.

(cherry picked from commit 5327b9708f)
2022-07-06 11:26:24 +10:00
Aram Sargsyan
61d77affdd Remove resolver.c:maybe_destroy()
After refactoring of `validated()`, the `maybe_destroy()` function is
no longer expected to actually destroy the fetch context when it is
being called, so effectively it only ensures that the validators are
canceled when the context has no more queries and pending events, but
that is redundant, because `maybe_destroy()` `REQUIRE`s that the context
should be in the shutting down state, and the function which sets that
state is already canceling the validators in its own turn.

As a failsafe, to make sure that no validators will be created after
`fctx_doshutdown()` is called, add an early return from `valcreate()` if
the context is in the shutting down state.
2022-06-30 19:12:17 +00:00
Aram Sargsyan
058a2e7d44 Fix a race between resolver query timeout and validation
The `resolver.c:validated()` function unlinks the current validator from
the fetch's validators list, which can leave it empty, then unlocks
the bucket lock. If, by a chance, the fetch was timed out just before
the `validated()` call, the final timeout callback running in parallel
with `validated()` can find the fetch context with no active fetches
and with an empty validators list and destroy it, which is unexpected
for the `validated()` function and can lead to a crash.

Increase the fetch context's reference count in the beginning of
`validated()` and decrease it when it finishes its work to avoid the
unexpected destruction of the fetch context.
2022-06-30 18:58:58 +00:00