828 Commits

Author SHA1 Message Date
Evan Hunt
7fe2204a2e add a configuration option for the update quota
add an "update-quota" option to configure the update quota.

(cherry picked from commit f57758a730)
2023-01-12 12:21:36 +01:00
Evan Hunt
0b40df8f8a deprecate dscp configuration
This commit deprecates the "dscp" configuration option and "dscp"
parameters to source-address configuration options (query-source,
transfer-source, etc.

(Note that the DSCP feature has not been fully operational since
the network manager was introduced in 9.16.0; outgoing DSCP values
can be configured, but incoming DSCP values are not detected.)
2023-01-10 11:16:18 -08:00
Michal Nowak
771fed4a14 Update sources to Clang 15 formatting 2022-11-29 10:30:34 +01:00
Matthijs Mekking
ed8eba9180 Deprecate auto-dnssec
Deprecate auto-dnssec, add specific log warning to migrate to
dnssec-policy.

Cherry-picking triggered a lot of conflicts, so the changes
were manually picked.

(manually picked from commit f9845dd1)
2022-11-23 13:32:52 +01:00
Mark Andrews
bf3a8c7de9 Add missing closing ')' to update-policy documentation
The opening '(' before local was not being matched by a closing
')' after the closing '};'.

(cherry picked from commit 044c3b2bb8)
2022-11-07 13:08:20 +01:00
Aram Sargsyan
790db0a344 Handle large numbers when parsing/printing a duration
The duration_fromtext() function is truncating large numbers
to 32 bits instead of capping or rejecting them, i.e. 64424509445,
which is 0xf00000005, gets parsed as 32-bit value 5 (0x00000005).

Fail parsing a duration if any of its components is bigger than
32 bits. Using those kind of big numbers has no practical use case
for a duration.

The cfg_obj_asduration() function can overflow the 32 bit
seconds variable when calculating the duration from its component
parts.

To avoid that, use 64-bit calculation and return UINT32_MAX if the
calculated value is bigger than UINT32_MAX. Again, a number this big
has no practical use case anyway.

The buffer for the generated duration string is limited to 64 bytes,
which, in theory, is smaller than the longest possible generated
duration string.

Use 80 bytes instead, calculated by the '7 x (10 + 1) + 3' formula,
where '7' is the count of the duration's parts (year, month, etc.), '10'
is their maximum length when printed as a decimal number, '1' is their
indicator character (Y, M, etc.), and 3 is two more indicators (P and T)
and the terminating NUL character.

(cherry picked from commit fddaebb285)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
d9a8c43107 Fix an off-by-one error in cfg_print_duration()
The cfg_print_duration() checks added previously in the 'duration_test'
unit test uncovered a bug in cfg_print_duration().

When calculating the current 'str' pointer of the generated text in the
buffer 'buf', it erroneously adds 1 byte to compensate for that part's
indicator character. For example, to add 12 minutes, it needs to add
2 + 1 = 3 characters, where 2 is the length of "12", and 1 is the length
of "M" (for minute). The mistake was that the length of the indicator
is already included in 'durationlen[i]', so there is no need to
calculate it again.

In the result of this mistake the current pointer can advance further
than needed and end up after the zero-byte instead of right on it, which
essentially cuts off any further generated text. For example, for a
5 minutes and 30 seconds duration, instead of having this:

    'P', 'T', '5', 'M', '3', '0', 'S', '\0'

The function generates this:

    'P', 'T', '5', 'M', '\0', '3', '0', 'S', '\0'

Fix the bug by adding to 'str' just 'durationlen[i]' instead of
'durationlen[i] + 1'.

(cherry picked from commit dc55f1ebb9)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
b7c5e95d6d Test cfg_print_duration() in duration_test.c
Currently the 'duration_test' unit test checks only the
cfg_obj_asduration() function.

Extend the test so it checks also the reverse operation using the
cfg_print_duration() function, which is used in named-checkconf.

(cherry picked from commit 39290bb7cd)
2022-10-17 11:09:06 +00:00
Aram Sargsyan
f458f6496d Fix a logical bug in cfg_print_duration()
The cfg_print_duration() function prints a ISO 8601 duration value
converted from an array of integers, where the parts of the date and
time are stored.

durationlen[6], which holds the "seconds" part of the duration, has
a special case in cfg_print_duration() to ensure that when there are
no values in the duration, the result still can be printed as "PT0S",
instead of just "P", so it can be a valid ISO 8601 duration value.

There is a logical error in one of the two special case code paths,
when it checks that no value from the "date" part is defined, and no
"hour" or "minute" from the "time" part are defined.

Because of the error, durationlen[6] can be used uninitialized, in
which case the second parameter passed to snprintf() (which is the
maximum allowed length) can contain a garbage value.

This can not be exploited because the buffer is still big enough to
hold the maximum possible amount of characters generated by the "%u%c"
format string.

Fix the logical bug, and initialize the 'durationlen' array to zeros
to be a little safer from other similar errors.

(cherry picked from commit 9440910187)
2022-10-17 09:17:56 +00:00
Michal Nowak
a584a8f88f Update clang to version 14
(cherry picked from commit 1c45a9885a)
2022-06-16 18:11:03 +02:00
Ondřej Surý
a7f893e836 Rename the configuration option to load balance sockets to reuseport
After some back and forth, it was decidede to match the configuration
option with unbound ("so-reuseport"), PowerDNS ("reuseport") and/or
nginx ("reuseport").

(cherry picked from commit 7e71c4d0cc)
2022-04-06 17:51:12 +02:00
Ondřej Surý
8993ebc01a Add option to configure load balance sockets
Previously, the option to enable kernel load balancing of the sockets
was always enabled when supported by the operating system (SO_REUSEPORT
on Linux and SO_REUSEPORT_LB on FreeBSD).

It was reported that in scenarios where the networking threads are also
responsible for processing long-running tasks (like RPZ processing, CATZ
processing or large zone transfers), this could lead to intermitten
brownouts for some clients, because the thread assigned by the operating
system might be busy.  In such scenarious, the overall performance would
be better served by threads competing over the sockets because the idle
threads can pick up the incoming traffic.

Add new configuration option (`load-balance-sockets`) to allow enabling
or disabling the load balancing of the sockets.

(cherry picked from commit 85c6e797aa)
2022-04-05 01:21:50 +02:00
Ondřej Surý
75f9dd8e82 Simplify way we tag unreachable code with only ISC_UNREACHABLE()
Previously, the unreachable code paths would have to be tagged with:

    INSIST(0);
    ISC_UNREACHABLE();

There was also older parts of the code that used comment annotation:

    /* NOTREACHED */

Unify the handling of unreachable code paths to just use:

    UNREACHABLE();

The UNREACHABLE() macro now asserts when reached and also uses
__builtin_unreachable(); when such builtin is available in the compiler.

(cherry picked from commit 584f0d7a7e)
2022-03-25 09:33:51 +01:00
Ondřej Surý
673e53f81d Add FALLTHROUGH macro for __attribute__((fallthrough))
Gcc 7+ and Clang 10+ have implemented __attribute__((fallthrough)) which
is explicit version of the /* FALLTHROUGH */ comment we are currently
using.

Add and apply FALLTHROUGH macro that uses the attribute if available,
but does nothing on older compilers.

In one case (lib/dns/zone.c), using the macro revealed that we were
using the /* FALLTHROUGH */ comment in wrong place, remove that comment.

(cherry picked from commit fe7ce629f4)
2022-03-25 09:30:16 +01:00
Mark Andrews
2c7f02ca45 Check dnssec-policy key roles for validity
For each algorithm there must be a key performing the KSK and
ZSK rolls.  After reading the keys from named.conf check that
each algorithm present has both rolls.  CSK implicitly has both
rolls.

(cherry picked from commit 9bcf45f4ce)
2022-03-08 21:56:39 +11:00
Ondřej Surý
2bf7921c7e Update the copyright information in all files in the repository
This commit converts the license handling to adhere to the REUSE
specification.  It specifically:

1. Adds used licnses to LICENSES/ directory

2. Add "isc" template for adding the copyright boilerplate

3. Changes all source files to include copyright and SPDX license
   header, this includes all the C sources, documentation, zone files,
   configuration files.  There are notes in the doc/dev/copyrights file
   on how to add correct headers to the new files.

4. Handle the rest that can't be modified via .reuse/dep5 file.  The
   binary (or otherwise unmodifiable) files could have license places
   next to them in <foo>.license file, but this would lead to cluttered
   repository and most of the files handled in the .reuse/dep5 file are
   system test files.

(cherry picked from commit 58bd26b6cf)
2022-01-11 12:22:09 +01:00
Mark Andrews
0e0cd6bf17 Report duplicate dnssec-policy names
Duplicate dnssec-policy names were detected as an error condition
but were not logged.

(cherry picked from commit b8845454c8)
2022-01-04 09:04:07 +11:00
Mark Andrews
8dd1288dca Address memory leak when processing dnssec-policy clauses
A kasp structure was not detached when looking to see if there
was an existing kasp structure with the same name, causing memory
to be leaked.  Fixed by calling dns_kasp_detach() to release the
reference.

(cherry picked from commit 694440e614)
2022-01-04 09:04:07 +11:00
Ondřej Surý
093cd31ae2 Update the source code formatting using clang-format-13
clang-format-13 fixed some of the formatting that clang-format-12 got
wrong.  Update the formatting.

(cherry picked from commit ed95f9fba3)
2021-10-12 11:31:55 +02:00
Mark Andrews
74353330cd Address use before NULL check warning of obj
move deference of obj to after NULL check

(cherry picked from commit 06a69e03ac)
2021-09-29 11:43:14 +10:00
Evan Hunt
863dfed0b5 deprecate "cache-file"
this commit marks the "cache-file" option as deprecated.

(cherry picked from commit a67d008ba5)
2021-09-16 00:57:58 -07:00
Evan Hunt
255d092c40 change CFG_ZONE_MASTER and CFG_ZONE_SLAVE
these values have been renamed as CFG_ZONE_PRIMARY and
CFG_ZONE_SECONDARY.

(cherry picked from commit 679f1c0dad)
2021-08-30 12:00:39 -07:00
Matthijs Mekking
9c0e252e2b Add "parental-source[-v6]" config option
Similar to "notify-source" and "transfer-source", add options to
set the source address when querying parental agents for DS records.

(manually picked from commit 2872d6a12e)
2021-07-01 14:48:23 +02:00
Matthijs Mekking
90ef2b9c81 Add parental-agents configuration
Introduce a way to configure parental agents that can be used to
query DS records to be used in automatic key rollovers.

(manually picked from commit 0311705d4b)
2021-07-01 14:48:23 +02:00
Matthijs Mekking
42da0e7790 Change primaries objects to remote-servers
Change the primaries configuration objects to the more generic
remote-servers, that we can reuse for other purposes (such as
parental-agents).

(manually picked from commit 39a961112f)
2021-07-01 14:48:21 +02:00
Mark Andrews
0b8cd8f19d inline-signing should have been in zone_only_clauses
(cherry picked from commit b3301da262)
2021-05-27 15:27:03 +02:00
Matthijs Mekking
375112a623 Add built-in dnssec-policy "insecure"
Add a new built-in policy "insecure", to be used to gracefully unsign
a zone. Previously you could just remove the 'dnssec-policy'
configuration from your zone statement, or remove it.

The built-in policy "none" (or not configured) now actually means
no DNSSEC maintenance for the corresponding zone. So if you
immediately reconfigure your zone from whatever policy to "none",
your zone will temporarily be seen as bogus by validating resolvers.

This means we can remove the functions 'dns_zone_use_kasp()' and
'dns_zone_secure_to_insecure()' again. We also no longer have to
check for the existence of key state files to figure out if a zone
is transitioning to insecure.

(cherry picked from commit 2710d9a11d)
2021-04-30 13:58:22 +02:00
Matthijs Mekking
c2225cde3e dnssec-policy: reduce NSEC3 iterations to 150
When reducing the number of NSEC3 iterations to 150, commit
aa26cde2ae added tests for dnssec-policy
to check that a too high iteration count is a configuration failure.

The test is not sufficient because 151 was always too high for
ECDSAP256SHA256. The test should check for a different algorithm.

There was an existing test case that checks for NSEC3 iterations.
Update the test with the new maximum values.

Update the code in 'kaspconf.c' to allow at most 150 iterations.

(cherry picked from commit efa5d84dcf)
2021-04-29 14:31:16 +02:00
Matthijs Mekking
45dcabf411 Add purge-keys config option
Add a new option 'purge-keys' to 'dnssec-policy' that will purge key
files for deleted keys. The option determines how long key files
should be retained prior to removing the corresponding files from
disk.

If set to 0, the option is disabled and 'named' will not remove key
files from disk.

(cherry picked from commit 313de3a7e2)
2021-02-23 09:18:55 +01:00
Michal Nowak
04aff208fb Use BIND 9.17 preprocessor macro to skip unit test
BIND 9.17 changed exit code of skipped test to meet Automake
expectations in fa505bfb0e. BIND 9.16 was
not rewritten to Automake, but for consistency reasons, the same
SKIPPED_TEST_EXIT_CODE preprocessor macro is used (though the actual
exit code differs from the one in BIND 9.17).

(cherry picked from commit fa505bfb0e)
2021-02-17 12:09:25 +01:00
Diego Fronza
0aebad96b5 Added option for disabling stale-answer-client-timeout
This commit allows to specify "disabled" or "off" in
stale-answer-client-timeout statement. The logic to support this
behavior will be added in the subsequent commits.

This commit also ensures an upper bound to stale-answer-client-timeout
which equals to one second less than 'resolver-query-timeout'.

(cherry picked from commit 0ad6f594f6)
2021-01-29 10:38:58 +01:00
Diego Fronza
3478794a5d Add stale-answer-client-timeout option
The general logic behind the addition of this new feature works as
folows:

When a client query arrives, the basic path (query.c / ns_query_recurse)
was to create a fetch, waiting for completion in fetch_callback.

With the introduction of stale-answer-client-timeout, a new event of
type DNS_EVENT_TRYSTALE may invoke fetch_callback, whenever stale
answers are enabled and the fetch took longer than
stale-answer-client-timeout to complete.

When an event of type DNS_EVENT_TRYSTALE triggers fetch_callback, we
must ensure that the folowing happens:

1. Setup a new query context with the sole purpose of looking up for
   stale RRset only data, for that matters a new flag was added
   'DNS_DBFIND_STALEONLY' used in database lookups.

    . If a stale RRset is found, mark the original client query as
      answered (with a new query attribute named NS_QUERYATTR_ANSWERED),
      so when the fetch completion event is received later, we avoid
      answering the client twice.

    . If a stale RRset is not found, cleanup and wait for the normal
      fetch completion event.

2. In ns_query_done, we must change this part:
	/*
	 * If we're recursing then just return; the query will
	 * resume when recursion ends.
	 */
	if (RECURSING(qctx->client)) {
		return (qctx->result);
	}

   To this:

	if (RECURSING(qctx->client) && !QUERY_STALEONLY(qctx->client)) {
		return (qctx->result);
	}

   Otherwise we would not proceed to answer the client if it happened
   that a stale answer was found when looking up for stale only data.

When an event of type DNS_EVENT_FETCHDONE triggers fetch_callback, we
proceed as before, resuming query, updating stats, etc, but a few
exceptions had to be added, most important of which are two:

1. Before answering the client (ns_client_send), check if the query
   wasn't already answered before.

2. Before detaching a client, e.g.
   isc_nmhandle_detach(&client->reqhandle), ensure that this is the
   fetch completion event, and not the one triggered due to
   stale-answer-client-timeout, so a correct call would be:
   if (!QUERY_STALEONLY(client)) {
        isc_nmhandle_detach(&client->reqhandle);
   }

Other than these notes, comments were added in code in attempt to make
these updates easier to follow.

(cherry picked from commit 171a5b7542)
2021-01-29 10:38:32 +01:00
Mark Andrews
6a0b751555 Require 'ctx' to be non-NULL in cfg_acl_fromconfig{,2}
(cherry picked from commit a8b55992a8)
2021-01-28 13:43:47 +11:00
Evan Hunt
57aadd6cea add syntax and setter/getter functions to configure max-ixfr-ratio 2021-01-26 12:38:32 +01:00
Ondřej Surý
0e25af628c Use -release instead of -version-info for internal library SONAMEs
The BIND 9 libraries are considered to be internal only and hence the
API and ABI changes a lot.  Keeping track of the API/ABI changes takes
time and it's a complicated matter as the safest way to make everything
stable would be to bump any library in the dependency chain as in theory
if libns links with libdns, and a binary links with both, and we bump
the libdns SOVERSION, but not the libns SOVERSION, the old libns might
be loaded by binary pulling old libdns together with new libdns loaded
by the binary.  The situation gets even more complicated with loading
the plugins that have been compiled with few versions old BIND 9
libraries and then dynamically loaded into the named.

We are picking the safest option possible and usable for internal
libraries - instead of using -version-info that has only a weak link to
BIND 9 version number, we are using -release libtool option that will
embed the corresponding BIND 9 version number into the library name.

That means that instead of libisc.so.1608 (as an example) the library
will now be named libisc-9.16.10.so.

(cherry picked from commit c605d75ea5)
2021-01-25 15:28:09 +01:00
Tinderbox User
536bc1163a prep 9.16.11 2021-01-21 09:11:54 +01:00
Evan Hunt
746aa2581c add "primary-only" as a synonym for "master-only"
update the "notify" option to use RFC 8499 terminology as well.

(cherry picked from commit 424a3cf3cc)
2021-01-12 15:21:14 +01:00
Evan Hunt
04b9cdb53c add "primaries" as a synonym for "masters" in named.conf
as "type primary" is preferred over "type master" now, it makes
sense to make "primaries" available as a synonym too.

added a correctness check to ensure "primaries" and "masters"
cannot both be used in the same zone.

(cherry picked from commit 16e14353b1)
2021-01-12 15:21:14 +01:00
Matthijs Mekking
cf0439cd5f Treat dnssec-policy "none" as a builtin zone
Configure "none" as a builtin policy. Change the 'cfg_kasp_fromconfig'
api so that the 'name' will determine what policy needs to be
configured.

When transitioning a zone from secure to insecure, there will be
cases when a zone with no DNSSEC policy (dnssec-policy none) should
be using KASP. When there are key state files available, this is an
indication that the zone once was DNSSEC signed but is reconfigured
to become insecure.

If we would not run the keymgr, named would abruptly remove the
DNSSEC records from the zone, making the zone bogus. Therefore,
change the code such that a zone will use kasp if there is a valid
dnssec-policy configured, or if there are state files available.

(cherry picked from commit cf420b2af0)
2020-12-23 11:56:33 +01:00
Ondřej Surý
7fc62f829d Add libssl libraries to Windows build
This commit extends the perl Configure script to also check for libssl
in addition to libcrypto and change the vcxproj source files to link
with both libcrypto and libssl.
2020-12-09 10:46:16 +01:00
Tinderbox User
7406ea925a prep 9.16.10 2020-12-09 10:46:16 +01:00
Matthijs Mekking
52d3bf5f31 Change nsec3param salt config to saltlen
Upon request from Mark, change the configuration of salt to salt
length.

Introduce a new function 'dns_zone_checknsec3aram' that can be used
upon reconfiguration to check if the existing NSEC3 parameters are
in sync with the configuration. If a salt is used that matches the
configured salt length, don't change the NSEC3 parameters.

(cherry picked from commit 6f97bb6b1f)
2020-11-26 14:15:04 +00:00
Matthijs Mekking
d35dab3db8 Add check for NSEC3 and key algorithms
NSEC3 is not backwards compatible with key algorithms that existed
before the RFC 5155 specification was published.

(cherry picked from commit 00c5dabea3)
2020-11-26 14:15:03 +00:00
Matthijs Mekking
2a1793a2be Check nsec3param configuration values
Check 'nsec3param' configuration for the number of iterations.  The
maximum number of iterations that are allowed are based on the key
size (see https://tools.ietf.org/html/rfc5155#section-10.3).

Check 'nsec3param' configuration for correct salt. If the string is
not "-" or hex-based, this is a bad salt.

(cherry picked from commit 7039c5f805)
2020-11-26 14:15:03 +00:00
Matthijs Mekking
008e84e965 Support for NSEC3 in dnssec-policy
Implement support for NSEC3 in dnssec-policy.  Store the configuration
in kasp objects. When configuring a zone, call 'dns_zone_setnsec3param'
to queue an nsec3param event. This will ensure that any previous
chains will be removed and a chain according to the dnssec-policy is
created.

Add tests for dnssec-policy zones that uses the new 'nsec3param'
option, as well as changing to new values, changing to NSEC, and
changing from NSEC.

(cherry picked from commit 114af58ee2)
2020-11-26 14:15:02 +00:00
Matthijs Mekking
5dfd3b2d7b Add kasp nsec3param configuration
Add configuration and documentation on how to enable NSEC3 when
using dnssec-policy for signing your zones.

(cherry picked from commit f7ca96c805)
2020-11-26 14:15:02 +00:00
Tinderbox User
14620951cc prep 9.16.9 2020-11-26 12:25:53 +01:00
Diego Fronza
8cc5abff23 Add stale-refresh-time option
Before this update, BIND would attempt to do a full recursive resolution
process for each query received if the requested rrset had its ttl
expired. If the resolution fails for any reason, only then BIND would
check for stale rrset in cache (if 'stale-cache-enable' and
'stale-answer-enable' is on).

The problem with this approach is that if an authoritative server is
unreachable or is failing to respond, it is very unlikely that the
problem will be fixed in the next seconds.

A better approach to improve performance in those cases, is to mark the
moment in which a resolution failed, and if new queries arrive for that
same rrset, try to respond directly from the stale cache, and do that
for a window of time configured via 'stale-refresh-time'.

Only when this interval expires we then try to do a normal refresh of
the rrset.

The logic behind this commit is as following:

- In query.c / query_gotanswer(), if the test of 'result' variable falls
  to the default case, an error is assumed to have happened, and a call
  to 'query_usestale()' is made to check if serving of stale rrset is
  enabled in configuration.

- If serving of stale answers is enabled, a flag will be turned on in
  the query context to look for stale records:
  query.c:6839
  qctx->client->query.dboptions |= DNS_DBFIND_STALEOK;

- A call to query_lookup() will be made again, inside it a call to
  'dns_db_findext()' is made, which in turn will invoke rbdb.c /
  cache_find().

- In rbtdb.c / cache_find() the important bits of this change is the
  call to 'check_stale_header()', which is a function that yields true
  if we should skip the stale entry, or false if we should consider it.

- In check_stale_header() we now check if the DNS_DBFIND_STALEOK option
  is set, if that is the case we know that this new search for stale
  records was made due to a failure in a normal resolution, so we keep
  track of the time in which the failured occured in rbtdb.c:4559:
  header->last_refresh_fail_ts = search->now;

- In check_stale_header(), if DNS_DBFIND_STALEOK is not set, then we
  know this is a normal lookup, if the record is stale and the query
  time is between last failure time + stale-refresh-time window, then
  we return false so cache_find() knows it can consider this stale
  rrset entry to return as a response.

The last additions are two new methods to the database interface:
- setservestale_refresh
- getservestale_refresh

Those were added so rbtdb can be aware of the value set in configuration
option, since in that level we have no access to the view object.
2020-11-11 15:59:56 -03:00
Tinderbox User
a4f73cfe8a prep 9.16.7 2020-09-16 22:50:38 +02:00
Evan Hunt
df698d73f4 update all copyright headers to eliminate the typo 2020-09-14 16:50:58 -07:00