Compare commits

..

3 Commits

Author SHA1 Message Date
Michał Kępień
c4389e1685 Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module.  The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
2025-03-24 06:16:19 +01:00
Michał Kępień
8c957388bf Add a response handler for ignoring all queries
Dropping all incoming queries is a typical use case for a custom server
used in BIND 9 system tests.  Add a response handler implementing that
behavior so that it can be reused.
2025-03-24 06:16:19 +01:00
Michał Kępień
220fa70dea Make response handlers global by default
Instead of requiring each class inheriting from ResponseHandler to
define the match() method, make the latter non-abstract and default to
returning True for all queries.  This reduces the amount of boilerplate
code in custom servers.
2025-03-24 06:16:19 +01:00
20 changed files with 46 additions and 1204 deletions

View File

@@ -131,13 +131,11 @@ status=$((status + ret))
echo_i "checking that log-report-channel zones fail if '*._er/TXT' is missing ($n)"
ret=0
$CHECKZONE -R fail example zones/er.db >test.out2.$n 2>&1 || ret=1
grep -F "no '*._er/TXT' wildcard found" test.out2.$n >/dev/null && ret=1
grep -F "no '*._er/TXT' wildcard found" test.out4.$n >/dev/null && ret=1
$CHECKZONE example zones/er-missing.db >test.out3.$n 2>&1 || ret=1
grep -F "no '*._er/TXT' wildcard found" test.out3.$n >/dev/null && ret=1
grep -F "no '*._er/TXT' wildcard found" test.out4.$n >/dev/null && ret=1
$CHECKZONE -R fail example zones/er-missing.db >test.out4.$n 2>&1 && ret=1
grep -F "no '*._er/TXT' wildcard found" test.out4.$n >/dev/null || ret=1
n=$((n + 1))
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "checking that raw zone with bad class is handled ($n)"

View File

@@ -30,6 +30,3 @@ ns8 is a caching-only server, configured with unsupported and disabled
algorithms. It is used for testing failure cases.
ns9 is a forwarding-only server.
ans11 is a mocked authoritative server. Used to simulate broken authoritative
server supporting DNSSEC.

View File

@@ -1,54 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from isctest.asyncserver import (
AsyncDnsServer,
DomainHandler,
QueryContext,
ResponseAction,
DnsResponseSend,
)
from typing import AsyncGenerator
import dns
class DnssecManglerHandler(DomainHandler):
domains = ["missingdnskey.example."]
def hide_dnskey(self, qctx: QueryContext) -> None:
qctx.response.answer = []
def add_rrsig(self, qctx: QueryContext) -> None:
rrsig = None
if qctx.qname == qctx.zone.origin:
rrsig = qctx.zone.find_rdataset(
qctx.zone.origin, dns.rdatatype.RRSIG, qctx.qtype, True
)
else:
rrsig = qctx.node.get_rdataset(qctx.qclass, dns.rdatatype.RRSIG, True)
if rrsig:
rrsig_rrset = dns.rrset.RRset(qctx.qname, qctx.qclass, dns.rdatatype.RRSIG)
rrsig_rrset.update(rrsig)
qctx.response.answer.append(rrsig_rrset)
async def get_responses(
self, qctx: QueryContext
) -> AsyncGenerator[ResponseAction, None]:
if qctx.qtype == dns.rdatatype.DNSKEY:
self.hide_dnskey(qctx)
else:
self.add_rrsig(qctx)
yield DnsResponseSend(qctx.response)
server = AsyncDnsServer()
server.install_response_handler(DnssecManglerHandler())
server.run()

View File

@@ -1,24 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
MX 10 mx
ns A 10.53.0.3
a A 10.0.0.1

View File

@@ -1,31 +0,0 @@
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
set -e
echo_i "ans11/sign.sh"
zone=missingdnskey.example.
infile=missingdnskey.example.db.in
zonefile=missingdnskey.example.db
keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
cat "$infile" "$keyname1.key" "$keyname2.key" >"$zonefile"
"$SIGNER" -o "$zone" "$zonefile" >/dev/null
# AsyncDnsServer expects a file zone name defined as <apexname>.db, so let's
# renamed the signed file.
mv "$zonefile".signed $zonefile

View File

@@ -177,6 +177,3 @@ rsasha1-1024 NS ns.rsasha1-1024
ns.rsasha1-1024 A 10.53.0.3
dname-at-apex-nsec3 NS ns3
missingdnskey NS ns.missingdnskey
ns.missingdnskey A 10.53.0.11

View File

@@ -16,9 +16,8 @@
set -e
# Sign child zones (served by ns3 and ans11).
# Sign child zones (served by ns3).
(cd ../ns3 && $SHELL sign.sh)
(cd ../ans11 && $SHELL sign.sh)
echo_i "ns2/sign.sh"
@@ -70,8 +69,6 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
cp "../ns3/dsset-$subdomain.example." .
done
cp "../ans11/dsset-missingdnskey.example." .
# Sign the "example." zone.
keyname1=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone -f KSK "$zone")
keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")

View File

@@ -2191,7 +2191,7 @@ echo_i "checking RRSIG query from cache ($n)"
ret=0
dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 a >/dev/null || ret=1
ans=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.4 rrsig) || ret=1
expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep -E '^(A|NSEC)') || ret=1
expect=$(dig_with_opts +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^\(A\|NSEC\)') || ret=1
test "$ans" = "$expect" || ret=1
# also check that RA is set
dig_with_opts normalthenrrsig.secure.example. @10.53.0.4 rrsig >dig.out.ns4.test$n || ret=1
@@ -4133,16 +4133,6 @@ n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
echo_i "check EDE 9 (Missing DNSKEY) is added when the zone is signed but no DNSKEY is provided ($n)"
ret=0
dig_with_opts @10.53.0.4 missingdnskey.example SOA >dig.out.ns4.test$n
grep "status: SERVFAIL," dig.out.ns4.test$n >/dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
grep "; EDE: 9 (DNSKEY Missing): (missingdnskey.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
n=$((n + 1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
# The next two queries ensure that a zone signed with a DNSKEY that the nameserver
# has a disabled algorithm match for will yield insecure positive responses.
# These trust anchors in ns8 are ignored and so this domain is treated as insecure.

View File

@@ -156,8 +156,6 @@ pytestmark = pytest.mark.extra_artifacts(
"ns6/optout-tld.db",
"ns7/split-rrsig.db",
"ns7/split-rrsig.db.unsplit",
"ans11/missingdnskey.example.db",
"ans11/missingdnskey.example.db.tmp",
"signer/example.db",
"signer/example.db.after",
"signer/example.db.before",

View File

@@ -360,10 +360,13 @@ class ResponseHandler(abc.ABC):
method.
"""
@abc.abstractmethod
# pylint: disable=unused-argument
def match(self, qctx: QueryContext) -> bool:
"""
Matching logic - query is handled when it returns True.
Matching logic - the first handler whose `match()` method returns True
is used for handling the query.
The default for each handler is to handle all queries.
"""
return True
@@ -380,6 +383,17 @@ class ResponseHandler(abc.ABC):
yield DnsResponseSend(qctx.response)
class IgnoreAllQueries(ResponseHandler):
"""
Do not respond to any queries sent to the server.
"""
async def get_responses(
self, qctx: QueryContext
) -> AsyncGenerator[ResponseAction, None]:
yield ResponseDrop()
class DomainHandler(ResponseHandler):
"""
Base class used for deriving custom domain handlers.

View File

@@ -43,12 +43,6 @@ grep "status: NOERROR" dig.out.ns1.test${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
rndccmd 10.53.0.1 stats || ret=1 # Get the responses, RTT and timeout statistics before the following timeout tests
grep -F 'responses received' ns1/named.stats >ns1/named.stats.responses-before || true
grep -F 'queries with RTT' ns1/named.stats >ns1/named.stats.rtt-before || true
grep -F 'query timeouts' ns1/named.stats >ns1/named.stats.timeouts-before || true
mv ns1/named.stats ns1/named.stats-before
# 'resolver-query-timeout' is set to 5 seconds in ns1, so dig with a lower
# timeout value should give up earlier than that.
n=$((n + 1))
@@ -72,20 +66,6 @@ grep -F "EDE: 22 (No Reachable Authority)" dig.out.ns1.test${n} >/dev/null || re
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that the timeout didn't skew the resolver responses counters and did update the timeout counter ($n)"
ret=0
rndccmd 10.53.0.1 stats || ret=1
grep -F 'responses received' ns1/named.stats >ns1/named.stats.responses-after || true
grep -F 'queries with RTT' ns1/named.stats >ns1/named.stats.rtt-after || true
grep -F 'query timeouts' ns1/named.stats >ns1/named.stats.timeouts-after || true
mv ns1/named.stats ns1/named.stats-after
diff ns1/named.stats.responses-before ns1/named.stats.responses-after >/dev/null || ret=1
diff ns1/named.stats.rtt-before ns1/named.stats.rtt-after >/dev/null || ret=1
diff ns1/named.stats.timeouts-before ns1/named.stats.timeouts-after >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
# 'resolver-query-timeout' is set to 5 seconds in ns1, so named should
# interrupt the non-responsive query and send a SERVFAIL answer before dig's
# own timeout fires, which is set to 7 seconds. This time, exampleudp.net is

View File

@@ -21,7 +21,6 @@ pytestmark = pytest.mark.extra_artifacts(
"nextpart.out.*",
"ans*/ans.run",
"ans*/query.log",
"ns1/named.stats*",
"ns4/tld.db",
"ns5/trusted.conf",
"ns6/K*",

View File

@@ -1,365 +0,0 @@
#!/usr/bin/perl
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
#
# This is the name server from hell. It provides canned
# responses based on pattern matching the queries, and
# can be reprogrammed on-the-fly over a TCP connection.
#
# The server listens for control connections on port 5301.
# A control connection is a TCP stream of lines like
#
# /pattern/
# name ttl type rdata
# name ttl type rdata
# ...
# /pattern/
# name ttl type rdata
# name ttl type rdata
# ...
#
# There can be any number of patterns, each associated
# with any number of response RRs. Each pattern is a
# Perl regular expression.
#
# Each incoming query is converted into a string of the form
# "qname qtype" (the printable query domain name, space,
# printable query type) and matched against each pattern.
#
# The first pattern matching the query is selected, and
# the RR following the pattern line are sent in the
# answer section of the response.
#
# Each new control connection causes the current set of
# patterns and responses to be cleared before adding new
# ones.
#
# The server handles UDP and TCP queries. Zone transfer
# responses work, but must fit in a single 64 k message.
#
# Now you can add TSIG, just specify key/key data with:
#
# /pattern <key> <key_data>/
# name ttl type rdata
# name ttl type rdata
#
# Note that this data will still be sent with any request for
# pattern, only this data will be signed. Currently, this is only
# done for TCP.
use IO::File;
use IO::Socket;
use Data::Dumper;
use Net::DNS;
use Net::DNS::Packet;
use strict;
# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
local $SIG{PIPE} = 'IGNORE';
# Flush logged output after every line
local $| = 1;
my $server_addr = "10.53.0.4";
my $localport = int($ENV{'PORT'});
if (!$localport) { $localport = 5300; }
my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
LocalPort => $localport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
print "listening on $server_addr:$localport.\n";
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
print $pidf "$$\n" or die "cannot write pid file: $!";
$pidf->close or die "cannot close pid file: $!";;
sub rmpid { unlink "ans.pid"; exit 1; };
$SIG{INT} = \&rmpid;
$SIG{TERM} = \&rmpid;
#my @answers = ();
my @rules;
sub handleUDP {
my ($buf) = @_;
my $packet;
if ($Net::DNS::VERSION > 0.68) {
$packet = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($packet, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
$packet->header->qr(1);
$packet->header->aa(1);
my @questions = $packet->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
# get the existing signature if any, and clear the additional section
my $prev_tsig;
while (my $rr = $packet->pop("additional")) {
if ($rr->type eq "TSIG") {
$prev_tsig = $rr;
}
}
my $r;
foreach $r (@rules) {
my $pattern = $r->{pattern};
my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
print "[handleUDP] $dbtype, $key_name, $key_data \n";
if ("$qname $qtype" =~ /$dbtype/) {
my $a;
foreach $a (@{$r->{answer}}) {
$packet->push("answer", $a);
}
if(defined($key_name) && defined($key_data)) {
# Sign the packet
print " Signing the response with " .
"$key_name/$key_data\n";
my $tsig = Net::DNS::RR->
new("$key_name TSIG $key_data");
# These kluges are necessary because Net::DNS
# doesn't know how to sign responses. We
# clear compnames so that the TSIG key and
# algorithm name won't be compressed, and
# add one to arcount because the signing
# function will attempt to decrement it,
# which is incorrect in a response. Finally
# we set request_mac to the previous digest.
$packet->{"compnames"} = {};
$packet->{"header"}{"arcount"} += 1;
if (defined($prev_tsig)) {
my $rmac = pack('n H*',
$prev_tsig->mac_size,
$prev_tsig->mac);
$tsig->{"request_mac"} =
unpack("H*", $rmac);
}
$packet->sign_tsig($tsig);
}
last;
}
}
#$packet->print;
return $packet->data;
}
# namelen:
# given a stream of data, reads a DNS-formatted name and returns its
# total length, thus making it possible to skip past it.
sub namelen {
my ($data) = @_;
my $len = 0;
my $label_len = 0;
do {
$label_len = unpack("c", $data);
$data = substr($data, $label_len + 1);
$len += $label_len + 1;
} while ($label_len != 0);
return ($len);
}
# packetlen:
# given a stream of data, reads a DNS wire-format packet and returns
# its total length, making it possible to skip past it.
sub packetlen {
my ($data) = @_;
my $q;
my $rr;
my ($header, $offset) = Net::DNS::Header->parse(\$data);
for (1 .. $header->qdcount) {
($q, $offset) = Net::DNS::Question->parse(\$data, $offset);
}
for (1 .. $header->ancount) {
($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
for (1 .. $header->nscount) {
($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
for (1 .. $header->arcount) {
($rr, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
return $offset;
}
# sign_tcp_continuation:
# This is a hack to correct the problem that Net::DNS has no idea how
# to sign multiple-message TCP responses. Several data that are included
# in the digest when signing a query or the first message of a response are
# omitted when signing subsequent messages in a TCP stream.
#
# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
# function (specified by calling Packet->sign_func()). We use this
# function as the signing function for TCP continuations, and it removes
# the unwanted data from the digest before calling the default sign_hmac
# function.
sub sign_tcp_continuation {
my ($key, $data) = @_;
# copy out first two bytes: size of the previous MAC
my $rmacsize = unpack("n", $data);
$data = substr($data, 2);
# copy out previous MAC
my $rmac = substr($data, 0, $rmacsize);
$data = substr($data, $rmacsize);
# try parsing out the packet information
my $plen = packetlen($data);
my $pdata = substr($data, 0, $plen);
$data = substr($data, $plen);
# remove the keyname, ttl, class, and algorithm name
$data = substr($data, namelen($data));
$data = substr($data, 6);
$data = substr($data, namelen($data));
# preserve the TSIG data
my $tdata = substr($data, 0, 8);
# prepare a new digest and sign with it
$data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
return Net::DNS::RR::TSIG::sign_hmac($key, $data);
}
sub handleTCP {
my ($buf) = @_;
my $packet;
if ($Net::DNS::VERSION > 0.68) {
$packet = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($packet, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
$packet->header->qr(1);
$packet->header->aa(1);
my @questions = $packet->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
# get the existing signature if any, and clear the additional section
my $prev_tsig;
my $signer;
while (my $rr = $packet->pop("additional")) {
if ($rr->type eq "TSIG") {
$prev_tsig = $rr;
}
}
my @results = ();
my $count_these = 0;
my $r;
foreach $r (@rules) {
my $pattern = $r->{pattern};
my($dbtype, $key_name, $key_data) = split(/ /,$pattern);
print "[handleTCP] $dbtype, $key_name, $key_data \n";
if ("$qname $qtype" =~ /$dbtype/) {
$count_these++;
my $a;
foreach $a (@{$r->{answer}}) {
$packet->push("answer", $a);
}
if(defined($key_name) && defined($key_data)) {
# sign the packet
print " Signing the data with " .
"$key_name/$key_data\n";
my $tsig = Net::DNS::RR->
new("$key_name TSIG $key_data");
# These kluges are necessary because Net::DNS
# doesn't know how to sign responses. We
# clear compnames so that the TSIG key and
# algorithm name won't be compressed, and
# add one to arcount because the signing
# function will attempt to decrement it,
# which is incorrect in a response. Finally
# we set request_mac to the previous digest.
$packet->{"compnames"} = {};
$packet->{"header"}{"arcount"} += 1;
if (defined($prev_tsig)) {
my $rmac = pack('n H*',
$prev_tsig->mac_size,
$prev_tsig->mac);
$tsig->{"request_mac"} =
unpack("H*", $rmac);
}
$tsig->sign_func($signer) if defined($signer);
$packet->sign_tsig($tsig);
$signer = \&sign_tcp_continuation;
my $copy =
Net::DNS::Packet->new(\($packet->data));
$prev_tsig = $copy->pop("additional");
}
#$packet->print;
push(@results,$packet->data);
$packet = new Net::DNS::Packet(\$buf, 0);
$packet->header->qr(1);
$packet->header->aa(1);
}
}
print " A total of $count_these patterns matched\n";
return \@results;
}
# Main
my $rin;
my $rout;
for (;;) {
$rin = '';
vec($rin, fileno($tcpsock), 1) = 1;
vec($rin, fileno($udpsock), 1) = 1;
select($rout = $rin, undef, undef, undef);
if (vec($rout, fileno($udpsock), 1)) {
printf "UDP request\n";
my $buf;
$udpsock->recv($buf, 512);
} elsif (vec($rout, fileno($tcpsock), 1)) {
my $conn = $tcpsock->accept;
my $buf;
for (;;) {
my $lenbuf;
my $n = $conn->sysread($lenbuf, 2);
last unless $n == 2;
my $len = unpack("n", $lenbuf);
$n = $conn->sysread($buf, $len);
last unless $n == $len;
}
sleep(1);
$conn->close;
}
}

View File

@@ -0,0 +1,20 @@
"""
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
"""
from isctest.asyncserver import AsyncDnsServer, IgnoreAllQueries
if __name__ == "__main__":
server = AsyncDnsServer()
server.install_response_handler(IgnoreAllQueries())
server.run()

View File

@@ -18,7 +18,6 @@ Changelog
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
.. include:: ../changelog/changelog-9.21.6.rst
.. include:: ../changelog/changelog-9.21.5.rst
.. include:: ../changelog/changelog-9.21.4.rst
.. include:: ../changelog/changelog-9.21.3.rst

View File

@@ -47,7 +47,6 @@ The list of known issues affecting the latest version in the 9.21 branch can be
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.21
.. include:: ../notes/notes-9.21.6.rst
.. include:: ../notes/notes-9.21.5.rst
.. include:: ../notes/notes-9.21.4.rst
.. include:: ../notes/notes-9.21.3.rst

View File

@@ -1,478 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
BIND 9.21.6
-----------
New Features
~~~~~~~~~~~~
- Implement the min-transfer-rate-in configuration option.
``a282f1ba3f``
A new option 'min-transfer-rate-in <bytes> <minutes>' has been added
to the view and zone configurations. It can abort incoming zone
transfers which run very slowly due to network related issues, for
example. The default value is set to 10240 bytes in 5 minutes.
:gl:`#3914` :gl:`!9098`
- Add digest methods for SIG and RRSIG. ``fd48df20f3``
ZONEMD digests RRSIG records and potentially digests SIG record. Add
digests methods for both record types. :gl:`#5219` :gl:`!10217`
- Add HTTPS record query to host command line tool. ``d34414c47b``
The host command was extended to also query for the HTTPS RR type by
default. :gl:`!8642`
Removed Features
~~~~~~~~~~~~~~~~
- Clean up unnecessary code in qpcache. ``74c9ff384e``
Removed some code from the cache database implementation that was left
over from before it and the zone database implementation were
separated. :gl:`!9991`
- Cleanup isc/util.h header and friends. ``239712df16``
Cleanup short list macros from <isc/util.h>, remove two unused
headers, move locking macros to respective headers and use only the
C11 static assertion. :gl:`!10196`
- Remove check for the mandatory IPv6 support. ``daa9c17905``
IPv6 Advanced Socket API (:rfc:`3542`) is a hard requirement, remove
the autoconf check to speed up the ./configure run a little bit.
:gl:`!10201`
- Remove log initialization checks from named. ``1b3e7f52ec``
Logging initialization check is now redundant as there is a default
global log context created during libisc's constructor.
`isc_log` calls can safely be made at any time outside libisc's
constructor. :gl:`!10186`
Feature Changes
~~~~~~~~~~~~~~~
- Refactor and simplify isc_symtab. ``5559539eb0``
This commit does several changes to isc_symtab:
1. Rewrite the isc_symtab to internally use isc_hashmap instead of
hand-stiched hashtable.
2. Create a new isc_symtab_define_and_return() api, which returns
the already defined symvalue on ISC_R_EXISTS; this allows users of
the API to skip the isc_symtab_lookup()+isc_symtab_define() calls
and directly call isc_symtab_define_and_return().
3. Merge isccc_symtab into isc_symtab - the only missing function
was isccc_symtab_foreach() that was merged into isc_symtab API.
4. Add full set of unit tests for the isc_symtab API. :gl:`#5103`
:gl:`!9921`
- Drop malformed notify messages early instead of decompressing them.
``7fce7707db``
The DNS header shows if a message has multiple questions or invalid
NOTIFY sections. We can drop these messages early, right after parsing
the question. This matches RFC 9619 for multi-question messages and
Unbound's handling of NOTIFY. We still parse the question to include
it in our FORMERR response.
Add drop_msg_early() function to check for these conditions: -
Messages with more than one question, as required by RFC 9619 - NOTIFY
query messages containing answer sections (like Unbound) - NOTIFY
messages containing authority sections (like Unbound) :gl:`#5158`,
#3656 :gl:`!10056`
- Cleanup parts of the isc_mem API. ``4ba1ccfa2e``
This MR changes custom attach/detach implementation with refcount
macros, replaces isc_mem_destroy() with isc_mem_detach(), and does
various small cleanups. :gl:`!9456`
- Move the library initialization and shutdown to executables.
``6e0c1f151c``
Instead of relying on unreliable order of execution of the library
constructors and destructors, move them to individual binaries. The
advantage is that the execution time and order will remain constant
and will not depend on the dynamic load dependency solver.
:gl:`!10069`
- Reduce memory used to store DNS names. ``24db1b1a8a``
The memory used to internally store the DNS names has been reduced.
:gl:`!10140`
- Unify fips handling to isc_crypto and make the toggle one way.
``3de629d6b7``
Since algorithm fetching is handled purely in libisc, FIPS mode
toggling can be purely done in within the library instead of provider
fetching in the binary for OpenSSL >=3.0.
Disabling FIPS mode isn't a realistic requirement and isn't done
anywhere in the codebase. Make the FIPS mode toggle enable-only to
reflect the situation. :gl:`!9920`
Bug Fixes
~~~~~~~~~
- Prevent a reference leak when using plugins. ``5604d3a44e``
The `NS_QUERY_DONE_BEGIN` and `NS_QUERY_DONE_SEND` plugin hooks could
cause a reference leak if they returned `NS_HOOK_RETURN` without
cleaning up the query context properly. :gl:`#2094` :gl:`!9971`
- Fix isc_quota bug. ``742d379d88``
Running jobs which were entered into the isc_quota queue is the
responsibility of the isc_quota_release() function, which, when
releasing a previously acquired quota, checks whether the queue is
empty, and if it's not, it runs a job from the queue without touching
the 'quota->used' counter. This mechanism is susceptible to a possible
hangup of a newly queued job in case when between the time a decision
has been made to queue it (because used >= max) and the time it was
actually queued, the last quota was released. Since there is no more
quotas to be released (unless arriving in the future), the newly
entered job will be stuck in the queue.
Fix the issue by adding checks in both isc_quota_release() and
isc_quota_acquire_cb() to make sure that the described hangup does not
happen. Also see code comments. :gl:`#4965` :gl:`!10082`
- Fix dual-stack-servers configuration option. ``6af708f3b0``
The dual-stack-servers configuration option was not working as
expected; the specified servers were not being used when they should
have been, leading to resolution failures. This has been fixed.
:gl:`#5019` :gl:`!9708`
- Implement sig0key-checks-limit and sig0message-checks-limit.
``d78ebff861``
Previously a hard-coded limitation of maximum two key or message
verification checks were introduced when checking the message's SIG(0)
signature. It was done in order to protect against possible DoS
attacks. The logic behind choosing the number 2 was that more than a
single key should only be required during key rotations, and in that
case two keys are enough. But later it became apparent that there are
other use cases too where even more keys are required, see issue
number #5050 in GitLab.
This change introduces two new configuration options for the views,
`sig0key-checks-limit` and `sig0message-checks-limit`, which define
how many keys are allowed to be checked to find a matching key, and
how many message verifications are allowed to take place once a
matching key has been found. The latter protects against expensive
cryptographic operations when there are keys with colliding tags and
algorithm numbers, with default being 2, and the former protects
against a bit less expensive key parsing operations and defaults to
16. :gl:`#5050` :gl:`!9967`
- Fix the data race causing a permanent active client increase.
``479c366c2b``
Previously, a data race could cause a newly created fetch context for
a new client to be used before it had been fully initialized, which
would cause the query to become stuck; queries for the same data would
be either paused indefinitely or dropped because of the
`clients-per-query` limit. This has been fixed. :gl:`#5053`
:gl:`!10146`
- Fix deferred validation of unsigned DS and DNSKEY records.
``ebf1606f38``
When processing a query with the "checking disabled" bit set (CD=1),
`named` stores the unvalidated result in the cache, marked "pending".
When the same query is sent with CD=0, the cached data is validated,
and either accepted as an answer, or ejected from the cache as
invalid. This deferred validation was not attempted for DS and DNSKEY
records if they had no cached signatures, causing spurious validation
failures. We now complete the deferred validation in this scenario.
Also, if deferred validation fails, we now re-query the data to find
out whether the zone has been corrected since the invalid data was
cached. :gl:`#5066` :gl:`!10104`
- When recording an rr trace, use libtool. ``6320586df0``
When a system test is run with the `USE_RR` environment variable set
to 1, an `rr` trace is now correctly generated for each instance of
`named`. :gl:`#5079` :gl:`!10197`
- Do not cache signatures for rejected data. ``fc3a4d6f89``
The cache has been updated so that if new data is rejected - for
example, because there was already existing data at a higher trust
level - then its covering RRSIG will also be rejected. :gl:`#5132`
:gl:`!9999`
- Fix wrong logging severity in do_nsfetch() ``1f6a16e6d0``
ISC_LOG_WARNING was used while ISC_LOG_DEBUG(3) was implied.
:gl:`#5145` :gl:`!10017`
- Fix RPZ race condition during a reconfiguration. ``5ba811bea2``
With RPZ in use, `named` could terminate unexpectedly because of a
race condition when a reconfiguration command was received using
`rndc`. This has been fixed. :gl:`#5146` :gl:`!10079`
- "CNAME and other data check" not applied to all types. ``b694acbe45``
An incorrect optimization caused "CNAME and other data" errors not to
be detected if certain types were at the same node as a CNAME. This
has been fixed. :gl:`#5150` :gl:`!10033`
- Use named Service Parameter Keys (SvcParamKeys) by default.
``3f61a87be3``
When converting SVCB records to text representation `named` now uses
named `SvcParamKeys` values unless backward-compatible mode is
activated, in which case the values which were not defined initially
in RFC9460 and were added later (see [1]) are converted to opaque
"keyNNNN" syntax, like, for example, "key7" instead of "dohpath".
Also a new `+[no]svcparamkeycompat` option is implemented for `dig`,
which enables the backward-compatible mode and uses the opaque syntax,
if required for interoperability with other software or scripts. By
default, the compatibility mode is disabled.
[1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml
:gl:`#5156` :gl:`!10085`
- Relax private DNSKEY and RRSIG constraints. ``1bc7016d7a``
DNSKEY, KEY, RRSIG and SIG constraints have been relaxed to allow
empty key and signature material after the algorithm identifier for
PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within
the expected use of these types as no key material is shared and the
signatures are ineffective but these are private algorithms and they
can be totally insecure. :gl:`#5167` :gl:`!10083`
- Delete dead nodes when committing a new version. ``67255da4b3``
In the qpzone implementation of `dns_db_closeversion()`, if there are
changed nodes that have no remaining data, delete them. :gl:`#5169`
:gl:`!10089`
- Revert "Delete dead nodes when committing a new version"
``b652d5327c``
This reverts commit 67255da4b376f65138b299dcd5eb6a3b7f9735a9,
reversing changes made to 74c9ff384e695d1b27fa365d1fee84576f869d4c.
:gl:`#5169` :gl:`!10224`
- Fix dns_qp_insert() checks in qpzone. ``d6b63210a8``
Remove code in the QP zone database to handle failures of
`dns_qp_insert()` which can't actually happen. :gl:`#5171`
:gl:`!10088`
- Remove NSEC/DS/NSEC3 RRSIG check from dns_message_parse.
``f0785fedf1``
Previously, when parsing responses, named incorrectly rejected
responses without matching RRSIG records for NSEC/DS/NSEC3 records in
the authority section. This rejection, if appropriate, should have
been left for the validator to determine and has been fixed.
:gl:`#5185` :gl:`!10125`
- Fix TTL issue with ANY queries processed through RPZ "passthru"
``23c1fbc609``
Answers to an "ANY" query which were processed by the RPZ "passthru"
policy had the response-policy's `max-policy-ttl` value unexpectedly
applied. This has been fixed. :gl:`#5187` :gl:`!10176`
- Save time when creating a slab from another slab. ``cf981ab13b``
The `dns_rdataslab_fromrdataset()` function creates a slab from an
rdataset. If the source rdataset already uses a slab, then no
processing is necessary; we can just copy the existing slab to a new
location. :gl:`#5188` :gl:`!10162`
- Dnssec-signzone needs to check for a NULL key when setting offline.
``26f8ee7229``
dnssec-signzone could dereference a NULL key pointer when resigning a
zone. This has been fixed. :gl:`#5192` :gl:`!10161`
- Acquire the database reference before possibly last node release.
``c4868b5bd9``
Acquire the database reference in the detachnode() to prevent the last
reference to be release while the NODE_LOCK being locked. The
NODE_LOCK is locked/unlocked inside the RCU critical section, thus it
is most probably this should not pose a problem as the database uses
call_rcu memory reclamation, but this it is still safer to acquire the
reference before releasing the node. :gl:`#5194` :gl:`!10155`
- Fix a logic error in cache_name() ``02ef8ff01c``
A change in 6aba56ae8 (checking whether a rejected RRset was identical
to the data it would have replaced, so that we could still cache a
signature) inadvertently introduced cases where processing of a
response would continue when previously it would have been skipped.
:gl:`#5197` :gl:`!10157`
- Fix a bug in the statistics channel when querying zone transfers
information. ``e02d73e7e3``
When querying zone transfers information from the statistics channel
there was a rare possibility that `named` could terminate unexpectedly
if a zone transfer was in a state when transferring from all the
available primary servers had failed earlier. This has been fixed.
:gl:`#5198` :gl:`!10182`
- Fix assertion failure when dumping recursing clients. ``796b662b92``
Previously, if a new counter was added to the hashtable while dumping
recursing clients via the `rndc recursing` command, and
`fetches-per-zone` was enabled, an assertion failure could occur. This
has been fixed. :gl:`#5200` :gl:`!10164`
- Validating ADB fetches could cause a crash in import_rdataset()
``49ccbe857a``
Previously, in some cases, the resolver could return rdatasets of type
CNAME or DNAME without the result code being set to `DNS_R_CNAME` or
`DNS_R_DNAME`. This could trigger an assertion failure in the ADB. The
resolver error has been fixed. :gl:`#5201` :gl:`!10172`
- Call isc__iterated_hash_initialize in isc__work_cb. ``f3458fdf43``
isc_iterated_hash didn't work in offloaded threads as the per thread
initialisation has not been done. This has been fixed. :gl:`#5214`
:gl:`!10206`
- Fix a bug in get_request_transport_type() ``db5166ab99``
When `dns_remote_done()` is true, calling `dns_remote_curraddr()`
asserts. Add a `dns_remote_curraddr()` check before calling
`dns_remote_curraddr()`. :gl:`#5215` :gl:`!10222`
- Clean up dns_rdataslab module. ``948f8d7a98``
Rdata slabs used in the QP databases are usually prepended with a slab
header, but are sometimes "raw", containing only the rdata and no
header. Previously, to allow for them to be used both ways, functions
that operated on them took a `reservelen` argument, which would be set
to either the header length or to zero, and skipped over that many
bytes at the beginning of the buffer. Most such functions were never
used on the raw form. To make the code clearer, each of these
functions now operates on full slabs with headers, and an alternate
"raw" version of the function has been added in cases where that was
needed.
In addition, the `dns_rdataslab_merge()` and `_subtract()` functions
have been rewritten for clarity and efficiency, and a minor bug has
been fixed in `dns_rdataslab_equal()` and `_equalx()`, which could
cause an incorrect result if both slabs being compared had zero
length. :gl:`!10084`
- Dump the active resolver fetches from dns_resolver_dumpfetches()
``5d0c347e75``
Previously, active resolver fetches were only dumped when the
`fetches-per-zone` configuration option was enabled. Now, active
resolver fetches are dumped along with the number of
`clients-per-server` counters per resolver fetch. :gl:`!10107`
- Fix the foundname vs dcname madness in qpcache_findzonecut()
``4e68dbf194``
The qpcache_findzonecut() accepts two "foundnames": 'foundname' and
'dcname' could be NULL. Originally, when 'dcname' would be NULL, the
'dcname' would be set to 'foundname' which basically means that we
were copying the .ndata over itself for no apparent reason.
:gl:`!10049`
- Post [CVE-2024-12705] Performance Drop Fixes, Part 2. ``c8104daf8d``
This merge request addresses several key performance bottlenecks in
the DoH (DNS over HTTPS) implementation by introducing significant
optimizations and improvements.
### Key Improvements
1. **Simplification and Optimisation of `http_do_bio()` Function**:
- The code flow in the `http_do_bio()` function has been significantly
simplified. 2. **Flushing HTTP Write Buffer on Outgoing DNS
Messages**: - The buffer is flushed and a send operation is
performed when there is an outgoing DNS message. 3. **Bumping Active
Streams Processing Limit**: - The total number of active streams
has been increased to 60% of the total streams limit.
These changes collectively enhance the performance and reliability of
the DoH implementation, making it more efficient and robust for
handling high-load scenarios, particularly noticeable in long runs (>=
1h) of `stress:long:rpz:doh+udp:linux:*` tests. It improves perf. for
tests for BIND 9.18, but it likely will have a positive but less
pronounced effect on newer versions as well.
In essence, the merge request fixes three bottlenecks stacked upon
each other.
*It is a logical continuation of the merge requests !10109.* !10109,
unfortunately, did not completely [address the performance drop in
9.18](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/221545)
for longer runs of the stress test. This merge request [addresses
that](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/223661).
**P.S.**
The origin of the fixes is, in fact, the branch in !10193. So this MR
is a ... *forward port* of them. :gl:`!10192`
- Post [CVE-2024-12705] Performance Drop Fixes. ``3033d127d2``
This merge request fixes a [performance
drop](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/216728)
after merging the fixes for #4795, in particular in 9.18.
The MR [fixes the
problem](https://gitlab.isc.org/isc-projects/bind9/-/pipelines/219825)
without affecting performance for the newer versions, in particular
for [the development version](https://gitlab.isc.org/isc-projects/bind
9/-/pipelines/220619). :gl:`!10109`
- Remove 'target' from dns_adb. ``764eb65cf6``
When a server name turns out to be a CNAME or DNAME, the ADB does not
use it, but the `dns_adbname` structure still stored a copy of the
target name. This is unnecessary and the code has been removed.
:gl:`!10149`
- Simplify some dns_name API calls. ``e16560a650``
Several functions in the `dns_name` module have had parameters
removed, that were rarely or never used: - `dns_name_fromtext()` and
`dns_name_concatenate()` no longer take a target buffer. -
`dns_name_towire()` no longer takes a compression offset pointer; this
is now part of the compression context. - `dns_name_towire()` with a
`NULL` compression context will copy name data directly into a buffer
with no processing. :gl:`!10152`
- Sync the TSAN CC, CFLAGS and LDFLAGS in the respdiff:tsan job.
``22b5442722``
:gl:`!10209`

View File

@@ -1,186 +0,0 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.6
---------------------
New Features
~~~~~~~~~~~~
- Implement the :any:`min-transfer-rate-in` configuration option.
A new option :any:`min-transfer-rate-in` has been added
to the view and zone configurations. It can abort incoming zone
transfers that run very slowly due to network-related issues, for
example. The default value is 10240 bytes in five minutes.
:gl:`#3914`
- Add HTTPS record query to :iscman:`host` command line tool.
The :iscman:`host` command was extended to also query for the HTTPS RR
type by default.
- Implement :any:`sig0key-checks-limit` and :any:`sig0message-checks-limit`.
Previously, a hard-coded limitation of a maximum of two key or message
verification checks was introduced when checking a message's ``SIG(0)``
signature, to protect against possible DoS
attacks. Two as a maximum was chosen so that more than a
single key should only be required during key rotations, and in that
case two keys are enough. It later became apparent that there are
other use cases where even more keys are required; see the related GitLab issue for examples.
This change introduces two new configuration options for the views:
:any:`sig0key-checks-limit` and :any:`sig0message-checks-limit`. They define
how many keys can be checked to find a matching key, and
how many message verifications are allowed to take place once a
matching key has been found. The former provides
slightly less "expensive" key parsing operations and defaults to
16. The latter protects against expensive
cryptographic operations when there are keys with colliding tags and
algorithm numbers; the default is 2. :gl:`#5050`
Feature Changes
~~~~~~~~~~~~~~~
- Drop malformed notify messages early instead of decompressing them.
The DNS header shows whether a message has multiple questions or invalid
NOTIFY sections. :iscman:`named` can now drop these messages early, right after parsing
the question, to match :rfc:`9619` for multi-question messages and
Unbound's handling of NOTIFY. Questions are still parsed to be included
in BIND's FORMERR response.
Add ``drop_msg_early()`` function to check for these conditions:
- Messages with more than one question, as required by :rfc:`9619`
- NOTIFY query messages containing answer sections (like Unbound)
:gl:`#5158`
- Reduce memory used to store DNS names.
The memory used to internally store the DNS names has been reduced
by no longer caching certain fields from an internal data structure.
Bug Fixes
~~~~~~~~~
- Fix :any:`dual-stack-servers` configuration option.
The :any:`dual-stack-servers` configuration option was not working as
expected; the specified servers were not being used when they should
have been, leading to resolution failures. This has been fixed.
:gl:`#5019`
- Fix a data race causing a permanent active client increase.
Previously, a data race could cause a newly created fetch context for
a new client to be used before it had been fully initialized, which
would cause the query to become stuck; queries for the same data would
be either paused indefinitely or dropped because of the
:any:`clients-per-query` limit. This has been fixed. :gl:`#5053`
- Fix deferred validation of unsigned DS and DNSKEY records.
When processing a query with the "checking disabled" bit set (CD=1),
:iscman:`named` stores the invalidated result in the cache, marked "pending".
When the same query is sent with CD=0, the cached data is validated
and either accepted as an answer, or ejected from the cache as
invalid. This deferred validation was not attempted for DS and DNSKEY
records if they had no cached signatures, causing spurious validation
failures. The deferred validation is now completed in this scenario.
Also, if deferred validation fails, the data is now re-queried to find
out whether the zone has been corrected since the invalid data was
cached. :gl:`#5066`
- Fix RPZ race condition during a reconfiguration.
With RPZ in use, :iscman:`named` could terminate unexpectedly because of a
race condition when a reconfiguration command was received using
:iscman:`rndc`. This has been fixed. :gl:`#5146`
- "CNAME and other data check" not applied to all types.
An incorrect optimization caused "CNAME and other data" errors not to
be detected if certain types were at the same node as a CNAME. This
has been fixed. :gl:`#5150`
- Use named Service Parameter Keys (``SvcParamKeys``) by default.
When converting SVCB records to text representation, :iscman:`named` now uses
named ``SvcParamKeys`` values unless backward-compatible mode is
activated. In that case, values which were not defined initially
in :rfc:`9460` and were added later (see [1]) are converted to opaque
"keyNNNN" syntax, e.g. "key7" instead of "dohpath".
Also a new ``+[no]svcparamkeycompat`` option is implemented for :iscman:`dig`,
which enables the backward-compatible mode and uses the opaque syntax,
if required for interoperability with other software or scripts. By
default, the compatibility mode is disabled.
[1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml
:gl:`#5156`
- Relax private DNSKEY and RRSIG constraints.
DNSKEY, KEY, RRSIG, and SIG constraints have been relaxed to allow
empty key and signature material after the algorithm identifier for
PRIVATEOID and PRIVATEDNS. It is arguable whether this falls within
the expected use of these types, as no key material is shared and the
signatures are ineffective, but these are private algorithms and they
can be totally insecure. :gl:`#5167`
- Remove NSEC/DS/NSEC3 RRSIG check from ``dns_message_parse()``.
Previously, when parsing responses, :iscman:`named` incorrectly rejected
responses without matching RRSIG records for NSEC/DS/NSEC3 records in
the authority section. This rejection, if appropriate, should have
been left for the validator to determine and has been fixed.
:gl:`#5185`
- Fix TTL issue with ANY queries processed through RPZ "passthru".
Answers to an "ANY" query which were processed by the RPZ "passthru"
policy had the response-policy's ``max-policy-ttl`` value unexpectedly
applied. This has been fixed. :gl:`#5187`
- :iscman:`dnssec-signzone` needs to check for a NULL key when setting offline.
:iscman:`dnssec-signzone` could dereference a NULL key pointer when resigning
a zone. This has been fixed. :gl:`#5192`
- Fix a bug in the statistics channel when querying zone transfer
information.
When querying zone transfer information from the statistics channel,
there was a rare possibility that :iscman:`named` could terminate unexpectedly
if a zone transfer was in a state when transferring from all the
available primary servers had failed earlier. This has been fixed.
:gl:`#5198`
- Fix assertion failure when dumping recursing clients.
Previously, if a new counter was added to the hash table while dumping
recursing clients via the :option:`rndc recursing` command, and
:any:`fetches-per-zone` was enabled, an assertion failure could occur. This
has been fixed. :gl:`#5200`
- Dump the active resolver fetches from ``dns_resolver_dumpfetches()``
Previously, active resolver fetches were only dumped when the
:any:`fetches-per-zone` configuration option was enabled. Now, active
resolver fetches are dumped along with the number of
:any:`clients-per-query` counters per resolver fetch.

View File

@@ -7462,12 +7462,10 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
QTRACE("response");
if (eresult == ISC_R_SUCCESS) {
if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET) {
inc_stats(fctx->res, dns_resstatscounter_responsev4);
} else {
inc_stats(fctx->res, dns_resstatscounter_responsev6);
}
if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET) {
inc_stats(fctx->res, dns_resstatscounter_responsev4);
} else {
inc_stats(fctx->res, dns_resstatscounter_responsev6);
}
rctx = isc_mem_get(fctx->mctx, sizeof(*rctx));
@@ -8049,9 +8047,6 @@ rctx_timedout(respctx_t *rctx) {
fctx->timeout = true;
fctx->timeouts++;
rctx->no_response = true;
rctx->finish = NULL;
now = isc_time_now();
/* netmgr timeouts are accurate to the millisecond */
if (isc_time_microdiff(&fctx->expires, &now) < US_PER_MS) {
@@ -8062,6 +8057,8 @@ rctx_timedout(respctx_t *rctx) {
} else {
FCTXTRACE("query timed out; trying next server");
/* try next server */
rctx->no_response = true;
rctx->finish = NULL;
rctx->next_server = true;
}

View File

@@ -3275,11 +3275,6 @@ proveunsecure(dns_validator_t *val, bool have_ds, bool resume) {
/* Couldn't complete insecurity proof. */
validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed: %s",
isc_result_totext(result));
if (val->type == dns_rdatatype_dnskey && val->rdataset == NULL) {
validator_addede(val, DNS_EDE_DNSKEYMISSING, NULL);
}
return DNS_R_NOTINSECURE;
out: