GitLab 12.2 has introduced Directed Acyclic Graphs in the GitLab CI[1] that
allow jobs to run out-of-order and not wait for the whole previous stage to
complete.
1. https://docs.gitlab.com/ee/ci/directed_acyclic_graph/
When updating the statistics for RRset types, if a header is marked
stale or ancient, the appropriate statistic counters are decremented,
then incremented.
Also fix some out of date comments.
Having the decrement/increment logic in stats makes the code hard
to follow. Remove it here and adjust the unit test. The caller
will be responsible for maintaining the correct increments and
decrements for statistics counters (in the following commit).
The stale RR types are now printed with '#'. This used to be the
prefix for RR types that were marked ancient, but commit
df50751585 changed the meaning. It is
probably better to keep '#' for stale RR types and introduce a new
prefix for reintroducing ancient type stat counters.
In the ARM section about RPZ, add text explicitly stating that ACLs take
precedence over RPZ to prevent users from expecting RPZ actions to be
applied to queries coming from clients which are not permitted access to
the resolver by ACLs.
- this required modification to the code that generates grammar text for
the documentation, because the "dnssec-lookaside" option spanned more
than one line in doc/misc/options, so grepping out only the lines
marked "// obsolete" didn't remove the whole option. this commit adds
an option to cfg_test to print named.conf clauses only if they don't
have the obsolete, ancient, test-only, or not-yet-implemented flags
set.
Add a helper shell function, rndc_dumpdb(), which provides a convenient
way to call "rndc dumpdb" for a given server with optional additional
arguments. Since database dumping is an asynchronous process, the
function waits until the dump is complete before returning, which
prevents false positives in system tests caused by inspecting the dump
before its preparation is finished. The function also renames the dump
file before returning so that it does not get overwritten by subsequent
calls; this retains forensic data in case of an unexpected test failure.
The change fixes the following build failure on sparc T3 and older CPUs:
```
sparc-unknown-linux-gnu-gcc ... -O2 -mcpu=niagara2 ... -c rwlock.c
{standard input}: Assembler messages:
{standard input}:398: Error: Architecture mismatch on "pause ".
{standard input}:398: (Requires v9e|v9v|v9m|m8; requested architecture is v9b.)
make[1]: *** [Makefile:280: rwlock.o] Error 1
```
`pause` insutruction exists only on `-mcpu=niagara4` (`T4`) and upper.
The change adds `pause` configure-time autodetection and uses it if available.
config.h.in got new `HAVE_SPARC_PAUSE` knob. Fallback is a fall-through no-op.
Build-tested on:
- sparc-unknown-linux-gnu-gcc (no `pause`, build succeeds)
- sparc-unknown-linux-gnu-gcc -mcpu=niagara4 (`pause`, build succeeds)
Reported-by: Rolf Eike Beer
Bug: https://bugs.gentoo.org/691708
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
There's a deadlock in BIND 9 code where (dns_view_t){ .lock } and
(dns_resolver_t){ .buckets[i].lock } gets locked in different order. When
view->weakrefs gets converted to a reference counting we can reduce the locking
in dns_view_weakdetach only to cases where it's the last instance of the
dns_view_t object.
(cherry picked from commit a7c9a52c89)
(cherry picked from commit 232140edae)
There's no strong reason to keep `make tags` in our build system. The previous
functionality of `make tags` could be simply retained by aliasing variant of:
etags $(git ls-files '*.c' '*.h')
which would be universal for all C-code projects.
Previously isc_thread_join() would return ISC_R_UNEXPECTED on a failure to
create new thread. All such occurences were caught and wrapped into assert
function at higher level. The function was simplified to assert directly in the
isc_thread_join() function and all caller level assertions were removed.
Previously isc_thread_create() would return ISC_R_UNEXPECTED on a failure to
create new thread. All such occurences were caught and wrapped into assert
function at higher level. The function was simplified to assert directly in the
isc_thread_create() function and all caller level assertions were removed.
Multiple resolvers in the "wildcard" system test are configured with a
single root hint: "ns.root-servers.nil", pointing to 10.53.0.1, which is
inconsistent with authoritative data served by ns1. This may cause
intermittent resolution failures, triggering false positives for the
"wildcard" system test. Prevent this from happening by making ns2, ns3,
and ns5 use root hints corresponding to the contents of ns1/root.db.in.
The isc-config.sh script was introduced before pkg-config as is a purely
historical thing. There are two reason for removal of isc-config.sh scripts:
a) The BIND 9 libraries are now meant to be used only from BIND 9, so there's no
reason to provide convenience script to link with the libraries.
b) Even if that was not the case, we should and would replace the isc-config.sh
with respective pkg-config (.pc) file for every library.
Resolve "Replace the isc_mem_put(mctx, ...)+isc_mem_detach(&mctx) usage with isc_mem_putanddetach(&mctx)"
Closes#1160
See merge request isc-projects/bind9!2195
Using isc_mem_put(mctx, ...) + isc_mem_detach(mctx) required juggling with the
local variables when mctx was part of the freed object. The isc_mem_putanddetach
function can handle this case internally, but it wasn't used everywhere. This
commit apply the semantic patching plus bit of manual work to replace all such
occurrences with proper usage of isc_mem_putanddetach().
With the move of the normal output to stdout, we need a way how to silence the
extra output, so the signed file name can be captured in a simple way. This
commit adds `-q` command line option that will silence all the normal output
that get's printed from both tools.
The lib/dns/zoneverify.c output was hardwired to stderr, which was inconsistent
with lib/dns/dnssec.c. This commit changes zoneverify.c to print the normal run
information to caller supplied function - same model as in the lib/dns/dnssec.c.
Previously, the default output from the libdns library went to stderr by
default. This was inconsistent with the rest of the output. This commit
changes the default logging to go to stdout, with notable exception - when the
output of the signing process goes to stdout, the messages are printed to the
stderr. This is consistent with other functions that output information about
the signing process - e.g. print_stats().
The ns2 named instance in the "staticstub" system test is configured
with a single root hint commonly used in BIND system tests
(a.root-servers.nil with an address of 10.53.0.1), which is inconsistent
with authoritative data served by ns1. This may cause intermittent
resolution failures, triggering false positives for the "staticstub"
system test. Prevent this from happening by making ns1 serve data
corresponding to the contents of bin/tests/system/common/root.hint.
Ensure BIND is continuously tested on Alpine Linux as it is commonly
used as a base for Docker containers and employs a less popular libc
implementation, musl libc.
"PST8PDT" is a legacy time zone name whose use in modern code is
discouraged. It so happens that using this time zone with musl libc
time functions results in different output than for other libc
implementations, which breaks the lib/isc/tests/time_test unit test.
Use the "America/Los_Angeles" time zone instead in order to get
consistent output across all tested libc implementations.
Appending output of a command to the same file as the one that command
is reading from is a dangerous practice. It seems to have accidentally
worked with all the awk implementations we have tested against so far,
but for BusyBox awk, doing this may result in the input/output file
being written to in an infinite loop. Prevent this from happening by
redirect awk output to a temporary file and appending its contents to
the original file in a separate shell pipeline.
The Net::DNS Perl module needs the Digest::HMAC module to support TSIG.
However, since the latter is not a hard requirement for the former, some
packagers do not make Net::DNS depend on Digest::HMAC. If Net::DNS is
installed on a host but Digest::HMAC is not, the "xfer" system test
breaks in a very hard-to-debug way (ans5 returns TSIG RRs with empty
RDATA, which prevents TSIG-signed SOA queries and transfers from
working). Prevent this from happening by making the "xfer" system test
explicitly require Digest::HMAC apart from Net::DNS.
The BusyBox version of sed treats leading '\+' in a regular expression
to be matched as a syntax error ("Repetition not preceded by valid
expression"), which triggers false positives for the "digdelv" system
test. Make the relevant sed invocations work portably across all sed
implementations by removing the leading backslash.
The BusyBox version of awk treats some variables which other awk
implementations consider to be decimal values as octal values. This
intermittently breaks key event interval calculations in the "autosign"
system test, trigger false positives for it. Prevent the problem from
happening by stripping leading zeros from the affected awk variables.
For some libc implementations, BUFSIZ is small enough (e.g. 1024 for
musl libc) to trigger compilation warnings about insufficient size of
certain buffers. Since the relevant buffers are used for printing DNS
names, increase their size to '(n + 1) * DNS_NAME_FORMATSIZE', where 'n'
is the number of DNS names which are printed to a given buffer. This
results in somewhat arbitrary, albeit nicely-aligned and large enough
buffer sizes.
Including <sys/errno.h> instead of <errno.h> raises a compiler warning
when building against musl libc. Always include <errno.h> instead of
<sys/errno.h> to prevent that compilation warning from being triggered
and to achieve consistency in this regard across the entire source tree.
Make sure all unit tests include headers in a similar order:
1. Three headers which must be included before <cmocka.h>.
2. System headers.
3. UNIT_TESTING definition, followed by the <cmocka.h> header.
4. libisc headers.
5. Headers from other BIND libraries.
6. Local headers.
Also make sure header file names are sorted alphabetically within each
block of #include directives.
All unit tests define the UNIT_TESTING macro, which causes <cmocka.h> to
replace malloc(), calloc(), realloc(), and free() with its own functions
tracking memory allocations. In order for this not to break
compilation, the system header declaring the prototypes for these
standard functions must be included before <cmocka.h>.
Normally, these prototypes are only present in <stdlib.h>, so we make
sure it is included before <cmocka.h>. However, musl libc also defines
the prototypes for calloc() and free() in <sched.h>, which is included
by <pthread.h>, which is included e.g. by <isc/mutex.h>. Thus, unit
tests including "dnstest.h" (which includes <isc/mem.h>, which includes
<isc/mutex.h>) after <cmocka.h> will not compile with musl libc as for
these programs, <sched.h> will be included after <cmocka.h>.
Always including <cmocka.h> after all other header files is not a
feasible solution as that causes the mock assertion macros defined in
<isc/util.h> to mangle the contents of <cmocka.h>, thus breaking
compilation. We cannot really use the __noreturn__ or analyzer_noreturn
attributes with cmocka assertion functions because they do return if the
tested condition is true. The problem is that what BIND unit tests do
is incompatible with Clang Static Analyzer's assumptions: since we use
cmocka, our custom assertion handlers are present in a shared library
(i.e. it is the cmocka library that checks the assertion condition, not
a macro in unit test code). Redefining cmocka's assertion macros in
<isc/util.h> is an ugly hack to overcome that problem - unfortunately,
this is the only way we can think of to make Clang Static Analyzer
properly process unit test code. Giving up on Clang Static Analyzer
being able to properly process unit test code is not a satisfactory
solution.
Undefining _GNU_SOURCE for unit test code could work around the problem
(musl libc's <sched.h> only defines the prototypes for calloc() and
free() when _GNU_SOURCE is defined), but doing that could introduce
discrepancies for unit tests including entire *.c files, so it is also
not a good solution.
All in all, including <sched.h> before <cmocka.h> for all affected unit
tests seems to be the most benign way of working around this musl libc
quirk. While quite an ugly solution, it achieves our goals here, which
are to keep the benefit of proper static analysis of unit test code and
to fix compilation against musl libc.
Resolvers in the "filter-aaaa" system test are configured with a single
root hint: "ns.rootservers.net", pointing to 10.53.0.1. However,
querying ns1 for "ns.rootservers.net" results in NXDOMAIN answers.
Since the TTL for the root hint is set to 0, it may happen that a
resolver's ADB will be asked to return any known addresses for
"ns.rootservers.net", but it will only have access to a cached NXDOMAIN
answer for that name and an expired root hint, which will result in a
resolution failure, triggering a false positive for the "filter-aaaa"
system test. Prevent this from happening by making all the root hints
consistent with authoritative data served by ns1.
The HTML view of the statistics channel creates
pages with many long tables. These can be difficult
to navigate.
This commit adds a "show/hide" toggle to each
heading, which makes it easy to compress/expand
the view.
- removed some dead code
- dns_zone_setdbtype is now void as it could no longer return
anything but ISC_R_SUCCESS; calls to it no longer check for a result
- controlkeylist_fromconfig() is also now void
- fixed a whitespace error
The isc_mem_get() cannot fail gracefully now, it either gets memory of
assert()s. The added semantic patch cleans all the blocks checking whether
the return value of isc_mem_get() was NULL.
The coccinelle and util/update_copyright script have different
idea about how the whitespace should look like. Revert the script
to the previous version, so it doesn't mangle the files in place,
and deal with just whitespace changes.
Commit 9da902a201 removed locking around
the fctx_decreference() call inside resume_dslookup(). This allows
fctx_unlink() to be called without the bucket lock being held, which
must never happen. Ensure the bucket lock is held by resume_dslookup()
before it calls fctx_decreference().
Ensure BIND with dnstap support enabled is being continuously tested by
adding --enable-dnstap to the ./configure invocation used for CentOS 7
and Debian sid builds in GitLab CI.
When the unit test is linked with dynamic libraries, the wrapping
doesn't occur, probably because it's different translation unit.
To workaround the issue, we provide thin wrappers with *real* symbol
names that just call the mocked functions.
1. Restore locking in the fctx_decreference() code, because the insides of the
function needs to be protected when fctx->references drops to 0.
2. Restore locking in the dns_resolver_attach() code, because two variables are
accessed at the same time and there's slight chance of data race.
Although the struct dns_resolver.exiting member is protected by stdatomics, we
actually need to wait for whole dns_resolver_shutdown() to finish before
destroying the resolver object. Otherwise, there would be a data race and some
fctx objects might not be destroyed yet at the time we tear down the
dns_resolver object.
This commit changes the BIND cookie algorithms to match
draft-sury-toorop-dnsop-server-cookies-00. Namely, it changes the Client Cookie
algorithm to use SipHash 2-4, adds the new Server Cookie algorithm using SipHash
2-4, and changes the default for the Server Cookie algorithm to be siphash24.
Add siphash24 cookie algorithm, and make it keep legacy aes as
Each individual test opened GeoIP databased but the database handles were never
closed. This commit moves the open/close from the individual unit tests into
the _setup and _teardown methods where they really belong.
Instead of the explicit struct initializer with all member, rely on the fact
that static variables are explicitly initialized to 0 if not explicitly
initialized.
The MSVS C compiler requires every struct to have at least one member.
The dns_geoip_databases_t structure had one set of members for
HAVE_GEOIP and a different set for HAVE_GEOIP2, and none when neither
API is in use.
This commit silences the compiler error by moving the declaration of
dns_geoip_databases_t to types.h as an opaque reference, and commenting
out the contents of geoip.h when neither version of GeoIP is enabled.
Commit b104a9bc50 introduced unconditional
use of the ATOMIC_VAR_INIT() macro in bin/dnssec/dnssec-signzone.c even
though that macro is only defined on Unix platforms. Define it on
Windows systems as well in order to prevent build failures.
The ThreadSanitizer found several possible data races in our rwlock
implementation. This commit changes all the unprotected variables to atomic and
also changes the explicit memory ordering (atomic_<foo>_explicit(..., <order>)
functions to use our convenience macros (atomic_<foo>_<order>).
The SO_BSDCOMPAT socket option is no-op since Linux 2.4, see the manpage:
SO_BSDCOMPAT
Enable BSD bug-to-bug compatibility. This is used by the UDP protocol
module in Linux 2.0 and 2.2. If enabled, ICMP errors received for a UDP
socket will not be passed to the user program. In later kernel
versions, support for this option has been phased out: Linux 2.4
silently ignores it, and Linux 2.6 generates a kernel warning (printk())
if a program uses this option. Linux 2.0 also enabled BSD bug-to-bug
compatibility options (random header changing, skipping of the broadcast
flag) for raw sockets with this option, but that was removed in Linux
2.2.
The 'managed-keys' (and 'trusted-keys') options have been deprecated
by 'dnssec-keys'. Some documentation references to 'managed-keys'
had not yet been marked or noted as such.
When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros. This breaks tests when
keys with ID 0 are generated. Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed. Clear the output buffer before expanding it to prevent
this issue from occurring.
Adds a new option to named-checkconf, -i. If set, named-checkconf
will not warn you about deprecated options. This allows people
to use named-checkconf in automated deployment precoesses where an
operator only cares if their conf is valid, even if it is not optimal.
This was added as a request as part of introducing a policy on
removing named.conf options.
- revise mapping of search terms to database types to match the
GeoIP2 schemas.
- open GeoIP2 databases when starting up; close when shutting down.
- clarify the logged error message when an unknown database type
is configured.
- add new geoip ACL subtypes to support searching for continent in
country databases.
- map geoip ACL subtypes to specific MMDB database queries.
- perform MMDB lookups based on subtype, saving state between
queries so repeated lookups for the same address aren't necessary.
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
(libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
is an error.
- an attempt is made to determine the default GeoIP2 database path at
compile time if pkg-config is able to report the module prefix. if
this fails, it will be necessary to set the path in named.conf with
geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
added for the eventual GeoIP2 search implementation.
When GNU C Compiler is used on Solaris (11), the Thread Local Storage
is completely broken. The behaviour doesn't manifest when GNU ld is
used. Thus, we need to enforce usage of GNU ld when GNU C Compiler is
the compiler of choice.
For more background for this change, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90912
In ISC-Bugs 45340, I wrote:
The Statistics channel offers links to Zones and Traffic.
Both produce valid data, but display as blank pages with
a web browser.
Zones never had XSL (I provided the original
implementation, but punted on the XSL).
Traffic has XSL, but it wasn't updated to reflect the
split between IPv4 and IPv6 data.
I've picked up enough XSL to fix my original omission,
and as penance for my sloth, fixed the Traffic bug as well.
- when processing authoritative queries for ./NS, set 'gluedb' so
that glue will be included in the response, regardless of how
'minimal-responses' has been configured.
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.
We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:
- this change in behavior is considered a libidn2 bug fix [1],
- we want to make sure dig behaves as expected, not libidn2,
- implementing that would require additional configure.ac cruft.
Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.
[1] see upstream commit 241e8f486134793cb0f4a5b0e5817a97883401f5
Since commit 0771dd3be8, <isc/mem.h> no
longer includes <isc/xml.h>. On some systems (e.g. FreeBSD), this means
that no header included by lib/dns/dnsrps.c (and no header included by
those headers) contains a definition of free() any more, which triggers
a compiler warning as lib/dns/dnsrps.c calls that function. Add the
missing #include directive to prevent that warning from being triggered.
No function called dns_dnssecsignstats_decrement() actually exists.
Putting it into lib/dns/win32/libdns.def.in breaks at least some Windows
builds. Remove the nonexistent function from that file.
Since the message confirming outgoing transfer completion is logged
asynchronously, it may happen that transfer statistics may not yet be
logged by the time the dig command triggering a given transfer returns.
This causes false positives for the "ixfr" and "xfer" system tests.
Prevent this from happening by checking outgoing transfer statistics up
to 10 times, in 1-second intervals.
The ax_check_openssl m4 macro used OPENSSL_INCLUDES. Rename the
subst variable to OPENSSL_CFLAGS and wrap AX_CHECK_OPENSSL() in
action-if-not-found part of PKG_CHECK_MODULE check for libcrypto.
The json-c have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
The libxml2 have previously leaked into the global namespace leading
to forced -I<include_path> for every compilation unit using isc/xml.h
header. This MR fixes the usage making the caller object opaque.
In addition to gather how many times signatures are created per
key in a zone, also count how many of those signature creations are
because of DNSSEC maintenance. These maintenance counters are
incremented if a signature is refreshed (but the RRset did not
changed), when the DNSKEY RRset is changed, and when that leads
to additional RRset / RRSIG updates (for example SOA, NSEC).
This adds tests to the statschannel system test for testing if
the dnskey sign operation counters are incremented correctly.
It tests three cases:
1. A zone maintenance event where all the signatures that are about
to expire are resigned.
2. A dynamic update event where the new RR and other relevant records
(SOA, NSEC) are resigned.
3. Adding a standby key, that means the DNSKEY and SOA RRset are
resigned.
After a failed reload I noticed two problems:
* There was a missing newline in the output of `rndc status` so it
finished "reload/reconfig in progressserver is up and running"
* The "reconfig in progress" note should have said "reconfig failed"
Previously the autoconf script set sysconfdir to /etc and localstatedir to /var
if they were not explicitly set in the ./configure invocation. This MR reverts
the override and make it more in line with default and generally expected
autoconf behavior.
AM_MAINTAINER_MODE macro adds ability to disable rebuilding build file
(Makefile.in, configure, ...) when the source file changes. This is
important in the CI where the timestamps could get skewed and that
triggers the rebuild on every ./configure run.
The differences between two files are very minimal and most of the
code is common. Merge those two files and use #ifdef WIN32 to include
the right bits on Windows.
Using atomic_int_fast64_t variables with atomic functions on x86 does
not cause Visual Studio to report build errors, but such operations
yield useless results. Since the isc_stat_t type is unconditionally
typedef'd to atomic_int_fast64_t, any code performing atomic operations
on isc_stat_t variables is broken in x86 Windows builds. Fix by using
the atomic_int_fast32_t type for isc_stat_t in x86 Windows builds.
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was addet to the
dnsclientinfo struct. It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.
Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this changes takes a different approach by
syncing the values other way around.
The common construct seen in the BIND 9 source is func(isc_mem_t *mctx, ...).
Unfortunately, the dnstest.{h,c} has been using mctx as a global symbol, which
in turn generated a lot of errors when update.c got included in update_test.c.
As a rule of thumb, we should avoid naming global symbols with generic names
(like mctx) and we should prefix them with "namespace" (like dt_mctx).
The CHECK() macro has been defined both in dnstest.h and update.c
files. This has created a conflict between macro definitions when
including both of the files in update_test.c. While the CHECK() macro
is convenient for the tests, it has been really used in just two
files, so the MR moves them into those respective .c files.
lib/dns/tests/update_test was failing on macOS on random occasions. It
turned out this was a linker problem - it preferred isc_stdtime_get()
from libisc instead of the local version in lib/dns/tests/update_test.c.
Fix by including the original .c file in the unit test. This has two
benefits:
a) linking order may no longer cause issues as symbols found in the
same compilation unit are always preferred,
b) it allows writing tests for static functions in lib/dns/update.c.
Pull and use several autoconf archive convenience macros to simplify
configure.ac.
* AX_CHECK_COMPILE_FLAG(FLAG, ...) - check whether given CFLAG works
* AX_CHECK_LINK_FLAG(FLAG, ...) - check whether given LDFLAG works
* AX_CHECK_PREPROC_FLAG(FLAG, ...) - check whether give CPPFLAG works
* AX_SAVE_FLAGS/AX_RESTORE_FLAGS - save and restore *FLAGS
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered. This must never be the case. Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).
Make the get_named_xfer_stats() helper shell function more precise in
order to prevent it from matching the wrong lines as that may trigger
false positives for the "ixfr" and "xfer" system tests. As an example,
the regular expression responsible for extracting the number of bytes
transmitted throughout an entire zone transfer could also match a line
containing the following string:
transfer of '<zone-name>/IN': sending TCP message of <integer> bytes
However, such a line is not one summarizing a zone transfer.
Also simplify both get_dig_xfer_stats() and get_named_xfer_stats() by
eliminating the need for "echo" statements in them.
If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:
tkey-dhkey "server" ;
Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file. Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.
We increase recursclients when we attach to recursion quota,
decrease when we detach. In some cases, when we hit soft
quota, we might attach to quota without increasing recursclients
gauge. We then decrease the gauge when we detach from quota,
and it causes the statistics to underflow.
Fix makes sure that we increase recursclients always when we
succesfully attach to recursion quota.
Compiling with -O3 triggers the following warnings with GCC 9.1:
task.c: In function ‘isc_taskmgr_create’:
task.c:1384:43: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
1384 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~
task.c:1384:32: note: directive argument in the range [0, 4294967294]
1384 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~
task.c:1384:3: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
1384 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
private_test.c: In function ‘private_nsec3_totext_test’:
private_test.c:110:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
110 | while (*sp == '\0' && slen > 0) {
| ^~~
private_test.c:103:11: note: while referencing ‘salt’
103 | uint32_t salt;
| ^~~~
Prevent these warnings from being triggered by increasing the size of
the relevant array (task.c) and reordering conditions (private_test.c).
Compiling with -O3 triggers the following warning with GCC 8.3:
driver.c: In function ‘dlz_findzonedb’:
driver.c:191:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~
driver.c:191:25: note: directive argument in the range [0, 65535]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~
driver.c:191:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Increase the size of the relevant array to prevent this warning from
being triggered.
Change the compiler optimization level for Debian sid build jobs from
-O2 to -O3 in order to enable triggering compilation warnings which are
not raised when -O2 is used.
write locking.
Unreachable cache in zonemgr is realized as an static LRU list.
When we 'use' an entry we need to update the last-used time, we
can use atomics to do so without the necessity to upgrading
read-lock to write-lock.
this change silences a warning message and prevents the unwanted
use of smart quotes when using pandoc 2.7.1 to generate human-readable
versions of README and other markdown files.
- change references to trusted-keys to dnssec-keys with static-key
- rebuild doc/misc/options and other generated grammar doc
- add a "see MANAGED-KEYS" note when building named.conf.docbook
- managed-keys is now deprecated as well as trusted-keys, though
it continues to work as a synonym for dnssec-keys
- references to managed-keys have been updated throughout the code.
- tests have been updated to use dnssec-keys format
- also the trusted-keys entries have been removed from the generated
bind.keys.h file and are no longer generated by bindkeys.pl.
- any use of trusted or static keys for the root zone will now
elicit a warning, regardless of what the keys may be
- ditto for any use of a key for dlv.isc.org, static or managed
- trusted-keys is now flagged as deprecated, but still works
- managed-keys can be used to configure permanent trust anchors by
using the "static-key" keyword in place of "initial-key"
- parser now uses an enum for static-key and initial-key keywords
Since 2008, the cleaning-interval timer has been documented as
"effectively obsolete" and disabled in the default configuration with
a comment saying "now meaningless".
This change deletes all the code that implements the cleaning-interval
timer, except for the config parser in whcih it is now explicitly
marked as obsolete.
I have verified (using the deletelru and deletettl cache stats) that
named still cleans the cache after this change.
Move the macOS section of <isc/endian.h> to a lower spot as it is
believed not to be the most popular platform for running BIND. Add a
comment and remove redundant definitions.
Instead of only supporting Linux, try making <isc/endian.h> support
other GNU platforms as well. Since some compilers define __GNUC__ on
BSDs (e.g. Clang on FreeBSD), move the relevant section to the bottom of
the platform-specific part of <isc/endian.h>, so that it only gets
evaluated when more specific platform determination criteria are not
met. Also include <byteswap.h> so that any byte-swapping macros which
may be defined in that file on older platforms are used in the fallback
definitions of the nonstandard hto[bl]e{16,32,64}() and
[bl]e{16,32,64}toh() conversion functions.
While Solaris does not support the nonstandard hto[bl]e{16,32,64}() and
[bl]e{16,32,64}toh() conversion functions, it does have some
byte-swapping macros available in <sys/byteorder.h>. Ensure these
macros are used in the fallback definitions of the aforementioned
nonstandard functions.
Since the hto[bl]e{16,32,64}() and [bl]e{16,32,64}toh() conversion
functions are nonstandard, add fallback definitions of these functions
to <isc/endian.h>, so that their unavailability does not prevent
compilation from succeeding.
Current versions of DragonFly BSD, FreeBSD, NetBSD, and OpenBSD all
support the modern variants of functions converting values between host
and big-endian/little-endian byte order while older ones might not.
Ensure <isc/endian.h> works properly in both cases.
Replace grep calls with awk scripts to more precisely detect presence of
CDS and CDNSKEY records in a signed zone file, in order to prevent rare
false positives for the "smartsign" system test triggered by the strings
"CDS" and/or "CDNSKEY" being accidentally present in the Base64 form of
DNSSEC-related data in the zone file being checked.
There's a small possibility of race between udp dispatcher and
socket code - socket code can still hold internal reference to a
socket while dispatcher calls isc_socket_open, which can cause
an assertion failure. Fix it by relaxing the assertion test, and
instead simply locking the socket in isc_socket_open.
qname minimization, even in relaxed mode, can fail on
some very broken domains. In relaxed mode, instead of
asking for "foo.bar NS" ask for "_.foo.bar A" to either
get a delegation or NXDOMAIN. It will require more queries
than regular mode for proper NXDOMAINs.
Performing server setup checks using "+tries=3 +time=5" is redundant as
a single query is arguably good enough for determining whether a given
named instance was set up properly. Only use multiple queries with a
long timeout for resolution checks in the "legacy" system test, in order
to significantly reduce its run time (on a contemporary machine, from
about 1m45s to 0m40s).
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size. Doing this makes all resolution checks in the "legacy"
system test more similar. Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets. Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.
On some systems (namely Debian buster armhf) the readdir() call fails
with `Value too large for defined data type` unless the
_FILE_OFFSET_BITS=64 is defined. The correct way to fix this is to
get the appropriate compilation parameters from getconf system
interface.
Each network thread holds an array of locks, indexed by a hash
of fd. When we accept a connection we hold a lock in accepting thread.
We then generate the thread number and lock bucket for the new
connection socket - if we hit the same thread and lock bucket as
accepting socket we get a deadlock. Avoid this by checking if we're
in the same thread/lock bucket and not locking in this case.
5235. [cleanup] Refactor lib/isc/app.c to be thread-safe, unused
parts of the API has been removed and the
isc_appctx_t data type has been changed to be
fully opaque. [GL #1023]
This work cleans up the API which includes couple of things:
1. Make the isc_appctx_t type fully opaque
2. Protect all access to the isc_app_t members via stdatomics
3. sigwait() is part of POSIX.1, remove dead non-sigwait code
4. Remove unused code: isc_appctx_set{taskmgr,sockmgr,timermgr}
The header file <isc/atomic.h> now contains convenience macros for
most useful explicit memory ordering for C11 stdatomics, only relaxed
and acquire-release semantics is being used. These macros SHOULD be
used instead of atomic_<func>_explicit functions.
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
Previously, only a message about missing Python was printed, which was
misleading to many users. The new message clearly states that Python
AND PLY is required and prints basic instructions how to install PLY
package.
This affects CDS records generated by `named` and `dnssec-signzone`
based on `-P sync` and `-D sync` key timing instructions.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This affects two cases:
* When writing a `dsset` file for this zone, to be used by its
parent, only write a SHA-256 DS record.
* When reading a `keyset` file for a child, to generate DS records
to include in this zone, generate SHA-256 DS records only.
This change does not affect digests used in CDS records.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This changes the behaviour so that it explicitly lists DS records that
are present in the parent but do not have keys in the child. Any
inconsistency is reported as an error, which is somewhat stricter than
before.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)
The default is now `-2`. You can get the old behaviour with `-12`.
Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
Fuzz input to dns_rdata_fromwire(). Then convert the result
to text, back to wire format, to multiline text, and back to wire
format again, checking for consistency throughout the sequence.
Resolve "Bind returning malformed packet error when sshfp record has fingerprint value less than 4 characters"
Closes#852
See merge request isc-projects/bind9!1445
there is now a common list of tests in conf.sh.common, with the
tests that are either unique to windows or to unix, or which are
enabled or disabled by configure or Configure, being listed in
separate variables in conf.sh.in and conf.sh.win32.
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.
Windows systems do not allow a trailing period in file names while Unix
systems do. When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems. This environment variable is then used by system test scripts
for handling this discrepancy properly.
In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.
To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.
In the "allow-query" system test, ns3 uses a root hints file which
contains a single entry for a.root-servers.nil (10.53.0.1). This name
is not present in the root zone served by ns1, which means querying it
for that name and any type will yield an NXDOMAIN response. When
combined with unfavorable thread scheduling, this can lead to ns3
caching an NXDOMAIN response for the only root server it is aware of and
thus to false positives for the "allow-query" system test caused by ns3
returning unexpected SERVFAIL responses. Fix by modifying the root zone
served by ns1 so that authoritative responses to a.root-servers.nil
queries match the root hints file used by ns3.
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.
we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.
(cherry picked from commit 02365b87ea0b1ea5ea8b17376f6734c811c95e61)
(cherry picked from commit cae79e1bab)
- if the TCP quota has been exceeded but there are no clients listening
for new connections on the interface, we can now force attachment to the
quota using isc_quota_force(), instead of carrying on with the quota not
attached.
- the TCP client quota is now referenced via a reference-counted
'ns_tcpconn' object, one of which is created whenever a client begins
listening for new connections, and attached to by members of that
client's pipeline group. when the last reference to the tcpconn
object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function
- convert counters to stdatomic
(cherry picked from commit a8dd133d270873b736c1be9bf50ebaa074f5b38f)
(cherry picked from commit 4a8fc979c4)
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
carry this value on to new clients sharing the same pipeline group.
don't call isc_quota_detach() on the tcpquota unless tcpattached is
set. this way clients that were allowed to accept TCP connections
despite being over quota (and therefore, were never attached to the
quota) will not inadvertently detach from it and mess up the
accounting.
- simplify the code for tcpquota disconnection by using a new function
tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
exhaustion, check to see whether there are at least two active
clients. previously, this was "at least one", but that could be
insufficient if there was one other client in READING state (waiting
for messages on an open connection) but none in READY (listening
for new connections).
- before deciding whether a TCP client object can to go inactive, we
must ensure there are enough other clients to maintain service
afterward -- both accepting new connections and reading/processing new
queries. A TCP client can't shut down unless at least one
client is accepting new connections and (in the case of pipelined
clients) at least one additional client is waiting to read.
(cherry picked from commit 427a2fb4d17bc04ca3262f58a9dcf5c93fc6d33e)
(cherry picked from commit 0896841272)
Track pipeline groups using a shared reference counter
instead of a linked list.
(cherry picked from commit 31f392db20207a1b05d6286c3c56f76c8d69e574)
(cherry picked from commit 2211120222)
the TCP client quota could still be ineffective under some
circumstances. this change:
- improves quota accounting to ensure that TCP clients are
properly limited, while still guaranteeing that at least one client
is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
was no longer needed
- adds comments
(cherry picked from commit 9e74969f85329fe26df2fad390468715215e2edd)
(cherry picked from commit d7e84cee0b)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.
If TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.
(cherry picked from commit eafcff07c25bdbe038ae1e4b6660602a080b9395)
(cherry picked from commit 9e7617cc84)
- Always set is_zonep in query_getdb; previously it was only set if
result was ISC_R_SUCCESS or ISC_R_NOTFOUND.
- Don't reset is_zone for redirect.
- Style cleanup.
(cherry picked from commit a85cc641d7a4c66cbde03cc4e31edc038a24df46)
(cherry picked from commit 486a201149)
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.
Remove sleep calls from test, rely on wait_for_log(). Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.
Slightly adjust the echo_i() lines to print only the key ID (not the
key name).
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete. Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.
- named could return FORMERR if parsing iterative responses
ended with a result code such as DNS_R_OPTERR. instead of
computing a response code based on the result, in this case
we now just force the response to be SERVFAIL.
Make bin/tests/system/ifconfig.bat also configure addresses ending with
9 and 10, so that the script is in sync with its Unix counterpart.
Update comments listing the interfaces created by ifconfig.{bat,sh} so
that they do not include addresses whose last octet is zero (since an
address like 10.53.1.0/24 is not a valid host address and thus the
aforementioned scripts do not even attempt configuring them).
On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
contains carriage return characters at the end of each line. Remove
them before passing the aforementioned file to the awk script extracting
key IDs so that the latter can work properly.
As signals are currently not handled by named on Windows, instances
terminated using signals are not able to perform a clean shutdown, which
involves e.g. removing the lock file. Thus, waiting for a given
instance's lock file to be removed beforing assuming it is shut down
is pointless on Windows, so do not even attempt it.
When a Windows service receives a request to stop, it should not set its
state to SERVICE_STOPPED until it is completely shut down as doing that
allows the operating system to kill that service prematurely, which in
the case of named may e.g. prevent the PID file and/or the lock file
from being cleaned up.
Set service state to SERVICE_STOP_PENDING when named begins its shutdown
and only report the SERVICE_STOPPED state immediately before exiting.
this restores functionality that was removed in commit 03be5a6b4e,
allowing named to search in authoritative zone databases outside the
current zone for additional data, if and only if recursion is allowed
and minimal-responses is disabled.
The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records. It will make sure the keys are
active and available. However, for operational practices keys may
be offline. This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.
This commit adds a lengthy test where the ZSK is rolled but the
KSK is offline (except for when the DNSKEY RRset is changed). The
specific scenario has the `dnskey-kskonly` configuration option set
meaning the DNSKEY RRset should only be signed with the KSK.
A new zone `updatecheck-kskonly.secure` is added to test against,
that can be dynamically updated, and that can be controlled with rndc
to load the DNSSEC keys.
There are some pre-checks for this test to make sure everything is
fine before the ZSK roll, after the new ZSK is published, and after
the old ZSK is deleted. Note there are actually two ZSK rolls in
quick succession.
When the latest added ZSK becomes active and its predecessor becomes
inactive, the KSK is offline. However, the DNSKEY RRset did not
change and it has a good signature that is valid for long enough.
The expected behavior is that the DNSKEY RRset stays signed with
the KSK only (signature does not need to change). However, the
test will fail because after reconfiguring the keys for the zone,
it wants to add re-sign tasks for the new active keys (in sign_apex).
Because the KSK is offline, named determines that the only other
active key, the latest ZSK, will be used to resign the DNSKEY RRset,
in addition to keeping the RRSIG of the KSK.
The question is: Why do we need to resign the DNSKEY RRset
immediately when a new key becomes active? This is not required,
only once the next resign task is triggered the new active key
should replace signatures that are in need of refreshing.
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.
In dns_rpz_update_from_db we call setup_update which creates the db
iterator and calls dns_dbiterator_first. This unpauses the iterator and
might cause db->tree_lock to be acquired. We then do isc_task_send(...)
on an event to do quantum_update, which (correctly) after each iteration
calls dns_dbiterator_pause, and re-isc_task_sends itself.
That's an obvious bug, as we're holding a lock over an async task send -
if a task requesting write (e.g. prune_tree) is scheduled on the same
workers queue as update_quantum but before it, it will wait for the
write lock indefinitely, resulting in a deadlock.
To fix it we have to pause dbiterator in setup_update.
Some system tests assume dig's default setings are in effect. While
these defaults may only be silently overridden (because of specific
options set in /etc/resolv.conf) for BIND releases using liblwres for
parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
prudent to make sure that tests relying on specific +timeout and +tries
settings specify these explicitly in their dig invocations, in order to
prevent test failures from being triggered by any potential changes to
current defaults.
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.
Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test. Make key ID
extraction precise by using an awk script which operates on specific
fields.
The "mirror" system test expects all dig queries (including recursive
ones) to be responded to within 1 second, which turns out to be overly
optimistic in certain cases and leads to false positives being
triggered. Increase dig query timeout used throughout the "mirror"
system test to 2 seconds in order to alleviate the issue.
Currently, ns3 in the "mirror" system test sends trust anchor telemetry
queries every second as it is started with "-T tat=1". Given the number
of trust anchors configured on ns3 (9), TAT-related traffic clutters up
log files, hindering troubleshooting efforts. Increase TAT query
interval to 3 seconds in order to alleviate the issue.
Note that the interval chosen cannot be much higher if intermittent test
failures are to be avoided: TAT queries are only sent after the
configured number of seconds passes since resolver startup. Quick
experiments show that even on contemporary hardware, ns3 should be
running for at least 5 seconds before it is first shut down, so a
3-second TAT query interval seems to be a reasonable, future-proof
compromise. Ensure the relevant check is performed before ns3 is first
shut down to emphasize this trade-off and make it more clear by what
time TAT queries are expected to be sent.
"rndc dumpdb" works asynchronously, i.e. the requested dump may not yet
be fully written to disk by the time "rndc" returns. Prevent false
positives for the "serve-stale" system test by only checking dump
contents after the line indicating that it is complete is written.
This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.
Some values returned by dstkey_fromconfig() indicate that key loading
should be interrupted, others do not. There are also certain subsequent
checks to be made after parsing a key from configuration and the results
of these checks also affect the key loading process. All of this
complicates the key loading logic.
In order to make the relevant parts of the code easier to follow, reduce
the body of the inner for loop in load_view_keys() to a single call to a
new function, process_key(). Move dstkey_fromconfig() error handling to
process_key() as well and add comments to clearly describe the effects
of various key loading errors.
More specifically: ignore configured trusted and managed keys that
match a disabled algorithm. The behavioral change is that
associated responses no longer SERVFAIL, but return insecure.
bin/tests/system/stop.pl only waits for the PID file to be cleaned up
while named cleans up the lock file after the PID file. Thus, the
aforementioned script may consider a named instance to be fully shut
down when in fact it is not.
Fix by also checking whether the lock file exists when determining a
given instance's shutdown status. This change assumes that if a named
instance uses a lock file, it is called "named.lock".
Also rename clean_pid_file() to pid_file_exists(), so that it is called
more appropriately (it does not clean up the PID file itself, it only
returns the server's identifier if its PID file is not yet cleaned up).
MR !1141 broke the way stop.pl is invoked when start.pl fails:
- start.pl changes the working directory to $testdir/$server before
attempting to start $server,
- commit 27ee629e6b causes the $testdir
variable in stop.pl to be determined using the $SYSTEMTESTTOP
environment variable, which is set to ".." by all tests.sh scripts,
- commit e227815af5 makes start.pl pass
$test (the test's name) rather than $testdir (the path to the test's
directory) to stop.pl when a given server fails to start.
Thus, when a server is restarted from within a tests.sh script and such
a restart fails, stop.pl attempts to look for the server directory in a
nonexistent location ($testdir/$server/../$test, i.e. $testdir/$test,
instead of $testdir/../$test). Fix the issue by changing the working
directory before stop.pl is invoked in the scenario described above.
Change to cmocka broken initialization of TZ environment. This time,
commit 1cf1254051 is not soon enough. Has
to be moved more forward, before any other tests. It library is not full
reinitialized on each test.
Remove another remnant of shared secret HMAC-MD5 support.
Explain that with currently recommended setups DNSKEY records are
inserted automatically, but you can still use $INCLUDE in other cases.
When sending an udp query (resquery_send) we first issue an asynchronous
isc_socket_connect and increment query->connects, then isc_socket_sendto2
and increment query->sends.
If we happen to cancel this query (fctx_cancelquery) we need to cancel
all operations we might have issued on this socket. If we are under very high
load the callback from isc_socket_connect (resquery_udpconnected) might have
not yet been fired. In this case we only cancel the CONNECT event on socket,
and ignore the SEND that's waiting there (as there is an `else if`).
Then we call dns_dispatch_removeresponse which kills the dispatcher socket
and calls isc_socket_close - but if system is under very high load, the send
we issued earlier might still not be complete - which triggers an assertion
because we're trying to close a socket that's still in use.
The fix is to always check if we have incomplete sends on the socket and cancel
them if we do.
On Unix systems, the CYGWIN environment variable is not set at all when
BIND system tests are run. If a named instance crashes on shutdown or
otherwise fails to clean up its pidfile and the CYGWIN environment
variable is not set, stop.pl will print an uninitialized value warning
on standard error. Prevent this by using defined().
ifconfig.sh depends on config.guess for platform guessing. It uses it to
choose between ifconfig or ip tools to configure interfaces. If
system-wide automake script is installed and local was not found, use
platform guess. It should work well on mostly any sane platform. Still
prefers local guess, but passes when if cannot find it.
When a zone is converted from NSEC to NSEC3, the private record at zone
apex indicating that NSEC3 chain creation is in progress may be removed
during a different (later) zone_nsec3chain() call than the one which
adds the NSEC3PARAM record. The "delzsk.example" zone check only waits
for the NSEC3PARAM record to start appearing in dig output while private
records at zone apex directly affect "rndc signing -list" output. This
may trigger false positives for the "autosign" system test as the output
of the "rndc signing -list" command used for checking ZSK deletion
progress may contain extra lines which are not accounted for. Ensure
the private record is removed from zone apex before triggering ZSK
deletion in the aforementioned check.
Also future-proof the ZSK deletion progress check by making it only look
at lines it should care about.
For checks querying a named instance with "dnssec-accept-expired yes;"
set, authoritative responses have a TTL of 300 seconds. Assuming empty
resolver cache, TTLs of RRsets in the ANSWER section of the first
response to a given query will always match their authoritative
counterparts. Also note that for a DNSSEC-validating named resolver,
validated RRsets replace any existing non-validated RRsets with the same
owner name and type, e.g. cached from responses received while resolving
CD=1 queries. Since TTL capping happens before a validated RRset is
inserted into the cache and RRSIG expiry time does not impose an upper
TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out
above, the original TTLs of the relevant RRsets equal 300 seconds, the
RRsets in the ANSWER section of the responses to expiring.example/SOA
and expired.example/SOA queries sent with CD=0 should always be exactly
120 seconds, never a lower value. Make the relevant TTL checks stricter
to reflect that.
Always expecting a TTL of exactly 300 seconds for RRsets found in the
ADDITIONAL section of responses received for CD=1 queries sent during
TTL capping checks is too strict since these responses will contain
records cached from multiple DNS messages received during the resolution
process.
In responses to queries sent with CD=1, ns.expiring.example/A in the
ADDITIONAL section will come from a delegation returned by ns2 while the
ANSWER section will come from an authoritative answer returned by ns3.
If the queries to ns2 and ns3 happen at different Unix timestamps,
RRsets cached from the older response will have a different TTL by the
time they are returned to dig, triggering a false positive.
Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL
section of responses to queries sent with CD=1 to fix the issue. A
safety margin this large is likely overkill, but it is used nevertheless
for consistency with similar safety margins used in other TTL capping
checks.
Commit c032c54dda inadvertently changed
the DNS message section inspected by one of the TTL capping checks from
ADDITIONAL to ANSWER, introducing a discrepancy between that check's
description and its actual meaning. Revert to inspecting the ADDITIONAL
section in the aforementioned check.
Changes introduced by commit 6b8e4d6e69
were incomplete as not all time-sensitive checks were updated to match
revised "nta-lifetime" and "nta-recheck" values. Prevent rare false
positives by updating all NTA-related checks so that they work reliably
with "nta-lifetime 12s;" and "nta-recheck 9s;". Update comments as well
to prevent confusion.
Resolve "Add return code to allow dlz's allowzonexfr to fall back to to the view's allow-transfer setting."
Closes#803
See merge request isc-projects/bind9!1292
During "dlv" system test setup, the "sed" regex used for mangling the
DNSKEY RRset for the "druz" zone does not include the plus sign ("+"),
which may:
- cause the replacement to happen near the end of DNSKEY RDATA, which
can cause the latter to become an invalid Base64 string,
- prevent the replacement from being performed altogether.
Both cases prevent the "dlv" system test from behaving as intended and
may trigger false positives. Add the missing character to the
aforementioned regex to ensure the replacement is always performed on
bytes 10-25 of DNSKEY RDATA.
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.
Use dns_dsdigest_t in library function arguments.
Improve dnssec-cds with these more specific types.
Alphabetize options and synopsis; remove spurious -z from synopsis;
remove remnants of deprecated -k option; remove mention of long-gone
TSIG support; refer to -T KEY in options that are only relevant to
pre-RFC3755 DNSSEC; remove unnecessary -n ZONE from the example, and
add a -f KSK example.
During server reconfiguration, plugin instances set up for the old views
are unloaded very close to the end of the whole process, after new
plugin instances are set up. As the log message announcing plugin
unloading is emitted at the default "info" level, the user might be
misled into thinking that it is the new plugin instances that are being
unloaded for some reason, particularly because all other messages logged
at the "info" level around the same time inform about setting things up
rather than tearing them down. Since no distinction is currently made
between destroying a view due to reconfiguration and due to a shutdown
in progress, there is no easy way to vary the contents of the log
message depending on circumstances. Since this message is not a
particularly critical one, demote it to debug level to prevent
confusion.
5161. [func] named plugins are now installed into a separate
directory. Supplying a filename (a string without path
separators) in a "plugin" configuration stanza now
causes named to look for that plugin in that directory.
[GL #878]
When the "library" part of a "plugin" configuration stanza does not
contain at least one path separator, treat it as a filename and assume
it is a name of a shared object present in the named plugin installation
directory. Absolute and relative paths can still be used and will be
used verbatim. Get the full path to a plugin before attempting to
check/register it so that all relevant log messages include the same
plugin path (apart from the one logged when the full path cannot be
determined).
Implement a helper function which, given an input string:
- copies it verbatim if it contains at least one path separator,
- prepends the named plugin installation directory to it otherwise.
This function will allow configuration parsing code to conveniently
determine the full path to a plugin module given either a path or a
filename.
While other, simpler ways exist for making sure filenames passed to
dlopen() cause the latter to look for shared objects in a specific
directory, they are very platform-specific. Using full paths is thus
likely the most portable and reliable solution.
Also added unit tests for ns_plugin_expandpath() to ensure it behaves
as expected for absolute paths, relative paths, and filenames, for
various target buffer sizes.
(Note: plugins share a directory with named on Windows; there is no
default plugin path. Therefore the source path is copied to the
destination path with no modification.)
Installing named plugins into ${libdir} clutters the latter and is not
in line with common filesystem conventions. Instead, install named
plugins into a separate directory, ${libdir}/named.
The "check key refreshes are resumed after root servers become
available" check may trigger a false positive for the "mkeys" system
test if the second example/TXT query sent by dig is received by ns5 less
than a second after it receives a REFUSED response to the upstream query
it sends to ns1 in order to resolve the first example/TXT query sent by
dig. Since that REFUSED response from ns1 causes ns5 to return a
SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
which is enabled by default with a TTL of 1 second. This in turn may
cause ns5 to return a cached SERVFAIL response to the second example/TXT
query sent by dig, i.e. make ns5 not perform full query processing as
expected by the check.
Since the primary purpose of the check in question is to ensure that key
refreshes are resumed once initially unavailable root servers become
available, the optimal solution appears to be disabling SERVFAIL cache
for ns5 as doing that still allows the check to fulfill its purpose and
it is arguably more prudent than always sleeping for 1 second.
For consistency between all system tests, add missing setup.sh scripts
for tests which do not have one yet and ensure every setup.sh script
calls its respective clean.sh script.
Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script. Remove redundant "rm"
invocations from setup.sh scripts. Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.
If dots are not escaped in the "1.2.3.4" regular expressions used for
checking whether IP address 1.2.3.4 is present in the tested resolver's
answers, a COOKIE that matches such a regular expression will trigger a
false positive for the "resolver" system test. Properly escape dots in
the aforementioned regular expressions to prevent that from happening.
in query_respond_any(), the assumption had previously been made that it
was impossible to get past iterating the node with a return value of
ISC_R_NOMORE but not have found any records, unless we were searching
for RRSIG or SIG. however, it is possible for other types to exist but
be hidden, such as when the zone is transitioning from insecure to
secure and DNSSEC types are encountered, and this situation could
trigger an assertion. removed the assertion and reorganized the code.
Including $SYSTEMTESTTOP/conf.sh from a system test's clean.sh script is
not needed for anything while it causes an error message to be printed
out when "./configure" is run, as "make clean" is invoked at the end.
Remove the offending line to prevent the error from occurring.
For all system tests utilizing named instances, call clean.sh from each
test's setup.sh script in a consistent way to make sure running the same
system test multiple times using run.sh does not trigger false positives
caused by stale files created by previous runs.
Ideally we would just call clean.sh from run.sh, but that would break
some quirky system tests like "rpz" or "rpzrecurse" and being consistent
for the time being does not hurt.
In case when a zone fails to load because the file does not exist
or is malformed, we should not run the callback that updates the
zone database when the load is done. This is achieved by
unregistering the callbacks if at zone load end if the result
indicates something else than success.
As pointed out in !813 db_registered is sort of redundant. It is
set to `true` only in `dns_zone_rpz_enable_db()` right before the
`dns_rpz_dbupdate_callback()` callback is registered. It is only
required in that callback and it is the only place that the callback
is registered. Therefore there is no path that that `REQUIRE` can
fail.
The `db_registered` variable is only set to `false` in
`dns_rpz_new_zone`, so it is not like the variable is unset again
later.
The only other place where `db_registered` is checked is in
`rpz_detach()`. If `true`, it will call
`dns_db_updatenotify_unregister()`. However if that happens, the
`db_registered` is not set back to `false` thus this implies that
this may happen multiple times. If called a second time, most
likely the unregister function will return `ISC_R_NOTFOUND`, but
the return value is not checked anyway. So it can do without the
`db_registered` check.
This may happen when loading an RPZ failed and the code path skips
calling dns_db_endload(). The dns_rpz_zone_t object is still kept
marked as having registered db. So when this object is finally
destroyed in rpz_detach(), this code will incorrectly call
`dns_db_updatenotify_unregister()`:
if (rpz->db_registered)
dns_db_updatenotify_unregister(rpz->db,
dns_rpz_dbupdate_callback, rpz);
and trigger this assertion failure:
REQUIRE(db != NULL);
To fix this, only call `dns_db_updatenotify_unregister()` when
`rpz->db` is not NULL.
These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created. Doing so
nevertheless will result in an assertion failure.
This can happen if the key uses an unsupported algorithm.
removed the SDB databases in contrib/sdb as they hadn't been
maintained in some time, and were no longer able to link to named
without modification. also:
- cleaned up contrib/README, which still referred to contrib
subdirectores that were removed already, and linked to an obsolete URL.
- removed references to sdb in doc/misc/roadmap and doc/misc/sdb.
Illustrate the syntax for the policy options, with semicolons.
Explicitly mention the "default" policy.
Fix a few typos and remove some redundant wording.
When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false. This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor. This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
The "mirror" system test checks whether log messages announcing a mirror
zone coming into effect are emitted properly. However, the helper
functions responsible for waiting for zone transfers and zone loading to
complete do not wait for these exact log messages, but rather for other
ones preceding them, which introduces a possibility of false positives.
This problem cannot be addressed by just changing the log message to
look for because the test still needs to discern between transferring a
zone and loading a zone.
Add two new log messages at debug level 99 (which is what named
instances used in system tests are configured with) that are to be
emitted after the log messages announcing a mirror zone coming into
effect. Tweak the aforementioned helper functions to only return once
the log messages they originally looked for are followed by the newly
added log messages. This reliably prevents races when looking for
"mirror zone is now in use" log messages and also enables a workaround
previously put into place in the "mirror" system test to be reverted.
In the "mirror" system test, ns3 periodically sends trust anchor
telemetry queries to ns1 and ns2. It may thus happen that for some
non-recursive queries for names inside mirror zones which are not yet
loaded, ns3 will be able to synthesize a negative answer from the cached
records it obtained from trust anchor telemetry responses. In such
cases, NXDOMAIN responses will be sent with the root zone SOA in the
AUTHORITY section. Since the root zone used in the "mirror" system test
has the same serial number as ns2/verify.db.in and zone verification
checks look for the specified serial numbers anywhere in the answer, the
test could be broken if different zone names were used.
The +noauth dig option could be used to address this weakness, but that
would prevent entire responses from being stored for later inspection,
which in turn would hamper troubleshooting test failures. Instead, use
a different serial number for ns2/verify.db.in than for any other zone
used in the "mirror" system test and check the number of records in the
ANSWER section of each response.
Due to the way the "mirror" system test is set up, it is impossible for
the "verify-unsigned" and "verify-untrusted" zones to contain any serial
number other than the original one present in ns2/verify.db.in. Thus,
using presence of a different serial number in the SOA records of these
zones as an indicator of problems with mirror zone verification is
wrong. Look for the original zone serial number instead as that is the
one that will be returned by ns3 if one of the aforementioned zones is
successfully verified.
Add a warning about potential performance implications of configuring a
non-root zone as a mirror zone. Explain in more detail how each mirror
zone version is validated and how validation failures are handled. Move
the paragraphs describing how to set up IANA root zone mirroring higher
up, so that they can be more easily found by the reader. Explicitly
state that the "masters" option needs to be present for any mirror zone
which is not the root zone. Tweak the description of the interaction
between the "dnssec-validation" setting and root zone mirroring to make
it less ambiguous. Specify what the default "notify" setting is for
mirror zones.
* Alphabetize the option lists in the man page and help text
* Make the synopses more consistent between the man page and help
text, in particular the number of different modes
* Group mutually exclusive options in the man page synopses, and order
options so that it is more clear which are available in every mode
* Expand the DESCRIPTION to provide an overview of the output modes
and input modes
* Improve cross-references between options
* Leave RFC citations to the SEE ALSO section, and clarify which RFC
specifies what
* Clarify list of digest algorithms in dnssec-dsfromkey and dnssec-cds
man pages
Running "make install" in a separate job in the "test" phase of a CI
pipeline causes a lot of object files to be rebuilt due to the way
artifacts are passed between GitLab CI jobs (object files extracted from
the artifacts archive have older modification times than their
respective source files checked out using Git by the worker running the
"install" job). Test "make install" in one of the build jobs instead,
in order to prevent object rebuilding.
Using 'after_script' for this purpose was not an option because its
failures are ignored.
Duplicating the build script in two places would be error-prone in the
long run and thus was rejected as a solution. YAML anchors would also
not help in this case.
A "positive" test (`test -n "${RUN_MAKE_INSTALL}" && make install`)
would not work because:
- it would cause the build script to fail for any job not supposed to
run "make install",
- appending `|| :` to the shell pipeline would prevent "make install"
errors from causing a job failure.
Due to the above, a "negative" test is performed, so that:
- jobs not supposed to run "make install" succeed immediately,
- jobs supposed to run "make install" only succeed when "make install"
succeeds.
5153. [func] Zone transfer statistics (size, number of records, and
number of messages) are now logged for outgoing
transfers as well as incoming ones. [GL #513]
Ensure IXFR statistics are calculated correctly by dig and named, both
for incoming and outgoing transfers. Disable EDNS when using dig to
request an IXFR so that the same reference file can be used for testing
statistics calculated by both dig and named (dig uses EDNS by default
when sending transfer requests, which affects the number of bytes
transferred).
Ensure AXFR statistics are calculated correctly by dig and named, both
for incoming and outgoing transfers. Rather than employing a zone which
is already used in the "xfer" system test, create a new one whose AXFR
form spans multiple TCP messages. Disable EDNS when using dig to
request an AXFR so that the same reference file can be used for testing
statistics calculated by both dig and named (dig uses EDNS by default
when sending transfer requests, which affects the number of bytes
transferred).
Transfer statistics are currently only reported for incoming transfers,
even though they are equally useful for outgoing transfers. Define a
separate structure for keeping track of the number of messages, records,
and bytes sent during each outgoing transfer, along with the time each
outgoing transfer took. Repurpose the 'nmsg' field of the xfrout_ctx_t
structure for tracking the number of messages actually sent, ensuring it
is only increased after isc_socket_send() indicates success. Report the
statistics gathered when an outgoing transfer completes.
The 'nmsg' field of the xfrout_ctx_t structure is an integer, even
though it is only ever compared against 0 (for tracking whether the
QUESTION section has already been sent to the client). Use a boolean
instead as it is more appropriate and also enables 'nmsg' to be
repurposed.
the occluded-key test creates both a KEY and a DNSKEY. the second
call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
a spurious warning to be printed when it sees the type KEY record.
this should be fixed in dnssec.c, but the meantime this change silences
the warning by reversing the order in which the keys are created.
- there was a memory leak when using negotiated TSIG keys.
- TKEY responses could only be signed when using a newly negotiated
key; if an existent matching TSIG was found in in the keyring it
would not be used.
- options that were flagged as obsolete or not implemented in 9.0.0
are now flagged as "ancient", and are a fatal error
- the ARM has been updated to remove these, along with other
obsolete descriptions of BIND 8 behavior
- the log message for obsolete options explicitly recommends removal
This adds a test for rndc dumpdb to ensure the correct "stale
comment" is printed. It also adds a test for non-stale data to
ensure no "stale comment" is printed for active RRsets.
In addition, the serve-stale tests are hardened with more accurate
grep calls.
This change makes rndc dumpdb correctly print the "; stale" line.
It also provides extra information on how long this data may still
be served to clients (in other words how long the stale RRset may
still be used).
up until now, message->tsigkey could only be set during parsing
of the request, but gss-tsig allows one to be created afterward.
this commit adds a new flag to the message structure, `new_tsigkey`,
which indicates that in this case it's okay for `dns_message_settsigkey()`
to be run on a message after parsing, without hitting any assertions due
to the lack of a TSIG in the request. this allows us to keep the current
restriction in place generally, but add an exception for TKEY processing.
it's probably better to just remove the restriction entirely (see next
commit).
The introduced grep call checks whether there was a
response that has an answer and an additional record.
There should be only one in the nsupdate output that is
for the TKEY response.
The introduced grep call checks whether there was a
response that has an answer and an additional record.
There should be only one in the nsupdate output that is
for the TKEY response.
Resolve "--enable-querytrace has negative performance impact - update the documentation to say this"
Closes#766
See merge request isc-projects/bind9!1367
also:
- rearranged things a little, adding a "dependencies" section
- removed the documentation of 'enable-threads'. (this part of
the change should not be backported.)
- Change 5023 (present in BIND 9.13.3+) removed BIND's internal
implementation of the getifaddrs() function which was required for
iterating network interfaces on Solaris 10 as that system does not
support that function natively.
- As of January 2019, FreeBSD 10.x is neither supported upstream nor
regularly tested by ISC, so move it from the list of regularly tested
platforms to the "Best effort" section.
- Debian 10, OpenBSD 6.3, and Fedora 29 have been released and are now
tested regularly.
use a lame server configuration to force SERVFAILs instead of killing ns2.
this prevents test failures that occurred due to a different behavior of
the netowrking stack in windows.
test the average delay between notifies instead of the minimum delay;
this helps avoid unnecessary test failures on systems with bursty
network performance.
dig retries a TCP query when a server closes the connection prematurely.
However, dig's exit code remains unaffected even if the second attempt
to get a response also fails with the same error for the same lookup,
which should not be the case. Ensure the exit code is updated
appropriately when a retry triggered by a TCP EOF condition fails.
- mishandling of trailing dots caused bad behavior with the
root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
system test
- dig command had the @ parameter in the wrong place
- private-dnskey and private-cdnskey are queried in a separate
loop, which strips 'private-' from the name to determine the qtype
In an attempt to ensure that:
- all important changes to repository contents are tested,
- pipelines are not automatically created for every single push,
- some flexibility is allowed for corner cases,
change pipeline triggering settings so that:
- full build & test pipelines are only automatically created for merge
requests and tags (both for creation and updates),
- pipelines for other repository changes (e.g. pushes to arbitrary
branches) can only be created manually, using GitLab's web
interface,
- merging a merge request only causes jobs pushing the updated ARM to
GitLab Pages to be run (as semi-linear Git history is enforced and
thus testing a MR is identical to testing the target branch
post-merge in terms of code),
- repository synchronization does not trigger duplicate pipelines in
projects which are set as mirroring targets.
Make sure all jobs are named using the following pattern:
[<job-type>:]<build-type>:<system>:<architecture>
where specifying <job-type> is optional for "precheck" and "build" jobs.
This should make it easier to quickly recognize:
- what kind of actions are performed by each job,
- which BIND build flavor is used by each job,
- which operating system image is used by each job.
There is no need to build BIND binaries before building docs and thus
the job building the current version of the ARM can be moved to the
build stage of CI.
Remove the following from .gitlab-ci.yml:
- unused variable definitions,
- unused Docker image definitions,
- commands which have no effect,
- sections which were commented out.
If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.
This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.
Also added a test to confirm priming queries are not forwarded.
go back to regular resolution. When this happens the fetch timer is
already running, and we might end up in a situation where we we create
a fetch for qname-minimized query and after that the timer is triggered
and the query is retried (fctx_try) - which causes relaunching of
qname-minimization fetch - and since we already have a qmin fetch
for this fctx - assertion failure.
This fix stops the timer when doing qname minimization - qmin fetch
internal timer should take care of all the possible timeouts.
Log a message if a mirror zone becomes unusable for the resolver (most
usually due to the zone's expiration timer firing). Ensure that
verification failures do not cause a mirror zone to be unloaded
(instead, its last successfully verified version should be served if it
is available).
Log a message when a mirror zone is successfully loaded from disk and
subsequently verified.
This could have been implemented in a simpler manner, e.g. by modifying
an earlier code branch inside zone_postload() which checks whether the
zone already has a database attached and calls attachdb() if it does
not, but that would cause the resulting logs to indicate that a mirror
zone comes into effect before the "loaded serial ..." message is logged,
which would be confusing.
Tweak some existing sed commands used in the "mirror" system test to
ensure that separate test cases comprising it do not break each other.
Log a message when a mirror zone is successfully transferred and
verified, but only if no database for that zone was yet loaded at the
time the transfer was initiated.
This could have been implemented in a simpler manner, e.g. by modifying
zone_replacedb(), but (due to the calling order of the functions
involved in finalizing a zone transfer) that would cause the resulting
logs to suggest that a mirror zone comes into effect before its transfer
is finished, which would be confusing given the nature of mirror zones
and the fact that no message is logged upon successful mirror zone
verification.
Once the dns_zone_replacedb() call in axfr_finalize() is made, it
becomes impossible to determine whether the transferred zone had a
database attached before the transfer was started. Thus, that check is
instead performed when the transfer context is first created and the
result of this check is passed around in a field of the transfer context
structure. If it turns out to be desired, the relevant log message is
then emitted just before the transfer context is freed.
Taking this approach means that the log message added by this commit is
not timed precisely, i.e. mirror zone data may be used before this
message is logged. However, that can only be fixed by logging the
message inside zone_replacedb(), which causes arguably more dire issues
discussed above.
dns_zone_isloaded() is not used to double-check that transferred zone
data was correctly loaded since the 'shutdown_result' field of the zone
transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize()
succeeds (and that in turn will not happen unless dns_zone_replacedb()
succeeds).
The handling of class and view arguments was broken, because the code
didn't realise that next_token() would overwrite the class name when
it parsed the view name. The code was trying to implement a syntax
like `refresh [[class] view]`, but it was documented to have a syntax
like `refresh [class [view]]`. The latter is consistent with other rndc
commands, so that is how I have fixed it.
Before:
$ rndc managed-keys refresh in rec
rndc: 'managed-keys' failed: unknown class/type
unknown class 'rec'
After:
$ rndc managed-keys refresh in rec
refreshing managed keys for 'rec'
There were missing newlines in the output from `rndc managed-keys
refresh` and `rndc managed-keys destroy`.
Before:
$ rndc managed-keys refresh
refreshing managed keys for 'rec'refreshing managed keys for 'auth'
After:
$ rndc managed-keys refresh
refreshing managed keys for 'rec'
refreshing managed keys for 'auth'
- the checkprivate function in the dnssec test set ret=0, erasing
results from previous tests and making the test appear to have passed
when it shouldn't have
- checkprivate needed a delay loop to ensure there was time for all
private signing records to be updated before the test
Resolve "Large NSEC3 responses cause failure in adding records to ncache and, eventually, FORMERR (instead of NXDOMAIN)"
Closes#804
See merge request isc-projects/bind9!1295
Resolve "Large NSEC3 responses cause failure in adding records to ncache and, eventually, FORMERR (instead of NXDOMAIN)"
Closes#804
See merge request isc-projects/bind9!1298
When a query times out after a socket is created and associated with a
given dig_query_t structure, calling isc_socket_cancel() causes
connect_done() to be run, which in turn takes care of all necessary
cleanups. However, certain errors (e.g. get_address() returning
ISC_R_FAMILYNOSUPPORT) may prevent a TCP socket from being created in
the first place. Since force_timeout() may be used in code handling
such errors, connect_timeout() needs to properly clean up a TCP query
which is not associated with any socket. Call clear_query() from
connect_timeout() after attempting to send a TCP query to the next
available server if the timed out query does not have a socket
associated with it, in order to prevent dig from hanging indefinitely
due to the dig_query_t structure not being detached from its parent
dig_lookup_t structure.
When a query times out and another server is available for querying
within the same lookup, the timeout handler - connect_timeout() - is
responsible for sending the query to the next server. Extract the
relevant part of connect_timeout() to a separate function in order to
improve code readability.
Before commit c2ec022f57, using the "-b"
command line switch for dig did not disable use of the other address
family than the one to which the address supplied to that option
belonged to. Thus, bind9_getaddresses() could e.g. prepare an
isc_sockaddr_t structure for an IPv6 address when an IPv4 address has
been passed to the "-b" command line option. To avoid attempting the
impossible (e.g. querying an IPv6 address from a socket bound to an IPv4
address), a certain code block in send_tcp_connect() checked whether the
address family of the server to be queried was the same as the address
family of the socket set up for sending that query; if there was a
mismatch, that particular server address was skipped.
Commit c2ec022f57 made
bind9_getaddresses() fail upon an address family mismatch between the
address the hostname passed to it resolved to and the address supplied
to the "-b" command line option. Such failures were fatal to dig back
then.
Commit 7f65860391 made
bind9_getaddresses() failures non-fatal, but also ensured that a
get_address() failure in send_tcp_connect() still causes the given query
address to be skipped (and also made such failures trigger an early
return from send_tcp_connect()).
Summing up, the code block handling address family mismatches in
send_tcp_connect() has been redundant since commit
c2ec022f57. Remove it.
5122. [bug] In a "forward first;" configuration, a forwarder
timeout did not prevent that forwarder from being
queried again after falling back to full recursive
resolution. [GL #315]
Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed. This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.
Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution. Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
Resolve "current version of cygwin grep causes tests to fail when grepping for end of line character"
Closes#782
See merge request isc-projects/bind9!1230
Resolve "[ISC-support #13767] NSEC3 typemap improperly includes DNSKEY RRset instead of ignoring it as out-of-zone"
Closes#742
See merge request isc-projects/bind9!1231
Add a new libisccfg function, cfg_pluginlist_foreach(), which allows an
arbitrary callback to be invoked for every "plugin" stanza present in a
configuration object. Use this function for both loading plugins and
checking their configuration in order to reduce duplication of
configuration processing code present in bin/named/server.c and
lib/bind9/check.c.
- "hook" is now used only for hook points and hook actions
- the "hook" statement in named.conf is now "plugin"
- ns_module and ns_modlist are now ns_plugin and ns_plugins
- ns_module_load is renamed ns_plugin_register
- the mandatory functions in plugin modules (hook_register,
hook_check, hook_version, hook_destroy) have been renamed
- use a per-view module list instead of global hook_modules
- create an 'instance' pointer when registering modules, store it in
the module structure, and use it as action_data when calling
hook functions - this enables multiple module instances to be set
up in parallel
- also some nomenclature changes and cleanup
- added some hook points that will be needed for a dns64 module later
- moved some code from the beginning of query_respond() to
the end of query_prepresponse(); this has no effect on functionality
but means we can have a hook point at the top of query_respond(),
which seems nicer
- compressed duplicated code into query_zerottl_refetch() function
- added a qctx->answered flag so that a module can prevent
query_addrrset() from being called from query_respond() when
it's already been called from the module.
- this is necessary because adding the same hook to multiple views
causes the ISC_LIST link value to become inconsistent; it isn't
noticeable when only one hook action is ever registered at a
given hook point, but it will break things when there are two.
- eliminate qctx->hookdata and client->hookflags.
- use a memory pool to allocate data blobs in the filter-aaaa module,
and associate them with the client address in a hash table
- instead of detaching the client in query_done(), mark it for deletion
and then call ns_client_detach() from qctx_destroy(); this ensures
that it will still exist when the QCTX_DESTROYED hook point is
reached.
- use a get_hooktab() function to determine the hook table.
- PROCESS_HOOK now jumps to a cleanup tag on failure
- add PROCESS_ALL_HOOKS in query.c, to run all hook functions at
a specified hook point without stopping. this is to be used for
intiialization and destruction functions that must run in every
module.
- 'result' is set in PROCESS_HOOK only when a hook function
interrupts processing.
- revised terminology: a "callback" is now a "hook action"
- remove unused NS_PROCESS_HOOK and NS_PROCESS_HOOK_VOID macros.
- added a 'hookdata' array to qctx to store pointers to up to
16 blobs of data which are allocated by modules as needed.
each module is assigned an ID number as it's loaded, and this
is the index into the hook data array. this is to be used for
holding persistent state between calls to a hook module for a
specific query.
- instead of using qctx->filter_aaaa, we now use qctx->hookdata.
(this was the last piece of filter-aaaa specific code outside the
module.)
- added hook points for qctx initialization and destruction. we get
a filter-aaaa data pointer from the mempool when initializing and
store it in the qctx->hookdata table; return to to the mempool
when destroying the qctx.
- link the view to the qctx so that detaching the client doesn't cause
hooks to fail
- added a qctx_destroy() function which must be called after qctx_init;
this calls the QCTX_DESTROY hook and detaches the view
- general cleanup and comments
- make some cfg-parsing functions global so they can be run
from filter-aaaa.so
- add filter-aaaa options to the hook module's parser
- mark filter-aaaa options in named.conf as obsolete, remove
from named and checkconf, and update the filter-aaaa test not to
use checkconf anymore
- remove filter-aaaa-related struct members from dns_view
- allow multiple "hook" statements at global or view level
- add "optional bracketed text" type for optional parameter list
- load hook module from specified path rather than hardcoded path
- add a hooktable pointer (and a callback for freeing it) to the
view structure
- change the hooktable functions so they no longer update ns__hook_table
by default, and modify PROCESS_HOOK so it uses the view hooktable, if
set, rather than ns__hook_table. (ns__hook_table is retained for
use by unit tests.)
- update the filter-aaaa system test to load filter-aaaa.so
- add a prereq script to check for dlopen support before running
the filter-aaaa system test
not yet done:
- configuration parameters are not being passed to the filter-aaaa
module; the filter-aaaa ACL and filter-aaaa-on-{v4,v6} settings are
still stored in dns_view
- temporary kluge! in this version, for testing purposes,
named always searches for a filter-aaaa module at /tmp/filter-aaaa.so.
this enables the filter-aaaa system test to run even though the
code to configure hooks in named.conf hasn't been written yet.
- filter-aaaa-on-v4, filter-aaaa-on-v6 and the filter-aaaa ACL are
still configured in the view as they were before, not in the hook.
- these formerly static helper functions have been moved into client.c
and made external so that they can be used in hook modules as well as
internally in libns: query_newrdataset, query_putrdataset,
query_newnamebuf, query_newname, query_getnamebuf, query_keepname,
query_releasename, query_newdbversion, query_findversion
- made query_recurse() and query_done() into public functions
ns_query_recurse() and ns_query_done() so they can be called from
modules.
- the goal of this change is for AAAA filtering to be fully contained
in the query logic, and implemented at discrete points that can be
replaced with hook callouts later on.
- the new code may be slightly less efficient than the old filter-aaaa
implementation, but maximum efficiency was never a priority for AAAA
filtering anyway.
- we now use the rdataset RENDERED attribute to indicate that an AAAA
rdataset should not be included when rendering the message. (this
flag was originally meant to indicate that an rdataset has already
been rendered and should not be repeated, but it can also be used to
prevent rendering in the first place.)
- the DNS_MESSAGERENDER_FILTER_AAAA, NS_CLIENTATTR_FILTER_AAAA,
and DNS_RDATASETGLUE_FILTERAAAA flags are all now unnecessary and
have been removed.
- the purpose of this change is allow for more well-defined hook points
to be available in the query processing logic. some functions that
formerly didn't have access to 'qctx' do now; this is needed because
'qctx' is what gets passed when calling a hook function.
- query_addrdataset() has been broken up into three separate functions
since it used to do three unrelated things, and what was formerly
query_addadditional() has been renamed query_additional_cb() for
clarity.
- client->filter_aaaa is now qctx->filter_aaaa. (later, it will be moved
into opaque storage in the qctx, for use by the filter-aaaa module.)
- cleaned up style and braces
- move hooks.h to public include directory
- ns_hooktable_init() initializes a hook table. if NULL is passed in, it
initializes the global hook table
- ns_hooktable_save() saves a pointer to the current global hook table.
- ns_hooktable_reset() replaces the global hook table with different
one
- ns_hook_add() adds hooks at specified hook points in a hook table (or
the global hook table if the specified table is NULL)
- load and unload functions support dlopen() of hook modules (this is
adapted from dyndb and not yet functional)
- began adding new hook points to query.c
We can remove this, because it is used in `strtodsdigest` but that
already no longer covers the algorithm name "GOST".
There is one more GOST reference in `bin/python/isc/checkds.py.in`
but that is used for presentation format and probably should stay.
(cherry picked from commit 57d44fbc628d3c7dafdd545f6b83dbdcdc39a986)
In the test the quota is set to 400, and softquota to 90%*400=360.
We first attach to quota, and then if we're above softquota we
drop the oldest client. With new socket code and taskmgr it's
parallel enough to create a race between multiple instances doing
'attach to quota' and then 'drop oldest client' - making number
of clients go over softquota. It's not a problem in real life, as
it's just soft quota.
If you have a catalog zone containing 10.in-addr.arpa and an
explicitly-configured version which overrides the catz version,
`named` used to log:
catz: error "success" while trying to add zone "10.in-addr.arpa"
After this patch it logs:
catz: zone "10.in-addr.arpa" is overridden by explicitly configured zone
Apply various fixes and tweaks to Python configuration logic implemented
in the "configure" script:
- Prevent PYTHON_INSTALL_DIR, which holds the value passed to the
--with-python-install-dir option, from being set to "unspec" by
default as this breaks installing Python modules when the
--with-python-install-dir option is not used.
- Make the --with-python-install-dir option also work when the Python
interpreter is specified explicitly (using --with-python=<...>).
- Remove dnspython dependency which was erroneously introduced in
commit 31b0dc1f20: no installed Python
module depends on dnspython, it is only used in system tests, for
which dedicated scripts exist that check whether dnspython is
available and act accordingly.
- Improve contents and placement of error messages.
- Reduce duplication of code checking Python dependencies.
- Use Autoconf macros AS_CASE() and AS_IF() instead of plain shell
code.
- Update comments. Capitalize the word "Python" when referring to the
language itself rather than a specific executable.
The stock toolchain available on CentOS 6 for i386 is unable to use the
_mm_pause() intrinsic. Fix by using "rep; nop" assembly instructions on
that platform instead.
If we know that we'll have a task pool doing specific thing it's better
to use this knowledge and bind tasks to task queues, this behaves better
than randomly choosing the task queue.
- use bound resolver tasks - we have a pool of tasks doing resolutions,
we can spread the load evenly using isc_task_create_bound
- quantum set universally to 25
Mutexes are slower if they're in the same cache line. Since
fd's come in herds, and usually our listen sockets will have nearby
fd numbers, we mangle fdlocks so that the locks are further away.
Sometimes it is useful to set a 'floor' on the TTL for records
to be cached. Some sites like to use ridiculously low TTLs for
some reason, and that often is not compatible with slow links.
Signed-off-by: Michael Milligan <milli@acmeps.com>
Signed-off-by: LaMont Jones <lamont@debian.org>
5089. [bug] Restore localhost fallback in dig and host which is
used when no nameserver addresses present in
/etc/resolv.conf are usable due to the requested
address family restrictions. [GL #433]
In BIND 9.11 and earlier, dig and similar tools used liblwres for
parsing /etc/resolv.conf. After getting a list of servers from
liblwres, a tool would check the address family of each server found and
reject those unusable. When the resulting list of usable servers was
empty, localhost addresses were queried as a fallback.
When liblwres was removed in BIND 9.12, dig and similar tools were
updated to parse /etc/resolv.conf using libirs instead. As part of that
process, the localhost fallback was removed from bin/dig/dighost.c since
the localhost fallback built into libirs was deemed to be sufficient.
However, libirs only falls back to localhost if it does not find any
name servers at all; if it does find any valid nameserver entry in
/etc/resolv.conf, it just returns it to the caller because it is
oblivious to whether the caller supports IPv4 and/or IPv6 or not. The
code in bin/dig/dighost.c subsequently filters the returned list of
servers in get_server_list() according to the requested address family
restrictions. This may result in none of the addresses returned by
libirs being usable, in which case a tool will attempt to work with an
empty server list, causing a hang and subsequently a crash upon user
interruption.
Restore the localhost fallback in bin/dig/dighost.c to prevent the
aforementioned hangs and crashes and ensure recent BIND versions behave
identically to the older ones in the circumstances described above.
If a tool using the routines defined in bin/dig/dighost.c is sent an
interruption signal around the time a connection timeout is scheduled to
fire, connect_timeout() may be executed after destroy_libs() detaches
from the global task (setting 'global_task' to NULL), which results in a
crash upon a UDP retry due to bringup_timer() attempting to create a
timer with 'task' set to NULL. Fix by preventing connect_timeout() from
attempting a retry when shutdown is in progress.
Resolve "Follow-up from "Redefine ISC's int and boolean types to use <stdint.h> and <stdbool.h> types""
Closes#449
See merge request isc-projects/bind9!998
While implementing the new unit testing framework cmocka, it was found that the
BIND 9 code doesn't compile when assertions are disabled or replaced with any
function (such as mock_assert() from cmocka unit testing framework) that's not
directly recognized as assertion by the compiler.
This made the compiler to complain about blocks of code that was recognized as
unreachable before, but now it isn't.
The changes in this commit include:
* assigns default values to couple of local variables,
* moves some return statements around INSIST assertions,
* adds __builtin_unreachable(); annotations after some INSIST assertions,
* fixes one broken assertion (= instead of ==)
Tell the user explicitly about their mistakes:
* Unknown options, e.g. -list instead of -dump
or -delete instead of -remove.
* Unknown view names.
* Excess arguments.
Include the view name in `rndc nta -dump` output, for consistency with
the NTA add and remove actions.
When removing an NTA from all views, do not abort with an error if the
NTA was not found in one of the views.
At the beginning of qname minimization we get fctx->finds filled with what's
in the cache at this point, in worst case root servers. After doing full
run querying for NSes at different levels we need to clean it and refill
it with proper values from cache.
Ensure that serve-stale works as expected when returning stale answers
is enabled, the authoritative server does not respond, and there is no
cached answer available.
Remove the following functions in order to simplify socket code:
- isc_socket_recvv()
- isc_socket_sendtov()
- isc_socket_sendtov2()
- isc_socket_sendv()
Remove the following functions in order to simplify socket code:
- isc_socket_recvv()
- isc_socket_sendtov()
- isc_socket_sendtov2()
- isc_socket_sendv()
Refactor diagnostic tools code to no longer use:
- isc_socket_recvv()
- isc_socket_sendtov2()
- isc_socket_sendv()
as these functions will be removed shortly.
While isc_buffer_copyregion() calls isc_buffer_reserve() to ensure the
target buffer will have enough available space to append the contents of
the source region to it, the variables used for subsequently checking
available space are not updated accordingly after that call. This
prevents isc_buffer_copyregion() from working as expected for
auto-reallocated buffers: ISC_R_NOSPACE will be returned if enough space
is not already available in the target buffer before it is reallocated.
Fix by calling isc_buffer_used() and isc_buffer_availablelength()
directly instead of assigning their return values to local variables.
Add some basic checks for isc_buffer_copyregion() to ensure it behaves
as expected for both fixed-size buffers and buffers which can be
automatically reallocated. Adjust the list of headers included by
lib/isc/tests/buffer_test.c so that it matches what that test program
really uses.
If an RPZ zone is to be freed during an update, canceling the
update_quantum() event is not enough because the resources released when
an update completes also need to be accounted for. Failure to do this
results in a hang upon shutdown. Fix by copying cleanup code from the
end of update_quantum() to rpz_detach().
If another RPZ update is pending when processing the previous one nears
completion and min-update-interval is set to 0, isc_timer_reset() gets
called with 'interval' set to 0, which triggers an assertion failure.
To prevent such a scenario from causing a crash, queue the update event
directly instead of asking the timer thread to do it.
Rationale: the nonce here is only used to make sure there is a low
probability of duplication, according to section B.2 of RFC7873.
It is only 32-bit, and even if an attacker knows the algorithm used
to generate nonces it won't, in any way, give him any platform to
attack the server as long as server secret used to sign the
(nonce, time) pair with HMAC-SHA1 is secure.
On the other hand, currently, each packet sent requires (unnecessarily)
a CS pseudo-random number which is ineffective.
The XSL stylesheet used by the web interface does not currently include
any element which would cause a list of zones configured in each view to
be displayed, making the "Zones" section of the web interface empty
unless some zone has been configured with "zone-statistics full;" and
queried. Since this can be confusing, modify the XSL stylesheet so that
a list of zones configured in each view is displayed in the web
interface.
XXXX. [func] Replace old message digest and hmac APIs with more
generic isc_md and isc_hmac APIs, and convert their
respective tests to cmocka. [GL #305]
XXXX. [func] A default list of primary servers for the root zone is
now built into named, allowing the "masters" statement
to be omitted when configuring an IANA root zone
mirror. [GL #564]
XXXX. [func] Attempts to use mirror zones with recursion disabled
are now considered a configuration error. [GL #564]
XXXX. [func] The only valid zone-level NOTIFY settings for mirror
zones are now "notify no;" and "notify explicit;".
[GL #564]
XXXX. [func] Mirror zones are now configured using "type mirror;"
rather than "mirror yes;". [GL #564]
To minimize the effort required to set up IANA root zone mirroring,
define a default master server list for the root zone and use it when
that zone is to be mirrored and no master server list was explicitly
specified. Contents of that list are taken from RFC 7706 and are
subject to change in future releases.
Since the static get_masters_def() function in bin/named/config.c does
exactly what named_zone_configure() in bin/named/zoneconf.c needs to do,
make the former non-static and use it in the latter to prevent code
duplication.
Since mirror zone data is treated as cache data for access control
purposes, configuring a mirror zone and disabling recursion at the same
time would effectively prevent mirror zone data from being used since
disabling recursion also disables cache access to all clients by
default. Even though this behavior can be inhibited by configuration,
mirror zones are a recursive resolver feature and thus recursion is now
required to use them.
Ignore the fact that certain configurations might still trick named into
assuming recursion is enabled when it effectively is not since this
change is not meant to put a hard policy in place but rather just to
prevent accidental mirror zone misuse.
Previous way of handling NOTIFY settings for mirror zones was a bit
tricky: any value of the "notify" option was accepted, but it was
subsequently overridden with dns_notifytype_explicit. Given the way
zone configuration is performed, this resulted in the following
behavior:
- if "notify yes;" was set explicitly at any configuration level or
inherited from default configuration, it was silently changed and so
only hosts specified in "also-notify", if any, were notified,
- if "notify no;" was set at any configuration level, it was
effectively honored since even though zone->notifytype was silently
set to dns_notifytype_explicit, the "also-notify" option was never
processed due to "notify no;" being set.
Effectively, this only allowed the hosts specified in "also-notify" to
be notified, when either "notify yes;" or "notify explicit;" was
explicitly set or inherited from default configuration.
Clean up handling of NOTIFY settings for mirror zones by:
- reporting a configuration error when anything else than "notify no;"
or "notify explicit;" is set for a mirror zone at the zone level,
- overriding inherited "notify yes;" setting with "notify explicit;"
for mirror zones,
- informing the user when the "notify" setting is overridden, unless
the setting in question was inherited from default configuration.
Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR
option for checking whether it is a mirror zone. This makes said zone
option and its associated helper function, dns_zone_mirror(), redundant,
so remove them. Remove a check specific to mirror zones from
named_zone_reusable() since another check in that function ensures that
changing a zone's type prevents it from being reused during
reconfiguration.
Rather than overloading dns_zone_slave and discerning between a slave
zone and a mirror zone using a zone option, define a separate enum
value, dns_zone_mirror, to be used exclusively by mirror zones. Update
code handling slave zones to ensure it also handles mirror zones where
applicable.
Add a new zone type, CFG_ZONE_MIRROR, to libisccfg, in order to limit
the list of options which are considered valid for mirror zones. Update
the relevant configuration checks.
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
Commonly used network configuration tools write scoped IPv6 nameserver
addresses to /etc/resolv.conf. libirs only handles these when it is
compiled with -DIRS_HAVE_SIN6_SCOPE_ID, which is not the default, and
only handles numeric scopes, which is not what network configuration
tools typically use. This causes dig to be practically unable to handle
scoped IPv6 nameserver addresses in /etc/resolv.conf.
Fix the problem by:
- not requiring a custom compile-time flag to be set in order for
scoped IPv6 addresses to be processed by getaddrinfo(),
- parsing non-numeric scope identifiers using if_nametoindex(),
- setting the sin6_scope_id field in struct sockaddr_in6 structures
returned by getaddrinfo() even if the AI_CANONNAME flag is not set.
Commit ba91243542 causes the resolver to
respond to a client query with FORMERR when all upstream queries sent to
the servers authoritative for QNAME elicit FORMERR responses. This
happens because resolver code returns DNS_R_FORMERR in such a case and
dns_result_torcode() acts as a pass-through for all arguments which are
already a valid RCODE.
The correct RCODE to set in the response returned to the client in the
case described above is SERVFAIL. Make sure this happens by overriding
the RCODE in query_gotanswer(), on the grounds that any format errors in
the client query itself should be caught long before execution reaches
that point. This change should not reduce query error logging accuracy
as the resolver code itself reports the exact reason for returning a
DNS_R_FORMERR result using log_formerr().
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
Whenever master or one for the v9_* branches gets updated, the current
ARM should be published on GitLab Pages. Add a pipeline stage which
takes care of triggering GitLab Pages pipelines. Extend the lifetime of
artifact archives containing the ARM to prevent GitLab Pages pipelines
from failing due to artifacts being unavailable.
Add a CI job which generates the HTML version of the ARM and makes it
available for download. Since this is expected to be a quick process,
the new job is enabled for all pipelines.
- this enables memory to be allocated and freed in dyndb modules
when named is linked statically. when we standardize on libtool,
this should become unnecessary.
- also, simplified the isc_mem_create/createx API by removing
extra compatibility functions
In some cases, setting qctx->result to DNS_R_SERVFAIL causes the value
of a 'result' variable containing a more specific failure reason to be
effectively discarded. This may cause certain query error log messages
to lack specificity despite a more accurate problem cause being
determined during query processing.
In other cases, qctx->result is set to DNS_R_SERVFAIL even though a more
specific error (e.g. ISC_R_NOMEMORY) could be explicitly indicated.
Since the response message's RCODE is derived from qctx->result using
dns_result_torcode(), which handles a number of possible isc_result_t
values and returns SERVFAIL for anything not explicitly listed, it is
fine to set qctx->result to something more specific than DNS_R_SERVFAIL
(in fact, this is already being done in a few cases). Modify most
QUERY_ERROR() calls so that qctx->result is set to a more specific error
code when possible. Adjust query_error() so that statistics are still
calculated properly. Remove the RECURSE_ERROR() macro which was
introduced exactly because qctx->result could be set to DNS_R_SERVFAIL
instead of DNS_R_DUPLICATE or DNS_R_DROP, which need special handling.
Modify dns_sdlz_putrr() so that it returns DNS_R_SERVFAIL when a DLZ
driver returns invalid RDATA, in order to prevent setting RCODE to
FORMERR (which is what dns_result_torcode() translates e.g. DNS_R_SYNTAX
to) while responding authoritatively.
When something goes wrong while recursing for an answer to a query,
query_gotanswer() sets a flag (qctx->want_stale) in the query context.
query_done() is subsequently called and it can either set up a stale
response lookup (if serve-stale is enabled) or conclude that a SERVFAIL
response should be sent. This may cause confusion when looking at query
error logs since the QUERY_ERROR() line responsible for setting the
response's RCODE to SERVFAIL is not in a catch-all branch of a switch
statement inside query_gotanswer() (like it is for authoritative
responses) but rather in a code branch which appears to have something
to do with serve-stale, even when the latter is not enabled.
Extract the part of query_done() responsible for checking serve-stale
configuration and optionally setting up a stale response lookup into a
separate function, query_usestale(), shifting the responsibility for
setting the response's RCODE to SERVFAIL to the same QUERY_ERROR() line
in query_gotanswer() which is evaluated for authoritative responses.
Manual page of host contained instructions to disable IDN processing
when it was built with libidn2. When refactoring IDN support however,
support for disabling IDN in host and nslookup was lost. Use also
environment variable and document it for nslookup, host and dig.
- tried to improve struct variable alignment
- ignore braces on function definitions so we can keep the existing
BIND style; braces can be on a new line or not
to update file, run: uncrustify --replace -c $TOP/.uncrustify.cfg <filename>
- note that if this is in the user's $HOME dir, it's the default
uncrustify config path name. this can be overridden with
'uncrustify -c filenaeme' or the UNCRUSTIFY_CONFIG environment
variable
- if dnssec-enable is no, then dnssec-validation now also defaults to
no. if dnssec-enable is yes, dnssec-validation defaults to auto or yes
depending on --disable-auto-validation.
- correct the doc
Revert parts of commit c3b8130fe8 which
inadvertently broke creating and validating EdDSA signatures:
1. EVP_DigestSignInit() returns 1 on success.
2. EdDSA does not support streaming (EVP_Digest*Update() followed by
EVP_Digest*Final()), only one shot operations.
Resolve "Make the chained delegations in reclimit behave like they would in a regular name server."
Closes#578
See merge request isc-projects/bind9!840
- update_log() is called to log update errors, but if those errors
occur before the zone is set (for example, when returning NOTAUTH)
it returns without logging anything.
Resolve "allow-recursion-on and allow-query-cache-on should default to each other if only one is set"
Closes#319
See merge request isc-projects/bind9!556
The race condition is the timer elapses before isc__timer_create()
returns the pointer to the caller. Assigning the return pointer before
enabling the timer will fix it.
Zone loading happens in a different task (zone->loadtask) than other
zone actions (zone->task). Thus, when zone_postload() is called in the
context of zone->loadtask, it may cause zone maintenance to be queued in
zone->task and another thread can then execute zone_maintenance() before
zone_postload() gets a chance to finish its work in the first thread.
This would not be a problem if zone_maintenance() accounted for this
possibility by locking the zone before checking the state of its
DNS_ZONEFLG_LOADPENDING flag. However, the zone is currently not locked
before the state of that flag is checked, which may prevent zone
maintenance from happening despite zone_postload() scheduling it. Fix
by locking the zone in zone_maintenance() before checking the state of
the zone's DNS_ZONEFLG_LOADPENDING flag.
- the text returned by "rndc nta" when adding NTAs to multiple views
was incorrectly terminated after the first line, so users only saw
on NTA added unless they checked the logs.
5031. [cleanup] Various defines in platform.h has been either dropped
if always or never triggered on supported platforms
or replaced with config.h equivalents if the defines
didn't have any impact on public headers. Workarounds
for LinuxThreads have been removed because NPTL is
available since Linux kernel 2.6.0.
5023. [func] Replace custom assembly for atomic operations with
atomic support from the compiler. The code will now use
C11 stdatomic, or __atomic, or __sync builtins with GCC
or Clang compilers, and Interlocked functions with MSVC.
[GL #10]
This properly orders clearing the freed pointer and calling isc_refcount_destroy
as early as possible to have ability to put proper memory barrier when cleaning
up reference counting.
Remove all kind of legacy compatibility layers (including IPv6, networking and functions defined by C99 or POSIX.1)
Closes#192
See merge request isc-projects/bind9!668
5016. [cleanup] Remove wrappers that try to fix broken or incomplete
implementations of IPv6, pthreads and other core
functionality required and used by BIND. [GL #192]
The "exitcode" variable is set to 9 if a TCP connection fails, but is
not reset to 0 if a subsequent TCP connection succeeds. This causes dig
to return a non-zero exit code if it succeeds in getting a TCP response
after a retry. Fix by resetting "exitcode" to 0 if connect_done()
receives an event with the "result" field set to ISC_R_SUCCESS.
Force ns3 to use a constant source address (10.53.0.3) when sending
transfer requests for the "initially-unavailable" zone to prevent
failures of transfers not triggered by bin/tests/system/mirror/tests.sh
from causing fallback to using a source address for which transfers of
that zone are refused throughout the entire "mirror" system test since
that might yield false positives.
Add a missing semicolon to prevent "make test" run from the top-level
directory from failing even when all system and unit tests succeed due
to "(cd fuzz && ${MAKE} check)" returning a non-zero exit code.
For inline-signed zones, the value of "ixfr-from-differences" is
hardcoded to:
- "yes" for the raw version of the zone,
- "no" for the signed version of the zone.
In other words, any user-provided "ixfr-from-differences" setting is
effectively ignored for an inline-signed zone. Ensure the user is aware
of that by adding a note to the ARM and logging a message when an
"ixfr-from-differences" option is found at the zone level.
A short time window exists between logging the addition of an NSEC3PARAM
record to a zone and committing it to the current version of the zone
database. If a query arrives during such a time window, an unsigned
response will be returned. One of the checks in the "inline" system
test requires NSEC3 records to be present in an answer - that check
would fail in the case described above. Use rndc instead of log
watching for checking whether zone signing and NSEC3 chain modifications
are complete in order to prevent intermittent "inline" system test
failures.
While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage. This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version. This in
turn prevents zone maintenance from happening for the signed version of
the zone.
Until commit 29b7efdd9f, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs). This behavior caused other issues [1] and thus had to be
changed.
Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes. Take care not to clear it prematurely during initial zone
load. Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem. Add comments aiming to
help explain code flow.
[1] see RT #47076
When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed. If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh. Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.
Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.
As part of resquery_response() refactoring [1], a goto statement was
replaced [2] with a call to a new function - originally called
rctx_delegation(), now folded into rctx_answer_none() - extracted from
existing code. However, one call site of that refactored function does
not reset the "result" variable, causing a referral with a non-empty
ANSWER section to be inadvertently treated as an error, which prevents
resolution of names reliant on servers sending such responses. Fix by
resetting the "result" variable to ISC_R_SUCCESS when a response
containing a non-empty ANSWER section can be treated as a delegation.
[1] see RT #45362
[2] see commit e1380a16741a3b4a57e54d7a9ce09dd12691522f
- added new 'validate-except' option, which configures an NTA with
expiry of 0xffffffff. NTAs with that value in the expiry field do not
expire, are are not written out when saving the NTA table and are not
dumped by rndc secroots
dst__openssl_toresult3() first calls toresult() and subsequently uses
ERR_get_error_line_data() in a loop. Given this, it is a mistake to use
ERR_get_error() in toresult() because it causes the retrieved error to
be removed from the OpenSSL error queue, thus preventing it from being
retrieved by the subsequent ERR_get_error_line_data() calls. Fix by
using ERR_peek_error() instead of ERR_get_error() in toresult().
When two or more absolute, two-label names are added to a completely
empty RBT, an extra, empty node for the root name will be created due to
node splitting. check_tree() expects that, but the extra node will not
be created when just one name is added to a completely empty RBT. This
problem could be handled inside check_tree(), but that would introduce
unnecessary complexity into it since adding a single name will result in
a different node count for a completely empty RBT (node count will be 1)
and an RBT containing only an empty node for the root name, created due
to prior node splitting (node count will be 2). Thus, first explicitly
create a node for the root name to prevent rare check_tree() failures
caused by a single name being added in the first iteration of the
insert/remove loop.
Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test. Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test. Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.
If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading. Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.
5006. [cleanup] Code preparing a delegation response was extracted from
query_delegation() and query_zone_delegation() into a
separate function in order to decrease code
duplication. [GL #431]
Changes introduced by the previous two commits make the parts of
query_delegation() and query_zone_delegation() which prepare a
delegation response functionally equivalent. Extract this code into a
separate function, query_prepare_delegation_response(), and then call
the latter from both query_delegation() and query_zone_delegation() in
order to reduce code duplication. Add a comment describing the purpose
of the extracted code. Fix coding style issues.
When query processing hits a delegation from a locally configured zone,
an attempt may be made to look for a better answer in the cache. In
such a case, the zone-sourced delegation data is set aside and the
lookup is retried using the cache database. When that lookup is
completed, a decision is made whether the answer found in the cache is
better than the answer found in the zone.
Currently, if the zone-sourced answer turns out to be better than the
one found in the cache:
- qctx->zdb is not restored into qctx->db,
- qctx->node, holding the zone database node found, is not even saved.
Thus, in such a case both qctx->db and qctx->node will point at cache
data. This is not an issue for BIND versions which do not support
mirror zones because in these versions non-recursive queries always
cause the zone-sourced delegation to be returned and thus the
non-recursive part of query_delegation() is never reached if the
delegation is coming from a zone. With mirror zones, however,
non-recursive queries may cause cache lookups even after a zone
delegation is found. Leaving qctx->db assigned to the cache database
when query_delegation() determines that the zone-sourced delegation is
the best answer to the client's query prevents DS records from being
added to delegations coming from mirror zones. Fix this issue by
keeping the zone database and zone node in qctx while the cache is
searched for an answer and then restoring them into qctx->db and
qctx->node, respectively, if the zone-sourced delegation turns out to be
the best answer. Since this change means that qctx->zdb cannot be used
as the glue database any more as it will be reset to NULL by RESTORE(),
ensure that qctx->db is not a cache database before attaching it to
qctx->client->query.gluedb.
Furthermore, current code contains a conditional statement which
prevents a mirror zone from being used as a source of glue records.
Said statement was added to prevent assertion failures caused by
attempting to use a zone database's glue cache for finding glue for an
NS RRset coming from a cache database. However, that check is overly
strict since it completely prevents glue from being added to delegations
coming from mirror zones. With the changes described above in place,
the scenario this check was preventing can no longer happen, so remove
the aforementioned check.
If qctx->zdb is not NULL, qctx->zfname will also not be NULL;
qctx->zsigrdataset may be NULL in such a case, but query_putrdataset()
handles pointers to NULL pointers gracefully. Remove redundant
conditional expressions to make the cleanup code in query_freedata()
match the corresponding sequences of SAVE() / RESTORE() macros more
closely.
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
Resolve "isc_buffer_printf() grows buffer without autorealloc being set + nit in isc_buffer_realloc()"
Closes#443
See merge request isc-projects/bind9!559
Fix ax_check_openssl to accept "--with-openssl" or "--with-openssl=yes",
and improve it to modern autotools standard
See merge request isc-projects/bind9!550
dns_view_zonecut() may associate the dns_rdataset_t structure passed to
it even if it returns a result different then ISC_R_SUCCESS. Not
handling this properly may cause a reference leak. Fix by ensuring
'nameservers' is cleaned up in all relevant failure modes.
Prevent ans2.pl from responding authoritatively for any name at or below
example.net.
Make ans3.pl properly answer example.net/NS queries. Use string
comparisons instead of regular expressions where possible.
lo0 and lo0:0 are the same interface on Solaris. Make sure
bin/tests/system/ifconfig.sh does not touch lo0:0 in order to prevent it
from changing the address of the loopback interface on Solaris.
Modify .gitlab-ci.yml so that every CI pipeline also builds and tests
BIND on CentOS versions 6 and 7. Use --disable-warn-error on CentOS 6
since it uses GCC 4.4.7 which suffers from bugs causing bogus warnings
to be generated, e.g.:
sigs_test.c: In function 'compare_tuples':
sigs_test.c:75: warning: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
sigs_test.c: In function 'updatesigs_test':
sigs_test.c:193: warning: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
The "git status" command in Git versions before 1.7.2 does not support
the "--ignored" option. Prevent spamming the console when running
system tests from a Git repository on a host with an ancient Git version
installed.
The output of certain "dig +idnout" invocations may be locale-dependent.
Remove the "dig +idnout" subtest from the "digdelv" system test as IDN
support is already thoroughly tested by the "idna" system test.
Every prereq.sh script must include bin/tests/system/conf.sh, otherwise
if some prerequisite is not met, errors about echo_i not being found
will be printed instead of actual error messages.
The Docker images used for CI install ATF to /usr, not /usr/local.
Update the ./configure invocation in .gitlab-ci.yml accordingly in order
to prevent confusion.
Depending on tool versions used, "autoreconf -i" may not update all
Autoconf-generated files, which in turn may result in build errors.
Make autogen.sh call autoreconf with the "-f" command line argument to
ensure all Autoconf-generated files are updated when autogen.sh is run.
Trying to resolve a trust anchor telemetry query for a locally served
zone does not cause upstream queries to be sent as the response is
determined just by consulting local data. Work around this issue by
calling dns_view_findzonecut() first in order to determine the NS RRset
for a given domain name and then passing the zone cut found to
dns_resolver_createfetch().
Note that this change only applies to TAT queries generated by the
resolver itself, not to ones received from downstream resolvers.
Extract the part of dotat() reponsible for preparing the QNAME for a TAT
query to a separate function in order to limit the number of local
variables used by each function and improve code readability.
Rename 'name' to 'origin' to better convey the purpose of that variable.
Also mark it with the const qualifier.
Update named_zone_reusable() so that it does not consider a zone to be
eligible for reuse if its old value of the "mirror" option differs from
the new one. This causes "rndc reconfig" to create a new zone structure
whenever the value of the "mirror" option is changed, which ensures that
the previous zone database is not reused and that flags are properly set
in responses sourced from zones whose "mirror" setting was changed at
runtime.
Net::DNS versions older than 0.67 respond to queries sent to a
Net::DNS::Nameserver even if its ReplyHandler returns undef. This makes
the "serve-stale" system test fail as it takes advantage of the newer
behavior. Since the latest Net::DNS version available with stock
RHEL/CentOS 6 packages is 0.65 and we officially support that operating
system, bin/tests/system/serve-stale/ans2/ans.pl should behave
consistently for various Net::DNS versions. Ensure that by reworking it
so that it does not use Net::DNS::Nameserver.
Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty. Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions. Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.
While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.
The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed. The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding. In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.
Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.
Update the "idna" system test accordingly. Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name. Fix invalid subtest description.
Since idn_output_filter() no longer uses its 'absolute' argument and no
other callback is used with dns_name_settotextfilter(), remove the
'absolute' argument from the dns_name_totextfilter_t prototype.
output_filter() does not need to dot-terminate its input name because
libidn2 properly handles both dot-terminated and non-dot-terminated
names. libidn2 also does not implicitly dot-terminate names passed to
it, so parts of output_filter() handling dot termination can simply be
removed.
Fix a logical condition to make sure 'src' can fit the terminating NULL
byte. Replace the MAXDLEN macro with the MXNAME macro used in the rest
of dig source code. Tweak comments and variable names.
Rename output_filter() to idn_output_filter() so that it can be easily
associated with IDN and other idn_*() functions.
idn_ace_to_locale() may return a string longer than MAXDLEN because it
is using the current locale's character encoding. Rather then imposing
an arbitrary limit on the length of the string that function can return,
make it pass the string prepared by libidn2 back to the caller verbatim,
making the latter responsible for freeing that string. In conjunction
with the fact that libidn2 errors are considered fatal, this makes
returning an isc_result_t from idn_ace_to_locale() unnecessary.
Do not process success cases in conditional branches for improved
consistency with the rest of BIND source code. Add a comment explaining
the purpose of idn_ace_to_locale(). Rename that function's parameters
to match common BIND naming pattern.
idn_locale_to_ace() is a static function which is always used with a
buffer of size MXNAME, i.e. one that can fit any valid domain name.
Since libidn2 detects invalid domain names and libidn2 errors are
considered fatal, remove size checks from idn_locale_to_ace(). This
makes returning an isc_result_t from it unnecessary.
Do not process success cases in conditional branches for improved
consistency with the rest of BIND source code. Add a comment explaining
the purpose of idn_locale_to_ace(). Rename that function's parameters
to match common BIND naming pattern.
Certain characters, like symbols, are allowed by IDNA2003, but not by
IDNA2008. Make dig reject such symbols when IDN input processing is
enabled to ensure BIND only supports IDNA2008. Update the "idna" system
test so that it uses one of such symbols rather than one which is
disallowed by both IDNA2003 and IDNA2008.
There is no need to call dns_name_settotextfilter() in setup_system()
because setup_lookup() determines whether IDN output processing should
be enabled for a specific lookup (taking the global setting into
consideration) and calls dns_name_settotextfilter() anyway if it is.
Remove the dns_name_settotextfilter() call from setup_system().
Clean up the parts of configure.in responsible for handling libidn2
detection and adjust other pieces of the build system to match these
cleanups:
- use pkg-config when --with-libidn2 is used without an explicit path,
- look for idn2_to_ascii_lz() rather than idn2_to_ascii_8z() as the
former is used in BIND while the latter is not,
- do not look for idn2_to_unicode_8zlz() as it is present in all
libidn2 versions which have idn2_to_ascii_lz(),
- check whether the <idn2.h> header is usable,
- set LDFLAGS in the Makefile for dig so that, if specified, the
requested libidn2 path is used when linking with libidn2,
- override CPPFLAGS when looking for libidn2 components so that the
configure script does not produce warnings when libidn2 is not
installed system-wide,
- merge the AS_CASE() call into the AS_IF() call below it to simplify
code,
- indicate the default value of --with-libidn2 in "./configure --help"
output,
- use $with_libidn2 rather than $use_libidn2 to better match the name
of the configure script argument,
- stop differentiating between IDN "in" and "out" support, i.e. make
dig either support libidn2 or not; remove WITH_* Autoconf macros and
use a new one, HAVE_LIBIDN2, to determine whether libidn2 support
should be enabled.
4987. [cleanup] dns_rdataslab_tordataset() and its related
dns_rdatasetmethods_t callbacks were removed as they
were not being used by anything in BIND. [GL #371]
Since BIND libraries are no longer considered public and
dns_rdataslab_tordataset() is not used anywhere in the tree, remove the
latter and its associated dns_rdatasetmethods_t callbacks from
lib/dns/rdataslab.c.
4985. [func] Add a new slave zone option, "mirror", to enable
serving a non-authoritative copy of a zone that
is subject to DNSSEC validation before being
used. For now, this option is only meant to
facilitate deployment of an RFC 7706-style local
copy of the root zone. [GL #33]
Replace "type: slave" with "type: mirror" in "rndc zonestatus" output
for mirror zones in order to enable the user to tell a regular slave
zone and a mirror zone apart.
Since the mirror zone feature is expected to mostly be used for the root
zone, prevent slaves from sending NOTIFY messages for mirror zones by
default. Retain the possibility to use "also-notify" as it might be
useful in certain cases.
As mirror zone data should be treated the way validated, cached DNS
responses are, outgoing mirror zone transfers should be disabled unless
they are explicitly enabled by zone configuration.
As mirror zone data should be treated the way validated, cached DNS
responses are, it should not be used when responding to clients who are
not allowed cache access. Reuse code responsible for determining cache
database access for evaluating mirror zone access.
Modify query_checkcacheaccess() so that it only contains a single return
statement rather than three and so that the "check_acl" variable is no
longer needed. Tweak and expand comments. Fix coding style issues.
Modify query_getcachedb() so that it uses a common return path for both
success and failure. Remove a redundant NULL check since 'db' will
never be NULL after being passed as a target pointer to dns_db_attach().
Fix coding style issues.
Extract the parts of query_getcachedb() responsible for checking whether
the client is allowed to access the cache to a separate function, so
that it can be reused for determining mirror zone access.
If transferring or loading a mirror zone fails, resolution should still
succeed by means of falling back to regular recursive queries.
Currently, though, if a slave zone is present in the zone table and not
loaded, a SERVFAIL response is generated. Thus, mirror zones need
special handling in this regard.
Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
domain name is looked up rather than a zone itself. Handle that flag in
dns_zt_find() in such a way that a mirror zone which is expired or not
yet loaded is ignored when looking up domain names, but still possible
to find when the caller wants to know whether the zone is configured.
This causes a fallback to recursion when mirror zone data is unavailable
without making unloaded mirror zones invisible to code checking a zone's
existence.
Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones. Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
Section 4 of RFC 7706 suggests that responses sourced from a local copy
of a zone should not have the AA bit set. Follow that recommendation by
setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
coming from a mirror zone.
When a resolver is a regular slave (i.e. not a mirror) for some zone,
non-recursive queries for names below that slaved zone will return a
delegation sourced from it. This behavior is suboptimal for mirror
zones as their contents should rather be treated as validated, cached
DNS responses. Modify query_delegation() and query_zone_delegation() to
permit clients allowed cache access to check its contents for a better
answer when responding to non-recursive queries.
Make ns3 mirror the "root" zone from ns1 and query the former for a
properly signed record below the root. Ensure ns1 is not queried during
resolution and that the AD bit is set in the response.
As mirror zone files are verified when they are loaded from disk, verify
journal files as well to ensure invalid data is not used. Reuse the
journals generated during IXFR tests to test this.
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used. If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key. Define
a new libdns result signifying a zone verification failure.
Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor. The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure. Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.
The system test helper function nextpart() always updates the "lines
read so far" marker ("<file>.prev") when it is called, which somewhat
limits its flexibility. Add two new helper functions, nextpartpeek()
and nextpartreset(), so that certain parts of log files can be easily
examined more than once. Add some documentation to help understand the
purpose of each function in the nextpart*() family.
Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone. This commit does not
introduce any behavior changes yet.
With "dnssec-validation" now defaulting to "auto", it needs to be
explicitly set to "yes" (the previous default value) for all validating
resolvers used in system tests. Ensure that requirement is satisfied by
the resolvers used in the "rpz" system test.
Change 4897 modified the way the $DNSRPS_TEST_MODE variable is used in
bin/tests/system/rpz/tests.sh without updating all references to it,
which i.a. causes the $native and $dnsrps variables to not be set in the
default testing mode, effectively preventing failed checks from being
propagated to the final result of the test. Use $mode instead of
$DNSRPS_TEST_MODE where appropriate to fix error handling in the "rpz"
system test.
4973. [func] verifyzone() and the functions it uses were moved to
libdns and refactored to prevent exit() from being
called upon failure. A side effect of that is that
dnssec-signzone and dnssec-verify now check for memory
leaks upon shutdown. [GL #266]
Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers. Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c. This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.
record_found() returns an isc_result_t, but its value is not checked.
Modify the only call site of record_found() so that its errors are
properly handled.
Replace the fprintf() call inside record_nsec3() with a
zoneverify_log_error() call. Remove the "mctx" argument of
record_nsec3() as it can be extracted from "vctx".
Modify one of the record_nsec3() call sites so that its errors are
properly handled.
Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.
Modify all call sites of match_nsec3() so that its errors are properly
handled.
Replace all check_result() calls inside isoptout() with
zoneverify_log_error() calls and error handling code. Enable isoptout()
to signal errors to the caller using its return value.
Modify the call site of isoptout() so that its errors are properly
handled.
Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
verification result through a separate pointer, thus making it possible
to signal errors using function return values. Replace all
check_result() and fprintf() calls inside these functions with
zoneverify_log_error() calls and error handling code.
Modify all call sites of verifynsec3(), verifynsec3s(), and
verifyemptynodes() so that their errors are properly handled.
Make verifynsec() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all check_result() and fprintf() calls inside
verifynsec() with zoneverify_log_error() calls and error handling code.
Modify the call site of verifynsec() so that its errors are properly
handled.
Rename "tresult" to "tvresult" in order to improve variable naming
consistency between functions.
Replace all check_result() and fprintf() calls inside check_no_rrsig()
with zoneverify_log_error() calls and error handling code. Enable
check_no_rrsig() to signal errors to the caller using its return
value.
Modify the call site of check_no_rrsig() so that its errors are properly
handled.
Define buffer size using a named constant rather than a plain integer.
Replace all check_result() and fprintf() calls inside verifyset() with
zoneverify_log_error() calls and error handling code. Enable
verifyset() to signal errors to the caller using its return value.
Modify the call site of verifyset() so that its errors are properly
handled.
Define buffer sizes using named constants rather than plain integers.
Make verifynode() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value. Replace all fatal() and check_result() calls inside
verifynode() with zoneverify_log_error() calls and error handling code.
Add a REQUIRE assertion to emphasize verifynode() may be called with
some of its arguments set to NULL.
Modify all call sites of verifynode() so that its errors are properly
handled.
Replace the check_result() call inside is_empty() with a
zoneverify_log_error() call and error handling code. Enable is_empty()
to signal errors to the caller using its return value.
Modify the call site of is_empty() so that its errors are properly
handled.
Replace the fatal() call inside check_no_nsec() with a
zoneverify_log_error() call. Enable check_no_nsec() to signal errors to
the caller using its return value.
Modify all call sites of check_no_nsec() so that its errors are properly
handled.
Replace all fatal(), check_result(), and check_dns_dbiterator_current()
calls inside verify_nodes() with zoneverify_log_error() calls and error
handling code. Enable verify_nodes() to signal errors to the caller
using its return value.
Modify the call site of verify_nodes() so that its errors are properly
handled.
Free all heap elements upon verification context cleanup as a
verification error may prevent them from being freed elsewhere.
Remove the check_dns_dbiterator_current() macro as it is no longer used
anywhere in lib/dns/zoneverify.c.
Replace all fatal() and fprintf() calls inside check_bad_algorithms()
with zoneverify_print() calls and error handling code. Enable
check_bad_algorithms() to signal errors to the caller using its return
value.
Modify the call site of check_bad_algorithms() so that its errors are
properly handled.
Replace all fatal() and check_result() calls inside check_dnskey() with
zoneverify_log_error() calls and error handling code. Enable
check_dnskey() to signal errors to the caller using its return value.
Modify the call site of check_dnskey() so that its errors are properly
handled.
Replace all fatal() calls inside check_apex_rrsets() with
zoneverify_log_error() calls and error handling code. Enable
check_apex_rrsets() to signal errors to the caller using its return
value.
Modify the call site of check_apex_rrsets() so that its errors are
properly handled.
Replace calls to check_result() with RUNTIME_CHECK assertions for all
dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
cannot fail when the "mctx" argument is NULL (and that is the case for
all call sites of this function throughout lib/dns/zoneverify.c).
Extract the part of dns_zoneverify_dnssec() responsible for checking
whether the zone is fully signed using all active algorithms to a
separate function.
Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.
Extract the part of dns_zoneverify_dnssec() responsible for determining
and printing a list of DNSSEC algorithms active in the verified zone to
a separate function.
Extract the part of check_dnskey() responsible for determining active
algorithms in the verified zone based on the signatures at zone apex to
a separate function.
Extract the part of dns_zoneverify_dnssec() responsible for fetching and
preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from
zone apex to a separate function.
These functions will be used in the process of replacing fatal(),
check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
code that does not call exit(). They are intended for:
- zoneverify_log_error(): logging problems encountered while
performing zone verification,
- zoneverify_print(): printing status messages and reports which are
only useful in standalone tools.
To make using dns_zone_logv() possible, add a new "zone" argument to
dns_zoneverify_dnssec() that standalone tools are expected to set to
NULL.
Tables representing algorithm use in the verified zone are commonly
accessed throughout dns_zoneverify_dnssec(). Move them into the
structure representing a verification context. While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.
Eight structures representing four RRsets and their signatures are
commonly accessed throughout dns_zoneverify_dnssec(). Move them into
the structure representing a verification context. While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.
Move variables commonly used throughout dns_zoneverify_dnssec() and its
helper functions to the structure representing a verification context in
order to reduce the number of arguments passed between functions.
Make dns_zoneverify_dnssec() eligible for multithreaded use by replacing
the static variables it accesses with a stack-allocated structure
containing these variables. Implement setup and cleanup routines for
that structure, ensuring no error in these routines causes exit() to be
called any more. Pass a pointer to that structure to functions
requiring access to variables which were previously static.
This commit only moves code around, with the following exceptions:
- the check_dns_dbiterator_current() macro and functions
is_delegation() and has_dname() were removed from
bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
functions are used both by the code in bin/dnssec/dnssec-signzone.c
and verifyzone(), but are not a good fit for being exported by a
code module responsible for zone verification,
- fatal() and check_result() were duplicated in lib/dns/zoneverify.c
as static functions which do not use the "program" variable any more
(as it is only set by the tools in bin/dnssec/); this is a temporary
step which only aims to prevent compilation from breaking - these
duplicate functions will be removed once lib/dns/zoneverify.c is
refactored not to use them,
- the list of header files included by lib/dns/zoneverify.c was
expanded to encompass all header files that are actually used by the
code in that file,
- a description of the purpose of the commented out "fields" inside
struct nsec3_chain_fixed was added.
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains. Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records. Check that DNAME-obscured
records are not signed.
The keyfile and key ID for the original managed key do not change
throughout the mkeys system test. Keep them in helper variables to
prevent calling "cat" multiple times and improve code readability.
Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.
Add a set of helper functions for system test scripts which enable
converting key data from a set of keyfiles to either a "trusted-keys"
section or a "managed-keys" section suitable for including in a
resolver's configuration file.
- make qname-minimization option tristate {strict,relaxed,disabled}
- go straight for the record if we hit NXDOMAIN in relaxed mode
- go straight for the record after 3 labels without new delegation or 7 labels total
- use start of fetch (and not time of response) as 'now' time for querying cache for
zonecut when following delegation.
Add a new libdns function, dns_zone_logv(), which takes a single va_list
argument rather than a variable number of arguments and can be used as a
base for implementing more specific zone logging functions.
Resolve "Multiple RRSIGs on some records in signed zone even though only one key is ever active at a time"
Closes#240
See merge request isc-projects/bind9!231
Resolve "9.11.3-S1 totext_nsec3 inserts a redundant white space between next hash and type map [ISC-support #12887]"
See merge request isc-projects/bind9!313
- all tests with "recursion yes" now also specify "dnssec-validation yes",
and all tests with "recursion no" also specify "dnssec-validation no".
this must be maintained in all new tests, or else validation will fail
when we use local root zones for testing.
- clean.sh has been modified where necessary to remove managed-keys.bind
and viewname.mkeys files.
- the default setting for dnssec-validation is now "auto", which
activates DNSSEC validation using the IANA root key. The old behavior
can be restored by explicitly setting "dnssec-validation yes", which
"yes", which activates DNSSEC validation only if keys are explicitly
configured in named.conf.
- the ARM has been updated to describe the new behavior
This commit reverts the previous change to use system provided
entropy, as (SYS_)getrandom is very slow on Linux because it is
a syscall.
The change introduced in this commit adds a new call isc_nonce_buf
that uses CSPRNG from cryptographic library provider to generate
secure data that can be and must be used for generating nonces.
Example usage would be DNS cookies.
The isc_random() API has been changed to use fast PRNG that is not
cryptographically secure, but runs entirely in user space. Two
contestants have been considered xoroshiro family of the functions
by Villa&Blackman and PCG by O'Neill. After a consideration the
xoshiro128starstar function has been used as uint32_t random number
provider because it is very fast and has good enough properties
for our usage pattern.
The other change introduced in the commit is the more extensive usage
of isc_random_uniform in places where the usage pattern was
isc_random() % n to prevent modulo bias. For usage patterns where
only 16 or 8 bits are needed (DNS Message ID), the isc_random()
functions has been renamed to isc_random32(), and isc_random16() and
isc_random8() functions have been introduced by &-ing the
isc_random32() output with 0xffff and 0xff. Please note that the
functions that uses stripped down bit count doesn't pass our
NIST SP 800-22 based random test.
- added a 1-second floor to max-stale-ttl similar to stale-answer-ttl;
if set to 0, it will be silently updated to 1.
- fixed the ARM entry on max-stale-ttl, which incorrectly suggested that
the default was 0 instead of 1 week.
- clarified rndc serve-stale documentation.
- this was a compile time option to disable the use of a hash table in
the RBTDB. the code path without the hash table was buggy and
untested, and unlikely to be needed by anyone anyway.
- mark the 'geoip-use-ecs' option obsolete; warn when it is used
in named.conf
- prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error
since simply ignoring the tags could make ACLs behave unpredictably
- re-simplify the radix and iptable code
- clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed()
and dns_geoip_match() so they no longer take ecs options
- remove the ECS-specific unit and system test cases
- remove references to ECS from the ARM
- Replace external -DOPENSSL/-DPKCS11CRYPTO with properly AC_DEFINEd
HAVE_OPENSSL/HAVE_PKCS11
- Don't enforce the crypto provider from platform.h, just from dst_api.c
and configure scripts
- tidy up release notes, removing the existing "security fixes" and
"bug fixes" sections
- add a section in the release notes to discuss the new version
numbering
- update version, CHANGES, api, and mapapi files
Interrupt query processing when query_recurse() attempts to ask the same
name servers for the same QNAME/QTYPE tuple for two times in a row as
this indicates that query processing may be stuck for an indeterminate
period of time, e.g. due to interactions between features able to
restart query_lookup().
check_stale_header() fails to update the pointer to the previous header
while processing rdataset headers eligible for serve-stale, thus
enabling rdataset headers to be leaked (i.e. disassociated from a node
and left on the relevant TTL heap) while iterating through a node. This
can lead to several different assertion failures. Add the missing
pointer update.
4948. [bug] When request-nsid is turned on, EDNS NSID options
should be logged at level info. Since change 3741
they have been logged at debug(3) by mistake.
[GL !290]
The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally use these CSPRNG (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library
Certain isc_buffer_*() functions might call memmove() with the second
argument (source) set to NULL and the third argument (length) set to 0.
While harmless, it triggers an ubsan warning:
runtime error: null pointer passed as argument 2, which is declared to never be null
Modify all memmove() call sites in lib/isc/include/isc/buffer.h and
lib/isc/buffer.c which may potentially use NULL as the second argument
(source) so that memmove() is only called if the third argument (length)
is non-zero.
compare_rdata() was meant to be used as a qsort() callback. Meanwhile,
dns_rdataslab_merge() calls compare_rdata() for a pair of dns_rdata_t
structures rather than a pair of struct xrdata structures, which is
harmless, but triggers an ubsan warning:
rdataslab.c:84:33: runtime error: member access within address <address> with insufficient space for an object of type 'const struct xrdata'
Use dns_rdata_compare() instead of compare_rdata() to prevent the
warning from being triggered.
Replace the outer for loop with a while loop to emphasize it keeps
processing the first element of diff->tuples, which changes on each
iteration due to tuples being removed from diff->tuples by
move_matching_tuples().
The ENSURE assertion at the end of dns_diff_appendminimal() is not
needed because it is placed right after code which resets *tuplep to
NULL if it is not NULL already.
The INSIST assertion in move_matching_tuples() checks the same pointer
again.
Extract the portion of the do-while loop responsible for finding the
next tuple with the same name and type into a separate function to
improve code clarity.
The do-while loop in dns__zone_updatesigs() is hard to follow due to
heavy nesting and the 'tuple' variable also being used in the outer for
loop. Add a comment to explain the purpose of the do-while loop.
Extract it into a separate function to decrease indentation and prevent
using 'tuple' in two different loops.
Add a new ATF test, sigs_test, containing everything required to start
defining test cases for dns__zone_updatesigs(). The framework is
written in a way which ensures that changes to zone database applied by
any dns__zone_updatesigs() invocation are preserved between subsequent
checks.
Rename find_zone_keys() to dns__zone_findkeys() and move it to
lib/dns/zone_p.h, so that it can be used in unit tests. Add a comment
describing the purpose of this function.
Rename update_sigs() to dns__zone_updatesigs() and move it to
lib/dns/zone_p.h, so that it can be unit tested. Add a comment
describing the purpose of this function.
Rename zonediff_t to dns__zonediff_t and move it to lib/dns/zone_p.h, so
that unit tests can be written for functions taking pointers to
structures of this type as arguments.
Add a new private header file, lib/dns/zone_p.h, which will hold type
definitions and function prototypes not meant to be exported by libdns,
but required by zone-related unit tests.
Implement dns_test_difffromchanges(), a function which enables preparing
a dns_diff_t structure from a mostly-textual representation of zone
database changes to be applied. This will improve readability of test
case definitions by allowing contents of a dns_diff_t structure, passed
e.g. to update_sigs(), to be represented in a human-friendly manner.
The dns_test_makezone() helper function always assigns the created zone
to some view, which is not always necessary and complicates cleanup of
non-managed zones as they are required not to be assigned to any view.
Rework dns_test_makezone() in order to make it easier to use in unit
tests operating on non-managed zones. Use dns_name_fromstring() instead
of dns_name_fromtext() to simplify code. Do not use the CHECK() macro
and add comments to make code flow simpler to follow. Use
dns_test_makeview() instead of dns_view_create().
Adjust existing unit tests using this function so that they still pass.
4916. [bug] Not creating signing keys for an inline signed zone
prevented changes applied to the raw zone from being
reflected in the secure zone until signing keys were
made available. [GL #159]
4915. [bug] Bumped signed serial of an inline signed zone was
logged even when an error occurred while updating
signatures. [GL #159]
When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing. Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.
If a raw zone is modified, but the dns_update_signaturesinc() call in
receive_secure_serial() fails, the corresponding secure zone's database
will not be modified, even though by that time a message containing the
bumped signed serial will already have been logged. This creates
confusion, because a different secure zone version will be served than
the one announced in the logs. Move the relevant dns_zone_log() call so
that it is only performed if the secure zone's database is modified.
Commit f87e0c03ee removed the "system" directory from the TESTDIRS
variable in bin/tests/Makefile.in in an attempt to fix "make distclean"
which was broken since commit 0d784de16a. However, this change
prevented any system tests from being run when "make test" is invoked.
We now put it back into both SUBDIRS and TESTDIRS, but with a modified
rule to check for the existence of a Makefile in each subdirectory before
trying to run make there. This prevents "make distclean" from trying to
run again in a directory where it's already been run.
Apart from ensuring "make test" returns 0, also check whether any system
test output was generated as a result of running it. This prevents the
CI job running system tests from succeeding unless it actually tests
something.
4921. [cleanup] Add dns_fixedname_initname() and refactor the caller
code to make usage of the new function, as a part of
refactoring dns_fixedname_*() macros were turned into
functions. [GL #183]
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.
This patch was mostly prepared using Coccinelle and the following
semantic patch:
@@
expression fixedname, name;
@@
- dns_fixedname_init(&fixedname);
...
- name = dns_fixedname_name(&fixedname);
+ name = dns_fixedname_initname(&fixedname);
The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.
It is likely that more occurrences of this pattern can be refactored in
an identical way. This commit only takes care of the low-hanging fruit.
Emit fatal failures on locale to ACE encoding
Separate idnout support, disable it for libidn2 < 2.0
Add custom path to libidn. Leave default path for multilib support.
Allow turning off IDN input processing by dig option
Improve documentation, fix support in host
Fix configure changes to adjust help text
Use strlcpy with size guard
Improve IDN variants choosing. Fix idn2 function name.
Remove immediate idn_locale_to_ace and idn_ace_to_locale.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Added two new configure options:
--with-libidn2 - to enable IDN using GNU libidn2
idnkit, libidn and libidn2 support can not be used at the same time.
NOTE: libidn2 does not support punycode back to Unicode
characters, so support for this is missing.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Removed iconv, convert directly from locale to ACE
Fix libidn2 and idnkit origin appending
Make IDN options in help less different
Signed-off-by: Petr Menšík <pemensik@redhat.com>
Added new configure option:
--with-libidn - to enable IDN using GNU libidn
Renamed configure option:
--with-idn to --with-idnkit to make the option usage more clear
idnkit and libidn support can not be used at the same time.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
4914. [bug] A bug in zone database reference counting could lead to
a crash when multiple versions of a slave zone were
transferred from a master in close succession.
[GL #134]
A typo in commit d39ab7440e introduced a bug in zone database reference
counting which leads to a crash if dumping one version of a slave zone
is not finished by the time transferring a newer version from a master
completes. Correct the typo to fix reference counting, thus preventing
crashes.
- added tests to the dnssec system test that duplicate the ones
from bin/tests/dnssec-signzone
- changed cleanall.sh so it doesn't automatically remove all
key files, because there are now some of those that are part of the
distribution
- some of these tests are obsolete and should be cleared up,
others overlap with ATF tests and may be removed later.
for now, let's just tidy up the bin/tests directory by
moving these files down a level.
- in unittest step, explicitly preserve kyua.log or atf.out
- preserve kyua results database if present
- generate HTML report from kyua results if available
Using fixed make concurrency settings on all runners is not flexible and
requires .gitlab-ci.yml to be modified each time tweaking these settings
is needed. Use environment variables which are expected to be set by
the runner (defaulting to 1 in case they are not set) for controlling
make concurrency.
Our current CI configuration causes ccache data to be zipped after each
job and also included in build artifacts, which will quickly become
infeasible as ccache data grows. Instead of asking gitlab-runner to
preserve ccache data between jobs, keep a separate ccache directory on
each runner, expecting it to be accessible at /ccache when a CI job is
run. As this requires gitlab-runner to be configured in a specific way,
do not use ccache at all in case the ccache directory is not found while
building.
Given the characteristics of the three timestamps involved in file
modification time checks in the cds system test (each one is an hour
apart from the next), reduce the resolution of these checks to 1 minute.
This will prevent intermittent false negatives caused by exceeding the
currently allowed difference of 9 seconds between file modification
times without making the test moot.
Also note that by using abs(), checkmtime.pl allows the cds system test
to pass when the modification time of the checked file is less than an
hour (or two hours for the second check) in the past. This should never
happen, so remove abs() from the condition checked by checkmtime.pl.
Calling nextpart() after reconfiguring ns1 is not safe, because the
expected log message may appear in ns5/named.run before nextpart() is
run. With the TTL for ./DNSKEY set to 20 seconds, ns5 will refresh it
after 10 seconds, by which time wait_for_log() will already have failed.
This results in a false negative.
However, just calling nextpart() before reconfiguring ns1 would
introduce a different problem: if ns5 refreshed ./DNSKEY between these
two steps, the subsequent wait_for_log() call would return immediately
as it would come across the log message about a failure while refreshing
./DNSKEY instead of the expected success. This in turn would result in
a different false negative as the root key would still be uninitialized
by the time "rndc secroots" is called.
Prevent both kinds of false negatives by:
- calling nextpart() before reconfiguring ns1, in order to prevent the
first case described above,
- looking for a more specific log message, in order to prevent the
second case described above.
Also look for a more specific log message in the first part of the
relevant check, not to fix any problem, but just to emphasize that a
different fetch result is expected in that case.
With these tweaks in place, if a (failed) ./DNSKEY refresh is scheduled
between nextpart() and reconfiguring ns1, wait_for_log() will just wait
for two more seconds (one "hour"), at which point another refresh
attempt will be made that will succeed.
Add a GitLab CI precheck stage to check for up-to-date copyright information and sequential CHANGES notes.
Closes#76
See merge request isc-projects/bind9!42
- wait for the transfer completion message to apear in the log instead
of the notify message. this ensures we don't check for the presense of
transfered records during the time between the notify and the
transfer.
4906. [func] Replace getquad() with inet_pton(), completing
change #4900. [GL #56]
4900. [func] Remove all uses of inet_aton(). As a result of this
change, IPv4 addresses are now only accepted in
dotted-quad format. [GL #13]
getquad() was implemented back in 2001 to warn about IPv4 addresses in
non-dotted-quad form being used. As change 4900 (GL #13) removed all
uses of inet_aton(), which allowed such forms, with inet_pton(), which
does not allow them, there is no point in keeping getquad() around as it
now only prints an extra warning when the parser comes across an IP
address in a form which is not acceptable anyway. Replace all uses of
getquad() with inet_pton(AF_INET, ...).
Support for non-dotted-quad IPv4 addresses in master files was dropped
when the inet_aton() call inside getquad() got replaced with a call to
inet_pton(), so a release note should have been added back then to
inform users that such syntax will no longer work.
The "sortlist-v4.conf" unit test for irs_resconf_load() is always run
twice due to a duplicate entry in the "tests" table. Remove one of them
to prevent this.
irs_resconf_load() stores the value returned by add_search() into ret
without consulting its current value first. This causes any previous
errors raised while parsing resolv.conf to be ignored as long as any
"domain" or "search" statement is present in the file.
Prevent this by returning early in case an error is detected while
parsing resolv.conf. Ensure that "searchlist" and "magic" members of
the created irs_resconf_t structure are always initialized before
isc_resconf_destroy() is called.
The current regular expression used for extracting system test results
from systests.output, "^R:", is anchored at the start of a line, which
prevents colored system test output from being properly processed. As
just "R:" would arguably be too general, extend the pattern a bit to
ensure it will only match lines containing system test results.
- removed a few remaing places where output wasn't being passed
through echo_i or cat_i
- added a "digcomp" function to conf.sh.in to send digcomp.pl output
through cat_i and return the correct exit value
- set SYSTESTDIR when calling echo_i from nsX directories, so that
the test name will always be printed correctly
- fixed a test name typo in conf.sh.in
Prevent runall.sh and "make test" from even attempting to run system
tests when "ifconfig.sh up" has not been run beforehand. This ensures
the user is not flooded with error messages in such a case.
The check_mx() function in lib/ns/update.c incorrectly tests whether the
DNS_RDATA_CHECKMX/DNS_RDATA_CHECKMXFAIL flags are set for each applied
MX record update as these flags are never set in code paths related to
dynamic updates; they can only be set when loading a zone from a master
file (DNS_ZONEOPT_CHECKMX -> DNS_MASTER_CHECKMX -> DNS_RDATA_CHECKMX).
This flaw allows MX records containing IP addresses to be added to a
zone even when "check-mx fail;" is used.
Ensure correct behavior by modifying the relevant tests in check_mx() so
that they use DNS_ZONEOPT_CHECKMX/DNS_ZONEOPT_CHECKMXFAIL instead.
- turn off some of the build tests
- increase test threads to 8
- build with --disable-static
- suppress the non-system tests under bin/tests (timers, task, etc)
- no longer grep for specific line numbers when checking
parameter logging, as those can change
- report the failure immediatey if parameter check fails
- add CHANGES note
- update copyrights and license headers
- add -j to the make commands in .gitlab-ci.yml to take
advantage of parallelization in the gitlab CI process
generated into builddir. If out-of-tree build is used, make unit
will always fail. Kyuafiles and testdata still have to be copied
manually into the builddir.
This enables the environment variables controlling run.sh behavior to be
permanently set in a working environment (e.g. to automatically force
colored output without using "-c" in each runall.sh invocation).
Relevant runall.sh command line arguments still have a higher priority.
As parallel.mk and runsequential.sh both pipe system test output through
"tee" (for the purpose of creating test.output), run.sh invoked from
these two files detects it is not writing to a terminal, which prevents
colored output from being generated. Allow forcing colored output using
a new command line argument for runall.sh, "-c", which sets an
environment variable (SYSTEMTEST_FORCE_COLOR) causing conf.sh to
unconditionally enable colored output.
The same environment variable can also be used directly to force colored
output when using "make test" instead of runall.sh.
Instead of exporting an environment variable containing a command line
argument (NOCLEAN="-n"), extend run.sh to handle a "boolean" environment
variable (SYSTEMTEST_NO_CLEAN) itself. The former method is buggy
because the value of NOCLEAN is set in parallel.mk when that file is
first created, but it is not subsequently updated upon each test run
(because make considers parallel.mk to be up to date).
To retain backward compatibility, the "-n" command line argument for
run.sh is still supported (and has a higher priority than the relevant
environment variable).
The SYSTEMTEST_NO_CLEAN environment variable can also be used directly
to prevent cleanup when using "make test" instead of runall.sh.
Apart from fixing a bug, this simplifies the way runall.sh controls
run.sh behavior due to the Makefile being bypassed. Direct processing
of environment variables in run.sh is more scalable in the long run,
given that the previously utilized technique, even with its
implementation fixed, would still require Makefile.in to be modified in
two places each time a new flag needed to be passed from runall.sh to
run.sh.
During the "check flushtree clears adb correctly" check, expecting
"ns.flushtest.example" to always be the first name in the ADB dump is
fragile, because in a certain corner case "a.root-servers.nil" will be
the first name instead.
As the purpose of the relevant check is to ensure "ns.flushtest.example"
is removed from ADB by "rndc flushtree flushtest.example", search the
entire list of names present in ADB instead of just the first entry when
looking for "ns.flushtest.example".
Dumping the cache is an asynchronous operation, so sleeping for a fixed
amount of time after running "rndc dumpdb" is imperfect as dumping cache
contents may take longer than expected on slower machines. Instead of
always sleeping for 1 second, wait until the "; Dump complete" line
appears in the dump or 10 seconds pass, whichever comes first.
Unless configured otherwise in named.conf, "rndc dumpdb" causes a cache
dump to be written to a file called "named_dump.db" in the working
directory of the given named instance. Repeatedly using this command
throughout different checks in the cacheclean system test causes cache
dumps for older checks to be overwritten, which hinders failure
diagnosis. Prevent this by moving each cache dump to a check-specific
location after running "rndc dumpdb".
Furthermore, during the "check flushtree clears adb correctly" check,
dump_cache() is called twice without renaming the resulting files.
Prevent the first cache dump from being overwritten by moving it to a
different file before calling "rndc dumpdb" for the second time.
1. Track changes to conf.sh.in in conf.sh.win32
2. Modifications to prevent Windows "Configure" script replacing
the sed "@PORT@" substitution tokens in conf.sh.win32.
3. runall.sh now runs Windows tests sequentially
It was TESTNAME, but this is an obvious name and was used in one of
the system tests, something that interfered with the content of
progress messages. It is now SYSTESTDIR.
Commit 57aa7b60fd caused catz/setup.sh to no longer call clean.sh, which
results in the catz system test failing on subsequent runs if the first
run is interrupted or fails.
Escape the line ends in a multi-line variable assignment. Under some
circumstances, substituting the variable caused syntax errors when
used as the list of values in a shell script "for" statement.
When running all the system tests, output from a test is sent to a
test.output file in the test directory. These are combined in to
systests.output when the run finishes.
Miscellaneous tidying up of run management. The most significant
change is that "runall.sh" now runs _all_ the tests, even the
ones that can run in parallel. runsequential.sh is the script
to run tests that have not been converted to parallel running.
Some tests use more ports than just the query and control ports.
Each test that can run in parallel with other tests is now assigned
a unique block of 10 ports.
Currently these tests are allow_query, rpzrecurse and serve-stale
1. Function to copy files and set port numbers renamed from copy_config
to copy_setports, as this is used to change the ports in Perl and Python
test scripts as well.
2. Changes to rpzrecurse/tests.sh to handle two calls to getopts (one to
parse port numbers, the other to parse rpzrecurse-specific options). Also
fixed various commands to use correct ports.
3. Updates to "clean.sh" scripts to ensure that all files created in the
test are removed.
Via an intermediate make file, tests that have been modified to be able
to run in parallel are assigned unique query and control port numbers
(other than 5300 and 9953 respectively). Tests that have not yet been
modified all use ports 5300 and 9953, so must be run sequentially.
Instead of checking current dnstap output file size and potentially
synchronously calling dns_dt_reopen() upon every call to dns_dt_send():
- call dns_dt_reopen() asynchronously by queuing an event to the task
specified at dnstap environment creation time,
- ensure no roll event is outstanding before checking dnstap output
file size and potentially queuing another roll event.
This causes dnstap output files to exceed their configured size limits,
but prevents any two threads from performing the roll simultaneously
(which causes crashes).
Instead of relying on the caller to set up task-exclusive mode, make
dns_dt_reopen() enforce task-exclusive mode itself, using the task
specified at dnstap environment creation time.
Implement a new variant of dns_dt_create() to enable a dnstap
environment structure to hold the task in the context of which
dns_dt_reopen() will be executed.
4892. [bug] named could leak memory when "rndc reload" was invoked
before all zone loading actions triggered by a previous
"rndc reload" command were completed. [RT #47076]
Remove a block of code which dates back to commit 8a2ab2b920, when
dns_zone_asyncload() did not yet check DNS_ZONEFLG_LOADPENDING.
Currently, no race in accessing DNS_ZONEFLG_LOADPENDING is possible any
more, because:
- dns_zone_asyncload() is still the only function which may queue
zone_asyncload(),
- dns_zone_asyncload() accesses DNS_ZONEFLG_LOADPENDING under a lock
(and potentially queues an event under the same lock),
- DNS_ZONEFLG_LOADPENDING is not cleared until the load actually
completes.
Thus, the rechecking code can be safely removed from zone_asyncload().
Note that this also brings zone_asyncload() to a state in which the
completion callback is always invoked. This is required to prevent
leaking memory in case something goes wrong in zone_asyncload() and a
zone table the zone belongs to is indefinitely left with a positive
reference count.
Code handling cancellation of asynchronous zone load events was likely
copied over from other functions when asynchronous zone loading was
first implemented in commit 8a2ab2b920. However, unlike those other
functions, asynchronous zone loading events currently have no way of
getting canceled once they get posted, which means the aforementioned
code is effectively dead. Remove it to prevent confusion.
zone_load() is not always synchronous, it may only initiate an
asynchronous load and return DNS_R_CONTINUE, which means zone loading
has not yet been completed. In such a case, zone_asyncload() must not
clear DNS_ZONEFLG_LOADPENDING immediately and leave that up to
zone_postload().
While this is not an issue in named, which only calls
dns_zone_asyncload() from task-exclusive mode, this function is exported
by libdns and thus may in theory be concurrently called for the same
zone by multiple threads. It also does not hurt to be consistent
locking-wise with other DNS_ZONEFLG_LOADPENDING accesses.
CNAME between to served zones when recursion was
desired and available (RD=1, RA=1). Don't return
the CNAME target otherwise to prevent accidental
cache poisoning. [RT #47078]
4873. [doc] Grammars for named.conf included in the ARM are now
automatically generated by the configuration parser
itself. As a side effect of the work needed to
separate zone type grammars from each other, this
also makes checking of zone statements in
named-checkconf more correct and consistent.
[RT #36957]
4867. [cleanup] Normalize rndc on/off commands (validation,
querylog, serve-stale) so they all accept the
same synonyms for on/off (yes/no, true/false,
enable/disable). Thanks to Tony Finch. [RT #47022]
4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839]
if there were active KSK and ZSK keys for
a algorithm when update-check-ksk is true
(default) leaving records unsigned with one or
more DNSKEY algorithms. [RT #46774]
if there were active KSK and ZSK keys for
a algorithm when update-check-ksk is true
(default) leaving records unsigned with one or
more DNSKEY algorithms. [RT #46754]
properly determining if there were active KSK and
ZSK keys for a algorithm when update-check-ksk is
true (default) leaving records unsigned. [RT #46743]
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
statement. [RT #46603]
always later that the resigning time of other records.
[RT #46473]
4820. [bug] dns_db_subtractrdataset should transfer the resigning
information to the new header. [RT #46473]
4819. [bug] Fully backout the transaction when adding a RRset
to the resigning / removal heaps fail. [RT #46473]
4807. [cleanup] isc_rng_randombytes() returns a specified number of
bytes from the PRNG; this is now used instead of
calling isc_rng_random() multiple times. [RT #46230]
4798. [func] Keys specified in "managed-keys" statements
are tagged as "initializing" until they have been
updated by a key refresh query. If initialization
fails it will be visible from "rndc secroots".
[RT #46267]
this completes change 4785. the CHANGES note has been revised:
4785. [func] The hmac-md5 algorithm is no longer recommended for
use with RNDC keys. The default in rndc-confgen
is now hmac-sha256. [RT #42272]
4788. [cleanup] When using "update-policy local", log a warning
when an update matching the session key is received
from a remote host. [RT #46213]
- this completes change #4762.
4785. [func] The hmac-md5 algorithm is no longer recommended for
use with RNDC keys. For compatibility reasons, it
it is still the default algorithm in rndc-confgen,
but this will be changed to hmac-sha256 in a future
release. [RT #42272]
4784. [func] The use of dnssec-keygen to generate HMAC keys is
deprecated in favor of tsig-keygen. dnssec-keygen
will print a warning when used for this purpose.
All HMAC algorithms will be removed from
dnssec-keygen in a future release. [RT #42272]
Change 4592 was supposed to replace a REQUIRE with a conditional return.
While the latter was added, the former was not removed. Remove the
relevant REQUIRE to fix RT #43822 for good.
This change is only applied to master for consistency with other
branches, where it is required to fix the filter-aaaa system test for
builds without DNSSEC support.
This reverts commit 560d8b833e.
This change created a potential race between key refresh queries and
root zone priming queries which could leave the root name servers in
the bad-server cache.
4773. [bug] Keys specified in "managed-keys" statements
can now only be used when validating key refresh
queries during initialization of RFC 5011 key
maintenance. If initialization fails, DNSSEC
validation of normal queries will also fail.
Previously, validation of normal queries could
succeed using the initializing key, potentially
masking problems with managed-keys. [RT #46077]
4770. [bug] Cache additional data from priming queries as glue.
Previously they were ignored as unsigned
non-answer data from a secure zone, and never
actually got added to the cache, causing hints
to be used frequently for root-server
addresses, which triggered re-priming. [RT #45241]
4768. [func] By default, memory is no longer filled with tag values
when it is allocated or freed; this improves
performance but makes debugging of certain memory
issues more difficult. "named -M fill" turns memory
filling back on. (Building "configure
--enable-developer", turns memory fill on by
default again; it can then be disabled with
"named -M nofill".) [RT #45123]
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
4757. [func] New "dnssec-cds" command creates a new parent DS
RRset based on CDS or CDNSKEY RRsets found in
a child zone, and generates either a dsset file
or stream of nsupdate commands to update the
parent. Thanks to Tony Finch. [RT #46090]
4756. [bug] Interrupting dig could lead to an INSIST failure after
certain errors were encountered while querying a host
whose name resolved to more than one address. Change
4537 increased the odds of triggering this issue by
causing dig to hang indefinitely when certain error
paths were evaluated. dig now also retries TCP queries
(once) if the server gracefully closes the connection
before sending a response. [RT #42832, #45159]
4753. [contrib] Software obtainable from known upstream locations
(i.e., zkt, nslint, query-loc) has been removed.
Links to these and other packages can be found at
https://www.isc.org/community/tools [RT #46182]
4751. [func] "dnssec-signzone -S" can now automatically add parent
synchronization records (CDS and CDNSKEY) according
to key metadata set using the -Psync and -Dsync
options to dnssec-keygen and dnssec-settime.
[RT #46149]
4750. [func] "rndc managed-keys destroy" shuts down RFC 5011 key
maintenance and deletes the managed-keys database.
If followed by "rndc reconfig" or a server restart,
key maintenance is reinitialized from scratch.
This is primarily intended for testing. [RT #32456]
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4724. [func] By default, BIND now uses the random number
functions provided by the crypto library (i.e.,
OpenSSL or a PKCS#11 provider) as a source of
randomness rather than /dev/random. This is
suitable for virtual machine environments
which have limited entropy pools and lack
hardware random number generators.
This can be overridden by specifying another
entropy source via the "random-device" option
in named.conf, or via the -r command line option;
however, for functions requiring full cryptographic
strength, such as DNSSEC key generation, this
cannot be overridden. In particular, the -r
command line option no longer has any effect on
dnssec-keygen.
This can be disabled by building with
"configure --disable-crypto-rand".
[RT #31459] [RT #46047]
Stage 2 - synthesis of records from wildcard data.
If the dns64 or filter-aaaa* is configured then the
involved lookups are currently excluded. [RT #40138]
4736. [cleanup] (a) Added comments to NSEC3-related functions in
lib/dns/zone.c. (b) Refactored NSEC3 salt formatting
code. (c) Minor tweaks to lock and result handling.
[RT #46053]
4727. [bug] Retransferring an inline-signed slave using NSEC3
around the time its NSEC3 salt was changed could result
in an infinite signing loop. [RT #45080]
4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
from being logged on FreeBSD if the kernel does not
support it. Notify the user when the kernel does
support TCP_FASTOPEN, but it is disabled by sysctl.
Add a new configure option, --disable-tcp-fastopen, to
disable use of TCP_FASTOPEN altogether. [RT #44754]
4721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly'
options now apply to CDNSKEY and DS records as well
as DNSKEY. Thanks to Tony Finch. [RT #45689]
4713. [func] Added support for the DNS Response Policy Service
(DNSRPS) API, which allows named to use an external
response policy daemon when built with
"configure --enable-dnsrps". Thanks to Vernon
Schryver and Farsight Security. [RT #43376]
4708. [cleanup] Legacy Windows builds (i.e. for XP and earlier)
are no longer supported. [RT #45186]
4707. [func] The lightweight resolver daemon and library (lwresd
and liblwres) have been removed. [RT #45186]
4706. [func] Code implementing name server query processing has
been moved from bin/named to a new library "libns".
Functions remaining in bin/named are now prefixed
with "named_" rather than "ns_". This will make it
easier to write unit tests for name server code, or
link name server functionality into new tools.
[RT #45186]
allows named to provide stale cached answers when
the authoritative server is under attack.
See max-stale-ttl, stale-answer-enable,
stale-answer-ttl. [RT #44790]
4594. [func] dnssec-keygen no longer uses RSASHA1 by default;
the signing algorithm must be specified on
the command line with the "-a" option. Signing
scripts that rely on the existing default behavior
will break; use "dnssec-keygen -a RSASHA1" to
repair them. (The goal of this change is to make
it easier to find scripts using RSASHA1 so they
can be changed in the event of that algorithm
being deprecated in the future.) [RT #44755]
4686. [bug] dnssec-settime -p could print a bogus warning about
key deletion scheduled before its inactivation when a
key had an inactivation date set but no deletion date
set. [RT #45807]
4674. [func] "dig +sigchase", and related options "+topdown" and
"+trusted-keys", have been removed. Use "delv" for
queries with DNSSEC validation. [RT #42793]
4669. [func] Iterative query logic in resolver.c has been
refactored into smaller functions and commented,
for improved readability, maintainability and
testability. [RT #45362]
4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9)
could cause a parser error when reading the policy
file. This now works correctly so long as the domain
name is quoted. [RT #45641]
4664. [func] Add a "glue-cache" option to enable or disable the
glue cache. The default is "no" to reduce memory
usage, but enabling this option will improve
performance in delegation-heavy zones. [RT #45125]
4656. [bug] Apply "port" and "dscp" values specified in catalog
zone's "default-masters" option to the generated
configuration of its member zones. [RT #45545]
4642. [cleanup] Add more logging of RFC 5011 events affecting the
status of managed keys: newly observed keys,
deletion of revoked keys, etc. [RT #45354]
4637. [func] "nsec3hash -r" option ("rdata order") takes arguments
in the same order as they appear in NSEC3 or
NSEC3PARAM records, so that NSEC3 parameters can
be cut and pasted from an existing record. Thanks
to Tony Finch for the contribution. [RT #45183]
4613. [func] By default, the maximum size of a zone journal file
is now twice the size of the zone's contents (there
is little benefit to a journal larger than this).
This can be overridden by setting "max-journal-size"
to "unlimited" or to an explicit value up to 2G.
Thanks to Tony Finch. [RT #38324]
4610. [func] The "new-zones-directory" option specifies the
location of NZF or NZD files for storing
configuration of zones added by "rndc addzone".
Thanks to Petr Menšík. [RT #44853]
4579. [func] Logging channels and dnstap output files can now
be configured with a "suffix" option, set to
either "increment" or "timestamp", indicating
whether to use incrementing numbers or timestamps
as the file suffix when rolling over a log file.
[RT #42838]
4572. [func] The "dnstap-output" option can now take "size" and
"versions" parameters to indicate the maximum size
a dnstap log file can grow before rolling to a new
file, and how many old files to retain. [RT #44502]
4549. [func] Added support for the EDNS TCP Keepalive option
(RFC 7828). [RT #42126]
4548. [func] Added support for the EDNS Padding option (RFC 7830).
[RT #42094]
4518. [func] The "print-time" option in the logging configuration
can now take arguments "local", "iso8601" or
"iso8601-utc" to indicate the format in which the
date and time should be logged. For backward
compatibility, "yes" is a synonym for "local".
[RT #42585]
4503. [cleanup] "make uninstall" now removes file installed by
BIND. (This currently excludes Python files
due to lack of support in setup.py.) [RT #42912]
4471. [cleanup] Render client/query logging format consistent for
ease of log file parsing. (Note that this affects
"querylog" format: there is now an additional field
indicating the client object address.) [RT #43238]
4445. [cleanup] isc_errno_toresult() can now be used to call the
formerly private function isc__errno2result().
[RT #43050]
4444. [bug] Fixed some issues related to dyndb: A bug caused
braces to be omitted when passing configuration text
from named.conf to a dyndb driver, and there was a
use-after-free in the sample dyndb driver. [RT #43050]
Patch for dyndb driver submitted by Petr Spacek at Red Hat.
no-auth and no-auth-recursive which suppress
adding the NS records to the authority section
as well as the associated address records for the
nameservers. [RT #42005]
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
4421. [func] When built with LMDB (Lightning Memory-mapped
Database), named will now use a database to store
the configuration for zones added by "rndc addzone"
instead of using a flat NZF file. This improves
performance of "rndc delzone" and "rndc modzone"
significantly. Existing NZF files will
automatically by converted to NZD databases.
To view the contents of an NZD or to roll back to
NZF format, use "named-nzd2nzf". To disable
this feature, use "configure --without-lmdb".
[RT #39837]
4417. [bug] dnssec-keymgr could fail to create successor keys
if the prepublication interval was set to a value
smaller than the default. [RT #42820]
Patch submitted by Nis Wechselberg (enbewe@enbewe.de).
4416. [bug] dnssec-keymgr: Domain names in policy files could
fail to match due to trailing dots. [RT #42807]
Patch submitted by Armin Pech (mail@arminpech.de).
4414. [bug] Corrected a bug in the MIPS implementation of
isc_atomic_xadd(). [RT #41965]
Submitted by Lamont Jones (lamont@debian.org). Closes Debian issue #406409.
4411. [func] "rndc dnstap -roll" automatically rolls the
dnstap output file; the previous version is
saved with ".0" suffix, and earlier versions
with ".1" and so on. An optional numeric argument
indicates how many prior files to save. [RT #42830]
trigger a infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. [RT #42694]
added better text to describe the license change
added information about the following changes to notes.xml
+4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
+ [RT #42455]
+4392. [func] Collect statistics for RSSAC02v3 traffic-volume,
+ traffic-sizes and rcode-volume reporting. [RT #41475]
+4388. [func] Support for master entries with TSIG keys in catalog
+ zones. [RT #42577]
+4385. [func] Add support for allow-query and allow-transfer ACLs
+ to catalog zones. [RT #42578]
4380. [experimental] Added a "zone-directory" option to "catalog-zones"
syntax, allowing local masterfiles for slaves
that are provisioned by catalog zones to be stored
in a directory other than the server's working
directory. [RT #42527]
provisioning secondary servers in which a list of
zones to be served is stored in a DNS zone and can
be propagated to slaves via AXFR/IXFR. [RT #41581]
4375. [func] Add support for automatic reallocation of isc_buffer
to isc_buffer_put* functions. [RT #42394]
4371. [func] New "minimal-any" option reduces the size of UDP
responses for qtype ANY by returning a single
arbitrarily selected RRset instead of all RRsets.
Thanks to Tony Finch. [RT #41615]
4354. [func] "pkcs11-list" now displays the extractability
attribute of private or secret keys stored in
an HSM, as either "true", "false", or "never"
Thanks to Daniel Stirnimann. [RT #36557]
4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017. A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]
4349. [contrib] kasp2policy: A python script to create a DNSSEC
policy file from an OpenDNSSEC KASP XML file.
4348. [func] dnssec-keymgr: A new python-based DNSSEC key
management utility, which reads a policy definition
file and can create or update DNSSEC keys as needed
to ensure that a zone's keys match policy, roll over
correctly on schedule, etc. Thanks to Sebastian
Castro for assistance in development. [RT #39211]
- [ ] Compare content with merge requests for the release.
- [ ] Check formatting.
- [ ] Build documentation on docs.isc.org.
- [ ] Commit changes and make sure the gitlab-ci tests are passing.
- [ ] Push the changes and tag ("alphatag" is an optional string such as "b1", "rc1" etc.). (```git tag -u <DEVELOPER_KEYID> -a -s -m "BIND 9.X.Y[alphatag]" v9_X_Y[alphatag]```)
- [ ] If this is the first tag for a release (e.g. beta), create a release branch named `release_v9_X_Y` (this allows development to continue on the release branch whilst release engineering continues).
- [ ] (SwEng) Run the "make release" Jenkins job to produce the tarballs and zips.
- [ ] (SwEng) Ask QA to sanity check the tarball and zips (passing to them the number of the Jenkins job).
- [ ] (QA) Sanity check the tarballs.
- [ ] (QA) Request the signature on the tarballs.
- [ ] (QA) Check signatures on tarballs.
- [ ] (QA) Tell Support to handle notification of release.
- [ ] (Manager) Inform Marketing of the release
- [ ] (Manager) Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- [ ] (SwEng) Update DEB and RPM packages
- [ ] (SwEng) Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`)
## Support
- [ ] Make tarballs and signatures available to download.
- [ ] Write release email to bind9-announce.
- [ ] Write email to bind9-users (if a major release).
- [ ] Update tickets in case of waiting support customers.
## Marketing
- [ ] Update BIND Product page if needed
- [ ] Update BIND Significant Features Matrix in KB if needed
- [ ] Update BIND -S Edition data sheet if S Edition feature change
- [ ] Announce on social media
- [ ] Update [Wikipedia entry for BIND](http://en.wikipedia.org/wiki/BIND).
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or
low in priority, but we will try at least to acknowledge legitimate
bug reports within a week.
ISC's ticketing system is publicly readable; however, you must have
an account to file a new issue. You can either register locally or
use credentials from an existing account at GitHub, GitLab, Google,
Twitter, or Facebook.
### Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
Do not discuss undisclosed security vulnerabilites on any public mailing list.
ISC has a long history of handling reported vulnerabilities promptly and
effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
If you have a crash, you may want to consult
[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
### <a name="contrib"></a>Contributing code
BIND is licensed under the
[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to reliquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
#### <a name="bind"></a>BIND code
Patches for BIND may be submitted directly via merge requests in
|`-DISC_MEM_DEFAULTFILL=1`|Overwrite memory with tag values when allocating or freeing it; this impairs performance but makes debugging of memory problems easier.|
|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/`|
|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|
|`BUILD_CPPFLAGS`||
|`BUILD_LDFLAGS`||
|`BUILD_LIBS`||
#### <a name="macos"> macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/
or if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and other
tools so that they can be easily found.
### <a name="dependencies"/> Dependencies
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
To build shared libraries, specify `--with-libtool` on the `configure`
command line.
For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using `--with-openssl=<PREFIX>` on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
configure BIND with `--enable-native-pkcs11`.
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
[http://xmlsoft.org](http://xmlsoft.org) or json-c
[https://github.com/json-c](https://github.com/json-c). If these are
installed at a nonstandard location, then:
* for libxml2, specify the prefix using `--with-libxml2=/prefix`,
* for json-c, adjust `PKG_CONFIG_PATH`.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using `with-lmdb=/prefix`.
To support MaxMind GeoIP2 location-based ACLs, the server must be linked
with `libmaxminddb`. This is turned on by default if the library is
found; if the library is installed in a nonstandard location,
specify the prefix using `--with-maxminddb=/prefix`. GeoIP2 support
can be switched off with `--disable-geoip`.
For DNSTAP packet logging, you must have installed libfstrm
| [security] | Fix for a significant security flaw |
| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
| [port] | Portability enhancement |
| [maint] | Updates to built-in data such as root server addresses and keys |
| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
| [performance] | Other changes to improve server performance |
| [protocol] | Updates to the DNS protocol such as new RR types |
| [test] | Changes to the automatic tests, not affecting server functionality |
| [cleanup] | Minor corrections and refactoring |
| [doc] | Documentation |
| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
#### Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL
@@ -78,6 +69,37 @@ can be run on these files explicitly, however\&.
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-l
.RS4
List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
.RE
.PP
\-c
.RS4
Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
\fBplugin\fR
statements to be ignored\&.
.RE
.PP
\-i
.RS4
Ignore warnings on deprecated options\&.
.RE
.PP
\-p
.RS4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS4
Chroot to
@@ -93,13 +115,6 @@ Print the version of the
program and exit\&.
.RE
.PP
\-p
.RS4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&.
.RE
.PP
\-x
.RS4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
@@ -114,11 +129,6 @@ Perform a test load of all master zones found in
named\&.conf\&.
.RE
.PP
\-j
.RS4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
filename
.RS4
The name of the configuration file to be checked\&. If not specified, it defaults to
<p><spanclass="application">named-checkzone</span>, <spanclass="application">named-compilezone</span>— zone file validity checking or converting tool</p>
<p>
<spanclass="application">named-checkzone</span>,
<spanclass="application">named-compilezone</span>
— zone file validity checking or converting tool
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5\&.
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
@@ -156,17 +147,6 @@ listens for connections from
\fBrndc\fR\&. The default is 953\&.
.RE
.PP
\-r \fIrandomfile\fR
.RS4
Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
/dev/random
or equivalent device, the default source of randomness is keyboard input\&.
randomdev
specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
@@ -57,13 +49,13 @@ delv \- DNS lookup and validation utility
.SH"DESCRIPTION"
.PP
\fBdelv\fR
(Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&. Records returned by
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
@@ -143,25 +135,25 @@ will perform a lookup for an A record\&.
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&.
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically\&. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported\&.
\fBdnssec\-keys\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
will not consult the managed\-keys database maintained by
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
@@ -398,25 +390,16 @@ output\&. The default is to do so\&. Note that (unlike in
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR\&.
\fB+noroot\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The default is to perform lookaside validation using a trust anchor of "dlv\&.isc\&.org", for which there is a built\-in key\&. If specifying a different name, then
\fB\-a\fR
must be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
@@ -445,5 +428,5 @@ RFC5155\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
.br
Copyright \(co 2014-2016 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
(domain information groper) is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
\fBdig\fR\&.
@@ -83,7 +74,9 @@ will perform an NS query for "\&." (the root)\&.
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&.
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
@@ -183,11 +176,6 @@ reads a list of lookup requests to process from the given
using the command\-line interface\&.
.RE
.PP
\-i
.RS4
Do reverse IPv6 lookups using the obsolete RFC1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC2874) are not attempted\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
@@ -217,15 +205,28 @@ The domain name to query\&. This is useful to distinguish the
from other arguments\&.
.RE
.PP
\-r
.RS4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS4
The resource record type to query\&. It can be any valid query type which is supported in BIND 9\&. The default query type is "A", unless the
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
to
ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
\fIN\fR\&.
.sp
All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
.RE
.PP
\-u
.RS4
Print query times in microseconds instead of milliseconds\&.
.RE
.PP
\-v
@@ -248,9 +249,7 @@ arguments\&.
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain (but see also the
\fB\-i\fR
option)\&.
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
@@ -270,7 +269,9 @@ hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5\&.
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: You should use the
\fB\-k\fR
@@ -360,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&.
.PP
\fB+[no]cmd\fR
.RS4
Toggles the printing of the initial comment in the output identifying the version of
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This comment is printed by default\&.
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
@@ -435,6 +442,11 @@ Specify EDNS option with code point
and optionally payload of
\fBvalue\fR
as a hexadecimal string\&.
\fBcode\fR
can be either an EDNS option name (for example,
NSID
or
ECS), or an arbitrary numeric value\&.
\fB+noednsopt\fR
clears the EDNS options to be sent\&.
.RE
@@ -444,6 +456,11 @@ clears the EDNS options to be sent\&.
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
@@ -461,11 +478,30 @@ Show [or do not show] the IP address and port number that supplied the answer wh
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
\fB+[no]idnin\fR
.RS4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
.RS4
Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
.RE
.PP
\fB+[no]keepalive\fR
.RS4
Send [or do not send] an EDNS Keepalive option\&.
.RE
.PP
\fB+[no]keepopen\fR
.RS4
Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
@@ -512,7 +548,7 @@ Include an EDNS name server ID request when sending a query\&.
.RS4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&.
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
.RE
.PP
\fB+[no]onesoa\fR
@@ -525,14 +561,28 @@ Print only one (starting) SOA record when performing an AXFR\&. The default is t
Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
.RE
.PP
\fB+padding=value\fR
.RS4
Pad the size of the query packet using the EDNS Padding option to blocks of
\fIvalue\fR
bytes\&. For example,
\fB+padding=32\fR
would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
.RE
.PP
\fB+[no]qr\fR
.RS4
Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS4
Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
.RS4
Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]rdflag\fR
@@ -545,11 +595,11 @@ A synonym for
.RS4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when the
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
or
option, and when using
\fI+trace\fR
query options are used\&.
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
@@ -580,7 +630,7 @@ determines if the name will be treated as relative or not and hence whether a se
.PP
\fB+[no]short\fR
.RS4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
@@ -590,7 +640,9 @@ Perform [do not perform] a search showing intermediate results\&.
.PP
\fB+[no]sigchase\fR
.RS4
Chase DNSSEC signature chains\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+split=W\fR
@@ -608,21 +660,30 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
.PP
\fB+[no]stats\fR
.RS4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/netmask]\fR
\fB+[no]subnet=addr[/prefix\-length]\fR
.RS4
Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
.sp
\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
\fBdig +subnet=0\fR
for short, sends a Client Subnet option with an empty address and a source prefixlength of zero, which signals a resolver that the EDNS Client Subnet option should not be used when resolving this query\&.
for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
\fInot\fR
be used when resolving this query\&.
.RE
.PP
\fB+[no]tcflag\fR
.RS4
Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]tcp\fR
.RS4
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless an
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
any
or
ixfr=N
query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
.RE
@@ -638,7 +699,10 @@ to less than 1 will result in a query timeout of 1 second being applied\&.
.PP
\fB+[no]topdown\fR
.RS4
When chasing DNSSEC signature chains perform a top\-down validation\&. Requires dig be compiled with \-DDIG_SIGCHASE\&.
This feature is related to
\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]trace\fR
@@ -664,18 +728,10 @@ is less than or equal to zero, the number of tries is silently rounded up to 1\&
.PP
\fB+trusted\-key=####\fR
.RS4
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR\&. Each DNSKEY record must be on its own line\&.
.sp
If not specified,
\fBdig\fR
will look for
/etc/trusted\-key\&.key
then
trusted\-key\&.key
in the current directory\&.
.sp
Requires dig be compiled with \-DDIG_SIGCHASE\&.
Formerly specified trusted keys for use with
\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]ttlid\fR
@@ -716,9 +772,11 @@ In this case, each
\fIquery\fR
argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
.PP
A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except the
A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
\fB+[no]cmd\fR
option) can be overridden by a query\-specific set of query options\&. For example:
and
\fB+[no]short\fR
options) can be overridden by a query\-specific set of query options\&. For example:
.sp
.ifn\{\
.RS4
@@ -750,11 +808,13 @@ If
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBdig\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, defines the
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
\fI+noidnout\fR
or define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBdig\fR
runs\&.
environment variable\&.
.SH"FILES"
.PP
/etc/resolv\&.conf
@@ -762,10 +822,11 @@ runs\&.
${HOME}/\&.digrc
.SH"SEE ALSO"
.PP
\fBdelv\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
RFC1035\&.
RFC1035\&.
.SH"BUGS"
.PP
There are probably too many query options\&.
@@ -774,7 +835,5 @@ There are probably too many query options\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
.br
Copyright \(co 2004-2011, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000-2003 Internet Software Consortium.
Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.br
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
