Compare commits

..

1 Commits

Author SHA1 Message Date
Mark Andrews
6c0747fc2b add missing decrements; set *versionp to NULL at start of closeversion 2020-08-19 12:31:38 +10:00
386 changed files with 973 additions and 5160 deletions

View File

@@ -31,12 +31,6 @@ variables:
AM_COLOR_TESTS: always
WITHOUT_READLINE: "--without-readline"
WITH_READLINE: "--with-readline"
WITH_READLINE_EDITLINE: "--with-readline=editline"
WITH_READLINE_LIBEDIT: "--with-readline=libedit"
WITH_READLINE_READLINE: "--with-readline=readline"
stages:
- autoconf
- precheck
@@ -187,21 +181,6 @@ stages:
$EXTRA_CONFIGURE \
|| cat config.log
.check_readline_setup: &check_readline_setup |
if [[ -n "${WITHOUT_READLINE}" ]]; then \
! grep "^#define HAVE_READLINE" config.h; \
elif [[ -n "${WITH_READLINE}" ]]; then \
grep -e "^#define HAVE_READLINE_READLINE" \
-e "^#define HAVE_READLINE_LIBEDIT" \
-e "^#define HAVE_READLINE_EDITLINE" config.h; \
elif [[ -n "${WITH_READLINE_EDITLINE}" ]]; then \
grep "^#define HAVE_READLINE_EDITLINE" config.h; \
elif [[ -n "${WITH_READLINE_LIBEDIT}" ]]; then \
grep "^#define HAVE_READLINE_LIBEDIT" config.h; \
elif [[ -n "${WITH_READLINE_READLINE}" ]]; then \
grep "^#define HAVE_READLINE_READLINE" config.h; \
fi
.build: &build_job
<<: *default_triggering_rules
stage: build
@@ -210,7 +189,6 @@ stages:
- test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
script:
- *configure
- *check_readline_setup
- make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
- test -z "${RUN_MAKE_INSTALL}" || make install
- test -z "${RUN_MAKE_INSTALL}" || sh util/check-make-install
@@ -272,7 +250,6 @@ stages:
- cd bin/tests/system
- make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
after_script:
- test -d bind-* && cd bind-*
- cat bin/tests/system/test-suite.log
.system_test: &system_test_job
@@ -477,12 +454,8 @@ tarball-create:
<<: *base_image
<<: *default_triggering_rules
script:
- ./configure --enable-maintainer-mode
- make maintainer-clean
- autoreconf -fi
- ./configure --enable-maintainer-mode
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} all V=1
- if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- make -j${BUILD_PARALLEL_JOBS:-1} dist V=1
artifacts:
paths:
@@ -532,7 +505,7 @@ gcc:alpine3.12:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--enable-dnstap ${WITHOUT_READLINE}"
EXTRA_CONFIGURE: "--enable-dnstap"
<<: *alpine_3_12_amd64_image
<<: *build_job
@@ -580,7 +553,7 @@ gcc:centos8:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2"
EXTRA_CONFIGURE: "--with-libidn2"
<<: *centos_centos8_amd64_image
<<: *build_job
@@ -627,7 +600,6 @@ gcc:buster:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "${WITH_READLINE_LIBEDIT}"
<<: *debian_buster_amd64_image
<<: *build_job
@@ -795,7 +767,7 @@ gcc:tumbleweed:amd64:
variables:
CC: gcc
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--with-libidn2 ${WITH_READLINE_READLINE}"
EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr/lib/mit/bin/krb5-config"
<<: *tumbleweed_latest_amd64_image
<<: *build_job
@@ -1073,7 +1045,6 @@ unit:gcc:softhsm2.6:
clang:freebsd11:amd64:
variables:
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "${WITH_READLINE}"
USER: gitlab-runner
<<: *freebsd_11_amd64_image
<<: *build_job
@@ -1100,7 +1071,7 @@ unit:clang:freebsd11:amd64:
clang:freebsd12:amd64:
variables:
CFLAGS: "${CFLAGS_COMMON}"
EXTRA_CONFIGURE: "--enable-dnstap ${WITH_READLINE_EDITLINE}"
EXTRA_CONFIGURE: "--enable-dnstap"
USER: gitlab-runner
<<: *freebsd_12_amd64_image
<<: *build_job
@@ -1324,7 +1295,7 @@ abi-check:
CC: gcc
CFLAGS: "${CFLAGS_COMMON} -Og"
EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
BIND_BASELINE_VERSION: v9_17_4
BIND_BASELINE_VERSION: v9_17_3
script:
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} V=1

130
CHANGES
View File

@@ -1,20 +1,3 @@
5495. [func] Add a netmgr TLS layer, enabling server-side DoT
support (not yet available), and client-side DoT
support in dig with "dig +tls". [GL #1840]
5494. [bug] Silence the EPROTO syslog message on older systems.
[GL #1928]
5493. [bug] Fix off-by-one error when calculating new hashtable
size. [GL #2104]
5492. [bug] Tighten LOC parsing to reject period and/or m as a
value. Correct handling of negative altitudes which
are not whole metres. [GL #2074]
5491. [bug] rbtversion->glue_table_size could be read without the
appropriate lock being held. [GL #2080]
5490. [func] Refactor the readline support to use pkg-config and
add support for editline library. [GL !3942]
@@ -37,94 +20,73 @@
that the DS record has been published in the parent.
[GL #1613]
--- 9.17.4 released ---
5485. [placeholder]
5484. [func] Expire zero TTL records quickly rather than using them
for stale answers. [GL #1829]
5484. [func] Expire the 0 TTL RRSet quickly rather using them for
stale answers. [GL #1829]
5483. [func] Keeping "stale" answers in cache has been disabled by
default and can be re-enabled with a new configuration
option "stale-cache-enable". [GL #1712]
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
not yet finished after adding a new IPv6 address to the
system, BIND 9 would fail to bind to IPv6 addresses in a
tentative state. [GL #2038]
5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a
tentative state when a new IPv6 address was added to the
system, but the Duplicate Address Detection (DAD)
mechanism had not yet finished. [GL #2038]
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5481. [placeholder]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5480. [placeholder]
5479. [security] named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled. (CVE-2020-8621) [GL #1997]
5479. [placeholder]
5478. [security] It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]
5478. [placeholder]
5477. [bug] The idle timeout for connected TCP sockets, which was
previously set to a high fixed value, is now derived
from the client query processing timeout configured for
a resolver. [GL #2024]
5477. [bug] The idle timeout for connected TCP sockets is now
derived from the client query processing timeout
configured for a resolver. [GL #2024]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5476. [placeholder]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5475. [bug] Fix RPZ wildcard passthru ignored when a rejection
would overwrite a passthru action matching some
rule in a previously loaded passthru rpz zone.
[GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5473. [func] The RBT hash table implementation has been changed
to use a faster hash function (HalfSipHash2-4) and
Fibonacci hashing for better distribution. Setting
"max-cache-size" now preallocates a fixed-size hash
table so that rehashing does not cause resolution
brownouts while the hash table is grown. [GL #1775]
5473. [func] The rbt hashtable implementation has been changed
to use faster hash-function (HalfSipHash2-4) and
uses Fibonacci hashing for better distribution.
Setting the max-cache-size now preallocates fixed
size hashtable, so the rehashing doesn't cause
resolution brownouts when growing the hashtable.
[GL #1775]
5472. [func] The statistics channel has been updated to use the
new network manager. [GL #2022]
5471. [bug] The introduction of KASP support inadvertently caused
the second field of "sig-validity-interval" to always be
calculated in hours, even in cases when it should have
been calculated in days. This has been fixed. (Thanks to
Tony Finch.) [GL !3735]
5471. [bug] The introduction of KASP support broke whether the
second field of sig-validity-interval was treated as
days or hours. (Thanks to Tony Finch.) [GL !3735]
5470. [port] gsskrb5_register_acceptor_identity() is now only called
if gssapi_krb5.h is present. [GL #1995]
5470. [port] illumos: only call gsskrb5_register_acceptor_identity
if we have gssapi_krb5.h. [GL #1995]
5469. [port] On illumos, a constant called SEC is already defined in
<sys/time.h>, which conflicts with an identically named
constant in libbind9. This conflict has been resolved.
[GL #1993]
5469. [port] illumos: SEC is defined in <sys/time.h> which
conflicted with our use of SEC. [GL #1993]
5468. [bug] Addressed potential double unlock in process_fd().
5468. [bug] Address potential double unlock in process_fd().
[GL #2005]
5467. [func] The control channel and the rndc utility have been
updated to use the new network manager. To support
this, the network manager was updated to enable
the initiation of client TCP connections. Its
wthe initiation of client TCP connections. Its
internal reference counting has been refactored.
Note: As a side effect of this change, rndc cannot
Note: As side effects of this change, rndc cannot
currently be used with UNIX-domain sockets, and its
default timeout has changed from 60 seconds to 30.
These will be addressed in a future release.
@@ -133,30 +95,30 @@
5466. [bug] Addressed an error in recursive clients stats reporting.
[GL #1719]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
5465. [func] Fallback to built in trust-anchors, managed-keys, or
trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5464. [bug] Requesting more than 128 files to be saved when rolling
dnstap log files caused a buffer overflow. This has been
fixed. [GL #1989]
5464. [bug] Specifying saving more than 128 files when rolling
dnstap / log files would cause buffer overflow.
[GL #1989]
5463. [placeholder]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
5461. [bug] The STALE rdataset header attribute was updated while
the write lock was not being held, leading to incorrect
statistics. The header attributes are now converted to
use atomic operations. [GL #1475]
5461. [bug] The header STALE attribute was not being updated with
the write lock being held leading to incorrect
statistics. Convert the header attributes to use atomic
operations. [GL #1475]
5460. [cleanup] tsig-keygen was previously an alias for
ddns-confgen and was documented in the ddns-confgen
man page. This has been reversed; tsig-keygen is
now the primary name. [GL #1998]
5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
specified in an "update-policy" rule. [GL #1990]
5459. [bug] Bad isc_mem_put() size when an invalid type was
specified in a update-policy rule. [GL #1990]
--- 9.17.3 released ---

View File

@@ -367,25 +367,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-----------------------------------------------------------------------------
Copyright Joyent, Inc. and other Node contributors. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.

View File

@@ -68,9 +68,6 @@ struct controlkey {
struct controlconnection {
isc_nmhandle_t *handle;
isc_nmhandle_t *readhandle;
isc_nmhandle_t *sendhandle;
isc_nmhandle_t *cmdhandle;
isccc_ccmsg_t ccmsg;
bool ccmsg_valid;
bool sending;
@@ -224,8 +221,10 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
conn->sending = false;
isc_nmhandle_unref(handle);
if (result == ISC_R_CANCELED) {
goto cleanup;
return;
} else if (result != ISC_R_SUCCESS) {
char socktext[ISC_SOCKADDR_FORMATSIZE];
@@ -234,23 +233,16 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
"error sending command response to %s: %s",
socktext, isc_result_totext(result));
goto cleanup;
return;
}
if (conn->readhandle == NULL) {
isc_nmhandle_attach(handle, &conn->readhandle);
}
result = isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage,
conn);
if (result != ISC_R_SUCCESS) {
isc_nmhandle_detach(&conn->readhandle);
maybe_free_listener(listener);
}
listener->listening = true;
cleanup:
isc_nmhandle_detach(&conn->sendhandle);
}
static inline void
@@ -332,11 +324,11 @@ control_respond(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
r.base = conn->buffer->base;
r.length = conn->buffer->used;
isc_nmhandle_attach(handle, &conn->sendhandle);
isc_nmhandle_ref(handle);
conn->sending = true;
result = isc_nm_send(conn->sendhandle, &r, control_senddone, conn);
result = isc_nm_send(handle, &r, control_senddone, conn);
if (result != ISC_R_SUCCESS) {
isc_nmhandle_detach(&conn->sendhandle);
isc_nmhandle_unref(handle);
conn->sending = false;
}
@@ -364,12 +356,17 @@ control_command(isc_task_t *task, isc_event_t *event) {
UNUSED(task);
/*
* An extra ref and two unrefs are needed here to
* ensure the handle isn't cleaned up if we're running
* an "rndc stop" command.
*/
isc_nmhandle_ref(conn->handle);
conn->result = named_control_docommand(conn->request,
listener->readonly, &conn->text);
control_respond(conn->handle, conn->result, conn);
isc_nmhandle_detach(&conn->cmdhandle);
isc_nmhandle_unref(conn->handle);
isc_nmhandle_unref(conn->handle);
isc_event_free(&event);
}
@@ -402,10 +399,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
log_invalid(&conn->ccmsg, result);
}
if (conn->readhandle != NULL) {
isc_nmhandle_detach(&conn->readhandle);
}
return;
}
@@ -431,9 +424,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
REGION_SIZE(conn->secret));
if (result != ISCCC_R_BADAUTH) {
log_invalid(&conn->ccmsg, result);
if (conn->readhandle != NULL) {
isc_nmhandle_detach(&conn->readhandle);
}
return;
}
}
@@ -523,11 +513,10 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
/*
* Trigger the command.
*/
isc_nmhandle_attach(handle, &conn->cmdhandle);
isc_nmhandle_ref(handle);
event = isc_event_allocate(listener->mctx, conn, NAMED_EVENT_COMMAND,
control_command, conn, sizeof(isc_event_t));
isc_task_send(named_g_server->task, &event);
isc_nmhandle_detach(&conn->readhandle);
return;
cleanup:
@@ -545,10 +534,6 @@ cleanup:
if (conn->text != NULL) {
isc_buffer_free(&conn->text);
}
if (conn->readhandle != NULL) {
isc_nmhandle_detach(&conn->readhandle);
}
}
static void
@@ -619,13 +604,9 @@ newconnection(controllistener_t *listener, isc_nmhandle_t *handle) {
ISC_LINK_INIT(conn, link);
if (conn->readhandle == NULL) {
isc_nmhandle_attach(handle, &conn->readhandle);
}
result = isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage,
conn);
if (result != ISC_R_SUCCESS) {
isc_nmhandle_detach(&conn->readhandle);
goto cleanup;
}

View File

@@ -14856,15 +14856,14 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
/* Serial number */
result = dns_zone_getserial(mayberaw, &serial);
/* This is to mirror old behavior with dns_zone_getserial */
/* XXXWPK TODO this is to mirror old behavior with dns_zone_getserial */
if (result != ISC_R_SUCCESS) {
serial = 0;
}
snprintf(serbuf, sizeof(serbuf), "%u", serial);
if (hasraw) {
result = dns_zone_getserial(zone, &signed_serial);
/* XXXWPK TODO ut supra */
if (result != ISC_R_SUCCESS) {
serial = 0;
}

View File

@@ -252,8 +252,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
if (mtype == dns_ssumatchtype_subdomain &&
strcasecmp(str, "zonesub") == 0) {
if (mtype == dns_ssumatchtype_subdomain) {
usezone = true;
}

View File

@@ -24,7 +24,6 @@
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/netmgr.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/refcount.h>
@@ -90,7 +89,6 @@ static uint32_t serial;
static bool quiet = false;
static bool showresult = false;
static bool shuttingdown = false;
isc_nmhandle_t *readhandle = NULL, *sendhandle = NULL;
static void
rndc_startconnect(isc_sockaddr_t *addr);
@@ -290,21 +288,19 @@ get_addresses(const char *host, in_port_t port) {
static void
rndc_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
REQUIRE(handle == sendhandle);
UNUSED(arg);
if (result != ISC_R_SUCCESS) {
fatal("send failed: %s", isc_result_totext(result));
}
isc_nmhandle_detach(&sendhandle);
if (atomic_fetch_sub_release(&sends, 1) == 1 &&
atomic_load_acquire(&recvs) == 0)
{
shuttingdown = true;
isc_task_shutdown(rndc_task);
isc_app_shutdown();
isc_nmhandle_unref(handle);
}
}
@@ -322,10 +318,7 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
atomic_fetch_sub_release(&recvs, 1);
if (shuttingdown && (result == ISC_R_EOF || result == ISC_R_CANCELED)) {
if (readhandle != NULL) {
INSIST(handle == readhandle);
isc_nmhandle_detach(&readhandle);
}
isc_nmhandle_unref(handle);
return;
} else if (result == ISC_R_EOF) {
fatal("connection to remote host closed.\n"
@@ -385,8 +378,8 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
if (atomic_load_acquire(&sends) == 0 &&
atomic_load_acquire(&recvs) == 0) {
isc_nmhandle_detach(&readhandle);
shuttingdown = true;
isc_nmhandle_unref(handle);
isc_task_shutdown(rndc_task);
isc_app_shutdown();
}
@@ -405,13 +398,12 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
isccc_sexpr_t *data;
isc_buffer_t b;
REQUIRE(handle == readhandle);
REQUIRE(ccmsg != NULL);
atomic_fetch_sub_release(&recvs, 1);
if (shuttingdown && result == ISC_R_EOF) {
isc_nmhandle_detach(&readhandle);
isc_nmhandle_unref(handle);
return;
} else if (result == ISC_R_EOF) {
fatal("connection to remote host closed.\n"
@@ -479,9 +471,6 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
isccc_ccmsg_readmessage(ccmsg, rndc_recvdone, ccmsg));
atomic_fetch_add_relaxed(&recvs, 1);
if (sendhandle == NULL) {
isc_nmhandle_attach(handle, &sendhandle);
}
DO("send message", isc_nm_send(handle, &r, rndc_senddone, NULL));
atomic_fetch_add_relaxed(&sends, 1);
@@ -545,16 +534,12 @@ rndc_connected(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
isccc_ccmsg_init(rndc_mctx, handle, ccmsg);
isccc_ccmsg_setmaxsize(ccmsg, 1024 * 1024);
if (readhandle == NULL) {
isc_nmhandle_attach(handle, &readhandle);
}
isc_nmhandle_ref(handle);
DO("schedule recv",
isccc_ccmsg_readmessage(ccmsg, rndc_recvnonce, ccmsg));
atomic_fetch_add_relaxed(&recvs, 1);
if (sendhandle == NULL) {
isc_nmhandle_attach(handle, &sendhandle);
}
DO("send message", isc_nm_send(handle, &r, rndc_senddone, NULL));
atomic_fetch_add_relaxed(&sends, 1);
@@ -1024,7 +1009,7 @@ main(int argc, char **argv) {
isc_mem_create(&rndc_mctx);
netmgr = isc_nm_start(rndc_mctx, 1);
DO("create task manager",
isc_taskmgr_create(rndc_mctx, 1, 0, netmgr, &taskmgr));
isc_taskmgr_create(rndc_mctx, 1, 0, NULL, &taskmgr));
DO("create task", isc_task_create(taskmgr, 0, &rndc_task));
isc_log_create(rndc_mctx, &log, &logconfig);
isc_log_setcontext(log);

View File

@@ -9,6 +9,6 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ./conf.sh
. ../conf.sh
[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1

View File

@@ -1,560 +0,0 @@
#!/usr/bin/perl
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
#
# This is the name server from hell. It provides canned
# responses based on pattern matching the queries, and
# can be reprogrammed on-the-fly over a TCP connection.
#
# The server listens for queries on port 5300 (or PORT).
#
# The server listens for control connections on port 5301 (or EXTRAPORT1).
#
# A control connection is a TCP stream of lines like
#
# /pattern/
# name ttl type rdata
# name ttl type rdata
# ...
# /pattern/
# name ttl type rdata
# name ttl type rdata
# ...
#
# There can be any number of patterns, each associated
# with any number of response RRs. Each pattern is a
# Perl regular expression. If an empty pattern ("//") is
# received, the server will ignore all incoming queries (TCP
# connections will still be accepted, but both UDP queries
# and TCP queries will not be responded to). If a non-empty
# pattern is then received over the same control connection,
# default behavior is restored.
#
# Each incoming query is converted into a string of the form
# "qname qtype" (the printable query domain name, space,
# printable query type) and matched against each pattern.
#
# The first pattern matching the query is selected, and
# the RR following the pattern line are sent in the
# answer section of the response.
#
# Each new control connection causes the current set of
# patterns and responses to be cleared before adding new
# ones.
#
# The server handles UDP and TCP queries. Zone transfer
# responses work, but must fit in a single 64 k message.
#
# Now you can add TSIG, just specify key/key data with:
#
# /pattern <key> <key_data>/
# name ttl type rdata
# name ttl type rdata
#
# Note that this data will still be sent with any request for
# pattern, only this data will be signed. Currently, this is only
# done for TCP.
#
# /pattern bad-id <key> <key_data>/
# /pattern bad-id/
#
# will add 50 to the message id of the response.
use IO::File;
use IO::Socket;
use Data::Dumper;
use Net::DNS;
use Net::DNS::Packet;
use strict;
# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
local $SIG{PIPE} = 'IGNORE';
# Flush logged output after every line
local $| = 1;
# We default to listening on 10.53.0.2 for historical reasons
# XXX: we should also be able to specify IPv6
my $server_addr = "10.53.0.6";
if (@ARGV > 0) {
$server_addr = @ARGV[0];
}
my $mainport = int($ENV{'PORT'});
if (!$mainport) { $mainport = 5300; }
my $ctrlport = int($ENV{'EXTRAPORT1'});
if (!$ctrlport) { $ctrlport = 5301; }
print "listening on $server_addr:$mainport,$ctrlport.\n";
print "Using Net::DNS $Net::DNS::VERSION\n";
# XXX: we should also be able to set the port numbers to listen on.
my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!";
my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
print $pidf "$$\n" or die "cannot write pid file: $!";
$pidf->close or die "cannot close pid file: $!";;
sub rmpid { unlink "ans.pid"; exit 1; };
$SIG{INT} = \&rmpid;
$SIG{TERM} = \&rmpid;
#my @answers = ();
my @rules;
my $udphandler;
my $tcphandler;
sub handleUDP {
my ($buf) = @_;
my $request;
if ($Net::DNS::VERSION > 0.68) {
$request = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($request, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
my @questions = $request->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
my $qclass = $questions[0]->qclass;
my $id = $request->header->id;
my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
$packet->header->qr(1);
$packet->header->aa(1);
$packet->header->id($id);
# get the existing signature if any, and clear the additional section
my $prev_tsig;
while (my $rr = $request->pop("additional")) {
$prev_tsig = $rr if ($rr->type eq "TSIG");
}
my $r;
my $answers = 0;
my $match;
my $key_name;
my $key_data;
foreach $r (@rules) {
my $pattern = $r->{pattern};
($match, $key_name, $key_data) = split(/ /,$pattern);
print "[handleUDP] $match, $key_name, $key_data\n";
$match =~ tr/\// /;
if ("$qname $qtype" =~ /$match/) {
my $a;
foreach $a (@{$r->{answer}}) {
my $resp;
$resp = new Net::DNS::RR("$qname $a");
$packet->push("answer", $resp);
++$answers;
}
last;
}
}
if ($answers eq 0) {
my $soa;
$soa = new Net::DNS::RR("$qname 300 IN SOA . . 0 0 0 0 0");
$packet->push("authority", $soa)
}
if (defined($key_name) && defined($key_data)) {
my $tsig;
# Sign the packet
print " Signing the response with " .
"$key_name/$key_data\n";
if ($Net::DNS::VERSION < 0.69) {
$tsig = Net::DNS::RR->new(
"$key_name TSIG $key_data");
} else {
$tsig = Net::DNS::RR->new(
name => $key_name,
type => 'TSIG',
key => $key_data);
}
# These kluges are necessary because Net::DNS
# doesn't know how to sign responses. We
# clear compnames so that the TSIG key and
# algorithm name won't be compressed, and
# add one to arcount because the signing
# function will attempt to decrement it,
# which is incorrect in a response. Finally
# we set request_mac to the previous digest.
$packet->{"compnames"} = {}
if ($Net::DNS::VERSION < 0.70);
$packet->{"header"}{"arcount"} += 1
if ($Net::DNS::VERSION < 0.70);
if (defined($prev_tsig)) {
if ($Net::DNS::VERSION < 0.73) {
my $rmac = pack('n H*',
length($prev_tsig->mac)/2,
$prev_tsig->mac);
$tsig->{"request_mac"} =
unpack("H*", $rmac);
} else {
$tsig->request_mac(
$prev_tsig->mac);
}
}
$packet->sign_tsig($tsig);
}
#$packet->print;
return $packet->data;
}
# namelen:
# given a stream of data, reads a DNS-formatted name and returns its
# total length, thus making it possible to skip past it.
sub namelen {
my ($data) = @_;
my $len = 0;
my $label_len = 0;
do {
$label_len = unpack("c", $data);
$data = substr($data, $label_len + 1);
$len += $label_len + 1;
} while ($label_len != 0);
return ($len);
}
# packetlen:
# given a stream of data, reads a DNS wire-format packet and returns
# its total length, making it possible to skip past it.
sub packetlen {
my ($data) = @_;
my $q;
my $rr;
my $header;
my $offset;
#
# decode/encode were introduced in Net::DNS 0.68
# parse is no longer a method and calling it here makes perl croak.
#
my $decode = 0;
$decode = 1 if ($Net::DNS::VERSION >= 0.68);
if ($decode) {
($header, $offset) = Net::DNS::Header->decode(\$data);
} else {
($header, $offset) = Net::DNS::Header->parse(\$data);
}
for (1 .. $header->qdcount) {
if ($decode) {
($q, $offset) =
Net::DNS::Question->decode(\$data, $offset);
} else {
($q, $offset) =
Net::DNS::Question->parse(\$data, $offset);
}
}
for (1 .. $header->ancount) {
if ($decode) {
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
} else {
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
}
for (1 .. $header->nscount) {
if ($decode) {
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
} else {
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
}
for (1 .. $header->arcount) {
if ($decode) {
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
} else {
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
}
}
return $offset;
}
# sign_tcp_continuation:
# This is a hack to correct the problem that Net::DNS has no idea how
# to sign multiple-message TCP responses. Several data that are included
# in the digest when signing a query or the first message of a response are
# omitted when signing subsequent messages in a TCP stream.
#
# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
# function (specified by calling Packet->sign_func()). We use this
# function as the signing function for TCP continuations, and it removes
# the unwanted data from the digest before calling the default sign_hmac
# function.
sub sign_tcp_continuation {
my ($key, $data) = @_;
# copy out first two bytes: size of the previous MAC
my $rmacsize = unpack("n", $data);
$data = substr($data, 2);
# copy out previous MAC
my $rmac = substr($data, 0, $rmacsize);
$data = substr($data, $rmacsize);
# try parsing out the packet information
my $plen = packetlen($data);
my $pdata = substr($data, 0, $plen);
$data = substr($data, $plen);
# remove the keyname, ttl, class, and algorithm name
$data = substr($data, namelen($data));
$data = substr($data, 6);
$data = substr($data, namelen($data));
# preserve the TSIG data
my $tdata = substr($data, 0, 8);
# prepare a new digest and sign with it
$data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
return Net::DNS::RR::TSIG::sign_hmac($key, $data);
}
sub handleTCP {
my ($buf) = @_;
my $request;
if ($Net::DNS::VERSION > 0.68) {
$request = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($request, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
my @questions = $request->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
my $qclass = $questions[0]->qclass;
my $id = $request->header->id;
my $opaque;
my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
$packet->header->qr(1);
$packet->header->aa(1);
$packet->header->id($id);
# get the existing signature if any, and clear the additional section
my $prev_tsig;
my $signer;
my $continuation = 0;
if ($Net::DNS::VERSION < 0.81) {
while (my $rr = $request->pop("additional")) {
if ($rr->type eq "TSIG") {
$prev_tsig = $rr;
}
}
}
my @results = ();
my $count_these = 0;
my $r;
my $answers = 0;
my $match;
my $key_name;
my $key_data;
my $tname;
foreach $r (@rules) {
my $pattern = $r->{pattern};
my($match, $key_name, $key_data, $tname) = split(/ /,$pattern);
print "[handleTCP] $match, $key_name, $key_data, $tname \n";
$match =~ tr/\// /;
if ("$qname $qtype" =~ /$match/) {
$count_these++;
my $a;
foreach $a (@{$r->{answer}}) {
my $resp;
$resp = new Net::DNS::RR("$qname $a");
$packet->push("answer", $resp);
++$answers;
}
last;
}
}
if ($answers eq 0) {
my $soa;
$soa = new Net::DNS::RR("$qname 300 SOA . . 0 0 0 0 0");
$packet->push("authority", $soa)
}
if (defined($key_name) && $key_name eq "bad-id") {
$packet->header->id(($id+50)%0xffff);
$key_name = $key_data;
($key_data, $tname) = split(/ /,$tname)
}
if (defined($key_name) && defined($key_data)) {
my $tsig;
# sign the packet
print " Signing the data with " .
"$key_name/$key_data\n";
if ($Net::DNS::VERSION < 0.69) {
$tsig = Net::DNS::RR->new(
"$key_name TSIG $key_data");
} elsif ($Net::DNS::VERSION >= 0.81 &&
$continuation) {
} elsif ($Net::DNS::VERSION >= 0.75 &&
$continuation) {
$tsig = $prev_tsig;
} else {
$tsig = Net::DNS::RR->new(
name => $key_name,
type => 'TSIG',
key => $key_data);
}
# These kluges are necessary because Net::DNS
# doesn't know how to sign responses. We
# clear compnames so that the TSIG key and
# algorithm name won't be compressed, and
# add one to arcount because the signing
# function will attempt to decrement it,
# which is incorrect in a response. Finally
# we set request_mac to the previous digest.
$packet->{"compnames"} = {}
if ($Net::DNS::VERSION < 0.70);
$packet->{"header"}{"arcount"} += 1
if ($Net::DNS::VERSION < 0.70);
if (defined($prev_tsig)) {
if ($Net::DNS::VERSION < 0.73) {
my $rmac = pack('n H*',
length($prev_tsig->mac)/2,
$prev_tsig->mac);
$tsig->{"request_mac"} =
unpack("H*", $rmac);
} elsif ($Net::DNS::VERSION < 0.81) {
$tsig->request_mac(
$prev_tsig->mac);
}
}
$tsig->sign_func($signer) if defined($signer);
$tsig->continuation($continuation) if
($Net::DNS::VERSION >= 0.71 &&
$Net::DNS::VERSION <= 0.74 );
if ($Net::DNS::VERSION < 0.81) {
$packet->sign_tsig($tsig);
} elsif ($continuation) {
$opaque = $packet->sign_tsig($opaque);
} else {
$opaque = $packet->sign_tsig($request);
}
$signer = \&sign_tcp_continuation
if ($Net::DNS::VERSION < 0.70);
$continuation = 1;
my $copy =
Net::DNS::Packet->new(\($packet->data));
$prev_tsig = $copy->pop("additional");
}
#$packet->print;
push(@results,$packet->data);
if ($tname eq "") {
$tname = $qname;
}
$packet = new Net::DNS::Packet($tname, $qtype, $qclass);
$packet->header->qr(1);
$packet->header->aa(1);
$packet->header->id($id);
print " A total of $count_these patterns matched\n";
return \@results;
}
# Main
my $rin;
my $rout;
for (;;) {
$rin = '';
vec($rin, fileno($ctlsock), 1) = 1;
vec($rin, fileno($tcpsock), 1) = 1;
vec($rin, fileno($udpsock), 1) = 1;
select($rout = $rin, undef, undef, undef);
if (vec($rout, fileno($ctlsock), 1)) {
warn "ctl conn";
my $conn = $ctlsock->accept;
my $rule = ();
@rules = ();
while (my $line = $conn->getline) {
chomp $line;
if ($line =~ m!^/(.*)/$!) {
if (length($1) == 0) {
$udphandler = sub { return; };
$tcphandler = sub { return; };
} else {
$udphandler = \&handleUDP;
$tcphandler = \&handleTCP;
$rule = { pattern => $1, answer => [] };
push(@rules, $rule);
}
} else {
push(@{$rule->{answer}}, $line);
}
}
$conn->close;
#print Dumper(@rules);
#print "+=+=+ $rules[0]->{'pattern'}\n";
#print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n";
#print "+=+=+ $rules[0]->{'answer'}->[0]\n";
} elsif (vec($rout, fileno($udpsock), 1)) {
printf "UDP request\n";
my $buf;
$udpsock->recv($buf, 512);
my $result = &$udphandler($buf);
if (defined($result)) {
my $num_chars = $udpsock->send($result);
print " Sent $num_chars bytes via UDP\n";
}
} elsif (vec($rout, fileno($tcpsock), 1)) {
my $conn = $tcpsock->accept;
my $buf;
for (;;) {
my $lenbuf;
my $n = $conn->sysread($lenbuf, 2);
last unless $n == 2;
my $len = unpack("n", $lenbuf);
$n = $conn->sysread($buf, $len);
last unless $n == $len;
print "TCP request\n";
my $result = &$tcphandler($buf);
if (defined($result)) {
foreach my $response (@$result) {
$len = length($response);
$n = $conn->syswrite(pack("n", $len), 2);
$n = $conn->syswrite($response, $len);
print " Sent: $n chars via TCP\n";
}
}
}
$conn->close;
}
}

View File

View File

@@ -16,6 +16,3 @@ rm -f ./*/named.memstats
rm -f ./*/named.run ./*/named.run.prev
rm -f ./ns*/named.lock
rm -f ./ns*/managed-keys.bind*
rm -f ./ns1/root.db ./ns1/root.db.signed
rm -f ./ns*/trusted.conf
rm -f ./ns1/K* ./ns1/dsset-*

View File

@@ -23,7 +23,7 @@ options {
zone "." {
type primary;
file "root.db.signed";
file "root.db";
};
zone "example1." {

View File

@@ -29,6 +29,3 @@ ns.example3 A 10.53.0.1
example7 NS ns.example7
ns.example7 A 10.53.0.2
tld NS ns.tld
ns.tld A 10.53.0.2

View File

@@ -1,32 +0,0 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
set -e
zone=.
infile=root.db.in
zonefile=root.db
echo_i "ns1/sign.sh"
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
# Configure the resolving server with a static key.
keyfile_to_static_ds "$ksk" > trusted.conf
cp trusted.conf ../ns3/trusted.conf

View File

@@ -22,15 +22,6 @@ options {
dnssec-validation yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "root.db";

View File

@@ -1,38 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
forwarders { 10.53.0.6; };
dnssec-validation yes;
};
include "trusted.conf";
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "root.db";
};

View File

@@ -14,13 +14,8 @@
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
(
cd ns1
$SHELL sign.sh
)

View File

@@ -18,10 +18,6 @@ sendcmd() (
send 10.53.0.6 "$EXTRAPORT1"
)
rndccmd() {
"$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
}
root=10.53.0.1
hidden=10.53.0.2
f1=10.53.0.3
@@ -233,24 +229,6 @@ grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
ret=0
copy_setports ns3/named2.conf.in ns3/named.conf
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
sleep 1
sendcmd << EOF
/ns1.sld.tld/A/
300 A 10.53.0.2
/sld.tld/NS/
300 NS ns1.sld.tld.
/sld.tld/
EOF
nextpart ns3/named.run >/dev/null
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

View File

@@ -103,20 +103,15 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking drop edns server setup ($n)"
ret=0
echo x
$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1
echo x
grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1
echo x
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1
echo x
grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1
$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1
echo x
grep "connection timed out; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`

View File

@@ -37,16 +37,6 @@ key altkey {
secret "1234abcd8765";
};
key restricted.example.nil {
algorithm hmac-md5;
secret "1234abcd8765";
};
key zonesub-key.example.nil {
algorithm hmac-md5;
secret "1234subk8765";
};
include "ddns.key";
zone "example.nil" {
@@ -55,9 +45,7 @@ zone "example.nil" {
check-integrity no;
check-mx ignore;
update-policy {
grant zonesub-key.example.nil zonesub TXT;
grant ddns-key.example.nil subdomain example.nil ANY;
grant restricted.example.nil subdomain restricted.example.nil ANY;
};
allow-transfer { any; };
};

View File

@@ -429,7 +429,7 @@ EOF
# this also proves that the server is still running.
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -444,7 +444,7 @@ EOF
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
@@ -461,7 +461,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -486,7 +486,7 @@ EOF
_ret=1
for i in 0 1 2 3 4 5 6 7 8 9; do
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
_ret=0
break
fi
@@ -639,58 +639,6 @@ then
echo_i "failed"; status=1
fi
n=`expr $n + 1`
ret=0
echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
# and thus this UPDATE should succeed.
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
key restricted.example.nil 1234abcd8765
update add restricted.example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
# thus this UPDATE should fail.
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
key restricted.example.nil 1234abcd8765
update add example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=`expr $n + 1`
ret=0
echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
# grant zonesub-key.example.nil zonesub TXT;
# the A record update should be rejected as it is not in the type list
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
server 10.53.0.1 ${PORT}
key zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN A 1.2.3.4
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
# the TXT record update should be accepted as it is in the type list
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
server 10.53.0.1 ${PORT}
key zonesub-key.example.nil 1234subk8765
update add zonesub.example.nil 0 IN TXT everywhere.
send
END
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=`expr $n + 1`
ret=0
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"

View File

@@ -26,10 +26,12 @@ $DIFF ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; }
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check pipelined TCP queries using mdig"
ret=0
# flush resolver so queries will be from others again
$RNDCCMD 10.53.0.4 flush
sleep 1
echo_i "check pipelined TCP queries using mdig"
ret=0
$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig
awk '{ print $1 " " $5 }' < raw.mdig > output.mdig
sort < output.mdig > output-sorted.mdig
@@ -40,8 +42,6 @@ status=`expr $status + $ret`
echo_i "check keep-response-order"
ret=0
$RNDCCMD 10.53.0.4 flush
sleep 1
$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
awk '{ print $1 " " $5 }' < rawb > outputb
$DIFF refb outputb || ret=1
@@ -50,8 +50,6 @@ status=`expr $status + $ret`
echo_i "check keep-response-order using mdig"
ret=0
$RNDCCMD 10.53.0.4 flush
sleep 1
$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig
awk '{ print $1 " " $5 }' < rawb.mdig > outputb.mdig
$DIFF refb outputb.mdig || ret=1
@@ -60,8 +58,6 @@ status=`expr $status + $ret`
echo_i "check mdig -4 -6"
ret=0
$RNDCCMD 10.53.0.4 flush
sleep 1
$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1
grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi

View File

@@ -1,20 +0,0 @@
00000000: 0137 edda 2800 0001 0000 0001 0000 0972 .7..(..........r
00000010: 7361 7368 6132 3536 0765 7861 6d70 6c65 sasha256.example
00000020: 0000 0600 01c0 0c00 3000 0100 0001 2c01 ........0.....,.
00000030: 0801 0003 0803 0100 0100 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000130: 0000 0000 0000 0000 00 .........

View File

@@ -137,10 +137,5 @@ echo_i "Checking if all supported algorithms were tested"
[ "$n" -eq "$(wc -l < supported)" ] || ret=1
test_done
echo_i "Checking for assertion failure in pk11_numbits()"
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
test_done
echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1

View File

@@ -15,7 +15,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
};
view normal {

View File

@@ -70,7 +70,7 @@ if ! $do_run; then
if [ "$baseport" -eq 0 ]; then
log_flags="$log_flags -p 5300"
fi
env - SLOT="$SLOT" SOFTHSM2_CONF="$SOFTHSM2_CONF" PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" make -e check
env - PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" make -e check
exit $?
fi

View File

@@ -8,10 +8,11 @@
# information regarding copyright ownership.
rm -f ns*/*.jnl
rm -f ns*/named.conf
rm -f ns*/named.lock
rm -f ns*/named.memstats
rm -f ns*/named.run
rm -f ns*/rpz*.txt
rm -f */named.conf
rm -f */named.run
rm -f resolver/named.conf
rm -rf __pycache__
rm -f *.status

View File

@@ -1,11 +1,3 @@
logging {
channel basic {
file "named.run";
severity debug 999;
print-time yes;
};
category default { basic; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;

View File

@@ -183,13 +183,5 @@ grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1))
echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)"
ret=0
$PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t udp 1996-alloc_dnsbuf-crash-test.pkt || ret=1
dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

View File

@@ -1,50 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
#
# An adhoc server that returns a TC=1 response with the final byte
# removed to generate UNEXPECTEDEND form dns_message_parse.
#
use IO::File;
use IO::Socket;
my $localport = int($ENV{'PORT'});
if (!$localport) { $localport = 5300; }
printf "localport %u\n", $localport;
my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
LocalPort => $localport, Proto => "udp") or die "$!";
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
print $pidf "$$\n" or die "cannot write pid file: $!";
$pidf->close or die "cannot close pid file: $!";
sub rmpid { unlink "ans.pid"; exit 1; };
$SIG{INT} = \&rmpid;
$SIG{TERM} = \&rmpid;
sub arraystring {
my $string = join("", @_);
return $string;
}
for (;;) {
$from = $sock->recv($buf, 512);
($port, $ip_address) = unpack_sockaddr_in($from);
$l = length($buf);
printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port;
@up = unpack("C[$l]", $buf);
$up[2] |= 0x80; # QR
$up[2] |= 0x02; # TC
$up[3] |= 0x80; # RA
$l -= 1; # truncate the response 1 byte
$replydata = pack("C[$l]", @up);
printf "sent %u bytes\n", $sock->send($replydata);
}

View File

@@ -17,7 +17,7 @@ options {
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
recursion no;
notify no;
};
@@ -85,13 +85,3 @@ zone "example.nil" {
type primary;
file "example.db";
};
server 10.53.0.2 {
keys sha256;
};
zone "bad-tsig" {
type forward;
forwarders { 10.53.0.2; };
forward only;
};

View File

@@ -232,13 +232,6 @@ then
fi
fi
echo_i "check that a malformed truncated response to a TSIG query is handled"
ret=0
$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=1
fi
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

View File

@@ -14,7 +14,7 @@
#
m4_define([bind_VERSION_MAJOR], 9)dnl
m4_define([bind_VERSION_MINOR], 17)dnl
m4_define([bind_VERSION_PATCH], 4)dnl
m4_define([bind_VERSION_PATCH], 3)dnl
m4_define([bind_VERSION_EXTRA], )dnl
m4_define([bind_DESCRIPTION], [(Development Release)])dnl
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
@@ -131,7 +131,7 @@ AC_CONFIG_FILES([libltdl/Makefile])
#
# Set the default CFLAGS and CPPFLAGS
#
STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow"
STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow"
# These should be always errors
STD_CFLAGS="$STD_CFLAGS -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes"
@@ -563,15 +563,6 @@ LIBS="$LIBS $LIBUV_LIBS"
AC_CHECK_FUNCS([uv_handle_get_data uv_handle_set_data uv_import])
AX_RESTORE_FLAGS([libuv])
# libnghttp2
AC_MSG_CHECKING([for libnghttp2])
PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.40.0], [],
[AC_MSG_ERROR([libnghttp2 not found])])
AX_SAVE_FLAGS([libnghttp2])
CFLAGS="$CFLAGS $LIBNGHTTP2_CFLAGS"
LIBS="$LIBS $LIBNGHTTP2_LIBS"
#
# flockfile is usually provided by pthreads
#
@@ -601,7 +592,7 @@ CRYPTO=OpenSSL
#
# OpenSSL/LibreSSL is mandatory
#
PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [],
PKG_CHECK_MODULES([OPENSSL], [libcrypto], [],
[AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])])
AX_SAVE_FLAGS([openssl])
@@ -996,10 +987,10 @@ AC_ARG_WITH([readline],
AS_CASE([$with_readline],
[no],[],
[auto|yes],
[auto],
[PKG_CHECK_MODULES([READLINE], [libedit],
[AC_DEFINE([HAVE_READLINE_LIBEDIT], [1], [Build with libedit support])],
[PKG_CHECK_MODULES([READLINE], [libeditline],
[PKG_CHECK_MODULES([READLINE], [editline],
[AC_DEFINE([HAVE_READLINE_EDITLINE], [1], [Build with editline support.])],
[PKG_CHECK_MODULES([READLINE], [readline],
[AC_DEFINE([HAVE_READLINE_READLINE], [1], [Build with readline support.])],
@@ -1009,7 +1000,7 @@ AS_CASE([$with_readline],
[PKG_CHECK_MODULES([READLINE], [libedit],
[AC_DEFINE([HAVE_READLINE_LIBEDIT], [1], [Build with libedit support])])],
[editline],
[PKG_CHECK_MODULES([READLINE], [libeditline],
[PKG_CHECK_MODULES([READLINE], [editline],
[AC_DEFINE([HAVE_READLINE_EDITLINE], [1], [Build with editline support])])],
[readline],
[PKG_CHECK_MODULES([READLINE], [readline],

View File

@@ -53,7 +53,6 @@ information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.4.rst
.. include:: ../notes/notes-9.17.3.rst
.. include:: ../notes/notes-9.17.2.rst
.. include:: ../notes/notes-9.17.1.rst

View File

@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
.SH SYNOPSIS
.sp
\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-r\fP randomfile] [name]
\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-r\fP randomfile] [\fB\-s\fP name]
.sp
\fBddns\-confgen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-q\fP] [\fB\-r\fP randomfile] [\fB\-s\fP name] [\fB\-z\fP zone]
.SH DESCRIPTION

View File

@@ -1,127 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.4
---------------------
Security Fixes
~~~~~~~~~~~~~~
- It was possible to trigger an assertion failure by sending a specially
crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
bringing this vulnerability to our attention. [GL #1996]
- ``named`` could crash after failing an assertion check in certain
query resolution scenarios where QNAME minimization and forwarding
were both enabled. To prevent such crashes, QNAME minimization is now
always disabled for a given query resolution process, if forwarders
are used at any point. This was disclosed in CVE-2020-8621.
ISC would like to thank Joseph Gullo for bringing this vulnerability
to our attention. [GL #1997]
- It was possible to trigger an assertion failure when verifying the
response to a TSIG-signed request. This was disclosed in
CVE-2020-8622.
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention. [GL #2028]
- When BIND 9 was compiled with native PKCS#11 support, it was possible
to trigger an assertion failure in code determining the number of bits
in the PKCS#11 RSA public key with a specially crafted packet. This
was disclosed in CVE-2020-8623.
ISC would like to thank Lyu Chiy for bringing this vulnerability to
our attention. [GL #2037]
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
to update names outside of the specified subdomains. The problem was
fixed by making sure ``subdomain`` rules are again processed as
described in the ARM. This was disclosed in CVE-2020-8624.
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
vulnerability to our attention. [GL #2055]
New Features
~~~~~~~~~~~~
- A new configuration option ``stale-cache-enable`` has been introduced
to enable or disable keeping stale answers in cache. [GL #1712]
- ``rndc`` has been updated to use the new BIND network manager API.
This change had the side effect of altering the TCP timeout for RNDC
connections from 60 seconds to the ``tcp-idle-timeout`` value, which
defaults to 30 seconds. Also, because the network manager currently
has no support for UNIX-domain sockets, those cannot now be used
with ``rndc``. This will be addressed in a future release, either by
restoring UNIX-domain socket support or by formally declaring them
to be obsolete in the control channel. [GL #1759]
- Statistics channels have also been updated to use the new BIND network
manager API. [GL #2022]
Feature Changes
~~~~~~~~~~~~~~~
- BIND's cache database implementation has been updated to use a faster
hash function with better distribution. In addition, the effective
``max-cache-size`` (configured explicitly, defaulting to a value based
on system memory or set to ``unlimited``) now pre-allocates fixed-size
hash tables. This prevents interruption to query resolution when the
hash table sizes need to be increased. [GL #1775]
- Keeping stale answers in cache has been disabled by default.
[GL #1712]
- Resource records received with 0 TTL are no longer kept in the cache
to be used for stale answers. [GL #1829]
Bug Fixes
~~~~~~~~~
- Wildcard RPZ passthru rules could incorrectly be overridden by other
rules that were loaded from RPZ zones which appeared later in the
``response-policy`` statement. This has been fixed. [GL #1619]
- The IPv6 Duplicate Address Detection (DAD) mechanism could
inadvertently prevent ``named`` from binding to new IPv6 interfaces,
by causing multiple route socket messages to be sent for each IPv6
address. ``named`` monitors for new interfaces to ``bind()`` to when
it is configured to listen on ``any`` or on a specific range of
addresses. New IPv6 interfaces can be in a "tentative" state before
they are fully available for use. When DAD is in use, two messages are
emitted by the route socket: one when the interface first appears and
then a second one when it is fully "up." An attempt by ``named`` to
``bind()`` to the new interface prematurely would fail, causing it
thereafter to ignore that address/interface. The problem was worked
around by setting the ``IP_FREEBIND`` option on the socket and trying
to ``bind()`` to each IPv6 address again if the first ``bind()`` call
for that address failed with ``EADDRNOTAVAIL``. [GL #2038]
- Addressed an error in recursive clients stats reporting which could
cause underflow, and even negative statistics. There were occasions
when an incoming query could trigger a prefetch for some eligible
RRset, and if the prefetch code were executed before recursion, no
increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed
before the prefetch, the same counter would be decremented without a
matching increment. [GL #1719]
- The introduction of KASP support inadvertently caused the second field
of ``sig-validity-interval`` to always be calculated in hours, even in
cases when it should have been calculated in days. This has been
fixed. (Thanks to Tony Finch.) [GL !3735]
- LMDB locking code was revised to make ``rndc reconfig`` work properly
on FreeBSD and with LMDB >= 0.9.26. [GL #1976]

View File

@@ -8,7 +8,7 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.5
Notes for BIND 9.17.4
---------------------
Security Fixes
@@ -29,19 +29,56 @@ New Features
from the parent. Replaces the time-based ``parent-registration-delay``
configuration option. [GL #1613]
- ``rndc`` has been updated to use the new BIND network manager API.
This change had the side effect of altering the TCP timeout for RNDC
connections from 60 seconds to the ``tcp-idle-timeout`` value, which
defaults to 30 seconds. Also, because the network manager currently
has no support for UNIX-domain sockets, those cannot now be used
with ``rndc``. This will be addressed in a future release, either by
restoring UNIX-domain socket support or by formally declaring them
to be obsolete in the control channel. [GL #1759]
- Statistics channels have also been updated to use the new BIND network
manager API. [GL #2022]
- A new configuration option ``stale-cache-enable`` has been introduced to
enable or disable the keeping of stale answers in cache. [GL #1712]
Feature Changes
~~~~~~~~~~~~~~~
- None.
- BIND's cache database implementation has been updated to use a faster
hash-function with better distribution. In addition, the effective
max-cache-size (configured explicitly, defaulting to a value based on system
memory or set to 'unlimited') now pre-allocates fixed size hash tables. This
prevents interruption to query resolution when the hash tables need to be
increased in size. [GL #1775]
- Keeping stale answers in cache has been disabled by default.
- The resource records received with 0 TTL are no longer kept in the cache
to be used for stale answers. [GL #1829]
Bug Fixes
~~~~~~~~~
- In rare circumstances, named would exit with assertion failure when the number
of nodes stored in the red-black-tree exceeds the maximum allowed size of the
internal hashtable. [GL #2104]
- Addressed an error in recursive clients stats reporting.
There were occasions when an incoming query could trigger a prefetch for
some eligible rrset, and if the prefetch code were executed before recursion,
no increment in recursive clients stats would take place. Conversely,
when processing the answers, if the recursion code were executed before the
prefetch, the same counter would be decremented without a matching increment.
[GL #1719]
- Silence spurious system log messages for EPROTO(71) error code that has been
seen on older operating systems where unhandled ICMPv6 errors result in a
generic protocol error being returned instead of the more specific error code.
[GL #1928]
- The introduction of KASP support broke whether the second field
of sig-validity-interval was treated as days or hours. (Thanks to
Tony Finch.) [GL !3735]
- The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating
system to report the new IPv6 addresses to the applications via the
getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD
failed) state. Such addresses cannot be bound by an application, and named
failed to listen on IPv6 addresses after the DAD mechanism finished. It is
possible to work around the issue by setting the IP_FREEBIND option on the
socket and trying to bind() to the IPv6 address again if the first bind() call
fails with EADDRNOTAVAIL. [GL #2038]

1
fuzz/.gitignore vendored
View File

@@ -1,6 +1,5 @@
/*.dSYM/
/*.out/
/dns_message_parse
/dns_name_fromtext_target
/dns_rdata_fromwire_text
/isc_lex_getmastertoken

View File

@@ -15,18 +15,15 @@ LDADD = \
check_LTLIBRARIES = libfuzzmain.la
libfuzzmain_la_SOURCES = \
fuzz.h \
main.c
check_PROGRAMS = \
dns_message_parse \
dns_name_fromtext_target \
dns_rdata_fromwire_text \
isc_lex_getmastertoken \
isc_lex_gettoken
EXTRA_DIST = \
dns_message_parse.in \
dns_name_fromtext_target.in \
dns_rdata_fromwire_text.in \
isc_lex_getmastertoken.in \

View File

@@ -1,178 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/file.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/message.h>
#include <dns/result.h>
#include "fuzz.h"
bool debug = false;
static isc_mem_t *mctx = NULL;
static uint8_t *output = NULL;
static size_t output_len = 1024;
static uint8_t *render_buf[64 * 1024];
int
LLVMFuzzerInitialize(int *argc __attribute__((unused)),
char ***argv __attribute__((unused))) {
isc_mem_create(&mctx);
output = isc_mem_get(mctx, output_len);
return (0);
}
static isc_result_t
parse_message(isc_buffer_t *input, dns_message_t **messagep) {
isc_result_t result;
dns_message_t *message = NULL;
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
if (result != ISC_R_SUCCESS) {
return (result);
}
result = dns_message_parse(message, input, DNS_MESSAGEPARSE_BESTEFFORT);
if (result == DNS_R_RECOVERABLE) {
result = ISC_R_SUCCESS;
}
if (result == ISC_R_SUCCESS && messagep != NULL) {
*messagep = message;
} else {
dns_message_destroy(&message);
}
return (result);
}
static isc_result_t
print_message(dns_message_t *message) {
isc_result_t result;
isc_buffer_t buffer;
do {
isc_buffer_init(&buffer, output, output_len);
result = dns_message_totext(message, &dns_master_style_debug, 0,
&buffer);
if (result == ISC_R_NOSPACE) {
isc_mem_put(mctx, output, output_len);
output_len *= 2;
output = isc_mem_get(mctx, output_len);
continue;
}
} while (result == ISC_R_NOSPACE);
return (result);
}
#define CHECKRESULT(r, f) \
{ \
r = (f); \
if (r != ISC_R_SUCCESS) { \
return (r); \
} \
}
static isc_result_t
render_message(dns_message_t **messagep) {
isc_result_t result;
dns_message_t *message = *messagep;
isc_buffer_t buffer;
dns_compress_t cctx;
isc_buffer_constinit(&buffer, render_buf, sizeof(render_buf));
message->from_to_wire = DNS_MESSAGE_INTENTRENDER;
for (size_t i = 0; i < DNS_SECTION_MAX; i++) {
message->counts[i] = 0;
}
CHECKRESULT(result, dns_compress_init(&cctx, -1, mctx));
CHECKRESULT(result, dns_message_renderbegin(message, &cctx, &buffer));
CHECKRESULT(result, dns_message_rendersection(message,
DNS_SECTION_QUESTION, 0));
CHECKRESULT(result,
dns_message_rendersection(message, DNS_SECTION_ANSWER, 0));
CHECKRESULT(result, dns_message_rendersection(
message, DNS_SECTION_AUTHORITY, 0));
CHECKRESULT(result, dns_message_rendersection(
message, DNS_SECTION_ADDITIONAL, 0));
dns_message_renderend(message);
dns_compress_invalidate(&cctx);
message->from_to_wire = DNS_MESSAGE_INTENTPARSE;
dns_message_destroy(messagep);
result = parse_message(&buffer, messagep);
return (result);
}
int
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
isc_buffer_t buffer;
isc_result_t result;
dns_message_t *message = NULL;
if (size > 65535) {
return (0);
}
isc_buffer_constinit(&buffer, data, size);
isc_buffer_add(&buffer, size);
isc_buffer_setactive(&buffer, size);
result = parse_message(&buffer, &message);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result = print_message(message);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result = render_message(&message);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
result = print_message(message);
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
cleanup:
if (message != NULL) {
dns_message_destroy(&message);
}
return (0);
}

Some files were not shown because too many files have changed in this diff Show More