Compare commits
1 Commits
wpk-handle
...
marka-clos
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
6c0747fc2b |
@@ -31,12 +31,6 @@ variables:
|
||||
|
||||
AM_COLOR_TESTS: always
|
||||
|
||||
WITHOUT_READLINE: "--without-readline"
|
||||
WITH_READLINE: "--with-readline"
|
||||
WITH_READLINE_EDITLINE: "--with-readline=editline"
|
||||
WITH_READLINE_LIBEDIT: "--with-readline=libedit"
|
||||
WITH_READLINE_READLINE: "--with-readline=readline"
|
||||
|
||||
stages:
|
||||
- autoconf
|
||||
- precheck
|
||||
@@ -187,21 +181,6 @@ stages:
|
||||
$EXTRA_CONFIGURE \
|
||||
|| cat config.log
|
||||
|
||||
.check_readline_setup: &check_readline_setup |
|
||||
if [[ -n "${WITHOUT_READLINE}" ]]; then \
|
||||
! grep "^#define HAVE_READLINE" config.h; \
|
||||
elif [[ -n "${WITH_READLINE}" ]]; then \
|
||||
grep -e "^#define HAVE_READLINE_READLINE" \
|
||||
-e "^#define HAVE_READLINE_LIBEDIT" \
|
||||
-e "^#define HAVE_READLINE_EDITLINE" config.h; \
|
||||
elif [[ -n "${WITH_READLINE_EDITLINE}" ]]; then \
|
||||
grep "^#define HAVE_READLINE_EDITLINE" config.h; \
|
||||
elif [[ -n "${WITH_READLINE_LIBEDIT}" ]]; then \
|
||||
grep "^#define HAVE_READLINE_LIBEDIT" config.h; \
|
||||
elif [[ -n "${WITH_READLINE_READLINE}" ]]; then \
|
||||
grep "^#define HAVE_READLINE_READLINE" config.h; \
|
||||
fi
|
||||
|
||||
.build: &build_job
|
||||
<<: *default_triggering_rules
|
||||
stage: build
|
||||
@@ -210,7 +189,6 @@ stages:
|
||||
- test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
|
||||
script:
|
||||
- *configure
|
||||
- *check_readline_setup
|
||||
- make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
|
||||
- test -z "${RUN_MAKE_INSTALL}" || make install
|
||||
- test -z "${RUN_MAKE_INSTALL}" || sh util/check-make-install
|
||||
@@ -272,7 +250,6 @@ stages:
|
||||
- cd bin/tests/system
|
||||
- make -j${TEST_PARALLEL_JOBS:-1} -k check V=1
|
||||
after_script:
|
||||
- test -d bind-* && cd bind-*
|
||||
- cat bin/tests/system/test-suite.log
|
||||
|
||||
.system_test: &system_test_job
|
||||
@@ -477,12 +454,8 @@ tarball-create:
|
||||
<<: *base_image
|
||||
<<: *default_triggering_rules
|
||||
script:
|
||||
- ./configure --enable-maintainer-mode
|
||||
- make maintainer-clean
|
||||
- autoreconf -fi
|
||||
- ./configure --enable-maintainer-mode
|
||||
- *configure
|
||||
- make -j${BUILD_PARALLEL_JOBS:-1} all V=1
|
||||
- if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
|
||||
- make -j${BUILD_PARALLEL_JOBS:-1} dist V=1
|
||||
artifacts:
|
||||
paths:
|
||||
@@ -532,7 +505,7 @@ gcc:alpine3.12:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "--enable-dnstap ${WITHOUT_READLINE}"
|
||||
EXTRA_CONFIGURE: "--enable-dnstap"
|
||||
<<: *alpine_3_12_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
@@ -580,7 +553,7 @@ gcc:centos8:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "--enable-buffer-useinline --with-libidn2"
|
||||
EXTRA_CONFIGURE: "--with-libidn2"
|
||||
<<: *centos_centos8_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
@@ -627,7 +600,6 @@ gcc:buster:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "${WITH_READLINE_LIBEDIT}"
|
||||
<<: *debian_buster_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
@@ -795,7 +767,7 @@ gcc:tumbleweed:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "--with-libidn2 ${WITH_READLINE_READLINE}"
|
||||
EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr/lib/mit/bin/krb5-config"
|
||||
<<: *tumbleweed_latest_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
@@ -1073,7 +1045,6 @@ unit:gcc:softhsm2.6:
|
||||
clang:freebsd11:amd64:
|
||||
variables:
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "${WITH_READLINE}"
|
||||
USER: gitlab-runner
|
||||
<<: *freebsd_11_amd64_image
|
||||
<<: *build_job
|
||||
@@ -1100,7 +1071,7 @@ unit:clang:freebsd11:amd64:
|
||||
clang:freebsd12:amd64:
|
||||
variables:
|
||||
CFLAGS: "${CFLAGS_COMMON}"
|
||||
EXTRA_CONFIGURE: "--enable-dnstap ${WITH_READLINE_EDITLINE}"
|
||||
EXTRA_CONFIGURE: "--enable-dnstap"
|
||||
USER: gitlab-runner
|
||||
<<: *freebsd_12_amd64_image
|
||||
<<: *build_job
|
||||
@@ -1324,7 +1295,7 @@ abi-check:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON} -Og"
|
||||
EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
|
||||
BIND_BASELINE_VERSION: v9_17_4
|
||||
BIND_BASELINE_VERSION: v9_17_3
|
||||
script:
|
||||
- *configure
|
||||
- make -j${BUILD_PARALLEL_JOBS:-1} V=1
|
||||
|
||||
130
CHANGES
130
CHANGES
@@ -1,20 +1,3 @@
|
||||
5495. [func] Add a netmgr TLS layer, enabling server-side DoT
|
||||
support (not yet available), and client-side DoT
|
||||
support in dig with "dig +tls". [GL #1840]
|
||||
|
||||
5494. [bug] Silence the EPROTO syslog message on older systems.
|
||||
[GL #1928]
|
||||
|
||||
5493. [bug] Fix off-by-one error when calculating new hashtable
|
||||
size. [GL #2104]
|
||||
|
||||
5492. [bug] Tighten LOC parsing to reject period and/or m as a
|
||||
value. Correct handling of negative altitudes which
|
||||
are not whole metres. [GL #2074]
|
||||
|
||||
5491. [bug] rbtversion->glue_table_size could be read without the
|
||||
appropriate lock being held. [GL #2080]
|
||||
|
||||
5490. [func] Refactor the readline support to use pkg-config and
|
||||
add support for editline library. [GL !3942]
|
||||
|
||||
@@ -37,94 +20,73 @@
|
||||
that the DS record has been published in the parent.
|
||||
[GL #1613]
|
||||
|
||||
--- 9.17.4 released ---
|
||||
|
||||
5485. [placeholder]
|
||||
|
||||
5484. [func] Expire zero TTL records quickly rather than using them
|
||||
for stale answers. [GL #1829]
|
||||
5484. [func] Expire the 0 TTL RRSet quickly rather using them for
|
||||
stale answers. [GL #1829]
|
||||
|
||||
5483. [func] Keeping "stale" answers in cache has been disabled by
|
||||
default and can be re-enabled with a new configuration
|
||||
option "stale-cache-enable". [GL #1712]
|
||||
|
||||
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
|
||||
not yet finished after adding a new IPv6 address to the
|
||||
system, BIND 9 would fail to bind to IPv6 addresses in a
|
||||
tentative state. [GL #2038]
|
||||
5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a
|
||||
tentative state when a new IPv6 address was added to the
|
||||
system, but the Duplicate Address Detection (DAD)
|
||||
mechanism had not yet finished. [GL #2038]
|
||||
|
||||
5481. [security] "update-policy" rules of type "subdomain" were
|
||||
incorrectly treated as "zonesub" rules, which allowed
|
||||
keys used in "subdomain" rules to update names outside
|
||||
of the specified subdomains. The problem was fixed by
|
||||
making sure "subdomain" rules are again processed as
|
||||
described in the ARM. (CVE-2020-8624) [GL #2055]
|
||||
5481. [placeholder]
|
||||
|
||||
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
|
||||
was possible to trigger an assertion failure in code
|
||||
determining the number of bits in the PKCS#11 RSA public
|
||||
key with a specially crafted packet. (CVE-2020-8623)
|
||||
[GL #2037]
|
||||
5480. [placeholder]
|
||||
|
||||
5479. [security] named could crash in certain query resolution scenarios
|
||||
where QNAME minimization and forwarding were both
|
||||
enabled. (CVE-2020-8621) [GL #1997]
|
||||
5479. [placeholder]
|
||||
|
||||
5478. [security] It was possible to trigger an assertion failure by
|
||||
sending a specially crafted large TCP DNS message.
|
||||
(CVE-2020-8620) [GL #1996]
|
||||
5478. [placeholder]
|
||||
|
||||
5477. [bug] The idle timeout for connected TCP sockets, which was
|
||||
previously set to a high fixed value, is now derived
|
||||
from the client query processing timeout configured for
|
||||
a resolver. [GL #2024]
|
||||
5477. [bug] The idle timeout for connected TCP sockets is now
|
||||
derived from the client query processing timeout
|
||||
configured for a resolver. [GL #2024]
|
||||
|
||||
5476. [security] It was possible to trigger an assertion failure when
|
||||
verifying the response to a TSIG-signed request.
|
||||
(CVE-2020-8622) [GL #2028]
|
||||
5476. [placeholder]
|
||||
|
||||
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
|
||||
overridden by other rules that were loaded from RPZ
|
||||
zones which appeared later in the "response-policy"
|
||||
statement. This has been fixed. [GL #1619]
|
||||
5475. [bug] Fix RPZ wildcard passthru ignored when a rejection
|
||||
would overwrite a passthru action matching some
|
||||
rule in a previously loaded passthru rpz zone.
|
||||
[GL #1619]
|
||||
|
||||
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
|
||||
when it should have. [GL !3880]
|
||||
|
||||
5473. [func] The RBT hash table implementation has been changed
|
||||
to use a faster hash function (HalfSipHash2-4) and
|
||||
Fibonacci hashing for better distribution. Setting
|
||||
"max-cache-size" now preallocates a fixed-size hash
|
||||
table so that rehashing does not cause resolution
|
||||
brownouts while the hash table is grown. [GL #1775]
|
||||
5473. [func] The rbt hashtable implementation has been changed
|
||||
to use faster hash-function (HalfSipHash2-4) and
|
||||
uses Fibonacci hashing for better distribution.
|
||||
Setting the max-cache-size now preallocates fixed
|
||||
size hashtable, so the rehashing doesn't cause
|
||||
resolution brownouts when growing the hashtable.
|
||||
[GL #1775]
|
||||
|
||||
5472. [func] The statistics channel has been updated to use the
|
||||
new network manager. [GL #2022]
|
||||
|
||||
5471. [bug] The introduction of KASP support inadvertently caused
|
||||
the second field of "sig-validity-interval" to always be
|
||||
calculated in hours, even in cases when it should have
|
||||
been calculated in days. This has been fixed. (Thanks to
|
||||
Tony Finch.) [GL !3735]
|
||||
5471. [bug] The introduction of KASP support broke whether the
|
||||
second field of sig-validity-interval was treated as
|
||||
days or hours. (Thanks to Tony Finch.) [GL !3735]
|
||||
|
||||
5470. [port] gsskrb5_register_acceptor_identity() is now only called
|
||||
if gssapi_krb5.h is present. [GL #1995]
|
||||
5470. [port] illumos: only call gsskrb5_register_acceptor_identity
|
||||
if we have gssapi_krb5.h. [GL #1995]
|
||||
|
||||
5469. [port] On illumos, a constant called SEC is already defined in
|
||||
<sys/time.h>, which conflicts with an identically named
|
||||
constant in libbind9. This conflict has been resolved.
|
||||
[GL #1993]
|
||||
5469. [port] illumos: SEC is defined in <sys/time.h> which
|
||||
conflicted with our use of SEC. [GL #1993]
|
||||
|
||||
5468. [bug] Addressed potential double unlock in process_fd().
|
||||
5468. [bug] Address potential double unlock in process_fd().
|
||||
[GL #2005]
|
||||
|
||||
5467. [func] The control channel and the rndc utility have been
|
||||
updated to use the new network manager. To support
|
||||
this, the network manager was updated to enable
|
||||
the initiation of client TCP connections. Its
|
||||
wthe initiation of client TCP connections. Its
|
||||
internal reference counting has been refactored.
|
||||
|
||||
Note: As a side effect of this change, rndc cannot
|
||||
Note: As side effects of this change, rndc cannot
|
||||
currently be used with UNIX-domain sockets, and its
|
||||
default timeout has changed from 60 seconds to 30.
|
||||
These will be addressed in a future release.
|
||||
@@ -133,30 +95,30 @@
|
||||
5466. [bug] Addressed an error in recursive clients stats reporting.
|
||||
[GL #1719]
|
||||
|
||||
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
|
||||
or trusted-keys if the bindkeys-file (bind.keys) cannot
|
||||
5465. [func] Fallback to built in trust-anchors, managed-keys, or
|
||||
trusted-keys if the bindkeys-file (bind.keys) cannot
|
||||
be parsed. [GL #1235]
|
||||
|
||||
5464. [bug] Requesting more than 128 files to be saved when rolling
|
||||
dnstap log files caused a buffer overflow. This has been
|
||||
fixed. [GL #1989]
|
||||
5464. [bug] Specifying saving more than 128 files when rolling
|
||||
dnstap / log files would cause buffer overflow.
|
||||
[GL #1989]
|
||||
|
||||
5463. [placeholder]
|
||||
|
||||
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
|
||||
|
||||
5461. [bug] The STALE rdataset header attribute was updated while
|
||||
the write lock was not being held, leading to incorrect
|
||||
statistics. The header attributes are now converted to
|
||||
use atomic operations. [GL #1475]
|
||||
5461. [bug] The header STALE attribute was not being updated with
|
||||
the write lock being held leading to incorrect
|
||||
statistics. Convert the header attributes to use atomic
|
||||
operations. [GL #1475]
|
||||
|
||||
5460. [cleanup] tsig-keygen was previously an alias for
|
||||
ddns-confgen and was documented in the ddns-confgen
|
||||
man page. This has been reversed; tsig-keygen is
|
||||
now the primary name. [GL #1998]
|
||||
|
||||
5459. [bug] Fixed bad isc_mem_put() size when an invalid type was
|
||||
specified in an "update-policy" rule. [GL #1990]
|
||||
5459. [bug] Bad isc_mem_put() size when an invalid type was
|
||||
specified in a update-policy rule. [GL #1990]
|
||||
|
||||
--- 9.17.3 released ---
|
||||
|
||||
|
||||
22
COPYRIGHT
22
COPYRIGHT
@@ -367,25 +367,3 @@ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
-----------------------------------------------------------------------------
|
||||
|
||||
Copyright Joyent, Inc. and other Node contributors. All rights reserved.
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to
|
||||
deal in the Software without restriction, including without limitation the
|
||||
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
||||
sell copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
||||
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
||||
IN THE SOFTWARE.
|
||||
|
||||
@@ -68,9 +68,6 @@ struct controlkey {
|
||||
|
||||
struct controlconnection {
|
||||
isc_nmhandle_t *handle;
|
||||
isc_nmhandle_t *readhandle;
|
||||
isc_nmhandle_t *sendhandle;
|
||||
isc_nmhandle_t *cmdhandle;
|
||||
isccc_ccmsg_t ccmsg;
|
||||
bool ccmsg_valid;
|
||||
bool sending;
|
||||
@@ -224,8 +221,10 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
|
||||
conn->sending = false;
|
||||
|
||||
isc_nmhandle_unref(handle);
|
||||
|
||||
if (result == ISC_R_CANCELED) {
|
||||
goto cleanup;
|
||||
return;
|
||||
} else if (result != ISC_R_SUCCESS) {
|
||||
char socktext[ISC_SOCKADDR_FORMATSIZE];
|
||||
|
||||
@@ -234,23 +233,16 @@ control_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
NAMED_LOGMODULE_CONTROL, ISC_LOG_WARNING,
|
||||
"error sending command response to %s: %s",
|
||||
socktext, isc_result_totext(result));
|
||||
goto cleanup;
|
||||
return;
|
||||
}
|
||||
|
||||
if (conn->readhandle == NULL) {
|
||||
isc_nmhandle_attach(handle, &conn->readhandle);
|
||||
}
|
||||
result = isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage,
|
||||
conn);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
maybe_free_listener(listener);
|
||||
}
|
||||
|
||||
listener->listening = true;
|
||||
|
||||
cleanup:
|
||||
isc_nmhandle_detach(&conn->sendhandle);
|
||||
}
|
||||
|
||||
static inline void
|
||||
@@ -332,11 +324,11 @@ control_respond(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
r.base = conn->buffer->base;
|
||||
r.length = conn->buffer->used;
|
||||
|
||||
isc_nmhandle_attach(handle, &conn->sendhandle);
|
||||
isc_nmhandle_ref(handle);
|
||||
conn->sending = true;
|
||||
result = isc_nm_send(conn->sendhandle, &r, control_senddone, conn);
|
||||
result = isc_nm_send(handle, &r, control_senddone, conn);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_nmhandle_detach(&conn->sendhandle);
|
||||
isc_nmhandle_unref(handle);
|
||||
conn->sending = false;
|
||||
}
|
||||
|
||||
@@ -364,12 +356,17 @@ control_command(isc_task_t *task, isc_event_t *event) {
|
||||
|
||||
UNUSED(task);
|
||||
|
||||
/*
|
||||
* An extra ref and two unrefs are needed here to
|
||||
* ensure the handle isn't cleaned up if we're running
|
||||
* an "rndc stop" command.
|
||||
*/
|
||||
isc_nmhandle_ref(conn->handle);
|
||||
conn->result = named_control_docommand(conn->request,
|
||||
listener->readonly, &conn->text);
|
||||
control_respond(conn->handle, conn->result, conn);
|
||||
|
||||
isc_nmhandle_detach(&conn->cmdhandle);
|
||||
|
||||
isc_nmhandle_unref(conn->handle);
|
||||
isc_nmhandle_unref(conn->handle);
|
||||
isc_event_free(&event);
|
||||
}
|
||||
|
||||
@@ -402,10 +399,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
log_invalid(&conn->ccmsg, result);
|
||||
}
|
||||
|
||||
if (conn->readhandle != NULL) {
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -431,9 +424,6 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
REGION_SIZE(conn->secret));
|
||||
if (result != ISCCC_R_BADAUTH) {
|
||||
log_invalid(&conn->ccmsg, result);
|
||||
if (conn->readhandle != NULL) {
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
}
|
||||
return;
|
||||
}
|
||||
}
|
||||
@@ -523,11 +513,10 @@ control_recvmessage(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
/*
|
||||
* Trigger the command.
|
||||
*/
|
||||
isc_nmhandle_attach(handle, &conn->cmdhandle);
|
||||
isc_nmhandle_ref(handle);
|
||||
event = isc_event_allocate(listener->mctx, conn, NAMED_EVENT_COMMAND,
|
||||
control_command, conn, sizeof(isc_event_t));
|
||||
isc_task_send(named_g_server->task, &event);
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
return;
|
||||
|
||||
cleanup:
|
||||
@@ -545,10 +534,6 @@ cleanup:
|
||||
if (conn->text != NULL) {
|
||||
isc_buffer_free(&conn->text);
|
||||
}
|
||||
|
||||
if (conn->readhandle != NULL) {
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -619,13 +604,9 @@ newconnection(controllistener_t *listener, isc_nmhandle_t *handle) {
|
||||
|
||||
ISC_LINK_INIT(conn, link);
|
||||
|
||||
if (conn->readhandle == NULL) {
|
||||
isc_nmhandle_attach(handle, &conn->readhandle);
|
||||
}
|
||||
result = isccc_ccmsg_readmessage(&conn->ccmsg, control_recvmessage,
|
||||
conn);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_nmhandle_detach(&conn->readhandle);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
|
||||
@@ -14856,15 +14856,14 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex,
|
||||
|
||||
/* Serial number */
|
||||
result = dns_zone_getserial(mayberaw, &serial);
|
||||
|
||||
/* This is to mirror old behavior with dns_zone_getserial */
|
||||
/* XXXWPK TODO this is to mirror old behavior with dns_zone_getserial */
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
serial = 0;
|
||||
}
|
||||
|
||||
snprintf(serbuf, sizeof(serbuf), "%u", serial);
|
||||
if (hasraw) {
|
||||
result = dns_zone_getserial(zone, &signed_serial);
|
||||
/* XXXWPK TODO ut supra */
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
serial = 0;
|
||||
}
|
||||
|
||||
@@ -252,8 +252,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
||||
|
||||
str = cfg_obj_asstring(matchtype);
|
||||
CHECK(dns_ssu_mtypefromstring(str, &mtype));
|
||||
if (mtype == dns_ssumatchtype_subdomain &&
|
||||
strcasecmp(str, "zonesub") == 0) {
|
||||
if (mtype == dns_ssumatchtype_subdomain) {
|
||||
usezone = true;
|
||||
}
|
||||
|
||||
|
||||
@@ -24,7 +24,6 @@
|
||||
#include <isc/log.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/netmgr.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/random.h>
|
||||
#include <isc/refcount.h>
|
||||
@@ -90,7 +89,6 @@ static uint32_t serial;
|
||||
static bool quiet = false;
|
||||
static bool showresult = false;
|
||||
static bool shuttingdown = false;
|
||||
isc_nmhandle_t *readhandle = NULL, *sendhandle = NULL;
|
||||
|
||||
static void
|
||||
rndc_startconnect(isc_sockaddr_t *addr);
|
||||
@@ -290,21 +288,19 @@ get_addresses(const char *host, in_port_t port) {
|
||||
|
||||
static void
|
||||
rndc_senddone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
REQUIRE(handle == sendhandle);
|
||||
|
||||
UNUSED(arg);
|
||||
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
fatal("send failed: %s", isc_result_totext(result));
|
||||
}
|
||||
|
||||
isc_nmhandle_detach(&sendhandle);
|
||||
if (atomic_fetch_sub_release(&sends, 1) == 1 &&
|
||||
atomic_load_acquire(&recvs) == 0)
|
||||
{
|
||||
shuttingdown = true;
|
||||
isc_task_shutdown(rndc_task);
|
||||
isc_app_shutdown();
|
||||
isc_nmhandle_unref(handle);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -322,10 +318,7 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
atomic_fetch_sub_release(&recvs, 1);
|
||||
|
||||
if (shuttingdown && (result == ISC_R_EOF || result == ISC_R_CANCELED)) {
|
||||
if (readhandle != NULL) {
|
||||
INSIST(handle == readhandle);
|
||||
isc_nmhandle_detach(&readhandle);
|
||||
}
|
||||
isc_nmhandle_unref(handle);
|
||||
return;
|
||||
} else if (result == ISC_R_EOF) {
|
||||
fatal("connection to remote host closed.\n"
|
||||
@@ -385,8 +378,8 @@ rndc_recvdone(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
|
||||
if (atomic_load_acquire(&sends) == 0 &&
|
||||
atomic_load_acquire(&recvs) == 0) {
|
||||
isc_nmhandle_detach(&readhandle);
|
||||
shuttingdown = true;
|
||||
isc_nmhandle_unref(handle);
|
||||
isc_task_shutdown(rndc_task);
|
||||
isc_app_shutdown();
|
||||
}
|
||||
@@ -405,13 +398,12 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
isccc_sexpr_t *data;
|
||||
isc_buffer_t b;
|
||||
|
||||
REQUIRE(handle == readhandle);
|
||||
REQUIRE(ccmsg != NULL);
|
||||
|
||||
atomic_fetch_sub_release(&recvs, 1);
|
||||
|
||||
if (shuttingdown && result == ISC_R_EOF) {
|
||||
isc_nmhandle_detach(&readhandle);
|
||||
isc_nmhandle_unref(handle);
|
||||
return;
|
||||
} else if (result == ISC_R_EOF) {
|
||||
fatal("connection to remote host closed.\n"
|
||||
@@ -479,9 +471,6 @@ rndc_recvnonce(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
isccc_ccmsg_readmessage(ccmsg, rndc_recvdone, ccmsg));
|
||||
atomic_fetch_add_relaxed(&recvs, 1);
|
||||
|
||||
if (sendhandle == NULL) {
|
||||
isc_nmhandle_attach(handle, &sendhandle);
|
||||
}
|
||||
DO("send message", isc_nm_send(handle, &r, rndc_senddone, NULL));
|
||||
atomic_fetch_add_relaxed(&sends, 1);
|
||||
|
||||
@@ -545,16 +534,12 @@ rndc_connected(isc_nmhandle_t *handle, isc_result_t result, void *arg) {
|
||||
isccc_ccmsg_init(rndc_mctx, handle, ccmsg);
|
||||
isccc_ccmsg_setmaxsize(ccmsg, 1024 * 1024);
|
||||
|
||||
if (readhandle == NULL) {
|
||||
isc_nmhandle_attach(handle, &readhandle);
|
||||
}
|
||||
isc_nmhandle_ref(handle);
|
||||
|
||||
DO("schedule recv",
|
||||
isccc_ccmsg_readmessage(ccmsg, rndc_recvnonce, ccmsg));
|
||||
atomic_fetch_add_relaxed(&recvs, 1);
|
||||
|
||||
if (sendhandle == NULL) {
|
||||
isc_nmhandle_attach(handle, &sendhandle);
|
||||
}
|
||||
DO("send message", isc_nm_send(handle, &r, rndc_senddone, NULL));
|
||||
atomic_fetch_add_relaxed(&sends, 1);
|
||||
|
||||
@@ -1024,7 +1009,7 @@ main(int argc, char **argv) {
|
||||
isc_mem_create(&rndc_mctx);
|
||||
netmgr = isc_nm_start(rndc_mctx, 1);
|
||||
DO("create task manager",
|
||||
isc_taskmgr_create(rndc_mctx, 1, 0, netmgr, &taskmgr));
|
||||
isc_taskmgr_create(rndc_mctx, 1, 0, NULL, &taskmgr));
|
||||
DO("create task", isc_task_create(taskmgr, 0, &rndc_task));
|
||||
isc_log_create(rndc_mctx, &log, &logconfig);
|
||||
isc_log_setcontext(log);
|
||||
|
||||
@@ -9,6 +9,6 @@
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
. ./conf.sh
|
||||
. ../conf.sh
|
||||
|
||||
[ -x "$TOP_BUILDDIR/bin/pkcs11/pkcs11-destroy" ] && $PK11DEL -w0 > /dev/null 2>&1
|
||||
|
||||
@@ -1,560 +0,0 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
#
|
||||
# This is the name server from hell. It provides canned
|
||||
# responses based on pattern matching the queries, and
|
||||
# can be reprogrammed on-the-fly over a TCP connection.
|
||||
#
|
||||
# The server listens for queries on port 5300 (or PORT).
|
||||
#
|
||||
# The server listens for control connections on port 5301 (or EXTRAPORT1).
|
||||
#
|
||||
# A control connection is a TCP stream of lines like
|
||||
#
|
||||
# /pattern/
|
||||
# name ttl type rdata
|
||||
# name ttl type rdata
|
||||
# ...
|
||||
# /pattern/
|
||||
# name ttl type rdata
|
||||
# name ttl type rdata
|
||||
# ...
|
||||
#
|
||||
# There can be any number of patterns, each associated
|
||||
# with any number of response RRs. Each pattern is a
|
||||
# Perl regular expression. If an empty pattern ("//") is
|
||||
# received, the server will ignore all incoming queries (TCP
|
||||
# connections will still be accepted, but both UDP queries
|
||||
# and TCP queries will not be responded to). If a non-empty
|
||||
# pattern is then received over the same control connection,
|
||||
# default behavior is restored.
|
||||
#
|
||||
# Each incoming query is converted into a string of the form
|
||||
# "qname qtype" (the printable query domain name, space,
|
||||
# printable query type) and matched against each pattern.
|
||||
#
|
||||
# The first pattern matching the query is selected, and
|
||||
# the RR following the pattern line are sent in the
|
||||
# answer section of the response.
|
||||
#
|
||||
# Each new control connection causes the current set of
|
||||
# patterns and responses to be cleared before adding new
|
||||
# ones.
|
||||
#
|
||||
# The server handles UDP and TCP queries. Zone transfer
|
||||
# responses work, but must fit in a single 64 k message.
|
||||
#
|
||||
# Now you can add TSIG, just specify key/key data with:
|
||||
#
|
||||
# /pattern <key> <key_data>/
|
||||
# name ttl type rdata
|
||||
# name ttl type rdata
|
||||
#
|
||||
# Note that this data will still be sent with any request for
|
||||
# pattern, only this data will be signed. Currently, this is only
|
||||
# done for TCP.
|
||||
#
|
||||
# /pattern bad-id <key> <key_data>/
|
||||
# /pattern bad-id/
|
||||
#
|
||||
# will add 50 to the message id of the response.
|
||||
|
||||
|
||||
use IO::File;
|
||||
use IO::Socket;
|
||||
use Data::Dumper;
|
||||
use Net::DNS;
|
||||
use Net::DNS::Packet;
|
||||
use strict;
|
||||
|
||||
# Ignore SIGPIPE so we won't fail if peer closes a TCP socket early
|
||||
local $SIG{PIPE} = 'IGNORE';
|
||||
|
||||
# Flush logged output after every line
|
||||
local $| = 1;
|
||||
|
||||
# We default to listening on 10.53.0.2 for historical reasons
|
||||
# XXX: we should also be able to specify IPv6
|
||||
my $server_addr = "10.53.0.6";
|
||||
if (@ARGV > 0) {
|
||||
$server_addr = @ARGV[0];
|
||||
}
|
||||
|
||||
my $mainport = int($ENV{'PORT'});
|
||||
if (!$mainport) { $mainport = 5300; }
|
||||
my $ctrlport = int($ENV{'EXTRAPORT1'});
|
||||
if (!$ctrlport) { $ctrlport = 5301; }
|
||||
|
||||
print "listening on $server_addr:$mainport,$ctrlport.\n";
|
||||
print "Using Net::DNS $Net::DNS::VERSION\n";
|
||||
|
||||
# XXX: we should also be able to set the port numbers to listen on.
|
||||
my $ctlsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
|
||||
LocalPort => $ctrlport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
|
||||
|
||||
my $udpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
|
||||
LocalPort => $mainport, Proto => "udp", Reuse => 1) or die "$!";
|
||||
|
||||
my $tcpsock = IO::Socket::INET->new(LocalAddr => "$server_addr",
|
||||
LocalPort => $mainport, Proto => "tcp", Listen => 5, Reuse => 1) or die "$!";
|
||||
|
||||
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
|
||||
print $pidf "$$\n" or die "cannot write pid file: $!";
|
||||
$pidf->close or die "cannot close pid file: $!";;
|
||||
sub rmpid { unlink "ans.pid"; exit 1; };
|
||||
|
||||
$SIG{INT} = \&rmpid;
|
||||
$SIG{TERM} = \&rmpid;
|
||||
|
||||
#my @answers = ();
|
||||
my @rules;
|
||||
my $udphandler;
|
||||
my $tcphandler;
|
||||
|
||||
sub handleUDP {
|
||||
my ($buf) = @_;
|
||||
my $request;
|
||||
|
||||
if ($Net::DNS::VERSION > 0.68) {
|
||||
$request = new Net::DNS::Packet(\$buf, 0);
|
||||
$@ and die $@;
|
||||
} else {
|
||||
my $err;
|
||||
($request, $err) = new Net::DNS::Packet(\$buf, 0);
|
||||
$err and die $err;
|
||||
}
|
||||
|
||||
my @questions = $request->question;
|
||||
my $qname = $questions[0]->qname;
|
||||
my $qtype = $questions[0]->qtype;
|
||||
my $qclass = $questions[0]->qclass;
|
||||
my $id = $request->header->id;
|
||||
|
||||
my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
|
||||
$packet->header->qr(1);
|
||||
$packet->header->aa(1);
|
||||
$packet->header->id($id);
|
||||
|
||||
# get the existing signature if any, and clear the additional section
|
||||
my $prev_tsig;
|
||||
while (my $rr = $request->pop("additional")) {
|
||||
$prev_tsig = $rr if ($rr->type eq "TSIG");
|
||||
}
|
||||
|
||||
my $r;
|
||||
my $answers = 0;
|
||||
my $match;
|
||||
my $key_name;
|
||||
my $key_data;
|
||||
foreach $r (@rules) {
|
||||
my $pattern = $r->{pattern};
|
||||
($match, $key_name, $key_data) = split(/ /,$pattern);
|
||||
print "[handleUDP] $match, $key_name, $key_data\n";
|
||||
$match =~ tr/\// /;
|
||||
if ("$qname $qtype" =~ /$match/) {
|
||||
my $a;
|
||||
foreach $a (@{$r->{answer}}) {
|
||||
my $resp;
|
||||
$resp = new Net::DNS::RR("$qname $a");
|
||||
$packet->push("answer", $resp);
|
||||
++$answers;
|
||||
}
|
||||
last;
|
||||
}
|
||||
}
|
||||
if ($answers eq 0) {
|
||||
my $soa;
|
||||
$soa = new Net::DNS::RR("$qname 300 IN SOA . . 0 0 0 0 0");
|
||||
$packet->push("authority", $soa)
|
||||
}
|
||||
if (defined($key_name) && defined($key_data)) {
|
||||
my $tsig;
|
||||
# Sign the packet
|
||||
print " Signing the response with " .
|
||||
"$key_name/$key_data\n";
|
||||
|
||||
if ($Net::DNS::VERSION < 0.69) {
|
||||
$tsig = Net::DNS::RR->new(
|
||||
"$key_name TSIG $key_data");
|
||||
} else {
|
||||
$tsig = Net::DNS::RR->new(
|
||||
name => $key_name,
|
||||
type => 'TSIG',
|
||||
key => $key_data);
|
||||
}
|
||||
|
||||
# These kluges are necessary because Net::DNS
|
||||
# doesn't know how to sign responses. We
|
||||
# clear compnames so that the TSIG key and
|
||||
# algorithm name won't be compressed, and
|
||||
# add one to arcount because the signing
|
||||
# function will attempt to decrement it,
|
||||
# which is incorrect in a response. Finally
|
||||
# we set request_mac to the previous digest.
|
||||
$packet->{"compnames"} = {}
|
||||
if ($Net::DNS::VERSION < 0.70);
|
||||
$packet->{"header"}{"arcount"} += 1
|
||||
if ($Net::DNS::VERSION < 0.70);
|
||||
if (defined($prev_tsig)) {
|
||||
if ($Net::DNS::VERSION < 0.73) {
|
||||
my $rmac = pack('n H*',
|
||||
length($prev_tsig->mac)/2,
|
||||
$prev_tsig->mac);
|
||||
$tsig->{"request_mac"} =
|
||||
unpack("H*", $rmac);
|
||||
} else {
|
||||
$tsig->request_mac(
|
||||
$prev_tsig->mac);
|
||||
}
|
||||
}
|
||||
|
||||
$packet->sign_tsig($tsig);
|
||||
}
|
||||
#$packet->print;
|
||||
|
||||
return $packet->data;
|
||||
}
|
||||
|
||||
# namelen:
|
||||
# given a stream of data, reads a DNS-formatted name and returns its
|
||||
# total length, thus making it possible to skip past it.
|
||||
sub namelen {
|
||||
my ($data) = @_;
|
||||
my $len = 0;
|
||||
my $label_len = 0;
|
||||
do {
|
||||
$label_len = unpack("c", $data);
|
||||
$data = substr($data, $label_len + 1);
|
||||
$len += $label_len + 1;
|
||||
} while ($label_len != 0);
|
||||
return ($len);
|
||||
}
|
||||
|
||||
# packetlen:
|
||||
# given a stream of data, reads a DNS wire-format packet and returns
|
||||
# its total length, making it possible to skip past it.
|
||||
sub packetlen {
|
||||
my ($data) = @_;
|
||||
my $q;
|
||||
my $rr;
|
||||
my $header;
|
||||
my $offset;
|
||||
|
||||
#
|
||||
# decode/encode were introduced in Net::DNS 0.68
|
||||
# parse is no longer a method and calling it here makes perl croak.
|
||||
#
|
||||
my $decode = 0;
|
||||
$decode = 1 if ($Net::DNS::VERSION >= 0.68);
|
||||
|
||||
if ($decode) {
|
||||
($header, $offset) = Net::DNS::Header->decode(\$data);
|
||||
} else {
|
||||
($header, $offset) = Net::DNS::Header->parse(\$data);
|
||||
}
|
||||
|
||||
for (1 .. $header->qdcount) {
|
||||
if ($decode) {
|
||||
($q, $offset) =
|
||||
Net::DNS::Question->decode(\$data, $offset);
|
||||
} else {
|
||||
($q, $offset) =
|
||||
Net::DNS::Question->parse(\$data, $offset);
|
||||
}
|
||||
}
|
||||
for (1 .. $header->ancount) {
|
||||
if ($decode) {
|
||||
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
|
||||
} else {
|
||||
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
|
||||
}
|
||||
}
|
||||
for (1 .. $header->nscount) {
|
||||
if ($decode) {
|
||||
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
|
||||
} else {
|
||||
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
|
||||
}
|
||||
}
|
||||
for (1 .. $header->arcount) {
|
||||
if ($decode) {
|
||||
($q, $offset) = Net::DNS::RR->decode(\$data, $offset);
|
||||
} else {
|
||||
($q, $offset) = Net::DNS::RR->parse(\$data, $offset);
|
||||
}
|
||||
}
|
||||
return $offset;
|
||||
}
|
||||
|
||||
# sign_tcp_continuation:
|
||||
# This is a hack to correct the problem that Net::DNS has no idea how
|
||||
# to sign multiple-message TCP responses. Several data that are included
|
||||
# in the digest when signing a query or the first message of a response are
|
||||
# omitted when signing subsequent messages in a TCP stream.
|
||||
#
|
||||
# Net::DNS::Packet->sign_tsig() has the ability to use a custom signing
|
||||
# function (specified by calling Packet->sign_func()). We use this
|
||||
# function as the signing function for TCP continuations, and it removes
|
||||
# the unwanted data from the digest before calling the default sign_hmac
|
||||
# function.
|
||||
sub sign_tcp_continuation {
|
||||
my ($key, $data) = @_;
|
||||
|
||||
# copy out first two bytes: size of the previous MAC
|
||||
my $rmacsize = unpack("n", $data);
|
||||
$data = substr($data, 2);
|
||||
|
||||
# copy out previous MAC
|
||||
my $rmac = substr($data, 0, $rmacsize);
|
||||
$data = substr($data, $rmacsize);
|
||||
|
||||
# try parsing out the packet information
|
||||
my $plen = packetlen($data);
|
||||
my $pdata = substr($data, 0, $plen);
|
||||
$data = substr($data, $plen);
|
||||
|
||||
# remove the keyname, ttl, class, and algorithm name
|
||||
$data = substr($data, namelen($data));
|
||||
$data = substr($data, 6);
|
||||
$data = substr($data, namelen($data));
|
||||
|
||||
# preserve the TSIG data
|
||||
my $tdata = substr($data, 0, 8);
|
||||
|
||||
# prepare a new digest and sign with it
|
||||
$data = pack("n", $rmacsize) . $rmac . $pdata . $tdata;
|
||||
return Net::DNS::RR::TSIG::sign_hmac($key, $data);
|
||||
}
|
||||
|
||||
sub handleTCP {
|
||||
my ($buf) = @_;
|
||||
my $request;
|
||||
|
||||
if ($Net::DNS::VERSION > 0.68) {
|
||||
$request = new Net::DNS::Packet(\$buf, 0);
|
||||
$@ and die $@;
|
||||
} else {
|
||||
my $err;
|
||||
($request, $err) = new Net::DNS::Packet(\$buf, 0);
|
||||
$err and die $err;
|
||||
}
|
||||
|
||||
my @questions = $request->question;
|
||||
my $qname = $questions[0]->qname;
|
||||
my $qtype = $questions[0]->qtype;
|
||||
my $qclass = $questions[0]->qclass;
|
||||
my $id = $request->header->id;
|
||||
|
||||
my $opaque;
|
||||
|
||||
my $packet = new Net::DNS::Packet($qname, $qtype, $qclass);
|
||||
$packet->header->qr(1);
|
||||
$packet->header->aa(1);
|
||||
$packet->header->id($id);
|
||||
|
||||
# get the existing signature if any, and clear the additional section
|
||||
my $prev_tsig;
|
||||
my $signer;
|
||||
my $continuation = 0;
|
||||
if ($Net::DNS::VERSION < 0.81) {
|
||||
while (my $rr = $request->pop("additional")) {
|
||||
if ($rr->type eq "TSIG") {
|
||||
$prev_tsig = $rr;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
my @results = ();
|
||||
my $count_these = 0;
|
||||
|
||||
my $r;
|
||||
my $answers = 0;
|
||||
my $match;
|
||||
my $key_name;
|
||||
my $key_data;
|
||||
my $tname;
|
||||
foreach $r (@rules) {
|
||||
my $pattern = $r->{pattern};
|
||||
my($match, $key_name, $key_data, $tname) = split(/ /,$pattern);
|
||||
print "[handleTCP] $match, $key_name, $key_data, $tname \n";
|
||||
$match =~ tr/\// /;
|
||||
if ("$qname $qtype" =~ /$match/) {
|
||||
$count_these++;
|
||||
my $a;
|
||||
foreach $a (@{$r->{answer}}) {
|
||||
my $resp;
|
||||
$resp = new Net::DNS::RR("$qname $a");
|
||||
$packet->push("answer", $resp);
|
||||
++$answers;
|
||||
}
|
||||
last;
|
||||
}
|
||||
}
|
||||
if ($answers eq 0) {
|
||||
my $soa;
|
||||
$soa = new Net::DNS::RR("$qname 300 SOA . . 0 0 0 0 0");
|
||||
$packet->push("authority", $soa)
|
||||
}
|
||||
if (defined($key_name) && $key_name eq "bad-id") {
|
||||
$packet->header->id(($id+50)%0xffff);
|
||||
$key_name = $key_data;
|
||||
($key_data, $tname) = split(/ /,$tname)
|
||||
}
|
||||
if (defined($key_name) && defined($key_data)) {
|
||||
my $tsig;
|
||||
# sign the packet
|
||||
print " Signing the data with " .
|
||||
"$key_name/$key_data\n";
|
||||
|
||||
if ($Net::DNS::VERSION < 0.69) {
|
||||
$tsig = Net::DNS::RR->new(
|
||||
"$key_name TSIG $key_data");
|
||||
} elsif ($Net::DNS::VERSION >= 0.81 &&
|
||||
$continuation) {
|
||||
} elsif ($Net::DNS::VERSION >= 0.75 &&
|
||||
$continuation) {
|
||||
$tsig = $prev_tsig;
|
||||
} else {
|
||||
$tsig = Net::DNS::RR->new(
|
||||
name => $key_name,
|
||||
type => 'TSIG',
|
||||
key => $key_data);
|
||||
}
|
||||
|
||||
# These kluges are necessary because Net::DNS
|
||||
# doesn't know how to sign responses. We
|
||||
# clear compnames so that the TSIG key and
|
||||
# algorithm name won't be compressed, and
|
||||
# add one to arcount because the signing
|
||||
# function will attempt to decrement it,
|
||||
# which is incorrect in a response. Finally
|
||||
# we set request_mac to the previous digest.
|
||||
$packet->{"compnames"} = {}
|
||||
if ($Net::DNS::VERSION < 0.70);
|
||||
$packet->{"header"}{"arcount"} += 1
|
||||
if ($Net::DNS::VERSION < 0.70);
|
||||
if (defined($prev_tsig)) {
|
||||
if ($Net::DNS::VERSION < 0.73) {
|
||||
my $rmac = pack('n H*',
|
||||
length($prev_tsig->mac)/2,
|
||||
$prev_tsig->mac);
|
||||
$tsig->{"request_mac"} =
|
||||
unpack("H*", $rmac);
|
||||
} elsif ($Net::DNS::VERSION < 0.81) {
|
||||
$tsig->request_mac(
|
||||
$prev_tsig->mac);
|
||||
}
|
||||
}
|
||||
|
||||
$tsig->sign_func($signer) if defined($signer);
|
||||
$tsig->continuation($continuation) if
|
||||
($Net::DNS::VERSION >= 0.71 &&
|
||||
$Net::DNS::VERSION <= 0.74 );
|
||||
if ($Net::DNS::VERSION < 0.81) {
|
||||
$packet->sign_tsig($tsig);
|
||||
} elsif ($continuation) {
|
||||
$opaque = $packet->sign_tsig($opaque);
|
||||
} else {
|
||||
$opaque = $packet->sign_tsig($request);
|
||||
}
|
||||
$signer = \&sign_tcp_continuation
|
||||
if ($Net::DNS::VERSION < 0.70);
|
||||
$continuation = 1;
|
||||
|
||||
my $copy =
|
||||
Net::DNS::Packet->new(\($packet->data));
|
||||
$prev_tsig = $copy->pop("additional");
|
||||
}
|
||||
|
||||
#$packet->print;
|
||||
push(@results,$packet->data);
|
||||
if ($tname eq "") {
|
||||
$tname = $qname;
|
||||
}
|
||||
$packet = new Net::DNS::Packet($tname, $qtype, $qclass);
|
||||
$packet->header->qr(1);
|
||||
$packet->header->aa(1);
|
||||
$packet->header->id($id);
|
||||
print " A total of $count_these patterns matched\n";
|
||||
return \@results;
|
||||
}
|
||||
|
||||
# Main
|
||||
my $rin;
|
||||
my $rout;
|
||||
for (;;) {
|
||||
$rin = '';
|
||||
vec($rin, fileno($ctlsock), 1) = 1;
|
||||
vec($rin, fileno($tcpsock), 1) = 1;
|
||||
vec($rin, fileno($udpsock), 1) = 1;
|
||||
|
||||
select($rout = $rin, undef, undef, undef);
|
||||
|
||||
if (vec($rout, fileno($ctlsock), 1)) {
|
||||
warn "ctl conn";
|
||||
my $conn = $ctlsock->accept;
|
||||
my $rule = ();
|
||||
@rules = ();
|
||||
while (my $line = $conn->getline) {
|
||||
chomp $line;
|
||||
if ($line =~ m!^/(.*)/$!) {
|
||||
if (length($1) == 0) {
|
||||
$udphandler = sub { return; };
|
||||
$tcphandler = sub { return; };
|
||||
} else {
|
||||
$udphandler = \&handleUDP;
|
||||
$tcphandler = \&handleTCP;
|
||||
$rule = { pattern => $1, answer => [] };
|
||||
push(@rules, $rule);
|
||||
}
|
||||
} else {
|
||||
push(@{$rule->{answer}}, $line);
|
||||
}
|
||||
}
|
||||
$conn->close;
|
||||
#print Dumper(@rules);
|
||||
#print "+=+=+ $rules[0]->{'pattern'}\n";
|
||||
#print "+=+=+ $rules[0]->{'answer'}->[0]->{'rname'}\n";
|
||||
#print "+=+=+ $rules[0]->{'answer'}->[0]\n";
|
||||
} elsif (vec($rout, fileno($udpsock), 1)) {
|
||||
printf "UDP request\n";
|
||||
my $buf;
|
||||
$udpsock->recv($buf, 512);
|
||||
my $result = &$udphandler($buf);
|
||||
if (defined($result)) {
|
||||
my $num_chars = $udpsock->send($result);
|
||||
print " Sent $num_chars bytes via UDP\n";
|
||||
}
|
||||
} elsif (vec($rout, fileno($tcpsock), 1)) {
|
||||
my $conn = $tcpsock->accept;
|
||||
my $buf;
|
||||
for (;;) {
|
||||
my $lenbuf;
|
||||
my $n = $conn->sysread($lenbuf, 2);
|
||||
last unless $n == 2;
|
||||
my $len = unpack("n", $lenbuf);
|
||||
$n = $conn->sysread($buf, $len);
|
||||
last unless $n == $len;
|
||||
print "TCP request\n";
|
||||
my $result = &$tcphandler($buf);
|
||||
if (defined($result)) {
|
||||
foreach my $response (@$result) {
|
||||
$len = length($response);
|
||||
$n = $conn->syswrite(pack("n", $len), 2);
|
||||
$n = $conn->syswrite($response, $len);
|
||||
print " Sent: $n chars via TCP\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
$conn->close;
|
||||
}
|
||||
}
|
||||
0
bin/tests/system/forward/ans6/startme
Normal file
0
bin/tests/system/forward/ans6/startme
Normal file
@@ -16,6 +16,3 @@ rm -f ./*/named.memstats
|
||||
rm -f ./*/named.run ./*/named.run.prev
|
||||
rm -f ./ns*/named.lock
|
||||
rm -f ./ns*/managed-keys.bind*
|
||||
rm -f ./ns1/root.db ./ns1/root.db.signed
|
||||
rm -f ./ns*/trusted.conf
|
||||
rm -f ./ns1/K* ./ns1/dsset-*
|
||||
|
||||
@@ -23,7 +23,7 @@ options {
|
||||
|
||||
zone "." {
|
||||
type primary;
|
||||
file "root.db.signed";
|
||||
file "root.db";
|
||||
};
|
||||
|
||||
zone "example1." {
|
||||
|
||||
@@ -29,6 +29,3 @@ ns.example3 A 10.53.0.1
|
||||
|
||||
example7 NS ns.example7
|
||||
ns.example7 A 10.53.0.2
|
||||
|
||||
tld NS ns.tld
|
||||
ns.tld A 10.53.0.2
|
||||
@@ -1,32 +0,0 @@
|
||||
#!/bin/sh -e
|
||||
#
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
# shellcheck source=conf.sh
|
||||
. ../../conf.sh
|
||||
|
||||
set -e
|
||||
|
||||
zone=.
|
||||
infile=root.db.in
|
||||
zonefile=root.db
|
||||
|
||||
echo_i "ns1/sign.sh"
|
||||
|
||||
ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
# Configure the resolving server with a static key.
|
||||
keyfile_to_static_ds "$ksk" > trusted.conf
|
||||
cp trusted.conf ../ns3/trusted.conf
|
||||
@@ -22,15 +22,6 @@ options {
|
||||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "root.db";
|
||||
@@ -1,38 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* See the COPYRIGHT file distributed with this work for additional
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
options {
|
||||
query-source address 10.53.0.3;
|
||||
notify-source 10.53.0.3;
|
||||
transfer-source 10.53.0.3;
|
||||
port @PORT@;
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.3; };
|
||||
listen-on-v6 { none; };
|
||||
forwarders { 10.53.0.6; };
|
||||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
};
|
||||
|
||||
controls {
|
||||
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "root.db";
|
||||
};
|
||||
@@ -14,13 +14,8 @@
|
||||
$SHELL clean.sh
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
copy_setports ns3/named1.conf.in ns3/named.conf
|
||||
copy_setports ns3/named.conf.in ns3/named.conf
|
||||
copy_setports ns4/named.conf.in ns4/named.conf
|
||||
copy_setports ns5/named.conf.in ns5/named.conf
|
||||
copy_setports ns7/named.conf.in ns7/named.conf
|
||||
copy_setports ns8/named.conf.in ns8/named.conf
|
||||
|
||||
(
|
||||
cd ns1
|
||||
$SHELL sign.sh
|
||||
)
|
||||
|
||||
@@ -18,10 +18,6 @@ sendcmd() (
|
||||
send 10.53.0.6 "$EXTRAPORT1"
|
||||
)
|
||||
|
||||
rndccmd() {
|
||||
"$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
|
||||
}
|
||||
|
||||
root=10.53.0.1
|
||||
hidden=10.53.0.2
|
||||
f1=10.53.0.3
|
||||
@@ -233,24 +229,6 @@ grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
n=$((n+1))
|
||||
echo_i "checking switch from forwarding to normal resolution while chasing DS ($n)"
|
||||
ret=0
|
||||
copy_setports ns3/named2.conf.in ns3/named.conf
|
||||
rndccmd 10.53.0.3 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
|
||||
sleep 1
|
||||
sendcmd << EOF
|
||||
/ns1.sld.tld/A/
|
||||
300 A 10.53.0.2
|
||||
/sld.tld/NS/
|
||||
300 NS ns1.sld.tld.
|
||||
/sld.tld/
|
||||
EOF
|
||||
nextpart ns3/named.run >/dev/null
|
||||
dig_with_opts @$f1 xxx.yyy.sld.tld ds > dig.out.$n.f1 || ret=1
|
||||
grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
@@ -103,20 +103,15 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking drop edns server setup ($n)"
|
||||
ret=0
|
||||
echo x
|
||||
$DIG $DIGOPTS +edns @10.53.0.2 dropedns soa > dig.out.1.test$n && ret=1
|
||||
echo x
|
||||
grep "connection timed out; no servers could be reached" dig.out.1.test$n > /dev/null || ret=1
|
||||
$DIG $DIGOPTS +noedns @10.53.0.2 dropedns soa > dig.out.2.test$n || ret=1
|
||||
echo x
|
||||
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
|
||||
grep "EDNS: version:" dig.out.2.test$n > /dev/null && ret=1
|
||||
$DIG $DIGOPTS +noedns +tcp @10.53.0.2 dropedns soa > dig.out.3.test$n || ret=1
|
||||
echo x
|
||||
grep "status: NOERROR" dig.out.3.test$n > /dev/null || ret=1
|
||||
grep "EDNS: version:" dig.out.3.test$n > /dev/null && ret=1
|
||||
$DIG $DIGOPTS +edns +tcp @10.53.0.2 dropedns soa > dig.out.4.test$n && ret=1
|
||||
echo x
|
||||
grep "connection timed out; no servers could be reached" dig.out.4.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -37,16 +37,6 @@ key altkey {
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key restricted.example.nil {
|
||||
algorithm hmac-md5;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key zonesub-key.example.nil {
|
||||
algorithm hmac-md5;
|
||||
secret "1234subk8765";
|
||||
};
|
||||
|
||||
include "ddns.key";
|
||||
|
||||
zone "example.nil" {
|
||||
@@ -55,9 +45,7 @@ zone "example.nil" {
|
||||
check-integrity no;
|
||||
check-mx ignore;
|
||||
update-policy {
|
||||
grant zonesub-key.example.nil zonesub TXT;
|
||||
grant ddns-key.example.nil subdomain example.nil ANY;
|
||||
grant restricted.example.nil subdomain restricted.example.nil ANY;
|
||||
};
|
||||
allow-transfer { any; };
|
||||
};
|
||||
|
||||
@@ -429,7 +429,7 @@ EOF
|
||||
# this also proves that the server is still running.
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
@@ -444,7 +444,7 @@ EOF
|
||||
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
@@ -461,7 +461,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
|
||||
if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -486,7 +486,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
|
||||
if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -639,58 +639,6 @@ then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
||||
# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
|
||||
# and thus this UPDATE should succeed.
|
||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key restricted.example.nil 1234abcd8765
|
||||
update add restricted.example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
|
||||
grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
||||
# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
|
||||
# thus this UPDATE should fail.
|
||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key restricted.example.nil 1234abcd8765
|
||||
update add example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
|
||||
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
||||
# grant zonesub-key.example.nil zonesub TXT;
|
||||
# the A record update should be rejected as it is not in the type list
|
||||
$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key zonesub-key.example.nil 1234subk8765
|
||||
update add zonesub.example.nil 0 IN A 1.2.3.4
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
|
||||
grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
|
||||
grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
||||
# the TXT record update should be accepted as it is in the type list
|
||||
$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
key zonesub-key.example.nil 1234subk8765
|
||||
update add zonesub.example.nil 0 IN TXT everywhere.
|
||||
send
|
||||
END
|
||||
$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
|
||||
grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
|
||||
grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
|
||||
grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
||||
|
||||
@@ -26,10 +26,12 @@ $DIFF ref output > /dev/null && { ret=1 ; echo_i "diff out of order failed"; }
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "check pipelined TCP queries using mdig"
|
||||
ret=0
|
||||
# flush resolver so queries will be from others again
|
||||
$RNDCCMD 10.53.0.4 flush
|
||||
sleep 1
|
||||
|
||||
echo_i "check pipelined TCP queries using mdig"
|
||||
ret=0
|
||||
$MDIG $MDIGOPTS +noall +answer +vc -f input -b 10.53.0.4 @10.53.0.4 > raw.mdig
|
||||
awk '{ print $1 " " $5 }' < raw.mdig > output.mdig
|
||||
sort < output.mdig > output-sorted.mdig
|
||||
@@ -40,8 +42,6 @@ status=`expr $status + $ret`
|
||||
|
||||
echo_i "check keep-response-order"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.4 flush
|
||||
sleep 1
|
||||
$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
|
||||
awk '{ print $1 " " $5 }' < rawb > outputb
|
||||
$DIFF refb outputb || ret=1
|
||||
@@ -50,8 +50,6 @@ status=`expr $status + $ret`
|
||||
|
||||
echo_i "check keep-response-order using mdig"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.4 flush
|
||||
sleep 1
|
||||
$MDIG $MDIGOPTS +noall +answer +vc -f inputb -b 10.53.0.7 @10.53.0.4 > rawb.mdig
|
||||
awk '{ print $1 " " $5 }' < rawb.mdig > outputb.mdig
|
||||
$DIFF refb outputb.mdig || ret=1
|
||||
@@ -60,8 +58,6 @@ status=`expr $status + $ret`
|
||||
|
||||
echo_i "check mdig -4 -6"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.4 flush
|
||||
sleep 1
|
||||
$MDIG $MDIGOPTS -4 -6 -f input @10.53.0.4 > output46.mdig 2>&1 && ret=1
|
||||
grep "only one of -4 and -6 allowed" output46.mdig > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
00000000: 0137 edda 2800 0001 0000 0001 0000 0972 .7..(..........r
|
||||
00000010: 7361 7368 6132 3536 0765 7861 6d70 6c65 sasha256.example
|
||||
00000020: 0000 0600 01c0 0c00 3000 0100 0001 2c01 ........0.....,.
|
||||
00000030: 0801 0003 0803 0100 0100 0000 0000 0000 ................
|
||||
00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
|
||||
00000130: 0000 0000 0000 0000 00 .........
|
||||
@@ -137,10 +137,5 @@ echo_i "Checking if all supported algorithms were tested"
|
||||
[ "$n" -eq "$(wc -l < supported)" ] || ret=1
|
||||
test_done
|
||||
|
||||
echo_i "Checking for assertion failure in pk11_numbits()"
|
||||
$PERL ../packet.pl -a "10.53.0.1" -p "$PORT" -t udp 2037-pk11_numbits-crash-test.pkt
|
||||
dig_with_opts @10.53.0.1 version.bind. CH TXT > dig.out.pk11_numbits || ret=1
|
||||
test_done
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ "$status" -eq 0 ] || exit 1
|
||||
|
||||
@@ -15,7 +15,6 @@ options {
|
||||
listen-on { 10.53.0.4; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
dnssec-validation yes;
|
||||
};
|
||||
|
||||
view normal {
|
||||
|
||||
@@ -70,7 +70,7 @@ if ! $do_run; then
|
||||
if [ "$baseport" -eq 0 ]; then
|
||||
log_flags="$log_flags -p 5300"
|
||||
fi
|
||||
env - SLOT="$SLOT" SOFTHSM2_CONF="$SOFTHSM2_CONF" PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" make -e check
|
||||
env - PATH="$PATH" ${LD_LIBRARY_PATH:+"LD_LIBRARY_PATH=${LD_LIBRARY_PATH}"} TESTS="$*" TEST_SUITE_LOG=run.log LOG_DRIVER_FLAGS="--verbose yes --color-tests yes" LOG_FLAGS="$log_flags" make -e check
|
||||
exit $?
|
||||
fi
|
||||
|
||||
|
||||
@@ -8,10 +8,11 @@
|
||||
# information regarding copyright ownership.
|
||||
|
||||
rm -f ns*/*.jnl
|
||||
rm -f ns*/named.conf
|
||||
rm -f ns*/named.lock
|
||||
rm -f ns*/named.memstats
|
||||
rm -f ns*/named.run
|
||||
rm -f ns*/rpz*.txt
|
||||
rm -f */named.conf
|
||||
rm -f */named.run
|
||||
rm -f resolver/named.conf
|
||||
rm -rf __pycache__
|
||||
rm -f *.status
|
||||
|
||||
@@ -1,11 +1,3 @@
|
||||
logging {
|
||||
channel basic {
|
||||
file "named.run";
|
||||
severity debug 999;
|
||||
print-time yes;
|
||||
};
|
||||
category default { basic; };
|
||||
};
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
|
||||
Binary file not shown.
@@ -183,13 +183,5 @@ grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "checking that BIND 9 doesn't crash on long TCP messages ($n)"
|
||||
ret=0
|
||||
$PERL ../packet.pl -a "10.53.0.1" -p "${PORT}" -t udp 1996-alloc_dnsbuf-crash-test.pkt || ret=1
|
||||
dig_with_opts +tcp @10.53.0.1 txt.example > dig.out.test$n || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=$((status + ret))
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
@@ -1,50 +0,0 @@
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
#
|
||||
# An adhoc server that returns a TC=1 response with the final byte
|
||||
# removed to generate UNEXPECTEDEND form dns_message_parse.
|
||||
#
|
||||
|
||||
use IO::File;
|
||||
use IO::Socket;
|
||||
|
||||
my $localport = int($ENV{'PORT'});
|
||||
if (!$localport) { $localport = 5300; }
|
||||
printf "localport %u\n", $localport;
|
||||
|
||||
my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.2",
|
||||
LocalPort => $localport, Proto => "udp") or die "$!";
|
||||
|
||||
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
|
||||
print $pidf "$$\n" or die "cannot write pid file: $!";
|
||||
$pidf->close or die "cannot close pid file: $!";
|
||||
sub rmpid { unlink "ans.pid"; exit 1; };
|
||||
|
||||
$SIG{INT} = \&rmpid;
|
||||
$SIG{TERM} = \&rmpid;
|
||||
|
||||
sub arraystring {
|
||||
my $string = join("", @_);
|
||||
return $string;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
$from = $sock->recv($buf, 512);
|
||||
($port, $ip_address) = unpack_sockaddr_in($from);
|
||||
$l = length($buf);
|
||||
printf "received %u bytes from %s#%u\n", $l, inet_ntoa($ip_address), $port;
|
||||
@up = unpack("C[$l]", $buf);
|
||||
$up[2] |= 0x80; # QR
|
||||
$up[2] |= 0x02; # TC
|
||||
$up[3] |= 0x80; # RA
|
||||
$l -= 1; # truncate the response 1 byte
|
||||
$replydata = pack("C[$l]", @up);
|
||||
printf "sent %u bytes\n", $sock->send($replydata);
|
||||
}
|
||||
@@ -17,7 +17,7 @@ options {
|
||||
pid-file "named.pid";
|
||||
listen-on { 10.53.0.1; };
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
recursion no;
|
||||
notify no;
|
||||
};
|
||||
|
||||
@@ -85,13 +85,3 @@ zone "example.nil" {
|
||||
type primary;
|
||||
file "example.db";
|
||||
};
|
||||
|
||||
server 10.53.0.2 {
|
||||
keys sha256;
|
||||
};
|
||||
|
||||
zone "bad-tsig" {
|
||||
type forward;
|
||||
forwarders { 10.53.0.2; };
|
||||
forward only;
|
||||
};
|
||||
|
||||
@@ -232,13 +232,6 @@ then
|
||||
fi
|
||||
fi
|
||||
|
||||
echo_i "check that a malformed truncated response to a TSIG query is handled"
|
||||
ret=0
|
||||
$DIG -p $PORT @10.53.0.1 bad-tsig > dig.out.bad-tsig || ret=1
|
||||
grep "status: SERVFAIL" dig.out.bad-tsig > /dev/null || ret=1
|
||||
if [ $ret -eq 1 ] ; then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
||||
21
configure.ac
21
configure.ac
@@ -14,7 +14,7 @@
|
||||
#
|
||||
m4_define([bind_VERSION_MAJOR], 9)dnl
|
||||
m4_define([bind_VERSION_MINOR], 17)dnl
|
||||
m4_define([bind_VERSION_PATCH], 4)dnl
|
||||
m4_define([bind_VERSION_PATCH], 3)dnl
|
||||
m4_define([bind_VERSION_EXTRA], )dnl
|
||||
m4_define([bind_DESCRIPTION], [(Development Release)])dnl
|
||||
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
|
||||
@@ -131,7 +131,7 @@ AC_CONFIG_FILES([libltdl/Makefile])
|
||||
#
|
||||
# Set the default CFLAGS and CPPFLAGS
|
||||
#
|
||||
STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow"
|
||||
STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow"
|
||||
|
||||
# These should be always errors
|
||||
STD_CFLAGS="$STD_CFLAGS -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes"
|
||||
@@ -563,15 +563,6 @@ LIBS="$LIBS $LIBUV_LIBS"
|
||||
AC_CHECK_FUNCS([uv_handle_get_data uv_handle_set_data uv_import])
|
||||
AX_RESTORE_FLAGS([libuv])
|
||||
|
||||
# libnghttp2
|
||||
AC_MSG_CHECKING([for libnghttp2])
|
||||
PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.40.0], [],
|
||||
[AC_MSG_ERROR([libnghttp2 not found])])
|
||||
AX_SAVE_FLAGS([libnghttp2])
|
||||
|
||||
CFLAGS="$CFLAGS $LIBNGHTTP2_CFLAGS"
|
||||
LIBS="$LIBS $LIBNGHTTP2_LIBS"
|
||||
|
||||
#
|
||||
# flockfile is usually provided by pthreads
|
||||
#
|
||||
@@ -601,7 +592,7 @@ CRYPTO=OpenSSL
|
||||
#
|
||||
# OpenSSL/LibreSSL is mandatory
|
||||
#
|
||||
PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [],
|
||||
PKG_CHECK_MODULES([OPENSSL], [libcrypto], [],
|
||||
[AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])])
|
||||
|
||||
AX_SAVE_FLAGS([openssl])
|
||||
@@ -996,10 +987,10 @@ AC_ARG_WITH([readline],
|
||||
|
||||
AS_CASE([$with_readline],
|
||||
[no],[],
|
||||
[auto|yes],
|
||||
[auto],
|
||||
[PKG_CHECK_MODULES([READLINE], [libedit],
|
||||
[AC_DEFINE([HAVE_READLINE_LIBEDIT], [1], [Build with libedit support])],
|
||||
[PKG_CHECK_MODULES([READLINE], [libeditline],
|
||||
[PKG_CHECK_MODULES([READLINE], [editline],
|
||||
[AC_DEFINE([HAVE_READLINE_EDITLINE], [1], [Build with editline support.])],
|
||||
[PKG_CHECK_MODULES([READLINE], [readline],
|
||||
[AC_DEFINE([HAVE_READLINE_READLINE], [1], [Build with readline support.])],
|
||||
@@ -1009,7 +1000,7 @@ AS_CASE([$with_readline],
|
||||
[PKG_CHECK_MODULES([READLINE], [libedit],
|
||||
[AC_DEFINE([HAVE_READLINE_LIBEDIT], [1], [Build with libedit support])])],
|
||||
[editline],
|
||||
[PKG_CHECK_MODULES([READLINE], [libeditline],
|
||||
[PKG_CHECK_MODULES([READLINE], [editline],
|
||||
[AC_DEFINE([HAVE_READLINE_EDITLINE], [1], [Build with editline support])])],
|
||||
[readline],
|
||||
[PKG_CHECK_MODULES([READLINE], [readline],
|
||||
|
||||
@@ -53,7 +53,6 @@ information about each release, source code, and pre-compiled versions
|
||||
for Microsoft Windows operating systems.
|
||||
|
||||
.. include:: ../notes/notes-current.rst
|
||||
.. include:: ../notes/notes-9.17.4.rst
|
||||
.. include:: ../notes/notes-9.17.3.rst
|
||||
.. include:: ../notes/notes-9.17.2.rst
|
||||
.. include:: ../notes/notes-9.17.1.rst
|
||||
|
||||
@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
||||
..
|
||||
.SH SYNOPSIS
|
||||
.sp
|
||||
\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-r\fP randomfile] [name]
|
||||
\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-r\fP randomfile] [\fB\-s\fP name]
|
||||
.sp
|
||||
\fBddns\-confgen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-q\fP] [\fB\-r\fP randomfile] [\fB\-s\fP name] [\fB\-z\fP zone]
|
||||
.SH DESCRIPTION
|
||||
|
||||
@@ -1,127 +0,0 @@
|
||||
..
|
||||
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
|
||||
This Source Code Form is subject to the terms of the Mozilla Public
|
||||
License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.17.4
|
||||
---------------------
|
||||
|
||||
Security Fixes
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
- It was possible to trigger an assertion failure by sending a specially
|
||||
crafted large TCP DNS message. This was disclosed in CVE-2020-8620.
|
||||
|
||||
ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for
|
||||
bringing this vulnerability to our attention. [GL #1996]
|
||||
|
||||
- ``named`` could crash after failing an assertion check in certain
|
||||
query resolution scenarios where QNAME minimization and forwarding
|
||||
were both enabled. To prevent such crashes, QNAME minimization is now
|
||||
always disabled for a given query resolution process, if forwarders
|
||||
are used at any point. This was disclosed in CVE-2020-8621.
|
||||
|
||||
ISC would like to thank Joseph Gullo for bringing this vulnerability
|
||||
to our attention. [GL #1997]
|
||||
|
||||
- It was possible to trigger an assertion failure when verifying the
|
||||
response to a TSIG-signed request. This was disclosed in
|
||||
CVE-2020-8622.
|
||||
|
||||
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
|
||||
of Oracle for bringing this vulnerability to our attention. [GL #2028]
|
||||
|
||||
- When BIND 9 was compiled with native PKCS#11 support, it was possible
|
||||
to trigger an assertion failure in code determining the number of bits
|
||||
in the PKCS#11 RSA public key with a specially crafted packet. This
|
||||
was disclosed in CVE-2020-8623.
|
||||
|
||||
ISC would like to thank Lyu Chiy for bringing this vulnerability to
|
||||
our attention. [GL #2037]
|
||||
|
||||
- ``update-policy`` rules of type ``subdomain`` were incorrectly treated
|
||||
as ``zonesub`` rules, which allowed keys used in ``subdomain`` rules
|
||||
to update names outside of the specified subdomains. The problem was
|
||||
fixed by making sure ``subdomain`` rules are again processed as
|
||||
described in the ARM. This was disclosed in CVE-2020-8624.
|
||||
|
||||
ISC would like to thank Joop Boonen of credativ GmbH for bringing this
|
||||
vulnerability to our attention. [GL #2055]
|
||||
|
||||
New Features
|
||||
~~~~~~~~~~~~
|
||||
|
||||
- A new configuration option ``stale-cache-enable`` has been introduced
|
||||
to enable or disable keeping stale answers in cache. [GL #1712]
|
||||
|
||||
- ``rndc`` has been updated to use the new BIND network manager API.
|
||||
This change had the side effect of altering the TCP timeout for RNDC
|
||||
connections from 60 seconds to the ``tcp-idle-timeout`` value, which
|
||||
defaults to 30 seconds. Also, because the network manager currently
|
||||
has no support for UNIX-domain sockets, those cannot now be used
|
||||
with ``rndc``. This will be addressed in a future release, either by
|
||||
restoring UNIX-domain socket support or by formally declaring them
|
||||
to be obsolete in the control channel. [GL #1759]
|
||||
|
||||
- Statistics channels have also been updated to use the new BIND network
|
||||
manager API. [GL #2022]
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- BIND's cache database implementation has been updated to use a faster
|
||||
hash function with better distribution. In addition, the effective
|
||||
``max-cache-size`` (configured explicitly, defaulting to a value based
|
||||
on system memory or set to ``unlimited``) now pre-allocates fixed-size
|
||||
hash tables. This prevents interruption to query resolution when the
|
||||
hash table sizes need to be increased. [GL #1775]
|
||||
|
||||
- Keeping stale answers in cache has been disabled by default.
|
||||
[GL #1712]
|
||||
|
||||
- Resource records received with 0 TTL are no longer kept in the cache
|
||||
to be used for stale answers. [GL #1829]
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- Wildcard RPZ passthru rules could incorrectly be overridden by other
|
||||
rules that were loaded from RPZ zones which appeared later in the
|
||||
``response-policy`` statement. This has been fixed. [GL #1619]
|
||||
|
||||
- The IPv6 Duplicate Address Detection (DAD) mechanism could
|
||||
inadvertently prevent ``named`` from binding to new IPv6 interfaces,
|
||||
by causing multiple route socket messages to be sent for each IPv6
|
||||
address. ``named`` monitors for new interfaces to ``bind()`` to when
|
||||
it is configured to listen on ``any`` or on a specific range of
|
||||
addresses. New IPv6 interfaces can be in a "tentative" state before
|
||||
they are fully available for use. When DAD is in use, two messages are
|
||||
emitted by the route socket: one when the interface first appears and
|
||||
then a second one when it is fully "up." An attempt by ``named`` to
|
||||
``bind()`` to the new interface prematurely would fail, causing it
|
||||
thereafter to ignore that address/interface. The problem was worked
|
||||
around by setting the ``IP_FREEBIND`` option on the socket and trying
|
||||
to ``bind()`` to each IPv6 address again if the first ``bind()`` call
|
||||
for that address failed with ``EADDRNOTAVAIL``. [GL #2038]
|
||||
|
||||
- Addressed an error in recursive clients stats reporting which could
|
||||
cause underflow, and even negative statistics. There were occasions
|
||||
when an incoming query could trigger a prefetch for some eligible
|
||||
RRset, and if the prefetch code were executed before recursion, no
|
||||
increment in recursive clients stats would take place. Conversely,
|
||||
when processing the answers, if the recursion code were executed
|
||||
before the prefetch, the same counter would be decremented without a
|
||||
matching increment. [GL #1719]
|
||||
|
||||
- The introduction of KASP support inadvertently caused the second field
|
||||
of ``sig-validity-interval`` to always be calculated in hours, even in
|
||||
cases when it should have been calculated in days. This has been
|
||||
fixed. (Thanks to Tony Finch.) [GL !3735]
|
||||
|
||||
- LMDB locking code was revised to make ``rndc reconfig`` work properly
|
||||
on FreeBSD and with LMDB >= 0.9.26. [GL #1976]
|
||||
@@ -8,7 +8,7 @@
|
||||
See the COPYRIGHT file distributed with this work for additional
|
||||
information regarding copyright ownership.
|
||||
|
||||
Notes for BIND 9.17.5
|
||||
Notes for BIND 9.17.4
|
||||
---------------------
|
||||
|
||||
Security Fixes
|
||||
@@ -29,19 +29,56 @@ New Features
|
||||
from the parent. Replaces the time-based ``parent-registration-delay``
|
||||
configuration option. [GL #1613]
|
||||
|
||||
- ``rndc`` has been updated to use the new BIND network manager API.
|
||||
This change had the side effect of altering the TCP timeout for RNDC
|
||||
connections from 60 seconds to the ``tcp-idle-timeout`` value, which
|
||||
defaults to 30 seconds. Also, because the network manager currently
|
||||
has no support for UNIX-domain sockets, those cannot now be used
|
||||
with ``rndc``. This will be addressed in a future release, either by
|
||||
restoring UNIX-domain socket support or by formally declaring them
|
||||
to be obsolete in the control channel. [GL #1759]
|
||||
|
||||
- Statistics channels have also been updated to use the new BIND network
|
||||
manager API. [GL #2022]
|
||||
|
||||
- A new configuration option ``stale-cache-enable`` has been introduced to
|
||||
enable or disable the keeping of stale answers in cache. [GL #1712]
|
||||
|
||||
Feature Changes
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
- None.
|
||||
- BIND's cache database implementation has been updated to use a faster
|
||||
hash-function with better distribution. In addition, the effective
|
||||
max-cache-size (configured explicitly, defaulting to a value based on system
|
||||
memory or set to 'unlimited') now pre-allocates fixed size hash tables. This
|
||||
prevents interruption to query resolution when the hash tables need to be
|
||||
increased in size. [GL #1775]
|
||||
|
||||
- Keeping stale answers in cache has been disabled by default.
|
||||
|
||||
- The resource records received with 0 TTL are no longer kept in the cache
|
||||
to be used for stale answers. [GL #1829]
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
- In rare circumstances, named would exit with assertion failure when the number
|
||||
of nodes stored in the red-black-tree exceeds the maximum allowed size of the
|
||||
internal hashtable. [GL #2104]
|
||||
- Addressed an error in recursive clients stats reporting.
|
||||
There were occasions when an incoming query could trigger a prefetch for
|
||||
some eligible rrset, and if the prefetch code were executed before recursion,
|
||||
no increment in recursive clients stats would take place. Conversely,
|
||||
when processing the answers, if the recursion code were executed before the
|
||||
prefetch, the same counter would be decremented without a matching increment.
|
||||
[GL #1719]
|
||||
|
||||
- Silence spurious system log messages for EPROTO(71) error code that has been
|
||||
seen on older operating systems where unhandled ICMPv6 errors result in a
|
||||
generic protocol error being returned instead of the more specific error code.
|
||||
[GL #1928]
|
||||
- The introduction of KASP support broke whether the second field
|
||||
of sig-validity-interval was treated as days or hours. (Thanks to
|
||||
Tony Finch.) [GL !3735]
|
||||
|
||||
- The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating
|
||||
system to report the new IPv6 addresses to the applications via the
|
||||
getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD
|
||||
failed) state. Such addresses cannot be bound by an application, and named
|
||||
failed to listen on IPv6 addresses after the DAD mechanism finished. It is
|
||||
possible to work around the issue by setting the IP_FREEBIND option on the
|
||||
socket and trying to bind() to the IPv6 address again if the first bind() call
|
||||
fails with EADDRNOTAVAIL. [GL #2038]
|
||||
|
||||
1
fuzz/.gitignore
vendored
1
fuzz/.gitignore
vendored
@@ -1,6 +1,5 @@
|
||||
/*.dSYM/
|
||||
/*.out/
|
||||
/dns_message_parse
|
||||
/dns_name_fromtext_target
|
||||
/dns_rdata_fromwire_text
|
||||
/isc_lex_getmastertoken
|
||||
|
||||
@@ -15,18 +15,15 @@ LDADD = \
|
||||
|
||||
check_LTLIBRARIES = libfuzzmain.la
|
||||
libfuzzmain_la_SOURCES = \
|
||||
fuzz.h \
|
||||
main.c
|
||||
|
||||
check_PROGRAMS = \
|
||||
dns_message_parse \
|
||||
dns_name_fromtext_target \
|
||||
dns_rdata_fromwire_text \
|
||||
isc_lex_getmastertoken \
|
||||
isc_lex_gettoken
|
||||
|
||||
EXTRA_DIST = \
|
||||
dns_message_parse.in \
|
||||
dns_name_fromtext_target.in \
|
||||
dns_rdata_fromwire_text.in \
|
||||
isc_lex_getmastertoken.in \
|
||||
|
||||
@@ -1,178 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
*
|
||||
* See the COPYRIGHT file distributed with this work for additional
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
#include <inttypes.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/buffer.h>
|
||||
#include <isc/commandline.h>
|
||||
#include <isc/file.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
#include <dns/message.h>
|
||||
#include <dns/result.h>
|
||||
|
||||
#include "fuzz.h"
|
||||
|
||||
bool debug = false;
|
||||
|
||||
static isc_mem_t *mctx = NULL;
|
||||
static uint8_t *output = NULL;
|
||||
static size_t output_len = 1024;
|
||||
static uint8_t *render_buf[64 * 1024];
|
||||
|
||||
int
|
||||
LLVMFuzzerInitialize(int *argc __attribute__((unused)),
|
||||
char ***argv __attribute__((unused))) {
|
||||
isc_mem_create(&mctx);
|
||||
output = isc_mem_get(mctx, output_len);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
parse_message(isc_buffer_t *input, dns_message_t **messagep) {
|
||||
isc_result_t result;
|
||||
dns_message_t *message = NULL;
|
||||
|
||||
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &message);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
result = dns_message_parse(message, input, DNS_MESSAGEPARSE_BESTEFFORT);
|
||||
if (result == DNS_R_RECOVERABLE) {
|
||||
result = ISC_R_SUCCESS;
|
||||
}
|
||||
|
||||
if (result == ISC_R_SUCCESS && messagep != NULL) {
|
||||
*messagep = message;
|
||||
} else {
|
||||
dns_message_destroy(&message);
|
||||
}
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
print_message(dns_message_t *message) {
|
||||
isc_result_t result;
|
||||
isc_buffer_t buffer;
|
||||
|
||||
do {
|
||||
isc_buffer_init(&buffer, output, output_len);
|
||||
result = dns_message_totext(message, &dns_master_style_debug, 0,
|
||||
&buffer);
|
||||
if (result == ISC_R_NOSPACE) {
|
||||
isc_mem_put(mctx, output, output_len);
|
||||
output_len *= 2;
|
||||
output = isc_mem_get(mctx, output_len);
|
||||
continue;
|
||||
}
|
||||
} while (result == ISC_R_NOSPACE);
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
||||
#define CHECKRESULT(r, f) \
|
||||
{ \
|
||||
r = (f); \
|
||||
if (r != ISC_R_SUCCESS) { \
|
||||
return (r); \
|
||||
} \
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
render_message(dns_message_t **messagep) {
|
||||
isc_result_t result;
|
||||
dns_message_t *message = *messagep;
|
||||
isc_buffer_t buffer;
|
||||
dns_compress_t cctx;
|
||||
|
||||
isc_buffer_constinit(&buffer, render_buf, sizeof(render_buf));
|
||||
|
||||
message->from_to_wire = DNS_MESSAGE_INTENTRENDER;
|
||||
for (size_t i = 0; i < DNS_SECTION_MAX; i++) {
|
||||
message->counts[i] = 0;
|
||||
}
|
||||
|
||||
CHECKRESULT(result, dns_compress_init(&cctx, -1, mctx));
|
||||
CHECKRESULT(result, dns_message_renderbegin(message, &cctx, &buffer));
|
||||
|
||||
CHECKRESULT(result, dns_message_rendersection(message,
|
||||
DNS_SECTION_QUESTION, 0));
|
||||
|
||||
CHECKRESULT(result,
|
||||
dns_message_rendersection(message, DNS_SECTION_ANSWER, 0));
|
||||
CHECKRESULT(result, dns_message_rendersection(
|
||||
message, DNS_SECTION_AUTHORITY, 0));
|
||||
|
||||
CHECKRESULT(result, dns_message_rendersection(
|
||||
message, DNS_SECTION_ADDITIONAL, 0));
|
||||
|
||||
dns_message_renderend(message);
|
||||
|
||||
dns_compress_invalidate(&cctx);
|
||||
|
||||
message->from_to_wire = DNS_MESSAGE_INTENTPARSE;
|
||||
|
||||
dns_message_destroy(messagep);
|
||||
|
||||
result = parse_message(&buffer, messagep);
|
||||
|
||||
return (result);
|
||||
}
|
||||
|
||||
int
|
||||
LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
||||
isc_buffer_t buffer;
|
||||
isc_result_t result;
|
||||
dns_message_t *message = NULL;
|
||||
|
||||
if (size > 65535) {
|
||||
return (0);
|
||||
}
|
||||
|
||||
isc_buffer_constinit(&buffer, data, size);
|
||||
isc_buffer_add(&buffer, size);
|
||||
isc_buffer_setactive(&buffer, size);
|
||||
|
||||
result = parse_message(&buffer, &message);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
result = print_message(message);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
result = render_message(&message);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
result = print_message(message);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
cleanup:
|
||||
if (message != NULL) {
|
||||
dns_message_destroy(&message);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user