mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

Merge tag 'v9.21.1'

Browse Source
This commit is contained in:
Nicki Křížek 2024-09-18 18:02:41 +02:00
commit 377831a290
7 changed files with 430 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

250
doc/arm/changelog.rst
View File

@ -18,6 +18,256 @@ Changelog
development. Regular users should refer to :ref:`Release Notes <relnotes>`
for changes relevant to them.
BIND 9.21.1
-----------
New Features
~~~~~~~~~~~~
- Support for Offline KSK implemented. ``bfa206beecc``
Add a new configuration option `offline-ksk` to enable Offline KSK key
management. Signed Key Response (SKR) files created with `dnssec-ksr`
(or other program) can now be imported into `named` with the new `rndc
skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY
records and generating signatures covering these types, these records
are loaded from the currently active bundle from the imported SKR.
The implementation is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-
keymgmt-01.txt :gl:`#1128` :gl:`!9119`
- Implement the 'request-ixfr-max-diffs' configuration option.
``99b18bab7e1``
The new 'request-ixfr-max-diffs' configuration option sets the maximum
number of incoming incremental zone transfer (IXFR) differences,
exceeding which triggers a full zone transfer (AXFR). :gl:`#4389`
:gl:`!9094`
- Print the full path of the working directory in startup log messages.
``cf53eac46e9``
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined. :gl:`#4731`
:gl:`!9362`
- Support restricted key tag range when generating new keys.
``d40b722d462``
It is useful when multiple signers are being used to sign a zone to
able to specify a restricted range of range of key tags that will be
used by an operator to sign the zone. This adds controls to named
(dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and dnssec-ksr
(dnssec-policy) to specify such ranges. :gl:`#4830` :gl:`!9258`
Removed Features
~~~~~~~~~~~~~~~~
- Remove the 'dialup' and 'heartbeat-interval' options. ``a133a33b650``
The `dialup` and `heartbeat-interval` options have been removed, along
with all code implementing them. Using these options is now a fatal
error. :gl:`#4237` :gl:`!8160`
- Remove outdated perllib integration. ``f73a19bb3e9``
The code in conftools/ directory hasn't been touched since 2000.
Nobody knows what it does and nobody even knows how to build it or
test it. Just remove the whole directory. :gl:`!9302`
Feature Changes
~~~~~~~~~~~~~~~
- Use deterministic ecdsa for openssl >= 3.2. ``069c6c22654``
OpenSSL has added support for deterministic ECDSA (RFC 6979) with
version 3.2.
Use it by default as it removes arguably its most fragile side of
ECDSA. The derandomization doesn't pose a risk for DNS usecases and is
allowed by FIPS 186-5. :gl:`#299` :gl:`!9128`
- Exempt prefetches from the fetches-per-zone and fetches-per-server
quotas. ``4cd73e2536c``
Fetches generated automatically as a result of 'prefetch' are now
exempt from the 'fetches-per-zone' and 'fetches-per-server' quotas.
This should help in maintaining the cache from which query responses
can be given. :gl:`#4219` :gl:`!9095`
- Restore the ability to select individual unit tests. ``2299aba5c20``
This add the command line arguments: `-d` (debug), `-l` (list tests)
and `-t test` (run this test) to the unit tests. :gl:`#4579`
:gl:`!9384`
- Process also the ISC_R_CANCELED result code in rpz_rewrite()
``d0d6ad0c52e``
Log canceled resolver queries (e.g. when shutting down a hung fetch)
in DEBUG3 level instead of DEBUG1 which is used for the "unrecognized"
result codes. :gl:`#4797` :gl:`!9148`
- Use single logging context for everything. ``aa408051d6c``
Instead of juggling different logging context, use one single logging
context that gets initialized in the libisc constructor and destroyed
in the libisc destructor. :gl:`#4848` :gl:`!9301`
- Remove code to read and parse /proc/net/if_inet6 on Linux.
``8071384324b``
The getifaddr() works fine for years, so we don't have to keep the
callback to parse /proc/net/if_inet6 anymore. :gl:`#4852` :gl:`!9315`
- Use seteuid()/setegid() instead of setreseuid()/setresgid()
``558ec133ea1``
It looks like that all supported systems now have support for
_POSIX_SAVED_IDS, so it's safe to use setegid() and setegid() because
those will not change saved used/group IDs. :gl:`#4862` :gl:`!9363`
- Follow the number of CPU set by taskset/cpuset. ``9afcdc2b184``
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S).
If the admin has used taskset, the `named` will now follow to
automatically use the given number of CPUs rather than the system wide
count. :gl:`#4884` :gl:`!9398`
- Double the number of threadpool threads. ``cfdded46676``
Introduce this temporary workaround to reduce the impact of long-
running tasks in offload threads which can block the resolution of
queries. :gl:`#4898`
Bug Fixes
~~~~~~~~~
- Delay release of root privileges until after configuring controls.
``8a09d54d6be``
Delay relinquishing root privileges until the control channel has been
configured, for the benefit of systems that require root to use
privileged port numbers. This mostly affects systems without fine-
grained privilege systems (i.e., other than Linux). :gl:`#4793`
:gl:`!9123`
- Fix the assertion failure in the isc_hashmap iterator. ``c31cd677882``
When the round robin hashing reorders the map entries on deletion, we
were adjusting the iterator table size only when the reordering was
happening at the internal table boundary. The iterator table size had
to be reduced by one to prevent seeing the entry that resized on
position [0] twice because it migrated to [iter->size - 1] position.
However, the same thing could happen when the same entry migrates a
second time from [iter->size - 1] to [iter->size - 2] position (and so
on) because the check that we are manipulating the entry just in the
[0] position was insufficient. Instead of checking the position [pos
== 0], we now check that the [pos % iter->size == 0], thus ignoring
all the entries that might have moved back to the end of the internal
table. :gl:`#4838` :gl:`!9292`
- Add -Wno-psabi to CFLAGS for x86 (32-bit) builds. ``75021765f8d``
GCC 11.1+ emits a note during compilation when there are 64-bit atomic
fields in a structure, because it fixed a compiler bug by changing the
alignment of such fields, which caused ABI change.
Add -Wno-psabi to CFLAGS for such builds in order to silence the
warning. That shouldn't be a problem since we don't expose our
structures to the outside. :gl:`#4841` :gl:`!9319`
- Check if logconfig is NULL before using it in isc_log_doit()
``ebd669a8303``
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
because it's possible that isc_log_destroy() was already called, e.g.
when a 'call_rcu' function wants to log a message during shutdown.
:gl:`#4842` :gl:`!9297`
- Change the NS_PER_SEC (and friends) from enum to static const.
``2d12e1142ae``
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums. In this case, we used enum {}
as C17 doesn't have constexpr yet. Change the time conversion
constants to be static const unsigned int instead of enum values.
:gl:`#4845` :gl:`!9313`
- Check the result of dirfd() before calling unlinkat() ``661981be7b0``
Instead of directly using the result of dirfd() in the unlinkat()
call, check whether the returned file descriptor is actually valid.
That doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the
right error returned directly by dirfd() instead of EBADF from
unlinkat(). :gl:`#4853` :gl:`!9316`
- Fix rare assertion failure when shutting down incoming transfer.
``14d2040934e``
A very rare assertion failure can be triggered when the incoming
transfer is either forcefully shut down or it is finished during
printing the details about the statistics channel. This has been
fixed. :gl:`#4860` :gl:`!9336`
- Fix the resesuid() shim implementation for NetBSD. ``5bfed08b253``
The shim implementation of setresuid() was wrong - there was a copy
and paste error and it was calling setresgid() instead. This only
affects NetBSD because Linux, FreeBSD and OpenBSD have setresuid() and
setresgid() implementation available from the system library.
:gl:`#4862` :gl:`!9359`
- Fix algoritm rollover bug when there are two keys with the same
keytag. ``8dbd57116bf``
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key. This has been fixed by not only checking for matching key tag but
also key algorithm. :gl:`#4878` :gl:`!9381`
- Stop using malloc_usable_size and malloc_size. ``f99da39934d``
The `malloc_usable_size()` can return size larger than originally
allocated and when these sizes disagree the fortifier enabled by
`_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution
abruptly. Stop using these convenience functions as they are primary
used for introspection-only. :gl:`#4880` :gl:`!9400`
- Preserve statement tag order in documentation. ``0b9ce9c05b1``
This supports bit-for-bit reproducibility of built documentation.
:gl:`#4886` :gl:`!9399`
- Fix an assertion failure in validate_dnskey_dsset_done()
``31245213a09``
Under rare circumstances, named could terminate unexpectedly when
validating a DNSKEY resource record if the validation was canceled in
the meantime. This has been fixed. :gl:`#4911`
- Silence all warnings that stem from the default config.
``f4e0d0e460b``
As we now setup the logging very early, parsing the default config
would always print warnings about experimental (and possibly
deprecated) options in the default config. This would even mess with
commands like `named -V` and it is also wrong to warn users about
using experimental options in the default config, because they can't
do anything about this. Add CFG_PCTX_NODEPRECATED and
CFG_PCTX_NOEXPERIMENTAL options that we can pass to cfg parser and
silence the early warnings caused by using experimental options in the
default config. :gl:`!9304`
BIND 9.21.0
-----------

2
doc/arm/notes.rst
View File

@ -39,7 +39,7 @@ https://www.isc.org/download/. There you will find additional
information about each release, and source code.
.. include:: ../notes/notes-known-issues.rst
.. include:: ../notes/notes-9.21.1.rst
.. include:: ../notes/notes-9.21.0.rst
.. _relnotes_license:

12
doc/arm/reference.rst
View File

@ -6264,7 +6264,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
This indicates the TTL to use when generating DNSKEY resource
records. The default is 1 hour (3600 seconds).
:any:`inline-signing`
.. _dnssec-policy-inline-signing:
inline-signing
:tags: dnssec
:short: Specifies whether BIND 9 maintains a separate signed version of a zone.
@ -6276,7 +6278,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
This behavior is enabled by default.
.. keys
.. _dnssec-policy-keys:
keys
:tags: dnssec
:short: Specifies the type of keys to be used for DNSSEC signing.
@ -6444,7 +6448,9 @@ The following options can be specified in a :any:`dnssec-policy` statement:
This is similar to :any:`signatures-validity`, but for DNSKEY records.
The default is ``P2W`` (2 weeks).
:any:`max-zone-ttl`
.. _dnssec-policy-max-zone-ttl:
max-zone-ttl
:tags: zone, query
:short: Specifies a maximum permissible time-to-live (TTL) value, in seconds.

139
doc/notes/notes-9.21.1.rst Normal file
View File

@ -0,0 +1,139 @@
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
Notes for BIND 9.21.1
---------------------
New Features
~~~~~~~~~~~~
- Support for Offline KSK implemented.
Add a new configuration option :any:`offline-ksk` to enable Offline
KSK key management. Signed Key Response (SKR) files created with
:iscman:`dnssec-ksr` (or other programs) can now be imported into
:iscman:`named` with the new :option:`rndc skr -import <rndc skr>`
command. Rather than creating new DNSKEY, CDS, and CDNSKEY records and
generating signatures covering these types, these records are loaded
from the currently active bundle from the imported SKR.
The implementation is loosely based on
`draft-icann-dnssec-keymgmt-01.txt
<https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt>`_.
:gl:`#1128`
- Allow limiting the number of differences in IXFR.
A new :any:`request-ixfr-max-diffs` configuration option can set the
maximum number of incoming incremental zone transfer (IXFR)
differences. Exceeding it triggers a full zone transfer (AXFR).
:gl:`#4389`
- Print the full path of the working directory in startup log messages.
:iscman:`named` now prints its initial working directory during
startup, and the changed working directory when loading or reloading
its configuration file, if it has a valid :any:`directory` option
defined. :gl:`#4731`
- Support a restricted key tag range when generating new keys.
When multiple signers are being used to sign a zone, it is useful to
be able to specify a restricted range of key tags to be used by an
operator to sign the zone. The range can be specified with
``tag-range`` in :any:`dnssec-policy`'s :ref:`keys
<dnssec-policy-keys>` (for :iscman:`named` and :iscman:`dnssec-ksr`)
and with the new options :option:`dnssec-keyfromlabel -M` and
:option:`dnssec-keygen -M`. :gl:`#4830`
Removed Features
~~~~~~~~~~~~~~~~
- Remove the ``dialup`` and ``heartbeat-interval`` options.
The ``dialup`` and ``heartbeat-interval`` options have been removed,
along with all code implementing them. Using these options is now a
fatal error. :gl:`#4237`
Feature Changes
~~~~~~~~~~~~~~~
- Use deterministic ECDSA for OpenSSL >= 3.2.
OpenSSL has added support for deterministic ECDSA (:rfc:`6979`) with
version 3.2.
It is used by default, as it removes arguably its most fragile side of
ECDSA. The derandomization does not pose a risk for DNS usecases and is
allowed by FIPS 186-5. :gl:`#299`
- Exempt prefetches from the :any:`fetches-per-zone` and
:any:`fetches-per-server` quotas.
Fetches generated automatically as a result of :any:`prefetch` are now
exempt from the :any:`fetches-per-zone` and :any:`fetches-per-server`
quotas. This should help in maintaining the cache from which query
responses can be given. :gl:`#4219`
- Follow the number of CPUs set by ``taskset``/``cpuset``.
Administrators may wish to constrain the set of cores that
:iscman:`named` runs on via the ``taskset``, ``cpuset``, or ``numactl``
programs (or equivalents on other OSes).
If the admin has used ``taskset``, :iscman:`named` now automatically
uses the given number of CPUs rather than the system-wide count.
:gl:`#4884`
Bug Fixes
~~~~~~~~~
- Delay the release of root privileges until after configuring controls.
Delay relinquishing root privileges until the control channel has been
configured, for the benefit of systems that require root to use
privileged port numbers. This mostly affects systems without fine-
grained privilege systems (i.e., other than Linux). :gl:`#4793`
- Fix a rare assertion failure when shutting down incoming transfer.
A very rare assertion failure could be triggered when the incoming
transfer was either forcefully shut down, or it finished during the
printing of the details about the statistics channel. This has been
fixed. :gl:`#4860`
- Fix algorithm rollover bug when there are two keys with the same
keytag.
If there was an algorithm rollover and two keys of different
algorithms shared the same keytags, there was the possibility that the
check of whether the key matched a specific state could be performed
against the wrong key. This has been fixed by not only checking for
the matching key tag but also the key algorithm. :gl:`#4878`
- Fix an assertion failure in ``validate_dnskey_dsset_done()``.
Under rare circumstances, :iscman:`named` could terminate unexpectedly
when validating a DNSKEY resource record if the validation had been
canceled in the meantime. This has been fixed. :gl:`#4911`
Known Issues
~~~~~~~~~~~~
- Long-running tasks in offloaded threads (e.g. loading RPZ zones or
processing zone transfers) may block the resolution of queries during
these operations and cause the queries to time out.
To work around the issue, the ``UV_THREADPOOL_SIZE`` environment
variable can be set to a larger value before starting :iscman:`named`.
The recommended value is the number of RPZ zones (or number of
transfers) plus the number of threads BIND should use, which is
typically the number of CPUs. :gl:`#4898`

17
doc/notes/notes-known-issues.rst
View File

@ -14,11 +14,12 @@
Known Issues
------------
- On some platforms, including FreeBSD, :iscman:`named` must be run as
root to use the :iscman:`rndc` control channel on a privileged port
(i.e., with a port number less than 1024; this includes the default
:iscman:`rndc` :rndcconf:ref:`port`, 953). Currently, using the
:option:`named -u` option to switch to an unprivileged user makes
:iscman:`rndc` unusable. This will be fixed in a future release; in
the meantime, ``mac_portacl`` can be used as a workaround, as
documented in https://kb.isc.org/docs/aa-00621. :gl:`#4793`
- Long-running tasks in offloaded threads (e.g. loading RPZ zones or
processing zone transfers) may block the resolution of queries during
these operations and cause the queries to time out.
To work around the issue, the ``UV_THREADPOOL_SIZE`` environment
variable can be set to a larger value before starting :iscman:`named`.
The recommended value is the number of RPZ zones (or number of
transfers) plus the number of threads BIND should use, which is
typically the number of CPUs. :gl:`#4898`

25
lib/dns/validator.c
View File

@ -1966,15 +1966,26 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {
static void
validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) {
if (result == ISC_R_SUCCESS) {
switch (result) {
case ISC_R_CANCELED:
case ISC_R_SHUTTINGDOWN:
/* Abort, abort, abort! */
break;
case ISC_R_SUCCESS:
marksecure(val);
validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
} else if (result == ISC_R_NOMORE && !val->supported_algorithm) {
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm/digest (DS)");
result = markanswer(val, "validate_dnskey (3)",
"no supported algorithm/digest (DS)");
} else {
break;
case ISC_R_NOMORE:
if (!val->supported_algorithm) {
validator_log(val, ISC_LOG_DEBUG(3),
"no supported algorithm/digest (DS)");
result = markanswer(
val, "validate_dnskey (3)",
"no supported algorithm/digest (DS)");
break;
}
FALLTHROUGH;
default:
validator_log(val, ISC_LOG_INFO,
"no valid signature found (DS)");
result = DNS_R_NOVALIDSIG;

5
lib/isc/loop.c
View File

@ -351,7 +351,10 @@ threadpool_initialize(uint32_t workers) {
int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf,
&(size_t){ sizeof(buf) });
if (r == UV_ENOENT) {
snprintf(buf, sizeof(buf), "%" PRIu32, workers);
/* FIXME The number of threadpool threads has been temporarily
* doubled to work around the issue [GL #4898] until a proper
* solution is implemented. */
snprintf(buf, sizeof(buf), "%" PRIu32, 2 * workers);
uv_os_setenv("UV_THREADPOOL_SIZE", buf);
}
}