2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Commit Graph

30117 Commits

Author SHA1 Message Date
Michał Kępień
18dff8e031 Merge branch '1059-prevent-tcp-failures-from-affecting-edns-stats' into 'master'
Prevent TCP failures from affecting EDNS stats

See merge request isc-projects/bind9!2501
2019-10-31 05:36:50 -04:00
Michał Kępień
36d3c66e4e Add CHANGES entry
5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]
2019-10-31 09:54:07 +01:00
Michał Kępień
fce3c93ea2 Prevent TCP failures from affecting EDNS stats
EDNS mechanisms only apply to DNS over UDP.  Thus, errors encountered
while sending DNS queries over TCP must not influence EDNS timeout
statistics.
2019-10-31 09:54:05 +01:00
Michał Kępień
7346e6d3b5 Merge branch '1059-prevent-query-loops-for-misbehaving-servers' into 'master'
Prevent query loops for misbehaving servers

See merge request isc-projects/bind9!2500
2019-10-31 04:45:50 -04:00
Michał Kępień
6cd115994e Prevent query loops for misbehaving servers
If a TCP connection fails while attempting to send a query to a server,
the fetch context will be restarted without marking the target server as
a bad one.  If this happens for a server which:

  - was already marked with the DNS_FETCHOPT_EDNS512 flag,
  - responds to EDNS queries with the UDP payload size set to 512 bytes,
  - does not send response packets larger than 512 bytes,

and the response for the query being sent is larger than 512 byes, then
named will pointlessly alternate between sending UDP queries with EDNS
UDP payload size set to 512 bytes (which are responded to with truncated
answers) and TCP connections until the fetch context retry limit is
reached.  Prevent such query loops by marking the server as bad for a
given fetch context if the advertised EDNS UDP payload size for that
server gets reduced to 512 bytes and it is impossible to reach it using
TCP.
2019-10-31 08:48:35 +01:00
Michał Kępień
9fd89c0587 Merge branch 'michal/placeholder-2476' into 'master'
Add a CHANGES placeholder

See merge request isc-projects/bind9!2502
2019-10-30 11:12:37 -04:00
Michał Kępień
3c29291842 Add a CHANGES placeholder
See [GL !2476].
2019-10-30 16:10:39 +01:00
Mark Andrews
cea2b533fe Merge branch '1288-log-dns_r_unchanged-from-sync_secure_journal-at-info-level-in-receive_secure_serial' into 'master'
Resolve "Log DNS_R_UNCHANGED from sync_secure_journal at info level in receive_secure_serial."

Closes #1288

See merge request isc-projects/bind9!2490
2019-10-29 20:58:44 -04:00
Mark Andrews
e6ef7858c3 add CHANGES 2019-10-30 11:19:34 +11:00
Mark Andrews
8eb09f3232 Log DNS_R_UNCHANGED from sync_secure_journal() at info level in receive_secure_serial() 2019-10-30 11:15:46 +11:00
Mark Andrews
c79077894a Merge branch 'u/fanf2/compilezone-hang' into 'master'
Fix hang in `named-compilezone | head`

See merge request isc-projects/bind9!2481
2019-10-29 19:42:08 -04:00
Tony Finch
548f29a4d9 CHANGES 2019-10-29 10:57:48 -05:00
Tony Finch
a87ccea032 Fix hang in named-compilezone | head
I was truncating zone files for experimental purposes when I found
that `named-compilezone | head` got stuck. The full command line that
exhibited the problem was:

	dig axfr dotat.at |
	named-compilezone -o /dev/stdout dotat.at /dev/stdin |
	head

This requires a large enough zone to exhibit the problem, more than
about 70000 bytes of plain text output from named-compilezone.
I was running the command on Debian Stretch amd64.

This was puzzling since it looked like something was suppressing the
SIGPIPE. I used `strace` to examine what was happening at the hang.
The program was just calling write() a lot to print the zone file, and
the last write() hanged until I sent it a SIGINT.

During some discussion with friends, Ian Jackson guessed that opening
/dev/stdout O_RDRW might be the problem, and after some tests we found
that this does in fact suppress SIGPIPE.

Since `named-compilezone` only needs to write to its output file, the
fix is to omit the stdio "+" update flag.
2019-10-29 10:56:56 -05:00
Ondřej Surý
89ee56e1c0 Merge branch 'placeholder-tcp-highwater' into 'master'
placeholder.

See merge request isc-projects/bind9!2495
2019-10-29 10:34:01 -04:00
Diego Fronza
478831964e placeholder. 2019-10-29 11:19:32 -03:00
Ondřej Surý
d091772279 Merge branch 'ondrej/update-list-of-supported-platforms-for-9.16' into 'master'
Update the list of supported and unsupported PLATFORMS for BIND 9.15

See merge request isc-projects/bind9!2486
2019-10-29 08:28:30 -04:00
Ondřej Surý
cb9553d9e5 Add 'Community Maintained' section to PLATFORMS.md 2019-10-29 06:41:55 -05:00
Ondřej Surý
67166b7ddd Update the list of supported and unsupported PLATFORMS for BIND 9.15 2019-10-29 06:41:55 -05:00
Ondřej Surý
82f07b2c6d Merge branch '1265-disable-synth-from-dnssec-by-default-workaround' into 'master'
Disable synth-from-dnssec by default

See merge request isc-projects/bind9!2491
2019-10-29 05:55:08 -04:00
Ondřej Surý
4a778cfa45 Add CHANGES note 2019-10-29 04:10:12 -05:00
Ondřej Surý
fce5a01a63 Add release notes. 2019-10-29 04:10:12 -05:00
Ondřej Surý
800d7843af Adjust synthfromdnssec system test to the changed defaults 2019-10-29 04:10:12 -05:00
Ondřej Surý
a20c42dca6 Disable NSEC Aggressive Cache (synth-from-dnssec) by default
It was found that NSEC Aggressive Caching has a significant performance impact
on BIND 9 when used as recursor.  This commit disables the synth-from-dnssec
configuration option by default to provide immediate remedy for people running
BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
will be prepared.
2019-10-29 04:10:12 -05:00
Michał Kępień
7abd918d73 Merge branch 'michal/revamp-the-release-checklist' into 'master'
Revamp the release checklist

See merge request isc-projects/bind9!2488
2019-10-29 04:30:12 -04:00
Michał Kępień
a8910de835 Revamp the release checklist
Make the release checklist match the current release process better by
adding missing steps, rearranging existing ones, reassigning
responsibilities, and dividing the list into sections (by due date).
2019-10-29 09:29:05 +01:00
Michał Kępień
35169151d3 Merge branch 'michal/add-centos-8-to-gitlab-ci' into 'master'
Add CentOS 8 to GitLab CI

See merge request isc-projects/bind9!2489
2019-10-29 04:22:34 -04:00
Michał Kępień
dce1c05042 Add CentOS 8 to GitLab CI
Ensure BIND can be tested on CentOS 8 in GitLab CI to more quickly catch
build and test errors on that operating system.
2019-10-25 16:56:32 +02:00
Mark Andrews
765312b655 Merge branch '876-documentation-feedback-2' into 'master'
"dnskey-sig-validity 0;" was not accepted

Closes #876

See merge request isc-projects/bind9!2484
2019-10-24 16:08:28 -04:00
Mark Andrews
918f020f9f add named-checkconf tests for dnskey-sig-validity at range limits 2019-10-24 23:16:21 +11:00
Mark Andrews
20647657f9 accept 0 for dnskey-sig-validity (indicates off) 2019-10-24 23:15:09 +11:00
Mark Andrews
e33f345c4b Merge branch 'marka-placeholder' into 'master'
placeholder

See merge request isc-projects/bind9!2485
2019-10-24 04:19:45 -04:00
Mark Andrews
0706e626e0 placeholder 2019-10-24 19:14:43 +11:00
Ondřej Surý
c77037943d Merge branch '5-update-coding-style' into 'master'
Update the coding style to reflect the year 2019 and C99/C11 standard

Closes #5

See merge request isc-projects/bind9!2148
2019-10-22 06:19:36 -04:00
Ondřej Surý
212e267b05 Update the coding style to reflect the year 2019 and C11 standard 2019-10-22 12:19:14 +02:00
Mark Andrews
5fbab0071a Merge branch '1281-dnstap-per-view-configuration' into 'master'
Resolve "dnstap per view configuration"

Closes #1281

See merge request isc-projects/bind9!2477
2019-10-21 17:20:48 -04:00
Mark Andrews
6ce1e2e731 add CHANGES 2019-10-22 08:03:15 +11:00
Mark Andrews
c2fcc9f16f check for relationship between dnstap and dnstap-output seperately 2019-10-21 11:08:06 +11:00
Mark Andrews
f3d53630c3 add more dnstap/dnstap-output combinations 2019-10-21 11:06:21 +11:00
Tinderbox User
8c573fc3fd Merge branch 'security-master' 2019-10-19 23:30:23 +00:00
Michał Kępień
2bda78425b Merge branch 'michal/address-cppcheck-1.89-warnings' into 'master'
Address cppcheck 1.89 warnings

See merge request isc-projects/bind9!2472
2019-10-17 05:50:06 -04:00
Michał Kępień
db7fd16346 Suppress cppcheck 1.89 false positive
cppcheck 1.89 emits a false positive for lib/dns/spnego_asn1.c:

    lib/dns/spnego_asn1.c:698:9: error: Uninitialized variable: data [uninitvar]
     memset(data, 0, sizeof(*data));
            ^
    lib/dns/spnego.c:1707:47: note: Calling function 'decode_NegTokenResp', 3rd argument '&resp' value is <Uninit>
     ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
                                                  ^
    lib/dns/spnego_asn1.c:698:9: note: Uninitialized variable: data
     memset(data, 0, sizeof(*data));
            ^

This message started appearing with cppcheck 1.89 [1], but it will be
gone in the next release [2], so just suppress it for the time being.

[1] af214e8212

[2] 2595b82634
2019-10-16 22:23:41 +02:00
Michał Kępień
abfde3d543 Fix cppcheck 1.89 warnings
cppcheck 1.89 enabled certain value flow analysis mechanisms [1] which
trigger null pointer dereference false positives in lib/dns/rpz.c:

    lib/dns/rpz.c:582:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:582:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:596:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:596:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:610:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:610:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^

It seems that cppcheck no longer treats at least some REQUIRE()
assertion failures as fatal, so add extra assertion macro definitions to
lib/isc/include/isc/util.h that are only used when the CPPCHECK
preprocessor macro is defined; these definitions make cppcheck 1.89
behave as expected.

There is an important requirement for these custom definitions to work:
cppcheck must properly treat abort() as a function which does not
return.  In order for that to happen, the __GNUC__ macro must be set to
a high enough number (because system include directories are used and
system headers compile attributes away if __GNUC__ is not high enough).
__GNUC__ is thus set to the major version number of the GCC compiler
used, which is what that latter does itself during compilation.

[1] aaeec462e6
2019-10-16 22:23:36 +02:00
Michał Kępień
15b8f92a5a Merge branch 'michal/cleanup-with-cc-alg-remnants' into 'master'
Remove remnants of the --with-cc-alg option

See merge request isc-projects/bind9!2436
2019-10-15 16:35:11 -04:00
Michał Kępień
428dcf3b49 Remove remnants of the --with-cc-alg option
Commit afa81ee4e4 omitted some spots in
the source tree which are still referencing the removed --with-cc-alg
"configure" option.  Make sure the latter is removed completely.
2019-10-15 21:57:58 +02:00
Michał Kępień
2007a7d2db Merge branch 'michal/limit-triggers-for-openbsd-system-test-jobs' into 'master'
Limit triggers for OpenBSD system test jobs

See merge request isc-projects/bind9!2468
2019-10-15 15:52:33 -04:00
Michał Kępień
603e04563b Limit triggers for OpenBSD system test jobs
When a GitLab CI runner is not under load, a single OpenBSD system test
job completes in about 12 minutes, which is considered decent.  However,
such jobs are usually multiplexed with other system test jobs on the
same host, which causes each of them to take even 40 minutes to
complete.  Taking retries into account, this is completely unacceptable
for everyday use, so only start OpenBSD system test jobs for pipelines
created through GitLab's web interface and for pipelines created for Git
tags.
2019-10-15 21:47:47 +02:00
Michał Kępień
818d2bed31 Merge branch 'michal/minor-gitlab-ci-tweaks' into 'master'
Minor GitLab CI tweaks

See merge request isc-projects/bind9!2435
2019-10-15 15:45:54 -04:00
Michał Kępień
dd97dfdc14 Tweak dependencies for the Windows build job
Since the Windows build job does not use the files created as a result
of running "autoreconf -fi" in the "autoreconf:sid:amd64" job, set its
dependencies to an empty list.

Since it is currently not possible to use "needs: []" for jobs which do
not belong to the first stage of a pipeline, set the "needs" key for the
Windows build job to the "autoreconf:sid:amd64" job so that all build
jobs are started at the same time (without this change, the Windows
build job does not start until all jobs in the "precheck" stage are
finished).

As a side note, these changes also attempt to eliminate intermittent,
bogus GitLab error messages ("There has been a missing dependency
failure").
2019-10-15 20:49:08 +02:00
Michał Kępień
e83b322f7f Fix artifacts created by the "autoreconf" CI job
The intended purpose of the "autoreconf:sid:amd64" GitLab CI job is to
run "autoreconf -fi" and then pass the updated files on to subsequent
non-Windows build jobs.  However, the artifacts currently created by
that job only include files which are not tracked by Git.  Since we
currently do track e.g. "configure" with Git, the aforementioned job is
essentially a no-op.  Fix by manually specifying the files generated by
the "autoreconf:sid:amd64" job that should be passed on to subsequent
build jobs.
2019-10-15 20:49:08 +02:00
Michał Kępień
175d096e1e Merge branch 'michal/add-openbsd-to-gitlab-ci' into 'master'
Add OpenBSD to GitLab CI

Closes #148

See merge request isc-projects/bind9!2434
2019-10-15 14:44:40 -04:00