mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00

38512 Commits

Author SHA1 Message Date
Tony Finch
61598b0cd1 Merge branch 'fanf-libbind9-remnants' into 'main'
Remove some lingering references to libbind9

See merge request isc-projects/bind9!7660
2023-03-08 12:04:35 +00:00
Tony Finch
c43668f031 Remove some lingering references to libbind9
Clean up the `.clang-format` #include priority list and
the `\file` declaration in `isc/getaddresses.h`.
2023-03-08 10:06:22 +00:00
Ondřej Surý
d3764f0759 Merge branch '3905-remove-TKEY-Diffie-Hellman-exchange' into 'main'
Remove TKEY Mode 2 (Diffie-Hellman)

Closes #3905

See merge request isc-projects/bind9!7626
2023-03-08 07:57:52 +00:00
Ondřej Surý
cf21e05313 Add CHANGES and release note for [GL #3905] 2023-03-08 08:36:25 +01:00
Evan Hunt
f030831481 further cleanup after removing diffie-hellman TKEY mode
without diffie-hellman TKEY negotiation, some other code is
now effectively dead or unnecessary, and can be cleaned up:

- the rndc tsig-list and tsig-delete commands.
- a nonoperational command-line option to dnssec-keygen that
  was documented as being specific to DH.
- the section of the ARM that discussed TKEY/DH.
- the functions dns_tkey_builddeletequery(), processdeleteresponse(),
  and tkey_processgssresponse(), which are unused.
2023-03-08 08:36:25 +01:00
Ondřej Surý
bd4576b3ce Remove TKEY Mode 2 (Diffie-Hellman)
Completely remove the TKEY Mode 2 (Diffie-Hellman Exchanged Keying) from
BIND 9 (from named, named.conf and all the tools).  The TKEY usage is
fringe at best and in all known cases, GSSAPI is being used as it should.

The draft-eastlake-dnsop-rfc2930bis-tkey specifies that:

    4.2 Diffie-Hellman Exchanged Keying (Deprecated)

       The use of this mode (#2) is NOT RECOMMENDED for the following two
       reasons but the specification is still included in Appendix A in case
       an implementation is needed for compatibility with old TKEY
       implementations. See Section 4.6 on ECDH Exchanged Keying.

          The mixing function used does not meet current cryptographic
          standards because it uses MD5 [RFC6151].

          RSA keys must be excessively long to achieve levels of security
          required by current standards.

We might optionally implement Elliptic Curve Diffie-Hellman (ECDH) key
exchange mode 6 if the draft ever reaches the RFC status.  Meanwhile the
insecure DH mode needs to be removed.
2023-03-08 08:36:25 +01:00
Tom Krizek
584eb79400 Merge branch 'tkrizek/set-up-version-and-release-notes-for-bind-9.19.12' into 'main'
Set up version and release notes for BIND 9.19.12

See merge request isc-projects/bind9!7650
2023-03-07 16:35:33 +00:00
Tom Krizek
7f0cb47044 Set up release notes for BIND 9.19.12 2023-03-07 14:10:26 +01:00
Tom Krizek
ddd337f541 Update BIND version to 9.19.12-dev 2023-03-07 14:09:54 +01:00
Tom Krizek
0874708bbf Merge branch '3917-named-should-log-uv-version-when-starting-up' into 'main'
Resolve "Named should log UV version when starting up"

Closes #3917

See merge request isc-projects/bind9!7642
2023-03-03 08:30:14 +00:00
Mark Andrews
5fd2cd8018 Now logs UV versions when starting up
Named now logs both compile time and run time UV versions when
starting up.  This is useful information to have when debugging
network issues involving named.
2023-03-03 14:04:34 +11:00
Aram Sargsyan
c3a159e080 Merge branch '3907-data-race-in-rbtdb' into 'main'
Resolve "ThreadSanitizer: data race lib/dns/rbtdb.c:1365 in newversion"

Closes #3907

See merge request isc-projects/bind9!7637
2023-03-02 18:36:01 +00:00
Aram Sargsyan
6980e3b354 Check if catz is active in dns__catz_update_cb()
A reconfiguration can deactivate the catalog zone while the
offloaded update process was preparing to run.
2023-03-02 17:40:10 +00:00
Aram Sargsyan
67c77aba38 Check if catz is active in dns__catz_timer_cb()
A reconfiguration can deactivate the catalog zone while the
update process was deferred using a timer.
2023-03-02 17:40:10 +00:00
Aram Sargsyan
3973724d67 Use catzs->lock in dns_catz_prereconfig()
There can be an update running in another thread, so use a lock,
like it's done in dns_catz_postreconfig().
2023-03-02 17:40:10 +00:00
Aram Sargsyan
cb0d6393a7 Add a CHANGES note for [GL #3907] 2023-03-02 17:40:10 +00:00
Aram Sargsyan
a87859f1fa catz: protect db_registered and db callback (un)registration with a lock
Doing this to avoid a race between the 'dns__catz_update_cb()' and
'dns_catz_dbupdate_callback()' functions.
2023-03-02 17:40:10 +00:00
Aram Sargsyan
d2ecff3c4a catz: use two pairs of dns_db_t and dns_dbversion_t in a catalog zone
As it is done in the RPZ module, use 'db' and 'dbversion' for the
database we are going to update to, and 'updb' and 'updbversion' for
the database we are working on.

Doing this should avoid a race between the 'dns__catz_update_cb()' and
'dns_catz_dbupdate_callback()' functions.
2023-03-02 17:39:43 +00:00
Aram Sargsyan
e1627e1289 Update the CHANGES note for [GL #3777]
Remove the part which is no longer true after reverting the commit
in question.

The CHANGES entry was never part of a released BIND 9 version.
2023-03-02 09:43:37 +00:00
Aram Sargsyan
593dea871a Revert "Process db callbacks in zone_loaddone() after zone_postload()"
This reverts commit ed268b46f11706bde3da68bd2a4b45752350f736.

The commit introduced a data race, because dns_db_endload() is called
after unfreezing the zone.
2023-03-01 17:26:41 +00:00
Aram Sargsyan
0eb6657c21 Merge branch 'aram/catz-add-lock-for-dns_catz_zone_t' into 'main'
Add a lock for dns_catz_zone_t

See merge request isc-projects/bind9!7633
2023-03-01 16:59:37 +00:00
Aram Sargsyan
2ae3bc6e1d Add a lock for dns_catz_zone_t
Use a lock for the catalog zones during dns__catz_zones_merge() to
avoid races between 'catz' and 'parentcatz'.
2023-03-01 15:36:36 +00:00
Aram Sargsyan
ad5b8fff05 Merge branch '3911-reconfig-zone-view-revert-bugfix' into 'main'
Fix view's zones reverting bug during reconfiguration

Closes #3911

See merge request isc-projects/bind9!7632
2023-03-01 15:35:27 +00:00
Aram Sargsyan
e1036253db Add CHANGES and release notes for [GL #3911] 2023-03-01 14:10:31 +00:00
Aram Sargsyan
84c235a4b0 Fix view's zones reverting bug during reconfiguration
During reconfiguration, the configure_view() function reverts the
configured zones to the previous view in case there is an error.

It uses the 'zones_configured' boolean variable to decide whether
it is required to revert the zones, i.e. the error happened after
all the zones were successfully configured.

The problem is that it does not account for the case when an error
happens during the configuration of one of the zones (not the first),
in which case there are zones that are already configured for the
new view (and they need to be reverted), and there are zones that
are not (starting from the failed one).

Since 'zones_configured' remains 'false', the configured zones are
not reverted.

Replace the 'zones_configured' variable with a pointer to the latest
successfully configured zone configuration element, and when reverting,
revert up to and including that zone.
2023-03-01 14:10:31 +00:00
Aram Sargsyan
93c4f382f4 Add a catz system test check for [GL #3911]
The trick is to configure a duplicate zone, which comes after the
catalog zone, where the duplicate zone is an existing member zone.

In that scenario, all the zones which come before the "faulty" zone
in the configuration file will fail to be reverted to the previous
version of the view after a reconfiguration error, and in this
particular case that will result in an assertion failure when the
catalog zone update is initiated, because it will be still tied to
the new version of the view, which was dismissed.
2023-03-01 13:47:56 +00:00
Mark Andrews
f6f525132b Merge branch '3894-emit-coverage-summary-for-the-coverage-badge' into 'main'
Resolve "Emit coverage summary for the coverage badge"

Closes #3894

See merge request isc-projects/bind9!7587
2023-02-28 22:43:14 +00:00
Mark Andrews
db7af9fcc1 Extract test coverage statistics from the gcov job
In older GitLab versions, the regular expression used for extracting
test coverage statistics from the output of GitLab CI jobs was
configured in the project's settings, using GitLab's web interface.
That changed in recent GitLab versions [1]; the previous configuration
method was removed from the web interface altogether as of GitLab 15.0.
The relevant regular expression is now supposed to be set in the
relevant job's definition in .gitlab-ci.yml.

Set the regular expression used for extracting test coverage
statistics in the definition of the "gcov" GitLab CI job.  Use the
regular expression suggested in GitLab's documentation [2].

[1] https://docs.gitlab.com/ee/update/deprecations.html#test-coverage-project-cicd-setting
[2] https://docs.gitlab.com/ee/ci/pipelines/settings.html#test-coverage-examples
2023-02-28 22:23:13 +00:00
Ondřej Surý
bf2a1b1ca0 Merge branch '3898-shutdown-then-detach' into 'main'
Decouple view->resolver and friends shutdown and detach

Closes #3898

See merge request isc-projects/bind9!7623
2023-02-28 15:32:40 +00:00
Ondřej Surý
dfd195e77c Decouple view->resolver and friends shutdown and detach
In !7538, the shutdown procedure was simplified, but the ordering was
wrong: we need to shut down the resolver, adb and requestmgr before
detaching those objects from the view, because there are cross
dependencies between at least the resolver and the adb.

Execute the shutdown(s) first; only when all three shutdowns have been
executed, detach those objects from the view.
2023-02-28 15:32:33 +00:00
Ondřej Surý
004d2a7ad0 Remove unused .loop member from dns_view
After the last round of refactoring, the .loop member of the dns_view
structure was unused; remove it.
2023-02-28 15:32:33 +00:00
Aram Sargsyan
f5669e6013 Merge branch 'aram/catz-refactor-renaming-leftovers-finish' into 'main'
Finish catalog zone 'zone' and 'zones' to 'catz' and 'catzs' renaming

See merge request isc-projects/bind9!7611
2023-02-28 15:19:05 +00:00
Aram Sargsyan
580ef2e18f Finish catalog zone 'zone' and 'zones' to 'catz' and 'catzs' renaming
There are leftovers from the previous refactoring effort, which left
some function declarations and comments in the header file unchanged.

Finish the renaming.
2023-02-28 14:43:04 +00:00
Aram Sargsyan
b9d2ba8d1b Merge branch 'aram/catz-remove-redundant-declaration' into 'main'
Remove a redundant ISC_REFCOUNT_DECL in catz.h

See merge request isc-projects/bind9!7612
2023-02-28 14:42:45 +00:00
Aram Sargsyan
a627cc9e0b Remove a redundant ISC_REFCOUNT_DECL in catz.h
The 'ISC_REFCOUNT_DECL(dns_catz_zone)' declaration was provided twice.
2023-02-28 13:53:16 +00:00
Michał Kępień
20428f4c77 Merge branch 'michal/add-a-dnsrps-enabled-build-to-regular-ci-pipelines' into 'main'
Add a DNSRPS-enabled build to regular CI pipelines

See merge request isc-projects/bind9!7601
2023-02-28 11:56:27 +00:00
Michał Kępień
a4d6f5f6fd Add a DNSRPS-enabled build to regular CI pipelines
DNSRPS-enabled builds have recently been silently broken a few times due
to that feature not being tested in regular CI pipelines.  Add the
--enable-dnsrps --enable-dnsrps-dl switches to the ./configure
invocation in one of the CI jobs run for all merge requests so that
DNSRPS-related build issues can be detected in advance.

It is important to note that this change by itself does NOT enable
actual testing of the DNSRPS feature as doing that requires a DNSRPS
provider library to be present on the test host.
2023-02-28 12:54:02 +01:00
Michał Kępień
b396f55586 (Mostly) fix building bin/tests/system/rpz/dnsrps
Building the bin/tests/system/rpz/dnsrps helper binary is currently not
possible at all as the necessary compiler and linker flag definitions
are missing from bin/tests/system/Makefile.am.  Add these as a basis for
addressing the problem.

Unfortunately, this is where the "mostly" bit mentioned in this commit's
subject line comes into play.  The dlopen() parts of DNSRPS code have
not yet been reworked to use libuv's dlopen() API (uv_dlopen() etc.)
(See commit 37b9511ce1dd9ba66a6620c5ff617016eb81188f for prior work in
this area.)  While it is certainly possible to do that, implementing
such a change without testing it in practice against a usable librpz.so
(i.e. a DNSRPS provider library) is bound to cause more trouble and
confusion than keeping the code the way it is right now.  However,
making that code buildable as-is requires linking against a C standard
library that exports the dlopen(), dlsym(), and dlclose() symbols used
by the DNSRPS dynamic loading code.  glibc 2.34+ satisfies that
requirement, but older glibc versions do not (these come with a separate
libdl shared library that would need to be linked in as well).  (Other
C standard library implementations have not been examined.)  Since the
long-term plan is to rely on libuv's dlopen() API exclusively and
detecting the shared object containing dlopen() & friends would only
pull in build system complexity for no good reason, assume for now that
the target system provides the dlopen() API in its C standard library.

This change enables the system test suite to be run for a BIND 9 build
prepared using --enable-dnsrps --enable-dnsrps-dl (on systems satisfying
the requirement explained above).  However, it is important to note that
this change by itself does NOT enable actual testing of the DNSRPS
feature as doing that requires a DNSRPS provider library to be present
on the test host.
2023-02-28 12:54:02 +01:00
Ondřej Surý
dcbc659550 Merge branch 'ondrej/implement-dns_rbtnode_t-reference-tracing' into 'main'
Implement dns_db node tracing

See merge request isc-projects/bind9!7313
2023-02-28 10:45:01 +00:00
Ondřej Surý
cd632ad31d Implement dns_db node tracing
This implements node reference tracing that passes all the internal
layers from dns_db API (and friends) to increment_reference() and
decrement_reference().

It can be enabled by #defining DNS_DB_NODETRACE in <dns/trace.h> header.

The output then looks like this:

    incr:node:check_address_records:rootns.c:409:0x7f67f5a55a40->references = 1
    decr:node:check_address_records:rootns.c:449:0x7f67f5a55a40->references = 0

    incr:nodelock:check_address_records:rootns.c:409:0x7f67f5a55a40:0x7f68304d7040->references = 1
    decr:nodelock:check_address_records:rootns.c:449:0x7f67f5a55a40:0x7f68304d7040->references = 0

There's an associated Python script to find the missing detach, located at:
https://gitlab.isc.org/isc-projects/bind9/-/snippets/1038
2023-02-28 11:44:15 +01:00
Michal Nowak
5737f7bc8f Merge branch 'mnowak/make-openbsd-allow_failure-true' into 'main'
Do not fail pipeline because of failed OpenBSD system test

See merge request isc-projects/bind9!7609
2023-02-28 10:27:17 +00:00
Michal Nowak
fc26da6d89 Do not fail pipeline because of failed OpenBSD system test
The system test on OpenBSD is unstable even when test parallelism is
disabled.
2023-02-28 11:23:14 +01:00
Michal Nowak
a9d3ec33b3 Revert "Disable OpenBSD system test parallelism in CI"
This reverts commit d73eba57bd03dce575f4cf4e42c80e1bced08bed.
2023-02-28 11:23:13 +01:00
Matthijs Mekking
36681e2c0a Merge branch '3837-cds-digest-type' into 'main'
Add cds-digest-type configuration option

Closes #3837

See merge request isc-projects/bind9!7457
2023-02-28 10:01:50 +00:00
Matthijs Mekking
78e6b8646a Test dnssec-signzone -G digests
Add test cases for the new dnssec-signzone -G option.
2023-02-28 09:38:31 +01:00
Matthijs Mekking
6c76a99c24 Require that to-be-dereferenced arguments are non-NULL
The function 'dns_dnssec_syncupdate()' is dereferencing arguments
'keys' and 'rmkeys'. There should be a REQUIRE that those are not
null pointers.
2023-02-28 09:38:31 +01:00
Matthijs Mekking
b1633b71b0 dnssec-signzone can now create multiple CDS RRs
Change the command-line option -G to take a string that determines what
sync records should be published. It is a comma-separated string with
each element being either "cdnskey", or "cds:<algorithm>", where
<algorithm> is a valid digest type. Duplicates are suppressed.
2023-02-28 09:38:31 +01:00
Matthijs Mekking
ea4130d6bd Update syncupdate() function to disable CDNSKEY
Add a new function argument so you can choose whether the CDNSKEY
record should be published or not.
2023-02-28 09:38:17 +01:00
Mark Andrews
59cd228216 Fix dns_kasp_attach / dns_kasp_detach usage
The kasp pointers in dns_zone_t should consistently be changed by
dns_kasp_attach and dns_kasp_detach so the usage is balanced.
2023-02-28 09:38:17 +01:00
Matthijs Mekking
28cde5cac2 Suppress duplicate digest types
When adding CDS digest types to the kasp structure, check for
duplicates.
2023-02-28 09:38:17 +01:00