mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Commit Graph

31783 Commits

Author SHA1 Message Date
Michał Kępień
d27f96cc98 Ensure server-specific "edns-udp-size" is obeyed
If "edns-udp-size" is set in a "server" block matching the queried
server, it is accounted for in the process of determining the advertised
UDP buffer size, but its value may still be overridden before the query
is sent.  This behavior contradicts the ARM which claims that when set,
the server-specific "edns-udp-size" value is used for all EDNS queries
sent to a given server.

Furthermore, calling dns_peer_getudpsize() with the "udpsize" variable
as an argument makes the code hard to follow as that call may either
update the value of "udpsize" or leave it untouched.

Ensure the code matches the documentation by moving the
dns_peer_getudpsize() call below all other blocks of code potentially
affecting the advertised UDP buffer size, which is where it was located
when server-specific "edns-udp-size" support was first implemented [1].
Improve code readability by calling dns_peer_getudpsize() with a helper
variable instead of "udpsize".

[1] see commit 1c153afce5
2020-05-25 14:34:56 +02:00
Michał Kępień
d7583e7926 Restore semantic meaning of DNS_FETCHOPT_EDNS512
When the DNS_FETCHOPT_EDNS512 flag was first introduced [1], it enforced
advertising a 512-byte UDP buffer size in an outgoing query.  Ever since
EDNS processing code got updated [2], that flag has still been set upon
detection of certain query timeout patterns, but it has no longer been
affecting the calculations of the advertised UDP buffer size in outgoing
queries.  Restore original semantic meaning of DNS_FETCHOPT_EDNS512 by
ensuring the advertised UDP buffer size is set to 512 bytes when that
flag is set.  Update existing comments and add new ones to improve code
readability.

[1] see commit 08c9026166
[2] see commit 8e15d5eb3a
2020-05-25 14:34:56 +02:00
Michał Kępień
949d9a3ea4 Remove fctx->reason and a misleading log message
The following message:

    success resolving '<name>' (in '<domain>'?) after reducing the advertised EDNS UDP packet size to 512 octets

can currently be logged even if the EDNS UDP buffer size advertised in
queries sent to a given server had already been set to 512 octets before
the fetch context was created (e.g. due to the server responding
intermittently).  In other words, this log message may be misleading as
lowering the advertised EDNS UDP buffer size may not be the actual cause
of <name> being successfully resolved.  Remove the log message in
question to prevent confusion.

As this log message is the only existing user of the "reason" field in
struct fetchctx, remove that field as well, along with all the code
related to it.
2020-05-25 14:34:56 +02:00
Mark Andrews
bb1ec1f6a1 Merge branch '1861-named_checknames_get-missing-dbc' into 'master'
Resolve "named_checknames_get missing DBC"

Closes #1861

See merge request isc-projects/bind9!3567
2020-05-25 01:46:22 +00:00
Mark Andrews
20c07da49b Add DBC checks to named_checknames_get 2020-05-25 11:09:56 +10:00
Mark Andrews
ac9e266749 Set obj to NULL so INSIST makes sense 2020-05-25 11:09:56 +10:00
Michal Nowak
6f576b2c18 Merge branch 'mnowak/automake-unit-tests' into 'master'
Provide unit test driver

Closes #1722

See merge request isc-projects/bind9!3554
2020-05-21 10:15:18 +00:00
Michal Nowak
bfa6ecb796 Provide unit test driver
This adds a unit test driver for BIND with Automake.  It runs the unit
test program provided as its sole command line argument and then looks
for a core dump generated by that test program.  If one is found, the
driver prints the backtrace into the test log.
2020-05-21 12:13:01 +02:00
Michał Kępień
ea5515d292 Merge branch 'michal/do-not-install-python-packages-in-gitlab-ci-jobs' into 'master'
Do not install Python packages in GitLab CI jobs

See merge request isc-projects/bind9!3555
2020-05-21 09:36:47 +00:00
Michał Kępień
d5562a3e7e Add py.test-3 to the list of tested pytest names
Some operating systems (e.g. CentOS, OpenBSD) install the main pytest
script as "py.test-3".  Add that name to the list of names passed to
AC_PATH_PROGS() in order for pytest to be properly detected on a broader
range of operating systems.
2020-05-21 11:33:11 +02:00
Michał Kępień
5562c38ffb Do not use f-strings in Python system tests
Use str.format() instead of f-strings in Python system tests to enable
them to work on Python 3 versions older than 3.6 as the latter is not
available on some operating systems used in GitLab CI that are still
actively supported (CentOS 6, Debian 9, Ubuntu 16.04).
2020-05-21 11:33:11 +02:00
Michał Kępień
62b8a5e59d Do not install doc build tools in GitLab CI jobs
As documentation building utilities are now all included in operating
system images used in GitLab CI, do not install them in each "docs" CI
job any more.
2020-05-21 11:33:11 +02:00
Michał Kępień
e3c217296d Do not install Python packages in GitLab CI jobs
As Python QA tools, BIND system test prerequisites, and documentation
building utilities are now all included in operating system images used
in GitLab CI, do not use pip for installing them in each CI job any
more.
2020-05-21 11:33:11 +02:00
Michał Kępień
622ec2b240 Merge branch 'michal/update-release-checklist' into 'master'
Update release checklist

See merge request isc-projects/bind9!3566
2020-05-21 07:15:10 +00:00
Michał Kępień
da6a4bec21 Update release checklist
  - First merge release branches to maintenance branches, then push
    tags.  If tags are pushed first and a given set of releases contains
    security fixes, the push will be rejected by a server-side Git hook.

  - Update ABI check job name.

  - Add an item for updating QA tools used in GitLab CI after each
    public release.
2020-05-21 09:14:27 +02:00
Mark Andrews
0a87413c2a Merge branch '1854-extend-loop-limit-by-1' into 'master'
Resolve "Extend loop limit by 1."

Closes #1854

See merge request isc-projects/bind9!3548
2020-05-21 00:28:45 +00:00
Mark Andrews
3012e1ad9b Extend loop count by 1 to account for non-exact timing in usleep(). 2020-05-21 10:00:13 +10:00
Witold Krecicki
d003949cdb Merge branch '1859-deadlock-in-socket-c' into 'master'
Fix possible deadlock in unix/socket.c

Closes #1859

See merge request isc-projects/bind9!3561
2020-05-20 08:32:02 +00:00
Witold Kręcicki
0eec2594b9 Fix possible deadlock in unix/socket.c
In process_fd we lock sock->lock and then internal_accept locks mgr->lock,
in isc_sockmgr_render* functions we lock mgr->lock and then lock sock->lock,
that can cause a deadlock when accessing stats. Unlock sock->lock early in
all the internal_{send,recv,connect,accept} functions instead of late
in process_fd.
2020-05-20 09:57:25 +02:00
Michał Kępień
25b4280161 Merge branch 'may-2020-cve-fixes' into 'master'
[CVE-2020-8616] [CVE-2020-8617] May 2020 CVE fixes

Closes #1703 and #1388

See merge request isc-projects/bind9!3562
2020-05-19 11:53:08 +00:00
Mark Andrews
f533a73d99 Merge branch '1388-confidential-issue' into 'security-master'
1388 confidential issue

See merge request isc-private/bind9!135
2020-05-19 12:32:32 +02:00
Mark Andrews
7ea45838a9 Add release notes entry 2020-05-19 12:32:31 +02:00
Mark Andrews
83965f70df Add CHANGES entry 2020-05-19 12:31:29 +02:00
Mark Andrews
9b90a01d75 Update the ARM to reflect that TLD and root servers are no longer exempt
from max-recursion-queries limits.
2020-05-19 12:31:28 +02:00
Mark Andrews
e7abb07030 Merge branch '1703-tsig-verify-failure' into security-master 2020-05-19 12:30:29 +02:00
Mark Andrews
266faa3399 Count queries to the root and TLD servers as well 2020-05-19 12:30:29 +02:00
Stephen Morris
19eda751b4 Add test for reduction in number of fetches
Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the numbers
are successfully limited.
2020-05-19 12:30:29 +02:00
Mark Andrews
3ee5ea2fdb Reduce the number of fetches we make when looking up addresses
If there are more than 5 NS records for a zone only perform a
maximum of 4 address lookups for all the name servers.  This
limits the amount of remote lookups performed for server
addresses at each level for a given query.
2020-05-19 12:30:29 +02:00
Mark Andrews
2a020ea970 Add release note entry 2020-05-19 12:30:28 +02:00
Mark Andrews
52b4395a0c Add CHANGES entry 2020-05-19 12:29:21 +02:00
Mark Andrews
2d95c81452 Only look at tsig.error in responses 2020-05-19 12:29:21 +02:00
Mark Andrews
cb61e1dd1d Check that a 'BADTIME' response with 'QR=0' is handled as a request 2020-05-19 12:29:21 +02:00
Mark Andrews
a53bc0b28b Merge branch '1856-race-in-clear-signing-records-in-dnssec-system-test' into 'master'
Resolve "Race in 'clear signing records' in dnssec system test."

Closes #1856

See merge request isc-projects/bind9!3557
2020-05-19 03:33:53 +00:00
Mark Andrews
3405ee9eb2 Add CHANGES 2020-05-19 13:33:09 +10:00
Mark Andrews
353018c0e5 Address race in dnssec system test. 'clear signing records' can fail
as the update triggered by the rndc command to clear the signing records
may not have completed by the time the subsequent rndc command to test
that the records have been removed is commenced.  Loop several times to
prevent false negative.
2020-05-19 10:09:51 +10:00
Mark Andrews
bd0ac6ef75 Merge branch '1855-check-max-journal-size-limits-failed-as-not-enough-time-allowed' into 'master'
Resolve ""check max-journal-size limits" failed as not enough time allowed"

Closes #1855

See merge request isc-projects/bind9!3551
2020-05-18 14:10:56 +00:00
Mark Andrews
aaacf3ef45 Add CHANGES 2020-05-18 23:34:13 +10:00
Mark Andrews
0c2f0e02f2 Wait longer (up to 20 secs) for journal to be truncated 2020-05-18 23:34:13 +10:00
Michał Kępień
cda220fff3 Merge branch 'michal/misc-cppcheck-tweaks' into 'master'
Miscellaneous cppcheck tweaks

See merge request isc-projects/bind9!3541
2020-05-18 08:28:26 +00:00
Michał Kępień
481fa34e50 Work around cppcheck 2.0 uninitvar false positives
cppcheck 2.0 reports false positives about uninitialized variables in a
lot of places throughout BIND source code, e.g.:

    bin/dnssec/dnssec-cds.c:283:6: error: Uninitialized variable: length [uninitvar]
     if (isc_buffer_availablelength(&buf) <= len) {
         ^

Apparently cppcheck 2.0 has issues with processing (&var)->field syntax,
which is what the macros from lib/isc/include/isc/buffer.h are evaluated
to.  This issue was reported upstream [1] and will hopefully be
addressed in a future cppcheck release.

In the meantime, to avoid modifying BIND source code in multiple places
just because of a static checker false positive, work around the issue
by adding intermediate variables to buffer macro definitions using a sed
invocation in the cppcheck job script.

[1] https://sourceforge.net/p/cppcheck/discussion/general/thread/122153e3c1/
2020-05-18 10:23:06 +02:00
Michał Kępień
3b48eec79f Make GCC version extraction work with GCC 10
Add whitespace to the regular expression used for extracting the GCC
version from "gcc --version" output so that it works properly with
multi-digit major version numbers.
2020-05-18 10:23:06 +02:00
Michał Kępień
cb2037ee9d Ensure cppcheck creates a HTML report upon failure
Commit ec72d1100d broke the cppcheck job
in GitLab CI: when cppcheck fails, the script is immediately
interrupted, preventing cppcheck-htmlreport from being run.  To ensure
the HTML report is generated when cppcheck fails, revert to invoking
cppcheck-htmlreport in the "after_script" part of the job.
2020-05-18 10:23:06 +02:00
Mark Andrews
f07a714565 Merge branch '1852-race-in-autosign-system-test' into 'master'
Resolve "race in autosign system test."

Closes #1852

See merge request isc-projects/bind9!3546
2020-05-18 05:56:33 +00:00
Mark Andrews
07e335138b Add CHANGES 2020-05-18 15:17:42 +10:00
Mark Andrews
46c4e5d96f Retry checks that records are present and signed
There is a race between when the delta is logged and when the
server returns signed records.  Retry the queries if the
lookups fail to meet expectations.
2020-05-18 12:19:16 +10:00
Evan Hunt
d298aa3bd4 Merge branch 'each-move-wiretest' into 'master'
move wire_test

See merge request isc-projects/bind9!3544
2020-05-18 00:30:17 +00:00
Evan Hunt
93d63cd923 incidental fix: reduce a long timeout in dnstap test
the dnstap test was pausing for 20 seconds to search for a string in
named.run, which only appears if named is built with --enable-developer or
--enable-querytrace.
2020-05-15 13:19:33 -07:00
Evan Hunt
e45be9d134 move wire_test back to bin/tests, no longer dependent on dnstap
wire_test is not only used by the dnstap system test, but also in
fuzz testing. it doesn't need to be installed, but it's useful to have it
built when BIND is.  this commit moves it back from bin/tests/system to
bin/tests, as a noinst_PROGRAM so that it's built by "make all" but
not installed.
2020-05-15 13:19:28 -07:00
Michal Nowak
89d7d9aff7 Merge branch 'mnowak/abi-check-artifacts' into 'master'
Collect TXT and HTML reports produced by ABI checker

See merge request isc-projects/bind9!3501
2020-05-15 09:28:42 +00:00
Michal Nowak
b5ccf95b0a Collect TXT and HTML reports produced by ABI checker
Although in util/api-checker.sh we create textual reports, we don't
preserve them in job artifacts, but we should.

We don't want to keep all HTML pages present in the project root, but
just those produced by ABI checker.
2020-05-15 11:26:27 +02:00