2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

7051 Commits

Author SHA1 Message Date
Mark Andrews
8ef23f9fb0 the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata 2018-07-10 03:20:21 -04:00
Witold Kręcicki
7f60bb39df Don't synthesize NXDOMAIN from NSEC for records under a DNAME 2018-07-10 03:20:21 -04:00
Tinderbox User
b65d19f9fd prep 9.13.2 2018-07-03 07:40:29 +00:00
Michał Kępień
b2f65ddbf0 Remove dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks
Since BIND libraries are no longer considered public and
dns_rdataslab_tordataset() is not used anywhere in the tree, remove the
latter and its associated dns_rdatasetmethods_t callbacks from
lib/dns/rdataslab.c.
2018-07-03 08:44:05 +02:00
Evan Hunt
b529de9109 add missing symbols 2018-06-28 08:38:22 -07:00
Michał Kępień
8d996fd79c Fall back to normal recursion when mirror zone data is unavailable
If transferring or loading a mirror zone fails, resolution should still
succeed by means of falling back to regular recursive queries.
Currently, though, if a slave zone is present in the zone table and not
loaded, a SERVFAIL response is generated.  Thus, mirror zones need
special handling in this regard.

Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
domain name is looked up rather than a zone itself.  Handle that flag in
dns_zt_find() in such a way that a mirror zone which is expired or not
yet loaded is ignored when looking up domain names, but still possible
to find when the caller wants to know whether the zone is configured.
This causes a fallback to recursion when mirror zone data is unavailable
without making unloaded mirror zones invisible to code checking a zone's
existence.
2018-06-28 13:38:39 +02:00
Michał Kępień
e3160b27f7 Ensure responses sourced from mirror zones have the AD bit set
Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.
2018-06-28 13:38:39 +02:00
Michał Kępień
befd429434 Verify mirror zone files loaded from disk
Verify data read from mirror zone files before it is used in order to
prevent loading corrupt mirror zones from disk.
2018-06-28 13:38:39 +02:00
Michał Kępień
6439a76c6d Verify mirror zone IXFRs
Update ixfr_commit() so that all incoming versions of a mirror zone
transferred using IXFR are verified before being used.
2018-06-28 13:38:39 +02:00
Michał Kępień
d86f1d00ad Verify mirror zone AXFRs
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used.  If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
2018-06-28 13:38:39 +02:00
Michał Kępień
eaf1c0f6eb Add dns_zone_verifydb()
Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key.  Define
a new libdns result signifying a zone verification failure.
2018-06-28 13:38:39 +02:00
Michał Kępień
fc3dd703d8 Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor
Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure.  Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.
2018-06-28 13:38:39 +02:00
Michał Kępień
49201f10cb Add new "mirror" slave zone option
Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone.  This commit does not
introduce any behavior changes yet.
2018-06-28 13:38:39 +02:00
Witold Kręcicki
b1254430df Fallback to normal procedure if creating of ixfr-from-differences fails 2018-06-27 17:32:17 -07:00
Witold Kręcicki
0db7130f2b Fix some issues with large journal entries 2018-06-27 16:04:06 +02:00
Mukund Sivaraman
6a756ab654 Patch in trailing nul character to print just the length label (for various cases below) 2018-06-25 17:18:36 +10:00
Mark Andrews
3ba1d1e43b fix casecompare return type for ninfo, tkey, txt 2018-06-24 22:48:59 -04:00
Mark Andrews
25d693f0c1 add zoneverify.c and zoneverify.h to libdns.vcxproj.filters.in and libdns.vcxproj.in 2018-06-22 06:29:11 -04:00
Evan Hunt
ad94787cca prepare 9.13.1 release 2018-06-21 12:31:33 +02:00
Michał Kępień
8649c59a75 Fix coding style issues in lib/dns/zoneverify.c 2018-06-15 10:40:59 +02:00
Michał Kępień
c094d1e4f3 Constify function arguments throughout lib/dns/zoneverify.c
Where possible, apply the const qualifier to arguments of functions
present in lib/dns/zoneverify.c.
2018-06-15 10:40:59 +02:00
Michał Kępień
24bca1c4b4 Propagate dns_zoneverify_dnssec() errors to callers
Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
verification failures should be signalled to callers.  Make
dns_zoneverify_dnssec() return an isc_result_t and handle both success
and error appropriately in bin/dnssec/dnssec-signzone.c and
bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
shutdown of these tools and causes dnssec-signzone to print signing
statistics even when zone verification fails.
2018-06-15 10:40:59 +02:00
Michał Kępień
a7ae615743 Remove fatal() and check_result() from lib/dns/zoneverify.c
Since no function in lib/dns/zoneverify.c uses fatal() or check_result()
any more, remove them.
2018-06-15 10:34:38 +02:00
Michał Kępień
5609472fbe Replace remaining fprintf() calls with zoneverify_*() calls
Replace all fprintf() calls inside lib/dns/zoneverify.c, but outside of
zoneverify_log_error() and zoneverify_print() with calls to these
functions.
2018-06-15 10:34:38 +02:00
Michał Kępień
11a552a614 Properly handle record_found() errors
record_found() returns an isc_result_t, but its value is not checked.
Modify the only call site of record_found() so that its errors are
properly handled.
2018-06-15 10:34:38 +02:00
Michał Kępień
5ac14cb753 Do not call exit() upon dns_zoneverify_dnssec() errors
Replace the remaining fatal() calls inside dns_zoneverify_dnssec() with
zoneverify_log_error() and zoneverify_print() calls, ensuring proper
cleanup.
2018-06-15 10:36:47 +02:00
Michał Kępień
bf65f72934 Do not call exit() upon record_nsec3() errors
Replace the fprintf() call inside record_nsec3() with a
zoneverify_log_error() call.  Remove the "mctx" argument of
record_nsec3() as it can be extracted from "vctx".

Modify one of the record_nsec3() call sites so that its errors are
properly handled.
2018-06-15 10:34:38 +02:00
Michał Kępień
0d07de9228 Do not call exit() upon match_nsec3() errors
Make match_nsec3() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value.  Replace all check_result() and fprintf() calls inside
match_nsec3() with zoneverify_log_error() calls and error handling code.

Modify all call sites of match_nsec3() so that its errors are properly
handled.
2018-06-15 10:36:40 +02:00
Michał Kępień
0ed3a2b269 Do not call exit() upon isoptout() errors
Replace all check_result() calls inside isoptout() with
zoneverify_log_error() calls and error handling code.  Enable isoptout()
to signal errors to the caller using its return value.

Modify the call site of isoptout() so that its errors are properly
handled.
2018-06-15 10:36:33 +02:00
Michał Kępień
c76fcdd2a2 Do not call exit() upon NSEC3 verification errors
Make verifynsec3(), verifynsec3s(), and verifyemptynodes() return the
verification result through a separate pointer, thus making it possible
to signal errors using function return values.  Replace all
check_result() and fprintf() calls inside these functions with
zoneverify_log_error() calls and error handling code.

Modify all call sites of verifynsec3(), verifynsec3s(), and
verifyemptynodes() so that their errors are properly handled.
2018-06-15 10:36:25 +02:00
Michał Kępień
8448691159 Do not call exit() upon verifynsec() errors
Make verifynsec() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value.  Replace all check_result() and fprintf() calls inside
verifynsec() with zoneverify_log_error() calls and error handling code.

Modify the call site of verifynsec() so that its errors are properly
handled.

Rename "tresult" to "tvresult" in order to improve variable naming
consistency between functions.
2018-06-15 10:36:18 +02:00
Michał Kępień
0ed9ec49ed Do not call exit() upon check_no_rrsig() errors
Replace all check_result() and fprintf() calls inside check_no_rrsig()
with zoneverify_log_error() calls and error handling code.  Enable
check_no_rrsig() to signal errors to the caller using its return
value.

Modify the call site of check_no_rrsig() so that its errors are properly
handled.

Define buffer size using a named constant rather than a plain integer.
2018-06-15 10:36:14 +02:00
Michał Kępień
30e837f31a Do not call exit() upon verifyset() errors
Replace all check_result() and fprintf() calls inside verifyset() with
zoneverify_log_error() calls and error handling code.  Enable
verifyset() to signal errors to the caller using its return value.

Modify the call site of verifyset() so that its errors are properly
handled.

Define buffer sizes using named constants rather than plain integers.
2018-06-15 10:36:06 +02:00
Michał Kępień
d782fcc638 Do not call exit() upon verifynode() errors
Make verifynode() return the verification result through a separate
pointer, thus making it possible to signal errors using function
return value.  Replace all fatal() and check_result() calls inside
verifynode() with zoneverify_log_error() calls and error handling code.
Add a REQUIRE assertion to emphasize verifynode() may be called with
some of its arguments set to NULL.

Modify all call sites of verifynode() so that its errors are properly
handled.
2018-06-15 10:35:55 +02:00
Michał Kępień
7a996f0c0d Do not call exit() upon is_empty() errors
Replace the check_result() call inside is_empty() with a
zoneverify_log_error() call and error handling code.  Enable is_empty()
to signal errors to the caller using its return value.

Modify the call site of is_empty() so that its errors are properly
handled.
2018-06-15 10:35:49 +02:00
Michał Kępień
04038baf1a Do not call exit() upon check_no_nsec() errors
Replace the fatal() call inside check_no_nsec() with a
zoneverify_log_error() call.  Enable check_no_nsec() to signal errors to
the caller using its return value.

Modify all call sites of check_no_nsec() so that its errors are properly
handled.
2018-06-15 10:35:45 +02:00
Michał Kępień
4354f44d9c Do not call exit() upon verify_nodes() errors
Replace all fatal(), check_result(), and check_dns_dbiterator_current()
calls inside verify_nodes() with zoneverify_log_error() calls and error
handling code.  Enable verify_nodes() to signal errors to the caller
using its return value.

Modify the call site of verify_nodes() so that its errors are properly
handled.

Free all heap elements upon verification context cleanup as a
verification error may prevent them from being freed elsewhere.

Remove the check_dns_dbiterator_current() macro as it is no longer used
anywhere in lib/dns/zoneverify.c.
2018-06-15 10:35:40 +02:00
Michał Kępień
00ecbad2d0 Do not call exit() upon check_bad_algorithms() errors
Replace all fatal() and fprintf() calls inside check_bad_algorithms()
with zoneverify_print() calls and error handling code.  Enable
check_bad_algorithms() to signal errors to the caller using its return
value.

Modify the call site of check_bad_algorithms() so that its errors are
properly handled.
2018-06-15 10:35:25 +02:00
Michał Kępień
7c3f653112 Do not call exit() upon check_dnskey() errors
Replace all fatal() and check_result() calls inside check_dnskey() with
zoneverify_log_error() calls and error handling code.  Enable
check_dnskey() to signal errors to the caller using its return value.

Modify the call site of check_dnskey() so that its errors are properly
handled.
2018-06-15 10:35:10 +02:00
Michał Kępień
1a6525ffa2 Do not call exit() upon check_apex_rrsets() errors
Replace all fatal() calls inside check_apex_rrsets() with
zoneverify_log_error() calls and error handling code.  Enable
check_apex_rrsets() to signal errors to the caller using its return
value.

Modify the call site of check_apex_rrsets() so that its errors are
properly handled.
2018-06-15 10:34:38 +02:00
Michał Kępień
ee06182057 Use RUNTIME_CHECK instead of check_result() where it is safe to do so
Replace calls to check_result() with RUNTIME_CHECK assertions for all
dns_rdata_tostruct() calls in lib/dns/zoneverify.c as this function
cannot fail when the "mctx" argument is NULL (and that is the case for
all call sites of this function throughout lib/dns/zoneverify.c).
2018-06-15 10:16:41 +02:00
Michał Kępień
fc6b5ad585 Extract print_summary() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for printing a
summary for a fully signed zone to a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
b3d2ab442c Extract check_bad_algorithms() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for checking
whether the zone is fully signed using all active algorithms to a
separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
eb17957c3d Extract verify_nodes() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for verifying
DNSSEC signatures against the DNSKEY RRset at zone apex and checking
consistency of NSEC/NSEC3 chains to a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
dc81d8cb67 Extract determine_active_algorithms() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for determining
and printing a list of DNSSEC algorithms active in the verified zone to
a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
f06a755dd2 Extract check_dnskey_sigs() from check_dnskey()
Extract the part of check_dnskey() responsible for determining active
algorithms in the verified zone based on the signatures at zone apex to
a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
d4f3b14c78 Extract check_dnskey() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for checking the
DNSKEY RRset at zone apex to a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
097b57744a Extract check_apex_rrsets() from dns_zoneverify_dnssec()
Extract the part of dns_zoneverify_dnssec() responsible for fetching and
preliminarily checking DNSKEY, SOA, NSEC, and NSEC3PARAM RRsets from
zone apex to a separate function.
2018-06-15 10:10:24 +02:00
Michał Kępień
d949a5d83c Implement zoneverify_log_error() and zoneverify_print()
These functions will be used in the process of replacing fatal(),
check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
code that does not call exit().  They are intended for:

  - zoneverify_log_error(): logging problems encountered while
    performing zone verification,

  - zoneverify_print(): printing status messages and reports which are
    only useful in standalone tools.

To make using dns_zone_logv() possible, add a new "zone" argument to
dns_zoneverify_dnssec() that standalone tools are expected to set to
NULL.
2018-06-15 10:10:24 +02:00
Michał Kępień
730cc3e3c5 Move algorithm tables to the verification context structure
Tables representing algorithm use in the verified zone are commonly
accessed throughout dns_zoneverify_dnssec().  Move them into the
structure representing a verification context.  While this does not
really simplify currently existing code, it will facilitate passing data
around between smaller functions that dns_zoneverify_dnssec() is about
to get split into.
2018-06-15 10:10:24 +02:00