The "mirror" system test checks whether log messages announcing a mirror
zone coming into effect are emitted properly. However, the helper
functions responsible for waiting for zone transfers and zone loading to
complete do not wait for these exact log messages, but rather for other
ones preceding them, which introduces a possibility of false positives.
This problem cannot be addressed by just changing the log message to
look for because the test still needs to discern between transferring a
zone and loading a zone.
Add two new log messages at debug level 99 (which is what named
instances used in system tests are configured with) that are to be
emitted after the log messages announcing a mirror zone coming into
effect. Tweak the aforementioned helper functions to only return once
the log messages they originally looked for are followed by the newly
added log messages. This reliably prevents races when looking for
"mirror zone is now in use" log messages and also enables a workaround
previously put into place in the "mirror" system test to be reverted.
Log a message when a mirror zone is successfully transferred and
verified, but only if no database for that zone was yet loaded at the
time the transfer was initiated.
This could have been implemented in a simpler manner, e.g. by modifying
zone_replacedb(), but (due to the calling order of the functions
involved in finalizing a zone transfer) that would cause the resulting
logs to suggest that a mirror zone comes into effect before its transfer
is finished, which would be confusing given the nature of mirror zones
and the fact that no message is logged upon successful mirror zone
verification.
Once the dns_zone_replacedb() call in axfr_finalize() is made, it
becomes impossible to determine whether the transferred zone had a
database attached before the transfer was started. Thus, that check is
instead performed when the transfer context is first created and the
result of this check is passed around in a field of the transfer context
structure. If it turns out to be desired, the relevant log message is
then emitted just before the transfer context is freed.
Taking this approach means that the log message added by this commit is
not timed precisely, i.e. mirror zone data may be used before this
message is logged. However, that can only be fixed by logging the
message inside zone_replacedb(), which causes arguably more dire issues
discussed above.
dns_zone_isloaded() is not used to double-check that transferred zone
data was correctly loaded since the 'shutdown_result' field of the zone
transfer context will not be set to ISC_R_SUCCESS unless axfr_finalize()
succeeds (and that in turn will not happen unless dns_zone_replacedb()
succeeds).
Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used. If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.
This commit reverts the previous change to use system provided
entropy, as (SYS_)getrandom is very slow on Linux because it is
a syscall.
The change introduced in this commit adds a new call isc_nonce_buf
that uses CSPRNG from cryptographic library provider to generate
secure data that can be and must be used for generating nonces.
Example usage would be DNS cookies.
The isc_random() API has been changed to use fast PRNG that is not
cryptographically secure, but runs entirely in user space. Two
contestants have been considered xoroshiro family of the functions
by Villa&Blackman and PCG by O'Neill. After a consideration the
xoshiro128starstar function has been used as uint32_t random number
provider because it is very fast and has good enough properties
for our usage pattern.
The other change introduced in the commit is the more extensive usage
of isc_random_uniform in places where the usage pattern was
isc_random() % n to prevent modulo bias. For usage patterns where
only 16 or 8 bits are needed (DNS Message ID), the isc_random()
functions has been renamed to isc_random32(), and isc_random16() and
isc_random8() functions have been introduced by &-ing the
isc_random32() output with 0xffff and 0xff. Please note that the
functions that uses stripped down bit count doesn't pass our
NIST SP 800-22 based random test.
The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.
The isc_random family of functions internally use these CSPRNG (if available):
1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library
provisioning secondary servers in which a list of
zones to be served is stored in a DNS zone and can
be propagated to slaves via AXFR/IXFR. [RT #41581]
4375. [func] Add support for automatic reallocation of isc_buffer
to isc_buffer_put* functions. [RT #42394]
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
3535. [func] Add support for setting Differentiated Services Code
Point (DSCP) values in named. Most configuration
options which take a "port" option (e.g.,
listen-on, forwarders, also-notify, masters,
notify-source, etc) can now also take a "dscp"
option specifying a code point for use with
outgoing traffic, if supported by the underlying
OS. [RT #27596]
Squashed commit of the following:
commit bce2efe66d69d60b746b85df49974ca341723169
Author: Mark Andrews <marka@isc.org>
Date: Mon Oct 29 12:59:25 2012 +1100
use 'static dns_rdata_xxxx_t xxxx'
commit 704d3c29acbf2dd350a26f2df82a57cb077ba72e
Author: Mark Andrews <marka@isc.org>
Date: Mon Oct 29 12:35:16 2012 +1100
return ISC_R_NOTFOUND if private record length does not make sense
commit 7596610c12c5685336fc0909860173d2fae359af
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 21:41:17 2012 +1100
check private->length == 5
commit 3836365a3e3e83b057bd940350f032279e080296
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 21:40:50 2012 +1100
properly set private->length
commit a295778ac53109d39ef3a8b233751100edae678b
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 21:13:30 2012 +1100
check dns_rdata_tostruct result
commit e33c37ca9112159e0b2363615bb018d27fa7d1a5
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 21:10:43 2012 +1100
check remove/fopen/chmod return values
commit 3a675e0666aae25d1c51f51ec7bd3fbe25545aae
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:59:10 2012 +1100
check isc_socket_accept result
commit 696923344f4b07ce0dba4cf2675b1cbb6eba7e8e
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:55:40 2012 +1100
change variable scopes
commit b9e9d9ad58270271003e463f10744e0ceaf9ad97
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:53:19 2012 +1100
check inet_pton return value
commit 70698e9589da77e3745efb6ea24b8830addd6ae4
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:52:40 2012 +1100
break -> /* NOTREACHED */
commit 88de9de2e8e201ab2fef16a868f241e8206ea826
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:52:06 2012 +1100
strcpy -> strlcpy
commit 6ba79c7cec0e48014cdfa76e8a9406b7a921556e
Author: Mark Andrews <marka@isc.org>
Date: Sat Oct 27 20:51:26 2012 +1100
check dns_rdata_tostruct return values
