when a requested name is found in the QP trie during a lookup, but its
records have been marked as nonexistent by a previous deletion, then
it's treated as a partial match, but the foundname could be left
pointing to the original qname rather than the parent. this could
lead to an assertion failure in query_findclosestnsec3().
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response. minlabels is the suffix length that corresponds
to the longest found existing name.
(cherry picked from commit 67f31c504679dfcd9f1231037afa56da01e40d36)
Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID 468706, 468708, 468741, 468742, 468785, and 468778.
Cleanup dns_zone_setxfrsource4 et al to now return void.
Remove double copies with dns_zone_getprimaryaddr and dns_zone_getsourceaddr.
Closes #4933
Backport of MR !9485
Merge branch 'backport-4933-add-missing-locks-when-returning-addresses-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10259
Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID
468706, 468708, 468741, 468742, 468785 and 468778.
Cleanup dns_zone_setxfrsource4 et al to now return void.
Remove double copies with dns_zone_getprimaryaddr and dns_zone_getsourceaddr.
(cherry picked from commit d0a59277fb13023d3aff5c1d4d91506a850365ee)
The `I:checking that lifting the limit will allow everything to get
cached (20)` test was failing due to the TTL of the records being
too short for the elapsed time of the test. Raise the TTL to fix
this and adjust other tests as needed.
Closes #5206
Backport of MR !10177
Merge branch 'backport-5206-tune-last-sub-test-of-reclimit-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10249
The 'I:checking that lifting the limit will allow everything to get
cached (20)' test was failing due to the TTL of the records being
too short for the elapsed time of the test. Raise the TTL to fix
this and adjust other tests as needed.
(cherry picked from commit 1a58bd211357ccd366b70e51d3cadaa7fc5aad15)
The `step()` function (used for stepping to the predecessor or successor of a database node) could overlook a node if there was an rdataset that was marked IGNORE because it had been rolled back, covering an active rdataset under it.
Closes #5170
Backport of MR !10103
Merge branch 'backport-5170-step-ignores-rollback-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10257
the db_test unit test now looks up an empty nonterminal node
to exercise the behavior of the step() function in qpzone.
(cherry picked from commit ecde0ea2d719153c84fca19eaeeeeb6a01c10c1a)
check that a database rollback works and the correct
(original) data is found on lookup.
(cherry picked from commit 7d98aba3ac9189b88d54ac0a690e625d27950e1a)
the step() function (used for stepping to the predecessor or
successor of a database node) could overlook a node because
there was an rdataset marked IGNORE because it had been rolled
back, covering an active rdataset under it.
(cherry picked from commit 24eaff7adc30c3cde22c5926369c3729ad12ae15)
When a key is revoked, its key ID changes due to the inclusion of the "revoked" flag. A collision between this changed key ID
and an unrelated public-only key could cause a crash in `dnssec-signzone`.
Closes #5231
Backport of MR !10233
Merge branch 'backport-5231-fix-keyid-collision-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10256
when a key is revoked its key ID changes, due to the inclusion
of the "revoke" flag. a collision between this changed key ID and
that of an unrelated public-only key could cause a crash in
dnssec-signzone.
(cherry picked from commit 9cfe9f5eb787f6c42eee87fc79f5fd38218090c4)
Dig +showbadvers now displays the received BADVERS message and
continues the EDNS version negotiation. Previously, to see the
BADVERS message, +noednsneg had to be specified, which terminated the
EDNS negotiation. Additionally, the specified EDNS value (+edns=value)
is now used when making all the initial queries with +trace, i.e. EDNS
version negotiation will be performed with each server when performing
the trace.
Closes #5234
Backport of MR !10234
Merge branch 'backport-5234-have-dig-display-the-badvers-message-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10247
Add "+showbadvers" to display the BADVERS response similarly
to "+showbadcookie". Additionally reset the EDNS version to
the requested version in "dig +trace" so that EDNS version
negotiation can be tested at all levels of the trace rather
than just when requesting the root nameservers.
(cherry picked from commit 6c271f63281ca2263ebbd7ad7f6788bc4449d279)
Support was added for EDE code 20 (Not Authoritative) when the client requests recursion (RD) but the server has recursion disabled.
RFC 8914 mentions that EDE 20 should also be returned if the client doesn't have the RD bit set (and recursion is needed), but it doesn't apply to
BIND as BIND would try to resolve from the "deepest" referral in the AUTHORITY section. For example, if the client asks for "www.isc.org/A" but the server only knows the root domain, it will return NOERROR but no answer for "www.isc.org/A", just the list of other servers to ask.
See #1836
Backport of MR !10228
Merge branch 'backport-1836-not-authoritative-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10243
Extended DNS Error message EDE 20 (Not Authoritative) is now sent when
the client requests recursion (RD) but the server has recursion disabled.
RFC 8914 mentions that EDE 20 should also be returned if the client doesn't
have the RD bit set (and recursion is needed), but it doesn't apply to
BIND as BIND would try to resolve from the "deepest" referral in the
AUTHORITY section. For example, if the client asks for "www.isc.org/A"
but the server only knows the root domain, it will return NOERROR but
no answer for "www.isc.org/A", just the list of other servers to ask.
(cherry picked from commit 24ffbdcfea32b7f3c3feceba23cfc4bf474a1fa3)
Support was added for EDE codes 7 (Signature Expired) and 8 (Signature Not Yet Valid) which might occur during DNSSEC validation.
See #2715
Backport of MR !10225
Merge branch 'backport-2715-expired-future-keys-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10242
Add DNSSEC system tests to cover extended DNS error 7 (Signature
Expired) and 8 (Signature Not Yet Valid).
(cherry picked from commit e763d6637f54fcd079f4ab17120c0c53aa4adecc)
Extended DNS Error messages EDE 7 (expired key) and EDE 8 (validity
period of the key not yet started) are now sent in case of such DNSSEC
validation failures.
Refactor the existing validator extended error APIs in order to make it
easy to have consistent extra info (with domain/type) in the various
use cases (i.e. when the EDE depends on validator state,
validate_extendederror, or when the EDE doesn't depend on any state but
can be called directly in a specific flow).
(cherry picked from commit 334ea1269fc04b764be8e8ebf33d8c9c0036026c)
Closes #5229
Backport of MR !10238
Merge branch 'backport-5229-ksr-system-test-can-fail-on-key-collision-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10240
When generating new key pairs, one test checks if existing keys that
match the time bundle are selected, rather than extra keys being
generated. Part of the test is to check the verbose output, counting
the number of "Selecting" and "Generating" occurrences. But if there
is a key collision, the ksr tool will output that the key already
exists and includes the substring "already exists, or might collide
with another key upon revokation. Generating a new key".
So subtract one from the generated counter if there is a "collide"
occurrence.
(cherry picked from commit 8b3d2e5633183205fda5121329caf35e71200167)
Acquire the database reference in detachnode() to prevent the last
reference from being released while the NODE_LOCK is locked. The NODE_LOCK
is locked/unlocked inside the RCU critical section, so most probably
this should not pose a problem as the database uses call_rcu
memory reclamation, but it is still safer to acquire the reference
before releasing the node.
Closes #5194
Backport of MR !10155
Merge branch 'backport-5194-fix-assertion-failure-while-reference-counting-qpdb-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10156
Acquire the database reference in detachnode() to prevent the last
reference from being released while the NODE_LOCK is locked. The NODE_LOCK
is locked/unlocked inside the RCU critical section, so most probably
this should not pose a problem as the database uses call_rcu
memory reclamation, but it is still safer to acquire the reference
before releasing the node.
(cherry picked from commit d1ef6a93c112137ab0682afb9a3240d47285d408)
The text about stale-cache-enable being set to no refers to
max-stale-ttl, not max-cache-ttl.
Closes #5181
Backport of MR !10108
Merge branch 'backport-5181-max-stale-ttl-typo-arm-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10115
The text about stale-cache-enable being set to no refers to
max-stale-ttl, not max-cache-ttl.
(cherry picked from commit b017d9fe6715c8eee3a0344395c81136d4dde8c8)
This reverts commit 67255da4b376f65138b299dcd5eb6a3b7f9735a9, reversing
changes made to 74c9ff384e695d1b27fa365d1fee84576f869d4c.
Closes #5169
Backport of MR !10224
Merge branch 'backport-5169-revert-qpzone-delete-dead-nodes-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10226
This reverts commit 67255da4b376f65138b299dcd5eb6a3b7f9735a9, reversing
changes made to 74c9ff384e695d1b27fa365d1fee84576f869d4c.
(cherry picked from commit 1e4695510aee2d27bf6f5f14dc8564357d737aa3)
When `dns_remote_done()` is true, calling `dns_remote_curraddr()` asserts.
Add a `dns_remote_curraddr()` check before calling `dns_remote_curraddr()`.
Closes #5215
Backport of MR !10222
Merge branch 'backport-5215-assert-in-dns_remote_curraddr-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10223
When dns_remote_done() is true, calling dns_remote_curraddr() asserts.
Add a dns_remote_curraddr() check before calling dns_remote_curraddr().
(cherry picked from commit 6cd9e4f67c48ce9178600aba7fe91266b914e713)
ZONEMD digests RRSIG records and potentially digests SIG records. Add digest
methods for both record types.
Closes #5219
Backport of MR !10217
Merge branch 'backport-5219-add-digest-methods-for-sig-and-rrsig-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10218
ZONEMD needs to be able to digest SIG and RRSIG records. The signer
field can be compressed in SIG, so we need to call dns_name_digest().
While for RRSIG records the signer field is not compressed, the
canonical form has the signer field downcased (RFC 4034, 6.2). This
also implies that compare_rrsig needs to downcase the signer field
during comparison.
(cherry picked from commit 006c5990ce88aa5b5869a6140392ef80f38e415a)
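As an added illustration of the canonical form the commit message above describes (this is example code, not BIND's own), the following Python builds RRSIG RDATA in canonical wire form with the signer name uncompressed and downcased, so that both an RDATA comparison and a ZONEMD-style per-RR digest treat two spellings of the signer identically. The type table, the sample RRSIG (with a dummy signature) and the owner name are constructed for the example.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Small mnemonic table for the constructed sample; generic "TYPEnnn" is also accepted.
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}

def type_code(mnemonic):
    m = mnemonic.upper()
    return int(m[4:]) if m.startswith("TYPE") else TYPE_CODES[m]

def name_to_wire(name, downcase):
    """Uncompressed wire-format name, downcased when canonical form requires it."""
    if downcase:
        name = name.lower()
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def sig_time(field):
    """RRSIG inception/expiration: YYYYMMDDHHmmSS text or plain seconds since the epoch."""
    if len(field) == 14:
        return int(datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())
    return int(field)

def rrsig_canonical_rdata(rdata):
    """Canonical RRSIG RDATA: fixed fields in network order, signer name uncompressed
    and downcased (RFC 4034 s6.2), signature bytes verbatim."""
    f = rdata.split()
    fixed = struct.pack("!HBBIIIH", type_code(f[0]), int(f[1]), int(f[2]), int(f[3]),
                        sig_time(f[4]), sig_time(f[5]), int(f[6]))
    return fixed + name_to_wire(f[7], downcase=True) + base64.b64decode("".join(f[8:]))

def compare_rrsig(a, b):
    """Order two RRSIG RDATAs by canonical form (RFC 4034 s6.3): -1, 0 or 1 like memcmp."""
    ca, cb = rrsig_canonical_rdata(a), rrsig_canonical_rdata(b)
    return (ca > cb) - (ca < cb)

def rr_digest(owner, ttl, rtype, rdata):
    """SHA-384 over one RR in ZONEMD canonical form: owner, type, class IN, TTL, RDLENGTH, RDATA."""
    h = hashlib.sha384()
    h.update(name_to_wire(owner, downcase=True))
    h.update(struct.pack("!HHIH", type_code(rtype), 1, ttl, len(rdata)))
    h.update(rdata)
    return h.hexdigest()

# Constructed sample: one RRSIG written with two spellings of the signer name.
SIG_LOWER = "A 13 2 3600 20250401000000 20250301000000 12345 example.com. AQIDBA=="
SIG_MIXED = "A 13 2 3600 20250401000000 20250301000000 12345 Example.COM. AQIDBA=="
```

Without the downcasing step in `name_to_wire`, `compare_rrsig(SIG_LOWER, SIG_MIXED)` would be non-zero and the two records would hash differently, which is the defect the commit addresses.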
For technical reasons --with-readline=libedit is not being tested on
FreeBSD anymore as it's hard to have anchors both unified and specific.
(cherry picked from commit e0df774ca093bfc775232c5a543162de3c7245c2)
When a system test is run with the `USE_RR` environment variable set to 1, an `rr` trace is now correctly generated for each instance of `named`.
Closes #5079
Backport of MR !10197
Merge branch 'backport-5079-fix-rr-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10207
when running a system test with the USE_RR environment
variable set to 1, an rr trace is generated for named.
because rr wasn't run using libtool --mode=execute, the
trace would actually be generated for the wrapper script
generated by libtool, not for the actual named binary.
(cherry picked from commit 00d7c7c3462dd13b0cf003ad825689c218624ff0)
isc_iterated_hash didn't work in offloaded threads as the per-thread
initialisation had not been done. This has been fixed.
Closes #5214
Backport of MR !10206
Merge branch 'backport-5214-call-isc__iterated_hash_initialize-in-isc__work_cb-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10210
The iterated hash implementation needs to be initialised
on the worker thread. Also clean it up after we are done.
(cherry picked from commit 988dc57c8cb04748059769400275a2da5dd6a449)
When querying zone transfer information from the statistics channel there was a rare possibility that `named` could terminate unexpectedly if a zone transfer was in a state where transferring from all the available primary servers had failed earlier. This has been fixed.
Closes #5198
Backport of MR !10182
Merge branch 'backport-5198-dns_remote_curraddr-bug-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10194