mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00

41111 Commits

Author SHA1 Message Date
Michał Kępień
84e7e5d5df Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.19.22' into 'main'
Set up version and release notes for BIND 9.19.22

See merge request isc-projects/bind9!8651
2024-01-15 14:41:19 +00:00
Michał Kępień
c5eae03d0c Reduce duplication between checklists 2024-01-15 15:39:46 +01:00
Michał Kępień
a298880d8f Account for February 2024 releases in CHANGES 2024-01-15 15:39:46 +01:00
Michał Kępień
69ca33314e Set up release notes for BIND 9.19.22 2024-01-15 15:39:46 +01:00
Michał Kępień
055802e77e Update BIND version to 9.19.22-dev 2024-01-15 15:39:46 +01:00
Artem Boldariev
4245e8e72a Merge branch '4528-honor-listen-on-changes-logic-fixup' into 'main'
Fix flawed logic when detecting same listener type

See merge request isc-projects/bind9!8648
2024-01-15 10:25:16 +00:00
Artem Boldariev
8ae661048d Fix flawed logic when detecting same listener type
The older version of the code was reporting that listeners are going
to be of the same type after reconfiguration when switching from DoT
to HTTPS listener, making BIND abort its execution.

That was happening due to the flaw in logic due to which the code
could consider a current listener and a configuration for the new one
to be of the same type (DoT) even when the new listener entry is
explicitly marked as HTTP.

The checks for PROXY in between the configuration were masking that
behaviour, but when porting it to 9.18 (when there is no PROXY
support), the behaviour was exposed.

Now the code mirrors the logic in 'interface_setup()' closely (as it
was meant to).
2024-01-12 17:59:53 +02:00
Mark Andrews
1f9f8fc568 Merge branch '4520-log-message-in-lib-ns-update-c-needs-updating' into 'main'
Resolve "Log message in lib/ns/update.c needs updating"

Closes #4520

See merge request isc-projects/bind9!8622
2024-01-12 14:53:39 +00:00
Mark Andrews
2cf6cf967d Report the type being filtered from an UPDATE
When processing an UPDATE request, DNSKEY, CDNSKEY and CDS records that
are managed by named are filtered out.  The log message has been
updated to report the actual type rather than just DNSKEY.
2024-01-12 14:06:58 +00:00
Artem Boldariev
b75ba71f33 Merge branch '4528-honor-listen-on-changes' into 'main'
Recreate listeners on DNS transport change when editing listen-on statements before reconfiguration

Closes #4528 and #4518

See merge request isc-projects/bind9!8644
2024-01-12 13:48:39 +00:00
Artem Boldariev
ad5378fad7 Update release notes [GL #4518] [GL #4528]
Mentioned that all changes to listen-on statements are now applied on
reconfiguration.
2024-01-12 14:56:14 +02:00
Artem Boldariev
d1a2ad0f44 Update CHANGES [GL #4518] [GL #4528]
Mentioned that all changes to listen-on statements are now applied on
reconfiguration.
2024-01-12 14:56:00 +02:00
Artem Boldariev
211f12ff85 Add a system test to verify listener transport change functionality
This commit adds a system test that helps to verify that changing a
listener transport by editing "listen-on" statements before
reconfiguration works as expected.
2024-01-12 14:55:12 +02:00
Artem Boldariev
d59cf5e0ce Recreate listeners on DNS transport change
This commit ensures that listeners are recreated on reconfiguration in
the case when their type changes (or when PROXY protocol type changes,
too).

Previously, if a "listen-on" statement was modified to represent a
different transport, BIND would not pick up the change on
reconfiguration if listener type changes (e.g. DoH -> DoT) for a given
interface address and port combination. This commit fixes that by
recreating the listener.

Initially, that worked for most of the new transports as we would
recreate listeners on each reconfiguration for DoH and DoT. But at
some point we changed that in such a way that listeners were not
recreated to avoid rebinding a port as on some platforms only root can
do that for port numbers <1000, making some ports binding possible
only on start-up. We chose to asynchronously update listener socket
settings (like TLS contexts, HTTP settings) instead.

Now, we both avoid recreating the sockets if unnecessary and recreate
listeners when listener type changes.
2024-01-12 14:55:12 +02:00
Artem Boldariev
fa2b8b0adf Merge branch '3504-tls-cipher-suites' into 'main'
Add "cipher-suites" option to the "tls" block

Closes #3504

See merge request isc-projects/bind9!8576
2024-01-12 12:35:21 +00:00
Artem Boldariev
59a57451e6 Update the release notes [GL #3504]
Mention that the 'tls' block was extended with a new 'cipher-suites'
option.
2024-01-12 13:29:14 +02:00
Artem Boldariev
ac55d818c2 Update CHANGES [GL #3504]
Mention that the 'tls' block was extended with a new 'cipher-suites'
option.
2024-01-12 13:28:53 +02:00
Artem Boldariev
0867e2ea30 Update the options reference to document 'cipher-suites'
This commit documents the new 'cipher-suites' options of the 'tls'
statement.
2024-01-12 13:27:59 +02:00
Artem Boldariev
3b2b170c0e Update the documentation for the 'ciphers' option
We need to mention that the 'ciphers' option works only for TLSv1.2
because that is known to cause confusion for some of our users.
2024-01-12 13:27:59 +02:00
Artem Boldariev
ed546007c9 Add TLS 'cipher-suites' checkconf test
This commit adds a set of valid and invalid configuration files
samples that use the new 'cipher-suites' option of the 'tls'
statement.
2024-01-12 13:27:59 +02:00
Artem Boldariev
53f53e9b02 Add a 'cipher-suites' option system test
This commit adds a new system test which verifies that using the
'cipher-suites' option actually works as expected (as well as adds
first TLSv1.3 specific tests).
2024-01-12 13:27:59 +02:00
Artem Boldariev
eb924e460b Integrate TLS cipher suites support into BIND
This commit makes BIND use the new 'cipher-suites' option from the
'tls' statement.
2024-01-12 13:27:59 +02:00
Artem Boldariev
3818c58bf6 Add TLS cipher suites configuration option to BIND
This commit extends the 'tls' statement with 'cipher-suites' option.
2024-01-12 13:27:59 +02:00
Artem Boldariev
9d052522a0 Add TLS cipher-suites related low-level functionality
This commit adds low-level wrappers on top of
'SSL_CTX_set_ciphersuites()'. These are going to be a foundation
behind the 'cipher-suites' option of the 'tls' statement.
2024-01-12 13:27:59 +02:00
Aram Sargsyan
a6fb918454 Merge branch '4508-crash-in-host' into 'main'
Fix a possible dig/host crash in "NS search" mode

Closes #4508

See merge request isc-projects/bind9!8635
2024-01-11 09:54:01 +00:00
Aram Sargsyan
1246d982a2 Add a CHANGES note for [GL #4508] 2024-01-10 21:54:39 +00:00
Aram Sargsyan
913b20abf8 Print a dig comment about the failed query consistently
Dig failed to print a comment about the reason for the unacceptable
query reply received from a server when there was no other query to
start in the lookup's chain.

Add an "else" block to print out the comment even when not starting
up the next query.
2024-01-10 21:54:39 +00:00
Aram Sargsyan
f6658b333e Fix a possible dig/host crash in "NS search" mode
When getting a SERVFAIL reply from a query, 'host' tries to start
the next query in the lookup's list (also true for 'dig +nofail').
However, when running with the '-C' switch (or +nssearch for 'dig'),
all the queries in the lookup start from the beginning, so that logic
leads to a crash because of the attempted start of the query which
was already started.

Don't start the next query in the affected code path when in +nssearch
mode.
2024-01-10 21:54:39 +00:00
Mark Andrews
31b1f3c3bc Merge branch '4501-defer-control-channel-message-invalidation' into 'main'
Defer control channel message invalidation

Closes #4501

See merge request isc-projects/bind9!8641
2024-01-10 21:52:03 +00:00
Mark Andrews
d5103b742b Defer control channel message invalidation
The conn_shutdown() function is called whenever a control channel
connection is supposed to be closed, e.g. after a response to the client
is sent or when named is being shut down.  That function calls
isccc_ccmsg_invalidate(), which resets the magic number in the structure
holding the messages exchanged over a given control channel connection
(isccc_ccmsg_t).  The expectation here is that all operations related to
the given control channel connection will have been completed by the
time the connection needs to be shut down.

However, if named shutdown is initiated while a control channel message
is still in flight, some netmgr callbacks might still be pending when
conn_shutdown() is called and isccc_ccmsg_t invalidated.  This causes
the REQUIRE assertion checking the magic number in ccmsg_senddone() to
fail when the latter function is eventually called, resulting in a
crash.

Fix by splitting up isccc_ccmsg_invalidate() into two separate
functions:

  - isccc_ccmsg_disconnect(), which initiates TCP connection shutdown,
  - isccc_ccmsg_invalidate(), which cleans up magic number and buffer,

and then:

  - replacing all existing uses of isccc_ccmsg_invalidate() with calls
    to isccc_ccmsg_disconnect(),

  - only calling isccc_ccmsg_invalidate() when all netmgr callbacks are
    guaranteed to have been run.

Adjust function comments accordingly.
2024-01-10 15:48:25 +01:00
Tom Krizek
57166cd3b7 Merge branch '3535-fetchlimit-test-flaky' into 'main'
Allow the fetchlimit test to be re-run

Closes #3535

See merge request isc-projects/bind9!8612
2024-01-10 14:44:05 +00:00
Tom Krizek
10827fe96c Allow the fetchlimit test to be re-run
The test is known to be unstable due to timing issues. Prevent frequent
false positives by allowing the test to be re-run by the flaky pytest
plugin.
2024-01-10 14:57:20 +01:00
Tom Krizek
a65b654a23 Don't type-check the flaky plugin with mypy
Since we execute mypy for bin/tests/system/isctest package, this is now
needed because the flaky package doesn't have type hints.
2024-01-10 14:57:20 +01:00
Tom Krizek
f314f1b432 Move custom pytest markers into isctest module
Keep our pytest code more organized by moving the shared code for custom
pytest markers into a dedicated isctest/mark.py module.
2024-01-10 14:57:13 +01:00
Tom Krizek
d87da207fb Merge branch 'tkrizek/nsupdate-test-flaky-on-freebsd' into 'main'
Allow nsupdate test rerun on FreeBSD

See merge request isc-projects/bind9!8638
2024-01-10 13:43:08 +00:00
Tom Krizek
124882476b Allow nsupdate test rerun on FreeBSD
The "exceeded time limit waiting for literal 'too many DNS UPDATEs
queued' in ns1/named.run" is prone to fail due to a timing issue.
Despite our efforts to stabilize it, the check still often fails on
FreeBSD in our CI. Allow the test to be re-run on this platform.
2024-01-10 13:18:04 +01:00
Mark Andrews
f737ca0542 Merge branch '4522-dig-in-9-19-19-accept-weird-source-and-destination-ports-within-the-proxy-statement' into 'main'
Resolve "Dig in 9.19.19 accept weird source- and destination-ports within the "proxy"-statement"

Closes #4522

See merge request isc-projects/bind9!8626
2024-01-10 00:05:24 +00:00
Mark Andrews
bb75676f90 Error if proxy ports are too big 2024-01-09 23:27:45 +00:00
Aram Sargsyan
c60fad36dc Merge branch 'aram/tests-dighost-fix-intermittent-failure' into 'main'
Make digdelv test work in different network envs (continued)

See merge request isc-projects/bind9!8636
2024-01-09 14:33:22 +00:00
Aram Sargsyan
96f63a9f0b Make digdelv test work in different network envs (continued)
This commit complements the 1e7d832342aa2aaaeb8ef1710ec095dfcade4c6d
commit.
2024-01-09 13:40:38 +00:00
Tom Krizek
741de8ef6d Merge branch 'tkrizek/xfer-test-dnssec-validation-no' into 'main'
Add missing dnssec-validation to ns4 in xfer test

See merge request isc-projects/bind9!8630
2024-01-08 18:49:17 +00:00
Tom Krizek
68234372a5 Add missing dnssec-validation to ns4 in xfer test
This file was missing explicit dnssec-validation. Seems like it was
missed in our previous efforts, probably because of the different
filename / extension. Rename it to end with *.in to reflect that it is a
template file used by copy_setports.
2024-01-08 18:43:45 +01:00
Tom Krizek
98b55bb85e Merge branch '4521-timeout-in-dig-not-handled-in-rndc-system-test' into 'main'
Resolve "Timeout in dig not handled in system tests"

Closes #4521

See merge request isc-projects/bind9!8623
2024-01-08 17:39:03 +00:00
Tom Krizek
7b77574b6d Handle dig timing out gracefully in upforwd 2024-01-08 17:03:36 +01:00
Tom Krizek
cc7c4760aa Handle dig timing out gracefully in staticstub 2024-01-08 17:03:36 +01:00
Tom Krizek
2341934f7d Handle dig timing out gracefully in sortlist 2024-01-08 17:03:36 +01:00
Tom Krizek
99799fba60 Handle dig timing out gracefully in rpz 2024-01-08 17:03:36 +01:00
Tom Krizek
de569ad97a Handle dig timing out gracefully in rootkeysentinel 2024-01-08 17:03:36 +01:00
Tom Krizek
606985d775 Handle dig timing out gracefully in qmin 2024-01-08 17:03:35 +01:00
Tom Krizek
c983449e5e Handle dig timing out gracefully in padding 2024-01-08 17:03:35 +01:00