2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

39719 Commits

Author SHA1 Message Date
Mark Andrews
3a2a24903c Check GSS-API TKEY against non configured server
Check for the expected error message which includes rcode REFUSED
then reload the server to specify the keytab for the rest of the
GSSAPI tests.
2023-07-28 14:38:20 +10:00
Mark Andrews
f244619680 Report TKEY query errors in nsupdate 2023-07-28 14:38:20 +10:00
Mark Andrews
b5076014b9 Return REFUSED if GSSAPI is not configured
Return REFUSED if neither a keytab nor a gssapi credential is
configured to GSSAPI/TKEY requests.
2023-07-28 14:37:32 +10:00
Ondřej Surý
5342d6e97d Merge branch 'ondrej/workaround-the-ASAN-report-for-cds_lfht_for_each_entry' into 'main'
Workaround AddressSanitizer overzealous check

See merge request isc-projects/bind9!8116
2023-07-27 13:22:08 +00:00
Ondřej Surý
dc3e07572b
Workaround AddressSanitizer overzealous check
The cds_lfht_for_each_entry and cds_lfht_for_each_entry_duplicate macros
had a code that operated on the NULL pointer, at the end of the list it
was calling caa_container_of() on the NULL pointer in the init-clause
and iteration-expression, but the result wasn't actually used anywhere
because the cond-expression in the for loop has prevented executing
loop-statement.  This made AddressSanitizer notice the invalid operation
and rightfully complain.

This was reported to the upstream and fixed there.  Pull the upstream
fix into our <isc/urcu.h> header, so our CI checks pass.
2023-07-27 15:21:39 +02:00
Ondřej Surý
7c8d6a454d Merge branch '4227-free-stub_glue_request-in-stub_glue_response' into 'main'
Free struct stub_glue_request in stub_glue_response() callback

Closes #4227

See merge request isc-projects/bind9!8147
2023-07-27 10:34:20 +00:00
Ondřej Surý
7a2b4ad17b Add CHANGES note for [GL #4227] 2023-07-27 12:34:03 +02:00
Ondřej Surý
31c43d4b76 Free struct stub_glue_request in stub_glue_response() callback
When stub_glue_response() is called, the associated data is stored in
newly allocated struct stub_glue_request.  The allocated structure is
never freed in the callback, thus we leak a little bit of memory.
2023-07-27 12:34:03 +02:00
Ondřej Surý
57a568e8f9 Unify the naming for struct stub_glue_request
The stub_request_nameserver_address() used 'request' as name for
struct stub_glue_request leading to confusion between 'request'
(stub_glue_request) and 'request->request' (dns_request_t).

Unify the name to 'sgr' already used in struct stub_glue_response().
2023-07-27 12:34:03 +02:00
Ondřej Surý
8ff1729b66 Merge branch 'ondrej/cleanup-isc_stats_create-return' into 'main'
Refactor isc_stats_create() and its downstream users to return void

See merge request isc-projects/bind9!8055
2023-07-27 10:10:26 +00:00
Ondřej Surý
bf44554889 Refactor ns_server_create() to return void
After isc_stats_create() change, the ns_server_create() cannot fail, so
refactor the function to return void and fix all its uses.
2023-07-27 11:37:44 +02:00
Ondřej Surý
ea2fe8eea4 Refactor dns_zone_create() to return void
After isc_stats_create() change, the dns_zone_create() cannot fail, so
refactor the function to return void and fix all its uses.
2023-07-27 11:37:44 +02:00
Ondřej Surý
045d8d9ed6 Refactor dns_adb_create() to return void
After isc_stats_create() change, the dns_adb_create() cannot fail, so
refactor the function to return void and fix all its uses.
2023-07-27 11:37:44 +02:00
Ondřej Surý
5321c474ea Refactor isc_stats_create() and its downstream users to return void
The isc_stats_create() can no longer return anything else than
ISC_R_SUCCESS.  Refactor isc_stats_create() and its variants in libdns,
libns and named to just return void.
2023-07-27 11:37:44 +02:00
Tom Krizek
6a6f2e58e9 Merge branch '4055-improve-the-overmem-cache-cleaning-test' into 'main'
[CVE-2023-2828] Add test for dns_rbtdb overmem purging

Closes #4055

See merge request isc-projects/bind9!8141
2023-07-26 11:24:36 +00:00
Ondřej Surý
269c03831f
Add test for dns_rbtdb overmem purging
Add a unit test to check if the overmem purging in the RBTDB is
effective when mixed size RR data is inserted into the database.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Jinmei Tatuya <jtatuya@infoblox.com>
2023-07-26 10:30:51 +02:00
Tom Krizek
186d4cec3d Merge branch '4089-stale-query-loop-test' into 'main'
Reproducer for CVE-2023-2911

Closes #4089

See merge request isc-projects/bind9!8132
2023-07-25 08:34:00 +00:00
Tom Krizek
f617512d37
Reproducer for CVE-2023-2911
The conditions that trigger the crash:
- a stale record is in cache
- stale-answer-client-timeout is 0
- multiple clients query for the stale record, enough of them to exceed
  the recursive-clients quota
- the response from the authoritative is sufficiently delayed so that
  recursive-clients quota is exceeded first

The reproducer attempts to simulate this situation. However, it hasn't
proven to be 100 % reproducible, especially in CI. When reproducing
locally, the priming query also seems to sometimes interfere and prevent
the crash. When the reproducer is ran twice, it appears to be more
reliable in reproducing the issue.
2023-07-25 09:23:24 +02:00
Tom Krizek
ae179921e0 Merge branch 'tkrizek/checkconf-keys-dir-set-e' into 'main'
Clean up keys directory in checkconf test

See merge request isc-projects/bind9!8133
2023-07-25 07:20:31 +00:00
Tom Krizek
062dfac28e
Clean up keys directory in checkconf test
The keys directory should be cleaned up in clean.sh. Doing that in the
test itself isn't reliable which may lead to failing mkdir which causes
the test to fail with set -e.
2023-07-25 09:19:55 +02:00
Matthijs Mekking
539a4581ea Merge branch '4222-inline-system-test-ns7-fails-to-start' into 'main'
Change RSASHA256 key length to be FIPS compliant

Closes #4222

See merge request isc-projects/bind9!8131
2023-07-25 06:42:17 +00:00
Matthijs Mekking
2c978017b3 Change RSASHA256 key length to be FIPS compliant
After commit f4eb3ba4, that is part of removing 'auto-dnssec', the
inline system test started to fail in FIPS CI jobs. This is because
the 'nsec3-loop' zone started to use a RSASHA256 key size of 1024 and
this is not FIPS compliant.

This commit changes the key size from 1024 to 4096, in order to
become FIPS compliant again.
2023-07-25 06:42:03 +00:00
Ondřej Surý
aed4fdd7d3 Merge branch 'ondrej/cleanup-cruft-in-dns_catz' into 'main'
Cleanup the dns_catz unit API

See merge request isc-projects/bind9!8099
2023-07-24 17:54:26 +00:00
Ondřej Surý
e29f9e982e
Fix TSAN data race accessing zone->parentcatz
The zone->parentcatz was accessed unlocked in dns_zone_get_parentcatz(),
add a locking around it.
2023-07-24 19:49:14 +02:00
Aram Sargsyan
b2e84371d3
Test catz member zone fail-safe recreation
The catz module has a fail-safe code to recreate a member zone
that was expected to exist but was not found.

Improve a test case where the fail-safe code is expected to execute
to check that the log message exists.

Add a test case where the fail-safe code is not expected to execute
to check that the log message does not exist.
2023-07-24 19:49:14 +02:00
Ondřej Surý
48714a9c1d
Cleanup the dns_catz unit API
1. Change the _new, _add and _copy functions to return the new object
   instead of returning 'void' (or always ISC_R_SUCCESS)

2. Cleanup the isc_ht_find() + isc_ht_add() usage - the code is always
   locked with catzs->lock (mutex), so when isc_ht_find() returns
   ISC_R_NOTFOUND, the isc_ht_add() must always succeed.

3. Instead of returning direct iterator for the catalog zone entries,
   add dns_catz_zone_for_each_entry2() function that calls callback
   for each catalog zone entry and passes two extra arguments to the
   callback.  This will allow changing the internal storage for the
   catalog zone entries.

4. Cleanup the naming - dns_catz_<fn>_<obj> -> dns_catz_<obj>_<fn>, as an
   example dns_catz_new_zone() gets renamed to dns_catz_zone_new().
2023-07-24 19:49:14 +02:00
Matthijs Mekking
aad9fda87d Merge branch '4221-multisigner-add-nsupdate-return-value-checks' into 'main'
Add nsupdate retvalue checks in multisigner test

See merge request isc-projects/bind9!8130
2023-07-24 15:18:44 +00:00
Matthijs Mekking
e426501a45 Add nsupdate retvalue checks in multisigner test
Ensure the nsupdate command executes with success.

Add a couple of 'n=$((n+1))' and explicit 'ret=0' to clearly mark the
start of a new check.
2023-07-24 11:48:07 +02:00
Mark Andrews
f66881c995 Merge branch '4215-add-isc_r_timedout-to-the-reasons-to-call-dns_zonemgr_unreachableadd-in-xfrin' into 'main'
Resolve "Add ISC_R_TIMEDOUT to the reasons to call dns_zonemgr_unreachableadd in xfrin"

Closes #4215

See merge request isc-projects/bind9!8122
2023-07-21 22:57:38 +00:00
Mark Andrews
fefc273eb0 Add CHANGES note for [GL #4215] 2023-07-22 08:18:14 +10:00
Mark Andrews
621c117101 Mark a primary as unreachable on timed out in xfin
When a primary server is not responding, mark it as temporarialy
unreachable.  This will prevent too many zones queuing up on a
unreachable server and allow the refresh process to move onto
the next primary sooner once it has been so marked.
2023-07-22 08:17:11 +10:00
Ondřej Surý
2f9322f88d Merge branch '4200-placeholder' into 'main'
Add CHANGES placeholder for [GL #4200]

Closes #4200

See merge request isc-projects/bind9!8127
2023-07-20 16:40:42 +00:00
Ondřej Surý
0487d50813
Add CHANGES placeholder for [GL #4200] 2023-07-20 18:40:08 +02:00
Ondřej Surý
e0aec97bcd Merge branch '4212-dead-code-in-dns_rbt-zonedb' into 'main'
Restore the IS_STUB() condition in zone_zonecut_callback

Closes #4212

See merge request isc-projects/bind9!8117
2023-07-20 16:00:13 +00:00
Ondřej Surý
40659b5978
Restore the IS_STUB() condition in zone_zonecut_callback
After the refactoring the condition whether to use DNAME or NS for the
zonecut was incorrectly simplified and the !IS_STUB() condition was
removed.  This was flagged by Coverity as:

	/lib/dns/rbt-zonedb.c: 192 in zone_zonecut_callback()
	186     		found = ns_header;
	187     		search->zonecut_sigheader = NULL;
	188     	} else if (dname_header != NULL) {
	189     		found = dname_header;
	190     		search->zonecut_sigheader = sigdname_header;
	191     	} else if (ns_header != NULL) {
	>>>     CID 462773:  Control flow issues  (DEADCODE)
	>>>     Execution cannot reach this statement: "found = ns_header;".
	192     		found = ns_header;
	193     		search->zonecut_sigheader = NULL;
	194     	}
	195
	196     	if (found != NULL) {
	197     		/*

Instead of removing the extra block, restore the !IS_STUB() condition
for the first if block.
2023-07-20 17:59:44 +02:00
Tom Krizek
f03d41c6ee Merge branch 'tkrizek/multisigner-test-pytest-glue' into 'main'
Add missing pytest glue to run multisigner test

See merge request isc-projects/bind9!8126
2023-07-20 15:55:09 +00:00
Tom Krizek
47d2d5334f
Add missing pytest glue to run multisigner test
Without the pytest glue file, the multisigner/tests.sh isn't picked
up by the pytest runner and the test isn't executed.

Related !6901
2023-07-20 17:53:48 +02:00
Matthijs Mekking
b8e3c1bb52 Merge branch '3672-remove-auto-dnssec' into 'main'
Remove auto-dnssec

Closes #3672

See merge request isc-projects/bind9!8085
2023-07-20 14:37:30 +00:00
Matthijs Mekking
f5bf8c1d30 Update autosign system test
When checking for the number of logs related to DNSKEY key maintenance
events, don't include CDNSKEY is published lines.

Also consider RSASHA1: If not supported, the key maintenance for
the nsec-only zone are not logged.
2023-07-20 15:34:53 +02:00
Matthijs Mekking
6504b563cb Add release note and CHANGES for #3672
"The king is dead. Long live the king."
2023-07-20 12:44:19 +02:00
Matthijs Mekking
042c89ac69 Obsolete dnssec-update-mode
We no longer support 'no-resign' and thus the configuration option
becomes obsolete. Remove the corresponding dnssec system test cases.
2023-07-20 12:44:19 +02:00
Matthijs Mekking
3bcb096a0e Tiny refactor revoked key check
This makes the code flow a bit more readable.
2023-07-20 12:44:19 +02:00
Matthijs Mekking
3e49223a67 Obsolete dnssec-dnskey-kskonly update-check-ksk
These two configuration options worked in conjunction with 'auto-dnssec'
to determine KSK usage, and thus are now obsoleted.

However, in the code we keep KSK processing so that when a zone is
reconfigured from using 'dnssec-policy' immediately to 'none' (without
going through 'insecure'), the zone is not immediately made bogus.

Add one more test case for going straight to none, now with a dynamic
zone (no inline-signing).
2023-07-20 12:40:54 +02:00
Matthijs Mekking
a8f71f67ac Refactor KSK processing
There are multiple almost identical code blocks, time to make a
function.
2023-07-20 12:40:52 +02:00
Matthijs Mekking
88a687106f Obsolete sig-validity-interval dnskey-sig-validity
These two configuration options worked in conjunction with 'auto-dnssec'
to set the signature validity, and thus are now obsoleted.
2023-07-20 11:04:24 +02:00
Matthijs Mekking
d7cc0a9f7b Remove remaining auto-dnssec bits
Remove the remaining bits related to 'auto-dnssec'.
2023-07-20 11:04:24 +02:00
Matthijs Mekking
c75ddc33aa Remove auto-dnssec check
Remove the check configuration parts related to 'auto-dnssec'.
2023-07-20 11:04:24 +02:00
Matthijs Mekking
10bb8f92a1 Remove auto-dnssec from documentation
Update the ARM and DNSSEC guide, removing references to 'auto-dnssec',
replacing them with 'dnssec-policy' if needed.

The section "Alternative Ways" of signing has to be refactored, since
we now only focus on one alternative way, that is manual signing.
2023-07-20 11:04:24 +02:00
Matthijs Mekking
71af4f4e0b Remove the auto-dnssec option
Mark the "auto-dnssec" option ancient (effectively disallowing it from
the configuration).
2023-07-20 11:04:23 +02:00
Matthijs Mekking
a4b6ff32e9 Update zonechecks system test
Change test configuration to make use of 'dnssec-policy' instead of
'auto-dnssec'.
2023-07-20 11:04:23 +02:00