Petr Špaček
c35f00e48a
Merge branch 'pspacek/auto-backports' into 'main'
Attempt automatic MR backports after every merge
See merge request isc-projects/bind9!8959
2024-04-19 13:40:51 +00:00
Petr Špaček
49f9487577
Attempt automatic MR backports after every merge
2024-04-19 13:35:19 +00:00
Matthijs Mekking
b53c03d98e
Merge branch '1128-offline-ksk' into 'main'
Introduce new DNSSEC tool dnssec-ksr
See merge request isc-projects/bind9!8188
2024-04-19 11:56:50 +00:00
Matthijs Mekking
afda87cb08
dnssec-keygen: Change flag options into booleans
We now have ctx.kskflag, ctx.zskflag, and ctx.revflag, but zskflag is
not quite like the other two, as it doesn't have a special bit in the
DNS packet, and is used as a boolean.
This patch changes the code so that we use booleans for all three, and
constructs the flags based on which ones are set.
patch by @aram
2024-04-19 13:52:21 +02:00
Matthijs Mekking
7007025302
Don't leak
Make tsan happy, fix memory leaks by keeping track of the buffers
to be cleaned up.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
d9c947c57d
Add test cases for CDS/CDNSKEY
Add two more test cases to ensure that a Signed Key Response file
creates signed CDNSKEY and/or CDS RRsets according to the policy.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
cdf0fd2e5e
Adjust system test to expect CDS and CDNSKEY
Requires storing the KSK keyfile identifier to calculate the expected
CDS and CDNSKEY.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
83da52d6e4
Add option to dnssec-dsfromkey to chop up rdata
The new option 'w' allows us to print DS rdata with the base64 portions
split up in chunks. This is mainly done for testing purposes.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
efe4fa6fc7
Add CDS and CDNSKEY to SKR
Add signed CDS and CDNSKEY RRsets to the Signed Key Response (SKR) for the
used KSKs.
We only print one bundle header for all three RRsets.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
46785dc71e
sh the fmt up
Apply shfmt patch. Ideally I fixup every commit that changes testing,
but that is just too much at this point.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
e7525cab4f
Add CHANGES and release note
Introduce the new 'dnssec-ksr' tool.
2024-04-19 13:52:21 +02:00
Matthijs Mekking
695be761b0
Test dnssec-ksr sign
Add test cases for the 'sign' command. Reuse the earlier generated KSR
files.
Also update dnssec-ksr.c to have better cleanup.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
887fa0ddc9
Implement dnssec-ksr sign
Add code that can create a Signed Key Response (SKR) given a Key
Signing Request (KSR), a DNSSEC policy, a set of keys and an interval.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
31521fade2
Change ksr format
Make the ksr format compatible with Knot.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
2bf03ab7df
Refactor dnssec-ksr
Refactor some more, making the cleanup a generic function.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
852ba174dd
Test dnssec-ksr request
Add test cases for the 'request' command. Reuse the earlier
pregenerated ZSKs. We also need to set up some KSK files; that can
be done with 'dnssec-keygen -k <policy> -fK' now.
The 'check_keys()' function is adjusted such that the expected active
time of the successor key is set to the inactive time of the
predecessor. Some additional information is saved to make 'request'
testing easier.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
1b39172ee7
Implement dnssec-ksr request
Add code that can create a Key Signing Request (KSR) given a DNSSEC
policy, a set of keys and an interval.
Multiple keys that match the bundle and kasp parameters are sorted by
keytag, mainly for testing purposes.
2024-04-19 10:41:04 +02:00
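The two commits above (afda87cb08 turning the KSK/ZSK/REVOKE flags into booleans, and 1b39172ee7 sorting matching keys by key tag) both come down to how the 16-bit DNSKEY flags field is built and how the key tag is derived from it. The following is an added example, not BIND code: it maps the three booleans onto the SEP, REVOKE and ZONE bits, computes the RFC 4034 Appendix B key tag over the resulting RDATA, and orders keys by that tag. The Key class, the sort helper and the dummy key bytes are this example's own constructions.

```python
"""Model of DNSKEY flag construction and key-tag ordering.

Added example, not BIND code. The role booleans map onto DNSKEY flag bits
as the commit describes: KSK is the SEP bit (0x0001), REVOKE is 0x0080,
every signing key carries ZONE (0x0100), and "ZSK" is just a zone key
without SEP. Key tags follow RFC 4034 Appendix B. All key material here
is constructed dummy bytes, and the Key class is this example's own shape.
"""
from dataclasses import dataclass

DNSKEY_FLAG_ZONE = 0x0100    # ZONE bit: set on every DNSKEY that signs zone data
DNSKEY_FLAG_REVOKE = 0x0080  # REVOKE bit (RFC 5011)
DNSKEY_FLAG_SEP = 0x0001     # SEP bit (RFC 4034); what BIND calls the KSK role


def dnskey_flags(ksk: bool, zsk: bool, revoke: bool) -> int:
    """Build the 16-bit DNSKEY flags field from the three role booleans."""
    if not (ksk or zsk):
        raise ValueError("a key needs at least one role (ksk or zsk)")
    flags = DNSKEY_FLAG_ZONE
    if ksk:
        flags |= DNSKEY_FLAG_SEP  # zsk adds nothing: there is no ZSK bit
    if revoke:
        flags |= DNSKEY_FLAG_REVOKE
    return flags


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class Key:
    name: str
    ksk: bool
    zsk: bool
    revoke: bool
    algorithm: int
    pubkey: bytes  # constructed dummy bytes, not real key material

    @property
    def flags(self) -> int:
        return dnskey_flags(self.ksk, self.zsk, self.revoke)

    @property
    def tag(self) -> int:
        return keytag(dnskey_rdata(self.flags, self.algorithm, self.pubkey))


def sort_by_keytag(keys: list) -> list:
    """Deterministic ordering of candidate keys, as the 'request' command sorts them."""
    return sorted(keys, key=lambda k: k.tag)


if __name__ == "__main__":
    dummy = b"\x01\x02\x03\x04"  # constructed public key bytes
    for k in sort_by_keytag([
        Key("ksk", True, False, False, 13, dummy),
        Key("zsk", False, True, False, 13, dummy),
        Key("revoked-ksk", True, False, True, 13, dummy),
    ]):
        print(f"{k.name:12} flags={k.flags:5} keytag={k.tag}")
```

Because the flags are part of the RDATA the tag is computed over, setting REVOKE on a key changes its key tag (here from 2068 to 2196 for the same key bytes), which is why a revoked KSK shows up under a different tag than the one published before revocation.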
Matthijs Mekking
22a4bd5bbe
Also free the dst_key after keygen
During cleanup, we also need to free the dst_key structure that is part
of the dns_dnsseckey.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
ed9704fcda
Refactor dnssec-ksr keygen
Create some helper functions for code that is going to be reused by the
other commands (request, sign), such as setting and checking the context
parameters, and retrieving the dnssec-policy/kasp.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
e033e58a85
dnssec-keygen: allow -f and -k together
The 'dnssec-keygen' tool now allows the options '-k <dnssec-policy>'
and '-f <flags>' together to create keys from a DNSSEC policy that only
match the given role. Allow setting '-fZ' to only create ZSKs, while
'-fK' will only create KSKs.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
7508534789
Implement dnssec-ksr keygen
Add code that can pregenerate ZSKs given a DNSSEC policy and an
interval.
Fix configuration shell scripts, fixing the ksr system test.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
a3915e535a
Move kasp key match function to kasp header
The dnssec-ksr tool needs to check if existing key files match lines
in the keys section of a dnssec-policy, so make this function publicly
available.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
bc31575899
Move common create key functions to dnssectool.c
The dnssec-ksr tool needs to read a dnssec-policy from configuration
too, as well as deal with FIPS mode checks.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
1cb345fa95
Add ksr system test
Add a system test for testing dnssec-ksr, initially for the keygen
command. This should be able to create or select key files given a
DNSSEC policy and a time window.
2024-04-19 10:41:04 +02:00
Matthijs Mekking
77d4afba1b
Introduce new DNSSEC tool dnssec-ksr
Introduce a new DNSSEC tool, dnssec-ksr, for creating signed key
response (SKR) files, given one or more key signing requests (KSRs).
For now it is just a dummy tool, but the future purpose of this utility
is to pregenerate ZSKs and signed RRsets for DNSKEY, CDNSKEY, and CDS
for a given period that a KSK is to be offline.
2024-04-19 10:41:04 +02:00
Michal Nowak
2ca6bcc99a
Merge branch 'mnowak/revert-874329b3b1a56e58e8caf61d89127441d2cc79a1' into 'main'
Revert "Temporarily allow failure of respdiff-long:tsan job"
See merge request isc-projects/bind9!8957
2024-04-19 08:37:47 +00:00
Michal Nowak
620cce8f7e
Revert "Temporarily allow failure of respdiff-long:tsan job"
This reverts commit 874329b3b1.
Addressed in isc-projects/bind9#4475.
2024-04-19 10:28:51 +02:00
Ondřej Surý
e4793242eb
Merge branch '4416-fix-reading-multiple-rndc-messages-in-single-TCP-message' into 'main'
Rework isccc_ccmsg to support multiple messages per tcp read
Closes #4416
See merge request isc-projects/bind9!8956
2024-04-18 18:10:56 +00:00
Ondřej Surý
cbbc0051a3
Add CHANGES note for [GL #4416]
2024-04-18 20:09:47 +02:00
Dominik Thalhammer
24ae1157e8
Rework isccc_ccmsg to support multiple messages per tcp read
Previously, only a single controlconf message would be processed from a
single TCP read even if the TCP read buffer contained multiple messages.
Refactor the isccc_ccmsg unit to store the extra buffer in the internal
buffer and use the already read data first before reading from the
network again.
Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Dominik Thalhammer <dominik@thalhammer.it>
2024-04-18 20:08:44 +02:00
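The bug described in the commit above is a generic stream-framing mistake: treating one TCP read as one message, even though TCP preserves no message boundaries and a single read can return several pipelined frames or only part of one. The following is an added example, not BIND code, that models the fix. It assumes a frame is a 4-byte big-endian length followed by that many payload bytes (the real isccc layout is only modelled), and MAX_FRAME is an assumed cap; the pre-fix behaviour is shown next to the buffering reader for contrast.

```python
"""Model of control-channel framing over a TCP stream.

Added example, not BIND code. A frame is assumed to be a 4-byte big-endian
length followed by that many payload bytes; the real isccc layout is only
modelled. The pre-fix behaviour parsed one frame per read() and left any
further frames in the read buffer unprocessed; FrameReader drains every
complete frame it already holds before the caller reads again, and keeps a
partial trailing frame for the next chunk. MAX_FRAME is an assumed cap.
"""
import struct

HEADER = struct.Struct("!I")
MAX_FRAME = 64 * 1024  # assumed cap: reject absurd lengths before buffering them


class FrameError(Exception):
    pass


class FrameReader:
    def __init__(self, max_frame: int = MAX_FRAME):
        self.buf = bytearray()
        self.max_frame = max_frame

    def feed(self, chunk: bytes) -> list:
        """Append one read()'s worth of bytes and return every complete frame in order."""
        self.buf.extend(chunk)
        frames = []
        while len(self.buf) >= HEADER.size:
            (length,) = HEADER.unpack_from(self.buf, 0)
            if length > self.max_frame:
                raise FrameError(f"frame length {length} exceeds cap {self.max_frame}")
            end = HEADER.size + length
            if len(self.buf) < end:
                break  # partial frame: keep the bytes and wait for the next read
            frames.append(bytes(self.buf[HEADER.size:end]))
            del self.buf[:end]
        return frames

    def pending(self) -> int:
        """Bytes of an incomplete frame still waiting for more input."""
        return len(self.buf)


def one_frame_per_read(chunk: bytes) -> bytes:
    """The pre-fix pattern: parse the first frame and ignore whatever else the read returned."""
    (length,) = HEADER.unpack_from(chunk, 0)
    return bytes(chunk[HEADER.size:HEADER.size + length])


def frame(payload: bytes) -> bytes:
    return HEADER.pack(len(payload)) + payload


if __name__ == "__main__":
    # Constructed stream: the client pipelines two commands and the kernel hands
    # them back in a single recv(), followed by a third frame split across reads.
    stream = frame(b"status") + frame(b"reload example.com") + frame(b"stats")
    print("old:", one_frame_per_read(stream))
    r = FrameReader()
    print("new:", r.feed(stream[:30]), r.feed(stream[30:]))
```

The length check before buffering matters as much as the loop: a reader that trusts the length prefix will happily allocate whatever an unauthenticated peer asks for, so the cap is enforced before any payload bytes are accepted.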
Ondřej Surý
e13728413a
Merge branch '4586-don-t-count-expired-future-rrsigs-in-verification-failure-quota' into 'main'
Don't count expired / future RRSIGs in verification failure quota
Closes #4586
See merge request isc-projects/bind9!8746
2024-04-18 15:07:43 +00:00
Ondřej Surý
5d4233c2c2
Add CHANGES and release notes for [GL #4586]
2024-04-18 16:05:32 +02:00
Ondřej Surý
3b9ea189b2
Don't count expired / future RRSIG against quota
These don't trigger a public key verification unless
dnssec-accept-expired is set.
2024-04-18 16:05:31 +02:00
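The commit above relies on the ordering of checks in a validator: the RRSIG validity window is tested first, and only a signature that actually reaches the public-key operation and fails should be charged to the per-RRset verification-failure quota. The following is an added example, not BIND code, that models that ordering and shows why dnssec-accept-expired changes the accounting. The quota value, the RRSIG and Key shapes, the hash-based stand-in verifier and the sample RRset are all this example's own constructions.

```python
"""Model of the RRSIG pre-check behind the quota change.

Added example, not BIND code. validate_rrset() first discards RRSIGs whose
inception/expiration window does not contain now (RFC 4035 section 5.3.1),
and only signatures that actually reach the public-key operation and fail
are counted against the per-RRset verification-failure quota. With
accept_expired=True (modelling dnssec-accept-expired) an expired signature
is verified, and so does count. The quota value, the RRSIG/Key shapes and
the stand-in verifier are all this example's own assumptions.
"""
import hashlib
from dataclasses import dataclass, field

MAX_VERIFY_FAILURES = 2  # assumed quota, not BIND's value


@dataclass
class RRSIG:
    keytag: int
    inception: int    # epoch seconds
    expiration: int   # epoch seconds
    signature: bytes


@dataclass
class Key:
    keytag: int
    secret: bytes     # stand-in for a public key; see toy_verify()


@dataclass
class Outcome:
    secure: bool = False
    attempted: int = 0    # public-key operations actually performed
    failures: int = 0     # failed operations charged to the quota
    skipped: list = field(default_factory=list)


def in_window(sig: RRSIG, now: int, accept_expired: bool) -> bool:
    """Time check from RFC 4035 5.3.1 (32-bit serial arithmetic left out)."""
    if sig.inception > now:
        return False                      # signature from the future
    if sig.expiration < now and not accept_expired:
        return False                      # expired
    return True


def toy_verify(key: Key, rrset: bytes, sig: RRSIG) -> bool:
    """Stand-in for the expensive public-key verification; constructed, not DNSSEC."""
    return sig.signature == hashlib.sha256(key.secret + rrset).digest()


def validate_rrset(rrset, rrsigs, keys, now, accept_expired=False, quota=MAX_VERIFY_FAILURES):
    out = Outcome()
    keys_by_tag = {k.keytag: k for k in keys}
    for sig in rrsigs:
        if not in_window(sig, now, accept_expired):
            out.skipped.append(f"keytag {sig.keytag}: outside validity window, not verified")
            continue
        key = keys_by_tag.get(sig.keytag)
        if key is None:
            out.skipped.append(f"keytag {sig.keytag}: no matching DNSKEY")
            continue
        if out.failures >= quota:
            out.skipped.append(f"keytag {sig.keytag}: failure quota exhausted")
            continue
        out.attempted += 1
        if toy_verify(key, rrset, sig):
            out.secure = True
            return out
        out.failures += 1
    return out


def sign(key: Key, rrset: bytes, inception: int, expiration: int) -> RRSIG:
    return RRSIG(key.keytag, inception, expiration, hashlib.sha256(key.secret + rrset).digest())


def scenario(accept_expired: bool) -> Outcome:
    """Constructed RRset with one good RRSIG buried among three bad ones."""
    now = 1_700_000_000
    rrset = b"www.example. IN A 192.0.2.1"        # constructed
    key = Key(keytag=12345, secret=b"constructed-key")
    junk = b"\x00" * 32
    rrsigs = [
        RRSIG(12345, now - 86400, now - 3600, junk),   # expired, bogus
        RRSIG(12345, now + 3600, now + 86400, junk),   # not yet valid, bogus
        RRSIG(12345, now - 3600, now + 86400, junk),   # in window, bogus
        sign(key, rrset, now - 3600, now + 86400),     # in window, genuine
    ]
    return validate_rrset(rrset, rrsigs, [key], now, accept_expired)


if __name__ == "__main__":
    for flag in (False, True):
        o = scenario(flag)
        print(f"accept_expired={flag}: secure={o.secure} attempted={o.attempted} failures={o.failures}")
```

With the default setting the expired and future signatures cost nothing and never touch the quota, so the genuine signature is still reached. With accept-expired on, the expired bogus signature is verified, fails, and consumes a quota slot, which in this constructed case is enough to push the genuine signature past the quota.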
Petr Špaček
903af2e1de
Merge branch 'pspacek/update-sphinx' into 'main'
Update Sphinx version used for documentation build
See merge request isc-projects/bind9!8952
2024-04-18 14:00:33 +00:00
Petr Špaček
da607d6a06
Update Sphinx version used for documentation build
2024-04-18 12:46:13 +02:00
Ondřej Surý
bbb2741de8
Merge branch 'ondrej-offload-statschannel' into 'main'
Offload the isc_http response processing to worker thread
Closes #4680
See merge request isc-projects/bind9!7647
2024-04-18 08:56:06 +00:00
Ondřej Surý
fbea3bb255
Add CHANGES and release note for [GL #4680]
2024-04-18 10:53:31 +02:00
Ondřej Surý
c7ed858c6e
Suppress the leak detection in xmlGetGlobalState
The xmlGetGlobalState allocates per-thread memory that is not properly
cleaned up when the libxml2 is used from offloaded threads. Add the
function to the LeakSanitizer suppression list.
2024-04-18 10:53:31 +02:00
Ondřej Surý
23835c4afe
Use xmlMemSetup() instead of xmlGcMemSetup()
Since we don't have a specialized function for "atomic" allocations,
it's better to just use xmlMemSetup() instead of xmlGcMemSetup()
according to this:
https://mail.gnome.org/archives/xml/2007-August/msg00032.html
2024-04-18 10:53:31 +02:00
Ondřej Surý
950f828cd2
Offload the isc_http response processing to worker thread
Prepare the statistics channel data in the offloaded worker thread, so
the networking thread is not blocked by the process gathering data from
various data structures. Only the netmgr send is then run on the
networking thread when all the data is already there.
2024-04-18 10:53:00 +02:00
Matthijs Mekking
f8a09fd91a
Merge branch '4554-dnssec-policy-jitter' into 'main'
Add signatures-jitter option
Closes #4554
See merge request isc-projects/bind9!8686
2024-04-18 08:11:18 +00:00
Matthijs Mekking
c3d8932f79
Add checkconf check for signatures-jitter
Having a value higher than signatures-validity does not make sense
and should be treated as a configuration error.
2024-04-18 09:50:33 +02:00
Matthijs Mekking
8b7785bc23
Add release notes and CHANGES for #4554
Mention the new signature jitter option.
2024-04-18 09:50:31 +02:00
Matthijs Mekking
67f403a423
Implement signature jitter
When calculating the RRSIG validity, jitter is now derived from the
config option rather than from the refresh value.
2024-04-18 09:50:10 +02:00
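The jitter commits above (the implementation here and the checkconf rule in c3d8932f79 that jitter must not exceed signatures-validity) describe a small calculation worth seeing end to end. The following is an added example, not BIND code: it models the RRSIG expiration as inception plus signatures-validity minus a random offset below the configured jitter, and mirrors the configuration check. The SigPolicy dataclass, the second-based units and the spread() helper are this example's own; the exact formula BIND uses is only modelled.

```python
"""Model of RRSIG validity with signatures-jitter.

Added example, not BIND code. The expiration is modelled as
inception + signatures-validity minus a random offset in [0, jitter);
before the change the jitter was derived from signatures-refresh, after it
the option is its own knob. check_policy() mirrors the named-checkconf
rule from the commit above: a jitter larger than the validity period is a
configuration error. The dataclass, the second-based units and the
spread() helper are this example's own.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SigPolicy:
    validity: int   # signatures-validity, seconds
    refresh: int    # signatures-refresh, seconds
    jitter: int     # signatures-jitter, seconds


def check_policy(p: SigPolicy) -> list:
    """Return configuration errors, empty if the policy is acceptable."""
    errors = []
    if p.jitter < 0:
        errors.append("signatures-jitter must not be negative")
    if p.jitter > p.validity:
        errors.append("signatures-jitter exceeds signatures-validity")
    return errors


def rrsig_expiration(inception: int, p: SigPolicy, rng: random.Random) -> int:
    """Expiration with jitter subtracted so a zone's RRSIGs do not all expire together."""
    jitter = rng.randrange(p.jitter) if p.jitter > 0 else 0
    return inception + p.validity - jitter


def spread(inception: int, p: SigPolicy, count: int, seed: int = 0) -> tuple:
    """(earliest, latest) expiration over `count` signatures; equal when jitter is 0."""
    rng = random.Random(seed)
    exps = [rrsig_expiration(inception, p, rng) for _ in range(count)]
    return min(exps), max(exps)


if __name__ == "__main__":
    now = 1_700_000_000
    good = SigPolicy(validity=14 * 86400, refresh=5 * 86400, jitter=12 * 3600)
    bad = SigPolicy(validity=86400, refresh=3600, jitter=2 * 86400)
    print("good:", check_policy(good) or "ok", spread(now, good, 1000))
    print("bad:", check_policy(bad))
```

Without jitter every RRSIG produced in one signing pass expires in the same second, so the re-signing work lands on the signer all at once; the jitter spreads expirations over a window, and the checkconf rule exists because a jitter larger than the validity period would let the random subtraction produce signatures that are already expired when written.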
Matthijs Mekking
0438d3655b
Refactor code that calculates signature validity
There are three code blocks that are (almost) similar, refactor it
to one function.
2024-04-18 09:50:10 +02:00
Matthijs Mekking
50bd729019
Update autosign test to use signatures-jitter
Now that we have an option to configure jitter, use it in system tests
that test jitter.
2024-04-18 09:50:10 +02:00
Matthijs Mekking
2a4daaedca
Add signatures-jitter option
Add an option to specify signatures jitter.
2024-04-18 09:50:10 +02:00
Petr Špaček
c9ff77c067
Merge tag 'v9.19.23'
2024-04-18 09:21:47 +02:00
Mark Andrews
9360d90bf2
Merge branch '4671-calling-dns_qpkey_toname-twice-fails' into 'main'
Resolve "Calling dns_qpkey_toname twice fails."
Closes #4671
See merge request isc-projects/bind9!8948
2024-04-18 01:05:42 +00:00
Mark Andrews
36c11d9180
Check that name is properly reset by dns_qpkey_toname
2024-04-18 00:17:48 +00:00