OpenSSL has added support for deterministic ECDSA (RFC 6979) with
version 3.2.
Use it by default as it removes arguably its most fragile side of ECDSA.
The derandomization doesn't pose a risk for DNS usecases and is allowed by FIPS 186-5.
Closes https://gitlab.isc.org/isc-projects/bind9/-/issues/299
Merge branch '299-change-ecdsa-to-deterministic-usage-elliptic-curve-digital-signature-algorithm-rfc-6979' into 'main'
Closes#299
See merge request isc-projects/bind9!9128
OpenSSL has added support for deterministic ECDSA (RFC 6979) with
version 3.2.
Use it by default as derandomization doesn't pose a risk for DNS
usecases and is allowed by FIPS 186-5.
During a reconfiguration named wasn't reconfiguring catalog zones'
member zones. This has been fixed.
Closesisc-projects/bind9#4733
Merge branch '4733-fix-catz-member-zones-reconfigure' into 'v9.21.0-release'
See merge request isc-private/bind9!695
This condition in catalog zone processing functions is checked only
for sanity, so there is no meaning for a log message that normally
shouldn't be ever logged.
Catalog zone member zones should be reconfigured as all the other
zones during a reconfiguration. Test it by checking whether the newly
added allow-query setting affects a member zone.
The fcount_incr() was not increasing counter->count when force was set
to true, but fcount_decr() would try to decrease the counter leading to
underflow and assertion failure. Swap the order of the arguments in the
condition, so the !force is evaluated after incrementing the .count.
Closes#4846
Merge branch '4786-forced-fcount_incr-should-still-increment-count-and-allowed-fix' into 'main'
Closes#4846
See merge request isc-projects/bind9!9298
The fcount_incr() was not increasing counter->count when force was set
to true, but fcount_decr() would try to decrease the counter leading to
underflow and assertion failure. Swap the order of the arguments in the
condition, so the !force is evaluated after incrementing the .count.
LaTeX in CI and on ReadTheDocs [fails][1] to render a PDF version of ARM if
the Changelog section is included. The running theory is that the
verbatim section of more than twenty thousand lines is too big to meet
LaTeX self-imposed constraints, and it fails with:
! TeX capacity exceeded, sorry [main memory size=5000000].
Or it just hangs if extra_mem_bot=30000000 is set in
/etc/texmf/texmf.d/01main_memory_bump.cnf:
! Dimension too large.
\fb@put@frame ...p \ifdim \dimen@ >\ht \@tempboxa
\fb@putboxa #1\fb@afterfra...
l.56913 \end{sphinxVerbatim}
Make each BIND 9 release a separate code block to work around the issue.
Further split up the sections for some exceptionally large releases, for
the same reason.
[1]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4584011
Merge branch 'mnowak/fix-arm-changelog-section' into 'main'
See merge request isc-projects/bind9!9266
LaTeX in CI and on ReadTheDocs fails to render a PDF version of ARM if
the Changelog section is included. The running theory is that the
verbatim section of more than twenty thousand lines is too big to meet
LaTeX self-imposed constraints, and it fails with:
! TeX capacity exceeded, sorry [main memory size=5000000].
Or it just hangs if extra_mem_bot=30000000 is set in
/etc/texmf/texmf.d/01main_memory_bump.cnf:
! Dimension too large.
\fb@put@frame ...p \ifdim \dimen@ >\ht \@tempboxa
\fb@putboxa #1\fb@afterfra...
l.56913 \end{sphinxVerbatim}
Make each BIND 9 release a separate code block to work around the issue.
Further split up the sections for some exceptionally large releases, for
the same reason.
Since the enable_fips_mode() now resides inside the isc_tls unit, BIND 9
would fail to compile when FIPS mode was enabled as the DST subsystem
logging functions were missing.
Move the crypto library logging functions from the openssl_link unit to
isc_tls unit and enhance it, so it can now be used from both places
keeping the old dst__openssl_toresult* macros alive.
Merge branch 'ondrej/move-openssl-logging-to-isc_tls-unit' into 'main'
See merge request isc-projects/bind9!9286
Since the enable_fips_mode() now resides inside the isc_tls unit, BIND 9
would fail to compile when FIPS mode was enabled as the DST subsystem
logging functions were missing.
Move the crypto library logging functions from the openssl_link unit to
isc_tls unit and enhance it, so it can now be used from both places
keeping the old dst__openssl_toresult* macros alive.
There were cases in resolver.c when the `max-recursion-queries` quota was ineffective. It was possible to craft zones that would cause a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting errors in the implementation of `max-recursion-queries`, and by reducing the default value from 100 to 32.
In addition, a new `max-query-restarts` option has been added which limits the number of times a recursive server will follow CNAME or DNAME records before terminating resolution. This was previously a hard-coded limit of 16, and now defaults to 11.
Closes#4741
Merge branch '4741-reclimit-restarts' into 'main'
Closes#4741
See merge request isc-projects/bind9!9281
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)
there were cases in resolver.c when queries for NS records were
started without passing a pointer to the parent fetch's query counter;
as a result, the max-recursion-queries quota for those queries started
counting from zero, instead of sharing the limit for the parent fetch,
making the quota ineffective in some cases.
Use `[[noreturn]]` when compiling with C23 or greater.
The attribute macro name has been capitalized as `NORETURN` as defining it as `noreturn` breaks external headers.
`#define noreturn __attribute__((noreturn))` wasn't used as C11's `stdnoreturn.h`/`_Noreturn` is required to build BIND9 in the first place.
Merge branch 'aydin/noreturn-c23' into 'main'
See merge request isc-projects/bind9!9149
Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by
all the programs, create a separate memory context for the DST subsystem
and use the library constructor and destructor to initialize the DST
internals.
Merge branch 'ondrej/move-dst_lib_init-and-destroy-to-lib-ctor-dtor' into 'main'
See merge request isc-projects/bind9!9254
Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by
all the programs, create a separate memory context for the DST subsystem
and use the library constructor and destructor to initialize the DST
internals.
The new Fedora 40 TSAN images use libuv, urcu and OpenSSL libraries compiled with ThreadSanitizer. This (in theory) should enable better detection of memory races in those (most important) libraries.
Merge branch 'ondrej/test-new-tsan-images' into 'main'
See merge request isc-projects/bind9!9264
When the SSL object was destroyed, it would invalidate all SSL_SESSION
objects including the cached, but not yet used, TLS session objects.
Properly disassociate the SSL object from the SSL_SESSION before we
store it in the TLS session cache, so we can later destroy it without
invalidating the cached TLS sessions.
Closes#4834
Merge branch '4834-detach-SSL-from-cached-SSL_SESSION' into 'main'
Closes#4834
See merge request isc-projects/bind9!9271
When the SSL object was destroyed, it would invalidate all SSL_SESSION
objects including the cached, but not yet used, TLS session objects.
Properly disassociate the SSL object from the SSL_SESSION before we
store it in the TLS session cache, so we can later destroy it without
invalidating the cached TLS sessions.
Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Artem Boldariev <artem@isc.org>
Co-authored-by: Aram Sargsyan <aram@isc.org>
When TLS connection (TLSstream) connection was accepted, the children
listening socket was not attached to sock->server and thus it could have
been freed before all the accepted connections were actually closed.
In turn, this would cause us to call isc_tls_free() too soon - causing
cascade errors in pending SSL_read_ex() in the accepted connections.
Properly attach and detach the children listening socket when accepting
and closing the server connections.
Closes#4833
Merge branch '4833-tlssock-needs-to-attach-to-child-tlslistener' into 'main'
Closes#4833
See merge request isc-projects/bind9!9270
When TLS connection (TLSstream) connection was accepted, the children
listening socket was not attached to sock->server and thus it could have
been freed before all the accepted connections were actually closed.
In turn, this would cause us to call isc_tls_free() too soon - causing
cascade errors in pending SSL_read_ex() in the accepted connections.
Properly attach and detach the children listening socket when accepting
and closing the server connections.
Missing file util/dtrace.sh prevented builds on system without dtrace utility.
This has been corrected.
Fixes: #4835
Merge branch 'pspacek/gitattribute-fixes' into 'main'
Closes#4835
See merge request isc-projects/bind9!9262
Ensure that system tests can be executed without Python hypothesis
package.
Closes#4831
Merge branch '4831-isctest-make-hypothesis-optional' into 'main'
Closes#4831
See merge request isc-projects/bind9!9265
Query responses should contain the question section with some exceptions. Dig was not reporting this.
Closes#4808
Merge branch '4808-have-dig-report-missing-question-section-in-axfr-response' into 'main'
Closes#4808
See merge request isc-projects/bind9!9233
The question section should be present in the first AXFR/IXFR
response and in other QUERY responses unless no question was sent.
Issue a warning if the question section is not present.
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
and is going to be removed from the upstream OpenSSL. Remove the OpenSSL
Engine support from BIND 9 in favor of OpenSSL 3.x Providers.
Closes#4828
Merge branch '4828-remove-OpenSSL-engine-support' into 'main'
Closes#4828
See merge request isc-projects/bind9!9252
OpenSSL_version() first appeared in OpenSSL 1.1.0 and have been
available since LibreSSL 2.7.1 and OpenBSD 6.3, thus we can remove the
compatibility shims with older versions that are not supported anymore.
