mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 21:47:59 +00:00

35679 Commits

Author SHA1 Message Date
Evan Hunt
c3fd94cd4d make dnssec-verify and dnssec-signzone read journal files
add a -J option to dnssec-verify and dnssec-signzone to read
a specified journal file when loading a zone.
2022-02-17 12:03:01 -08:00
Ondřej Surý
08026c7ded Merge branch '3149-drop-TCP-connection-when-garbage-is-received' into 'main'
Reset the TCP connection when garbage is received

Closes #3149

See merge request isc-projects/bind9!5849
2022-02-17 20:01:08 +00:00
Ondřej Surý
9f1c439335 Add CHANGES and release note for [GL #3149] 2022-02-17 20:39:55 +01:00
Ondřej Surý
ebfdb50ac7 Add TCP garbage system test
Test if the TCP connection gets reset when garbage instead of a DNS
message is sent.

I'm only happy when it rains
Pour some misery down on me
- Garbage
2022-02-17 20:39:55 +01:00
Ondřej Surý
4716c56ebb Reset the TCP connection when garbage is received
When an invalid DNS message is received, there was a handling mechanism for
DoH that would be called to return a proper HTTP response.

Reuse this mechanism and reset the TCP connection when the client is
blackholed, the DNS message is completely bogus or the ns_client receives
a response instead of a query.
2022-02-17 20:39:55 +01:00
Ondřej Surý
0697288b9d Merge branch '3133-tcp-error-handling' into 'main'
correct TCP error condition handling in dispatch

Closes #3133

See merge request isc-projects/bind9!5810
2022-02-17 10:41:14 +00:00
Evan Hunt
1b25b76921 Add CHANGES note for [GL #3133] 2022-02-17 10:02:38 +01:00
Evan Hunt
b6d40b3c4e correct TCP error handling in dispatch and resolver
- certain TCP result codes, including ISC_R_EOF and
  ISC_R_CONNECTIONRESET, were being mapped to ISC_R_SHUTTINGDOWN
  before calling the response handler in tcp_recv_cancelall().
  the result codes should be passed through to the response handler
  without being changed.

- the response handlers, resquery_response() and req_response(), had
  code to return immediately if encountering ISC_R_EOF, but this is
  not the correct behavior; that should only happen in the case of
  ISC_R_CANCELED when it was the caller that canceled the operation

- ISC_R_CONNECTIONRESET was not being caught in rctx_dispfail().

- removed code in rctx_dispfail() to retry queries without EDNS
  when receiving ISC_R_EOF; this is now treated the same as any
  other connection failure.
2022-02-17 09:59:12 +01:00
Ondřej Surý
ae4cd57ed5 Merge branch '3132-add-send-timeout' into 'main'
Add timeout when writing TCP data

Closes #3132

See merge request isc-projects/bind9!5848
2022-02-17 08:45:17 +00:00
Ondřej Surý
0c35bda762 Add CHANGES and release note for [GL #3132] 2022-02-17 09:07:43 +01:00
Ondřej Surý
ee359d6ffa Update writetimeout to be T_IDLE in netmgr_test.c
Use the isc_nmhandle_setwritetimeout() function in the netmgr unit test
to allow more time for writing and reading the responses because some of
the intervals that are used in the unit tests are really small leaving a
little room for any delays.
2022-02-17 09:06:58 +01:00
Ondřej Surý
a89d9e0fa6 Add isc_nmhandle_setwritetimeout() function
In some situations (unit test and forthcoming XFR timeouts MR), we need
to modify the write timeout independently of the read timeout.  Add an
isc_nmhandle_setwritetimeout() function that could be called before
isc_nm_send() to specify a custom write timeout interval.
2022-02-17 09:06:58 +01:00
Ondřej Surý
b735182ae0 Add TCP write timeout system test
Extend the timeouts system test that bursts the queries for a large TXT
record and never reads any responses back, filling up the server TCP write
buffer.  The test should work with the default wmem_max value on
Linux (208k).
2022-02-17 09:06:58 +01:00
Ondřej Surý
408b362169 Add TCP, TCPDNS and TLSDNS write timer
When the outgoing TCP write buffers are full because the other party is
not reading the data, the uv_write() could wait indefinitely on the
uv_loop and never call the callback.  Add a new write timer that uses
the `tcp-idle-timeout` value to interrupt the TCP connection when we are
not able to send data for a defined period of time.
2022-02-17 09:06:58 +01:00
Ondřej Surý
cd3b58622c Add uv_tcp_close_reset compat
The uv_tcp_close_reset() function was added in libuv 1.32.0 and since we
support older libuv releases, we have to add a shim uv_tcp_close_reset()
implementation loosely based on libuv.
2022-02-17 09:06:58 +01:00
Ondřej Surý
45a73c113f Rename sock->timer to sock->read_timer
Before adding the write timer, we have to rename the generic sock->timer
to sock->read_timer.  We don't touch the function names to limit the
impact of the refactoring.
2022-02-17 09:06:58 +01:00
Evan Hunt
92338f2e29 Merge branch '3157-blackhole-request' into 'main'
negative match on the 'blackhole' ACL could be treated as positive

Closes #3157

See merge request isc-projects/bind9!5853
2022-02-17 06:19:51 +00:00
Evan Hunt
04361b0ad5 CHANGES and release note for [GL #3157] 2022-02-16 19:05:56 -08:00
Evan Hunt
4444b168db negative 'blackhole' ACL match could be treated as positive
There was a bug in the checking of the "blackhole" ACL in
dns_request_create*(), causing an address to be treated as included
in the ACL if it was explicitly *excluded*. Thus, leaving "blackhole"
unset had no effect, but setting it to "none" would cause any
destination addresses to be rejected for dns_request purposes. This
would cause zone transfer requests and SOA queries to fail, among
other things.

The bug has been fixed, and "blackhole { none; };" was added to the
xfer system test as a regression test.
2022-02-16 19:05:06 -08:00
Michał Kępień
5fbbc312a7 Merge branch '3139-log-the-result-of-each-resolver-priming-attempt' into 'main'
Log the result of each resolver priming attempt

Closes #3139

See merge request isc-projects/bind9!5812
2022-02-16 12:27:18 +00:00
Michał Kępień
39df399d9f Add CHANGES entry for [GL #3139] 2022-02-16 13:26:12 +01:00
Michał Kępień
f286c845b0 Log the result of each resolver priming attempt
When a resolver priming attempt completes, the following message is
currently logged:

    resolver priming query complete

This message is identical for both successful and failed priming
attempts.  Consider the following log excerpts:

  - successful priming attempt:

        10-Feb-2022 11:33:11.272 all zones loaded
        10-Feb-2022 11:33:11.272 running
        10-Feb-2022 11:33:19.722 resolver priming query complete

  - failed priming attempt:

        10-Feb-2022 11:33:29.978 all zones loaded
        10-Feb-2022 11:33:29.978 running
        10-Feb-2022 11:33:38.432 timed out resolving '_.org/A/IN': 2001:500:9f::42#53
        10-Feb-2022 11:33:38.522 timed out resolving './NS/IN': 2001:500:9f::42#53
        10-Feb-2022 11:33:42.132 timed out resolving '_.org/A/IN': 2001:500:12::d0d#53
        10-Feb-2022 11:33:42.285 timed out resolving './NS/IN': 2001:500:12::d0d#53
        10-Feb-2022 11:33:44.685 resolver priming query complete

Include the result of each priming attempt in the relevant log message
to give the administrator better insight into named's resolver priming
process.
2022-02-16 13:26:12 +01:00
Ondřej Surý
1e7d666bf5 Merge branch 'ondrej/add-UV_RUNTIME_CHECK-macro' into 'main'
Add UV_RUNTIME_CHECK() macro to print uv_strerror()

See merge request isc-projects/bind9!5838
2022-02-16 10:45:32 +00:00
Ondřej Surý
62bd5cb08c Add semantic patch to keep UV_RUNTIME_CHECK in sync
The UV_RUNTIME_CHECK() macro requires keeping the function name in sync
like this:

    r = func(...);
    UV_RUNTIME_CHECK(func, r);

Add semantic patch to keep the function name and return variable in sync
with the previous line.
2022-02-16 11:16:57 +01:00
Ondřej Surý
8715be1e4b Use UV_RUNTIME_CHECK() as appropriate
Replace the RUNTIME_CHECK() calls for libuv API calls with
UV_RUNTIME_CHECK() to get a more detailed error message when
something fails and should not.
2022-02-16 11:16:57 +01:00
Ondřej Surý
62e15bb06d Add UV_RUNTIME_CHECK() macro to print uv_strerror()
When libuv functions fail, they return a correct return value that could
be useful for more detailed debugging.  Currently, we usually just check
whether the return value is 0 and invoke an assertion error if it isn't,
throwing away the details of why the call has failed.  Unfortunately, this
often happens on more exotic platforms.

Add a UV_RUNTIME_CHECK() macro that can be used to print a more detailed
error message (via uv_strerror()) before ending the execution of the
program abruptly with the assertion.
2022-02-16 11:16:57 +01:00
Ondřej Surý
f4ae230d41 Merge branch 'ondrej/remove-dns_timer-API' into 'main'
Remove unused dns_timer API

See merge request isc-projects/bind9!5818
2022-02-16 09:51:36 +00:00
Ondřej Surý
cdce681cf7 Remove unused dns_timer API
The dns_timer API was unused, and this commit just removes it.
2022-02-16 10:49:48 +01:00
Matthijs Mekking
39004d3b33 Merge branch 'matthijs-document-dnssec-policy-keys-algorithm-match' into 'main'
Update documentation wrt key algorithms

See merge request isc-projects/bind9!5823
2022-02-16 09:40:08 +00:00
Matthijs Mekking
7365400610 Update documentation wrt key algorithms
Add a note to the DNSSEC guide and to the ARM reference that a ZSK/KSK
pair used for signing your zone should have the same algorithm.

This commit also updates the 'dnssec-policy/keys' example to use the
slightly more modern 'rsasha256' algorithm.
2022-02-16 10:21:42 +01:00
Michal Nowak
5fa60c1ce9 Merge branch 'mnowak/make-cocci-parallel' into 'main'
Run spatch jobs in parallel

See merge request isc-projects/bind9!4741
2022-02-14 18:47:39 +00:00
Michal Nowak
48c44fe6d4 Run spatch jobs in parallel
Also make the script more verbose to identify which patch is being
processed and check for failures in spatch standard error output.
2022-02-14 19:38:17 +01:00
Michal Nowak
fcc9ac7bd8 Merge branch 'mnowak/coverity-scan-2021.12' into 'main'
Update Coverity Scan CI job to 2021.12

See merge request isc-projects/bind9!5811
2022-02-14 16:37:07 +00:00
Michal Nowak
f0edf07fbc Update Coverity Scan CI job to 2021.12.1 2022-02-14 12:43:09 +01:00
Petr Špaček
6914a4cda3 Merge branch 'pspacek/rfc-nits' into 'main'
Update and deduplicate list of RFCs in documentation

Closes #1918

See merge request isc-projects/bind9!5813
2022-02-14 11:10:21 +00:00
Artem Boldariev
8058d64dda Mention DoT/DoH related RFCs in the ARM
Mention RFC 7858 (DoT), 8484 (DoH), and 8945 (XoT).
2022-02-14 11:54:39 +01:00
Petr Špaček
63989e98ac Remove rfc-compliance list in plaintext - ARM deduplication
The plaintext version is now fully replaced by the doc/arm/general.rst.
2022-02-14 11:54:39 +01:00
Petr Špaček
7fd61f9403 Reorder list of supported RFCs in more user-oriented manner
For users it's not really important if an RFC is Internet Standard,
Proposed Standard, or Experimental. RFCs are now regrouped by
"Protocol", Best Current Practice, and "catch all" category FYI.
2022-02-14 11:54:39 +01:00
Petr Špaček
4dbad65bfd Replace obsolete RFC2845 reference with RFC8945 (TSIG) 2022-02-14 11:54:39 +01:00
Petr Špaček
2774b497a6 Remove special chapter about IPv6 address formats from ARM
In 2022, IPv6 is not anything unusual, and it was really odd
to have it in a separate section next to a huge list of RFCs.

Fixes: #1918
2022-02-14 11:54:39 +01:00
Petr Špaček
3c83a9d503 Replace obsolete RFC6944 reference with RFC8624 (DNSSEC algorithm status) 2022-02-14 11:54:39 +01:00
Petr Špaček
bd3b310eae Replace obsolete RFC5966 reference with RFC7766 (TCP) 2022-02-14 11:54:39 +01:00
Petr Špaček
f8cb0ac141 Replace obsolete RFC4408 reference with RFC7208 (SPF) 2022-02-14 11:54:39 +01:00
Petr Špaček
16dec1ff58 Replace obsolete RFC2915 reference with RFC3403 (NAPTR) 2022-02-14 11:54:39 +01:00
Petr Špaček
f7225db822 Add link to RFC8749 (DLV is historic) 2022-02-14 11:54:39 +01:00
Petr Špaček
09d6cf89df Add newer version of IDNA RFC to docs 2022-02-14 11:54:39 +01:00
Petr Špaček
9437ea08e1 Remove obsolete RFCs from documentation
There is little point in listing all of the obsolete RFCs. I think it is
more likely to confuse people than to do anything useful.
2022-02-14 11:54:39 +01:00
Petr Špaček
2b5b777c07 Replace obsolete RFC6488 reference with RFC8659 (CAA) 2022-02-14 11:54:39 +01:00
Petr Špaček
b686b5c161 Remove obsolete book reference from ARM 2022-02-14 11:54:39 +01:00
Petr Špaček
f713984886 Use Sphinx footnotes for DNS Reference Information
It limits risk of errors while doing updates, which are next in the
pipeline.
2022-02-14 11:54:34 +01:00