Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection. In this commit, we enable
the lame response detection even when the lame cache is disabled. This
enables stopping answer processing early rather than going through the
whole answer processing flow.
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
Unless being configured with the `no-deprecated` option, OpenSSL 3.0.0
still has the deprecated APIs present and will throw warnings during
compilation, when using them.
Make sure that the old APIs are being used only with the older versions
of OpenSSL.
OpenSSL 3 deprecates most of the DH* family and associated APIs.
Reimplement the existing functionality using a newer set of APIs
which will be used when compiling/linking with OpenSSL 3.0.0 or newer
versions.
OpenSSL 3 deprecates most of the RSA* family and associated APIs.
Reimplement the existing functionality using a newer set of APIs
which will be used when compiling/linking with OpenSSL 3.0.0 or newer
versions.
OpenSSL 3 deprecates most of the EC* family and associated APIs.
Reimplement the existing functionality using a newer set of APIs
which will be used when compiling/linking with OpenSSL 3.0.0 or newer
versions.
EVP_PKEY_eq() is the replacement with a smaller result range (0, 1)
instead of (-1, 0, 1). EVP_PKEY_cmp() is mapped to EVP_PKEY_eq() when
building with older versions of OpenSSL.
The EVP_MD_CTX_new() and EVP_MD_CTX_free() functions are renamed APIs
which were previously available as EVP_MD_CTX_create() and
EVP_MD_CTX_destroy() respectively, which means that we can use them
instead of providing our own shim functions.
OpenSSL 3.0.0 deprecates the ERR_get_error_line_data() function.
Use ERR_get_error_all() instead of ERR_get_error_line_data() and create
a shim to use the old variant for the older OpenSSL versions which don't
have the newer ERR_get_error_all().
OpenSSL 3.0.0 deprecates the EVP_MD_CTX_md() function.
Use EVP_MD_CTX_md() instead of EVP_MD_CTX_get0_md() and create a shim
to use the old variant for the older OpenSSL versions which don't have
the newer EVP_MD_CTX_get0_md().
OpenSSL 3.0.0 deprecates many low level API functions.
In preparation for the future support of linking BIND with OpenSSL 3.0.0
without the deprecated API functions, change the configure.ac script to
use functions which are available on all supported versions of OpenSSL
and LibreSSL.
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.
dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.
dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
Duplicate catalog zone entries caused an assertion failure
in named during configuration. This is now a soft error
that is detected earlier by named and also by named-checkconf.
Update the nsec3 system tests to use the new default values. Change
the policy for "nsec3-other" so that we still have a test case for
non-zero salt length.
When using 'nsec3param' in 'dnssec-policy' and no specific parameters
are provided, default to zero additional iterations and no salt, as
recommended by draft-ietf-dnsop-nsec3-guidance.
For the sake of running ASAN and TSAN jobs with the latest stable GCC,
replace "base image" (Debian Buster with GCC 8.3.0) with Fedora 34 image
with GCC 11.
