mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Commit Graph

34407 Commits

Author SHA1 Message Date
Petr Menšík
dbf71b3f68 Parse 'timeout' and 'attempts' from resolv.conf
It was supported by lwres in BIND 9.11, and is still mentioned in
the manual page. Restore support for it by adding it to libirs.
2021-08-12 09:52:52 -07:00
Artem Boldariev
47cf5c1787 Merge branch 'artem/doh-mem-alloc-optimisations' into 'main'
Optimise memory usage in the DoH code and fix a hard-to-reproduce crash

See merge request isc-projects/bind9!5309
2021-08-12 11:53:54 +00:00
Artem Boldariev
f85d899f55 Add a CHANGES entry for the crash fix [GL #2851]
This commit adds a CHANGES entry for the fixed crash, caused by
detaching from the session->handle too early when sending HTTP/2
session data.
2021-08-12 14:31:44 +03:00
Artem Boldariev
d72b1fa5cd Fix the doh_recv_send() logic in the doh_test
The commit fixes the doh_recv_send() because occasionally it would
fail because it did not wait for all responses to be sent, making the
check for the ssends value not pass.
2021-08-12 14:28:17 +03:00
Artem Boldariev
e639957b58 Optimise TLS stream for small write size (>= 512 bytes)
This commit changes TLS stream behaviour in such a way that it is now
optimised for small writes. In the case there is a need to write less
than or equal to 512 bytes, we could avoid calling the memory allocator
at the expense of a possibly slight increase in memory usage. In case of
larger writes, the behaviour remains unchanged.
2021-08-12 14:28:17 +03:00
Artem Boldariev
e301e1e3b8 Avoid memory copying during send in TLS stream
At least at this point doing memory copying is not required. Probably
it was a workaround for some problem in the earlier days of DoH, at
this point it appears to be a waste of CPU cycles.
2021-08-12 14:28:17 +03:00
Artem Boldariev
bd69c7c57c Simplify buffering code logic in http_send_outgoing()
This commit significantly simplifies the code in http_send_outgoing()
as it was unnecessarily complicated, because it was dealing with
multiple statically and dynamically allocated buffers, making it
extremely hard to follow, as well as making it do unnecessary
memory copying in some situations. This commit fixes these issues,
while retaining the high level buffering logic.
2021-08-12 14:28:17 +03:00
Artem Boldariev
a32faa20b4 DoH: replace a custom buffer code for POST data with isc_buffer_t
This commit replaces the custom buffer code in client-side DoH code
intended to keep track of POST data, with isc_buffer_t.
2021-08-12 14:28:17 +03:00
Artem Boldariev
5b52a7e37e When terminating a client session, mark it as closing
When an HTTP/2 client terminates a session it means that it is about
to close the underlying connection. However, we were not doing that.
As a result, with the latest changes to the test suite, which made it
limit the number of requests per transport connection, the tests
using quota would hang for quite a while. This commit fixes that.
2021-08-12 14:28:17 +03:00
Artem Boldariev
dbca22877a Limit the number of requests sent per connection in DoH tests
This commit ensures that only a limited number of requests is going to
be sent over a single HTTP/2 connection. Before that change was
introduced, it was possible to complete all of the planned sends via
only one transport connection, which undermines the purpose of the
tests using the quota facility.
2021-08-12 14:28:16 +03:00
Artem Boldariev
a05728beb0 Do not call http_do_bio() in isc__nm_http_request()
The function should not be called here because it is, in general,
supposed to be called at the end of the transport level callbacks to
perform I/O, and thus, calling it here is clearly a mistake because it
breaks other code expectations. As a result of the call to
http_do_bio() from within isc__nm_http_request() the unit tests were
running slower than expected in some situations.

In this particular situation http_do_bio() is going to be called at
the end of the transport_connect_cb() (initially), or http_readcb(),
sending all of the scheduled requests at once.

This change affects only the test suite because it is the only place
in the codebase where isc__nm_http_request() is used in order to
ensure that the server is able to handle multiple HTTP/2 streams at
once.
2021-08-12 14:28:16 +03:00
Artem Boldariev
849d38b57b Fix a crash by attaching to the transport socket as early as possible
This commit fixes a crash in DoH caused by the transport handle being
detached too early when sending outgoing data.

We need to attach to the session->handle earlier because as an
indirect result of the nghttp2_session_mem_send() the session might
get closed and the handle detached. However, there still might be
some outgoing data to handle. Besides, even when the underlying socket
was closed via the handle, we still should try to attempt to send
outgoing data via isc_nm_send() to let it call the write callback passed
to the http_send_outgoing().
2021-08-12 14:28:16 +03:00
Artem Boldariev
e0704f2e5d Use isc_buffer_t to keep track of outgoing response
This commit gets rid of custom code taking care of response buffering
by replacing the custom code with isc_buffer_t. Also, it gets rid of
an unnecessary memory copying when sending a response.
2021-08-12 14:28:16 +03:00
Artem Boldariev
6fe4ab39b9 Use isc_buffer_t to keep track of incoming POST data
This commit replaces the ad-hoc 64K buffer for incoming POST data with
isc_buffer_t backed by a dynamically allocated buffer sized according
to the value in the "Content-Length" header.
2021-08-12 14:28:16 +03:00
Artem Boldariev
0ca790d9bf DoH: isc__buffer_usedregion->isc_buffer_usedregion in client_send()
This commit replaces wrong usage of isc__buffer_usedregion() instead
of implied isc_buffer_usedregion().
2021-08-12 14:28:16 +03:00
Artem Boldariev
2733cca3ac Replace ad-hoc DNS message buffer in client code with isc_buffer_t
The commit replaces an ad-hoc incoming DNS-message buffer in the
client-side DoH code with isc_buffer_t.

The commit also fixes a timing issue in the unit tests revealed by the
change.
2021-08-12 14:28:16 +03:00
Artem Boldariev
c819caa3a1 Replace the HTTP/2 session's ad-hoc buffer with isc_buffer_t
This commit replaces a static ad-hoc HTTP/2 session's temporary buffer
with a realloc-able isc_buffer_t object, which is being allocated on
an as-needed basis, lowering the memory consumption somewhat. The buffer
is needed in very rare cases, so allocating it prematurely is not
wise.

Also, it fixes a bug in http_readcb() where the ad-hoc buffer appeared
to be improperly used, leading to a situation when the processed data
from the receiving regions can be processed twice, while unprocessed
data will never be processed.
2021-08-12 14:28:16 +03:00
Mark Andrews
83b1d3b49b Merge branch 'marka-remove-print0-run.sh' into 'main'
Use 'find ... -exec ... {} +' run.sh

See merge request isc-projects/bind9!5315
2021-08-12 01:09:25 +00:00
Mark Andrews
de88d83a78 replace '-print0 | xargs -0' with '-exec ... {} +' 2021-08-12 10:41:27 +10:00
Mark Andrews
ce8527252c Merge branch '2844-rndc-freeze-command-always-fails-perhaps-due-to-in-view' into 'main'
Resolve "`rndc freeze` command always fails, perhaps due to `in-view`"

Closes #2844

See merge request isc-projects/bind9!5311
2021-08-12 00:13:32 +00:00
Mark Andrews
1f8ef7cfe2 Add CHANGES note for [GL #2844] 2021-08-12 09:52:45 +10:00
Mark Andrews
dcdd9a403a Don't freeze / thaw non-explicit in-view zones 2021-08-12 09:52:03 +10:00
Mark Andrews
ebc92b799b Check 'rndc freeze' with in-view zones works 2021-08-12 09:52:03 +10:00
Matthijs Mekking
812d1027f7 Merge branch '1551-dnssec-signzone-prepublish-zsk-support' into 'main'
dnssec-signzone ZSK smooth rollover

Closes #1551

See merge request isc-projects/bind9!5285
2021-08-11 13:35:44 +00:00
Matthijs Mekking
1befaa5d45 Add release note and change entry for [#1551] 2021-08-11 15:15:48 +02:00
Matthijs Mekking
94bb545087 Fix bug in dst_key_copymetadata
When copying metadata from one dst_key to another, when the source
dst_key has a boolean metadata unset, the destination dst_key will
have a numeric metadata unset instead.

This means that if a key has KSK or ZSK unset, we may be clearing the
Predecessor or Successor metadata in the destination dst_key.
2021-08-11 15:15:25 +02:00
Matthijs Mekking
35efbc270f Add test for dnssec-signzone smooth ZSK roll
Add a test case to the dnssec system test to check that:
- a zone with a prepublished key is only signed with the active key.
- a zone with an inactive key but valid signatures retains those
  signatures and does not add signatures from successor key.
- signatures are swapped in a zone when signatures of predecessor
  inactive key are within the refresh interval.
2021-08-11 15:15:25 +02:00
Matthijs Mekking
837adb93d3 dnssec-signzone ZSK smooth rollover
When signing with a ZSK, check if it has a predecessor. If so, and if
the predecessor key is sane (same algorithm, key id matches predecessor
value, is zsk), check if the RRset is signed with this key. If so, skip
signing with this successor key. Otherwise, do sign with the successor
key.

This change means we also need to apply the interval to keys that are
not actively signing. In other words, 'expired' is always
'isc_serial_gt(now + cycle, rrsig.timeexpire)'.

Fix a print style issue ("removing signature by ..." was untabbed).
2021-08-11 15:15:25 +02:00
Matthijs Mekking
efb1f1c5b8 Merge branch 'matthijs-iterations-typo-dnssec-guide' into 'main'
Fix missing iterations value in dnssec-guide

See merge request isc-projects/bind9!5317
2021-08-11 08:39:48 +00:00
Matthijs Mekking
9e109191cc Fix missing iterations value in dnssec-guide
In the "Migrating from NSEC to NSEC3" section, it says:

    dnssec-policy "standard" {
        nsec3param iterations optout no salt-length 16;
    };

There should be an integer after "iterations". Based on the following
text, the number of iterations should be 10.
2021-08-11 08:39:34 +00:00
Michał Kępień
c3689e6d2c Merge branch '2839-placeholder' into 'main'
Add placeholder for GL #2839

See merge request isc-projects/bind9!5318
2021-08-09 19:45:31 +00:00
Michał Kępień
50ee7f930a Add placeholder for GL #2839 2021-08-09 21:41:59 +02:00
Artem Boldariev
0bb2fa307c Merge branch 'artem/doh-no-rwlocks' into 'main'
Get rid of RW locks in the DoH code

See merge request isc-projects/bind9!5278
2021-08-04 07:59:42 +00:00
Artem Boldariev
170cc41d5c Get rid of some HTTP/2 related types when NGHTTP2 is not available
This commit removes definitions of some DoH-related types when
libnghttp2 is not available.
2021-08-04 10:32:27 +03:00
Artem Boldariev
f388b71378 Get rid of RW locks in the DoH code
This commit gets rid of RW locks in a hot path of the DoH code. In the
original design, it was implied that we add new endpoints after the
HTTP listener was created. Such a design implies some locking. We do
not need such flexibility, though. Instead, we could build a set of
endpoints before the HTTP listener gets created. Such a design does
not need RW locks at all.
2021-08-04 10:32:25 +03:00
Mark Andrews
ebb670c8f8 Merge branch '2830-statistics-system-tests-needs-to-save-named-stats-files' into 'main'
Resolve "statistics system tests needs to save named.stats files"

Closes #2830

See merge request isc-projects/bind9!5290
2021-08-03 00:52:15 +00:00
Mark Andrews
53afccf42b save named.stats files 2021-08-02 17:05:06 +10:00
Matthijs Mekking
f563cd570c Merge branch '2836-parental-agents-documentation-missing-string-net' into 'main'
Fix parental-agents documentation

Closes #2836

See merge request isc-projects/bind9!5302
2021-07-27 12:11:05 +00:00
Matthijs Mekking
8d75ec8300 Fix parental-agents documentation
There is a missing string "net" in the ARM in the parental-agents
example.
2021-07-27 14:10:16 +02:00
Artem Boldariev
ca29677200 Merge branch '2809-doh-quota-systest-fix-on-fbsd11' into 'main'
Resolve "Fix the DoH quota stress test on FreeBSD 11"

Closes #2809

See merge request isc-projects/bind9!5304
2021-07-27 07:53:45 +00:00
Artem Boldariev
9e8ff1d6ad Increase the initial TCP timeout for the DoH quota test
This commit increases the idle TCP timeout to let the DoH quota system
test pass on some platforms (namely FreeBSD 11). It turned out to run
slow enough on the CI under load for the idle TCP timeout to kick in.
2021-07-27 10:30:12 +03:00
Artem Boldariev
ae26a1ec75 Refactor the DoH quota stress test to make it more reliable
This commit refactors the DoH quota system test to make it more
reliable.

The test tries to establish dummy TCP connections to stress the quota
one by one instead of in bulk until the BIND instance cannot answer
queries anymore. This design is better because the test itself does
not need to be aware of the actual quota size.
2021-07-27 10:30:11 +03:00
Michal Nowak
fb982dbdea Merge branch 'v9_17_16-release' into 'main'
Merge 9.17.16 release branch

See merge request isc-projects/bind9!5296
2021-07-23 07:28:30 +00:00
Michal Nowak
109bb0db47 Set up release notes for BIND 9.17.17 2021-07-23 09:19:37 +02:00
Michał Kępień
4b18384e60 Drop Windows zips from release tarballs 2021-07-23 09:19:37 +02:00
Michał Kępień
7aa7b0b419 Update BIND version to 9.17.16 2021-07-23 09:19:37 +02:00
Michał Kępień
c5fc7c22f0 Add a CHANGES marker 2021-07-23 09:19:36 +02:00
Michał Kępień
8600f0fa14 Merge branch 'mnowak/prepare-documentation-for-bind-9.17.16' into 'v9_17_16-release'
Prepare documentation for BIND 9.17.16

See merge request isc-private/bind9!307
2021-07-23 09:19:36 +02:00
Michał Kępień
3cc71752d9 Prepare release notes for BIND 9.17.16 2021-07-23 09:19:36 +02:00
Michał Kępień
565ed6f76a Add release note for GL #2758 2021-07-23 09:19:36 +02:00