mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00

35420 Commits

Author SHA1 Message Date
Michał Kępień
7289896043 Merge branch 'rhbz/fedora/2032704' into 'main'
Avoid conflict with ldap_connect function of openldap

See merge request isc-projects/bind9!5665
2021-12-22 21:14:22 +00:00
Petr Mensik
7bce3e7791 Change all internal functions to dlz_ldap prefix
To prevent any conflict in the future, avoid ldap_ prefix in any
internal functions. Keep it reserved for openldap only.
2021-12-22 22:10:05 +01:00
Petr Mensik
49e523e56f Avoid conflict with ldap_connect function of openldap
ldap_connect is defined by OpenLDAP 2.6. Compiler complains there are
conflicting declarations. Use dlz_ldap prefix instead of ldap to avoid
conflict.
2021-12-22 22:10:05 +01:00
Michał Kępień
43d300ddaf Merge branch '2723-add-SSLKEYLOGFILE-support' into 'main'
Add SSLKEYLOGFILE support

Closes #2723

See merge request isc-projects/bind9!5661
2021-12-22 20:08:46 +00:00
Michał Kępień
35eca53647 Add CHANGES entry for GL #2723 2021-12-22 18:17:26 +01:00
Michał Kępień
9c7c48600a Add release note for GL #2723 2021-12-22 18:17:26 +01:00
Michał Kępień
e65f9b60dd Document SSLKEYLOGFILE handling
Add a section to the ARM explaining how to set the SSLKEYLOGFILE
environment variable in order to prepare a key log file for debugging
purposes.
2021-12-22 18:17:26 +01:00
Michał Kępień
9e81903171 Set up default logging for SSLKEYLOGFILE
A customary method of exporting TLS pre-master secrets used by a piece
of software (for debugging purposes, e.g. to examine decrypted traffic
in a packet sniffer) is to set the SSLKEYLOGFILE environment variable to
the path to the file in which this data should be logged.

In order to enable writing any data to a file using the logging
framework provided by libisc, a logging channel needs to be defined and
the relevant logging category needs to be associated with it.  Since the
SSLKEYLOGFILE variable is only expected to contain a path, some defaults
for the logging channel need to be assumed.  Add a new function,
named_log_setdefaultsslkeylogfile(), for setting up those implicit
defaults, which are equivalent to the following logging configuration:

    channel default_sslkeylogfile {
        file "${SSLKEYLOGFILE}" versions 10 size 100m suffix timestamp;
    };

    category sslkeylog {
        default_sslkeylogfile;
    };

This ensures TLS pre-master secrets do not use up more than about 1 GB
of disk space, which should be enough to hold debugging data for the
most recent 1 million TLS connections.

As these values are arguably not universally appropriate for all
deployment environments, a way for overriding them needs to exist.
Suppress creation of the default logging channel for TLS pre-master
secrets when the SSLKEYLOGFILE variable is set to the string "config".
This enables providing custom logging configuration for the relevant
category via the "logging" stanza.  (Note that it would have been
simpler to only skip setting up the default logging channel for TLS
pre-master secrets if the SSLKEYLOGFILE environment variable is not set
at all.  However, libisc only logs pre-master secrets if that variable
is set.  Detecting a "magic" string enables the SSLKEYLOGFILE
environment variable to serve as a single control for both enabling TLS
pre-master secret collection and potentially also indicating where and
how they should be exported.)
2021-12-22 18:17:26 +01:00
Michał Kępień
7983d5fa7c Check for SSL_CTX_set_keylog_callback() support
The SSL_CTX_set_keylog_callback() function is a fairly recent OpenSSL
addition, having first appeared in version 1.1.1.  Add a configure.ac
check for the availability of that function to prevent build errors on
older platforms.  Sort similar checks alphabetically.

This makes the SSLKEYLOGFILE mechanism a silent no-op on unsupported
platforms, which is considered acceptable for a debugging feature.
2021-12-22 18:17:26 +01:00
Michał Kępień
060fed3097 Log TLS pre-master secrets when requested
Generate log messages containing TLS pre-master secrets when the
SSLKEYLOGFILE environment variable is set.  This only ensures such
messages are prepared using the right logging category and passed to
libisc for further processing.

The TLS pre-master secret logging callback needs to be set on a
per-context basis, so ensure it happens for both client-side and
server-side TLS contexts.
2021-12-22 18:17:26 +01:00
Michał Kępień
3081bda798 Add a logging category for TLS pre-master secrets
TLS pre-master secrets will be dumped to disk using the logging
framework provided by libisc.  Add a new logging category for this type
of debugging data in order to enable exporting it to a dedicated
channel.  Derive the name of the new category from the name of the
relevant environment variable, SSLKEYLOGFILE.
2021-12-22 18:17:26 +01:00
Michal Nowak
d7c5d09123 Merge branch 'mnowak/respdiff-job-dependency-fix' into 'main'
Execute respdiff jobs out-of-order

See merge request isc-projects/bind9!5664
2021-12-22 14:18:44 +00:00
Michal Nowak
87578efc71 Execute respdiff jobs out-of-order
Commit 2ececf2c dropped the dependency of the "respdiff" and
"respdiff-third-party" jobs on the "tarball-create" job because these jobs
don't need to depend on it (e.g., for its artifacts). This, however,
caused respdiff jobs not to be started out-of-order, and artifacts
from all the "Build" stage jobs plus the "unit:gcc:buster:amd64" job were
downloaded to the project directory and caused problems with compilation:

Originally, the dependency on "tarball-create" was added in
04f8b65a to indicate that respdiff "is meant to operate on two different
BIND versions". It seems that the intent didn't work out, and we had better
make it obvious that respdiff jobs don't depend on any other job and
should be run out-of-order.
2021-12-22 14:44:51 +01:00
Michal Nowak
077f024c14 Merge branch 'mnowak/freebsd-12.3' into 'main'
Add FreeBSD 12.3

See merge request isc-projects/bind9!5619
2021-12-20 15:58:38 +00:00
Michal Nowak
a4d8571fa2 Add FreeBSD 12.3 2021-12-20 13:59:04 +01:00
Artem Boldariev
1413217fda Merge branch 'artem-doth-reconfig-fix' into 'main'
Fix flakiness in the doth reconfig test

See merge request isc-projects/bind9!5656
2021-12-20 12:46:44 +00:00
Artem Boldariev
84b2141e69 doth system test: reduce number of contexts in ns3
This commit removes unused listen-on statements from the ns3 instance
in order to reduce the startup time. That should help with occasional
system test initialisation hiccups in the CI which happen because the
required instances cannot initialise in time.
2021-12-20 14:28:53 +02:00
Artem Boldariev
2e5f9a0df5 Fix flakiness in the doth reconfig test
Due to the fact that the primary nameserver creates a lot of TLS
contexts, its reconfiguration could take too much time on the CI,
leading to spurious test failures, while in reality it works just
fine.

This commit adds a separate instance for this test which does not use
ephemeral keys (these are costly to generate) and creates a minimal
number of TLS contexts.
2021-12-20 14:28:53 +02:00
Aram Sargsyan
0ad79ab51c Merge branch '2264-tls-ephemeral-rsa-to-ecc' into 'main'
Use ECDSA P-256 instead of 4096-bit RSA for 'tls ephemeral'

Closes #2264

See merge request isc-projects/bind9!5627
2021-12-20 12:10:42 +00:00
Aram Sargsyan
7ae4bc7710 Add CHANGES for [GL #2264] 2021-12-20 10:09:40 +00:00
Aram Sargsyan
5d87725fdc Use ECDSA P-256 instead of 4096-bit RSA for 'tls ephemeral'
ECDSA P-256 performs considerably better than the previously used
4096-bit RSA (can be observed using `openssl speed`), and, according
to RFC 6605, provides a security level comparable to 3072-bit RSA.
2021-12-20 10:09:05 +00:00
Michal Nowak
4a33c43d1f Merge branch 'mnowak/add-fedora-35' into 'main'
Add Fedora 35

See merge request isc-projects/bind9!5554
2021-12-17 14:37:56 +00:00
Michal Nowak
668be42965 Add Fedora 35 2021-12-17 15:34:46 +01:00
Ondřej Surý
cbfd092f0d Merge branch 'ondrej/simplify-address-sanitizer-use-in-mem.c' into 'main'
Simplify Address Sanitizer tweaks in mem.c

See merge request isc-projects/bind9!5643
2021-12-17 14:25:54 +00:00
Ondřej Surý
ee1f8b60c5 Simplify Address Sanitizer tweaks in mem.c
Previously, the whole of isc_mempool_get() and isc_mempool_set() would be
replaced by a simpler version when run with address sanitizer.

Change the code to limit the fillcount to 1 and freemax to 0.  This
change will make isc_mempool_get() always allocate and use a single
new item, and isc_mempool_put() will always return the item to the
allocator.
2021-12-17 14:43:05 +01:00
Michal Nowak
88bce03b93 Merge branch 'mnowak/drop-freebsd-11' into 'main'
Drop FreeBSD 11

See merge request isc-projects/bind9!5606
2021-12-17 11:48:34 +00:00
Michal Nowak
981579f379 Drop FreeBSD 11
Support for FreeBSD 11.4, the last FreeBSD 11.x release, ended on
September 30, 2021.

The "--with-readline" ./configure option has been added to the gcc:sid:amd64
CI job; otherwise, it would be lost with the FreeBSD 11 removal.

Link: https://www.freebsd.org/security/unsupported/
2021-12-17 12:40:48 +01:00
Mark Andrews
7020e2b457 Merge branch '3057-evp_digestsignfinal-needs-the-buffer-length-passed-in' into 'main'
Resolve "EVP_DigestSignFinal needs the buffer length passed in"

Closes #3057

See merge request isc-projects/bind9!5642
2021-12-17 10:27:41 +00:00
Mark Andrews
7b4bff7947 Add CHANGES for [GL #3057] 2021-12-17 20:31:35 +11:00
Mark Andrews
a23507c4fa Pass the digest buffer length to EVP_DigestSignFinal
OpenSSL 3.0.1 does not accept 0 as a digest buffer length when
calling EVP_DigestSignFinal as it now checks that the digest buffer
length is large enough for the digest.  Pass the digest buffer
length instead.
2021-12-17 20:28:01 +11:00
Michal Nowak
9e77e51f72 Merge branch 'mnowak/alpine-3.15' into 'main'
Add Alpine Linux 3.15

See merge request isc-projects/bind9!5595
2021-12-16 15:52:18 +00:00
Michal Nowak
d43127a387 Add Alpine Linux 3.15 2021-12-16 16:43:00 +01:00
Petr Špaček
102c77d6ec Merge branch 'pspacek/ci-api-triggers' into 'main'
Enable regular pipeline jobs to be triggered from Gitlab API

See merge request isc-projects/bind9!5648
2021-12-16 15:00:29 +00:00
Petr Špaček
eb8c8753ad Enable regular pipeline jobs to be triggered from Gitlab API 2021-12-16 15:55:07 +01:00
Petr Špaček
5039a636f0 Merge branch 'v9_17_21-release' into 'main'
Merge 9.17.21 release branch

See merge request isc-projects/bind9!5644
2021-12-16 12:22:45 +00:00
Petr Špaček
3c21d8d499 Set up release notes for BIND 9.17.22 2021-12-16 13:17:13 +01:00
Petr Špaček
c0c023c49a Update BIND version to 9.17.21 2021-12-16 13:17:13 +01:00
Petr Špaček
884d86e754 Add a CHANGES marker 2021-12-16 13:17:13 +01:00
Petr Špaček
e7e18792ba Merge branch 'michal/prepare-documentation-for-bind-9.17.21' into 'v9_17_21-release'
Prepare documentation for BIND 9.17.21

See merge request isc-private/bind9!338
2021-12-16 13:17:12 +01:00
Michał Kępień
7d42bee183 Prepare release notes for BIND 9.17.21 2021-12-16 13:17:12 +01:00
Michał Kępień
513dfd4fcc Reorder release notes 2021-12-16 13:17:12 +01:00
Michał Kępień
a8d5fd88e3 Mention GL #3040 in the release notes 2021-12-16 13:17:12 +01:00
Michał Kępień
da1e73cd4d Add release note for GL #853 2021-12-16 13:17:12 +01:00
Michał Kępień
413e369137 Tweak and reword release notes 2021-12-16 13:17:12 +01:00
Michał Kępień
2c628b792c Tweak recent additions to the ARM 2021-12-16 13:17:07 +01:00
Michal Nowak
135c324311 Merge branch 'mnowak/respdiff-add-third-party-server-support' into 'main'
Add respdiff jobs with third-party recursors

See merge request isc-projects/bind9!5355
2021-12-16 11:51:46 +00:00
Michal Nowak
2ececf2c02 Add respdiff job with third-party recursors
The order of the directories with the reference and test BIND 9 is now
reversed for respdiff.sh.

Drop unnecessary dependency on the tarball-create job.

The data.mdb file is more than 10 GB and makes artifact download take
an unnecessarily long time.
2021-12-16 11:39:16 +01:00
Ondřej Surý
ce2cad5d65 Merge branch '2398-adjust-the-dns_message-mempools' into 'main'
Reduce freemax values for dns_message mempools

Closes #2398

See merge request isc-projects/bind9!5646
2021-12-15 20:43:00 +00:00
Ondřej Surý
72cc25465f Reduce freemax values for dns_message mempools
It was discovered that NAME_FREEMAX and RDATASET_FREEMAX were based on
NAME_FILLCOUNT and RDATASET_FILLCOUNT respectively, multiplied by 8,
and then, when used in isc_mempool_setfreemax, the value would be
multiplied by 32 again.

Keep the 8 multiplier in the #define and remove the 32 multiplier as it
was kept in error.  The default fillcount can fit 99.99% of the requests
under normal circumstances, so we don't need to keep that many free
items on the mempool.
2021-12-15 21:25:00 +01:00
Artem Boldariev
ada8c28fd4 Merge branch '3055-examine-netlink-messages' into 'main'
Resolve #3055 by examining RTM_NEWADDR, RTM_DELADDR messages contents

Closes #3056 and #3055

See merge request isc-projects/bind9!5638
2021-12-15 18:04:25 +00:00