mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Commit Graph

39204 Commits

Author SHA1 Message Date
Tony Finch
8a3a216f40 Support for iterating over the leaves in a qp-trie
The iterator object records a path through the trie, in a similar
manner to the existing dns_rbtnodechain.
2023-04-05 12:35:04 +01:00
Arаm Sаrgsyаn
45893249a6 Merge branch '3993-gcc-12-fanalyzer-claim-dereference-of-NULL' into 'main'
Resolve "GCC 12 static analyzer: error: dereference of NULL 'alginfo' in openssleddsa_link.c"

Closes #3993

See merge request isc-projects/bind9!7791
2023-04-05 08:04:05 +00:00
Aram Sargsyan
48c506c274 INSIST that openssleddsa_alg_info() is successful
In the check_algorithm() function openssleddsa_alg_info() is
called with two known variants of the 'algorithm' argument, and
both are expected to return a non-NULL value.

Add an INSIST to suppress the following GCC 12 analyzer report:

    openssleddsa_link.c: In function 'raw_key_to_ossl':
    openssleddsa_link.c:92:13: error: dereference of NULL 'alginfo' [CWE-476] [-Werror=analyzer-null-dereference]
       92 |         int pkey_type = alginfo->pkey_type;
          |             ^~~~~~~~~
2023-04-05 08:03:43 +00:00
Ondřej Surý
4d1a80aea1 Merge branch '3973-dnsrps-coverity-fixes' into 'main'
silence coverity warnings

Closes #3973

See merge request isc-projects/bind9!7781
2023-04-05 07:24:44 +00:00
Evan Hunt
80e2a23f9e silence coverity warnings
silence coverity warnings in the DNSRPS code:
- CID 451097, failure to check return value of rpz_ready()
- CID 451099, resource leak
2023-04-05 09:23:51 +02:00
Michal Nowak
7e17ed410e Merge branch '3996-pairwise-skip-fips-mode' into 'main'
Revert "Enable FIPS testing in Pairwise"

See merge request isc-projects/bind9!7790
2023-04-05 07:22:36 +00:00
Michal Nowak
a1bd31cbae Revert "Enable FIPS testing in Pairwise"
This reverts commit e987a0c249.

--enable-fips-mode ./configure option does not work on platforms without
FIPS-enabled OpenSSL.
2023-04-05 09:20:17 +02:00
Mark Andrews
8783cd97a8 Merge branch '3994-unnecessary-null-check' into 'main'
Resolve "Unnecessary NULL check"

Closes #3994

See merge request isc-projects/bind9!7783
2023-04-05 00:25:15 +00:00
Mark Andrews
8c5539e905 Remove 'inst != NULL' from cleanup check in plugin_register
'inst' is guaranteed to be non-NULL at this point.

    358        *instp = inst;
    359
    360cleanup:

    CID 281450 (#2 of 2): Dereference before null check (REVERSE_INULL)
    check_after_deref: Null-checking inst suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
    361        if (result != ISC_R_SUCCESS && inst != NULL) {
    362                plugin_destroy((void **)&inst);
    363        }
    364
    365        return (result);
2023-04-04 23:51:22 +00:00
Ondřej Surý
d3190485b8 Merge branch 'ondrej/require-dnspyton-2.0.0-in-shutdown-system-test' into 'main'
Bump the requirement in the shutdown test to dnspython 2.0.0

See merge request isc-projects/bind9!7796
2023-04-04 19:58:31 +00:00
Ondřej Surý
54a3f09c8f Bump the requirement in the shutdown test to dnspython 2.0.0
The dnspython.Resolve.resolve() requires at least dnspython >= 2.0.0;
this wasn't enforced in the shutdown system test, leading to an infinite
loop waiting for the server to start due to a failing resolve() call.
2023-04-04 21:31:58 +02:00
Ondřej Surý
82b52f5d72 Merge branch 'ondrej/require-dnspyton-2.0.0-in-dnstap-system-test' into 'main'
Bump the requirement in dnstap test to dnspython 2.0.0

See merge request isc-projects/bind9!7793
2023-04-04 16:44:01 +00:00
Ondřej Surý
e123b76b0e Bump the requirement in dnstap test to dnspython 2.0.0
The dnspython.Resolve.resolve() requires at least dnspython >= 2.0.0;
this wasn't enforced in the dnstap system test.
2023-04-04 17:21:07 +02:00
Ondřej Surý
d897ad29db Merge branch 'ondrej/add-tests-for-rpz-in-multiple-views' into 'main'
Add test for RPZ in multiple views

See merge request isc-projects/bind9!7711
2023-04-04 14:27:24 +00:00
Ondřej Surý
1734d4a33e Squash both rpzextra tests into tests_rpzextra.py
We don't need a separate module/file for every test. Both the rpz tests
can live in the same file.

The setup/teardown of servers is performed separately for each module --
unless there is a need to do that, it's better to avoid it.
2023-04-04 16:23:13 +02:00
Tom Krizek
2ed26609b8 Use more concise syntax to check responses in rpzextra tests
All the answers are expected to have exactly one resource record. Check
it directly instead of iterating over all (possible) records.
2023-04-04 16:22:26 +02:00
Ondřej Surý
1649c768e9 Add test for RPZ in multiple views
This adds rudimentary test for response-policy zones in multiple
views.  Different combinations are tested:

- two views with response-policy inherited from options {};
- two views with explicit response-policy using the same RPZ zone name;
- two views with explicit response-policy using a secondary RPZ zone.
2023-04-04 16:22:26 +02:00
Ondřej Surý
3b1756d450 Replace dnspython resolver.query() with resolver.resolve()
The resolver.query() has been deprecated in favor of resolver.resolve();
use that.
2023-04-04 16:22:26 +02:00
Ondřej Surý
ba1c9f1fd1 Merge branch 'ondrej/change-dns_adbentry_overquota-to-dns_adb_overquota' into 'main'
Change dns_adbentry_overquota() to dns_adb_overquota()

See merge request isc-projects/bind9!7758
2023-04-04 14:22:20 +00:00
Ondřej Surý
b8d34e960b Change dns_adbentry_overquota() to dns_adb_overquota()
The dns_adbentry_overquota() was violating the layering by accessing the
adbentry struct members directly.  Change it to dns_adb_overquota() to
match the dns_adb API.
2023-04-04 16:21:49 +02:00
Arаm Sаrgsyаn
71a236f6e2 Merge branch '3997-catz-shutdown-crash-in-dns_catz_zones_unref' into 'main'
Resolve "Catalog zone shutdown crash in dns_catz_zones_unref"

Closes #3997

See merge request isc-projects/bind9!7786
2023-04-04 11:09:33 +00:00
Aram Sargsyan
4a0bd69056 Add a CHANGES note for [GL #3997] 2023-04-04 10:33:28 +00:00
Ondřej Surý
2ded876db2 Attach catzs to catz instead of doing this explicitly
Instead of explicitly adding a reference to catzs (catalog zones) when
calling the update callback, attach the catzs to the catz (catalog zone)
object to keep it referenced for the whole time the catz exists.
2023-04-04 10:33:04 +00:00
Ondřej Surý
1c5d1c91fe Merge branch '3984-fix-double-unref-when-shutting-down-dns_xfrin' into 'main'
Don't detach xfr in dns_xfrin_shutdown()

Closes #3984

See merge request isc-projects/bind9!7787
2023-04-04 10:26:10 +00:00
Ondřej Surý
69a23a557b Add CHANGES note for [GL #3984] 2023-04-04 10:32:41 +02:00
Ondřej Surý
05bb89267e Don't detach xfr in dns_xfrin_shutdown()
As we are now using dispatch instead of netmgr for XFR TCP connection,
the xfrin_recv_done() will be called when cancelling the dispatch with
ISC_R_CANCELED.  This could lead to double detach from the dns_xfrin_t,
one in the xfrin_recv_done() and one in the dns_xfrin_shutdown().

Remove the extra detach from the dns_xfrin_shutdown() and rely on the
dispatch read callback to be always called.
2023-04-04 10:26:41 +02:00
Ondřej Surý
2f76fd4142 Merge branch '3989-remove-dead-code-from-dns_xfrin' into 'main'
Fix xfrin_connect_done() error paths

Closes #3989

See merge request isc-projects/bind9!7774
2023-04-04 07:40:59 +00:00
Ondřej Surý
04b851342b Add CHANGES note for [GL #3989] 2023-04-04 09:23:51 +02:00
Ondřej Surý
536e439c79 Fix xfrin_connect_done() error paths
The xfrin_connect_done() had several problems:

- it would not add the server to unreachable table in case of the
  failure coming from the dispatch [GL #3989]

- if dns_dispatch_checkperm() disallowed the connection, the xfr would
  be left undetached

- if xfrin_send_request() failed to send the request, the xfr would be
  left undetached

All of these have been fixed in this commit.
2023-04-04 09:23:51 +02:00
Evan Hunt
ae3209c811 Merge branch 'each-zone-refcount' into 'main'
use ISC_REFCOUNT_IMPL for external dns_zone references

See merge request isc-projects/bind9!7784
2023-04-04 07:08:11 +00:00
Evan Hunt
361c8868b4 use ISC_REFCOUNT_IMPL for external dns_zone references
use the ISC_REFCOUNT implementation for dns_zone_attach() and
_detach(). (this applies only to external zone references, not
to dns_zone_iattach() and dns_zone_idetach().)

use dns_zone_ref() where previously a dummy zone object had been
used to increment the reference count.
2023-04-04 07:07:55 +00:00
Evan Hunt
117dccc01d Merge branch '3975-libdummy-tsan' into 'main'
suppress TSAN reports from dummy DNSRPS library

Closes #3975

See merge request isc-projects/bind9!7782
2023-04-04 07:07:09 +00:00
Evan Hunt
d644c03593 suppress TSAN reports from dummy DNSRPS library
this is a test-only library that will never be used in production.
making it thread safe doesn't need to be a high priority.
2023-04-03 13:24:09 -07:00
Petr Špaček
cfc154cf6a Merge branch '3981-reduce-dnssec-verify-calls' into 'main'
Reduce dns_dnssec_verify calls made checking for revoked trust anchor

Closes #3981

See merge request isc-projects/bind9!7763
2023-04-03 15:45:33 +00:00
Petr Špaček
705a9ced01 Add release note for [GL #3981] 2023-04-03 17:44:42 +02:00
Mark Andrews
5de552d545 Add CHANGES for [GL #3981] 2023-04-03 17:44:41 +02:00
Mark Andrews
21d828241b dns_view_untrust modifies dnskey->flags when it shouldn't
Copy the structure and declare dnskey as const.
2023-04-03 17:43:43 +02:00
Mark Andrews
b5df9b8591 Handle dns_rdata_fromstruct failure dns_keytable_deletekey
dns_rdata_fromstruct in dns_keytable_deletekey can potentially
fail with ISC_R_NOSPACE.  Handle the error condition.
2023-04-03 17:43:43 +02:00
Mark Andrews
e68fecbdaa Reduce the number of verifications required
In selfsigned_dnskey only call dns_dnssec_verify if the signature's
key id matches a revoked key, the trust is pending and the key
matches a trust anchor.  Previously named called dns_dnssec_verify
unconditionally, which resulted in busy work.
2023-04-03 17:43:43 +02:00
Mark Andrews
7278fff579 Add new view method dns_view_istrusted
dns_view_istrusted determines if the given key is treated as
being trusted by the view.
2023-04-03 17:43:40 +02:00
Arаm Sаrgsyаn
1cda61725c Merge branch '3674-nsupdate--t-timeout-does-not-work' into 'main'
Resolve "nsupdate -t timeout does not work"

Closes #3674

See merge request isc-projects/bind9!7279
2023-04-03 15:22:25 +00:00
Aram Sargsyan
98c8135692 nsupdate: set network manager default timeout values
The default values are currently set to 30 seconds; use nsupdate's
default (or overridden using the -t option) timeout value instead.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
ef81775e7b Add a CHANGES note for [GL #3674] 2023-04-03 15:21:43 +00:00
Aram Sargsyan
3ef2a30c75 nsupdate: use the configurable timeout and retry values for all queries
The 'nsupdate' tool, when sending SOA queries, uses hard-coded values
of 3 UDP retries and 5 seconds of timeout for UDP queries, and 100
seconds of timeout for TCP queries.

Use the timeout and retry values which can be configured using the
-t, -u, -r command line options, and which are already used for
sending the update query.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
a00540ac24 Update nsupdate -t option's documentation
Add some clarifications about the -t option's behavior differences
in TCP and UDP modes.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
edcdb881da Do not resend TCP requests
The req_response() function is using the 'udpcount' variable to resend
the request 'udpcount' times on timeout even for TCP requests,
which does not make sense, as it would use the same connection.

Add a condition to use the resend logic only for UDP requests.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
5b37359697 Perform request validation in req_response() before using the pointer
The 'request' pointer is used before it is checked. Perform the check
before using the pointer.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
643abfbba7 Synchronize dns_request_createraw() and dns_request_create() UDP timeout
The dns_request_createraw() function, unlike dns_request_create(), when
calculating the UDP timeout value, doesn't check that 'udpretries' is
not zero, and that is the more logical behavior, because the calculation
formula uses division by 'udpretries + 1', where '1' is the first try.

Change the dns_request_create() function to remove the 'udpretries != 0'
condition.

Add a 'REQUIRE(udpretries != UINT_MAX)' check to protect from a division
by zero.

Make the 'request->udpcount' field represent the number of tries,
instead of the number of retries.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
0ef11c0ccb nsupdate: when set to 0, UDP timeout should be calculated by dns_request
The manual page of nsupdate's '-u udptimeout' option states that, quote:

> If zero, the interval is computed from the timeout interval and number
> of UDP retries.

However, nsupdate sets the UDP timeout value to UINT_MAX when it is 0,
thus, not behaving as documented.

Let dns_request_create() calculate the UDP timeout, if it was set to 0.
2023-04-03 15:21:43 +00:00
Aram Sargsyan
5ce2ed0688 Add nsupdate timeout tests
* nsupdate should take 12 seconds (one try and three retries with
  3 second timeout for each), UDP mode
* nsupdate -u 4 -r 1 should take 8 seconds (one try and one retry with
  4 second timeout for each), UDP mode
* nsupdate -u 0 -t 8 -r 1 should also take 8 seconds, UDP mode
* nsupdate -u 4 -t 30 -r 1 should also take 8 seconds, as -u takes
  precedence over -t, UDP mode
* nsupdate -t 8 -v should also take 8 seconds, TCP mode
2023-04-03 15:21:43 +00:00
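The timeout rules described across the nsupdate commits above (a zero '-u' means the per-try UDP timeout is derived as timeout / (udpretries + 1), '-u' takes precedence over '-t', TCP requests are never resent and wait once for the overall timeout, and udpretries == UINT_MAX must be rejected so the '+ 1' cannot wrap to zero), modelled as an added example in C. This is illustrative code written for this page, not BIND's dns_request_create() or nsupdate source. The defaults it assumes are -t 300, -u 3 and -r 3 (the -u/-r pair matches the 12-second default case in the test commit; the -t value is taken from nsupdate's documented default and is an assumption here).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Illustrative model of nsupdate's -t/-u/-r/-v options (not BIND code).
 * Defaults are assumptions: -t 300, -u 3, -r 3.
 */
#define DEFAULT_TIMEOUT 300U
#define DEFAULT_UDPTIMEOUT 3U
#define DEFAULT_UDPRETRIES 3U

typedef struct {
	unsigned int timeout;    /* -t: overall timeout in seconds */
	unsigned int udptimeout; /* -u: per-try UDP timeout, 0 = derive from -t */
	unsigned int udpretries; /* -r: UDP retries after the first try */
	bool tcp;                /* -v: use TCP instead of UDP */
} nsupdate_opts_t;

static nsupdate_opts_t
nsupdate_defaults(void) {
	nsupdate_opts_t o = { DEFAULT_TIMEOUT, DEFAULT_UDPTIMEOUT,
			      DEFAULT_UDPRETRIES, false };
	return (o);
}

/*
 * Per-try UDP timeout.  A zero -u means "compute from -t and -r", i.e.
 * timeout / (udpretries + 1), where the +1 is the first try.  Returns
 * false when udpretries + 1 would wrap to zero; this is the condition the
 * REQUIRE(udpretries != UINT_MAX) in the commit above guards against, so
 * the division below can never be by zero.
 */
static bool
udp_timeout_per_try(const nsupdate_opts_t *o, unsigned int *per_try) {
	if (o->udpretries == UINT_MAX) {
		return (false);
	}
	if (o->udptimeout != 0) {
		*per_try = o->udptimeout; /* -u takes precedence over -t */
	} else {
		*per_try = o->timeout / (o->udpretries + 1);
	}
	return (true);
}

/*
 * Worst-case wall-clock wait against a server that never answers.
 * TCP: one wait for the overall timeout (no resends on one connection).
 * UDP: per_try seconds for each of (udpretries + 1) tries.
 */
static bool
worst_case_wait(const nsupdate_opts_t *o, unsigned int *seconds) {
	unsigned int per_try;

	if (o->tcp) {
		*seconds = o->timeout;
		return (true);
	}
	if (!udp_timeout_per_try(o, &per_try)) {
		return (false);
	}
	*seconds = per_try * (o->udpretries + 1);
	return (true);
}

int
main(void) {
	nsupdate_opts_t o = nsupdate_defaults();
	unsigned int s;

	if (worst_case_wait(&o, &s)) {
		printf("defaults, UDP: %u s\n", s);
	}
	o = nsupdate_defaults();
	o.udptimeout = 0;
	o.timeout = 8;
	o.udpretries = 1;
	if (worst_case_wait(&o, &s)) {
		printf("-u 0 -t 8 -r 1, UDP: %u s\n", s);
	}
	o = nsupdate_defaults();
	o.udpretries = UINT_MAX;
	if (!worst_case_wait(&o, &s)) {
		printf("-r %u rejected (would divide by zero)\n", UINT_MAX);
	}
	return (0);
}
```

Each case in the test commit above maps onto one call: the default options give 3 s × 4 tries = 12 s, '-u 4 -r 1' gives 4 s × 2 = 8 s, '-u 0 -t 8 -r 1' derives 8 / 2 = 4 s per try for 8 s total, '-u 4 -t 30 -r 1' ignores -t and gives 8 s, and '-t 8 -v' waits once for 8 s.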