Merge branch '3472-ipv4-only-mode-not-respected-for-zone-transfers' into 'main'

Resolve "IPv4-only mode not respected for zone transfers"

Closes #3472

See merge request isc-projects/bind9!8522

CHANGES

@@ -1,3 +1,8 @@
+6394.	[bug]		Named's -4 and -6 options now apply to zone primaries,
+			also-notify and parental-agents.  Report when a zone
+			has these options configured but does not have an IPv4
+			or IPv6 address listed respectively. [GL #3472]
+
 6393.	[func]		Deal with uv_tcp_close_reset() error return codes
 			more gracefully. [GL #4708]
 

bin/tests/system/runtime/ns2/named-alt5.conf.in

@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	dnssec-validation no;
+};
+
+zone "ipv4-only-servers" {
+	type secondary;
+	primaries { 10.53.0.3; };
+};
+
+zone "ipv6-only-servers" {
+	type secondary;
+	primaries { fd92:7065:b8e:ffff::2; };
+};

bin/tests/system/runtime/setup.sh

@@ -21,6 +21,7 @@ copy_setports ns2/named-alt1.conf.in ns2/named-alt1.conf
 copy_setports ns2/named-alt2.conf.in ns2/named-alt2.conf
 copy_setports ns2/named-alt3.conf.in ns2/named-alt3.conf
 copy_setports ns2/named-alt4.conf.in ns2/named-alt4.conf
+copy_setports ns2/named-alt5.conf.in ns2/named-alt5.conf
 
 mkdir ns2/nope
 chmod 555 ns2/nope

bin/tests/system/runtime/tests.sh

@@ -196,6 +196,32 @@ test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking that named log missing IPv4 primaries in -4 mode ($n)"
+ret=0
+INSTANCE_NAME="missing-primaries-ipv4-only-mode"
+testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D "${INSTANCE_NAME}" -4)
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "IPv6 disabled and no IPv4 primaries" ns2/named$n.run >/dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named log missing IPv6 primaries in -6 mode ($n)"
+ret=0
+INSTANCE_NAME="missing-primaries-ipv4-only-mode"
+testpid=$(run_named ns2 named$n.run -c named-alt5.conf -D "${INSTANCE_NAME}" -6)
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "IPv4 disabled and no IPv6 primaries" ns2/named$n.run >/dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "verifying that named switches UID ($n)"
 if [ "$(id -u)" -eq 0 ]; then

lib/dns/zone.c

@@ -5910,6 +5910,32 @@ unlock:
 	UNLOCK_ZONE(zone);
 }
 
+static bool
+has_pf(isc_sockaddr_t *addresses, size_t count, int pf) {
+	for (size_t i = 0; i < count; i++) {
+		if (isc_sockaddr_pf(&addresses[i]) == pf) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static void
+report_no_active_addresses(dns_zone_t *zone, isc_sockaddr_t *addresses,
+			   size_t count, const char *what) {
+	if (isc_net_probeipv4() == ISC_R_DISABLED) {
+		if (!has_pf(addresses, count, AF_INET6)) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "IPv4 disabled and no IPv6 %s", what);
+		}
+	} else if (isc_net_probeipv6() == ISC_R_DISABLED) {
+		if (!has_pf(addresses, count, AF_INET)) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "IPv6 disabled and no IPv4 %s", what);
+		}
+	}
+}
+
 void
 dns_zone_setprimaries(dns_zone_t *zone, isc_sockaddr_t *addresses,
 		      isc_sockaddr_t *sources, dns_name_t **keynames,
@@ -5950,6 +5976,8 @@ dns_zone_setprimaries(dns_zone_t *zone, isc_sockaddr_t *addresses,
 		goto unlock;
 	}
 
+	report_no_active_addresses(zone, addresses, count, "primaries");
+
 	/*
 	 * Now set up the primaries and primary key lists.
 	 */
@@ -5992,6 +6020,8 @@ dns_zone_setparentals(dns_zone_t *zone, isc_sockaddr_t *addresses,
 		goto unlock;
 	}
 
+	report_no_active_addresses(zone, addresses, count, "parental-agents");
+
 	/*
 	 * Now set up the parentals and parental key lists.
 	 */
@@ -12231,7 +12261,14 @@ notify_find_address(dns_notify_t *notify) {
 	dns_adb_t *adb = NULL;
 
 	REQUIRE(DNS_NOTIFY_VALID(notify));
-	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET | DNS_ADBFIND_INET6;
+
+	options = DNS_ADBFIND_WANTEVENT;
+	if (isc_net_probeipv4() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET;
+	}
+	if (isc_net_probeipv6() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET6;
+	}
 
 	dns_view_getadb(notify->zone->view, &adb);
 	if (adb == NULL) {
@@ -12652,6 +12689,10 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 		src = dns_remote_sourceaddr(&zone->notify);
 		INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
 
+		if (isc_sockaddr_disabled(&dst)) {
+			goto next;
+		}
+
 		if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) {
 			if (key != NULL) {
 				dns_tsigkey_detach(&key);
@@ -14150,6 +14191,10 @@ again:
 	curraddr = dns_remote_curraddr(&zone->primaries);
 	isc_netaddr_fromsockaddr(&primaryip, &curraddr);
 
+	if (isc_sockaddr_disabled(&curraddr)) {
+		goto skip_primary;
+	}
+
 	/*
 	 * First, look for a tsig key in the primaries statement, then
 	 * try for a server key.
@@ -18316,12 +18361,19 @@ sendtoprimary(dns_forward_t *forward) {
 		return (ISC_R_CANCELED);
 	}
 
+next:
 	if (forward->which >= dns_remote_count(&forward->zone->primaries)) {
 		UNLOCK_ZONE(zone);
 		return (ISC_R_NOMORE);
 	}
 
 	forward->addr = dns_remote_addr(&zone->primaries, forward->which);
+
+	if (isc_sockaddr_disabled(&forward->addr)) {
+		forward->which++;
+		goto next;
+	}
+
 	/*
 	 * Always use TCP regardless of whether the original update
 	 * used TCP.
@@ -20965,7 +21017,14 @@ checkds_find_address(dns_checkds_t *checkds) {
 	dns_adb_t *adb = NULL;
 
 	REQUIRE(DNS_CHECKDS_VALID(checkds));
-	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET | DNS_ADBFIND_INET6;
+
+	options = DNS_ADBFIND_WANTEVENT;
+	if (isc_net_probeipv4() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET;
+	}
+	if (isc_net_probeipv6() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET6;
+	}
 
 	dns_view_getadb(checkds->zone->view, &adb);
 	if (adb == NULL) {
@@ -21265,6 +21324,10 @@ checkds_send(dns_zone_t *zone) {
 		src = dns_remote_sourceaddr(&zone->parentals);
 		INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
 
+		if (isc_sockaddr_disabled(&dst)) {
+			goto next;
+		}
+
 		/* TODO: glue the transport to the checkds request */
 
 		if (checkds_isqueued(zone, NULL, &dst, key, transport)) {

lib/isc/include/isc/sockaddr.h

@@ -241,4 +241,11 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa);
  * Minimum size of array to pass to isc_sockaddr_format().
  */
 
+bool
+isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Report whether or not the address family of 'sockaddr'
+ * has been disabled.
+ */
+
 ISC_LANG_ENDDECLS

lib/isc/sockaddr.c

@@ -467,3 +467,15 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa) {
 
 	return (ISC_R_SUCCESS);
 }
+
+bool
+isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr) {
+	if ((sockaddr->type.sa.sa_family == AF_INET &&
+	     isc_net_probeipv4() == ISC_R_DISABLED) ||
+	    (sockaddr->type.sa.sa_family == AF_INET6 &&
+	     isc_net_probeipv6() == ISC_R_DISABLED))
+	{
+		return (true);
+	}
+	return (false);
+}