From 565731ceea4f82aa835330a9b6c6e7c6558a1679 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 24 May 2024 13:16:16 +0000 Subject: [PATCH 1/9] Test that 'rndc reconfig' reconfigures catz member zones Catalog zone member zones should be reconfigured as all the other zones during a reconfiguration. Test it by checking whether the newly added allow-query setting affects a member zone. (cherry picked from commit cd04b89dba85781c194f22ce6fe358c972a14758) --- bin/tests/system/catz/ns2/named1.conf.in | 1 + bin/tests/system/catz/tests.sh | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in index 882a4bab4f..b13d912ad7 100644 --- a/bin/tests/system/catz/ns2/named1.conf.in +++ b/bin/tests/system/catz/ns2/named1.conf.in @@ -27,6 +27,7 @@ options { listen-on-v6 { fd92:7065:b8e:ffff::2; }; notify no; recursion no; +#T5 allow-query { 10.53.0.99; }; serial-query-rate 100; dnssec-validation no; }; diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 8e54e0c549..713db3b890 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh 
@@ -703,6 +703,23 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +# GL #4733 +n=$((n + 1)) +echo_i "reconfiguring secondary - checking if catz member zones are reconfigured ($n)" +ret=0 +sed -e "s/^#T5//" ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that dom3.example. is refused by secondary because of an activated allow-query ($n)" +ret=0 +wait_for_no_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + n=$((n + 1)) echo_i "reconfiguring secondary - reverting the bad configuration ($n)" ret=0 From 4379141fe4f08a057dcb20fae0b6d1735cd8e008 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 24 May 2024 13:18:15 +0000 Subject: [PATCH 2/9] Reconfigure catz member zones during named reconfiguration During a reconfiguration named doesn't reconfigure catalog zones member zones. Implement the necessary code to reconfigure catz member zones. (cherry picked from commit fd71ed5d73ae2dc968e8782ce652fb8ef257c25e) --- bin/named/server.c | 132 +++++++++++++++++++++++++++++++------ lib/dns/catz.c | 7 ++ lib/dns/include/dns/catz.h | 9 +++ 3 files changed, 127 insertions(+), 21 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 40b808a817..471793418e 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -324,6 +324,12 @@ typedef struct catz_chgzone_event { bool mod; } catz_chgzone_event_t; +typedef struct catz_reconfig_data { + dns_catz_zone_t *catz; + const cfg_obj_t *config; + catz_cb_data_t *cbd; +} catz_reconfig_data_t; + typedef struct { unsigned int magic; #define DZARG_MAGIC ISC_MAGIC('D', 'z', 'a', 'r') 
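Review bot: The new check `wait_for_no_soa @10.53.0.2 dom3.example. dig.out.test$n` only establishes that no SOA came back; if wait_for_no_soa is the usual catz helper that greps the dig output for an SOA record, it would also pass when the member zone had been dropped from the view or when named stopped answering, not only when the new allow-query refused the query. Since GL #4733 is about the member zone honouring the reconfigured ACL, pinning the rcode as well, e.g. `grep 'status: REFUSED' dig.out.test$n > /dev/null || ret=1` after the wait, would make the test fail for the right reason. The `sed -e "s/^#T5//" ns2/named.conf.tmp` line as shown has no input/output redirection; that looks like the page lost angle-bracketed text rather than a defect in the commit, and the earlier #T3/#T4 steps in this file presumably show the intended form. wait_for_no_soa is defined outside this hunk.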
@@ -441,7 +447,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, - bool modify); + bool is_catz_member, bool modify); static void configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, @@ -2803,7 +2809,7 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { isc_buffer_free(&confbuf); } /* - * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer3() + * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer() * failed. */ if (result != ISC_R_SUCCESS) { @@ -2827,10 +2833,11 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { result = isc_task_beginexclusive(task); RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_view_thaw(ev->view); - result = configure_zone( - cfg->config, zoneobj, cfg->vconfig, ev->cbd->server->mctx, - ev->view, &ev->cbd->server->viewlist, - &ev->cbd->server->kasplist, cfg->actx, true, false, ev->mod); + result = configure_zone(cfg->config, zoneobj, cfg->vconfig, + ev->cbd->server->mctx, ev->view, + &ev->cbd->server->viewlist, + &ev->cbd->server->kasplist, cfg->actx, true, + false, true, ev->mod); dns_view_freeze(ev->view); isc_task_endexclusive(task); 
@@ -3028,6 +3035,87 @@ catz_modzone(dns_catz_entry_t *entry, dns_catz_zone_t *origin, dns_view_t *view, DNS_EVENT_CATZMODZONE)); } +static void +catz_reconfigure(dns_catz_entry_t *entry, dns_view_t *view, + catz_reconfig_data_t *data) { + isc_buffer_t namebuf; + isc_buffer_t *confbuf = NULL; + const cfg_obj_t *zlist = NULL; + char nameb[DNS_NAME_FORMATSIZE]; + cfg_obj_t *zoneconf = NULL; + cfg_obj_t *zoneobj = NULL; + ns_cfgctx_t *cfg = NULL; + dns_zone_t *zone = NULL; + isc_result_t result; + + isc_buffer_init(&namebuf, nameb, DNS_NAME_FORMATSIZE); + dns_name_totext(dns_catz_entry_getname(entry), DNS_NAME_OMITFINALDOT, + &namebuf); + isc_buffer_putuint8(&namebuf, 0); + + result = dns_view_findzone(view, dns_catz_entry_getname(entry), &zone); + if (result != ISC_R_SUCCESS) { + return; + } + + cfg = (ns_cfgctx_t *)view->new_zone_config; + if (cfg == NULL) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "catz_reconfigure: allow-new-zones statement " + "missing from config; cannot reconfigure a " + "member zone"); + goto cleanup; + } + + result = dns_catz_generate_zonecfg(data->catz, entry, &confbuf); + if (result == ISC_R_SUCCESS) { + cfg_parser_reset(cfg->add_parser); + result = cfg_parse_buffer(cfg->add_parser, confbuf, "catz", 0, + &cfg_type_addzoneconf, 0, &zoneconf); + isc_buffer_free(&confbuf); + } + /* + * Fail if either dns_catz_generate_zonecfg() or cfg_parse_buffer() + * failed. 
+ */ + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "catz_reconfigure: error \"%s\" while trying to " + "generate config for member zone '%s'", + isc_result_totext(result), nameb); + goto cleanup; + } + + CHECK(cfg_map_get(zoneconf, "zone", &zlist)); + if (!cfg_obj_islist(zlist)) { + CHECK(ISC_R_FAILURE); + } + zoneobj = cfg_listelt_value(cfg_list_first(zlist)); + + result = configure_zone(data->config, zoneobj, cfg->vconfig, + data->cbd->server->mctx, view, + &data->cbd->server->viewlist, + &data->cbd->server->kasplist, cfg->actx, true, + false, true, true); + if (result != ISC_R_SUCCESS) { + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, + "catz_reconfigure : error \"%s\" while trying to " + "reconfigure member zone '%s'", + isc_result_totext(result), nameb); + goto cleanup; + } + +cleanup: + if (zoneconf != NULL) { + cfg_obj_destroy(cfg->add_parser, &zoneconf); + } + + dns_zone_detach(&zone); +} + static isc_result_t configure_catz_zone(dns_view_t *view, dns_view_t *pview, const cfg_obj_t *config, const cfg_listelt_t *element) { @@ -3066,18 +3154,18 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview, if (result == ISC_R_EXISTS) { isc_ht_iter_t *it = NULL; + catz_reconfig_data_t data = { + .catz = zone, + .config = config, + .cbd = (catz_cb_data_t *)dns_catz_zones_get_udata( + view->catzs), + }; RUNTIME_CHECK(pview != NULL); /* - * xxxwpk todo: reconfigure the zone!!!! - */ - cfg_obj_log(catz_obj, named_g_lctx, DNS_CATZ_ERROR_LEVEL, - "catz: catalog zone '%s' will not be reconfigured", - str); - /* - * We have to walk through all the member zones and attach - * them to current view + * We have to walk through all the member zones, attach + * them to the current view and reconfigure */ dns_catz_get_iterator(zone, &it); 
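Review bot: catz_reconfigure returns void and, when configure_zone fails for a member zone, only logs and jumps to cleanup, so configure_catz_zone cannot tell that the zone kept its previous configuration; because the caller has already attached the zone to the new view, a member zone that failed to pick up a tightened allow-query (exactly the case the new test exercises) would stay live under its old, possibly more permissive ACL with nothing but an error-level log line. Returning `isc_result_t` from catz_reconfigure (ISC_R_SUCCESS for the early `dns_view_findzone` miss, otherwise `result`) and letting the caller record or propagate the failure would make the partial reconfiguration visible. Minor: the log prefix `"catz_reconfigure : error"` has a stray space before the colon, unlike the generate-config message above it.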
@@ -3100,6 +3188,8 @@ configure_catz_zone(dns_view_t *view, dns_view_t *pview, dns_zone_setview(dnszone, view); dns_view_addzone(view, dnszone); + catz_reconfigure(entry, view, &data); + /* * The dns_view_findzone() call above increments the * zone's reference count, which we need to decrement @@ -4228,7 +4318,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, viewlist, kasplist, actx, false, - old_rpz_ok, false)); + old_rpz_ok, false, false)); zone_element_latest = element; } @@ -6502,7 +6592,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, - bool modify) { + bool is_catz_member, bool modify) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ dns_zone_t *raw = NULL; /* New or reused raw zone */ @@ -6765,7 +6855,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, } } - if (view->catzs != NULL && + if (!is_catz_member && view->catzs != NULL && dns_catz_get_zone(view->catzs, origin) != NULL) { zone_is_catz = true; @@ -8066,7 +8156,7 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, CHECK(configure_zone(config, zconfig, vconfig, mctx, view, &named_g_server->viewlist, &named_g_server->kasplist, actx, true, - false, false)); + false, false, false)); } result = ISC_R_SUCCESS; @@ -8250,7 +8340,7 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config, cfg_aclconfctx_t *actx) { return (configure_zone( config, zconfig, vconfig, mctx, view, &named_g_server->viewlist, - &named_g_server->kasplist, actx, true, false, false)); + &named_g_server->kasplist, actx, true, false, false, false)); } /*% 
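Review bot: `.cbd = (catz_cb_data_t *)dns_catz_zones_get_udata(view->catzs)` trusts that the udata stored in the zone-method table is a catz_cb_data_t and is non-NULL, and catz_reconfigure then dereferences `data->cbd->server` without a check, so a catzs created with different or absent udata would crash inside reconfig instead of failing cleanly. A `RUNTIME_CHECK(data.cbd != NULL);` beside the existing `RUNTIME_CHECK(pview != NULL);` would state the assumption in the same style the surrounding code already uses. configure_catz_zone starts and ends outside this hunk.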
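Review bot: The new condition `if (!is_catz_member && view->catzs != NULL && dns_catz_get_zone(view->catzs, origin) != NULL)` short-circuits the catalog-zone lookup for member zones, so a member zone whose name coincides with a configured catalog zone is no longer set up as a catalog zone. That is presumably intended (a catalog should not be able to declare itself, or another catalog, as a member), but the reason is not visible at the site; a comment such as `/* A zone added from a catalog is never itself treated as a catalog zone, even if a catalog zone of the same name is configured. */` would save the next reader from wondering whether the flag is a workaround. configure_zone continues outside this hunk.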
@@ -13944,7 +14034,7 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, result = configure_zone(cfg->config, zoneobj, cfg->vconfig, server->mctx, view, &server->viewlist, &server->kasplist, cfg->actx, true, false, - false); + false, false); dns_view_freeze(view); isc_task_endexclusive(server->task); @@ -14132,7 +14222,7 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, result = configure_zone(cfg->config, zoneobj, cfg->vconfig, server->mctx, view, &server->viewlist, &server->kasplist, cfg->actx, true, false, - true); + false, true); dns_view_freeze(view); exclusive = false; diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 613805221f..f5505b1590 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -806,6 +806,13 @@ cleanup_task: return (result); } +void * +dns_catz_zones_get_udata(dns_catz_zones_t *catzs) { + REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); + + return (catzs->zmm->udata); +} + void dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) { REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h index ab5c614e96..d0acefba57 100644 --- a/lib/dns/include/dns/catz.h +++ b/lib/dns/include/dns/catz.h @@ -307,6 +307,15 @@ dns_catz_new_zones(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, * */ +void * +dns_catz_zones_get_udata(dns_catz_zones_t *catzs); +/*%< + * Get the 'udata' member of the zone methods which was set when creating catzs. + * + * Requires: + * \li 'catzs' is a valid dns_catz_zones_t. + */ + isc_result_t dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name, dns_catz_zone_t **catzp); From 2e6e4cdb55ed2804c1994ebbe629f7ef064561a4 Mon Sep 17 00:00:00 2001 
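Review bot: The catz.h comment for dns_catz_zones_get_udata says what it returns but not who owns it: the `void *` is the caller's own udata handed in at creation time, returned borrowed, and the new server.c caller immediately casts it to catz_cb_data_t and dereferences it. A line such as ` * Returns a borrowed pointer: the caller must not free it and must not use it after 'catzs' is destroyed.` in the header comment would pin that down. Whether `catzs->zmm` can be NULL at this point is not visible from the hunk; if dns_catz_new_zones does not require it, the REQUIRE here should cover it too.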
From: Aram Sargsyan Date: Tue, 9 Jul 2024 10:41:19 +0000 Subject: [PATCH 3/9] Non empty 'catalog-zones' implies that 'allow-new-zones' is true This condition in catalog zone processing functions is checked only for sanity, so there is no meaning for a log message that normally shouldn't be ever logged. (cherry picked from commit 0b3c8ee55e6cda1f2de35aa15f6a4d82d072c309) --- bin/named/server.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/bin/named/server.c b/bin/named/server.c index 471793418e..dd0b859cfd 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -2682,13 +2682,13 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) { ns_cfgctx_t *cfg; dns_zone_t *zone = NULL; + /* + * A non-empty 'catalog-zones' statement implies that 'allow-new-zones' + * is true, so this is expected to be non-NULL. + */ cfg = (ns_cfgctx_t *)ev->view->new_zone_config; if (cfg == NULL) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "catz: allow-new-zones statement missing from " - "config; cannot add zone from the catalog"); - goto cleanup; + CHECK(ISC_R_FAILURE); } name = dns_catz_entry_getname(ev->entry); @@ -3058,14 +3058,13 @@ catz_reconfigure(dns_catz_entry_t *entry, dns_view_t *view, return; } + /* + * A non-empty 'catalog-zones' statement implies that 'allow-new-zones' + * is true, so this is expected to be non-NULL. + */ cfg = (ns_cfgctx_t *)view->new_zone_config; if (cfg == NULL) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "catz_reconfigure: allow-new-zones statement " - "missing from config; cannot reconfigure a " - "member zone"); - goto cleanup; + CHECK(ISC_R_FAILURE); } result = dns_catz_generate_zonecfg(data->catz, entry, &confbuf); From b3af74292602c3bfa0736943a8e959d00fdf8dae Mon Sep 17 00:00:00 2001 
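Review bot: Replacing the logged `goto cleanup` with `CHECK(ISC_R_FAILURE)` turns what the commit message calls a pure sanity check into a silent failure: if new_zone_config ever is NULL here, the catalog-zone add/modify or the member reconfiguration is simply dropped with no trace, which is the hardest kind of misbehaviour to diagnose in a name server. If the invariant really holds (a non-empty catalog-zones statement implies allow-new-zones), the idiomatic BIND form is `INSIST(cfg != NULL);`, which documents the assumption and fails loudly; if it might not hold, the original log line should stay. Both enclosing functions start and end outside these hunks.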
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Tue, 13 Aug 2024 14:17:00 +0200
Subject: [PATCH 4/9] Generate release documentation
---
 doc/arm/changelog.rst | 193 ++++++++++++++++++++++++++++++++++++++++++
 doc/notes/notes-9.18.29.rst | 93 +++++++++++++++++
 2 files changed, 286 insertions(+)
 create mode 100644 doc/notes/notes-9.18.29.rst
diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst
index 6b8d6623e1..3433c583d9 100644
--- a/doc/arm/changelog.rst
+++ b/doc/arm/changelog.rst
@@ -18,6 +18,199 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. + ``fe3ae71e90`` + + There were cases in resolver.c when the `max-recursion-queries` quota + was ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of `max-recursion-queries`, and by + reducing the default value from 100 to 32. + + In addition, a new `max-query-restarts` option has been added which + limits the number of times a recursive server will follow CNAME or + DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + :gl:`!9283` + +- Generate changelog from git log. ``21a0b6aef7`` + + Use a single source of truth, the git log, to generate the list of + CHANGES. Use the .rst format and include it in the ARM for a quick + reference with proper gitlab links to issues and merge requests. + :gl:`#75` :gl:`!9181` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Use _exit() in the fatal() function. ``e4c483f45f`` + + Since the fatal() isn't a correct but rather abrupt termination of the + program, we want to skip the various atexit() calls because not all + memory might be freed during fatal() call, etc. Using _exit() instead + of exit() has this effect - the program will end, but no destructors + or atexit routines will be called. :gl:`!9263` + +- Fix data race in clean_finds_at_name. ``541726871d`` + + Stop updating `find.result_v4` and `find.result_v4` in + `clean_finds_at_name`. The values are supposed to be + static. :gl:`#4118` :gl:`!9198` + +Bug Fixes +~~~~~~~~~ + +- Reconfigure catz member zones during named reconfiguration. 
+ ``944d0dc942`` + + During a reconfiguration named wasn't reconfiguring catalog zones' + member zones. This has been fixed. :gl:`#4733` + +- Disassociate the SSL object from the cached SSL_SESSION. + ``64fde41253`` + + When the SSL object was destroyed, it would invalidate all SSL_SESSION + objects including the cached, but not yet used, TLS session objects. + + Properly disassociate the SSL object from the SSL_SESSION before we + store it in the TLS session cache, so we can later destroy it without + invalidating the cached TLS sessions. :gl:`#4834` :gl:`!9279` + +- Attach/detach to the listening child socket when accepting TLS. + ``3ead47daff`` + + When TLS connection (TLSstream) connection was accepted, the children + listening socket was not attached to sock->server and thus it could + have been freed before all the accepted connections were actually + closed. + + In turn, this would cause us to call isc_tls_free() too soon - causing + cascade errors in pending SSL_read_ex() in the accepted connections. + + Properly attach and detach the children listening socket when + accepting and closing the server connections. :gl:`#4833` :gl:`!9278` + +- Make hypothesis optional for system tests. ``0d1953d7a8`` + + Ensure that system tests can be executed without Python hypothesis + package. :gl:`#4831` :gl:`!9268` + +- Don't loop indefinitely when isc_task quantum is 'unlimited' + ``674420df64`` + + Don't run more events than already scheduled. If the quantum is set + to a high value, the task_run() would execute already scheduled, and + all new events that result from running event->ev_action(). + + Setting quantum to a number of scheduled events will postpone events + scheduled after we enter the loop here to the next task_run() + invocation. :gl:`!9257` + +- Raise the log level of priming failures. ``c948babeeb`` + + When a priming query is complete, it's currently logged at level + ISC_LOG_DEBUG(1), regardless of success or failure. 
We are now raising + it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + :gl:`!9251` + +- Add a compatibility shim for older libuv versions (< 1.19.0) + ``61ff983f00`` + + The uv_stream_get_write_queue_size() is supported only in relatively + newer versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function , so BIND 9 can be built in environments with + older libuv version. + +- Remove extra newline from yaml output. ``1222dbe9f9`` + + I split this into two commits, one for the actual newline removal, and + one for issues I found, ruining the yaml output when some errors were + outputted. + +- CID 498025 and CID 498031: Overflowed constant INTEGER_OVERFLOW. + ``bbdd888b8e`` + + Add INSIST to fail if the multiplication would cause the variables to + overflow. :gl:`#4798` :gl:`!9230` + +- Remove unnecessary operations. ``2374a1a2bd`` + + Decrementing optlen immediately before calling continue is unneccesary + and inconsistent with the rest of dns_message_pseudosectiontoyaml and + dns_message_pseudosectiontotext. Coverity was also reporting an + impossible false positive overflow of optlen (CID 499061). + + 4176 } else if (optcode == DNS_OPT_CLIENT_TAG) + { 4177 uint16_t id; 4178 + ADD_STRING(target, "; CLIENT-TAG:"); 4179 + if (optlen == 2U) { 4180 id + = isc_buffer_getuint16(&optbuf); 4181 + snprintf(buf, sizeof(buf), " %u ", id); 4182 + ADD_STRING(target, buf); + + CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW) + overflow_const: Expression optlen, which is equal to 65534, underflows + the type that receives it, an unsigned integer 16 bits wide. 4183 + optlen -= 2; 4184 + POST(optlen); 4185 + continue; 4186 } 4187 + } else if (optcode == DNS_OPT_SERVER_TAG) { :gl:`!9224` + +- Fix generation of 6to4-self name expansion from IPv4 address. 
+ ``df55c15ebb`` + + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the + wrong name being checked. Add system test for 6to4-self + implementation. :gl:`#4766` :gl:`!9218` + +- Fix false QNAME minimisation error being reported. ``4984afc80c`` + + Remove the false positive "success resolving" log message when QNAME + minimisation is in effect and the final result is NXDOMAIN. + :gl:`#4784` :gl:`!9216` + +- Dig +yaml was producing unexpected and/or invalid YAML output. + ``2db62a4dba`` + + :gl:`#4796` :gl:`!9214` + +- SVBC alpn text parsing failed to reject zero length alpn. + ``8f7be89052`` + + :gl:`#4775` :gl:`!9210` + +- Return SERVFAIL for a too long CNAME chain. ``f7de909b98`` + + When cutting a long CNAME chain, named was returning NOERROR instead + of SERVFAIL (alongside with a partial answer). This has been fixed. + :gl:`#4449` :gl:`!9204` + +- Properly calculate the amount of system memory. ``9faf355a5c`` + + On 32 bit machines isc_meminfo_totalphys could return an incorrect + value. :gl:`#4799` :gl:`!9200` + +- Update key lifetime and metadata after dnssec-policy reconfig. + ``2107a64ee6`` + + Adjust key state and timing metadata if dnssec-policy key lifetime + configuration is updated, so that it also affects existing keys. + :gl:`#4677` :gl:`!9192` + +- Fix dig +timeout argument when using +https. ``381d6246d6`` + + The +timeout argument was not used on DoH connections. This has been + fixed. :gl:`#4806` :gl:`!9161` + + Changes prior to 9.18.28 ------------------------ diff --git a/doc/notes/notes-9.18.29.rst b/doc/notes/notes-9.18.29.rst new file mode 100644 index 0000000000..aa91c4cb13 --- /dev/null +++ b/doc/notes/notes-9.18.29.rst 
@@ -0,0 +1,93 @@ +(-dev) +------ + +New Features +~~~~~~~~~~~~ + +- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. + + There were cases in resolver.c when the `max-recursion-queries` quota + was ineffective. It was possible to craft zones that would cause a + resolver to waste resources by sending excessive queries while + attempting to resolve a name. This has been addressed by correcting + errors in the implementation of `max-recursion-queries`, and by + reducing the default value from 100 to 32. + + In addition, a new `max-query-restarts` option has been added which + limits the number of times a recursive server will follow CNAME or + DNAME records before terminating resolution. This was previously a + hard-coded limit of 16, and now defaults to 11. :gl:`#4741` + :gl:`!9283` + +Bug Fixes +~~~~~~~~~ + +- Reconfigure catz member zones during named reconfiguration. + + During a reconfiguration named wasn't reconfiguring catalog zones' + member zones. This has been fixed. :gl:`#4733` + +- Raise the log level of priming failures. + + When a priming query is complete, it's currently logged at level + ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising + it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + :gl:`!9251` + +- Add a compatibility shim for older libuv versions (< 1.19.0) + + The uv_stream_get_write_queue_size() is supported only in relatively + newer versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function , so BIND 9 can be built in environments with + older libuv version. + +- Remove extra newline from yaml output. + + I split this into two commits, one for the actual newline removal, and + one for issues I found, ruining the yaml output when some errors were + outputted. + +- Fix generation of 6to4-self name expansion from IPv4 address. 
+ + The period between the most significant nibble of the encoded IPv4 + address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the + wrong name being checked. Add system test for 6to4-self + implementation. :gl:`#4766` :gl:`!9218` + +- Fix false QNAME minimisation error being reported. + + Remove the false positive "success resolving" log message when QNAME + minimisation is in effect and the final result is NXDOMAIN. + :gl:`#4784` :gl:`!9216` + +- Dig +yaml was producing unexpected and/or invalid YAML output. + + :gl:`#4796` :gl:`!9214` + +- SVBC alpn text parsing failed to reject zero length alpn. + + :gl:`#4775` :gl:`!9210` + +- Return SERVFAIL for a too long CNAME chain. + + When cutting a long CNAME chain, named was returning NOERROR instead + of SERVFAIL (alongside with a partial answer). This has been fixed. + :gl:`#4449` :gl:`!9204` + +- Properly calculate the amount of system memory. + + On 32 bit machines isc_meminfo_totalphys could return an incorrect + value. :gl:`#4799` :gl:`!9200` + +- Update key lifetime and metadata after dnssec-policy reconfig. + + Adjust key state and timing metadata if dnssec-policy key lifetime + configuration is updated, so that it also affects existing keys. + :gl:`#4677` :gl:`!9192` + +- Fix dig +timeout argument when using +https. + + The +timeout argument was not used on DoH connections. This has been + fixed. :gl:`#4806` :gl:`!9161` + + From 7048b2d471f9e8d002d4ddb88092a452c11c15d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 14:23:06 +0200 Subject: [PATCH 5/9] Re-apply changelog formatting tweaks from the 9.21.0 release --- doc/arm/changelog.rst | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/doc/arm/changelog.rst b/doc/arm/changelog.rst index 3433c583d9..2a55861310 100644 --- a/doc/arm/changelog.rst +++ b/doc/arm/changelog.rst 
@@ -18,8 +18,8 @@ Changelog development. Regular users should refer to :ref:`Release Notes ` for changes relevant to them. -(-dev) ------- +BIND 9.18.29 +------------ New Features ~~~~~~~~~~~~ @@ -145,23 +145,7 @@ Bug Fixes Decrementing optlen immediately before calling continue is unneccesary and inconsistent with the rest of dns_message_pseudosectiontoyaml and dns_message_pseudosectiontotext. Coverity was also reporting an - impossible false positive overflow of optlen (CID 499061). - - 4176 } else if (optcode == DNS_OPT_CLIENT_TAG) - { 4177 uint16_t id; 4178 - ADD_STRING(target, "; CLIENT-TAG:"); 4179 - if (optlen == 2U) { 4180 id - = isc_buffer_getuint16(&optbuf); 4181 - snprintf(buf, sizeof(buf), " %u ", id); 4182 - ADD_STRING(target, buf); - - CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW) - overflow_const: Expression optlen, which is equal to 65534, underflows - the type that receives it, an unsigned integer 16 bits wide. 4183 - optlen -= 2; 4184 - POST(optlen); 4185 - continue; 4186 } 4187 - } else if (optcode == DNS_OPT_SERVER_TAG) { :gl:`!9224` + impossible false positive overflow of optlen (CID 499061). :gl:`!9224` - Fix generation of 6to4-self name expansion from IPv4 address. ``df55c15ebb`` From 8f0d9b7fca4d2d2b7a5758bce3329d4bd49f3ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 14:36:20 +0200 Subject: [PATCH 6/9] Re-apply release note tweaks from the 9.21.0 release --- doc/notes/notes-9.18.29.rst | 127 +++++++++++++++++++----------------- 1 file changed, 66 insertions(+), 61 deletions(-) diff --git a/doc/notes/notes-9.18.29.rst b/doc/notes/notes-9.18.29.rst index aa91c4cb13..52097556b3 100644 --- a/doc/notes/notes-9.18.29.rst +++ b/doc/notes/notes-9.18.29.rst 
@@ -1,93 +1,98 @@ -(-dev) ------- +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. -New Features -~~~~~~~~~~~~ +Notes for BIND 9.18.29 +---------------------- -- Tighten 'max-recursion-queries' and add 'max-query-restarts' option. +Feature Changes +~~~~~~~~~~~~~~~ - There were cases in resolver.c when the `max-recursion-queries` quota - was ineffective. It was possible to craft zones that would cause a - resolver to waste resources by sending excessive queries while +- Tighten :any:`max-recursion-queries` and add :any:`max-query-restarts` + configuration statement. + + There were cases when the :any:`max-recursion-queries` + quota was ineffective. It was possible to craft zones that would cause + a resolver to waste resources by sending excessive queries while attempting to resolve a name. This has been addressed by correcting - errors in the implementation of `max-recursion-queries`, and by + errors in the implementation of :any:`max-recursion-queries` and by reducing the default value from 100 to 32. - In addition, a new `max-query-restarts` option has been added which - limits the number of times a recursive server will follow CNAME or - DNAME records before terminating resolution. This was previously a - hard-coded limit of 16, and now defaults to 11. :gl:`#4741` - :gl:`!9283` + In addition, a new :any:`max-query-restarts` configuration statement has been + added, which limits the number of times a recursive server will follow CNAME + or DNAME records before terminating resolution. This was previously a + hard-coded limit of 16 but is now configurable with a default value of 11. 
-Bug Fixes -~~~~~~~~~ - -- Reconfigure catz member zones during named reconfiguration. - - During a reconfiguration named wasn't reconfiguring catalog zones' - member zones. This has been fixed. :gl:`#4733` + ISC would like to thank Huayi Duan, Marco Bearzi, Jodok Vieli, and Cagin + Tanir from NetSec group, ETH Zurich for discovering and notifying us about + the issue. :gl:`#4741` :gl:`!9283` - Raise the log level of priming failures. - When a priming query is complete, it's currently logged at level - ISC_LOG_DEBUG(1), regardless of success or failure. We are now raising - it to ISC_LOG_NOTICE in the case of failure. [GL #3516] :gl:`#3516` + When a priming query is complete, it was previously logged at level + ``DEBUG(1)``, regardless of success or failure. It is now + logged to ``NOTICE`` in the case of failure. :gl:`#3516` :gl:`!9251` - Add a compatibility shim for older libuv versions (< 1.19.0) The uv_stream_get_write_queue_size() is supported only in relatively - newer versions of libuv (1.19.0 or higher). Provide a compatibility - shim for this function , so BIND 9 can be built in environments with + newer versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function, so BIND 9 can be built in environments with older libuv version. -- Remove extra newline from yaml output. +Bug Fixes +~~~~~~~~~ - I split this into two commits, one for the actual newline removal, and - one for issues I found, ruining the yaml output when some errors were - outputted. +- Return SERVFAIL for a too long CNAME chain. + + When following long CNAME chains, :iscman:`named` was returning NOERROR + (along with a partial answer) instead of SERVFAIL, if the chain exceeded the + maximum length. This has been fixed. :gl:`#4449` :gl:`!9204` + +- Reconfigure catz member zones during :iscman:`named` reconfiguration. + + During a reconfiguration, :iscman:`named` wasn't reconfiguring catalog + zones' member zones. This has been fixed. 
:gl:`#4733` + +- Update key lifetime and metadata after :any:`dnssec-policy` reconfiguration. + + Adjust key state and timing metadata if :any:`dnssec-policy` key + lifetime configuration is updated, so that it also affects existing + keys. :gl:`#4677` :gl:`!9192` - Fix generation of 6to4-self name expansion from IPv4 address. The period between the most significant nibble of the encoded IPv4 - address and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the - wrong name being checked. Add system test for 6to4-self - implementation. :gl:`#4766` :gl:`!9218` + address and the 2.0.0.2.IP6.ARPA suffix was missing, resulting in the + wrong name being checked. This has been fixed. :gl:`#4766` :gl:`!9218` + +- :option:`dig +yaml` was producing unexpected and/or invalid YAML. + output. :gl:`#4796` :gl:`!9214` + +- SVBC ALPN text parsing failed to reject zero-length ALPN. :gl:`#4775` :gl:`!9210` - Fix false QNAME minimisation error being reported. - Remove the false positive "success resolving" log message when QNAME - minimisation is in effect and the final result is NXDOMAIN. + Remove the false positive ``success resolving`` log message when QNAME + minimisation is in effect and the final result is an NXDOMAIN. :gl:`#4784` :gl:`!9216` -- Dig +yaml was producing unexpected and/or invalid YAML output. - - :gl:`#4796` :gl:`!9214` - -- SVBC alpn text parsing failed to reject zero length alpn. - - :gl:`#4775` :gl:`!9210` - -- Return SERVFAIL for a too long CNAME chain. - - When cutting a long CNAME chain, named was returning NOERROR instead - of SERVFAIL (alongside with a partial answer). This has been fixed. - :gl:`#4449` :gl:`!9204` - -- Properly calculate the amount of system memory. - - On 32 bit machines isc_meminfo_totalphys could return an incorrect - value. :gl:`#4799` :gl:`!9200` - -- Update key lifetime and metadata after dnssec-policy reconfig. 
- - Adjust key state and timing metadata if dnssec-policy key lifetime - configuration is updated, so that it also affects existing keys. - :gl:`#4677` :gl:`!9192` - - Fix dig +timeout argument when using +https. The +timeout argument was not used on DoH connections. This has been - fixed. :gl:`#4806` :gl:`!9161` + fixed. :gl:`#4806` :gl:`!9161` +Known Issues +~~~~~~~~~~~~ +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. From 2b491b4007977db6d9bd9ec2ffbb9a53a9f93e02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 14:38:38 +0200 Subject: [PATCH 7/9] Prepare documentation for BIND 9.18.29 --- doc/arm/notes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 70b55310f1..71454d0724 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -38,7 +38,7 @@ information about each release, and source code. .. include:: ../notes/notes-known-issues.rst -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.18.29.rst .. include:: ../notes/notes-9.18.28.rst .. include:: ../notes/notes-9.18.27.rst .. include:: ../notes/notes-9.18.26.rst From 1ad17e870a6c69aca4e744087032dc5b582bc7e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 13:07:59 +0000 Subject: [PATCH 8/9] Tweak and reword release notes Co-authored-by: Greg Choules --- doc/notes/notes-9.18.29.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/notes/notes-9.18.29.rst b/doc/notes/notes-9.18.29.rst index 52097556b3..1acc1445b6 100644 --- a/doc/notes/notes-9.18.29.rst +++ b/doc/notes/notes-9.18.29.rst 
@@ -43,10 +43,10 @@ Feature Changes - Add a compatibility shim for older libuv versions (< 1.19.0) - The uv_stream_get_write_queue_size() is supported only in relatively - newer versions of libuv (1.19.0 or higher). Provide a compatibility - shim for this function, so BIND 9 can be built in environments with - older libuv version. + The function uv_stream_get_write_queue_size() is supported only in relatively + new versions of libuv (1.19.0 or higher). Provide a compatibility + shim for this function so BIND 9 can be built in environments with + older libuv versions. Bug Fixes ~~~~~~~~~ From a697ae6d0b216fe9516e53cab4bfc1dbf1ce700c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Tue, 13 Aug 2024 16:13:29 +0200 Subject: [PATCH 9/9] Update BIND version for release --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 515ae26e39..35eb5a6c08 100644 --- a/configure.ac +++ b/configure.ac @@ -17,7 +17,7 @@ m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 18)dnl m4_define([bind_VERSION_PATCH], 29)dnl -m4_define([bind_VERSION_EXTRA], -dev)dnl +m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl m4_define([bind_PKG_VERSION], [[bind_VERSION_MAJOR.bind_VERSION_MINOR.bind_VERSION_PATCH]bind_VERSION_EXTRA])dnl