Merge branch '3472-ipv4-only-mode-not-respected-for-zone-transfers-9.18' into 'bind-9.18'

[9.18] Resolve "IPv4-only mode not respected for zone transfers"

See merge request isc-projects/bind9!9085

CHANGES

@@ -1,3 +1,8 @@
+6394.	[bug]		Named's -4 and -6 options now apply to zone primaries,
+			also-notify and parental-agents.  Report when a zone
+			has these options configured but does not have an IPv4
+			or IPv6 address listed respectively. [GL #3472]
+
 6393.	[func]		Deal with uv_tcp_close_reset() error return codes
 			more gracefully. [GL #4708]
 

bin/tests/system/runtime/ns2/named-alt8.conf.in

@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { fd92:7065:b8e:ffff::2; };
+	dnssec-validation no;
+};
+
+zone "ipv4-only-servers" {
+	type secondary;
+	primaries { 10.53.0.3; };
+};
+
+zone "ipv6-only-servers" {
+	type secondary;
+	primaries { fd92:7065:b8e:ffff::2; };
+};

bin/tests/system/runtime/setup.sh

@@ -24,6 +24,7 @@ copy_setports ns2/named-alt4.conf.in ns2/named-alt4.conf
 copy_setports ns2/named-alt5.conf.in ns2/named-alt5.conf
 copy_setports ns2/named-alt6.conf.in ns2/named-alt6.conf
 copy_setports ns2/named-alt7.conf.in ns2/named-alt7.conf
+copy_setports ns2/named-alt8.conf.in ns2/named-alt8.conf
 
 mkdir ns2/nope
 chmod 555 ns2/nope

bin/tests/system/runtime/tests.sh

@@ -222,6 +222,32 @@ test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "checking that named log missing IPv4 primaries in -4 mode ($n)"
+ret=0
+INSTANCE_NAME="missing-primaries-ipv4-only-mode"
+testpid=$(run_named ns2 named$n.run -c named-alt8.conf -D "${INSTANCE_NAME}" -4)
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "IPv6 disabled and no IPv4 primaries" ns2/named$n.run >/dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named log missing IPv6 primaries in -6 mode ($n)"
+ret=0
+INSTANCE_NAME="missing-primaries-ipv4-only-mode"
+testpid=$(run_named ns2 named$n.run -c named-alt8.conf -D "${INSTANCE_NAME}" -6)
+test -n "$testpid" || ret=1
+retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1
+grep "IPv4 disabled and no IPv6 primaries" ns2/named$n.run >/dev/null || ret=1
+kill_named ns2/named.pid || ret=1
+test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "verifying that named switches UID ($n)"
 if [ "$(id -u)" -eq 0 ]; then

lib/dns/zone.c

@@ -6253,6 +6253,32 @@ unlock:
 	UNLOCK_ZONE(zone);
 }
 
+static bool
+has_pf(const isc_sockaddr_t *addresses, size_t count, int pf) {
+	for (size_t i = 0; i < count; i++) {
+		if (isc_sockaddr_pf(&addresses[i]) == pf) {
+			return (true);
+		}
+	}
+	return (false);
+}
+
+static void
+report_no_active_addresses(dns_zone_t *zone, const isc_sockaddr_t *addresses,
+			   size_t count, const char *what) {
+	if (isc_net_probeipv4() == ISC_R_DISABLED) {
+		if (!has_pf(addresses, count, AF_INET6)) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "IPv4 disabled and no IPv6 %s", what);
+		}
+	} else if (isc_net_probeipv6() == ISC_R_DISABLED) {
+		if (!has_pf(addresses, count, AF_INET)) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "IPv6 disabled and no IPv4 %s", what);
+		}
+	}
+}
+
 void
 dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries,
 		      dns_name_t **keynames, dns_name_t **tlsnames,
@@ -6308,6 +6334,8 @@ dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries,
 		goto unlock;
 	}
 
+	report_no_active_addresses(zone, primaries, count, "primaries");
+
 	/*
 	 * primariesok must contain count elements
 	 */
@@ -6364,6 +6392,8 @@ dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals,
 		goto unlock;
 	}
 
+	report_no_active_addresses(zone, parentals, count, "parental-agents");
+
 	/*
 	 * Now set up the parentals and parental key lists
 	 */
@@ -12468,8 +12498,14 @@ notify_find_address(dns_notify_t *notify) {
 	unsigned int options;
 
 	REQUIRE(DNS_NOTIFY_VALID(notify));
-	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET | DNS_ADBFIND_INET6 |
-		  DNS_ADBFIND_RETURNLAME;
+
+	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_RETURNLAME;
+	if (isc_net_probeipv4() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET;
+	}
+	if (isc_net_probeipv6() != ISC_R_DISABLED) {
+		options |= DNS_ADBFIND_INET6;
+	}
 
 	if (notify->zone->view->adb == NULL) {
 		goto destroy;
@@ -12874,6 +12910,17 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 		/* TODO: glue the transport to the notify */
 
 		dst = zone->notify[i];
+
+		if (isc_sockaddr_disabled(&dst)) {
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			if (transport != NULL) {
+				dns_transport_detach(&transport);
+			}
+			continue;
+		}
+
 		if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) {
 			if (key != NULL) {
 				dns_tsigkey_detach(&key);
@@ -14464,8 +14511,12 @@ again:
 	INSIST(zone->curprimary < zone->primariescnt);
 
 	zone->primaryaddr = zone->primaries[zone->curprimary];
-
 	isc_netaddr_fromsockaddr(&primaryip, &zone->primaryaddr);
+
+	if (isc_sockaddr_disabled(&zone->primaryaddr)) {
+		goto skip_primary;
+	}
+
 	/*
 	 * First, look for a tsig key in the primaries statement, then
 	 * try for a server key.
@@ -18582,12 +18633,19 @@ sendtoprimary(dns_forward_t *forward) {
 		return (ISC_R_CANCELED);
 	}
 
+next:
 	if (forward->which >= forward->zone->primariescnt) {
 		UNLOCK_ZONE(forward->zone);
 		return (ISC_R_NOMORE);
 	}
 
 	forward->addr = forward->zone->primaries[forward->which];
+
+	if (isc_sockaddr_disabled(&forward->addr)) {
+		forward->which++;
+		goto next;
+	}
+
 	/*
 	 * Always use TCP regardless of whether the original update
 	 * used TCP.
@@ -21744,6 +21802,16 @@ checkds_send(dns_zone_t *zone) {
 
 		dst = zone->parentals[i];
 
+		if (isc_sockaddr_disabled(&dst)) {
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			if (transport != NULL) {
+				dns_transport_detach(&transport);
+			}
+			continue;
+		}
+
 		/* TODO: glue the transport to the checkds request */
 
 		if (checkds_isqueued(zone, &dst, key, transport)) {
@@ -21771,6 +21839,12 @@ checkds_send(dns_zone_t *zone) {
 				     "checkds: create DS query for "
 				     "parent %d failed",
 				     i);
+			if (key != NULL) {
+				dns_tsigkey_detach(&key);
+			}
+			if (transport != NULL) {
+				dns_transport_detach(&transport);
+			}
 			continue;
 		}
 		zone_iattach(zone, &checkds->zone);

lib/isc/include/isc/sockaddr.h

@@ -245,4 +245,11 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa);
  * Minimum size of array to pass to isc_sockaddr_format().
  */
 
+bool
+isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Report whether or not the address family of 'sockaddr'
+ * has been disabled.
+ */
+
 ISC_LANG_ENDDECLS

lib/isc/sockaddr.c

@@ -497,3 +497,15 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa) {
 
 	return (ISC_R_SUCCESS);
 }
+
+bool
+isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr) {
+	if ((sockaddr->type.sa.sa_family == AF_INET &&
+	     isc_net_probeipv4() == ISC_R_DISABLED) ||
+	    (sockaddr->type.sa.sa_family == AF_INET6 &&
+	     isc_net_probeipv6() == ISC_R_DISABLED))
+	{
+		return (true);
+	}
+	return (false);
+}