From e0af62deac684fd2cd8ca570de0c406c1e34f13a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 13 Feb 2024 11:42:44 +1100 Subject: [PATCH 1/8] Add helper function isc_sockaddr_disabled (cherry picked from commit 9be1873ef37a4f20e01dc2ad1e64112b7104d942) --- lib/isc/include/isc/sockaddr.h | 7 +++++++ lib/isc/sockaddr.c | 12 ++++++++++++ 2 files changed, 19 insertions(+) diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h index 9f3986b01f..97349a3343 100644 --- a/lib/isc/include/isc/sockaddr.h +++ b/lib/isc/include/isc/sockaddr.h @@ -245,4 +245,11 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa); * Minimum size of array to pass to isc_sockaddr_format(). */ +bool +isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr); +/*%< + * Report whether or not the address family of 'sockaddr' + * has been disabled. + */ + ISC_LANG_ENDDECLS diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c index 038e3ec7c4..cf3e7612a9 100644 --- a/lib/isc/sockaddr.c +++ b/lib/isc/sockaddr.c @@ -497,3 +497,15 @@ isc_sockaddr_fromsockaddr(isc_sockaddr_t *isa, const struct sockaddr *sa) { return (ISC_R_SUCCESS); } + +bool +isc_sockaddr_disabled(const isc_sockaddr_t *sockaddr) { + if ((sockaddr->type.sa.sa_family == AF_INET && + isc_net_probeipv4() == ISC_R_DISABLED) || + (sockaddr->type.sa.sa_family == AF_INET6 && + isc_net_probeipv6() == ISC_R_DISABLED)) + { + return (true); + } + return (false); +} From 7a9ac0491f31b38b3857b5fefb128169b158ef95 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 28 Nov 2023 17:26:41 +1100 Subject: [PATCH 2/8] Zone transfers should honour -4 and -6 options Check if the address family has been disabled when transferring zones. (cherry picked from commit ecdde04e63277e2bed8d1d861470de80ab0f49e1) --- lib/dns/zone.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 8b97304c6f..8a6013b5c6 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
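Review bot: isc_sockaddr_disabled() reads `sockaddr->type.sa.sa_family` directly, while the zone.c helper added later in this series tests the same thing through `isc_sockaddr_pf()`; using the accessor here, `int pf = isc_sockaddr_pf(sockaddr);` and then `pf == AF_INET` / `pf == AF_INET6`, keeps the two call sites consistent. The function also has no precondition on its pointer argument; if sockaddr.c follows the `REQUIRE()` convention visible in zone.c, `REQUIRE(sockaddr != NULL);` belongs at the top. The header comment could state the contract the body implies, e.g. `Addresses of any family other than AF_INET or AF_INET6 are never reported as disabled.`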
@@ -14464,8 +14464,12 @@ again: INSIST(zone->curprimary < zone->primariescnt); zone->primaryaddr = zone->primaries[zone->curprimary]; - isc_netaddr_fromsockaddr(&primaryip, &zone->primaryaddr); + + if (isc_sockaddr_disabled(&zone->primaryaddr)) { + goto skip_primary; + } + /* * First, look for a tsig key in the primaries statement, then * try for a server key. From 96754276a7ac2f2c33dd19e2988229176b30ecb5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Nov 2023 12:35:20 +1100 Subject: [PATCH 3/8] Report non-effective primaries When named is started with -4 or -6 and the primaries for a zone do not have an IPv4 or IPv6 address respectively issue a log message. (cherry picked from commit 2cd43032498752d2ab4527475ba21beee133b30b) --- lib/dns/zone.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 8a6013b5c6..baaf67eb86 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6253,6 +6253,32 @@ unlock: UNLOCK_ZONE(zone); } +static bool +has_pf(const isc_sockaddr_t *addresses, size_t count, int pf) { + for (size_t i = 0; i < count; i++) { + if (isc_sockaddr_pf(&addresses[i]) == pf) { + return (true); + } + } + return (false); +} + +static void +report_no_active_addresses(dns_zone_t *zone, const isc_sockaddr_t *addresses, + size_t count, const char *what) { + if (isc_net_probeipv4() == ISC_R_DISABLED) { + if (!has_pf(addresses, count, AF_INET6)) { + dns_zone_log(zone, ISC_LOG_NOTICE, + "IPv4 disabled and no IPv6 %s", what); + } + } else if (isc_net_probeipv6() == ISC_R_DISABLED) { + if (!has_pf(addresses, count, AF_INET)) { + dns_zone_log(zone, ISC_LOG_NOTICE, + "IPv6 disabled and no IPv4 %s", what); + } + } +} + void dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries, dns_name_t **keynames, dns_name_t **tlsnames, 
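Review bot: The removed `isc_netaddr_fromsockaddr(&primaryip, &zone->primaryaddr);` has no replacement inside the hunk, so if `primaryip` is still read before some later assignment further down this function (outside the hunk), it is now uninitialized on that path; worth confirming that the call which fills it is reached on every path that uses it. The `skip_primary` label is also outside the hunk; that path has to advance `zone->curprimary` and stop once every primary has been tried, otherwise a primaries list containing only addresses of the disabled family would return to `again:` indefinitely. The enclosing function starts and ends outside the hunk.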
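Review bot: The two new static helpers in the @@ -6253 hunk carry no comment, and the NOTICE they emit is the only user-visible effect of this commit, so a one-liner on each would help: above has_pf, `/* Return true if any of the 'count' entries in 'addresses' belongs to protocol family 'pf'. */`, and above report_no_active_addresses, `/* Log a NOTICE when -4 or -6 is in effect and 'addresses' holds no entry of the family that is still enabled. */`. Note that with `count == 0` the function also logs "no IPv6 primaries"/"no IPv4 primaries"; if the caller already rejects an empty list before the call (the `goto unlock` context in the next hunk suggests something is filtered there), that is fine, otherwise an empty list should probably be excluded so the message stays specific to the -4/-6 case.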
@@ -6308,6 +6334,8 @@ dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries, goto unlock; } + report_no_active_addresses(zone, primaries, count, "primaries"); + /* * primariesok must contain count elements */ From 4be2caa3453523530cd7799896dc15860cebee91 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Nov 2023 14:29:05 +1100 Subject: [PATCH 4/8] Check that no primaries is logged with -4 or -6 When in -4 mode check that "IPv6 disabled and no IPv4 primaries" is logged and when in -6 mode check that "IPv4 disabled and no IPv6 primaries" is logged. (cherry picked from commit 07cdf3e94580b99beaa393649e76f760ef6e16c3) --- .../system/runtime/ns2/named-alt8.conf.in | 30 +++++++++++++++++++ bin/tests/system/runtime/setup.sh | 1 + bin/tests/system/runtime/tests.sh | 26 ++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 bin/tests/system/runtime/ns2/named-alt8.conf.in diff --git a/bin/tests/system/runtime/ns2/named-alt8.conf.in b/bin/tests/system/runtime/ns2/named-alt8.conf.in new file mode 100644 index 0000000000..db85f442f6 --- /dev/null +++ b/bin/tests/system/runtime/ns2/named-alt8.conf.in @@ -0,0 +1,30 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + dnssec-validation no; +}; + +zone "ipv4-only-servers" { + type secondary; + primaries { 10.53.0.3; }; +}; + +zone "ipv6-only-servers" { + type secondary; + primaries { fd92:7065:b8e:ffff::2; }; +}; 
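Review bot: The `ipv6-only-servers` zone lists `fd92:7065:b8e:ffff::2` as its primary, which is this same server's `listen-on-v6` address, so in -6 mode the secondary will attempt a transfer from itself. The test only greps the log, so this may be deliberate, but pointing the zone at a different host, as the IPv4 zone does with `10.53.0.3`, would avoid the self-transfer and make the fixture's intent clearer to the next reader.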
diff --git a/bin/tests/system/runtime/setup.sh b/bin/tests/system/runtime/setup.sh index f6747ce51a..1b0cfc2c6e 100644 --- a/bin/tests/system/runtime/setup.sh +++ b/bin/tests/system/runtime/setup.sh @@ -24,6 +24,7 @@ copy_setports ns2/named-alt4.conf.in ns2/named-alt4.conf copy_setports ns2/named-alt5.conf.in ns2/named-alt5.conf copy_setports ns2/named-alt6.conf.in ns2/named-alt6.conf copy_setports ns2/named-alt7.conf.in ns2/named-alt7.conf +copy_setports ns2/named-alt8.conf.in ns2/named-alt8.conf mkdir ns2/nope chmod 555 ns2/nope diff --git a/bin/tests/system/runtime/tests.sh b/bin/tests/system/runtime/tests.sh index ca2299bf9e..6ee71bff3a 100644 --- a/bin/tests/system/runtime/tests.sh +++ b/bin/tests/system/runtime/tests.sh 
@@ -222,6 +222,32 @@ test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +n=$((n + 1)) +echo_i "checking that named log missing IPv4 primaries in -4 mode ($n)" +ret=0 +INSTANCE_NAME="missing-primaries-ipv4-only-mode" +testpid=$(run_named ns2 named$n.run -c named-alt8.conf -D "${INSTANCE_NAME}" -4) +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep "IPv6 disabled and no IPv4 primaries" ns2/named$n.run >/dev/null || ret=1 +kill_named ns2/named.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +n=$((n + 1)) +echo_i "checking that named log missing IPv6 primaries in -6 mode ($n)" +ret=0 +INSTANCE_NAME="missing-primaries-ipv4-only-mode" +testpid=$(run_named ns2 named$n.run -c named-alt8.conf -D "${INSTANCE_NAME}" -6) +test -n "$testpid" || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 +grep "IPv4 disabled and no IPv6 primaries" ns2/named$n.run >/dev/null || ret=1 +kill_named ns2/named.pid || ret=1 +test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + n=$((n + 1)) echo_i "verifying that named switches UID ($n)" if [ "$(id -u)" -eq 0 ]; then From c6a207c710e3552279a66d5085e68c33183ec8db Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 30 Nov 2023 11:18:41 +1100 Subject: [PATCH 5/8] Don't send NOTIFY over disabled address families (cherry picked from commit 5d9962551547e13274ff7d7f5af9abf4f4982341) --- lib/dns/zone.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index baaf67eb86..d5aff4f588 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
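Review bot: The second check (the -6 case) reuses `INSTANCE_NAME="missing-primaries-ipv4-only-mode"`, so both instances are started with the same -D tag; `INSTANCE_NAME="missing-primaries-ipv6-only-mode"` is presumably intended and keeps the two runs distinguishable in process listings and logs. Minor wording in both echo_i lines: `checking that named logs missing IPv4 primaries in -4 mode ($n)` (and the IPv6 counterpart).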
@@ -12496,8 +12496,14 @@ notify_find_address(dns_notify_t *notify) { unsigned int options; REQUIRE(DNS_NOTIFY_VALID(notify)); - options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET | DNS_ADBFIND_INET6 | - DNS_ADBFIND_RETURNLAME; + + options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_RETURNLAME; + if (isc_net_probeipv4() != ISC_R_DISABLED) { + options |= DNS_ADBFIND_INET; + } + if (isc_net_probeipv6() != ISC_R_DISABLED) { + options |= DNS_ADBFIND_INET6; + } if (notify->zone->view->adb == NULL) { goto destroy; @@ -12902,6 +12908,17 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) { /* TODO: glue the transport to the notify */ dst = zone->notify[i]; + + if (isc_sockaddr_disabled(&dst)) { + if (key != NULL) { + dns_tsigkey_detach(&key); + } + if (transport != NULL) { + dns_transport_detach(&transport); + } + continue; + } + if (notify_isqueued(zone, flags, NULL, &dst, key, transport)) { if (key != NULL) { dns_tsigkey_detach(&key); From 542e891287e638d215f0ab5f583903e1715d7484 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 30 Nov 2023 16:31:33 +1100 Subject: [PATCH 6/8] Don't forward UPDATE messages over disabled address families (cherry picked from commit d026dbe5367df775fdc22a3e05c63710499dcf07) --- lib/dns/zone.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index d5aff4f588..6419bd410a 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -18631,12 +18631,19 @@ sendtoprimary(dns_forward_t *forward) { return (ISC_R_CANCELED); } +next: if (forward->which >= forward->zone->primariescnt) { UNLOCK_ZONE(forward->zone); return (ISC_R_NOMORE); } forward->addr = forward->zone->primaries[forward->which]; + + if (isc_sockaddr_disabled(&forward->addr)) { + forward->which++; + goto next; + } + /* * Always use TCP regardless of whether the original update * used TCP. From 69dde597b9874a76af25a96d3126b9b8c7a3c307 Mon Sep 17 00:00:00 2001 
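Review bot: If both probes returned ISC_R_DISABLED, `options` would carry neither DNS_ADBFIND_INET nor DNS_ADBFIND_INET6 and the find could match no address at all; named is expected to reject -4 together with -6 (not visible here), so this is presumably unreachable, but a comment on the options block saves the next reader that check, e.g. `/* -4 and -6 are mutually exclusive, so at least one family is always requested. */`. The enclosing function continues outside the hunk.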
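Review bot: The new skip block in zone_notify repeats the detach-and-continue sequence that the `notify_isqueued` block directly below already contains, and the same sequence appears twice more in the checkds_send hunks of patch 7/8. If `key` and `transport` are attached earlier in the loop body than `dst` is assigned (outside the hunk), testing `isc_sockaddr_disabled(&zone->notify[i])` before those lookups would let the skip be a bare `continue;` with nothing to release; otherwise a small static helper that detaches both when non-NULL would keep the three sites consistent.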
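Review bot: In sendtoprimary the `next:` label turns the bounds check into a loop via a backward `goto`; the behaviour is correct because the bound is re-tested on every pass, but the same thing reads more directly as a `while` that skips disabled entries ahead of the existing check, leaving the label out. The enclosing function starts and ends outside the hunk.
```c
	/* Skip primaries whose address family has been disabled with -4/-6. */
	while (forward->which < forward->zone->primariescnt &&
	       isc_sockaddr_disabled(&forward->zone->primaries[forward->which]))
	{
		forward->which++;
	}
	if (forward->which >= forward->zone->primariescnt) {
		UNLOCK_ZONE(forward->zone);
		return (ISC_R_NOMORE);
	}
	forward->addr = forward->zone->primaries[forward->which];
	/* … unchanged: TCP selection and request creation … */
```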
From: Mark Andrews Date: Thu, 30 Nov 2023 16:46:50 +1100 Subject: [PATCH 7/8] Don't do DS checks over disabled address families (cherry picked from commit 05472e63e8930753d7fa8d3bbf840be2085a2f23) --- lib/dns/zone.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 6419bd410a..cf71477964 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -6392,6 +6392,8 @@ dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals, goto unlock; } + report_no_active_addresses(zone, parentals, count, "parental-agents"); + /* * Now set up the parentals and parental key lists */ @@ -21800,6 +21802,16 @@ checkds_send(dns_zone_t *zone) { dst = zone->parentals[i]; + if (isc_sockaddr_disabled(&dst)) { + if (key != NULL) { + dns_tsigkey_detach(&key); + } + if (transport != NULL) { + dns_transport_detach(&transport); + } + continue; + } + /* TODO: glue the transport to the checkds request */ if (checkds_isqueued(zone, &dst, key, transport)) { @@ -21827,6 +21839,12 @@ checkds_send(dns_zone_t *zone) { "checkds: create DS query for " "parent %d failed", i); + if (key != NULL) { + dns_tsigkey_detach(&key); + } + if (transport != NULL) { + dns_transport_detach(&transport); + } continue; } zone_iattach(zone, &checkds->zone); From f1d2b0e5fd03e482e7e85eba708d2984770795f9 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 29 Nov 2023 12:51:15 +1100 Subject: [PATCH 8/8] Add CHANGES note for [GL #6288] (cherry picked from commit 3834e433f7f625c4f1a177715b96d6eb3c441866) --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index eb44616b68..7129a1f280 100644 --- a/CHANGES +++ b/CHANGES 
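Review bot: The @@ -21827 hunk changes the pre-existing "create DS query ... failed" path in checkds_send, which previously reached `continue` without releasing `key` and `transport`; if those are attached per iteration (outside the hunk), that was a reference leak independent of the -4/-6 work, and it deserves a sentence in the commit message so the fix is not hidden behind the "disabled address families" title. A short comment on that path, `/* Release the per-primary key and transport before trying the next parent. */`, would also make the reason for the added detaches obvious. The enclosing function starts and ends outside the hunks.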
@@ -1,3 +1,8 @@ +6394. [bug] Named's -4 and -6 options now apply to zone primaries, + also-notify and parental-agents. Report when a zone + has these options configured but does not have an IPv4 + or IPv6 address listed respectively. [GL #3472] + 6393. [func] Deal with uv_tcp_close_reset() error return codes more gracefully. [GL #4708]
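Review bot: The new CHANGES entry cites `[GL #3472]` while the subject of this patch says `[GL #6288]`; one of the two references is presumably a typo, and since the CHANGES file is what users consult, the entry and the commit subject should agree before this is merged.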