Commit graph

41821 commits

Author SHA1 Message Date
Michal Nowak
22f3037d06 Update BIND version to 9.20.4-dev 2024-10-08 10:34:31 +02:00
Ondřej Surý
a6692e793c [9.20] fix: dev: Don't enable REUSEADDR on outgoing UDP sockets
The outgoing UDP sockets enabled `SO_REUSEADDR` that allows sharing of the UDP sockets, but with one big caveat - the socket that was opened last would get all traffic.  The dispatch code would ignore the invalid responses in the dns_dispatch, but this could lead to unexpected results.

Backport of MR !9569

Merge branch 'backport-ondrej/fix-outgoing-UDP-port-selection-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9583
2024-10-02 13:23:19 +00:00
Ondřej Surý
4b4c550cd8 Don't enable SO_REUSEADDR on outgoing UDP sockets
Currently, the outgoing UDP sockets have enabled
SO_REUSEADDR (SO_REUSEPORT on BSDs) which allows multiple UDP sockets to
bind to the same address+port.  There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic.  This in turn could lead to incoming DNS message matching to
invalid dns_dispatch and getting dropped.

Disable setting the SO_REUSEADDR on the outgoing UDP sockets.  This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.

(cherry picked from commit eec30c33c2)
2024-10-02 12:16:58 +00:00
Ondřej Surý
e2058ab461 [9.20] fix: usr: Fix assertion failure when receiving DNS responses over TCP
When matching the received Query ID in the TCP connection,
an invalid received Query ID can very rarely cause assertion
failure.

Closes #4952

Backport of MR !9580

Merge branch 'backport-4952-check-whether-QID-is-not-deleted-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9582
2024-10-02 12:07:49 +00:00
Ondřej Surý
b46108b428 Skip TCP dispatch responses that are not ours
When matching the TCP dispatch responses, we should skip the responses
that do not belong to our TCP connection.  This can happen with faulty
upstream server that sends invalid QID back to us.

(cherry picked from commit 4ef316e21e)
2024-10-02 10:45:05 +00:00
Aram Sargsyan
97fad455d7 [9.20] fix: dev: Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

Closes #4969

Backport of MR !9576

Merge branch 'backport-4969-dispatch-tcp-source-port-bug-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9581
2024-10-02 10:44:38 +00:00
Aram Sargsyan
ca966c396a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

(cherry picked from commit d49a8f518a)
2024-10-02 09:53:45 +00:00
Ondřej Surý
19e3cd0cd2 [9.20] chg: dev: Use release memory ordering when incrementing reference counter
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be the same when both calls are executed at the same time.

Backport of MR !9460

Merge branch 'backport-ondrej/use-release-memory-ordering-for-reference-counting-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9567
2024-10-02 07:09:54 +00:00
Ondřej Surý
5701bf9dab Use release memory ordering when incrementing reference counter
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be the same when both calls are executed at the same time.

(cherry picked from commit 88227ea665)
2024-10-02 09:09:35 +02:00
Mark Andrews
aa078bdd37 [9.20] fix: doc: Restore text about sig validity and SOA expire
When `sig-validity-interval` was obsoleted, the text that the signature validity interval should be multiples of the SOA expire interval was removed. Restore this text to the description of the `signatures-validity` option.

Closes #4951

Backport of MR !9566

Merge branch 'backport-4951-document-signatures-validity-soa-expire-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9573
2024-10-02 07:01:05 +00:00
Matthijs Mekking
2267394f0a Update example.com zone SOA expire value
The example.com zone file given in the "Configurations and Zone Files"
chapter has an SOA expire of 3 weeks, which is not a multiple of
the default signatures-validity value. Adjust the SOA expire so that
it is much lower than the signatures-validity default.

(cherry picked from commit 8aa94931c3)
2024-10-02 05:28:22 +00:00
Matthijs Mekking
e25f165bdd Restore text about sig validity and SOA expire
When `sig-validity-interval` was obsoleted, the text that the signature
validity interval should be multiples of the SOA expire interval was
removed. Restore this text to the description of the
`signatures-validity` option.

(cherry picked from commit b09230004b)
2024-10-02 05:28:22 +00:00
Michal Nowak
cd2e369aa8 [9.20] chg: test: Replace dns.query module with isctest.query
The `dns.query.udp` and `dns.query.tcp` methods are [prone to timeouts](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4785053); their `isctest.query` equivalents should be used in system tests instead.

Backport of MR !9560

Merge branch 'backport-mnowak/convert-dns-query-udp-and-tcp-to-isctest-query-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9574
2024-10-01 15:04:13 +00:00
Michal Nowak
8252f8cbc4 Replace dns.query module with isctest.query
(cherry picked from commit dfec69b4a2)
2024-10-01 12:06:40 +00:00
Michal Nowak
b5bdc3ff30 Add isctest.check.notimp()
(cherry picked from commit a2d2d9c0d3)
2024-10-01 12:06:40 +00:00
Michal Nowak
8f5fcf6441 Report expected and last returned rcode on query timeout
Sometimes it's useful to see what was the server returning that did not
match the expected rcode.

(cherry picked from commit 4cb52f072e)
2024-10-01 12:06:40 +00:00
Mark Andrews
72626cf940 [9.20] fix: usr: Fix a bug in the static-stub implementation
Static-stub addresses and addresses from other sources were being
mixed together, resulting in static-stub queries going to addresses
not specified in the configuration, or alternatively, static-stub
addresses being used instead of the correct server addresses.

Closes #4850

Backport of MR !9314

Merge branch 'backport-4850-add-an-additional-class-of-names-to-adb-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9571
2024-10-01 02:07:40 +00:00
Mark Andrews
7e8ffe3d63 Store static-stub addresses separately in the adb
Static-stub address and addresses from other sources were being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.

(cherry picked from commit b3a2c790f3)
2024-10-01 01:27:55 +00:00
Mark Andrews
cee11c8610 [9.20] new: usr: Log query response status to the query log
Log a query response summary using the new category `responses`.  Logging can be controlled by the option `responselog` and `rndc responselog`.

Closes #459

Backport of MR !9449

Merge branch 'backport-459-log-query-response-status-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9526
2024-09-30 01:14:26 +00:00
Mark Andrews
3c0515b349 Document 'responselog' in the ARM
(cherry picked from commit 452db02c19)
2024-09-30 00:10:47 +00:00
Mark Andrews
39afab41f0 Check responselog behaviour
Extends the resolver system test to check whether responses are
logged to the query log in addition to the queries.

(cherry picked from commit 61415432ec)
2024-09-30 00:10:47 +00:00
Petr Menšík
59770f281c Move common flags logging to shared functions
Query and response log shares the same flags. Move flags logging out of
log_query to share it with log_response. Use buffer instead of snprintf
to fill flags a bit faster.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit e6b19af2dd)
2024-09-30 00:10:47 +00:00
Petr Menšík
d9d50f6274 Make responselog flags similar to querylog
Remove answer flag from log, log instead count of records for each
message section. Include EDNS version and few flags of response. Add
also status of result.

Still does not include body of responses rrset.

(cherry picked from commit 6f879aba65)
2024-09-30 00:10:47 +00:00
Evan Hunt
b9f4a1b029 Reduce code duplication
combined named_server_togglequerylog() and
named_server_toggleresponselog() into named_server_setortoggle().

(cherry picked from commit c4b7dce376)
2024-09-30 00:10:47 +00:00
Mark Andrews
3968813724 Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to differentiate queries from
responses.

(cherry picked from commit 5fad79c92f)
2024-09-30 00:10:47 +00:00
Aram Sargsyan
5db2ec0739 [9.20] fix: dev: Add a missing rcu_read_unlock() call on exit path
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.

Backport of MR !9561

Merge branch 'backport-aram/add-missing-rcu_read_unlock-in-dns_dispatch_add-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9564
2024-09-27 14:29:46 +00:00
Aram Sargsyan
346850954c Add a missing rcu_read_unlock() call on exit path
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.

(cherry picked from commit 4123d59fbc)
2024-09-27 13:53:31 +00:00
Ondřej Surý
5e6594b1f7 [9.20] dev: Add full Alessio's name to .mailmap to fix some of the older commits
Backport of MR !9557

Merge branch 'backport-ondrej/add-alessio-to-.mailmap-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9558
2024-09-26 11:55:07 +00:00
Ondřej Surý
6444583f65 Add full Alessio's name to .mailmap to fix some of the older commits
(cherry picked from commit 1bc9eb0fc8)
2024-09-26 11:51:08 +00:00
Mark Andrews
dad3fafe9e [9.20] new: usr: Added WALLET type
Add the new record type WALLET (262).  This provides a mapping from a domain name to a cryptographic currency wallet.  Multiple mappings can exist if multiple records exist.

Closes #4947

Backport of MR !9521

Merge branch 'backport-4947-add-wallet-type-to-named-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9554
2024-09-25 12:49:22 +00:00
Mark Andrews
00287db8ed Add examples of WALLET records
(cherry picked from commit 9b358e6e8b)
2024-09-25 12:07:52 +00:00
Mark Andrews
c6045acc41 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:52 +00:00
Aram Sargsyan
d35f654d67 [9.20] fix: usr: Fix the 'rndc dumpdb' command's error reporting
The 'rndc dumpdb' command wasn't reporting errors which
occurred when starting up the database dump process by named,
like, for example, a permission denied error for the
'dump-file' file. This has been fixed. Note, however, that
'rndc dumpdb' performs asynchronous writes, so errors can
also occur during the dumping process, which will not be
reported back to 'rndc', but which will still be logged by
named.

Closes #4944

Backport of MR !9547

Merge branch 'backport-4944-rndc-dumpdb-do-not-ignore-errors-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9553
2024-09-25 10:05:52 +00:00
Aram Sargsyan
cc038054e1 Test 'rndc dumpdb' with an unwritable dump-file
Check that with a preexisting dump file without a write permission
no actual dump happens, and rndc returns an error result.

Also add a couple of missing entries in the cleaning script.

(cherry picked from commit 63bddd7192)
2024-09-25 09:11:49 +00:00
Aram Sargsyan
782a570052 Do not ignore named_server_dumpdb() result code
The named_server_dumpdb() function, which is called when a 'rndc dumpdb'
command is issued, returns a 'isc_result_t' result code and it has been
always ignored since its introduction in
eb8713ed94, where it was still called
ns_server_dumpdb(). The original reasoning is not preserved, but it could
have been also a simple copy-paste mistake, as there are commands, which
return 'void' and require manually setting 'result = ISC_R_SUCCESS;', as
it was done here. Anyway, named will now return the actual result, and
'rndc' will report an error, when the 'dumpdb' command fails.

(cherry picked from commit 8b866ba8a0)
2024-09-25 09:11:49 +00:00
Nicki Křížek
12fe4d9f75 [9.20] chg: doc: Track changes in separate files
Keep the changelog for each version in a separate source file to avoid
rebase conflicts when handling the -S version.

---

Related !9549 

Closes #4946

Merge branch 'nicki/reorganize-changelog-docfiles-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9550
2024-09-24 14:59:54 +00:00
Nicki Křížek
55af00f6d5 Fix changelog entry for [GL #4759] 2024-09-24 16:13:50 +02:00
Nicki Křížek
9accdf345f Generate changelog to stdout
Since the changes aren't tracked in the single changelog.rst file,
generate the changelog to stdout instead, so it can be easily redirected
to the proper file.
2024-09-24 16:13:50 +02:00
Nicki Křížek
5e771e7735 Track changes in separate files
Keep the changelog for each version in a separate source file to avoid
rebase conflicts when handling the -S version.
2024-09-24 16:13:50 +02:00
Nicki Křížek
2258bd1518 [9.20] chg: ci: Increase the load TCP/DoT shotgun perf tests
Due to the recent improvements to the TCP processing, much higher loads
can be handled by BIND9 without causing client timeouts. The updated
parameters give us useful data for both cold and hot cache testing.

Backport of MR !9494

Merge branch 'backport-nicki/increase-tcp-dot-shotgun-load-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9548
2024-09-24 11:52:55 +00:00
Nicki Křížek
c4ba41f498 Increase the load TCP/DoT shotgun perf tests
Due to the recent improvements to the TCP processing, much higher loads
can be handled by BIND9 without causing client timeouts. The updated
parameters give us useful data for both cold and hot cache testing.

(cherry picked from commit e89afd3349)
2024-09-24 11:17:43 +00:00
Mark Andrews
b30274bc8c [9.20] fix: test: Check read value in upforwd/ans4
The ans4 server wasn't shutting down cleanly sometimes.  Check that read returns the
expected value for the message length or exit read loop.

Closes #4301

Backport of MR !9537

Merge branch 'backport-4301-check-read-value-in-ans4-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9545
2024-09-24 09:23:57 +00:00
Mark Andrews
2952f8339d Check read value in upforwd/ans4
The ans4 server wasn't shutting down cleanly sometimes.  Check that
read returns the expected value for the message length or exit read
loop.

(cherry picked from commit 21baad0a8f)
2024-09-24 07:29:29 +00:00
Michal Nowak
7c8f0afd44 [9.20] chg: test: Downgrade "timeout" and "attempts" arguments in shutdown
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.

Also, see isc-projects/bind9#4943.

Backport of MR !9507

Merge branch 'backport-mnowak/shutdown-downgrade-timeout-and-attempts-arguments-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9541
2024-09-23 16:16:02 +00:00
Michal Nowak
e7dd232320 Print correct udp/tcp function name in generic_query()
(cherry picked from commit 1c637e96d1)
2024-09-23 15:40:40 +00:00
Michal Nowak
69b116b788 Downgrade "timeout" and "attempts" arguments in shutdown
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.

(cherry picked from commit 463ab2f3f5)
2024-09-23 15:40:39 +00:00
Michal Nowak
f4489d0ded [9.20] chg: ci: Exclude some RPZ files from long stress test artifacts
This fixes 6f86885304, that excluded files
only from short stress tests.

Validation jobs:
- [x] short - [#4756989](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4756989/artifacts/browse/output/ns4/)
- [x] long - [#4757196](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4757196/artifacts/browse/output/ns4/)

Backport of MR !9522

Merge branch 'backport-mnowak/exclude-some-rpz-files-from-long-stress-tests-artifacts-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9538
2024-09-23 12:25:11 +00:00
Michal Nowak
aed660e57d Exclude some RPZ files from long stress test artifacts
This fixes 6f86885304, that excluded files
only from short stress tests.

(cherry picked from commit 871eeed519)
2024-09-23 11:20:49 +00:00
Ondřej Surý
c511535b72 [9.20] chg: ci: Update code formatting
Backport of MR !9533

Merge branch 'backport-nicki/update-code-format-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9534
2024-09-21 11:20:07 +00:00
Nicki Křížek
7bb0a15578 Ignore clang-format reformatting commit
(cherry picked from commit 28d4e866c7)
2024-09-21 12:45:45 +02:00