A mix of supported and unsupported DNSSEC algorithms in the same zone could have caused validation failures. Ignore the DNSSEC keys with unsupported algorithm when looking for the signing keys.
Closes#5622
Merge branch '5622-dont-fail-on-unsupported-algorithms' into 'main'
See merge request isc-projects/bind9!11208
When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search. Instead, skip
such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Closes#5606
Merge branch '5606-fix-assertion-failure-in-overmem-cleaning' into 'main'
See merge request isc-projects/bind9!11166
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
Full removal of pre-2.0.0 `dnspython` support is planned for after 9.18
goes EoL.
Merge branch 'stepan/require-dnspython-2-for-asyncserver' into 'main'
See merge request isc-projects/bind9!11191
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.
Remove pytest.importskip from top scope in isctest.name, only run the
check when ZoneAnalyzer is used.
Add a new GitLab CI job that automatically generates post-disclosure
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates T-1 packager
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates public T-5
pre-announcements for BIND 9 security releases based on the metadata for
the current release cycle.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of security releases in a given release cycle in case
autodetection fails for any reason.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of CVE IDs fixed in a given release cycle in case
autodetection fails for any reason.
Extract common YAML keys used by release-related job definitions into
reusable anchors to ensure consistency and limit repetition across
multiple similar jobs.
`named-checkconf` now supports the command line switch `-b`, which prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Closes#1326
Merge branch '1326-named-checkconf-builtin' into 'main'
See merge request isc-projects/bind9!11177
`named-checkconf` now supports the command line switch `-b`, which
prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Previously, :iscman:`dig` could exit with an assertion failure when the server was specified before the :option:`dig -b` option. This has been fixed.
Closes#5609
Merge branch '5609-fix-dig-crash-with-at-and-dash-b-on-main' into 'main'
See merge request isc-projects/bind9!11183
Check that dig doesn't exit with an assertion failure when a IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
Previously, if there's no more server to try in force_next,
it attempted to retry the current server similar to a query
timeout case. But, force_next() is called only when the
current server's address is unusable and the query was not
even sent, so recvcount was not incremented, causing an
assertion failure.
We might be able to fix it so the retry doesn't cause a crash,
but it doesn't make sense to retry the server when its address
is known to be unusable. So, simply avoiding the retry would be
the easiest and safest way to prevent the crash.
Without this, start_udp or start_tcp would trigger an assertion
failure. Detaching it at this point is also consistent with
other failure handling cases, such as in recv_done.
Extended DNS Error 24 (Invalid Data) is returned when the server cannot answer data for a zone it is configured for. This occurs typically when an authoritative server does not have loaded the DB of a configured zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
See #1836
Merge branch 'colin/ede24' into 'main'
See merge request isc-projects/bind9!11169
When a (secondary) zone is expired, the log message `<zone> expired` is
printed and the flag `DNS_ZONEFLG_EXPIRED` is set. Change the order by
setting the expired flag first, then printing the log.
This should fixes (rare but persistent) timing-related CI error when the
EDE 24 tests expect the zone to be expired (from the log) and
immediately after request and expect an EDE 24 error. (In some rare
cases, the server was still answering the response).
Add system test covering EDE 24 being added in the response in both
common cases: when the server has not loaded the DB of a zone and when
the zone has expired (secondary).
Extended DNS Error 24 (Invalid Data) is returned when the server cannot
answer data for a zone it is configured for. This occurs typically when
an authoritative server does not have loaded the DB of a configured
zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
If `query_getzonedb()` finds a zone but the zone is expired it
immediately returns `DNS_R_EXPIRED` and doesn't attempt to get the zone
DB (which would be NULL in this case).
This enable caller to have a more precise reason of why getting the DB
has failed.
Introduce the `dns_zone_isexpired()` API which returns `true` when a
secondary, mirror, etc. zone is expired.
This internally use the `DNS_ZONEFLG_EXPIRED` which was already set when
the zone gets expired, but never used.
The flag `DNS_ZONEFLG_EXPIRED` is also now cleared when the expiration
time of the zone is updated and in the future.
CID 638286: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->notifyctx.notify_acl" without holding
the lock "dns_zone.lock". Elsewhere, reading this data does have the
lock, so it makes sense that in the getter function this must also be
so. However, the function is unused so we can just remove it.
CID 638287: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->locked" without holding the lock
"dns_zone.lock". I think this is a false positive as "dns__zone_lock()"
and "dns__zone_unlock() are wrappers around "LOCK_ZONE()" and
"UNLOCK_ZONE()" and where these macros were used they were only
replaced with the internal zone functions. Moreover, "zone->locked"
is only accessed in these macros (and "TRYLOCK_ZONE()" and
"LOCKED_ZONE()").
Changes introduced by 72862c2a moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Merge branch 'colin/fix-reuseport-default' into 'main'
See merge request isc-projects/bind9!11180
Changes introduced by 72862c2abc moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Move notify code in separate source files in preparation for support of generalized DNS notifications.
Merge branch 'matthijs-refactor-notify-code-2' into 'main'
See merge request isc-projects/bind9!11146
Move dns_notify_destroy, dns_notify_log, dns_notify_cancel,
dns_notify_queue, dns_notify_isqueued, dns_notify_find_address, and
notify related static functions over to the notify source files.
Part of refactoring zone.c is to move the notify code into its own
source files. This commit initiates this work by creating notify.[c,h]
and move notify_create() and the notify state and context there.
The function notify_create() cannot fail, so it can return void instead
of isc_result_t.
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
Merge branch '5442-ixfr-no-log-alloc' into 'main'
See merge request isc-projects/bind9!11178
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
The built-in configuration is actually used in two cases: first, when the server is loaded (or reloaded), and second when `rndc showconf -builtin` is called.
Considering the parsing of the builtin configuration is quick and does not occur during exclusive mode, but the configuration tree takes considerable memory space, the built-in configuration is no longer kept in memory once it has been used; instead it is re-parsed on demand.
Merge branch 'colin/not-persist-builtin-config' into 'main'
See merge request isc-projects/bind9!11187
The built-in configuration is actually used in two cases: first, when
the server is loaded (or reloaded), and second when
'rndc showconf -builtin' is called.
Considering the parsing of the builtin configuration is quick and does
not occur during exclusive mode, but the configuration tree takes
considerable memory space, the built-in configuration is no longer kept
in memory once it has been used; instead it is re-parsed on demand.
Once the user configuration has been merged into the effective configuration, it no longer needs to be accessed as a configuration tree, but we still want to be able to show it with `rndc showconf -user`.
Because the recursive strucure of `cfg_obj` objects is fairly large, the canonical text form is a fraction of the size of the configuration tree, so we now save it in that form instead.
Merge branch 'each-userconfig-text' into 'main'
See merge request isc-projects/bind9!11185
once the user configuration has been merged into the effective
configuration, it no longer needs to be accessed as a configuration
tree, but we still want to be able to show it with 'rndc showconf -user'.
because the recursive strucure of cfg_obj objects is fairly large, the
canonical text form is a fraction of the size of the configuration
tree, so we now save it in that form instead.
Instead of having `isc_sockaddr`, `isc_netaddr`, and `isccfg_duration` members in the `cfg_obj->value`
union, we now just keep pointers to them, and allocate memory when parsing these types. This reduces the
size of `cfg_obj_t` from 112 bytes to 72.
Merge branch 'each-refactor-cfg-obj' into 'main'
See merge request isc-projects/bind9!11186
instead of having sockaddr and netaddr members in the cfg_obj->value
union, we now just keep pointers, and allocate memory when parsing
these types. this reduces the size of cfg_obj_t from 112 to 80 bytes.
