Commit graph

35031 commits

Author SHA1 Message Date
Michał Kępień
7db230d6bf Set up release notes for BIND 9.16.38 2023-01-13 15:41:30 +01:00
Michał Kępień
265dbeb3f2 Update BIND version to 9.16.38-dev 2023-01-13 15:41:30 +01:00
Ondřej Surý
afc49c62e0 Merge branch '3744-catz-small-update-to-large-catz-causes-cpu-spike' into 'v9_16'
[9.16] Increase catalog zone entries hash table's bits size

See merge request isc-projects/bind9!7357
2023-01-11 18:06:11 +00:00
Aram Sargsyan
60dece8277 Increase catalog zone entries hash table's bits size
The hash table implementation in the current branch does not
support automatic resize operation, so the initial value of
the table should be chosen carefully.

Catalog zones entries hash table's size is currently only 4 bits,
which is very low for a catalog zone with thousands of entries,
and causes CPU consumption spikes when working with the hash
table to add/delete/search entries.

Use 16 bits instead, which should make working with big catalog
zones much faster at the expense of slightly higher memory usage,
i.e. 512 KiB for a 64-bit system for each catalog zone.
2023-01-11 17:26:26 +00:00
Arаm Sаrgsyаn
5823dacba8 Merge branch 'aram/dns_fwdtable_addfwd-cleanup-bugfix-v9_16' into 'v9_16'
[9.16] Fix dns_fwdtable_addfwd() error path cleanup bug

See merge request isc-projects/bind9!7353
2023-01-11 14:15:20 +00:00
Aram Sargsyan
144135415b Use sizeof(*ptr) for allocating/freeing memory in forward.c
As shown in the previous commit, using sizeof(type_t) is a little
bit more error-prone when copy-pasting code, so extracting the
size information from the pointer which is being dealt with seems
like a better alternative.

(cherry picked from commit cf4003fa58)
2023-01-11 13:42:00 +00:00
Aram Sargsyan
1950629ffa Fix dns_fwdtable_addfwd() error path cleanup bug
Free 'sizeof(dns_forwarder_t)' bytes of memory instead of
'sizeof(dns_sockaddr_t)' bytes, because `fwd` is a pointer
to a 'dns_forwarder_t' type structure.

(cherry picked from commit 0cc1b06d98)
2023-01-11 13:42:00 +00:00
Arаm Sаrgsyаn
56281e968d Merge branch '3768-dns_zonemgr-use-after-free-v9_16' into 'v9_16'
[9.16] Fix a use-after-free bug in dns_zonemgr_releasezone()

See merge request isc-projects/bind9!7352
2023-01-11 13:01:40 +00:00
Aram Sargsyan
1cab382d17 Add a CHANGES note for [GL #3768]
(cherry picked from commit d50cb1d45d)
2023-01-11 12:17:38 +00:00
Aram Sargsyan
272afcd999 Fix a use-after-free bug in dns_zonemgr_releasezone()
The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its references count, after decreasing it) inside
a lock, and then destroys the object outside of the lock.

This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.

Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.

(cherry picked from commit c1fc212253)
2023-01-11 12:17:27 +00:00
Evan Hunt
f57d21c01a Merge branch '3773-remove-dscp-v9_16' into 'v9_16'
[9.16] deprecate dscp configuration

See merge request isc-projects/bind9!7337
2023-01-10 19:46:39 +00:00
Evan Hunt
288e7332ed CHANGES and release note for [GL #3773] 2023-01-10 11:16:18 -08:00
Matthijs Mekking
0656395f25 Test deprecate dscp configuration
Add 'dscp' token and 'option' to deprecated.conf. It should trigger warnings
(except when deprecation warnings are being ignored).
2023-01-10 11:16:18 -08:00
Evan Hunt
0b40df8f8a deprecate dscp configuration
This commit deprecates the "dscp" configuration option and "dscp"
parameters to source-address configuration options (query-source,
transfer-source, etc.

(Note that the DSCP feature has not been fully operational since
the network manager was introduced in 9.16.0; outgoing DSCP values
can be configured, but incoming DSCP values are not detected.)
2023-01-10 11:16:18 -08:00
Michal Nowak
e929b3b54a Merge branch 'mnowak/abort-on-ubsan-errors-v9_16' into 'v9_16'
[9.16] Abort on UBSAN errors

See merge request isc-projects/bind9!7328
2023-01-10 10:23:28 +00:00
Michal Nowak
b276e76130
Abort on UBSAN errors
Previously, UBSAN errors might slip undetected.

(cherry picked from commit 1451bb7390)
2023-01-10 10:17:37 +01:00
Mark Andrews
7c51096f8b Merge branch '3787-siphash-c-105-26-runtime-error-applying-zero-offset-to-null-pointer-v9_16' into 'v9_16'
[9.16] Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24

See merge request isc-projects/bind9!7342

Backport of MR !7339
2023-01-10 08:18:01 +00:00
Mark Andrews
f1c08fe93b Accept 'in=NULL' with 'inlen=0' in isc_{half}siphash24
Arthimetic on NULL pointers is undefined.  Avoid arithmetic operations
when 'in' is NULL and require 'in' to be non-NULL if 'inlen' is not zero.

(cherry picked from commit 349c23dbb7)
2023-01-10 18:36:27 +11:00
Mark Andrews
cc11456017 Merge branch '3788-rbt-c-187-19-runtime-error-applying-zero-offset-to-null-pointer' into 'v9_16'
Resolve "rbt.c:187:19: runtime error: applying zero offset to null pointer"

See merge request isc-projects/bind9!7340
2023-01-10 07:19:39 +00:00
Mark Andrews
2a9300a3bc Don't perform arithmetic on NULL pointers
When node is NULL when calling getparent() et al. they return NULL
but performing arithmetic on the NULL pointer is undefined.  Check
if 'node' or 'header' is NULL and skip the adjustment.
2023-01-10 17:45:51 +11:00
Matthijs Mekking
802f700d5a Merge branch '3678-serve-stale-servfailing-unexpectedly-v9_16' into 'v9_16'
[9.16] Add serve-stale CNAME check with stale-answer-client-timeout off

See merge request isc-projects/bind9!7311
2023-01-09 13:31:24 +00:00
Michał Kępień
ba1306bfb4 Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba1 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():

    query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
            if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
                                    ^~~~~~~~~~~~~~~~~~~
    1 warning generated.

The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume().  This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt.  Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.

(cherry picked from commit 07592d1315)
(cherry picked from commit a4547a1093)
2023-01-09 13:57:44 +01:00
Aram Sargsyan
36a439b91e Add a CHANGES note for [GL #3678]
(cherry picked from commit 40dee61a1e)
2023-01-09 13:57:44 +01:00
Matthijs Mekking
2696267b1f Consider non-stale data when in serve-stale mode
With 'stale-answer-enable yes;' and 'stale-answer-client-timeout off;',
consider the following situation:

A CNAME record and its target record are in the cache, then the CNAME
record expires, but the target record is still valid.

When a new query for the CNAME record arrives, and the query fails,
the stale record is used, and then the query "restarts" to follow
the CNAME target. The problem is that the query's multiple stale
options (like DNS_DBFIND_STALEOK) are not reset, so 'query_lookup()'
treats the restarted query as a lookup following a failed lookup,
and returns a SERVFAIL answer when there is no stale data found in the
cache, even if there is valid non-stale data there available.

With this change, query_lookup() now considers non-stale data in the
cache in the first place, and returns it if it is available.

(cherry picked from commit 91a1a8efc5)
2023-01-09 13:57:43 +01:00
Aram Sargsyan
869abb768b Add serve-stale CNAME check with stale-answer-client-timeout off
Prime the cache with the following records:

    shortttl.cname.example.	1	IN	CNAME	longttl.target.example.
    longttl.target.example.	600	IN	A	10.53.0.2

Wait for the CNAME record to expire, disable the authoritative server,
and query 'shortttl.cname.example' again, expecting a stale answer.

(cherry picked from commit 537187bf2f)
2023-01-09 13:57:43 +01:00
Tony Finch
d14a22b3d9 Merge branch '3745-delzone-catz-v9_16' into 'v9_16'
[9.16] Don't crash when rndc delzone encounters a catz member

See merge request isc-projects/bind9!7298
2023-01-04 19:32:40 +00:00
Tony Finch
01788b8852 Don't crash when rndc delzone encounters a catz member
Try to remove the zone from the NZF config only if it was
dynamically added but not by a catalog zone.

(cherry picked from commit 9fa20d6f6c)
2023-01-04 18:04:53 +00:00
Michał Kępień
e255032a67 Merge branch 'michal/update-copyright-year-to-2023-v9_16' into 'v9_16'
[9.16] Update copyright year to 2023

See merge request isc-projects/bind9!7284
2023-01-02 13:30:04 +00:00
Michał Kępień
f7bd3bd2b6 Update copyright year to 2023
(cherry picked from commit 1a5d707f52)
2023-01-02 14:24:23 +01:00
Tom Krizek
9d18a5b496 Merge branch 'tkrizek/default-alg-9.16-fixes' into 'v9_16'
[9.16] Skip test algorithm randomization in certain cases

See merge request isc-projects/bind9!7268
2022-12-23 12:07:38 +00:00
Tom Krizek
28b6171424
Don't check algorithm support during configure step
The 9.16 version of ./configure calls bin/tests/system/cleanall.sh
unless --without-make-clean is used. The cleanall.sh script then
includes bin/tests/system/conf.sh, which includes
bin/tests/system/conf.sh.common. At that point, dnssec-keygen which is
used to detect algorithm support isn't compiled, so it can't be used.

More importantly, algorithm selection for system tests during the
./configure phase is irrelevant, so it can be safely skipped.
2022-12-23 12:37:48 +01:00
Tom Krizek
6950dfe003
Disable test algorithm randomization if Python is missing
This change is motivated by the fact that our Windows CI image doesn't
have a Python interpreter.
2022-12-23 12:37:46 +01:00
Tom Krizek
9e895462d1 Merge branch 'tkrizek/dangerfile-backport-tweaks-v9_16' into 'v9_16'
[9.16] danger CI: tweak backport check and add Affects label check

See merge request isc-projects/bind9!7271
2022-12-23 08:58:39 +00:00
Tom Krizek
122c3f00e9
danger: check the Affects labels are set
Unless the MR is a backport, the Affects labels should be used to
indicate which versions are affected by the issue that prompted the MR.

(cherry picked from commit 64d71a1f5f)
2022-12-23 09:53:34 +01:00
Tom Krizek
413e94f2ca
danger: check version in MR title
Enforce the version indicator to be at the start of the MR title.

(cherry picked from commit d1172e011c)
2022-12-23 09:53:31 +01:00
Tom Krizek
fe08c7aa81 Merge branch 'tkrizek/default-alg-fixups-v9_16' into 'v9_16'
[9.16] Fix minor issues with DEFAULT_ALGORITHM selection in system tests

See merge request isc-projects/bind9!7267
2022-12-22 15:20:38 +00:00
Tom Krizek
527c69e2c9
Make Perl interpreter required for system tests
This change has no practical impact, as Perl was already required for
all system tests, this check only makes it more explicit.

(cherry picked from commit 084d72d1d5)

conf.sh.win32 was modified in addition of the mentioned commit.
2022-12-22 15:54:19 +01:00
Tom Krizek
2b93b47c32
Ensure test interpreters are defined before common config
Nothing from conf.sh.common is required to set these values. On the
contrary, a Python interpreter needs to be set in order to randomize the
algorithm set (which happens in conf.sh.common).

(cherry picked from commit 492992dca8)

conf.sh.win32 was modified in addition of the above mentioned commit.
2022-12-22 15:54:19 +01:00
Tom Krizek
4b32c5608a
Force quiet mode when using testcrypto.sh directly
When testcrypto.sh is used as a standalone script, always use quiet mode
to avoid using undefined commands (such as echo_i) which require
inclusion of the entire conf.sh machinery.

(cherry picked from commit ba35a6df9c)
2022-12-22 15:54:17 +01:00
Tom Krizek
d9471c5f3c Merge branch '3503-random-default-algorithm-in-tests2-v9_16' into 'v9_16'
[9.16] Random selection of DEFAULT_ALGORITHM in system tests at runtime

See merge request isc-projects/bind9!7265
2022-12-22 14:54:01 +00:00
Tom Krizek
0eb789efba
ci: disable algorithm support checking in softhsm
The algorithm support detection script doesn't seem to work when using
the SoftHSM module. For some reason, dnssec-keygen returns 'crypto
failure'. Since the tests themselves pass, this is likely to be some
bug/definiency in the test scripts that check algorithm support that get
confused by SoftHSM.

Since this issue only happens for the system:gcc:softhsm2.6 job in the
9.16 branch, use a workaround to not introduce this new feature for
this particular problematic job.
2022-12-22 15:17:41 +01:00
Tom Krizek
7324a7b5e4
Randomize algorithm selection for mkeys test
Use the ALGORITHM_SET option to use randomly selected default algorithm
in this test. Make sure the test works by using variables instead of
hard-coding values.

(cherry picked from commit f65f276f98)
2022-12-22 15:17:41 +01:00
Tom Krizek
aa5453f5e5
Set algorithms for system tests at runtime
Use the get_algorithms.py script to detect supported algorithms and
select random algorithms to use for the tests.

Make sure to load common.conf.sh after KEYGEN env var is exported.

(cherry picked from commit 69b608ee9f)
2022-12-22 15:17:41 +01:00
Tom Krizek
34497e2350
Script for random algorithm selection in system tests
Multiple algorithm sets can be defined in this script. These can be
selected via the ALGORITHM_SET environment variable. For compatibility
reasons, "stable" set contains the currently used algorithms, since our
system tests need some changes before being compatible with randomly
selected algorithms.

The script operation is similar to the get_ports.py - environment
variables are created and then printed out as `export NAME=VALUE`
commands, to be interpreted by shell. Once we support pytest runner for
system tests, this should be a fixture instead.

(cherry picked from commit 5f480c8485)
2022-12-22 15:17:41 +01:00
Tom Krizek
d45aa7581e
Export env variables in system tests
Certain variables have to be exported in order for the system tests to
work. It makes little sense to export the variables in one place/script
while they're defined in another place.

Since it makes no harm, export all the variables to make the behaviour
more predictable and consistent. Previously, some variables were
exported as environment variables, while others were just shell
variables which could be used once the configuration was sourced from
another script. However, they wouldn't be exposed to spawned processes.

For simplicity sake (and for the upcoming effort to run system tests
with pytest), export all variables that are used. TESTS, PARALLEL_UNIX
and SUBDIRS variables are automake-specific, aren't used anywhere else
and thus not exported.

(cherry picked from commit 37d14c69c0)

conf.sh.win32 was modified in addition of the above mentioned commit.
2022-12-22 15:17:41 +01:00
Tom Krizek
4d74430259
Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-12-22 15:17:41 +01:00
Tom Krizek
28815949f8
Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-12-22 15:17:39 +01:00
Tom Krizek
09ec13097f BIND 9.16.36
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQenrxMWseszT2nKSgBYjubZSogpwUCY5c/RAAKCRABYjubZSog
 p4gnAQD4xJh1/+BZ98ox0eKbLG95Y1vNSa8Sfj7g99WMPXZ9xwD/YSnCkiPALrvs
 UXrT/oVnI4vC/MardpV42QoZG8pitwQ=
 =Re69
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQQenrxMWseszT2nKSgBYjubZSogpwUCY6QagAAKCRABYjubZSog
 p1NjAQDw2Z4RPrzGsNTG0KfTizde35McYMiKxKqeDmZXKesq5wEA4RZoBlyJGXrY
 RXf+hJxqwRg7uh6IUz8bQ8HPUd38HAI=
 =HuoN
 -----END PGP SIGNATURE-----

Merge tag 'v9_16_36' into v9_16

BIND 9.16.36
2022-12-22 09:51:08 +01:00
Tom Krizek
6770e16d8c Merge branch 'tkrizek/system-tests-conventions-v9_16' into 'v9_16'
[9.16] Unify system tests naming conventions

See merge request isc-projects/bind9!7258
2022-12-21 13:37:34 +00:00
Tom Krizek
18e2298ed3
Update tests gitignore file
The .mypy_cache was added to the system test dir gitignore, since it
should be ignored.

(cherry picked from commit 4145068bfa)
2022-12-21 13:58:24 +01:00