Commit graph

4288 commits

Author SHA1 Message Date
Ondřej Surý
173255127f Add the tcp-reuse-timeout option
The idle timeout that bounds how long a reused outgoing TCP/TLS
connection is held open for reuse was only tunable through the 'named -T
tcpidletimeout' developer hook added earlier on this branch. Make it a
proper configuration option, tcp-reuse-timeout (options block, in units
of 100 milliseconds like the other tcp-*-timeout options), and drop the
-T hook.

(cherry picked from commit 477130cf8e)
2026-06-25 11:37:51 +02:00
Ondřej Surý
dc78507aa0 Keep idle reused outgoing TCP connections under read
A reused TCP/TLS dispatch with no outstanding responses was left in the
reuse pool with no read pending, so a peer closing the idle connection
went unnoticed: the socket lingered in CLOSE-WAIT and the dead dispatch
was later handed to a new query, which failed and the fetch timed out.
Keep a read pending on an idle connected dispatch, bounded by an idle
timeout, so the close is seen promptly and the connection is dropped
from the pool instead of reused.

The idle read may only be (re)armed while the dispatch is still
connected; arming it on a dispatch that is already shutting down
re-reads a dying handle and double-schedules a netmgr job.

On shutdown, close the connection as soon as the dispatch reaches its
terminal state instead of waiting for the last reference to drop, so an
unexpected read (or a peer-side close) cannot leave the socket in
CLOSE-WAIT while a reference still lingers.

(cherry picked from commit febeac215d)
2026-06-25 11:37:51 +02:00
Michal Nowak
20197027a1 Print OS platform in "named -V"
The "running on" line emitted by `named -V` (as well as the startup
log and `rndc status`, which share the same source) now appends the
PRETTY_NAME value from /etc/os-release in parentheses after the uname
output, e.g.:

    running on Linux x86_64 6.19.14-... (Fedora Linux 42 (Workstation Edition))

This helps disambiguate environments where the kernel string is not a
reliable indicator of the userspace, such as RHEL clones and
containers whose kernel does not match the host OS.

When /etc/os-release is absent, /usr/lib/os-release is tried as a
fallback per the systemd os-release(5) specification. When neither is
available or no PRETTY_NAME is found, the output is unchanged.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit b5ca9d3372)
2026-06-24 17:52:30 +02:00
Ondřej Surý
4467823700 Fix invalid free in statistics-channel JSON renderer
wrap_jsonfree() called json_object_put() on the response-body buffer
base, which is the JSON string returned by
json_object_to_json_string_ext(), not a struct json_object.  The root
object is already passed in as the callback argument; release only
that.

(cherry picked from commit f39089576a)
2026-06-24 15:39:24 +02:00
Michal Nowak
db441f662d Avoid writing through a const pointer in render_xsl()
render_xsl() cast away the const of the static xslmsg stylesheet and
passed it to isc_buffer_reinit(), which memmove()s into the base when
the buffer is non-empty -- a write to read-only memory that -fanalyzer
flags (-Wanalyzer-write-to-const).  It only stayed safe because the
body buffer is always empty here.

Use isc_buffer_constinit(), which never writes to the base, and assert
the empty-buffer contract with REQUIRE(isc_buffer_length(b) == 0).

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit a8368cdf17)
2026-06-24 09:31:30 +00:00
Alessio Podda
a5bc4955c7 Only print per zone glue cache stats when zone-statistics is full
The code printing glue cache statistics was ignoring the
zone-statistics option. This has been fixed.

(cherry picked from commit f655b6af84)
2026-06-17 14:35:40 +00:00
Aram Sargsyan
cdceadf3f1 Fix DoH quota global variables type
The 'named_g_http_listener_clients' and 'named_g_http_streams_per_conn'
global variables are defined as 'in_port_t', which is usually 16 bits,
but both the readers and the writers of those variables use 'uint32_t'
as the target/source, which can result in truncation.

Use correct types.

(cherry picked from commit 281660ecc1)
2026-06-11 11:33:33 +00:00
Michal Nowak
84f5610d4f Fix wrong variable in named_server_sync() log message
named_server_sync() logged isc_result_totext(result) but returns
tresult. The loop accumulates errors into tresult, so result only
holds the last iteration's value. If the last view succeeded but an
earlier one failed, the log would incorrectly say "success".

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 1b984b1f11)
2026-06-01 17:43:58 +02:00
Andoni Duarte
3d293e2a1e Merge tag 'v9.20.23' into bind-9.20 2026-05-20 10:18:28 +00:00
Ondřej Surý
38dd0e0ccc Switch UDP fetches to TCP on the first response with a wrong query id
Until now, the dispatcher silently dropped UDP responses from the
expected peer that carried the wrong DNS message id and kept listening
for the correct id to arrive within the read timeout.  An off-path
attacker who knows the destination address and source port of an
outgoing fetch could exploit that quiet retry window to flood the
resolver with guessed responses; with a gigabit link the per-query
success probability grows linearly with the number of guesses that
arrive before the legitimate answer or the timeout.

Treat any such mismatch as a possible spoofing attempt and let the
resolver immediately retry the same query over TCP, the same control
path the truncation handler already uses.

Add a resolver statistics counter - exposed as 'queries retried over TCP
after a response with mismatched query id' in rndc stats and
'MismatchTCP' in the statistics channel

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 11bca1051f)
2026-05-15 08:49:19 +02:00
Mark Andrews
ace68e3dea Disable output escaping in bind9.xsl
The statistics charts where not displaying on some browsers (e.g. Chrome)
due to '>' being escaped as '>'.  Use disable-output-escaping="yes" to
turn this off.

(cherry picked from commit 9b6c018425)
2026-05-15 15:36:41 +10:00
Evan Hunt
aecc27189f
Test UPDATE behavior in CHAOS and other non-IN classes
Send various UPDATE requests that are known to have caused
crashes previously with deliberately misconfigured non-IN
zones; confirm that UPDATE is not processed.

(cherry picked from commit e2f7ba2a4b6e7e5dba2fb1a2c9b2f0323e9a88be)
2026-05-07 13:09:18 +02:00
Evan Hunt
134706912f
Disable UPDATE and NOTIFY for non-IN classes
Return NOTIMP for UPDATE and NOTIFY requests received for views with a
class other than IN.  Only QUERY is now supported for non-IN views such
as CHAOS.

When running dns dns_rdata_tostruct() with types that are only defined
for class IN, ensure that the class is correct before proceeding.

Add an assertion that any zone being updated is of class IN. (Note
that previously, a DLZ zone could have its class value set incorrectly
to NONE; this has been fixed.)

This addresses YWH-PGM40640-70 and YWH-PGM40640-73 (as well as any
similar problems that might have occurred in the future) by minimizing
the code paths that can be reached by rdata classes other than IN, so it
is safe for the implementation to assume that rdatatypes that are only
defined for class IN, such as SVCB or WKS, have been parsed and
validated, and not accepted as unknown/opaque data.

Fixes: isc-projects/bind9#5777
Fixes: isc-projects/bind9#5779

(cherry picked from commit a6d8e330ed6cf0021bff3f00aa1dc7a296f5aec0)
2026-05-07 13:09:18 +02:00
Evan Hunt
95fc625d60
Disable recursion for non-IN classes
Force recursion off, and set allow-recursion/allow-recursion-on ACLs
to none, for views with a class other than IN. Log a configuration
warning if recursion is explicitly enabled for a non-IN view.

This addresses YWH-PGM40640-74 and YWH-PGM40640-75 by preventing any
attempt at recursive processing in a class-CHAOS view, ensuring that
server addresses used for recursive queries and received in recursive
responses are of the expected format.

Fixes: isc-projects/bind9#5780
Fixes: isc-projects/bind9#5781

(cherry picked from commit 7becff1a14684a68208c92b3b0315c045c05ad75)
2026-05-07 13:09:18 +02:00
Colin Vidal
1bedd7f244
Limit the number of addresses returned per ADB find
Add a hard limit on the number of addresses that ADB returns from a
single NS lookup (dns_adbfind_t).  This mitigates a flood attack
where an attacker controls a zone with many addresses for a
nameserver, each returning an invalid response.  The global
max-query count (default 50) also limits this, but significant harm
can be done before that limit is reached.

The default limit is now 6 (v4 and/or v6) addresses for an ADB find (so,
ADB looking up for A/AAAA addresses of a name server name). It can be
overridden for testing via 'named -T adbaddrslimit=N'.

(cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b)
2026-05-07 13:09:18 +02:00
Ondřej Surý
a3ba799eae Limit TCP pipelining per shared dispatch
Cap the number of in-flight queries on a single shared TCP dispatch.
When the limit is reached, the dispatch is removed from the hash
table so subsequent queries get a fresh connection.  The existing
dispatch continues serving its queries until they complete.

This bounds the blast radius of a connection drop: at most N queries
fail simultaneously instead of all queries to that server.

The default limit is 256.  It can be overridden for testing via
'named -T tcppipelining=N'.

(cherry picked from commit 385ceabe8f)
2026-05-06 15:05:48 +02:00
Ondřej Surý
88537d6d84 Run conn_cleanup on isccc_cc_towire failure in control_respond
The bare return left conn->secret, conn->response, conn->request, and
conn->text pinned until the connection itself was torn down — every
other error in the function reaches conn_cleanup via goto, and the
success path falls into the same label, so the towire-failure return
was the lone outlier.  Send it through the existing cleanup path.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 1b681dfa2f)
2026-04-30 07:33:28 +00:00
Ondřej Surý
1a4ec35e84 Fix inverted gethostname() check in rndc status
When named_os_gethostname() was replaced with raw gethostname(), the
success/failure polarity was flipped: the fallback to "localhost" now
runs on success and the hostname buffer is left uninitialized on
failure.  In the failure path, snprintf() then reads the uninitialized
stack buffer, disclosing stack contents via the rndc status reply.

(cherry picked from commit f7859247df)
2026-04-17 15:53:06 +00:00
Michał Kępień
b040b566fe Merge tag 'v9.20.21' into bind-9.20 2026-03-25 14:24:13 +00:00
JINMEI Tatuya
f2115e9d58 ensure rndc modzone succeeds twice for a zone in named.conf
If a zone is in named.conf, not originally added by rndc addzone,
rndc modzone for that zone succeeds once, but subsequent modzone
attempts fail. This is because do_modzone removes the zone config
from global or view options, but it would fail due to 'not found'
once the config is removed.

The fix is to ensure re-adding the updated zone config to the
global or view options. This also works as a more complete fix
for the issue 85453d3 atempted to solve, ensuring rndc showzone
shows the latest config: it now works for multple attemps of
modzone, and with named that is not built with LMDB.

The change in this commit relies on UNCONST in a few places.
That's not clean, but 'add/mod/delzone' generally seems to
need it (for example, delete_zoneconf uses it to modify the list
of zones). In that sense, this change follows the convention
(for a longer term, there may have to be a better API so that we
can modify config obtions that were once parsed).
2026-03-25 09:38:16 +01:00
JINMEI Tatuya
17416af248 Revert "Store zone config also on modzone"
This reverts commit 85453d393d.

This commit doesn't seem to be a complete solution of what
it appears to fix: showzone succeeds and shows the modified
config after first modzone, but subsequent attempts of modzone
fail (though not because of the commit being reverted), let
alone showing the correct new config.

Revering the change for now, and will provide a more comprehensive
fix in the next commit.
2026-03-24 16:39:36 +01:00
JINMEI Tatuya
2ec6f856e3 prevent named crash on rndc modzone for a zone in named.conf
If named is built without LMDB and has a zone in named.conf,
then rndc modzone for that zone triggers an assertion failure
unless there's already an NZF file. This is because load_nzf
doesn't create 'nzf_config' when NZF is missing, while a valid
nzf_config is assumed in do_modzone when it tries to add the
modified zone config to add_parser.

The crash is fixed by skipping the call to cfg_parser_mapadd when
nzf_config is NULL. Skipping it should be okay since the config stored
in add_parser would be needed only for subsequently deleting a zone by
rndc delzone when the zone was originally added by rndc addzone, but
in this case the zone was not 'added'. Checking if nzf_config is NULL
before using it also seems to be consistent with other parts of the
implementation.
2026-03-24 16:39:28 +01:00
Aram Sargsyan
77d60acb86 Convert dns_dtenv_t reference counting to standard macors
Use standard reference counting macros for dns_dtenv_t instead of
custom attach/detach functions.

(cherry picked from commit 4ac3a6520e)
2026-03-18 17:04:56 +00:00
Matthijs Mekking
85453d393d Store zone config also on modzone
'rndc modzone' deletes the old configuration. If we don't store the
new zone config, when we do a 'rndc showzone' it will be a failure.

This is not an issue in the 9.21 version, because of the effective
config behavior.
2026-03-17 09:51:18 +00:00
Matthijs Mekking
7e30d16e93 Don't call dns_zone_setadded() on modify
If we are modifiying the zone, the zone must have been added before.
Don't overwrite this value on modifications.

Also it feels cleaner to pass added=false to configure_zone() in
do_modzone().

(cherry picked from commit 780872e07e)
2026-03-17 09:51:18 +00:00
Matthijs Mekking
4a65095823 Only lock view->newzone.lock if not already locked
Some code paths try to lock an already locked view->newzone.lock.

For example, do_modzone() aqcuires the lock and then calls
delete_zoneconf(), that wants to acquire the same lock.

Add a parameter to delete_zoneconf() that informs the function if the
lock has already been acquired.

(cherry picked from commit 71587b0816)
2026-03-17 09:51:18 +00:00
Ondřej Surý
4a2048ea7f
Fix stack Use-After-Return in SIG(0) handling
The asynchronous SIG(0) handling improperly used srcaddr, and dstaddr
from the caller's stack and didn't attach to aclenv.  This could
possibly lead to ACL bypass as an invalid srcaddr could be matched or
possible assertion failure if the ACL environment would change between
the initial call and the SIG(0) processing due to the server
reconfiguration.  This has been fixed.

(cherry picked from commit b4b81deed9)
2026-03-13 13:49:48 +01:00
Michal Nowak
82991c7881
Use clang-format-22 to update formatting
(cherry picked from commit 239464f276)
2026-03-04 12:18:27 +01:00
Colin Vidal
ed184d8545 extends named -T so ADB settings can be tweaked
ADB entry window and ADB min cache time can be tweaked using `named -T
adbentrywindow=<unsigned int>` and `named -T adbmincache=<unsigned
int>`.

While those values doesn't needs to be exposed to the operator, this can
be needed to be able to system test ADB behaviors without having to wait
as long as those values are by default.

(cherry picked from commit e5f963262a)
2026-02-20 18:11:29 +01:00
Ondřej Surý
ae81ce723d
Rename isc_net_getudpportrange() to isc_net_getportrange()
This better reflects the true nature of the function as we are reading
the ephemeral port range which is not related to UDP at all.

(cherry picked from commit 295139f8ca)
2026-02-20 17:02:45 +01:00
Ondřej Surý
bad1e4a665
Implement IP_LOCAL_PORT_RANGE socket option for Linux
For Linux >= 6.8:

Since 2023, Linux has introduced a change to the IP_LOCAL_PORT_RANGE
socket option that eliminates the need for the random window
shifting (implemented as a fallback in the next commit).

By setting IP_LOCAL_PORT_RANGE option, we tell the kernel to use better
approach to the source port selection.

For Linux << 6.8:

This implement selecting port by random shifting range leveraging the
IP_LOCAL_PORT_RANGE socket option.  The network manager is initialized
with the ephemeral port range (on startup and on reconfig) and then for
every outgoing TCP connection, we define a custom port range (1000
ports) and then randomly shift the custom range within the system range.

This helps the kernel to reduce the search space to the custom window
between <random_offset, random_offset + 1000>.

Reference:
https://blog.cloudflare.com/linux-transport-protocol-port-selection-performance/#kernel
(cherry picked from commit 04c81b55d2)
2026-02-20 17:02:45 +01:00
Aram Sargsyan
ee6e7e6d00 Lock the catalog zone when reconfiguring it
A catalog zone is updated in an offloaded thread, which is not
stopped during a reconfiguration in an exclusive mode, and so
can cause a race condition with it.

Waiting for the offloaded threads to complete their work before
entering into the exclusive mode can potentially cause unwanted
delays, because offloaded threads are generally "allowed" to take
a longer amount of time before they complete.

Add a dns_catz_zone_prereconfig()/dns_catz_zone_postreconfig() pair
of functions which currently just lock the catalog zone when
reconfiguring it. The change should eliminate the race.

As a side note, there was already a similar pair of functions,
dns_catz_prereconfig() and dns_catz_postreconfig() which are called
before and after reconfiguring a 'dns_catz_zones_t' object.

Below are the stack traces of the reconfiguration thread which has
asserted, and a catalog zone update thread which was caught in the
middle of its work despite the fact that the exclusive mode is
turned on.

                Stack trace of thread 23859:
                #0  0x00007f80e7b8e52f raise (libc.so.6)
                #1  0x00007f80e7b61e65 abort (libc.so.6)
                #2  0x0000000000422558 assertion_failed (named)
                #3  0x00007f80eaa6799e isc_assertion_failed (libisc-9.18.41.so)
                #4  0x00007f80ea5bc788 dns_catz_entry_getname (libdns-9.18.41.so)
                #5  0x000000000042ce0e catz_reconfigure (named)
                #6  0x000000000042d3c5 configure_catz_zone (named)
                #7  0x000000000042d7a4 configure_catz (named)
                #8  0x0000000000430645 configure_view (named)
                #9  0x000000000043d998 load_configuration (named)
                #10 0x000000000044184f loadconfig (named)
                #11 0x0000000000442525 named_server_reconfigcommand (named)
                #12 0x000000000041b277 named_control_docommand (named)
                #13 0x000000000041c74a control_command (named)
                #14 0x00007f80eaa912ae task_run (libisc-9.18.41.so)
                #15 0x00007f80eaa914cd isc_task_run (libisc-9.18.41.so)
                #16 0x00007f80eaa46435 isc__nm_async_task (libisc-9.18.41.so)
                #17 0x00007f80eaa467aa process_netievent (libisc-9.18.41.so)
                #18 0x00007f80eaa475a6 process_queue (libisc-9.18.41.so)
                #19 0x00007f80eaa46227 process_all_queues (libisc-9.18.41.so)
                #20 0x00007f80eaa462a1 async_cb (libisc-9.18.41.so)
                #21 0x00007f80e8d01893 uv__async_io.part.3 (libuv.so.1)
                #22 0x00007f80e8d13ac4 uv__io_poll (libuv.so.1)
                #23 0x00007f80e8d023fb uv_run (libuv.so.1)
                #24 0x00007f80eaa45ced nm_thread (libisc-9.18.41.so)
                #25 0x00007f80eaa9bda3 isc__trampoline_run (libisc-9.18.41.so)
                #26 0x00007f80e7f1e1ca start_thread (libpthread.so.0)
                #27 0x00007f80e7b798d3 __clone (libc.so.6)
    ...
    ...
                Stack trace of thread 23912:
                #0  0x00007f80ea5bc2da dns_catz_options_setdefault (libdns-9.18.41.so)
                #1  0x00007f80ea5bd411 dns__catz_zones_merge (libdns-9.18.41.so)
                #2  0x00007f80ea5c3c2f dns__catz_update_cb (libdns-9.18.41.so)
                #3  0x00007f80eaa4fee9 isc__nm_work_run (libisc-9.18.41.so)
                #4  0x00007f80eaa9bda3 isc__trampoline_run (libisc-9.18.41.so)
                #5  0x00007f80eaa4ff48 isc__nm_work_cb (libisc-9.18.41.so)
                #6  0x00007f80e8cfc75e worker (libuv.so.1)
                #7  0x00007f80e7f1e1ca start_thread (libpthread.so.0)
                #8  0x00007f80e7b798d3 __clone (libc.so.6)

(cherry picked from commit aed9cafd5c)
2025-12-17 17:48:28 +00:00
Aram Sargsyan
62a5ac9cbe Fix the charts in the statistics channel
The statistics channel's HTML presentation has charts, but it has
a couple of problems.

1. Because of an inconsistent condition, a chart's JS code might have
   been executed, while the HTML markup wasn't present, and this is
   causing a JS error.
2. The feature is turned off on Mozilla-based browsers.

Fix the inconsistency in conditions, remove the conditional rendering
which disabled the feature for Mozilla-based browsers by looking at
the XSLT processor's name, and fix indentation inconsistencies.

(cherry picked from commit 3a3013a8b1)
2025-12-10 17:33:59 +00:00
Mark Andrews
89d4d90244 log failing buffer
(cherry picked from commit 066847af25)
2025-12-09 11:12:24 +00:00
Evan Hunt
25c9fb54da standardize CHECK and RETERR macros
previously, there were over 40 separate definitions of CHECK macros, of
which most used "goto cleanup", and the rest "goto failure" or "goto
out". there were another 10 definitions of RETERR, of which most were
identical to CHECK, but some simply returned a result code instead of
jumping to a cleanup label.

this has now been standardized throughout the code base: RETERR is for
returning an error code in the case of an error, and CHECK is for jumping
to a cleanup tag, which is now always called "cleanup". both macros are
defined in isc/util.h.

(cherry picked from commit 52bba5cc34)
2025-12-03 19:17:20 -08:00
Colin Vidal
628a295f3e fix unitiailized pointer check on getipandkeylist
Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.

(cherry picked from commit 954503b9f5)
2025-11-28 15:38:18 +01:00
Colin Vidal
9e8994d853 check validity of key and tls in a server-list
If a `key` or `tls` is associated to an IP address inside a server-list,
only the `tls` existence in the configuration was checked. Also, if
`key` or `tls` is associated to a named server-list inside a
server-list, there was no check at all.

Add the check for making sure a `key` is defined in the configuration,
as well as the check for `key` and `tls` when used on a named
server-list.

(cherry picked from commit 2956e4fc45)
2025-11-28 15:15:46 +01:00
Colin Vidal
f2b46d8a6a refactoring of named_config_getipandkeylist
Function `named_config_getipandkeylist()` processes the nested lists by
overriding the current local variable of the function, jumping back to
the beginning of the list processing. Of course, in order to go back to
the previous state and process the remaining items of the current list,
a "stack" array is used in order to put and get back the next list
element and associated values.

This makes the logic quite complex and error prone. Instead, this commit
changes the logic by recursing into the nested list (while sharing a
state between all the invocations). The processing is fundamentally
identical, but instead of "manually" handling the stack to go back to
the previous state (and process remaining elements of the current list),
takes advantage of recursion.

(cherry picked from commit ccb82ea85d)
2025-11-28 15:15:46 +01:00
Colin Vidal
5d64b3a440 minimal fix for missing key/tls in named remote-servers
The following case

   remote-servers foo { 10.53.0.5; };
   remote-servers bar { foo key fookey; };

did not work: the `fookey` was silently ignored. No matter how `bar` was
used, the server `10.53.0.5` wouldn't be contacted using the TSIG key
`fookey`. The problem is the same the for `tls` property.

The reason of the problem was that when `named_config_getipandkeylist()`
reached a named server-list (here, `foo`), it modified the current
context in order to immediately process what is inside `foo`, but forgot
to look at the fields `key` and `tls`, to associate those with `foo`
addresses.

Fix the problem by wrapping the `key` and `tls` from the "caller" list
inside the existing `lists` struct which is used to figure out if a
list is already processed or not. That way, the `key` and `tls` values
can be read when adding the addresses of the nested list.

(cherry picked from commit e732a8d25a)
2025-11-28 15:15:46 +01:00
Ondřej Surý
5cd69a3dcf
Detect resolution loops between fetches
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.

(cherry picked from commit 4d307ac67a)
2025-11-28 09:32:53 +01:00
Evan Hunt
086024fa21 set cfgmaps correctly
a typo in MR !11165 caused cfgmaps to be set with only the top-level
configuration, not the view configuration.

(cherry picked from commit 0bf2df7316)
2025-10-29 13:28:15 -07:00
Evan Hunt
a107d77b33 fix "response-padding" configuration and remove optionmaps
Add a default "response-padding" option in the global defaults,
to disable the option, and simplify the configuration code so that
looks at the global defaults if the option is not set in named.conf.

This enables us to remove the 'optionmaps' variable in configure_view(),
which was used for options that only look in named.conf.

(cherry picked from commit cf409e814f)
2025-10-29 11:31:38 -07:00
Evan Hunt
0b39889b47 simplify "dnssec-validation" configuration
In the past, "dnssec-validation" was not looked up in the global
defaults unless "dnssec-enable" was true. "dnssec-enable" has been
obsolete for several years, but dnssec-validation was still being
configured in two steps.  This commit removes the vestigial bits of
the old logic.

(cherry picked from commit fffae65e27)
2025-10-29 11:31:22 -07:00
Evan Hunt
5ed3bebbf4 fix a "max-cache-size" configuration bug
"max-cache-size default;" is allowed, according to the documentation
and the parser, but when it's configured, named crashes due to an
INSIST that the only legal string value is "unlimited". this has
been fied.

the configuration has also been simplified. previously, we checked for
max-cache-size in view and options, then determined whether to look in
the global default options based on whether the view had recursion set.
the default value set there was only applicable to views with recursion.
now, the default is an explicit "default", which affects views with
and without recursion in different ways.

the cfg type for "max-cache-size" has been changed from
cfg_type_sizeorpercent to cfg_type_maxcachesize.

(cherry picked from commit cd921cc7ef)
2025-10-29 11:30:25 -07:00
Matthijs Mekking
079898cbf6
Implement named-checkconf -k (check keys)
With named-checkconf -k you can check your configuration including
checking the dnssec-policy keys against the configured keystores. If
there is a mismatch in the key files versus the policy, named-checkconf
will fail. This is useful for running before migrating to dnssec-policy.

For logging purposes, introduce a function that writes the identifying
information about a policy key into a string.

Allow a dnssec key to be initialized outside the keymgr code.

Add 'log_errors' to 'cfg_kasp_fromconfig' to avoid duplicate error
logs.

(cherry picked from commit 9fe520ece9)
2025-09-29 15:13:26 +02:00
Colin Vidal
a4c3e6f3dd preserve cache when reload fails
If the server is reloaded, new views are created and preexisting cache
is attached to those _but_ something goes wrong later, the previous
views are restored but the previous cache list is destroyed. This makes
the subsequent reload to drop the existing cache. This fixes it by
avoiding a mutation of the old cache list.

(cherry picked from commit a1703fa35b)
2025-09-18 09:06:31 +02:00
Michał Kępień
cae623fa69
Obsolete the "tkey-domain" statement
The "tkey-domain" statement has effectively been a no-op since commit
bd4576b3ce, which removed the only bit of
code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman).

A subsequent cleanup commit, 885c132f4a,
also missed the opportunity to remove the "tkey-domain" statement
altogether.

Mark the "tkey-domain" statement as obsolete and remove all code and
documentation related to it.

(cherry picked from commit 805f1c0f65)
2025-09-01 22:34:08 +02:00
Aram Sargsyan
9f2b474201 Fix a bug in configure_catz_zone()
When dns_catz_zone_add() returns ISC_R_EXISTS and there is no
'default-primaries' or 'default-masters', the ISC_R_EXISTS result
code doesn't get reset to ISC_R_SUCCESS, and the function returns
ISC_R_EXISTS instead of ISC_R_SUCCESS. Which means that the zone
is successfully added, but the caller assumes that the function has
failed.

Reset 'result' to ISC_R_SUCCESS when dns_catz_zone_add() returns
ISC_R_EXISTS (it's not an error condition).

Refactor the code go call dns_catz_zone_add() when all other error
conditions are already checked.

(cherry picked from commit db36ae47d2)
2025-08-27 16:45:21 +00:00
Aram Sargsyan
07d93f176d Add INSISTs in configure_rpz()
The 'scan-build' job in the CI reports a false positive:

                            /*
    2705                     * We are reusing the old rpzs, so it can no longer be its
    2704                     * first time.
    2707                     */
    2708                    pview->rpzs->first_time = false;
    >> Access to field 'first_time' results in a dereference of a null pointer (loaded from field 'rpzs')

Add INSISTs to silence the report.
2025-08-27 10:00:45 +00:00
Aram Sargsyan
1dd4f95d1e 'servfail-until-ready yes' has no effect with DNSRPS
When a DNS Response Policy Service (DNSRPS) interface is used, the
'servfail-until-ready yes' option is ignored, because RPZ zones are
not processed by BIND.
2025-08-27 10:00:45 +00:00