The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records. It will make sure the keys are
active and available. However, for operational practices keys may
be offline. This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.
(cherry picked from commit 3cb8c49c73)
(cherry picked from commit b508cffeee3bfb8bc7dcf39db59ec3782a5d9e4c)
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.
(cherry picked from commit 36f30f5731)
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.
(cherry picked from commit 51a55ddbb7)
This changes dns_dtdata struct to not expose data types from dnstap.pb-c.h to
prevent the need for including this header where not really needed.
(cherry picked from commit 8ccce7e24b)
Change to cmocka broken initialization of TZ environment. This time,
commit 1cf1254051 is not soon enough. Has
to be moved more forward, before any other tests. It library is not full
reinitialized on each test.
(cherry picked from commit 71c4fad592)
When sending an udp query (resquery_send) we first issue an asynchronous
isc_socket_connect and increment query->connects, then isc_socket_sendto2
and increment query->sends.
If we happen to cancel this query (fctx_cancelquery) we need to cancel
all operations we might have issued on this socket. If we are under very high
load the callback from isc_socket_connect (resquery_udpconnected) might have
not yet been fired. In this case we only cancel the CONNECT event on socket,
and ignore the SEND that's waiting there (as there is an `else if`).
Then we call dns_dispatch_removeresponse which kills the dispatcher socket
and calls isc_socket_close - but if system is under very high load, the send
we issued earlier might still not be complete - which triggers an assertion
because we're trying to close a socket that's still in use.
The fix is to always check if we have incomplete sends on the socket and cancel
them if we do.
(cherry picked from commit 56183a3917)
Make delv honor the operating system's preferred ephemeral port range
instead of always using the default 1024-65535 range for outgoing
messages.
(cherry picked from commit ada6846a10)
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.
Use dns_dsdigest_t in library function arguments.
(cherry picked from commit 0f219714e1)
If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.
(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created. Doing so
nevertheless will result in an assertion failure.
This can happen if the key uses an unsupported algorithm.
(cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
- there was a memory leak when using negotiated TSIG keys.
- TKEY responses could only be signed when using a newly negotiated
key; if an existent matching TSIG was found in in the keyring it
would not be used.
(cherry picked from commit 73ba24fb36)
up until now, message->tsigkey could only be set during parsing
of the request, but gss-tsig allows one to be created afterward.
(cherry picked from commit 879fc0285e)
