Related to #4606
Backport of MR !10941
Merge branch 'backport-4606-document-rndc-dnssec-step-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10943
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
Backport of MR !10904
Merge branch 'backport-aram/rpz-servfail-until-ready-tunings-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10940
Since the log level has been raised, busy servers can "explode" from
the amount of log messages. Use the usual practice of logging "every
once in a while".
(cherry picked from commit 1962857ac4)
The "RPZ not ready yet" message is logged at debug 3 level. Use the
info level instead for better visibility.
After raising the log level, the rpz_log_fail_helper() function starts
appending " failed: " the the message. Change the log message so it
makes more sense.
(cherry picked from commit 49356ce944)
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
(cherry picked from commit d9b5f6c502)
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
Closes#5485
Backport of MR !10909
Merge branch 'backport-ondrej/clarify-rrset-order-random-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10935
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
(cherry picked from commit 369c8dc388)
Closes#5444
Backport of MR !10795
Merge branch 'backport-5444-add-hhit-and-brid-records-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10932
When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes#5491
Backport of MR !10890
Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10930
Do not insert a NUL into ip_str too early as the full value
is needed later. Only insert the NUL immediately before
displaying just the prefix string.
(cherry picked from commit 283da99f02)
Waiting for "keymgr: done" logs caused some manual-mode tests to fail intermittently. Waiting for "rekey done" logs should be more reliable.
Closes#5493
Backport of MR !10923
Merge branch 'backport-5493-algoroll-csk-step3-manual-unstable-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10929
Waiting for "keymgr: done" logs caused some manual-mode tests to fail
intermittently. Waiting for "rekey done" logs should be more reliable.
(cherry picked from commit 4141ae1275)
Add a test to check serve-stale with the 'stale-answer-client-timeout 0'
configuration option and with a delegation which is a CNAME to a auth
zone.
Closes#5372
Backport of MR !10920
Merge branch 'backport-5372-serve-stale-crash-on-insist-unreachable-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10927
Add a test to check serve-stale with the 'stale-answer-client-timeout 0'
configuration option and with a delegation which is a CNAME to a auth
zone.
(cherry picked from commit 04ed44e7d7)
Mark the ``tkey-domain`` statement as obsolete, since it has not had any
effect on server behavior since support for TKEY Mode 2 (Diffie-Hellman)
was removed (in BIND 9.20.0).
See #4204
Backport of MR !10798
Merge branch 'backport-4204-obsolete-tkey-domain-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10926
The "tkey-domain" statement has effectively been a no-op since commit
bd4576b3ce, which removed the only bit of
code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman).
A subsequent cleanup commit, 885c132f4a,
also missed the opportunity to remove the "tkey-domain" statement
altogether.
Mark the "tkey-domain" statement as obsolete and remove all code and
documentation related to it.
(cherry picked from commit 805f1c0f65)
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Backport of MR !10782
Merge branch 'backport-4204-deprecate-tkey-gssapi-credential-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10924
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
(cherry picked from commit 6de435c528)
Clang 20 was spuriously warning about the possibility of passing a NULL file pointer
to `fprintf()`, which uses the 'nonnull' attribute. To silence the warning, the functions
calling `fprintf()` have been marked with the same attribute to assure that NULL can't be
passed to them in the first place.
Close#5487
Backport of MR !10888
Merge branch 'backport-5487-mark-passed-file-pointer-as-nonnull-in-dnssec-signzone-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10913
Clang 20 is complaining about passing NULL to an argument with 'nonnull'
attribute. Mark these two functions with the same attribute to assure
that these two function also don't accept NULL as an argument.
(cherry picked from commit 9e350c1774)
libuv expect file descriptors <= STDERR_FILENO are in use. otherwise,
it may abort when closing a file descriptor it opened.
Closes#5226
Backport of MR !10582
Merge branch 'backport-main-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10908
Testing all combinations seems unnecessary but is cheap.
I was too lazy to run this against all tools we have. nsupdate was
chosen because it is one of few tools which actually use stdin and the
original issue was reproducible even without any network communication,
which was not the case for simple dig invocation.
Sorry for new shell test but doing this in Python seemed very
complicated and fragile.
(cherry picked from commit e415c5c996)
libuv expects file descriptors <= STDERR_FILENO are in use. otherwise,
it may abort when closing a file descriptor it opened.
See https://github.com/libuv/libuv/pull/4559Closes#5226
(cherry picked from commit 5cfdbeba72)
A catalog zone with an unset ``default-primaries`` clause could cause
an unexpected termination of the :iscman:`named` process after two
reloading or reconfiguration commands. This has been fixed.
Closes#5494
Backport of MR !10896
Merge branch 'backport-5494-catz-crash-with-unset-default-primaries-and-double-reconfig-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10905
And unset 'default-primaries' is causing an assertion failure after
two reload/reconfig commands. Add such a catalog zone to check the fix.
(cherry picked from commit 40d040b7d5)
When dns_catz_zone_add() returns ISC_R_EXISTS and there is no
'default-primaries' or 'default-masters', the ISC_R_EXISTS result
code doesn't get reset to ISC_R_SUCCESS, and the function returns
ISC_R_EXISTS instead of ISC_R_SUCCESS. Which means that the zone
is successfully added, but the caller assumes that the function has
failed.
Reset 'result' to ISC_R_SUCCESS when dns_catz_zone_add() returns
ISC_R_EXISTS (it's not an error condition).
Refactor the code go call dns_catz_zone_add() when all other error
conditions are already checked.
(cherry picked from commit db36ae47d2)
Clarify that forwarding points to a resolver and stub to auths.
Add cross-links. Rewrite stub zone type description.
(cherry picked from commit e84b98a9fc)
By default, when :iscman:`named` is started it may start answering to
queries before the response policy zones are completely loaded
and processed. This new feature gives an option to the users to
tell :iscman:`named` that incoming requests should result in SERVFAIL answer
until all the response policy zones are processed and ready. Note that if
one or more response policy zones fail to load, :iscman:`named` starts
responding to queries according to those zones that did load.
Note, that enabling this option has no effect when a DNS Response Policy
Service (DNSRPS) interface is used.
Closes#5222
Backport of MR !10839
Merge branch 'backport-5222-stop-sending-responses-until-rpz-is-ready-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10889
The 'scan-build' job in the CI reports a false positive:
/*
2705 * We are reusing the old rpzs, so it can no longer be its
2704 * first time.
2707 */
2708 pview->rpzs->first_time = false;
>> Access to field 'first_time' results in a dereference of a null pointer (loaded from field 'rpzs')
Add INSISTs to silence the report.
When a DNS Response Policy Service (DNSRPS) interface is used, the
'servfail-until-ready yes' option is ignored, because RPZ zones are
not processed by BIND.
The complier claims that 'qresult_type' may be used uninitialized,
though all the cases inside the switch either set the variable
or return from the function, and the warning is generated on a line
after the switch-case block.
Slightly modify the code to set a default value for the variable when
declaring it.
In function 'rpz_rewrite',
inlined from 'query_checkrpz' at query.c:7288:12,
inlined from 'query_gotanswer' at query.c:7724:12:
query.c:4693:14: error: 'qresult_type' may be used uninitialized [-Werror=maybe-uninitialized]
4693 | !dnsrps_set_p(&emsg, client, st, qtype, &rdataset,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4694 | qresult_type != qresult_type_recurse))
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
query.c: In function 'query_gotanswer':
query.c:4268:24: note: 'qresult_type' was declared here
4268 | qresult_type_t qresult_type;
| ^~~~~~~~~~~~
cc1: all warnings being treated as errors
Test whether 'servfail-until-ready yes' works by enabling slow
RPZ loading with a USDT probe activation, and checking that named
returns SERVFAIL during the initial RPZ zones processing stage.
The test requires SystemTap (stap, dtrace) to activate the USDT
probe.
(cherry picked from commit 924230f05a)
By default, when named is started it may start answering to
queries before the response policy zones are completely loaded
and processed. This new feature gives an option to the users to
tell named that incoming requests should result in SERVFAIL anwser
until all the response policy zones are procesed and ready.
(cherry picked from commit 41387b8d30)
During the initial configuration of named after startup, 'first_time'
is true. This is needed for implementing the new 'servfail-until-ready'
configuration option, which should take into effect only during the
initial configuration.
(cherry picked from commit 88ed81e12d)
Add a new option ``manual-mode`` to :any:`dnssec-policy`. The intended use is that if it is enabled, it will not automatically move to the
next state transition, but instead the transition is logged. Only after manual confirmation with ``rndc dnssec -step`` the transition is made.
Closes#4606
Backport of MR !10774
Merge branch 'backport-4606-dnssec-policy-dry-run-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10880
If we hit an error when issuing an 'rndc dnssec -step' command, and the
keymgr runs again at a later scheduled time, we don't want to enforce
transitions.
(cherry picked from commit e4529b6308)
Similar to previous commit.
Parametrize each test case and in case of manual-mode, execute
additional checks. First a keymgr run should not change the existing
key state (with exceptions of timing events such as moving from
RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate
messages must be logged.
After enforcing the next step with 'rndc dnssec -step', the key state
should be the same as if the step were to be taken automatically.
(cherry picked from commit 1df76e2c24)