A catalog zone is updated in an offloaded thread, which is not
stopped during a reconfiguration in an exclusive mode, and so
can cause a race condition with it.
Waiting for the offloaded threads to complete their work before
entering into the exclusive mode can potentially cause unwanted
delays, because offloaded threads are generally "allowed" to take
a longer amount of time before they complete.
Add a dns_catz_zone_prereconfig()/dns_catz_zone_postreconfig() pair
of functions which currently just lock the catalog zone when
reconfiguring it. The change should eliminate the race.
As a side note, there was already a similar pair of functions,
dns_catz_prereconfig() and dns_catz_postreconfig() which are called
before and after reconfiguring a 'dns_catz_zones_t' object.
Below are the stack traces of the reconfiguration thread which has
asserted, and a catalog zone update thread which was caught in the
middle of its work despite the fact that the exclusive mode is
turned on.
Stack trace of thread 23859:
#0 0x00007f80e7b8e52f raise (libc.so.6)
#1 0x00007f80e7b61e65 abort (libc.so.6)
#2 0x0000000000422558 assertion_failed (named)
#3 0x00007f80eaa6799e isc_assertion_failed (libisc-9.18.41.so)
#4 0x00007f80ea5bc788 dns_catz_entry_getname (libdns-9.18.41.so)
#5 0x000000000042ce0e catz_reconfigure (named)
#6 0x000000000042d3c5 configure_catz_zone (named)
#7 0x000000000042d7a4 configure_catz (named)
#8 0x0000000000430645 configure_view (named)
#9 0x000000000043d998 load_configuration (named)
#10 0x000000000044184f loadconfig (named)
#11 0x0000000000442525 named_server_reconfigcommand (named)
#12 0x000000000041b277 named_control_docommand (named)
#13 0x000000000041c74a control_command (named)
#14 0x00007f80eaa912ae task_run (libisc-9.18.41.so)
#15 0x00007f80eaa914cd isc_task_run (libisc-9.18.41.so)
#16 0x00007f80eaa46435 isc__nm_async_task (libisc-9.18.41.so)
#17 0x00007f80eaa467aa process_netievent (libisc-9.18.41.so)
#18 0x00007f80eaa475a6 process_queue (libisc-9.18.41.so)
#19 0x00007f80eaa46227 process_all_queues (libisc-9.18.41.so)
#20 0x00007f80eaa462a1 async_cb (libisc-9.18.41.so)
#21 0x00007f80e8d01893 uv__async_io.part.3 (libuv.so.1)
#22 0x00007f80e8d13ac4 uv__io_poll (libuv.so.1)
#23 0x00007f80e8d023fb uv_run (libuv.so.1)
#24 0x00007f80eaa45ced nm_thread (libisc-9.18.41.so)
#25 0x00007f80eaa9bda3 isc__trampoline_run (libisc-9.18.41.so)
#26 0x00007f80e7f1e1ca start_thread (libpthread.so.0)
#27 0x00007f80e7b798d3 __clone (libc.so.6)
...
...
Stack trace of thread 23912:
#0 0x00007f80ea5bc2da dns_catz_options_setdefault (libdns-9.18.41.so)
#1 0x00007f80ea5bd411 dns__catz_zones_merge (libdns-9.18.41.so)
#2 0x00007f80ea5c3c2f dns__catz_update_cb (libdns-9.18.41.so)
#3 0x00007f80eaa4fee9 isc__nm_work_run (libisc-9.18.41.so)
#4 0x00007f80eaa9bda3 isc__trampoline_run (libisc-9.18.41.so)
#5 0x00007f80eaa4ff48 isc__nm_work_cb (libisc-9.18.41.so)
#6 0x00007f80e8cfc75e worker (libuv.so.1)
#7 0x00007f80e7f1e1ca start_thread (libpthread.so.0)
#8 0x00007f80e7b798d3 __clone (libc.so.6)
Manually go through the code using dns_rdataset_isassociated() and
use dns_rdataset_cleanup() where appropriate in places that a simple
semantic patch is not able to find automatically.
We had a common pattern in the code that looks like this:
if (dns_rdataset_isassociated(rdataset)) {
dns_rdataset_disassociate(rdataset);
}
add a helper macro that checks for rdataset != NULL and the above
called dns_rdataset_cleanup(rdataset).
Add a tag pipeline CI job to update the stable tag after a release.
Merge branch 'andoni/add-ci-job-to-update-stable-tag-in-a-release' into 'main'
See merge request isc-projects/bind9!11291
Introduce a CI job to update the "stable" tag with the latest released
stable version tag. This is a manual job that only runs in tag
pipelines in the context of a release.
Extended DNS Error 9 (Missing DNSKEY) is now sent when a validating resolver attempts to validate a response but can't get the DNSKEY from the authoritative server of the zone, while the DS record is present in the parent zone.
See #2715
Merge branch '2715-missingdnskey' into 'main'
See merge request isc-projects/bind9!10296
An existing SERVFAIL cache test is updated as it initially checks there
are no EDE (the first SERVFAIL) then immediately re-does the same query,
(still SERVFAIL), and expect the CACHED_ERROR EDE.
However, the configuration used for this test to generate a SERVFAIL is
a broken DNSSEC configuration, where the DNSKEY is not the expected one
(it's a ZSK instead of a KZK). As a result, the first attempt also now
raise an EDE (MISSING_DNSKEY).
The authoritative server on "missing-dnskey." zone is ns2, the zone is
initially signed normally, but then the DNSKEY are pulled out from the
signed generated zone file. As a consequence, a quering the resolver ns4
returns a SERVFAIL with EDE9 as the chain of trust is broken: the DS is
prsent in the parent zone (the root zone in ns1), but the DNSKEY is
missing from the zone.
A similar is "wrong-dnskey.", but here the zone is signed correctly,
but the DS points to a different DNSKEY. Hence no supported matching
DNSKEY record could be found for the child.
Extended DNS Error 9 (Missing DNSKEY) is now sent when a validating resolver
attempts to validate a response but can't get the DNSKEY from the authoritative
server of the zone, while the DS record is present in the parent zone.
Note the EDE 9 is send as part of the proveunsecure flow, after the
validator successfully fetched the DS of the zone from the parent. So if
the DS is also missing, the EDE 9 won't be sent.
We need this to be able to use pytest 9.0 from Debian "sid".
Additionally, this error needs to be addressed before pytest 9.1 is
released, as the filter will no longer work. Also, all pytests in CI
images need to be upgraded to version 7, where the new API is supported.
Related #5690
Merge branch 'mnowak/ignore-pytest-PytestRemovedIn9Warning' into 'main'
See merge request isc-projects/bind9!11379
We need this to be able to use pytest 9.0 from Debian "sid".
Additionally, this error needs to be addressed before pytest 9.1 is
released, as the filter will no longer work. Also, all pytests in CI
images need to be upgraded to version 7, where the new API is supported.
We can't have the "filterwarnings" section in pytest.ini directly as
only pytest 8.0 knows about it.
Fix the data race between reading source slabheader in `makeslab()`
and the heap (write) operation on the same header in the QPcache.
Closes#5627
Merge branch '5688-prevent-data-race-when-copying-slabheader-and-slabvecs' into 'main'
See merge request isc-projects/bind9!11375
The makeslab function in rdataslab.c contains an optimization for cases
where the source is already an rdataslab. In these cases, it copies the
entire slab using memmove. However, this creates a race condition: while
the target slab is protected by a node lock, the source slab is not
protected. This becomes problematic because the TTL heap needs to
modify the heap index stored in the slab header, potentially while the
memmove operation is reading from it.
A closer look at makeslab shows that copying the header part of the slab
is unnecessary, the header can be default-initialized instead. This MR
modifies makeslab to copy only the raw part of the slab, while
default-initializing the header, eliminating the race condition. For
consistency, it also applies the same change to vecheader/makevec.
The bitset packing of the resign_lsb and heap_index in struct vecheader was causing a race condition, since both bindrdataset and heap operations tried to access the same byte (even though they are accessing different fields).
While heap operations are protected by the node lock of the header being inserted, they aren't protected by the node locks of the headers being displaced, leading to the race condition.
This MR fixes the issue by reverting the struct packing optimization.
Closes#5688
Merge branch '5688-no-heap-index-bitset' into 'main'
See merge request isc-projects/bind9!11378
The bitset packing of the resign_lsb and heap_index in struct vecheader
was causing a race condition, since both bindrdataset and heap
operations tried to access the same byte (even though they are accessing
different fields).
While heap operations are protected by the node lock of the header being
inserted, they aren't protected by the node locks of the headers being
displaced, leading to the race condition.
This commit fixes the issue by reverting the struct packing
optimization.
f.f.f.f.ip6.arpa is a configured zone so refused responses
are not expected.
Closes#5687
Merge branch '5687-synthrecord-test-failed' into 'main'
See merge request isc-projects/bind9!11373
If mandatory glue is present, it should be returned when the query type is ANY.
Merge branch '5659-any-glue-test' into 'main'
See merge request isc-projects/bind9!11367
The charts in the statistics channel could sometimes fail
to render in the browser, and were completely disabled for
Mozilla-based browsers for historical reasons. This has
been fixed.
Merge branch 'aram/stats-channel-charts-fix' into 'main'
See merge request isc-projects/bind9!11018
The statistics channel's HTML presentation has charts, but it has
a couple of problems.
1. Because of an inconsistent condition, a chart's JS code might have
been executed, while the HTML markup wasn't present, and this is
causing a JS error.
2. The feature is turned off on Mozilla-based browsers.
Fix the inconsistency in conditions, remove the conditional rendering
which disabled the feature for Mozilla-based browsers by looking at
the XSLT processor's name, and fix indentation inconsistencies.
It may be useful to know which version (begin serial) is missing when the IXFR version cannot be found.
Closes#5669
Merge branch '5669-xfrout-log-serial' into 'main'
See merge request isc-projects/bind9!11323
BIND 9.20 takes much more time signing a large delegation zone with NSEC3 optout compared to version 9.18. This has been restored.
Closes#5672
Merge branch '5672-nsec3-optout-takes-too-long' into 'main'
See merge request isc-projects/bind9!11354
This is a new seek function for dbiterator that is meant to find an
NSEC3 node in a zone database. The difference with dns_dbiterator_seek
is that if the node does not exist, this seek function will point the
iterator to the next NSEC3 name.
This test signs a large delegation with mostly insecure delegations
with NSEC3 optout. Once the NSEC3PARAM record is published, run
dnssec-verify to ensure the zone is correctly signed.
This MR introduces a specialized rdataset implementation for authoritative workloads, which leads to substantial memory savings in our perflab tests.
Merge branch 'alessio/auth-compact-slabs' into 'main'
See merge request isc-projects/bind9!11269
Add a FOREACH macro modelled around the DNS_RDATASET_FOREACH one, that
uses vecheader directly. Useful when you want to manipulate a vecheader
without binding it to avoid having to take the node lock inside qpzone.c.
Add an implementation of rdataset specialized for authoritative
workloads. For now, it is a copy of rdataslab, with redundant fields
from the header removed.
The `foundname` parameter in `qp.c:dns_qp_lookup` was effectively used only in unit tests, as in every case the name is needed, it can be retrieved directly from the node pointer. It also required an inefficient implementation that extracted the name by converting it into a key and then immediately converting it back.
This MR refactors `qp.c:dns_qp_lookup` not to have a foundname parameter, resulting in a 5% speedup in the handling of NXDOMAIN responses in perflab.
Merge branch 'alessio/qp-no-foundname' into 'main'
See merge request isc-projects/bind9!11339
The removal of the foundname and name parameters from various qp.c
functions led to formatting issues. Restore the correct formatting via
clang-format.
Outside of unit tests, the name parameter in dns_qpiter_<...> and
dns_qpchain_<...> is only used in context where the name can be
extracted directly from the underlying node.
This commits modifies the signatures of dns_qpiter_<...> and
dns_qpchain_<...> not to have a name parameter. Where the name parameter
was needed, we now query the node and copy the name directly from it.
This allows us to remove maybe_set_name from qp.c. Besides simplifying
the API, this leads to a performance speedup for NXDOMAIN handling,
as we avoid calling maybe_set_name inside step, and maybe_set_name is
very inefficient.
A copy of the implementation maybe_set_name is retained for the unit
tests.
The `foundname` parameter in dns_qp_lookup is used only in the unit
tests. This commit simplifies the API by removing it, and modifying the
unit tests to extract the name from pval.
When `dns_name_totext()` is called with a dynamically allocated
target buffer which is too small for the name, it will now resize
the buffer instead of returning `ISC_R_NOSPACE`.
Merge branch 'each-name-totext-resize' into 'main'
See merge request isc-projects/bind9!11289
When dns_name_totext() is called with a dynamically allocated
target buffer which is too small for the name, it will resize
the buffer instead of returning ISC_R_NOSPACE.
This adds more information about the active fetches for debugging and diagnostic purposes.
Merge branch 'ondrej/provide-more-information-in-dns_resolver_dumpfetches' into 'main'
See merge request isc-projects/bind9!11305
It is possible to have a fetch that is active, but it has been cloned,
so it won't be used when found in the hash table. The fetch options
also prevent matching in the hash table, so add a hexadecimal dump of
the fctx->options to the output.
