When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.
So, the files were regenerated on a FIPS compliant system using the
following stanza:
```
$ openssl dhparam -out <file> 3072
```
Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the [changelog](https://openssl-library.org/news/openssl-3.1-notes/).
Closes#5074.
Backport of MR !9807
Merge branch 'backport-5074-fips-compatible-dhparams-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9868
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.
So, the files were regenerated on a FIPS compliant system using the
following stanza:
$ openssl dhparam -out <file> 3072
Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:
https://openssl-library.org/news/openssl-3.1-notes/
(cherry picked from commit 384c92880e)
Commit af7db89513 as part of #4141 was supposed to apply the 'max-recursion-queries' quota to validator queries, but the counter was never actually passed on to 'dns_resolver_createfetch()'. This has been fixed, and the global query counter ('max-query-count', per client request) is now also added.
Related to #4980
Backport of MR !9856
Merge branch 'backport-4980-pass-counters-in-validator-createfetch-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9866
Commit af7db89513 as part of #4141 was
supposed to apply the 'max-recursion-queries' quota to validator
queries, but the counter was never actually passed on to
dns_resolver_createfetch(). This has been fixed, and the global query
counter ('max-query-count', per client request) is now also added.
(cherry picked from commit 5b1ae4a948)
Upstream code doesn't do regular releases, so we need to regularly
sync the code from the upstream repository. This is synchronization up
to the commit f8d0513 from Jan 29, 2024.
(cherry picked from commit d14a76e115)
Closes#5082
Backport of MR !9859
Merge branch 'backport-5082-lock-and-attach-when-return-zone-stats-revert-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9860
When the `attach-cache` option is used in the `options` block with an arbitrary name, it causes all views to use the same cache. Previously, this configuration caused the cache to be deleted and a new cache created every time the server was reconfigured. This has been fixed.
Closes#5061
Backport of MR !9787
Merge branch 'backport-5061-attach-cache-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9862
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.
in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.
(cherry picked from commit f3af8a7dc3)
Related to #4980
Backport of MR !9850
Merge branch 'backport-4980-remove-unused-maxqueryqount-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9853
While implementing the global limit 'max-query-count', initially I
thought adding the variable to the resolver structure. But the limit
is per client request so it was moved to the view structure (and
counter in ns_query structure). However, I forgot to remove the
variable from the resolver structure again. This commit fixes that.
(cherry picked from commit 397ca34e34)
To mitigate DNS flood attacks over a single TCP connection, we throttle the connection when the other side does not read the data. Throttling should only occur on server-side sockets, but erroneously also happened for nsupdate, which acts as a client. When nsupdate started throttling the connection, it never attempts to read again. This has been fixed.
Closes#4910
Backport of MR !9709
Merge branch 'backport-4910-nsupdate-hangs-when-processing-large-update-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9834
The root cause is the fix for CVE-2024-0760 (part 3), which resets
the TCP connection on a failed send. Specifically commit
4b7c61381f stops reading on the socket
because the TCP connection is throttling.
When the tcpdns_send_cb callback thinks about restarting reading
on the socket, this fails because the socket is a client socket.
And nsupdate is a client and is using the same netmgr code.
This commit removes the requirement that the socket must be a server
socket, allowing reading on the socket again after being throttled.
(cherry picked from commit aa24b77d8b)
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.
(cherry picked from commit 1a5683b638)
The configuration option 'max-query-count' sets how many outgoing queries per client request is allowed. The existing 'max-recursion-queries' is the number of permissible queries for a single name and is reset on every CNAME redirection. This new option is a global limit on the client request. The default is 200.
This allows us to send a bit more queries while looking up a single name. The default for 'max-recursion-queries' is changed from 32 to 50.
Closes#4980Closes#4921
Backport of MR !9737
Merge branch 'backport-4980-global-limit-outgoing-queries-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9832
Changing the default for max-recursion-queries from 100 to 32 was too
strict in some cases, especially lookups in reverse IPv6 trees started
to fail more frequently. From issue #4921 it looks like 50 is a better
default.
Now that we have 'max-query-count' as a global limit of outgoing queries
per client request, we can increase the default for
'max-recursion-queries' again, as the number of recursive queries is
no longer bound by the multiple of 'max-recursion-queries' and
'max-query-restarts'.
(cherry picked from commit 84df920d9e)
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.
(cherry picked from commit 73eafaba14)
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.
(cherry picked from commit bbc16cc8e6)
When returning zone statistics counters, the statistics sets are now attached while the zone is locked. This addresses Coverity warnings CID 468720, 468728 and 468729.
Closes#4934
Backport of MR !9488
Merge branch 'backport-4934-lock-and-attach-when-return-zone-stats-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9843
In dns_zone_getdnssecsignstats, dns_zone_getrcvquerystats and
dns_zone_getrequeststats attach to the statistics structure.
(cherry picked from commit fb50a71159)
Commit 4b3d0c6600 has removed them, but
did not remove few traces in documentation and help. Remove them from
remaining places.
Backport of MR !9606
Merge branch 'backport-main-memory-flags-size-mctx-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9842
Commit 4b3d0c6600 has removed them, but
did not remove few traces in documentation and help. Remove them from
remaining places.
(cherry picked from commit 65b9eeb39a)
`dnssec-signzone` was using revoked keys for signing RRsets other than DNSKEY. This has been corrected.
Closes#5070
Backport of MR !9800
Merge branch 'backport-5070-dnssec-signzone-fix-revoke-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9840
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.
Backport of MR !9815
Merge branch 'backport-mnowak/mkeys-add-ns2-managed1-conf-to-extra-artifacts-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9824
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.
(cherry picked from commit e7d973bd00)
When the resolver is trying to query an authority server and eventually timed out, a SERVFAIL answer is given to the client. Add the Extended DNS Error Code 22 - No Reachable Authority to the response.
Closes#2268
Backport of MR !9743
Merge branch 'backport-2268/ede-no-reachable-authority-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!9814
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.
(cherry picked from commit d13e94b930)
Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)