Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.
If a `key` or `tls` is associated to an IP address inside a server-list,
only the `tls` existence in the configuration was checked. Also, if
`key` or `tls` is associated to a named server-list inside a
server-list, there was no check at all.
Add the check for making sure a `key` is defined in the configuration,
as well as the check for `key` and `tls` when used on a named
server-list.
Function `named_config_getipandkeylist()` processes the nested lists by
overriding the current local variable of the function, jumping back to
the beginning of the list processing. Of course, in order to go back to
the previous state and process the remaining items of the current list,
a "stack" array is used in order to put and get back the next list
element and associated values.
This makes the logic quite complex and error prone. Instead, this commit
changes the logic by recursing into the nested list (while sharing a
state between all the invocations). The processing is fundamentally
identical, but instead of "manually" handling the stack to go back to
the previous state (and process remaining elements of the current list),
takes advantage of recursion.
The following case
remote-servers foo { 10.53.0.5; };
remote-servers bar { foo key fookey; };
did not work: the `fookey` was silently ignored. No matter how `bar` was
used, the server `10.53.0.5` wouldn't be contacted using the TSIG key
`fookey`. The problem is the same the for `tls` property.
The reason of the problem was that when `named_config_getipandkeylist()`
reached a named server-list (here, `foo`), it modified the current
context in order to immediately process what is inside `foo`, but forgot
to look at the fields `key` and `tls`, to associate those with `foo`
addresses.
Fix the problem by wrapping the `key` and `tls` from the "caller" list
inside the existing `lists` struct which is used to figure out if a
list is already processed or not. That way, the `key` and `tls` values
can be read when adding the addresses of the nested list.
Even though `remote-servers` now allows using named server-list with `key`
(or `tls`), the `key` or `tls` is not used, in the context of a named
server-list, when configuring the server.
For instance,
remote-servers foo { 10.53.0.5; };
also-notify { foo key fookey; };
won't use `fookey`.
Add a system test highlighting the problem.
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.
In !9155, the QNAME minimization was changed to not leak the query type
to the parent name server. This violates RFC 9156 Section 3, step (3)
and it is not necessary. It also breaks some (weird) authoritative DNS
setups, especially when CNAMEs are involved. Also there is really no
privacy leak with query type.
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
neccessary parsing is done by dnspython.
If the primary has been updated, but the secondary has not been
notified, the journal will go out of date. An 'rndc retransfer' causes
the zone to force an AXFR, removing and rebuilding zone and journal
files.
This test reproduces a bug that in such scenario, an NSEC3 signed zone
falls back to NSEC.
The "no root hints for view X" message must not be shown for the default
_bind/CH view. However, it is shown since 27c4f68dcc (part of effective
configuration changes).
The reason is that since 27c4f68dcc, `configure_views()` now processes
a single list of views, which contains both builtin and user views as
they are both part of the effective configuration. Those changes omitted
the `need_hints` bool that disabled the warning for the builtin view.
This commit silences the log message again.
now that the EDNS state is stored within dns_message_t, it's no longer
necessary to have a public API call to build an opt rdataset; we can
just have dns_message_setopt() build the opt record internally.
The new dns_message_ednsinit() and dns_message_ednsaddopt() functions
allow EDNS options to be added to a message one at a time; it is no
longer necessary to construct a full array of EDNS options and set
them all at once.
This allows us to simplify EDNS option handling code, and in the
future it wlil allow plugins to add EDNS options to existing
messages.
To check if the key managing for a zone is done, we check a log message.
On some machines, with many zones this may take some time.
Increate the timeout to a minute. Note that most zones will continue
their test case much faster, but with many zones there may be some
straggling.
When all zones are configured, regardless of whether the test module
actually uses them, it makes debugging the logs needlessly more
complicated, as there is a bunch of stuff going on that is completely
unrelated to the test.
Define a list of tested zones in each test module and only render the
named.conf with those zones defined.
This converts two test cases:
1. A zone that previously failed to load is now fixed. Make sure the
zone is signed correctly with the right NSEC3 parameters.
2. Test case to ensure the salt is the same after a restart, i.e. no
re-salting takes place. Previously we only tested with salt length
0, this commit adds a test case for salt length 8 as well.
This converts the nsec3 system test cases after to reconfiguring the
name server.
Two extra test for nsec3-change.kasp is updated. It depends on the
zone being updated, and a reconfig. This test code is moved to
tests_nsec3_reconfig.py.
Furthermore, an additional 'rndc signing -nsec3param' error test
case has been added.
Change the named.conf templating to make use of jinja template
rendering. The ns2 server is trivial. The ns3 server configuration
structure has changed:
The common configuration is moved out of named-fips.conf.
The main named.conf file is in named.conf.j2. It always includes the
common part, named-common.conf.j2, and the FIPS part,
named-fips.conf.j2.
The named-fips.conf.j2 and named-rsasha1.conf.j2 templates are
rendered differently depending on the reconfiged status. Mainly the
dnssec-policy for zones are different after reconfiguration, but there
are some other changes to, for example some zones change their
inline-signing setting.
Some zones only exist prior or after the configuration.
Finally, this is a bit hackish: If RSASHA1 is supported, named.conf
includes "named-rsasha1.conf", otherwise it includes the deliberately
empty "named-rsasha0.conf".
This converts all the nsec3 system test cases prior to reconfiguring the
name server. There are two main classes, one that tests the zone is
correctly signed with NSEC, the other with NSEC3.
Two extra tests for nsec3-dynamic-update-inline.kasp and
nsec3-change.kasp are also rewritten. For the former, we need to
change the 'nsupdate' definition to be able to set the expected RCODE.
when merging view objects into the effective configuration, add
allow-query-cache, allow-recursion, allow-query-cache-on and
allow-recursion-on ACLs as needed to reflect the way those
options inherit from each other.
this means the effective configuration is now correct for each
view. ACLs no longer need to be corrected when applying the
configuration, and the actual effective ACL values will be
displayed in "rndc showconf" and "named-checkconf -pe".
the merging of options and defaults into the effective configuration
broke the mutual inheritance of the allow-recursion, allow-query, and
allow-query-cache ACLs, and of the allow-recursion-on and
allow-query-cache-on ACLs.
this has been corrected by adding a 'cloned' flag to the cfg_obj
structure to indicate whether it was configured explicitly or
cloned from the defaults during parsing. we can then adjust the
ACLs while configuring a view, favoring user-configured values
when they're available over cloned defaults.
currently the adjustments to the ACLs are done in configure_view();
later they'll be moved into the effective configuration and this
special handling can be removed.
allow-recursion is set to "none" in the options block and to
"any" in the view. allow-query-cache in the view should inherit
the "any", not the "none". (currently this test does not pass.)
The dns_resolver mode of operation is to resolve all the domains as it
iterates the DNS tree to fill up the cache as quickly as possible.
This commit reduces the number of outgoing queries by reducing the
number of remote fetches started for the nameserver addresses resolution
via dns_adb_createfind() to a smaller number per depth of the recursion
since the delegation point (3 2 1 0) - where 0 means only create fetch
on demand if we don't have any addresses yet.
Because the asynchronous loading logic expected all jobs to be scheduled
then to be run (because it used to be scheduled during the exclusive
mode) and because all jobs are scheduled on various threads, there were
random situations where load_zones() would return after the scheduled
DB zone loading actually ran. In such cases, the zl->refs ref counter
in view_loaded() wouldn't go down to 0 and the remaining task to do
once all zones were loaded was never called. In particular,
server->reload_status kept the NAMED_RELOAD_PENDING state.
This problem is fixed by handling zoneload_t as a ref-counted object,
shared between load_zones() and each instance of scheduled zone DB
loading. Its destructor function is actually the content of
view_loaded() in the case the zt->refs went to 0. This ensures a
correct post-loading routine to be called once the last load is done.
The configloading system script attempts multiple `rndc
{reconfig,reload}` commands without ensuring the system left
exclusive mode; which normally raise an RNDC error as the server is
currently reloading already. This used to work because the request was
enqueued while the server was in exclusive mode, and was processed
after the server `reload_status` was reset to `NAMED_RELOAD_DONE`.
Due to the fact the exclusive mode is not retaken after
`apply_configuration()` by `load_zones()`, the scheduling of
pending tasks is changed and, regularly, the RNDC command sent by the
test is processed before `NAMED_RELOAD_DONE` is set. This is the same
kind of issue the views system tests had, solved by
`4b2dcb3128fbd5af4609a5a73aeeee1f93bde237`
Fix the problem by waiting for a log line matching the end of
the reloading phase.
The `reload_status` is set to `NAMED_RELOAD_FAILED` after the log line is
printed about this change. Update `reload_status` first, to avoid
(unlikely) case where a test waiting for this log line would attempt a
RNDC reload query but it would be processed by `named` before the status
is updated.
Remove the exclusive mode when scheduling the zone load right after
(re)loading `named` configuration, as there is no reason anymore to
schedule zone loading while the exclusive lock is held. Data which can
be read or written by multiple threads are locked or atomic.
The prefetch statement now enforces its bounds. The configuration
(including `named-checkconf`) now fails if the trigger (first value) is
above 10, or if the eligibility (second optional value) isn't at least
six seconds more than the trigger value.
Catalog-zones can't be used in view which are not from the IN class.
This is now enforced as the server won't load (instead of loading
without the catalog-zone). This configuration error is now also caught
by `named-checkconf`.
The `configure_view()` `need_hints` is removed as it this function was
always called with the value `true`.
The `need_hints` wasn't even used in the function. The only thing it was
actually used was to throw a warning which can be done simply in an
`else` condition branch.
Moreoever, in the case of catalog zones and response-policy, it fixes a
possible bug that would affect root zones, as those wouldn't be reverted
back to their previous version in case of the view fails to load
(during a server reconfiguration).
Do not save the textual version of the effective configuration when
`allow-new-zones` is enabled, as it can be printed on-demand. This
enable to reduce the memory footprint of ~70MB on huge configurations
(1M zones).
the effective configuration tree is now detached if allow-new-zones
or catalog-zones aren't enabled in any views. this reduces memory
consumption while still allowing "rndc showconf -effective" to work.
as previously mentioned in commit c65b2868ab, a cfg_obj_t
configuration tree structure takes up considerably more space than
the canonical text. since the zone configuration saved in the zone
object using dns_zone_setcfg() is only currently used for "rndc
showzone", it can be saved as text more efficiently than as an
object tree. (and, if a tree were needed, the text could be
re-parsed quickly; zone configuration text is generally small.)
The `display_rrcomments` is a tri-state (-1, 0, 1) which is (in some
cases) initialized with `state`, a boolean, through an implicit cast.
This was spot by Coccinelle. Remove the implcit cast by explicitly
assigning 0 or 1 to `display_rrcomments` based on `state` value.
