Commit graph

12333 commits

Author SHA1 Message Date
Witold Kręcicki
86a847314a Fix a race in socket destruction - we need to remove handle from socket in async close callback or we might race between destruction in the callback and in the original nmhandle_unref 2019-12-09 21:44:04 +01:00
Witold Kręcicki
b804d3a395 always return true in ns_interfacemgr_listeningon if interfacemgr is shutting down
to avoid deadlocks on shutdown.
2019-12-09 21:44:04 +01:00
Witold Kręcicki
b0779cc429 netmgr: Add more DbC checks for asynchronous calls. 2019-12-09 21:44:04 +01:00
Witold Kręcicki
ef2dff5c7a pause and unpause netmgr in isc_nm_destroy to flush all events from worker queues 2019-12-09 21:44:04 +01:00
Evan Hunt
c7b86d1cac Style fixes 2019-12-09 21:44:03 +01:00
Witold Kręcicki
3e66b7ba1c Fix a race in tcpdns close with uv_close on timer
stop timers before closing

netmgr: tcpdns_close needs to be asynchronous, it manipulates sock->timer
2019-12-09 21:43:45 +01:00
Witold Kręcicki
23ab349bbd netmgr: fix a race in socket destruction, happening if we close the socket
externally and, at the same time, a timeout timer callback was called.
2019-12-09 21:43:45 +01:00
Witold Kręcicki
0bf74ac792 netmgr:
- make tcp listening IPC pipe name saner
 - put the pipe in /tmp on unices
 - add pid to the pipe name to avoid conflicts between processes
 - fsync directory in which the pipe resides to make sure that the
   child threads will see it and be able to open it
2019-12-09 21:43:45 +01:00
Evan Hunt
b05194160b style, comments 2019-12-09 11:15:27 -08:00
Witold Kręcicki
8c5aaacbef - Add separate priority event queue for events that must be processed
even when worker is paused (e.g. interface reconfiguration). This is
  needed to prevent deadlocks when reconfiguring interfaces - as network
  manager is paused then, but we still need to stop/start listening.

- Proper handling of TCP listen errors in netmgr - bind to the socket first,
  then return the error code.
2019-12-09 11:15:27 -08:00
Witold Kręcicki
5a65ec0aff Add uv_handle_{get,set}_data functions that's absent in pre-1.19 libuv to make code clearer.
This might be removed when we stop supporting older libuv versions.
2019-12-09 11:15:27 -08:00
Witold Kręcicki
bc5aae1579 netmgr: make tcp listening multithreaded.
When listening for TCP connections we create a socket, bind it
and then pass it over IPC to all threads - which then listen on
in and accept connections. This sounds broken, but it's the
official way of dealing with multithreaded TCP listeners in libuv,
and works on all platforms supported by libuv.
2019-12-09 11:15:27 -08:00
Mark Andrews
c6efc0e50f Add is_leaf and send_to_prune_tree.
Add is_leaf and send_to_prune_tree to make the logic easier
to understand in cleanup_dead_nodes and decrement_reference.
2019-12-09 17:43:54 +00:00
Mark Andrews
176b23b6cd Testing node->down requires the tree lock to be held.
In decrement_reference only test node->down if the tree lock
is held.  As node->down is not always tested in
decrement_reference we need to test that it is non NULL in
cleanup_dead_nodes prior to removing the node from the rbt
tree.  Additionally it is not always possible to aquire the
node lock and reactivate a node when adding parent nodes.
Reactivate such nodes in cleanup_dead_nodes if required.
2019-12-09 17:43:54 +00:00
Matthijs Mekking
4b66c0ebf4 Change some dnssec-policy defaults
Suggested by Tony Finch, these seem to be more reasonable defaults.
2019-12-09 07:25:20 +00:00
Matthijs Mekking
0f9d45a5b8 Default key size 2048
The default size for RSA keys is 2048 bits, for both ZSKs and KSKs.
2019-12-09 07:25:20 +00:00
Ondřej Surý
8120088ec7 Change the (acl)->node_count macro to dns_acl_node_count(acl) macro to clean the global namespace 2019-12-06 15:47:39 +01:00
Matthijs Mekking
60fa5fc760 Fix duration printing on Solaris 2019-12-06 13:12:06 +01:00
Matthijs Mekking
eddac8575d Minor fixes in trust anchor code
This commit makes some minor changes to the trust anchor code:

1. Replace the undescriptive n1, n2 and n3 identifiers with slightly
   better rdata1, rdata2, and rdata3.
2. Fix an occurrence where in the error log message a static number
   32 was printed, rather than the rdata3 length.
3. Add a default case to the switch statement checking DS digest
   algorithms to catch unknown algorithms.
2019-12-06 07:12:24 +00:00
Matthijs Mekking
8c37d3d320 Rename 'dnssec-keys' to 'trust-anchors' 2019-12-05 12:19:17 +01:00
Ondřej Surý
b1a7ec7481 Remove isc_thread_key API in favor of ISC_THREAD_LOCAL variables
For BIND 9.16+, TLS aware compiler is required, and using
ISC_THREAD_LOCAL is preferred way of using Thread Local Storage.  The
isc_thread_key API is no longer used anywhere and hence was removed from
BIND 9.
2019-12-04 14:17:19 +01:00
Ondřej Surý
5d43b7126c Refactor the irs_context API to use ISC_THREAD_LOCAL
Previously, the irs_context API used isc_thread_key API for TLS, which is
fairly complicated and requires initialization of memory contexts, etc.
This part of code was refactored to use a ISC_THREAD_LOCAL pointer which
greatly simplifies the whole code related to storing TLS variables.
2019-12-04 14:17:19 +01:00
Ondřej Surý
a4ffb64073 Refactor the dns_geoip API to use ISC_THREAD_LOCAL
Previously, the dns_geoip API used isc_thread_key API for TLS, which is
fairly complicated and requires initialization of memory contexts, etc.
This part of code was refactored to use a ISC_THREAD_LOCAL pointer which
greatly simplifies the whole code related to storing TLS variables, and
creating the local memory context was moved to named and stored in the
named_g_geoip global context.
2019-12-04 14:17:19 +01:00
Ondřej Surý
4a3d589403 Refactor the dns_dt API to use ISC_THREAD_LOCAL
Previously, the dns_dt API used isc_thread_key API for TLS, which is
fairly complicated and requires initialization of memory contexts, etc.
This part of code was refactored to use a ISC_THREAD_LOCAL pointer which
greatly simplifies the whole code related to storing TLS variables.
2019-12-03 16:27:30 +01:00
Ondřej Surý
1a66aabd22 Refactor the dns_name API to use ISC_THREAD_LOCAL
Previously, the dns_name API used isc_thread_key API for TLS, which is
fairly complicated and requires initialization of memory contexts, etc.
This part of code was refactored to use a ISC_THREAD_LOCAL pointer which
greatly simplifies the whole code related to storing TLS variables.
2019-12-03 16:27:24 +01:00
Ondřej Surý
01731d4b1b Add and use ISC_THREAD_LOCAL macro
The new ISC_THREAD_LOCAL macro unifies usage of platform dependent
Thread Local Storage definition thread_local vs __thread vs
__declspec(thread) to a single macro.

The commit also unifies the required level of support for TLS as for
some parts of the code it was mandatory and for some parts of the code
it wasn't.
2019-12-03 16:27:24 +01:00
Mark Andrews
cd2469d3cd r/w of rbtdb->current_version requires that rbtdb->lock be held 2019-12-02 23:48:41 +00:00
Mark Andrews
912ce87479 Make fctx->attributes atomic.
FCTX_ATTR_SHUTTINGDOWN needs to be set and tested while holding the node
lock but the rest of the attributes don't as they are task locked. Making
fctx->attributes atomic allows both behaviours without races.
2019-12-03 08:58:53 +11:00
Mark Andrews
9ca6ad6311 Assign fctx->client when fctx is created rather when the join happens.
This prevents races on fctx->client whenever a new fetch joins a existing
fetch (by calling fctx_join) as it is now invariant for the active life of
fctx.
2019-12-02 06:01:46 +00:00
Ondřej Surý
edd97cddc1 Refactor dns_name_dup() usage using the semantic patch 2019-11-29 14:00:37 +01:00
Ondřej Surý
a35b19f80e libdns: dns_name_dup() can't fail, change return type to void 2019-11-29 13:59:40 +01:00
Mark Andrews
637b2c4e51 rdataset_setownercase and rdataset_getownercase need to obtain a node lock 2019-11-28 13:37:56 +01:00
Witold Kręcicki
f01d739968 Use clock_realtime_fast where available 2019-11-28 12:36:55 +01:00
Ondřej Surý
c5b18d3dcb Use ATOMIC_VAR_INIT to initialize tid_v_base to 0 2019-11-28 12:06:10 +01:00
Ondřej Surý
9e8feec7d3 Improve the atomics usage in isc_counter API 2019-11-28 11:21:52 +01:00
Mark Andrews
8f6aaa7230 add comments 'tree_lock(write) must be held' 2019-11-27 09:58:15 +00:00
Mark Andrews
7cad3b2e91 rbtnode->nsec needs to be read while holding the tree lock 2019-11-27 09:58:15 +00:00
Evan Hunt
715afa9c57 add a stats counter for clients dropped due to recursive-clients limit 2019-11-26 17:55:06 +00:00
Witold Kręcicki
bf2cc19b04 - Access netmgr worker->finished under worker lock only
- Join network worker thread to silence tsan
2019-11-26 15:21:25 +01:00
Mark Andrews
f269585de3 provide default yaml indent 2019-11-26 13:52:30 +01:00
Mark Andrews
9936462f31 dns_master_indent and dns_master_indentstr must not be global
The indentation for dumping the master zone was driven by two
global variables dns_master_indent and dns_master_indentstr.  In
threaded mode, this becomes prone to data access races, so this commit
converts the global variables into a local per-context tuple that
consist of count and string.
2019-11-26 13:52:18 +01:00
Ondřej Surý
21eab267df Fix missing adb->{e,i}refcnt locking 2019-11-26 13:07:12 +01:00
Witold Kręcicki
bad5a523c2 lib/dns/adb.c: Use atomics for adb quota values and reference counting 2019-11-26 13:07:12 +01:00
Ondřej Surý
b9f4ba19a6 Use integer fast type for mutexatomic shim type 2019-11-26 13:07:12 +01:00
Mark Andrews
26a93d77aa move maxbuffers test to allocate_udp_buffer 2019-11-25 23:39:45 +00:00
Mark Andrews
011af4de71 Lock dispatch manager buffer_lock before accessing buffers;
Only test buffers for UDP dispatches.
2019-11-25 23:39:45 +00:00
Mark Andrews
afc7389ce8 lock disp->mgr before reading disp->mgr->buffers 2019-11-25 23:39:45 +00:00
Ondřej Surý
3ce6708be2 Add missing header guard to new header files 2019-11-25 09:10:29 +01:00
Mark Andrews
6ce39f64d9 remove DNS_RBT_REFLENGTH as it is no longer needed 2019-11-25 16:21:52 +11:00
Mark Andrews
b8bb1e02ad Split access to wild and dirty from locknum to silence TSAN warnings. 2019-11-25 16:21:52 +11:00
Evan Hunt
00333a5c97 netmgr: add shutdown function
- new function isc_nm_shutdown() shuts down all active TCP connections,
  but does not destroy the netmgr.
2019-11-22 16:46:32 -08:00
Witold Kręcicki
d6c5052f7e netmgr: actively close all sockets when shutting down server
without this change, named could sometimes lag for a while on shutdown
while it waited for open TCP connections to time out.
2019-11-22 16:46:32 -08:00
Witold Kręcicki
37354ee225 netmgr: fix TCP backlog and client quota count
- add support for TCP backlog, using the value provided by config.
 - don't attach to TCP client quota for listening sockets, only
   connected sockets.
2019-11-22 16:46:32 -08:00
Evan Hunt
c4ad0466d6 netmgr: log TCP connection errors 2019-11-22 16:46:32 -08:00
Evan Hunt
0260d31d26 netmgr: performance improvement
- use memory pools for ievent and uvreq objects.
2019-11-22 16:46:31 -08:00
Evan Hunt
199bd6b623 netmgr: make TCP timeouts configurable
- restore support for tcp-initial-timeout, tcp-idle-timeout,
  tcp-keepalive-timeout and tcp-advertised-timeout configuration
  options, which were ineffective previously.
2019-11-22 16:46:31 -08:00
Witold Kręcicki
b7a72b1667 netmgr: TCP improvements
- add timeout support for TCP and TCPDNS connections to protect against
  slowloris style attacks. currently, all timeouts are hard-coded.
- rework and simplify the TCPDNS state machine.
2019-11-22 16:46:31 -08:00
Mark Andrews
3075445ed6 lock dispatch before reporting state 2019-11-22 19:52:14 +00:00
Mark Andrews
444d742a94 change log category of some messages to DNS_LOGCATEGORY_XFER_IN 2019-11-22 13:14:54 +00:00
Witold Kręcicki
58db2d1d18 Fix a bug in trust anchors verification.
We were not reseting the keynode value when iterating over DNSKEYs in
RRSET, so we weren't checking all DNSKEYs against all trust anchors. This
commit fixes the issue by resetting keynode with every loop.
2019-11-21 18:18:56 +01:00
Evan Hunt
7bd3205c61 BIND 9.15.6
-----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAl3SCY8ACgkQw1ppSAjxOtJBiwCgpRCA6Q0+8YXb0ycV2G2hJO6V
 AyUAn2acZBqCFJqOZgCdtyh2banWMbmT
 =43ra
 -----END PGP SIGNATURE-----

Merge tag 'v9_15_6' into merge-v9_15_6
2019-11-20 13:34:25 -08:00
Mark Andrews
7d4d64340e use update_recordsandbytes in rbt_datafixer 2019-11-20 00:17:51 +08:00
Mark Andrews
0cda448248 always obtain write lock when updating version->{records,bytes} 2019-11-20 00:17:51 +08:00
Ondřej Surý
bcfc07e3d3 Fix missing lock around pos and destroy mutex in isc_astack_destroy 2019-11-19 10:31:07 +01:00
Mark Andrews
fcb6dbcdd7 make header->count atomic 2019-11-19 17:29:20 +11:00
Ondřej Surý
a5189eefa5 lib/dns/resolver.c: Call dns_adb_endudpfetch() only for UDP queries
The dns_adb_beginudpfetch() is called only for UDP queries, but
the dns_adb_endudpfetch() is called for all queries, including
TCP.  This messages the quota counting in adb.c.
2019-11-19 02:53:56 +08:00
Witold Kręcicki
7d93371581 lib/dns/adb.c: don't use more than 64 lock simultaneously when run under TSAN
- TSAN can't handle more than 64 locks in one thread, lock ADB bucket-by-bucket
   in TSAN mode. This means that the dump won't be consistent but it's good
   enough for testing

 - Use proper order when unlocking adb->namelocks and adb->entrylocks when
   dumping ADB.
2019-11-18 06:51:30 +01:00
Tinderbox User
767a2aef43 prep 9.15.6 2019-11-17 18:59:41 -08:00
Evan Hunt
73cafd9d57 clean up comments 2019-11-17 18:59:40 -08:00
Witold Kręcicki
70f80a3ec7 fix a problem with the mem_test unit test
isc_mem_traceflag_test messes with stdout/stderr, which can cause
problems with subsequent tests (no output, libuv problems).  Moving that
test case to the end ensures there are no side effects.
2019-11-17 18:59:40 -08:00
Witold Kręcicki
62a8405fa2 netmgr: close uv_loop properly
close the uv_handle for the worker async channel, and call
uv_loop_close() on shutdown to ensure that the event loop's
internal resources are properly freed.
2019-11-17 18:59:40 -08:00
Witold Kręcicki
6718a4ef8b ensure isc_queue_t is aligned to double-cacheline size 2019-11-17 18:59:40 -08:00
Evan Hunt
123ee350dc place a limit on pipelined queries that can be processed simultaneously
when the TCPDNS_CLIENTS_PER_CONN limit has been exceeded for a TCP
DNS connection, switch to sequential mode to ensure that memory cannot
be exhausted by too many simultaneous queries.
2019-11-17 18:59:39 -08:00
Evan Hunt
0f9d8eb7b5 add support for DS trust anchors in mirror zone verification 2019-11-17 17:44:17 -08:00
Ondřej Surý
e95af30b23 Make lib/ns Thread Sanitizer clean 2019-11-17 17:42:41 -08:00
Ondřej Surý
7b9084d45d Use atomic_bool for variables shared among threads to make zt_test.c thread-safe 2019-11-18 08:39:12 +08:00
Ondřej Surý
23964dbbbc Change the shared completion->done variable to atomic_bool in socket_test.c 2019-11-17 09:38:36 +08:00
Mark Andrews
00605058b4 conditionally test based on USE_LIBTOOL or LD_WRAP 2019-11-16 11:46:06 +08:00
Mark Andrews
c7b20f3c40 specify the install name when building libwrap 2019-11-16 11:21:41 +08:00
Mark Andrews
b88faee181 MacOS portability
-Wl,-z,interpose is not supported.
-Wl,rpath=<path> is not supported use -Wl,rpath,<path> instead.
Use @SO@ for loadable extension.
Use -L <path> -l libwrap instead of libwrap.sa.
2019-11-16 11:21:41 +08:00
Evan Hunt
342cc9b168 add support for DS trust anchors in delv 2019-11-15 15:47:57 -08:00
Evan Hunt
edafbf1c0f fix root key sentinel code to send the correct key ID for DS trust anchors 2019-11-15 15:47:57 -08:00
Evan Hunt
8aaee26548 add validator support for static DS-style trust anchors 2019-11-15 15:47:56 -08:00
Evan Hunt
4d3ed3f4ea refactor create_keydata
use empty placeholder KEYDATA records for all trust anchors, not just
DS-style trust anchors.

this revealed a pre-existing bug: keyfetch_done() skips keys without
the SEP bit when populating the managed-keys zone. consequently, if a
zone only has a single ZSK which is configured as trust anchor and no
KSKs, then no KEYDATA record is ever written to the managed-keys zone
when keys are refreshed.

that was how the root server in the dnssec system test was configured.
however, previously, the KEYDATA was created when the key was
initialized; this prevented us from noticing the bug until now.

configuring a ZSK as an RFC 5011 trust anchor is not forbidden by the
spec, but it is highly unusual and not well defined.  so for the time
being, I have modified the system test to generate both a KSK and ZSK
for the root zone, enabling the test to pass.

we should consider adding code to detect this condition and allow keys
without the SEP bit to be used as trust anchors if no key with the SEP
bit is available, or at minimum, log a warning.
2019-11-15 15:47:56 -08:00
Evan Hunt
a8f89e9a9f use DS-style trust anchor to verify 5011 key refresh query
note: this also needs further refactoring.

- when initializing RFC 5011 for a name, we populate the managed-keys
  zone with KEYDATA records derived from the initial-key trust anchors.

  however, with initial-ds trust anchors, there is no key. but the
  managed-keys zone still must have a KEYDATA record for the name,
  otherwise zone_refreshkeys() won't refresh that key. so, for
  initial-ds trust anchors, we now add an empty KEYDATA record and set
  the key refresh timer so that the real keys will be looked up as soon
  as possible.

- when a key refresh query is done, we verify it against the
  trust anchor; this is done in two ways, one with the DS RRset
  set up during configuration if present, or with the keys linked
  from each keynode in the list if not.  because there are two different
  verification methods, the loop structure is overly complex and should
  be simplified.

- the keyfetch_done() and sync_keyzone() functions are both too long
  and should be broken into smaller functions.
2019-11-15 15:47:56 -08:00
Evan Hunt
854af5a353 allow DS trust anchors to be set in keytable
note: this is a frankensteinian kluge which needs further refactoring.

the keytable started as an RBT where the node->data points to a list of
dns_keynode structures, each of which points to a single dst_key.
later it was modified so that the list could instead point to a single
"null" keynode structure, which does not reference a key; this means
a trust anchor has been configured but the RFC 5011 refresh failed.

in this branch it is further updated to allow the first keynode in
the list to point to an rdatalist of DS-style trust anchors.  these will
be used by the validator to populate 'val->dsset' when validating a zone
key.

a DS style trust anchor can be updated as a result of RFC 5011
processing to contain DST keys instead; this results in the DS list
being freed.  the reverse is not possible; attempting to add a DS-style
trust anchor if a key-style trust anchor is already in place results
in an error.

later, this should be refactored to use rdatalists for both DS-style
and key-style trust anchors, but we're keeping the existing code for
old-style trust anchors for now.
2019-11-15 15:47:56 -08:00
Evan Hunt
1a8348e2b4 disallow use of DS- and key-style trust anchors for the same name 2019-11-15 15:47:41 -08:00
Evan Hunt
feba480527 read DS trust anchors in named.conf
(but they aren't used for anything yet)
2019-11-15 15:47:17 -08:00
Evan Hunt
3fede8a7e9 add "static-ds" and "initial-ds" keywords to config parser 2019-11-15 15:47:17 -08:00
Evan Hunt
ac0d3c21c6 add a global function to match a DS rdata to a DNSKEY 2019-11-15 15:47:17 -08:00
Evan Hunt
692c879e3c remove unneeded members from dns_validator
- val->keynode and val->seensig were set but never used.
- val->nearest, val->soaset, val->soaname, val->nsecset and val->nsec3set
  were never used at all.
2019-11-15 14:26:08 -08:00
Evan Hunt
3a4334636b simplify validate_dnskey and seek_ds
- pull out the code that checks whether a key was signed by a trust
  anchor into a separate function, anchor_signed().
- pull out the code that looks up a DS while validating a zone key
  into a separate function, get_dsset().
- check in create_validator() whether the sigrdataset is bound, so that
  we can always pass in &val->fsigrdataset during an insecurity proof;
  this will allow a reduction of code duplication.
2019-11-15 14:26:08 -08:00
Evan Hunt
9119dc25fe continue renaming functions for clarity
- also simplified some calls: don't pass siginfo where val->siginfo
  is sufficient, don't INSIST where returning false is sufficient.
- also added header comments to several local functions.
2019-11-15 14:26:07 -08:00
Evan Hunt
22aa668b7d convert if to switch in get_key 2019-11-15 14:26:07 -08:00
Evan Hunt
9150688efd rename fetch/validator callback functions for consistency and clarity 2019-11-15 14:26:07 -08:00
Evan Hunt
edc9c79c9c reorder switch in validatezonekey to similar order as seek_ds 2019-11-15 14:26:07 -08:00
Evan Hunt
d0f8c50618 convert if statement to switch 2019-11-15 14:26:07 -08:00
Evan Hunt
ea1d4d11fc refactor dsfetched/dsfetched2 into a common function 2019-11-15 14:26:06 -08:00
Evan Hunt
3659cca624 rename some functions for better clarity 2019-11-15 14:26:06 -08:00
Evan Hunt
54710873a7 move some duplicate code into validate_neg_rrset() 2019-11-15 14:26:06 -08:00
Evan Hunt
6dc5343d6d move the 'mustbesecure' checks into markanswer() 2019-11-15 14:26:06 -08:00
Evan Hunt
61456d886e split proveunsecure() 2019-11-15 14:26:06 -08:00
Evan Hunt
34d7776f14 reduce redundant code 2019-11-15 14:10:56 -08:00
Evan Hunt
32d1cc1562 style, braces, whitespace 2019-11-15 14:10:56 -08:00
Ondřej Surý
d50322ed95 Properly disable lib/ns tests when run under ASAN 2019-11-15 05:09:52 +00:00
Evan Hunt
bd9f5c3c19 fix netmgr setup/teardown issues; setup and teardown only once in timer_test
- the netmgr was not correctly being specified when creating the task
  manager, and was cleaned up in the wrong order when shutting down.
- on freebsd, timer_test appears to be prone to failure if the
  netmgr is set up and torn down before and after ever test case, but
  less so if it's only set up once at the beginning and once at the
  end.
2019-11-13 14:47:47 +01:00
Ondřej Surý
aca0f88750 Remove the assertions from subthreads and use global errcnt to record errors 2019-11-13 14:47:47 +01:00
Ondřej Surý
2c3589e22a Lock the lasttime variable that's concurrently accessed between threads 2019-11-13 14:47:47 +01:00
Ondřej Surý
b9cb4c94fa Directly embed ../timer.c in timer_test.c for better assertion testing 2019-11-13 14:47:47 +01:00
Ondřej Surý
8de64964a3 Refactor the way we use memory context from isctest.c
This commit renames isctest {mctx,lctx} to test_{mctx,lctx} and cleans
up their usage in the individual unit tests.  This allows embedding
library .c files directly into the unit tests.
2019-11-13 14:47:47 +01:00
Witold Kręcicki
5ce4b04b50 If a task is running and we call isc_task_pause it can
be implicitly unpaused when we switch from 'running' to
'idle' state. Fix it by not switching to 'idle' when paused.
2019-11-13 12:32:17 +00:00
Michał Kępień
d8768bd143 Fix libuv.dll handling
Make sure libuv.dll gets copied to the proper directory in the Release
build configuration and that the BIND installer on Windows installs
libuv.dll.
2019-11-12 09:14:59 +00:00
Ondřej Surý
bd80969b11 Cleanup the {PATH,NAME}_MAX stray #ifdefs 2019-11-12 09:36:08 +01:00
Samuel Thibault
d10fbdec84 hurd: Fix build
Move PATH_MAX, NAME_MAX, IOV_MAX default definitions to the common
<isc/platform.h>.
2019-11-10 20:14:17 +00:00
Evan Hunt
b9a5508e52 remove ISC_QUEUE as it is no longer used 2019-11-07 11:55:37 -08:00
Evan Hunt
53f0b6c34d convert ns_client and related objects to use netmgr
- ns__client_request() is now called by netmgr with an isc_nmhandle_t
  parameter. The handle can then be permanently associated with an
  ns_client object.
- The task manager is paused so that isc_task events that may be
  triggred during client processing will not fire until after the netmgr is
  finished with it. Before any asynchronous event, the client MUST
  call isc_nmhandle_ref(client->handle), to prevent the client from
  being reset and reused while waiting for an event to process. When
  the asynchronous event is complete, isc_nmhandle_unref(client->handle)
  must be called to ensure the handle can be reused later.
- reference counting of client objects is now handled in the nmhandle
  object.  when the handle references drop to zero, the client's "reset"
  callback is used to free temporary resources and reiniialize it,
  whereupon the handle (and associated client) is placed in the
  "inactive handles" queue.  when the sysstem is shutdown and the
  handles are cleaned up, the client's "put" callback is called to free
  all remaining resources.
- because client allocation is no longer handled in the same way,
  the '-T clienttest' option has now been removed and is no longer
  used by any system tests.
- the unit tests require wrapping the isc_nmhandle_unref() function;
  when LD_WRAP is supported, that is used. otherwise we link a
  libwrap.so interposer library and use that.
2019-11-07 11:55:37 -08:00
Witold Kręcicki
33bf90331b use clock_gettime() instead of gettimeofday() for isc_itme functions 2019-11-07 11:55:37 -08:00
Witold Kręcicki
a85a65f96e add atomic_exchange operations to mutexatomic.h and win32 stdatomic.h 2019-11-07 11:55:37 -08:00
Evan Hunt
59c64fa4bd add isc_task_pause() and isc_task_unpause() functions
This allows a task to be temporary disabled so that objects won't be
processed simultaneously by libuv events and isc_task events. When a
task is paused, currently running events may complete, but no further
event will added to the run queue will be executed until the task is
unpaused.
2019-11-07 11:55:37 -08:00
Evan Hunt
36ee430327 optionally associate a netmgr with a task manager when creating
When a task manager is created, we can now specify an `isc_nm`
object to associate with it; thereafter when the task manager is
placed into exclusive mode, the network manager will be paused.
2019-11-07 11:55:37 -08:00
Evan Hunt
48d003edf7 use netmgr in libisc unit tests 2019-11-07 11:55:37 -08:00
Witold Kręcicki
70397f9d92 netmgr: libuv-based network manager
This is a replacement for the existing isc_socket and isc_socketmgr
implementation. It uses libuv for asynchronous network communication;
"networker" objects will be distributed across worker threads reading
incoming packets and sending them for processing.

UDP listener sockets automatically create an array of "child" sockets
so each worker can listen separately.

TCP sockets are shared amongst worker threads.

A TCPDNS socket is a wrapper around a TCP socket, which handles the
the two-byte length field at the beginning of DNS messages over TCP.

(Other wrapper socket types can be implemented in the future to handle
DNS over TLS, DNS over HTTPS, etc.)
2019-11-07 11:55:37 -08:00
Evan Hunt
a8c814cb2f implement fixed-size array stack data structure 2019-11-07 11:55:37 -08:00
Witold Kręcicki
402969bf95 implement fetch-and-add array queue data structure
this is a lockless queue based on hazard pointers.
2019-11-07 11:55:37 -08:00
Evan Hunt
64e1a4a398 temporarily move ISC_QUEUE to list.h
The double-locked queue implementation is still currently in use
in ns_client, but will be replaced by a fetch-and-add array queue.
This commit moves it from queue.h to list.h so that queue.h can be
used for the new data structure, and clean up dependencies between
list.h and types.h. Later, when the ISC_QUEUE is no longer is use,
it will be removed completely.
2019-11-07 11:55:37 -08:00
Witold Kręcicki
aa57fa7090 implement hazard pointer data structure
this is a mechanism to allow safe lock-free data structures.
2019-11-07 11:55:37 -08:00
Witold Kręcicki
a5f8374400 add isc_sockaddr_fromsockaddr function
This converts from struct sockaddr to isc_sockaddr_t
2019-11-07 11:55:37 -08:00
Matthijs Mekking
5f464d15a0 dnssec-policy inheritance from options/view
'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.

This requires a new keyword to be introduced: 'none'.  If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned.  You can use this to break the inheritance.  Of course
you can also break the inheritance by referring to a different
policy.

The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.

Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).
2019-11-06 22:36:21 +01:00
Mark Andrews
ce1c1631b3 move appending kasp to the list until we can't fail; document why we don't detach 2019-11-06 22:36:21 +01:00
Mark Andrews
5eedd365d4 Insist that kasp is not linked. 2019-11-06 22:36:21 +01:00
Matthijs Mekking
f11ce44818 Make kasp opaque 2019-11-06 22:36:21 +01:00
Matthijs Mekking
70da58c871 kasp.c: return parenthesis (style) and REQUIRE
This code was missing a lot of return parenthesis (violating our
style guide) and a missing REQUIRE in 'dns_kasplist_find()'.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
c3e0ac865f Add tests for CDS/CDNSKEY publication
The kasp system tests are updated with 'check_cds' calls that will
verify that the correct CDS and CDNSKEY records are published during
a rollover and that they are signed with the correct KSK.

This requires a change in 'dnssec.c' to check the kasp key states
whether the CDS/CDNSKEY of a key should be published or not.  If no
kasp state exist, fall back to key timings.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
2e46dcbbce sign_apex() should also consider CDS/CDNSKEY
The 'sign_apex()' function has special processing for signing the
DNSKEY RRset such that it will always be signed with the active
KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
should have the same special processing.  The special processing is
moved into a new function 'tickle_apex_rrset()' and is applied to
all three RR types (DNSKEY, CDS, CDNSKEY).

In addition, when kasp is involved, update the DNSKEY TTL accordingly
to what is in the policy.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
1211c348bb Add dst_key_copy_metadata function.
When updating DNSSEC keys we would like to be able to copy the
metadata from one key to another.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
29e6ec3181 KASP timings all uint32_t
Get rid of the warnings in the Windows build.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
67033bfd3d Code changes for CSK
Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK.  A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.

This means that a key can be actively signing for one role but not
the other.  Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
6468ffc336 Use keywords in dnssec-policy keys configuration
Add keywords 'lifetime' and 'algorithm' to make the key configuration
more clear.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
c125b721ef Adjust signing code to use kasp
Update the signing code in lib/dns/zone.c and lib/dns/update.c to
use kasp logic if a dnssec-policy is enabled.

This means zones with dnssec-policy should no longer follow
'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
KASP keys configured dictate which RRset gets signed with what key.

Also use the next rekey event from the key manager rather than
setting it to one hour.

Mark the zone dynamic, as otherwise a zone with dnssec-policy is
not eligble for automatic DNSSEC maintenance.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
fcf14b2b47 DNSSEC hints use dst_key functions and key states
Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
functions and thus if dnssec-policy/KASP is used the key states are
being considered.

Add a new variable to 'struct dns_dnsseckey' to signal whether this
key is a zone-signing key (it is no longer true that ksk == !zsk).

Also introduce a hint for revoke.

Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
to also read the key state file, if available.

Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
hint for logging.

Also make get_hints() (now dns_dnssec_get_hints()) public so that
we can use it in the key manager.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
7e7aa5387c Introduce keymgr in named
Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
will run a key manager on the matching keys.  This will do a couple
of things:

1. Create keys when needed (in case of rollover for example)
   according to the set policy.

2. Retire keys that are in excess of the policy.

3. Maintain key states according to "Flexible and Robust Key
   Rollover" [1]. After key manager ran, key files will be saved to
   disk.

   [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

KEY GENERATION

Create keys according to DNSSEC policy.  Zones configured with
'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
to dnssec-keymgr) if not available.

KEY ROLLOVER

Rather than determining the desired state from timing metadata,
add a key state goal.  Any keys that are created or picked from the
key ring and selected to be a successor has its key state goal set
to OMNIPRESENT (this key wants to be signing!). At the same time,
a key that is being retired has its key state goal set to HIDDEN.

The keymgr state machine with the three rules will make sure no
introduction or withdrawal of DNSSEC records happens too soon.

KEY TIMINGS

All timings are based on RFC 7583.

The keymgr will return when the next action is happening so
that the zone can set the proper rekey event. Prior to this change
the rekey event will run every hour by default (configurable),
but with kasp we can determine exactly when we need to run again.

The prepublication time is derived from policy.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
314b90dfdd Useful dst_key functions
Add a couple of dst_key functions for determining hints that
consider key states if they are available.
- dst_key_is_unused:
  A key has no timing metadata set other than Created.
- dst_key_is_published:
  A key has publish timing metadata <= now, DNSKEY state in
  RUMOURED or OMNIPRESENT.
- dst_key_is_active:
  A key has active timing metadata <= now, RRSIG state in
  RUMOURED or OMNIPRESENT.
- dst_key_is_signing:
  KSK is_signing and is_active means different things than
  for a ZSK. A ZSK is active means it is also signing, but
  a KSK always signs its DNSKEY RRset but is considered
  active if its DS is present (rumoured or omnipresent).
- dst_key_is_revoked:
  A key has revoke timing metadata <= now.
- dst_key_is_removed:
  A key has delete timing metadata <= now, DNSKEY state in
  UNRETENTIVE or HIDDEN.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
1f0d6296a1 kasp: Expose more key timings
When doing rollover in a timely manner we need to have access to the
relevant kasp configured durations.

Most of these are simple get functions, but 'dns_kasp_signdelay'
will calculate the maximum time that is needed with this policy to
resign the complete zone (taking into account the refresh interval
and signature validity).

Introduce parent-propagation-delay, parent-registration-delay,
parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
dcf79ce61f keygen/settime: Write out successor/predecessor
When creating a successor key, or calculating time for a successor
key, write out the successor and predecessor metadata to the
related files.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
53e76f888b Allow DNSSEC records in kasp enabled zone
When signing a zone with dnssec-policy, we don't mind DNSSEC records.
This is useful for testing purposes, and perhaps it is better to
signal this behavior with a different configuration option.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
72042a06d6 dnssec-settime: Allow manipulating state files
Introduce a new option '-s' for dnssec-settime that when manipulating
timing metadata, it also updates the key state file.

For testing purposes, add options to dnssec-settime to set key
states and when they last changed.

The dst code adds ways to write and read the new key states and
timing metadata. It updates the parsing code for private key files
to not parse the newly introduced metadata (these are for state
files only).

Introduce key goal (the state the key wants to be in).
2019-11-06 22:31:45 +01:00
Matthijs Mekking
c55625b035 Add functionality to read key state from disk
When reading a key from file, you can set the DST_TYPE_STATE option
to also read the key state.

This expects the Algorithm and Length fields go above the metadata,
so update the write functionality to do so accordingly.

Introduce new DST metadata types for KSK, ZSK, Lifetime and the
timing metadata used in state files.
2019-11-06 22:31:45 +01:00
Matthijs Mekking
97a5698e06 Add various get functions for kasp
Write functions to access various elements of the kasp structure,
and the kasp keys. This in preparation of code in dnssec-keygen,
dnssec-settime, named...
2019-11-06 22:31:45 +01:00
Matthijs Mekking
77d2895a5a Update dst key code to maintain key state
Add a number of metadata variables (lifetime, ksk and zsk role).

For the roles we add a new type of metadata (booleans).

Add a function to write the state of the key to a separate file.

Only write out known metadata to private file.  With the
introduction of the numeric metadata "Lifetime", adjust the write
private key file functionality to only write out metadata it knows
about.
2019-11-06 22:31:45 +01:00
Matthijs Mekking
7f4d1dbddf Nit: fix typo in documentation dst_key_getnum 2019-11-06 22:31:44 +01:00