  1. 09 Sep, 2018 2 commits
  2. 07 Sep, 2018 3 commits
  3. 06 Sep, 2018 1 commit
  4. 31 Aug, 2018 5 commits
  5. 28 Aug, 2018 8 commits
  6. 27 Aug, 2018 1 commit
  7. 25 Aug, 2018 1 commit
    • Set "use-alt-transfer-source no;" in the "mirror" system test · a23162ab
      Michał Kępień authored
      Force ns3 to use a constant source address (10.53.0.3) when sending
      transfer requests for the "initially-unavailable" zone to prevent
      failures of transfers not triggered by bin/tests/system/mirror/tests.sh
      from causing fallback to using a source address for which transfers of
      that zone are refused throughout the entire "mirror" system test since
      that might yield false positives.
  8. 24 Aug, 2018 1 commit
    • Prevent a race in the "inline" system test · e36c869e
      Michał Kępień authored
      A short time window exists between logging the addition of an NSEC3PARAM
      record to a zone and committing it to the current version of the zone
      database.  If a query arrives during such a time window, an unsigned
      response will be returned.  One of the checks in the "inline" system
      test requires NSEC3 records to be present in an answer - that check
      would fail in the case described above.  Use rndc instead of log
      watching for checking whether zone signing and NSEC3 chain modifications
      are complete in order to prevent intermittent "inline" system test
      failures.
  9. 23 Aug, 2018 2 commits
  10. 22 Aug, 2018 4 commits
    • Evan Hunt's avatar
      e67f81bb
    • Fix reloading inline-signed zones · 54315839
      Michał Kępień authored
      While "rndc reload" causes dns_zone_asyncload() to be called for the
      signed version of an inline-signed zone, the subsequent zone_load() call
      causes the raw version to be reloaded from storage.  This means that
      DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
      dns_zone_asyncload() before the reload is attempted, but zone_postload()
      is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
      cleared for the raw version, but not for the signed version.  This in
      turn prevents zone maintenance from happening for the signed version of
      the zone.
      
      Until commit 29b7efdd, this problem
      remained dormant because DNS_ZONEFLG_LOADPENDING was previously
      immediately, unconditionally cleared after zone loading was started
      (whereas it should only be cleared when zone loading is finished or an
      error occurs).  This behavior caused other issues [1] and thus had to be
      changed.
      
      Fix reloading inline-signed zones by clearing DNS_ZON...
    • Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone · 8db550c4
      Michał Kępień authored
      When an inline-signed zone is loaded, the master file for its signed
      version is loaded and then a rollforward of the journal for the signed
      version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
      during the latter phase, signatures loaded from the journal for the
      signed version of the zone will not be scheduled for refresh.  Fix the
      conditional expression determining which flags should be used for the
      dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
      zone_postload() is called for the signed version of an inline-signed
      zone.
      
      Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
      of "rndc stop" as the former allows master file flushing upon shutdown
      to be suppressed.
    • Do not treat a referral with a non-empty ANSWER section as an error · 24b9ec55
      Michał Kępień authored
      As part of resquery_response() refactoring [1], a goto statement was
      replaced [2] with a call to a new function - originally called
      rctx_delegation(), now folded into rctx_answer_none() - extracted from
      existing code.  However, one call site of that refactored function does
      not reset the "result" variable, causing a referral with a non-empty
      ANSWER section to be inadvertently treated as an error, which prevents
      resolution of names reliant on servers sending such responses.  Fix by
      resetting the "result" variable to ISC_R_SUCCESS when a response
      containing a non-empty ANSWER section can be treated as a delegation.
      
      [1] see RT #45362
      
      [2] see commit e1380a16741a3b4a57e54d7a9ce09dd12691522f
  11. 16 Aug, 2018 1 commit
  12. 14 Aug, 2018 4 commits
    • add a system test · 7ecd699e
      Evan Hunt authored
    • option to disable validation under specified names · eaac2057
      Evan Hunt authored
      - added new 'validate-except' option, which configures an NTA with
        expiry of 0xffffffff.  NTAs with that value in the expiry field do not
        expire, are not written out when saving the NTA table and are not
        dumped by rndc secroots
    • Make the "inline" system test more lightweight · 24dd865b
      Michał Kępień authored
      Each zone used in the "inline" system test contains a few dozen records.
      Over a dozen of these zones are used in the test.  Most records present
      in these zones are not subsequently used in the test itself, but all of
      them need to be signed by the named instances launched by the test,
      which puts quite a bit of strain on lower-end machines, leading to
      intermittent failures of the "inline" system test.  Remove all redundant
      records from the zones used in the "inline" system test in order to
      stabilize it.
    • Queue "rndc signing -nsec3param ..." requests if needed · cb40c522
      Michał Kępień authored
      If "rndc signing -nsec3param ..." is run for a zone which has not yet
      been loaded or transferred (i.e. its "db" field is NULL), it will be
      silently ignored by named despite rndc logging an "nsec3param request
      queued" message, which is misleading.  Prevent this by keeping a
      per-zone queue of NSEC3PARAM change requests which arrive before a zone
      is loaded or transferred and processing that queue once the raw version
      of an inline-signed zone becomes available.
  13. 10 Aug, 2018 1 commit
  14. 08 Aug, 2018 5 commits
    • calculate nlabels and set *chainingp correctly · 3f907b8b
      Evan Hunt authored
    • test case · 9d7ad525
      Evan Hunt authored
    • Ondřej Surý's avatar
      994e6569
    • Ondřej Surý's avatar
    • Restore zone database and zone node if cache search results are to be ignored · b6c77202
      Michał Kępień authored
      When query processing hits a delegation from a locally configured zone,
      an attempt may be made to look for a better answer in the cache.  In
      such a case, the zone-sourced delegation data is set aside and the
      lookup is retried using the cache database.  When that lookup is
      completed, a decision is made whether the answer found in the cache is
      better than the answer found in the zone.
      
      Currently, if the zone-sourced answer turns out to be better than the
      one found in the cache:
      
        - qctx->zdb is not restored into qctx->db,
        - qctx->node, holding the zone database node found, is not even saved.
      
      Thus, in such a case both qctx->db and qctx->node will point at cache
      data.  This is not an issue for BIND versions which do not support
      mirror zones because in these versions non-recursive queries always
      cause the zone-sourced delegation to be returned and thus the
      non-recursive part of query_delegation() is never reached if the
      delegation is coming from a zone.  With mirror zones, however,
      non-recursive queries may cause cache lookups even after a zone
      delegation is found.  Leaving qctx->db assigned to the cache database
      when query_delegation() determines that the zone-sourced delegation is
      the best answer to the client's query prevents DS records from being
      added to delegations coming from mirror zones.  Fix this issue by
      keeping the zone database and zone node in qctx while the cache is
      searched for an answer and then restoring them into qctx->db and
      qctx->node, respectively, if the zone-sourced delegation turns out to be
      the best answer.  Since this change means that qctx->zdb cannot be used
      as the glue database any more as it will be reset to NULL by RESTORE(),
      ensure that qctx->db is not a cache database before attaching it to
      qctx->client->query.gluedb.
      
      Furthermore, current code contains a conditional statement which
      prevents a mirror zone from being used as a source of glue records.
      Said statement was added to prevent assertion failures caused by
      attempting to use a zone database's glue cache for finding glue for an
      NS RRset coming from a cache database.  However, that check is overly
      strict since it completely prevents glue from being added to delegations
      coming from mirror zones.  With the changes described above in place,
      the scenario this check was preventing can no longer happen, so remove
      the aforementioned check.
      
      If qctx->zdb is not NULL, qctx->zfname will also not be NULL;
      qctx->zsigrdataset may be NULL in such a case, but query_putrdataset()
      handles pointers to NULL pointers gracefully.  Remove redundant
      conditional expressions to make the cleanup code in query_freedata()
      match the corresponding sequences of SAVE() / RESTORE() macros more
      closely.
  15. 06 Aug, 2018 1 commit