GitLab

Wait for isc_nm_stoplistening() to complete

See merge request isc-projects/bind9!4217

The controllistener could be freed before the event posted by
isc_nm_stoplistening() has been processed. This commit adds
a reference counter to the controllistener to determine when
to free the listener.

Resolve "The fuzzer dns_message_parse.c is leaking memory."

Closes #2200

See merge request isc-projects/bind9!4239

Silence Coverity REVERSE_INULL report

Closes #2198

See merge request isc-projects/bind9!4234

message does not need to be tested to NULL

Avoid a non-standard bashism: use of "==" in "test".

See merge request isc-projects/bind9!4235

render_buf was too big

See merge request isc-projects/bind9!4231

It was misdeclared as a array of pointers (uint8_t*[]) and there
where too many elements (64 * 1024) instead of (64 * 1024 - 1).

Resolve "DNS Flag Day 2020"

Closes #2183

See merge request isc-projects/bind9!4179

This commits uses the isc__nm_socket_dontfrag() helper function to
enable setting DF bit on the outgoing UDP packets.

The dig should behave closely to how the resolver code in `named` work,
so we need to change the buffer size in dig, mdig and host too.

* the legacy test with -T maxudp512 will just fail, e.g. if the packets
  larger than 512 octets are dropped along the path, the proper response
  is to fail

* digdelv test was just expecting default server EDNS buffer size to be
  4096, the test needed only slight adjustment

The DNS Flag Day 2020 aims to remove the IP fragmentation problem from
the UDP DNS communication.  In this commit, we implement the required
changes and simplify the logic for picking the EDNS Buffer Size.

1. The defaults for `edns-udp-size`, `max-udp-size` and
   `nocookie-udp-size` have been changed to `1232` (the value picked by
   DNS Flag Day 2020).

2. The probing heuristics that would try 512->4096->1432->1232 buffer
   sizes has been removed and the resolver will always use just the
   `edns-udp-size` value.

3. Instead of just disabling the PMTUD mechanism on the UDP sockets, we
   now set IP_DONTFRAG (IPV6_DONTFRAG) flag.  That means that the UDP
   packets won't get ever fragmented.  If the ICMP packets are lost the
   UDP will just timeout and eventually be retried over TCP.

Refactor the setsockopt() code in network manager into helper functions

See merge request isc-projects/bind9!4227

The SO_REUSEADDR, SO_REUSEPORT and SO_REUSEPORT_LB has different meaning
on different platform. In this commit, we split the function to set the
reuse of address/port and setting the load-balancing into separate
functions.

The libuv library already have multiplatform support for setting
SO_REUSEADDR and SO_REUSEPORT that allows binding to the same address
and port, but unfortunately, when used after the load-balancing socket
options have been already set, it overrides the previous setting, so we
need our own helper function to enable the SO_REUSEADDR/SO_REUSEPORT
first and then enable the load-balancing socket option.

On POSIX based systems both uv_os_sock_t and uv_os_fd_t are both typedef
to int.  That's not true on Windows, where uv_os_sock_t is SOCKET and
uv_os_fd_t is HANDLE and they differ in level of indirection.

The isc__nm_socket_freebind() has been refactored to match other
isc__nm_socket_...() helper functions and take uv_os_fd_t and
sa_family_t as function arguments.

This commits add isc__nm_socket_dontfrag() helper functions.

The setting of SO_REUSE**** and SO_INCOMING_CPU have been moved into a
separate helper functions.

Resolve "rndc trigger rollover"

Closes #1749

See merge request !4004

These tests don't require a specific algorithm so they should use
the DEFAULT_ALGORITHM from 'conf.sh.common'.

It is better to add new result codes than to overload existing codes.

While working on 'rndc dnssec -rollover' I noticed the following
(small) issues:

- The key files where updated with hints set to "-when" and that
  should always be "now.
- The kasp system test did not properly update the test number when
  calling 'rndc dnssec -checkds' (and ensuring that works).
- There was a missing ']' in the rndc.c help output.

When users (accidentally) try to roll an inactive key, throw an error.

This command is similar in arguments as -checkds so refactor the
'named_server_dnssec' function accordingly.  The only difference
are that:

- It does not take a "publish" or "withdrawn" argument.
- It requires the key id to be set (add a check to make sure).

Add tests that will trigger rollover immediately and one that
schedules a test in the future.

Add to the keymgr a function that will schedule a rollover. This
basically means setting the time when the key needs to retire,
and updating the key lifetime, then update the state file. The next
time that named runs the keymgr the new lifetime will be taken into
account.

Change condition for rndc dumpdb -expired

See merge request isc-projects/bind9!4219

After backporting #1870 to 9.11-S I saw that the condition check there
is different than in the main branch. In 9.11-S "stale" can mean
stale and serve-stale, or not active (awaiting cleanup). In 9.16 and
later versions, "stale" is stale and serve-stale, and "ancient" means
not active (awaiting cleanup). An "ancient" RRset is one that is not
active (TTL expired) and is not eligble for serve-stale.

Update the condition for rndc dumpdb -expired to closer match what is
in 9.11-S.

Resolve "dnssec-policy behaviour for algorithm 15 keys different to algorithm 8 keys"

Closes #2171

See merge request !4199

Sometimes, not all keys have been created in time before 'check_keys'
is called. Run a 'retry_quiet' on checking the number of keys before
continuing checking the key data.

The minimal size for RSASHA1, RSASHA256 is 512, but due to bad
assignment it was set to 1024.

This test case is unrelated to the fix for #2171 but was added to
reproduce the problem.

The 'wait_for_nsec' does not need to add TSIG because it calls
'dig_with_opts' and that already checks for TSIG.

This is a bug that needs to be noted.

The kasp code had bad implicit size values for the cryptographic
algorithms Ed25519 and Ed448. When creating keys they would never
match the dnssec-policy, leading to new attempts to create keys.

These algorithms were previously not yet added to the system tests,
due to lack of availability on some systems.

Use the testcrypto script to see if these algorithms are supported by
openssl. If so, add the specific configuration to the named.conf file
and touch a file to indicate support. If the file exists, the
corresponding setup and tests are performed.

"rrset-order" fixes and cleanups

Closes #2139

See merge request isc-projects/bind9!4195