GitLab

NOTAUTH errors should log the zone from the query not the nearest match

Closes #3209

See merge request isc-projects/bind9!5982

Ensure the update zone name is mentioned in the NOTAUTH error message
in the server log, so that it is easier to track down problematic
update clients. There are two cases: either the update zone is
unrelated to any of the server's zones (previously no zone was
mentioned); or the update zone is a subdomain of one or more of the
server's zones (previously the name of the irrelevant parent zone was
misleadingly logged).

Closes #3209

Remove task exclusive mode from ns_clientmgr

Closes #3230

See merge request isc-projects/bind9!6024

The .lock, .exiting and .excl members were not using for anything else
than starting task exclusive mode, setting .exiting to true and ending
exclusive mode.

Remove all the stray members and dead code eliminating the task
exclusive mode use from ns_clientmgr.

refactor ADB

Closes #3213

See merge request isc-projects/bind9!6033

Evan Hunt authored Mar 24, 2022 and Ondřej Surý committed Mar 30, 2022

To turn on detailed debug tracing of dns_adb and dns_adbentry
reference counting, #define ADB_TRACE at the top of adb.c. This
is off by default.

Evan Hunt authored Mar 21, 2022 and Ondřej Surý committed Mar 30, 2022

The ADB previously used separate reference counters for internal
and external references, plus additional counters for ABD find
and namehook objects, and used all these counters to coordinate
its shutdown process, which was a multi-stage affair involving
a sequence of control events.

It also used a complex interlocking set of static functions for
referencing, deferencing, linking, unlinking, and cleaning up various
internal objects; these functions returned boolean values to their
callers to indicate what additional processing was needed.

The changes in the previous two commits destabilized this fragile
system in a way that was difficult to recover from, so in this commit
we refactor all of it. The dns_adb and dns_adbentry objects now use
conventional attach and detach functions for reference counting, and
the shutdown process is much more straightforward.  Instead of
handling shutdown asynchronously, we can just destroy the ADB when
references reach zero

In addition, ADB locking has been simplified. Instead of a
single `find_{name,entry}_and_lock()` function which searches for
a name or entry's hash bucket, locks it, and then searches for the
name or entry in the bucket, we now use one function to find the
bucket (leaving it to the caller to do the locking) and another
find the name or entry.  Instead of locking the entire ADB when
modifying hash tables, we now use read-write locks around the
specific hash table. The only remaining need for adb->lock
is when modifying the `whenshutdown` list.

Comments throughout the module have been improved.

Evan Hunt authored Mar 16, 2022 and Ondřej Surý committed Mar 30, 2022

Replace adb->{names,entries} and related arrays (indexed by hashed
bucket) with a isc_ht hash tables storing the new struct
adb{name,entry}bucket_t that wraps all the variables that were
originally stored in arrays indexed by "bucket" number stored directly
in the struct dns_adb.

Previously, the task exclusive mode has been used to grow the internal
arrays used to store the named and entries objects.  The isc_ht hash
tables are now protected by the isc_rwlock instead and thus the usage of
the task exclusive mode has been removed from the dns_adb.
Co-authored-by: Ondřej Surý <ondrej@isc.org>

Evan Hunt authored Mar 24, 2022 and Ondřej Surý committed Mar 30, 2022

the use of "result" as a variable name for a boolean return value
was confusing; all 'result' variables that are not isc_result_t
have been renamed to 'ret'.

The static function print_dns_name() was a duplicate of
dns_name_print(), so it has been replaced with that.

Changed INSIST to REQUIRE where appropriate, and added NULL
initialization for pointer variables.

Remove isc_appctx_t use in dns_client

See merge request isc-projects/bind9!6041

Ondřej Surý authored Mar 28, 2022 and Evan Hunt committed Mar 29, 2022

The use of isc_appctx_t in dns_client was used to wait for
dns_client_startresolve() to finish the processing (the resolve_done()
task callback).

This has been replaced with standard bool+cond+lock combination removing
the need of isc_appctx_t altogether.

MacOS needs more IP addresses to run the system tests

See merge request isc-projects/bind9!5993

The launchd script only counted up to 8 whereas ifconfig.sh went all
the way up to 10, and even a bit further than that.

consolidate fibonacci hashing and support case-insensitive hash tables

See merge request isc-projects/bind9!6035

Ondřej Surý authored Mar 16, 2022 and Evan Hunt committed Mar 28, 2022

Previously, the isc_ht API would always take the key as a literal input
to the hashing function.  Change the isc_ht_init() function to take an
'options' argument, in which ISC_HT_CASE_SENSITIVE or _INSENSITIVE can
be specified, to determine whether to use case-sensitive hashing in
isc_hash32() when hashing the key.

Fibonacci hashing was implemented in four separate places (rbt.c,
rbtdb.c, resolver.c, zone.c). This commit combines them into a single
implementation. The hash_32() function is now replaced with
isc_hash_bits32().

Consistenly use UNREACHABLE() instead of ISC_UNREACHABLE()

See merge request isc-projects/bind9!6042

In couple places, we have missed INSIST(0) or ISC_UNREACHABLE()
replacement on some branches with UNREACHABLE().  Replace all
ISC_UNREACHABLE() or INSIST(0) calls with UNREACHABLE().

Add remote TLS certificate verification support, implement Strict and Mutual TLS authentication in BIND and dig

Closes #3163

See merge request isc-projects/bind9!5837

This commit adds points to the CHANGES and the release notes about
supporting remote TLS certificates verification and support for Strict
and Mutual TLS transport connections verification.

Mention that some old cryptographic library versions lack the
functionality to implement ignoring the Subject field (and thus the
Common Name) when establishing DoT connections.

This commit extends the 'doth' system test with a set of Strict/Mutual
TLS related checks.

This commit also makes each doth NS instance use its own TLS
certificate that includes FQDN, IPv4, and IPv6 addresses, issued using
a common Certificate Authority, instead of ad-hoc certs.

Extend servers initialisation timeout to 60 seconds to improve the
tests stability in the CI as certain configurations could fail to
initialise on time under load.

A couple of dig options were missing in the help output, while been
properly documented and supported. This commit fixes this overlook.

This commit updates the reference manual with short descriptions of
different TLS authentication modes, as mentioned in the RFC 9103,
Section 9.3 (Opportunistic TLS, Strict TLS, Mutual TLS), and mentions
how these authentication modes can be achieved via BIND's
configuration file.

This commit adds support for Strict/Mutual TLS into BIND. It does so
by implementing the backing code for 'hostname' and 'ca-file' options
of the 'tls' statement. The commit also updates the documentation
accordingly.

This commit restores the 'tls' options disabled in
78b73d08.

This commit adds support for Strict/Mutual TLS to dig.

The new command-line options and their behaviour are modelled after
kdig (+tls-ca, +tls-hostname, +tls-certfile, +tls-keyfile) for
compatibility reasons. That is, using +tls-* is sufficient to enable
DoT in dig, implying +tls-ca

If there is no other DNS transport specified via command-line,
specifying any of +tls-* options makes dig use DoT. In this case, its
behaviour is the same as if +tls-ca is specified: that is, the remote
peer's certificate is verified using the platform-specific
intermediate CA certificates store. This behaviour is introduced for
compatibility with kdig.

This commit adds support for ISC_R_TLSBADPEERCERT error code, which is
supposed to be used to signal for TLS peer certificates verification
in dig and other code.

The support for this error code is added to our TLS and TLS DNS
implementations.

This commit also adds isc_nm_verify_tls_peer_result_string() function
which is supposed to be used to get a textual description of the
reason for getting a ISC_R_TLSBADPEERCERT error.

This commit adds support for keeping CA certificates stores associated
with TLS contexts. The intention is to keep one reusable store per a
set of related TLS contexts.

This commit adds a set of functions that can be used to implement
Strict and Mutual TLS:

* isc_tlsctx_load_client_ca_names();
* isc_tlsctx_load_certificate();
* isc_tls_verify_peer_result_string();
* isc_tlsctx_enable_peer_verification().

This commit adds a set of high-level utility functions to manipulate
the certificate stores. The stores are needed to implement TLS
certificates verification efficiently.

[1/5] Catalog zones lightweight cleanup

Closes #3221

See merge request isc-projects/bind9!6011

There is a possible code path of using the uninitialized `bname`
character array while logging an error message.

Initialize the `bname` buffer earlier in the function.

Also, change the initialization routine to use a helper function.

A successful call to `dns_rdata_tostruct()` expects an accompanying
call to `dns_rdata_freestruct()` to free up any memory that could have
been allocated during the first call.

In catz.c there are several places where `dns_rdata_freestruct()` call
is skipped.

Add the missing cleanup routines.

Because of the "goto" in the "if" body the "else" part is unnecessary
and adds another level of indentation.

Cleanup the code to not have the "else" part.

Catz logs a warning message when it is told to modify a zone which was
not added by the current catalog zone.

When logging a warning, distinguish the two cases when the zone
was not added by a catalog zone at all, and when the zone was
added by a different catalog zone.