- 30 Mar, 2022 (11 commits)
-
Tony Finch authored
NOTAUTH errors should log the zone from the query, not the nearest match. Closes #3209. See merge request isc-projects/bind9!5982
-
Tony Finch authored
Ensure the update zone name is mentioned in the NOTAUTH error message in the server log, so that it is easier to track down problematic update clients. There are two cases: either the update zone is unrelated to any of the server's zones (previously no zone was mentioned); or the update zone is a subdomain of one or more of the server's zones (previously the name of the irrelevant parent zone was misleadingly logged). Closes #3209
-
Ondřej Surý authored
Remove task exclusive mode from ns_clientmgr. Closes #3230. See merge request isc-projects/bind9!6024
-
Ondřej Surý authored
-
Ondřej Surý authored
The .lock, .exiting and .excl members were not used for anything other than starting task exclusive mode, setting .exiting to true and ending exclusive mode. Remove all the stray members and dead code, eliminating the task exclusive mode use from ns_clientmgr.
-
Ondřej Surý authored
refactor ADB. Closes #3213. See merge request isc-projects/bind9!6033
-
To turn on detailed debug tracing of dns_adb and dns_adbentry reference counting, #define ADB_TRACE at the top of adb.c. This is off by default.
-
The ADB previously used separate reference counters for internal and external references, plus additional counters for ADB find and namehook objects, and used all these counters to coordinate its shutdown process, which was a multi-stage affair involving a sequence of control events. It also used a complex interlocking set of static functions for referencing, dereferencing, linking, unlinking, and cleaning up various internal objects; these functions returned boolean values to their callers to indicate what additional processing was needed. The changes in the previous two commits destabilized this fragile system in a way that was difficult to recover from, so in this commit we refactor all of it. The dns_adb and dns_adbentry objects now use conventional attach and detach functions for reference counting, and the shutdown process is much more straightforward. Instead of handling shutdown asynchronously, we can just destroy the ADB when references reach zero. In addition, ADB locking has been simplified. Instead of a single `find_{name,entry}_and_lock()` function which searches for a name or entry's hash bucket, locks it, and then searches for the name or entry in the bucket, we now use one function to find the bucket (leaving it to the caller to do the locking) and another to find the name or entry. Instead of locking the entire ADB when modifying hash tables, we now use read-write locks around the specific hash table. The only remaining need for adb->lock is when modifying the `whenshutdown` list. Comments throughout the module have been improved.
-
Replace adb->{names,entries} and related arrays (indexed by hashed bucket) with isc_ht hash tables storing the new struct adb{name,entry}bucket_t that wraps all the variables that were originally stored in arrays indexed by "bucket" number stored directly in the struct dns_adb. Previously, the task exclusive mode had been used to grow the internal arrays used to store the names and entries objects. The isc_ht hash tables are now protected by the isc_rwlock instead, and thus the use of the task exclusive mode has been removed from the dns_adb. Co-authored-by: Ondřej Surý <ondrej@isc.org>
-
The use of "result" as a variable name for a boolean return value was confusing; all "result" variables that are not isc_result_t have been renamed to "ret". The static function print_dns_name() was a duplicate of dns_name_print(), so it has been replaced with that. Changed INSIST to REQUIRE where appropriate, and added NULL initialization for pointer variables.
-
- 29 Mar, 2022 (5 commits)
-
Ondřej Surý authored
Remove isc_appctx_t use in dns_client. See merge request isc-projects/bind9!6041
-
isc_appctx_t in dns_client was used to wait for dns_client_startresolve() to finish processing (the resolve_done() task callback). This has been replaced with the standard bool+cond+lock combination, removing the need for isc_appctx_t altogether.
-
Tony Finch authored
MacOS needs more IP addresses to run the system tests. See merge request isc-projects/bind9!5993
-
Tony Finch authored
The launchd script only counted up to 8 whereas ifconfig.sh went all the way up to 10, and even a bit further than that.
-
- 28 Mar, 2022 (24 commits)
-
Evan Hunt authored
consolidate fibonacci hashing and support case-insensitive hash tables. See merge request isc-projects/bind9!6035
-
Previously, the isc_ht API would always take the key as a literal input to the hashing function. Change the isc_ht_init() function to take an 'options' argument, in which ISC_HT_CASE_SENSITIVE or _INSENSITIVE can be specified, to determine whether to use case-sensitive hashing in isc_hash32() when hashing the key.
-
Evan Hunt authored
Fibonacci hashing was implemented in four separate places (rbt.c, rbtdb.c, resolver.c, zone.c). This commit combines them into a single implementation. The hash_32() function is now replaced with isc_hash_bits32().
-
Ondřej Surý authored
Consistently use UNREACHABLE() instead of ISC_UNREACHABLE(). See merge request isc-projects/bind9!6042
-
Ondřej Surý authored
In a couple of places, we had missed replacing INSIST(0) or ISC_UNREACHABLE() on some branches with UNREACHABLE(). Replace all ISC_UNREACHABLE() or INSIST(0) calls with UNREACHABLE().
-
Artem Boldariev authored
Add remote TLS certificate verification support; implement Strict and Mutual TLS authentication in BIND and dig. Closes #3163. See merge request isc-projects/bind9!5837
-
Artem Boldariev authored
This commit adds points to the CHANGES file and the release notes about supporting remote TLS certificate verification and support for Strict and Mutual TLS transport connection verification.
-
Artem Boldariev authored
Mention that some old cryptographic library versions lack the functionality to implement ignoring the Subject field (and thus the Common Name) when establishing DoT connections.
-
Artem Boldariev authored
This commit extends the 'doth' system test with a set of Strict/Mutual TLS related checks. This commit also makes each doth NS instance use its own TLS certificate that includes FQDN, IPv4, and IPv6 addresses, issued using a common Certificate Authority, instead of ad-hoc certs. Extend the server initialisation timeout to 60 seconds to improve test stability in the CI, as certain configurations could fail to initialise on time under load.
-
Artem Boldariev authored
A couple of dig options were missing from the help output, while being properly documented and supported. This commit fixes this oversight.
-
Artem Boldariev authored
This commit updates the reference manual with short descriptions of the different TLS authentication modes, as described in RFC 9103, Section 9.3 (Opportunistic TLS, Strict TLS, Mutual TLS), and mentions how these authentication modes can be achieved via BIND's configuration file.
-
Artem Boldariev authored
This commit adds support for Strict/Mutual TLS into BIND. It does so by implementing the backing code for 'hostname' and 'ca-file' options of the 'tls' statement. The commit also updates the documentation accordingly.
-
Artem Boldariev authored
This commit restores the 'tls' options disabled in 78b73d08.
-
Artem Boldariev authored
This commit adds support for Strict/Mutual TLS to dig. The new command-line options and their behaviour are modelled after kdig (+tls-ca, +tls-hostname, +tls-certfile, +tls-keyfile) for compatibility reasons. That is, using +tls-* is sufficient to enable DoT in dig, implying +tls-ca. If there is no other DNS transport specified via the command line, specifying any of the +tls-* options makes dig use DoT. In this case, its behaviour is the same as if +tls-ca were specified: that is, the remote peer's certificate is verified using the platform-specific intermediate CA certificate store. This behaviour is introduced for compatibility with kdig.
-
Artem Boldariev authored
This commit adds support for the ISC_R_TLSBADPEERCERT error code, which is supposed to be used to signal TLS peer certificate verification errors in dig and other code. Support for this error code is added to our TLS and TLS DNS implementations. This commit also adds the isc_nm_verify_tls_peer_result_string() function, which is supposed to be used to get a textual description of the reason for getting an ISC_R_TLSBADPEERCERT error.
-
Artem Boldariev authored
This commit adds support for keeping CA certificate stores associated with TLS contexts. The intention is to keep one reusable store per set of related TLS contexts.
-
Artem Boldariev authored
This commit adds a set of functions that can be used to implement Strict and Mutual TLS:
* isc_tlsctx_load_client_ca_names();
* isc_tlsctx_load_certificate();
* isc_tls_verify_peer_result_string();
* isc_tlsctx_enable_peer_verification().
-
Artem Boldariev authored
This commit adds a set of high-level utility functions to manipulate the certificate stores. The stores are needed to implement TLS certificate verification efficiently.
-
Aram Sargsyan authored
[1/5] Catalog zones lightweight cleanup. Closes #3221. See merge request isc-projects/bind9!6011
-
Aram Sargsyan authored
-
Aram Sargsyan authored
There is a possible code path of using the uninitialized `bname` character array while logging an error message. Initialize the `bname` buffer earlier in the function. Also, change the initialization routine to use a helper function.
-
Aram Sargsyan authored
A successful call to `dns_rdata_tostruct()` expects an accompanying call to `dns_rdata_freestruct()` to free up any memory that could have been allocated during the first call. In catz.c there are several places where the `dns_rdata_freestruct()` call is skipped. Add the missing cleanup routines.
-
Aram Sargsyan authored
Because of the "goto" in the "if" body, the "else" part is unnecessary and adds another level of indentation. Clean up the code so that it does not have the "else" part.
-
Aram Sargsyan authored
Catz logs a warning message when it is told to modify a zone which was not added by the current catalog zone. When logging the warning, distinguish between the two cases: when the zone was not added by a catalog zone at all, and when the zone was added by a different catalog zone.
-