Commits (17)
  • Address race between zone_maintenance and dns_zone_setview_helper · 67c8f732
    Mark Andrews authored
    There was a possible NULL dereference due to a data race between accessing
    zone->view and zone->view->adb.
  • Merge branch '1627-address-race-in-zone-maintenance' into 'main' · 783e3f92
    Ondřej Surý authored
    address race between zone_maintenance and dns_zone_setview_helper
    
    Closes #1627
    
    See merge request isc-projects/bind9!3669
  • "check-names primary" and "check-names secondary" were ignored · ba31b189
    Evan Hunt authored
    these keywords were added to the parser as synonyms for "master"
    and "slave" but were never hooked in to the configuration of named,
    so they were ignored. this has been fixed and the option is now
    checked for correctness.
  • Add CHANGES and release note for #1949 · eaafae27
    Ondřej Surý authored
  • Merge branch '1949-checknames' into 'main' · c3510ca6
    Ondřej Surý authored
    "check-names primary" and "check-names secondary" were ignored
    
    Closes #1949
    
    See merge request isc-projects/bind9!3702
  • Remove // not configured when generating doc/misc/options · b82ff5b7
    Ondřej Surý authored
    The doc/misc/options is used to generate a file describing all
    configuration options. Currently, the file contents could differ
    based on ./configure option which is kind of suboptimal.
    
    We already removed the "// not configured" from the options.active, and
    this time we remove generation of the string altogether.
  • Merge branch '1898-doc/misc/options-should-be-independent-on-configure' into 'main' · 8e4afd31
    Ondřej Surý authored
    Remove // not configured when generating doc/misc/options
    
    Closes #1898
    
    See merge request isc-projects/bind9!3731
  • reorder system tests to shorten runtime · a9154f2a
    Evan Hunt authored
    if tests that take a particularly long time to complete
    (serve-stale, dnssec, rpzrecurse) are run first, a parallel
    run of the system tests can finish 1-2 minutes faster.
  • Merge branch 'each-shorten-tests' into 'main' · c9c84af3
    Ondřej Surý authored
    reorder system tests to shorten runtime
    
    See merge request isc-projects/bind9!3727
  • Rebuild the file in doc/misc only when in maintainer mode · b1093533
    Ondřej Surý authored
    The files in doc/misc require all the BIND 9 libraries to be built
    before the documentation can be built.  One of the extra automake
    features is maintainer mode, which allows conditionally building and
    cleaning files that require special tools.  Make use of the automake
    maintainer mode to not rebuild the files in doc/misc under normal
    circumstances.
  • Rebuild the manpages sources only when in maintainer mode · 28575abd
    Ondřej Surý authored
    Similarly, the manpage sources will get rebuilt only when in maintainer
    mode because they require sphinx-build to be available locally and that
    might not always be the case.
  • Disable the double configure and build step in docs CI job · 8b18d8f3
    Ondřej Surý authored
    The documentation now can be built even when the BIND 9 source tree
    hasn't been built yet, allowing no-arch builds.
  • 36e4090c
  • Enable maintainer mode by default only when building from git · 7ff77bb6
    Ondřej Surý authored
    When maintainer mode is enabled (./configure --enable-maintainer-mode)
    it enables rebuilding of documentation source files that require extra
    tools to be installed or compiled.  For convenience, those files are
    already committed into the repository and their rebuild is not required
    to build BIND 9 from sources.
  • Merge branch 'ondrej/disable-maintainer-mode-in-ci' into 'main' · b4221e25
    Ondřej Surý authored
    Disable rebuilding miscellaneous documentation source files when not in maintainer mode
    
    See merge request isc-projects/bind9!3733
  • Fix re-signing when `sig-validity-interval` has two arguments · d882a378
    Tony Finch authored
    Since October 2019 I have had complaints from `dnssec-cds` reporting
    that the signatures on some of my test zones had expired. These were
    zones signed by BIND 9.15 or 9.17, with a DNSKEY TTL of 24h and
    `sig-validity-interval 10 8`.
    
    This is the same setup we have used for our production zones since
    2015, which is intended to re-sign the zones every 2 days, keeping
    at least 8 days signature validity. The SOA expire interval is 7
    days, so even in the presence of zone transfer problems, no-one
    should ever see expired signatures. (These timers are a bit too
    tight to be completely correct, because I should have increased
    the expiry timers when I increased the DNSKEY TTLs from 1h to 24h.
    But that should only matter when zone transfers are broken, which
    was not the case for the error reports that led to this patch.)
    
    For example, this morning my test zone contained:
    
            dev.dns.cam.ac.uk. 86400 IN RRSIG DNSKEY 13 5 86400 (
                                    20200701221418 20200621213022 ...)
    
    But one of my resolvers had cached:
    
            dev.dns.cam.ac.uk. 21424 IN RRSIG DNSKEY 13 5 86400 (
                                    20200622063022 20200612061136 ...)
    
    This TTL was captured at 20200622105807 so the resolver cached the
    RRset 64976 seconds previously (18h02m56s), at 20200621165511
    only about 12h before expiry.
    
    The other symptom of this error was incorrect `resign` times in
    the output from `rndc zonestatus`.
    
    For example, I have configured a test zone
    
            zone fast.dotat.at {
                    file "../u/z/fast.dotat.at";
                    type primary;
                    auto-dnssec maintain;
                    sig-validity-interval 500 499;
            };
    
    The zone is reset to a minimal zone containing only SOA and NS
    records, and when `named` starts it loads and signs the zone. After
    that, `rndc zonestatus` reports:
    
            next resign node: fast.dotat.at/NS
            next resign time: Fri, 28 May 2021 12:48:47 GMT
    
    The resign time should be within the next 24h, but instead it is
    near the signature expiry time, which the RRSIG(NS) says is
    20210618074847. (Note 499 hours is a bit more than 20 days.)
    May/June 2021 is less than 500 days from now because expiry time
    jitter is applied to the NS records.
    
    Using this test I bisected this bug to 09990672 which contained a
    mistake leading to the resigning interval always being calculated in
    hours, when days are expected.
    
    This bug only occurs for configurations that use the two-argument form
    of `sig-validity-interval`.
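A stand-alone model of the resign-interval arithmetic this commit message describes, added here as an example rather than taken from BIND's sources; it assumes, as the named_zone_configure() hunk implies, that the validity interval has already been converted from days to seconds when the second argument is applied, and it includes the single-argument quarter-of-validity case for comparison.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DAY  86400U
#define HOUR 3600U

/*
 * Stand-alone model (not BIND's code) of the resign-interval arithmetic
 * in the named_zone_configure() hunk that d882a378 changes.
 * validity_days: first sig-validity-interval argument, in days.
 * has_resign, resign: whether a second argument was given, and its value.
 * fixed: false reproduces the pre-d882a378 behaviour, true the fixed one.
 * Assumption: 'seconds' already holds the validity converted to seconds
 * when the resign argument is applied.
 */
uint32_t
resign_interval(uint32_t validity_days, bool has_resign, uint32_t resign,
		bool fixed) {
	uint32_t seconds = validity_days * DAY;

	if (!has_resign) {
		/* single-argument form: re-sign at a quarter of the validity */
		return (seconds / 4);
	}
	if (!fixed) {
		/*
		 * Old code: 'seconds' is overwritten with the resign argument
		 * before the 7-day test, so a count like 8 is compared with
		 * 604800 and the hours branch is always taken.
		 */
		seconds = resign;
		if (seconds > 7 * DAY) {
			seconds *= DAY;
		} else {
			seconds *= HOUR;
		}
		return (seconds);
	}
	/*
	 * Fixed code: the test is made against the validity interval; more
	 * than 7 days means the resign argument is in days, otherwise hours.
	 */
	if (seconds > 7 * DAY) {
		return (resign * DAY);
	}
	return (resign * HOUR);
}

int
main(void) {
	/* the 'sig-validity-interval 10 8' case from the commit message */
	printf("old %" PRIu32 " s (8h), fixed %" PRIu32 " s (8d)\n",
	       resign_interval(10, true, 8, false),
	       resign_interval(10, true, 8, true));
	return (0);
}
```

With `500 499` the old code yields 499 hours, which is the "a bit more than 20 days" the message observes in the `rndc zonestatus` output.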
......@@ -484,9 +484,6 @@ docs:
- test -n "${OOT_BUILD_WORKSPACE}" && mkdir "${OOT_BUILD_WORKSPACE}" && cd "${OOT_BUILD_WORKSPACE}"
script:
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} -k maintainer-clean V=1
- *configure
- make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1
- make -j${BUILD_PARALLEL_JOBS:-1} -k doc V=1
needs:
- job: autoreconf
......
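Review bot: removing the `maintainer-clean` and second `*configure` pass means this job no longer regenerates the documentation sources from the grammar before building, so a committed doc/misc or manpage file that has drifted from the parser will pass CI unnoticed; keep a separate job (or a `--enable-maintainer-mode` variant of this one) that regenerates those files and fails on a non-empty diff.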
5443. [bug] The "primary" and "secondary" keywords, when used
as parameters for "check-names", were not
processed correctly and were being ignored. [GL #1949]
5442. [func] Add support for outgoing TCP connections in netmgr.
[GL #1958]
......
......@@ -751,22 +751,27 @@ strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
static void
checknames(dns_zonetype_t ztype, const cfg_obj_t **maps,
const cfg_obj_t **objp) {
const char *zone = NULL;
isc_result_t result;
switch (ztype) {
case dns_zone_slave:
case dns_zone_mirror:
zone = "slave";
result = named_checknames_get(maps, "secondary", objp);
if (result != ISC_R_SUCCESS) {
result = named_checknames_get(maps, "slave", objp);
}
break;
case dns_zone_master:
zone = "master";
result = named_checknames_get(maps, "primary", objp);
if (result != ISC_R_SUCCESS) {
result = named_checknames_get(maps, "master", objp);
}
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
result = named_checknames_get(maps, zone, objp);
INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL);
}
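Review bot: in both the `dns_zone_slave`/`dns_zone_mirror` and `dns_zone_master` cases the fallback to the old keyword fires on any `result != ISC_R_SUCCESS`, so a failure other than "option not present" is silently retried as if the new keyword were simply absent; if `named_checknames_get()` can return anything besides not-found, compare against that specific code. The trailing `INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL)` now only fires when both lookups fail, so a one-line comment stating that the default-options map always carries one of the two spellings would explain why the assertion is safe.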
......@@ -1587,11 +1592,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
uint32_t r = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
seconds = r * 86400;
} else {
seconds *= 3600;
seconds = r * 3600;
}
} else {
seconds = cfg_obj_asuint32(resign);
......
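Review bot: `r * 86400` and `r * 3600` are computed in `uint32_t`, so a very large second argument wraps silently into a short interval; a range check on `r` before the multiplication would turn that misconfiguration into a parse error. Note also that the test is `seconds > 7 * 86400`, so a validity of exactly 7 days puts the resign argument in hours; worth confirming that boundary matches the ARM wording for the two-argument form, and quoting it in a comment here.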
......@@ -64,7 +64,19 @@ tkey_keydelete_LDADD = \
$(LDADD) \
$(LIBDNS_LIBS)
TESTS = \
TESTS =
if HAVE_PERLMOD_TIME_HIRES
TESTS += serve-stale
endif HAVE_PERLMOD_TIME_HIRES
if HAVE_PERLMOD_NET_DNS
TESTS += \
dnssec \
rpzrecurse
endif HAVE_PERLMOD_NET_DNS
TESTS += \
acl \
additional \
addzone \
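Review bot: serve-stale, dnssec and rpzrecurse are deliberately listed ahead of the alphabetical block so the parallel run starts the long tests first, but nothing in the file says so; add a comment above the first `TESTS =` (long-running tests first, see a9154f2a) so a future tidy-up does not re-sort them back into alphabetical order and quietly lose the speed-up.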
......@@ -158,13 +170,11 @@ if HAVE_PERLMOD_NET_DNS
TESTS += \
digdelv \
dnssec \
fetchlimit \
forward \
ixfr \
nsupdate \
resolver \
rpzrecurse \
statistics \
upforwd \
zero
......@@ -181,10 +191,6 @@ if HAVE_PERLMOD_DIGEST_HMAC
TESTS += xfer
endif HAVE_PERLMOD_DIGEST_HMAC
if HAVE_PERLMOD_TIME_HIRES
TESTS += serve-stale
endif HAVE_PERLMOD_TIME_HIRES
if HAVE_PERLMOD_NET_DNS_NAMESERVER
TESTS += reclimit
endif HAVE_PERLMOD_NET_DNS_NAMESERVER
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
check-names primary warn;
check-names primary fail;
};
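Review bot: this configuration repeats `check-names primary` and is therefore meant to be rejected by the new duplicate check in `check_options()`; the file name is not visible in this view, so confirm it is registered with the checkconf system test among the configurations that must fail rather than those that must parse cleanly.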
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
check-names master warn;
check-names primary fail;
};
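Review bot: `check-names master warn` alongside `check-names primary fail` exercises the new cannot-take-both rule; since the checker only tests the conflict bits per pair (`PRI | MAS`, `SEC | SLA`), a positive counterpart that uses `master` for one zone type and `secondary` for the other would document that the legacy and new spellings may be mixed across types without error.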
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
check-names slave ignore;
check-names secondary warn;
};
......@@ -72,6 +72,8 @@ options {
recursive-clients 3000;
serial-query-rate 100;
server-id none;
check-names primary warn;
check-names secondary ignore;
max-cache-size 20000000000000;
nta-lifetime 604800;
nta-recheck 604800;
......
......@@ -19,7 +19,7 @@ options {
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
check-names master ignore;
check-names primary ignore;
notify yes;
};
......
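Review bot: switching this named.conf from `check-names master ignore` to `check-names primary ignore` removes the system-test coverage of the legacy spelling that `checknames()` now reaches only through its fallback lookup; keep at least one test configuration on `master` (or `slave`) so the fallback branch is exercised rather than just the first lookup.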
......@@ -126,7 +126,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that updates to 'check-names master ignore;' succeed and are not logged ($n)"
echo_i "check that updates to 'check-names primary ignore;' succeed and are not logged ($n)"
ret=0
not=1
$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
......
......@@ -64,9 +64,9 @@ AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])
#
# Enable maintainer mode by default, but allow to disable it in the CI
# Enable maintainer mode by default only when building from git repository
#
AM_MAINTAINER_MODE([enable])
AM_MAINTAINER_MODE([m4_ifset([bind_SRCID],[enable],[disable])])
# Set the library versions
# https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
......
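Review bot: the comment says maintainer mode is enabled only when building from a git repository, but the macro actually keys on whether `bind_SRCID` is defined at autoconf time; extend the comment to name where `bind_SRCID` is set and why it is absent in release tarballs, so a reader can verify the condition matches the stated intent.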
......@@ -2041,7 +2041,7 @@ Boolean Options
This option is used to restrict the character set and syntax of
certain domain names in master files and/or DNS responses received
from the network. The default varies according to usage area. For
``master`` zones the default is ``fail``. For ``slave`` zones the
``primary`` zones the default is ``fail``. For ``secondary`` zones the
default is ``warn``. For answers received from the network
(``response``), the default is ``ignore``.
......
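Review bot: the reworded paragraph now mentions only `primary` and `secondary`; since `check-names master` and `check-names slave` remain accepted (the checker only rejects mixing the two spellings for the same zone type), add a sentence stating that the older keywords are still accepted as synonyms so existing configurations are not read as unsupported.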
......@@ -120,12 +120,8 @@ EXTRA_DIST = \
$(MANPAGES_RST) \
$(MANPAGES_IN)
MAINTAINERCLEANFILES = \
$(MANPAGES_IN)
CLEANFILES = \
$(man_MANS) \
manpages.stamp
$(man_MANS)
#
# Build rules for pre-generated manpages
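Review bot: `manpages.stamp` leaves the unconditional `CLEANFILES` here, so a non-maintainer `make clean` now keeps a stamp produced by an earlier maintainer-mode build; as `$(MANPAGES_IN)` depends on that stamp, a later maintainer-mode build may trust it and skip regeneration. Either keep the stamp in `CLEANFILES` unconditionally or add a comment explaining why leaving it behind is safe.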
......@@ -152,6 +148,14 @@ man: Makefile $(man_MANS)
clean-local::
-rm -rf $(SPHINXBUILDDIR)
if MAINTAINER_MODE
CLEANFILES += \
manpages.stamp
MAINTAINERCLEANFILES = \
$(MANPAGES_IN)
#
# Build rules for generating pre-generated manpages
#
......@@ -196,5 +200,4 @@ $(MANPAGES_IN): manpages.stamp
fi
endif HAVE_SPHINX_BUILD
maintainerclean-local:
-$(RM)
endif MAINTAINER_MODE
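Review bot: `maintainerclean-local:` with a bare `-$(RM)` has no operands, so the rule does nothing except trigger rm's missing-operand error (silenced by the leading `-`); either list the files it should remove or drop the target, since `MAINTAINERCLEANFILES = $(MANPAGES_IN)` already covers the generated sources.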
......@@ -437,6 +437,15 @@ which disables padding. The maximum is 512. Values are ordinarily
expected to be powers of two, such as 128; however, this is not
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
.UNINDENT
.sp
\fB+qid=value\fP
.INDENT 0.0
.INDENT 3.5
Specify the query ID to use when sending queries.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \fB+[no]qr\fP
Toggles the display of the query message as it is sent. By default, the query
......
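Review bot: the new `+qid=value` entry is emitted as a bare `.INDENT 0.0`/`.INDENT 3.5` block preceded by `.sp`, while `+[no]qr` immediately below uses `.TP` with `.B`, so the two options will render with different indentation and the new one will not be bold; this file is generated, so the fix belongs in the dig RST source, where `+qid` should use the same option-list markup as its neighbours.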
......@@ -86,6 +86,9 @@ valid domain name. The default is \fBrndc\-key\fP\&.
Specifies the command channel port where \fBnamed\fP listens for
connections from \fBrndc\fP\&. The default is 953.
.TP
\fB\-q\fP
Omits printing written path in automatic configuration mode.
.TP
\fB\-s\fP address
Specifies the IP address where \fBnamed\fP listens for command channel
connections from \fBrndc\fP\&. The default is the loopback address
......
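Review bot: "Omits printing written path in automatic configuration mode" is hard to parse; say what is written, e.g. "Suppresses printing the path of the file written in automatic configuration mode", and since this is a generated manpage make the change in the RST source so the next regeneration does not revert it.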
include $(top_srcdir)/Makefile.top
include $(top_srcdir)/Makefile.docs
noinst_PROGRAMS = cfg_test
cfg_test_CFLAGS = \
$(AM_CFLAGS) \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS)
cfg_test_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS)
BUILT_SOURCES = \
OPTIONS_FILES = \
options \
options.active \
master.zoneopt \
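Review bot: `noinst_PROGRAMS = cfg_test` and its `_CFLAGS`/`_LDADD` move from the unconditional part of the Makefile into the `if MAINTAINER_MODE` block, so `cfg_test` is no longer built by a default configure; confirm nothing outside doc/misc (system tests, other Makefiles) expects that binary, and that a plain `make` still succeeds with only the committed `$(OPTIONS_FILES)`.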
......@@ -51,18 +38,36 @@ BUILT_SOURCES = \
managed-keys.grammar.rst \
trusted-keys.grammar.rst
EXTRA_DIST = \
$(BUILT_SOURCES) \
EXTRA_DIST = \
$(OPTIONS_FILES) \
format-options.pl \
rst-grammars.pl \
rst-options.pl \
rst-zoneopt.pl \
sort-options.pl
MAINTAINERCLEANFILES = $(BUILT_SOURCES)
if MAINTAINER_MODE
MAINTAINERCLEANFILES = $(OPTIONS_FILES)
noinst_PROGRAMS = cfg_test
cfg_test_CFLAGS = \
$(AM_CFLAGS) \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS)
cfg_test_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS)
BUILT_SOURCES = \
$(OPTIONS_FILES)
options: cfg_test
$(AM_V_CFG_TEST)$(builddir)/cfg_test --named --grammar | $(PERL) $(srcdir)/sort-options.pl | $(PERL) $(srcdir)/format-options.pl > $@
$(AM_V_CFG_TEST)$(builddir)/cfg_test --named --grammar | $(PERL) $(srcdir)/sort-options.pl | $(PERL) $(srcdir)/format-options.pl --strip-not-configured > $@
options.active: cfg_test
$(AM_V_CFG_TEST)$(builddir)/cfg_test --named --grammar --active | $(PERL) $(srcdir)/sort-options.pl | $(PERL) $(srcdir)/format-options.pl --strip-not-configured > $@
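Review bot: both the `options` and `options.active` rules now pipe through `format-options.pl --strip-not-configured`, so the flag no longer distinguishes either output; if no other caller relies on the un-stripped form, make that behaviour the script's default and drop the flag, so the commit's goal of never emitting the string does not depend on every rule remembering to pass it.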
......@@ -165,3 +170,5 @@ managed-keys.grammar.rst: options.active
trusted-keys.grammar.rst: options.active
$(AM_V_RST_GRAMMARS)$(PERL) $(srcdir)/rst-grammars.pl options.active trusted-keys > $@
endif
......@@ -152,8 +152,8 @@ options {
dns64-contact <string>;
dns64-server <string>;
dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnsrps-enable <boolean>;
dnsrps-options { <unspecified-text> };
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete
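Review bot: with the `// not configured` marker gone, nothing in `options` tells a reader that `dnsrps-enable` and `dnsrps-options` only take effect when the matching feature was selected at configure time; since the point of the change is a build-independent listing, record that dependency once in the ARM text for these two options rather than in this generated file.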
......@@ -533,8 +533,8 @@ view <string> [ <class> ] {
dns64-contact <string>;
dns64-server <string>;
dnskey-sig-validity <integer>;
dnsrps-enable <boolean>; // not configured
dnsrps-options { <unspecified-text> }; // not configured
dnsrps-enable <boolean>;
dnsrps-options { <unspecified-text> };
dnssec-accept-expired <boolean>;
dnssec-dnskey-kskonly <boolean>;
dnssec-enable <boolean>; // obsolete
......
......@@ -36,3 +36,7 @@ Bug Fixes
- The DS set returned by ``dns_keynode_dsset()`` was not thread-safe.
This could result in an INSIST being triggered. [GL #1926]
- The ``primary`` and ``secondary`` keywords, when used as parameters for
``check-names``, were not processed correctly and were being ignored.
[GL #1949]
......@@ -1586,6 +1586,81 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
}
}
obj = NULL;
(void)cfg_map_get(options, "check-names", &obj);
if (obj != NULL && !cfg_obj_islist(obj)) {
obj = NULL;
}
if (obj != NULL) {
enum { MAS = 1, PRI = 2, SLA = 4, SEC = 8 } values = 0;
for (const cfg_listelt_t *el = cfg_list_first(obj); el != NULL;
el = cfg_list_next(el))
{
const cfg_obj_t *tuple = cfg_listelt_value(el);
const cfg_obj_t *type = cfg_tuple_get(tuple, "type");
const char *keyword = cfg_obj_asstring(type);
if (strcasecmp(keyword, "primary") == 0) {
if ((values & PRI) == PRI) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names primary' "
"duplicated");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
values |= PRI;
} else if (strcasecmp(keyword, "master") == 0) {
if ((values & MAS) == MAS) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names master' "
"duplicated");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
values |= MAS;
} else if (strcasecmp(keyword, "secondary") == 0) {
if ((values & SEC) == SEC) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names secondary' "
"duplicated");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
values |= SEC;
} else if (strcasecmp(keyword, "slave") == 0) {
if ((values & SLA) == SLA) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names slave' "
"duplicated");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
values |= SLA;
}
}
if ((values & (PRI | MAS)) == (PRI | MAS)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names' cannot take both "
"'primary' and 'master'");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
if ((values & (SEC | SLA)) == (SEC | SLA)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'check-names' cannot take both "
"'secondary' and 'slave'");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
}
return (result);
}
......
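Review bot: every error in this block is logged against `obj`, the whole `check-names` list, so the reported location points at the first element rather than at the duplicated or conflicting entry; log against `type` (or `tuple`) inside the loop and against the offending element for the cannot-take-both cases. The four keyword branches are also identical apart from the string and the bit, so a small `{ keyword, bit }` table walked in the loop would cut the block to a third of its size with the same behaviour.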
......@@ -10857,7 +10857,7 @@ zone_maintenance(dns_zone_t *zone) {
const char me[] = "zone_maintenance";
isc_time_t now;
isc_result_t result;
bool dumping, load_pending;
bool dumping, load_pending, viewok;
REQUIRE(DNS_ZONE_VALID(zone));
ENTER;
......@@ -10880,7 +10880,10 @@ zone_maintenance(dns_zone_t *zone) {
* adb or resolver will be NULL, and we had better not try
* to do further maintenance on it.
*/
if (zone->view == NULL || zone->view->adb == NULL) {
LOCK_ZONE(zone);
viewok = (zone->view != NULL && zone->view->adb != NULL);
UNLOCK_ZONE(zone);
if (!viewok) {
return;
}
......
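Review bot: the snapshot of `zone->view` and `zone->view->adb` is taken under `LOCK_ZONE` but the lock is released before the rest of maintenance uses them, so this removes the NULL dereference at the check itself only if `dns_zone_setview_helper` also assigns `zone->view` under the zone lock and never resets it to NULL while maintenance is in flight; a comment at the `LOCK_ZONE` stating that invariant would let the next reader verify it without tracing the helper.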