ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Feed updated: 2024-01-23T20:16:48Z

## Add selection of options to reservations

Issue: https://gitlab.isc.org/isc-projects/kea-quick-config/-/issues/52
Author: Darren Ankney. Updated: 2024-01-23T20:16:48Z. Milestone: 0.3. Assignee: Darren Ankney.

Reservations can contain options as described here: https://kea.readthedocs.io/en/kea-2.4.1/arm/dhcp4-srv.html#including-specific-dhcpv4-options-in-reservations so re-use the options specification interface from global here to allow the specification of options in host reservations.

## Add selection of options to client-classes

Issue: https://gitlab.isc.org/isc-projects/kea-quick-config/-/issues/51
Author: Darren Ankney. Updated: 2024-01-23T20:16:48Z. Milestone: 0.3. Assignee: Darren Ankney.

Client-classes can contain option-data as shown here: https://kea.readthedocs.io/en/kea-2.4.1/arm/classify.html#configuring-classes We now have an options addition interface. Re-use this interface in the client-classification to add option-data to the classification.

## add client class selection to pool

Issue: https://gitlab.isc.org/isc-projects/kea-quick-config/-/issues/50
Author: Darren Ankney. Updated: 2024-01-02T22:05:13Z. Milestone: 0.3. Assignee: Darren Ankney.

As described here: https://kea.readthedocs.io/en/kea-2.4.1/arm/dhcp4-srv.html#pool-selection-with-client-class-reservations you can require a client-class membership in the `pool {}` statement inside a `pools []` block. Now that client-classes exist, we should allow selection of a client class in each `pool {}` statement. This should probably include the special classes of `KNOWN` and `UNKNOWN`.

## Coverity detected invalid iterator in perfdhcp

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/3185
Author: Piotrek Zadroga. Updated: 2024-02-21T10:10:08Z.

This might be a false positive, but it could be double checked anyway:
> In `isc::perfdhcp::AvalancheScen::resendPackets(isc::perfdhcp::ExchangeType):` An invalid or past-the-end iterator is being used
```c++
// get some things from previous retransmissions
auto start_time = pkt->getTimestamp();
int current_pkt_resent_cnt = 0;
auto r_it = retrans.find(trans_id);
if (r_it != retrans.end()) {
    start_time = (*start_times.find(trans_id)).second;
    current_pkt_resent_cnt = (*r_it).second;
} else {
    start_times[trans_id] = start_time;
}
```
> Dereferencing iterator `start_times->find(trans_id)` though it is already past the end of its container.
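The snippet above only dereferences `start_times.find(trans_id)` when `trans_id` is present in `retrans`, so it is safe exactly as long as the two maps are kept in lockstep; the analyser cannot see that invariant and treats the second `find()` as possibly `end()`. The following is an added example, not Kea's perfdhcp code: the same bookkeeping with the invariant made explicit, every lookup checked before dereferencing, and a self-check that can run in tests. The names `TransactionBook`, `lookupStart`, `recordResend` and `corruptForTest` are invented for this illustration.

```cpp
// Added example, not Kea's perfdhcp code: the lookup pattern Coverity
// flagged, rewritten so no iterator is dereferenced without a check.
// Class and function names (TransactionBook, lookupStart, ...) are invented.
#include <chrono>
#include <cstdint>
#include <map>
#include <utility>

using Clock = std::chrono::steady_clock;
using TimePoint = Clock::time_point;

// Per-transaction retransmission bookkeeping. The original snippet relies on
// an invariant it never states: every key in retrans is also in start_times.
// Coverity cannot see that invariant, so start_times.find() may be end().
class TransactionBook {
public:
    // Start time to use for this packet and how often it was already resent.
    std::pair<TimePoint, int> lookupStart(uint32_t trans_id, TimePoint pkt_ts) {
        auto r_it = retrans_.find(trans_id);
        if (r_it == retrans_.end()) {
            // First sighting: remember when the transaction began.
            start_times_.emplace(trans_id, pkt_ts);
            return {pkt_ts, 0};
        }
        auto s_it = start_times_.find(trans_id);
        if (s_it == start_times_.end()) {
            // Invariant broken: repair the record instead of reading end().
            s_it = start_times_.emplace(trans_id, pkt_ts).first;
        }
        return {s_it->second, r_it->second};
    }

    // Record one retransmission, keeping both maps in lockstep.
    void recordResend(uint32_t trans_id, TimePoint pkt_ts) {
        start_times_.emplace(trans_id, pkt_ts);   // no-op if already present
        ++retrans_[trans_id];
    }

    // Drop a finished transaction from both maps together.
    void finish(uint32_t trans_id) {
        retrans_.erase(trans_id);
        start_times_.erase(trans_id);
    }

    // Invariant check for tests and debug builds.
    bool consistent() const {
        for (const auto& kv : retrans_)
            if (start_times_.count(kv.first) == 0) return false;
        return true;
    }

    // Deliberately break the invariant, to show lookupStart() surviving it.
    void corruptForTest(uint32_t trans_id) {
        retrans_[trans_id] = 3;
        start_times_.erase(trans_id);
    }

private:
    std::map<uint32_t, int> retrans_;
    std::map<uint32_t, TimePoint> start_times_;
};

// Walks through the normal path and the corrupted path. Returns 0 when every
// check passes, otherwise the number of the first failing step.
int runScenario() {
    TransactionBook book;
    const TimePoint t0 = Clock::now();
    const TimePoint t1 = t0 + std::chrono::seconds(1);

    auto first = book.lookupStart(42, t0);
    if (first.first != t0 || first.second != 0) return 1;

    book.recordResend(42, t1);
    book.recordResend(42, t1);
    auto again = book.lookupStart(42, t1);
    if (again.first != t0 || again.second != 2) return 2;   // start time kept
    if (!book.consistent()) return 3;

    book.corruptForTest(7);
    if (book.consistent()) return 4;
    auto repaired = book.lookupStart(7, t1);   // undefined behaviour in the unchecked form
    if (repaired.first != t1 || repaired.second != 3) return 5;
    if (!book.consistent()) return 6;

    book.finish(42);
    book.finish(7);
    return book.consistent() ? 0 : 7;
}
```

Whether the original is a true or false positive depends on whether any code path erases from `start_times` without erasing from `retrans`; keeping both operations in one method, as `finish()` does here, is what makes the answer obvious to both a reviewer and a static analyser.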
`CID 1533337`

Milestone: kea2.5.6. Assignee: Razvan Becheriu.

## Sanity checks for Stork 1.14.0 rc1

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/1240
Author: Marcin Godzina. Updated: 2023-12-06T10:36:36Z.

We are now at step SANITY CHECKS of Stork 1.14.0 rc1.
Please do sanity checks according to the steps below:
1. Get the tarball and check it, run tests with `rake unittest:backend` or `rake unittest:backend_db`.
2. Get the apk, deb & rpm packages, place them in the tarball location, run tests with `rake system_tests` and `rake system_tests_ui`.
3. Start demo locally with `rake demo:up` and follow the steps from the demo wiki: https://gitlab.isc.org/isc-projects/stork/-/wikis/Demo
4. Install server and agent locally e.g. in VMs from apk, deb & rpm packages
Before starting, please state what you are checking in a thread/discussion (not as comment).
When you finish a check, state in the same thread/discussion what the result is.
This way we know what is covered upfront and we can avoid repeating ourselves.
* tarball: https://gitlab.isc.org/isc-projects/stork/-/jobs/3841692/artifacts/browse
* apk, deb & rpm packages: https://gitlab.isc.org/isc-projects/stork/-/jobs/3841690/artifacts/browse
Hooks:
* tarball: https://gitlab.isc.org/isc-projects/stork/-/jobs/3841702/artifacts/browse
* apk, deb & rpm packages: https://gitlab.isc.org/isc-projects/stork/-/jobs/3841709/artifacts/browse

Milestone: 1.14.

## Numerical statistics are truncated to 32-bits on export

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/4467
Author: Petr Špaček (pspacek@isc.org). Updated: 2024-01-04T16:47:06Z.

### Summary
In BIND statistics, values larger than 4294967295 overflow during export. E.g. any server which processes more than 4294967295 queries will see nonsense in statistics. This can conceivably happen in practice within a single day if the server is handling sustained ~50 k QPS.
Internally tracking still works up to 2^63-1, i.e. 9223372036854775807, but there is no way to get the data out without using debugger.
### BIND version used
Broken by 4e5edb35e475e4868ccbb8e4796b3fbe8ac90bb7, MR !1493.
* ~"Affects v9.19": f8fece81bf651275c3914d2559717943228a4cfd
* ~"Affects v9.18": acf55e125e946f39df96aca26608b01c46968a7b
* ~"Affects v9.16": 161d69aba357fa830bb6ef2b097b0447929041f0
### Steps to reproduce
It's kinda lengthy. Just do 2^32 queries and check /json/v1/server opcodes[] stats to see if they ever exceed 2^32-1.
### What is the current *bug* behavior?
Counters are not monotonic because of the overflow during export.
### What is the expected *correct* behavior?
No information loss.

Milestone: January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗). Assignee: Petr Špaček (pspacek@isc.org).

## CDS is stuck on an old key.

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/4466
Author: Björn Persson. Updated: 2024-01-12T08:57:15Z.

### Summary
The zone rombobeorn.se seems to be stuck in a CSK rollover that never gets finished. The CDS record still specifies the old key. Thus the parent zone doesn't update DS. Thus the old DNSKEY record can't be removed.
### BIND version used
```
# named -V
BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
running on Linux x86_64 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.19=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.10 1 Aug 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
This zone has successfully replaced one CSK with another before. This was the DNSSEC policy at the time:
```
dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
};
```
In an attempt to decrease the time the zone spends with dual keys, I changed the policy to this:
```
dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    max-zone-ttl P1D;
    signatures-validity P1W;
    signatures-refresh P2D;
};
```
### What is the current *bug* behavior?
On 2023-11-20 it was time for another rollover. CSK 58364 was generated and published in a second DNSKEY record. The DNSKEY, CDS and CDNSKEY records were signed with both the old and the new key. Other records had their signatures replaced gradually. Since 2023-12-01 all the records except DNSKEY, CDS and CDNSKEY have signatures only by the new key. Yet CDS and CDNSKEY still show the old key, 44674. You can check it yourself:
```
$ dig +short CDS rombobeorn.se
44674 8 2 DC0A35038C492439E044C0A109A62A7447427B606104613D7BA4B32D 2EDAC3FB
```
On 2023-12-02 it was time to renew the signatures for DNSKEY, CDS and CDNSKEY. They were again signed with both keys. There are still dual DNSKEY records.
Validation still succeeds, presumably because the new key is signed with the old key. Bind seems to understand that it can't remove the old key yet, but it's not publishing a CDS record for the new key.
### What is the expected *correct* behavior?
If the policy I have configured is wrong somehow, then it should have been rejected with an informative error message. Otherwise the CDS record (and CDNSKEY) should have been changed to 58364 by now.
### Relevant configuration files
```
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    key-directory "/var/lib/bind";
    listen-on-v6 { any; };
};

dnssec-policy "som_det_var" {
    keys {
        ksk lifetime unlimited algorithm rsasha256 2048;
        zsk lifetime unlimited algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    purge-keys 0;
};

dnssec-policy "automatik" {
    keys {
        csk lifetime P1M algorithm rsasha256 2048;
    };
    dnskey-ttl P1D;
    max-zone-ttl P1D;
    signatures-validity P1W;
    signatures-refresh P2D;
};

view "internal" {
    match-clients { [omitted] };
    recursion yes;
    allow-recursion { [omitted] };
    allow-transfer { [omitted] };
    notify no;

    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/zones.rfc1918";

    zone "xn--rombobjrn-67a.se" {
        type master;
        file "/var/lib/bind/db.xn--rombobjrn-67a.se.internal";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };

    zone "rombobeorn.se" {
        type master;
        file "/var/lib/bind/db.rombobeorn.se.internal";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };

    zone "168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.168.192";
        update-policy { [omitted] };
    };
};

view "external" {
    match-clients {
        any;
    };
    recursion no;
    allow-transfer { [omitted] };
    also-notify { [omitted] };
    notify explicit;
    rate-limit {
        responses-per-second 4;
        slip 2;
    };

    zone "xn--rombobjrn-67a.se" {
        type master;
        file "/var/lib/bind/db.xn--rombobjrn-67a.se.external";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };

    zone "rombobeorn.se" {
        type master;
        file "/var/lib/bind/db.rombobeorn.se.external";
        dnssec-policy automatik;
        parental-agents { ::1; };
        inline-signing no;
        update-policy { [omitted] };
    };
};
```
### Relevant logs and/or screenshots
As a baseline, these messages about two previously retired keys were repeated every hour:
```
2023-11-20T04:05:53.076358+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T04:05:53.105296+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T04:05:53.105790+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T04:05:53.109375+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 05:04:58.070
2023-11-20T04:05:53.206927+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T04:05:53.237195+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T04:05:53.237622+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T04:05:53.241190+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 05:04:58.202
```
Then the new key was generated, and a message about that key was added to the hourly repeats:
```
2023-11-20T05:04:58.076407+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T05:04:58.105335+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T05:04:58.105847+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T05:05:02.049479+01:00 cutie named[443161]: keymgr: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) created for policy automatik
2023-11-20T05:05:02.057591+01:00 cutie named[443161]: Fetching rombobeorn.se/RSASHA256/58364 (CSK) from key repository.
2023-11-20T05:05:02.058067+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now published
2023-11-20T05:05:02.136470+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 06:04:58.070
2023-11-20T05:05:02.137062+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T05:05:02.160374+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T05:05:02.160830+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T05:05:02.163720+01:00 cutie named[443161]: Fetching rombobeorn.se/RSASHA256/58364 (CSK) from key repository.
2023-11-20T05:05:02.164031+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now published
2023-11-20T05:05:02.242215+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 06:05:02.134
2023-11-20T06:04:58.076558+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-20T06:04:58.118725+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T06:04:58.119254+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T06:04:58.123463+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now inactive
2023-11-20T06:04:58.125009+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: next key event: 20-Nov-2023 07:04:58.072
2023-11-20T06:05:02.140288+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-20T06:05:02.183496+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-20T06:05:02.183962+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-20T06:05:02.188257+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/58364 (CSK) is now inactive
2023-11-20T06:05:02.189804+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: next key event: 20-Nov-2023 07:05:02.136
```
25 hours later the messages started appearing every ten minutes, claiming falsely that CDS and CDNSKEY had been updated:
```
2023-11-21T06:09:58.116346+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-21T06:09:58.158703+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:09:58.159244+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:09:58.171210+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.171736+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.178814+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-21T06:09:58.219756+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:09:58.222083+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:09:58.223643+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:09:58.223970+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.172402+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-21T06:19:58.214907+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:19:58.215409+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:19:58.220135+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.220718+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.222976+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-21T06:19:58.261817+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-21T06:19:58.262297+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-21T06:19:58.265388+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-21T06:19:58.265739+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
```
After another six days a message about the old key was added:
```
2023-11-27T07:24:01.188353+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-27T07:24:01.231048+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:24:01.231673+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:24:01.249383+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:24:01.250501+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.250919+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.253391+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-27T07:24:01.287956+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:24:01.288376+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:24:01.290787+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:24:01.291398+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:24:01.291732+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.256339+01:00 cutie named[443161]: zone rombobeorn.se/IN/internal: reconfiguring zone keys
2023-11-27T07:34:01.299042+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:34:01.299657+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:34:01.303256+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:34:01.304268+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.304659+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.307121+01:00 cutie named[443161]: zone rombobeorn.se/IN/external: reconfiguring zone keys
2023-11-27T07:34:01.346113+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/50640 (ZSK)
2023-11-27T07:34:01.346504+01:00 cutie named[443161]: keymgr: retire DNSKEY rombobeorn.se/RSASHA256/48019 (KSK)
2023-11-27T07:34:01.348830+01:00 cutie named[443161]: DNSKEY rombobeorn.se/RSASHA256/44674 (CSK) is now inactive
2023-11-27T07:34:01.349518+01:00 cutie named[443161]: CDS for key rombobeorn.se/RSASHA256/58364 is now published
2023-11-27T07:34:01.349707+01:00 cutie named[443161]: CDNSKEY for key rombobeorn.se/RSASHA256/58364 is now published
```
Those messages are still being repeated every ten minutes, and that "inactive" key is still current according to CDS.
Here's what the key states were right after the new key was generated at 2023-11-20 05:05:
```
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231030071458 (Mon Oct 30 08:14:58 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
```
```
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
ZRRSIGChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
KRRSIGChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
DSChange: 20231120040458 (Mon Nov 20 05:04:58 2023)
DNSKEYState: rumoured
ZRRSIGState: hidden
KRRSIGState: rumoured
DSState: hidden
GoalState: omnipresent
```
At 2023-11-21 06:09 the new key's state looked like this:
```
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
ZRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
KRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DSChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: rumoured
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
```
Then, at 2023-11-27 07:24 the key states changed into this:
```
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231127062401 (Mon Nov 27 07:24:01 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: unretentive
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
```
```
; This is the state of key 58364, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 44674
KSK: yes
ZSK: yes
Generated: 20231120040458 (Mon Nov 20 05:04:58 2023)
Published: 20231120040458 (Mon Nov 20 05:04:58 2023)
Active: 20231120060958 (Mon Nov 20 07:09:58 2023)
Retired: 20231221060958 (Thu Dec 21 07:09:58 2023)
Removed: 20231227071458 (Wed Dec 27 08:14:58 2023)
PublishCDS: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
ZRRSIGChange: 20231127062401 (Mon Nov 27 07:24:01 2023)
KRRSIGChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DSChange: 20231121050958 (Tue Nov 21 06:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: omnipresent
KRRSIGState: omnipresent
DSState: rumoured
GoalState: omnipresent
```
Most recently, the old key's state changed at 2023-12-03 08:34:
```
; This is the state of key 44674, for rombobeorn.se.
Algorithm: 8
Length: 2048
Lifetime: 2678400
Predecessor: 26869
Successor: 58364
KSK: yes
ZSK: yes
Generated: 20231020040458 (Fri Oct 20 06:04:58 2023)
Published: 20231020040458 (Fri Oct 20 06:04:58 2023)
Active: 20231020060958 (Fri Oct 20 08:09:58 2023)
Retired: 20231120060958 (Mon Nov 20 07:09:58 2023)
Removed: 20231126071458 (Sun Nov 26 08:14:58 2023)
DSPublish: 20231020160958 (Fri Oct 20 18:09:58 2023)
PublishCDS: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSPubCount: 1
DNSKEYChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
ZRRSIGChange: 20231203073446 (Sun Dec 3 08:34:46 2023)
KRRSIGChange: 20231020060958 (Fri Oct 20 08:09:58 2023)
DSChange: 20231021180958 (Sat Oct 21 20:09:58 2023)
DNSKEYState: omnipresent
ZRRSIGState: hidden
KRRSIGState: omnipresent
DSState: omnipresent
GoalState: hidden
```
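The mismatch this report describes, between what the keymgr records in its `.state` files (and logs as "CDS ... is now published") and what the zone actually answers, can be checked mechanically. The following is an added example, not BIND's code: it parses the `.state` files quoted above, derives which key tags the keymgr expects to be announced through CDS, and compares that with the output of `dig +short CDS`. The rule "a CDS is expected for every KSK-capable key whose DSState is rumoured or omnipresent" is an assumption read off the logs in this report (58364's CDS was logged as published the moment its DSState became rumoured), not taken from BIND documentation. The embedded state files and dig output are reduced copies of the ones above, and all function names are invented.

```cpp
// Added example, not BIND's code: cross-check the keymgr's view of a rollover
// (the .state files shown above) against the CDS RRset the zone really serves.
// Assumption, read off the logs in this report rather than from BIND docs:
// a CDS is expected for every KSK-capable key whose DSState is "rumoured" or
// "omnipresent". Function names are invented for this illustration.
#include <cstdint>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct KeyState {
    uint32_t keytag = 0;
    bool ksk = false;
    std::string ds_state;     // hidden | rumoured | omnipresent | unretentive
    std::string goal_state;
};

static std::string trim(const std::string& s) {
    const auto b = s.find_first_not_of(" \t\r");
    if (b == std::string::npos) return "";
    const auto e = s.find_last_not_of(" \t\r");
    return s.substr(b, e - b + 1);
}

// Parse one .state file. The key tag only appears in the leading comment
// ("; This is the state of key 44674, for ..."), so it is read from there.
KeyState parseStateFile(const std::string& text) {
    KeyState ks;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = trim(line);
        if (line.empty()) continue;
        if (line[0] == ';') {
            const std::string marker = "state of key ";
            auto p = line.find(marker);
            if (p != std::string::npos)   // stoul stops at the trailing comma
                ks.keytag = static_cast<uint32_t>(std::stoul(line.substr(p + marker.size())));
            continue;
        }
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        const std::string k = trim(line.substr(0, colon));
        const std::string v = trim(line.substr(colon + 1));
        if (k == "KSK") ks.ksk = (v == "yes");
        else if (k == "DSState") ks.ds_state = v;
        else if (k == "GoalState") ks.goal_state = v;
    }
    return ks;
}

// Key tags that, by the assumption above, should appear in the zone's CDS.
std::set<uint32_t> expectedCdsKeytags(const std::vector<KeyState>& keys) {
    std::set<uint32_t> out;
    for (const auto& k : keys)
        if (k.ksk && (k.ds_state == "rumoured" || k.ds_state == "omnipresent"))
            out.insert(k.keytag);
    return out;
}

// Key tags from `dig +short CDS <zone>`: "<keytag> <alg> <digesttype> <digest>".
std::set<uint32_t> servedCdsKeytags(const std::string& dig_short) {
    std::set<uint32_t> out;
    std::istringstream in(dig_short);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        unsigned long tag;
        if (fields >> tag) out.insert(static_cast<uint32_t>(tag));
    }
    return out;
}

// Keys the keymgr believes are announced to the parent but that the zone
// serves no CDS for. A non-empty result is the "stuck" condition.
std::set<uint32_t> missingCds(const std::set<uint32_t>& expected,
                              const std::set<uint32_t>& served) {
    std::set<uint32_t> out;
    for (auto tag : expected)
        if (served.count(tag) == 0) out.insert(tag);
    return out;
}

// Constructed input: the two state files and the dig output quoted in this
// report, reduced to the fields the check needs.
const char* const kOldKeyState =
    "; This is the state of key 44674, for rombobeorn.se.\n"
    "Algorithm: 8\nKSK: yes\nZSK: yes\n"
    "DNSKEYState: omnipresent\nDSState: omnipresent\nGoalState: hidden\n";
const char* const kNewKeyState =
    "; This is the state of key 58364, for rombobeorn.se.\n"
    "Algorithm: 8\nKSK: yes\nZSK: yes\n"
    "DNSKEYState: omnipresent\nDSState: rumoured\nGoalState: omnipresent\n";
const char* const kDigCds =
    "44674 8 2 DC0A35038C492439E044C0A109A62A7447427B606104613D7BA4B32D 2EDAC3FB\n";

std::set<uint32_t> stuckKeysInReport() {
    std::vector<KeyState> keys = {parseStateFile(kOldKeyState), parseStateFile(kNewKeyState)};
    return missingCds(expectedCdsKeytags(keys), servedCdsKeytags(kDigCds));
}
```

On the data in this report the check returns {58364}: the state file says the new key's DS is being introduced, but the served CDS still only carries 44674, which is exactly the condition the parent would need to see resolved before it can update DS.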
Other possibly useful state:
```
# rndc dnssec -status rombobeorn.se IN external
dnssec-policy: automatik
current time: Mon Dec 4 10:30:48 2023
key: 26869 (RSASHA256), CSK
published: no
key signing: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: hidden
- key rrsig: hidden
key: 44674 (RSASHA256), CSK
published: yes - since Fri Oct 20 06:04:58 2023
key signing: yes - since Fri Oct 20 06:04:58 2023
zone signing: no
Key is retired, will be removed on Sun Nov 26 08:14:58 2023
- goal: hidden
- dnskey: omnipresent
- ds: omnipresent
- zone rrsig: hidden
- key rrsig: omnipresent
key: 50640 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: unretentive
- zone rrsig: hidden
- key rrsig: hidden
key: 48019 (RSASHA256), KSK
published: no
key signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- ds: hidden
- zone rrsig: hidden
- key rrsig: hidden
key: 58364 (RSASHA256), CSK
published: yes - since Mon Nov 20 05:04:58 2023
key signing: yes - since Mon Nov 20 05:04:58 2023
zone signing: yes - since Mon Nov 20 07:09:58 2023
Next rollover scheduled on Wed Dec 20 06:04:58 2023
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- zone rrsig: omnipresent
- key rrsig: omnipresent
```
```
# rndc zonestatus rombobeorn.se IN external
name: rombobeorn.se
type: primary
files: /var/lib/bind/db.rombobeorn.se.external
serial: 2023092684
nodes: 14
last loaded: Mon, 23 Oct 2023 21:53:52 GMT
secure: yes
inline signing: no
key maintenance: automatic
next key event: Mon, 04 Dec 2023 09:34:54 GMT
next resign node: rombobeorn.se/MX
next resign time: Mon, 04 Dec 2023 22:20:46 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
```

Milestone: January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗). Assignee: Matthijs Mekking (matthijs@isc.org).

## BIND can crash with assertion in the situation when a `tls` entry is used multiple times to establish an outgoing connection

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/4464
Author: Artem Boldariev. Updated: 2023-12-06T17:24:11Z.

BIND can crash with assertion in the situation when a `tls` entry is used multiple times to establish an outgoing connection to other servers via TLS.
```
04-Dec-2023 13:38:33.746 tls.c:1187: REQUIRE(pstore != ((void *)0) && *pstore != ((void *)0)) failed
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_backtrace_log+0x49) [0x7ffff7f4e6d7]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/bin/named/.libs/named() [0x42c0c6]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_assertion_failed+0x31) [0x7ffff7f4e052]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc_tls_cert_store_free+0x42) [0x7ffff7f87ebd]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_transport_get_tlsctx+0x6f1) [0x7ffff7de49f4]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x696e6) [0x7ffff7c696e6]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_dispatch_connect+0xb6) [0x7ffff7c69d32]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x20acf2) [0x7ffff7e0acf2]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(dns_xfrin_create+0x2c0) [0x7ffff7e09469]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/dns/.libs/libdns-9.19.19-dev.so(+0x255a9b) [0x7ffff7e55a9b]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(isc__async_cb+0x186) [0x7ffff7f4e500]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(+0x10543) [0x7ffff7730543]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(+0x238e5) [0x7ffff77438e5]
04-Dec-2023 13:38:33.746 /nix/store/lsp8kyfkyi35shk51alffb4vsll7030q-libuv-1.46.0/lib/libuv.so.1(uv_run+0xb0) [0x7ffff77311c0]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x571e0) [0x7ffff7f6c1e0]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x6e669) [0x7ffff7f83669]
04-Dec-2023 13:38:33.746 /home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.19.19-dev.so(+0x6e6ad) [0x7ffff7f836ad]
04-Dec-2023 13:38:33.746 /nix/store/qn3ggz5sf3hkjs2c797xf7nan3amdxmp-glibc-2.38-27/lib/libc.so.6(+0x8b084) [0x7ffff6e62084]
04-Dec-2023 13:38:33.746 /nix/store/qn3ggz5sf3hkjs2c797xf7nan3amdxmp-glibc-2.38-27/lib/libc.so.6(+0x10d60c) [0x7ffff6ee460c]
04-Dec-2023 13:38:33.746 exiting (due to assertion failure)
```
In particular, the problem reveals itself when multiple threads are trying to initialise a transport-specific TLS context and its associated data at the same time, like in the following situation:
```
tls tls-v1.3 {
    protocols { TLSv1.3; };
    prefer-server-ciphers yes;
};

zone "example-1" {
    type secondary;
    primaries port 22168 { 10.53.0.1 tls tls-v1.3; };
    file "example-1.db";
    allow-transfer { any; };
};

zone "example-2" {
    type secondary;
    primaries port 22169 { 10.53.0.1 tls tls-v1.3; };
    file "example-2.db";
    allow-transfer { any; };
};

zone "example-3" {
    type secondary;
    primaries port 22170 { 10.53.0.1 tls tls-v1.3; };
    file "example-3.db";
    allow-transfer { any; };
};
```
The error handling code is not correct for this case, as in some cases, freeing a TLS certificate store is not required. In this particular case it can be `NULL`.
The problem _does not_ reveal itself on each run.
Milestone: December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Assignee: Artem Boldariev

https://gitlab.isc.org/isc-projects/stork/-/issues/1239
Title: 1.14.0. release version bump
Updated: 2023-12-04T14:29:09Z
Author: Marcin Godzina
Milestone: 1.14
Assignee: Marcin Godzina

https://gitlab.isc.org/isc-projects/stork/-/issues/1238
Title: Redundant asterisks in Changelog after merge
Updated: 2023-12-04T11:10:02Z
Author: Slawek Figiel
The entry header is incorrect. It contains an unnecessary asterisk.
![image](/uploads/d5ba0ef87fcad47256ed3318026cc7ff/image.png)

https://gitlab.isc.org/isc-projects/kea/-/issues/3182
Title: Avoid copy in range-based for loops
Updated: 2023-12-05T09:30:15Z
Author: Francis Dupont
As coverity reports, there are some range-based for loops in Kea code where the range-expression (ab)using the `auto` keyword is copied at each iteration when a better declaration (i.e. `const auto&`) works well with a better performance (compilers should infer a better type but this is not specified for C++...).

https://gitlab.isc.org/isc-projects/stork/-/issues/1237
Title: kea-app-tab component improvements
Updated: 2023-12-20T10:12:58Z
Author: Piotrek Zadroga
While working on #915, it occurred to me that there are a few things that could be improved in the `kea-app-tab` component UI/UX.
1. Overview row - _Daemon Information_ vs _Hooks_ columns proportions
Currently proportions for the columns are 6:6.
By default it looks like:
![image](/uploads/804a06db7a9ceb88e1115b1a5acbca47/image.png)
Hooks names are not that wide, so the proportions could be changed to 8:4:
![image](/uploads/fd801a896b366e9346f5c1184997383d/image.png)
2. Hooks paths displayed after click on a hook name
After clicking on a hook name, a path is displayed:
![image](/uploads/1f88238856f291b261309f6781082aeb/image.png)
I hear that the intention of it is the possibility to copy the path to the clipboard. The path doesn't look good with broken lines. Instead of the `p-inplace` component, a tooltip `Click to copy hook path to the clipboard` could be displayed. The click event would write the hook path to the clipboard. The discussion about this concept was in https://gitlab.isc.org/isc-projects/stork/-/merge_requests/682#note_419854 and following comments.
@slawek had some concerns:
> How is a user supposed to know the full path will be copied to a clipboard on click?
The tooltip will display that information: what is about to happen after click.
And my counter question: how is the user supposed to know that right now when the hook name is clicked, it will be changed to a hook path?
Currently, it probably works for the user like: I can click that? Ok, let's click that and see what happens next...
> Especially, why should the user expect the copied value to be a full path instead of displaying the hook name?
It doesn't look to me as a UX improvement. If you would like to do it this way, you should inform a user what action will be performed.
The tooltip will display that information: what is about to happen after click.
> but how do you indicate the copied value is a full path?
My proposal is to use Clipboard API `writeText` which returns a `Promise`, so successful/failed write to the clipboard can be displayed as a notification.
```ts
navigator.clipboard.writeText("some hook path").then(
    () => {
        /* clipboard successfully set */
    },
    () => {
        /* clipboard write failed */
    },
);
```
3. Hooks list display
When there are more hooks loaded in Kea, and the screen displaying the component is not that wide, this overlapping happens:
![image](/uploads/af6cafdd850fb1334ff1f1fec9396654/image.png)
This is because one list entry consists of 3 columns in proportions 1:10:1. This could be constructed/styled in a better way to avoid the overlap.
Milestone: 1.15
Assignee: Piotrek Zadroga

https://gitlab.isc.org/isc-projects/bind9/-/issues/4462
Title: Crash on shutdown when DNSSEC validation is running: ENSURE(isc_mempool_getallocated(*namepoolp) == 0) failed
Updated: 2023-12-06T18:35:00Z
Author: Petr Špaček (pspacek@isc.org)
### Summary
(Summarize the bug encountered concisely.)
### BIND version used
* ~"Affects v9.19": 235659b95ad53fd51fa90105b17ba1a4e51df5b0
Does not affect:
* ~"v9.18": 6817bf1284fe8aea303365d2dd17bc5523e7a41b
* ~"v9.16": 161d69aba357fa830bb6ef2b097b0447929041f0
* ~"v9.11 (EoL)": v9.11.37-S1
* Other versions were not tested
### Steps to reproduce
Essentially, cause the validator to work on something during shutdown. One possibility is simply a random subdomain attack against a signed zone.
1. Run an auth:
   - zone: [local.testiscorg.ch.zone.signed](/uploads/e33d65b59661293a9a2722c992b9edd7/local.testiscorg.ch.zone.signed)
   - config: [auth.conf](/uploads/adcd06cde487e5da3f24dd6359084e2e/auth.conf)
   - `named -g -c auth.conf`
2. Run `named` under attack:
   - [resolver.conf](/uploads/7c06f9959cfaf7601a89623ae2efffe4/resolver.conf)
   - `named -g -c resolver.conf -n1 -D resolver`

   The `-n1` makes it easier to trigger.
3. Run random subdomain attack:
   - [randnames.py](/uploads/ee30deec22e8da98fa2949b91ae54ce7/randnames.py)
   - `python randlabels.py | dnsperf -s 127.0.0.1 -S1 -D`
4. SIGINT the resolver:
   - `pkill -f resolver`
### What is the current *bug* behavior?
:boom:
```
message.c:4768: ENSURE(isc_mempool_getallocated(*namepoolp) == 0) failed
```
<details>
```
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007ffff6bea8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff6b9a668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff6b824b8 in __GI_abort () at abort.c:79
#4 0x000055555557e3b2 in assertion_failed (file=0x7ffff7eae157 "message.c", line=4768, type=isc_assertiontype_ensure, cond=0x7ffff7eaf818 "isc_mempool_getallocated(*namepoolp) == 0") at main.c:234
#5 0x00007ffff7f502ea in isc_assertion_failed (file=0x7ffff7eae157 "message.c", line=4768, type=isc_assertiontype_ensure, cond=0x7ffff7eaf818 "isc_mempool_getallocated(*namepoolp) == 0") at assertions.c:48
#6 0x00007ffff7cf9a59 in dns_message_destroypools (namepoolp=0x7ffff3e38580, rdspoolp=0x7ffff3e38588) at message.c:4768
#7 0x00007ffff7de87c3 in dns_resolver__destroy (res=0x7ffff3e31c00) at resolver.c:9892
#8 0x00007ffff7dea2b4 in dns_resolver_unref (ptr=0x7ffff3e31c00) at resolver.c:10173
#9 0x00007ffff7dea38d in dns_resolver_detach (ptrp=0x7ffff3e6e848) at resolver.c:10173
#10 0x00007ffff7c6ed52 in destroy (adb=0x7ffff3e6e800) at adb.c:1830
#11 0x00007ffff7c6ef20 in dns_adb_unref (ptr=0x7ffff3e6e800) at adb.c:1838
#12 0x00007ffff7c6eff9 in dns_adb_detach (ptrp=0x7fffffff9dc0) at adb.c:1838
#13 0x00007ffff7e26a56 in dns_view_detach (viewp=0x7ffff13b3e08) at view.c:516
#14 0x00007ffff7e237dd in destroy_validator (val=0x7ffff13b3e00) at validator.c:3122
#15 0x00007ffff7e23f49 in dns_validator_unref (ptr=0x7ffff13b3e00) at validator.c:3226
#16 0x00007ffff7e24022 in dns_validator_detach (ptrp=0x7fffffff9fa0) at validator.c:3226
#17 0x00007ffff7e1c421 in validator_done_cb (arg=0x7ffff13b3e00) at validator.c:211
#18 0x00007ffff7f507ac in isc__async_cb (handle=0x7ffff3e90388) at async.c:111
#19 0x00007ffff78dba1b in uv__async_io (loop=0x7ffff3e90020, w=<optimized out>, events=<optimized out>) at src/unix/async.c:176
#20 0x00007ffff78f8d48 in uv__io_poll (loop=0x7ffff3e90020, timeout=<optimized out>) at src/unix/linux.c:1526
#21 0x00007ffff78e0fbf in uv_run (loop=0x7ffff3e90020, mode=UV_RUN_DEFAULT) at src/unix/core.c:447
#22 0x00007ffff7f6de2c in loop_thread (arg=0x7ffff3e90000) at loop.c:282
#23 0x00007ffff7f847fd in thread_body (wrap=0x7ffff3ee59c0) at thread.c:85
#24 0x00007ffff7f848b6 in isc_thread_main (func=0x7ffff7f6dcb2 <loop_thread>, arg=0x7ffff3e90000) at thread.c:116
#25 0x00007ffff7f6eead in isc_loopmgr_run (loopmgr=0x7ffff3e206c0) at loop.c:454
#26 0x00005555555810e2 in main (argc=5, argv=0x7fffffffe598) at main.c:1574
```
</details>
### What is the expected *correct* behavior?
No crash.
Milestone: December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Assignee: Mark Andrews

https://gitlab.isc.org/isc-projects/stork/-/issues/1236
Title: stork-demo.sh is failing to build the web ui for stork
Updated: 2023-12-07T16:49:30Z
Author: varsraja
---
name: Bug report
about: store-demo.sh fails to build the web ui for stork
---
**Describe the bug**
Trying to build the stork server, web-ui and web-apache docker containers. Checked out the latest code and tried to run the stork-demo.sh script that builds these images. It is exiting with an error when building the web-ui image.
**Expected behavior**
Able to see the stork demo to start running.
[stork-demo-error.txt](/uploads/d0b03d0046b4202bd0a5c440896b549a/stork-demo-error.txt)
**Contacting you**
How can ISC reach you to discuss this matter further? If you do not specify any means such as
e-mail, jabber id or a telephone, we may send you a message on github with questions when we have
them.

https://gitlab.isc.org/isc-projects/kea/-/issues/3178
Title: Run multiple HA relationships in hub-and-spoke configuration
Updated: 2024-01-26T14:35:10Z
Author: Marcin Siodelski
This is the actual implementation of the hub-and-spoke model described in the design ticket: https://gitlab.isc.org/isc-projects/kea/-/issues/1149
It should add the logic to run multiple `HAService` instances concurrently. The major issue is to implement the callouts for the `subnet4_select` and `subnet6_select` hook points that would be used in the hub-and-spoke configuration to select the relationship based on the selected subnet. We should also test that the `HAService` instances do not stomp on each other, that they are thread safe, etc. After this ticket, the hub-and-spoke configuration should be usable, at least in a basic form.
[support#22017](https://support.isc.org/Ticket/Display.html?id=22017).
Milestone: kea2.5.5
Assignee: Marcin Siodelski

https://gitlab.isc.org/isc-projects/kea/-/issues/3177
Title: bump up version in configure.ac to 2.5.5-git
Updated: 2023-11-29T16:30:31Z
Author: Andrei Pavel (andrei@isc.org)
Bump up version in configure.ac for %"kea2.5.5".
Milestone: kea2.5.5
Assignee: Andrei Pavel (andrei@isc.org)

https://gitlab.isc.org/isc-projects/stork/-/issues/1233
Title: Upgrade vulnerable packages before 1.14 release
Updated: 2023-11-30T17:21:36Z
Author: Marcin Siodelski
The UI and the backend audits show some vulnerabilities we want to fix before the 1.14 release.
Milestone: 1.14
Assignee: Marcin Siodelski

https://gitlab.isc.org/isc-projects/kea-quick-config/-/issues/49
Title: Add favicon.ico
Updated: 2023-11-28T15:45:52Z
Author: Darren Ankney
Just for fun. No reason this has to exist.
Milestone: 0.3
Assignee: Darren Ankney

https://gitlab.isc.org/isc-projects/bind9/-/issues/4459
Title: [CVE-2023-50868] Preparing an NSEC3 closest encloser proof can exhaust CPU resources
Updated: 2024-03-28T14:11:11Z
Author: Petr Špaček (pspacek@isc.org)
| Quick Links | :link: |
| ------------------------ | ------------------------------------------------------------------------------ |
| Incident Manager: | @pspacek |
| Deputy Incident Manager: | @ebf |
| Public Disclosure Date: | 2024-02-13 |
| CVSS Score: | [7.5][cvss_score] |
| Security Advisory: | isc-private/printing-press!93 |
| Mattermost Channel: | [CVE-2023-50868: NSEC3 closest encloser proof can exhaust CPU][mattermost_url] |
| Support Ticket: | N/A |
| Release Checklist: | #4555 |
[cvss_score]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
[mattermost_url]: https://mattermost.isc.org/isc/channels/cve-2023-50868-nsec3-closest-encloser-proof-can-exhaust-cpu
:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.**
[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations
### Earlier Than T-5
- [x] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager
- :no_entry_sign: [:link:][step_respond] **(IM)** Respond to the bug reporter - found internally by @pspacek
- [x] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue
- [x] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier
- [x] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier and the CVSS score
- [x] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition)
- [x] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist
- [x] [:link:][step_coordinate] **(SwEng)** :warning: Coordinate with other parties :warning:
- [x] [:link:][step_earliest_prepare] **(Support)** ~~Prepare "earliest" notification text and hand it off to Marketing~~
- [x] [:link:][step_earliest_send] **(Marketing)** ~~Update "earliest" notification document in SF portal and send bulk email to earliest customers~~
- [x] [:link:][step_advisory_mr] **(Support)** [Create a merge request for the Security Advisory and include all readily available information in it](isc-private/printing-press!93)
- [x] [:link:][step_reproducer_mr] **(SwEng)** ~~[Prepare a private merge request containing a system test reproducing the problem](#note_434474)~~
- [x] [:link:][step_notify_support] **(SwEng)** ~~Notify Support when a reproducer is ready~~
- [x] [:link:][step_code_analysis] **(SwEng)** [Prepare a detailed explanation of the code flow triggering the problem](#note_434480)
- [x] [:link:][step_fix_mr] **(SwEng)** ~~[Prepare a private merge request with the fix](#note_434483)~~
- [x] [:link:][step_review_fix] **(SwEng)** ~~[Ensure the merge request with the fix is reviewed and has no outstanding discussions](#note_434483)~~
- [x] [:link:][step_review_docs] **(Support)** ~~[Review the documentation changes introduced by the merge request with the fix](#note_434483)~~
- [x] [:link:][step_backports] **(SwEng)** ~~[Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product](#note_434483)~~
- [x] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory
- [x] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- [x] [:link:][step_changes] **(QA)** (BIND 9 only) Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- [x] [:link:][step_merge_fixes] **(QA)** ~~[Merge the CVE fixes in CVE identifier order](#note_434483)~~
- [x] [:link:][step_patches] **(QA)** ~~[Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch](#note_434483)~~
- [x] [:link:][step_asn_releases] **(QA)** Prepare ASN releases (as outlined in the Release Checklist)
### At T-5
- [x] [:link:][step_asn_documents] **(Marketing)** Update the text on the T-5 (from the Printing Press project) and "earliest" ASN documents in the SF portal
- [x] [:link:][step_asn_links] **(Marketing)** (BIND 9 only) Update the BIND -S information document in SF with download links to the new versions
- [x] [:link:][step_asn_send] **(Marketing)** Bulk email eligible customers to check the SF portal
- [x] [:link:][step_preannouncement] **(Marketing)** (BIND 9 only) Send a pre-announcement email to the *bind-announce* mailing list to alert users that the upcoming release will include security fixes
### At T-1
- [x] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers
### On the Day of Public Disclosure
- [x] [:link:][step_clearance] **(IM)** [Grant QA & Marketing clearance to proceed with public release](https://mattermost.isc.org/isc/pl/rxzn1b4upbnjxrbq75dqx1m96o)
- [x] [:link:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist)
- [x] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base
- [x] [:link:][step_publish_advisory] **(Support)** Bump Document Version for the Security Advisory and publish it in the Knowledge Base
- [x] [:link:][step_notifications] **(First IM)** Send notification emails to third parties
- [x] [:link:][step_mitre] **(First IM)** ~~[Advise MITRE about the disclosed CVEs](#note_436522)~~
- [x] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request
- [x] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete
- [x] [:link:][step_asn_clear] **(Marketing)** Update the SF portal to clear the ASN
- [x] [:link:][step_customers] **(Marketing)** Email ASN recipients that the embargo is lifted
### After Public Disclosure
- [x] [:link:][step_regression] **(QA)** ~~[Merge a regression test reproducing the bug into all affected (and still maintained) branches](#note_434474)~~
[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager
[step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter
[step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue
[step_assign_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#assign-a-cve-identifier
[step_note_cve_info]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-this-issue-with-the-assigned-cve-identifier-and-the-cvss-score
[step_versions_affected]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-the-range-of-product-versions-affected-including-the-subscription-edition
[step_workarounds]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#determine-whether-workarounds-for-the-problem-exist
[step_coordinate]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#if-necessary-coordinate-with-other-parties
[step_earliest_prepare]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-earliest-notification-text-and-hand-it-off-to-marketing
[step_earliest_send]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-earliest-notification-document-in-sf-portal-and-send-bulk-email-to-earliest-customers
[step_advisory_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-a-merge-request-for-the-security-advisory-and-include-all-readily-available-information-in-it
[step_reproducer_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-containing-a-system-test-reproducing-the-problem
[step_notify_support]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#notify-support-when-a-reproducer-is-ready
[step_code_analysis]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-detailed-explanation-of-the-code-flow-triggering-the-problem
[step_fix_mr]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-private-merge-request-with-the-fix
[step_review_fix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-the-merge-request-with-the-fix-is-reviewed-and-has-no-outstanding-discussions
[step_review_docs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#review-the-documentation-changes-introduced-by-the-merge-request-with-the-fix
[step_backports]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-backports-of-the-merge-request-addressing-the-problem-for-all-affected-and-still-maintained-branches-of-a-given-product
[step_finish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#finish-preparing-the-security-advisory
[step_meta_issue]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#create-or-update-the-private-issue-containing-links-to-fixes-reproducers-for-all-cves-fixed-in-a-given-release-cycle
[step_changes]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-reserve-a-block-of-changes-placeholders-once-the-complete-set-of-vulnerabilities-fixed-in-a-given-release-cycle-is-determined
[step_merge_fixes]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-cve-fixes-in-cve-identifier-order
[step_patches]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-a-standalone-patch-for-the-last-stable-release-of-each-affected-and-still-maintained-product-branch
[step_asn_releases]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#prepare-asn-releases-as-outlined-in-the-release-checklist
[step_asn_documents]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-text-on-the-t-5-from-the-printing-press-project-and-earliest-asn-documents-in-the-sf-portal
[step_asn_links]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-update-the-bind-s-information-document-in-sf-with-download-links-to-the-new-versions
[step_asn_send]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bulk-email-eligible-customers-to-check-the-sf-portal
[step_preannouncement]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-send-a-pre-announcement-email-to-the-bind-announce-mailing-list-to-alert-users-that-the-upcoming-release-will-include-security-fixes
[step_packager_emails]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notifications-to-os-packagers
[step_clearance]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#grant-qa-marketing-clearance-to-proceed-with-public-release
[step_publish]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#publish-the-releases-as-outlined-in-the-release-checklist
[step_matrix]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bind-9-only-add-the-new-cves-to-the-vulnerability-matrix-in-the-knowledge-base
[step_publish_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#bump-document-version-for-the-security-advisory-and-publish-it-in-the-knowledge-base
[step_notifications]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#send-notification-emails-to-third-parties
[step_mitre]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#advise-mitre-about-the-disclosed-cves
[step_merge_advisory]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-the-security-advisory-merge-request
[step_embargo_end]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#inform-original-reporter-if-external-that-the-security-disclosure-process-is-complete
[step_asn_clear]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-sf-portal-to-clear-the-asn
[step_customers]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#email-asn-recipients-that-the-embargo-is-lifted
[step_regression]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#merge-a-regression-test-reproducing-the-bug-into-all-affected-and-still-maintained-branches
### Reproducer
1. Sign an empty zone with NSEC3, 150 iterations, and the same NSEC3 salt for good measure:
   - [local.testiscorg.ch.zone](/uploads/b4a147bdabff809350e0a7a7b802758e/local.testiscorg.ch.zone)
   - [Klocal.testiscorg.ch.+014+01043.key](/uploads/27aa1a99ac52e271ae1bf618c7fc4138/Klocal.testiscorg.ch.+014+01043.key)
   - [Klocal.testiscorg.ch.+014+01043.private](/uploads/346295e7f71ed644dd44bb93e52ea531/Klocal.testiscorg.ch.+014+01043.private)
   - `dnssec-signzone -u -3 0122345678912345 -H 150 -e 20380101000000 -S -o local.testiscorg.ch -O full -z local.testiscorg.ch.zone Klocal.testiscorg.ch.+014+01043`
   - :point_right_tone1: [local.testiscorg.ch.zone.signed](/uploads/ba12811b13cc749084b6c1cef0c3a04a/local.testiscorg.ch.zone.signed)
2. Run an auth with the zone:
   - [auth.conf](/uploads/51139fed8b8efe23eb58b82ce4b82379/auth.conf)
   - `named -g -c auth.conf`
3. Run a resolver with the zone:
   - [resolver.conf](/uploads/2b9a661105397636c55f9c5be13d8855/resolver.conf)
   - `named -g -c resolver.conf`
4. Run attack using dnsperf:
   - [randlabels.py](/uploads/30b54afbe090da16c06855f5561755df/randlabels.py)
   - `python randlabels.py | dnsperf -s 127.0.0.1 -S1`
### Observed behavior
Around 200 QPS, one CPU maxed out. Tweaking dnsperf params can max out all CPUs with ~ 200 queries per core.
### Problem
For NSEC3 we have to hash all the labels between QNAME and the zone name to find a matching NSEC3 RR in the authority section. This inflates the number of hashes to potentially ~ `127 labels * <NSEC3 iterations> * <number of NSEC3 RRs in the message>`.
We have to cap this somehow. Coordination with other vendors is needed because BIND, Unbound, Knot Resolver, and PowerDNS in current versions are affected. This seems like a protocol issue, so other vendors are most likely also affected; see the NSEC3 algorithm here: https://datatracker.ietf.org/doc/html/rfc5155#section-8.3
Milestone: February 2024 (9.16.47/9.16.48, 9.16.47/9.16.48-S1, 9.18.23/9.18.24, 9.18.23/9.18.24-S1, 9.19.21)

https://gitlab.isc.org/isc-projects/kea/-/issues/3174
Title: Changes for Kea 2.5.4 release
Updated: 2023-11-28T13:38:22Z
Author: Andrei Pavel (andrei@isc.org)
- [x] added release entry to ChangeLogs
- [x] regenerated BNF grammar
- [x] regenerated message headers
- [x] regenerated parsers
- [x] reordered messages in alphabetical order
- [x] updated copyright years
Milestone: kea2.5.4
Assignee: Andrei Pavel (andrei@isc.org)