Feed: ISC Open Source Projects issues (https://gitlab.isc.org/groups/isc-projects/-/issues), 2023-03-14T13:27:30Z

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/988
Title: CodeQL: Inefficient regular expression - rename app panel
Date: 2023-03-14T13:27:30Z
Author: Slawek Figiel

The regex used in the rename panel may be inefficient if the application name is specially prepared.

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/986
Title: CodeQL: Log entries created from user input - request URL
Date: 2023-03-14T13:27:30Z
Author: Slawek Figiel

We log the raw URL of each request. It allows attackers to put any content in log files.
Probably, we can replace the `r.RequestURI` with `r.URL.RequestURI()`, sanitize the request method, and validate the logged IP address from the header.
[Source](https://github.com/isc-projects/stork/security/code-scanning/120)

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/985
Title: CodeQL: Disabled TLS verification for Postgres connections - false positive
Date: 2023-03-14T13:27:30Z
Author: Slawek Figiel

We disable the TLS certificate verification on Postgres connection depending on the CLI parameters - i.e., the user can specify to verify only the CA certificate or allow the untrusted certificates. The options fulfill the Postgres specification of connection parameters. The warnings generated by CodeQL are false positives.
Sources:
- https://github.com/isc-projects/stork/security/code-scanning/122
- https://github.com/isc-projects/stork/security/code-scanning/121

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/984
Title: CodeQL: Sensitive information in logs - false positive
Date: 2023-03-14T13:27:30Z
Author: Slawek Figiel

We print the autogenerated credentials (only when it's expected) using the logging library. CodeQL reports it as a bad practice.

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2718
Title: idempotent Option::unpack
Date: 2023-03-13T11:35:56Z
Author: Razvan Becheriu

While working at #1518, I have discovered that calling unpack multiple times on the same option will result in actually different end results.
This ticket should address this.

Milestone: outstanding
Assignee: Razvan Becheriu

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2520
Title: Change v6 vendor-class option definition.
Date: 2023-03-10T23:20:36Z
Author: Francis Dupont

The idea is to change the DHCPv6 vendor-class (code 16) definition from uint32 + binary into uint32 + tuple array. This has a lot of advantages **but is not backward compatible**. Note: if ISC DHCP allows arrays of records, for Kea the array flag for a record type means the last field is an array. Currently there is only one standard option using tuples.
Quoting RFC 8415 figures 28 and 29, the vendor-class option layout is:
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      OPTION_VENDOR_CLASS      |           option-len          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       enterprise-number                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
.                                                               .
.                       vendor-class-data                       .
.                             . . .                             .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
The vendor-class-data field is composed of a series of separate
items, each of which describes some characteristic of the client's
hardware configuration. Examples of vendor-class-data instances
might include the version of the operating system the client is
running or the amount of memory installed on the client.
Each instance of vendor-class-data is formatted as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
|       vendor-class-len        |          opaque-data          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
```

Milestone: outstanding

Issue: https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/8
Title: Unable to build Debian packages using the content in this repo
Date: 2023-03-10T19:29:32Z
Author: Kevin Fleming

I'm trying to build Kea packages locally, on an arm64 machine since I need packages for that architecture and they aren't available in the Cloudsmith repositories.
While this repo's description says it is 'private', it's not actually private so I decided to try to use it.
Unfortunately dropping the `debian` directory from this repository into a Kea source tree and then trying to build the packages failed, because the `debian` directory contains patches which cannot be applied to Kea 2.2.x sources.
Is this repository actively in use for building Kea packages?

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2762
Title: Lease user context processing can be made more consistent
Date: 2023-03-09T14:47:03Z
Author: Francis Dupont

For instance it is possible, using directly the API, to add a lease user context which is not a map: with SQL backends, trying to retrieve the lease throws, including in a returning collection method, without giving the address of the lease...

Milestone: next-stable-2.6

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2758
Title: Supplementing DHCP Offers with additional Options (like PXE / 66 and 67)
Date: 2023-03-09T14:40:53Z
Author: Hippie Hacker

Is there information on configuring Proxy DHCP with ISC Kea or DHCPD?
It is a useful feature when wanting to supplement an existing DHCP service and provide the required, but often not configured options 66 and 67.
The DHCP Proxy is used by services running from a laptop or phone connected to the local ethernet to assist in PXE bootstrapping network nodes without needing to configure the local DHCP service.
I couldn't find it in the docs for Kea or DHCPD, but DNSMasq seems to provide the most simple implementation for this use case.
DNSmasq provides configuration within the dhcp-range option:
From https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html :
> --dhcp-range=::,constructor:eth0
> The optional <mode> keyword may be static which tells dnsmasq to enable DHCP for the network specified, but not to dynamically allocate IP addresses: only hosts which have static addresses given via --dhcp-host or from /etc/ethers will be served. A static-only subnet with address all zeros may be used as a "catch-all" address to enable replies to all Information-request packets on a subnet which is provided with stateless DHCPv6, ie --dhcp-range=::,static
> For IPv4, the <mode> may be **proxy** in which case dnsmasq will provide proxy-DHCP on the specified subnet. (See --pxe-prompt and --pxe-service for details.)
From https://wiki.archlinux.org/title/dnsmasq#Proxy_DHCP
> Proxy DHCP
> In case there is already a DHCP server running on the network and you want to interoperate with it, dnsmasq can be set to behave as a "proxy DHCP", therefore only serving the #PXE server specific information to the client. This mode is only available with IPv4. Use the following syntax, providing the existing DHCP server address:
> dhcp-range=192.168.0.1,proxy
A full example configuration used to augment an existing DHCP service to supply kernel boot arguments to Raspberry Pis:
```
port=0
dhcp-range=192.168.1.0,proxy
pxe-service=0,"Raspberry Pi Boot"
enable-tftp
tftp-root=/tftpboot
```
The use case normally means responding with a second DHCP OFFER at the same time as the locally authoritative DHCP server, but including the following options (https://www.rfc-editor.org/rfc/rfc2132.html):
> 9.4 TFTP server name
> This option is used to identify a TFTP server when the 'sname' field
> in the DHCP header has been used for DHCP options.
> 9.5 Bootfile name
> This option is used to identify a bootfile when the 'file' field in
> the DHCP header has been used for DHCP options.

Milestone: outstanding

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2756
Title: Missing option to control mask size ipv6 address
Date: 2023-03-09T14:40:15Z
Author: heidarsig

According to https://www.ripe.net/publications/docs/ripe-690#4-1-1---64-prefix-from-a-dedicated-pool-of-ipv6-prefixes the recommended config is to assign a /64 address to the WAN interface and then a /56 PD behind it, but in Kea dhcp6 the option to control the size of the mask is missing for subnet/pool.

Milestone: outstanding

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2090
Title: Support for supersede together with dhcp-server-identifier
Date: 2023-03-08T19:10:29Z
Author: Veronique

We need to configure *dhcp-server-identifier* using the supersede hook but the server does not send an ACK. Instead it dropped the DHCP request complaining that "it contains a foreign server identifier".
Here is our configuration:
```
[...]
"client-classes": [
    {
        "name": "Windows",
        "user-context": {},
    },
    {
        "name": "Desktop",
        "user-context": {},
    },
[...]
"reservations": [
    {
        "hw-address": "aa:aa:aa:aa:aa:01",
        "ip-address": "111.111.111.111",
        "hostname": "client1",
        "client-classes": [
            "Desktop"
        ]
    },
    {
        "hw-address": "aa:aa:aa:aa:aa:02",
        "ip-address": "111.111.111.222",
        "hostname": "client2",
        "client-classes": [
            "Windows"
        ]
    },
[...]
"hooks-libraries": [
    {
        "library": "/usr/local/lib/kea/hooks/libdhcp_bootp.so",
        "parameters": {}
    },
    {
        "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so",
        "parameters": {}
    },
    {
        "library": "/usr/local/lib/kea/hooks/libdhcp_flex_option.so",
        "parameters": {
            "options": [
                {
                    "code": 54,
                    "supersede": "ifelse(substring(option[vendor-class-identifier].text, 0, 9) == 'PXEClient' and member('Desktop'), 'xx.xx.xx.xx', ifelse(substring(option[vendor-class-identifier].text, 0, 9) == 'PXEClient' and member('Windows'), 'yy.yy.yy.yy', 'zz.zz.zz.zz'))"
                }
            ]
        }
    }
],
```
Could this be supported in a coming release?
Knowing that we have 100's of 1000's of clients in each class, we cannot test on their MAC address in the class definition because it would generate a HUGE configuration file containing HUGE test expressions, so big that the validation takes hours to complete.

Milestone: outstanding

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2203
Title: Update doc about ways to get the config/build report
Date: 2023-03-08T09:40:04Z
Author: Francis Dupont

There are 2 or 3 ways to get the config/build report when the config.report file itself is not available:
- the -W command line argument
- a grep for ';;;;' on the extracted strings from the main binary
- when there is a control channel the build-report command
All have different constraints: the first requires running the binary, the second is more hairy but requires only access to the main binary, and the last requires a running binary but can be done remotely.
Unfortunately it seems this is not explained in the ARM for all Kea commands compiled from C++ so:
- the ARM must be updated
- each way should be checked (some failures were reported and fixed so do not assume they work)

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/1002
Title: Run demo on RHEL9
Date: 2023-03-07T14:32:28Z
Author: Tomek Mrugalski

@cstrotm reported building the demo on RHEL9 was really painful. We should:
- [ ] build the demo on fresh RHEL9
- [ ] update outdated dependencies (outdated docker-compose was mentioned, but there may be others)
- [ ] come up with a proposal how to run tests on RHEL9 (this may end up in a separate ticket)

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/dhcp/-/issues/32
Title: undefined symbols in libomapi
Date: 2023-03-07T09:15:20Z
Author: Enrico Scholz

**Describe the bug**
Calling `dhclient` fails here with
```
dhclient: symbol lookup error: /usr/lib/libomapi.so.0: undefined symbol: dns_rootname
```
This is caused by a combination of the `-Wl,-as-needed` and `-Wl,-no-add-needed` linker flags (although they sound similar, they have different semantics, and the latter is the default e.g. on Fedora).
Because code in `libomapi.so` uses functionality from `libdns` and other libraries, it should be linked against them.
I fixed it with [omapilibs.patch](/uploads/ff0ba07e0db378984318714d188972e0/omapilibs.patch)
```diff
Index: dhcp-4.4.1/omapip/Makefile.am.in
===================================================================
--- dhcp-4.4.1.orig/omapip/Makefile.am.in
+++ dhcp-4.4.1/omapip/Makefile.am.in
@@ -11,6 +11,10 @@ libomapi_@A@_SOURCES = protocol.c buffer
handle.c message.c convert.c hash.c auth.c inet_addr.c \
array.c trace.c toisc.c iscprint.c isclib.c
+libomapi_@A@_LIBADD = $(BINDLIBDNSDIR)/libdns.@A@ \
+ $(BINDLIBIRSDIR)/libirs.@A@ \
+ $(BINDLIBISCCFGDIR)/libisccfg.@A@
+
man_MANS = omapi.3
EXTRA_DIST = $(man_MANS)
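Review bot: the new `libomapi_@A@_LIBADD` names libdns, libirs and libisccfg but not libisc, even though `isclib.c` sits in the `libomapi_@A@_SOURCES` list shown in this hunk's context and the reported failure is libomapi.so carrying no recorded dependency on the BIND libraries it uses; if libomapi references any `isc_*` symbols, `libisc.@A@` should be appended as the last entry (under `-Wl,-as-needed` each library has to follow the objects that reference it, and the other three BIND libraries reference libisc). Also, since the edit is to `omapip/Makefile.am.in`, the generated Makefile.am and Makefile.in must be regenerated before the change takes effect.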
```
**Environment:**
- seen with OpenEmbedded `thud` (http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-connectivity/dhcp?h=thud)

Milestone: 4.5.0-beta

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/3920
Title: dnstap logging does not log "opening dnstap destination" to the dnstap channel
Date: 2023-03-05T16:01:59Z
Author: Jeremy Reed
### Summary
I have a category dnstap setup and I get the "closing dnstap" logged to my dnstap channel. But the logging of "opening dnstap destination ..." did not go to my dnstap channel but to my default (syslog).
I am using dnstap to a unix domain socket. It works fine. I have a dnstap channel and category setup. I get the "closing dnstap" logged as expected at named shutdown.
### BIND version used
BIND 9.18.13-dev (Extended Support Version) <id:3e46baa>
But I also see that this happened in another version. See https://www.mail-archive.com/bind-users@lists.isc.org/msg30000.html which says "I would have expected to see logged in /var/opt/isc/scls/isc-bind/log/named/dnstap" and "... I can't seem to get any more information out other than the single message about "closing dnstap"."
### What is the expected *correct* behavior?
The ./lib/dns/dnstap.c appears to show that the "opening dnstap destination ..." is to be logged the same as the "closing" message. Does this mean the dns_dt_create() happens before the (not-dnstap) logging subsystem is enabled?

Milestone: Not planned

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/3919
Title: Test RRSIG churn on large zones
Date: 2023-03-03T15:06:25Z
Author: Petr Špaček <pspacek@isc.org>

Observation
===========
Large zones (on the order of 10 M RRs) need RRSIG inception and expiration times to be spread out evenly so resigning does not cause CPUs and zone transfers to explode at a single point in time. Spreading resigning then causes a non-negligible sustained update rate, and that reportedly is or was a problem for some providers.
Inspired by https://indico.dns-oarc.net/event/46/contributions/979/
Test ideas
==========
Impact of ongoing resigning on:
- [ ] AXFR
- [ ] IXFR
- [ ] journal maintenance
- [ ] query latency?
I guess, if nothing else, `fsync()` and journal compaction might cause some mess.

Issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/3918
Title: Add tests for ultra-complex NSEC(3) proofs
Date: 2023-03-03T15:02:10Z
Author: Petr Špaček <pspacek@isc.org>

This is essentially a list of ideas for tests from DNS-OARC 40.
Check NSEC(3) proofs returned by auth, plus also the ability to validate these.
- Chain of CNAME/DNAME alternating between zones on the same box
- Mix of NSEC/NSEC3/unsigned zones in the chain
- Wildcards in the mix
- Zone with wildcard and opt-out enabled for the LOLz?
Does forwarding change anything related to validation (the process how we gather data)?
Inspiration: https://indico.dns-oarc.net/event/46/contributions/979/ slides 17, 21, 22

Issue: https://gitlab.isc.org/isc-projects/stork/-/issues/754
Title: Clone subnet command
Date: 2023-03-03T13:20:48Z
Author: Peter Davies

Clone subnet command:
Creating many subnets where the basic structure is similar to other subnets, for example the subnet-mask, position of default router, pool structure etc., can be time-consuming and subject to error.
It would be helpful if one were able to create a subnet based on an existing subnet or a subnet template giving the new subnet address as a parameter. This request also encompasses the cloning of local host reservations.
refers to RT [#16773](https://support.isc.org/Ticket/Display.html?id=16773)

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/2670
Title: renew-timer and rebind-timer in client classes
Date: 2023-03-03T11:49:51Z
Author: Peter Davies

For some users, it may be useful to be able to define "renew-timer" and "rebind-timer" within client class definitions.
[RT #21543](https://support.isc.org/Ticket/Display.html?id=21543)

Milestone: backlog

Issue: https://gitlab.isc.org/isc-projects/kea/-/issues/323
Title: Warning message "the interface x is down" is incomplete. (GH#95)
Date: 2023-03-03T08:52:38Z
Author: Vicky Risk <vicky@isc.org>

<This was first reported as Github issue #95, by brubbel, on July 19, 2018>
(Note: This was tested on Kea 1.1.0, but I see that this issue is still present in the latest 1.4.0 version.)
At startup, Kea may produce the following warning message:
DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: the interface x is down or has no usable IPv4 addresses configured
I checked interface x of course, but it was [UP] and had an IPv4 address assigned.
It turns out (from reading the source) that Kea expects interface x also being in the [RUNNING] state.
I suggest changing the warning message into "has no usable IPv4 address or is missing flags [UP] and/or [RUNNING]."
As a related question: why does isc-dhcp allow and kea-dhcp does not allow starting a server on an interface without the IFF_RUNNING flag set?
In any case, Kea 1.1.0 does not work when the interface is not [RUNNING] when it was started, even when it becomes [RUNNING] afterwards. When the state goes from running->not running->running: all ok.

Milestone: backlog