1. 16 Jun, 2021 12 commits
  2. 15 Jun, 2021 2 commits
    • Merge branch... · f035a22c
      Mark Andrews authored
      Merge branch '2739-threadsanitizer-data-race-lib-isc-task-c-435-in-task_send-unprotected-access-to-task-threadid' into 'main'
      
      Resolve "ThreadSanitizer: data race lib/isc/task.c:435 in task_send (unprotected access to `task->threadid`)"
      
      Closes #2739
      
      See merge request !5149
    • Lock access to task->threadid · 234ad2d0
      Mark Andrews authored
  3. 14 Jun, 2021 8 commits
    • Merge branch 'artem/dig-large-doh-responses-support' into 'main' · 8d36cac8
      Artem Boldariev authored
      Fix BIND and dig to support large DNS messages over DoH, disable XFRs over DoH
      
      See merge request !5148
    • CHANGES · f8caebe1
      Evan Hunt authored
      Mention that XFRs over DoH are explicitly disabled for now.
    • Set sock->iface and sock->peer properly for layered connection types · ccd2267b
      Artem Boldariev authored
      This change sets the mentioned fields properly and gets rid of kludges
      added in the times when we were keeping pointers to isc_sockaddr_t
      instead of copies. Among other things it helps to avoid a situation
      when garbage instead of an address appears in dig output.
    • Make BIND refuse to serve XFRs over DoH · b84fa122
      Artem Boldariev authored
      We cannot use DoH for zone transfers.  According to RFC8484 a DoH
      request contains exactly one DNS message (see Section 6: Definition of
      the "application/dns-message" Media Type,
      https://datatracker.ietf.org/doc/html/rfc8484#section-6).  This makes
      DoH unsuitable for zone transfers as often (and usually!) these need
      more than one DNS message, especially for larger zones.
      
      As zone transfers over DoH are not (yet) standardised, nor discussed
      in RFC8484, the best thing we can do is to return "not implemented."
      
      Technically DoH can be used to transfer small zones which fit in one
      message, but that is not enough for the generic case.
      
      Also, this commit makes the server-side DoH code ensure that no
      multiple responses could be attempted to be sent over one HTTP/2
      stream. In HTTP/2 one stream is mapped to one request/response
      transaction. Now the write callback will be called with failure error
      code in such a case.
    • Pass an HTTP handle to the read callback when finishing a stream · 009752ca
      Artem Boldariev authored
      This commit fixes a leftover from an earlier version of the client-side
      DoH code when the underlying transport handle was used directly.
    • Fix a crash in the client-side DoH code (header processing callback) · d5d20ceb
      Artem Boldariev authored
      Support a situation in header processing callback when client side
      code could receive a belated response or part of it. That could
      happen when the HTTP/2 session was already closed, but there were some
      response data from server in flight. Other client-side nghttp2
      callbacks code already handled this case.
      
      The bug became apparent after HTTP/2 write buffering was supported,
      leading to rare unit test failures.
    • Nullify connect.cstream in time and keep track of all client streams · 2dfc0d9a
      Artem Boldariev authored
      This commit ensures that sock->h2.connect.cstream gets nullified when
      the object in question is deleted. This fixes a nasty crash in dig
      exposed when receiving large responses leading to double free()ing.
      
      Also, it refactors how the client-side code keeps track of client
      streams, (hopefully) preventing similar errors from appearing in the
      future.
    • Fix BIND to serve large HTTP responses · 5b507c11
      Artem Boldariev authored
      This commit makes the NM code report HTTP as a stream protocol. This
      makes it possible to handle large responses properly. Like:
      
      dig +https @127.0.0.1 A cmts1-dhcp.longlines.com
  4. 13 Jun, 2021 2 commits
  5. 12 Jun, 2021 1 commit
  6. 10 Jun, 2021 9 commits
    • Merge branch '2759-fix-no-ds-proofs-for-wildcard-cname-delegations' into 'main' · e5673b89
      Michał Kępień authored
      Fix "no DS" proofs for wildcard+CNAME delegations
      
      Closes #2759
      
      See merge request !5155
    • Add release note · 16708682
      Michał Kępień authored
    • Add CHANGES entry · c223d816
      Michał Kępień authored
    • Fix "no DS" proofs for wildcard+CNAME delegations · 7a87bf46
      Michał Kępień authored
      When answering a query requires wildcard expansion, the AUTHORITY
      section of the response needs to include NSEC(3) record(s) proving that
      the QNAME does not exist.
      
      When a response to a query is an insecure delegation, the AUTHORITY
      section needs to include an NSEC(3) proof that no DS record exists at
      the parent side of the zone cut.
      
      These two conditions combined trip up the NSEC part of the logic
      contained in query_addds(), which expects the NS RRset to be owned by
      the first name found in the AUTHORITY section of a delegation response.
      This may not always be true, for example if wildcard expansion causes an
      NSEC record proving QNAME nonexistence to be added to the AUTHORITY
      section before the delegation is added to the response.  In such a case,
      named incorrectly omits the NSEC record proving nonexistence of QNAME
      from the AUTHORITY section.
      
      The same block of code is affected by another flaw: if the same NSEC
      record proves nonexistence of both the QNAME and the DS record at the
      parent side of the zone cut, this NSEC record will be added to the
      AUTHORITY section twice.
      
      Fix by looking for the NS RRset in the entire AUTHORITY section and
      adding the NSEC record to the delegation using query_addrrset() (which
      handles duplicate RRset detection).
    • Add AUTHORITY tests for CNAME-sourced delegations · 26ec4b9a
      Michał Kępień authored
      Add a set of system tests which check the contents of the AUTHORITY
      section for signed, insecure delegation responses constructed from CNAME
      records and wildcards, both for zones using NSEC and NSEC3.
    • Merge branch 'michal/fix-the-variable-checked-by-a-post-load-assertion' into 'main' · 439efc6e
      Michał Kępień authored
      Fix the variable checked by a post-load assertion
      
      See merge request !5164
    • Fix the variable checked by a post-load assertion · 098639dc
      Mark Andrews authored
      Instead of checking the value of the variable modified two lines earlier
      (the number of SOA records present at the apex of the old version of the
      zone), one of the RUNTIME_CHECK() assertions in zone_postload() checks
      the number of SOA records present at the apex of the new version of the
      zone, which is already checked before.  Fix the assertion by making it
      check the correct variable.
    • Merge branch 'michal/update-release-checklist' into 'main' · 9ec886bc
      Michał Kępień authored
      Update release checklist
      
      See merge request !5165
    • Update release checklist · d0886bd9
      Michał Kępień authored
      Add two items to the release checklist to ensure that the start and the
      end of the code freeze for each release cycle are announced on
      Mattermost.
  7. 09 Jun, 2021 6 commits
    • Merge branch '2760-db-unit-test-failure' into 'main' · b3ef4512
      Mark Andrews authored
      Resolve "db unit test failure"
      
      Closes #2760
      
      See merge request !5156
    • Adjust acceptable count values · 2bc454dc
      Mark Andrews authored
      usleep(100000) can be slightly less than 10ms so allow the count
      to reach 11.
    • Merge branch... · efacee3d
      Mark Andrews authored
      Merge branch '2720-threadsanitizer-data-race-lib-isc-unix-time-c-110-in-isc_time_isepoch' into 'main'
      
      Resolve "ThreadSanitizer: data race lib/isc/unix/time.c:110 in isc_time_isepoch"
      
      Closes #2720
      
      See merge request !5124
    • Address race between zone_settimer and set_key_expiry_warning by · 3d66e97a
      Mark Andrews authored
      adding missing lock.
      
          WARNING: ThreadSanitizer: data race
          Read of size 4 at 0x000000000001 by thread T1 (mutexes: read M1, write M2):
          #0 isc_time_isepoch lib/isc/unix/time.c:110
          #1 zone_settimer lib/dns/zone.c:14649
          #2 dns_zone_maintenance lib/dns/zone.c:6281
          #3 dns_zonemgr_forcemaint lib/dns/zone.c:18190
          #4 view_loaded server.c:9654
          #5 call_loaddone lib/dns/zt.c:301
          #6 doneloading lib/dns/zt.c:575
          #7 zone_asyncload lib/dns/zone.c:2259
          #8 task_run lib/isc/task.c:845
          #9 isc_task_run lib/isc/task.c:938
          #10 isc__nm_async_task lib/isc/netmgr/netmgr.c:855
          #11 process_netievent lib/isc/netmgr/netmgr.c:934
          #12 process_queue lib/isc/netmgr/netmgr.c:1003
          #13 process_all_queues lib/isc/netmgr/netmgr.c:775
          #14 async_cb lib/isc/netmgr/netmgr.c:804
          #15 <null> <null>
          #16 isc__trampoline_run lib/isc/trampoline.c:191
          #17 <null> <null>
      
          Previous write of size 4 at 0x000000000001 by thread T2:
          #0 isc_time_set lib/isc/unix/time.c:93
          #1 set_key_expiry_warning lib/dns/zone.c:6430
          #2 del_sigs lib/dns/zone.c:6711
          #3 zone_resigninc lib/dns/zone.c:7113
          #4 zone_maintenance lib/dns/zone.c:11111
          #5 zone_timer lib/dns/zone.c:14588
          #6 task_run lib/isc/task.c:845
          #7 isc_task_run lib/isc/task.c:938
          #8 isc__nm_async_task lib/isc/netmgr/netmgr.c:855
          #9 process_netievent lib/isc/netmgr/netmgr.c:934
          #10 process_queue lib/isc/netmgr/netmgr.c:1003
          #11 process_all_queues lib/isc/netmgr/netmgr.c:775
          #12 async_cb lib/isc/netmgr/netmgr.c:804
          #13 <null> <null>
          #14 isc__trampoline_run lib/isc/trampoline.c:191
          #15 <null> <null>
      
          SUMMARY: ThreadSanitizer: data race lib/isc/unix/time.c:110 in isc_time_isepoch
    • Merge branch '2690-remove-windows-support-for-bind-9-17-9-18' into 'main' · 0f47ad87
      Ondřej Surý authored
      Completely remove BIND 9 Windows support
      
      Closes #2690
      
      See merge request !5073
    • Add CHANGES and release note for GL #2690 · 0b5f205b
      Ondřej Surý authored