1. 28 Jul, 2020 1 commit
  2. 23 Jul, 2020 1 commit
  3. 16 Jul, 2020 1 commit
      rewrite statschannel to use netmgr · 69c1ee1c
      Evan Hunt authored
      modify isc_httpd to use the network manager instead of the
      isc_socket API.
      
      also cleaned up bin/named/statschannel.c to use CHECK.
  4. 14 Jul, 2020 1 commit
      Fix re-signing when `sig-validity-interval` has two arguments · 030674b2
      Tony Finch authored
      Since October 2019 I have had complaints from `dnssec-cds` reporting
      that the signatures on some of my test zones had expired. These were
      zones signed by BIND 9.15 or 9.17, with a DNSKEY TTL of 24h and
      `sig-validity-interval 10 8`.
      
      This is the same setup we have used for our production zones since
      2015, which is intended to re-sign the zones every 2 days, keeping
      at least 8 days signature validity. The SOA expire interval is 7
      days, so even in the presence of zone transfer problems, no-one
      should ever see expired signatures. (These timers are a bit too
      tight to be completely correct, because I should have increased
      the expiry timers when I increased the DNSKEY TTLs from 1h to 24h.
      But that should only matter when zone transfers are broken, which
      was not the case for the error reports that led to this patch.)
      
      For example, this morning my test zone contained:
      
              dev.dns.cam.ac.uk. 86400 IN RRSIG DNSKEY 13 5 86400 (
                                      20200701221418 20200621213022 ...)
      
      But one of my resolvers had cached:
      
              dev.dns.cam.ac.uk. 21424 IN RRSIG DNSKEY 13 5 86400 (
                                      20200622063022 20200612061136 ...)
      
      This TTL was captured at 20200622105807 so the resolver cached the
      RRset 64976 seconds previously (18h02m56s), at 20200621165511
      only about 12h before expiry.
      
      The other symptom of this error was incorrect `resign` times in
      the output from `rndc zonestatus`.
      
      For example, I have configured a test zone
      
              zone fast.dotat.at {
                      file "../u/z/fast.dotat.at";
                      type primary;
                      auto-dnssec maintain;
                      sig-validity-interval 500 499;
              };
      
      The zone is reset to a minimal zone containing only SOA and NS
      records, and when `named` starts it loads and signs the zone. After
      that, `rndc zonestatus` reports:
      
              next resign node: fast.dotat.at/NS
              next resign time: Fri, 28 May 2021 12:48:47 GMT
      
      The resign time should be within the next 24h, but instead it is
      near the signature expiry time, which the RRSIG(NS) says is
      20210618074847. (Note 499 hours is a bit more than 20 days.)
      May/June 2021 is less than 500 days from now because expiry time
      jitter is applied to the NS records.
      
      Using this test I bisected this bug to 09990672 which contained a
      mistake leading to the resigning interval always being calculated in
      hours, when days are expected.
      
      This bug only occurs for configurations that use the two-argument form
      of `sig-validity-interval`.
  5. 13 Jul, 2020 7 commits
      purge pending command events when shutting down · 29dcdeba
      Evan Hunt authored
      When we're shutting the system down via "rndc stop" or "rndc halt",
      or reconfiguring the control channel, there are potential shutdown
      races between the server task and network manager.  These are addressed by:
      
      - purging any pending command tasks when shutting down the control channel
      - adding an extra handle reference before the command handler to
        ensure the handle can't be deleted out from under us before calling
        command_respond()
      use an isc_task to execute rndc commands · 45ab0603
      Evan Hunt authored
      - using an isc_task to execute all rndc functions makes it relatively
        simple for them to acquire task exclusive mode when needed
      - control_recvmessage() has been separated into two functions,
        control_recvmessage() and control_respond(). the respond function
        can be called immediately from control_recvmessage() when processing
        a nonce, or it can be called after returning from the task event
        that ran the rndc command function.
      convert rndc and control channel to use netmgr · 3551d3ff
      Evan Hunt authored
      - updated libisccc to use netmgr events
      - updated rndc to use isc_nm_tcpconnect() to establish connections
      - updated control channel to use isc_nm_listentcp()
      
      open issues:
      
      - the control channel timeout was previously 60 seconds, but it is now
        overridden by the TCP idle timeout setting, which defaults to 30
        seconds. we should add a function that sets the timeout value for
        a specific listener socket, instead of always using the global value
        set in the netmgr. (for the moment, since 30 seconds is a reasonable
        timeout for the control channel, I'm not prioritizing this.)
      - the netmgr currently has no support for UNIX-domain sockets; until
        this is addressed, it will not be possible to configure rndc to use
        them. we will need to either fix this or document the change in
        behavior.
      don't use exclusive mode for rndc commands that don't need it · 002c3284
      Evan Hunt authored
      "showzone" and "tsig-list" both used exclusive mode unnecessarily;
      changing this will simplify future refactoring a bit.
      style cleanup · 0580d9cd
      Evan Hunt authored
      clean up style in rndc and the control channel in preparation for
      changing them to use the new network manager.
      make sure new_zone_lock is locked before unlocking it · ed37c63e
      Evan Hunt authored
      it was possible for the count_newzones() function to try to
      unlock view->new_zone_lock on return before locking it, which
      caused a crash on shutdown.
      Fallback to built in trust-anchors, managed-keys, or trusted-keys · d02a14c7
      Mark Andrews authored
      if the bind.keys file cannot be parsed.
  6. 12 Jul, 2020 1 commit
  7. 10 Jul, 2020 1 commit
      Fix locking for LMDB 0.9.26 · 53120279
      Michał Kępień authored
      When "rndc reconfig" is run, named first configures a fresh set of views
      and then tears down the old views.  Consider what happens for a single
      view with LMDB enabled; "envA" is the pointer to the LMDB environment
      used by the original/old version of the view, "envB" is the pointer to
      the same LMDB environment used by the new version of that view:
      
       1. mdb_env_open(envA) is called when the view is first created.
       2. "rndc reconfig" is called.
       3. mdb_env_open(envB) is called for the new instance of the view.
       4. mdb_env_close(envA) is called for the old instance of the view.
      
      This seems to have worked so far.  However, an upstream change [1] in
      LMDB which will be part of its 0.9.26 release prevents the above
      sequence of calls from working as intended because the locktable mutexes
      will now get destroyed by the mdb_env_close() call in step 4 above,
      causing any subsequent mdb_txn_begin() calls to fail (because all of the
      above steps are happening within a single named process).
      
      Preventing the above scenario from happening would require either
      redesigning the way we use LMDB in BIND, which is not something we can
      easily backport, or redesigning the way BIND carries out its
      reconfiguration process, which would be an even more severe change.
      
      To work around the problem, set MDB_NOLOCK when calling mdb_env_open()
      to stop LMDB from controlling concurrent access to the database and do
      the necessary locking in named instead.  Reuse the view->new_zone_lock
      mutex for this purpose to prevent the need for modifying struct dns_view
      (which would necessitate library API version bumps).  Drop use of
      MDB_NOTLS as it is made redundant by MDB_NOLOCK: MDB_NOTLS only affects
      where LMDB reader locktable slots are stored while MDB_NOLOCK prevents
      the reader locktable from being used altogether.
      
      [1] https://git.openldap.org/openldap/openldap/-/commit/2fd44e325195ae81664eb5dc36e7d265927c5ebc
  8. 06 Jul, 2020 2 commits
  9. 03 Jul, 2020 1 commit
      Increase "rndc dnssec -status" output size · 9347e7db
      Matthijs Mekking authored
      BUFSIZ (512 bytes on Windows) may not be enough to fit the status of a
      DNSSEC policy and three DNSSEC keys.
      
      Set the size of the relevant buffer to a hardcoded value of 4096 bytes,
      which should be enough for most scenarios.
  10. 02 Jul, 2020 2 commits
      Text edits to manual pages · 78af7e54
      Suzanne Goldlust authored
      This commit updates the wording in the following man pages:
      
      * ddns-confgen.rst
      * delv.rst
      * dig.rst
      * dnssec-dsfromkey.rst
      * dnssec-importkey.rst
      * dnssec-keyfromlabel.rst
      * dnssec-keygen.rst
      * dnssec-revoke.rst
      * dnssec-settime.rst
      * dnssec-signzone.rst
      * dnssec-verify.rst
      * dnstap-read.rst
      * filter-aaaa.rst
      * host.rst
      * mdig.rst
      * named-checkconf.rst
      * named-checkzone.rst
      * named-nzd2nzf.rst
      * named.conf.rst
      * named.rst
      * nsec3hash.rst
      * nsupdate.rst
      * pkcs11-destroy.rst
      * pkcs11-keygen.rst
      * pkcs11-list.rst
      * pkcs11-tokens.rst
      * rndc-confgen.rst
      * rndc.rst
  11. 01 Jul, 2020 5 commits
  12. 30 Jun, 2020 2 commits
      Output rndc dnssec -status · 19ce9ec1
      Matthijs Mekking authored
      Implement the 'rndc dnssec -status' command that will output
      some information about the key states, such as which policy is
      used for the zone, what keys are in use, and when rollover is
      scheduled.
      
      Add loose testing in the kasp system test, the actual times are
      already tested via key file inspection.
      Implement dummy 'rndc dnssec -status' command · e1ba1bea
      Matthijs Mekking authored
      Add the code and documentation required to provide DNSSEC signing
      status through rndc.  This does not yet show any useful information,
      just provide the command that will output some dummy string.
  13. 24 Jun, 2020 1 commit
  14. 22 Jun, 2020 1 commit
  15. 11 Jun, 2020 1 commit
      The dsset returned by dns_keynode_dsset needs to be thread safe. · e5b2eca1
      Mark Andrews authored
      - clone keynode->dsset rather than return a pointer so that thread
        use is independent of each other.
      - hold a reference to the dsset (keynode) so it can't be deleted
        while in use.
      - create a new keynode when removing DS records so that dangling
        pointers to the deleted records will not occur.
      - use a rwlock when accessing the rdatalist to prevent instabilities
        when DS records are added.
  16. 05 Jun, 2020 1 commit
      Fix "make dist" · 5bbc6dd7
      Michal Nowak authored
      Make various adjustments necessary to enable "make dist" to build a BIND
      source tarball whose contents are complete enough to build binaries, run
      unit & system tests, and generate documentation on Unix systems.
      
      Known outstanding issues:
      
        - "make distcheck" does not work yet.
        - Tests do not work for out-of-tree source-tarball-based builds.
        - Source tarballs are not complete enough for building on Windows.
      
      All of the above will be addressed in due course.
  17. 04 Jun, 2020 1 commit
  18. 03 Jun, 2020 1 commit
      Reduce the default value for max-stale-ttl from 1 week to 12 hours · 13fd3ecf
      Ondřej Surý authored
      Originally, the default value for max-stale-ttl was 1 week, which could
      and in some scenarios lead to cache exhaustion on busy resolvers.
      Picking the default value will always be juggling between a value that's
      useful (e.g. keeping the already cached records after they have already
      expired and the upstream name servers are down) and not bloating the
      cache too much (e.g. keeping everything for a very long time).  The new
      default reflects what we think is a reasonable time to react on both
      sides (upstream authoritative and downstream recursive).
  19. 01 Jun, 2020 2 commits
  20. 29 May, 2020 1 commit
  21. 28 May, 2020 3 commits
  22. 25 May, 2020 3 commits