- 05 Sep, 2018 1 commit
  - Ondřej Surý authored
    (cherry picked from commit 94a1c853)
- 03 Sep, 2018 1 commit
  - Ondřej Surý authored
    Bail out early in the for install loops instead of continuing, because for masks the error in the middle.
- 28 Aug, 2018 3 commits
  - Witold Krecicki authored
    rndc reconfig should not touch already loaded zones; some refactoring of dns_{zone,view,zt}_{async,}load.
  - Ondřej Surý authored
  - Ondřej Surý authored
- 14 Aug, 2018 1 commit
  - Evan Hunt authored
    - Added new 'validate-except' option, which configures an NTA with an expiry of 0xffffffff. NTAs with that value in the expiry field do not expire, are not written out when saving the NTA table, and are not dumped by rndc secroots.
- 08 Aug, 2018 2 commits
  - Ondřej Surý authored
  - Ondřej Surý authored
- 19 Jul, 2018 1 commit
  - Ondřej Surý authored
- 11 Jul, 2018 1 commit
  - Mark Andrews authored
- 10 Jul, 2018 2 commits
  - Michał Kępień authored
    Since idn_output_filter() no longer uses its 'absolute' argument and no other callback is used with dns_name_settotextfilter(), remove the 'absolute' argument from the dns_name_totextfilter_t prototype.
  - Mark Andrews authored
    The presence of a DNAME record proves that the name does not exist in the zone, but as we don't want to use that for NXDOMAIN, return DNS_R_DNAME from dns_nsec_noexistnodata.
- 03 Jul, 2018 1 commit
  - Michał Kępień authored
    Since BIND libraries are no longer considered public and dns_rdataslab_tordataset() is not used anywhere in the tree, remove the latter and its associated dns_rdatasetmethods_t callbacks from lib/dns/rdataslab.c.
- 28 Jun, 2018 5 commits
  - Michał Kępień authored
    If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
  - Michał Kępień authored
    Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses. No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
  - Michał Kępień authored
    Add a function for determining whether the supplied version of a mirror zone passes DNSSEC validation and is signed using a trusted key. Define a new libdns result signifying a zone verification failure.
  - Michał Kępień authored
    Extend check_dnskey_sigs() so that, if requested, it checks whether the DNSKEY RRset at zone apex is signed by at least one trust anchor. The trust anchor table is passed as an argument to dns_zoneverify_dnssec() and passed around in the verification context structure. Neither dnssec-signzone nor dnssec-verify are yet modified to make use of that feature, though.
  - Michał Kępień authored
    Add a new slave-only boolean configuration option, "mirror", along with its corresponding dns_zoneopt_t enum and a helper function for checking whether that option was set for a given zone. This commit does not introduce any behavior changes yet.
- 15 Jun, 2018 5 commits
  - Michał Kępień authored
    Since exit() is no longer called upon any dns_zoneverify_dnssec() error, verification failures should be signalled to callers. Make dns_zoneverify_dnssec() return an isc_result_t and handle both success and error appropriately in bin/dnssec/dnssec-signzone.c and bin/dnssec/dnssec-verify.c. This enables memory leak detection during shutdown of these tools and causes dnssec-signzone to print signing statistics even when zone verification fails.
  - Michał Kępień authored
    These functions will be used in the process of replacing fatal(), check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with code that does not call exit(). They are intended for:
    - zoneverify_log_error(): logging problems encountered while performing zone verification,
    - zoneverify_print(): printing status messages and reports which are only useful in standalone tools.
    To make using dns_zone_logv() possible, add a new "zone" argument to dns_zoneverify_dnssec() that standalone tools are expected to set to NULL.
  - Michał Kępień authored
    This makes the function's name match the naming convention used for libdns functions.
  - Michał Kępień authored
    This commit only moves code around, with the following exceptions:
    - the check_dns_dbiterator_current() macro and functions is_delegation() and has_dname() were removed from bin/dnssec/dnssectool.{c,h} and duplicated in two locations: bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these functions are used both by the code in bin/dnssec/dnssec-signzone.c and verifyzone(), but are not a good fit for being exported by a code module responsible for zone verification,
    - fatal() and check_result() were duplicated in lib/dns/zoneverify.c as static functions which do not use the "program" variable any more (as it is only set by the tools in bin/dnssec/); this is a temporary step which only aims to prevent compilation from breaking; these duplicate functions will be removed once lib/dns/zoneverify.c is refactored not to use them,
    - the list of header files included by lib/dns/zoneverify.c was expanded to encompass all header files that are actually used by the code in that file,
    - a description of the purpose of the commented out "fields" inside struct nsec3_chain_fixed was added.
  - Mark Andrews authored
- 12 Jun, 2018 4 commits
  - Witold Krecicki authored
  - Evan Hunt authored
  - Witold Krecicki authored
    - make qname-minimization option tristate {strict,relaxed,disabled}
    - go straight for the record if we hit NXDOMAIN in relaxed mode
    - go straight for the record after 3 labels without new delegation or 7 labels total
    - use start of fetch (and not time of response) as 'now' time for querying cache for zonecut when following delegation.
  - Witold Krecicki authored
- 11 Jun, 2018 1 commit
  - Michał Kępień authored
    Add a new libdns function, dns_zone_logv(), which takes a single va_list argument rather than a variable number of arguments and can be used as a base for implementing more specific zone logging functions.
- 05 Jun, 2018 2 commits
  - Ondřej Surý authored
  - Tony Finch authored
    It is very verbose, so it is useful to be able to filter it out.
- 25 May, 2018 2 commits
  - Evan Hunt authored
    - This was a compile time option to disable the use of a hash table in the RBTDB. The code path without the hash table was buggy and untested, and unlikely to be needed by anyone anyway.
  - Evan Hunt authored
    - mark the 'geoip-use-ecs' option obsolete; warn when it is used in named.conf
    - prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error since simply ignoring the tags could make ACLs behave unpredictably
    - re-simplify the radix and iptable code
    - clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed() and dns_geoip_match() so they no longer take ecs options
    - remove the ECS-specific unit and system test cases
    - remove references to ECS from the ARM
- 18 May, 2018 1 commit
  - Mukund Sivaraman authored
    Also, use variable names consistent with catz for rpz configuration functions.
- 16 May, 2018 1 commit
  - Ondřej Surý authored
    The three functions have been modeled after the arc4random family of functions, and they will always return random bytes. The isc_random family of functions internally uses these CSPRNGs (if available):
    1. getrandom() libc call (might be available on Linux and Solaris)
    2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
    3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
    4. crypto library function:
       4a. RAND_bytes in case of OpenSSL
       4b. pkcs_C_GenerateRandom() in case of a PKCS#11 library
- 11 May, 2018 1 commit
  - Ondřej Surý authored
- 03 May, 2018 1 commit
  - Evan Hunt authored
- 20 Apr, 2018 3 commits
- 18 Apr, 2018 1 commit
  - Mark Andrews authored