GitLab

Ondřej Surý authored Sep 24, 2021 and Michał Kępień committed Oct 11, 2021

The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>.  This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.

Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.

Resolve "Large number of small zones in `map` format cannot be loaded"

See merge request !5398

[v9_16] Fix catalog zones configuration syntax in the ARM

See merge request !5459

The 55636ab5 commit made some changes in the reference manual
regarding catalog zones which do not actually correspond to reality
for the v9_16 branch.

This commit reverts those changes.

Increase the number of file descriptors available

See merge request !5462

The 'listenlist_test', 'notify_test', and 'query_test' tests failed
when the descriptor limit was 256 on MacOS 11.6 with 8 cpus. On the
test platform the limit needed to be increased to ~400.  Increase
the limit to at least 1024 to give some head room.

(cherry picked from commit 877f52b7)

[v9_16] Handle a missing zone when reloading a catalog zone

See merge request !5454

(cherry picked from commit 3edaa0bd)

Previously a missing/deleted zone which was referenced by a catalog
zone was causing a crash when doing a reload.

This commit will make `named` to ignore the fact that the zone is
missing, and make sure to restore it later on.

(cherry picked from commit 94a57128)

Pause the dbiterator before calling dns_db_find

See merge request !5450

Mark Andrews authored Sep 17, 2021 and Ondřej Surý committed Sep 29, 2021

(cherry picked from commit c04bce27)

Mark Andrews authored Sep 17, 2021 and Ondřej Surý committed Sep 29, 2021

zone.c:integrity_checks() acquires a read lock while iterating the
zone database, and calls zone_check_mx() which acquires another
read lock. If another thread tries to acquire a write lock in the
meantime, it can deadlock. Calling dns_dbiterator_pause() to release
the first read lock prevents this.

(cherry picked from commit 4e1faa35)

Merge branch '2911-9-16-21-regression-legacy-check-names-configuration-does-not-work-anymore-v9_16' into 'v9_16'

Fix "check-names master" and "check-names slave"

See merge request !5448

(cherry picked from commit 14249ce9)

(cherry picked from commit 0b0d400d)

(cherry picked from commit 9107c8ca)

check for type "master" / "slave" at the same time as checking
for "primary" / "secondary" as we step through the maps.

Checking "primary" then "master" or "master" then "primary" does
not work as the synomym is not checked for to stop the search.
Similarly with "secondary" and "slave".

(cherry picked from commit a3c6516a)

Address use before NULL check warning of uvreq

See merge request !5445

move deference of obj to after NULL check

(cherry picked from commit 06a69e03)

Reorder REQUIRE checks to ensure ievent->sock is checked earlier

(cherry picked from commit 8fc9bb8e)

move dereference of uvreq until the after NULL check.

(cherry picked from commit 7079829b)

Preserve dig results in case of test failure

See merge request !5441

(cherry picked from commit 96b7421f)

The s stands for security (9.16)

See merge request !5439

The "zone-max-ttl" option inside a "dnssec-policy" is not used to cap
the TTLs in a zone, only yo calculate key rollover timings.

(cherry picked from commit 4e3ba816)

Apparently it is confusing that you don't specify a specific salt,
but a salt length.

(cherry picked from commit 9ddc23b2)

So "hardware security modules" not "hardware service modules"

(cherry picked from commit a73a0783)

Add python3.8 to the autoconf search list

See merge request !5434

It was discovered that FreeBSD doesn't setup alias from default
Python version neither to python3 nor python, and thus the configure
step would fail to find working python installation.

Fix has->have typo in DLZ drivers deprecation message

See merge request !5433

We fixed the CHANGES and release notes and missed this one.

Add deprecation warning about DLZ drivers

See merge request !5430

DLZ drivers are going to be removed from the next major BIND 9 release,
this commit adds a deprecation warning to inform the users about the
need to migrate to DLZ modules.

Mark the masterfile-format type 'map' as deprecated

See merge request !5423

(cherry picked from commit c5180369)

Add tests that check that masterfile-format map generate deprecation
warning and mastefile-formats text and raw doesn't.

(cherry picked from commit f4e6348f)

The map masterfile-format is very fragile and it needs API bump every
time a RBTDB data structures changes.  Also while testing it, we found
out that files larger than 2GB weren't loading and nobody noticed, and
loading many map files were also failing (subject to kernel limits).

Thus we are marking the masterfile-format type 'map' as deprecated and
to be removed in the next stable BIND 9 release.

(cherry picked from commit 6b7a488c)

[v9_16] Replace CentOS 7 & 8 with Oracle Linux

See merge request !5419