1. 15 May, 2019 3 commits
  2. 29 Apr, 2019 1 commit
  3. 26 Apr, 2019 5 commits
    • Add CHANGES entry · 42e750fc
      Michał Kępień authored
      5220.	[bug]		Including an NSEC3PARAM record in an unsigned zone
      			configured with "auto-dnssec maintain;" could lead to
      			invalid NSEC3 signatures being generated. [GL #953]
    • Properly handle NSEC3PARAM in unsigned zone files · a845e6b4
      Michał Kępień authored
      Initial zone signing with NSEC3 is a three-phase process:
       1. First, zone apex records are adjusted and (re)signed.
       2. Then, regular zone nodes are walked; signatures are generated for
          zone data and the NSEC3 chain is gradually built, but not yet
       3. When all the regular zone nodes are processed, the NSEC3 chain is
          walked and signed.
      This approach minimizes the amount of computation required because every
      NSEC3 record is only signed once (if NSEC3 records were signed
      immediately upon creation, their signatures would have to be regenerated
      for every Next Hashed Owner Name change caused by new nodes being added
      to the NSEC3 chain).
      During steps 2-3 of the initial signing process, redundant computation
      is further avoided by only creating one signature for any <RRset, key>
      Change 3020 fixed a bug which prevented type bitmaps for NSEC3 records
      matching the zone apex from being updated when private type records
      indicating a signing process in progress were inserted by named at zone
      apex.  As a part of that fix, a new function called add_chains() was
      added; its intended purpose was to update existing NSEC(3) records for
      the zone apex.  However, its implementation also allows NSEC3 records to
      be created, not just modified.  Furthermore, change 3020 also caused
      all records added/modified in step 1 of the initial signing process to
      be signed, which was not the case before.  Combined, these two changes
      made it possible for a signed NSEC3 record matching the zone apex to be
      added to the zone in step 1 of the initial signing process, which is
      incompatible with its design because no NSEC3 signatures are expected to
      exist before step 3 is reached.
      The net effect of all the above is that an NSEC3 record matching the
      zone apex may be created, signed, and subsequently modified without
      regenerating its signature, rendering the latter invalid.
      Fix by making dns_nsec3_addnsec3sx() take an additional argument
      indicating whether it should only adjust existing NSEC3 records (similar
      in spirit to the 'update_only' argument for updatesecure(), the function
      used for adjusting NSEC records).  This allows add_chains() to refrain
      from creating new NSEC3 records which would subsequently be signed by
      sign_apex() and thus prevents the issue described above.
      However, doing just that would break signing zones with DNAME at the
      apex - due to the way zone_sign() currently works, the NSEC3 record
      matching the apex is treated as being below bottom of zone (which
      prevents it from being signed) for such zones and thus their proper
      signing relies on that NSEC3 record being signed before zone_sign() is
      called.  Thus, also fix zone_sign() so that zones with DNAME at the apex
      are processed correctly.
    • Merge branch '982-filter-aaaa-race' into 'master' · 1766a5d9
      Evan Hunt authored
      Resolve "filter-aaaa crash in 9.14.0"
      Closes #982
      See merge request !1861
    • CHANGES · ce8ad08a
      Evan Hunt authored
  4. 25 Apr, 2019 12 commits
    • Merge branch '615-tcp-client-crash-v9_14-master' into 'master' · 2c85466c
      Ondřej Surý authored
      Resolve "tcp-clients mostly ineffective"
      Closes #615
      See merge request !1871
    • CHANGES, release note · 4551c58e
      Evan Hunt authored and Ondřej Surý committed
      (cherry picked from commit 244e44af432121a05e0a308b7ccce96a8ecd28ab)
      (cherry picked from commit 79fad84b)
    • restore allowance for tcp-clients < interfaces · d809ec6c
      Evan Hunt authored and Ondřej Surý committed
      in the "refactor tcpquota and pipeline refs" commit, the counting
      of active interfaces was tightened in such a way that named could
      fail to listen on an interface if there were more interfaces than
      tcp-clients. when checking the quota to start accepting on an
      interface, if the number of active clients was above zero, then
      it was presumed that some other client was able to handle accepting
      new connections. this, however, ignored the fact that the current client
      could be included in that count, so if the quota was already exceeded
      before all the interfaces were listening, some interfaces would never
      we now check whether the current client has been marked active; if so,
      then the number of active clients on the interface must be greater
      than 1, not 0.
      (cherry picked from commit 02365b87ea0b1ea5ea8b17376f6734c811c95e61)
      (cherry picked from commit cae79e1b)
    • refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota · 2f3876d1
      Evan Hunt authored and Ondřej Surý committed
      - if the TCP quota has been exceeded but there are no clients listening
        for new connections on the interface, we can now force attachment to the
        quota using isc_quota_force(), instead of carrying on with the quota not
      - the TCP client quota is now referenced via a reference-counted
        'ns_tcpconn' object, one of which is created whenever a client begins
        listening for new connections, and attached to by members of that
        client's pipeline group. when the last reference to the tcpconn
        object is detached, it is freed and the TCP quota slot is released.
      - reduce code duplication by adding mark_tcp_active() function
      - convert counters to stdatomic
      (cherry picked from commit a8dd133d270873b736c1be9bf50ebaa074f5b38f)
      (cherry picked from commit 4a8fc979)
    • better tcpquota accounting and client mortality checks · a0f4a3fa
      Evan Hunt authored and Ondřej Surý committed
      - ensure that tcpactive is cleaned up correctly when accept() fails.
      - set 'client->tcpattached' when the client is attached to the tcpquota.
        carry this value on to new clients sharing the same pipeline group.
        don't call isc_quota_detach() on the tcpquota unless tcpattached is
        set.  this way clients that were allowed to accept TCP connections
        despite being over quota (and therefore, were never attached to the
        quota) will not inadvertently detach from it and mess up the
      - simplify the code for tcpquota disconnection by using a new function
      - before deciding whether to reject a new connection due to quota
        exhaustion, check to see whether there are at least two active
        clients. previously, this was "at least one", but that could be
        insufficient if there was one other client in READING state (waiting
        for messages on an open connection) but none in READY (listening
        for new connections).
      - before deciding whether a TCP client object can go inactive, we
        must ensure there are enough other clients to maintain service
        afterward -- both accepting new connections and reading/processing new
        queries.  A TCP client can't shut down unless at least one
        client is accepting new connections and (in the case of pipelined
        clients) at least one additional client is waiting to read.
      (cherry picked from commit 427a2fb4d17bc04ca3262f58a9dcf5c93fc6d33e)
      (cherry picked from commit 08968412)
    • use reference counter for pipeline groups (v3) · 3c0f8d91
      Michał Kępień authored and Ondřej Surý committed
      Track pipeline groups using a shared reference counter
      instead of a linked list.
      (cherry picked from commit 31f392db20207a1b05d6286c3c56f76c8d69e574)
      (cherry picked from commit 22111202)
    • tcp-clients could still be exceeded (v2) · d989a8b3
      Witold Krecicki authored and Ondřej Surý committed
      the TCP client quota could still be ineffective under some
      circumstances.  this change:
      - improves quota accounting to ensure that TCP clients are
        properly limited, while still guaranteeing that at least one client
        is always available to serve TCP connections on each interface.
      - uses more descriptive names and removes one (ntcptarget) that
        was no longer needed
      - adds comments
      (cherry picked from commit 9e74969f85329fe26df2fad390468715215e2edd)
      (cherry picked from commit d7e84cee)
    • fix enforcement of tcp-clients (v1) · 07c3365b
      Witold Krecicki authored and Ondřej Surý committed
      tcp-clients settings could be exceeded in some cases by
      creating more and more active TCP clients that are over
      the set quota limit, which in the end could lead to a
      DoS attack by e.g. exhaustion of file descriptors.
      If the TCP client we're closing went over the quota (so it's
      not attached to a quota) mark it as mortal - so that it
      will be destroyed and not set up to listen for new
      connections - unless it's the last client for a specific
      (cherry picked from commit eafcff07c25bdbe038ae1e4b6660602a080b9395)
      (cherry picked from commit 9e7617cc)
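
The quota accounting described in the tcp-clients commits above, modeled as an added example (not BIND's code and not taken from these commits): a forced attach keeps an interface served when the quota is full, and a reference-counted connection object releases its slot exactly once. All type and function names below are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model of the tcp-clients quota; not BIND's isc_quota API. */
typedef struct { atomic_int used; int max; } quota_t;

/* Normal attach: take a slot only while under the limit. */
static bool quota_attach(quota_t *q) {
    if (atomic_fetch_add(&q->used, 1) < q->max) return true;
    atomic_fetch_sub(&q->used, 1);      /* over the limit: undo */
    return false;
}

/* Forced attach: the slot is counted even when over the limit, so the
 * later release stays balanced instead of corrupting the accounting. */
static void quota_force(quota_t *q) { atomic_fetch_add(&q->used, 1); }

/* Created when a client begins listening; shared by its pipeline group. */
typedef struct { atomic_int refs; quota_t *quota; } tcpconn_t;

/* 'listening' = number of other clients already accepting connections
 * on this interface. Returns NULL when the new listener is refused. */
static tcpconn_t *tcpconn_new(quota_t *q, int listening) {
    if (!quota_attach(q)) {
        if (listening > 0) return NULL; /* another client accepts: refuse */
        quota_force(q);                 /* keep the interface served */
    }
    tcpconn_t *c = malloc(sizeof(*c));
    if (c == NULL) { atomic_fetch_sub(&q->used, 1); return NULL; }
    atomic_init(&c->refs, 1);
    c->quota = q;
    return c;
}

/* A pipeline group member takes a reference to the shared object. */
static void tcpconn_attach(tcpconn_t *c) { atomic_fetch_add(&c->refs, 1); }

/* The last detach frees the object and releases exactly one quota slot. */
static void tcpconn_detach(tcpconn_t **cp) {
    tcpconn_t *c = *cp;
    *cp = NULL;
    if (atomic_fetch_sub(&c->refs, 1) == 1) {
        atomic_fetch_sub(&c->quota->used, 1);
        free(c);
    }
}
```
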
    • Merge branch '880-secure-asdfasdfasdf-abacadabra-crash-v9_14-master' into 'master' · 7ef39530
      Ondřej Surý authored
      Resolve "CVE-2019-6467: lib/ns/query.c:9176: INSIST(!qctx->is_zone) failed, back trace"
      Closes #880
      See merge request !1868
    • CHANGES, release note · 38c29c1b
      Evan Hunt authored and Ondřej Surý committed
      (cherry picked from commit ab5473007e91f011d003ff0ba5ab32fa0d56360c)
      (cherry picked from commit 404be595)
    • Fix nxdomain-redirect assertion failure · f3d3703f
      Matthijs Mekking authored and Ondřej Surý committed
      - Always set is_zonep in query_getdb; previously it was only set if
        result was ISC_R_SUCCESS or ISC_R_NOTFOUND.
      - Don't reset is_zone for redirect.
      - Style cleanup.
      (cherry picked from commit a85cc641d7a4c66cbde03cc4e31edc038a24df46)
      (cherry picked from commit 486a2011)
    • Add test for nxdomain-redirect ncachenxdomain · 2fbadaee
      Matthijs Mekking authored and Ondřej Surý committed
      (cherry picked from commit 2d65626630c19bb8159a025accb18e5179da5dc3)
      (cherry picked from commit 05d29443)
  5. 23 Apr, 2019 19 commits