- 07 Feb, 2020 18 commits
-
-
The key-directory keyword actually does nothing right now but may be useful in the future if we want to differentiate between key directories or HSM keys, or if we want to specify different directories for different keys or policies. Make it optional for the time being.
-
The keyword 'unlimited' can be used instead of PT0S which means the same but is more comprehensible for users. Also fix some redundant "none" parameters in the kasp test.
-
Evan Hunt authored
-
Matthijs Mekking authored
kasp test: Fix key id 0000 lookup Closes #1589 See merge request !2968
-
Matthijs Mekking authored
-
Matthijs Mekking authored
When checking keys we search for keys by key id. The kasp test used key id 0 as an indicator that a key was not yet found. Use "no" instead.
-
Mark Andrews authored
Merge branch '1599-autosign-conversion-from-nsec3-to-nsec-can-take-more-than-2-seconds' into 'master' Resolve "autosign conversion from NSEC3 to NSEC can take more than 2 seconds." Closes #1599 See merge request !3000
-
Mark Andrews authored
-
Witold Krecicki authored
Disable OpenSSL siphash. See merge request !2965
-
Creation of EVP_MD_CTX and EVP_PKEY is quite expensive, until we fix the code to reuse the context and key we'll use our own implementation of siphash.
-
Mark Andrews authored
Silence unchecked return reported by coverity. See merge request !3005
-
Mark Andrews authored
190     dns_rdataset_init(&rdataset);
    3. Condition r == 0, taking true branch.
    4. Condition result, taking false branch.
CID 1452691 (#1 of 1): Unchecked return value (CHECKED_RETURN)
    5. check_return: Calling dns_db_find without checking return value (as is done elsewhere 39 out of 45 times).
191     check_assertion(dns_db_find(db1, dns_rootname, v2,
192                                 dns_rdatatype_soa, 0, 0, NULL,
193                                 name, &rdataset, NULL));
-
Mark Andrews authored
-
Mark Andrews authored
-
Witold Krecicki authored
Set --with-tuning=large as a default, add --with-tuning=small. See merge request !2989
-
Witold Krecicki authored
-
Witold Krecicki authored
-
Witold Krecicki authored
-
- 06 Feb, 2020 9 commits
-
-
Michał Kępień authored
Fix the "dnssec" system test on Windows See merge request !3010
-
Michał Kępień authored
Make sure carriage return characters are stripped from awk input to enable the "dnssec" system test to pass on Windows.
-
Matthijs Mekking authored
Update kasp test with CDNSKEY checks Closes #1545 See merge request !2808
-
Matthijs Mekking authored
Add checks to the kasp system test to verify CDNSKEY publication. This test is not entirely complete, because when there is a CDNSKEY available but there should not be one for KEY N, it is hard to tell whether the existing CDNSKEY actually belongs to KEY N or another key. The check works if we expect a CDNSKEY although we cannot guarantee that the CDNSKEY is correct: The test verifies existence, not correctness of the record.
-
Matthijs Mekking authored
Fix kasp bug new KSK on restart [#1593] Closes #1593 See merge request !3007
-
Matthijs Mekking authored
-
Matthijs Mekking authored
When you do a restart or reconfig of named, or rndc loadkeys, this triggers the key manager to run. The key manager will check if new keys need to be created. If there is an active key, and key rollover is scheduled far enough away, no new key needs to be created. However, there was a bug that when you just start to sign your zone, it takes a while before the KSK becomes an active key. An active KSK has its DS submitted or published, but before the key manager allows that, the DNSKEY needs to be omnipresent. If you restart named or rndc loadkeys in quick succession when you just started to sign your zone, new keys will be created because the KSK is not yet considered active. Fix is to check for introducing as well as active keys. These keys all have in common that their goal is to become omnipresent.
-
Matthijs Mekking authored
Document forwarders config port and dscp param Closes #914 See merge request !2869
-
Matthijs Mekking authored
-
- 05 Feb, 2020 13 commits
-
-
Michal Nowak authored
Windows: Prevent tools from clashing with named in system tests Closes #1566 See merge request !2998
-
Michal Nowak authored
In system tests on Windows, a tool's local port can sometimes clash with 'named'. On Unix the system is poked for the minimal local port, otherwise it is set to 32768 as a sane minimum. For Windows we don't poke but set a hardcoded limit; this change aligns the limit with Unix and changes it to 32768.
-
Mark Andrews authored
Address various minor issues identified by coverity on master See merge request !2999
-
Mark Andrews authored
10067 cleanup:
CID 1452683 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking dispatch suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
10068     if (dispatch != NULL)
10069         isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
-
Mark Andrews authored
1549 cleanup:
1550     if (dctx->dbiter != NULL)
1551         dns_dbiterator_destroy(&dctx->dbiter);
1552     if (dctx->db != NULL)
1553         dns_db_detach(&dctx->db);
CID 1452686 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking dctx suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1554     if (dctx != NULL)
1555         isc_mem_put(mctx, dctx, sizeof(*dctx));
-
Mark Andrews authored
707 complete_allnds:
CID 1452689 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking dir_list suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
708     if (dir_list != NULL) {
709         /* clean up entries from list. */
-
Mark Andrews authored
389     else
CID 1452695 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking lcfg suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
390     if (lcfg != NULL)
391         isc_logconfig_destroy(&lcfg);
-
Mark Andrews authored
122 cleanup:
CID 1452696 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking s suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
123     if (s != NULL)
124         isc_mem_free(mctx, s);
-
Mark Andrews authored
255 flag_fail:
256     /* get rid of what was build of the query list */
CID 1452697 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking tql suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
257     if (tql != NULL)
258         destroy_querylist(mctx, &tql);
-
Mark Andrews authored
6412 cleanup:
6413     dns_rdataset_disassociate(&neg);
6414     dns_rdataset_disassociate(&negsig);
CID 1452700 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking closest suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
6415     if (closest != NULL)
6416         free_noqname(mctx, &closest);
-
Mark Andrews authored
336 cleanup_mem:
337     /* cleanup memory */
338
339     /* free tmpPath memory */
CID 1452701 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking tmpPath suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
340     if (tmpPath != NULL && result != ISC_R_SUCCESS)
341         isc_mem_free(named_g_mctx, tmpPath);
342
343     /* free tmpPath memory */
344     return (result);
-
Mark Andrews authored
13429 cleanup:
13430     cancel_refresh(zone);
CID 1452702 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking stub suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
13431     if (stub != NULL) {
13432         stub->magic = 0;
-
Mark Andrews authored
6367 cleanup:
6368     dns_rdataset_disassociate(&neg);
6369     dns_rdataset_disassociate(&negsig);
CID 1452704 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking noqname suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
6370     if (noqname != NULL)
6371         free_noqname(mctx, &noqname);
-