- 23 Feb, 2021 1 commit
-
-
Michal Nowak authored
The 'checknames' field wasn't initialized in dns_view_create(), but it should be; otherwise AddressSanitizer identifies the following runtime error in query_test.c:
    runtime error: load of value 190, which is not a valid value for type '_Bool'
(cherry picked from commit 0c6fa164)
-
- 16 Feb, 2021 1 commit
-
-
Mark Andrews authored
The lmdb.h header doesn't have to be included from the dns/lmdb.h header as it can be separately included where used. This stops exposing the inclusion of lmdb.h from the libdns headers.
-
- 29 Jan, 2021 1 commit
-
-
Since it takes a couple lines of code to check whether stale answers are enabled for a given view, code was extracted out to a proper function. (cherry picked from commit 74840ec5)
-
- 23 Sep, 2020 1 commit
-
-
Mark Andrews authored
WARNING: ThreadSanitizer: lock-order-inversion (potential deadlock)
  Cycle in lock order graph: M1 (0x000000000000) => M2 (0x000000000000) => M1

  Mutex M2 acquired here while holding mutex M1 in thread T1:
    #0 pthread_mutex_lock <null>
    #1 dns_view_findzonecut lib/dns/view.c:1310:2
    #2 fctx_create lib/dns/resolver.c:5070:13
    #3 dns_resolver_createfetch lib/dns/resolver.c:10813:12
    #4 dns_resolver_prime lib/dns/resolver.c:10442:12
    #5 dns_view_find lib/dns/view.c:1176:4
    #6 dbfind_name lib/dns/adb.c:3833:11
    #7 dns_adb_createfind lib/dns/adb.c:3155:12
    #8 findname lib/dns/resolver.c:3497:11
    #9 fctx_getaddresses lib/dns/resolver.c:3808:3
    #10 fctx_try lib/dns/resolver.c:4197:12
    #11 fctx_start lib/dns/resolver.c:4824:4
    #12 dispatch lib/isc/task.c:1152:7
    #13 run lib/isc/task.c:1344:2

  Mutex M1 previously acquired by the same thread here:
    #0 pthread_mutex_lock <null>
    #1 dns_resolver_createfetch lib/dns/resolver.c:10767:2
    #2 dns_resolver_prime lib/dns/resolver.c:10442:12
    #3 dns_view_find lib/dns/view.c:1176:4
    #4 dbfind_name lib/dns/adb.c:3833:11
    #5 dns_adb_createfind lib/dns/adb.c:3155:12
    #6 findname lib/dns/resolver.c:3497:11
    #7 fctx_getaddresses lib/dns/resolver.c:3808:3
    #8 fctx_try lib/dns/resolver.c:4197:12
    #9 fctx_start lib/dns/resolver.c:4824:4
    #10 dispatch lib/isc/task.c:1152:7
    #11 run lib/isc/task.c:1344:2

  Mutex M1 acquired here while holding mutex M2 in thread T1:
    #0 pthread_mutex_lock <null>
    #1 dns_resolver_shutdown lib/dns/resolver.c:10530:4
    #2 view_flushanddetach lib/dns/view.c:632:4
    #3 dns_view_detach lib/dns/view.c:689:2
    #4 qctx_destroy lib/ns/query.c:5152:2
    #5 fetch_callback lib/ns/query.c:5749:3
    #6 dispatch lib/isc/task.c:1152:7
    #7 run lib/isc/task.c:1344:2

  Mutex M2 previously acquired by the same thread here:
    #0 pthread_mutex_lock <null>
    #1 view_flushanddetach lib/dns/view.c:630:3
    #2 dns_view_detach lib/dns/view.c:689:2
    #3 qctx_destroy lib/ns/query.c:5152:2
    #4 fetch_callback lib/ns/query.c:5749:3
    #5 dispatch lib/isc/task.c:1152:7
    #6 run lib/isc/task.c:1344:2

  Thread T1 (running) created by main thread at:
    #0 pthread_create <null>
    #1 isc_thread_create lib/isc/pthreads/thread.c:73:8
    #2 isc_taskmgr_create lib/isc/task.c:1434:3
    #3 create_managers bin/named/main.c:915:11
    #4 setup bin/named/main.c:1223:11
    #5 main bin/named/main.c:1523:2

SUMMARY: ThreadSanitizer: lock-order-inversion (potential deadlock) in pthread_mutex_lock
(cherry picked from commit a669c919)
-
- 14 Sep, 2020 1 commit
-
-
Evan Hunt authored
-
- 09 Sep, 2020 1 commit
-
-
Mark Andrews authored
Obtain references to view->redirect and view->managed_keys then release view->lock so dns_zone_setviewcommit and dns_zone_setviewrevert can obtain the view->lock while holding zone->lock.

WARNING: ThreadSanitizer: lock-order-inversion (potential deadlock) (pid=9132)
  Cycle in lock order graph: M987831431424375936 (0x000000000000) => M1012319771577875480 (0x000000000000) => M987831431424375936

  Mutex M1012319771577875480 acquired here while holding mutex M987831431424375936 in thread T2:
    #0 pthread_mutex_lock <null> (named+0x4642a6)
    #1 dns_zone_setviewcommit /builds/isc-projects/bind9/lib/dns/zone.c:1571:2 (libdns.so.1110+0x1d74eb)
    #2 dns_view_setviewcommit /builds/isc-projects/bind9/lib/dns/view.c:2388:3 (libdns.so.1110+0x1cfe29)
    #3 load_configuration /builds/isc-projects/bind9/bin/named/./server.c:8188:3 (named+0x51eadd)
    #4 loadconfig /builds/isc-projects/bind9/bin/named/./server.c:9438:11 (named+0x510c66)
    #5 ns_server_reconfigcommand /builds/isc-projects/bind9/bin/named/./server.c:9773:2 (named+0x510b41)
    #6 ns_control_docommand /builds/isc-projects/bind9/bin/named/control.c:243:12 (named+0x4e451a)
    #7 control_recvmessage /builds/isc-projects/bind9/bin/named/controlconf.c:465:13 (named+0x4e9056)
    #8 dispatch /builds/isc-projects/bind9/lib/isc/task.c:1157:7 (libisc.so.1107+0x507d5)
    #9 run /builds/isc-projects/bind9/lib/isc/task.c:1331:2 (libisc.so.1107+0x4d729)

  Mutex M987831431424375936 previously acquired by the same thread here:
    #0 pthread_mutex_lock <null> (named+0x4642a6)
    #1 dns_view_setviewcommit /builds/isc-projects/bind9/lib/dns/view.c:2382:2 (libdns.so.1110+0x1cfde7)
    #2 load_configuration /builds/isc-projects/bind9/bin/named/./server.c:8188:3 (named+0x51eadd)
    #3 loadconfig /builds/isc-projects/bind9/bin/named/./server.c:9438:11 (named+0x510c66)
    #4 ns_server_reconfigcommand /builds/isc-projects/bind9/bin/named/./server.c:9773:2 (named+0x510b41)
    #5 ns_control_docommand /builds/isc-projects/bind9/bin/named/control.c:243:12 (named+0x4e451a)
    #6 control_recvmessage /builds/isc-projects/bind9/bin/named/controlconf.c:465:13 (named+0x4e9056)
    #7 dispatch /builds/isc-projects/bind9/lib/isc/task.c:1157:7 (libisc.so.1107+0x507d5)
    #8 run /builds/isc-projects/bind9/lib/isc/task.c:1331:2 (libisc.so.1107+0x4d729)

  Mutex M987831431424375936 acquired here while holding mutex M1012319771577875480 in thread T7:
    #0 pthread_mutex_lock <null> (named+0x4642a6)
    #1 dns_view_findzonecut2 /builds/isc-projects/bind9/lib/dns/view.c:1300:2 (libdns.so.1110+0x1cc93a)
    #2 dns_view_findzonecut /builds/isc-projects/bind9/lib/dns/view.c:1261:9 (libdns.so.1110+0x1cc864)
    #3 fctx_create /builds/isc-projects/bind9/lib/dns/resolver.c:4459:13 (libdns.so.1110+0x1779d3)
    #4 dns_resolver_createfetch3 /builds/isc-projects/bind9/lib/dns/resolver.c:9628:12 (libdns.so.1110+0x176cb6)
    #5 dns_resolver_createfetch /builds/isc-projects/bind9/lib/dns/resolver.c:9504:10 (libdns.so.1110+0x174e17)
    #6 zone_refreshkeys /builds/isc-projects/bind9/lib/dns/zone.c:10061:12 (libdns.so.1110+0x2055a5)
    #7 zone_maintenance /builds/isc-projects/bind9/lib/dns/zone.c:10274:5 (libdns.so.1110+0x203a78)
    #8 zone_timer /builds/isc-projects/bind9/lib/dns/zone.c:13106:2 (libdns.so.1110+0x1e815a)
    #9 dispatch /builds/isc-projects/bind9/lib/isc/task.c:1157:7 (libisc.so.1107+0x507d5)
    #10 run /builds/isc-projects/bind9/lib/isc/task.c:1331:2 (libisc.so.1107+0x4d729)

  Mutex M1012319771577875480 previously acquired by the same thread here:
    #0 pthread_mutex_lock <null> (named+0x4642a6)
    #1 zone_refreshkeys /builds/isc-projects/bind9/lib/dns/zone.c:9951:2 (libdns.so.1110+0x204dc3)
    #2 zone_maintenance /builds/isc-projects/bind9/lib/dns/zone.c:10274:5 (libdns.so.1110+0x203a78)
    #3 zone_timer /builds/isc-projects/bind9/lib/dns/zone.c:13106:2 (libdns.so.1110+0x1e815a)
    #4 dispatch /builds/isc-projects/bind9/lib/isc/task.c:1157:7 (libisc.so.1107+0x507d5)
    #5 run /builds/isc-projects/bind9/lib/isc/task.c:1331:2 (libisc.so.1107+0x4d729)

  Thread T2 'isc-worker0001' (tid=9163, running) created by main thread at:
    #0 pthread_create <null> (named+0x446edb)
    #1 isc_thread_create /builds/isc-projects/bind9/lib/isc/pthreads/thread.c:60:8 (libisc.so.1107+0x726d8)
    #2 isc__taskmgr_create /builds/isc-projects/bind9/lib/isc/task.c:1468:7 (libisc.so.1107+0x4d635)
    #3 isc_taskmgr_create /builds/isc-projects/bind9/lib/isc/task.c:2109:11 (libisc.so.1107+0x4f587)
    #4 create_managers /builds/isc-projects/bind9/bin/named/./main.c:886:11 (named+0x4f1a97)
    #5 setup /builds/isc-projects/bind9/bin/named/./main.c:1305:11 (named+0x4f05ee)
    #6 main /builds/isc-projects/bind9/bin/named/./main.c:1556:2 (named+0x4ef12d)

  Thread T7 'isc-worker0006' (tid=9168, running) created by main thread at:
    #0 pthread_create <null> (named+0x446edb)
    #1 isc_thread_create /builds/isc-projects/bind9/lib/isc/pthreads/thread.c:60:8 (libisc.so.1107+0x726d8)
    #2 isc__taskmgr_create /builds/isc-projects/bind9/lib/isc/task.c:1468:7 (libisc.so.1107+0x4d635)
    #3 isc_taskmgr_create /builds/isc-projects/bind9/lib/isc/task.c:2109:11 (libisc.so.1107+0x4f587)
    #4 create_managers /builds/isc-projects/bind9/bin/named/./main.c:886:11 (named+0x4f1a97)
    #5 setup /builds/isc-projects/bind9/bin/named/./main.c:1305:11 (named+0x4f05ee)
    #6 main /builds/isc-projects/bind9/bin/named/./main.c:1556:2 (named+0x4ef12d)

SUMMARY: ThreadSanitizer: lock-order-inversion (potential deadlock) (/builds/isc-projects/bind9/bin/named/.libs/named+0x4642a6) in pthread_mutex_lock
(cherry picked from commit cdcfde9e)
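Added example, not code from the commit or from BIND 9: a small lock-order recorder that replays the two paths in the report above (timer path: zone lock then view lock; commit path: view lock then zone lock) and shows that taking a reference and releasing the view lock first removes the cycle. The `VIEW`/`ZONE` stand-ins, `zone_refs` and all function names are hypothetical.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { VIEW, ZONE, NLOCKS }; /* stand-ins for view->lock and zone->lock */

static pthread_mutex_t locks[NLOCKS] = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER };
static bool held[NLOCKS];         /* locks the demo thread holds right now */
static bool edge[NLOCKS][NLOCKS]; /* edge[a][b]: b was acquired while holding a */
static int zone_refs = 1;         /* hypothetical zone reference count */

static void acquire(int l) {
	for (int h = 0; h < NLOCKS; h++) {
		edge[h][l] = edge[h][l] || held[h]; /* record the ordering */
	}
	pthread_mutex_lock(&locks[l]);
	held[l] = true;
}

static void release(int l) {
	held[l] = false;
	pthread_mutex_unlock(&locks[l]);
}

/* Timer path from the report: zone lock first, then the view lock. */
static void refresh_keys(void) {
	acquire(ZONE);
	acquire(VIEW);
	release(VIEW);
	release(ZONE);
}

/* Before the fix: the zone lock is taken while the view lock is held. */
static void commit_inverted(void) {
	acquire(VIEW);
	acquire(ZONE);
	release(ZONE);
	release(VIEW);
}

/* After the fix: take a reference under the view lock, release it, then lock the zone. */
static void commit_fixed(void) {
	acquire(VIEW);
	zone_refs++; /* keeps the zone alive once the view lock is released */
	release(VIEW);
	acquire(ZONE);
	release(ZONE);
	zone_refs--; /* single-threaded demo; real code needs an atomic count */
}

/* Replay the timer path and one commit variant; true if the order graph has a cycle. */
static bool has_inversion(void (*commit)(void)) {
	memset(edge, 0, sizeof(edge));
	refresh_keys();
	commit();
	return edge[VIEW][ZONE] && edge[ZONE][VIEW];
}

int main(void) {
	printf("inverted commit path: cycle=%d\n", has_inversion(commit_inverted));
	printf("fixed commit path:    cycle=%d\n", has_inversion(commit_fixed));
	return 0;
}
```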
-
- 11 Aug, 2020 1 commit
-
-
Mark Andrews authored
Hold a weak reference to the view so that it can't go away while nta is performing its lookups. Cancel nta timers once all external references to the view have gone to prevent them triggering new work. (cherry picked from commit 0b2555e8)
-
- 31 Jul, 2020 1 commit
-
-
Mark Andrews authored
Created isc_refcount_decrement_expect macro to test conditionally the return value to ensure it is in expected range. Converted unchecked isc_refcount_decrement to use isc_refcount_decrement_expect. Converted INSIST(isc_refcount_decrement()...) to isc_refcount_decrement_expect. (cherry picked from commit bde5c763)
-
- 30 Jul, 2020 1 commit
-
-
Ondřej Surý authored
There were several problems with rbt hashtable implementation:

1. Our internal hashing function returns uint64_t value, but it was silently truncated to unsigned int in dns_name_hash() and dns_name_fullhash() functions. As the SipHash 2-4 higher bits are more random, we need to use the upper half of the return value.

2. The hashtable implementation in rbt.c was using modulo to pick the slot number for the hash table. This has several problems because modulo is: a) slow, b) oblivious to patterns in the input data. This could lead to very uneven distribution of the hashed data in the hashtable. Combined with the single-linked lists we use, it could really hog-down the lookup and removal of the nodes from the rbt tree[a]. The Fibonacci Hashing is a much better fit for the hashtable function here. For a longer description, read "Fibonacci Hashing: The Optimization that the World Forgot"[b] or just look at the Linux kernel. Also this will make Diego very happy :).

3. The hashtable would rehash every time the number of nodes in the rbt tree would exceed 3 * (hashtable size). The overcommit will make the uneven distribution in the hashtable even worse, but the main problem lies in the rehashing - every time the database grows beyond the limit, each subsequent rehashing will be much slower. The mitigation here is letting the rbt know how big the cache can grow and pre-allocate the hashtable to be big enough to actually never need to rehash. This will consume more memory at the start, but since the size of the hashtable is capped to `1 << 32` (e.g. 4 mio entries), it will only consume maximum of 32GB of memory for hashtable in the worst case (and max-cache-size would need to be set to more than 4TB). Calling the dns_db_adjusthashsize() will also cap the maximum size of the hashtable to the pre-computed number of bits, so it won't try to consume more gigabytes of memory than available for the database.

FIXME: What is the average size of the rbt node that gets hashed? I chose the pagesize (4k) as initial value to precompute the size of the hashtable, but the value is based on feeling and not any real data.

For future work, there are more places where we use result of the hash value modulo some small number and that would benefit from Fibonacci Hashing to get better distribution.

Notes:
a. A doubly linked list should be used here to speedup the removal of the entries from the hashtable.
b. https://probablydance.com/2018/06/16/fibonacci-hashing-the-optimization-that-the-world-forgot-or-a-better-alternative-to-integer-modulo/

(cherry picked from commit e24bc324)
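Added example, not code from the commit or from rbt.c: items 1 and 2 above on a constructed input whose 64-bit hashes carry all their information in the upper half and are multiples of the table size. The table size, function names and input pattern are assumptions; the multiplier is the 32-bit golden-ratio constant used by the Linux kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GOLDEN_RATIO_32 0x61C88647u /* golden-ratio multiplier, as in the Linux kernel */
#define HASH_BITS 10u               /* constructed table size: 1024 slots */
#define HASH_SLOTS (1u << HASH_BITS)

/*
 * Item 1: fold a 64-bit hash to 32 bits by keeping the upper half.
 * A plain (unsigned int) cast keeps the lower half instead, which is
 * zero for every constructed value used below.
 */
static uint32_t fold_upper(uint64_t hash64) {
	return (uint32_t)(hash64 >> 32);
}

/* Old slot selection: remainder of the division by the table size. */
static uint32_t slot_modulo(uint32_t hash) {
	return hash % HASH_SLOTS;
}

/* Item 2, Fibonacci hashing: multiply, then keep the top HASH_BITS bits. */
static uint32_t slot_fibonacci(uint32_t hash) {
	return (uint32_t)(hash * GOLDEN_RATIO_32) >> (32 - HASH_BITS);
}

/*
 * Insert n constructed hashes (multiples of the table size, a pattern
 * modulo is blind to) and return the length of the longest bucket chain.
 */
static size_t longest_chain(uint32_t (*slot)(uint32_t), size_t n) {
	static size_t chain[HASH_SLOTS];
	size_t longest = 0;

	memset(chain, 0, sizeof(chain));
	for (size_t i = 0; i < n; i++) {
		uint64_t hash64 = (uint64_t)(i * HASH_SLOTS) << 32;
		size_t len = ++chain[slot(fold_upper(hash64))];
		if (len > longest) {
			longest = len;
		}
	}
	return longest;
}

int main(void) {
	printf("modulo:    longest chain %zu\n", longest_chain(slot_modulo, 4096));
	printf("fibonacci: longest chain %zu\n", longest_chain(slot_fibonacci, 4096));
	return 0;
}
```

With modulo every constructed entry lands in slot 0, so lookups degrade to a walk of one linked list; the multiplicative variant spreads the same entries across the table.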
-
- 26 May, 2020 1 commit
-
- 11 May, 2020 1 commit
-
-
Originally, every library and binary got linked to everything, which creates unnecessary overlinking. This wasn't as straightforward as it should be, as we still support configuration without libtool for 9.16. There were a couple of smaller issues related to include headers, and an issue where sanitizers overload the dlopen and dlclose symbols, so we were getting false negatives in the autoconf test.
-
- 21 Feb, 2020 1 commit
-
- 14 Feb, 2020 2 commits
-
-
Ondřej Surý authored
Start enforcing the clang-format rules on changed files
Closes #46
See merge request !3063
(cherry picked from commit a04cdde4)
d2b5853b Start enforcing the clang-format rules on changed files
618947c6 Switch AlwaysBreakAfterReturnType from TopLevelDefinitions to All
654927c8 Add separate .clang-format files for headers
5777c44a Reformat using the new rules
60d29f69 Don't enforce copyrights on .clang-format
-
Ondřej Surý authored
adjust clang-format options to get closer to ISC style
See merge request !3061
(cherry picked from commit d3b49b66)
0255a974 revise .clang-format and add a C formatting script in util
e851ed0b apply the modified style
-
- 13 Feb, 2020 1 commit
-
-
Ondřej Surý authored
Add curly braces using uncrustify and then reformat with clang-format back
Closes #46
See merge request !3057
(cherry picked from commit 67b68e06)
36c6105e Use coccinelle to add braces to nested single line statement
d14bb713 Add copy of run-clang-tidy that can fixup the filepaths
056e133c Use clang-tidy to add curly braces around one-line statements
-
- 12 Feb, 2020 1 commit
-
-
Ondřej Surý authored
Reformat source code with clang-format
Closes #46
See merge request !2156
(cherry picked from commit 7099e79a)
4c3b063e Import Linux kernel .clang-format with small modifications
f50b1e06 Use clang-format to reformat the source files
11341c76 Update the definition files for Windows
df6c1f76 Remove tkey_test (which is no-op anyway)
-
- 10 Feb, 2020 1 commit
-
-
Ondřej Surý authored
Also disable the semantic patch as the code needs tweaks here and there because some destroy functions might not destroy the object and return early if the object is still in use.
-
- 22 Jan, 2020 1 commit
-
-
Diego Fronza authored
Function dns_view_findzonecut in view.c wasn't correctly handling classes other than IN (chaos, hesiod, etc) whenever the name being looked up wasn't in cache or in any of the configured zone views' database. That resulted in a NULL fname being used in resolver.c:4900, which in turn was triggering abort.
-
- 14 Jan, 2020 1 commit
-
-
Evan Hunt authored
this function is used by dns_view_untrust() to handle revoked keys, so it will still be needed after the keytable/validator refactoring is complete, even though the keytable will be storing DS trust anchors instead of keys. to simplify the way it's called, it now takes a DNSKEY rdata struct instead of a DST key.
-
- 29 Nov, 2019 1 commit
-
-
- 12 Nov, 2019 1 commit
-
-
Ondřej Surý authored
-
- 09 Oct, 2019 1 commit
-
-
Ondřej Surý authored
-
- 01 Oct, 2019 3 commits
-
-
Use the semantic patch from the previous commit to replace all the calls to dns_name_copy() with NULL as third argument with dns_name_copynf().
-
This second commit uses the second semantic patch to replace the calls to dns_name_copy() with NULL as third argument where the result was stored in an isc_result_t variable. As the dns_name_copy(..., NULL) cannot fail gracefully when the third argument is NULL, it was just a bunch of dead code. A couple of manual tweaks (removing dead labels and unused variables) were manually applied on top of the semantic patch.
-
This commit adds RUNTIME_CHECK() around all simple dns_name_copy() calls where the third argument is NULL using the semantic patch from the previous commit.
-
- 12 Sep, 2019 1 commit
-
-
Ondřej Surý authored
-
- 09 Aug, 2019 1 commit
-
-
Evan Hunt authored
-
- 07 Aug, 2019 2 commits
-
-
Ondřej Surý authored
There's a deadlock in BIND 9 code where (dns_view_t){ .lock } and (dns_resolver_t){ .buckets[i].lock } get locked in a different order. When view->weakrefs gets converted to reference counting, we can reduce the locking in dns_view_weakdetach only to cases where it's the last instance of the dns_view_t object. (cherry picked from commit a7c9a52c) (cherry picked from commit 232140ed)
- 23 Jul, 2019 3 commits
-
-
Ondřej Surý authored
-
Ondřej Surý authored
-
Ondřej Surý authored
-
- 10 May, 2019 1 commit
-
-
If named is configured to perform DNSSEC validation and also forwards all queries ("forward only;") to validating resolvers, negative trust anchors do not work properly because the CD bit is not set in queries sent to the forwarders. As a result, instead of retrieving bogus DNSSEC material and making validation decisions based on its configuration, named is only receiving SERVFAIL responses to queries for bogus data. Fix by ensuring the CD bit is always set in queries sent to forwarders if the query name is covered by an NTA.
-
- 10 Apr, 2019 1 commit
-
-
Mark Andrews authored
-
- 15 Mar, 2019 1 commit
-
-
Evan Hunt authored
-
- 08 Mar, 2019 1 commit
-
-
Ondřej Surý authored
-
- 06 Dec, 2018 4 commits
-
-
Evan Hunt authored
  - "hook" is now used only for hook points and hook actions
  - the "hook" statement in named.conf is now "plugin"
  - ns_module and ns_modlist are now ns_plugin and ns_plugins
  - ns_module_load is renamed ns_plugin_register
  - the mandatory functions in plugin modules (hook_register, hook_check, hook_version, hook_destroy) have been renamed
-
Evan Hunt authored
  - use a per-view module list instead of global hook_modules
  - create an 'instance' pointer when registering modules, store it in the module structure, and use it as action_data when calling hook functions - this enables multiple module instances to be set up in parallel
  - also some nomenclature changes and cleanup
-
Evan Hunt authored
  - make some cfg-parsing functions global so they can be run from filter-aaaa.so
  - add filter-aaaa options to the hook module's parser
  - mark filter-aaaa options in named.conf as obsolete, remove from named and checkconf, and update the filter-aaaa test not to use checkconf anymore
  - remove filter-aaaa-related struct members from dns_view
-
Evan Hunt authored
  - allow multiple "hook" statements at global or view level
  - add "optional bracketed text" type for optional parameter list
  - load hook module from specified path rather than hardcoded path
  - add a hooktable pointer (and a callback for freeing it) to the view structure
  - change the hooktable functions so they no longer update ns__hook_table by default, and modify PROCESS_HOOK so it uses the view hooktable, if set, rather than ns__hook_table. (ns__hook_table is retained for use by unit tests.)
  - update the filter-aaaa system test to load filter-aaaa.so
  - add a prereq script to check for dlopen support before running the filter-aaaa system test

  not yet done:
  - configuration parameters are not being passed to the filter-aaaa module; the filter-aaaa ACL and filter-aaaa-on-{v4,v6} settings are still stored in dns_view
-