- 21 Dec, 2022 12 commits
-
-
Michal Nowak authored
[CVE-2022-38178][v9_11] eddsa verify leak See merge request !7242
-
Michal Nowak authored
In order to trigger the EDDSA verify memory leak, use the algorithm in the mkeys system test accordingly.
-
-
-
Michal Nowak authored
[CVE-2022-38177][v9_11] ecdsa verify leak See merge request !7241
-
(cherry picked from commit 78fa0829)
-
-
-
Michal Nowak authored
[CVE-2022-2795] [v9_11] Bound the amount of work performed for delegations See merge request !7240
-
Add a test ensuring that the amount of work fctx_getaddresses() performs for any encountered delegation is limited: delegate example.net to a set of 1,000 name servers in the redirect.com zone, the names of which all resolve to IP addresses that nothing listens on, and query for a name in the example.net domain, checking the number of times the findname() function gets executed in the process; fail if that count is excessively large. Since the size of the referral response sent by ans3 is about 20 kB, it cannot be sent back over UDP (EMSGSIZE) on some operating systems in their default configuration (e.g. FreeBSD - see the net.inet.udp.maxdgram sysctl). To enable reliable reproduction of CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid false positives at the same time (thread scheduling - and therefore the number of fetch context restarts - vary across operating systems and across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that it also lis...
-
-
Limit the amount of database lookups that can be triggered in fctx_getaddresses() (i.e. when determining the name server addresses to query next) by setting a hard limit on the number of NS RRs processed for any delegation encountered. Without any limit in place, named can be forced to perform large amounts of database lookups per each query received, which severely impacts resolver performance. The limit used (20) is an arbitrary value that is considered to be big enough for any sane DNS delegation.
-
- 16 Dec, 2022 6 commits
-
-
Tom Krizek authored
Check backport workflow in danger CI [v9_11] See merge request !7247
-
Tom Krizek authored
A full backport must have all the commit from the original MR and the original commit IDs must be referenced in the backport commit messages. If the criteria above is not met, the MR should be marked as a partial backport. In that case, any discrepencies are only logged as informative messages rather than failures. (cherry picked from commit c617f977)
-
Tom Krizek authored
When checking a backport MR, ensure that the original MR has been merged already. This is vital for followup checks that verify commit IDs from original commits are present in backport commit messages. (cherry picked from commit 89530f1a)
-
Tom Krizek authored
When doing archeology, it is much easier to find stuff if it's properly linked. This check ensures that backport MR are linked to their original MR via a "Backport of !XXXX" message. The regular expression is fairly broad and has been tested to accept the following variants of the message: Backport of MR !XXXX Backport of: !XXXX backport of mr !XXXX Backport of !XXXX Backport of https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/XXXX (cherry picked from commit 12e0b057)
-
Tom Krizek authored
Having the MR title clearly marked in its title can be very useful when looking through older issues/MRs. This check also ensures that the version from the version label matches the proper version branch (i.e. v9.16 must be marked with [v9_16]). (cherry picked from commit 14b027cf)
-
Tom Krizek authored
Treat the Backport::Partial label as a backport as well. (cherry picked from commit 1c0c1ba8)
-
- 08 Apr, 2022 2 commits
-
-
Petr Špaček authored
[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_11] See merge request !6108
-
- Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached. - Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child. - Check that glue is rejected if its name falls below that of zone configured locally. - Check that an extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before). - v9_11 backport: Revert primary/secondary to master/slave, backport rndc helper, backport ns8 config. (cherry picked from commit bf3fffff)
-
- 23 Mar, 2022 2 commits
-
-
Ondřej Surý authored
Save parsed tsan files with .txt extension See merge request !6022
-
Ondřej Surý authored
When the parse tsan files have text extension they can be viewed directly in the GitLab web UI without downloading them locally. (cherry picked from commit 80582073)
-
- 16 Mar, 2022 1 commit
-
-
Michał Kępień authored
Merge 9.11.37 release branch See merge request !5992
-
- 07 Mar, 2022 3 commits
-
-
Tinderbox User authored
-
Tinderbox User authored
-
Michał Kępień authored
Prepare documentation for BIND 9.11.37 See merge request isc-private/bind9!394
-
- 04 Mar, 2022 1 commit
-
-
Michał Kępień authored
-
- 03 Mar, 2022 8 commits
-
-
Michał Kępień authored
[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses See merge request isc-private/bind9!381
-
Compound literals are not used in BIND 9.11, in order to ensure backward compatibility with ancient compilers. Rework the relevant parts of the BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals are not used.
-
-
-
When caching glue, we need to ensure that there is no closer source of truth for the name. If the owner name for the glue record would be answered by a locally configured zone, do not cache.
-
When caching additional and glue data *not* from a forwarder, we must check that there is no "forward only" clause covering the owner name that would take precedence. Such names would normally be allowed by baliwick rules, but a "forward only" zone introduces a new baliwick scope.
-
If we are using a fowarder, in addition to checking that names to be cached are subdomains of the forwarded namespace, we must also check that there are no subsidiary forwarded namespaces which would take precedence. To be safe, we don't cache any responses if the forwarding configuration has changed since the query was sent.
-
When using a forwarder, check that the owner name of response records are within the bailiwick of the forwarded name space.
-
- 14 Feb, 2022 4 commits
-
-
Michal Nowak authored
[v9_11] Run spatch jobs in parallel See merge request !5834
-
Michal Nowak authored
Also make the script more verbose to identify which patch is being processed and check for failures in spatch standard error output. (cherry picked from commit 48c44fe6)
-
Michal Nowak authored
[v9_11] Update Coverity Scan CI job to 2021.12.1 See merge request !5831
-
Michal Nowak authored
(cherry picked from commit f0edf07f)
-
- 03 Jan, 2022 1 commit
-
-
Michal Nowak authored
[v9_11] Update copyrights to 2022 See merge request !5683
-