BIND issueshttps://gitlab.isc.org/isc-projects/bind9/-/issues2020-06-30T07:19:07Zhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1949check-names doesn't use 'primary' and 'secondary'2020-06-30T07:19:07ZEvan Huntcheck-names doesn't use 'primary' and 'secondary'`primary` and `secondary` are valid parameters for the `check-names` option in the parser, but they were never hooked in to `named_zone_configure()` correctly and are currently being ignored.`primary` and `secondary` are valid parameters for the `check-names` option in the parser, but they were never hooked in to `named_zone_configure()` correctly and are currently being ignored.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1948add synonym for "masters"2021-01-12T14:24:13ZEvan Huntadd synonym for "masters"When I made `primary` and `secondary` valid zone types, I didn't add `primaries` as a synonym for `masters` because I didn't want to deal with the added complexity of both terms being used in the same context. Time to finish it though.When I made `primary` and `secondary` valid zone types, I didn't add `primaries` as a synonym for `masters` because I didn't want to deal with the added complexity of both terms being used in the same context. Time to finish it though.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1946dnstap-read.1 man page installed when dnstap-read binary is missing2021-03-18T12:36:04ZAnand Buddhdevdnstap-read.1 man page installed when dnstap-read binary is missing### Summary
When BIND 9.16.4 is built without --enable-dnstap, it still installs the man page for dnstap-read. Earlier versions of BIND did not do this.
### BIND version used
9.16.4
### Steps to reproduce
When building BIND, do *not...### Summary
When BIND 9.16.4 is built without --enable-dnstap, it still installs the man page for dnstap-read. Earlier versions of BIND did not do this.
### BIND version used
9.16.4
### Steps to reproduce
When building BIND, do *not* pass the --enable-dnstap option to configure. Then "make install".
### What is the current *bug* behavior?
A man page for dnstap-read is installed in the PREFIX/share/man/man1 directory.
### What is the expected *correct* behavior?
The man page should not be installed.
### Relevant configuration files
n/a
### Relevant logs and/or screenshots
n/a
### Possible fixes
I don't have a fix.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1945system:clang:tsan has bad $SYMBOLIZER2020-06-29T13:04:21ZMark Andrewssystem:clang:tsan has bad $SYMBOLIZERJob [#954307](https://gitlab.isc.org/isc-projects/bind9/-/jobs/954307) failed for 183e1ace67a889b6b7a5bb146c0bba1e13755d28:
==named==1843==ERROR: External symbolizer path is set to '$SYMBOLIZER' which isn't a known symbolizer. Please se...Job [#954307](https://gitlab.isc.org/isc-projects/bind9/-/jobs/954307) failed for 183e1ace67a889b6b7a5bb146c0bba1e13755d28:
==named==1843==ERROR: External symbolizer path is set to '$SYMBOLIZER' which isn't a known symbolizer. Please set the path to the llvm-symbolizer binary or other known tool.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Ondřej SurýOndřej Surýhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1944prefer primary/secondary terminology in code2021-09-15T20:53:58ZEvan Huntprefer primary/secondary terminology in codeRelated to #1940, further cleanup of the code base would be good too.
- Change `master`/`slave` to `primary`/`secondary` in all system tests
- Change internal identifiers like `dns_zone_slave` and `CFG_ZONE_SLAVE` to match.
Goal state:...Related to #1940, further cleanup of the code base would be good too.
- Change `master`/`slave` to `primary`/`secondary` in all system tests
- Change internal identifiers like `dns_zone_slave` and `CFG_ZONE_SLAVE` to match.
Goal state: `master` and `slave` continue to work, but nothing calls attention to them.September 2021 (9.16.21, 9.16.21-S1, 9.17.18)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1943Remove references to "blacklist" and "whitelist" in BIND ARM2020-06-29T13:08:25ZSuzanne GoldlustRemove references to "blacklist" and "whitelist" in BIND ARMSince these are not actual commands, this terminology is unnecessary and could be considered offensive.Since these are not actual commands, this terminology is unnecessary and could be considered offensive.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Suzanne GoldlustSuzanne Goldlusthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1941TCP performance regression on FreeBSD2021-01-19T10:49:09ZMichal NowakTCP performance regression on FreeBSDBIND 9.16.4 (and presumably `master`) on a FreeBSD 12.1 (in a VM) has a TCP query performance regression compared to 9.16.3.
The [stress test](https://gitlab.isc.org/isc-private/bind-qa/-/tree/master/bind9/stress) executes four instance...BIND 9.16.4 (and presumably `master`) on a FreeBSD 12.1 (in a VM) has a TCP query performance regression compared to 9.16.3.
The [stress test](https://gitlab.isc.org/isc-private/bind-qa/-/tree/master/bind9/stress) executes four instances of Flamethrower: UDP IPv6, UDP IPv4, TCP IPv6, and TCP IPv4. Knowing that each TCP Flamethrower runs with 30 concurrent generators, each sending 100 queries every 1000 ms we can calculate number of expected TCP queries processed by BIND. If at least 90 % of this target is processed, the test is considered pass.
This test does pass on Linux (Fedora 32) but fails on FreeBSD 12.1. Some difference can be accounted to difference between these two environments as the former is a bare metal, the latter a KVM VM, but still 9.16.3 on FreeBSD 12.1 performs close to Linux.
**9.16.3: Stress test (FreeBSD 12.1 / recursive / 1 hour)**
```
INFO: Recursive server 'ns3' received 21066269 TCP queries
INFO: About 21600000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 19440000
INFO: BIND processed enough TCP queries
```
**9.16.4: Stress test (Fedora 32 / recursive / 1 hour)**
```
INFO: Recursive server 'ns3' received 20714111 TCP queries
INFO: About 21600000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 19440000
INFO: BIND processed enough TCP queries
```
**9.16.4: Stress test (FreeBSD 12.1 / recursive / 1 hour)**
```
INFO: Recursive server 'ns3' received 11103214 TCP queries
INFO: About 21600000 TCP queries were expected
INFO: Minimum number of TCP queries required to pass is 19440000
ERROR: BIND did not process enough TCP queries
```
There's a performance problem on BIND 9.11 on FreeBSD [too](https://gitlab.isc.org/isc-projects/bind9/-/issues/1942), but the TCP code seems to be a bit different.January 2021 (9.11.27, 9.11.27-S1, 9.16.11, 9.16.11-S1, 9.17.9)https://gitlab.isc.org/isc-projects/bind9/-/issues/1940Removing more references to "master" and "slave" in BIND ARM2021-01-12T14:33:07ZSuzanne GoldlustRemoving more references to "master" and "slave" in BIND ARMContinued cleanup of ARM files to remove offensive terminology where possible.Continued cleanup of ARM files to remove offensive terminology where possible.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Suzanne GoldlustSuzanne Goldlusthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1938Repeated bind 9.16.3 assert error in libuv (attempting restart after an earli...2020-07-20T13:58:01ZCathy AlmondRepeated bind 9.16.3 assert error in libuv (attempting restart after an earlier/different crash)From [Support ticket #16728](https://support.isc.org/Ticket/Display.html?id=16728):
After a crash (see [Support ticket #16727](https://support.isc.org/Ticket/Display.html?id=16727) and also #1937 )
named repeatedly crashing during resta...From [Support ticket #16728](https://support.isc.org/Ticket/Display.html?id=16728):
After a crash (see [Support ticket #16727](https://support.isc.org/Ticket/Display.html?id=16727) and also #1937 )
named repeatedly crashing during restart from systemd.
At least 14 crashes before filesystem full of core files.
```
(gdb) core /var/log/splunk/core/core.10047
(gdb) bt
#0 0x00007fa36e777207 in raise () from /lib64/libc.so.6
#1 0x00007fa36e7788f8 in abort () from /lib64/libc.so.6
#2 0x00007fa36e770026 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fa36e7700d2 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fa36f36fed1 in uv__udp_finish_close () from /lib64/libuv.so.1
#5 0x00007fa36f361c68 in uv_run () from /lib64/libuv.so.1
#6 0x0000000000633c4a in nm_thread (worker0=0x1f35ac8) at netmgr.c:481
#7 0x00007fa36ef33dd5 in start_thread () from /lib64/libpthread.so.0
#8 0x00007fa36e83eead in clone () from /lib64/libc.so.6
(gdb) frame 4
#4 0x00007fa36f36fed1 in uv__udp_finish_close () from /lib64/libuv.so.1
(gdb) info frame 4
Stack frame at 0x7fa36a81ed30:
rip = 0x7fa36f36fed1 in uv__udp_finish_close; saved rip 0x7fa36f361c68
called by frame at 0x7fa36a81eda0, caller of frame at 0x7fa36a81ed20
Arglist at 0x7fa36a81ed18, args:
Locals at 0x7fa36a81ed18, Previous frame's sp is 0x7fa36a81ed30
Saved registers:
rbx at 0x7fa36a81ed20, rip at 0x7fa36a81ed28
ti0016o823(root) named 1329# /local/sbin/named -V
BIND 9.16.3 (Stable Release) <id:5ea41c1>
running on Linux x86_64 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019
built by make with 'CFLAGS=-m64 -g -O2' '--prefix=/local' '--localstatedir=/var' '--with-openssl=yes' '--with-libtool' '--enable-static=yes' '--disable-shared' '--enable-largefile' '--sysconfdir=/etc/named' '--with-libxml2=no' '--with-tuning=large' '--with-python=/usr/bin/python3' '--with-libjson'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-39)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
default paths:
named configuration: /etc/named/named.conf
rndc configuration: /etc/named/rndc.conf
DNSSEC root key: /etc/named/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
```
They think they've run libuv 1.37 for a time.
It seems there is a 1.38 that they could upgrade to (under sysadmin discussion...)
```
Available Packages
Name : libuv
Arch : x86_64
Epoch : 1
Version : 1.38.0
Release : 2.el7
Size : 148 k
Repo : epel/x86_64
Summary : Platform layer for node.js
URL : http://libuv.org/
License : MIT and BSD and ISC
Description : libuv is a new platform layer for Node. Its purpose is to abstract
: IOCP on Windows and libev on Unix systems. We intend to eventually
: contain all platform differences in this library.
```July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)https://gitlab.isc.org/isc-projects/bind9/-/issues/1937BIND 9.16.3 segfault in isc__nm_tcpdns_send2020-07-20T13:58:01ZCathy AlmondBIND 9.16.3 segfault in isc__nm_tcpdns_sendFrom [Support ticket #16727](https://support.isc.org/Ticket/Display.html?id=16727) (details of core dump etcetera can be found there).
Crash on a BIND 9.16.3 (Stable Release) <id:5ea41c1>
(with no rehash patch - that is the one to make ...From [Support ticket #16727](https://support.isc.org/Ticket/Display.html?id=16727) (details of core dump etcetera can be found there).
Crash on a BIND 9.16.3 (Stable Release) <id:5ea41c1>
(with no rehash patch - that is the one to make it possible to start named with larger hash tables so that there is no hash table resizing as cache expands)
```
core /var/log/splunk/core/core.19901
Core was generated by `/local/sbin/named -f -c /etc/named/named.conf -u named -n 12'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000637859 in isc__nm_tcpdns_send (handle=0x7f01eb0cdcf0, region=0x7f01ff3c2700, cb=0x478fc0 <client_senddone>, cbarg=0x7f01eb0cde60)
at tcpdns.c:483
483 tcpdns.c: No such file or directory.
Missing separate debuginfos, use: debuginfo-install glibc-2.17-260.el7_6.5.x86_64 json-c-0.11-4.el7_0.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-37.el7_6.x86_64 libattr-2.4.46-13.el7.x86_64 libcap-2.22-9.el7.x86_64 libcom_err-1.42.9-13.el7.x86_64 libselinux-2.5-14.1.el7.x86_64 libuv-1.37.0-1.el7.x86_64 openssl-libs-1.0.2k-16.el7_6.1.x86_64 pcre-8.32-17.el7.x86_64 sssd-client-1.16.2-13.el7_6.8.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) bt
#0 0x0000000000637859 in isc__nm_tcpdns_send (handle=0x7f01eb0cdcf0, region=0x7f01ff3c2700, cb=0x478fc0 <client_senddone>, cbarg=0x7f01eb0cde60)
at tcpdns.c:483
#1 0x000000000063231d in isc_nm_send (handle=<optimized out>, region=<optimized out>, cb=<optimized out>, cbarg=<optimized out>) at netmgr.c:1309
#2 0x00000000004770d7 in client_sendpkg (client=client@entry=0x7f01eb0cde60, buffer=0x7f01ff3c2780, buffer=0x7f01ff3c2780) at client.c:366
#3 0x0000000000478064 in ns_client_send (client=client@entry=0x7f01eb0cde60) at client.c:634
#4 0x0000000000485a6c in query_send (client=0x7f01eb0cde60) at query.c:552
#5 0x000000000048dd13 in ns_query_done (qctx=qctx@entry=0x7f01ff3c4830) at query.c:10921
#6 0x000000000048f65d in query_respond (qctx=0x7f01ff3c4830) at query.c:7414
#7 query_prepresponse (qctx=qctx@entry=0x7f01ff3c4830) at query.c:9913
#8 0x000000000049170c in query_gotanswer (qctx=qctx@entry=0x7f01ff3c4830, res=res@entry=0) at query.c:6836
#9 0x0000000000496760 in query_resume (qctx=0x7f01ff3c4830) at query.c:6134
#10 fetch_callback (task=<optimized out>, event=0x7f0157df1490) at query.c:5716
#11 0x000000000064168a in dispatch (threadid=<optimized out>, manager=<optimized out>) at task.c:1152
#12 run (queuep=<optimized out>) at task.c:1344
#13 0x00007f020a26bdd5 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f0209b76ead in clone () from /lib64/libc.so.6
(gdb) info frame 0
(gdb) info locals
t = 0x7f01a3fc7f28
sock = 0x7f015c8c9e10
(gdb) print *t
$1 = {mctx = 0x7f0193bfdd78, handle = 0x7f01eff53560, region = {base = 0x0, length = 215}, orighandle = 0x7f00f447c4a0, cb = 0x478fc0 <client_senddone>,
cbarg = 0x7f00f447c610}
(gdb) print *t->mtx
There is no member named mtx.
(gdb) print *(t->mctx)
$2 = {impmagic = 1337724176, magic = 32513, methods = 0x7f01dffd1690}
(gdb) print *(t->handle)
$3 = {magic = 0, references = 0, sock = 0x0, ah_pos = 0, inflight = false, peer = {type = {sa = {sa_family = 0, sa_data = '\000' <repeats 13 times>}, sin = {
sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, sin6 = {sin6_family = 0, sin6_port = 0,
sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0,
0}}}, sin6_scope_id = 0}, ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0}, sunix = {sun_family = 0,
sun_path = '\000' <repeats 107 times>}}, length = 0, link = {prev = 0x0, next = 0x0}}, local = {type = {sa = {sa_family = 0,
sa_data = '\000' <repeats 13 times>}, sin = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"},
sin6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0,
0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}, ss = {ss_family = 0, __ss_padding = '\000' <repeats 117 times>, __ss_align = 0},
sunix = {sun_family = 0, sun_path = '\000' <repeats 107 times>}}, length = 0, link = {prev = 0x0, next = 0x0}}, doreset = 0x0, dofree = 0x0,
opaque = 0x0, extra = 0x7f01eff536d0 ""}
(gdb) print *(t->cbarg)
Attempt to dereference a generic pointer.
```
```
# ls -lst --full-time /var/log/splunk/core/core.19901
3243708 -rw------- 1 named named 3637059584 2020-06-13 21:42:52.861692911 +0200 /var/log/splunk/core/core.19901
```
Last syslog messages were:
```
2020-06-13T21:42:42.464+02:00 dispatch: dispatch 0x7f01b2a57550: shutting down due to TCP receive error: 172.105.106.137#53: connection reset
2020-06-13T21:42:42.558+02:00 dispatch: dispatch 0x7f01b3b48cc0: shutting down due to TCP receive error: 172.105.106.137#53: connection reset
```
And just before (as in, the logging is a bit out of sequence):
```
2020-06-13T21:42:42.000+02:00 2020-06-13T21:42:42+02:00 ti0016o823.ti.telenor.net kernel:
[30703183.144337] isc-worker0005[19921]: segfault at 118 ip 0000000000637859 sp 00007f01ff3c26c0
error 4 in named[400000+2f9000]
```
There is a full gdb backtrace of all the threads on the support ticket. Binaries and libs are on another support ticket [#16728](https://support.isc.org/Ticket/Display.html?id=16728)
====
Note that this server then had trouble restarting - repeated instances of another crash on startup.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)https://gitlab.isc.org/isc-projects/bind9/-/issues/1936blackhole ACL broken2020-07-03T07:16:21ZMichael McNallyblackhole ACL broken<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
A submitter who prefers to remain private sent this report to security-officer:
> Two weeks ago I upgraded my FreeBSD 11.4 BIND installs to 9.16.3 from a 2017 private build off 7fcd72f (right before your major query.c restructure). I was working with Cisco CSIRT this past week trying to trackdown DNS spoofers using Cisco address space and entered six addresses into my blackhole list, reloaded, and the spoofed packets kept coming in. So I reinstalled my 2017 private build and the blackhole ACL worked fine.
>
> For testing, I stripped my blackhole ACL down to a single IP address to test from and tested it against both my 2017 build and the 9.16.3 and same thing: works with my 2017 build but silently fails with 9.16.3. I tried with both the FreeBSD pkg version of BIND 9.16.3 and with the FreeBSD ports version of BIND 9.16.3 I built on the machine locally and both the pkg and ports versions fail.
### BIND version used
9.16.3, but we **suspect** probably introduced with netmgr in late 9.15.x and present in stable releases from 9.16.0
```
BIND 9.16.3 ports build named -V:
BIND 9.16.3 (Stable Release) <id:5ea41c1>
running on FreeBSD amd64 11.4-STABLE FreeBSD 11.4-STABLE #26 r361994: Wed Jun 10 00:36:44 UTC 2020 root@s203.sgt.com:/usr/obj/usr/src/sys/SGT11AMD64ZFS
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.4' 'build_alias=amd64-portbld-freebsd11.4' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG FreeBSD Clang 10.0.0 (git@github.com:llvm/llvm-project.git llvmorg-10.0.0-0-gd32170dbd5b)
compiled with OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### What is the current *bug* behavior?
Blackhole ACL does not appear to be appliedJuly 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)https://gitlab.isc.org/isc-projects/bind9/-/issues/1931Fix out-of-order RFCs in general.rst file of BIND ARM2020-06-29T13:06:45ZSuzanne GoldlustFix out-of-order RFCs in general.rst file of BIND ARMA couple of the RFCs are out of numerical order.A couple of the RFCs are out of numerical order.July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Suzanne GoldlustSuzanne Goldlusthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1930Possible race in TCP accepting vs quota2020-06-10T18:49:37ZWitold KrecickiPossible race in TCP accepting vs quotaThere's a possibility of a race in TCP accepting code:
1. T1 accepts a connection C1
2. T2 accepts a connection C2
3. T1 tries to accept a connection C3, but we hit a quota, isc_quota_cb_init() sets quota_accept_cb for the socket, we ret...There's a possibility of a race in TCP accepting code:
1. T1 accepts a connection C1
2. T2 accepts a connection C2
3. T1 tries to accept a connection C3, but we hit a quota, isc_quota_cb_init() sets quota_accept_cb for the socket, we return from accept_connection
4. T2 drops C2, but we race in quota_release with accepting C3 so we don't see quota->waiting is > 0, we don't launch the callback
5. T1 accepts a connection C4, we are able to get the quota we clear the quota_accept_cb from sock->quotacb
6. T1 drops C1, tries to call the callback which is zeroed, sigsegv.June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)https://gitlab.isc.org/isc-projects/bind9/-/issues/1928error: socket.c:1540: unexpected error:2020-08-31T13:13:06ZPeter Davieserror: socket.c:1540: unexpected error:We have upgraded from 9.11.19 to 9.16.3 overnight and have now started to see these events in the syslog.
```
Jun 9 22:20:13 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 22:20:13 pad-res0 named[58819]: error: ...We have upgraded from 9.11.19 to 9.16.3 overnight and have now started to see these events in the syslog.
```
Jun 9 22:20:13 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 22:20:13 pad-res0 named[58819]: error: unable to convert errno to isc_result: 71: Protocol error
```
After restart last night:
```
Jun 9 16:14:34 pad-res0 named[58819]: starting BIND 9.16.3 (Stable Release) <id:5ea41c1>
Jun 9 16:14:34 pad-res0 named[58819]: running on Linux x86_64 2.6.32-754.17.1.el6.x86_64 #1 SMP Thu Jun 20 11:47:12 EDT 2019
Jun 9 16:14:34 pad-res0 named[58819]: built with '--prefix=/usr/local/' '--sysconfdir=/etc' '--with-python=no' '--with-json-c' 'PKG_CONFIG_PATH=:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Jun 9 16:14:34 pad-res0 named[58819]: running as: named -f -u named
Jun 9 16:14:34 pad-res0 named[58819]: compiled by GCC 4.4.7 20120313 (Red Hat 4.4.7-23)
Jun 9 16:14:34 pad-res0 named[58819]: compiled with OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
Jun 9 16:14:34 pad-res0 named[58819]: linked to OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
Jun 9 16:14:34 pad-res0 named[58819]: compiled with libxml2 version: 2.7.6
Jun 9 16:14:34 pad-res0 named[58819]: linked to libxml2 version: 20706
Jun 9 16:14:34 pad-res0 named[58819]: compiled with json-c version: 0.11
Jun 9 16:14:34 pad-res0 named[58819]: linked to json-c version: 0.11
Jun 9 16:14:34 pad-res0 named[58819]: compiled with zlib version: 1.2.3
Jun 9 16:14:34 pad-res0 named[58819]: linked to zlib version: 1.2.3
Jun 9 16:14:34 pad-res0 named[58819]: ----------------------------------------------------
Jun 9 16:14:34 pad-res0 named[58819]: BIND 9 is maintained by Internet Systems Consortium,
Jun 9 16:14:34 pad-res0 named[58819]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 9 16:14:34 pad-res0 named[58819]: corporation. Support and training for BIND 9 are
Jun 9 16:14:34 pad-res0 named[58819]: available at https://www.isc.org/support
Jun 9 16:14:34 pad-res0 named[58819]: ----------------------------------------------------
Jun 9 16:14:34 pad-res0 named[58819]: adjusted limit on open files from 4096 to 1048576
Jun 9 16:14:34 pad-res0 named[58819]: /etc/named.conf:27: option 'dnssec-enable' is obsolete and should be removed
Jun 9 16:14:34 pad-res0 named[58819]: couldn't mkdir '/usr/local/var/run/named': Permission denied
Jun 9 16:14:34 pad-res0 named[58819]: couldn't mkdir '/usr/local/var/run/named': Permission denied
Jun 9 16:14:34 pad-res0 named[58819]: could not create /usr/local/var/run/named/session.key
Jun 9 16:14:34 pad-res0 named[58819]: failed to generate session key for dynamic DNS: permission denied
Jun 9 16:14:34 pad-res0 named[58819]: command channel listening on 127.0.0.1#953
Jun 9 16:14:34 pad-res0 named[58819]: command channel listening on ::1#953
Jun 9 16:14:34 pad-res0 named[58819]: notice: all zones loaded
Jun 9 16:14:34 pad-res0 named[58819]: notice: running
Jun 9 16:14:34 pad-res0 named[58819]: warning: checkhints: view defaultview: b.root-servers.net/A (199.9.14.201) missing from hints
Jun 9 16:14:34 pad-res0 named[58819]: warning: checkhints: view defaultview: b.root-servers.net/A (192.228.79.201) extra record in hints
Jun 9 16:14:34 pad-res0 named[58819]: warning: checkhints: view defaultview: b.root-servers.net/AAAA (2001:500:200::b) missing from hints
Jun 9 16:14:34 pad-res0 named[58819]: warning: checkhints: view defaultview: b.root-servers.net/AAAA (2001:500:84::b) extra record in hints
Jun 9 16:22:35 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 16:22:35 pad-res0 named[58819]: error: unable to convert errno to isc_result: 71: Protocol error
Jun 9 16:22:35 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 16:22:35 pad-res0 named[58819]: error: unable to convert errno to isc_result: 71: Protocol error
Jun 9 17:01:02 pad-res0 ntpdate[17116]: adjust time server 203.14.0.251 offset 0.047735 sec
Jun 9 17:13:02 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 17:13:02 pad-res0 named[58819]: error: unable to convert errno to isc_result: 71: Protocol error
Jun 9 17:13:02 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
Jun 9 17:13:02 pad-res0 named[58819]: error: unable to convert errno to isc_result: 71: Protocol error
Jun 9 17:28:28 pad-res0 named[58819]: error: socket.c:1540: unexpected error:
```
We are unsure what the error is relating to. Happy to provide any logs you require as these events are being recorded reasonably often.
RT #16586[](https://support.isc.org/Ticket/Display.html?id=16586)September 2020 (9.11.23, 9.11.23-S1, 9.16.7, 9.17.5)https://gitlab.isc.org/isc-projects/bind9/-/issues/1927keepalive appears to be unused2021-08-31T13:36:34ZEvan Huntkeepalive appears to be unusedI just noticed in passing that the function `isc_nm_tcpdns_keepalive()` is defined in the netmgr, but is never called by `named`. I think the intent was to call it when the client sent an EDNS TCP KEEPALIVE option, so that named would sw...I just noticed in passing that the function `isc_nm_tcpdns_keepalive()` is defined in the netmgr, but is never called by `named`. I think the intent was to call it when the client sent an EDNS TCP KEEPALIVE option, so that named would switch to using a longer timeout.
The keepalive system test missed this because it only tests option processing and configuration, not timeout behavior. It would be nice to address that as well, though since it would necessarily be timing-dependent, it might be very difficult to make the test reliable.September 2021 (9.16.21, 9.16.21-S1, 9.17.18)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1926Failed assertion in rdatalist.c: INSIST(list_rdata != ((void *)0))2020-07-01T13:39:04ZMichael McNallyFailed assertion in rdatalist.c: INSIST(list_rdata != ((void *)0))Kevan Benson wrote to security-officer@isc.org to say:
> We encountered an assertion failure in bind 9.16.3 running on an up to date CentOS 7 instance.
```
09-Jun-2020 13:27:19.816 cname: info: skipping nameserver 'ns1.fastclick.net' b...Kevan Benson wrote to security-officer@isc.org to say:
> We encountered an assertion failure in bind 9.16.3 running on an up to date CentOS 7 instance.
```
09-Jun-2020 13:27:19.816 cname: info: skipping nameserver 'ns1.fastclick.net' because it is a CNAME, while resolving '172.87.180.205.in-addr.arpa/PTR'
09-Jun-2020 13:27:19.816 cname: info: skipping nameserver 'ns2.fastclick.net' because it is a CNAME, while resolving '172.87.180.205.in-addr.arpa/PTR'
09-Jun-2020 13:27:20.007 trust-anchor-telemetry: info: client @0x7fdd09d71750 2602:24a:de40:7d90::#64256 (root-key-sentinel-not-ta-19036.d2a8n3.rootcanary.net): view internal-secure: root-key-sentinel-not-ta query label found
09-Jun-2020 13:27:20.018 trust-anchor-telemetry: info: client @0x7fdd116b9360 173.228.7.217#38979 (root-key-sentinel-not-ta-19036.d2a8n3.rootcanary.net): view internal-secure: root-key-sentinel-not-ta query label found
09-Jun-2020 13:27:20.581 general: critical: rdatalist.c:150: INSIST(list_rdata != ((void *)0)) failed
09-Jun-2020 13:27:20.582 general: critical: exiting (due to assertion failure)
```July 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/1925Additional text edits to BIND ARM2021-01-12T14:46:44ZSuzanne GoldlustAdditional text edits to BIND ARMCleaning up various anomalies in formatting, contentCleaning up various anomalies in formatting, contentJuly 2020 (9.11.21, 9.11.21-S1, 9.16.5, 9.17.3)Suzanne GoldlustSuzanne Goldlusthttps://gitlab.isc.org/isc-projects/bind9/-/issues/1923Teach danger about placeholder in CHANGES.2021-01-29T12:54:40ZMark AndrewsTeach danger about placeholder in CHANGES.February 2021 (9.11.28, 9.11.28-S1, 9.16.12, 9.16.12-S1, 9.17.10)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1921Adapt CI jobs involved in producing release tarballs to work with Automake & ...2020-06-09T12:56:40ZMichał KępieńAdapt CI jobs involved in producing release tarballs to work with Automake & Sphinx - Source tarballs for `master` should be produced using `make dist`.
- Release tarballs for `master` and `v9_16` must contain
Sphinx-generated documentation files.
Internal discussion led to the following solution:
- Include... - Source tarballs for `master` should be produced using `make dist`.
- Release tarballs for `master` and `v9_16` must contain
Sphinx-generated documentation files.
Internal discussion led to the following solution:
- Include the ARM in HTML, PDF, and EPUB formats in the release
tarball (i.e. in the FTP directory for a given release).
- Do not prepare any separate documents with just the release notes,
but point the reader towards them.June 2020 (9.11.20, 9.11.20-S1, 9.16.4, 9.17.2)Michał KępieńMichał Kępieńhttps://gitlab.isc.org/isc-projects/bind9/-/issues/1920[netmgr] tcpdns ineffective2020-12-09T09:53:34ZOndřej Surý[netmgr] tcpdns ineffectiveWhile reviewing some other stuff, in `lib/isc/netmgr/tcp.c` there's this code:
```
t->region = (isc_region_t){ .base = isc_mem_get(t->mctx,
region->length + 2),
...While reviewing some other stuff, in `lib/isc/netmgr/tcp.c` there's this code:
```
t->region = (isc_region_t){ .base = isc_mem_get(t->mctx,
region->length + 2),
.length = region->length + 2 };
*(uint16_t *)t->region.base = htons(region->length);
memmove(t->region.base + 2, region->base, region->length);
```
1) the memory returned by `isc_mem_get()` isn't guaranteed to be memory aligned, so you have unaligned write to the memory here.
2) doing `memmove()` just to add two bytes at the beginning of the buffer is inefficient.
Neither is to be fixed in this MR, but it should be fixed. The easiest way would be to rewrite the IO functions to work with `iovec`-like buffers, similar to what `uv_write()` does with `uv_buf_t[]`. Then it would be easy to just add two messages here, one with length, and one with the buffer.BIND 9.17 Backburner