BIND merge requests
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests
Updated: 2021-12-01T11:30:28Z

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5602
XoT: add support client-side TLS parameters for incoming XFRs, add 'tls' name configuration validation on secondaries
2021-12-01T11:30:28Z, Artem Boldariev

This merge request adds support for client-side TLS parameters to XoT.
Prior to this commit all client-side TLS contexts were using default
parameters only, ignoring the options from the BIND's configuration
file, even when a valid 'tls' configuration was specified, like in:
```
tls tls-v1.2-pfs {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers no;
};
zone "example" {
type secondary;
primaries { 10.53.0.1 tls tls-v1.2-pfs; }; // only "ephemeral" were truly supported here before
file "example.db";
allow-transfer { any; };
};
```
Currently, the following `tls` parameters are supported:
- protocols;
- ciphers;
- prefer-server-ciphers.
Also, this merge request ensures that the `tls` name specified in the 'primaries'
clause of a `zone` statement is a valid one (defined).
Prior to that an invalid configuration would be silently accepted, leading to failures earlier:
```
zone "example" {
type secondary;
primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
file "example.db";
allow-transfer { any; };
};
```
In addition to that, it fixes a logical mistake in the code which would lead to an abort() on systems with ancient OpenSSL versions, like Red Hat Linux 7 (on startup or on zone transfer via XoT; the latter was possible only in this branch).
Partially addresses #2450
In a way, it is also a substitute for #2992, which has no chance to make it into 9.18.
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5608
[v9_16] Fix catalog zone reconfiguration crash
2021-12-01T10:31:03Z, Arаm Sаrgsyаn

The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
Closes #1608
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5388
Resolve "The list of fetches at the end of 'rndc recursing' output is very poorly explained in the ARM - what does 'allowed' mean?"
2021-12-01T09:08:11Z, Mark Andrews

Closes #2850
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5600
Remove unused 'tls' clause options: 'ca-file' and 'hostname'
2021-12-01T08:59:13Z, Artem Boldariev

This MR disables the unused 'tls' clause options. For these some
backing code exists, but their values are not really used anywhere,
nor are there sufficient syntax tests for them.
The intention is to re-enable them when we have the backing code implemented.
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5590
Resolve #3022: DoH: dig eventually aborts on ALPN negotiation failure when issuing a DoH query (because of dangling handles)
2021-12-01T08:58:48Z, Artem Boldariev

This commit removes an unneeded isc__nmsocket_prep_destroy() call on ALPN
negotiation failure, which was eventually causing the TLS handle to
leak.
This call is not needed, as not attaching to the transport (TLS)
handle should be enough. At this point it seems like a kludge from
earlier days of the TLS code.
Closes #3022
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5596
Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
2021-12-01T08:54:17Z, Mark Andrews

The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer. If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.
(cherry picked from commit 08f1cba096243cd14041731b7ea1ad45e54e87b0)
Closes #3021
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5481
Fix catalog zone reconfiguration crash
2021-12-01T08:49:06Z, Arаm Sаrgsyаn

A `named` crash was being observed when commenting out a `catalog-zone`
configuration option, doing `rndc reconfig`, then enabling back the
`catalog-zone` option and doing another `rndc reconfig`.
This commit makes sure to implement the required cleanup of the
in-memory catalog zone during the first `rndc reconfig`, so that
the second `rndc reconfig` could find it in an expected state.
Closes #1608
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5576
fix intermittent resolver test error
2021-12-01T08:37:26Z, Evan Hunt

the resolver test checks that the correct number of fetches have
been sent for NS rrsets of a given size, but it formerly did so by
counting queries received by the authoritative server, which could
result in an off-by-one count if one of the queries had been resent
due to a timeout or a port number collision.
this commit changes the test to count fetches initiated by the
resolver, which should prevent the intermittent test failure, and
is the actual datum we were interested in anyway.
Closes #3013
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5580
Resolve "Broken ECDSA signatures may be generated with certain private keys"
2021-12-01T08:36:57Z, Mark Andrews

Closes #3014
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4793
Set Extended EDNS Error (EDE) Prohibited (18)
2021-12-01T08:36:02Z, Matthijs Mekking <matthijs@isc.org>

See #1836
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5569
Fix the data race when shutting down dns_adb
2021-12-01T08:35:31Z, Ondřej Surý

When dns_adb is shutting down, first the adb->shutting_down flag is set
and then a task is created that runs shutdown_stage2() that sets the
shutdown flag on names and entries. However, when dns_adb_createfind()
is called, only the individual shutdown flags are being checked, and the
global adb->shutting_down flag was not checked. Because of that it was
possible for a different thread to slip in and create a new find between
the dns_adb_shutdown() and dns_adb_detach(), but before the
shutdown_stage2() task is complete. This was detected by
ThreadSanitizer as a data race because the zonetable might have been
already detached by the dns_view shutdown process and simultaneously
accessed by dns_adb_createfind().
This commit converts the adb->shutting_down to atomic_bool to prevent
the global adb lock when creating the find.
Closes #2978
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5583
Update docs with correct cookie-algorithm values (9.16)
2021-12-01T08:33:14Z, Matthijs Mekking <matthijs@isc.org>

The documentation was inconsistent with the code. The new description
for cookie-algorithm now reflects the current behavior.
The following two commits are the relevant code changes to this
section of docs: afa81ee4 a912f313
(cherry picked from commit b29a7481199dd0c76f250f26ac89de49e767785d)
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5579
Make mdig use the OS-supplied ephemeral port range
2021-12-01T08:31:57Z, Evan Hunt

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5552
Make mdig use the OS-supplied ephemeral port range
2021-12-01T08:31:49Z, Evan Hunt

mdig was always using the default 1024-65535 range for outgoing
messages, instead of using the system's configured ephemeral ports.
Closes #2374
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5577
Update comments around built in trust anchors
2021-12-01T08:29:33Z, Mark Andrews

The comments now say "# BEGIN TRUST ANCHORS" and "# END TRUST ANCHORS".
(cherry picked from commit 43a7f3f5324a2ea09605cbf0c42bf2a6dbf78c82)
Closes #3012
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5575
Resolve "BEGIN/END DNSSEC/MANAGED KEYS in bin/named/config.c are mismatched."
2021-12-01T08:29:25Z, Mark Andrews

Closes #3012
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5571
Add flycheck configuration for libxml2 and json-c on Linux
2021-12-01T08:28:44Z, Ondřej Surý

(cherry picked from commit 41f86440c44e5800190f069fa74d7a997eb6e40b)
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5566
Replace incorrect sed expression with awk
2021-12-01T08:17:26Z, Mark Andrews

The sed expression could find the wrong instance of 10.
Use awk to replace the TTL field and also to specify the
server and issue the send command.
(cherry picked from commit be879cda728b9fac3208f39148869d46c9c919e7)
Closes #3003
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5559
Resolve "Greedy regular expression causes intermittent "nsupdate" system test failures"
2021-12-01T08:17:20Z, Mark Andrews

Closes #3003
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5493
Resolve #2854: DoH: Assign HTTP responses freshness lifetime according to the smallest TTL found in the Answer section
2021-12-01T07:30:50Z, Artem Boldariev

This merge request makes BIND assign HTTP responses freshness lifetime according to the smallest TTL found in the Answer section by setting the `max-age` value in the `Cache-Control` header when appropriate. The recommendations regarding this are given in section [5.1](https://datatracker.ietf.org/doc/html/rfc8484#section-5.1) of the specification, in particular:
> In particular, DoH servers SHOULD assign an explicit HTTP freshness
> lifetime (see Section 4.2 of [RFC7234]) so that the DoH client is
> more likely to use fresh DNS data. This requirement is due to HTTP
> caches being able to assign their own heuristic freshness (such as
> that described in Section 4.2.2 of [RFC7234]), which would take
> control of the cache contents out of the hands of the DoH server.
>
> The assigned freshness lifetime of a DoH HTTP response MUST be less
> than or equal to the smallest TTL in the Answer section of the DNS
> response. A freshness lifetime equal to the smallest TTL in the
> Answer section is RECOMMENDED. For example, if a HTTP response
> carries three RRsets with TTLs of 30, 600, and 300, the HTTP
> freshness lifetime should be 30 seconds (which could be specified as
> "Cache-Control: max-age=30"). This requirement helps prevent expired
> RRsets in messages in an HTTP cache from unintentionally being
> served.
For example:
![doh_max_age_h](/uploads/4dcdad00612dd3e108cd480d9ecc6fd0/doh_max_age_h.png)
That is the only part of the specification which has been unimplemented.
Closes #2854
Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)