BIND merge requests
Feed URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests
Feed updated: 2022-01-11T14:01:07Z

------------------------------------------------------------
!5618  Mark broken-nsec option as deprecated
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5618
Updated: 2022-01-11T14:01:07Z
Author:  Petr Špaček <pspacek@isc.org>

Mark broken-nsec option as deprecated

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5613  Improve the logging on failed TCP accept
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5613
Updated: 2021-12-06T10:01:18Z
Author:  Ondřej Surý

Previously, when TCP accept failed, we logged a message at
ISC_LOG_ERROR level. One common case in which this could happen is that the
client hits the TCP client quota and is put on hold, and when resumed, the
client has already given up and closed the TCP connection. In such a
case, named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845)
Closes #2700

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Ondřej Surý

------------------------------------------------------------
!5612  Restore the fetch context expiry timer
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5612
Updated: 2022-02-11T15:01:45Z
Author:  Michał Kępień

The lifetime expiry timer for the fetch context was removed
when we switched to using in-band netmgr timeouts. However,
it turns out some dependency loops can occur between a fetch
and the ADB or the validator; these deadlocks were formerly broken
when the timer fired, and now there's no timer. We can fix these
errors individually, but in the meantime we don't want the server
to get hung at shutdown because of dangling fetches.

This commit puts back a single timer, which fires two seconds
after the fetch should have completed, and shuts it down. It also
logs a message at level ERROR so we know about the problems when
they occur.
Closes #3040

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Evan Hunt

------------------------------------------------------------
!5611  Improve the logging on failed TCP accept
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5611
Updated: 2021-12-02T13:18:12Z
Author:  Ondřej Surý

Previously, when TCP accept failed, we logged a message at
ISC_LOG_ERROR level. One common case in which this could happen is that the
client hits the TCP client quota and is put on hold, and when resumed, the
client has already given up and closed the TCP connection. In such a
case, named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
Closes #2700

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5609  Resolve #2983: Increase startup timeout for servers in system tests
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5609
Updated: 2021-12-06T09:51:00Z
Author:  Artem Boldariev

This change is made in particular to address the issue with `doth`
system tests where servers are unable to initialise in time in the CI
system under high load (that happened particularly often for the Debian
Buster cross32 configuration). The delay is caused by TLS context creation on startup.

Even on my system the servers' initialisation in the test could take up to 20 seconds, let alone in the CI, which is under high load and might not have enough entropy data available.

Such a problem was found earlier after extending the `doth` system test with IPv6 tests, which doubled the number of contexts to create. Back then, extending the startup timeout from 15 to 25 seconds solved the problem. Now, as the test has been extended again, the problem has struck back.

The right solution is, of course, to (re)use TLS contexts sparingly,
while right now we create too many of them.
Closes #2983

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Artem Boldariev

------------------------------------------------------------
!5608  [v9_16] Fix catalog zone reconfiguration crash
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5608
Updated: 2021-12-01T10:31:03Z
Author:  Aram Sargsyan

The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda)
Closes #1608

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5605  Disable IDN2_USE_STD3_ASCII_RULES to idn2 conversion functions
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5605
Updated: 2022-04-26T13:22:26Z
Author:  Ondřej Surý

Disable IDN2_USE_STD3_ASCII_RULES for the libidn2 conversion because it
broke encoding some non-letter but valid domain names like _tcp or *.
This reverts commit ef8aa91740592a78c9162f3f7109167f2c9297a5.
Closes #1610

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5604  Update the description of fetches-per-zone counters
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5604
Updated: 2021-11-30T13:04:05Z
Author:  Mark Andrews

(cherry picked from commit 65f6d8af75d99de22f667149435d68d3862cda36)
Closes #2850

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Mark Andrews

------------------------------------------------------------
!5603  dnssec-dsfromkey should not convert revoked keys
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5603
Updated: 2021-12-06T10:30:17Z
Author:  Mark Andrews

It is pointless to convert revoked keys to DS or CDS records as
they cannot be used to provide a cryptographic link from the parent
zone.
(cherry picked from commit 04a5529c2da2187dde4cfce656fee023d55b1b47)
Closes #853

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Mark Andrews
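As an added illustration of the rule !5603 enforces (example code written for this page, not dnssec-dsfromkey's own implementation): a check that refuses to derive a DS or CDS from a DNSKEY carrying the REVOKE flag (RFC 5011; flags bit 8, mask 0x0080), next to the RFC 4034 Appendix B key tag that a DS for the key would carry. The `dnskey_t` type, the function names, the 4-byte key material and the extra protocol/ZONE-bit sanity checks are this example's own assumptions; the digest half of the DS record is left out because it needs SHA-256 over the owner name, and the refusal is the point.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011). */
#define DNSKEY_FLAG_ZONE   0x0100
#define DNSKEY_FLAG_REVOKE 0x0080
#define DNSKEY_FLAG_SEP    0x0001

/* Hypothetical minimal DNSKEY record; not BIND's dst_key_t. */
typedef struct {
	uint16_t flags;
	uint8_t protocol; /* always 3 for DNSSEC */
	uint8_t algorithm;
	const uint8_t *key;
	size_t keylen;
} dnskey_t;

static bool
dnskey_is_revoked(const dnskey_t *k) {
	return (k->flags & DNSKEY_FLAG_REVOKE) != 0;
}

/* DNSKEY RDATA wire form: flags(2) protocol(1) algorithm(1) public key. */
static size_t
dnskey_towire(const dnskey_t *k, uint8_t *buf, size_t buflen) {
	if (buflen < 4 + k->keylen) {
		return 0;
	}
	buf[0] = (uint8_t)(k->flags >> 8);
	buf[1] = (uint8_t)(k->flags & 0xff);
	buf[2] = k->protocol;
	buf[3] = k->algorithm;
	memcpy(buf + 4, k->key, k->keylen);
	return 4 + k->keylen;
}

/* Key tag over the RDATA, RFC 4034 Appendix B (all algorithms except 1). */
static uint16_t
dnskey_keytag(const uint8_t *rdata, size_t len) {
	uint32_t ac = 0;
	for (size_t i = 0; i < len; i++) {
		ac += (i & 1) ? rdata[i] : ((uint32_t)rdata[i] << 8);
	}
	ac += (ac >> 16) & 0xffff;
	return (uint16_t)(ac & 0xffff);
}

/*
 * Key tag the DS/CDS for this key would carry, or -1 when no DS should be
 * produced: wrong protocol, not a zone key, or REVOKE set. A revoked key
 * cannot be the parent-side anchor of the chain, so emitting a DS for it
 * would publish a delegation that can never validate.
 */
static int
ds_keytag_for(const dnskey_t *k) {
	uint8_t rdata[4 + 4096];
	size_t n;

	if (k->protocol != 3 || (k->flags & DNSKEY_FLAG_ZONE) == 0) {
		return -1;
	}
	if (dnskey_is_revoked(k)) {
		return -1;
	}
	n = dnskey_towire(k, rdata, sizeof(rdata));
	return n == 0 ? -1 : (int)dnskey_keytag(rdata, n);
}

int
main(void) {
	/* Constructed 4-byte "public key"; real keys are far longer. */
	const uint8_t key[] = { 0x00, 0x01, 0x02, 0x03 };
	dnskey_t ksk = { DNSKEY_FLAG_ZONE | DNSKEY_FLAG_SEP, 3, 13, key, sizeof(key) };
	dnskey_t revoked = { DNSKEY_FLAG_ZONE | DNSKEY_FLAG_SEP | DNSKEY_FLAG_REVOKE,
			     3, 13, key, sizeof(key) };

	printf("KSK key tag for DS: %d\n", ds_keytag_for(&ksk));             /* 1554 */
	printf("revoked KSK: %d (no DS emitted)\n", ds_keytag_for(&revoked)); /* -1 */
	return 0;
}
```

The same key tag routine serves a second purpose in practice: when a DS in the parent does not match any non-revoked DNSKEY at the child, comparing tags is the quickest way to see whether the parent is still pointing at a key that has since been revoked.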
------------------------------------------------------------
!5602  XoT: add support client-side TLS parameters for incoming XFRs, add 'tls' name configuration validation on secondaries
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5602
Updated: 2021-12-01T11:30:28Z
Author:  Artem Boldariev

This merge request adds support for client-side TLS parameters to XoT.
Prior to this commit all client-side TLS contexts were using default
parameters only, ignoring the options from BIND's configuration
file, even when a valid 'tls' configuration was specified, like in:
```
tls tls-v1.2-pfs {
    protocols { TLSv1.2; };
    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
    prefer-server-ciphers no;
};

zone "example" {
    type secondary;
    primaries { 10.53.0.1 tls tls-v1.2-pfs; }; // only "ephemeral" was truly supported here before
    file "example.db";
    allow-transfer { any; };
};
```
Currently, the following `tls` parameters are supported:
- protocols;
- ciphers;
- prefer-server-ciphers.
Also, this merge request ensures that the `tls` name specified in the 'primaries'
clause of a `zone` statement is a valid (defined) one.
Previously, such an invalid configuration would be silently accepted, leading to failures:
```
zone "example" {
    type secondary;
    primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
    file "example.db";
    allow-transfer { any; };
};
```
In addition, it fixes a logical mistake in the code which would lead to an abort() on systems with ancient OpenSSL versions, like Red Hat Linux 7 (on startup or on zone transfer via XoT; the latter was possible only in this branch).

Partially addresses #2450

In a way, it is also a substitute for #2992, which has no chance to make it into 9.18.

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Artem Boldariev

------------------------------------------------------------
!5600  Remove unused 'tls' clause options: 'ca-file' and 'hostname'
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5600
Updated: 2021-12-01T08:59:13Z
Author:  Artem Boldariev

This MR disables the unused 'tls' clause options. For these some
backing code exists, but their values are not really used anywhere,
nor are there sufficient syntax tests for them.
The intention is to re-enable them when we have the backing code implemented.

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Artem Boldariev

------------------------------------------------------------
!5599  Shutdown all active TCP connections on error
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5599
Updated: 2021-12-01T20:26:04Z
Author:  Ondřej Surý

When an outgoing TCP connection was prematurely terminated (e.g. with a
connection reset), the dispatch code would not clean up the resources
used by such a connection, leading to dangling dns_dispentry_t entries.
This branch introduces refactored tcp_recv() code that cleanly shuts
down the TCP connection and cleans up resources on any failure, now also including
the cases when the server sends the client a garbage DNS message, a DNS
query, or a non-matching DNS answer.
Closes #3026

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5596  Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5596
Updated: 2021-12-01T08:54:17Z
Author:  Mark Andrews

The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer. If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.
(cherry picked from commit 08f1cba096243cd14041731b7ea1ad45e54e87b0)
Closes #3021

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Mark Andrews

------------------------------------------------------------
!5594  [v9_16] Fix "array subscript is of type 'char'" on NetBSD 9
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5594
Updated: 2021-11-25T18:20:13Z
Author:  Michal Nowak

```
In file included from rdata.c:602:
In file included from ./code.h:88:
./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
        if (!isdigit(*region->base)) {
             ^~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
#define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
                                           ^~~~
```
(cherry picked from commit d09447287f02cdf479cf2e542e4ab0efe7a024fe)

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

------------------------------------------------------------
!5593  Add OPENSSL_cleanup to tls_shutdown function
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5593
Updated: 2021-12-08T11:03:18Z
Author:  Matthijs Mekking <matthijs@isc.org>

This prevents a direct leak in OPENSSL_init_crypto (called from
OPENSSL_init_ssl).

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Matthijs Mekking <matthijs@isc.org>

------------------------------------------------------------
!5592  Resolve "doh_connect_makeuri fails on illumos"
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5592
Updated: 2021-11-25T12:58:29Z
Author:  Mark Andrews

Closes #3024

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Mark Andrews

------------------------------------------------------------
!5591  Fix "array subscript is of type 'char'" on NetBSD 9
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5591
Updated: 2021-11-25T17:53:37Z
Author:  Michal Nowak

```
In file included from rdata.c:602:
In file included from ./code.h:88:
./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
        if (!isdigit(*region->base)) {
             ^~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
#define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
                                           ^~~~
```

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Michal Nowak
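The warning in !5591 and its 9.16 backport !5594 is the compiler flagging a real portability and memory-safety bug rather than noise: the `<ctype.h>` classifiers are defined only for values representable as `unsigned char` (or EOF), and NetBSD's table-driven `isdigit` turns a negative `char` into a negative array subscript, an out-of-bounds read. The following is an added example for this page (not the svcb_64.c change itself) of the idiomatic cast and a small digit-prefix parser built on it, fed a constructed input that contains a byte above 0x7F. The helper names and the inputs are assumptions.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * isdigit() and the other <ctype.h> classifiers are only defined for values
 * representable as 'unsigned char' or equal to EOF. With a plain 'char'
 * argument on a signed-char platform, a byte >= 0x80 is negative, and a
 * table-driven implementation such as NetBSD's
 *     #define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
 * indexes the table with a negative subscript: undefined behaviour, in
 * practice an out-of-bounds read (only -1, EOF, is a valid negative index).
 * Widening through 'unsigned char' first is the standard fix and is what
 * silences -Wchar-subscripts.
 */
static bool
safe_isdigit(char c) {
	return isdigit((unsigned char)c) != 0; /* never a negative index */
}

/*
 * Parse a leading run of ASCII decimal digits out of 'text' (think of the
 * numeric part of an SvcParamKey such as "key65535"). Returns the number of
 * bytes consumed (0 when 'text' does not start with a digit) or -1 on
 * overflow of unsigned long. Non-ASCII bytes simply stop the scan instead
 * of being fed to the classifier as negative values.
 */
static int
parse_decimal_prefix(const char *text, size_t length, unsigned long *valuep) {
	unsigned long value = 0;
	size_t i;

	for (i = 0; i < length && safe_isdigit(text[i]); i++) {
		unsigned int digit = (unsigned char)text[i] - '0';
		if (value > (ULONG_MAX - digit) / 10) {
			return -1; /* would overflow */
		}
		value = value * 10 + digit;
	}
	if (i == 0) {
		return 0;
	}
	*valuep = value;
	return (int)i;
}

int
main(void) {
	/* Constructed inputs: a port number, then UTF-8 "é" (0xC3 0xA9). */
	const char ok[] = "853 rest";
	const char high[] = "\xC3\xA9";
	unsigned long v = 0;
	int n = parse_decimal_prefix(ok, sizeof(ok) - 1, &v);

	printf("consumed %d byte(s), value %lu\n", n, v); /* 3, 853 */
	printf("0xC3 is a digit? %s\n", safe_isdigit(high[0]) ? "yes" : "no"); /* no */
	return 0;
}
```

The cast matters most in exactly the places a DNS server meets attacker-controlled bytes: zone file text, presentation-format parsing in `dig`, and anything that walks a `char *` region byte by byte.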
negotiation failure, which was eventually causing the TLS handle to
leak.
This call is not needed, as not attaching to the transport (TLS)
handle should be enough. A...This commit removes unneeded isc__nmsocket_prep_destroy() call on ALPN
negotiation failure, which was eventually causing the TLS handle to
leak.
This call is not needed, as not attaching to the transport (TLS)
handle should be enough. At this point it seems like a kludge from
earlier days of the TLS code.
Closes #3022

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Artem Boldariev

------------------------------------------------------------
!5588  Resolve "dns_sdlz_putrr does not auto increase buffer"
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5588
Updated: 2021-11-26T21:32:04Z
Author:  Mark Andrews

Closes #3021

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Mark Andrews
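!5596 and !5588 above both close #3021, and both come down to one rule about a grow-and-retry loop: the producer's ISC_R_NOSPACE must survive unchanged inside the loop so the caller can enlarge the buffer, and only after retries are exhausted does it become DNS_R_SERVFAIL. The following is an added example that shows the pattern in isolation (written for this page; the result codes, the `produce_record` stand-in, the size bound and the record text are constructed and are not BIND's dns_sdlz_putrr code).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes standing in for isc_result_t / dns_result_t. */
typedef enum {
	R_SUCCESS = 0,
	R_NOSPACE,  /* output did not fit: recoverable, caller should grow */
	R_SERVFAIL, /* final answer to the client: unrecoverable */
	R_NOMEMORY
} result_t;

/*
 * Stand-in for a putrr-style producer: writes a record in presentation form
 * into 'buf' or reports R_NOSPACE when it does not fit. It only knows about
 * its own buffer; growing it is the caller's job.
 */
static result_t
produce_record(const char *record, char *buf, size_t buflen) {
	size_t n = strlen(record) + 1;
	if (n > buflen) {
		return R_NOSPACE;
	}
	memcpy(buf, record, n);
	return R_SUCCESS;
}

/*
 * Grow-and-retry driver. Doubles the buffer on every R_NOSPACE, bounded by
 * 'max_len' so an oversized record cannot drive unbounded allocation.
 * On success *out holds the record (caller frees) and *final_len the buffer
 * size that finally fit. The R_NOSPACE -> R_SERVFAIL mapping happens once,
 * after the loop; doing it inside the loop would make the very first
 * "too small" fatal and defeat the retry entirely.
 */
static result_t
fetch_record(const char *record, size_t initial_len, size_t max_len,
	     char **out, size_t *final_len) {
	size_t len = initial_len > 0 ? initial_len : 1;
	char *buf = NULL;
	result_t r = R_NOSPACE;

	while (r == R_NOSPACE && len <= max_len) {
		char *nbuf = realloc(buf, len);
		if (nbuf == NULL) {
			free(buf);
			return R_NOMEMORY;
		}
		buf = nbuf;
		r = produce_record(record, buf, len);
		if (r == R_NOSPACE) {
			len *= 2; /* R_NOSPACE is kept as-is: it drives the retry */
		}
	}
	if (r == R_NOSPACE) {
		/* retries exhausted: only now does "no space" become SERVFAIL */
		free(buf);
		return R_SERVFAIL;
	}
	*out = buf;
	*final_len = len;
	return r;
}

int
main(void) {
	/* Constructed record text; not real zone data. */
	const char *rec = "constructed. 3600 IN TXT \"example\"";
	char *out = NULL;
	size_t len = 0;
	result_t r = fetch_record(rec, 16, 4096, &out, &len);

	printf("result %d, buffer grew to %zu bytes: %s\n", (int)r, len,
	       r == R_SUCCESS ? out : "(none)"); /* result 0, 64 bytes */
	free(out);
	return 0;
}
```

The bound on growth is the part worth keeping in mind when reviewing such loops: without it, a record that can never fit (or a producer that always reports no space) turns a retry loop into an allocation loop.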
------------------------------------------------------------
!5587  Resolve #2776: Extend 'allow-transfer' with 'port' and 'transport' parameters
URL:     https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5587
Updated: 2024-03-08T05:47:21Z
Author:  Artem Boldariev

This MR extends ACL syntax with `port` and `transport` options.
```
zone "example" {
    ...
    allow-transfer port 853 transport tls { any; };
};
```
The runtime representation and ACL loading code are extended to allow
the syntax to be used beyond the `allow-transfer` option (e.g. in
`acl` definitions and other `allow-*` options) and can be used to
ultimately extend the ACL support with transport-only
ACLs. For example, it could look as follows:
```
transport-acl do53 transport udp-tcp;
transport-acl allow-tls port 853 transport tls;
transport-acl allow-http port 443 transport http;

acl https-tls { !do53; allow-tls; allow-http; any; };

options {
    allow-query { https-tls; };
};
```
But, due to the fundamental nature of such a change, it has not been completed as
part of the 9.17.X release series, as that series is close to 9.18 stable
release status. That means that we do not have enough time to fully
test it. So, for now, the transport options are allowed only in `allow-transfer` options, as required by #2776.

The complete integration is planned as part of the 9.19.X release
series in a separate issue.

The code was manually verified to work as expected by temporarily
enabling the extended syntax for `acl` statements and `allow-query`
options, including ACL merging and negated ACLs (this can be trivially enabled):
```
acl tls port 853 transport tls {};
acl https-tls port 443 transport http { tls; };

zone "example" {
    type primary;
    file "example.db";
    allow-query { https-tls; any; };
};
```
Closes #2776

Milestone: December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Assignee:  Artem Boldariev