1. 03 Feb, 2021 39 commits
    • Michal Nowak's avatar
      Merge branch 'mnowak/check-arm-pdf-validity' into 'main' · 64d5dad9
      Michal Nowak authored
      Check PDF file structure with QPDF
      See merge request !4620
    • Michal Nowak's avatar
      Check PDF file structure with QPDF · 359708b9
      Michal Nowak authored
      "qpdf --check" checks file structure of generated ARM PDF.
    • Matthijs Mekking's avatar
      Merge branch '2377-allow-a-records-below-an-_spf-label-as-a-check-names-exception' into 'main' · 3648eb29
      Matthijs Mekking authored
      Resolve "Allow A records below an '_spf' label as a check-names exception"
      Closes #2377
      See merge request !4529
    • Mark Andrews's avatar
      Add release note entry · 12949187
      Mark Andrews authored
    • Mark Andrews's avatar
      Add CHANGES · 2b5091ac
      Mark Andrews authored
    • Mark Andrews's avatar
    • Mark Andrews's avatar
    • Matthijs Mekking's avatar
      Merge branch '2375-dnssec-policy-three-is-a-crowd-rollover-bug' into 'main' · 5b8c8660
      Matthijs Mekking authored
      Resolve "three is a crowd" dnssec-policy key rollover bug
      Closes #2375
      See merge request !4541
    • Matthijs Mekking's avatar
      Add kasp test todo for [#2375] · 189f5a3f
      Matthijs Mekking authored
      This bugfix has been manually verified but is missing a unit test.
      Created GL #2471 to track this.
    • Matthijs Mekking's avatar
      Use NUM_KEYSTATES constant where appropriate · 98ace6d9
      Matthijs Mekking authored
      We use the number 4 a lot when working on key states. Better to use
      the NUM_KEYSTATES constant instead.
    • Matthijs Mekking's avatar
      Add change and release note for [#2375] · 7947f7f9
      Matthijs Mekking authored
      News worthy.
    • Matthijs Mekking's avatar
      Cleanup keymgr.c · 189d9a2d
      Matthijs Mekking authored
      Three small cleanups:
      1. Remove an unused keystr/dst_key_format.
      2. Initialize a dst_key_state_t state with NA.
      3. Update false comment about local policy (local policy only adds
         barrier on transitions to the RUMOURED state, not the UNRETENTIVE
    • Matthijs Mekking's avatar
      Fix DS/DNSKEY hidden or chained functions · 291bcc37
      Matthijs Mekking authored
      There was a bug in function 'keymgr_ds_hidden_or_chained()'.
      The funcion 'keymgr_ds_hidden_or_chained()' implements (3e) of rule2
      as defined in the "Flexible and Robust Key Rollover" paper. The rules
      says: All DS records need to be in the HIDDEN state, or if it is not
      there must be a key with its DNSKEY and KRRSIG in OMNIPRESENT, and
      its DS in the same state as the key in question. In human langauge,
      if all keys have their DS in HIDDEN state you can do what you want,
      but if a DS record is available to some validators, there must be
      a chain of trust for it.
      Note that the barriers on transitions first check if the current
      state is valid, and then if the next state is valid too. But
      here we falsely updated the 'dnskey_omnipresent' (now 'dnskey_chained')
      with the next state. The next state applies to 'key' not to the state
      to be checked. Updating the state here leads to (true) always, because
      the key that will move its state will match the falsely updated
      expected state. This could lead to the assumption that Key 2 would be
      a valid chain of trust for Key 1, while clearly the presence of any
      DS is uncertain.
      The fix here is to check if the DNSKEY and KRRSIG are in OMNIPRESENT
      state for the key that does not have its DS in the HIDDEN state, and
      only if that is not the case, ensure that there is a key with the same
      algorithm, that provides a valid chain of trust, that is, has its
      DNSKEY, KRRSIG, and DS in OMNIPRESENT state.
      The changes in 'keymgr_dnskey_hidden_or_chained()' are only cosmetical,
      renaming 'rrsig_omnipresent' to 'rrsig_chained' and removing the
      redundant initialization of the DST_KEY_DNSKEY expected state to NA.
    • Matthijs Mekking's avatar
      Update keymgr_key_is_successor() calls · 600915d1
      Matthijs Mekking authored
      The previous commit changed the function definition of
      'keymgr_key_is_successor()', this commit updates the code where
      this function is called.
      In 'keymgr_key_exists_with_state()' the logic is also updated slightly
      to become more readable. First handle the easy cases:
      - If the key does not match the state, continue with the next key.
      - If we found a key with matching state, and there is no need to
        check the successor relationship, return (true).
      - Otherwise check the successor relationship.
      In 'keymgr_key_has_successor()' it is enough to check if a key has
      a direct successor, so instead of calling 'keymgr_key_is_successor()',
      we can just check 'keymgr_direct_dep()'.
      In 'dns_keymgr_run()', we want to make sure that there is no
      dependency on the keys before retiring excess keys, so replace
      'keymgr_key_is_successor()' with 'keymgr_dep()'.
    • Matthijs Mekking's avatar
      Implement Equation(2) of "Flexible Key Rollover" · cc38527b
      Matthijs Mekking authored
      So far the key manager could only deal with two keys in a rollover,
      because it used a simplified version of the successor relationship
      equation from "Flexible and Robust Key Rollover" paper. The simplified
      version assumes only two keys take part in the key rollover and it
      for that it is enough to check the direct relationship between two
      keys (is key x the direct predecessor of key z and is key z the direct
      successor of key x?).
      But when a third key (or more keys) comes into the equation, the key
      manager would assume that one key (or more) is redundant and removed
      it from the zone prematurely.
      Fix by implementing Equation(2) correctly, where we check for
      dependencies on keys:
      z ->T x: Dep(x, T) = ∅ ∧
               (x ∈ Dep(z, T) ∨
                ∃ y ∈ Dep(z, T)(y != z ∧ y ->T x ∧ DyKyRySy = DzKzRzSz))
      This says: key z is a successor of key x if:
      - key x depends on key z if z is a direct successor of x,
      - or if there is another key y that depends on key z that has identical
        key states as key z and key y is a successor of key x.
      - Also, key x may not have any other keys depending on it.
      This is still a simplified version of Equation(2) (but at least much
      better), because the paper allows for a set of keys to depend on a
      key. This is defined as the set Dep(x, T). Keys in the set Dep(x, T)
      have a dependency on key x for record type T. The BIND implementation
      can only have one key in the set Dep(x, T). The function
      'keymgr_dep()' stores this key in 'uint32_t *dep' if there is a
      There are two scenarios where multiple keys can depend on a single key:
      1. Rolling keys is faster than the time required to finish the
         rollover procedure. This scenario is covered by the recursive
         implementation, and checking for a chain of direct dependencies
         will suffice.
      2. Changing the policy, when a zone is requested to be signed with
         a different key length for example. BIND 9 will not mark successor
         relationships in this case, but tries to move towards the new
         policy. Since there is no successor relationship, the rules are
         even more strict, and the DNSSEC reconfiguration is actually slower
         than required.
      Note: this commit breaks the build, because the function definition
      of 'keymgr_key_is_successor' changed. This will be fixed in the
      following commit.
    • Ondřej Surý's avatar
      Merge branch '2468-cid-318094-null-pointer-dereferences-reverse_inull' into 'main' · de8058e8
      Ondřej Surý authored
      Resolve "CID 318094:  Null pointer dereferences  (REVERSE_INULL)"
      Closes #2468
      See merge request !4641
    • Mark Andrews's avatar
      Remove redundant 'version == NULL' check · 456d53d1
      Mark Andrews authored
          *** CID 318094:  Null pointer dereferences  (REVERSE_INULL)
          /lib/dns/rbtdb.c: 1389 in newversion()
          1383     	version->xfrsize = rbtdb->current_version->xfrsize;
          1384     	RWUNLOCK(&rbtdb->current_version->rwlock, isc_rwlocktype_read);
          1385     	rbtdb->next_serial++;
          1386     	rbtdb->future_version = version;
          1387     	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
             CID 318094:  Null pointer dereferences  (REVERSE_INULL)
             Null-checking "version" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
          1389     	if (version == NULL) {
          1390     		return (result);
          1391     	}
          1393     	*versionp = version;
    • Ondřej Surý's avatar
      Merge branch '1144-dns-over-https-server' into 'main' · adf5051a
      Ondřej Surý authored
      Resolve "Encrypted DNS - RFC 8484, DNS over HTTPS, DOH (also DoT comments)"
      Closes #1144
      See merge request !4644
    • Evan Hunt's avatar
      CHANGES, release notes · 91718fe4
      Evan Hunt authored
    • Ondřej Surý's avatar
      Drop gcc:sid:i386 from GitLab CI · 0aacabc6
      Ondřej Surý authored
      Building sid-i386 in Docker no longer works and we don't have a viable
      alternative now, so dropping gcc:sid:i386 is our only option in this
      very moment.
    • Evan Hunt's avatar
      support "tls ephemeral" with https · fe99484e
      Evan Hunt authored
    • Evan Hunt's avatar
      tls and http configuration code was unnecessarily complex · aa9d51c4
      Evan Hunt authored
      removed the isc_cfg_http_t and isc_cfg_tls_t structures
      and the functions that loaded and accessed them; this can
      be done using normal config parser functions.
    • Ondřej Surý's avatar
      Unit-test fixes and manual page updates for DoH configuration · 1cc24a2c
      Ondřej Surý authored
      This commit contains fixes to unit tests to make them work well on
      various platforms (in particular ones shipping old versions of
      OpenSSL) and for different configurations.
      It also updates the generated manpage to include DoH configuration
    • Artem Boldariev's avatar
      Initial support for DNS-over-HTTP(S) · 08da09bc
      Artem Boldariev authored
      This commit completes the support for DNS-over-HTTP(S) built on top of
      nghttp2 and plugs it into the BIND. Support for both GET and POST
      requests is present, as required by RFC8484.
      Both encrypted (via TLS) and unencrypted HTTP/2 connections are
      supported. The latter are mostly there for debugging/troubleshooting
      purposes and for the means of encryption offloading to third-party
      software (as might be desirable in some environments to simplify TLS
      certificates management).
    • Witold Krecicki's avatar
      nghttp2-based HTTP layer in netmgr · 7a960813
      Witold Krecicki authored
      This commit includes work-in-progress implementation of
      Server-side code remains mostly untested, and there is only support
      for POST requests.
    • Witold Krecicki's avatar
      Add isc_mem_strndup() function · cdf9d217
      Witold Krecicki authored
      This commit adds an implementation of strndup() function which
      allocates memory from the supplied isc_mem_t memory context.
    • Evan Hunt's avatar
      update ARM with "http" grammar · 931ccd22
      Evan Hunt authored
      add a link to the http statement grammar and explanations and examples
      for configuring DoH listeners.
    • Evan Hunt's avatar
      Add parser support for DoH configuration options · 06951472
      Evan Hunt authored
      This commit adds stub parser support and tests for:
      - an "http" global option for HTTP/2 endpoint configuration.
      - command line options to set http or https port numbers by
        specifying -p http=PORT or -p https=PORT.  (NOTE: this change
        only affects syntax; specifying HTTP and HTTPS ports on the
        command line currently has no effect.)
      - named.conf options "http-port" and "https-port"
      - HTTPSPORT environment variable for use when running tests.
    • Artem Boldariev's avatar
      Resurrect old TLS code · 6b9a3198
      Artem Boldariev authored
      This commit resurrects the old TLS code from
      It also includes numerous stability fixes and support for
      isc_nm_cancelread() for the TLS layer.
      The code was resurrected to be used for DoH.
    • Michał Kępień's avatar
      Merge branch '2448-tweak-sphinx-build-invocations' into 'main' · 677cc946
      Michał Kępień authored
      Tweak sphinx-build invocations
      Closes #2448
      See merge request !4640
    • Michał Kępień's avatar
      Make sphinx-build warnings fatal · 51479ed9
      Michał Kępień authored
      In order to prevent documentation building issues from being glossed
      over, pass the -W command line switch to all sphinx-build invocations.
      This causes the latter to return with a non-zero exit code whenever any
      Sphinx warnings are triggered.
    • Michał Kępień's avatar
      Address a Sphinx duplicate label warning · 84862e96
      Michał Kępień authored
      Both doc/man/ddns-confgen.rst and doc/man/tsig-keygen.rst include
      bin/confgen/tsig-keygen.rst, which defines a "man_tsig-keygen" label.
      This triggers the following warning when running sphinx-build with the
      -W command line switch in the doc/man/ directory:
          ../../bin/confgen/tsig-keygen.rst:27: WARNING: duplicate label man_tsig-keygen, other instance in /tmp/bind9/doc/man/ddns-confgen.rst
      Move the offending label from bin/confgen/tsig-keygen.rst to the proper
      spot in doc/arm/manpages.rst to avoid effectively defining it twice in
      different source documents while still allowing the relevant man page to
      be referenced in the ARM.  Also rename that label so that it more
      closely matches the content it points to.  As the label no longer
      immediately precedes a section title in its new location, use
      :ref:`Title <label>` syntax for the only reference to the
      tsig-keygen/ddns-confgen man page in the ARM.
    • Michał Kępień's avatar
      Use separate sphinx-build cache directories · 33db7ea1
      Michał Kępień authored
      Simultaneously starting multiple sphinx-build instances with the -d
      command line switch set to a common value (which is what happens when
      e.g. "make -j6 doc" is run) causes intermittent problems which we failed
      to notice before because they only trigger Sphinx warnings, not errors,
          WARNING: toctree contains ref to nonexisting file 'reference'
      The message above is not triggered because doc/arm/reference.rst is
      actually missing from disk at any point, but rather because a temporary
      file created by one sphinx-build instance gets truncated by another one
      working in parallel (the confusing message quoted above is logged
      because of an overly broad "except" statement in Sphinx code).
      Prevent this problem from being triggered by making each sphinx-build
      process use its own dedicated cache directory.
    • Matthijs Mekking's avatar
      Merge branch '2406-kasp-init-inactive-delete-metadata' into 'main' · 62af115f
      Matthijs Mekking authored
      Resolve "kasp: look at Inactive/Delete when initializing state files"
      Closes #2406
      See merge request !4599
    • Matthijs Mekking's avatar
      Remove initialize goal code · 82632fa6
      Matthijs Mekking authored
      Since keys now have their goals initialized in 'keymgr_key_init()',
      remove this redundant piece of code in 'keymgr_key_run()'.
    • Matthijs Mekking's avatar
      Correctly initialize old key with state file · 76cf72e6
      Matthijs Mekking authored
      The 'key_init()' function is used to initialize a state file for keys
      that don't have one yet. This can happen if you are migrating from a
      'auto-dnssec' or 'inline-signing' to a 'dnssec-policy' configuration.
      It did not look at the "Inactive" and "Delete" timing metadata and so
      old keys left behind in the key directory would also be considered as
      a possible active key. This commit fixes this and now explicitly sets
      the key goal to OMNIPRESENT for keys that have their "Active/Publish"
      timing metadata in the past, but their "Inactive/Delete" timing
      metadata in the future. If the "Inactive/Delete" timing metadata is
      also in the past, the key goal is set to HIDDEN.
      If the "Inactive/Delete" timing metadata is in the past, also the
      key states are adjusted to either UNRETENTIVE or HIDDEN, depending on
      how far in the past the metadata is set.
    • Matthijs Mekking's avatar
      Update legacy-keys kasp test · d4b2b707
      Matthijs Mekking authored
      The 'legacy-keys.kasp' test checks that a zone with key files but not
      yet state files is signed correctly. This test is expanded to cover
      the case where old key files still exist in the key directory. This
      covers bug #2406 where keys with the "Delete" timing metadata are
      picked up by the keymgr as active keys.
      Fix the 'legacy-keys.kasp' test, by creating the right key files
      (for zone 'legacy-keys.kasp', not 'legacy,kasp').
      Use a unique policy for this zone, using shorter lifetimes.
      Create two more keys for the zone, and use 'dnssec-settime' to set
      the timing metadata in the past, long enough ago so that the keys
      should not be considered by the keymgr.
      Update the 'key_unused()' test function, and consider keys with
      their "Delete" timing metadata in the past as unused.
      Extend the test to ensure that the keys to be used are not the old
      predecessor keys (with their "Delete" timing metadata in the past).
      Update the test so that the checks performed are consistent with the
      newly configured policy.
    • Mark Andrews's avatar
      Merge branch '1697-isc_rwlock_init-can-no-longer-fail-in-master-clean-up-calls' into 'main' · 6b79a0ce
      Mark Andrews authored
      Resolve "isc_rwlock_init can no longer fail in master, clean up calls."
      Closes #2462 and #1697
      See merge request !4635
    • Mark Andrews's avatar
  2. 29 Jan, 2021 1 commit