Commit graph

16094 commits

Author SHA1 Message Date
Ondřej Surý
53d9ef5bd0 Refactor check_stale_header() function
The check_stale_header() function now updates header_prev directly
so it doesn't have to be handled in the outer loop; it's always
set to the correct value of the previous header in the chain.
2025-02-18 20:15:00 +00:00
Evan Hunt
5281c708d3 clean up unnecessary code in qpcache
some code was left in the cache database implementation after
it was separated from the zone database, and can be cleaned up
and refactored now:

- the DNS_SLABHEADERATTR_IGNORE flag is never set in the cache
- support for loading the cache from was removed, but the add()
  function still had a 'loading' flag that's always false
- two different macros were used for checking the
  DNS_SLABHEADERATTR_NONEXISTENT flag - EXISTS() and NONEXISTENT().
  it's clearer to just use EXISTS().
- the cache doesn't support versions, so it isn't necessary to
  walk down the 'down' pointer chain when iterating through the
  cache or looking for a header to update.  'down' now only points
  to records that are deleted from the cache but have not yet been
  purged from memory. this allows us to simplify both the iterator
  and the add() function.
2025-02-18 20:15:00 +00:00
Artem Boldariev
fd3beaba2e Fix wrong logging severity in do_nsfetch()
ISC_LOG_WARNING was used while ISC_LOG_DEBUG(3) was implied.
2025-02-18 10:28:23 +02:00
Evan Hunt
fffa150df3 fix dns_qp_insert() checks in qpzone
in some places there were checks for failures of dns_qp_insert()
after dns_qp_getname(). such failures could only happen if another
thread inserted a node between the two calls, and that can't happen
because the calls are serialized with dns_qpmulti_write(). we can
simplify the code and just add an INSIST.
2025-02-17 12:21:50 -08:00
Aram Sargsyan
d5d63d6253 Fix a bug in generic_totext_in_svcb()
The 'sbpr_dohpath' case was missing from the switch-case. Add the
'sbpr_dohpath' case, which should work similarly as the 'sbpr_text'
case.
2025-02-17 17:33:43 +00:00
Aram Sargsyan
c6e3695478 Use named Service Parameter Keys (SvcParamKeys) by default
When converting SVCB records to text representation use named
SvcParamKeys values unless backward-compatible mode is activated,
in which case the values which were not defined initially in
RFC9460 and were added later (see [1]) are converted to opaque
"keyN" syntax, like, for example, "key7" instead of "dohpath".

[1] https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml

Co-authored-by: sdomi <ja@sdomi.pl>
2025-02-17 17:33:43 +00:00
alessio
53991ecc14 Refactor and simplify isc_symtab
This commit does several changes to isc_symtab:

1. Rewrite the isc_symtab to internally use isc_hashmap instead of
   hand-stiched hashtable.

2. Create a new isc_symtab_define_and_return() api, which returns
   the already defined symvalue on ISC_R_EXISTS; this allows users
   of the API to skip the isc_symtab_lookup()+isc_symtab_define()
   calls and directly call isc_symtab_define_and_return().

3. Merge isccc_symtab into isc_symtab - the only missing function
   was isccc_symtab_foreach() that was merged into isc_symtab API.

4. Add full set of unit tests for the isc_symtab API.
2025-02-17 11:43:19 +01:00
Mark Andrews
04b1484ed8 Re-fetch pending records that failed validation
If a deferred validation on data that was originally queried with
CD=1 fails, we now repeat the query, since the zone data may have
changed in the meantime.
2025-02-17 08:57:58 +11:00
Mark Andrews
8b900d1808 Complete the deferred validation if there are no RRSIGs
When a query is made with CD=1, we store the result in the
cache marked pending so that it can be validated later, at
which time it will either be accepted as an answer or removed
from the cache as invalid.  Deferred validation was not
attempted when there were no cached RRSIGs for DNSKEY and
DS.  We now complete the deferred validation in this scenario.
2025-02-17 08:57:58 +11:00
Mark Andrews
5e49a9e4ae Fix "CNAME and other data" detection
prio_type was being used in the wrong place to optimize cname_and_other.
We have to first exclude and accepted types and we also have to
determine that the record exists before we can check if we are at
a point where a later CNAME cannot appear.
2025-02-14 01:51:38 +00:00
Ondřej Surý
732fc338a9
Switch the locknum generation for qpznode to random
Instead of using on hash of the name modulo number of the buckets,
assign the locknum randomly with isc_random_uniform().  This makes
the locknum assignment aligned with qpcache and allows the bucket
number to be non-prime in the future.
2025-02-04 22:50:49 +01:00
Ondřej Surý
1fa5219fdf
Rely on call_rcu() to destroy the qpzone outside of locks
Reduce the number of qpzone_ref() and qpzone_unref() calls in
qpzone_detachnode() by relying on the call_rcu to delay
the destruction of the lock buckets.
2025-02-04 21:37:46 +01:00
Ondřej Surý
6dcc398726
Reduce false sharing in dns_qpzone
Instead of having many node_lock_count * sizeof(<member>) arrays, pack
all the members into a qpzone_bucket_t that is cacheline aligned and have
a single array of those.
2025-02-04 21:37:46 +01:00
Ondřej Surý
c602d76c1f
Reduce false sharing in dns_qpcache
Instead of having many node_lock_count * sizeof(<member>) arrays, pack
all the members into a qpcache_bucket_t struct that is cacheline aligned
and have a single array of those.

Additionaly, make both the head and the tail of isc_queue_t padded, not
just the head, to prevent false sharing of the lock-free structure with
the lock that follows it.
2025-02-04 21:37:46 +01:00
Aram Sargsyan
19843f6c9d Include destination address port number in query logging
When query logging is enabled, named will now include the destination
address port in the logged message.

Example messages for before and after this change:

    before: client @0x7608b2026000 10.53.0.1#52136 (example.test): query: example.test IN A +E(0)K (10.53.0.1)
    after:  client @0x729bf5c26000 10.53.0.1#35976 (example.test): query: example.test IN A +E(0)K (10.53.0.1#53)
2025-02-04 10:49:26 +00:00
Ondřej Surý
355fc48472
Print the expiration time of the stale records (not ancient)
In #1870, the expiration time of ANCIENT records were printed, but
actually the ancient records are very short lived, and the information
carries a little value.

Instead of printing the expiration of ANCIENT records, print the
expiration time of STALE records.
2025-02-03 15:47:06 +01:00
Ondřej Surý
36a3ceb19f
Restore the .ttl field for slabheader in dns_qpzone
The original .ttl field was actually used as TTL in the dns_qpzone unit.
Restore the field by adding it to union with the .expire struct member
and cleanup all the code that added or subtracted 'now' from the ttl
field as that was misleading as 'now' would be always 0 for qpzone
database.
2025-02-03 14:39:06 +01:00
Ondřej Surý
60f6b88c63
Remove duplicate 'now' argument from find_coveringnsec()
The find_coveringnsec() was getting the 'now' from two sources -
search->now and separate now argument.  Things like this are ticking
bombs, remove the extra 'now' argument and use single source of 'now'.
2025-02-03 14:39:06 +01:00
Ondřej Surý
58179e6a19
Expand the usage of mark_ancient() helper functions
When the mark_ancient() helper function was introduced, couple of places
with duplicate (or almost duplicate) code was missed.  Move the
mark_ancient() function closer to the top of the file, and correctly use
it in places that mark the header as ANCIENT.
2025-02-03 14:39:06 +01:00
Ondřej Surý
cfee6aa565
Add better ZEROTTL handling in bindrdataset()
If we know that the header has ZEROTTL set, the server should never send
stale records for it and the TTL should never be anything else than 0.
The comment was already there, but the code was not matching the
comment.
2025-02-03 14:39:06 +01:00
Ondřej Surý
e07f5a4a5b
In dns_slabheader_t structure, change .ttl to .expire
The old name was misleading as it never meant time-to-live, e.g. number
of seconds from now when the header should expire.  The true meaning was
an expiration time e.g. now + ttl.  This was the original design bug
that caused the slip when we assigned header->ttl to rdataset->ttl.
Because the name was matching, nobody has questioned the correctness of
the code both during the MR review and during the numerous re-reviews
when we were searching for the cause of the 54 year TTL.
2025-02-03 14:39:06 +01:00
Ondřej Surý
1bbb57f81b
In cache, set rdataset TTL to 0 when the header is not active
When the header has been marked as ANCIENT, but the ttl hasn't been
reset (this happens in couple of places), the rdataset TTL would be
set to the header timestamp instead to a reasonable TTL value.

Since this header has been already expired (ANCIENT is set), set the
rdataset TTL to 0 and don't reuse this field to print the expiration
time when dumping the cache.  Instead of printing the time, we now
just print 'expired (awaiting cleanup'.
2025-02-03 14:39:06 +01:00
Mark Andrews
6469ebd08e Set PENDINGOK if STARTATZONE is set
When there are parent and child zones on the same server, the DNSKEY
lookup was failing as the pending record we are validating is needed
to fetch the DNSKEY records.  This change allows that to happen.
The caller is already setting STARTATZONE when the name being looked
up is a subdomain of the current domain.
2025-02-03 00:24:34 +00:00
Mark Andrews
ea9d7080cd Validate address lookups from ADB
The address lookups from ADB were not being validated, allowing
spoofed responses to be accepted and used for other lookups.

Validate the answers except when CD=1 is set in the triggering
request.  Separate ADB names looked up with CD=1 from those without
CD=1, to prevent the use of unvalidated answers in the normal lookup
case (CD=0).  Set the TTL on unvalidated (pending) responses to
ADB_CACHE_MINIMUM when adding them to the ADB.
2025-02-03 00:24:34 +00:00
Evan Hunt
1f095b902c
fix the cache findzonecut implementation
the search for the deepest known zone cut in the cache could
improperly reject a node containing stale data, even if the
NS rdataset wasn't the data that was stale.

this change also improves the efficiency of the search by
stopping it when both NS and RRSIG(NS) have been found.
2025-02-02 18:43:50 +01:00
Evan Hunt
d4f791793e Clarify reference counting in QP databases
Change the names of the node reference counting functions
and add comments to make the mechanism easier to understand:

- newref() and decref() are now called qpcnode_acquire()/
  qpznode_acquire() and qpcnode_release()/qpznode_release()
  respectively; this reflects the fact that they modify both
  the internal and external reference counters for a node.

- qpcnode_newref() and qpznode_newref() are now called
  qpcnode_erefs_increment() and qpznode_erefs_increment(), and
  qpcnode_decref() and qpznode_decref() are now called
  qpcnode_erefs_decrement() and qpznode_erefs_decrement(),
  to reflect that they only increase and decrease the node's
  external reference counters, not internal.
2025-01-30 20:08:46 -08:00
Ondřej Surý
431513d8b3
Remove db_nodelock_t in favor of reference counted qpdb
This removes the db_nodelock_t structure and changes the node_locks
array to be composed only of isc_rwlock_t pointers.  The .reference
member has been moved to qpdb->references in addition to
common.references that's external to dns_db API users.  The .exiting
members has been completely removed as it has no use when the reference
counting is used correctly.
2025-01-30 16:43:02 +01:00
Ondřej Surý
36a26bfa1a
Remove origin_node from qpcache
The origin_node in qpcache was always NULL, so we can remove the
getoriginode() function and origin_node pointer as the
dns_db_getoriginnode() correctly returns ISC_R_NOTFOUND when the
function is not implemented.
2025-01-30 16:43:02 +01:00
Ondřej Surý
814b87da64
Refactor decref() in both qpcache.c and qpzone.c
Cleanup the pattern in the decref() functions in both qpcache.c and
qpzone.c, so it follows the similar patter as we already have in
newref() function.
2025-01-30 16:43:02 +01:00
Colin Vidal
7c5678bb03 Use DNS_EDE_OTHER instead of its literal value 2025-01-30 11:54:36 +01:00
Colin Vidal
9021f9d802 detect dup EDE with bitmap and store next pos
In order to avoid to loop to find the next position to store an EDE in
a dns_edectx_t, add a "nextede" state which holds the next available
position.

Also, in order ot avoid to loop to find if an EDE is already existing in
a dns_edectx_t, and avoid a duplicate, use a bitmap to immediately know
if the EDE is there or not.

Those both changes applies for adding or copying EDE.

Also make the direction of dns_ede_copy more explicit/avoid errors by
making "edectx_from" a const pointer.
2025-01-30 11:52:53 +01:00
Colin Vidal
7b01cbfb04 add lib/dns/ede.c documentation
Add documentation usage of EDE compilation unit as well as centralize
all EDE-related macros in the same lib/dns/include/dns/ede.h header.
2025-01-30 11:52:53 +01:00
Colin Vidal
f9f41190b3 Refactor test covering dns_ede API
Migrate tests cases in client_test code which were exclusively testing
code which is now all wrapped inside ede compilation unit. Those are
testing maximum number of EDE, duplicate EDE as well as truncation of
text of an EDE.

Also add coverage for the copy of EDE from an edectx to another one, as
well as checking the assertion of the maximum EDE info code which can be
used.
2025-01-30 11:52:53 +01:00
Ondřej Surý
2f8e0edf3b Split and simplify the use of EDE list implementation
Instead of mixing the dns_resolver and dns_validator units directly with
the EDE code, split-out the dns_ede functionality into own separate
compilation unit and hide the implementation details behind abstraction.

Additionally, the EDE codes are directly copied into the ns_client
buffers by passing the EDE context to dns_resolver_createfetch().

This makes the dns_ede implementation simpler to use, although sligtly
more complicated on the inside.

Co-authored-by: Colin Vidal <colin@isc.org>
Co-authored-by: Ondřej Surý <ondrej@isc.org>
2025-01-30 11:52:53 +01:00
Andoni Duarte Pintado
3a64b288c1 Merge tag 'v9.21.4' 2025-01-29 17:17:18 +01:00
Michal Nowak
5dbc87730e
Use archived version of draft-icann-dnssec-keymgmt-01.txt
The iana.org link is gone.
2025-01-28 12:13:57 +01:00
Colin Vidal
39c2fc4670 fix byte order in EDE logging
When an EDE code is added to a message, the code is converted early in a
big-endian order so it can be memcpy-ed directly in the EDE buffer that
will go on the wire.

This previous change forget to update debug logs which still assume the
EDE code was in host byte order. Add a separate variable to
differentiate both and avoid ambiguities
2025-01-27 11:49:44 +01:00
Colin Vidal
78274ec2b1 fix EDE 22 time out detection
Extended DNS error 22 (No reachable authority) was previously detected
when `fctx_expired` fired. It turns out this function is used as a
"safety net" and the timeout detection should be caught earlier.

It was working though, because of another issue fixed by !9927. Since
this change, the recursive request timed out detection occurs before
`fctx_expired` so EDE 22 is not added to the response message anymore.

The fix of the problem is to add the EDE 22 code in two situations:

- When the dispatch code timed out (rctx_timedout) the resolver code
  checks various properties to figure out if it needs to make another
  fetch attempt. One of the paramters if the fetch expiration time. If
  it expires, the whole recursion is canceled, so it now adds the EDE 22
  code.

- If the fetch expiration time doesn't expires in the case above (and
  other parameters allows it) a new fetch attempt is made (fctx_query).
  But before the new request is actually made, the fetch expiration time
  is re-checked. It might then has elapsed, and the whole recursion is
  canceled. So it now also adds the EDE 22 code here as well.
2025-01-27 11:49:44 +01:00
Colin Vidal
46a58acdf5 add support for EDE code 1 and 2
Add support for EDE codes 1 (Unsupported DNSKEY Algorithm) and 2
(Unsupported DS Digest Type) which might occurs during DNSSEC
validation in case of unsupported DNSKEY algorithm or DS digest type.

Because DNSSEC internally kicks off various fetches, we need to copy
all encountered extended errors from fetch responses to the fetch
context. Upon an event, the errors from the fetch context are copied
to the client response.
2025-01-24 12:26:30 +00:00
Evan Hunt
314741fcd0 deduplicate result codes
ISCCC_R_SYNTAX, ISCCC_R_EXPIRED, and ISCCC_R_CLOCKSKEW have the
same usage and text formats as DNS_R_SYNTAX, DNS_R_EXPIRED and
DNS_R_CLOCKSCREW respectively. this was originally done because
result codes were defined in separate libraries, and some tool
might be linked with libisccc but not libdns. as the result codes
are now defined in only one place, there's no need to retain the
duplicates.
2025-01-23 15:54:57 -08:00
Evan Hunt
a19f6c6654 clean up result codes that are never used
the following result codes are obsolete and have been removed
from result.h and result.c:

        - ISC_R_NOTHREADS
        - ISC_R_BOUND
        - ISC_R_NOTBOUND
        - ISC_R_NOTDIRECTORY
        - ISC_R_EMPTY
        - ISC_R_NOTBLOCKING
        - ISC_R_INPROGRESS
        - ISC_R_WOULDBLOCK

        - DNS_R_TOOMANYHOPS
        - DNS_R_NOREDATA
        - DNS_R_BADCKSUM
        - DNS_R_MOREDATA
        - DNS_R_NOVALIDDS
        - DNS_R_UNKNOWNOPT
        - DNS_R_NOVALIDKEY
        - DNS_R_NTACOVERED

        - DST_R_COMPUTESECRETFAILURE
        - DST_R_NORANDOMNESS
        - DST_R_NOCRYPTO
2025-01-23 15:54:57 -08:00
Evan Hunt
10accd6260 clean up uses of ISC_R_NOMEMORY
the isc_mem allocation functions can no longer fail; as a result,
ISC_R_NOMEMORY is now rarely used: only when an external library
such as libjson-c or libfstrm could return NULL. (even in
these cases, arguably we should assert rather than returning
ISC_R_NOMEMORY.)

code and comments that mentioned ISC_R_NOMEMORY have been
cleaned up, and the following functions have been changed to
type void, since (in most cases) the only value they could
return was ISC_R_SUCCESS:

- dns_dns64_create()
- dns_dyndb_create()
- dns_ipkeylist_resize()
- dns_kasp_create()
- dns_kasp_key_create()
- dns_keystore_create()
- dns_order_create()
- dns_order_add()
- dns_peerlist_new()
- dns_tkeyctx_create()
- dns_view_create()
- dns_zone_setorigin()
- dns_zone_setfile()
- dns_zone_setstream()
- dns_zone_getdbtype()
- dns_zone_setjournal()
- dns_zone_setkeydirectory()
- isc_lex_openstream()
- isc_portset_create()
- isc_symtab_create()

(the exception is dns_view_create(), which could have returned
other error codes in the event of a crypto library failure when
calling isc_file_sanitize(), but that should be a RUNTIME_CHECK
anyway.)
2025-01-23 15:54:57 -08:00
Matthijs Mekking
5e3aef364f dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).
2025-01-23 09:43:07 +00:00
Matthijs Mekking
7ae7851173 Fix possible truncation in dns_keymgr_status()
If the generated status output exceeds 4096 it was silently truncated,
now we output that the status was truncated.
2025-01-23 09:31:00 +01:00
Mark Andrews
89afc11389 Terminate yaml string after negative comment 2025-01-22 21:33:08 +00:00
Colin Vidal
4096f27130 add support for multiple EDE
Extended DNS error mechanism (EDE) enables to have several EDE raised
during a DNS resolution (typically, a DNSSEC query will do multiple
fetches which each of them can have an error). Add support to up to 3
EDE errors in an DNS response. If duplicates occur (two EDEs with the
same code, the extra text is not compared), only the first one will be
part of the DNS answer.

Because the maximum number of EDE is statically fixed, `ns_client_t`
object own a static vector of `DNS_DE_MAX_ERRORS` (instead of a linked
list, for instance). The array can be fully filled (all slots point to
an allocated `dns_ednsopt_t` object) or partially filled (or
empty). In such case, the first NULL slot means there is no more EDE
objects.
2025-01-22 21:07:44 +01:00
Aram Sargsyan
a6d6c3cb45 Clean up fctx->next_timeout
Since the support for non-zero values of stale-answer-client-timeout
was removed in bd7463914f, 'next_timeout'
is unused. Clean it up.
2025-01-22 13:40:45 +00:00
Aram Sargsyan
87c453850c Fix rtt calculation bug for TCP in the resolver
When TCP is used, 'fctx_query()' adds one second to the rtt
(round-trip time) value, but there's a bug when the decision
about using TCP is made already after the calculation. Move the
block of the code which looks up the peers list to decide
whether to use TCP into a place that's before the rtt calculation
is performed. This commit doesn't add or remove any code, it just
moves the code and adds a comment block.
2025-01-22 13:40:45 +00:00
Aram Sargsyan
e61ba5865f Use a suitable response in tcp_connected() when initiating a read
When 'ISC_R_TIMEDOUT' is received in 'tcp_recv()', it times out the
oldest response in the active responses queue, and only after that it
checks whether other active responses have also timed out. So when
setting a timeout value for a read operation after a successful
connection, it makes sense to take the timeout value from the oldest
response in the active queue too, because, theoretically, the responses
can have different timeout values, e.g. when the TCP dispatch is shared.
Currently 'resp' is always NULL. Previously when connect and read
timeouts were not separated in dispatch this affected only logging, but
now since we are setting a new timeout after a successful connection,
we need to choose a suitable response from the active queue.
2025-01-22 13:40:45 +00:00
JINMEI Tatuya
7f4471594d
Optimize database decref by avoiding locking with refs > 1
Previously, this function always acquires a node write lock if it
might need node cleanup in case the reference decrements to 0.  In
fact, the lock is unnecessary if the reference is larger than 1 and it
can be optimized as an "easy" case. This optimization could even be
"necessary". In some extreme cases, many worker threads could repeat
acquring and releasing the reference on the same node, resulting in
severe lock contention for nothing (as the ref wouldn't decrement to 0
in most cases). This change would prevent noticeable performance
drop like query timeout for such cases.

Co-authored-by: JINMEI Tatuya <jtatuya@infoblox.com>
Co-authored-by: Ondřej Surý <ondrej@isc.org>
2025-01-22 14:27:13 +01:00
Ondřej Surý
9f945c8b67
Shutdown the fetch context after canceling the last fetch
Currently, the fetch context will continue running even when the last
fetch (response) has been removed from the context, so named can process
and cache the answer.  This can lead to a situation where the number of
outgoing recursing clients exceeds the the configured number for
recursive-clients.

Be more stringent about the recursive-clients limit and shutdown the
fetch context immediately after the last fetch has been canceled from
that particular fetch context.
2025-01-22 14:19:20 +01:00
Ondřej Surý
05faff6d53
Remove memory limit on ADB finds and fetches
Address Database (ADB) shares the memory for the short lived ADB
objects (finds, fetches, addrinfo) and the long lived ADB
objects (names, entries, namehooks).  This could lead to a situation
where the resolver-heavy load would force evict ADB objects from the
database to point where ADB is completely empty, leading to even more
resolver-heavy load.

Make the short lived ADB objects use the other memory context that we
already created for the hashmaps.  This makes the ADB overmem condition
to not be triggered by the ongoing resolver fetches.
2025-01-22 14:13:35 +01:00
Aram Sargsyan
612d76b83d Remove dispatch timeout INT16_MAX limitation
In some places there was a limitation of the maximum timeout
value of INT16_MAX, which is only about 32 seconds. Refactor
the code to remove the limitation.
2025-01-22 11:57:53 +00:00
Aram Sargsyan
64ffbe82c0 Separate the connect and the read timeouts in dispatch
The network manager layer has two different timers with their
own timeout values for TCP connections: connect timeout and read
timeout. Separate the connect and the read TCP timeouts in the
dispatch module too.
2025-01-22 11:57:52 +00:00
Aram Sargsyan
9ccd1be482 Update the dns_dispatch_add() function's documentation
The 'timedout' callback no longer exists. Remove the mentioning of
the 'timedout' callback.
2025-01-22 11:52:24 +00:00
Colin Vidal
c9529c0acb remove ISC_LINK(link) property from fetchctx
Likely because of historical reasons, struct fetchctx does have a list
link property but is never used as a list. Remove this link property.
2025-01-22 09:56:09 +00:00
Colin Vidal
93e6e72eb6 remove validator link form fetchctx
struct fetchctx does have a list of pending validators as well as a
pointer to the HEAD validator. Remove the validator pointer to avoid
confusion, as there is no perticular reasons to have it directly
accessible outside of the list.
2025-01-22 09:56:09 +00:00
Artem Boldariev
937b5f8349 DoH: reduce excessive bad request logging
We started using isc_nm_bad_request() more actively throughout
codebase. In the case of HTTP/2 it can lead to a large count of
useless "Bad Request" messages in the BIND log, as often we attempt to
send such request over effectively finished HTTP/2 sessions.

This commit fixes that.
2025-01-15 14:09:17 +00:00
Artem Boldariev
4ae4e255cf Do not stop timer in isc_nm_read_stop() in manual timer mode
A call to isc_nm_read_stop() would always stop reading timer even in
manual timer control mode which was added with StreamDNS in mind. That
looks like an omission that happened due to how timers are controlled
in StreamDNS where we always stop the timer before pausing reading
anyway (see streamdns_on_complete_dnsmessage()). That would not work
well for HTTP, though, where we might want pause reading without
stopping the timer in the case we want to split incoming data into
multiple chunks to be processed independently.

I suppose that it happened due to NM refactoring in the middle of
StreamDNS development (at the time isc_nm_cancelread() and
isc_nm_pauseread() were removed), as the StreamDNS code seems to be
written as if timers are not stoping during a call to
isc_nm_read_stop().
2025-01-15 14:09:17 +00:00
Artem Boldariev
609a41517b DoH: introduce manual read timer control
This commit introduces manual read timer control as used by StreamDNS
and its underlying transports. Before that, DoH code would rely on the
timer control provided by TCP, which would reset the timer any time
some data arrived. Now, the timer is restarted only when a full DNS
message is processed in line with other DNS transports.

That change is required because we should not stop the timer when
reading from the network is paused due to throttling. We need a way to
drop timed-out clients, particularly those who refuse to read the data
we send.
2025-01-15 14:09:17 +00:00
Artem Boldariev
3425e4b1d0 DoH: floodding clients detection
This commit adds logic to make code better protected against clients
that send valid HTTP/2 data that is useless from a DNS server
perspective.

Firstly, it adds logic that protects against clients who send too
little useful (=DNS) data. We achieve that by adding a check that
eventually detects such clients with a nonfavorable useful to
processed data ratio after the initial grace period. The grace period
is limited to processing 128 KiB of data, which should be enough for
sending the largest possible DNS message in a GET request and then
some. This is the main safety belt that would detect even flooding
clients that initially behave well in order to fool the checks server.

Secondly, in addition to the above, we introduce additional checks to
detect outright misbehaving clients earlier:

The code will treat clients that open too many streams (50) without
sending any data for processing as flooding ones; The clients that
managed to send 1.5 KiB of data without opening a single stream or
submitting at least some DNS data will be treated as flooding ones.
Of course, the behaviour described above is nothing else but
heuristical checks, so they can never be perfect. At the same time,
they should be reasonable enough not to drop any valid clients,
realatively easy to implement, and have negligible computational
overhead.
2025-01-15 14:09:17 +00:00
Artem Boldariev
9846f395ad DoH: process data chunk by chunk instead of all at once
Initially, our DNS-over-HTTP(S) implementation would try to process as
much incoming data from the network as possible. However, that might
be undesirable as we might create too many streams (each effectively
backed by a ns_client_t object). That is too forgiving as it might
overwhelm the server and trash its memory allocator, causing high CPU
and memory usage.

Instead of doing that, we resort to processing incoming data using a
chunk-by-chunk processing strategy. That is, we split data into small
chunks (currently 256 bytes) and process each of them
asynchronously. However, we can process more than one chunk at
once (up to 4 currently), given that the number of HTTP/2 streams has
not increased while processing a chunk.

That alone is not enough, though. In addition to the above, we should
limit the number of active streams: these streams for which we have
received a request and started processing it (the ones for which a
read callback was called), as it is perfectly fine to have more opened
streams than active ones. In the case we have reached or surpassed the
limit of active streams, we stop reading AND processing the data from
the remote peer. The number of active streams is effectively decreased
only when responses associated with the active streams are sent to the
remote peer.

Overall, this strategy is very similar to the one used for other
stream-based DNS transports like TCP and TLS.
2025-01-15 14:09:17 +00:00
Ondřej Surý
a1982cf1bb Limit the additional processing for large RDATA sets
Limit the number of records appended to ADDITIONAL section to the names
that have less than 14 records in the RDATA.  This limits the number
of the lookups into the database(s) during single client query.

Also don't append any additional data to ANY queries.  The answer to ANY
is already big enough.
2025-01-14 09:57:54 +00:00
Ondřej Surý
8356179953 Rename the qpzone and qpcache methods that implement DB api
All the database implementations share the same names for the methods
implementing the database.  That has some advantages like knowing what
to expect, but it turns out that any time such method shows up in any
kind of tracing - be it perf record, backtrace or anything else that
uses symbol names, it is very hard to distinguish whether the find()
belongs to qpcache, qpzone, builtin or sdlz implementation.

Make at least the names for qpzone and qpcache unique.
2025-01-14 09:57:54 +00:00
Evan Hunt
232dac8cd5 detect when closest-encloser name is too long
there was a database bug in which dns_db_find() could get a partial
match for the query name, but still set foundname to match the full
query name.  this triggered an assertion when query_addwildcardproof()
assumed that foundname would be shorter.

the database bug has been fixed, but in case it happens again, we
can just copy the name instead of splitting it. we will also log a
warning that the closest-encloser name was invalid.
2025-01-09 17:04:08 -08:00
Evan Hunt
71e1c91695 dns_nsec3_addnsec3() can fail when iterating back
when adding a new NSEC3 record, dns_nsec3_addnsec3() uses a
dbiterator to seek to the newly created node and then find its
predecessor.  dbiterators in the qpzone use snapshots, so changes
to the database are not reflected in an already-existing iterator.
consequently, when we add a new node, we have to create a new iterator
before we can seek to it.
2025-01-09 17:04:08 -08:00
Evan Hunt
ad4bab306c qpzone find() function could set foundname incorrectly
when a requested name is found in the QP trie during a lookup, but its
records have been marked as nonexistent by a previous deletion, then
it's treated as a partial match, but the foundname could be left
pointing to the original qname rather than the parent. this could
lead to an assertion failure in query_findclosestnsec3().
2025-01-09 17:03:51 -08:00
Aram Sargsyan
d75bdabe51 Fix a typo in dns/master.h
The ISC_R_SEENINCLUDE definition does not exist, the correct one
is DNS_R_SEENINCLUDE.
2025-01-08 14:00:55 +00:00
Aram Sargsyan
3d7a9fba3b Don't disable RPZ and CATZ for zones with an $INCLUDE statement
The code in zone_startload() disables RPZ and CATZ for a zone if
dns_master_loadfile() returns anything other than ISC_R_SUCCESS,
which makes sense, but it's an error because zone_startload() can
also return DNS_R_SEENINCLUDE upon success when the zone had an
$INCLUDE statement.
2025-01-08 14:00:55 +00:00
Michał Kępień
7bdf5152d6
Adjust dns_message_logpacketfrom() log prefixes
Ensure the log prefixes passed to the dns_message_logpacketfrom()
function by its callers do not include the word "from" as the latter is
now emitted by the logfmtpacket() helper function.
2024-12-31 05:40:48 +01:00
Michał Kępień
58d38352ee
Adjust dns_message_logpacketfromto() log prefixes
Ensure the log prefixes passed to the dns_message_logpacketfromto()
function by its callers do not include the words "from" or "to" as those
are now emitted by the logfmtpacket() helper function.
2024-12-31 05:40:48 +01:00
Michał Kępień
c5555a5ca2
Log both "from" and "to" socket in debug messages
Move dns_dispentry_getlocaladdress() calls around so that they are not
only invoked when dnstap support is compiled in.  This function calls
isc_nmhandle_localaddr(), which may issue a system call, but only if the
ISC_SOCKET_DETAILS preprocessor macro is set at compile time.

Pass the value extracted by dns_dispentry_getlocaladdress() to
dns_message_logpacketfromto() so that it gets logged, adding useful
information to the relevant debug messages.
2024-12-31 05:40:48 +01:00
Michał Kępień
4ab35f6839
Rename dns_message_logpacket()
Since dns_message_logpacket() only takes a single socket address as a
parameter (and it is always the sending socket's address), rename it to
dns_message_logpacketfrom() so that its name better conveys its purpose
and so that the difference in purpose between this function and
dns_message_logpacketfromto() becomes more apparent.
2024-12-31 05:40:48 +01:00
Michał Kępień
fa073a0a63
Rename dns_message_logfmtpacket()
Since dns_message_logfmtpacket() needs to be provided with both "from"
and "to" socket addresses, rename it to dns_message_logpacketfromto() so
that its name better conveys its purpose.  Clean up the code comments
for that function.
2024-12-31 05:40:48 +01:00
Michał Kępień
bafa5d3c2e
Enable logging both "from" and "to" socket
Change the function prototype for dns_message_logfmtpacket() so that it
takes two isc_sockaddr_t parameters: one for the sending side and
another one for the receiving side.  This enables debug messages to be
more precise.

Also adjust the function prototype for logfmtpacket() accordingly.
Unlike dns_message_logfmtpacket(), this function must not require both
'from' and 'to' parameters to be non-NULL as it is still going to be
used by dns_message_logpacket(), which only provides a single socket
address.  Adjust its log format to handle both of these cases properly.

Adjust both dns_message_logfmtpacket() call sites accordingly, without
actually providing the second socket address yet.  (This causes the
revised REQUIRE() assertion in dns_message_logfmtpacket() to fail; the
issue will be addressed in a separate commit.)
2024-12-31 05:40:48 +01:00
Michał Kępień
05d69bd7a4
dns_message_logfmtpacket(): drop 'style' parameter
Both existing callers of the dns_message_logfmtpacket() function set the
argument passed as 'style' to &dns_master_style_comment.  To simplify
these call sites, drop the 'style' parameter from the prototype for
dns_message_logfmtpacket() and use a fixed value of
&dns_master_style_comment in the function's body instead.
2024-12-31 05:40:48 +01:00
Michał Kępień
064b2c6889
logfmtpacket(): drop useless local variables
All callers of the logfmtpacket() helper function require the argument
passed as 'address' to be non-NULL.  Meanwhile, the 'newline' and
'space' local variables in logfmtpacket() are only set to values
different than their initial values if the 'address' parameter is NULL.
Replace the 'newline' and 'space' local variables in logfmtpacket() with
fixed strings to improve code readability.
2024-12-31 05:40:48 +01:00
Michał Kępień
d6f9785ac6
Enable extraction of exact local socket addresses
Extracting the exact address that each wildcard/TCP socket is bound to
locally requires issuing the getsockname() system call, which libuv
exposes via its uv_*_getsockname() functions.  This is only required for
detailed logging and comes at a noticeable performance cost, so it
should not happen by default.  However, it is useful for debugging
certain problems (e.g. cryptic system test failures), so a convenient
way of enabling that behavior should exist.

Update isc_nmhandle_localaddr() so that it calls uv_*_getsockname() when
the ISC_SOCKET_DETAILS preprocessor macro is set at compile time.
Ensure proper handling of sockets that wrap other sockets.

Set the new ISC_SOCKET_DETAILS macro by default when --enable-developer
is passed to ./configure.  This enables detailed logging in the system
tests run in GitLab CI without affecting performance in non-development
BIND 9 builds.

Note that setting the ISC_SOCKET_DETAILS preprocessor macro at compile
time enables all callers of isc_nmhandle_localaddr() to extract the
exact address of a given local socket, which results e.g. in dnstap
captures containing more accurate information.

Mention the new preprocessor macro in the section of the ARM that
discusses why exact socket addresses may not be logged by default.
2024-12-29 12:32:05 +01:00
Michał Kępień
086c325ad3
Improve reuse of outgoing TCP connections
The dns_dispatch_gettcp() function is used for finding an existing TCP
connection that can be reused for sending a query from a specified local
address to a specified remote address.  The logic for matching the
provided <local address, remote address> tuple to one of the existing
TCP connections is implemented in the dispatch_match() function:

  - if the examined TCP connection already has a libuv handle assigned,
    it means the connection has already been established; therefore,
    compare the provided <local address, remote address> tuple against
    the corresponding address tuple for the libuv handle associated with
    the connection,

  - if the examined TCP connection does not yet have a libuv handle
    assigned, it means the connection has not yet been established;
    therefore, compare the provided <local address, remote address>
    tuple against the corresponding address tuple that the TCP
    connection was originally created for.

This logic limits TCP connection reuse potential as the libuv handle
assigned to an existing dispatch object may have a more specific local
<address, port> tuple associated with it than the local <address, port>
tuple that the dispatch object was originally created for.  That's
because the local address for outgoing connections can be set to a
wildcard <address, port> tuple (indicating that the caller does not care
what source <address, port> tuple will be used for establishing the
connection, thereby delegating the task of picking it to the operating
system) and then get "upgraded" to a specific <address, port> tuple when
the socket is bound (and a libuv handle gets associated with it).  When
another dns_dispatch_gettcp() caller then tries to look for an existing
TCP connection to the same peer and passes a wildcard address in the
local part of the tuple, the function will not match that request to a
previously-established TCP connection (unless isc_nmhandle_localaddr()
returns a wildcard address as well).

Simplify dispatch_match() so that the libuv handle associated with an
existing dispatch object is not examined for the purpose of matching it
to the provided <local address, remote address> tuple; instead, always
examine the <local address, remote address> tuple that the dispatch
object was originally created for.  This enables reuse of TCP
connections created without providing a specific local socket address
while still preventing other connections (created for a specific local
socket address) from being inadvertently shared.
2024-12-29 10:22:20 +01:00
Artem Boldariev
740292d3ec BIND - enable TLS SNI support for outgoing TLS connections
This commit ensures that BIND enables TLS SNI support for outgoing DoT
connections (when possible) in order to improve compatibility with
other DNS server software.
2024-12-26 17:23:25 +02:00
Artem Boldariev
6691a1530d TLS SNI - add low level support for SNI to the networking code
This commit adds support for setting SNI hostnames in outgoing
connections over TLS.

Most of the changes are related to either adapting the code to accept
and extra argument in *connect() functions and a couple of changes to
the TLS Stream to actually make use of the new SNI hostname
information.
2024-12-26 17:23:12 +02:00
Ondřej Surý
f7316b44b9 Use CMM_{STORE,LOAD}_SHARED to store/load glue in gluelist
ThreadSanitizer has trouble understanding that gluelist->glue is
constant after it is assigned to the slabheader with cmpxchg.  Help
ThreadSanitizer to understand the code by using CMM_STORE_SHARED and
CMM_LOAD_SHARED on gluelist->glue.

The ThreadSanitizer report:

    WARNING: ThreadSanitizer: data race
      Read of size 8 at 0x000000000001 by thread T0001:
	#0 addglue lib/dns/qpzone.c:5304 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#1 dns_db_addglue lib/dns/db.c:1119 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#2 query_additional lib/ns/query.c:2230 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#3 query_addrrset lib/ns/query.c:2324
	#4 query_prepare_delegation_response lib/ns/query.c:8595 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#5 query_delegation lib/ns/query.c:8780 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#6 query_notfound lib/ns/query.c:8552 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#7 query_gotanswer lib/ns/query.c:7553 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#8 query_lookup lib/ns/query.c:6020 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#9 ns__query_start lib/ns/query.c:5690 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#10 query_setup lib/ns/query.c:5239 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#11 ns_query_start lib/ns/query.c:11979 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#12 ns_client_request_continue lib/ns/client.c:2466 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#13 ns_client_request lib/ns/client.c:2142 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#14 isc___nm_readcb netmgr/netmgr.c:1859 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#15 isc__nm_readcb netmgr/netmgr.c:1874
	#16 isc__nm_udp_read_cb netmgr/udp.c:589 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#17 uv__udp_recvmmsg src/unix/udp.c:202 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#18 uv__udp_recvmsg src/unix/udp.c:245 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#19 uv__udp_io src/unix/udp.c:142
	#20 uv__io_poll src/unix/linux.c:1564 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#21 uv_run src/unix/core.c:458 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#22 loop_thread lib/isc/loop.c:328 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#23 thread_body lib/isc/thread.c:85 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#24 thread_run lib/isc/thread.c:100

      Previous write of size 8 at 0x000000000001 by thread T0002:
	#0 create_gluelist lib/dns/qpzone.c:5253 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#1 addglue lib/dns/qpzone.c:5281
	#2 dns_db_addglue lib/dns/db.c:1119 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#3 query_additional lib/ns/query.c:2230 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#4 query_addrrset lib/ns/query.c:2324
	#5 query_prepare_delegation_response lib/ns/query.c:8595 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#6 query_delegation lib/ns/query.c:8780 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#7 query_notfound lib/ns/query.c:8552 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#8 query_gotanswer lib/ns/query.c:7553 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#9 query_lookup lib/ns/query.c:6020 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#10 ns__query_start lib/ns/query.c:5690 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#11 query_setup lib/ns/query.c:5239 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#12 ns_query_start lib/ns/query.c:11979 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#13 ns_client_request_continue lib/ns/client.c:2466 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#14 ns_client_request lib/ns/client.c:2142 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#15 isc___nm_readcb netmgr/netmgr.c:1859 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#16 isc__nm_readcb netmgr/netmgr.c:1874
	#17 isc__nm_udp_read_cb netmgr/udp.c:589 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#18 uv__udp_recvmmsg src/unix/udp.c:202 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#19 uv__udp_recvmsg src/unix/udp.c:245 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#20 uv__udp_io src/unix/udp.c:142
	#21 uv__io_poll src/unix/linux.c:1564 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#22 uv_run src/unix/core.c:458 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#23 loop_thread lib/isc/loop.c:328 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#24 thread_body lib/isc/thread.c:85 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#25 thread_run lib/isc/thread.c:100

      Location is heap block of size 88 at 0x000000000024 allocated by thread T0002:
	#0 malloc <null> (BuildId: c08afb1c60772d9b4e4d4be38d0c0434c5b41990)
	#1 mallocx lib/isc/jemalloc_shim.h:41 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#2 mem_get lib/isc/mem.c:303
	#3 isc__mem_get lib/isc/mem.c:654
	#4 new_gluelist lib/dns/qpzone.c:5012 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#5 create_gluelist lib/dns/qpzone.c:5241
	#6 addglue lib/dns/qpzone.c:5281
	#7 dns_db_addglue lib/dns/db.c:1119 (BuildId: 62aa74b0423f77cc56d705f02c2412b4762577cb)
	#8 query_additional lib/ns/query.c:2230 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#9 query_addrrset lib/ns/query.c:2324
	#10 query_prepare_delegation_response lib/ns/query.c:8595 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#11 query_delegation lib/ns/query.c:8780 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#12 query_notfound lib/ns/query.c:8552 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#13 query_gotanswer lib/ns/query.c:7553 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#14 query_lookup lib/ns/query.c:6020 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#15 ns__query_start lib/ns/query.c:5690 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#16 query_setup lib/ns/query.c:5239 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#17 ns_query_start lib/ns/query.c:11979 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#18 ns_client_request_continue lib/ns/client.c:2466 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#19 ns_client_request lib/ns/client.c:2142 (BuildId: 9cc0711aeddfa6164f4f6fd94b0187f7bfa13ff2)
	#20 isc___nm_readcb netmgr/netmgr.c:1859 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#21 isc__nm_readcb netmgr/netmgr.c:1874
	#22 isc__nm_udp_read_cb netmgr/udp.c:589 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#23 uv__udp_recvmmsg src/unix/udp.c:202 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#24 uv__udp_recvmsg src/unix/udp.c:245 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#25 uv__udp_io src/unix/udp.c:142
	#26 uv__io_poll src/unix/linux.c:1564 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#27 uv_run src/unix/core.c:458 (BuildId: 355edf0d38120d6761c51ee8cab2c162dff57b0a)
	#28 loop_thread lib/isc/loop.c:328 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#29 thread_body lib/isc/thread.c:85 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#30 thread_run lib/isc/thread.c:100

      Thread T0001 'isc-loop-0002' (running) created by main thread at:
	#0 pthread_create <null> (BuildId: c08afb1c60772d9b4e4d4be38d0c0434c5b41990)
	#1 isc_thread_create lib/isc/thread.c:139 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#2 isc_loopmgr_run lib/isc/loop.c:508 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#3 main bin/named/main.c:1532 (BuildId: d03d7837520674921fd1fe7c353cb790cab69b3b)

      Thread T0002 'isc-loop-0003' (running) created by main thread at:
	#0 pthread_create <null> (BuildId: c08afb1c60772d9b4e4d4be38d0c0434c5b41990)
	#1 isc_thread_create lib/isc/thread.c:139 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#2 isc_loopmgr_run lib/isc/loop.c:508 (BuildId: de1ebc9b2642ead6bbd0f4553c7144c016b01ffc)
	#3 main bin/named/main.c:1532 (BuildId: d03d7837520674921fd1fe7c353cb790cab69b3b)

    SUMMARY: ThreadSanitizer: data race lib/dns/qpzone.c:5304 in addglue
2024-12-25 15:06:01 +00:00
Ondřej Surý
7b26becec0
Detect and possibly define constexpr using Autoconf
Previously, we had an ISC_CONSTEXPR macro that was expanded to either
`constexpr` or `static const`, depending on compiler support.  To make
the code cleaner, move `constexpr` support detection to Autoconf; if
`constexpr` support is missing from the compiler, define `constexpr` as
`static const` in config.h.
2024-12-25 15:21:26 +01:00
Ondřej Surý
06f9163d51
Remove C++ support from the public header
Since BIND 9 headers are not longer public, there's no reason to keep
the ISC_LANG_BEGINDECL and ISC_LANG_ENDDECL macros to support including
them from C++ projects.
2024-12-18 13:10:39 +01:00
Ondřej Surý
29bde687b5
Rewrite the GLUE cache in QP zone database
This is a second attempt to rewrite the GLUE cache to not use per
database version hash table.  Instead of keeping a hash table indexed by
the node, use a directly linked list of GLUE records for each
slabheader.  This was attempted before, but there was a data race caused
by the fact that the thread cleaning the GLUE records could be slower
than accessing the slab headers again and reinitializing the wait-free
stack.

The improved design builds on the previous design, but adds a new
dns_gluelist structure that has a pointer to the database version.

If a dns_gluelist belonging to a different (old) version is detected, it
is just detached from the slabheader and left for the closeversion() to
clean it up later.
2024-12-13 21:48:11 +01:00
Ondřej Surý
759d59801b
Revert "Fix the glue table in the QP and RBT zone databases"
This reverts commit 5beae5faf9.
2024-12-13 21:48:11 +01:00
Michal Nowak
57b64dc397
Apply more SET_IF_NOT_NULL() changes
coccinelle v1.2 found more cases where the SET_IF_NOT_NULL macro
applies.
2024-12-13 13:52:52 +01:00
Matthijs Mekking
726c9cd73b Rename remote-servers standard term to server-list
The 'remote-servers' named.conf reference conflicts with the standard
term from the glossary. Rename the standard term to server-list to
make the docs build.
2024-12-13 08:50:02 +01:00
Matthijs Mekking
1b2eadb197 Add primaries, parental-agents as synonyms
Add back the top blocks 'parental-agents', 'primaries', and 'masters'
to the configuration. Do not document them as so many names for the
same clause is confusing.

This has a slight negative side effect that a top block 'primaries'
can be referred to with a zone statement 'parental-agents' for example,
but that shouldn't be a big issue.
2024-12-13 08:50:02 +01:00
Matthijs Mekking
b121f02eac Unify parental-agents, primaries to remote-servers
Having zone statements that are also top blocks is confusing, and if
we want to add more in the future (which I suspect will be for
generalized notifications, multi-signer), we need to duplicate a lot
of code.

Remove top blocks 'parental-agents' and 'primaries' and just have one
top block 'remote-servers' that you can refer to with zone statements.
2024-12-13 08:50:02 +01:00
Evan Hunt
3394aa9c25 remove "sortlist"
this commit removes the deprecated "sortlist" option. the option
is now marked as ancient; it is a fatal error to use it in
named.conf.

the sortlist system test has been removed, and other tests that
referenced the option have been modified.

the enabling functions, dns_message_setsortorder() and
dns_rdataset_towiresorted(), have also been removed.
2024-12-11 15:09:24 -08:00
Mark Andrews
6d44e7320e Check that a zone that serves A/AAAA is served over IPv4/IPv6
named-checkzone will now, as part of the zone's integrity checks,
look to see if there are A or AAAA records being served and if so
check that the nameservers have A or AAAA records respectively.

These are a sometimes overlooked checks that, if not met, can mean
that a service that is supposed to reachable over IPv6 will not be
resolvable when the recursive resolver is IPv6 only.  Similarly for
IPv4 servers when there are IPv4 only resolvers.
2024-12-11 21:32:21 +00:00
Evan Hunt
95a0b6f479 clean up log module names
- remove obsolete DNS_LOGMODULE_RBT and DNS_LOGMODULE_RBTDB
- correct the misuse of the wrong log modules in dns/rpz.c and
  dns/catz.c, and add DNS_LOGMODULE_RPZ and DNS_LOGMODULE_CATZ
  to support them.
2024-12-11 17:11:32 +00:00
Matthijs Mekking
b6ca209292 Remove trusted-keys and managed-keys options
These options have been deprecated in 9.19 in favor of the trust-anchors
option. They are now removed to clean up the configuration and the code.
2024-12-11 14:04:37 +01:00
Pavel Březina
67e21d94d4 mark loop as shuttingdown earlier in shutdown_cb
`shutdown_trigger_close_cb` is not called in the main loop since
queued events in the `loop->async_trigger`, including loop teardown
(shutdown_server) are processed first, before the `uv_close` callback
is executed..

In order to pass the information to the queued events, it is necessary
to set the flag earlier in the process and not wait for the `uv_close`
callback to trigger.
2024-12-10 19:18:49 +00:00
Matthijs Mekking
b6d031462f Drop single-use RETERR macro
If the RETERR define is only used once in a file, just drop the macro.
2024-12-10 08:46:22 +00:00
Petr Menšík
e7ddd3d7b4 Remove artificial search limit from libirs
Search directive from resolv.conf had a maximum of 8 domains. Any
more were ignored. Do not ignore them anymore; iterate over any
number of domains.

Test resolv.conf support by checking the first and last domain in
the search list. Ignore the domains between; just ensure that the
last domain in the configuration is the last domain parsed.
2024-12-10 00:51:56 +00:00
Mark Andrews
eb78ad2080 Fix parsing of unknown directives in resolv.conf
Only call eatline() to skip to the next line if we're not
already at the end of a line when parsing an unknown directive.
We were accidentally skipping the next line when there was only
a single unknown directive on the current line.
2024-12-09 16:08:06 -08:00
Ondřej Surý
2089996f96
Replace remaining usage of DNS_R_MUSTBESECURE with DNS_R_NOVALIDSIG
The DNS_R_MUSTBESECURE lost its meaning with removal of
dnssec-must-be-secure option, so replace the few remaining (and a bit
confusing) use of this result code with DNS_R_NOVALIDSIG.
2024-12-09 13:10:21 +01:00
Ondřej Surý
dcd1f5b842
Remove dnssec-must-be-secure feature
The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.  There are no
reasons to keep this feature in the production code anymore.

Remove the feature to simplify the code.
2024-12-09 13:10:21 +01:00
Ondřej Surý
64b5c2a743
Remove fixed value for the rrset-order option
Remove the "fixed" value from the "rrset-order" option and from the
autoconf script.
2024-12-09 13:09:26 +01:00
Aydın Mercan
8d093a6b66 disable deterministic ecdsa for fips builds
FIPS 186-5 [1] allows the usage deterministic ECDSA (Section 6.3) which
is compabile with RFC 6979 [2] but OpenSSL seems to follow FIPS 186-4
(Section 6.3) [3] which only allows for random k values, failing
k value generation for OpenSSL >=3.2. [4]

Fix signing by not using deterministic ECDSA when FIPS mode is active.

[1]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
[2]: https://datatracker.ietf.org/doc/html/rfc6979
[3]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[4]: 85f17585b0/crypto/ec/ecdsa_ossl.c (L201-L207)
2024-12-09 10:33:01 +00:00
Matthijs Mekking
5b1ae4a948 Use query counters in validator code
Commit af7db89513 as part of #4141 was
supposed to apply the 'max-recursion-queries' quota to validator
queries, but the counter was never actually passed on to
dns_resolver_createfetch(). This has been fixed, and the global query
counter ('max-query-count', per client request) is now also added.
2024-12-09 10:55:32 +01:00
Ondřej Surý
d14a76e115 Update picohttpparser.{c,h} with upstream repository
Upstream code doesn't do regular releases, so we need to regularly
sync the code from the upstream repository.  This is synchronization up
to the commit f8d0513 from Jan 29, 2024.
2024-12-08 11:14:37 +00:00
Ondřej Surý
7a99d1baf8
Revert "Attach dnssecsignstats, rcvquerystats, and requeststats"
This reverts commit fb50a71159.
2024-12-06 19:46:39 +01:00
Matthijs Mekking
397ca34e34 Remove unused maxquerycount
While implementing the global limit 'max-query-count', initially I
thought adding the variable to the resolver structure. But the limit
is per client request so it was moved to the view structure (and
counter in ns_query structure). However, I forgot to remove the
variable from the resolver structure again. This commit fixes that.
2024-12-06 11:19:18 +01:00
Mark Andrews
fb50a71159 Attach dnssecsignstats, rcvquerystats, and requeststats
In dns_zone_getdnssecsignstats, dns_zone_getrcvquerystats and
dns_zone_getrequeststats attach to the statistics structure.
2024-12-06 04:23:31 +00:00
Mark Andrews
aa686512df INSIST that the zone in locked before unlocking
This is the counterpart to the INSIST(!zone->locked) when the zone
is locked.
2024-12-06 04:23:31 +00:00
Matthijs Mekking
aa24b77d8b Fix nsupdate hang when processing a large update
The root cause is the fix for CVE-2024-0760 (part 3), which resets
the TCP connection on a failed send. Specifically commit
4b7c61381f stops reading on the socket
because the TCP connection is throttling.

When the tcpdns_send_cb callback thinks about restarting reading
on the socket, this fails because the socket is a client socket.
And nsupdate is a client and is using the same netmgr code.

This commit removes the requirement that the socket must be a server
socket, allowing reading on the socket again after being throttled.
2024-12-05 15:40:48 +01:00
Matthijs Mekking
74f845d62f Add +maxtotalqueries option to delv
The max-query-count value can now be set on the command line in delv
with +maxtotalqueries.
2024-12-05 14:17:08 +01:00
Matthijs Mekking
16b3bd1cc7 Implement global limit for outgoing queries
This global limit is not reset on query restarts and is a hard limit
for any client request.
2024-12-05 14:17:07 +01:00
Matthijs Mekking
ca7d487357 Implement getter function for counter limit 2024-12-05 14:17:07 +01:00
Matthijs Mekking
bbc16cc8e6 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.
2024-12-05 14:01:57 +01:00
Mark Andrews
44a54a29d8 Keep a local copy of the update rules to prevent UAF
Previously, the update policy rules check was moved earlier in the
sequence, and the keep rule match pointers were kept to maintain the
ability to verify maximum records by type.

However, these pointers can become invalid if server reloading
or reconfiguration occurs before update completion. To prevent
this issue, extract the maximum records by type value immediately
during processing and only keep the copy of the values instead of the
full ssurule.
2024-12-05 03:40:34 +00:00
Evan Hunt
202c68e6a8 document optional statements the same, enabled or not
the generated grammar for named.conf clauses that may or may not be
enabled at compile time will now print the same comment regardless of
whether or not they are.

previously, the grammar didn't print a comment if an option was enabled,
but printed "not configured" if it was disabled. now, in both cases,
it will say "optional (only available if configured)".

as an incidental fix, clarified the documentation for "named-checkconf -n".
2024-12-04 15:08:44 -08:00
Colin Vidal
d13e94b930 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.
2024-12-04 16:19:30 +01:00
Ondřej Surý
bfcde806c9 Remove the log message about incomplete IPv6 API
The log message would not be ever reached, because the IPv6 API is
always considered to be complete.  Just remove the dead code.
2024-12-04 15:19:12 +00:00
Artem Boldariev
300f05110d Extended TCP accept()/close() logging
This commit adds extra log messages issued when accepting or closing a
TCP connection (provided that debugging logging level >=99 is
enabled).
2024-11-27 21:14:08 +02:00
Ondřej Surý
b61739836d
Remove dns_badcache usage in the resolver (lame-ttl)
The lame-ttl processing was overriden to be disabled in the config,
but the code related to the lame-ttl was still kept in the resolver
code.  More importantly, the DNS_RESOLVER_BADCACHETTL() macro would
cause the entries in the resolver badcache to be always cached for at
least 30 seconds even if the lame-ttl would be set to 0.

Remove the dns_badcache code from the dns_resolver unit, so we save some
processing time and memory in the resolver code.
2024-11-27 17:44:53 +01:00
Ondřej Surý
2cb5a6210f
Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.
2024-11-27 17:44:53 +01:00
alessio
32c7060bd2 Optimize memory layout of core structs
Reduce memory footprint by:

 - Reordering struct fields to minimize padding.
 - Using exact-sized atomic types instead of *_least/*_fast variants
 - Downsizing integer fields where possible

Affected structs:

 - dns_name_t
 - dns_slabheader_t
 - dns_rdata_t
 - qpcnode_t
 - qpznode_t
2024-11-27 16:04:25 +01:00
Ondřej Surý
c18bb5f1f2
Remove unused definition of ISC_CMSG_IP_TOS
The #define was used before, but we forgot to clean it up when we
removed support for dscp.
2024-11-27 15:03:27 +01:00
Ondřej Surý
95a7419c2a
Remove the incomplete code for IPv6 pktinfo
The code that listens on individual interfaces is now stable and doesn't
require any changes.  The code that would bind to IPv6 wildcard address
and then use IPv6 pktinfo structure to get the source address is not
going to be completed, so it's better to just remove the dead cruft.
2024-11-27 15:03:27 +01:00
Ondřej Surý
34a9a9a6be
Assume universal availability of socklen_t
The SUSv2 defines accept(..., socklen_t), so we can safely require
socklen_t to be universally available.
2024-11-27 15:03:27 +01:00
Ondřej Surý
e85399b1c0
Assume that IPv4 and IPv6 is always available
In 2024, it is reasonable to assume that IPv4 and IPv6 is always
available on a socket() level.  We still keep the option to enable or
disable each IP version individually, as the routing might be broken or
undesirable for one of the versions.
2024-11-27 15:03:27 +01:00
Ondřej Surý
5b273b5726
Assume IPV6_V6ONLY is universally available
In 2024, IPV6_V6ONLY socket option is either available or the operating
system is just not going to be supported.
2024-11-27 15:03:27 +01:00
Ondřej Surý
ee122ba025
Make dns_validator_cancel() respect the data ownership
There was a data race dns_validator_cancel() was called when the
offloaded operations were in progress.  Make dns_validator_cancel()
respect the data ownership and only set new .shuttingdown variable when
the offloaded operations are in progress.  The cancel operation would
then finish when the offloaded work passes the ownership back to the
respective thread.
2024-11-27 13:41:16 +01:00
Aram Sargsyan
3262ebd0f3 xfrin: refactor and fix the ISC_R_CANCELED case handling
Previously a ISC_R_CANCELED result code switch-case has been added to
the zone.c:zone_xfrdone() function, which did two things:

1. Schedule a new zone transfer if there's a scheduled force reload of
   the zone.

2. Reset the primaries list.

This proved to be not a well-thought change and causes problems,
because the ISC_R_CANCELED code is used not only when the whole transfer
is canceled, but also when, for example, a particular primary server is
unreachable, and named still needs to continue the transfer process by
trying the next server, which it now no longer does in some cases. To
solve this issue, three changes are made:

1. Make sure dns_zone_refresh() runs on the zone's loop, so that the
   sequential calls of dns_zone_stopxfr() and dns_zone_forcexfr()
   functions (like done in 'rndc retransfer -force') run in intended
   order and don't race with each other.

2. Since starting the new transfer is now guaranteed to run after the
   previous transfer is shut down (see the previous change), remove the
   special handling of the ISC_R_CANCELED case, and let the default
   handler to handle it like before. This will bring back the ability to
   try the next primary if the current one was interrupted with a
   ISC_R_CANCELED result code.

3. Change the xfrin.c:xfrin_shutdown() function to pass the
   ISC_R_SHUTTINGDOWN result code instead of ISC_R_CANCELED, as it makes
   more sense.
2024-11-27 10:37:13 +00:00
Aram Sargsyan
1c4a34a3ab Clean up dns_zonemgr_unreachabledel()
The results of isc_sockaddr_format() calls are not used, remove them
and the local variables.
2024-11-27 10:37:13 +00:00
Petr Menšík
c5ebe5eb0a Remove ns_listenlist_default()
It is not used anywhere in named and is no longer necessary
there.  It was called in some unit tests, but was not actually
needed by them.
2024-11-26 15:22:30 -08:00
Ondřej Surý
a6cce753e2
Move contributed DLZ modules into a separate repository
The DLZ modules are poorly maintained as we only ensure they can still
be compiled, the DLZ interface is blocking, so anything that blocks the
query to the database blocks the whole server and they should not be
used except in testing.  The DLZ interface itself should be scheduled
for removal.
2024-11-26 12:29:41 +01:00
Ondřej Surý
a0a1769509
Add new logging category for logging crypto errors in libisc
The libisc now includes sizeable chunks of cryptography, but the crypto
log module was missing.  Add the new ISC_LOGMODULE_CRYPTO to libisc and
use it in the isc_tls error logging.
2024-11-26 11:22:33 +01:00
Colin Vidal
bcf24ca07e Add a none parameter to query-source[-v6]
This change adds a "none" parameter to the query-source[-v6]
options in named.conf, which forbid the usage of IPv4 or IPv6
addresses when doing upstream queries.
2024-11-26 08:45:50 +01:00
JINMEI Tatuya
b0309ee631 use more generic log module name for 'logtoomanyrecords'
DNS_LOGMODULE_RBTDB was simply inappropriate, and this
log message is actually dependent on db implementation
details, so DNS_LOGMODULE_DB would be the best choice.
2024-11-26 04:06:58 +00:00
JINMEI Tatuya
4156995431 emit more helpful log for exceeding max-records-per-type
The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log includes
the owner name and type, corresponding zone name, and the limit value.
It will be emitted on loading a zone file, inbound zone transfer
(both AXFR and IXFR), handling a DDNS update, or updating a cache DB.
It's especially helpful in the case of zone transfer, since the
secondary side doesn't have direct access to the offending zone data.

It could also be used for max-types-per-name, but this change
doesn't implement it yet as it's much less likely to happen
in practice.
2024-11-26 04:06:58 +00:00
Mark Andrews
af54ef9f5d Parse the URI template and check for a dns variable
The 'dns' variable in dohpath can be in various forms ({?dns},
{dns}, {&dns} etc.).  To check for a valid dohpath it ends up
being simpler to just parse the URI template rather than looking
for all the various forms if substring.
2024-11-26 12:38:49 +11:00
Remi Gacogne
e74052ea71 '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath
See for example section 1.2. "Levels and Expression Types" of rfc6570.
2024-11-26 12:38:33 +11:00
Mark Andrews
9006839ed7 Provide more visibility into configuration errors
by logging SSL_CTX_use_certificate_chain_file and
SSL_CTX_use_PrivateKey_file errors
2024-11-26 10:31:44 +11:00
Aydın Mercan
d987e2d745
add separate query counters for new protocols
Add query counters for DoT, DoH, unencrypted DoH and their proxied
counterparts. The protocols don't increment TCP/UDP counters anymore
since they aren't the same as plain DNS-over-53.
2024-11-25 13:07:29 +03:00
Colin Vidal
642776a976 Remove namedconf port/tls deprecated check on *-source[-v6] options
The usage of port and tls arguments in *-source and *-source-v6 named
configuration options has been previously removed. Remove
configuration check deprecating usage of those arguments.
2024-11-22 18:50:10 +01:00
alessio
99b4f01b33 Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.

This effectively reverts half of e3892805d6
2024-11-22 15:00:55 +01:00
Mark Andrews
a24d6e1654 Re-split format strings
Re-split format strings that had been poorly split by multiple
clang-format runs using different versions of clang-format.
2024-11-20 13:06:43 +11:00
Ondřej Surý
1a19ce39db
Remove redundant semicolons after the closing braces of functions 2024-11-19 12:27:22 +01:00
Ondřej Surý
0258850f20
Remove redundant parentheses from the return statement 2024-11-19 12:27:22 +01:00
Aram Sargsyan
53117b2ab3 Add REQUIREs to dns_xfrin_create()
Two REQUIRE assertions were accidentally deleted by the
dbf230650f commit earlier.
Bring them back.
2024-11-15 13:21:26 +00:00
Ondřej Surý
128e50e1ff
Revalidate the adbname when canceling the ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock.  During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.

Recheck if the find->adbname is still valid after acquiring the lock
again and if not just skip the double removal.  Additionally, attach to
the adbname as in the worst case, the adbname might also cease to exist
if the scheduler would block this particular thread for a longer period
of time invalidating the lock we are going to acquire and release.
2024-11-13 08:18:39 +01:00
Ondřej Surý
34b3e7cb40
Remove RBTDB implementation
QPDB is now a default implementation for both cache and zone.  Remove
the venerable RBTDB database implementation, so we can fast-track the
changes to the database without having to implement the design changes
to both QPDB and RBTDB and this allows us to be more aggressive when
refactoring the database design.
2024-11-12 09:07:19 +01:00
Aram Sargsyan
dbf230650f Fix a data race between dns_zone_getxfr() and dns_xfrin_create()
There is a data race between the statistics channel, which uses
`dns_zone_getxfr()` to get a reference to `zone->xfr`, and the creation
of `zone->xfr`, because the latter happens outside of a zone lock.

Split the `dns_xfrin_create()` function into two parts to separate the
zone tranfer startring part from the zone transfer object creation part.
This allows us to attach the new object to a local variable first, then
attach it to `zone->xfr` under a lock, and only then start the transfer.
2024-11-07 08:47:52 +00:00
Ondřej Surý
8a38c17cca
Enforce type checking for dns_dbversiont_t
Originally, the dns_dbversion_t was typedef'ed to void type.  This
allowed some flexibility, but using (void *) just removes any
type-checking that C might have.  Instead of using:

    typedef void dns_dbversion_t;

use a trick to define the type to non-existing structure:

    typedef struct dns_dbversion dns_dbversion_t;

This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbversion_t type.
2024-11-07 08:03:55 +01:00
Ondřej Surý
fbd5f614d7
Enforce type checking for dns_dbnode_t
Originally, the dns_dbnode_t was typedef'ed to void type.  This allowed
some flexibility, but using (void *) just removes any type-checking that
C might have.  Instead of using:

    typedef void dns_dbnode_t;

use a trick to define the type to non-existing structure:

    typedef struct dns_dbnode dns_dbnode_t;

This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbnode_t type.
2024-11-06 17:08:04 +01:00
Alessio Podda
7a57200f38 Merge parse_querysource and parse_sockaddrsub
The query-source option has the slight quirk of allowing the address to
be specified in two ways, either as every other source option, or as an
"address" key-value pair.
For this reason, it had a separate parsing function from other X-source
options, but it is possible to extend the parsing of other X-sources to
be generic and also handle query-source.
This commit just does that.
2024-11-05 09:37:08 +01:00
Ondřej Surý
88103e72d5 Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am.  Adjust the required automake files
as needed.
2024-11-04 23:35:52 +00:00
Mark Andrews
5253c75b7a Update zone transfer summary
Print the expire option in the zone transfer summary. This is
currently emitted in a DEBUG(1) message.
2024-11-04 17:53:16 +00:00
Matthijs Mekking
680aedb595 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.
2024-11-01 15:50:16 +01:00
Evan Hunt
e2393ba27b refactor, add missing EDNS options, and fix option names
some EDNS option names, including DAU, DHU, N3U, and CHAIN,
were not printed in dns_message_pseudosectiontotext() or
_psuedosectiontoyaml(); they were displayed as unknown options.
this has been corrected.

that code was also refactored to use switch instead of if/else,
and to look up the option code names in a table to prevent
inconsistencies between the two formats. one such inconsistency
was corrected: the "TCP-KEEPALIVE" option is now always printed
with a hyphen, instead of being "TCP KEEPALIVE" when not using
YAML. the keepalive system test has been updated to expect this.

EDNS options that print DNS names (i.e., CHAIN and Report-Channel)
now enclose them in quotation marks to ensure YAML correctness.
the auth system test has been updated to expect this when grepping
for Report-Channel options.
2024-10-29 20:05:27 +00:00
Timo Eisenmann
e9d54d798f Use TLS for notifies if configured to do so 2024-10-24 12:55:01 +11:00
Mark Andrews
baab8a5d75 Fix TCP dispatches and transport
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused.  Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.
2024-10-24 11:41:18 +11:00
Evan Hunt
c6698322c6 suppress report-channel for zones above the agent-domain
RFC 9567 section 8.1 specifies that the agent domain cannot
be a subdomain of the domain it is reporting on. therefore,
in addition to making it illegal to configure that at the
zone level, we also need to disable send-report-channel for
any zone for which the global send-report-channel value is
a subdomain.

we also now warn if send-report-channel is configured
globally to a zone that we host, but that zone doesn't
have log-report-channel set.
2024-10-23 21:29:32 +00:00
Evan Hunt
5bcccf4754 expand validity checks for send-report-channel
when configured at the zone level, send-report-channel cannot be
a subdomain of the zone name.
2024-10-23 21:29:32 +00:00
Evan Hunt
1cd0d291d3 enforce '*._er' requirement for error-reporting zones
if "log-report-channel" is set to "yes", then the zone must
contain a wildcard name matching '*._er' with a TXT record.
2024-10-23 21:29:32 +00:00
Evan Hunt
d60324891c set up logging functionality using log-report-channel
the logging of error-report queries is no longer activated by
the view's "send-report-channel" option; that now only configures
the agent-domain value that is to be sent in authoritative
responses. the warning that was logged when "send-agent-domain"
was set to a value that is not a locally configured zone has
been removed.

error-report logging is now activated by the presence of an
authoritative zone with the "log-report-channel" option set to
"yes".  this is not permitted in the root zone.

NOTE: a zone with "log-report-channel yes;" should contain a
"*._er" wildcard, but that requirement is not yet enforced.
2024-10-23 21:29:32 +00:00
Evan Hunt
5519dd2669 add log-report-channel zone option
add a boolean "log-report-channel" option for primary and
secondary zones, which sets the DNS_ZONEOPT_LOGREPORTS zone
flag. this option is not yet functional.
2024-10-23 21:29:32 +00:00
Mark Andrews
c676fd2566 Allow send-report-channel to be set at the zone level
If send-report-channel is set at the zone level, it will
be stored in the zone object and used instead of the
view-level agent-domain when constructing the EDNS
Report-Channel option.
2024-10-23 21:29:32 +00:00
Mark Andrews
ac1c60d87e Add send-report-channel option
This commit adds support for the EDNS Report-Channel option,
which is returned in authoritative responses when EDNS is in use.

"send-report-channel" sets the Agent-Domain value that will be
included in EDNS Report-Channel options.  This is configurable at
the options/view level; the value is a DNS name. Setting the
Agent-Domain to the root zone (".") disables the option.

When this value has been set, incoming queries matchng the form
_er.<qtype>.<qname>.<extended-error-code>._er.<agent-domain>/TXT
will be logged to the dns-reporting-agent channel at INFO level.

(Note: error reporting queries will only be accepted if sent via
TCP or with a good server cookie.  If neither is present, named
returns BADCOOKIE to complete the DNS COOKIE handshake, or TC=1
to switch the client to TCP.)
2024-10-23 21:29:32 +00:00
Mark Andrews
b7a13cf2c1 Add per rule logging of dns_ssutable_checkrules processing
These are logged to the update category at debug level 99 and
have the following form.

    update-policy: using: signer=ddns-key.example.nil, name=updated.example.nil, addr=10.53.0.1, tcp=0, type=A, target=
    update-policy: trying: grant zonesub-key.example.nil zonesub TXT
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant ddns-key.example.nil zonesub ANY
    update-policy: matched: grant ddns-key.example.nil zonesub ANY

or

    update-policy: using: signer=restricted.example.nil, name=example.nil, addr=10.53.0.1, tcp=0, type=TXT, target=
    update-policy: trying: grant zonesub-key.example.nil zonesub TXT
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant ddns-key.example.nil zonesub ANY
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant restricted.example.nil zonesub ANY
    update-policy: next rule: name/subdomain mismatch
    update-policy: no match found

where 'using:' is the calling parameters of dns_ssutable_checkrules,
'trying:' in the rule bing evaluated, "next rule:" is the reason
the rule does not match, "matched:" repeats the matched rule, and
no match found is reported when te set of rules is exhausted.
2024-10-23 08:35:08 +11:00
Mark Andrews
d282e5a66e Add log category update-policy 2024-10-23 08:30:59 +11:00
Mark Andrews
6c095f89f5 Fix parsing of hostnames in rndc.conf
When DSCP was removed the parsing of hostnames was accidentally
broken resulting in an assertion failure.  Call cfg_parse_tuple
rather than using custom code in parse_sockaddrnameport.
2024-10-22 10:30:07 +11:00
Evan Hunt
5ea1f6390d corrected code style errors
- add missing brackets around one-line statements
- add paretheses around return values
2024-10-18 19:31:27 +00:00
Aydın Mercan
0b0f05215c
include missing definitions for fips builds 2024-10-17 15:28:31 +03:00
Mark Andrews
840eaa628d Fix recursive-clients 0
Setting recursive-clients 0 triggered an assertion in isc_quota_soft.
This has now been fixed.
2024-10-17 11:04:26 +11:00
Aydın Mercan
05798b31ff
unify libcrypto and evp_md handling
Unify libcrypto initialization and explicit digest fetching in a single
place and move relevant code to the isc__crypto namespace instead of
isc__tls.

It will remove the remaining implicit fetching and deduplicate explicit
fetching inside the codebase.
2024-10-16 14:03:14 +03:00
Petr Menšík
9e55ffaf89 Remove unused <openssl/hmac.h> headers from OpenSSL shims
The <openssl/hmac.h> header was unused and including the
header might cause build failure when OpenSSL doesn't have
Engines support enabled.

See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine

Removes unused hmac includes after Remove OpenSSL Engine support
(commit ef7aba7072) removed engine
support.
2024-10-16 04:19:16 +00:00
Mark Andrews
67f31c5046 Use a binary search to find the NSEC3 closest encloser
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response.  minlabels is the suffix length that corresponds
to longest found existing name.
2024-10-14 23:19:34 +00:00
Evan Hunt
8104ffda0e report client transport in 'rndc recursing'
when dumping the list of recursing clients, indicate whether
a given query was sent over UDP, TCP, TLS, or HTTP.
2024-10-14 12:59:52 -07:00
Matthijs Mekking
af54e3dadc Small keymgr improvement
When a key is to be purged, don't run the key state machinery for it.
2024-10-11 17:42:01 +02:00
Matthijs Mekking
5fdad05a8a Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.
2024-10-11 17:42:00 +02:00
Matthijs Mekking
0396bf98ee Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436
2024-10-10 06:59:28 +00:00
Aram Sargsyan
7bd44a4182 Refactor the way check_recursionquota() is used
Rename check_recursionquota() to acquire_recursionquota(), and
implement a new function called release_recursionquota() to
reverse the action. It helps with decreasing code duplication.
2024-10-09 10:31:33 +00:00
Aram Sargsyan
36c4808903 Fix error path bugs in the "recursing-clients" list management
In two places, after linking the client to the manager's
"recursing-clients" list using the check_recursionquota()
function, the query.c module fails to unlink it on error
paths. Fix the bugs by unlinking the client from the list.

Also make sure that unlinking happens before detaching the
client's handle, as it is the logically correct order, e.g.
in case if it's the last handle and ns__client_reset_cb()
can be called because of the detachment.
2024-10-09 10:31:33 +00:00
Aram Sargsyan
ab07803465 Fix a data race in dns_zone_getxfrintime()
The dns_zone_getxfrintime() function fails to lock the zone before
accessing its 'xfrintime' structure member, which can cause a data
race between soa_query() and the statistics channel. Add the missing
locking/unlocking pair, like it's done in numerous other similar
functions.
2024-10-09 09:13:04 +00:00
Aram Sargsyan
b8c068835e Clean up 'nodetach' in ns_client
The 'nodetach' member is a leftover from the times when non-zero
'stale-answer-client-timeout' values were supported, and currently
is always 'false'. Clean up the member and its usage.
2024-10-09 08:03:13 +00:00
Ondřej Surý
eec30c33c2 Don't enable SO_REUSEADDR on outgoing UDP sockets
Currently, the outgoing UDP sockets have enabled
SO_REUSEADDR (SO_REUSEPORT on BSDs) which allows multiple UDP sockets to
bind to the same address+port.  There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic.  This in turn could lead to incoming DNS message matching to
invalid dns_dispatch and getting dropped.

Disable setting the SO_REUSEADDR on the outgoing UDP sockets.  This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.
2024-10-02 12:15:53 +00:00
Ondřej Surý
4ef316e21e Skip TCP dispatch responses that are not ours
When matching the TCP dispatch responses, we should skip the responses
that do not belong to our TCP connection.  This can happen with faulty
upstream server that sends invalid QID back to us.
2024-10-02 10:41:04 +00:00
Aram Sargsyan
d49a8f518a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.
2024-10-02 08:53:44 +00:00
Alessio Podda
cc167266aa Support ISO timestamps with timezone information
This commit adds support for timestamps in iso8601 format with timezone
when logging. This is exposed through the iso8601-tzinfo printtime
suboption.
It also makes the new logging format the default for -g output,
hopefully removing the need for custom timestamp parsing in scripts.
2024-10-01 15:09:43 +00:00
alessio
bc63758d70 Null clausedefs for ancient options
This commit nulls all type fields for the clausedef lists that are
declared ancient, and removes the corresponding cfg_type_t and parsing
functions when they are found to be unused after the change.
2024-10-01 10:17:04 +02:00
Mark Andrews
b3a2c790f3 Store static-stub addresses seperately in the adb
Static-stub address and addresses from other sources where being
mixed together resulting in static-stub queries going to addresses
not specified in the configuration or alternatively static-stub
addresses being used instead of the real addresses.
2024-10-01 00:19:13 +00:00
Petr Špaček
a0f3b0c5de Remove unused function dns_zonemgr_resumexfrs() 2024-09-30 12:42:08 +00:00
Ondřej Surý
88227ea665
Use release memory ordering when incrementing reference counter
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be same when both calls are executed at the same time.
2024-09-30 11:03:01 +02:00
Aram Sargsyan
4123d59fbc Add a missing rcu_read_unlock() call on exit path
An exit path in the dns_dispatch_add() function fails to get out of
the RCU critical section when returning early. Add the missing
rcu_read_unlock() call.
2024-09-27 13:48:33 +00:00
Mark Andrews
b919b9b4f3 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.
2024-09-25 10:32:38 +00:00
Ondřej Surý
06e5ada4be
Use libuv functions to get memory available to BIND 9
This change uses uv_get_total_memory() to get the memory available to
BIND 9 with possible modification by uv_get_constrained_memory() if the
libuv version is recent enough to honour constraints created by
f.e. cgroups.
2024-09-24 15:51:14 +02:00
Ondřej Surý
31458d405a
Add support to read number of online CPUs on OpenBSD
The OpenBSD doesn't have sysctlbyname(), but sysctl() can be used to
read the number of online/available CPUs by reading following MIB(s):
[CTL_HW, HW_NCPUONLINE] with fallback to [CTL_HW, HW_NCPU].
2024-09-21 12:38:33 +02:00
Ondřej Surý
3a91c0a4e3
Cleanup the sysctlbyname and friends configure checks and ifdefs
Cleanup various checks and cleanups that are available on the all
platforms like sysctlbyname() and various related <sys/*.h> headers
that are either defined in POSIX or available on Linux and all BSDs.
2024-09-21 12:38:33 +02:00
Ondřej Surý
26e7358b16
Use uv_available_parallelism() if available
Instead of cooking up our own code for getting the number of available
CPUs for named to use, make use of uv_available_parallelism() from
libuv >= 1.44.0.
2024-09-21 12:38:33 +02:00
Ondřej Surý
96ef98558c
Don't enable timeouts in dns_dispatch for incoming transfers
The dns_dispatch_add() call in the dns_xfrin unit had hardcoded 30
second limit.  This meant that any incoming transfer would be stopped in
it didn't finish within 30 seconds limit.  Additionally, dns_xfrin
callback was ignoring the return value from dns_dispatch_getnext() when
restarting the reading from the TCP stream; this could cause transfers
to get stuck waiting for a callback that would never come due to the
dns_dispatch having already been shut down.

Call the dns_dispatch_add() without a timeout and properly handle the
result code from the dns_dispatch_getnext().
2024-09-21 10:15:47 +02:00
Ondřej Surý
0f810b3144
Modify dns_dispatch API to accept zero timeout
The dns_dispatch_add() has timeout parameter that could not be 0 (for
not timeout).  Modify the dns_dispatch implementation to accept a zero
timeout for cases where the timeouts are undesirable because they are
managed externally.
2024-09-21 10:15:37 +02:00
Nicki Křížek
ebb5bd9c0f Update code formatting
clang 19 was updated in the base image.
2024-09-20 17:26:33 +02:00
Nicki Křížek
842abe9fbf Revert "Double the number of threadpool threads"
This reverts commit 6857df20a4.
2024-09-20 14:31:25 +02:00
Petr Menšík
e6b19af2dd Move common flags logging to shared functions
Query and response log shares the same flags. Move flags logging out of
log_query to share it with log_response. Use buffer instead of snprintf
to fill flags a bit faster.

Signed-off-by: Petr Menšík <pemensik@redhat.com>
2024-09-19 21:44:06 +00:00
Petr Menšík
6f879aba65 Make responselog flags similar to querylog
Remove answer flag from log, log instead count of records for each
message section. Include EDNS version and few flags of response. Add
also status of result.

Still does not include body of responses rrset.
2024-09-19 21:44:06 +00:00
Mark Andrews
5fad79c92f Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.
2024-09-19 21:44:06 +00:00
Evan Hunt
5a444838db rename 'rbtiterator' and similar names in qpcache
when the QP cache was adapted from the RBT database, some names
weren't changed. this could be confusing, so let's change them now.
also, we no longer need to include rbt.h.
2024-09-19 19:32:27 +00:00
Nicki Křížek
377831a290 Merge tag 'v9.21.1' 2024-09-18 18:02:41 +02:00
Ondřej Surý
62d59766d6
Remove DNSRPS implementation
DNSRPS was the API for a commercial implementation of Response-Policy
Zones that was supposedly better.  However, it was never open-sourced
and has only ever been available from a single vendor.  This goes against
the principle that the open-source edition of BIND 9 should contain only
features that are generally available and universal.

This commit removes the DNSRPS implementation from BIND 9.  It may be
reinstated in the subscription edition if there's enough interest from
customers, but it would have to be rewritten as a plugin (hook) instead
of hard-wiring it again in so many places.
2024-09-18 17:39:14 +02:00
Evan Hunt
98ae5dfc7e
fix DNSRPS errors
silence some reported snprintf() overrun warnings that prevented
DNSRPS from building on some platforms.
2024-09-18 17:24:13 +02:00
Evan Hunt
dc13333957
use uv_dlopen() instead of dlopen() when linking DNSRPZ
take advantage of libuv's shared library handling capability
when linking to a DNSRPS library.  (see b396f55586 and 37b9511ce1
for prior related work.)
2024-09-18 17:24:13 +02:00
Ondřej Surý
d7bff3c0f9
Remove old cruft from dnsrps code
There was some old cruft for ancient compilers checking for attributes
that we regularly use, etc.  Just remove the cruft.
2024-09-18 17:24:13 +02:00
Aram Sargsyan
7c45caa8a5 Set logging category for notify/xfer related messages
Some notify/xfer related log messages are logged at the general
category. Set a more suitable caterogry for those messages.
2024-09-17 15:08:40 +00:00
Ondřej Surý
b576c4c977 Limit the outgoing UDP send queue size
If the operating system UDP queue gets full and the outgoing UDP sending
starts to be delayed, BIND 9 could exhibit memory spikes as it tries to
enqueue all the outgoing UDP messages.  As those are not going to be
delivered anyway (as we argued when we stopped enlarging the operating
system send and receive buffers), try to send the UDP messages directly
using `uv_udp_try_send()` and if that fails, drop the outgoing UDP
message.
2024-09-17 14:02:03 +00:00
alessio
8b8149cdd2 Do not set SO_INCOMING_CPU
We currently set SO_INCOMING_CPU incorrectly, and testing by Ondrej
shows that fixing the issue and setting affinities is worse than letting
the kernel schedule threads without constraints. So we should not set
SO_INCOMING_CPU anymore.
2024-09-16 12:18:22 +00:00
Aram Sargsyan
a018b4e36f Implement the ForwardOnlyFail statistics channel counter
The new ForwardOnlyFail statistics channel counter indicates the
number of queries failed due to bad forwarders for 'forward only'
zones.
2024-09-16 09:31:14 +00:00
Aram Sargsyan
e430ce7039 Fix a 'serverquota' counter calculation bug
The 'all_spilled' local variable in resolver.c:fctx_getaddresses()
is 'true' by default, and only becomes false when there is at least
one successfully found NS address. However, when a 'forward only;'
configuration is used, the code jumps over the part where it looks
for NS addresses and doesn't reset the 'all_spilled' to false, which
results in incorretly increased 'serverquota' statistics variable,
and also in invalid return error code from the function. The result
code error didn't make any differences, because all codes other than
'ISC_R_SUCCESS' or 'DNS_R_WAIT' were treated in the same way, and
the result code was never logged anywhere.

Set the default value of 'all_spilled' to 'false', and only make it
'true' before actually starting to look up NS addresses.
2024-09-16 08:23:12 +00:00
Ondřej Surý
8a96a3af6a Move offloaded DNSSEC operations to different helper threads
Currently, the isc_work API is overloaded.  It runs both the
CPU-intensive operations like DNSSEC validations and long-term tasks
like RPZ processing, CATZ processing, zone file loading/dumping and few
others.

Under specific circumstances, when many large zones are being loaded, or
RPZ zones processed, this stops the CPU-intensive tasks and the DNSSEC
validation is practically stopped until the long-running tasks are
finished.

As this is undesireable, this commit moves the CPU-intensive operations
from the isc_work API to the isc_helper API that only runs fast memory
cleanups now.
2024-09-12 12:09:45 +00:00
Ondřej Surý
6370e9b311 Add isc_helper API that adds 1:1 thread for each loop
Add an extra thread that can be used to offload operations that would
affect latency, but are not long-running tasks; those are handled by
isc_work API.

Each isc_loop now has matching isc_helper thread that also built on top
of uv_loop.  In fact, it matches most of the isc_loop functionality, but
only the `isc_helper_run()` asynchronous call is exposed.
2024-09-12 12:09:45 +00:00
Aram Sargsyan
35ef25e5ea Fix data race in offloaded dns_message_checksig()
When verifying a message in an offloaded thread there is a race with
the worker thread which writes to the same buffer. Clone the message
buffer before offloading.
2024-09-12 09:08:35 +00:00
alessio
da0e48b611 Remove "port" from source address options
Remove the use of "port" when configuring query-source(-v6),
transfer-source(-v6), notify-source(-v6), parental-source(-v6),
etc. Remove the use of source ports for parental-agents.

Also remove the deprecated options use-{v4,v6}-udp-ports and
avoid-{v4,v6}udp-ports.
2024-09-12 08:15:58 +02:00
Mark Andrews
b9246418e8 Fix named-checkconf and statistics-channels
If neither libxml2 nor libjson_c are available have named-checkconf
fail if a statistics-channels block is specified.
2024-09-12 09:21:44 +10:00
Michal Nowak
ff69d07fed
Update code formatting
clang 19 was updated in the base image.
2024-09-10 17:31:32 +02:00
JINMEI Tatuya
7289090683 allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.

This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.

This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.
2024-09-10 14:02:38 +02:00
Aram Sargsyan
0367c60759 Fix RCU API usage in acl.c
The rcu_xchg_pointer() function can be used outside of a critical
section, and usually must be followed by a synchronize_rcu() or
call_rcu() call to detach from the resource, unless if there are
some guarantees in place because of our own reference counting.
2024-09-10 09:54:20 +00:00
Mark Andrews
61faffd06f Add flag to named-checkconf to ignore "not configured" errors
named-checkconf now takes "-n" to ignore "not configured" errors.
This allows named-checkconf to check the syntax of configurations
from other builds which have support for more options.
2024-09-09 23:32:16 +00:00
Nicki Křížek
6857df20a4 Double the number of threadpool threads
Introduce this temporary workaround to reduce the impact of long-running
tasks in offload threads which can block the resolution of queries.
2024-09-06 14:15:21 +02:00
Matthijs Mekking
911daeb306 Nit logging change
Fix wrong function name (dns_dnssec_keymgr -> dns_keymgr_run).

Add error log if dns_keymgr_offline() fails.
2024-09-03 12:01:21 +02:00
Matthijs Mekking
5af53a329f Fix bug in dns_keymgr_offline
If the ZSK has lifetime unlimited, the timing metadata "Inactive" and
"Delete" cannot be found and is treated as an error. Fix by allowing
these metadata to not exist.
2024-09-03 11:57:56 +02:00
Aram Sargsyan
d85918aebf Process canceled/shut down results in validate_dnskey_dsset_done()
When a validator is already shut down, val->name becomes NULL. We
need to process and keep the ISC_R_CANCELED or ISC_R_SHUTTINGDOWN
result code before calling validate_async_done(), otherwise, when it
is called with the hardcoded DNS_R_NOVALIDSIG result code, it can
cause an assetion failure when val->name (being NULL) is used in
proveunsecure().
2024-09-02 15:40:30 +00:00
Ondřej Surý
5a2df8caf5 Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
2024-08-29 14:43:18 +00:00
Mark Andrews
d42ea08f16 Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.
2024-08-29 12:48:20 +00:00
Mark Andrews
43f0b0e8eb Move lock earlier in the call sequence
fctx->state should be read with the lock held.

    1559        /*
    1560         * Caller must be holding the fctx lock.
    1561         */

    CID 468796: (#1 of 1): Data race condition (MISSING_LOCK)
    1. missing_lock: Accessing fctx->state without holding lock fetchctx.lock.
       Elsewhere, fetchctx.state is written to with fetchctx.lock held 2 out of 2 times.
    1562        REQUIRE(fctx->state == fetchstate_done);
    1563
    1564        FCTXTRACE("sendevents");
    1565
    1566        LOCK(&fctx->lock);
    1567
2024-08-29 04:33:56 +00:00
Mark Andrews
a45e39d114 Use atomics to access find->status 2024-08-28 22:42:16 +00:00
Mark Andrews
c900300f21 Use an accessor fuction to access find->status
find->status is marked as private and access is controlled
by find->lock.
2024-08-28 22:42:16 +00:00
Aram Sargsyan
c7e8b7cf63 Exempt prefetches from the fetches-per-server quota
Give prefetches a free pass through the quota so that the cache
entries for popular zones could be updated successfully even if the
quota for is already reached.
2024-08-26 15:50:21 +00:00
Aram Sargsyan
cada2de31f Exempt prefetches from the fetches-per-zone quota
Give prefetches a free pass through the quota so that the cache entry
for a popular zone could be updated successfully even if the quota for
it is already reached.
2024-08-26 15:50:21 +00:00
Ondřej Surý
d61712d14e Stop using malloc_usable_size and malloc_size
Although the nanual page of malloc_usable_size says:

    Although the excess bytes can be over‐written by the application
    without ill effects, this is not good programming practice: the
    number of excess bytes in an allocation depends on the underlying
    implementation.

it looks like the premise is broken with _FORTIFY_SOURCE=3 on newer
systems and it might return a value that causes program to stop with
"buffer overflow" detected from the _FORTIFY_SOURCE.  As we do have own
implementation that tracks the allocation size that we can use to track
the allocation size, we can stop relying on this introspection function.

Also the newer manual page for malloc_usable_size changed the NOTES to:

    The value returned by malloc_usable_size() may be greater than the
    requested size of the allocation because of various internal
    implementation details, none of which the programmer should rely on.
    This function is intended to only be used for diagnostics and
    statistics; writing to the excess memory without first calling
    realloc(3) to resize the allocation is not supported.  The returned
    value is only valid at the time of the call.

Remove usage of both malloc_usable_size() and malloc_size() to be on the
safe size and only use the internal size tracking mechanism when
jemalloc is not available.
2024-08-26 15:00:44 +00:00
Evan Hunt
642a1b985d remove the "dialup" and "heartbeat-interval" options
mark "dialup" and "heartbeat-interval" options as ancient and
remove the documentation and the code implementing them.
2024-08-22 11:11:10 -07:00
Aram Sargsyan
c05a823e8b Implement the 'request-ixfr-max-diffs' configuration option
This limits the maximum number of received incremental zone
transfer differences for a secondary server. Upon reaching the
confgiured limit, the secondary aborts IXFR and initiates a full
zone transfer (AXFR).
2024-08-22 13:42:27 +00:00
Mark Andrews
035289be71 Check key tag range when matching dnssec keys to kasp keys 2024-08-22 12:12:02 +00:00
Mark Andrews
c5bc0a1805 Add optional range directive to keys in dnssec-policy 2024-08-22 12:12:02 +00:00
Mark Andrews
25bf77fac6 Add the concept of allowed key tag ranges to kasp 2024-08-22 12:12:02 +00:00
Matthijs Mekking
f37eb33f29 Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.
2024-08-22 11:29:43 +02:00
Ondřej Surý
7b756350f5
Use clang-format-19 to update formatting
This is purely result of running:

    git-clang-format-19 --binary clang-format-19 origin/main
2024-08-22 09:21:55 +02:00
Matthijs Mekking
2e3068ed60 Disable some behavior in offline-ksk mode
Some things we no longer want to do when we are in offline-ksk mode.

1. Don't check for inactive and private keys if the key is a KSK.
2. Don't update the TTL of DNSKEY, CDS and CDNSKEY RRset, these come
   from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
61cf599fbf Retrieve RRSIG from SKR
When it is time to generate a new signature (dns_dnssec_sign), rather
than create a new one, retrieve it from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
30d20b110e Don't read private key files for offline KSKs
When we are appending contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
2190aa904f Update key states in offline-ksk mode
With offline-ksk enabled, we don't run the keymgr because the key
timings are determined by the SKR. We do update the key states but
we derive them from the timing metadata.

Then, we can skip a other tasks in offline-ksk mode, like DS checking
at the parent and CDS synchronization, because the CDS and CDNSKEY
RRsets also come from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
63e058c29e Apply SKR bundle on rekey
When a zone has a skr structure, lookup the currently active bundle
that contains the right key and signature material.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
037382c4a5 Implement SKR import
When 'rndc skr import' is called, read the file contents and store the
data in the zone's skr structure.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
445722d2bf Add code to store SKR
This added source code stores SKR data. It is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

A SKR contains a list of signed DNSKEY RRsets. Each change in data
should be stored in a separate bundle. So if the RRSIG is refreshed that
means it is stored in the next bundle. Likewise, if there is a new ZSK
pre-published, it is in the next bundle.

In addition (not mentioned in the draft), each bundle may contain
signed CDS and CDNSKEY RRsets.

Each bundle has an inception time. These will determine when we need
to re-sign or re-key the zone.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
0598381236 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.
2024-08-22 08:21:52 +02:00
Nicki Křížek
779de4ec34
Merge tag 'v9.21.0' 2024-08-21 16:23:09 +02:00
Ondřej Surý
3bca3cb5cf
Destroy the dns_xfrin isc_timers on the correct loop
There are few places where we attach/detach from the dns_xfrin object
while running on a different thread than the zone's assigned thread -
xfrin_xmlrender() in the statschannel and dns_zone_stopxfr() to name the
two places where it happens now.  In the rare case, when the incoming
transfer completes (or shuts down) in the brief period between the other
thread attaches and detaches from the dns_xfrin, the isc_timer_destroy()
calls would be called by the last thread calling the xfrin_detach().
In the worst case, it would be this other thread causing assertion
failure.  Move the isc_timer_destroy() call to xfrin_end() function
which is always called on the right thread and to match this move
isc_timer_create() to xfrin_start() - although this other change makes
no difference.
2024-08-21 13:54:40 +02:00
Ondřej Surý
679e90a57d Add isc_log_createandusechannel() function to simplify usage
The new
isc_log_createandusechannel() function combines following calls:

    isc_log_createchannel()
    isc_log_usechannel()

calls into a single call that cannot fail and therefore can be used in
places where we know this cannot fail thus simplifying the error
handling.
2024-08-20 12:50:39 +00:00
Ondřej Surý
091d738c72 Convert all categories and modules into static lists
Remove the complicated mechanism that could be (in theory) used by
external libraries to register new categories and modules with
statically defined lists in <isc/log.h>.  This is similar to what we
have done for <isc/result.h> result codes.  All the libraries are now
internal to BIND 9, so we don't need to provide a mechanism to register
extra categories and modules.
2024-08-20 12:50:39 +00:00
Ondřej Surý
8506102216 Remove logging context (isc_log_t) from the public namespace
Now that the logging uses single global context, remove the isc_log_t
from the public namespace.
2024-08-20 12:50:39 +00:00
Ondřej Surý
043f11de3f Remove isc_log_write1() and isc_log_vwrite1() functions
The isc_log_write1() and isc_log_vwrite1() functions were meant to
de-duplicate the messages sent to the isc_log subsystem.  However, they
were never used in an entire code base and the whole mechanism around it
was complicated and very inefficient.  Just remove those, there are
better ways to deduplicate syslog messages inside syslog daemons now.
2024-08-20 12:50:39 +00:00
Ondřej Surý
b2dda86254 Replace isc_log_create/destroy with isc_logconfig_get()
Add isc_logconfig_get() function to get the current logconfig and use
the getter to replace most of the little dancing around setting up
logging in the tools. Thus:

    isc_log_create(mctx, &lctx, &logconfig);
    isc_log_setcontext(lctx);
    dns_log_setcontext(lctx);
    ...
    ...use lcfg...
    ...
    isc_log_destroy();

is now only:

    logconfig = isc_logconfig_get(lctx);
    ...use lcfg...

For thread-safety, isc_logconfig_get() should be surrounded by RCU read
lock, but since we never use isc_logconfig_get() in threaded context,
the only place where it is actually used (but not really needed) is
named_log_init().
2024-08-20 12:50:39 +00:00
Ondřej Surý
a8a689531f Use single logging context for everything
Instead of juggling different logging context, use one single logging
context that gets initialized in the libisc constructor and destroyed in
the libisc destructor.

The application is still responsible for creating the logging
configuration before using the isc_log API.

This patch is first in the series in a way that it is transparent for
the users of the isc_log API as the isc_log_create() and
isc_log_destroy() are now thin shims that emulate the previous
functionality, but it isc_log_create() will always return internal
isc__lctx pointer and isc_log_destroy() will actually not destroy the
internal isc__lctx context.

Signed-off-by: Ondřej Surý <ondrej@isc.org>
2024-08-20 12:50:39 +00:00
Aram Sargsyan
8bb9568467 Process also the ISC_R_CANCELED result code in rpz_rewrite()
Log  canceled queries (e.g. when shutting down a hung fetch)
in DEBUG3 level instead of DEBUG1 which is used for the
"unrecognized" result codes.
2024-08-19 10:15:01 +00:00
Ondřej Surý
59f4fdebc0 Check the result of dirfd() before calling unlinkat()
Instead of directly using the result of dirfd() in the unlinkat() call,
check whether the returned file descriptor is actually valid.  That
doesn't really change the logic as the unlinkat() would fail with
invalid descriptor anyway, but this is cleaner and will report the right
error returned directly by dirfd() instead of EBADF from unlinkat().
2024-08-19 09:57:28 +00:00
Ondřej Surý
2fbf9757b8 Remove code to read and parse /proc/net/if_inet6 on Linux
The getifaddr() works fine for years, so we don't have to
keep the callback to parse /proc/net/if_inet6 anymore.
2024-08-19 09:42:55 +00:00
Ondřej Surý
dda5ba53df Ignore errno returned from rewind() in the interface iterator
The clang-scan 19 has reported that we are ignoring errno after the call
to rewind().  As we don't really care about the result, just silence the
error, the whole code will be removed in the development version anyway
as it is not needed.
2024-08-19 09:42:55 +00:00
Ondřej Surý
122a142241 Use constexpr for NS_PER_SEC and friends constants
The contexpr introduced in C23 standard makes perfect sense to be used
instead of preprocessor macros - the symbols are kept, etc.  Define
ISC_CONSTEXPR to be `constexpr` for C23 and `static const` for the older
C standards.  Use the newly introduced macro for the NS_PER_SEC and
friends time constants.
2024-08-19 09:08:55 +00:00
Ondřej Surý
b03e90e0d4 Change the NS_PER_SEC (and friends) from enum to static const
New version of clang (19) has introduced a stricter checks when mixing
integer (and float types) with enums.  In this case, we used enum {}
as C17 doesn't have constexpr yet.  Change the time conversion constants
to be static const unsigned int instead of enum values.
2024-08-19 09:08:55 +00:00
Aram Sargsyan
656e04f48a Check if logconfig is NULL before using it in isc_log_doit()
Check if 'lctx->logconfig' is NULL before using it in isc_log_doit(),
because it's possible that isc_log_destroy() was already called, e.g.
when a 'call_rcu' function wants to log a message during shutdown.
2024-08-15 12:54:37 +00:00
Aydın Mercan
b330eb0af8 do not include config.h
The build system ensures it is always included for every source file.
2024-08-15 12:11:48 +00:00
Ondřej Surý
d00ff78a3e Change the placement of ctor/dtor attributes in the dst_api
Change the placement of the attributes to match the existing usage in
other places (after the declaration).
2024-08-14 15:30:18 +00:00
Ondřej Surý
3e4d153453 Skip already rehashed positions in the old hashmap table
When iterating through the old internal hashmap table, skip all the
nodes that have been already migrated to the new table.  We know that
all positions with index less than .hiter are NULL.
2024-08-14 15:19:04 +00:00
Ondřej Surý
acdc57259f Fix the assertion failure in the isc_hashmap iterator
When the round robin hashing reorders the map entries on deletion, we
were adjusting the iterator table size only when the reordering was
happening at the internal table boundary.  The iterator table size had
to be reduced by one to prevent seeing the entry that resized on
position [0] twice because it migrated to [iter->size - 1] position.

However, the same thing could happen when the same entry migrates a
second time from [iter->size - 1] to [iter->size - 2] position (and so
on) because the check that we are manipulating the entry just in the [0]
position was insufficient.  Instead of checking the position [pos == 0],
we now check that the [pos % iter->size == 0], thus ignoring all the
entries that might have moved back to the end of the internal table.
2024-08-14 15:19:04 +00:00
Ondřej Surý
86f1ec34dc Silence all warnings that stem from the default config
As we now setup the logging very early, parsing the default config would
always print warnings about experimental (and possibly deprecated)
options in the default config.  This would even mess with commands like
`named -V` and it is also wrong to warn users about using experimental
options in the default config, because they can't do anything about
this.  Add CFG_PCTX_NODEPRECATED and CFG_PCTX_NOEXPERIMENTAL options
that we can pass to cfg parser and silence the early warnings caused by
using experimental options in the default config.
2024-08-14 12:50:31 +00:00
Aydın Mercan
596903a6b7
use deterministic ecdsa for openssl >= 3.2
OpenSSL has added support for deterministic ECDSA (RFC 6979) with
version 3.2.

Use it by default as derandomization doesn't pose a risk for DNS
usecases and is allowed by FIPS 186-5.
2024-08-14 14:34:44 +03:00
Aram Sargsyan
730fd32ee6 Reconfigure catz member zones during named reconfiguration
During a reconfiguration named doesn't reconfigure catalog zones
member zones. Implement the necessary code to reconfigure catz
member zones.
2024-08-13 16:22:58 +02:00
Ondřej Surý
8e86e55af1
Don't skip the counting if fcount_incr() is called with force==true (v2)
The fcount_incr() was not increasing counter->count when force was set
to true, but fcount_decr() would try to decrease the counter leading to
underflow and assertion failure.  Swap the order of the arguments in the
condition, so the !force is evaluated after incrementing the .count.
2024-08-13 12:51:22 +02:00
Ondřej Surý
39aef50b9b
Move the dst__openssl_toresult to isc_tls unit
Since the enable_fips_mode() now resides inside the isc_tls unit, BIND 9
would fail to compile when FIPS mode was enabled as the DST subsystem
logging functions were missing.

Move the crypto library logging functions from the openssl_link unit to
isc_tls unit and enhance it, so it can now be used from both places
keeping the old dst__openssl_toresult* macros alive.
2024-08-08 11:59:41 +02:00
Evan Hunt
104f3b82fb implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.
2024-08-07 13:20:05 -07:00
Evan Hunt
7e3b425dc2 reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.
2024-08-07 13:19:57 -07:00
Evan Hunt
c5588babaf make "max_restarts" a configurable value
MAX_RESTARTS is no longer hard-coded; ns_server_setmaxrestarts()
and dns_client_setmaxrestarts() can now be used to modify the
max-restarts value at runtime. in both cases, the default is 11.
2024-08-07 13:03:08 -07:00
Evan Hunt
05d78671bb reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)
2024-08-07 13:00:42 -07:00
Evan Hunt
825f3d68c5 add debug logging when creating or attaching to a query counter
fctx_create() now logs at debug level 9 when the fctx attaches
to an existing counter or creates a new one.
2024-08-07 11:21:44 -07:00
Evan Hunt
af7db89513 apply max-recursion-queries quota to validator queries
previously, validator queries for DNSKEY and DS records were
not counted toward the quota for max-recursion-queries; they
are now.
2024-08-07 11:21:44 -07:00
Evan Hunt
d3b7e92783 attach query counter to NS fetches
there were cases in resolver.c when queries for NS records were
started without passing a pointer to the parent fetch's query counter;
as a result, the max-recursion-queries quota for those queries started
counting from zero, instead of sharing the limit for the parent fetch,
making the quota ineffective in some cases.
2024-08-07 11:21:44 -07:00
Aydın Mercan
f58ed932d8
use only c23 or c11 noreturn specifiers
Since we require C11 or greater, we can depend on using either _Noreturn
or [[noreturn]].
2024-08-07 18:27:40 +03:00
Ondřej Surý
e6f2f2a5e6
Initialize the DST subsystem implicitly
Instead of calling dst_lib_init() and dst_lib_destroy() explicitly by
all the programs, create a separate memory context for the DST subsystem
and use the library constructor and destructor to initialize the DST
internals.
2024-08-07 17:03:27 +02:00
Ondřej Surý
c11b736e44 Disassociate the SSL object from the cached SSL_SESSION
When the SSL object was destroyed, it would invalidate all SSL_SESSION
objects including the cached, but not yet used, TLS session objects.

Properly disassociate the SSL object from the SSL_SESSION before we
store it in the TLS session cache, so we can later destroy it without
invalidating the cached TLS sessions.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Artem Boldariev <artem@isc.org>
Co-authored-by: Aram Sargsyan <aram@isc.org>
2024-08-07 14:25:11 +00:00
Ondřej Surý
684f3eb8e6 Attach/detach to the listening child socket when accepting TLS
When TLS connection (TLSstream) connection was accepted, the children
listening socket was not attached to sock->server and thus it could have
been freed before all the accepted connections were actually closed.

In turn, this would cause us to call isc_tls_free() too soon - causing
cascade errors in pending SSL_read_ex() in the accepted connections.

Properly attach and detach the children listening socket when accepting
and closing the server connections.
2024-08-07 14:17:43 +00:00
Ondřej Surý
495cf18c75
Remove checks for OPENSSL_API_LEVEL define
Since the support for OpenSSL Engines has been removed, we can now also
remove the checks for OPENSSL_API_LEVEL; The OpenSSL 3.x APIs will be
used when compiling with OpenSSL 3.x, and OpenSSL 1.1.xx APIs will be
used only when OpenSSL 1.1.x is used.
2024-08-06 15:17:48 +02:00
Ondřej Surý
ef7aba7072
Remove OpenSSL Engine support
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
and is going to be removed.  Remove the OpenSSL Engine support in favor
of OpenSSL Providers.
2024-08-06 15:17:48 +02:00
Ondřej Surý
5beae5faf9
Fix the glue table in the QP and RBT zone databases
When adding glue to the header, we add header to the wait-free stack to
be cleaned up later which sets wfc_node->next to non-NULL value.  When
the actual cleaning happens we would only cleanup the .glue_list, but
since the database isn't locked for the time being, the headers could be
reused while cleaning the existing glue entries, which creates a data
race between database versions.

Revert the code back to use per-database-version hashtable where keys
are the node pointers.  This allows each database version to have
independent glue cache table that doesn't affect nodes or headers that
could already "belong" to the future database version.
2024-08-05 15:36:54 +02:00
Evan Hunt
6b720bfe1a minor findnode optimization
when searching the cache for a node so that we can delete an
rdataset, it is not necessary to set the 'create' flag. if the
node doesn't exist yet, we then we won't be able to delete
anything from it anyway.
2024-08-05 13:36:41 +00:00
Evan Hunt
a68a77ca86 dns_difftuple_create() cannot fail
dns_difftuple_create() could only return success, so change
its type to void and clean up all the calls to it.

other functions that only returned a result value because of it
have been cleaned up in the same way.
2024-08-05 13:31:38 +00:00
Evan Hunt
a84d54c6ff
raise the log level of priming failures
when a priming query is complete, it's currently logged at
level ISC_LOG_DEBUG(1), regardless of success or failure. we
are now raising it to ISC_LOG_NOTICE in the case of failure.
2024-08-05 13:56:13 +02:00
Aydın Mercan
2a76352b37 fix the rsa exponent to 65537
There isn't a realistic reason to ever use e = 4294967297. Fortunately
its codepath wasn't reachable to users and can be safetly removed.

Keep in mind the `dns_key_generate` header comment was outdated. e = 3
hasn't been used since 2006 so there isn't a reason to panic. The
toggle was the public exponents between 65537 and 4294967297.
2024-08-05 11:21:59 +00:00
Aydın Mercan
5dbb560747 remove the crc64 implementation
CRC-64 has been added for map files. Now that the map file format has
been removed, there isn't a reason to keep the implementation.
2024-08-05 11:21:25 +00:00
Ondřej Surý
13941c8ca7 Call rcu_barrier() in the isc_mem_destroy() just once
The previous work in this area was led by the belief that we might be
calling call_rcu() from within call_rcu() callbacks.  After carefully
checking all the current callback, it became evident that this is not
the case and the problem isn't enough rcu_barrier() calls, but something
entirely else.

Call the rcu_barrier() just once as that's enough and the multiple
rcu_barrier() calls will not hide the real problem anymore, so we can
find it.
2024-08-05 10:24:47 +00:00
Ondřej Surý
8ccfbcfe72 Remove no longer needed OpenSSL shims and checks
Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind
of OpenSSL shims and checks for functions that are now always present in
the OpenSSL libraries.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Aydın Mercan <aydin@isc.org>
2024-08-05 10:23:59 +00:00
Ondřej Surý
37dbd57c16
Fix the assertion failure when putting 48-bit number to buffer
When putting the 48-bit number into a fixed-size buffer that's exactly 6
bytes, the assertion failure would occur as the 48-bit number is
internally represented as 64-bit number and the code was checking if
there is enough space for `sizeof(val)`.  This causes assertion failure
when otherwise valid TSIG signature has a bad timing information.

Specify the size of the argument explicitly, so the 48-bit number
doesn't require 8-byte long buffer.
2024-08-05 09:55:18 +02:00
Ondřej Surý
a513d4c07f Don't skip the counting if fcount_incr() is called with force==true
The fcount_incr() was incorrectly skipping the accounting for the
fetches-per-zone if the force argument was set to true.  We want to skip
the accounting only when the fetches-per-zone is completely disabled,
but for individual names we need to do the accounting even if we are
forcing the result to be success.
2024-08-05 07:33:20 +00:00
Ondřej Surý
827a153d99 Remove superfluous memset() in isc_nmsocket_init()
The tlsstream part of the isc_nmsocket_t gets initialized via designater
initializer and doesn't need the extra memset() later; just remove it.
2024-08-05 07:32:12 +00:00
Ondřej Surý
cc4f99bc6d Fix PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP usage
The PTHREAD_MUTEX_ADAPTIVE_NP and PTHREAD_MUTEX_ERRORCHECK_NP are
usually not defines, but enum values, so simple preprocessor check
doesn't work.

Check for PTHREAD_MUTEX_ADAPTIVE_NP from the autoconf AS_COMPILE_IFELSE
block and define HAVE_PTHREAD_MUTEX_ADAPTIVE_NP.  This should enable
adaptive mutex on Linux and FreeBSD.

As PTHREAD_MUTEX_ERRORCHECK actually comes from POSIX and Linux glibc
does define it when compatibility macros are being set, we can just use
PTHREAD_MUTEX_ERRORCHECK instead of PTHREAD_MUTEX_ERRORCHECK_NP.
2024-08-05 07:31:39 +00:00
Ondřej Surý
f158884344 Remove ISC_MUTEX_INITIALIZER
It's hard to get it right on different platforms and it's unused
in BIND 9 anyway.
2024-08-05 07:31:39 +00:00
Ondřej Surý
b26079fdaf Don't open route socket if we don't need it
When automatic-interface-scan is disabled, the route socket was still
being opened.  Add new API to connect / disconnect from the route socket
only as needed.

Additionally, move the block that disables periodic interface rescans to
a place where it actually have access to the configuration values.
Previously, the values were being checked before the configuration was
loaded.
2024-08-05 07:31:02 +00:00
Ondřej Surý
912eaf6cb9 Clarify that cds_wfcq_dequeue_blocking() doesn't block if empty 2024-08-05 07:30:10 +00:00
Mark Andrews
47338c2c87 Remove unnecessary operations
Decrementing optlen immediately before calling continue is unneccesary
and inconsistent with the rest of dns_message_pseudosectiontoyaml
and dns_message_pseudosectiontotext.  Coverity was also reporting
an impossible false positive overflow of optlen (CID 499061).

    4176                        } else if (optcode == DNS_OPT_CLIENT_TAG) {
    4177                                uint16_t id;
    4178                                ADD_STRING(target, "; CLIENT-TAG:");
    4179                                if (optlen == 2U) {
    4180                                        id = isc_buffer_getuint16(&optbuf);
    4181                                        snprintf(buf, sizeof(buf), " %u\n", id);
    4182                                        ADD_STRING(target, buf);

    CID 499061: (#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
    overflow_const: Expression optlen, which is equal to 65534, underflows
    the type that receives it, an unsigned integer 16 bits wide.
    4183                                        optlen -= 2;
    4184                                        POST(optlen);
    4185                                        continue;
    4186                                }
    4187                        } else if (optcode == DNS_OPT_SERVER_TAG) {
2024-08-02 03:44:04 +00:00
Aram Sargsyan
5f47c2b567 Allow shorter resolver-query-timeout configuration
There are use cases for which shorter timeout values make sense.
For example if there is a load balancer which sets RD=1 and
forwards queries to a BIND resolver which is then configured to
talk to backend servers which are not visible in the public NS set.
WIth a shorter timeout value the frontend can give back SERVFAIL
early when backends are not available and the ultimate client will
not penalize the BIND-frontend for non-response.
2024-08-01 18:30:35 +00:00
Aram Sargsyan
63b8a75de9 Rename dns_zone_forcereload() to dns_zone_forcexfr()
The new name describes the function more accurately.
2024-08-01 11:01:17 +00:00
Aram Sargsyan
3d1179501a Make dns_xfrin_shutdown() safe to run from a different loop
If the current loop is different than the zone transfer's loop then
run the shutdown operation asynchronously.
2024-08-01 10:43:47 +00:00
Aram Sargsyan
402ca316ae Implement rndc retransfer -force
With this new optional argument if there is an ongoing zone
transfer it will be aborted before a new zone transfer is scheduled.
2024-08-01 10:43:47 +00:00
Aram Sargsyan
b156531b29 Do not automatically restart a canceled zone transfer
If a zone transfer is canceled there is no need to try the
next primary or retry with AXFR.
2024-08-01 10:43:47 +00:00
Mark Andrews
bca63437a1 Add missing period to generated IPv4 6to4 name
The period between the most significant nibble of the IPv4 address
and the 2.0.0.2.IP6.ARPA suffix was missing resulting in the wrong
name being checked.
2024-08-01 15:17:30 +10:00
Mark Andrews
6d1c7beb15 Cleanup old clang-format string splitting 2024-08-01 14:17:57 +10:00
Mark Andrews
f78beca942 Remove false positive qname minimisation error
Don't report qname minimisation NXDOMAIN errors when the result is
NXDOMAIN.
2024-08-01 14:17:57 +10:00
Mark Andrews
393d7fa78e Fix yaml output
In yaml mode we emit a string for each question and record.  Certain
names and data could result in invalid yaml being produced.  Use single
quote string for all questions and records.  This requires that single
quotes get converted to two quotes within the string.
2024-08-01 12:30:57 +10:00
Mark Andrews
b51c9eb797 Properly reject zero length ALPN in commatxt_fromtext
ALPN are defined as 1*255OCTET in RFC 9460.  commatxt_fromtext was not
rejecting invalid inputs produces by missing a level of escaping
which where later caught be dns_rdata_fromwire on reception.

These inputs should have been rejected

	svcb in svcb 1 1.svcb alpn=\,abc
	svcb1 in svcb 1 1.svcb alpn=a\,\,abc

and generated 00 03 61 62 63 and 01 61 00 02 61 62 63 respectively.

The correct inputs to include commas in the alpn requires double
escaping.

	svcb in svcb 1 1.svcb alpn=\\,abc
	svcb1 in svcb 1 1.svcb alpn=a\\,\\,abc

and generate 04 2C 61 62 63 and 06 61 2C 2C 61 62 63 respectively.
2024-08-01 10:20:55 +10:00
Aram Sargsyan
cb5238cc62 Replace #define DNS_GETDB_ with struct of bools
This makes it easier to pretty-print the attributes in a debugger.
2024-07-31 11:52:52 +00:00
Aram Sargsyan
b621f1d88e Return SERVFAIL for a too long CNAME chain
Due to the maximum query restart limitation a long CNAME chain
it is cut after 16 queries but named still returns NOERROR.

Return SERVFAIL instead and the partial answer.
2024-07-31 10:54:10 +00:00
Mark Andrews
48d39f7c30 Check that FILE_STREAM(channel) is not already closed
isc_log_closefilelogs can also close log files.  isc_log_doit failed
to check if the file handle was still valid before closing it.
2024-07-31 17:36:38 +10:00
Mark Andrews
e8dbc5db92 Properly compute the physical memory size
On a 32 bit machine casting to size_t can still lead to an overflow.
Cast to uint64_t.  Also detect all possible negative values for
pages and pagesize to silence warning about possible negative value.

    39#if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
    	1. tainted_data_return: Called function sysconf(_SC_PHYS_PAGES),
           and a possible return value may be less than zero.
    	2. assign: Assigning: pages = sysconf(_SC_PHYS_PAGES).
    40        long pages = sysconf(_SC_PHYS_PAGES);
    41        long pagesize = sysconf(_SC_PAGESIZE);
    42
    	3. Condition pages == -1, taking false branch.
    	4. Condition pagesize == -1, taking false branch.
    43        if (pages == -1 || pagesize == -1) {
    44                return (0);
    45        }
    46
    	5. overflow: The expression (size_t)pages * pagesize might be negative,
           but is used in a context that treats it as unsigned.

    CID 498034: (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
    6. return_overflow: (size_t)pages * pagesize, which might have underflowed,
       is returned from the function.
    47        return ((size_t)pages * pagesize);
    48#endif /* if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE) */
2024-07-31 05:55:30 +00:00
Mark Andrews
53a5f50e9d Do not update find.result_v4 and find.result_v6
These values are supposed to be static for the life of the find and
clean_finds_at_name was updating them resulting in TSAN error
reports.

    WARNING: ThreadSanitizer: data race
    Write of size 4 at 0x000000000001 by thread T1 (mutexes: write M1, write M2):
      #0 clean_finds_at_name lib/dns/adb.c:1537
      #1 fetch_callback lib/dns/adb.c:4009
      #2 task_run lib/isc/task.c:815
      #3 isc_task_run lib/isc/task.c:896
      #4 isc__nm_async_task netmgr/netmgr.c:848
      #5 process_netievent netmgr/netmgr.c:920
      #6 process_queue netmgr/netmgr.c:1013
      #7 process_all_queues netmgr/netmgr.c:767
      #8 async_cb netmgr/netmgr.c:796
      #9 uv__async_io /usr/src/libuv-v1.44.1/src/unix/async.c:163
      #10 isc__trampoline_run lib/isc/trampoline.c:189

    Previous read of size 4 at 0x000000000001 by thread T2:
      #0 findname lib/dns/resolver.c:3749
      #1 fctx_getaddresses lib/dns/resolver.c:3993
      #2 fctx_try lib/dns/resolver.c:4390
      #3 rctx_nextserver lib/dns/resolver.c:10356
      #4 rctx_done lib/dns/resolver.c:10503
      #5 resquery_response lib/dns/resolver.c:8511
      #6 udp_recv lib/dns/dispatch.c:638
      #7 isc__nm_async_readcb netmgr/netmgr.c:2885
      #8 isc__nm_readcb netmgr/netmgr.c:2858
      #9 udp_recv_cb netmgr/udp.c:650
      #10 isc__nm_udp_read_cb netmgr/udp.c:1057
      #11 uv__udp_recvmsg /usr/src/libuv-v1.44.1/src/unix/udp.c:303
      #12 isc__trampoline_run lib/isc/trampoline.c:189
2024-07-31 14:46:45 +10:00
Mark Andrews
14a76ae498 Log key calculation overflows 2024-07-30 10:58:54 +02:00
Mark Andrews
25845a866e Check for overflow when adding lifetime 2024-07-30 10:58:54 +02:00
Matthijs Mekking
129973ebb0 No longer update key lifetime if key is retired
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.

This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.

This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.
2024-07-30 10:57:14 +02:00
Matthijs Mekking
1cec0b0448 Update key lifetime and metadata after reconfig
If dnssec-policy is reconfigured and the key lifetime has changed,
update existing keys with the new lifetime and adjust the retire
and removed timing metadata accordingly.

If the key has no lifetime yet, just initialize the lifetime. It
may be that the retire/removed timing metadata has already been set.

Skip keys which goal is not set to omnipresent. These keys are already
in the progress of retiring, or still unused.
2024-07-30 10:57:14 +02:00
Artem Boldariev
5781ff3a93 Drop expired but not accepted TCP connections
This commit ensures that we are not attempting to accept an expired
TCP connection as we are not interested in any data that could have
been accumulated in its internal buffers. Now we just drop them for
good.
2024-07-03 15:03:02 +03:00
Ondřej Surý
bf9fd2a6ff
Reset the TCP connection on a failed send
When sending fails, the ns__client_request() would not reset the
connection and continue as nothing is happening.  This comes from the
model that we don't care about failed UDP sends because datagrams are
unreliable anyway, but it greatly affects TCP connections with
keep-alive.

The worst case scenario is as follows:

1. the 3-way TCP handshake gets completed
2. the libuv calls the "uv_connection_cb" callback
3. the TCP connection gets queue because of the tcp-clients quota
4. the TCP client sends as many DNS messages as the buffers allow
5. the TCP connection gets dropped by the client due to the timeout
6. the TCP connection gets accepted by the server
7. the data already sent by the client gets read
8. all sending fails immediately because the TCP connection is dead
9. we consume all the data in the buffer in a very tight loop

As it doesn't make sense to trying to process more data on the TCP
connection when the sending is failing, drop the connection immediately
on the first sending error.
2024-07-03 09:07:20 +02:00
Ondřej Surý
1c0564d715
Remove ns_query_init() cannot fail, remove the error paths
As ns_query_init() cannot fail now, remove the error paths, especially
in ns__client_setup() where we now don't have to care what to do with
the connection if setting up the client could fail.  It couldn't fail
even before, but now it's formal.
2024-07-03 09:05:51 +02:00
Ondřej Surý
bc3e713317
Throttle the reading when writes are asynchronous
Be more aggressive when throttling the reading - when we can't send the
outgoing TCP synchronously with uv_try_write(), we start throttling the
reading immediately instead of waiting for the send buffers to fill up.

This should not affect behaved clients that read the data from the TCP
on the other end.
2024-07-03 08:45:39 +02:00
Ondřej Surý
57cd34441a
Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:

1. If the new header type is in our priority list, we always add either
   positive or negative entry at the beginning of the list.

2. If the new header type is negative entry, and we are over the limit,
   we mark it as ancient immediately, so it gets evicted from the cache
   as soon as possible.

3. Otherwise add the new header after the priority headers (or at the
   head of the list).

4. If we are over the limit, evict the last entry on the normal header
   list.
2024-07-01 12:48:51 +02:00
Ondřej Surý
b27c6bcce8
Expand the list of the priority types and move it to db_p.h
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
2024-07-01 12:47:30 +02:00
Artem Boldariev
55b1a093ea
Do not un-throttle TCP connections on isc_nm_read()
Due to omission it was possible to un-throttle a TCP connection
previously throttled due to the peer not reading back data we are
sending.

In particular, that affected DoH code, but it could also affect other
transports (the current or future ones) that pause/resume reading
according to its internal state.
2024-06-12 13:44:37 +03:00
Mark Andrews
e52c2a654b
Clear qctx->zversion
Clear qctx->zversion when clearing qctx->zrdataset et al in
lib/ns/query.c:qctx_freedata.  The uncleared pointer could lead to
an assertion failure if zone data needed to be re-saved which could
happen with stale data support enabled.
2024-06-10 17:45:38 +02:00
Petr Špaček
9370acd3a7
Require local KEYs for SIG(0) verification
This is additional hardening. There is no known use-case for KEY RRs
from DNS cache and it potentially allows attackers to put weird keys
into cache.
2024-06-10 17:36:45 +02:00
Aram Sargsyan
d69fab1530
Mark SIG(0) quota settings as experimantal
A different solution in the future might be adopted depending
on feedback and other new information, so it makes sense to mark
these options as EXPERIMENTAL until we have more data.
2024-06-10 17:36:45 +02:00
Aram Sargsyan
54ddd848fe
Avoid running get_matching_view() asynchronously on an error path
Also create a new ns_client_async_reset() static function to decrease
code duplication.
2024-06-10 17:35:40 +02:00
Aram Sargsyan
7ca9bd6014
Limit the number of keys for SIG(0) message verification
Check at most two KEY RRs agains a SIG(0) signature. This should
limit potential abuse and at the same time allow key rollover.
2024-06-10 17:33:11 +02:00
Aram Sargsyan
70ff4a3f85
Run resolver message signature checking asynchronously 2024-06-10 17:33:11 +02:00
Aram Sargsyan
ad489c44df
Remove sig0checks-quota-maxwait-ms support
Waiting for a quota to appear complicates things and wastes
rosources on timer management. Just answer with REFUSE if
there is no quota.
2024-06-10 17:33:11 +02:00
Aram Sargsyan
f0cde05e06
Implement asynchronous view matching for SIG(0)-signed queries
View matching on an incoming query checks the query's signature,
which can be a CPU-heavy task for a SIG(0)-signed message. Implement
an asynchronous mode of the view matching function which uses the
offloaded signature checking facilities, and use it for the incoming
queries.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
710bf9b938
Implement asynchronous message signature verification
Add support for using the offload threadpool to perform message
signature verifications. This should allow check SIG(0)-signed
messages without affecting the worker threads.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
7f013ad05d
Remove dns_message_rechecksig()
This is a tiny helper function which is used only once and can be
replaced with two function calls instead. Removing this makes
supporting asynchronous signature checking less complicated.
2024-06-10 17:33:10 +02:00
Aram Sargsyan
c7f79a0353
Add a quota for SIG(0) signature checks
In order to protect from a malicious DNS client that sends many
queries with a SIG(0)-signed message, add a quota of simultaneously
running SIG(0) checks.

This protection can only help when named is using more than one worker
threads. For example, if named is running with the '-n 4' option, and
'sig0checks-quota 2;' is used, then named will make sure to not use
more than 2 workers for the SIG(0) signature checks in parallel, thus
leaving the other workers to serve the remaining clients which do not
use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are
offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain
clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum
amount of time for named to wait for a quota to appear. If during that
time no new quota becomes available, named will answer to the client
with DNS_R_REFUSED.
2024-06-10 17:33:08 +02:00
Matthijs Mekking
c1ac8b6ad0
Log rekey failure as error if too many records
By default we log a rekey failure on debug level. We should probably
change the log level to error. We make an exception for when the zone
is not loaded yet, it often happens at startup that a rekey is
run before the zone is fully loaded.
2024-06-10 16:55:12 +02:00
Matthijs Mekking
82635e56d8
Log error when update fails
The new "too many records" error can make an update fail without the
error being logged. This commit fixes that.
2024-06-10 16:55:12 +02:00
Evan Hunt
7dd6b47ace
fix a memory leak that could occur when signing
when signatures were not added because of too many types already
existing at a node, the diff was not being cleaned up; this led to
a memory leak being reported at shutdown.
2024-06-10 16:55:12 +02:00
Ondřej Surý
52b3d86ef0
Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k).  As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).

Add a configurable limit to cap the number of the RR types for a single
owner.  This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
2024-06-10 16:55:09 +02:00
Ondřej Surý
32af7299eb
Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.

Add a configurable limit to cap the number of the RRs in a single RRSet.
This is enforced at the database (rbtdb, qpzone, qpcache) level and
configured with new max-records-per-type configuration option that can
be configured globally, per-view and per-zone.
2024-06-10 16:55:07 +02:00
Ondřej Surý
e28266bfbc
Remove the extra memory context with own arena for sending
The changes in this MR prevent the memory used for sending the outgoing
TCP requests to spike so much.  That strictly remove the extra need for
own memory context, and thus since we generally prefer simplicity,
remove the extra memory context with own jemalloc arenas just for the
outgoing send buffers.
2024-06-10 16:48:54 +02:00
Ondřej Surý
4c2ac25a95
Limit the number of DNS message processed from a single TCP read
The single TCP read can create as much as 64k divided by the minimum
size of the DNS message.  This can clog the processing thread and trash
the memory allocator because we need to do as much as ~20k allocations in
a single UV loop tick.

Limit the number of the DNS messages processed in a single UV loop tick
to just single DNS message and limit the number of the outstanding DNS
messages back to 23.  This effectively limits the number of pipelined
DNS messages to that number (this is the limit we already had before).
2024-06-10 16:48:54 +02:00
Ondřej Surý
452a2e6348
Replace the tcp_buffers memory pool with static per-loop buffer
As a single thread can process only one TCP send at the time, we don't
really need a memory pool for the TCP buffers, but it's enough to have
a single per-loop (client manager) static buffer that's being used to
assemble the DNS message and then it gets copied into own sending
buffer.

In the future, this should get optimized by exposing the uv_try API
from the network manager, and first try to send the message directly
and allocate the sending buffer only if we need to send the data
asynchronously.
2024-06-10 16:48:53 +02:00
Aram Sargsyan
982eab7de0
ns_client: reuse TCP send buffers
Constantly allocating, reallocating and deallocating 64K TCP send
buffers by 'ns_client' instances takes too much CPU time.

There is an existing mechanism to reuse the ns_clent_t structure
associated with the handle using 'isc_nmhandle_getdata/_setdata'
(see ns_client_request()), but it doesn't work with TCP, because
every time ns_client_request() is called it gets a new handle even
for the same TCP connection, see the comments in
streamdns_on_complete_dnsmessage().

To solve the problem, we introduce an array of available (unused)
TCP buffers stored in ns_clientmgr_t structure so that a 'client'
working via TCP can have a chance to reuse one (if there is one)
instead of allocating a new one every time.
2024-06-10 16:48:53 +02:00
Ondřej Surý
4e7c4af17f
Throttle reading from TCP if the sends are not getting through
When TCP client would not read the DNS message sent to them, the TCP
sends inside named would accumulate and cause degradation of the
service.  Throttle the reading from the TCP socket when we accumulate
enough DNS data to be sent.  Currently this is limited in a way that a
single largest possible DNS message can fit into the buffer.
2024-06-10 16:48:52 +02:00
Artem Boldariev
d80dfbf745
Keep the endpoints set reference within an HTTP/2 socket
This commit ensures that an HTTP endpoints set reference is stored in
a socket object associated with an HTTP/2 stream instead of
referencing the global set stored inside a listener.

This helps to prevent an issue like follows:

1. BIND is configured to serve DoH clients;
2. A client is connected and one or more HTTP/2 stream is
created. Internal pointers are now pointing to the data on the
associated HTTP endpoints set;
3. BIND is reconfigured - the new endpoints set object is created and
promoted to all listeners;
4. The old pointers to the HTTP endpoints set data are now invalid.

Instead referencing a global object that is updated on
re-configurations we now store a local reference which prevents the
endpoints set objects to go out of scope prematurely.
2024-06-10 16:40:12 +02:00
Artem Boldariev
c41fb499b9
DoH: avoid potential use after free for HTTP/2 session objects
It was reported that HTTP/2 session might get closed or even deleted
before all async. processing has been completed.

This commit addresses that: now we are avoiding using the object when
we do not need it or specifically check if the pointers used are not
'NULL' and by ensuring that there is at least one reference to the
session object while we are doing incoming data processing.

This commit makes the code more resilient to such issues in the
future.
2024-06-10 16:40:10 +02:00
Ondřej Surý
086b63f56d Use isc_queue to implement wait-free deadnodes queue
Replace the ISC_LIST based deadnodes implementation with isc_queue which
is wait-free and we don't have to acquire neither the tree nor node lock
to append nodes to the queue and the cleaning process can also
copy (splice) the list into a local copy without acquiring the list.

Currently, there's little benefit to this as we need to hold those
locks anyway, but in the future as we move to RCU based implementation,
this will be ready.

To align the cleaning with our event loop based model, remove the
hardcoded count for the node locks and use the number of the event loops
instead.  This way, each event loop can have its own cleaning as part of
the process.  Use uniform random numbers to spread the nodes evenly
between the buckets (instead of hashing the domain name).
2024-06-05 09:19:56 +02:00
Ondřej Surý
a9b4d42346 Add isc_queue implementation on top of cds_wfcq
Add an isc_queue implementation that hides the gory details of cds_wfcq
into more neat API.  The same caveats as with cds_wfcq.

TODO: Add documentation to the API.
2024-06-05 09:19:56 +02:00
Mark Andrews
56c3dcc5d7 Update resquery_senddone handling of ISC_R_TIMEDOUT
Treat timed out as an address specific error.
2024-06-04 00:15:48 +10:00
Mark Andrews
4e3dd85b8d Update resquery_senddone handling of ISC_R_CONNECTIONRESET
Treat connection reset as an address specific error.
2024-06-04 00:15:48 +10:00
Mark Andrews
180b1e7939 Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c
These error codes should be treated like other unreachable error
codes.
2024-06-04 00:15:48 +10:00
Mark Andrews
05472e63e8 Don't do DS checks over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
d026dbe536 Don't forward UPDATE messages over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
5d99625515 Don't send NOTIFY over disabled address families 2024-06-03 18:34:31 +10:00
Mark Andrews
2cd4303249 Report non-effective primaries
When named is started with -4 or -6 and the primaries for a zone
do not have an IPv4 or IPv6 address respectively issue a log message.
2024-06-03 18:34:31 +10:00
Mark Andrews
ecdde04e63 Zone transfers should honour -4 and -6 options
Check if the address family has been disabled when transferring
zones.
2024-06-03 18:34:31 +10:00
Mark Andrews
9be1873ef3 Add helper function isc_sockaddr_disabled 2024-06-03 18:34:31 +10:00
Matthijs Mekking
c40e5c8653 Call reset_shutdown if uv_tcp_close_reset failed
If uv_tcp_close_reset() returns an error code, this means the
reset_shutdown callback has not been issued, so do it now.
2024-06-03 10:14:47 +02:00
Matthijs Mekking
5b94bb2129 Do not runtime check uv_tcp_close_reset
When we reset a TCP connection by sending a RST packet, do not bother
requiring the result is a success code.
2024-06-03 10:14:47 +02:00
Mark Andrews
87e3b9dbf3 Pass a memory context in to dns_cache_create 2024-05-31 15:40:32 +10:00
Mark Andrews
5e77edd074 Use a new memory context when flushing the cache
When the cache's memory context was in over memory state when the
cache was flushed it resulted in LRU cleaning removing newly entered
data in the new cache straight away until the old cache had been
destroyed enough to take it out of over memory state.  When flushing
the cache create a new memory context for the new db to prevent this.
2024-05-31 15:40:32 +10:00
Ondřej Surý
3310cac2b0
Create the new database for AXFR from the dns_zone API
The `axfr_makedb()` didn't set the loop on the newly created database,
effectively killing delayed cleaning on such database.  Move the
database creation into dns_zone API that knows all the gory details of
creating new database suitable for the zone.
2024-05-29 08:30:19 +02:00
Aram Sargsyan
4d3c31b928
fixup! Merge branch 'ondrej/light-cleanup-of-rdataslab' into 'main' 2024-05-25 11:47:33 +02:00
Ondřej Surý
3feabc8a22
Cleanup the dns_cache unit
Remove duplicate code and use ISC_REFCOUNT_{DECL,IMPL} macros.
2024-05-25 11:47:33 +02:00
Ondřej Surý
03ed19cf71
Refactor the common buffer manipulation in rdataslab.c in macros
The rdataslab.c was full of code like this:

        length = raw[0] * 256 + raw[1];

and

        count2 = *current2++ * 256;
        count2 += *current2++;

Refactor code like this into peek_uint16() and get_uint16 macros
to prevent code repetition and possible mistakes when copy and
pasting the same code over and over.

As a side note for an entertainment of a careful reader of the commit
messages: The byte manipulation was changed from multiplication and
addition to shift with or.

The difference in the assembly looks like this:

MUL and ADD:

	movzx   eax, BYTE PTR [rdi]
        movzx   edi, BYTE PTR [rdi+1]
        sal     eax, 8
        or      edi, eax

SHIFT and OR:

        movzx   edi, WORD PTR [rdi]
        rol     di, 8
        movzx   edi, di

If the result and/or buffer is then being used after the macro call,
there's more differences in favor of the SHIFT+OR solution.
2024-05-24 09:52:45 +02:00
Aydın Mercan
03a59cbb04 reinsert accidentally removed + in db trace
It only affects development when using `DNS_DB_TRACE`.
2024-05-17 18:11:23 -07:00
Aydın Mercan
49e62ee186 fix typing mistakes in trace macros
The detach function declaration in `ISC__REFCOUNT_TRACE_DECL` had an
returned an accidental implicit int. While not allowed since C99, it
became an error by default in GCC 14.

`ISC_REFCOUNT_TRACE_IMPL` and `ISC_REFCOUNT_STATIC_TRACE_IMPL` expanded
into the wrong macros, trying to declare it again with the wrong number
of parameters.
2024-05-17 18:11:23 -07:00
Mark Andrews
b7de2c7cb9 Clang-format header file changes 2024-05-17 16:03:21 -07:00
Mark Andrews
6e9ed4983e add test cases for several FORMERR code paths:
- duplicated question
  - duplicated answer
  - qtype as an answer
  - two question types
  - question names
  - nsec3 bad owner name
  - short record
  - short question
  - mismatching question class
  - bad record owner name
  - mismatched class in record
  - mismatched KEY class
  - OPT wrong owner name
  - invalid RRSIG "covers" type
  - UPDATE malformed delete type
  - TSIG wrong class
  - TSIG not the last record
2024-05-17 13:39:22 +10:00
Evan Hunt
9c882f1e69 replace qpzone node attriutes with atomics
there were TSAN error reports because of conflicting uses of
node->dirty and node->nsec, which were in the same qword.

this could be resolved by separating them, but we could also
make them into atomic values and remove some node locking.
2024-05-17 00:33:35 +00:00
Matthijs Mekking
f882101265 Rewrite qp fix_iterator()
The fix_iterator() function had a lot of bugs in it and while fixing
them, the number of corner cases and the complexity of the function
got out of hand. Rewrite the function with the following modifications:

The function now requires that the iterator is pointing to a leaf node.
This removes the cases we have to deal when the iterator was left on a
dead branch.

From the leaf node, pop up the iterator stack until we encounter the
branch where the offset point is before the point where the search key
differs. This will bring us to the right branch, or at the first
unmatched node, in which case we pop up to the parent branch. From
there it is easier to retrieve the predecessor.

Once we are at the right branch, all we have to do is find the right
twig (which is either the twig for the character at the position where
the search key differs, or the previous twig) and walk down from there
to the greatest leaf or, in case there is no good twig, get the
previous twig from the successor and get the greatest leaf from there.

If there is no previous twig to select in this branch, because every
leaf from this branch node is greater than the one we wanted, we need
to pop up the stack again and resume at the parent branch. This is
achieved by calling prevleaf().
2024-05-16 09:49:41 +00:00
Matthijs Mekking
8b8c16d7a4 Get anyleaf when qp lookup is on a dead end branch
Move the fix_iterator out of the loop and only call it when we found
a leaf node. This leaf node may be the wrong leaf node, but fix_iterator
should correct that.

Also, when we don't need to set the iterator, just get any leaf. We
only need to have a leaf for the qpkey_compare and the end result does
not matter if compare was against an ancestor leaf or any leaf below
that point.
2024-05-16 09:49:41 +00:00
Mark Andrews
ec3c624814 Properly build the NSEC/NSEC3 type bit map
DNSKEY was incorrectly being added to the NESC/NSEC3 type bit map
when it was obscured by the delegation.  This lead to zone verification
failures.
2024-05-16 10:27:49 +10:00
Mark Andrews
e84615629f Properly update 'maxtype'
'maxtype' should be checked to see if it should be updated whenever
a type is added to the type map.
2024-05-16 10:20:49 +10:00
Ondřej Surý
eb862ce509
Properly attach/detach isc_httpd in case read ends earlier than send
An assertion failure would be triggered when sending the TCP data ends
after the TCP reading gets closed.  Implement proper reference counting
for the isc_httpd object.
2024-05-15 12:22:10 +02:00
Evan Hunt
b6815de316 Fix QP chain on partial match
When searching for a requested name in dns_qp_lookup(), we may add
a leaf node to the QP chain, then subsequently determine that the
branch we were on was a dead end. When that happens, the chain can be
left holding a pointer to a node that is *not* an ancestor of the
requested name.

We correct for this by unwinding any chain links with an offset
value greater or equal to that of the node we found.
2024-05-14 12:58:46 -07:00
Matthijs Mekking
91de4f6490 Refactor fix_iterator
The code below the if/else construction could only be run if the 'if'
code path was taken. Move the code into the 'if' code block so that
it is more easier to read.
2024-05-14 12:58:46 -07:00
Aydın Mercan
e037520b92
Keep track of the recursive clients highwater
The high-water allows administrators to better tune the recursive
clients limit without having to to poll the statistics channel in high
rates to get this number.
2024-05-10 12:08:52 +03:00
Aydın Mercan
09e4fb2ffa
Return the old counter value in isc_stats_increment
Returning the value allows for better high-water tracking without
running into edge cases like the following:

0. The counter is at value X
1. Increment the value (X+1)
2. The value is decreased multiple times in another threads (X+1-Y)
3. Get the value (X+1-Y)
4. Update-if-greater misses the X+1 value which should have been the
   high-water
2024-05-10 12:08:52 +03:00
Mark Andrews
88c48dde5e Stop processing catalog zone changes when shutting down
Abandon catz_addmodzone_cb  and catz_delzone_cb processing if the
loop is shutting down.
2024-05-09 08:17:44 +10:00
Mark Andrews
307e3ed9a6 catzs->view should maintain a view reference
Use dns_view_weakattach and dns_view_weakdetach to maintain a
reference to the view referenced through catzs->view.
2024-05-09 08:17:44 +10:00
Mark Andrews
799046929c Only check SVBC alias forms at higher levels
Allow SVBC (HTTPS) alias form with parameters to be accepted from
the wire and when transfered.  This is for possible future extensions.
2024-05-07 11:20:49 +10:00
Mark Andrews
efd27bb82d Remove infinite loop on ISC_R_NOFILE
When parsing a zonefile named-checkzone (and others) could loop
infinitely if a directory was $INCLUDED.  Record the error and treat
as EOF when looking for multiple errors.

This was found by Eric Sesterhenn from X41.
2024-05-07 10:01:12 +10:00
Mark Andrews
371824f078 Address infinite loop when processing $GENERATE
In nibble mode if the value to be converted was negative the parser
would loop forever.  Process the value as an unsigned int instead
of as an int to prevent sign extension when shifting.

This was found by Eric Sesterhenn from X41.
2024-05-07 09:19:43 +10:00
Matthijs Mekking
5d7e613e81 RPZ response's SOA record is incorrectly set to 1
An RPZ response's SOA record TTL is set to 1 instead of the SOA TTL,
a boolean value is passed on to query_addsoa, which is supposed to be
a TTL value. I don't see what value is appropriate to be used for
overriding, so we will pass UINT32_MAX.
2024-05-06 11:38:36 +02:00
Aram Sargsyan
8052848d50 Fix a bug in expireheader() call arguments order
The expireheader() call in the expire_ttl_headers() function
is erroneous as it passes the 'nlocktypep' and 'tlocktypep'
arguments in a wrong order, which then causes an assertion
failure.

Fix the order of the arguments so it corresponds to the function's
prototype.
2024-05-02 08:38:35 +00:00
Evan Hunt
f81bf6bafd handle QP lookups involving escaped characters better
in QP keys, characters that are not common in DNS names are
encoded as two-octet sequences. this caused a glitch in iterator
positioning when some lookups failed.

consider the case where we're searching for "\009" (represented
in a QP key as {0x03, 0x0c}) and a branch exists for "\000"
(represented as {0x03, 0x03}). we match on the 0x03, and continue
to search down. at the point where we find we have no match,
we need to pop back up to the branch before the 0x03 - which may
be multiple levels up the stack - before we position the iterator.
2024-05-01 00:36:51 -07:00
Evan Hunt
4b02246130 fix more ambiguous struct names
there were some structure names used in qpcache.c and qpzone.c that
were too similar to each other and could be confusing when debugging.
they have been changed as follows:

in qcache.c:
- changed_t was unused, and has been removed
- search_t -> qpc_search_t
- qpdb_rdatasetiter_t -> qpc_rditer_t
- qpdb_dbiterator_t -> qpc_dbiter_t

in qpzone.c:
- qpdb_changed_t -> qpz_changed_t
- qpdb_changedlist_t -> qpz_changedlist_t
- qpdb_version_t -> qpz_version_t
- qpdb_versionlist_t -> qpz_versionlist_t
- qpdb_search_t -> qpz_search_t
- qpdb_load_t -> qpz_search_t
2024-04-30 12:50:01 -07:00
Evan Hunt
e300dfce46 use dns_qp_getname() where possible
some calls to dns_qp_lookup() do not need partial matches, QP chains
or QP iterators. in these cases it's more efficient to use
dns_qp_getname().
2024-04-30 12:50:01 -07:00
Evan Hunt
2789e58473 get foundname from the node
when calling dns_qp_lookup() from qpcache, instead of passing
'foundname' so that a name would be constructed from the QP key,
we now just use the name field in the node data. this makes
dns_qp_lookup() run faster.

the same optimization has also been added to qpzone.

the documentation for dns_qp_lookup() has been updated to
discuss this performance consideration.
2024-04-30 12:50:01 -07:00
Evan Hunt
04d319afe4 include the nodenames when calculating memory to purge
when the cache is over memory, we purge from the LRU list until
we've freed the approximate amount of memory to be added. this
approximation could fail because the memory allocated for nodenames
wasn't being counted.

add a dns_name_size() function so we can look up the size of nodenames,
then add that to the purgesize calculation.
2024-04-30 12:50:01 -07:00
Evan Hunt
a8bda6ff1e simplify qpcache iterators
in a cache database, unlike zones, NSEC3 records are stored in
the main tree. it is not necessary to maintain a separate 'nsec3'
tree, nor to have code in the dbiterator implementation to traverse
from one tree to another.

(if we ever implement synth-from-dnssec using NSEC3 records, we'll
need to revert this change. in the meantime, simpler code is better.)
2024-04-30 12:50:01 -07:00
Evan Hunt
7ff43befb7 clean up unnecessary dbiterator code related to origin
the QP database doesn't support relative names as the RBTDB did, so
there's no need for a 'new_origin' flag or to handle `DNS_R_NEWORIGIN`
result codes.
2024-04-30 12:42:32 -07:00
Evan Hunt
85ab92b6e0 more cleanups in qpcache.c
- remove unneeded struct members and misleading comments.
- remove unused parameters for static functions.
- rename 'find_callback' to 'delegating' for consistency with qpzone;
  the find callback mechanism is not used in QP databases.
2024-04-30 12:42:31 -07:00
Evan Hunt
3acab71d46 rename QPDB_HEADERNODE to HEADERNODE
this makes the macro consistent between qpcache.c and qpzone.c.

also removed a redundant definition of HEADERNODE in qpzone.c.
2024-04-30 12:42:31 -07:00