A remote client can force the DNS resolver component to consume memory faster than the resources for the canceled resolver fetches are cleaned up due to the `recursive-clients` limit. If such a traffic pattern is sustained for a long period of time, the DNS server might eventually run out of available memory. This has been fixed.
It should be noted that under such a heavy attack, for BIND 9 versions both with and without the fix, no outgoing DNS queries will be successful, as the generated traffic pattern will consume all the available slots for the recursive clients.
Merge branch '5110-backport-the-hashtable-use-for-fetchcontexts-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9961
When the recursive-clients value is too large, the linked lists holding
the fetch contexts can also grow large and since the algorithm to merge
outgoing queries is quadratic, named can get slow.
Replace the linked list with hashtable for faster lookups. This also
allows us to reduce the number of tasks (buckets) in the resolver.
Prevent lock contention among many worker threads referring to the same database node at the same time. This would improve zone and cache database performance for the heavily contended database nodes.
Backport of !9963
Closes #5130
Merge branch '5130-reduce-lock-contention-in-decrement-reference-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9965
Previously, this function always acquires a node write lock if it
might need node cleanup in case the reference decrements to 0. In
fact, the lock is unnecessary if the reference is larger than 1 and it
can be optimized as an "easy" case. This optimization could even be
"necessary". In some extreme cases, many worker threads could repeat
acquiring and releasing the reference on the same node, resulting in
severe lock contention for nothing (as the ref wouldn't decrement to 0
in most cases). This change would prevent noticeable performance
drop like query timeout for such cases.
Co-authored-by: JINMEI Tatuya <jtatuya@infoblox.com>
Co-authored-by: Ondřej Surý <ondrej@isc.org>
(cherry picked from commit 7f4471594d)
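The "easy case" described in the commit message above, as an added example that is not BIND's own code: a compare-and-swap loop drops the reference without the lock whenever the count stays above zero, and only a possible last reference takes the lock. `node_t`, `node_unref`, `churn` and the `lock_taken` counter are hypothetical names, and a pthread mutex stands in for the node write lock.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a database node; not BIND's own structure. */
typedef struct {
	atomic_uint_fast32_t refs;
	pthread_mutex_t lock; /* stands in for the node write lock */
	unsigned lock_taken;  /* instrumentation for this example only */
} node_t;

void node_init(node_t *n) {
	atomic_init(&n->refs, 1);
	pthread_mutex_init(&n->lock, NULL);
	n->lock_taken = 0;
}

/* Drop one reference; returns true if this call released the last one. */
bool node_unref(node_t *n) {
	uint_fast32_t cur = atomic_load(&n->refs);
	/* Easy case: the count stays above zero, so no cleanup and no lock. */
	while (cur > 1)
		if (atomic_compare_exchange_weak(&n->refs, &cur, cur - 1))
			return false;
	/* Hard case: possibly the last reference, so serialise the cleanup. */
	pthread_mutex_lock(&n->lock);
	n->lock_taken++;
	bool last = (atomic_fetch_sub(&n->refs, 1) == 1);
	pthread_mutex_unlock(&n->lock);
	return last;
}

/* Take and drop an extra reference 'rounds' times; report lock acquisitions. */
unsigned churn(node_t *n, unsigned rounds) {
	for (unsigned i = 0; i < rounds; i++) {
		atomic_fetch_add(&n->refs, 1);
		node_unref(n);
	}
	return n->lock_taken;
}

int main(void) {
	node_t n;
	node_init(&n);
	printf("lock acquisitions during churn: %u\n", churn(&n, 100000));
	return node_unref(&n) ? 0 : 1;
}
```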
Shutdown the fetch context immediately after the last fetch has been canceled from that particular fetch context.
Merge branch 'ondrej/shutdown-the-fetch-context-early-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9960
Currently, the fetch context will continue running even when the last
fetch (response) has been removed from the context, so named can process
and cache the answer. This can lead to a situation where the number of
outgoing recursing clients exceeds the configured number for
recursive-clients.
Be more stringent about the recursive-clients limit and shutdown the
fetch context immediately after the last fetch has been canceled from
that particular fetch context.
The configuration option --with-tuning has been removed as it is no longer required or desired.
Merge branch 'ondrej/remove-tuning-large-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9959
The last remaining tuning value was RESOLVER_NTASKS and instead of
having variable number of the tasks per-cpu and in named and in
dns_client, set the number of the resolver tasks to 523 (number taken
from dns_client unit) to accommodate most of the recursive-clients
values.
* Reduce `sizeof(isc_sockaddr_t)` from 152 to 48 bytes
* Reduce `sizeof(struct isc__nm_uvreq)` from 1560 to 560 bytes
Partial backport of !8299
Merge branch 'ondrej/reduce-netmgr-memory-usage-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9953
The uv_req union member of struct isc__nm_uvreq contained libuv request
types that we don't use. Turns out that uv_getnameinfo_t is 1000 bytes
big and unnecessarily enlarged the whole structure. Remove all the
unused members from the uv_req union.
After removing sockaddr_unix from isc_sockaddr, we can also remove
sockaddr_storage and reduce the isc_sockaddr size from 152 bytes to just
48 bytes needed to hold IPv6 addresses.
(cherry picked from commit 2367b6a2e1)
TAGS files are generated from `make tags` using etags. Other index tags
are already ignored (GTAGS, GPATH, etc.). Also ignoring `TAGS`.
(cherry picked from commit 2164ea8abd)
Add performance tests of DoH using the GET protocol to nightly pipelines.
Backport of MR !9926
Merge branch 'backport-nicki/ci-shotgun-doh-get-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9940
When isc_rwlock_trylock() fails to get a read lock because another
writer was faster, it should wake up other waiting writers in case
there are no other readers, but the current code forgets about
the currently active writer when evaluating 'cntflag'.
Unset the WRITER_ACTIVE bit in 'cntflag' before checking to see if
there are other readers, otherwise the waiting writers, if they exist,
might not wake up.
Closes #5121
Merge branch 'aram/isc_rwlock_trylock-bugfix-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9937
When isc_rwlock_trylock() fails to get a read lock because another
writer was faster, it should wake up other waiting writers in case
there are no other readers, but the current code forgets about
the currently active writer when evaluating 'cntflag'.
Unset the WRITER_ACTIVE bit in 'cntflag' before checking to see if
there are other readers, otherwise the waiting writers, if they exist,
might not wake up.
coccinelle v1.1 trips over a superfluous isc_mem_get() NULL check in
tests/libtest/ns.c and reports the following failure in CI:
EXN: Failure("rule starting on line 26: already tagged token:\nC code context\nFile \"./tests/libtest/ns.c\", line 350, column 1, charpos = 7939\n around = 'if',\n whole content = \tif (qctx != NULL) {") in ./tests/libtest/ns.c
(cherry picked from commit cf76851c75)
Fix the loop terminating condition to get consistent sample sizes and increase the minimum number of samples from 20 to 40.
Closes #5091
Backport of MR !9894
Merge branch 'backport-5091-investigate-checking-startup-notify-rate-limit-failure-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9910
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition. Additionally 20 samples lead to test
failures. Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 22.
(cherry picked from commit 46388d07a2)
Closes #5088
Backport of MR !9884
Merge branch 'backport-5088-tests-irs-resconf_test-c-is-missing-check-callbacks-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9908
Include the recent changes such as:
- changes to running system tests
- gitlab development workflow
- changelog and release note process
Closes #5045
Backport of MR !9784
Merge branch 'backport-5045-update-contributing-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9903
Include the recent changes such as:
- changes to running system tests
- gitlab development workflow
- changelog and release note process
(cherry picked from commit 39485c1f70)
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.
Closes #5075
Backport of MR !9829
Merge branch 'backport-5075-database-rndc-reload-ensure-all-zones-loaded-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9901
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.
(cherry picked from commit 0bdd03db66)
The style guide now mentions clang-format, doesn't parenthesize return values, and no longer calls for backward compatibility in public function names.
Backport of MR !9892
Merge branch 'backport-each-style-update-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9897
It now mentions clang-format, doesn't parenthesize return values,
and no longer calls for backward compatibility in public function names.
(cherry picked from commit 9f7314eaa4)
The December releases suffer from the ns2/managed1.conf file not being
in the mkeys extra_artifacts. This manifests only when pytest is run
with the --setup-only option, which is the case in the
cross-version-config-tests CI job. The original issue is fixed in !9815,
but the fix will be effective only when subsequent releases are out.
(cherry picked from commit 97a9d7287c)
This allows easier identification of which burst is which in
named.run.
Backport of MR !9881
Merge branch 'backport-marka-use-different-burst-name-for-forensics-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9883
This subtest exercises static stub behaviour when server-addresses has an address. This was misidentified in the description.
Closes !9799
Backport of MR !9799
Merge branch 'backport-marka-fix-stub-subtest-description-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9880
The line after an unknown directive in resolv.conf could accidentally be skipped, potentially affecting dig, host, nslookup, nsupdate, or delv. This has been fixed.
Closes #5084
Backport of MR !9865
Merge branch 'backport-5084-plain-unknown-keyword-in-resolv-conf-not-handled-propely-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9878
Update to the new unit test framework.
Add a test for an unknown directive without any arguments.
Add test for an unknown directive without arguments, followed
by a search directive.
(cherry picked from commit c44c4fcbfb)
Only call eatline() to skip to the next line if we're not
already at the end of a line when parsing an unknown directive.
We were accidentally skipping the next line when there was only
a single unknown directive on the current line.
(cherry picked from commit eb78ad2080)
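The line-skipping bug described in the commit message above, reproduced in a small stand-alone parser (an added example, not the code from BIND's resolv.conf reader). `get_word`, `eat_line`, `count_nameservers` and the `fixed` switch are hypothetical names, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an unknown directive with no arguments comes first. */
static const char SAMPLE[] =
	"unknown-directive\n"
	"nameserver 192.0.2.1\n"
	"nameserver 192.0.2.2\n";

/* Read one word at *p; return the delimiter that ended it (0 at end of input). */
static int get_word(const char **p, char *buf, size_t len) {
	size_t n = 0;
	while (**p == ' ' || **p == '\t') (*p)++;
	while (**p != '\0' && **p != '\n' && **p != ' ' && **p != '\t') {
		if (n + 1 < len) buf[n++] = **p;
		(*p)++;
	}
	buf[n] = '\0';
	return (**p == '\0') ? 0 : *(*p)++;
}

/* Discard the rest of the current line, including its newline. */
static void eat_line(const char **p) {
	while (**p != '\0' && *(*p)++ != '\n') {}
}

/* Count nameserver lines the parser sees. fixed=0 always skips a line after
 * an unknown directive; fixed=1 skips only if the line has not ended yet. */
int count_nameservers(const char *conf, int fixed) {
	char word[64];
	int found = 0;
	while (*conf != '\0') {
		int delim = get_word(&conf, word, sizeof(word));
		int at_eol = (delim == '\n' || delim == 0);
		if (strcmp(word, "nameserver") == 0) {
			found++;
			if (!at_eol) eat_line(&conf); /* skip the address */
		} else if (word[0] != '\0' && (!fixed || !at_eol)) {
			eat_line(&conf); /* unknown directive */
		}
	}
	return found;
}

int main(void) {
	printf("before fix: %d, after fix: %d\n",
	       count_nameservers(SAMPLE, 0), count_nameservers(SAMPLE, 1));
	return 0;
}
```

With `fixed=0` the first nameserver line is silently dropped, so a client tool would fall back to the second server only.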
Prereq: isc-projects/images!345
Backport of MR !9612
Merge branch 'backport-mnowak/fedora-41-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9876
Prereq: isc-projects/images!359
Backport of MR !9872
Merge branch 'backport-mnowak/alpine-3.21-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9874
Commit af7db89513 as part of #4141 was supposed to apply the 'max-recursion-queries' quota to validator queries, but the counter was never actually passed on to 'dns_resolver_createfetch()'. This has been fixed, and the global query counter ('max-query-count', per client request) is now also added.
Related to #4980
Backport of MR !9856
Merge branch 'backport-4980-pass-counters-in-validator-createfetch-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9867