`named-checkconf` now supports the command line switch `-b`, which prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Closes#1326
Merge branch '1326-named-checkconf-builtin' into 'main'
See merge request isc-projects/bind9!11177
`named-checkconf` now supports the command line switch `-b`, which
prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Previously, :iscman:`dig` could exit with an assertion failure when the server was specified before the :option:`dig -b` option. This has been fixed.
Closes#5609
Merge branch '5609-fix-dig-crash-with-at-and-dash-b-on-main' into 'main'
See merge request isc-projects/bind9!11183
Check that dig doesn't exit with an assertion failure when a IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
Previously, if there's no more server to try in force_next,
it attempted to retry the current server similar to a query
timeout case. But, force_next() is called only when the
current server's address is unusable and the query was not
even sent, so recvcount was not incremented, causing an
assertion failure.
We might be able to fix it so the retry doesn't cause a crash,
but it doesn't make sense to retry the server when its address
is known to be unusable. So, simply avoiding the retry would be
the easiest and safest way to prevent the crash.
Without this, start_udp or start_tcp would trigger an assertion
failure. Detaching it at this point is also consistent with
other failure handling cases, such as in recv_done.
Extended DNS Error 24 (Invalid Data) is returned when the server cannot answer data for a zone it is configured for. This occurs typically when an authoritative server does not have loaded the DB of a configured zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
See #1836
Merge branch 'colin/ede24' into 'main'
See merge request isc-projects/bind9!11169
When a (secondary) zone is expired, the log message `<zone> expired` is
printed and the flag `DNS_ZONEFLG_EXPIRED` is set. Change the order by
setting the expired flag first, then printing the log.
This should fixes (rare but persistent) timing-related CI error when the
EDE 24 tests expect the zone to be expired (from the log) and
immediately after request and expect an EDE 24 error. (In some rare
cases, the server was still answering the response).
Add system test covering EDE 24 being added in the response in both
common cases: when the server has not loaded the DB of a zone and when
the zone has expired (secondary).
Extended DNS Error 24 (Invalid Data) is returned when the server cannot
answer data for a zone it is configured for. This occurs typically when
an authoritative server does not have loaded the DB of a configured
zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
If `query_getzonedb()` finds a zone but the zone is expired it
immediately returns `DNS_R_EXPIRED` and doesn't attempt to get the zone
DB (which would be NULL in this case).
This enable caller to have a more precise reason of why getting the DB
has failed.
Introduce the `dns_zone_isexpired()` API which returns `true` when a
secondary, mirror, etc. zone is expired.
This internally use the `DNS_ZONEFLG_EXPIRED` which was already set when
the zone gets expired, but never used.
The flag `DNS_ZONEFLG_EXPIRED` is also now cleared when the expiration
time of the zone is updated and in the future.
CID 638286: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->notifyctx.notify_acl" without holding
the lock "dns_zone.lock". Elsewhere, reading this data does have the
lock, so it makes sense that in the getter function this must also be
so. However, the function is unused so we can just remove it.
CID 638287: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->locked" without holding the lock
"dns_zone.lock". I think this is a false positive as "dns__zone_lock()"
and "dns__zone_unlock() are wrappers around "LOCK_ZONE()" and
"UNLOCK_ZONE()" and where these macros were used they were only
replaced with the internal zone functions. Moreover, "zone->locked"
is only accessed in these macros (and "TRYLOCK_ZONE()" and
"LOCKED_ZONE()").
Changes introduced by 72862c2a moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Merge branch 'colin/fix-reuseport-default' into 'main'
See merge request isc-projects/bind9!11180
Changes introduced by 72862c2abc moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Move notify code in separate source files in preparation for support of generalized DNS notifications.
Merge branch 'matthijs-refactor-notify-code-2' into 'main'
See merge request isc-projects/bind9!11146
Move dns_notify_destroy, dns_notify_log, dns_notify_cancel,
dns_notify_queue, dns_notify_isqueued, dns_notify_find_address, and
notify related static functions over to the notify source files.
Part of refactoring zone.c is to move the notify code into its own
source files. This commit initiates this work by creating notify.[c,h]
and move notify_create() and the notify state and context there.
The function notify_create() cannot fail, so it can return void instead
of isc_result_t.
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
Merge branch '5442-ixfr-no-log-alloc' into 'main'
See merge request isc-projects/bind9!11178
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
The built-in configuration is actually used in two cases: first, when the server is loaded (or reloaded), and second when `rndc showconf -builtin` is called.
Considering the parsing of the builtin configuration is quick and does not occur during exclusive mode, but the configuration tree takes considerable memory space, the built-in configuration is no longer kept in memory once it has been used; instead it is re-parsed on demand.
Merge branch 'colin/not-persist-builtin-config' into 'main'
See merge request isc-projects/bind9!11187
The built-in configuration is actually used in two cases: first, when
the server is loaded (or reloaded), and second when
'rndc showconf -builtin' is called.
Considering the parsing of the builtin configuration is quick and does
not occur during exclusive mode, but the configuration tree takes
considerable memory space, the built-in configuration is no longer kept
in memory once it has been used; instead it is re-parsed on demand.
Once the user configuration has been merged into the effective configuration, it no longer needs to be accessed as a configuration tree, but we still want to be able to show it with `rndc showconf -user`.
Because the recursive strucure of `cfg_obj` objects is fairly large, the canonical text form is a fraction of the size of the configuration tree, so we now save it in that form instead.
Merge branch 'each-userconfig-text' into 'main'
See merge request isc-projects/bind9!11185
once the user configuration has been merged into the effective
configuration, it no longer needs to be accessed as a configuration
tree, but we still want to be able to show it with 'rndc showconf -user'.
because the recursive strucure of cfg_obj objects is fairly large, the
canonical text form is a fraction of the size of the configuration
tree, so we now save it in that form instead.
Instead of having `isc_sockaddr`, `isc_netaddr`, and `isccfg_duration` members in the `cfg_obj->value`
union, we now just keep pointers to them, and allocate memory when parsing these types. This reduces the
size of `cfg_obj_t` from 112 bytes to 72.
Merge branch 'each-refactor-cfg-obj' into 'main'
See merge request isc-projects/bind9!11186
instead of having sockaddr and netaddr members in the cfg_obj->value
union, we now just keep pointers, and allocate memory when parsing
these types. this reduces the size of cfg_obj_t from 112 to 80 bytes.
The `sun_path` field is not used anymore, and consumes over a hundred bytes for every `isc_netaddr_t` object. Remove it.
As `isc_netaddr_t` is used in `cfg_obj_t`, in some huge configuration trees (e.g., a million zones), the gain is almost 1GB of resident memory.
Merge branch 'colin/remove-sun-path' into 'main'
See merge request isc-projects/bind9!11184
The sun_path field is not used anymore, and consumes over a hundred
bytes for every isc_netaddr_t object. Remove it.
As isc_netaddr_t is used in cfg_obj_t, in some huge configuration trees
(e.g., a million zones), the gain is almost 1GB of resident memory.
The new `rndc showconf` command prints the running server configuration. There are three options:
- `rndc showconf -user` displays the user configuration (i.e., the contents of `named.conf`).
- `rndc showconf -builtin` displays the default settings, similar to `named -H`.
- `rndc showconf -effective` displays the effective configuration. This is the merged combination of the `-user` and `-builtin` configurations.
Closes#1075
Merge branch 'colin/effective-config-rndc' into 'main'
See merge request isc-projects/bind9!11123
Add system tests covering the rndc showconf command. It doesn't
attempt to check the whole effective configuration (as any change to the
builtin configuration would break it) but instead ensures that some parts
of the user config are present, as well as some parts of the builtin
config as well.
It also checks that the effective config (in this context of running
named instance) is about static configuration: a newly added zone is not
visible in the effective configuration.
add a new rndc command to dump server configuration info:
- "rndc showconf -user" dumps the contents of named.conf
- "rndc showconf -builtin" dumps named_g_defaltconfig
- "rndc showconf -effective" dumps the effective configuration,
i.e., the merger of the builtin and the user configurations.
instead of using an opaque ns_cfgctx pointer to store the configuration
data to be used by addzone and modzone, there are now fields in the
dns_view object to store the view configuration and LMDB database
environment. the global configuration is now stored in the named_server
object, along with the ACL context.
The new `named-checkconf -e` option prints the effective server configuration, including all the default settings, that would result from loading the specified configuration file into `named`.
Closes#2798
Merge branch 'colin/effective-config-checkconf' into 'main'
See merge request isc-projects/bind9!11122
Add a system test checking the command line switch -e of
named-checkconf. The test doesn't care about the whole output of the
effective configuration (in particular to avoid breaking the test for
each default statement that would change) but instead just ensure the
effective configuration is actually returned by checking the presence of
the _bind chaos builtin view as well a user provided view and option
change.
New command line switch `-e` introduced to `named-checkconf`. It acts
like `-p` but instead it print the effective configuration rather than
the user configuration.
The configuration mechanism for `named` has been changed: instead of loading the user configuration from `named.conf` and then, statement-by-statement, picking values from there or from the built-in default configuration, we now merge the user configuration and the default configuration together, then pass the resulting "effective configuration" to `apply_configuration()`.
The new `cfg_effective_config()` function takes a user configuration tree and the built-in default configuration tree, and returns a new effective configuration tree. It works by cloning the user configuration (see !11124) into the effective tree, then walking through the clauses defined in it. If a clause is not in the user config but is present in the defaults, the default version is cloned and attached to the effective tree. If a clause is in both trees, then depending on the statement semantics, either the user configuration overrides the default, or the two are merged. Because these semantics are now handled before `apply_configuration()` runs, that function has been substantially simplified.
Future MRs will enable the effective configuration to be printed, either by `rndc` (!11123) or `named-checkconf` (!11122). The default configuration has been moved to an include file which is accessible to both `named` and `named-checkconf`.
Merge branch 'colin/effective-config-internal' into 'main'
See merge request isc-projects/bind9!11121
In order to harden `cfg_obj_t` usage now the configuration tree is
manipulated in various ways (cloned, merged, etc.), this introduce the
VALID_CFGOBJ macro to check the validity of a `cfg_obj_t` node.
Since the builtin trust-anchors are now called `builtin-trust-anchors`,
delv needs specific handling in order to be able to parse those when
they are used.
Before, delv was simply parsing a single clause (either in the case of
an overriden trust-anchors value from bindkeys file or by simply reading
the builtin value). But since the name changed, the same code can't be
shared and the builtin version is expected to be in a map.
instead of parsing the default configuration to extract the
geoip-directory value, we can just construct the value the same way
it's done for the defaults.
Since the effective configuration tree is a "merged" configuration tree
from the user and the default configurations, the effective configuration
provides a unique configuration tree used by apply_confiuration() to
configure the server.
However, there is one specific case where the configuration code needs
to differentiate whether the configuration originally came from the
default or the user configuration: the trust-anchors. This is because
the default trust-anchors _have_ to be those for the root zone, and the
one provided by the user can be for any zone. A check enforces this.
In order to keep this difference visible from the configuration code,
with a unique configuration tree, we now introduce a default-only
`builtin-trust-anchors` statement which holds the builtin root
trust-anchors. It can't be used from the user configuration (this would
raise an error), hence it is not documented.
The effective configuration now contains the actual named configuration
as a unified user/global single tree instance. We now provide this to
apply_configuration() instead of the user configuration.
The serve-stale system test relies on sed accessing the source
file that hard-codes the default configuration. Since it moved from
bin/named/config.c into bin/include/defaultconfig.h, the test needs
the path updated.
There are multiple check-names options provided in the default
configuration, and they must "complete" those provided by the user.
This is now handled when building the effective tree.
The prefetch statement can be overriden by the user, but the user might
specify the prefetch without the trigger value, which needs to be
pulled from the default configuration. Handle this case by directly
getting the default value if needed from the default configuration when
building the effective configuration tree.
Also take care of keeping the values inside their bounds, and simplify
the server configuration code which then just have to read effective
configuration values.
