mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-04-18 09:44:09 +03:00

42960 Commits

Author SHA1 Message Date
Alessio Podda
1d14612bb9 fix: dev: Refactor to use list-like macro for message sections
In the code base it is very common to iterate over all names in a message
section and all rdatasets for each name, but various idioms are used for
iteration.

This commit standardizes them as much as possible to a single idiom,
through the macro `MSG_SECTION_FOREACH`, similar to the existing
`ISC_LIST_FOREACH`.

Merge branch 'alessio/message-namelist-refactor' into 'main'

See merge request isc-projects/bind9!10302
2025-03-27 03:23:47 +00:00
alessio
2f27d66450 Refactor to use list-like macro for message sections
In the code base it is very common to iterate over all names in a message
section and all rdatasets for each name, but various idioms are used for
iteration.

This commit standardizes them as much as possible to a single idiom,
using the macro MSG_SECTION_FOREACH, similar to the existing
ISC_LIST_FOREACH.
2025-03-27 03:09:46 +01:00
Evan Hunt
52a04a368b chg: nil: Move application of dns64 to a separate function
The code in `query_dns64()` that applies the dns64 prefixes to an A rdataset has been moved into the `dns_dns64` module, and `dns_dns64_destroy()` now unlinks the dns64 object from its containing list.

With these changes, we no longer need the list-manipulation API calls, `dns_dns64_next()` and `dns_dns64_unlink()`.

Merge branch 'each-simplify-dns64' into 'main'

See merge request isc-projects/bind9!10324
2025-03-27 00:06:22 +00:00
Evan Hunt
3188b1c055 move application of dns64 to a separate function
the code in query_dns64() that applies the dns64 prefixes to
an A rdataset has been moved into the dns_dns64 module, and
dns_dns64_destroy() now unlinks the dns64 object from its
containing list. with these changes, we no longer need the
list-manipulation API calls dns_dns64_next() and
dns_dns64_unlink().
2025-03-26 23:30:38 +00:00
Evan Hunt
db8c11ea0b dns_message_gettemp*() resets objects
callers of dns_message_gettemprdata() and dns_message_getrdatalist()
initialize the objects after retrieving them. this is no longer
necessary.
2025-03-26 23:30:38 +00:00
Evan Hunt
f70d8b4252 chg: usr: Improve the LRU cache-expiration mechanism
Improve the LRU cache-expiration mechanism to a SIEVE-LRU based mechanism that triggers when the cache is close to the `max-cache-size` limit.  This improves the recursive server performance.

Merge branch 'ondrej/sieve' into 'main'

See merge request isc-projects/bind9!10153
2025-03-26 23:21:15 +00:00
Ondřej Surý
1233dc8a61 Add isc_sieve unit implementing SIEVE-LRU algorithm
This is the core implementation of the SIEVE algorithm described in the
following paper:

  Zhang, Yazhuo, Juncheng Yang, Yao Yue, Ymir Vigfusson, and K V
  Rashmi. "SIEVE Is Simpler than LRU: An Efficient Turn-Key Eviction
  Algorithm for Web Caches," n.d. Available online from
  https://junchengyang.com/publication/nsdi24-SIEVE.pdf
2025-03-26 15:36:33 -07:00
Colin Vidal
79cee327d7 new: test: IPv6 case to isc_netaddr_masktoprefixlen tests
Unit tests for isc_netaddr_masktoprefixlen were missing IPv6 mask cases.
Add those and a few other IPv4 cases. Also, the test is refactored in
order to make it easy to add new cases.

Merge branch 'colin-netaddrmasktest' into 'main'

See merge request isc-projects/bind9!10328
2025-03-26 13:30:01 +00:00
Colin Vidal
ad2c3fa4f7 IPv6 case to isc_netaddr_masktoprefixlen tests
Unit tests for isc_netaddr_masktoprefixlen were missing IPv6 mask cases.
Add those and a few other IPv4 cases. Also, the test is refactored in
order to make it easy to add new cases.
2025-03-26 13:56:53 +01:00
Mark Andrews
f7161a263a fix: test: Silence warning initialising compressed
The string literal initialising compressed was too big for the
array as it has an unwanted NUL terminator.  This is allowed for
in C for historical reasons but produces a warning with some
compilers.  Adjust the declaration to include the NUL and adjust
the users to pass in an adjusted size which excludes the NUL rather
than sizeof(compressed).

Closes #5258

Merge branch '5258-avoid-warning-initialising-compresss' into 'main'

See merge request isc-projects/bind9!10326
2025-03-26 12:42:53 +00:00
Mark Andrews
6a6b6be824 Silence warning when initialising compress
The string literal initialising compressed was too big for the
array as it has an unwanted NUL terminator.  This is allowed for
in C for historical reasons but produces a warning with some
compilers.  Adjust the declaration to include the NUL and adjust
the users to pass in an adjusted size which excludes the NUL rather
than sizeof(compressed).
2025-03-26 12:09:02 +00:00
Michal Nowak
8ac453ab70 fix: ci: cross-version-config-tests should allow_failure due to !10262
Merge branch 'mnowak/cross-version-config-tests-allow_failure' into 'main'

See merge request isc-projects/bind9!10327
2025-03-26 10:18:38 +00:00
Michal Nowak
796cac7f1d cross-version-config-tests should allow_failure due to !10262 2025-03-26 10:45:13 +01:00
Evan Hunt
b01f70618e fix: nil: Fix broken dnssec test
When !10262 was rebased prior to merging, there was a new
use of dnssec-keygen -n in the dnssec system test that had
not been removed in the branch, causing a test failure.
This has been fixed.

Merge branch 'each-merge-error' into 'main'

See merge request isc-projects/bind9!10325
2025-03-26 01:37:49 +00:00
Evan Hunt
38f06d958b fix broken dnssec test
When !10262 was rebased prior to merging, there was a
use of dnssec-keygen -n in the dnssec system test that had
not been removed, causing a test failure. This has been fixed.
2025-03-25 18:01:24 -07:00
Evan Hunt
b0f8b443c9 rem: usr: Remove unnecessary options in dnssec-keygen and dnssec-keyfromlabel
The `dnssec-keygen` utility (and `dnssec-keyfromlabel`, which was derived from it) had several options dating to the time when keys in DNS were still experimental and not fully specified, and when `dnssec-keygen` had the additional function of generating TSIG keys, which are now generated by `tsig-keygen`. These options are no longer necessary in the modern DNSSEC environment, and have been removed.

The removed options are:
- `-t` (key type), which formerly set flags to disable confidentiality or authentication support in a key; these are no longer used.
- `-n` (name type), which is now always set to "ZONE" for DNSKEY and "HOST" for KEY.
- `-p` (protocol), which is now always set to 3 (DNSSEC); no other value has ever been defined.
- `-s` (signatory field), which was never fully defined.
- `-d` (digest bits), which is meaningful only for TSIG keys.

Merge branch 'each-remove-keygen-options' into 'main'

See merge request isc-projects/bind9!10262
2025-03-25 23:49:11 +00:00
Evan Hunt
529bdd1028 Remove -d option from dnssec-keygen
The -d (digestbits) option was only applicable to HMAC keys, which
are no longer created by dnssec-keygen. The option can be removed.
2025-03-25 23:48:23 +00:00
Evan Hunt
622f108366 Remove -s option from dnssec-keygen
The -s option (previously incorrectly documented as "strength")
actually set the signatory flags for KEY fields, which are unused.
The option is not needed.
2025-03-25 23:48:23 +00:00
Evan Hunt
57ee9817ce Remove -p option from dnssec-keygen/keyfromlabel
The -p (protocol) option for all keys defaults to 3 (DNSSEC).
There is currently no practical reason to use any other value;
we can simplify things by removing the option.
2025-03-25 23:48:23 +00:00
Evan Hunt
22d688f656 Remove -n option from dnssec-keygen/keyfromlabel
The -n (nametype) option for keys defaults to ZONE for DNSKEY
type keys, and HOST for KEY type keys. There is currently no
practical reason to use any other name type; we can simplify
things by removing the option.
2025-03-25 23:48:23 +00:00
Evan Hunt
5b667fed06 Remove -t option from dnssec-keygen/keyfromlabel
The key type flag (indicating whether a key is valid for
authentication, confidentiality, or both) is essentially
unused. By default, all DNSKEY and KEY records are valid
for both uses. Non-authenticating DNSKEY records are undefined
and meaningless, and validity checks for flags in KEY records
are sporadic at best.

We can simplify the parameters to dnssec-keygen by removing
the -t option completely.
2025-03-25 23:48:23 +00:00
Michal Nowak
079c3aecf5 fix: test: Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:

    I:Check HTTP/1.1 keep-alive with truncated stream (21)
    curl: option --header: error encountered when reading a file
    curl: try 'curl --help' or 'curl --manual' for more information

Also, see https://github.com/curl/curl/pull/16572.

Closes #5249

Merge branch '5249-statschannel-limit-http-header-size' into 'main'

See merge request isc-projects/bind9!10319
2025-03-25 15:52:47 +00:00
Michal Nowak
bcb931f4a8 Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:

    I:Check HTTP/1.1 keep-alive with truncated stream (21)
    curl: option --header: error encountered when reading a file
    curl: try 'curl --help' or 'curl --manual' for more information

Also, see https://github.com/curl/curl/pull/16572.
2025-03-25 14:14:52 +01:00
Ondřej Surý
e1af47b829 rem: dev: Remove lock upgrading from the hot path in the QP cache
In QPcache, there were two places that tried to upgrade the lock.  In `clean_stale_header()`, the code would try to upgrade the lock and clean up the header, and in `qpzonode_release()`, the tree lock would be optionally upgraded, so we can clean up the node directly if empty. These optimizations are not needed and they have no effect on the performance.

Merge branch 'ondrej/no-lock-upgrade-in-check_stale_headers' into 'main'

See merge request isc-projects/bind9!10305
2025-03-25 09:58:09 +00:00
Ondřej Surý
e8a1949566 Remove lock upgrading from the hot path in the cache
In QPcache, there were two places that tried to upgrade the lock.  In
clean_stale_header(), the code would try to upgrade the lock and clean up
the header, and in qpzonode_release(), the tree lock would be optionally
upgraded, so we can clean up the node directly if empty.  These
optimizations are not needed and they have no effect on the performance.
2025-03-25 10:57:19 +01:00
Ondřej Surý
7861042a27 fix: dev: Fix invalid cache-line padding for qpcache buckets
The isc_queue_t was missing in the calculation of the required
padding size inside the qpcache bucket structure.

Merge branch 'ondrej/qpcache-fix-invalid-padding' into 'main'

See merge request isc-projects/bind9!10306
2025-03-25 09:56:49 +00:00
Ondřej Surý
3ef9b09620 Fix invalid cache-line padding for qpcache buckets
The isc_queue_t was missing in the calculation of the required
padding size inside the qpcache bucket structure.
2025-03-25 10:56:21 +01:00
Aram Sargsyan
75060cbd63 fix: dev: Fix a bug in the ns_query's get_key() function
After a refactoring in 2e6107008dae09d32e3d34fb5423b3d78c4ff651 the
dst_key_free() call is invalid and can cause an assertion. Remove the
dst_key_free() call.

Merge branch 'aram/fix-ns_query-get_key-bug' into 'main'

See merge request isc-projects/bind9!10311
2025-03-25 09:25:15 +00:00
Aram Sargsyan
fb16080280 Don't call dst_key_free(keyp) on an invalid 'keyp'
After a refactoring in 2e6107008dae09d32e3d34fb5423b3d78c4ff651 the
dst_key_free() call is invalid and can cause an assertion. Remove the
dst_key_free() call.
2025-03-25 08:19:45 +00:00
Evan Hunt
d18787b134 fix: usr: Don't enforce NOAUTH/NOCONF flags in DNSKEYs
All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, and are not applicable to DNSKEY. Previously, however, because the DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag prevented authentication in DNSKEYs as well. This has been corrected.

Closes #5240

Merge branch '5240-ignore-noauth-flag' into 'main'

See merge request isc-projects/bind9!10261
2025-03-25 06:39:07 +00:00
Mark Andrews
53c6721abc DNS_KEYTYPE_NOKEY is only applicable to KEY 2025-03-25 06:38:25 +00:00
Evan Hunt
5c21576f82 Don't check DNS_KEYFLAG_NOAUTH
All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH
(and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY.

Previously, because the DNSKEY implementation was built on top of
KEY, the NOAUTH flag prevented authentication in DNSKEYs as well.
This has been corrected.
2025-03-25 06:38:25 +00:00
Evan Hunt
fee1ba40df Tidy up keyvalue.h definitions
Use enums for DNS_KEYFLAG_, DNS_KEYTYPE_, DNS_KEYOWNER_, DNS_KEYALG_,
and DNS_KEYPROTO_ values.

Remove values that are never used.

Eliminate the obsolete DNS_KEYFLAG_SIGNATORYMASK. Instead, add three
more RESERVED bits for the key flag values that it covered but which
were never used.
2025-03-25 06:38:25 +00:00
Evan Hunt
58dfbe3863 rem: dev: Remove dns_qpmulti_lockedread declaration
This function was removed in 6217e434b57bd5d60ed69f792ae9a1a65a008f57 but not from the header file.

Merge branch 'matthijs-remove-unused-qpmulti-lockedread' into 'main'

See merge request isc-projects/bind9!10308
2025-03-25 05:58:47 +00:00
Matthijs Mekking
2c52aea3dc Remove dns_qpmulti_lockedread declaration
This function was removed in 6217e434b57bd5d60ed69f792ae9a1a65a008f57
but not from the header file.
2025-03-25 05:58:31 +00:00
Michał Kępień
56553ea692 chg: test: Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module.  The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.

Closes #5012

Merge branch '5012-upforwd-asyncserver' into 'main'

See merge request isc-projects/bind9!10283
2025-03-25 04:06:01 +00:00
Michał Kępień
a8878cf35d Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module.  The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
2025-03-25 05:01:34 +01:00
Michał Kępień
f24a534ff1 Add a response handler for ignoring all queries
Dropping all incoming queries is a typical use case for a custom server
used in BIND 9 system tests.  Add a response handler implementing that
behavior so that it can be reused.
2025-03-25 05:01:34 +01:00
Michał Kępień
75567f86ca Make response handlers global by default
Instead of requiring each class inheriting from ResponseHandler to
define its match() method, make the latter non-abstract and default to
returning True for all queries.  This will reduce the amount of
boilerplate code in custom servers.
2025-03-25 05:01:34 +01:00
Evan Hunt
25c91dffcc chg: usr: When forwarding, query with CD=0 first
Previously, when queries were forwarded to a remote resolver, the CD (checking disabled) bit was used, which could lead to bogus data being retrieved that might have been corrected if validation had been permitted. The CD bit is now only used as a fallback if an initial query without CD fails. See #5132.

Merge branch '5132-cd-retry' into 'main'

See merge request isc-projects/bind9!10024
2025-03-25 01:11:07 +00:00
Evan Hunt
36cf1c6a5b when forwarding, try with CD=0 first
when sending a query to a forwarder for a name within a secure domain,
the first query is now sent with CD=0. when the forwarder itself
is validating, this will give it a chance to detect bogus data and
replace it with valid data before answering. this reduces our chances
of being stuck with data that can't be validated.

if the forwarder returns SERVFAIL to the initial query, the query
will be repeated with CD=1, to allow for the possibility that the
forwarder's validator is faulty or that the bogus answer is covered
by an NTA.

note: previously, CD=1 was only sent when the query name was in a
secure domain. today, validating servers have a trust anchor at the
root by default, so virtually all queries are in a secure domain.
therefore, the code has been simplified.  as long as validation is
enabled, any forward query that receives a SERVFAIL response will be
retried with CD=1.
2025-03-24 17:33:11 -07:00
Mark Andrews
908840157e new: usr: Add support for EDNS ZONEVERSION option
`dig` and `named` can now make requests with an EDNS `ZONEVERSION` option present.

Two new `named.conf` options have been added: `request-zoneversion` and
`provide-zoneversion`.  `request-zoneversion` is `off` by default. `provide-zoneversion`
is `on` by default.

Closes #4767

Merge branch '4767-implement-zoneversion' into 'main'

See merge request isc-projects/bind9!9103
2025-03-24 23:09:39 +00:00
Mark Andrews
78de8afd47 Return raw zone serial for inline zones 2025-03-24 22:16:09 +00:00
Mark Andrews
ed721afa7c Disable ZONEVERSION for built-in chaos and empty zones 2025-03-24 22:16:09 +00:00
Mark Andrews
eb77a89dfd Check that 'provide-zoneversion no;' works 2025-03-24 22:16:09 +00:00
Mark Andrews
9428e32b13 Add an option to disable ZONEVERSION responses
The option provide-zoneversion controls whether ZONEVERSION is
returned.  This applies to primary, secondary and mirror zones.
2025-03-24 22:16:09 +00:00
Mark Andrews
480122f988 Check that received ZONEVERSION is logged 2025-03-24 22:16:09 +00:00
Mark Andrews
a4f5c1d5f3 Add option request-zoneversion
This can be set at the option, view and server levels and causes
named to add an EDNS ZONEVERSION option to requests.  Replies are
logged to the 'zoneversion' category.
2025-03-24 22:16:09 +00:00
Mark Andrews
a9d1cba46b Add system tests for EDNS zoneversion 2025-03-24 22:16:09 +00:00
Mark Andrews
e9a87f0389 Return EDNS ZONEVERSION if requested
If there was an EDNS ZONEVERSION option in the DNS request and the
answer was from a zone, return the zone's serial and number of
labels excluding the root label with the type set to 0 (ZONE-SERIAL).
2025-03-24 22:16:09 +00:00