Compare commits
15 Commits
imports/c8
...
c8
Author | SHA1 | Date |
---|---|---|
eabdullin | 6650d7fa32 | |
eabdullin | 8d35d07b31 | |
eabdullin | 12985e724b | |
Andrew Lukoshko | a42ecab1d9 | |
Andrew Lukoshko | 89e6eee714 | |
CentOS Sources | d6121a1d3f | |
CentOS Sources | 12f00745d8 | |
CentOS Sources | 99a7c922e4 | |
CentOS Sources | 2ce979a606 | |
CentOS Sources | d8d371d1e8 | |
CentOS Sources | 0f18d3fb97 | |
CentOS Sources | 7ea3346926 | |
CentOS Sources | e50e0af00e | |
CentOS Sources | cacdacb017 | |
CentOS Sources | 864e18c0c8 |
|
@ -1,2 +1,2 @@
|
|||
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
|
||||
4b45d15edc1e3b7902129ce27baec58a50d76b5c SOURCES/bind-9.11.36.tar.gz
|
||||
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
SOURCES/bind-9.11.13.tar.gz
|
||||
SOURCES/bind-9.11.36.tar.gz
|
||||
SOURCES/random.data
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
diff --git a/bin/Makefile.in b/bin/Makefile.in
|
||||
index f0c504a..ce7a2da 100644
|
||||
index a18b222..26a7e4e 100644
|
||||
--- a/bin/Makefile.in
|
||||
+++ b/bin/Makefile.in
|
||||
@@ -11,8 +11,8 @@ srcdir = @srcdir@
|
||||
|
@ -14,7 +14,7 @@ index f0c504a..ce7a2da 100644
|
|||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
|
||||
index 4b8ca13..32f4470 100644
|
||||
index 390aa0c..e59a118 100644
|
||||
--- a/bin/dnssec-pkcs11/Makefile.in
|
||||
+++ b/bin/dnssec-pkcs11/Makefile.in
|
||||
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
|
||||
|
@ -130,7 +130,7 @@ index 4b8ca13..32f4470 100644
|
|||
|
||||
clean distclean::
|
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
|
||||
index 4b8ca13..4175996 100644
|
||||
index 390aa0c..851a008 100644
|
||||
--- a/bin/dnssec/Makefile.in
|
||||
+++ b/bin/dnssec/Makefile.in
|
||||
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
|
||||
|
@ -143,7 +143,7 @@ index 4b8ca13..4175996 100644
|
|||
CWARNINGS =
|
||||
|
||||
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
|
||||
index 3166368..a403941 100644
|
||||
index 277a0f5..52a6375 100644
|
||||
--- a/bin/named-pkcs11/Makefile.in
|
||||
+++ b/bin/named-pkcs11/Makefile.in
|
||||
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
|
||||
|
@ -260,7 +260,7 @@ index 3166368..a403941 100644
|
|||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||
index 3166368..890574f 100644
|
||||
index 277a0f5..0e00885 100644
|
||||
--- a/bin/named/Makefile.in
|
||||
+++ b/bin/named/Makefile.in
|
||||
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||
|
@ -273,10 +273,10 @@ index 3166368..890574f 100644
|
|||
CWARNINGS =
|
||||
|
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
|
||||
index a058c91..d4b689a 100644
|
||||
index 2c19e7e..8223d5e 100644
|
||||
--- a/bin/pkcs11/Makefile.in
|
||||
+++ b/bin/pkcs11/Makefile.in
|
||||
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
|
||||
@@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
|
@ -294,10 +294,10 @@ index a058c91..d4b689a 100644
|
|||
DEPLIBS = ${ISCDEPLIBS}
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 9b7d778..59ba20b 100644
|
||||
index 83cad4a..e1e1a32 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
@@ -1178,12 +1178,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
AC_SUBST(DST_GSSAPI_INC)
|
||||
AC_SUBST(DNS_GSSAPI_LIBS)
|
||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
|
||||
|
@ -312,24 +312,26 @@ index 9b7d778..59ba20b 100644
|
|||
|
||||
#
|
||||
# was --with-randomdev specified?
|
||||
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
|
||||
@@ -1556,12 +1558,12 @@ AC_ARG_ENABLE(openssl-hash,
|
||||
AC_MSG_CHECKING(for OpenSSL library)
|
||||
OPENSSL_WARNING=
|
||||
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
|
||||
-if test "yes" = "$want_native_pkcs11"
|
||||
-then
|
||||
- use_openssl="native_pkcs11"
|
||||
- want_openssl_hash="no"
|
||||
- AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
-fi
|
||||
+# if test "yes" = "$want_native_pkcs11"
|
||||
+# then
|
||||
+# use_openssl="native_pkcs11"
|
||||
+# AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
+# fi
|
||||
+#if test "yes" = "$want_native_pkcs11"
|
||||
+#then
|
||||
+# use_openssl="native_pkcs11"
|
||||
+# want_openssl_hash="no"
|
||||
+# AC_MSG_RESULT(use of native PKCS11 instead)
|
||||
+#fi
|
||||
|
||||
if test "auto" = "$use_openssl"
|
||||
then
|
||||
@@ -1511,6 +1513,7 @@ then
|
||||
@@ -1574,6 +1576,7 @@ then
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
@ -337,7 +339,7 @@ index 9b7d778..59ba20b 100644
|
|||
OPENSSL_ECDSA=""
|
||||
OPENSSL_GOST=""
|
||||
OPENSSL_ED25519=""
|
||||
@@ -1532,11 +1535,10 @@ case "$with_gost" in
|
||||
@@ -1595,11 +1598,10 @@ case "$with_gost" in
|
||||
;;
|
||||
esac
|
||||
|
||||
|
@ -352,7 +354,7 @@ index 9b7d778..59ba20b 100644
|
|||
CRYPTOLIB="pkcs11"
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
|
||||
@@ -1609,7 +1611,9 @@ case "$use_openssl" in
|
||||
OPENSSLGOSTLINKSRCS=""
|
||||
OPENSSLLINKOBJS=""
|
||||
OPENSSLLINKSRCS=""
|
||||
|
@ -363,7 +365,7 @@ index 9b7d778..59ba20b 100644
|
|||
no)
|
||||
AC_MSG_RESULT(no)
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
|
||||
@@ -1641,7 +1645,7 @@ case "$use_openssl" in
|
||||
If you do not want OpenSSL, use --without-openssl])
|
||||
;;
|
||||
*)
|
||||
|
@ -372,7 +374,7 @@ index 9b7d778..59ba20b 100644
|
|||
then
|
||||
AC_MSG_RESULT()
|
||||
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
|
||||
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
|
||||
@@ -2077,6 +2081,7 @@ AC_SUBST(OPENSSL_ED25519)
|
||||
AC_SUBST(OPENSSL_GOST)
|
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
|
||||
|
@ -380,7 +382,7 @@ index 9b7d778..59ba20b 100644
|
|||
|
||||
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
|
||||
if test "yes" = "$with_aes"
|
||||
@@ -2291,6 +2296,7 @@ esac
|
||||
@@ -2363,6 +2368,7 @@ esac
|
||||
AC_SUBST(PKCS11LINKOBJS)
|
||||
AC_SUBST(PKCS11LINKSRCS)
|
||||
AC_SUBST(CRYPTO)
|
||||
|
@ -388,7 +390,7 @@ index 9b7d778..59ba20b 100644
|
|||
AC_SUBST(PKCS11_ECDSA)
|
||||
AC_SUBST(PKCS11_GOST)
|
||||
AC_SUBST(PKCS11_ED25519)
|
||||
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
|
||||
@@ -5491,8 +5497,11 @@ AC_CONFIG_FILES([
|
||||
bin/delv/Makefile
|
||||
bin/dig/Makefile
|
||||
bin/dnssec/Makefile
|
||||
|
@ -400,7 +402,7 @@ index 9b7d778..59ba20b 100644
|
|||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/python/Makefile
|
||||
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
|
||||
@@ -5565,6 +5574,10 @@ AC_CONFIG_FILES([
|
||||
lib/dns/include/dns/Makefile
|
||||
lib/dns/include/dst/Makefile
|
||||
lib/dns/tests/Makefile
|
||||
|
@ -411,7 +413,7 @@ index 9b7d778..59ba20b 100644
|
|||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
|
||||
@@ -5589,6 +5602,24 @@ AC_CONFIG_FILES([
|
||||
lib/isc/unix/include/Makefile
|
||||
lib/isc/unix/include/isc/Makefile
|
||||
lib/isc/unix/include/pkcs11/Makefile
|
||||
|
@ -437,7 +439,7 @@ index 9b7d778..59ba20b 100644
|
|||
lib/isccc/include/Makefile
|
||||
lib/isccc/include/isccc/Makefile
|
||||
diff --git a/lib/Makefile.in b/lib/Makefile.in
|
||||
index 81270a0..bcb5312 100644
|
||||
index f089bea..3ed939b 100644
|
||||
--- a/lib/Makefile.in
|
||||
+++ b/lib/Makefile.in
|
||||
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
|
||||
|
@ -450,21 +452,21 @@ index 81270a0..bcb5312 100644
|
|||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||
index 7f09bd6..c388d9e 100644
|
||||
index 1d0f5df..98c9ba0 100644
|
||||
--- a/lib/dns-pkcs11/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/Makefile.in
|
||||
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
|
||||
@@ -24,17 +24,17 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
|
||||
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
||||
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
||||
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} \
|
||||
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
|
||||
|
||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
|
||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
|
||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
|
||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
|
@ -476,7 +478,7 @@ index 7f09bd6..c388d9e 100644
|
|||
|
||||
LIBS = ${MAXMINDDB_LIBS} @LIBS@
|
||||
|
||||
@@ -150,15 +149,15 @@ version.@O@: version.c
|
||||
@@ -148,15 +148,15 @@ version.@O@: version.c
|
||||
-DLIBAGE=${LIBAGE} \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
|
@ -496,7 +498,7 @@ index 7f09bd6..c388d9e 100644
|
|||
|
||||
include: gen
|
||||
${MAKE} include/dns/enumtype.h
|
||||
@@ -189,22 +188,22 @@ gen: gen.c
|
||||
@@ -187,22 +187,22 @@ gen: gen.c
|
||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
||||
${BUILD_LIBS} ${LFS_LIBS}
|
||||
|
||||
|
@ -525,7 +527,7 @@ index 7f09bd6..c388d9e 100644
|
|||
rm -f include/dns/rdatastruct.h
|
||||
rm -f dnstap.pb-c.c dnstap.pb-c.h
|
||||
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
|
||||
index 8ad54bb..a3ecdfb 100644
|
||||
index 7e3e9ce..58d7466 100644
|
||||
--- a/lib/isc-pkcs11/Makefile.in
|
||||
+++ b/lib/isc-pkcs11/Makefile.in
|
||||
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
|
||||
|
@ -539,7 +541,7 @@ index 8ad54bb..a3ecdfb 100644
|
|||
CWARNINGS =
|
||||
|
||||
# Alphabetically
|
||||
@@ -103,40 +103,40 @@ version.@O@: version.c
|
||||
@@ -107,40 +107,40 @@ version.@O@: version.c
|
||||
-DLIBAGE=${LIBAGE} \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
|
@ -593,10 +595,10 @@ index 8ad54bb..a3ecdfb 100644
|
|||
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
|
||||
+ libisc-pkcs11-nosymtbl.la timestamp
|
||||
diff --git a/make/includes.in b/make/includes.in
|
||||
index fa86ad1..3cfbe9f 100644
|
||||
index 66efe68..966671f 100644
|
||||
--- a/make/includes.in
|
||||
+++ b/make/includes.in
|
||||
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||
@@ -41,3 +41,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||
|
||||
TEST_INCLUDES = \
|
||||
-I${top_srcdir}/lib/tests/include
|
||||
|
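Review bot: The configure.ac hunk of the rebased patch still carries the native-PKCS11 override as commented-out shell (`#if test "yes" = "$want_native_pkcs11"` through `#fi`, now also with `# want_openssl_hash="no"`) instead of deleting it, so a reader cannot tell whether the block is a leftover or a deliberate choice. The patch appears to build the OpenSSL and native-PKCS#11 variants side by side (separate lib/dns-pkcs11, lib/isc-pkcs11 and bin/named-pkcs11 Makefile.in hunks, `@CRYPTO_PK11@`), which is presumably why the override is disabled, but nothing in the hunk says so. I would drop the dead lines and leave a single comment in their place, e.g. `# Native PKCS#11 does not replace OpenSSL here: both crypto backends are built from this tree (see the *-pkcs11 Makefiles).` The `AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])` branch further down appears to remain in place, so requesting both explicitly should still fail at configure time; the enclosing `if test "auto" = "$use_openssl"` block continues outside the hunk.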
|
|
@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644
|
|||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
|
||||
index 108b8d6..a943421 100644
|
||||
index c9fc3cc..148ebb3 100644
|
||||
--- a/bin/named-sdb/main.c
|
||||
+++ b/bin/named-sdb/main.c
|
||||
@@ -93,6 +93,10 @@
|
||||
@@ -97,6 +97,10 @@
|
||||
* Include header files for database drivers here.
|
||||
*/
|
||||
/* #include "xxdb.h" */
|
||||
|
@ -93,7 +93,7 @@ index 108b8d6..a943421 100644
|
|||
|
||||
#ifdef CONTRIB_DLZ
|
||||
/*
|
||||
@@ -1069,6 +1073,11 @@ setup(void) {
|
||||
@@ -1134,6 +1138,11 @@ setup(void) {
|
||||
ns_main_earlyfatal("isc_app_start() failed: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
|
@ -105,7 +105,7 @@ index 108b8d6..a943421 100644
|
|||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
|
||||
ns_g_product, ns_g_version,
|
||||
@@ -1269,6 +1278,75 @@ setup(void) {
|
||||
@@ -1334,6 +1343,75 @@ setup(void) {
|
||||
isc_result_totext(result));
|
||||
#endif
|
||||
|
||||
|
@ -181,7 +181,7 @@ index 108b8d6..a943421 100644
|
|||
ns_server_create(ns_g_mctx, &ns_g_server);
|
||||
|
||||
#ifdef HAVE_LIBSECCOMP
|
||||
@@ -1311,6 +1389,11 @@ cleanup(void) {
|
||||
@@ -1376,6 +1454,11 @@ cleanup(void) {
|
||||
|
||||
dns_name_destroy();
|
||||
|
||||
|
@ -288,10 +288,10 @@ index c7e0868..95ab742 100644
|
|||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index eff9f05..d05ad1f 100644
|
||||
index f85f45f..7d28c52 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
|
||||
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
|
||||
bin/named/unix/Makefile
|
||||
bin/named-pkcs11/Makefile
|
||||
bin/named-pkcs11/unix/Makefile
|
||||
|
@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644
|
|||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/python/Makefile
|
||||
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
|
||||
bin/python/isc/tests/dnskey_test.py
|
||||
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
|
||||
bin/python/isc/tests/policy_test.py
|
||||
bin/python/isc/utils.py
|
||||
bin/rndc/Makefile
|
||||
+ bin/sdb_tools/Makefile
|
||||
bin/tests/Makefile
|
||||
|
|
|
@ -1,292 +0,0 @@
|
|||
From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Morris <stephen@isc.org>
|
||||
Date: Thu, 5 Mar 2020 18:46:46 +0000
|
||||
Subject: [PATCH] Add test for reduction in number of fetches
|
||||
|
||||
Add a system test that counts how many address fetches are made
|
||||
for different numbers of NS records and checks that the number
|
||||
are successfully limited.
|
||||
|
||||
(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
|
||||
---
|
||||
bin/tests/system/resolver/clean.sh | 4 +-
|
||||
bin/tests/system/resolver/ns4/named.conf.in | 5 ++
|
||||
bin/tests/system/resolver/ns4/root.db | 4 +
|
||||
bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
|
||||
bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
|
||||
bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
|
||||
bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
|
||||
bin/tests/system/resolver/tests.sh | 34 ++++++++
|
||||
8 files changed, 180 insertions(+), 3 deletions(-)
|
||||
create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
|
||||
create mode 100644 bin/tests/system/resolver/ns6/targetns.db
|
||||
|
||||
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
|
||||
index 4dfde1f3e7..b3e4bc0b5d 100644
|
||||
--- a/bin/tests/system/resolver/clean.sh
|
||||
+++ b/bin/tests/system/resolver/clean.sh
|
||||
@@ -17,8 +17,7 @@ rm -f */named.memstats
|
||||
rm -f */named.run
|
||||
rm -f */ans.run
|
||||
rm -f */*.jdb
|
||||
-rm -f dig.out dig.out.*
|
||||
-rm -f dig.*.out.*
|
||||
+rm -f dig.out dig.out.* dig.*.out.*
|
||||
rm -f dig.*.foo.*
|
||||
rm -f dig.*.bar.*
|
||||
rm -f dig.*.prime.*
|
||||
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
|
||||
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
|
||||
rm -f ns6/dsset-ds.example.net*
|
||||
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
|
||||
+rm -f ns6/named.stats*
|
||||
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
|
||||
rm -f ns7/server.db ns7/server.db.jnl
|
||||
rm -f resolve.out.*.test*
|
||||
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
|
||||
index c679dc3151..56fe5d0dd8 100644
|
||||
--- a/bin/tests/system/resolver/ns4/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns4/named.conf.in
|
||||
@@ -50,6 +50,11 @@ zone "broken" {
|
||||
file "broken.db";
|
||||
};
|
||||
|
||||
+zone "sourcens" {
|
||||
+ type master;
|
||||
+ file "sourcens.db";
|
||||
+};
|
||||
+
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
|
||||
index 721765d1be..ae541340da 100644
|
||||
--- a/bin/tests/system/resolver/ns4/root.db
|
||||
+++ b/bin/tests/system/resolver/ns4/root.db
|
||||
@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
|
||||
ns.example.net. A 10.53.0.6
|
||||
no-questions. NS ns.no-questions.
|
||||
ns.no-questions. A 10.53.0.8
|
||||
+sourcens. NS ns.sourcens.
|
||||
+ns.sourcens. A 10.53.0.4
|
||||
+targetns. NS ns.targetns.
|
||||
+ns.targetns. A 10.53.0.6
|
||||
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
|
||||
new file mode 100644
|
||||
index 0000000000..b02cc6e835
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/resolver/ns4/sourcens.db
|
||||
@@ -0,0 +1,89 @@
|
||||
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+;
|
||||
+; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
+;
|
||||
+; See the COPYRIGHT file distributed with this work for additional
|
||||
+; information regarding copyright ownership.
|
||||
+
|
||||
+; This zone contains a set of delegations with varying numbers of NS
|
||||
+; records. This is used to check that BIND is limiting the number of
|
||||
+; NS records it follows when resolving a delegation. It tests all
|
||||
+; numbers of NS records up to twice the number followed.
|
||||
+
|
||||
+$TTL 60
|
||||
+@ IN SOA marka.isc.org. ns.server. (
|
||||
+ 2010 ; serial
|
||||
+ 600 ; refresh
|
||||
+ 600 ; retry
|
||||
+ 1200 ; expire
|
||||
+ 600 ; minimum
|
||||
+ )
|
||||
+@ NS ns
|
||||
+ns A 10.53.0.4
|
||||
+
|
||||
+target1 NS ns.fake11.targetns.
|
||||
+
|
||||
+target2 NS ns.fake21.targetns.
|
||||
+ NS ns.fake22.targetns.
|
||||
+
|
||||
+target3 NS ns.fake31.targetns.
|
||||
+ NS ns.fake32.targetns.
|
||||
+ NS ns.fake33.targetns.
|
||||
+
|
||||
+target4 NS ns.fake41.targetns.
|
||||
+ NS ns.fake42.targetns.
|
||||
+ NS ns.fake43.targetns.
|
||||
+ NS ns.fake44.targetns.
|
||||
+
|
||||
+target5 NS ns.fake51.targetns.
|
||||
+ NS ns.fake52.targetns.
|
||||
+ NS ns.fake53.targetns.
|
||||
+ NS ns.fake54.targetns.
|
||||
+ NS ns.fake55.targetns.
|
||||
+
|
||||
+target6 NS ns.fake61.targetns.
|
||||
+ NS ns.fake62.targetns.
|
||||
+ NS ns.fake63.targetns.
|
||||
+ NS ns.fake64.targetns.
|
||||
+ NS ns.fake65.targetns.
|
||||
+ NS ns.fake66.targetns.
|
||||
+
|
||||
+target7 NS ns.fake71.targetns.
|
||||
+ NS ns.fake72.targetns.
|
||||
+ NS ns.fake73.targetns.
|
||||
+ NS ns.fake74.targetns.
|
||||
+ NS ns.fake75.targetns.
|
||||
+ NS ns.fake76.targetns.
|
||||
+ NS ns.fake77.targetns.
|
||||
+
|
||||
+target8 NS ns.fake81.targetns.
|
||||
+ NS ns.fake82.targetns.
|
||||
+ NS ns.fake83.targetns.
|
||||
+ NS ns.fake84.targetns.
|
||||
+ NS ns.fake85.targetns.
|
||||
+ NS ns.fake86.targetns.
|
||||
+ NS ns.fake87.targetns.
|
||||
+ NS ns.fake88.targetns.
|
||||
+
|
||||
+target9 NS ns.fake91.targetns.
|
||||
+ NS ns.fake92.targetns.
|
||||
+ NS ns.fake93.targetns.
|
||||
+ NS ns.fake94.targetns.
|
||||
+ NS ns.fake95.targetns.
|
||||
+ NS ns.fake96.targetns.
|
||||
+ NS ns.fake97.targetns.
|
||||
+ NS ns.fake98.targetns.
|
||||
+ NS ns.fake99.targetns.
|
||||
+
|
||||
+target10 NS ns.fake101.targetns.
|
||||
+ NS ns.fake102.targetns.
|
||||
+ NS ns.fake103.targetns.
|
||||
+ NS ns.fake104.targetns.
|
||||
+ NS ns.fake105.targetns.
|
||||
+ NS ns.fake106.targetns.
|
||||
+ NS ns.fake107.targetns.
|
||||
+ NS ns.fake108.targetns.
|
||||
+ NS ns.fake109.targetns.
|
||||
+ NS ns.fake1010.targetns.
|
||||
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
|
||||
index 07205c9938..90818e4556 100644
|
||||
--- a/bin/tests/system/resolver/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns5/named.conf.in
|
||||
@@ -46,4 +46,11 @@ zone "delegation-only" {
|
||||
type delegation-only;
|
||||
};
|
||||
|
||||
-include "trusted.conf";
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
|
||||
index 7df48558b8..4b01f9ba14 100644
|
||||
--- a/bin/tests/system/resolver/ns6/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns6/named.conf.in
|
||||
@@ -22,6 +22,7 @@ options {
|
||||
recursion no;
|
||||
// minimal-responses yes;
|
||||
querylog yes;
|
||||
+ statistics-file "named.stats";
|
||||
/*
|
||||
* test that named loads with root-delegation-only that
|
||||
* has a exclude list.
|
||||
@@ -67,3 +68,17 @@ zone "delegation-only" {
|
||||
type master;
|
||||
file "delegation-only.db";
|
||||
};
|
||||
+
|
||||
+zone "targetns" {
|
||||
+ type master;
|
||||
+ file "targetns.db";
|
||||
+};
|
||||
+
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
|
||||
new file mode 100644
|
||||
index 0000000000..036e64580b
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/resolver/ns6/targetns.db
|
||||
@@ -0,0 +1,23 @@
|
||||
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+;
|
||||
+; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
+;
|
||||
+; See the COPYRIGHT file distributed with this work for additional
|
||||
+; information regarding copyright ownership.
|
||||
+
|
||||
+; In the test for checking how many NS records BIND will follow, this
|
||||
+; zone marks the server as the one to which the NS lookups will be
|
||||
+; directed.
|
||||
+
|
||||
+$TTL 300
|
||||
+@ IN SOA marka.isc.org. ns.server. (
|
||||
+ 2010 ; serial
|
||||
+ 600 ; refresh
|
||||
+ 600 ; retry
|
||||
+ 1200 ; expire
|
||||
+ 600 ; minimum
|
||||
+ )
|
||||
+ NS ns
|
||||
+ns A 10.53.0.6
|
||||
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
|
||||
index 12d2819e30..178ba4d79b 100755
|
||||
--- a/bin/tests/system/resolver/tests.sh
|
||||
+++ b/bin/tests/system/resolver/tests.sh
|
||||
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
|
||||
status=`expr $status + $ret`
|
||||
fi
|
||||
|
||||
+n=`expr $n + 1`
|
||||
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
|
||||
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
|
||||
+# records pointing to non-existent nameservers in the targetns zone on ns6.
|
||||
+ret=0
|
||||
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
|
||||
+for nscount in 1 2 3 4 5 6 7 8 9 10
|
||||
+do
|
||||
+ # Verify number of NS records at source server
|
||||
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
|
||||
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
|
||||
+ test $sourcerecs -eq $nscount || ret=1
|
||||
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
|
||||
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
|
||||
+ expected=`expr 2 \* $nscount`
|
||||
+ if [ $expected -gt 10 ]; then expected=10; fi
|
||||
+ # Work out the queries made by checking statistics on the target before and after the test
|
||||
+ $RNDCCMD 10.53.0.6 stats || ret=1
|
||||
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
|
||||
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
|
||||
+ $RNDCCMD 10.53.0.6 stats || ret=1
|
||||
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
|
||||
+ # Check number of queries during the test is as expected
|
||||
+ actual=`expr $final_count - $initial_count`
|
||||
+ if [ $actual -ne $expected ]; then
|
||||
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
|
||||
+ ret=1
|
||||
+ fi
|
||||
+done
|
||||
+if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
+status=`expr $status + $ret`
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
echo_i "RT21594 regression test check setup ($n)"
|
||||
ret=0
|
||||
--
|
||||
2.21.1
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 25 Mar 2020 17:44:51 +1100
|
||||
Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
|
||||
request
|
||||
|
||||
(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
|
||||
---
|
||||
bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
|
||||
bin/tests/system/tsig/tests.sh | 9 +++++++++
|
||||
2 files changed, 46 insertions(+)
|
||||
create mode 100644 bin/tests/system/tsig/badtime
|
||||
|
||||
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
|
||||
new file mode 100644
|
||||
index 0000000000..7926404cfb
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/badtime
|
||||
@@ -0,0 +1,37 @@
|
||||
+# Transaction ID
|
||||
+1122
|
||||
+# Standard query
|
||||
+0000
|
||||
+# Questions: 1, Additional: 1
|
||||
+0001 0000 0000 0001
|
||||
+# QNAME: isc.org
|
||||
+03 69 73 63 03 6F 72 67 00
|
||||
+# Type: A (Host Address)
|
||||
+0001
|
||||
+# Class: IN
|
||||
+0001
|
||||
+# Specially crafted TSIG Resource Record
|
||||
+# Name: "sha256"
|
||||
+06 73 68 61 32 35 36 00
|
||||
+# Type: TSIG (Transaction Signature)
|
||||
+00fa
|
||||
+# Class: ANY
|
||||
+00ff
|
||||
+# TTL: 0
|
||||
+00000000
|
||||
+# RdLen: 29
|
||||
+001d
|
||||
+# Algorithm Name: hmac-sha256
|
||||
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
|
||||
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
|
||||
+00 00 00 00 00 00
|
||||
+# Fudge: 300
|
||||
+012c
|
||||
+# MAC Size: 0; MAC: empty
|
||||
+0000
|
||||
+# Original ID: 0
|
||||
+0000
|
||||
+# Error: BADSIG
|
||||
+0010
|
||||
+# Other Data Length: 0
|
||||
+0000
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index cade35bc1d..284aea1056 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
|
||||
echo "I: failed"; status=1
|
||||
fi
|
||||
|
||||
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
|
||||
+ret=0
|
||||
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
|
||||
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
|
||||
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
|
||||
+if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+fi
|
||||
+
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
--
|
||||
2.21.1
|
||||
|
|
@ -0,0 +1,254 @@
|
|||
From 1f5cb247ecd20ba57c472138f94856aa83caf042 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Tue, 1 Mar 2022 09:48:05 +1100
|
||||
Subject: [PATCH] Add additional name checks when using a forwarder
|
||||
|
||||
When using a forwarder, check that the owner name of response
|
||||
records are within the bailiwick of the forwarded name space.
|
||||
|
||||
(cherry picked from commit e8df2802ac62016ea68585893eb4310fc3329028)
|
||||
|
||||
Check that the forward declaration is unchanged and not overridden
|
||||
|
||||
If we are using a fowarder, in addition to checking that names to
|
||||
be cached are subdomains of the forwarded namespace, we must also
|
||||
check that there are no subsidiary forwarded namespaces which would
|
||||
take precedence. To be safe, we don't cache any responses if the
|
||||
forwarding configuration has changed since the query was sent.
|
||||
|
||||
(cherry picked from commit 590f8698fc876d6d72f75cf35359e7546c3af972)
|
||||
|
||||
Check cached names for possible "forward only" clause
|
||||
|
||||
When caching additional and glue data *not* from a forwarder, we must
|
||||
check that there is no "forward only" clause covering the owner name
|
||||
that would take precedence. Such names would normally be allowed by
|
||||
baliwick rules, but a "forward only" zone introduces a new baliwick
|
||||
scope.
|
||||
|
||||
(cherry picked from commit 4a144fae16e70517be894a971cef1d085ee68ebe)
|
||||
|
||||
Look for zones deeper than the current domain or forward name
|
||||
|
||||
When caching glue, we need to ensure that there is no closer
|
||||
source of truth for the name. If the owner name for the glue
|
||||
record would be answered by a locally configured zone, do not
|
||||
cache.
|
||||
|
||||
(cherry picked from commit 42f8c538d3fb9d075b98d82688aeb71621798754)
|
||||
|
||||
Avoid use of compound literals
|
||||
|
||||
Compound literals are not used in BIND 9.11, in order to ensure backward
|
||||
compatibility with ancient compilers. Rework the relevant parts of the
|
||||
BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
|
||||
are not used.
|
||||
|
||||
(cherry picked from commit d4b1efbcbd4dfb8c6ef303968992440c5bdeed15)
|
||||
---
|
||||
lib/dns/resolver.c | 130 +++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 125 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index c912f3aea8..2c68973899 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -63,6 +63,7 @@
|
||||
#include <dns/stats.h>
|
||||
#include <dns/tsig.h>
|
||||
#include <dns/validator.h>
|
||||
+#include <dns/zone.h>
|
||||
|
||||
#ifdef WANT_QUERYTRACE
|
||||
#define RTRACE(m) isc_log_write(dns_lctx, \
|
||||
@@ -312,6 +313,8 @@ struct fetchctx {
|
||||
bool ns_ttl_ok;
|
||||
uint32_t ns_ttl;
|
||||
isc_counter_t * qc;
|
||||
+ dns_fixedname_t fwdfname;
|
||||
+ dns_name_t *fwdname;
|
||||
|
||||
/*%
|
||||
* The number of events we're waiting for.
|
||||
@@ -3393,6 +3396,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copy(domain, fctx->fwdname, NULL);
|
||||
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
|
||||
isstrictsubdomain(domain, &fctx->domain)) {
|
||||
fcount_decr(fctx);
|
||||
@@ -4422,6 +4426,9 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||
fctx->restarts = 0;
|
||||
fctx->querysent = 0;
|
||||
fctx->referrals = 0;
|
||||
+
|
||||
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
|
||||
+
|
||||
TIME_NOW(&fctx->start);
|
||||
fctx->timeouts = 0;
|
||||
fctx->lamecount = 0;
|
||||
@@ -4480,8 +4487,10 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||
domain = dns_fixedname_initname(&fixed);
|
||||
result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
|
||||
domain, &forwarders);
|
||||
- if (result == ISC_R_SUCCESS)
|
||||
+ if (result == ISC_R_SUCCESS) {
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copy(domain, fctx->fwdname, NULL);
|
||||
+ }
|
||||
|
||||
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
|
||||
/*
|
||||
@@ -6231,6 +6240,112 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
|
||||
rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns true if 'name' is external to the namespace for which
|
||||
+ * the server being queried can answer, either because it's not a
|
||||
+ * subdomain or because it's below a forward declaration or a
|
||||
+ * locally served zone.
|
||||
+ */
|
||||
+static inline bool
|
||||
+name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
|
||||
+ isc_result_t result;
|
||||
+ dns_forwarders_t *forwarders = NULL;
|
||||
+ dns_fixedname_t fixed, zfixed;
|
||||
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
|
||||
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
|
||||
+ dns_name_t *apex = NULL;
|
||||
+ dns_name_t suffix;
|
||||
+ dns_zone_t *zone = NULL;
|
||||
+ unsigned int labels;
|
||||
+ dns_namereln_t rel;
|
||||
+ /*
|
||||
+ * The following two variables do not influence code flow; they are
|
||||
+ * only necessary for calling dns_name_fullcompare().
|
||||
+ */
|
||||
+ int _orderp = 0;
|
||||
+ unsigned int _nlabelsp = 0;
|
||||
+
|
||||
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
|
||||
+
|
||||
+ /*
|
||||
+ * The name is outside the queried namespace.
|
||||
+ */
|
||||
+ rel = dns_name_fullcompare(name, apex, &_orderp, &_nlabelsp);
|
||||
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the record lives in the parent zone, adjust the name so we
|
||||
+ * look for the correct zone or forward clause.
|
||||
+ */
|
||||
+ labels = dns_name_countlabels(name);
|
||||
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
|
||||
+ dns_name_init(&suffix, NULL);
|
||||
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
|
||||
+ name = &suffix;
|
||||
+ } else if (rel == dns_namereln_equal) {
|
||||
+ /* If 'name' is 'apex', no further checking is needed. */
|
||||
+ return (false);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If there is a locally served zone between 'apex' and 'name'
|
||||
+ * then don't cache.
|
||||
+ */
|
||||
+ LOCK(&fctx->res->view->lock);
|
||||
+ if (fctx->res->view->zonetable != NULL) {
|
||||
+ unsigned int options = DNS_ZTFIND_NOEXACT;
|
||||
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
|
||||
+ zfname, &zone);
|
||||
+ if (zone != NULL) {
|
||||
+ dns_zone_detach(&zone);
|
||||
+ }
|
||||
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
||||
+ if (dns_name_fullcompare(zfname, apex, &_orderp,
|
||||
+ &_nlabelsp) ==
|
||||
+ dns_namereln_subdomain)
|
||||
+ {
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+ return (true);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+
|
||||
+ /*
|
||||
+ * Look for a forward declaration below 'name'.
|
||||
+ */
|
||||
+ result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname,
|
||||
+ &forwarders);
|
||||
+
|
||||
+ if (ISFORWARDER(fctx->addrinfo)) {
|
||||
+ /*
|
||||
+ * See if the forwarder declaration is better.
|
||||
+ */
|
||||
+ if (result == ISC_R_SUCCESS) {
|
||||
+ return (!dns_name_equal(fname, fctx->fwdname));
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the lookup failed, the configuration must have
|
||||
+ * changed: play it safe and don't cache.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ } else if (result == ISC_R_SUCCESS &&
|
||||
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
|
||||
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
|
||||
+ {
|
||||
+ /*
|
||||
+ * If 'name' is covered by a 'forward only' clause then we
|
||||
+ * can't cache this repsonse.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ return (false);
|
||||
+}
|
||||
+
|
||||
static isc_result_t
|
||||
check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
|
||||
dns_section_t section)
|
||||
@@ -6259,7 +6374,7 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
|
||||
result = dns_message_findname(rmessage, section, addname,
|
||||
dns_rdatatype_any, 0, &name, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
+ external = name_external(name, type, fctx);
|
||||
if (type == dns_rdatatype_a) {
|
||||
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||
rdataset != NULL;
|
||||
@@ -7141,6 +7256,13 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||
break;
|
||||
|
||||
case dns_namereln_subdomain:
|
||||
+ /*
|
||||
+ * Don't accept DNAME from parent namespace.
|
||||
+ */
|
||||
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* In-scope DNAME records must have at least
|
||||
* as many labels as the domain being queried.
|
||||
@@ -7376,11 +7498,9 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
||||
*/
|
||||
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
||||
while (!done && result == ISC_R_SUCCESS) {
|
||||
- bool external;
|
||||
name = NULL;
|
||||
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
- if (!external) {
|
||||
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
|
||||
/*
|
||||
* We expect to find NS or SIG NS rdatasets, and
|
||||
* nothing else.
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
From 05cdbc1006cee6daaa29e5423976d56047d22461 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||
|
||||
Limit the amount of database lookups that can be triggered in
|
||||
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||
query next) by setting a hard limit on the number of NS RRs processed
|
||||
for any delegation encountered. Without any limit in place, named can
|
||||
be forced to perform large amounts of database lookups per each query
|
||||
received, which severely impacts resolver performance.
|
||||
|
||||
The limit used (20) is an arbitrary value that is considered to be big
|
||||
enough for any sane DNS delegation.
|
||||
|
||||
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||
(cherry picked from commit bf2ea6d8525bfd96a84dad221ba9e004adb710a8)
|
||||
---
|
||||
lib/dns/resolver.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 8ae9a993bb..ac9a9ef5d0 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -180,6 +180,12 @@
|
||||
*/
|
||||
#define NS_FAIL_LIMIT 4
|
||||
#define NS_RR_LIMIT 5
|
||||
+/*
|
||||
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||
+ * large delegations.
|
||||
+ */
|
||||
+#define NS_PROCESSING_LIMIT 20
|
||||
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
unsigned int no_addresses = 0;
|
||||
+ unsigned int ns_processed = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
+
|
||||
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||
+ result = ISC_R_NOMORE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
--
|
||||
2.37.3
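Review bot: The counter at `if (++ns_processed >= NS_PROCESSING_LIMIT)` is incremented only at the bottom of the loop body, so any path that leaves an iteration early (a `continue` for an NS RR that is skipped or fails to parse) is not counted toward the limit; the body of the loop in fctx_getaddresses() is outside the hunk, so whether such paths exist cannot be confirmed here. If they do, moving the check to the top of the iteration, `if (ns_processed++ >= NS_PROCESSING_LIMIT) { result = ISC_R_NOMORE; break; }`, bounds the work by RRs seen rather than RRs fully processed, which is what the resource exhaustion this commit mitigates cares about. A debug-level log when the limit truncates a delegation would also help, since both the truncated and the normally exhausted case now leave the loop with ISC_R_NOMORE and an operator cannot otherwise tell an oversized delegation from a normal one.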
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Fri, 23 Feb 2024 10:12:47 +1100
|
||||
Subject: [PATCH] Do not use header_prev in expire_lru_headers
|
||||
|
||||
dns__cacherbt_expireheader can unlink / free header_prev underneath
|
||||
it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
|
||||
instead to get the next pointer to be processed.
|
||||
|
||||
(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
|
||||
(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
|
||||
---
|
||||
lib/dns/rbtdb.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index cc40eaec60..ee59c1b18b 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
static size_t
|
||||
expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
|
||||
bool tree_locked) {
|
||||
- rdatasetheader_t *header, *header_prev;
|
||||
+ rdatasetheader_t *header;
|
||||
size_t purged = 0;
|
||||
|
||||
for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||
- header != NULL && purged <= purgesize; header = header_prev)
|
||||
+ header != NULL && purged <= purgesize;
|
||||
+ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
|
||||
{
|
||||
- header_prev = ISC_LIST_PREV(header, link);
|
||||
/*
|
||||
* Unlink the entry at this point to avoid checking it
|
||||
* again even if it's currently used someone else and
|
||||
* cannot be purged at this moment. This entry won't be
|
||||
* referenced any more (so unlinking is safe) since the
|
||||
- * TTL was reset to 0.
|
||||
+ * TTL will be reset to 0.
|
||||
*/
|
||||
ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
|
||||
size_t header_size = rdataset_size(header);
|
||||
--
|
||||
2.43.2
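Review bot: The rewritten loop is free of the dangling-pointer problem only because `ISC_LIST_UNLINK` runs before `expire_header()` on every iteration, so re-reading `ISC_LIST_TAIL` is guaranteed to yield a different header and the loop cannot spin; that invariant is what the rewrite relies on and it is stated nowhere. A comment at the `for` header would make it explicit: `/* Re-read the tail each pass: expire_header() may free neighbouring headers, so a saved prev pointer would dangle; the unlink below guarantees progress. */`. The `purged <= purgesize` bound is unchanged and still expires one header beyond the requested size when the two are equal; `<` is the tighter bound if that overshoot is not intended.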
|
||||
|
|
@ -0,0 +1,193 @@
|
|||
From f3aa755ba5ae5148dd0567357f8c538072e2eabc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Tue, 30 May 2023 08:46:17 +0200
|
||||
Subject: [PATCH] Improve RBT overmem cache cleaning
|
||||
|
||||
When cache memory usage is over the configured cache size (overmem) and
|
||||
we are cleaning unused entries, it might not be enough to clean just two
|
||||
entries if the entries to be expired are smaller than the newly added
|
||||
rdata. This could be abused by an attacker to cause a remote Denial of
|
||||
Service by possibly running out of the operating system memory.
|
||||
|
||||
Currently, the addrdataset() tries to do a single TTL-based cleaning
|
||||
considering the serve-stale TTL and then optionally moves to overmem
|
||||
cleaning if we are in that condition. Then the overmem_purge() tries to
|
||||
do another single TTL based cleaning from the TTL heap and then continue
|
||||
with LRU-based cleaning up to 2 entries cleaned.
|
||||
|
||||
Squash the TTL-cleaning mechanism into single call from addrdataset(),
|
||||
but ignore the serve-stale TTL if we are currently overmem.
|
||||
|
||||
Then instead of having a fixed number of entries to clean, pass the size
|
||||
of newly added rdatasetheader to the overmem_purge() function and
|
||||
cleanup at least the size of the newly added data. This prevents the
|
||||
cache going over the configured memory limit (`max-cache-size`).
|
||||
|
||||
Additionally, refactor the overmem_purge() function to reduce for-loop
|
||||
nesting for readability.
|
||||
---
|
||||
lib/dns/rbtdb.c | 109 +++++++++++++++++++++++++++++-------------------
|
||||
1 file changed, 67 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index 11203e4..cc40eae 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -834,7 +834,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
bool tree_locked, expire_t reason);
|
||||
static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
|
||||
- isc_stdtime_t now, bool tree_locked);
|
||||
+ size_t purgesize, bool tree_locked);
|
||||
static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
|
||||
rdatasetheader_t *newheader);
|
||||
static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
|
||||
@@ -6937,6 +6937,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
|
||||
|
||||
static dns_dbmethods_t zone_methods;
|
||||
|
||||
+static size_t
|
||||
+rdataset_size(rdatasetheader_t *header) {
|
||||
+ if (!NONEXISTENT(header)) {
|
||||
+ return (dns_rdataslab_size((unsigned char *)header,
|
||||
+ sizeof(*header)));
|
||||
+ }
|
||||
+
|
||||
+ return (sizeof(*header));
|
||||
+}
|
||||
+
|
||||
static isc_result_t
|
||||
addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||
isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
|
||||
@@ -7091,7 +7101,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||
}
|
||||
|
||||
if (cache_is_overmem)
|
||||
- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
|
||||
+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
|
||||
+ tree_locked);
|
||||
|
||||
NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
|
||||
isc_rwlocktype_write);
|
||||
@@ -7106,9 +7117,19 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||
cleanup_dead_nodes(rbtdb, rbtnode->locknum);
|
||||
|
||||
header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
|
||||
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
|
||||
- expire_header(rbtdb, header, tree_locked,
|
||||
- expire_ttl);
|
||||
+ if (header != NULL) {
|
||||
+ dns_ttl_t rdh_ttl = header->rdh_ttl;
|
||||
+
|
||||
+ /* Only account for stale TTL if cache is not overmem */
|
||||
+ if (!cache_is_overmem) {
|
||||
+ rdh_ttl += rbtdb->serve_stale_ttl;
|
||||
+ }
|
||||
+
|
||||
+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
|
||||
+ expire_header(rbtdb, header, tree_locked,
|
||||
+ expire_ttl);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
/*
|
||||
* If we've been holding a write lock on the tree just for
|
||||
@@ -10643,54 +10664,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
|
||||
}
|
||||
|
||||
+static size_t
|
||||
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
|
||||
+ bool tree_locked) {
|
||||
+ rdatasetheader_t *header, *header_prev;
|
||||
+ size_t purged = 0;
|
||||
+
|
||||
+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||
+ header != NULL && purged <= purgesize; header = header_prev)
|
||||
+ {
|
||||
+ header_prev = ISC_LIST_PREV(header, link);
|
||||
+ /*
|
||||
+ * Unlink the entry at this point to avoid checking it
|
||||
+ * again even if it's currently used someone else and
|
||||
+ * cannot be purged at this moment. This entry won't be
|
||||
+ * referenced any more (so unlinking is safe) since the
|
||||
+ * TTL was reset to 0.
|
||||
+ */
|
||||
+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
|
||||
+ size_t header_size = rdataset_size(header);
|
||||
+ expire_header(rbtdb, header, tree_locked, expire_lru);
|
||||
+ purged += header_size;
|
||||
+ }
|
||||
+
|
||||
+ return (purged);
|
||||
+}
|
||||
+
|
||||
/*%
|
||||
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
|
||||
- * under an overmem condition. To recover from this condition quickly, up to
|
||||
- * 2 entries will be purged. This process is triggered while adding a new
|
||||
- * entry, and we specifically avoid purging entries in the same LRU bucket as
|
||||
- * the one to which the new entry will belong. Otherwise, we might purge
|
||||
- * entries of the same name of different RR types while adding RRsets from a
|
||||
- * single response (consider the case where we're adding A and AAAA glue records
|
||||
- * of the same NS name).
|
||||
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
|
||||
+ * entries under the overmem condition. To recover from this condition quickly,
|
||||
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
|
||||
+ *
|
||||
+ * This process is triggered while adding a new entry, and we specifically avoid
|
||||
+ * purging entries in the same LRU bucket as the one to which the new entry will
|
||||
+ * belong. Otherwise, we might purge entries of the same name of different RR
|
||||
+ * types while adding RRsets from a single response (consider the case where
|
||||
+ * we're adding A and AAAA glue records of the same NS name).
|
||||
*/
|
||||
static void
|
||||
-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
|
||||
- isc_stdtime_t now, bool tree_locked)
|
||||
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize,
|
||||
+ bool tree_locked)
|
||||
{
|
||||
- rdatasetheader_t *header, *header_prev;
|
||||
unsigned int locknum;
|
||||
- int purgecount = 2;
|
||||
+ size_t purged = 0;
|
||||
|
||||
for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
|
||||
- locknum != locknum_start && purgecount > 0;
|
||||
+ locknum != locknum_start && purged <= purgesize;
|
||||
locknum = (locknum + 1) % rbtdb->node_lock_count) {
|
||||
NODE_LOCK(&rbtdb->node_locks[locknum].lock,
|
||||
isc_rwlocktype_write);
|
||||
|
||||
- header = isc_heap_element(rbtdb->heaps[locknum], 1);
|
||||
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
|
||||
- expire_header(rbtdb, header, tree_locked,
|
||||
- expire_ttl);
|
||||
- purgecount--;
|
||||
- }
|
||||
-
|
||||
- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
|
||||
- header != NULL && purgecount > 0;
|
||||
- header = header_prev) {
|
||||
- header_prev = ISC_LIST_PREV(header, link);
|
||||
- /*
|
||||
- * Unlink the entry at this point to avoid checking it
|
||||
- * again even if it's currently used someone else and
|
||||
- * cannot be purged at this moment. This entry won't be
|
||||
- * referenced any more (so unlinking is safe) since the
|
||||
- * TTL was reset to 0.
|
||||
- */
|
||||
- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
|
||||
- link);
|
||||
- expire_header(rbtdb, header, tree_locked,
|
||||
- expire_lru);
|
||||
- purgecount--;
|
||||
- }
|
||||
+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
|
||||
+ tree_locked);
|
||||
|
||||
NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
|
||||
isc_rwlocktype_write);
|
||||
--
|
||||
2.40.1
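Review bot: `purged += header_size` in expire_lru_headers() counts a header as reclaimed as soon as it is unlinked and handed to expire_header(), but the comment directly above it says an entry that is "currently used someone else ... cannot be purged at this moment"; for such entries the bytes are not released until the last reference drops, so overmem_purge() can return having freed less than `purgesize` while the caller treats the cache as back under the limit. That is acceptable for a best-effort purge, but it should be documented at the return, e.g. `/* Bytes marked for expiry, not bytes freed: an in-use header is released only when its last reference is dropped. */`. Separately, `header_prev = ISC_LIST_PREV(header, link)` is saved before expire_header() runs; if expiring a header can free its LRU neighbour, that saved pointer dangles on the next iteration — the visible body alone does not show whether that can happen, so it should be confirmed against expire_header().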
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
From f0fc9d7999a94da3d471c4e0a35b1f447f25eea6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Mon, 26 Feb 2024 21:08:42 +0100
|
||||
Subject: [PATCH] Add normal task queue also to non-thread version
|
||||
|
||||
Non-thread builds are used by us for dhcp package. Make it working
|
||||
again.
|
||||
|
||||
Related to [GL #4424] and [GL #4459].
|
||||
---
|
||||
lib/isc/task.c | 14 ++++++++------
|
||||
1 file changed, 8 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/isc/task.c b/lib/isc/task.c
|
||||
index cc83269..5315b51 100644
|
||||
--- a/lib/isc/task.c
|
||||
+++ b/lib/isc/task.c
|
||||
@@ -1115,7 +1115,7 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||
}
|
||||
#else /* USE_WORKER_THREADS */
|
||||
if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
|
||||
- empty_readyq(manager))
|
||||
+ empty_readyq(manager, qid))
|
||||
break;
|
||||
#endif /* USE_WORKER_THREADS */
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
|
||||
@@ -1318,11 +1318,11 @@ dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||
}
|
||||
|
||||
#ifndef USE_WORKER_THREADS
|
||||
- ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
|
||||
- ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
|
||||
+ ISC_LIST_APPENDLIST(manager->ready_tasks[qid], new_ready_tasks, ready_link);
|
||||
+ ISC_LIST_APPENDLIST(manager->ready_priority_tasks[qid], new_priority_tasks,
|
||||
ready_priority_link);
|
||||
manager->tasks_ready += tasks_ready;
|
||||
- if (empty_readyq(manager))
|
||||
+ if (empty_readyq(manager, qid))
|
||||
manager->mode = isc_taskmgrmode_normal;
|
||||
#endif
|
||||
|
||||
@@ -1713,7 +1713,8 @@ isc__taskmgr_ready(isc_taskmgr_t *manager0) {
|
||||
return (false);
|
||||
|
||||
LOCK(&manager->lock);
|
||||
- is_ready = !empty_readyq(manager);
|
||||
+ is_ready = !empty_readyq(manager, isc_taskqueue_normal) ||
|
||||
+ !empty_readyq(manager, isc_taskqueue_slow);
|
||||
UNLOCK(&manager->lock);
|
||||
|
||||
return (is_ready);
|
||||
@@ -1730,7 +1731,8 @@ isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
|
||||
if (manager == NULL)
|
||||
return (ISC_R_NOTFOUND);
|
||||
|
||||
- dispatch(manager);
|
||||
+ dispatch(manager, isc_taskqueue_normal);
|
||||
+ dispatch(manager, isc_taskqueue_slow);
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
--
|
||||
2.43.2
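Review bot: `if (empty_readyq(manager, qid)) manager->mode = isc_taskmgrmode_normal;` resets the manager-wide mode after draining only the queue currently being dispatched, yet isc__taskmgr_ready() in the same patch treats the manager as ready when either the normal or the slow queue is non-empty. If `mode` governs priority handling across both queues (its definition is outside the hunk), a non-empty priority list on the other queue would be demoted to normal mode prematurely; mirroring the readiness check, `if (empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)) manager->mode = isc_taskmgrmode_normal;`, keeps the two consistent. The added `ISC_LIST_APPENDLIST(manager->ready_tasks[qid], new_ready_tasks, ready_link);` line also runs past the 80-column width the surrounding code wraps at.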
|
||||
|
|
@ -0,0 +1,737 @@
|
|||
From 4c20ab54ec503f65d8ee0b863cbf41103d95130a Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 22 Nov 2023 16:59:03 +1100
|
||||
Subject: [PATCH] Fail the DNSSEC validation on the first failure
|
||||
|
||||
Be more strict when encountering DNSSEC validation failures - fail on
|
||||
the first failure. This will break domains that have DNSSEC signing
|
||||
keys with duplicate key ids, but this is something that's much easier
|
||||
to fix on the authoritative side, so we are just going to be strict
|
||||
on the resolver side where it is causing performance problems.
|
||||
|
||||
(cherry picked from commit 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34)
|
||||
|
||||
Add normal and slow task queues
|
||||
|
||||
Split the task manager queues into normal and slow task queues, so we
|
||||
can move the tasks that blocks processing for a long time (like DNSSEC
|
||||
validation) into the slow queue which doesn't block fast
|
||||
operations (like responding from the cache). This mitigates the whole
|
||||
class of KeyTrap-like issues.
|
||||
|
||||
(cherry picked from commit db083a21726300916fa0b9fd8a433a796fedf636)
|
||||
|
||||
Don't iterate from start every time we select new signing key
|
||||
|
||||
Improve the selecting of the new signing key by remembering where
|
||||
we stopped the iteration and just continue from that place instead
|
||||
of iterating from the start over and over again each time.
|
||||
|
||||
(cherry picked from commit 75faeefcab47e4f1e12b358525190b4be90f97de)
|
||||
|
||||
Optimize selecting the signing key
|
||||
|
||||
Don't parse the crypto data before parsing and matching the id and the
|
||||
algorithm.
|
||||
|
||||
(cherry picked from commit b38552cca7200a72658e482f8407f57516efc5db)
|
||||
|
||||
6322. [security] Specific DNS answers could cause a denial-of-service
|
||||
condition due to DNS validation taking a long time.
|
||||
(CVE-2023-50387) [GL #4424]
|
||||
|
||||
The same code change also addresses another problem:
|
||||
preparing NSEC3 closest encloser proofs could exhaust
|
||||
available CPU resources. (CVE-2023-50868) [GL #4459]
|
||||
---
|
||||
lib/dns/dst_api.c | 25 ++++--
|
||||
lib/dns/include/dns/validator.h | 1 +
|
||||
lib/dns/include/dst/dst.h | 4 +
|
||||
lib/dns/resolver.c | 2 +-
|
||||
lib/dns/validator.c | 97 +++++++++-----------
|
||||
lib/dns/win32/libdns.def.in | 1 +
|
||||
lib/isc/include/isc/task.h | 11 ++-
|
||||
lib/isc/task.c | 153 ++++++++++++++++++++++----------
|
||||
8 files changed, 186 insertions(+), 108 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index 2156384ec1..6bcd99796c 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -105,6 +105,7 @@ static isc_result_t frombuffer(dns_name_t *name,
|
||||
dns_rdataclass_t rdclass,
|
||||
isc_buffer_t *source,
|
||||
isc_mem_t *mctx,
|
||||
+ bool no_rdata,
|
||||
dst_key_t **keyp);
|
||||
|
||||
static isc_result_t algorithm_status(unsigned int alg);
|
||||
@@ -764,6 +765,13 @@ isc_result_t
|
||||
dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
|
||||
{
|
||||
+ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
|
||||
+}
|
||||
+
|
||||
+isc_result_t
|
||||
+dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||
+ dst_key_t **keyp) {
|
||||
uint8_t alg, proto;
|
||||
uint32_t flags, extflags;
|
||||
dst_key_t *key = NULL;
|
||||
@@ -792,7 +800,7 @@ dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||
}
|
||||
|
||||
result = frombuffer(name, alg, flags, proto, rdclass, source,
|
||||
- mctx, &key);
|
||||
+ mctx, no_rdata, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
key->key_id = id;
|
||||
@@ -814,7 +822,7 @@ dst_key_frombuffer(dns_name_t *name, unsigned int alg,
|
||||
REQUIRE(dst_initialized);
|
||||
|
||||
result = frombuffer(name, alg, flags, protocol, rdclass, source,
|
||||
- mctx, &key);
|
||||
+ mctx, false, &key);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (result);
|
||||
|
||||
@@ -1915,7 +1923,8 @@ computeid(dst_key_t *key) {
|
||||
static isc_result_t
|
||||
frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
|
||||
unsigned int protocol, dns_rdataclass_t rdclass,
|
||||
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
|
||||
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||
+ dst_key_t **keyp)
|
||||
{
|
||||
dst_key_t *key;
|
||||
isc_result_t ret;
|
||||
@@ -1940,10 +1949,12 @@ frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
|
||||
return (DST_R_UNSUPPORTEDALG);
|
||||
}
|
||||
|
||||
- ret = key->func->fromdns(key, source);
|
||||
- if (ret != ISC_R_SUCCESS) {
|
||||
- dst_key_free(&key);
|
||||
- return (ret);
|
||||
+ if (!no_rdata) {
|
||||
+ ret = key->func->fromdns(key, source);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ dst_key_free(&key);
|
||||
+ return (ret);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
|
||||
index cc4478d6d4..b4bf8f29db 100644
|
||||
--- a/lib/dns/include/dns/validator.h
|
||||
+++ b/lib/dns/include/dns/validator.h
|
||||
@@ -160,6 +160,7 @@ struct dns_validator {
|
||||
unsigned int depth;
|
||||
unsigned int authcount;
|
||||
unsigned int authfail;
|
||||
+ bool failed;
|
||||
isc_stdtime_t start;
|
||||
};
|
||||
|
||||
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
||||
index 180c841307..a8be2daf67 100644
|
||||
--- a/lib/dns/include/dst/dst.h
|
||||
+++ b/lib/dns/include/dst/dst.h
|
||||
@@ -435,6 +435,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
+dst_key_fromdns_ex(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
|
||||
+ dst_key_t **keyp);
|
||||
+isc_result_t
|
||||
dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
|
||||
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
|
||||
/*%<
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 4f71f48039..487107614c 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -9267,7 +9267,7 @@ dns_resolver_create(dns_view_t *view,
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup_buckets;
|
||||
res->buckets[i].task = NULL;
|
||||
- result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
|
||||
+ result = isc_task_create(taskmgr, ISC_TASK_QUANTUM_SLOW, &res->buckets[i].task);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
DESTROYLOCK(&res->buckets[i].lock);
|
||||
goto cleanup_buckets;
|
||||
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
|
||||
index 2a5c3caa6a..0b257fe874 100644
|
||||
--- a/lib/dns/validator.c
|
||||
+++ b/lib/dns/validator.c
|
||||
@@ -1207,6 +1207,12 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
|
||||
* val->key at it.
|
||||
*
|
||||
* If val->key is non-NULL, this returns the next matching key.
|
||||
+ * If val->key is already non-NULL, start searching from the next position in
|
||||
+ * 'rdataset' to find the *next* key that could have signed 'siginfo', then
|
||||
+ * set val->key to that.
|
||||
+ *
|
||||
+ * Returns ISC_R_SUCCESS if a possible matching key has been found,
|
||||
+ * ISC_R_NOTFOUND if not. Any other value indicates error.
|
||||
*/
|
||||
static isc_result_t
|
||||
get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
|
||||
@@ -1216,54 +1222,59 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
|
||||
isc_buffer_t b;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
dst_key_t *oldkey = val->key;
|
||||
- bool foundold;
|
||||
+ bool no_rdata = false;
|
||||
|
||||
- if (oldkey == NULL)
|
||||
- foundold = true;
|
||||
- else {
|
||||
- foundold = false;
|
||||
+ if (oldkey == NULL) {
|
||||
+ result = dns_rdataset_first(rdataset);
|
||||
+ } else {
|
||||
+ dst_key_free(&oldkey);
|
||||
val->key = NULL;
|
||||
+ result = dns_rdataset_next(rdataset);
|
||||
+ }
|
||||
+
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ goto done;
|
||||
}
|
||||
|
||||
- result = dns_rdataset_first(rdataset);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
- goto failure;
|
||||
do {
|
||||
dns_rdataset_current(rdataset, &rdata);
|
||||
|
||||
isc_buffer_init(&b, rdata.data, rdata.length);
|
||||
isc_buffer_add(&b, rdata.length);
|
||||
INSIST(val->key == NULL);
|
||||
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
|
||||
- val->view->mctx, &val->key);
|
||||
+ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
|
||||
+ val->view->mctx, no_rdata,
|
||||
+ &val->key);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
if (siginfo->algorithm ==
|
||||
(dns_secalg_t)dst_key_alg(val->key) &&
|
||||
siginfo->keyid ==
|
||||
(dns_keytag_t)dst_key_id(val->key) &&
|
||||
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
|
||||
+ 0 &&
|
||||
dst_key_iszonekey(val->key))
|
||||
{
|
||||
- if (foundold) {
|
||||
- /*
|
||||
- * This is the key we're looking for.
|
||||
- */
|
||||
- return (ISC_R_SUCCESS);
|
||||
- } else if (dst_key_compare(oldkey, val->key)) {
|
||||
- foundold = true;
|
||||
- dst_key_free(&oldkey);
|
||||
+ if (no_rdata) {
|
||||
+ /* Retry with full key */
|
||||
+ dns_rdata_reset(&rdata);
|
||||
+ dst_key_free(&val->key);
|
||||
+ no_rdata = false;
|
||||
+ continue;
|
||||
}
|
||||
+ /* This is the key we're looking for. */
|
||||
+ goto done;
|
||||
}
|
||||
dst_key_free(&val->key);
|
||||
}
|
||||
dns_rdata_reset(&rdata);
|
||||
result = dns_rdataset_next(rdataset);
|
||||
+ no_rdata = true;
|
||||
} while (result == ISC_R_SUCCESS);
|
||||
- if (result == ISC_R_NOMORE)
|
||||
- result = ISC_R_NOTFOUND;
|
||||
|
||||
- failure:
|
||||
- if (oldkey != NULL)
|
||||
- dst_key_free(&oldkey);
|
||||
+done:
|
||||
+ if (result == ISC_R_NOMORE) {
|
||||
+ result = ISC_R_NOTFOUND;
|
||||
+ }
|
||||
|
||||
return (result);
|
||||
}
|
||||
@@ -1633,37 +1644,13 @@ validate(dns_validator_t *val, bool resume) {
|
||||
continue;
|
||||
}
|
||||
|
||||
- do {
|
||||
- vresult = verify(val, val->key, &rdata,
|
||||
- val->siginfo->keyid);
|
||||
- if (vresult == ISC_R_SUCCESS)
|
||||
- break;
|
||||
- if (val->keynode != NULL) {
|
||||
- dns_keynode_t *nextnode = NULL;
|
||||
- result = dns_keytable_findnextkeynode(
|
||||
- val->keytable,
|
||||
- val->keynode,
|
||||
- &nextnode);
|
||||
- dns_keytable_detachkeynode(val->keytable,
|
||||
- &val->keynode);
|
||||
- val->keynode = nextnode;
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- val->key = NULL;
|
||||
- break;
|
||||
- }
|
||||
- val->key = dns_keynode_key(val->keynode);
|
||||
- if (val->key == NULL)
|
||||
- break;
|
||||
- } else {
|
||||
- if (get_dst_key(val, val->siginfo, val->keyset)
|
||||
- != ISC_R_SUCCESS)
|
||||
- break;
|
||||
- }
|
||||
- } while (1);
|
||||
- if (vresult != ISC_R_SUCCESS)
|
||||
+ vresult = verify(val, val->key, &rdata,
|
||||
+ val->siginfo->keyid);
|
||||
+ if (vresult != ISC_R_SUCCESS) {
|
||||
+ val->failed = true;
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"failed to verify rdataset");
|
||||
- else {
|
||||
+ } else {
|
||||
dns_rdataset_trimttl(event->rdataset,
|
||||
event->sigrdataset,
|
||||
val->siginfo, val->start,
|
||||
@@ -1700,9 +1687,13 @@ validate(dns_validator_t *val, bool resume) {
|
||||
} else {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"verify failure: %s",
|
||||
- isc_result_totext(result));
|
||||
+ isc_result_totext(vresult));
|
||||
resume = false;
|
||||
}
|
||||
+ if (val->failed) {
|
||||
+ result = ISC_R_NOMORE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
|
||||
index f597049493..7320653439 100644
|
||||
--- a/lib/dns/win32/libdns.def.in
|
||||
+++ b/lib/dns/win32/libdns.def.in
|
||||
@@ -1439,6 +1439,7 @@ dst_key_format
|
||||
dst_key_free
|
||||
dst_key_frombuffer
|
||||
dst_key_fromdns
|
||||
+dst_key_fromdns_ex
|
||||
dst_key_fromfile
|
||||
dst_key_fromgssapi
|
||||
dst_key_fromlabel
|
||||
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
|
||||
index 28e5e25fc6..42f7763869 100644
|
||||
--- a/lib/isc/include/isc/task.h
|
||||
+++ b/lib/isc/include/isc/task.h
|
||||
@@ -98,8 +98,15 @@ ISC_LANG_BEGINDECLS
|
||||
***/
|
||||
|
||||
typedef enum {
|
||||
- isc_taskmgrmode_normal = 0,
|
||||
- isc_taskmgrmode_privileged
|
||||
+ isc_taskqueue_normal = 0,
|
||||
+ isc_taskqueue_slow = 1,
|
||||
+} isc_taskqueue_t;
|
||||
+
|
||||
+#define ISC_TASK_QUANTUM_SLOW 1024
|
||||
+
|
||||
+typedef enum {
|
||||
+ isc_taskmgrmode_normal = 0,
|
||||
+ isc_taskmgrmode_privileged
|
||||
} isc_taskmgrmode_t;
|
||||
|
||||
/*% Task and task manager methods */
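Review bot: `ISC_TASK_QUANTUM_SLOW` is introduced with no comment, yet it silently changes the contract of the `quantum` argument to `isc_task_create()`: a value at or above 1024 routes the task to the slow queue and the remainder becomes its real quantum (as the `isc__task_create` hunk in task.c shows). A reader of this header cannot learn that from the enum or the define; add above it something like `/* Passing quantum >= ISC_TASK_QUANTUM_SLOW to isc_task_create() puts the task on the slow worker pool (isc_taskqueue_slow); its real quantum is quantum - ISC_TASK_QUANTUM_SLOW. */`. The new `isc_taskqueue_t` enum would likewise benefit from a one-line `/*% Which worker pool a task's events run on */`, since task.c indexes the ready queues and condition variables by it.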
|
||||
diff --git a/lib/isc/task.c b/lib/isc/task.c
|
||||
index 048639350b..cc83269df2 100644
|
||||
--- a/lib/isc/task.c
|
||||
+++ b/lib/isc/task.c
|
||||
@@ -107,6 +107,7 @@ struct isc__task {
|
||||
isc_eventlist_t on_shutdown;
|
||||
unsigned int nevents;
|
||||
unsigned int quantum;
|
||||
+ unsigned int qid;
|
||||
unsigned int flags;
|
||||
isc_stdtime_t now;
|
||||
isc_time_t tnow;
|
||||
@@ -141,11 +142,11 @@ struct isc__taskmgr {
|
||||
/* Locked by task manager lock. */
|
||||
unsigned int default_quantum;
|
||||
LIST(isc__task_t) tasks;
|
||||
- isc__tasklist_t ready_tasks;
|
||||
- isc__tasklist_t ready_priority_tasks;
|
||||
+ isc__tasklist_t ready_tasks[2];
|
||||
+ isc__tasklist_t ready_priority_tasks[2];
|
||||
isc_taskmgrmode_t mode;
|
||||
#ifdef ISC_PLATFORM_USETHREADS
|
||||
- isc_condition_t work_available;
|
||||
+ isc_condition_t work_available[2];
|
||||
isc_condition_t exclusive_granted;
|
||||
isc_condition_t paused;
|
||||
#endif /* ISC_PLATFORM_USETHREADS */
|
||||
@@ -247,13 +248,13 @@ isc_taskmgrmode_t
|
||||
isc__taskmgr_mode(isc_taskmgr_t *manager0);
|
||||
|
||||
static inline bool
|
||||
-empty_readyq(isc__taskmgr_t *manager);
|
||||
+empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
|
||||
|
||||
static inline isc__task_t *
|
||||
-pop_readyq(isc__taskmgr_t *manager);
|
||||
+pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid);
|
||||
|
||||
static inline void
|
||||
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task);
|
||||
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid);
|
||||
|
||||
static struct isc__taskmethods {
|
||||
isc_taskmethods_t methods;
|
||||
@@ -324,7 +325,8 @@ task_finished(isc__task_t *task) {
|
||||
* any idle worker threads so they
|
||||
* can exit.
|
||||
*/
|
||||
- BROADCAST(&manager->work_available);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||
}
|
||||
#endif /* USE_WORKER_THREADS */
|
||||
UNLOCK(&manager->lock);
|
||||
@@ -364,7 +366,13 @@ isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
|
||||
INIT_LIST(task->events);
|
||||
INIT_LIST(task->on_shutdown);
|
||||
task->nevents = 0;
|
||||
- task->quantum = quantum;
|
||||
+ if (quantum >= ISC_TASK_QUANTUM_SLOW) {
|
||||
+ task->qid = isc_taskqueue_slow;
|
||||
+ task->quantum = quantum - ISC_TASK_QUANTUM_SLOW;
|
||||
+ } else {
|
||||
+ task->qid = isc_taskqueue_normal;
|
||||
+ task->quantum = quantum;
|
||||
+ }
|
||||
task->flags = 0;
|
||||
task->now = 0;
|
||||
isc_time_settoepoch(&task->tnow);
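Review bot: A caller that wants the slow queue together with the manager's default quantum has no clean way to ask for it: `quantum == ISC_TASK_QUANTUM_SLOW` leaves `task->quantum` at 0 after the subtraction in this hunk. Whether that 0 is later replaced by `manager->default_quantum` depends on where the usual zero-quantum substitution sits relative to this block, which is outside the hunk; if it runs before the decode, slow tasks requesting the default end up with a quantum of 0. Either way a comment on the `else` branch such as `/* quantum 0 after decoding is replaced by the manager default below */` (or a fix moving the substitution after the decode) would make the intent checkable. The rest of isc__task_create lies outside the hunk.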
|
||||
@@ -476,11 +484,11 @@ task_ready(isc__task_t *task) {
|
||||
|
||||
LOCK(&manager->lock);
|
||||
LOCK(&task->lock);
|
||||
- push_readyq(manager, task);
|
||||
+ push_readyq(manager, task, task->qid);
|
||||
UNLOCK(&task->lock);
|
||||
#ifdef USE_WORKER_THREADS
|
||||
if (manager->mode == isc_taskmgrmode_normal || has_privilege)
|
||||
- SIGNAL(&manager->work_available);
|
||||
+ SIGNAL(&manager->work_available[task->qid]);
|
||||
#endif /* USE_WORKER_THREADS */
|
||||
UNLOCK(&manager->lock);
|
||||
}
|
||||
@@ -961,13 +969,13 @@ isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) {
|
||||
* Caller must hold the task manager lock.
|
||||
*/
|
||||
static inline bool
|
||||
-empty_readyq(isc__taskmgr_t *manager) {
|
||||
+empty_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||
isc__tasklist_t queue;
|
||||
|
||||
if (manager->mode == isc_taskmgrmode_normal)
|
||||
- queue = manager->ready_tasks;
|
||||
+ queue = manager->ready_tasks[qid];
|
||||
else
|
||||
- queue = manager->ready_priority_tasks;
|
||||
+ queue = manager->ready_priority_tasks[qid];
|
||||
|
||||
return (EMPTY(queue));
|
||||
}
|
||||
@@ -981,18 +989,18 @@ empty_readyq(isc__taskmgr_t *manager) {
|
||||
* Caller must hold the task manager lock.
|
||||
*/
|
||||
static inline isc__task_t *
|
||||
-pop_readyq(isc__taskmgr_t *manager) {
|
||||
+pop_readyq(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||
isc__task_t *task;
|
||||
|
||||
if (manager->mode == isc_taskmgrmode_normal)
|
||||
- task = HEAD(manager->ready_tasks);
|
||||
+ task = HEAD(manager->ready_tasks[qid]);
|
||||
else
|
||||
- task = HEAD(manager->ready_priority_tasks);
|
||||
+ task = HEAD(manager->ready_priority_tasks[qid]);
|
||||
|
||||
if (task != NULL) {
|
||||
- DEQUEUE(manager->ready_tasks, task, ready_link);
|
||||
+ DEQUEUE(manager->ready_tasks[qid], task, ready_link);
|
||||
if (ISC_LINK_LINKED(task, ready_priority_link))
|
||||
- DEQUEUE(manager->ready_priority_tasks, task,
|
||||
+ DEQUEUE(manager->ready_priority_tasks[qid], task,
|
||||
ready_priority_link);
|
||||
}
|
||||
|
||||
@@ -1006,16 +1014,16 @@ pop_readyq(isc__taskmgr_t *manager) {
|
||||
* Caller must hold the task manager lock.
|
||||
*/
|
||||
static inline void
|
||||
-push_readyq(isc__taskmgr_t *manager, isc__task_t *task) {
|
||||
- ENQUEUE(manager->ready_tasks, task, ready_link);
|
||||
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task, isc_taskqueue_t qid) {
|
||||
+ ENQUEUE(manager->ready_tasks[qid], task, ready_link);
|
||||
if ((task->flags & TASK_F_PRIVILEGED) != 0)
|
||||
- ENQUEUE(manager->ready_priority_tasks, task,
|
||||
+ ENQUEUE(manager->ready_priority_tasks[qid], task,
|
||||
ready_priority_link);
|
||||
manager->tasks_ready++;
|
||||
}
|
||||
|
||||
static void
|
||||
-dispatch(isc__taskmgr_t *manager) {
|
||||
+dispatch(isc__taskmgr_t *manager, isc_taskqueue_t qid) {
|
||||
isc__task_t *task;
|
||||
#ifndef USE_WORKER_THREADS
|
||||
unsigned int total_dispatch_count = 0;
|
||||
@@ -1094,13 +1102,13 @@ dispatch(isc__taskmgr_t *manager) {
|
||||
* If a pause has been requested, don't do any work
|
||||
* until it's been released.
|
||||
*/
|
||||
- while ((empty_readyq(manager) || manager->pause_requested ||
|
||||
+ while ((empty_readyq(manager, qid) || manager->pause_requested ||
|
||||
manager->exclusive_requested) && !FINISHED(manager))
|
||||
{
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat,
|
||||
ISC_MSGSET_GENERAL,
|
||||
ISC_MSG_WAIT, "wait"));
|
||||
- WAIT(&manager->work_available, &manager->lock);
|
||||
+ WAIT(&manager->work_available[qid], &manager->lock);
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat,
|
||||
ISC_MSGSET_TASK,
|
||||
ISC_MSG_AWAKE, "awake"));
|
||||
@@ -1113,7 +1121,7 @@ dispatch(isc__taskmgr_t *manager) {
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
|
||||
ISC_MSG_WORKING, "working"));
|
||||
|
||||
- task = pop_readyq(manager);
|
||||
+ task = pop_readyq(manager, qid);
|
||||
if (task != NULL) {
|
||||
unsigned int dispatch_count = 0;
|
||||
bool done = false;
|
||||
@@ -1278,7 +1286,7 @@ dispatch(isc__taskmgr_t *manager) {
|
||||
*/
|
||||
#ifdef USE_WORKER_THREADS
|
||||
LOCK(&task->lock);
|
||||
- push_readyq(manager, task);
|
||||
+ push_readyq(manager, task, qid);
|
||||
UNLOCK(&task->lock);
|
||||
#else
|
||||
ENQUEUE(new_ready_tasks, task, ready_link);
|
||||
@@ -1297,10 +1305,14 @@ dispatch(isc__taskmgr_t *manager) {
|
||||
* we're stuck. Automatically drop privileges at that
|
||||
* point and continue with the regular ready queue.
|
||||
*/
|
||||
- if (manager->tasks_running == 0 && empty_readyq(manager)) {
|
||||
+ if (manager->tasks_running == 0 && empty_readyq(manager, isc_taskqueue_normal) && empty_readyq(manager, isc_taskqueue_slow)) {
|
||||
manager->mode = isc_taskmgrmode_normal;
|
||||
- if (!empty_readyq(manager))
|
||||
- BROADCAST(&manager->work_available);
|
||||
+ if (!empty_readyq(manager, isc_taskqueue_normal)) {
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ }
|
||||
+ if (!empty_readyq(manager, isc_taskqueue_slow)) {
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||
+ }
|
||||
}
|
||||
#endif
|
||||
}
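Review bot: The rewritten privilege-drop condition in this hunk is a single line of roughly 130 columns, while every surrounding line in task.c keeps to the file's 80-column style; split it one call per line, `if (manager->tasks_running == 0 &&` / `    empty_readyq(manager, isc_taskqueue_normal) &&` / `    empty_readyq(manager, isc_taskqueue_slow))`, with the opening brace on its own line as the `while` just above it does. The logic itself reads correctly: both queues must be drained before the manager falls back to normal mode, and each pool is woken only if its own queue is non-empty. dispatch() continues outside the hunk.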
|
||||
@@ -1322,13 +1334,37 @@ static isc_threadresult_t
|
||||
#ifdef _WIN32
|
||||
WINAPI
|
||||
#endif
|
||||
-run(void *uap) {
|
||||
+run_normal(void *uap) {
|
||||
isc__taskmgr_t *manager = uap;
|
||||
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||
ISC_MSG_STARTING, "starting"));
|
||||
|
||||
- dispatch(manager);
|
||||
+ dispatch(manager, isc_taskqueue_normal);
|
||||
+
|
||||
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||
+ ISC_MSG_EXITING, "exiting"));
|
||||
+
|
||||
+#ifdef OPENSSL_LEAKS
|
||||
+ ERR_remove_state(0);
|
||||
+#endif
|
||||
+
|
||||
+ return ((isc_threadresult_t)0);
|
||||
+}
|
||||
+#endif /* USE_WORKER_THREADS */
|
||||
+
|
||||
+#ifdef USE_WORKER_THREADS
|
||||
+static isc_threadresult_t
|
||||
+#ifdef _WIN32
|
||||
+WINAPI
|
||||
+#endif
|
||||
+run_slow(void *uap) {
|
||||
+ isc__taskmgr_t *manager = uap;
|
||||
+
|
||||
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||
+ ISC_MSG_STARTING, "starting"));
|
||||
+
|
||||
+ dispatch(manager, isc_taskqueue_slow);
|
||||
|
||||
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||
ISC_MSG_EXITING, "exiting"));
|
||||
@@ -1347,7 +1383,8 @@ manager_free(isc__taskmgr_t *manager) {
|
||||
|
||||
#ifdef USE_WORKER_THREADS
|
||||
(void)isc_condition_destroy(&manager->exclusive_granted);
|
||||
- (void)isc_condition_destroy(&manager->work_available);
|
||||
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
|
||||
(void)isc_condition_destroy(&manager->paused);
|
||||
isc_mem_free(manager->mctx, manager->threads);
|
||||
#endif /* USE_WORKER_THREADS */
|
||||
@@ -1414,12 +1451,20 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||
#ifdef USE_WORKER_THREADS
|
||||
manager->workers = 0;
|
||||
manager->threads = isc_mem_allocate(mctx,
|
||||
- workers * sizeof(isc_thread_t));
|
||||
+ 2 * workers * sizeof(isc_thread_t));
|
||||
if (manager->threads == NULL) {
|
||||
result = ISC_R_NOMEMORY;
|
||||
goto cleanup_lock;
|
||||
}
|
||||
- if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
|
||||
+ if (isc_condition_init(&manager->work_available[isc_taskqueue_normal]) != ISC_R_SUCCESS) {
|
||||
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
+ "isc_condition_init() %s",
|
||||
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
|
||||
+ ISC_MSG_FAILED, "failed"));
|
||||
+ result = ISC_R_UNEXPECTED;
|
||||
+ goto cleanup_threads;
|
||||
+ }
|
||||
+ if (isc_condition_init(&manager->work_available[isc_taskqueue_slow]) != ISC_R_SUCCESS) {
|
||||
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
"isc_condition_init() %s",
|
||||
isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
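Review bot: The error path for the second `isc_condition_init()` (the `isc_taskqueue_slow` one) needs a cleanup step that none of the existing labels provides. The hunk ends before its `goto`, but if it still jumps to `cleanup_threads` like the first call does, the already-initialised `work_available[isc_taskqueue_normal]` is never destroyed, and jumping to `cleanup_workavailable` instead would also destroy the uninitialised slow condition. Destroy the normal one inline before leaving, `(void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]); goto cleanup_threads;`, or add a label between the two destroys in the cleanup chain. isc__taskmgr_create continues outside the hunk.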
|
||||
@@ -1448,8 +1493,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||
default_quantum = DEFAULT_DEFAULT_QUANTUM;
|
||||
manager->default_quantum = default_quantum;
|
||||
INIT_LIST(manager->tasks);
|
||||
- INIT_LIST(manager->ready_tasks);
|
||||
- INIT_LIST(manager->ready_priority_tasks);
|
||||
+ INIT_LIST(manager->ready_tasks[isc_taskqueue_normal]);
|
||||
+ INIT_LIST(manager->ready_tasks[isc_taskqueue_slow]);
|
||||
+ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_normal]);
|
||||
+ INIT_LIST(manager->ready_priority_tasks[isc_taskqueue_slow]);
|
||||
manager->tasks_running = 0;
|
||||
manager->tasks_ready = 0;
|
||||
manager->exclusive_requested = false;
|
||||
@@ -1465,7 +1512,19 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||
* Start workers.
|
||||
*/
|
||||
for (i = 0; i < workers; i++) {
|
||||
- if (isc_thread_create(run, manager,
|
||||
+ if (isc_thread_create(run_normal, manager,
|
||||
+ &manager->threads[manager->workers]) ==
|
||||
+ ISC_R_SUCCESS) {
|
||||
+ char name[21]; /* thread name limit on Linux */
|
||||
+ snprintf(name, sizeof(name), "isc-worker%04u", i);
|
||||
+ isc_thread_setname(manager->threads[manager->workers],
|
||||
+ name);
|
||||
+ manager->workers++;
|
||||
+ started++;
|
||||
+ }
|
||||
+ }
|
||||
+ for (; i < workers * 2; i++) {
|
||||
+ if (isc_thread_create(run_slow, manager,
|
||||
&manager->threads[manager->workers]) ==
|
||||
ISC_R_SUCCESS) {
|
||||
char name[21]; /* thread name limit on Linux */
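Review bot: The slow-pool workers started in the second loop appear to receive the same `isc-worker%04u` thread name as the normal pool (their `snprintf` lies beyond the hunk, so this is inferred from the shared context), which makes the two pools indistinguishable in thread listings when diagnosing a stalled queue. Naming them distinctly, e.g. `snprintf(name, sizeof(name), "isc-slow%04u", i - workers);`, fits the 21-byte limit and costs nothing. Also, `started` is shared by both loops, so the `ISC_R_NOTHREADS` check further down (outside the hunk) presumably still fires only when no thread at all came up; if every `run_slow` creation fails while `run_normal` succeeds, the manager starts but tasks routed to the slow queue are never dispatched, so each pool should be checked separately.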
|
||||
@@ -1482,7 +1541,7 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||
manager_free(manager);
|
||||
return (ISC_R_NOTHREADS);
|
||||
}
|
||||
- isc_thread_setconcurrency(workers);
|
||||
+ isc_thread_setconcurrency(workers * 2);
|
||||
#endif /* USE_WORKER_THREADS */
|
||||
#ifdef USE_SHARED_MANAGER
|
||||
manager->refs = 1;
|
||||
@@ -1497,7 +1556,8 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
|
||||
cleanup_exclusivegranted:
|
||||
(void)isc_condition_destroy(&manager->exclusive_granted);
|
||||
cleanup_workavailable:
|
||||
- (void)isc_condition_destroy(&manager->work_available);
|
||||
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_slow]);
|
||||
+ (void)isc_condition_destroy(&manager->work_available[isc_taskqueue_normal]);
|
||||
cleanup_threads:
|
||||
isc_mem_free(mctx, manager->threads);
|
||||
cleanup_lock:
|
||||
@@ -1582,7 +1642,7 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
|
||||
task = NEXT(task, link)) {
|
||||
LOCK(&task->lock);
|
||||
if (task_shutdown(task))
|
||||
- push_readyq(manager, task);
|
||||
+ push_readyq(manager, task, task->qid);
|
||||
UNLOCK(&task->lock);
|
||||
}
|
||||
#ifdef USE_WORKER_THREADS
|
||||
@@ -1591,7 +1651,8 @@ isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
|
||||
* there's work left to do, and if there are already no tasks left
|
||||
* it will cause the workers to see manager->exiting.
|
||||
*/
|
||||
- BROADCAST(&manager->work_available);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||
UNLOCK(&manager->lock);
|
||||
|
||||
/*
|
||||
@@ -1693,7 +1754,8 @@ isc__taskmgr_resume(isc_taskmgr_t *manager0) {
|
||||
LOCK(&manager->lock);
|
||||
if (manager->pause_requested) {
|
||||
manager->pause_requested = false;
|
||||
- BROADCAST(&manager->work_available);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||
}
|
||||
UNLOCK(&manager->lock);
|
||||
}
|
||||
@@ -1778,7 +1840,8 @@ isc__task_endexclusive(isc_task_t *task0) {
|
||||
LOCK(&manager->lock);
|
||||
REQUIRE(manager->exclusive_requested);
|
||||
manager->exclusive_requested = false;
|
||||
- BROADCAST(&manager->work_available);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_normal]);
|
||||
+ BROADCAST(&manager->work_available[isc_taskqueue_slow]);
|
||||
UNLOCK(&manager->lock);
|
||||
#else
|
||||
UNUSED(task0);
|
||||
@@ -1804,10 +1867,10 @@ isc__task_setprivilege(isc_task_t *task0, bool priv) {
|
||||
|
||||
LOCK(&manager->lock);
|
||||
if (priv && ISC_LINK_LINKED(task, ready_link))
|
||||
- ENQUEUE(manager->ready_priority_tasks, task,
|
||||
+ ENQUEUE(manager->ready_priority_tasks[task->qid], task,
|
||||
ready_priority_link);
|
||||
else if (!priv && ISC_LINK_LINKED(task, ready_priority_link))
|
||||
- DEQUEUE(manager->ready_priority_tasks, task,
|
||||
+ DEQUEUE(manager->ready_priority_tasks[task->qid], task,
|
||||
ready_priority_link);
|
||||
UNLOCK(&manager->lock);
|
||||
}
|
||||
--
|
||||
2.43.2
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
diff --git a/export-libs/Makefile b/export-libs/Makefile
|
||||
index df15ea8..13f416b 100644
|
||||
--- a/export-libs/Makefile
|
||||
+++ b/export-libs/Makefile
|
||||
@@ -404,20 +404,18 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
|
||||
install:: isc-config.sh installdirs
|
||||
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
|
||||
- rm -f ${DESTDIR}${bindir}/bind9-config
|
||||
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
|
||||
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
|
||||
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
|
||||
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
|
||||
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
|
||||
uninstall::
|
||||
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
|
||||
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
|
||||
- rm -f ${DESTDIR}${bindir}/bind9-config
|
||||
- rm -f ${DESTDIR}${bindir}/isc-config.sh
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
|
||||
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
|
||||
|
||||
tags:
|
||||
rm -f TAGS
|
|
@ -1,4 +1,4 @@
|
|||
From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
|
||||
From c928591eb2a3b17c5be0cad56c8e061ebba11a95 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 20 Dec 2018 11:52:12 +0100
|
||||
Subject: [PATCH] Fix implicit declaration warning
|
||||
|
@ -11,7 +11,7 @@ header providing it in files that use it.
|
|||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||
index 36ee6c7..6051cd2 100644
|
||||
index 4b5b901..a3dd450 100644
|
||||
--- a/bin/tests/system/tkey/keydelete.c
|
||||
+++ b/bin/tests/system/tkey/keydelete.c
|
||||
@@ -21,6 +21,7 @@
|
||||
|
@ -23,7 +23,7 @@ index 36ee6c7..6051cd2 100644
|
|||
#include <isc/sockaddr.h>
|
||||
#include <isc/socket.h>
|
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
|
||||
index 70805bb..33870f3 100644
|
||||
index c37b235..7786801 100644
|
||||
--- a/lib/dns/tsig.c
|
||||
+++ b/lib/dns/tsig.c
|
||||
@@ -18,6 +18,7 @@
|
||||
|
@ -31,9 +31,9 @@ index 70805bb..33870f3 100644
|
|||
#include <isc/buffer.h>
|
||||
#include <isc/mem.h>
|
||||
+#include <isc/md5.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/refcount.h>
|
||||
#include <isc/serial.h>
|
||||
--
|
||||
2.14.5
|
||||
2.26.2
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From c23daf334d5487fa53fef88c82312e439a2d8523 Mon Sep 17 00:00:00 2001
|
||||
From 1dc81c51cd5c70b783aab8b6156aec4cfedd6fe3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
|
@ -80,7 +80,7 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
|||
bin/tests/system/digdelv/tests.sh | 20 +++---
|
||||
bin/tests/system/dlv/ns1/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns2/sign.sh | 4 +-
|
||||
bin/tests/system/dlv/ns6/sign.sh | 66 +++++++++---------
|
||||
bin/tests/system/dlv/ns6/sign.sh | 66 ++++++++++---------
|
||||
bin/tests/system/dnssec/ns2/sign.sh | 8 +--
|
||||
bin/tests/system/dnssec/ns5/trusted.conf.bad | 2 +-
|
||||
bin/tests/system/dnssec/tests.sh | 4 +-
|
||||
|
@ -92,22 +92,21 @@ Date: Wed Mar 7 10:44:23 2018 +0100
|
|||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 7 +-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 ++-
|
||||
bin/tests/system/nsupdate/tests.sh | 11 +++-
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||
bin/tests/system/tsig/clean.sh | 1 +
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 67 ++++++++++++-------
|
||||
bin/tests/system/tsig/tests.sh | 65 +++++++++++-------
|
||||
bin/tests/system/tsiggss/setup.sh | 2 +-
|
||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
45 files changed, 232 insertions(+), 171 deletions(-)
|
||||
44 files changed, 230 insertions(+), 170 deletions(-)
|
||||
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
index 0ea6502..026db3f 100644
|
||||
index 9999ada..e3f8d0e 100644
|
||||
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
|
@ -126,7 +125,7 @@ index 0ea6502..026db3f 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
index b877880..d8f50be 100644
|
||||
index f8ec34e..d2d6ad3 100644
|
||||
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
|
@ -145,7 +144,7 @@ index b877880..d8f50be 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
index 0a95062..aa54088 100644
|
||||
index 2acb813..6a00344 100644
|
||||
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
@@ -33,17 +33,17 @@ options {
|
||||
|
@ -170,7 +169,7 @@ index 0a95062..aa54088 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
index 7cdcb6e..606a345 100644
|
||||
index bca3ee1..5913420 100644
|
||||
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
|
@ -189,7 +188,7 @@ index 7cdcb6e..606a345 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
index 4b4e050..0e679a8 100644
|
||||
index 9ef8171..5ae8d38 100644
|
||||
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
@@ -34,12 +34,12 @@ options {
|
||||
|
@ -208,7 +207,7 @@ index 4b4e050..0e679a8 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index 09f31f2..f88f0d4 100644
|
||||
index 2ee34a0..a73a54e 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
||||
|
@ -334,7 +333,7 @@ index 09f31f2..f88f0d4 100644
|
|||
|
||||
echo_i "testing allow-query-on ACL processing"
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
index 1569913..e9c5c2d 100644
|
||||
index a579f32..3b8f853 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
|
@ -347,7 +346,7 @@ index 1569913..e9c5c2d 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
index 18ac91c..2b1c873 100644
|
||||
index 166afa1..997ece9 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
|
@ -366,7 +365,7 @@ index 18ac91c..2b1c873 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
index b824844..dd48945 100644
|
||||
index 25271a5..a9cb65d 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
|
@ -379,7 +378,7 @@ index b824844..dd48945 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
index aeb1540..bfce58b 100644
|
||||
index c7c8254..f165e65 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
|
@ -392,7 +391,7 @@ index aeb1540..bfce58b 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
index d4b7432..e0f5252 100644
|
||||
index 567bbcc..4fd2035 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
@@ -12,12 +12,12 @@
|
||||
|
@ -411,7 +410,7 @@ index d4b7432..e0f5252 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
index c025938..87afb3f 100644
|
||||
index b75161f..7b254e6 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
@@ -12,7 +12,7 @@
|
||||
|
@ -424,7 +423,7 @@ index c025938..87afb3f 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
index d83b376..d726b94 100644
|
||||
index 9e17818..22f5001 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
@@ -16,12 +16,12 @@ acl accept { 10.53.0.2; };
|
||||
|
@ -443,7 +442,7 @@ index d83b376..d726b94 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index fb6059d..f960156 100644
|
||||
index 791a1a4..95cd971 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -190,7 +190,7 @@ rndc_reload
|
||||
|
@ -528,7 +527,7 @@ index fb6059d..f960156 100644
|
|||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||
index 74b7d37..c353766 100644
|
||||
index 6856ec7..0ac1fa3 100644
|
||||
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
||||
|
@ -539,7 +538,7 @@ index 74b7d37..c353766 100644
|
|||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
||||
index ee83efb..35ced08 100644
|
||||
index dd3a9dc..77b8d96 100644
|
||||
--- a/bin/tests/system/catz/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
||||
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
||||
|
@ -550,7 +549,7 @@ index ee83efb..35ced08 100644
|
|||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
index 21be03e..e57c308 100644
|
||||
index 338dddb..90cd424 100644
|
||||
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
@@ -11,7 +11,7 @@
|
||||
|
@ -563,10 +562,10 @@ index 21be03e..e57c308 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index 9ab35b3..486551a 100644
|
||||
index 2282f87..1359cf3 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -153,6 +153,6 @@ dyndb "name" "library.so" {
|
||||
@@ -159,6 +159,6 @@ dyndb "name" "library.so" {
|
||||
system;
|
||||
};
|
||||
key "mykey" {
|
||||
|
@ -575,7 +574,7 @@ index 9ab35b3..486551a 100644
|
|||
secret "qwertyuiopasdfgh";
|
||||
};
|
||||
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
|
||||
index f4e30f5..9f53e31 100644
|
||||
index b66207a..359b220 100644
|
||||
--- a/bin/tests/system/digdelv/ns2/example.db
|
||||
+++ b/bin/tests/system/digdelv/ns2/example.db
|
||||
@@ -38,12 +38,15 @@ foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
|
||||
|
@ -601,10 +600,10 @@ index f4e30f5..9f53e31 100644
|
|||
; TTL of 3 weeks
|
||||
weeks 1814400 A 10.53.0.2
|
||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
|
||||
index ade45ce..d3aff24 100644
|
||||
index a3ebc31..0d9b9b8 100644
|
||||
--- a/bin/tests/system/digdelv/tests.sh
|
||||
+++ b/bin/tests/system/digdelv/tests.sh
|
||||
@@ -106,7 +106,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -173,7 +173,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
|
@ -613,7 +612,7 @@ index ade45ce..d3aff24 100644
|
|||
check_ttl_range dig.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -115,7 +115,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -182,7 +182,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
|
@ -622,7 +621,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -123,7 +123,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -190,7 +190,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +nosplit works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
|
@ -631,7 +630,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -131,7 +131,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -198,7 +198,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
|
@ -640,7 +639,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -148,7 +148,7 @@ if [ -x "$DIG" ] ; then
|
||||
@@ -215,7 +215,7 @@ if [ -x "$DIG" ] ; then
|
||||
echo_i "checking dig +short +rrcomments works($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
|
||||
|
@ -649,7 +648,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -695,7 +695,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -846,7 +846,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +rrcomments works for DNSKEY($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
|
@ -658,7 +657,7 @@ index ade45ce..d3aff24 100644
|
|||
check_ttl_range delv.out.test$n "DNSKEY" 300 || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -704,7 +704,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -855,7 +855,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works for DNSKEY ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
|
@ -667,7 +666,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -712,7 +712,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -863,7 +863,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +rrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
|
@ -676,7 +675,7 @@ index ade45ce..d3aff24 100644
|
|||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
@@ -720,7 +720,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -871,7 +871,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
|
@ -685,7 +684,7 @@ index ade45ce..d3aff24 100644
|
|||
if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
|
||||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 14 || ret=1
|
||||
@@ -731,7 +731,7 @@ if [ -x ${DELV} ] ; then
|
||||
@@ -882,7 +882,7 @@ if [ -x ${DELV} ] ; then
|
||||
echo_i "checking delv +short +nosplit +norrcomments works ($n)"
|
||||
ret=0
|
||||
$DELV $DELVOPTS +tcp @10.53.0.3 +short +nosplit +norrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
|
||||
|
@ -695,7 +694,7 @@ index ade45ce..d3aff24 100644
|
|||
f=`awk '{print NF}' < delv.out.test$n`
|
||||
test "${f:-0}" -eq 4 || ret=1
|
||||
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
|
||||
index 606e7cc..a3a0d60 100755
|
||||
index 14ca5db..3f522d0 100755
|
||||
--- a/bin/tests/system/dlv/ns1/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns1/sign.sh
|
||||
@@ -23,8 +23,8 @@ infile=root.db.in
|
||||
|
@ -710,7 +709,7 @@ index 606e7cc..a3a0d60 100755
|
|||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
|
||||
index 9825c57..202c978 100755
|
||||
index d870798..b0ab372 100755
|
||||
--- a/bin/tests/system/dlv/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns2/sign.sh
|
||||
@@ -24,8 +24,8 @@ zonefile=druz.db
|
||||
|
@ -725,7 +724,7 @@ index 9825c57..202c978 100755
|
|||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
|
||||
index 1e39862..4ed19ac 100755
|
||||
index ba39f90..f20a2dd 100755
|
||||
--- a/bin/tests/system/dlv/ns6/sign.sh
|
||||
+++ b/bin/tests/system/dlv/ns6/sign.sh
|
||||
@@ -16,13 +16,15 @@ SYSTESTDIR=dlv
|
||||
|
@ -912,7 +911,7 @@ index 1e39862..4ed19ac 100755
|
|||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
index 13fb924..1ffa279 100644
|
||||
index d401823..139c7ad 100644
|
||||
--- a/bin/tests/system/dnssec/ns2/sign.sh
|
||||
+++ b/bin/tests/system/dnssec/ns2/sign.sh
|
||||
@@ -126,8 +126,8 @@ zone=in-addr.arpa.
|
||||
|
@ -945,7 +944,7 @@ index 13fb924..1ffa279 100644
|
|||
cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
|
||||
|
||||
diff --git a/bin/tests/system/dnssec/ns5/trusted.conf.bad b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
index ed30460..e6b1126 100644
|
||||
index 75cf699..b4d848c 100644
|
||||
--- a/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
+++ b/bin/tests/system/dnssec/ns5/trusted.conf.bad
|
||||
@@ -10,5 +10,5 @@
|
||||
|
@ -956,10 +955,10 @@ index ed30460..e6b1126 100644
|
|||
+ "." 256 3 8 "AwEAAarwAdjV4gIhpBCjXVAScRFEx3co7k8smJdxrnqoGsl5NB7EZ9jRdgvCXbJn6v8y9jlNWVHvaC8ilhfhLh0A1vLWiWv4ijd/12xcnrY7xpG7Cu3YkxUxaXJ7Jdg/Iw1+9mGgXF1v4UbCIcw/3U3cxyk7OxYg+VSb5KBAQSR0upxV";
|
||||
};
|
||||
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
|
||||
index b31c1b4..a5e237b 100644
|
||||
index 30f7fc5..2f34b6d 100644
|
||||
--- a/bin/tests/system/dnssec/tests.sh
|
||||
+++ b/bin/tests/system/dnssec/tests.sh
|
||||
@@ -3235,8 +3235,8 @@ do
|
||||
@@ -3281,8 +3281,8 @@ do
|
||||
alg=`expr $alg + 1`
|
||||
continue;;
|
||||
3) size="-b 512";;
|
||||
|
@ -971,7 +970,7 @@ index b31c1b4..a5e237b 100644
|
|||
8) size="-b 512";;
|
||||
10) size="-b 1024";;
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index c1249ed..20a3139 100644
|
||||
index 5e473ab..b08692e 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -19,6 +19,7 @@
|
||||
|
@ -983,14 +982,14 @@ index c1249ed..20a3139 100644
|
|||
|
||||
#ifdef WIN32
|
||||
@@ -47,6 +48,7 @@ usage() {
|
||||
fprintf(stderr, " --have-geoip2\n");
|
||||
fprintf(stderr, " --have-libxml2\n");
|
||||
fprintf(stderr, " --ipv6only=no\n");
|
||||
+ fprintf(stderr, " --md5\n");
|
||||
fprintf(stderr, " --rpz-nsdname\n");
|
||||
fprintf(stderr, " --rpz-nsip\n");
|
||||
fprintf(stderr, " --with-idn\n");
|
||||
@@ -155,6 +157,18 @@ main(int argc, char **argv) {
|
||||
fprintf(stderr, "\t--have-geoip\n");
|
||||
fprintf(stderr, "\t--have-libxml2\n");
|
||||
fprintf(stderr, "\t--ipv6only=no\n");
|
||||
+ fprintf(stderr, "\t--md5\n");
|
||||
fprintf(stderr, "\t--rpz-log-qtype-qclass\n");
|
||||
fprintf(stderr, "\t--rpz-nsdname\n");
|
||||
fprintf(stderr, "\t--rpz-nsip\n");
|
||||
@@ -194,6 +196,18 @@ main(int argc, char **argv) {
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -1010,7 +1009,7 @@ index c1249ed..20a3139 100644
|
|||
#ifdef ENABLE_RPZ_NSIP
|
||||
return (0);
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
index 479f98c..4d4a765 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
|
@ -1025,7 +1024,7 @@ index f755581..4a7d890 100755
|
|||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
index f755581..4a7d890 100755
|
||||
index 479f98c..4d4a765 100755
|
||||
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
|
||||
@@ -21,8 +21,8 @@ infile=signed.db.in
|
||||
|
@ -1040,7 +1039,7 @@ index f755581..4a7d890 100755
|
|||
cat $infile $keyname1.key $keyname2.key >$zonefile
|
||||
|
||||
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||
index cfcfe8f..0a1614d 100644
|
||||
index 157ef16..b802288 100644
|
||||
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||
@@ -10,17 +10,17 @@
|
||||
|
@ -1065,7 +1064,7 @@ index cfcfe8f..0a1614d 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||
index 1f6e6d0..c08bd25 100644
|
||||
index f9fd3f5..916af75 100644
|
||||
--- a/bin/tests/system/notify/tests.sh
|
||||
+++ b/bin/tests/system/notify/tests.sh
|
||||
@@ -212,16 +212,16 @@ ret=0
|
||||
|
@ -1089,7 +1088,7 @@ index 1f6e6d0..c08bd25 100644
|
|||
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
||||
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 1d999ad..26b6b7c 100644
|
||||
index b0ded3a..cb80269 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -32,7 +32,7 @@ controls {
|
||||
|
@ -1102,7 +1101,7 @@ index 1d999ad..26b6b7c 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index 4549184..cb7dccd 100644
|
||||
index e6e2382..b0a94e0 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -33,7 +33,7 @@ controls {
|
||||
|
@ -1115,10 +1114,10 @@ index 4549184..cb7dccd 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index 21805c5..0d3d85c 100644
|
||||
index 2b3b154..8240c42 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -58,7 +58,12 @@ EOF
|
||||
@@ -68,7 +68,12 @@ EOF
|
||||
|
||||
$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
|
||||
|
||||
|
@ -1133,10 +1132,10 @@ index 21805c5..0d3d85c 100644
|
|||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index 4da4849..b3bc807 100755
|
||||
index 60cf7ee..f8994ff 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -708,7 +708,14 @@ fi
|
||||
@@ -804,7 +804,14 @@ fi
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms ($n)"
|
||||
|
@ -1152,7 +1151,7 @@ index 4da4849..b3bc807 100755
|
|||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -716,7 +723,7 @@ send
|
||||
@@ -812,7 +819,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
|
@ -1162,10 +1161,10 @@ index 4da4849..b3bc807 100755
|
|||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index 343869e..c30efb0 100644
|
||||
index 2eb2cd5..36f5114 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -37,7 +37,7 @@ make_key () {
|
||||
@@ -35,7 +35,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
|
@ -1175,7 +1174,7 @@ index 343869e..c30efb0 100644
|
|||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 57e066d..186a723 100644
|
||||
index 4e25e51..cb8934c 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
|
@ -1208,17 +1207,8 @@ index 57e066d..186a723 100644
|
|||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/clean.sh b/bin/tests/system/tsig/clean.sh
|
||||
index 576ec70..cb7a852 100644
|
||||
--- a/bin/tests/system/tsig/clean.sh
|
||||
+++ b/bin/tests/system/tsig/clean.sh
|
||||
@@ -20,3 +20,4 @@ rm -f */named.run
|
||||
rm -f ns*/named.lock
|
||||
rm -f Kexample.net.+163+*
|
||||
rm -f keygen.out?
|
||||
+rm -f ns1/named.conf
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index fbf30c6..f61657d 100644
|
||||
index 4905ffd..958d9fb 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@@ -21,10 +21,7 @@ options {
|
||||
|
@ -1245,11 +1235,27 @@ index fbf30c6..f61657d 100644
|
|||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index 4dd4a25..aa0f966 100644
|
||||
index f42aa79..bfcf4a6 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -17,3 +17,8 @@ $SHELL clean.sh
|
||||
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
|
@ -1259,7 +1265,7 @@ index 4dd4a25..aa0f966 100644
|
|||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index f731fa6..cade35b 100644
|
||||
index e0c2903..327fa50 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||
|
@ -1273,13 +1279,6 @@ index f731fa6..cade35b 100644
|
|||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
-fi
|
||||
-
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (old form)"
|
||||
|
@ -1289,7 +1288,13 @@ index f731fa6..cade35b 100644
|
|||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+
|
||||
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+ echo_i "fetching using hmac-md5 (new form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
|
@ -1351,10 +1356,10 @@ index f731fa6..cade35b 100644
|
|||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
|
||||
index 0d21c7b..dbcb7b4 100644
|
||||
index f04c907..09da5f9 100644
|
||||
--- a/bin/tests/system/tsiggss/setup.sh
|
||||
+++ b/bin/tests/system/tsiggss/setup.sh
|
||||
@@ -18,5 +18,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
@@ -16,5 +16,5 @@ test -r $RANDFILE || $GENRANDOM $RANDOMSIZE $RANDFILE
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
|
||||
|
@ -1362,7 +1367,7 @@ index 0d21c7b..dbcb7b4 100644
|
|||
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 1024 -r $RANDFILE -n HOST -T KEY key.example.nil.`
|
||||
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
|
||||
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
index e0a30cd..6a77b1c 100644
|
||||
index 4ddd7a4..238f52a 100644
|
||||
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
|
@ -1375,7 +1380,7 @@ index e0a30cd..6a77b1c 100644
|
|||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index b0694bb..9adae82 100644
|
||||
index 1cf8d3b..f4c3216 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -68,7 +68,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
|
@ -1387,22 +1392,6 @@ index b0694bb..9adae82 100644
|
|||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
--
|
||||
2.20.1
|
||||
2.31.1
|
||||
@ -1,4 +1,4 @@
|
|||
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
|
||||
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 2 Jan 2018 18:13:07 +0100
|
||||
Subject: [PATCH] Fix pkcs11 variants atf tests
|
||||
|
@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
|
|||
6 files changed, 38 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 0532feb..a83ddd5 100644
|
||||
index 62ecf56..0940a7d 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
|
||||
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
|
||||
lib/dns-pkcs11/include/Makefile
|
||||
lib/dns-pkcs11/include/dns/Makefile
|
||||
lib/dns-pkcs11/include/dst/Makefile
|
||||
|
@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
|
|||
include('isccfg/Kyuafile')
|
||||
include('lwres/Kyuafile')
|
||||
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
|
||||
index 7671e1d..e237d5c 100644
|
||||
index 22a06a8..5df5b15 100644
|
||||
--- a/lib/dns-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/tests/Makefile.in
|
||||
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
@DST_OPENSSL_INC@
|
||||
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
|
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
|
||||
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
|
||||
|
||||
|
@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
|
|||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
|
||||
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
|
||||
index 4dbfd82..a383b8e 100644
|
||||
index a5bf46c..9ff2b76 100644
|
||||
--- a/lib/dns-pkcs11/tests/dh_test.c
|
||||
+++ b/lib/dns-pkcs11/tests/dh_test.c
|
||||
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
|
||||
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
|
||||
result = dst_key_computesecret(key, key, &buf);
|
||||
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
|
||||
result = key->func->computesecret(key, key, &buf);
|
||||
|
@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
|
|||
dst_key_free(&key);
|
||||
}
|
||||
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
|
||||
index 2fdee0b..a263b35 100644
|
||||
index 36d2207..00dfbc9 100644
|
||||
--- a/lib/isc-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/isc-pkcs11/tests/Makefile.in
|
||||
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
|
||||
|
@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
|
|||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
|
||||
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
|
||||
index 9c4d299..d9deba2 100644
|
||||
index 4fafc38..5eb2be2 100644
|
||||
--- a/lib/isc-pkcs11/tests/hash_test.c
|
||||
+++ b/lib/isc-pkcs11/tests/hash_test.c
|
||||
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
|
||||
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
|
||||
|
||||
typedef struct hash_test_key {
|
||||
const char *key;
|
||||
|
@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
|
|||
} hash_test_key_t;
|
||||
|
||||
/* non-hmac tests */
|
||||
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
|
||||
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
|
|||
isc_hmacsha1_update(&hmacsha1,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
|
||||
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
|
|||
isc_hmacsha224_update(&hmacsha224,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
|
||||
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
|
|||
isc_hmacsha256_update(&hmacsha256,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
|
||||
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
|
|||
isc_hmacsha384_update(&hmacsha384,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
|
||||
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
|
|||
isc_hmacsha512_update(&hmacsha512,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
|
||||
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
|
@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
|
|||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
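Review bot: The rebased patch header still reads `Subject: [PATCH] Fix pkcs11 variants atf tests`, while the hunks it now carries appear to be cmocka-based (`LIBS = @LIBS@ @CMOCKA_LIBS@`, `CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@`, `dh_computesecret(void **state)`, `assert_int_equal(result, DST_R_NOTPRIVATEKEY)`), so the "atf" wording looks stale and is worth refreshing when the patch is regenerated. The `From` id was regenerated and the trailing git version line moved from `2.20.1` to `2.21.1`, but `Date:` and the description body are unchanged, so nothing in the patch records that it was rebased or what differed; the only non-mechanical difference visible here is the `CINCLUDES` context line gaining `${MAXMINDDB_CFLAGS}`, the rest being index ids and hunk offsets. A one-line rebase note under the description, e.g. `Rebased onto the current bind source tree; only hunk offsets and the CINCLUDES context line changed.`, would let the next maintainer verify that without a side-by-side diff.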
@ -1,288 +0,0 @@
|
|||
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200
|
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
|
||||
|
||||
(cherry picked from commit 66ba2fdad583d962a1f4971c85d58381f0849e4d)
|
||||
|
||||
Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp()
|
||||
|
||||
(cherry picked from commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c)
|
||||
|
||||
Fix the isc_safe_memwipe() usage with (NULL, >0)
|
||||
|
||||
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
|
||||
---
|
||||
bin/dnssec/dnssec-signzone.c | 2 +-
|
||||
lib/dns/nsec3.c | 4 +-
|
||||
lib/dns/spnego.c | 4 +-
|
||||
lib/isc/Makefile.in | 8 +---
|
||||
lib/isc/include/isc/safe.h | 18 ++------
|
||||
lib/isc/safe.c | 83 ------------------------------------
|
||||
lib/isc/tests/safe_test.c | 18 --------
|
||||
7 files changed, 11 insertions(+), 126 deletions(-)
|
||||
delete mode 100644 lib/isc/safe.c
|
||||
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index 6ddaebe..d921870 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
|
||||
|
||||
static int
|
||||
hashlist_comp(const void *a, const void *b) {
|
||||
- return (isc_safe_memcompare(a, b, hash_length + 1));
|
||||
+ return (memcmp(a, b, hash_length + 1));
|
||||
}
|
||||
|
||||
static void
|
||||
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
|
||||
index 6ae7ca8..01426d6 100644
|
||||
--- a/lib/dns/nsec3.c
|
||||
+++ b/lib/dns/nsec3.c
|
||||
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
* Work out what this NSEC3 covers.
|
||||
* Inside (<0) or outside (>=0).
|
||||
*/
|
||||
- scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
|
||||
+ scope = memcmp(owner, nsec3.next, nsec3.next_length);
|
||||
|
||||
/*
|
||||
* Prepare to compute all the hashes.
|
||||
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
|
||||
return (ISC_R_IGNORE);
|
||||
}
|
||||
|
||||
- order = isc_safe_memcompare(hash, owner, length);
|
||||
+ order = memcmp(hash, owner, length);
|
||||
if (first && order == 0) {
|
||||
/*
|
||||
* The hashes are the same.
|
||||
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
|
||||
index ad77f24..670982a 100644
|
||||
--- a/lib/dns/spnego.c
|
||||
+++ b/lib/dns/spnego.c
|
||||
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
|
||||
|
||||
/* mod_auth_kerb.c */
|
||||
|
||||
-static int
|
||||
+static isc_boolean_t
|
||||
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
{
|
||||
unsigned char *p;
|
||||
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
|
||||
if (((OM_uint32) *p++) != gssoid->length)
|
||||
return (GSS_S_DEFECTIVE_TOKEN);
|
||||
|
||||
- return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
|
||||
+ return (!isc_safe_memequal(p, gssoid->elements, gssoid->length));
|
||||
}
|
||||
|
||||
/* accept_sec_context.c */
|
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
|
||||
index 0fd0837..8ad54bb 100644
|
||||
--- a/lib/isc/Makefile.in
|
||||
+++ b/lib/isc/Makefile.in
|
||||
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
|
||||
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
|
||||
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
|
||||
rwlock.@O@ \
|
||||
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
|
||||
tm.@O@ timer.@O@ version.@O@ \
|
||||
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
|
||||
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
|
||||
netaddr.c netscope.c pool.c ondestroy.c \
|
||||
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
|
||||
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
|
||||
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
strtoul.c symtab.c task.c taskpool.c timer.c \
|
||||
tm.c version.c
|
||||
|
||||
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
-safe.@O@: safe.c
|
||||
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
|
||||
- -c ${srcdir}/safe.c
|
||||
-
|
||||
version.@O@: version.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-DVERSION=\"${VERSION}\" \
|
||||
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
|
||||
index 66ed08b..88b8f47 100644
|
||||
--- a/lib/isc/include/isc/safe.h
|
||||
+++ b/lib/isc/include/isc/safe.h
|
||||
@@ -15,29 +15,19 @@
|
||||
|
||||
/*! \file isc/safe.h */
|
||||
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
-#include <isc/types.h>
|
||||
-#include <stdlib.h>
|
||||
+#include <isc/lang.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
-bool
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
|
||||
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
|
||||
/*%<
|
||||
* Returns true iff. two blocks of memory are equal, otherwise
|
||||
* false.
|
||||
*
|
||||
*/
|
||||
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len);
|
||||
-/*%<
|
||||
- * Clone of libc memcmp() which is safe to differential timing attacks.
|
||||
- */
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len);
|
||||
+#define isc_safe_memwipe(ptr, len) OPENSSL_cleanse(ptr, len)
|
||||
/*%<
|
||||
* Clear the memory of length `len` pointed to by `ptr`.
|
||||
*
|
||||
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
|
||||
deleted file mode 100644
|
||||
index 7a464b6..0000000
|
||||
--- a/lib/isc/safe.c
|
||||
+++ /dev/null
|
||||
@@ -1,83 +0,0 @@
|
||||
-/*
|
||||
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
- *
|
||||
- * This Source Code Form is subject to the terms of the Mozilla Public
|
||||
- * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
- *
|
||||
- * See the COPYRIGHT file distributed with this work for additional
|
||||
- * information regarding copyright ownership.
|
||||
- */
|
||||
-
|
||||
-/*! \file */
|
||||
-
|
||||
-#include <config.h>
|
||||
-
|
||||
-#include <stdbool.h>
|
||||
-
|
||||
-#include <isc/safe.h>
|
||||
-#include <isc/string.h>
|
||||
-#include <isc/util.h>
|
||||
-
|
||||
-#ifdef WIN32
|
||||
-#include <windows.h>
|
||||
-#endif
|
||||
-
|
||||
-#ifdef _MSC_VER
|
||||
-#pragma optimize("", off)
|
||||
-#endif
|
||||
-
|
||||
-bool
|
||||
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
|
||||
- uint8_t acc = 0;
|
||||
-
|
||||
- if (n != 0U) {
|
||||
- const uint8_t *p1 = s1, *p2 = s2;
|
||||
-
|
||||
- do {
|
||||
- acc |= *p1++ ^ *p2++;
|
||||
- } while (--n != 0U);
|
||||
- }
|
||||
- return (acc == 0);
|
||||
-}
|
||||
-
|
||||
-
|
||||
-int
|
||||
-isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
|
||||
- const unsigned char *p1 = b1, *p2 = b2;
|
||||
- size_t i;
|
||||
- int res = 0, done = 0;
|
||||
-
|
||||
- for (i = 0; i < len; i++) {
|
||||
- /* lt is -1 if p1[i] < p2[i]; else 0. */
|
||||
- int lt = (p1[i] - p2[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* gt is -1 if p1[i] > p2[i]; else 0. */
|
||||
- int gt = (p2[i] - p1[i]) >> CHAR_BIT;
|
||||
-
|
||||
- /* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
|
||||
- int cmp = lt - gt;
|
||||
-
|
||||
- /* set res = cmp if !done. */
|
||||
- res |= cmp & ~done;
|
||||
-
|
||||
- /* set done if p1[i] != p2[i]. */
|
||||
- done |= lt | gt;
|
||||
- }
|
||||
-
|
||||
- return (res);
|
||||
-}
|
||||
-
|
||||
-void
|
||||
-isc_safe_memwipe(void *ptr, size_t len) {
|
||||
- if (ISC_UNLIKELY(ptr == NULL || len == 0))
|
||||
- return;
|
||||
-
|
||||
-#ifdef WIN32
|
||||
- SecureZeroMemory(ptr, len);
|
||||
-#elif HAVE_EXPLICIT_BZERO
|
||||
- explicit_bzero(ptr, len);
|
||||
-#else
|
||||
- memset(ptr, 0, len);
|
||||
-#endif
|
||||
-}
|
||||
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
|
||||
index 266ac75..60e9181 100644
|
||||
--- a/lib/isc/tests/safe_test.c
|
||||
+++ b/lib/isc/tests/safe_test.c
|
||||
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
|
||||
"\x00\x00\x00\x00", 4));
|
||||
}
|
||||
|
||||
-/* test isc_safe_memcompare() */
|
||||
-static void
|
||||
-isc_safe_memcompare_test(void **state) {
|
||||
- UNUSED(state);
|
||||
-
|
||||
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
|
||||
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
|
||||
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
|
||||
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x00", 4), 0);
|
||||
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
|
||||
- "\x00\x00\x00\x01", 4) < 0);
|
||||
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
|
||||
- "\x00\x00\x00\x00", 4) > 0);
|
||||
-}
|
||||
-
|
||||
/* test isc_safe_memwipe() */
|
||||
static void
|
||||
isc_safe_memwipe_test(void **state) {
|
||||
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
|
||||
/* These should pass. */
|
||||
isc_safe_memwipe(NULL, 0);
|
||||
isc_safe_memwipe((void *) -1, 0);
|
||||
- isc_safe_memwipe(NULL, 42);
|
||||
|
||||
/*
|
||||
* isc_safe_memwipe(ptr, size) should function same as
|
||||
@@ -108,7 +91,6 @@ main(void) {
|
||||
const struct CMUnitTest tests[] = {
|
||||
cmocka_unit_test(isc_safe_memequal_test),
|
||||
cmocka_unit_test(isc_safe_memwipe_test),
|
||||
- cmocka_unit_test(isc_safe_memcompare_test),
|
||||
};
|
||||
|
||||
return (cmocka_run_group_tests(tests, NULL, NULL));
|
||||
--
|
||||
2.20.1
|
||||
|
|
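--- a/<DELETED-PATCH-FILE-PATH-NOT-SHOWN>
+++ /dev/null
@@ -1,65 +0,0 @@
-From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
-Date: Mon, 2 Dec 2019 15:15:06 +0100
-Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration
-
-Loaded GeoIP2 databases are only released when named is shut down, but
-not during server reconfiguration. This causes memory to be leaked
-every time "rndc reconfig" or "rndc reload" is used, as long as any
-GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases
-before reloading them. Do not call dns_geoip_shutdown() until server
-shutdown as that function releases the memory context used for caching
-GeoIP2 lookup results.
-
-(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d)
-(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860)
----
-bin/named/geoip.c | 2 --
-bin/named/server.c | 6 ++++++
-2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/bin/named/geoip.c b/bin/named/geoip.c
-index d560f8fbcf..0b11f6b803 100644
---- a/bin/named/geoip.c
-+++ b/bin/named/geoip.c
-@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) {
-ns_g_geoip->domain = NULL;
-}
-#endif /* HAVE_GEOIP2 */
--
-- dns_geoip_shutdown();
-}
-diff --git a/bin/named/server.c b/bin/named/server.c
-index ebe7ad4702..4d7d2210ff 100644
---- a/bin/named/server.c
-+++ b/bin/named/server.c
-@@ -72,6 +72,7 @@
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/fixedname.h>
-+#include <dns/geoip.h>
-#include <dns/journal.h>
-#include <dns/keytable.h>
-#include <dns/keyvalues.h>
-@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server,
-isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
-
-#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
-+ /*
-+ * Release any previously opened GeoIP2 databases.
-+ */
-+ ns_geoip_shutdown();
-/*
-* Initialize GeoIP databases from the configured location.
-* This should happen before configuring any ACLs, so that we
-@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
-#endif
-#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
-ns_geoip_shutdown();
-+ dns_geoip_shutdown();
-#endif /* HAVE_GEOIP || HAVE_GEOIP2 */
-
-dns_db_detach(&server->in_roothints);
---
-2.21.1
-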
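--- a/<DELETED-PATCH-FILE-PATH-NOT-SHOWN>
+++ /dev/null
@@ -1,90 +0,0 @@
-From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
-Date: Wed, 3 Jun 2020 14:42:11 +0200
-Subject: [PATCH] Change the invalid CIDR from parser error to warning
-
-In [RT #43367], the BIND 9 changed the strictness of address / prefix
-length checks:
-
-Check prefixes in acls to make sure the address and
-prefix lengths are consistent. Warn only in
-BIND 9.11 and earlier.
-
-Unfortunately, a regression slipped in and the check was made an error
-also in the BIND 9.11. This commit fixes the regression, but turning
-the error into a warning.
----
-bin/tests/system/checkconf/tests.sh | 9 +++++++++
-...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
-lib/isccfg/parser.c | 9 ---------
-util/copyrights | 2 +-
-4 files changed, 20 insertions(+), 12 deletions(-)
-rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
-
-diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
-index 85fb4839e9..d2b0daa35c 100644
---- a/bin/tests/system/checkconf/tests.sh
-+++ b/bin/tests/system/checkconf/tests.sh
-@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
-status=`expr $status + $ret`
-
-+n=`expr $n + 1`
-+echo_i "check that invalid address/prefix length generates a warning ($n)"
-+ret=0
-+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
-+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
-+[ "$LINES" -eq 8 ] || ret=1
-+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
-+status=`expr $status + $ret`
-+
-n=`expr $n + 1`
-echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
-ret=0
-diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
-similarity index 70%
-rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
-rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
-index 2c768c7e1a..5e3bc3f6ee 100644
---- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
-+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
-@@ -9,6 +9,14 @@
-* information regarding copyright ownership.
-*/
-
--acl myacl {
-- 127.1/8; /* No-zero bits */
-+zone example {
-+ type master;
-+ file "example.db";
-+ auto-dnssec maintain;
-+ allow-update {
-+ 192.0.2.64/24;
-+ 192.0.2.128/24;
-+ 198.51.100.255/24;
-+ 203.0.113.2/24;
-+ };
-};
-diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
-index e2af054661..44a1dfc37a 100644
---- a/lib/isccfg/parser.c
-+++ b/lib/isccfg/parser.c
-@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
-"invalid prefix length");
-return (ISC_R_RANGE);
-}
-- result = isc_netaddr_prefixok(&netaddr, prefixlen);
-- if (result != ISC_R_SUCCESS) {
-- char buf[ISC_NETADDR_FORMATSIZE + 1];
-- isc_netaddr_format(&netaddr, buf, sizeof(buf));
-- cfg_parser_error(pctx, CFG_LOG_NOPREP,
-- "'%s/%u': address/prefix length "
-- "mismatch", buf, prefixlen);
-- return (ISC_R_FAILURE);
-- }
-} else {
-if (expectprefix) {
-cfg_parser_error(pctx, CFG_LOG_NEAR,
---
-GitLab
-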
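--- /dev/null
+++ b/<NEW-PATCH-FILE-PATH-NOT-SHOWN>
@@ -0,0 +1,32 @@
+From a503519533eb375a5ce1f7566bfc153aac980d87 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 9 Jul 2021 20:52:21 +0200
+Subject: [PATCH] Use proper entropy to initialize tsig keyname
+
+Random names used on GSS backed nsupdate can conflict in specific
+situations. That might include starting a lot of machines from
+containers, where they took all similar time to start. PID and timestamp
+would be similar and therefore randomness is quite low. Use entropy to
+generate more random identifier and reduce chance of conflict.
+---
+bin/nsupdate/nsupdate.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 458aa76..d9e5a2b 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -2941,7 +2941,9 @@ start_gssrequest(dns_name_t *master) {
+
+keyname = dns_fixedname_initname(&fkname);
+
+- isc_random_get(&val);
++ result = isc_entropy_getdata(entropy, &val, sizeof(val), NULL, 0);
++ if (result != ISC_R_SUCCESS)
++ isc_random_get(&val);
+result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
+val, namestr);
+if (result != ISC_R_SUCCESS)
+--
+2.31.1
+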
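Review bot: The fallback `if (result != ISC_R_SUCCESS) isc_random_get(&val);` in start_gssrequest silently returns to the low-entropy path that the commit message identifies as the cause of key-name collisions, so an operator has no way to tell which path produced a given name; a diagnostic on that branch, e.g. `fprintf(stderr, "warning: entropy unavailable for TSIG key name, using isc_random_get()\n");` before the call, would make the degraded case visible. The call also passes `0` as the flags argument, whereas the other entropy consumers carried in this repository's patches use `ISC_ENTROPY_GOODONLY` for key material; if isc_entropy_getdata accepts pseudo-random fill without that flag, the improvement is weaker than the message suggests, so a one-line comment stating why `0` is intended would help. Whether `entropy` is guaranteed non-NULL at this point cannot be seen here, as start_gssrequest's body lies outside the hunk.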
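--- /dev/null
+++ b/<NEW-PATCH-FILE-PATH-NOT-SHOWN>
@@ -0,0 +1,232 @@
+From fff2960981a3294ac641968a17558c8d7eecf74d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 24 Aug 2022 12:21:50 +1000
+Subject: [PATCH] Have dns_zt_apply lock the zone table
+
+There where a number of places where the zone table should have
+been locked, but wasn't, when dns_zt_apply was called.
+
+Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
+all calls to using it. Removed locks in callers.
+
+Modified upstream commit for v9_11
+---
+bin/named/server.c | 11 ++++++-----
+bin/named/statschannel.c | 8 ++++----
+lib/dns/include/dns/zt.h | 4 ++--
+lib/dns/tests/zt_test.c | 3 ++-
+lib/dns/view.c | 3 ++-
+lib/dns/zt.c | 34 +++++++++++++++++++---------------
+6 files changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 9826588e6d..0b4b309461 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -8723,8 +8723,8 @@ load_configuration(const char *filename, ns_server_t *server,
+strcmp(view->name, "_bind") != 0)
+{
+dns_view_setviewrevert(view);
+- (void)dns_zt_apply(view->zonetable, false,
+- removed, view);
++ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ false, removed, view);
+}
+dns_view_detach(&view);
+}
+@@ -10090,8 +10090,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ISC_LIST_INIT(vle->zonelist);
+ISC_LIST_APPEND(dctx->viewlist, vle, link);
+if (dctx->dumpzones)
+- result = dns_zt_apply(view->zonetable, true,
+- add_zone_tolist, dctx);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, add_zone_tolist, dctx);
+return (result);
+}
+
+@@ -11367,7 +11367,8 @@ ns_server_sync(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
+for (view = ISC_LIST_HEAD(server->viewlist);
+view != NULL;
+view = ISC_LIST_NEXT(view, link)) {
+- result = dns_zt_apply(view->zonetable, false,
++ result = dns_zt_apply(view->zonetable,
++ isc_rwlocktype_none, false,
+synczone, &cleanup);
+if (result != ISC_R_SUCCESS &&
+tresult == ISC_R_SUCCESS)
+diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
+index 12ab048469..9828df0f4e 100644
+--- a/bin/named/statschannel.c
++++ b/bin/named/statschannel.c
+@@ -1833,8 +1833,8 @@ generatexml(ns_server_t *server, uint32_t flags,
+if ((flags & STATS_XML_ZONES) != 0) {
+TRY0(xmlTextWriterStartElement(writer,
+ISC_XMLCHAR "zones"));
+- result = dns_zt_apply(view->zonetable, true,
+- zone_xmlrender, writer);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, zone_xmlrender, writer);
+if (result != ISC_R_SUCCESS)
+goto error;
+TRY0(xmlTextWriterEndElement(writer)); /* /zones */
+@@ -2489,8 +2489,8 @@ generatejson(ns_server_t *server, size_t *msglen,
+CHECKMEM(za);
+
+if ((flags & STATS_JSON_ZONES) != 0) {
+- result = dns_zt_apply(view->zonetable, true,
+- zone_jsonrender, za);
++ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
++ true, zone_jsonrender, za);
+if (result != ISC_R_SUCCESS) {
+goto error;
+}
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index e658e5bb67..94212250da 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -177,11 +177,11 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze);
+*/
+
+isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+
+isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+/*%<
+* Apply a given 'action' to all zone zones in the table.
+diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
+index 3f1e812d60..ee75303a50 100644
+--- a/lib/dns/tests/zt_test.c
++++ b/lib/dns/tests/zt_test.c
+@@ -145,7 +145,8 @@ apply(void **state) {
+assert_non_null(view->zonetable);
+
+assert_int_equal(nzones, 0);
+- result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
++ result = dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++ count_zone, &nzones);
+assert_int_equal(result, ISC_R_SUCCESS);
+assert_int_equal(nzones, 1);
+
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index f01b4dea0f..bd1ced2863 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -676,7 +676,8 @@ dns_view_dialup(dns_view_t *view) {
+REQUIRE(DNS_VIEW_VALID(view));
+REQUIRE(view->zonetable != NULL);
+
+- (void)dns_zt_apply(view->zonetable, false, dialup, NULL);
++ (void)dns_zt_apply2(view->zonetable, isc_rwlocktype_read, false, NULL,
++ dialup, NULL);
+}
+
+void
+diff --git a/lib/dns/zt.c b/lib/dns/zt.c
+index 3f12e247e0..af65740325 100644
+--- a/lib/dns/zt.c
++++ b/lib/dns/zt.c
+@@ -202,7 +202,8 @@ flush(dns_zone_t *zone, void *uap) {
+static void
+zt_destroy(dns_zt_t *zt) {
+if (zt->flush) {
+- (void)dns_zt_apply(zt, false, flush, NULL);
++ (void)dns_zt_apply(zt, isc_rwlocktype_none,
++ false, flush, NULL);
+}
+isc_refcount_destroy(&zt->references);
+dns_rbt_destroy(&zt->table);
+@@ -249,9 +250,7 @@ dns_zt_load(dns_zt_t *zt, bool stop) {
+
+REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, stop, load, NULL);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply2(zt, isc_rwlocktype_read, stop, NULL, load, NULL);
+return (result);
+}
+
+@@ -293,7 +292,7 @@ dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+* Prevent loads_pending going to zero while kicking off the loads.
+*/
+zt->loads_pending++;
+- result = dns_zt_apply2(zt, false, NULL, asyncload, ¶ms);
++ result = dns_zt_apply2(zt, isc_rwlocktype_none, false, NULL, asyncload, ¶ms);
+pending = --zt->loads_pending;
+if (pending != 0) {
+zt->loaddone = alldone;
+@@ -342,9 +341,7 @@ dns_zt_loadnew(dns_zt_t *zt, bool stop) {
+
+REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply(zt, stop, loadnew, NULL);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, loadnew, NULL);
+return (result);
+}
+
+@@ -366,9 +363,7 @@ dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
+
+REQUIRE(VALID_ZT(zt));
+
+- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+- result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
+- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
++ result = dns_zt_apply2(zt, isc_rwlocktype_read, false, &tresult, freezezones, &freeze);
+if (tresult == ISC_R_NOTFOUND)
+tresult = ISC_R_SUCCESS;
+return ((result == ISC_R_SUCCESS) ? tresult : result);
+@@ -490,14 +485,14 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
+}
+
+isc_result_t
+-dns_zt_apply(dns_zt_t *zt, bool stop,
++dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
+isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
+- return (dns_zt_apply2(zt, stop, NULL, action, uap));
++ return (dns_zt_apply2(zt, lock, stop, NULL, action, uap));
+}
+
+isc_result_t
+-dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
++dns_zt_apply2(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub,
+isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
+dns_rbtnode_t *node;
+@@ -508,6 +503,10 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+REQUIRE(VALID_ZT(zt));
+REQUIRE(action != NULL);
+
++ if (lock != isc_rwlocktype_none) {
++ RWLOCK(&zt->rwlock, lock);
++ }
++
+dns_rbtnodechain_init(&chain, zt->mctx);
+result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+if (result == ISC_R_NOTFOUND) {
+@@ -538,8 +537,13 @@ dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+
+cleanup:
+dns_rbtnodechain_invalidate(&chain);
+- if (sub != NULL)
++ if (sub != NULL) {
+*sub = tresult;
++ }
++
++ if (lock != isc_rwlocktype_none) {
++ RWUNLOCK(&zt->rwlock, lock);
++ }
+
+return (result);
+}
+--
+2.37.2
+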
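Review bot: The new `lock` parameter on dns_zt_apply and dns_zt_apply2 is not described anywhere in zt.h: the doc comment that follows the prototypes still reads `* Apply a given 'action' to all zone zones in the table.` and says nothing about what `lock` does or when `isc_rwlocktype_none` is acceptable, which matters because that value disables the locking the commit exists to enforce. I would add to that comment block something like `* 'lock' is the mode in which zt->rwlock is held for the duration of the walk; pass isc_rwlocktype_none only when the caller already holds the lock or has exclusive access to the table (e.g. during destruction).` The `isc_rwlocktype_none` call sites in ns_server_sync and dns_zt_asyncload2 are the ones I cannot justify from the hunk alone, since nothing visible shows the caller holding the lock there, so each deserves a one-line comment naming the reason. The lock is taken in dns_zt_apply2 before dns_rbtnodechain_init and released only at `cleanup:`; the walk between those points is outside the hunk, so if any early `return` in it bypasses `cleanup:` the rwlock would be leaked — worth confirming.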
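--- /dev/null
+++ b/<NEW-PATCH-FILE-PATH-NOT-SHOWN>
@@ -0,0 +1,26 @@
+From c8f5b31f0637315c1c45d0287f05fcad2250f40f Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Thu, 13 Oct 2022 15:35:46 +0200
+Subject: [PATCH] Add include to rwlocktype_t to dns/zt.h
+
+It got broken as part of bug #2101712 fix. Introduced new definition,
+which passes during bind build, but breaks bind-dyndb-ldap build.
+---
+lib/dns/include/dns/zt.h | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
+index 9421225..64c24d6 100644
+--- a/lib/dns/include/dns/zt.h
++++ b/lib/dns/include/dns/zt.h
+@@ -18,6 +18,7 @@
+#include <stdbool.h>
+
+#include <isc/lang.h>
++#include <isc/rwlock.h>
+
+#include <dns/types.h>
+
+--
+2.37.3
+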
@ -1,4 +1,4 @@
|
|||
From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
|
||||
From 346683631ae0f83ad4f09a69cfa5e5c6ea49e5d9 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Tue, 12 Sep 2017 19:05:46 -0700
|
||||
Subject: [PATCH] rebased rt31459c
|
||||
|
@ -53,7 +53,7 @@ Include new unit test
|
|||
create mode 100644 lib/dns/tests/dstrandom_test.c
|
||||
|
||||
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
|
||||
index 5015abb..295e16f 100644
|
||||
index 40cf74c..bd269e7 100644
|
||||
--- a/bin/confgen/keygen.c
|
||||
+++ b/bin/confgen/keygen.c
|
||||
@@ -165,6 +165,13 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
||||
|
@ -71,10 +71,10 @@ index 5015abb..295e16f 100644
|
|||
&entropy_source,
|
||||
randomfile,
|
||||
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
|
||||
index 2c0c308..3e585af 100644
|
||||
index 4420f2d..9cb63a8 100644
|
||||
--- a/bin/dnssec/dnssec-dsfromkey.c
|
||||
+++ b/bin/dnssec/dnssec-dsfromkey.c
|
||||
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
|
||||
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
|
@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644
|
|||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
setup_logging(mctx, &log);
|
||||
@@ -571,8 +571,8 @@ main(int argc, char **argv) {
|
||||
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
|
||||
if (dns_rdataset_isassociated(&rdataset))
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
cleanup_logging(&log);
|
||||
|
@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644
|
|||
dns_name_destroy();
|
||||
if (verbose > 10)
|
||||
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
|
||||
index 0d1e7f8..79c4d74 100644
|
||||
index dc9a293..52863a1 100644
|
||||
--- a/bin/dnssec/dnssec-importkey.c
|
||||
+++ b/bin/dnssec/dnssec-importkey.c
|
||||
@@ -407,14 +407,14 @@ main(int argc, char **argv) {
|
||||
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
|
@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644
|
|||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
setup_logging(mctx, &log);
|
||||
@@ -458,8 +458,8 @@ main(int argc, char **argv) {
|
||||
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
|
||||
if (dns_rdataset_isassociated(&rdataset))
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
cleanup_logging(&log);
|
||||
|
@ -135,7 +135,7 @@ index 0d1e7f8..79c4d74 100644
|
|||
dns_name_destroy();
|
||||
if (verbose > 10)
|
||||
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
|
||||
index 7d82dbf..10f9359 100644
|
||||
index 0121a34..74a99b0 100644
|
||||
--- a/bin/dnssec/dnssec-revoke.c
|
||||
+++ b/bin/dnssec/dnssec-revoke.c
|
||||
@@ -184,14 +184,14 @@ main(int argc, char **argv) {
|
||||
|
@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
|
|||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
|
||||
index f355903..6a2ca59 100644
|
||||
index f017895..2c568fc 100644
|
||||
--- a/bin/dnssec/dnssec-settime.c
|
||||
+++ b/bin/dnssec/dnssec-settime.c
|
||||
@@ -382,14 +382,14 @@ main(int argc, char **argv) {
|
||||
@@ -391,14 +391,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
|
@ -188,7 +188,7 @@ index f355903..6a2ca59 100644
|
|||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
if (predecessor != NULL) {
|
||||
@@ -674,8 +674,8 @@ main(int argc, char **argv) {
|
||||
@@ -683,8 +683,8 @@ main(int argc, char **argv) {
|
||||
if (prevkey != NULL)
|
||||
dst_key_free(&prevkey);
|
||||
dst_key_free(&key);
|
||||
|
@ -199,10 +199,10 @@ index f355903..6a2ca59 100644
|
|||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index c6a0313..6ddaebe 100644
|
||||
index a097ac8..6567421 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
|
||||
@@ -3472,14 +3472,15 @@ main(int argc, char *argv[]) {
|
||||
if (!pseudorandom)
|
||||
eflags |= ISC_ENTROPY_GOODONLY;
|
||||
|
||||
|
@ -222,7 +222,7 @@ index c6a0313..6ddaebe 100644
|
|||
isc_stdtime_get(&now);
|
||||
|
||||
if (startstr != NULL) {
|
||||
@@ -3879,8 +3880,8 @@ main(int argc, char *argv[]) {
|
||||
@@ -3896,8 +3897,8 @@ main(int argc, char *argv[]) {
|
||||
dns_master_styledestroy(&dsstyle, mctx);
|
||||
|
||||
cleanup_logging(&log);
|
||||
|
@ -233,7 +233,7 @@ index c6a0313..6ddaebe 100644
|
|||
dns_name_destroy();
|
||||
if (verbose > 10)
|
||||
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
|
||||
index 4c293bf..3263cbc 100644
|
||||
index 087cd5d..07c7294 100644
|
||||
--- a/bin/dnssec/dnssec-verify.c
|
||||
+++ b/bin/dnssec/dnssec-verify.c
|
||||
@@ -281,15 +281,15 @@ main(int argc, char *argv[]) {
|
||||
|
@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
|
|||
|
||||
rdclass = strtoclass(classname);
|
||||
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
||||
index fbc7ece..31a99e7 100644
|
||||
index 7f045e8..2a0f9c6 100644
|
||||
--- a/bin/dnssec/dnssectool.c
|
||||
+++ b/bin/dnssec/dnssectool.c
|
||||
@@ -34,6 +34,7 @@
|
||||
|
@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
|
|||
usekeyboard);
|
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 7d85d3b..c782073 100644
|
||||
index 9826588..b3e3fc3 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -36,6 +36,7 @@
|
||||
|
@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644
|
|||
#include <isc/portset.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/random.h>
|
||||
@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8291,6 +8292,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
"no source of entropy found");
|
||||
} else {
|
||||
const char *randomdev = cfg_obj_asstring(obj);
|
||||
|
@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644
|
|||
int level = ISC_LOG_ERROR;
|
||||
result = isc_entropy_createfilesource(ns_g_entropy,
|
||||
randomdev);
|
||||
@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8325,6 +8330,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||
}
|
||||
|
@ -324,10 +324,10 @@ index 7d85d3b..c782073 100644
|
|||
}
|
||||
|
||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
||||
index bbb3936..0286987 100644
|
||||
index 52b0274..23b69c9 100644
|
||||
--- a/bin/nsupdate/nsupdate.c
|
||||
+++ b/bin/nsupdate/nsupdate.c
|
||||
@@ -272,7 +272,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
@@ -279,7 +279,8 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
if (*ectx == NULL) {
|
||||
result = isc_entropy_create(mctx, ectx);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
|
@ -337,7 +337,7 @@ index bbb3936..0286987 100644
|
|||
ISC_LIST_INIT(sources);
|
||||
}
|
||||
|
||||
@@ -281,6 +282,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
@@ -288,6 +289,13 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
randomfile = NULL;
|
||||
}
|
||||
|
||||
|
@ -351,7 +351,7 @@ index bbb3936..0286987 100644
|
|||
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
|
||||
usekeyboard);
|
||||
|
||||
@@ -979,11 +987,11 @@ setup_system(void) {
|
||||
@@ -990,11 +998,11 @@ setup_system(void) {
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -366,7 +366,7 @@ index bbb3936..0286987 100644
|
|||
result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
|
||||
check_result(result, "dns_dispatchmgr_create");
|
||||
diff --git a/bin/tests/makejournal.c b/bin/tests/makejournal.c
|
||||
index 61a41b0..acc71a1 100644
|
||||
index 68b5e5a..cd54c8d 100644
|
||||
--- a/bin/tests/makejournal.c
|
||||
+++ b/bin/tests/makejournal.c
|
||||
@@ -102,12 +102,12 @@ main(int argc, char **argv) {
|
||||
|
@ -386,7 +386,7 @@ index 61a41b0..acc71a1 100644
|
|||
isc_log_registercategories(lctx, categories);
|
||||
isc_log_setcontext(lctx);
|
||||
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
|
||||
index c6ab7f8..f0a6ff2 100644
|
||||
index e16ec11..95b65bf 100644
|
||||
--- a/bin/tests/system/pipelined/pipequeries.c
|
||||
+++ b/bin/tests/system/pipelined/pipequeries.c
|
||||
@@ -204,6 +204,7 @@ sendqueries(isc_task_t *task, isc_event_t *event) {
|
||||
|
@ -448,7 +448,7 @@ index c6ab7f8..f0a6ff2 100644
|
|||
|
||||
isc_log_destroy(&lctx);
|
||||
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
|
||||
index 61f1ff7..ed1302a 100644
|
||||
index c0a99a2..0245527 100644
|
||||
--- a/bin/tests/system/pipelined/tests.sh
|
||||
+++ b/bin/tests/system/pipelined/tests.sh
|
||||
@@ -19,7 +19,7 @@ status=0
|
||||
|
@ -470,7 +470,7 @@ index 61f1ff7..ed1302a 100644
|
|||
$DIFF refb outputb || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
|
||||
index 4462f2e..f06268d 100644
|
||||
index abf12ed..fa5182c 100644
|
||||
--- a/bin/tests/system/rsabigexponent/bigkey.c
|
||||
+++ b/bin/tests/system/rsabigexponent/bigkey.c
|
||||
@@ -20,6 +20,7 @@
|
||||
|
@ -492,7 +492,7 @@ index 4462f2e..f06268d 100644
|
|||
"../random.data",
|
||||
ISC_ENTROPY_KEYBOARDNO),
|
||||
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
|
||||
index 653c951..fe8698e 100644
|
||||
index 34360aa..3236968 100644
|
||||
--- a/bin/tests/system/tkey/keycreate.c
|
||||
+++ b/bin/tests/system/tkey/keycreate.c
|
||||
@@ -206,6 +206,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
||||
|
@ -561,10 +561,10 @@ index 653c951..fe8698e 100644
|
|||
|
||||
isc_mem_destroy(&mctx);
|
||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||
index 70a40c3..2146f9b 100644
|
||||
index a3dd450..350723f 100644
|
||||
--- a/bin/tests/system/tkey/keydelete.c
|
||||
+++ b/bin/tests/system/tkey/keydelete.c
|
||||
@@ -136,6 +136,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
||||
@@ -137,6 +137,7 @@ sendquery(isc_task_t *task, isc_event_t *event) {
|
||||
int
|
||||
main(int argc, char **argv) {
|
||||
char *keyname;
|
||||
|
@ -572,7 +572,7 @@ index 70a40c3..2146f9b 100644
|
|||
isc_taskmgr_t *taskmgr;
|
||||
isc_timermgr_t *timermgr;
|
||||
isc_socketmgr_t *socketmgr;
|
||||
@@ -156,10 +157,21 @@ main(int argc, char **argv) {
|
||||
@@ -157,10 +158,21 @@ main(int argc, char **argv) {
|
||||
|
||||
RUNCHECK(isc_app_start());
|
||||
|
||||
|
@ -594,7 +594,7 @@ index 70a40c3..2146f9b 100644
|
|||
keyname = argv[1];
|
||||
|
||||
dns_result_register();
|
||||
@@ -169,14 +181,22 @@ main(int argc, char **argv) {
|
||||
@@ -170,14 +182,22 @@ main(int argc, char **argv) {
|
||||
|
||||
ectx = NULL;
|
||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||
|
@ -619,7 +619,7 @@ index 70a40c3..2146f9b 100644
|
|||
|
||||
taskmgr = NULL;
|
||||
RUNCHECK(isc_taskmgr_create(mctx, 1, 0, &taskmgr));
|
||||
@@ -264,8 +284,8 @@ main(int argc, char **argv) {
|
||||
@@ -265,8 +285,8 @@ main(int argc, char **argv) {
|
||||
|
||||
isc_log_destroy(&log);
|
||||
|
||||
|
@ -630,50 +630,50 @@ index 70a40c3..2146f9b 100644
|
|||
|
||||
isc_mem_destroy(&mctx);
|
||||
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
|
||||
index 9f90dd7..fad6c83 100644
|
||||
index b265156..bcd60a6 100644
|
||||
--- a/bin/tests/system/tkey/tests.sh
|
||||
+++ b/bin/tests/system/tkey/tests.sh
|
||||
@@ -33,7 +33,7 @@ for owner in . foo.example.
|
||||
do
|
||||
echo "I:creating new key using owner name \"$owner\""
|
||||
echo_i "creating new key using owner name \"$owner\" ($n)"
|
||||
ret=0
|
||||
- keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
|
||||
+ keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed"
|
||||
status=`expr $status + $ret`
|
||||
@@ -55,7 +55,7 @@ do
|
||||
echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -57,7 +57,7 @@ do
|
||||
|
||||
echo "I:deleting new key"
|
||||
echo_i "deleting new key ($n)"
|
||||
ret=0
|
||||
- $KEYDELETE $keyname || ret=1
|
||||
+ $KEYDELETE -r $RANDFILE $keyname || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed"
|
||||
echo_i "failed"
|
||||
fi
|
||||
@@ -75,7 +75,7 @@ done
|
||||
@@ -79,7 +79,7 @@ done
|
||||
|
||||
echo "I:creating new key using owner name bar.example."
|
||||
echo_i "creating new key using owner name bar.example. ($n)"
|
||||
ret=0
|
||||
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
|
||||
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed"
|
||||
status=`expr $status + $ret`
|
||||
@@ -116,7 +116,7 @@ status=`expr $status + $ret`
|
||||
echo_i "failed"
|
||||
status=$((status+ret))
|
||||
@@ -124,7 +124,7 @@ n=$((n+1))
|
||||
|
||||
echo "I:recreating the bar.example. key"
|
||||
echo_i "recreating the bar.example. key ($n)"
|
||||
ret=0
|
||||
-keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
|
||||
+keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
|
||||
if [ $ret != 0 ]; then
|
||||
echo "I:failed"
|
||||
status=`expr $status + $ret`
|
||||
echo_i "failed"
|
||||
status=$((status+ret))
|
||||
diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c
|
||||
index bf6dbb6..0416b21 100644
|
||||
index 26fa609..fb34aa0 100644
|
||||
--- a/bin/tools/mdig.c
|
||||
+++ b/bin/tools/mdig.c
|
||||
@@ -1972,12 +1972,11 @@ main(int argc, char *argv[]) {
|
||||
@@ -2005,12 +2005,11 @@ main(int argc, char *argv[]) {
|
||||
|
||||
ectx = NULL;
|
||||
RUNCHECK(isc_entropy_create(mctx, &ectx));
|
||||
|
@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
|
|||
parse_args(false, argc, argv);
|
||||
if (server == NULL)
|
||||
diff --git a/configure b/configure
|
||||
index ed002e0..a578874 100755
|
||||
index 368112f..e060e9d 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -640,6 +640,7 @@ ac_includes_default="\
|
||||
|
@ -699,7 +699,7 @@ index ed002e0..a578874 100755
|
|||
BUILD_LIBS
|
||||
BUILD_LDFLAGS
|
||||
BUILD_CPPFLAGS
|
||||
@@ -821,6 +822,7 @@ XMLSTATS
|
||||
@@ -822,6 +823,7 @@ LIBXML2_CFLAGS
|
||||
NZDTARGETS
|
||||
NZDSRCS
|
||||
NZD_TOOLS
|
||||
|
@ -707,7 +707,7 @@ index ed002e0..a578874 100755
|
|||
PKCS11_TEST
|
||||
PKCS11_ED25519
|
||||
PKCS11_GOST
|
||||
@@ -1045,6 +1047,7 @@ with_eddsa
|
||||
@@ -1046,6 +1048,7 @@ with_eddsa
|
||||
with_aes
|
||||
enable_openssl_hash
|
||||
with_cc_alg
|
||||
|
@ -715,7 +715,7 @@ index ed002e0..a578874 100755
|
|||
with_lmdb
|
||||
with_libxml2
|
||||
with_libjson
|
||||
@@ -1744,6 +1747,7 @@ Optional Features:
|
||||
@@ -1747,6 +1750,7 @@ Optional Features:
|
||||
--enable-threads enable multithreading
|
||||
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
|
||||
--enable-openssl-hash use OpenSSL for hash functions [default=no]
|
||||
|
@ -723,7 +723,7 @@ index ed002e0..a578874 100755
|
|||
--enable-largefile 64-bit file support
|
||||
--enable-backtrace log stack backtrace on abort [default=yes]
|
||||
--enable-symtable use internal symbol table for backtrace
|
||||
@@ -17115,6 +17119,7 @@ case "$use_openssl" in
|
||||
@@ -17204,6 +17208,7 @@ case "$use_openssl" in
|
||||
$as_echo "disabled because of native PKCS11" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
|
@ -731,7 +731,7 @@ index ed002e0..a578874 100755
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
||||
@@ -17218,6 +17223,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
||||
$as_echo "no" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
|
@ -739,7 +739,7 @@ index ed002e0..a578874 100755
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
|
||||
@@ -17230,6 +17236,7 @@ $as_echo "no" >&6; }
|
||||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
|
@ -747,7 +747,7 @@ index ed002e0..a578874 100755
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
|
||||
@@ -17239,7 +17246,7 @@ $as_echo "no" >&6; }
|
||||
OPENSSLLINKOBJS=""
|
||||
OPENSSLLINKSRCS=""
|
||||
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||
|
@ -756,7 +756,7 @@ index ed002e0..a578874 100755
|
|||
;;
|
||||
*)
|
||||
if test "yes" = "$want_native_pkcs11"
|
||||
@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
|
||||
@@ -17270,6 +17277,7 @@ $as_echo "not found" >&6; }
|
||||
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
|
||||
fi
|
||||
CRYPTO='-DOPENSSL'
|
||||
|
@ -764,7 +764,7 @@ index ed002e0..a578874 100755
|
|||
if test "/usr" = "$use_openssl"
|
||||
then
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -17806,8 +17814,6 @@ fi
|
||||
@@ -17904,8 +17912,6 @@ fi
|
||||
# Use OpenSSL for hash functions
|
||||
#
|
||||
|
||||
|
@ -773,7 +773,7 @@ index ed002e0..a578874 100755
|
|||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||
case $want_openssl_hash in
|
||||
yes)
|
||||
@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
|
||||
@@ -18280,6 +18286,86 @@ if test "rt" = "$have_clock_gt"; then
|
||||
LIBS="-lrt $LIBS"
|
||||
fi
|
||||
|
||||
|
@ -860,7 +860,7 @@ index ed002e0..a578874 100755
|
|||
#
|
||||
# was --with-lmdb specified?
|
||||
#
|
||||
@@ -20264,9 +20350,12 @@ _ACEOF
|
||||
@@ -20556,9 +20642,12 @@ _ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
|
||||
$as_echo "size_t for buflen; int for flags" >&6; }
|
||||
|
@ -875,7 +875,7 @@ index ed002e0..a578874 100755
|
|||
|
||||
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
|
||||
|
||||
@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
@@ -21856,12 +21945,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||
if test "yes" = "$use_atomic"; then
|
||||
|
@ -889,7 +889,7 @@ index ed002e0..a578874 100755
|
|||
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
||||
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
||||
# This bug is HP SR number 8606223364.
|
||||
@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
|
||||
@@ -21894,6 +21978,11 @@ cat >>confdefs.h <<_ACEOF
|
||||
_ACEOF
|
||||
|
||||
|
||||
|
@ -901,7 +901,7 @@ index ed002e0..a578874 100755
|
|||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -21627,39 +21716,6 @@ _ACEOF
|
||||
@@ -21902,39 +21991,6 @@ _ACEOF
|
||||
fi
|
||||
;;
|
||||
x86_64-*|amd64-*)
|
||||
|
@ -941,7 +941,7 @@ index ed002e0..a578874 100755
|
|||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
||||
@@ -21965,6 +22021,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
||||
$as_echo "$arch" >&6; }
|
||||
fi
|
||||
|
||||
|
@ -952,7 +952,7 @@ index ed002e0..a578874 100755
|
|||
if test "yes" = "$have_atomic"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
|
||||
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
|
||||
@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
||||
@@ -24547,6 +24607,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
||||
#
|
||||
dlzdir='${DLZ_DRIVER_DIR}'
|
||||
|
||||
|
@ -983,7 +983,7 @@ index ed002e0..a578874 100755
|
|||
#
|
||||
# Private autoconf macro to simplify configuring drivers:
|
||||
#
|
||||
@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
|
||||
@@ -24877,11 +24961,11 @@ $as_echo "no" >&6; }
|
||||
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
|
||||
;;
|
||||
*)
|
||||
|
@ -998,7 +998,7 @@ index ed002e0..a578874 100755
|
|||
fi
|
||||
|
||||
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
|
||||
@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
|
||||
@@ -24966,7 +25050,7 @@ $as_echo "" >&6; }
|
||||
# Check other locations for includes.
|
||||
# Order is important (sigh).
|
||||
|
||||
|
@ -1007,7 +1007,7 @@ index ed002e0..a578874 100755
|
|||
# include a blank element first
|
||||
for d in "" $bdb_incdirs
|
||||
do
|
||||
@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
|
||||
@@ -24991,57 +25075,9 @@ $as_echo "" >&6; }
|
||||
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
||||
for d in $bdb_libnames
|
||||
do
|
||||
|
@ -1067,7 +1067,7 @@ index ed002e0..a578874 100755
|
|||
break
|
||||
fi
|
||||
done
|
||||
@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
|
||||
@@ -25200,10 +25236,10 @@ $as_echo "no" >&6; }
|
||||
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
|
||||
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
|
||||
fi
|
||||
|
@ -1081,7 +1081,7 @@ index ed002e0..a578874 100755
|
|||
fi
|
||||
|
||||
|
||||
@@ -24986,11 +25022,11 @@ fi
|
||||
@@ -25289,11 +25325,11 @@ fi
|
||||
odbcdirs="/usr /usr/local /usr/pkg"
|
||||
for d in $odbcdirs
|
||||
do
|
||||
|
@ -1095,7 +1095,7 @@ index ed002e0..a578874 100755
|
|||
break
|
||||
fi
|
||||
done
|
||||
@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
||||
@@ -25568,6 +25604,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
||||
|
||||
|
||||
|
||||
|
@ -1104,7 +1104,7 @@ index ed002e0..a578874 100755
|
|||
#
|
||||
# Commands to run at the end of config.status.
|
||||
# Don't just put these into configure, it won't work right if somebody
|
||||
@@ -27644,6 +27682,8 @@ report() {
|
||||
@@ -27946,6 +27984,8 @@ report() {
|
||||
echo " IPv6 support (--enable-ipv6)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||
|
@ -1113,7 +1113,7 @@ index ed002e0..a578874 100755
|
|||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||
@@ -27684,6 +27724,8 @@ report() {
|
||||
@@ -27986,6 +28026,8 @@ report() {
|
||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||
|
||||
|
@ -1122,7 +1122,7 @@ index ed002e0..a578874 100755
|
|||
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||
test "no" = "$use_dlz_bdb" || \
|
||||
echo " Berkeley DB (--with-dlz-bdb)"
|
||||
@@ -27731,6 +27773,8 @@ report() {
|
||||
@@ -28033,6 +28075,8 @@ report() {
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
|
@ -1132,10 +1132,10 @@ index ed002e0..a578874 100755
|
|||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 45a8126..bb1345b 100644
|
||||
index 11f41e8..fdcfc62 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1537,6 +1537,7 @@ case "$use_openssl" in
|
||||
@@ -1600,6 +1600,7 @@ case "$use_openssl" in
|
||||
AC_MSG_RESULT(disabled because of native PKCS11)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
|
@ -1143,7 +1143,7 @@ index 45a8126..bb1345b 100644
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1550,6 +1551,7 @@ case "$use_openssl" in
|
||||
@@ -1613,6 +1614,7 @@ case "$use_openssl" in
|
||||
AC_MSG_RESULT(no)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
|
@ -1151,7 +1151,7 @@ index 45a8126..bb1345b 100644
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1562,6 +1564,7 @@ case "$use_openssl" in
|
||||
@@ -1625,6 +1627,7 @@ case "$use_openssl" in
|
||||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
|
@ -1159,7 +1159,7 @@ index 45a8126..bb1345b 100644
|
|||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1572,7 +1575,7 @@ case "$use_openssl" in
|
||||
@@ -1635,7 +1638,7 @@ case "$use_openssl" in
|
||||
OPENSSLLINKSRCS=""
|
||||
AC_MSG_ERROR(
|
||||
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||
|
@ -1168,7 +1168,7 @@ index 45a8126..bb1345b 100644
|
|||
;;
|
||||
*)
|
||||
if test "yes" = "$want_native_pkcs11"
|
||||
@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl])
|
||||
@@ -1665,6 +1668,7 @@ If you don't want OpenSSL, use --without-openssl])
|
||||
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
|
||||
fi
|
||||
CRYPTO='-DOPENSSL'
|
||||
|
@ -1176,7 +1176,7 @@ index 45a8126..bb1345b 100644
|
|||
if test "/usr" = "$use_openssl"
|
||||
then
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -2037,7 +2041,6 @@ fi
|
||||
@@ -2109,7 +2113,6 @@ fi
|
||||
# Use OpenSSL for hash functions
|
||||
#
|
||||
|
||||
|
@ -1184,7 +1184,7 @@ index 45a8126..bb1345b 100644
|
|||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||
case $want_openssl_hash in
|
||||
yes)
|
||||
@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then
|
||||
@@ -2381,6 +2384,67 @@ if test "rt" = "$have_clock_gt"; then
|
||||
LIBS="-lrt $LIBS"
|
||||
fi
|
||||
|
||||
|
@ -1252,7 +1252,7 @@ index 45a8126..bb1345b 100644
|
|||
#
|
||||
# was --with-lmdb specified?
|
||||
#
|
||||
@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
@@ -4174,12 +4238,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||
if test "yes" = "$use_atomic"; then
|
||||
|
@ -1266,7 +1266,7 @@ index 45a8126..bb1345b 100644
|
|||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then
|
||||
@@ -4188,7 +4252,6 @@ if test "yes" = "$use_atomic"; then
|
||||
fi
|
||||
;;
|
||||
x86_64-*|amd64-*)
|
||||
|
@ -1274,7 +1274,7 @@ index 45a8126..bb1345b 100644
|
|||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -5527,6 +5590,8 @@ report() {
|
||||
@@ -5622,6 +5685,8 @@ report() {
|
||||
echo " IPv6 support (--enable-ipv6)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||
|
@ -1283,7 +1283,7 @@ index 45a8126..bb1345b 100644
|
|||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||
@@ -5567,6 +5632,8 @@ report() {
|
||||
@@ -5662,6 +5727,8 @@ report() {
|
||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||
|
||||
|
@ -1292,7 +1292,7 @@ index 45a8126..bb1345b 100644
|
|||
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||
test "no" = "$use_dlz_bdb" || \
|
||||
echo " Berkeley DB (--with-dlz-bdb)"
|
||||
@@ -5614,6 +5681,8 @@ report() {
|
||||
@@ -5709,6 +5776,8 @@ report() {
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
|
@ -1302,7 +1302,7 @@ index 45a8126..bb1345b 100644
|
|||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index ec6e00e..1614afa 100644
|
||||
index 7a86506..aa54afc 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
||||
|
@ -1366,7 +1366,7 @@ index ec6e00e..1614afa 100644
|
|||
#endif
|
||||
}
|
||||
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
||||
index 1924e74..6813c96 100644
|
||||
index 5b42ab4..3aba028 100644
|
||||
--- a/lib/dns/include/dst/dst.h
|
||||
+++ b/lib/dns/include/dst/dst.h
|
||||
@@ -159,6 +159,14 @@ dst_lib_destroy(void);
|
||||
|
@ -1385,10 +1385,10 @@ index 1924e74..6813c96 100644
|
|||
dst_algorithm_supported(unsigned int alg);
|
||||
/*%<
|
||||
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
|
||||
index 304814b..60543c4 100644
|
||||
index d9417de..0dc935d 100644
|
||||
--- a/lib/dns/lib.c
|
||||
+++ b/lib/dns/lib.c
|
||||
@@ -18,6 +18,7 @@
|
||||
@@ -16,6 +16,7 @@
|
||||
#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
|
||||
|
@ -1396,7 +1396,7 @@ index 304814b..60543c4 100644
|
|||
#include <isc/hash.h>
|
||||
#include <isc/mem.h>
|
||||
#include <isc/msgcat.h>
|
||||
@@ -78,6 +79,7 @@ static unsigned int references = 0;
|
||||
@@ -76,6 +77,7 @@ static unsigned int references = 0;
|
||||
static void
|
||||
initialize(void) {
|
||||
isc_result_t result;
|
||||
|
@ -1404,7 +1404,7 @@ index 304814b..60543c4 100644
|
|||
|
||||
REQUIRE(initialize_done == false);
|
||||
|
||||
@@ -88,11 +90,14 @@ initialize(void) {
|
||||
@@ -86,11 +88,14 @@ initialize(void) {
|
||||
result = dns_ecdb_register(dns_g_mctx, &dbimp);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup_mctx;
|
||||
|
@ -1421,7 +1421,7 @@ index 304814b..60543c4 100644
|
|||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup_hash;
|
||||
|
||||
@@ -100,11 +105,17 @@ initialize(void) {
|
||||
@@ -98,11 +103,17 @@ initialize(void) {
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto cleanup_dst;
|
||||
|
||||
|
@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644
|
|||
isc_hash_destroy();
|
||||
cleanup_db:
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index d65ce26..6849732 100644
|
||||
index 1e57c71..3f4f822 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -31,6 +31,7 @@
|
||||
|
@ -1476,7 +1476,7 @@ index d65ce26..6849732 100644
|
|||
#endif
|
||||
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
static void
|
||||
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
|
||||
isc_result_t
|
||||
|
@ -1624,7 +1624,7 @@ index d65ce26..6849732 100644
|
|||
#endif /* OPENSSL */
|
||||
/*! \file */
|
||||
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
|
||||
index 5a2c502..8eaef53 100644
|
||||
index 6b30309..20552fa 100644
|
||||
--- a/lib/dns/pkcs11.c
|
||||
+++ b/lib/dns/pkcs11.c
|
||||
@@ -13,12 +13,15 @@
|
||||
|
@ -1692,7 +1692,7 @@ index 937b548..f3c0e38 100644
|
|||
tap_test_program{name='gost_test'}
|
||||
tap_test_program{name='keytable_test'}
|
||||
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
|
||||
index 90dc3a6..7671e1d 100644
|
||||
index 4126372..30cab17 100644
|
||||
--- a/lib/dns/tests/Makefile.in
|
||||
+++ b/lib/dns/tests/Makefile.in
|
||||
@@ -37,6 +37,7 @@ SRCS = acl_test.c \
|
||||
|
@ -1845,10 +1845,10 @@ index 0000000..bd3d164
|
|||
+
|
||||
+#endif
|
||||
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
|
||||
index 5c45d59..34b660c 100644
|
||||
index 9c2ef79..f597049 100644
|
||||
--- a/lib/dns/win32/libdns.def.in
|
||||
+++ b/lib/dns/win32/libdns.def.in
|
||||
@@ -1484,6 +1484,13 @@ dst_lib_destroy
|
||||
@@ -1487,6 +1487,13 @@ dst_lib_destroy
|
||||
dst_lib_init
|
||||
dst_lib_init2
|
||||
dst_lib_initmsgcat
|
||||
|
@ -1863,7 +1863,7 @@ index 5c45d59..34b660c 100644
|
|||
dst_region_computerid
|
||||
dst_result_register
|
||||
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
|
||||
index ab2f617..ed05ed6 100644
|
||||
index 0c1f3ed..fdd17d7 100644
|
||||
--- a/lib/isc/entropy.c
|
||||
+++ b/lib/isc/entropy.c
|
||||
@@ -104,11 +104,15 @@ struct isc_entropy {
|
||||
|
@ -1921,10 +1921,10 @@ index ab2f617..ed05ed6 100644
|
|||
+ hook = myhook;
|
||||
+}
|
||||
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
||||
index 4bba8e1..632166a 100644
|
||||
index b5bc956..f32c9dc 100644
|
||||
--- a/lib/isc/include/isc/entropy.h
|
||||
+++ b/lib/isc/include/isc/entropy.h
|
||||
@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
* isc_entropy_createcallbacksource().
|
||||
*/
|
||||
|
||||
|
@ -1944,10 +1944,10 @@ index 4bba8e1..632166a 100644
|
|||
|
||||
#endif /* ISC_ENTROPY_H */
|
||||
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
|
||||
index 9c7c342..ee8dc3e 100644
|
||||
index 2bf8758..f4c684e 100644
|
||||
--- a/lib/isc/include/isc/platform.h.in
|
||||
+++ b/lib/isc/include/isc/platform.h.in
|
||||
@@ -341,6 +341,11 @@
|
||||
@@ -359,6 +359,11 @@
|
||||
*/
|
||||
@ISC_PLATFORM_HAVESTRINGSH@
|
||||
|
||||
|
@ -1960,10 +1960,10 @@ index 9c7c342..ee8dc3e 100644
|
|||
* Define if the hash functions must be provided by OpenSSL.
|
||||
*/
|
||||
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
|
||||
index 42ff7e0..8d87c44 100644
|
||||
index 3bdd54f..d5acd39 100644
|
||||
--- a/lib/isc/include/isc/types.h
|
||||
+++ b/lib/isc/include/isc/types.h
|
||||
@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
|
||||
@@ -95,6 +95,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
|
||||
typedef struct isc_timer isc_timer_t; /*%< Timer */
|
||||
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
|
||||
|
||||
|
@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644
|
|||
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
|
||||
|
||||
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
|
||||
index 8e6ed93..ceb5a2c 100644
|
||||
index 227f807..4a63fdf 100644
|
||||
--- a/lib/isc/pk11.c
|
||||
+++ b/lib/isc/pk11.c
|
||||
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
|
||||
|
@ -1999,10 +1999,10 @@ index 8e6ed93..ceb5a2c 100644
|
|||
cleanup:
|
||||
if (stream != NULL)
|
||||
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
|
||||
index 5b8a2c9..913a2ce 100644
|
||||
index 1f785e0..f9051c3 100644
|
||||
--- a/lib/isc/win32/include/isc/platform.h.in
|
||||
+++ b/lib/isc/win32/include/isc/platform.h.in
|
||||
@@ -69,6 +69,11 @@
|
||||
@@ -73,6 +73,11 @@
|
||||
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
|
||||
#define ISC_PLATFORM_NORETURN_POST
|
||||
|
||||
|
@ -2015,7 +2015,7 @@ index 5b8a2c9..913a2ce 100644
|
|||
* Define if the hash functions must be provided by OpenSSL.
|
||||
*/
|
||||
diff --git a/win32utils/Configure b/win32utils/Configure
|
||||
index ccaf067..240fb80 100644
|
||||
index 7ac30fb..55b6c23 100644
|
||||
--- a/win32utils/Configure
|
||||
+++ b/win32utils/Configure
|
||||
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
|
||||
|
@ -2026,7 +2026,7 @@ index ccaf067..240fb80 100644
|
|||
"ISC_PLATFORM_HAVEATOMICSTORE",
|
||||
"ISC_PLATFORM_HAVEATOMICSTOREQ",
|
||||
"ISC_PLATFORM_HAVECMPXCHG",
|
||||
@@ -517,7 +518,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
|
||||
@@ -516,7 +517,8 @@ my @allcond = (@substcond, "NOTYET", "NOLONGER");
|
||||
|
||||
# enable-xxx/disable-xxx
|
||||
|
||||
|
@ -2035,16 +2035,16 @@ index ccaf067..240fb80 100644
|
|||
+ "developer",
|
||||
"fixed-rrset",
|
||||
"intrinsics",
|
||||
"isc-spnego",
|
||||
@@ -581,6 +583,7 @@ my @help = (
|
||||
"native-pkcs11",
|
||||
@@ -578,6 +580,7 @@ my @help = (
|
||||
"\nOptional Features:\n",
|
||||
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
|
||||
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
|
||||
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
|
||||
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
|
||||
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
|
||||
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
|
||||
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
|
||||
@@ -630,7 +633,9 @@ my $want_clean = "no";
|
||||
" enable-fixed-rrset enable fixed rrset ordering [default=no]\n",
|
||||
@@ -625,7 +628,9 @@ my $want_clean = "no";
|
||||
my $want_unknown = "no";
|
||||
my $unknown_value;
|
||||
my $enable_intrinsics = "yes";
|
||||
|
@ -2053,8 +2053,8 @@ index ccaf067..240fb80 100644
|
|||
+my $enable_crypto_rand = "yes";
|
||||
my $enable_openssl_hash = "auto";
|
||||
my $enable_filter_aaaa = "yes";
|
||||
my $enable_isc_spnego = "yes";
|
||||
@@ -850,6 +855,10 @@ sub myenable {
|
||||
my $enable_fixed_rrset = "no";
|
||||
@@ -844,6 +849,10 @@ sub myenable {
|
||||
if ($val =~ /^yes$/i) {
|
||||
$enable_native_pkcs11 = "yes";
|
||||
}
|
||||
|
@ -2065,7 +2065,7 @@ index ccaf067..240fb80 100644
|
|||
} elsif ($key =~ /^openssl-hash$/i) {
|
||||
if ($val =~ /^yes$/i) {
|
||||
$enable_openssl_hash = "yes";
|
||||
@@ -1158,6 +1167,11 @@ if ($verbose) {
|
||||
@@ -1146,6 +1155,11 @@ if ($verbose) {
|
||||
} else {
|
||||
print "native-pkcs11: disabled\n";
|
||||
}
|
||||
|
@ -2077,7 +2077,7 @@ index ccaf067..240fb80 100644
|
|||
if ($enable_openssl_hash eq "yes") {
|
||||
print "openssl-hash: enabled\n";
|
||||
} else {
|
||||
@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
|
||||
@@ -1498,6 +1512,7 @@ if ($enable_intrinsics eq "yes") {
|
||||
|
||||
# enable-native-pkcs11
|
||||
if ($enable_native_pkcs11 eq "yes") {
|
||||
|
@ -2085,15 +2085,15 @@ index ccaf067..240fb80 100644
|
|||
if ($use_openssl eq "auto") {
|
||||
$use_openssl = "no";
|
||||
}
|
||||
@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
|
||||
@@ -1707,6 +1722,7 @@ if ($use_openssl eq "yes") {
|
||||
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
|
||||
}
|
||||
}
|
||||
|
||||
+ $cryptolib = "openssl";
|
||||
$configcond{"OPENSSL"} = 1;
|
||||
$configdefd{"CRYPTO"} = "OPENSSL";
|
||||
$configvar{"OPENSSL_PATH"} = "$openssl_path";
|
||||
@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
|
||||
@@ -2278,6 +2294,15 @@ if ($use_aes eq "yes") {
|
||||
}
|
||||
|
||||
|
||||
|
@ -2109,7 +2109,7 @@ index ccaf067..240fb80 100644
|
|||
# enable-openssl-hash
|
||||
if ($enable_openssl_hash eq "yes") {
|
||||
if ($use_openssl eq "no") {
|
||||
@@ -3671,6 +3696,7 @@ exit 0;
|
||||
@@ -3650,6 +3675,7 @@ exit 0;
|
||||
# --enable-developer partially supported
|
||||
# --enable-newstats (9.9/9.9sub only)
|
||||
# --enable-native-pkcs11 supported
|
||||
|
@ -2118,5 +2118,5 @@ index ccaf067..240fb80 100644
|
|||
# --enable-openssl-hash supported
|
||||
# --enable-threads included without a way to disable it
|
||||
--
|
||||
2.20.1
|
||||
2.31.1
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
|
||||
From af3b530773231f8cff6548e36962ad1f25e38c5d Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 28 Sep 2017 10:09:22 -0700
|
||||
Subject: [PATCH] completed and corrected the crypto-random change
|
||||
|
@ -39,19 +39,19 @@ Subject: [PATCH] completed and corrected the crypto-random change
|
|||
bin/tests/system/tkey/keycreate.c | 4 +-
|
||||
bin/tests/system/tkey/keydelete.c | 5 +--
|
||||
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
|
||||
doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++
|
||||
doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
|
||||
doc/arm/notes.xml | 1 +
|
||||
lib/dns/dst_api.c | 4 +-
|
||||
lib/dns/include/dst/dst.h | 14 +++++-
|
||||
lib/dns/openssl_link.c | 3 +-
|
||||
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
|
||||
lib/isc/include/isc/random.h | 28 +++++++-----
|
||||
lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
|
||||
lib/isc/include/isc/random.h | 26 +++++++----
|
||||
lib/isccfg/namedconf.c | 2 +-
|
||||
23 files changed, 241 insertions(+), 106 deletions(-)
|
||||
23 files changed, 240 insertions(+), 102 deletions(-)
|
||||
create mode 100644 doc/arm/notes-rh-changes.xml
|
||||
|
||||
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
|
||||
index 295e16f..0f79aa8 100644
|
||||
index bd269e7..1ac775f 100644
|
||||
--- a/bin/confgen/keygen.c
|
||||
+++ b/bin/confgen/keygen.c
|
||||
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
|
||||
|
@ -78,10 +78,10 @@ index 295e16f..0f79aa8 100644
|
|||
&entropy_source,
|
||||
randomfile,
|
||||
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
|
||||
index 0ae6b41..4562430 100644
|
||||
index bd19e1d..2c09b30 100644
|
||||
--- a/bin/dnssec/dnssec-keygen.docbook
|
||||
+++ b/bin/dnssec/dnssec-keygen.docbook
|
||||
@@ -348,15 +348,23 @@
|
||||
@@ -349,15 +349,23 @@
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
|
@ -114,7 +114,7 @@ index 0ae6b41..4562430 100644
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
||||
index 31a99e7..38c83ed 100644
|
||||
index 2a0f9c6..6fcd411 100644
|
||||
--- a/bin/dnssec/dnssectool.c
|
||||
+++ b/bin/dnssec/dnssectool.c
|
||||
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
|
@ -142,10 +142,10 @@ index 31a99e7..38c83ed 100644
|
|||
usekeyboard);
|
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c
|
||||
index 50fa2cd..524d9a3 100644
|
||||
index 4a50ad9..4d140e8 100644
|
||||
--- a/bin/named/client.c
|
||||
+++ b/bin/named/client.c
|
||||
@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
|
||||
@@ -1768,7 +1768,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
|
||||
|
||||
isc_buffer_init(&buf, cookie, sizeof(cookie));
|
||||
isc_stdtime_get(&now);
|
||||
|
@ -156,7 +156,7 @@ index 50fa2cd..524d9a3 100644
|
|||
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
|
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||
index dbdff64..63da4b0 100644
|
||||
index 9b343fa..5e663c6 100644
|
||||
--- a/bin/named/config.c
|
||||
+++ b/bin/named/config.c
|
||||
@@ -98,7 +98,9 @@ options {\n\
|
||||
|
@ -171,10 +171,10 @@ index dbdff64..63da4b0 100644
|
|||
#endif
|
||||
" recursing-file \"named.recursing\";\n\
|
||||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
|
||||
index d955c2f..40621f2 100644
|
||||
index 9fdf49b..42128dc 100644
|
||||
--- a/bin/named/controlconf.c
|
||||
+++ b/bin/named/controlconf.c
|
||||
@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
|
||||
@@ -327,9 +327,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
|
||||
|
||||
static void
|
||||
control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
|
@ -188,7 +188,7 @@ index d955c2f..40621f2 100644
|
|||
isccc_sexpr_t *request = NULL;
|
||||
isccc_sexpr_t *response = NULL;
|
||||
uint32_t algorithm;
|
||||
@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
@@ -340,16 +341,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
isc_buffer_t *text;
|
||||
isc_result_t result;
|
||||
isc_result_t eresult;
|
||||
|
@ -208,7 +208,7 @@ index d955c2f..40621f2 100644
|
|||
algorithm = DST_ALG_UNKNOWN;
|
||||
secret.rstart = NULL;
|
||||
text = NULL;
|
||||
@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
@@ -462,8 +464,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
* Establish nonce.
|
||||
*/
|
||||
if (conn->nonce == 0) {
|
||||
|
@ -223,7 +223,7 @@ index d955c2f..40621f2 100644
|
|||
} else
|
||||
eresult = ns_control_docommand(request, listener->readonly, &text);
|
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
|
||||
index 7ee8f66..8982d26 100644
|
||||
index 4fd0194..0ba2627 100644
|
||||
--- a/bin/named/include/named/server.h
|
||||
+++ b/bin/named/include/named/server.h
|
||||
@@ -20,6 +20,7 @@
|
||||
|
@ -234,7 +234,7 @@ index 7ee8f66..8982d26 100644
|
|||
#include <isc/sockaddr.h>
|
||||
#include <isc/types.h>
|
||||
#include <isc/xml.h>
|
||||
@@ -134,6 +135,7 @@ struct ns_server {
|
||||
@@ -135,6 +136,7 @@ struct ns_server {
|
||||
char * lockfile;
|
||||
|
||||
uint16_t transfer_tcp_message_size;
|
||||
|
@ -243,7 +243,7 @@ index 7ee8f66..8982d26 100644
|
|||
|
||||
struct ns_altsecret {
|
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
|
||||
index 9dea7c1..272d300 100644
|
||||
index 93aac31..e12fad9 100644
|
||||
--- a/bin/named/interfacemgr.c
|
||||
+++ b/bin/named/interfacemgr.c
|
||||
@@ -17,6 +17,7 @@
|
||||
|
@ -255,22 +255,22 @@ index 9dea7c1..272d300 100644
|
|||
#include <isc/task.h>
|
||||
#include <isc/util.h>
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c
|
||||
index c9e5469..0940714 100644
|
||||
index 58b5914..edf42d2 100644
|
||||
--- a/bin/named/query.c
|
||||
+++ b/bin/named/query.c
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <isc/hex.h>
|
||||
@@ -20,6 +20,7 @@
|
||||
#include <isc/mem.h>
|
||||
#include <isc/platform.h>
|
||||
#include <isc/print.h>
|
||||
+#include <isc/random.h>
|
||||
#include <isc/rwlock.h>
|
||||
#include <isc/serial.h>
|
||||
#include <isc/stats.h>
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 36fc047..3c1eec0 100644
|
||||
index b2ae57c..cca7fe8 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8279,21 +8279,32 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
* Open the source of entropy.
|
||||
*/
|
||||
if (first_time) {
|
||||
|
@ -312,7 +312,7 @@ index 36fc047..3c1eec0 100644
|
|||
#ifdef PATH_RANDOMDEV
|
||||
if (ns_g_fallbackentropy != NULL) {
|
||||
level = ISC_LOG_INFO;
|
||||
@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8304,8 +8315,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
NS_LOGCATEGORY_GENERAL,
|
||||
NS_LOGMODULE_SERVER,
|
||||
level,
|
||||
|
@ -323,7 +323,7 @@ index 36fc047..3c1eec0 100644
|
|||
randomdev,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8325,7 +8336,6 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||
}
|
||||
|
@ -331,7 +331,7 @@ index 36fc047..3c1eec0 100644
|
|||
#endif
|
||||
}
|
||||
|
||||
@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
@@ -9097,6 +9107,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
server->in_roothints = NULL;
|
||||
server->blackholeacl = NULL;
|
||||
server->keepresporder = NULL;
|
||||
|
@ -339,7 +339,7 @@ index 36fc047..3c1eec0 100644
|
|||
|
||||
/* Must be first. */
|
||||
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
|
||||
@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
@@ -9123,6 +9134,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
|
||||
&server->tkeyctx),
|
||||
"creating TKEY context");
|
||||
|
@ -349,7 +349,7 @@ index 36fc047..3c1eec0 100644
|
|||
|
||||
/*
|
||||
* Setup the server task, which is responsible for coordinating
|
||||
@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
@@ -9329,7 +9343,8 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
|
||||
if (server->zonemgr != NULL)
|
||||
dns_zonemgr_detach(&server->zonemgr);
|
||||
|
@ -359,7 +359,7 @@ index 36fc047..3c1eec0 100644
|
|||
if (server->tkeyctx != NULL)
|
||||
dns_tkeyctx_destroy(&server->tkeyctx);
|
||||
|
||||
@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
@@ -13366,10 +13381,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
|
||||
static isc_result_t
|
||||
generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
|
@ -372,7 +372,7 @@ index 36fc047..3c1eec0 100644
|
|||
} rnd;
|
||||
unsigned char text[512 + 1];
|
||||
isc_region_t r;
|
||||
@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
@@ -13379,9 +13394,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
if (saltlen > 256U)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
|
@ -387,10 +387,10 @@ index 36fc047..3c1eec0 100644
|
|||
memmove(salt, rnd.rnd, saltlen);
|
||||
|
||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
|
||||
index 0286987..0376377 100644
|
||||
index 7f15cbc..458aa76 100644
|
||||
--- a/bin/nsupdate/nsupdate.c
|
||||
+++ b/bin/nsupdate/nsupdate.c
|
||||
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
@@ -289,9 +289,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
}
|
||||
|
||||
#ifdef ISC_PLATFORM_CRYPTORANDOM
|
||||
|
@ -402,7 +402,7 @@ index 0286987..0376377 100644
|
|||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
|
||||
index f0a6ff2..55064f6 100644
|
||||
index 95b65bf..7a81d4e 100644
|
||||
--- a/bin/tests/system/pipelined/pipequeries.c
|
||||
+++ b/bin/tests/system/pipelined/pipequeries.c
|
||||
@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
|
||||
|
@ -417,7 +417,7 @@ index f0a6ff2..55064f6 100644
|
|||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
|
||||
index fe8698e..937fcc3 100644
|
||||
index 3236968..4fa77b6 100644
|
||||
--- a/bin/tests/system/tkey/keycreate.c
|
||||
+++ b/bin/tests/system/tkey/keycreate.c
|
||||
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
|
||||
|
@ -432,7 +432,7 @@ index fe8698e..937fcc3 100644
|
|||
}
|
||||
#endif
|
||||
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
|
||||
index 2146f9b..64b8e74 100644
|
||||
index 43fb6b0..105e151 100644
|
||||
--- a/bin/tests/system/tkey/keydelete.c
|
||||
+++ b/bin/tests/system/tkey/keydelete.c
|
||||
@@ -171,6 +171,7 @@ main(int argc, char **argv) {
|
||||
|
@ -455,22 +455,22 @@ index 2146f9b..64b8e74 100644
|
|||
}
|
||||
#endif
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index 33e06e6..539973c 100644
|
||||
index ca98726..1f9df2c 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
@@ -5034,22 +5034,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
<term><command>random-device</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
- The source of entropy to be used by the server. Entropy is
|
||||
- This specifies a source of entropy to be used by the server. Entropy is
|
||||
- primarily needed
|
||||
- for DNSSEC operations, such as TKEY transactions and dynamic
|
||||
- update of signed
|
||||
- zones. This options specifies the device (or file) from which
|
||||
- zones. This option specifies the device (or file) from which
|
||||
- to read
|
||||
- entropy. If this is a file, operations requiring entropy will
|
||||
- entropy. If it is a file, operations requiring entropy will
|
||||
- fail when the
|
||||
- file has been exhausted. If not specified, the default value
|
||||
- file has been exhausted. If <command>random-device</command> is not specified, the default value
|
||||
- is
|
||||
- <filename>/dev/random</filename>
|
||||
- (or equivalent) when present, and none otherwise. The
|
||||
|
@ -522,11 +522,10 @@ index 33e06e6..539973c 100644
|
|||
</varlistentry>
|
||||
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
|
||||
new file mode 100644
|
||||
index 0000000..11c3a7c
|
||||
index 0000000..89a4961
|
||||
--- /dev/null
|
||||
+++ b/doc/arm/notes-rh-changes.xml
|
||||
@@ -0,0 +1,43 @@
|
||||
+
|
||||
@@ -0,0 +1,42 @@
|
||||
+<!--
|
||||
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+ -
|
||||
|
@ -570,10 +569,10 @@ index 0000000..11c3a7c
|
|||
+</section>
|
||||
+
|
||||
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
|
||||
index b16dab6..763ff7e 100644
|
||||
index a5e42c0..f8cb1f9 100644
|
||||
--- a/doc/arm/notes.xml
|
||||
+++ b/doc/arm/notes.xml
|
||||
@@ -36,6 +36,7 @@
|
||||
@@ -47,6 +47,7 @@
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
|
||||
|
||||
|
@ -582,7 +581,7 @@ index b16dab6..763ff7e 100644
|
|||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
|
||||
</section>
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index 1614afa..0f52df9 100644
|
||||
index aa54afc..2156384 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
|
||||
|
@ -600,7 +599,7 @@ index 1614afa..0f52df9 100644
|
|||
}
|
||||
|
||||
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
|
||||
index 6813c96..665574d 100644
|
||||
index 3aba028..180c841 100644
|
||||
--- a/lib/dns/include/dst/dst.h
|
||||
+++ b/lib/dns/include/dst/dst.h
|
||||
@@ -163,8 +163,18 @@ isc_result_t
|
||||
|
@ -625,7 +624,7 @@ index 6813c96..665574d 100644
|
|||
|
||||
bool
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index 6849732..e00a0e4 100644
|
||||
index 3f4f822..cfdc757 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
|
||||
|
@ -639,19 +638,10 @@ index 6849732..e00a0e4 100644
|
|||
#ifndef DONT_REQUIRE_DST_LIB_INIT
|
||||
INSIST(dst__memory_pool != NULL);
|
||||
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
||||
index 632166a..c7cb17d 100644
|
||||
index f32c9dc..bed276b 100644
|
||||
--- a/lib/isc/include/isc/entropy.h
|
||||
+++ b/lib/isc/include/isc/entropy.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
|
||||
-
|
||||
#ifndef ISC_ENTROPY_H
|
||||
#define ISC_ENTROPY_H 1
|
||||
|
||||
@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
|
||||
@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
|
||||
/*!<
|
||||
* \brief Create an entropy source that is polled via a callback.
|
||||
*
|
||||
|
@ -663,18 +653,23 @@ index 632166a..c7cb17d 100644
|
|||
*
|
||||
* Samples are added via isc_entropy_addcallbacksample(), below.
|
||||
* _addcallbacksample() is the only function which may be called from
|
||||
@@ -234,15 +231,32 @@ isc_result_t
|
||||
@@ -232,15 +231,32 @@ isc_result_t
|
||||
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
|
||||
unsigned int *returned, unsigned int flags);
|
||||
/*!<
|
||||
- * \brief Extract data from the entropy pool. This may load the pool from various
|
||||
- * sources.
|
||||
+ * \brief Get random data from entropy pool 'ent'.
|
||||
+ *
|
||||
*
|
||||
- * Do this by stirring the pool and returning a part of hash as randomness.
|
||||
- * Note that no secrets are given away here since parts of the hash are
|
||||
- * xored together before returned.
|
||||
+ * If a hook has been set up using isc_entropy_sethook() and
|
||||
+ * isc_entropy_usehook(), then the hook function will be called to get
|
||||
+ * random data.
|
||||
+ *
|
||||
*
|
||||
- * Honor the request from the caller to only return good data, any data,
|
||||
- * etc.
|
||||
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
|
||||
+ * This may cause the pool to be loaded from various sources. Ths is done
|
||||
+ * by stirring the pool and returning a part of hash as randomness.
|
||||
|
@ -685,17 +680,12 @@ index 632166a..c7cb17d 100644
|
|||
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
|
||||
+ * not in use. If it is, the flags will be passed to the hook function
|
||||
+ * but it may ignore them.
|
||||
*
|
||||
- * Do this by stiring the pool and returning a part of hash as randomness.
|
||||
- * Note that no secrets are given away here since parts of the hash are
|
||||
- * xored together before returned.
|
||||
+ *
|
||||
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
|
||||
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
|
||||
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
|
||||
+ * number of bytes copied will be stored in *returned.)
|
||||
*
|
||||
- * Honor the request from the caller to only return good data, any data,
|
||||
- * etc.
|
||||
+ *
|
||||
+ * Returns:
|
||||
+ * \li ISC_R_SUCCESS on success
|
||||
+ * \li ISC_R_NOENTROPY if entropy pool is empty
|
||||
|
@ -703,7 +693,7 @@ index 632166a..c7cb17d 100644
|
|||
*/
|
||||
|
||||
void
|
||||
@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
void
|
||||
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
|
||||
/*!<
|
||||
|
@ -728,26 +718,21 @@ index 632166a..c7cb17d 100644
|
|||
|
||||
ISC_LANG_ENDDECLS
|
||||
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
|
||||
index f8aed34..17c551b 100644
|
||||
index f38e80d..3cb1c56 100644
|
||||
--- a/lib/isc/include/isc/random.h
|
||||
+++ b/lib/isc/include/isc/random.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
|
||||
-
|
||||
#ifndef ISC_RANDOM_H
|
||||
#define ISC_RANDOM_H 1
|
||||
|
||||
@@ -21,13 +19,23 @@
|
||||
@@ -19,13 +19,23 @@
|
||||
#include <isc/mutex.h>
|
||||
|
||||
/*! \file isc/random.h
|
||||
- * \brief Implements a random state pool which will let the caller return a
|
||||
- * series of possibly non-reproducible random values.
|
||||
+ * \brief Implements pseudo random number generators.
|
||||
+ *
|
||||
*
|
||||
- * Note that the
|
||||
- * strength of these numbers is not all that high, and should not be
|
||||
- * used in cryptography functions. It is useful for jittering values
|
||||
- * a bit here and there, such as timeouts, etc.
|
||||
+ * Two pseudo-random number generators are implemented, in isc_random_*
|
||||
+ * and isc_rng_*. Neither one is very strong; they should not be used
|
||||
+ * in cryptography functions.
|
||||
|
@ -757,11 +742,7 @@ index f8aed34..17c551b 100644
|
|||
+ * It is useful for jittering values a bit here and there, such as
|
||||
+ * timeouts, etc, but should not be relied upon to generate
|
||||
+ * unpredictable sequences (for example, when choosing transaction IDs).
|
||||
*
|
||||
- * Note that the
|
||||
- * strength of these numbers is not all that high, and should not be
|
||||
- * used in cryptography functions. It is useful for jittering values
|
||||
- * a bit here and there, such as timeouts, etc.
|
||||
+ *
|
||||
+ * isc_rng_* is based on ChaCha20, and is seeded and stirred from the
|
||||
+ * system entropy source. It is stronger than isc_random_* and can
|
||||
+ * be used for generating unpredictable sequences. It is still not as
|
||||
|
@ -770,7 +751,7 @@ index f8aed34..17c551b 100644
|
|||
*/
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
|
||||
@@ -113,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
|
||||
uint16_t
|
||||
isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
|
||||
/*%<
|
||||
|
@ -782,7 +763,7 @@ index f8aed34..17c551b 100644
|
|||
|
||||
ISC_LANG_ENDDECLS
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index 03890a3..7bad989 100644
|
||||
index e74c93b..212194e 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1109,7 +1109,7 @@ options_clauses[] = {
|
||||
|
@ -795,5 +776,5 @@ index 03890a3..7bad989 100644
|
|||
{ "recursive-clients", &cfg_type_uint32, 0 },
|
||||
{ "reserved-sockets", &cfg_type_uint32, 0 },
|
||||
--
|
||||
2.20.1
|
||||
2.26.2
@ -0,0 +1,65 @@
From 8a7bff93037432fcfe8532752e89f150ea3030a4 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 9 Oct 2023 19:00:12 +0200
Subject: [PATCH] Do not keep stale records by default
By default set max-stale-ttl to 0, unless stale-answer-enable yes. This
were enabled by mistake when backporting fix for CVE-2023-2828. It
causes increased cache usage on servers not wanting to serve stale
records. Fix that by setting smart defaults based on stale answers
enabled with possible manual tuning.
---
bin/named/server.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 7af90d0..afdc4fa 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -3295,7 +3295,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
size_t max_acache_size;
size_t max_adb_size;
uint32_t lame_ttl, fail_ttl;
- uint32_t max_stale_ttl;
+ uint32_t max_stale_ttl = 0;
dns_tsig_keyring_t *ring = NULL;
dns_view_t *pview = NULL; /* Production view */
isc_mem_t *cmctx = NULL, *hmctx = NULL;
@@ -3739,16 +3739,29 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
if (view->maxncachettl > 7 * 24 * 3600)
view->maxncachettl = 7 * 24 * 3600;
- obj = NULL;
- result = ns_config_get(maps, "max-stale-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- max_stale_ttl = cfg_obj_asuint32(obj);
-
obj = NULL;
result = ns_config_get(maps, "stale-answer-enable", &obj);
INSIST(result == ISC_R_SUCCESS);
view->staleanswersenable = cfg_obj_asboolean(obj);
+ // RHEL-11785 -- set the stale-ttl to non-zero value only if enabled
+ obj = NULL;
+ if (view->staleanswersenable) {
+ result = ns_config_get(maps, "max-stale-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ max_stale_ttl = cfg_obj_asuint32(obj);
+ /*
+ * If 'stale-answer-enable' is false, max_stale_ttl is set
+ * to 0, meaning keeping stale RRsets in cache is disabled.
+ */
+ } else {
+ /* Do not use default value if stale is disabled,
+ * but allow manual overriding, like 'stale-cache-enable' */
+ result = ns_config_get(optionmaps, "max-stale-ttl", &obj);
+ if (result == ISC_R_SUCCESS)
+ max_stale_ttl = cfg_obj_asuint32(obj);
+ }
+
result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
view->rdclass, &pview);
if (result == ISC_R_SUCCESS) {
--
2.41.0
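Review bot: The explanatory comment added at `+ /* If 'stale-answer-enable' is false, max_stale_ttl is set to 0 ... */` is placed inside the `if (view->staleanswersenable)` branch, which is exactly the case it does not describe; the zero actually comes from the new `uint32_t max_stale_ttl = 0;` initializer together with the `else` branch, which only overrides it when `max-stale-ttl` is found in `optionmaps`. Moving that comment to the top of the `else` branch, next to the existing `/* Do not use default value if stale is disabled, ... */` remark, would make both branches self-describing. The added `// RHEL-11785 -- set the stale-ttl to non-zero value only if enabled` is the only `//` comment in the hunk while the surrounding code uses `/* */`; `/* RHEL-11785: honour max-stale-ttl only when stale answers are enabled or it is set explicitly */` would match the file's style. Looking up `optionmaps` rather than `maps` appears to be what skips the compiled-in default, and a one-line comment stating that intent would protect the logic on the next rebase, given the description says the default crept in with the CVE-2023-2828 backport. configure_view continues outside the hunk.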
@ -1,18 +1,18 @@
From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001
|
||||
From 9683a4d2524b870c4cee09259cb5eb7b8075a507 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 18 Dec 2018 16:06:26 +0100
|
||||
Subject: [PATCH] Make absolute hostname by dns API instead of strings
|
||||
|
||||
Duplicate all strings in dc_list. Free allocated memory on each record.
|
||||
---
|
||||
bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++--------------
|
||||
1 file changed, 45 insertions(+), 26 deletions(-)
|
||||
bin/sdb_tools/zone2ldap.c | 70 +++++++++++++++++++++++++--------------
|
||||
1 file changed, 45 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
|
||||
index 76186b5..28df191 100644
|
||||
index d59936c..9ba73b8 100644
|
||||
--- a/bin/sdb_tools/zone2ldap.c
|
||||
+++ b/bin/sdb_tools/zone2ldap.c
|
||||
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
|
||||
@@ -84,6 +84,10 @@ int get_attr_list_size (char **tmp);
|
||||
/* Get a DN */
|
||||
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
|
||||
|
||||
|
@ -23,7 +23,7 @@ index 76186b5..28df191 100644
|
|||
/* Add to RR list */
|
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
unsigned int ttl, unsigned int flags);
|
||||
@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
|
||||
@@ -120,6 +124,7 @@ static char dNSTTL []="dNSTTL";
|
||||
static char zoneName []="zoneName";
|
||||
static char dc []="dc";
|
||||
static char sameZone []="@";
|
||||
|
@ -31,7 +31,7 @@ index 76186b5..28df191 100644
|
|||
/* LDAPMod mod_values: */
|
||||
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
@@ -396,6 +401,8 @@ main (int argc, char **argv)
|
||||
@@ -391,6 +396,8 @@ main (int argc, char **argv)
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ index 76186b5..28df191 100644
|
|||
}
|
||||
else
|
||||
{
|
||||
@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -446,12 +453,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
char data[2048];
|
||||
char **dc_list;
|
||||
char *dn;
|
||||
|
@ -59,7 +59,7 @@ index 76186b5..28df191 100644
|
|||
isc_result_check (result, "dns_name_totext");
|
||||
name[isc_buffer_usedlength (&buff)] = 0;
|
||||
|
||||
@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -473,6 +486,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
|
||||
|
||||
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
|
||||
|
@ -67,7 +67,7 @@ index 76186b5..28df191 100644
|
|||
}
|
||||
|
||||
|
||||
@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -533,12 +547,9 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs == (LDAPMod **) NULL)
|
||||
fatal("calloc");
|
||||
|
||||
|
@ -83,7 +83,7 @@ index 76186b5..28df191 100644
|
|||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
tmp->attrs[0]->mod_type = objectClass;
|
||||
|
||||
@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -554,9 +565,18 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -103,12 +103,11 @@ index 76186b5..28df191 100644
|
|||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
fatal("calloc");
|
||||
@@ -705,25 +725,16 @@ char **
|
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -701,24 +721,16 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
char *tmp;
|
||||
- int i = 0;
|
||||
+ int i = 0, j = 0;
|
||||
int i = 0;
|
||||
+ int j = 0;
|
||||
char *hname=0L, *last=0L;
|
||||
int hlen=strlen(hostname), zlen=(strlen(zone));
|
||||
|
||||
|
@ -127,11 +126,11 @@ index 76186b5..28df191 100644
|
|||
{
|
||||
- if( hname == 0 )
|
||||
- hname=strdup(hostname);
|
||||
+ hname=strdup(hostname);
|
||||
last = strdup(sameZone);
|
||||
+ hname= strdup(hostname);
|
||||
last = strdup(sameZone);
|
||||
}else
|
||||
{
|
||||
@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
@@ -726,8 +738,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
|
||||
)
|
||||
{
|
||||
|
@ -140,7 +139,7 @@ index 76186b5..28df191 100644
|
|||
hname=(char*)malloc( hlen + zlen + 1);
|
||||
if( *zone == '.' )
|
||||
sprintf(hname, "%s%s", hostname, zone);
|
||||
@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -735,8 +745,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
sprintf(hname,"%s",zone);
|
||||
}else
|
||||
{
|
||||
|
@ -150,7 +149,7 @@ index 76186b5..28df191 100644
|
|||
}
|
||||
last = hname;
|
||||
}
|
||||
@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -749,18 +758,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
|
||||
tmp = strrchr (hname, '.'))
|
||||
{
|
||||
|
@ -167,7 +166,7 @@ index 76186b5..28df191 100644
|
|||
+ dn_buffer[i++] = dot;
|
||||
if( tmp == hname )
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
+ for (j=0; j<i; j++)
|
||||
+ {
|
||||
|
@ -176,7 +175,7 @@ index 76186b5..28df191 100644
|
|||
if( ( last != hname ) && (tmp != hname) )
|
||||
dn_buffer[i++] = hname;
|
||||
dn_buffer[i++] = last;
|
||||
@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
|
||||
@@ -820,6 +832,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
|
||||
return dn;
|
||||
}
|
||||
|
||||
|
@ -192,5 +191,5 @@ index 76186b5..28df191 100644
|
|||
/* Initialize LDAP Conn */
|
||||
void
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
@ -1,222 +0,0 @@
From 165181b794e185af8621300e2a68777a04af8358 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:55:26 +0200
|
||||
Subject: [PATCH] CVE-2020-8616
|
||||
|
||||
5395. [security] Further limit the number of queries that can be
|
||||
triggered from a request. Root and TLD servers
|
||||
are no longer exempt from max-recursion-queries.
|
||||
Fetches for missing name server address records
|
||||
are limited to 4 for any domain. (CVE-2020-8616)
|
||||
[GL #1388]
|
||||
---
|
||||
lib/dns/adb.c | 33 +++++++++++++----------
|
||||
lib/dns/include/dns/adb.h | 4 +++
|
||||
lib/dns/resolver.c | 55 ++++++++++++++++++++++++++-------------
|
||||
3 files changed, 60 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
|
||||
index 3d12221..ec183d0 100644
|
||||
--- a/lib/dns/adb.c
|
||||
+++ b/lib/dns/adb.c
|
||||
@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
|
||||
*/
|
||||
#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
|
||||
#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
|
||||
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
|
||||
- != 0)
|
||||
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
|
||||
- != 0)
|
||||
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
|
||||
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
|
||||
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
|
||||
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
|
||||
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
|
||||
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
|
||||
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
|
||||
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
|
||||
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
|
||||
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
|
||||
+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
|
||||
|
||||
/*
|
||||
* These are currently used on simple unsigned ints, so they are
|
||||
@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
|
||||
* Listen to negative cache hints, and don't start
|
||||
* another query.
|
||||
*/
|
||||
- if (NCACHE_RESULT(result) || AUTH_NX(result))
|
||||
+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
|
||||
goto fetch;
|
||||
+ }
|
||||
|
||||
- if (!NAME_FETCH_V6(adbname))
|
||||
+ if (!NAME_FETCH_V6(adbname)) {
|
||||
wanted_fetches |= DNS_ADBFIND_INET6;
|
||||
+ }
|
||||
}
|
||||
|
||||
fetch:
|
||||
if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
|
||||
(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
|
||||
+ {
|
||||
have_address = true;
|
||||
- else
|
||||
+ } else {
|
||||
have_address = false;
|
||||
- if (wanted_fetches != 0 &&
|
||||
- ! (FIND_AVOIDFETCHES(find) && have_address)) {
|
||||
+ }
|
||||
+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
|
||||
+ !FIND_NOFETCH(find))
|
||||
+ {
|
||||
/*
|
||||
* We're missing at least one address family. Either the
|
||||
* caller hasn't instructed us to avoid fetches, or we don't
|
||||
@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
|
||||
* be acceptable so we have to launch fetches.
|
||||
*/
|
||||
|
||||
- if (FIND_STARTATZONE(find))
|
||||
+ if (FIND_STARTATZONE(find)) {
|
||||
start_at_zone = true;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Start V4.
|
||||
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
|
||||
index ca35bac..3e27c9e 100644
|
||||
--- a/lib/dns/include/dns/adb.h
|
||||
+++ b/lib/dns/include/dns/adb.h
|
||||
@@ -207,6 +207,10 @@ struct dns_adbfind {
|
||||
* lame for this query.
|
||||
*/
|
||||
#define DNS_ADBFIND_OVERQUOTA 0x00000400
|
||||
+/*%
|
||||
+ * Don't perform a fetch even if there are no address records available.
|
||||
+ */
|
||||
+#define DNS_ADBFIND_NOFETCH 0x00000800
|
||||
|
||||
/*%
|
||||
* The answers to queries come back as a list of these.
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 164fc01..79ad212 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -173,6 +173,14 @@
|
||||
#define DEFAULT_MAX_QUERIES 75
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
|
||||
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
|
||||
+ * stop trying to fetch, in order to avoid wasting resources.
|
||||
+ */
|
||||
+#define NS_FAIL_LIMIT 4
|
||||
+#define NS_RR_LIMIT 5
|
||||
+
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
#define RES_DOMAIN_BUCKETS 523
|
||||
@@ -3121,8 +3129,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
|
||||
static void
|
||||
findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
|
||||
unsigned int options, unsigned int flags, isc_stdtime_t now,
|
||||
- bool *overquota, bool *need_alternate)
|
||||
-{
|
||||
+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
|
||||
dns_adbaddrinfo_t *ai;
|
||||
dns_adbfind_t *find;
|
||||
dns_resolver_t *res;
|
||||
@@ -3210,7 +3217,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
|
||||
find->result_v6 != DNS_R_NXDOMAIN) ||
|
||||
(res->dispatches6 == NULL &&
|
||||
find->result_v4 != DNS_R_NXDOMAIN)))
|
||||
+ {
|
||||
*need_alternate = true;
|
||||
+ }
|
||||
+ if (no_addresses != NULL) {
|
||||
+ (*no_addresses)++;
|
||||
+ }
|
||||
} else {
|
||||
if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
|
||||
if (overquota != NULL)
|
||||
@@ -3261,6 +3273,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
dns_rdata_ns_t ns;
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
+ unsigned int no_addresses = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3428,20 +3441,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
* Extract the name from the NS record.
|
||||
*/
|
||||
result = dns_rdata_tostruct(&rdata, &ns, NULL);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
continue;
|
||||
+ }
|
||||
|
||||
- findname(fctx, &ns.name, 0, stdoptions, 0, now,
|
||||
- &overquota, &need_alternate);
|
||||
+ if (no_addresses > NS_FAIL_LIMIT &&
|
||||
+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
|
||||
+ {
|
||||
+ stdoptions |= DNS_ADBFIND_NOFETCH;
|
||||
+ }
|
||||
+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
|
||||
+ &need_alternate, &no_addresses);
|
||||
|
||||
- if (!overquota)
|
||||
+ if (!overquota) {
|
||||
all_spilled = false;
|
||||
+ }
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
}
|
||||
- if (result != ISC_R_NOMORE)
|
||||
+ if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Do we need to use 6 to 4?
|
||||
@@ -3456,7 +3477,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
if (!a->isaddress) {
|
||||
findname(fctx, &a->_u._n.name, a->_u._n.port,
|
||||
stdoptions, FCTX_ADDRINFO_FORWARDER,
|
||||
- now, NULL, NULL);
|
||||
+ now, NULL, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
if (isc_sockaddr_pf(&a->_u.addr) != family)
|
||||
@@ -3818,16 +3839,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
|
||||
}
|
||||
}
|
||||
|
||||
- if (dns_name_countlabels(&fctx->domain) > 2) {
|
||||
- result = isc_counter_increment(fctx->qc);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
- "exceeded max queries resolving '%s'",
|
||||
- fctx->info);
|
||||
- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
- return;
|
||||
- }
|
||||
+ result = isc_counter_increment(fctx->qc);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
+ "exceeded max queries resolving '%s'",
|
||||
+ fctx->info);
|
||||
+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
+ return;
|
||||
}
|
||||
|
||||
bucketnum = fctx->bucketnum;
|
||||
--
|
||||
2.21.1
|
||||
@ -1,40 +0,0 @@
From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:56:33 +0200
|
||||
Subject: [PATCH] CVE-2020-8617
|
||||
|
||||
5390. [security] Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. (CVE-2020-8617)
|
||||
[GL #1703]
|
||||
---
|
||||
lib/dns/tsig.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
|
||||
index c6f9d1b..aee8eb0 100644
|
||||
--- a/lib/dns/tsig.c
|
||||
+++ b/lib/dns/tsig.c
|
||||
@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
||||
goto cleanup_context;
|
||||
}
|
||||
msg->verified_sig = 1;
|
||||
- } else if (tsig.error != dns_tsigerror_badsig &&
|
||||
- tsig.error != dns_tsigerror_badkey) {
|
||||
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
|
||||
+ tsig.error != dns_tsigerror_badkey))
|
||||
+ {
|
||||
tsig_log(msg->tsigkey, 2, "signature was empty");
|
||||
return (DNS_R_TSIGVERIFYFAILURE);
|
||||
}
|
||||
@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
||||
}
|
||||
}
|
||||
|
||||
- if (tsig.error != dns_rcode_noerror) {
|
||||
+ if (response && tsig.error != dns_rcode_noerror) {
|
||||
msg->tsigstatus = tsig.error;
|
||||
if (tsig.error == dns_tsigerror_badtime)
|
||||
ret = DNS_R_CLOCKSKEW;
|
||||
--
|
||||
2.21.1
|
||||
@ -1,513 +0,0 @@
From bc9a36bad14b014340244bfc35a20df6809a5568 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Thu, 27 Feb 2020 15:35:31 +0100
|
||||
Subject: [PATCH] Fix rwlock to be thread-safe
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is a backport of the following commits
|
||||
|
||||
commit 4cf275ba8aa1caf47ed763b51c37fa561005cb8d
|
||||
Author: Ondřej Surý <ondrej@isc.org>
|
||||
Date: Wed Feb 12 09:17:55 2020 +0100
|
||||
|
||||
Replace non-loop usage of atomic_compare_exchange_weak with strong variant
|
||||
|
||||
commit b43f5e023885dac9f1ffdace54720150768a333b
|
||||
Author: Ondřej Surý <ondrej@isc.org>
|
||||
Date: Sat Feb 1 10:48:20 2020 +0100
|
||||
|
||||
Convert all atomic operations in isc_rwlock to release-acquire memory ordering
|
||||
|
||||
commit 49462cf9747261cbc39d5fa4c691b64ac5472af4
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Tue May 14 00:19:11 2019 +0700
|
||||
|
||||
Make isc_rwlock.c thread-safe
|
||||
|
||||
commit 9d5df99a9d9d13c9487969b6fa3818a8b83b4ee2
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Thu Aug 23 15:30:06 2018 +0200
|
||||
|
||||
Directly use return value of atomic_compare_exchange_strong_explicit insteaf of comparing expected value
|
||||
|
||||
commit b5709e5531d9d45f9fc3db129c11ad474477d7b6
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Fri Aug 17 19:21:12 2018 +0200
|
||||
|
||||
Explicitly load atomic values in lib/isc/rwlock.c
|
||||
---
|
||||
lib/isc/rwlock.c | 275 ++++++++++++++++++-----------------------------
|
||||
1 file changed, 107 insertions(+), 168 deletions(-)
|
||||
|
||||
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
|
||||
index 9533c0f828..5591eff719 100644
|
||||
--- a/lib/isc/rwlock.c
|
||||
+++ b/lib/isc/rwlock.c
|
||||
@@ -46,6 +46,26 @@
|
||||
#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
static isc_result_t
|
||||
isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
|
||||
+
|
||||
+#ifndef ISC_RWLOCK_USESTDATOMIC
|
||||
+#error non-stdatomic support removed
|
||||
+#endif
|
||||
+
|
||||
+#define atomic_load_acquire(o) \
|
||||
+ atomic_load_explicit((o), memory_order_acquire)
|
||||
+#define atomic_store_release(o, v) \
|
||||
+ atomic_store_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_fetch_add_release(o, v) \
|
||||
+ atomic_fetch_add_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_fetch_sub_release(o, v) \
|
||||
+ atomic_fetch_sub_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_compare_exchange_weak_acq_rel(o, e, d) \
|
||||
+ atomic_compare_exchange_weak_explicit((o), (e), (d), \
|
||||
+ memory_order_acq_rel, \
|
||||
+ memory_order_acquire)
|
||||
+#define atomic_compare_exchange_strong_acq_rel(o, e, d) \
|
||||
+ atomic_compare_exchange_strong_explicit( \
|
||||
+ (o), (e), (d), memory_order_acq_rel, memory_order_acquire)
|
||||
#endif
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -108,13 +128,13 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
|
||||
*/
|
||||
rwl->magic = 0;
|
||||
|
||||
- rwl->spins = 0;
|
||||
#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
- rwl->write_requests = 0;
|
||||
- rwl->write_completions = 0;
|
||||
- rwl->cnt_and_flag = 0;
|
||||
+ atomic_init(&rwl->spins, 0);
|
||||
+ atomic_init(&rwl->write_requests, 0);
|
||||
+ atomic_init(&rwl->write_completions, 0);
|
||||
+ atomic_init(&rwl->cnt_and_flag, 0);
|
||||
rwl->readers_waiting = 0;
|
||||
- rwl->write_granted = 0;
|
||||
+ atomic_init(&rwl->write_granted, 0);
|
||||
if (read_quota != 0) {
|
||||
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
"read quota is not supported");
|
||||
@@ -123,6 +143,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
|
||||
write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
|
||||
rwl->write_quota = write_quota;
|
||||
#else
|
||||
+ rwl->spins = 0;
|
||||
rwl->type = isc_rwlocktype_read;
|
||||
rwl->original = isc_rwlocktype_none;
|
||||
rwl->active = 0;
|
||||
@@ -178,16 +199,9 @@ void
|
||||
isc_rwlock_destroy(isc_rwlock_t *rwl) {
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
- REQUIRE(rwl->write_requests == rwl->write_completions &&
|
||||
- rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
|
||||
-#else
|
||||
- LOCK(&rwl->lock);
|
||||
- REQUIRE(rwl->active == 0 &&
|
||||
- rwl->readers_waiting == 0 &&
|
||||
- rwl->writers_waiting == 0);
|
||||
- UNLOCK(&rwl->lock);
|
||||
-#endif
|
||||
+ REQUIRE(atomic_load_acquire(&rwl->write_requests) ==
|
||||
+ atomic_load_acquire(&rwl->write_completions) &&
|
||||
+ atomic_load_acquire(&rwl->cnt_and_flag) == 0 && rwl->readers_waiting == 0);
|
||||
|
||||
rwl->magic = 0;
|
||||
(void)isc_condition_destroy(&rwl->readable);
|
||||
@@ -274,10 +288,13 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
- if (rwl->write_requests != rwl->write_completions) {
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions))
|
||||
+ {
|
||||
/* there is a waiting or active writer */
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->write_requests != rwl->write_completions) {
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions)) {
|
||||
rwl->readers_waiting++;
|
||||
WAIT(&rwl->readable, &rwl->lock);
|
||||
rwl->readers_waiting--;
|
||||
@@ -285,23 +302,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
POST(cntflag);
|
||||
while (1) {
|
||||
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
|
||||
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE) == 0)
|
||||
+ {
|
||||
break;
|
||||
+ }
|
||||
|
||||
/* A writer is still working */
|
||||
LOCK(&rwl->lock);
|
||||
rwl->readers_waiting++;
|
||||
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
|
||||
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE) != 0)
|
||||
+ {
|
||||
WAIT(&rwl->readable, &rwl->lock);
|
||||
+ }
|
||||
rwl->readers_waiting--;
|
||||
UNLOCK(&rwl->lock);
|
||||
|
||||
@@ -336,20 +354,19 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
* quota, reset the condition (race among readers doesn't
|
||||
* matter).
|
||||
*/
|
||||
- rwl->write_granted = 0;
|
||||
+ atomic_store_release(&rwl->write_granted, 0);
|
||||
} else {
|
||||
int32_t prev_writer;
|
||||
|
||||
/* enter the waiting queue, and wait for our turn */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
|
||||
-#endif
|
||||
- while (rwl->write_completions != prev_writer) {
|
||||
+ prev_writer = atomic_fetch_add_release(&rwl->write_requests, 1);
|
||||
+ while (atomic_load_acquire(&rwl->write_completions)
|
||||
+ != prev_writer)
|
||||
+ {
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->write_completions != prev_writer) {
|
||||
+ if (atomic_load_acquire(&rwl->write_completions)
|
||||
+ != prev_writer)
|
||||
+ {
|
||||
WAIT(&rwl->writeable, &rwl->lock);
|
||||
UNLOCK(&rwl->lock);
|
||||
continue;
|
||||
@@ -359,29 +376,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
}
|
||||
|
||||
while (1) {
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
int_fast32_t cntflag2 = 0;
|
||||
- atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed);
|
||||
-#else
|
||||
- int32_t cntflag2;
|
||||
- cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
|
||||
- WRITER_ACTIVE);
|
||||
-#endif
|
||||
-
|
||||
- if (cntflag2 == 0)
|
||||
+ if (atomic_compare_exchange_weak_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE))
|
||||
+ {
|
||||
break;
|
||||
+ }
|
||||
|
||||
/* Another active reader or writer is working. */
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->cnt_and_flag != 0)
|
||||
+ if (atomic_load_acquire(&rwl->cnt_and_flag) != 0) {
|
||||
WAIT(&rwl->writeable, &rwl->lock);
|
||||
+ }
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
- INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
|
||||
- rwl->write_granted++;
|
||||
+ INSIST((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE));
|
||||
+ atomic_fetch_add_release(&rwl->write_granted, 1);
|
||||
}
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -395,12 +407,10 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
isc_result_t
|
||||
isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
int32_t cnt = 0;
|
||||
- int32_t max_cnt = rwl->spins * 2 + 10;
|
||||
+ int32_t spins = atomic_load_acquire(&rwl->spins) * 2 + 10;
|
||||
+ int32_t max_cnt = ISC_MAX(spins, RWLOCK_MAX_ADAPTIVE_COUNT);
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
|
||||
- if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
|
||||
- max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT;
|
||||
-
|
||||
do {
|
||||
if (cnt++ >= max_cnt) {
|
||||
result = isc__rwlock_lock(rwl, type);
|
||||
@@ -411,7 +421,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
|
||||
|
||||
- rwl->spins += (cnt - rwl->spins) / 8;
|
||||
+ atomic_fetch_add_release(&rwl->spins, (cnt - spins) / 8);
|
||||
|
||||
return (result);
|
||||
}
|
||||
@@ -429,36 +439,28 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
/* If a writer is waiting or working, we fail. */
|
||||
- if (rwl->write_requests != rwl->write_completions)
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions))
|
||||
return (ISC_R_LOCKBUSY);
|
||||
|
||||
/* Otherwise, be ready for reading. */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
if ((cntflag & WRITER_ACTIVE) != 0) {
|
||||
/*
|
||||
* A writer is working. We lose, and cancel the read
|
||||
* request.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_sub_explicit
|
||||
- (&rwl->cnt_and_flag, READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
|
||||
- -READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_sub_release(
|
||||
+ &rwl->cnt_and_flag, READER_INCR);
|
||||
/*
|
||||
* If no other readers are waiting and we've suspended
|
||||
* new writers in this short period, wake them up.
|
||||
*/
|
||||
if (cntflag == READER_INCR &&
|
||||
- rwl->write_completions != rwl->write_requests) {
|
||||
+ atomic_load_acquire(&rwl->write_completions) !=
|
||||
+ atomic_load_acquire(&rwl->write_requests))
|
||||
+ {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
UNLOCK(&rwl->lock);
|
||||
@@ -468,31 +470,19 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
}
|
||||
} else {
|
||||
/* Try locking without entering the waiting queue. */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
int_fast32_t zero = 0;
|
||||
- if (!atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed))
|
||||
+ if (!atomic_compare_exchange_strong_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &zero, WRITER_ACTIVE))
|
||||
+ {
|
||||
return (ISC_R_LOCKBUSY);
|
||||
-#else
|
||||
- cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
|
||||
- WRITER_ACTIVE);
|
||||
- if (cntflag != 0)
|
||||
- return (ISC_R_LOCKBUSY);
|
||||
-#endif
|
||||
+ }
|
||||
|
||||
/*
|
||||
* XXXJT: jump into the queue, possibly breaking the writer
|
||||
* order.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
|
||||
-#endif
|
||||
-
|
||||
- rwl->write_granted++;
|
||||
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
|
||||
+ atomic_fetch_add_release(&rwl->write_granted, 1);
|
||||
}
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -507,14 +497,12 @@ isc_result_t
|
||||
isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
{
|
||||
int_fast32_t reader_incr = READER_INCR;
|
||||
|
||||
/* Try to acquire write access. */
|
||||
- atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed);
|
||||
+ atomic_compare_exchange_strong_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE);
|
||||
/*
|
||||
* There must have been no writer, and there must have
|
||||
* been at least one reader.
|
||||
@@ -527,36 +515,11 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
|
||||
* We are the only reader and have been upgraded.
|
||||
* Now jump into the head of the writer waiting queue.
|
||||
*/
|
||||
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
|
||||
} else
|
||||
return (ISC_R_LOCKBUSY);
|
||||
|
||||
}
|
||||
-#else
|
||||
- {
|
||||
- int32_t prevcnt;
|
||||
-
|
||||
- /* Try to acquire write access. */
|
||||
- prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
|
||||
- READER_INCR, WRITER_ACTIVE);
|
||||
- /*
|
||||
- * There must have been no writer, and there must have
|
||||
- * been at least one reader.
|
||||
- */
|
||||
- INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
|
||||
- (prevcnt & ~WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- if (prevcnt == READER_INCR) {
|
||||
- /*
|
||||
- * We are the only reader and have been upgraded.
|
||||
- * Now jump into the head of the writer waiting queue.
|
||||
- */
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
|
||||
- } else
|
||||
- return (ISC_R_LOCKBUSY);
|
||||
- }
|
||||
-#endif
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
@@ -567,33 +530,15 @@ isc_rwlock_downgrade(isc_rwlock_t *rwl) {
|
||||
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- {
|
||||
- /* Become an active reader. */
|
||||
- prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
- /* We must have been a writer. */
|
||||
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- /* Complete write */
|
||||
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
|
||||
- memory_order_relaxed);
|
||||
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
- }
|
||||
-#else
|
||||
- {
|
||||
- /* Become an active reader. */
|
||||
- prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
- /* We must have been a writer. */
|
||||
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- /* Complete write */
|
||||
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
|
||||
- }
|
||||
-#endif
|
||||
+ /* Become an active reader. */
|
||||
+ prev_readers = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
+ /* We must have been a writer. */
|
||||
+ INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
+
|
||||
+ /* Complete write */
|
||||
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
|
||||
+ atomic_fetch_add_release(&rwl->write_completions, 1);
|
||||
|
||||
/* Resume other readers */
|
||||
LOCK(&rwl->lock);
|
||||
@@ -614,20 +559,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
|
||||
-#endif
|
||||
+ prev_cnt = atomic_fetch_sub_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
/*
|
||||
* If we're the last reader and any writers are waiting, wake
|
||||
* them up. We need to wake up all of them to ensure the
|
||||
* FIFO order.
|
||||
*/
|
||||
if (prev_cnt == READER_INCR &&
|
||||
- rwl->write_completions != rwl->write_requests) {
|
||||
+ atomic_load_acquire(&rwl->write_completions) !=
|
||||
+ atomic_load_acquire(&rwl->write_requests)) {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
UNLOCK(&rwl->lock);
|
||||
@@ -639,19 +580,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
* Reset the flag, and (implicitly) tell other writers
|
||||
* we are done.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
|
||||
- memory_order_relaxed);
|
||||
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
|
||||
-#endif
|
||||
-
|
||||
- if (rwl->write_granted >= rwl->write_quota ||
|
||||
- rwl->write_requests == rwl->write_completions ||
|
||||
- (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
|
||||
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
|
||||
+ atomic_fetch_add_release(&rwl->write_completions, 1);
|
||||
+
|
||||
+ if ((atomic_load_acquire(&rwl->write_granted) >=
|
||||
+ rwl->write_quota) ||
|
||||
+ (atomic_load_acquire(&rwl->write_requests) ==
|
||||
+ atomic_load_acquire(&rwl->write_completions)) ||
|
||||
+ (atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & ~WRITER_ACTIVE))
|
||||
+ {
|
||||
/*
|
||||
* We have passed the write quota, no writer is
|
||||
* waiting, or some readers are almost ready, pending
|
||||
@@ -668,7 +606,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
- if (rwl->write_requests != rwl->write_completions &&
|
||||
+ if ((atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions)) &&
|
||||
wakeup_writers) {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
--
|
||||
2.21.0
|
||||
@ -0,0 +1,58 @@
From 6d6acf236841da5c2511f8afcd3e4a89af4c5658 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
|
||||
Date: Fri, 14 Feb 2020 09:18:48 +0100
|
||||
Subject: [PATCH] Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for
|
||||
small
|
||||
|
||||
Modify original upstream commit 0d80266f7e3, add high limit of used
|
||||
tasks. Minimum would be lower on machines with few cpus, but maximum
|
||||
would stay unchanged. Should prevent negatives of this change.
|
||||
|
||||
Signed-off-by: Petr Mensik <pemensik@redhat.com>
|
||||
---
|
||||
bin/named/server.c | 12 ++++++++----
|
||||
1 file changed, 8 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 39b1124..94b4daa 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -148,11 +148,13 @@
|
||||
#endif
|
||||
|
||||
#ifdef TUNE_LARGE
|
||||
-#define RESOLVER_NTASKS 523
|
||||
+#define RESOLVER_NTASKS_MAX 523
|
||||
+#define RESOLVER_NTASKS_PERCPU 32
|
||||
#define UDPBUFFERS 32768
|
||||
#define EXCLBUFFERS 32768
|
||||
#else
|
||||
-#define RESOLVER_NTASKS 31
|
||||
+#define RESOLVER_NTASKS_MAX 31
|
||||
+#define RESOLVER_NTASKS_PERCPU 8
|
||||
#define UDPBUFFERS 1000
|
||||
#define EXCLBUFFERS 4096
|
||||
#endif /* TUNE_LARGE */
|
||||
@@ -3318,7 +3320,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
ns_cache_t *nsc;
|
||||
bool zero_no_soattl;
|
||||
dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
|
||||
- unsigned int query_timeout, ndisp;
|
||||
+ unsigned int query_timeout, ndisp, ntasks;
|
||||
bool old_rpz_ok = false;
|
||||
isc_dscp_t dscp4 = -1, dscp6 = -1;
|
||||
dns_dyndbctx_t *dctx = NULL;
|
||||
@@ -3926,7 +3928,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
dns_view_setresquerystats(view, resquerystats);
|
||||
|
||||
ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
|
||||
- CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,
|
||||
+ ntasks = ISC_MIN(RESOLVER_NTASKS_PERCPU * ns_g_cpus,
|
||||
+ RESOLVER_NTASKS_MAX);
|
||||
+ CHECK(dns_view_createresolver(view, ns_g_taskmgr, ntasks,
|
||||
ndisp, ns_g_socketmgr, ns_g_timermgr,
|
||||
resopts, ns_g_dispatchmgr,
|
||||
dispatch4, dispatch6));
|
||||
--
|
||||
2.34.1
|
@ -0,0 +1,240 @@
From 128b3b676eb9413b4d25fb29c560895cfbbfa92e Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 1 Sep 2022 16:05:04 -0700
|
||||
Subject: [PATCH] add an update quota
|
||||
|
||||
limit the number of simultaneous DNS UPDATE events that can be
|
||||
processed by adding a quota for update and update forwarding.
|
||||
this quota currently, arbitrarily, defaults to 100.
|
||||
|
||||
also add a statistics counter to record when the update quota
|
||||
has been exceeded.
|
||||
|
||||
(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
|
||||
---
|
||||
bin/named/bind9.xsl | 2 +-
|
||||
bin/named/bind9.xsl.h | 8 +++++++-
|
||||
bin/named/include/named/server.h | 7 ++++++-
|
||||
bin/named/server.c | 3 +++
|
||||
bin/named/statschannel.c | 5 +++--
|
||||
bin/named/update.c | 34 +++++++++++++++++++++++++++++++-
|
||||
doc/arm/Bv9ARM-book.xml | 15 ++++++++++++++
|
||||
7 files changed, 68 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
|
||||
index 9a1c6ff..85fd4c4 100644
|
||||
--- a/bin/named/bind9.xsl
|
||||
+++ b/bin/named/bind9.xsl
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
|
||||
<xsl:output method="html" indent="yes" version="4.0"/>
|
||||
- <xsl:template match="statistics[@version="3.8"]">
|
||||
+ <xsl:template match="statistics[@version="3.8.1"]">
|
||||
<html>
|
||||
<head>
|
||||
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
|
||||
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
|
||||
index 9ce8cd7..5e0a892 100644
|
||||
--- a/bin/named/bind9.xsl.h
|
||||
+++ b/bin/named/bind9.xsl.h
|
||||
@@ -17,7 +17,13 @@ static char xslmsg[] =
|
||||
"\n"
|
||||
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
|
||||
" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
|
||||
- " <xsl:template match=\"statistics[@version="3.8"]\">\n"
|
||||
+#if 0
|
||||
+ " <!-- the version number **below** must match version in "
|
||||
+ "bin/named/statschannel.c -->\n"
|
||||
+ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
|
||||
+ "the HTTP endpoints listed below -->\n"
|
||||
+#endif
|
||||
+ " <xsl:template match=\"statistics[@version="3.8.1"]\">\n"
|
||||
" <html>\n"
|
||||
" <head>\n"
|
||||
" <script type=\"text/javascript\" src=\"https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js\"></script>\n"
|
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
|
||||
index 08a02dc..259acc7 100644
|
||||
--- a/bin/named/include/named/server.h
|
||||
+++ b/bin/named/include/named/server.h
|
||||
@@ -137,6 +137,9 @@ struct ns_server {
|
||||
|
||||
uint16_t transfer_tcp_message_size;
|
||||
isc_rng_t * rngctx;
|
||||
+
|
||||
+/* CVE-2022-3094 */
|
||||
+ isc_quota_t updquota;
|
||||
};
|
||||
|
||||
struct ns_altsecret {
|
||||
@@ -230,7 +233,9 @@ enum {
|
||||
dns_nsstatscounter_trystale = 59,
|
||||
dns_nsstatscounter_usedstale = 60,
|
||||
|
||||
- dns_nsstatscounter_max = 61
|
||||
+ dns_nsstatscounter_updatequota = 61,
|
||||
+
|
||||
+ dns_nsstatscounter_max = 62
|
||||
};
|
||||
|
||||
/*%
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 2d2fa0e..f09b895 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -9143,6 +9143,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
result = isc_quota_init(&server->recursionquota, 100);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
+ result = isc_quota_init(&server->updquota, 100);
|
||||
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
|
||||
result = dns_aclenv_init(mctx, &server->aclenv);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
@@ -9410,6 +9412,7 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
|
||||
dns_aclenv_destroy(&server->aclenv);
|
||||
|
||||
+ isc_quota_destroy(&server->updquota);
|
||||
isc_quota_destroy(&server->recursionquota);
|
||||
isc_quota_destroy(&server->tcpquota);
|
||||
isc_quota_destroy(&server->xfroutquota);
|
||||
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||
index 56a9c21..1e8723c 100644
|
||||
--- a/bin/named/statschannel.c
|
||||
+++ b/bin/named/statschannel.c
|
||||
@@ -300,6 +300,7 @@ init_desc(void) {
|
||||
SET_NSSTATDESC(reclimitdropped,
|
||||
"queries dropped due to recursive client limit",
|
||||
"RecLimitDropped");
|
||||
+ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
|
||||
SET_NSSTATDESC(trystale,
|
||||
"attempts to use stale cache data after lookup failure",
|
||||
"QryTryStale");
|
||||
@@ -1546,7 +1547,7 @@ generatexml(ns_server_t *server, uint32_t flags,
|
||||
ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
|
||||
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
|
||||
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
|
||||
- ISC_XMLCHAR "3.8"));
|
||||
+ ISC_XMLCHAR "3.8.1"));
|
||||
|
||||
/* Set common fields for statistics dump */
|
||||
dumparg.type = isc_statsformat_xml;
|
||||
@@ -2303,7 +2304,7 @@ generatejson(ns_server_t *server, size_t *msglen,
|
||||
/*
|
||||
* These statistics are included no matter which URL we use.
|
||||
*/
|
||||
- obj = json_object_new_string("1.2");
|
||||
+ obj = json_object_new_string("1.2.1");
|
||||
CHECKMEM(obj);
|
||||
json_object_object_add(bindstats, "json-stats-version", obj);
|
||||
|
||||
diff --git a/bin/named/update.c b/bin/named/update.c
|
||||
index 6ad7d27..dccc543 100644
|
||||
--- a/bin/named/update.c
|
||||
+++ b/bin/named/update.c
|
||||
@@ -1526,6 +1526,17 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
isc_task_t *zonetask = NULL;
|
||||
ns_client_t *evclient;
|
||||
|
||||
+ result = isc_quota_attach(&ns_g_server->updquota,
|
||||
+ &(isc_quota_t *){ NULL });
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||
+ isc_result_totext(result));
|
||||
+ isc_stats_increment(ns_g_server->nsstats,
|
||||
+ dns_nsstatscounter_updatequota);
|
||||
+ CHECK(DNS_R_DROP);
|
||||
+ }
|
||||
+
|
||||
event = (update_event_t *)
|
||||
isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
|
||||
update_action, NULL, sizeof(*event));
|
||||
@@ -1652,7 +1663,12 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
|
||||
* We are still in the client task context, so we can
|
||||
* simply give an error response without switching tasks.
|
||||
*/
|
||||
- respond(client, result);
|
||||
+ if (result == DNS_R_DROP) {
|
||||
+ ns_client_next(client, result);
|
||||
+ } else {
|
||||
+ respond(client, result);
|
||||
+ }
|
||||
+
|
||||
if (zone != NULL)
|
||||
dns_zone_detach(&zone);
|
||||
}
|
||||
@@ -3385,6 +3401,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
|
||||
dns_zone_detach(&uev->zone);
|
||||
client->nupdates--;
|
||||
respond(client, uev->result);
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
|
||||
isc_event_free(&event);
|
||||
ns_client_detach(&client);
|
||||
}
|
||||
@@ -3402,6 +3419,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
|
||||
INSIST(client->nupdates > 0);
|
||||
client->nupdates--;
|
||||
respond(client, DNS_R_SERVFAIL);
|
||||
+
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
|
||||
isc_event_free(&event);
|
||||
ns_client_detach(&client);
|
||||
}
|
||||
@@ -3439,6 +3458,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
|
||||
client->nupdates--;
|
||||
ns_client_sendraw(client, uev->answer);
|
||||
dns_message_detach(&uev->answer);
|
||||
+
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &ns_g_server->updquota });
|
||||
isc_event_free(&event);
|
||||
ns_client_detach(&client);
|
||||
}
|
||||
@@ -3472,6 +3493,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
isc_task_t *zonetask = NULL;
|
||||
ns_client_t *evclient;
|
||||
|
||||
+ result = isc_quota_attach(&ns_g_server->updquota,
|
||||
+ &(isc_quota_t *){ NULL });
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||
+ isc_result_totext(result));
|
||||
+ isc_stats_increment(ns_g_server->nsstats,
|
||||
+ dns_nsstatscounter_updatequota);
|
||||
+ return (DNS_R_DROP);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* This may take some time so replace this client.
|
||||
*/
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index c17f168..9aca6d7 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -15105,6 +15105,21 @@ HOST-127.EXAMPLE. MX 0 .
|
||||
</para>
|
||||
</entry>
|
||||
</row>
|
||||
+ <row rowsep="0">
|
||||
+ <entry colname="1">
|
||||
+ <para><command>UpdateQuota</command></para>
|
||||
+ </entry>
|
||||
+ <entry colname="2">
|
||||
+ <para><command/></para>
|
||||
+ </entry>
|
||||
+ <entry colname="3">
|
||||
+ <para>
|
||||
+ This indicates the number of times a dynamic update or update
|
||||
+ forwarding request was rejected because the number of pending
|
||||
+ requests exceeded the update quota.
|
||||
+ </para>
|
||||
+ </entry>
|
||||
+ </row>
|
||||
<row rowsep="0">
|
||||
<entry colname="1">
|
||||
<para><command>RateDropped</command></para>
|
||||
--
|
||||
2.39.2
|
||||
|
|
@ -0,0 +1,136 @@
|
|||
From d9a03233c6ea11f20c2fbeca87b763673859f8b2 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 1 Sep 2022 16:22:46 -0700
|
||||
Subject: [PATCH] add a configuration option for the update quota
|
||||
|
||||
add an "update-quota" option to configure the update quota.
|
||||
|
||||
(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
|
||||
---
|
||||
bin/named/config.c | 1 +
|
||||
bin/named/named.conf.docbook | 2 ++
|
||||
bin/named/server.c | 1 +
|
||||
bin/tests/system/checkconf/good.conf | 1 +
|
||||
doc/arm/Bv9ARM-book.xml | 11 +++++++++++
|
||||
doc/arm/options.grammar.xml | 1 +
|
||||
doc/misc/options | 1 +
|
||||
lib/isccfg/namedconf.c | 1 +
|
||||
8 files changed, 19 insertions(+)
|
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||
index 62d1e88..e3731cf 100644
|
||||
--- a/bin/named/config.c
|
||||
+++ b/bin/named/config.c
|
||||
@@ -134,6 +134,7 @@ options {\n\
|
||||
transfers-per-ns 2;\n\
|
||||
# treat-cr-as-space <obsolete>;\n\
|
||||
trust-anchor-telemetry yes;\n\
|
||||
+ update-quota 100;\n\
|
||||
# use-id-pool <obsolete>;\n\
|
||||
# use-ixfr <obsolete>;\n\
|
||||
\n\
|
||||
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
|
||||
index 6565fce..5842cb5 100644
|
||||
--- a/bin/named/named.conf.docbook
|
||||
+++ b/bin/named/named.conf.docbook
|
||||
@@ -455,6 +455,7 @@ options {
|
||||
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
|
||||
try-tcp-refresh <replaceable>boolean</replaceable>;
|
||||
update-check-ksk <replaceable>boolean</replaceable>;
|
||||
+ update-quota <replaceable>integer</replaceable>;
|
||||
use-alt-transfer-source <replaceable>boolean</replaceable>;
|
||||
use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
|
||||
use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
|
||||
@@ -864,6 +865,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
|
||||
type ( delegation-only | forward | hint | master | redirect
|
||||
| slave | static-stub | stub );
|
||||
update-check-ksk <replaceable>boolean</replaceable>;
|
||||
+ update-quota <replaceable>integer</replaceable>;
|
||||
update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
|
||||
6to4-self | external | krb5-self | krb5-selfsub |
|
||||
krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index f09b895..7af90d0 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -7792,6 +7792,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
configure_server_quota(maps, "tcp-clients", &server->tcpquota);
|
||||
configure_server_quota(maps, "recursive-clients",
|
||||
&server->recursionquota);
|
||||
+ configure_server_quota(maps, "update-quota", &server->updquota);
|
||||
|
||||
if (server->recursionquota.max > 1000) {
|
||||
int margin = ISC_MAX(100, ns_g_cpus + 1);
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index 1359cf3..5d9b292 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -63,6 +63,7 @@ options {
|
||||
serial-queries 10;
|
||||
serial-query-rate 100;
|
||||
server-id none;
|
||||
+ update-quota 200;
|
||||
max-cache-size 20000000000000;
|
||||
nta-lifetime 604800;
|
||||
nta-recheck 604800;
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index 9aca6d7..acf772b 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -8599,6 +8599,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><command>update-quota</command></term>
|
||||
+ <listitem>
|
||||
+ <para>
|
||||
+ This is the maximum number of simultaneous DNS UPDATE messages that
|
||||
+ the server will accept for updating local authoritiative zones or
|
||||
+ forwarding to a primary server. The default is <userinput>100</userinput>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
|
||||
</section>
|
||||
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
|
||||
index 793ac0b..1d17ea8 100644
|
||||
--- a/doc/arm/options.grammar.xml
|
||||
+++ b/doc/arm/options.grammar.xml
|
||||
@@ -277,6 +277,7 @@
|
||||
<command>trust-anchor-telemetry</command> <replaceable>boolean</replaceable>; // experimental
|
||||
<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
|
||||
<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
|
||||
+ <command>update-quota</command> <replaceable>integer</replaceable>;
|
||||
<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
|
||||
<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
|
||||
<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
|
||||
diff --git a/doc/misc/options b/doc/misc/options
|
||||
index fde93c7..e6d6ba6 100644
|
||||
--- a/doc/misc/options
|
||||
+++ b/doc/misc/options
|
||||
@@ -357,6 +357,7 @@ options {
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
+ update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-id-pool <boolean>; // obsolete
|
||||
use-ixfr <boolean>; // obsolete
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index b562f95..667111c 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1136,6 +1136,7 @@ options_clauses[] = {
|
||||
{ "transfers-out", &cfg_type_uint32, 0 },
|
||||
{ "transfers-per-ns", &cfg_type_uint32, 0 },
|
||||
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
||||
+ { "update-quota", &cfg_type_uint32, 0 },
|
||||
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
|
||||
--
|
||||
2.39.2
|
||||
|
|
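Review bot: `update-quota` is added only to `options_clauses[]` in lib/isccfg/namedconf.c and, in the generated grammar doc/misc/options, only under `options {`, yet the bin/named/named.conf.docbook hunk also inserts `update-quota <replaceable>integer</replaceable>;` into the `view` grammar (the `@@ -864,6 +865,7 @@ view` hunk); unless `view_clauses` is extended elsewhere, that line documents a clause the parser will reject inside a view, so either drop it or add the clause to `view_clauses` as well. The ARM paragraph added to doc/arm/Bv9ARM-book.xml states only the default of 100; `configure_server_quota` is not visible here, but if, as is common for these server quotas, a value of `0` lifts the limit, the text should say so explicitly, since such a setting silently removes the CVE-2022-3094 mitigation this option is tuning, e.g. `Setting it to 0 removes the limit and is not recommended.` The ns_server struct holding `updquota` and the `load_configuration` body both lie outside these hunks.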
@ -0,0 +1,553 @@
|
|||
From cba333b262b7ee0034a66cc93cf27f6c4918eea2 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Tue, 8 Nov 2022 17:32:41 -0800
|
||||
Subject: [PATCH] move update ACL and update-policy checks before quota
|
||||
|
||||
check allow-update, update-policy, and allow-update-forwarding before
|
||||
consuming quota slots, so that unauthorized clients can't fill the
|
||||
quota.
|
||||
|
||||
(this moves the access check before the prerequisite check, which
|
||||
violates the precise wording of RFC 2136. however, RFC co-author Paul
|
||||
Vixie has stated that the RFC is mistaken on this point; it should have
|
||||
said that access checking must happen *no later than* the completion of
|
||||
prerequisite checks, not that it must happen exactly then.)
|
||||
|
||||
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
|
||||
---
|
||||
bin/named/update.c | 440 ++++++++++++++++++++++++++++++---------------
|
||||
1 file changed, 298 insertions(+), 142 deletions(-)
|
||||
|
||||
diff --git a/bin/named/update.c b/bin/named/update.c
|
||||
index 8853ee7..4d1fe78 100644
|
||||
--- a/bin/named/update.c
|
||||
+++ b/bin/named/update.c
|
||||
@@ -251,6 +251,9 @@ static void updatedone_action(isc_task_t *task, isc_event_t *event);
|
||||
static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
|
||||
static void forward_done(isc_task_t *task, isc_event_t *event);
|
||||
static isc_result_t add_rr_prepare_action(void *data, rr_t *rr);
|
||||
+static isc_result_t
|
||||
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
||||
+ const dns_rdata_t *rdata, bool *flag);
|
||||
|
||||
/**************************************************************************/
|
||||
|
||||
@@ -328,23 +331,24 @@ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
|
||||
{
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
char classbuf[DNS_RDATACLASS_FORMATSIZE];
|
||||
- int level;
|
||||
isc_result_t result;
|
||||
+ bool update_possible =
|
||||
+ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
|
||||
+ ssutable != NULL);
|
||||
|
||||
result = ns_client_checkaclsilent(client, NULL, queryacl, true);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
|
||||
+
|
||||
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||
sizeof(classbuf));
|
||||
|
||||
- level = (updateacl == NULL && ssutable == NULL) ?
|
||||
- ISC_LOG_INFO : ISC_LOG_ERROR;
|
||||
-
|
||||
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
|
||||
NS_LOGMODULE_UPDATE, level,
|
||||
"update '%s/%s' denied due to allow-query",
|
||||
namebuf, classbuf);
|
||||
- } else if (updateacl == NULL && ssutable == NULL) {
|
||||
+ } else if (!update_possible) {
|
||||
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||
sizeof(classbuf));
|
||||
@@ -1525,6 +1529,277 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
update_event_t *event = NULL;
|
||||
isc_task_t *zonetask = NULL;
|
||||
ns_client_t *evclient;
|
||||
+#if 1
|
||||
+ dns_ssutable_t *ssutable = NULL;
|
||||
+ dns_message_t *request = client->message;
|
||||
+ dns_rdataclass_t zoneclass;
|
||||
+ dns_rdatatype_t covers;
|
||||
+ dns_name_t *zonename = NULL;
|
||||
+ dns_db_t *db = NULL;
|
||||
+ dns_dbversion_t *ver = NULL;
|
||||
+
|
||||
+ CHECK(dns_zone_getdb(zone, &db));
|
||||
+ zonename = dns_db_origin(db);
|
||||
+ zoneclass = dns_db_class(db);
|
||||
+ dns_zone_getssutable(zone, &ssutable);
|
||||
+ dns_db_currentversion(db, &ver);
|
||||
+
|
||||
+ /*
|
||||
+ * Update message processing can leak record existence information
|
||||
+ * so check that we are allowed to query this zone. Additionally,
|
||||
+ * if we would refuse all updates for this zone, we bail out here.
|
||||
+ */
|
||||
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
|
||||
+ dns_zone_getorigin(zone),
|
||||
+ dns_zone_getupdateacl(zone), ssutable));
|
||||
+
|
||||
+ /*
|
||||
+ * Check requestor's permissions.
|
||||
+ */
|
||||
+ if (ssutable == NULL)
|
||||
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||
+ "update", zonename, false, false));
|
||||
+ else if (client->signer == NULL && !TCPCLIENT(client))
|
||||
+ CHECK(checkupdateacl(client, NULL, "update", zonename,
|
||||
+ false, true));
|
||||
+
|
||||
+ if (dns_zone_getupdatedisabled(zone))
|
||||
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||
+ "because the zone is frozen. Use "
|
||||
+ "'rndc thaw' to re-enable updates.");
|
||||
+
|
||||
+ /*
|
||||
+ * Perform the Update Section Prescan.
|
||||
+ */
|
||||
+
|
||||
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
+ result == ISC_R_SUCCESS;
|
||||
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
+ {
|
||||
+ dns_name_t *name = NULL;
|
||||
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
+ dns_ttl_t ttl;
|
||||
+ dns_rdataclass_t update_class;
|
||||
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
|
||||
+ &name, &rdata, &covers, &ttl, &update_class);
|
||||
+
|
||||
+ if (! dns_name_issubdomain(name, zonename))
|
||||
+ FAILC(DNS_R_NOTZONE,
|
||||
+ "update RR is outside zone");
|
||||
+ if (update_class == zoneclass) {
|
||||
+ /*
|
||||
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||
+ * "or any other QUERY metatype"
|
||||
+ */
|
||||
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||
+ FAILC(DNS_R_FORMERR,
|
||||
+ "meta-RR in update");
|
||||
+ }
|
||||
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||
+ if (result != ISC_R_SUCCESS)
|
||||
+ FAIL(DNS_R_REFUSED);
|
||||
+ } else if (update_class == dns_rdataclass_any) {
|
||||
+ if (ttl != 0 || rdata.length != 0 ||
|
||||
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||
+ rdata.type != dns_rdatatype_any))
|
||||
+ FAILC(DNS_R_FORMERR,
|
||||
+ "meta-RR in update");
|
||||
+ } else if (update_class == dns_rdataclass_none) {
|
||||
+ if (ttl != 0 ||
|
||||
+ dns_rdatatype_ismeta(rdata.type))
|
||||
+ FAILC(DNS_R_FORMERR,
|
||||
+ "meta-RR in update");
|
||||
+ } else {
|
||||
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||
+ "update RR has incorrect class %d",
|
||||
+ update_class);
|
||||
+ FAIL(DNS_R_FORMERR);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||
+ * "Unlike traditional dynamic update, the client
|
||||
+ * is forbidden from updating NSEC records."
|
||||
+ */
|
||||
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||
+ FAILC(DNS_R_REFUSED,
|
||||
+ "explicit NSEC3 updates are not allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||
+ FAILC(DNS_R_REFUSED,
|
||||
+ "explicit NSEC updates are not allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||
+ !dns_name_equal(name, zonename)) {
|
||||
+ FAILC(DNS_R_REFUSED,
|
||||
+ "explicit RRSIG updates are currently "
|
||||
+ "not supported in secure zones except "
|
||||
+ "at the apex");
|
||||
+ }
|
||||
+
|
||||
+ if (ssutable != NULL) {
|
||||
+ isc_netaddr_t netaddr;
|
||||
+ dst_key_t *tsigkey = NULL;
|
||||
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
+
|
||||
+ if (client->message->tsigkey != NULL)
|
||||
+ tsigkey = client->message->tsigkey->key;
|
||||
+
|
||||
+ if (rdata.type != dns_rdatatype_any) {
|
||||
+ if (!dns_ssutable_checkrules2
|
||||
+ (ssutable, client->signer, name, &netaddr,
|
||||
+ TCPCLIENT(client),
|
||||
+ &ns_g_server->aclenv,
|
||||
+ rdata.type, tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED,
|
||||
+ "rejected by secure update");
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||
+ client->signer,
|
||||
+ &netaddr,
|
||||
+ TCPCLIENT(client),
|
||||
+ tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED,
|
||||
+ "rejected by secure update");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (result != ISC_R_NOMORE)
|
||||
+ FAIL(result);
|
||||
+
|
||||
+ update_log(client, zone, LOGLEVEL_DEBUG,
|
||||
+ "update section prescan OK");
|
||||
+#if 0
|
||||
+ if (ssutable == NULL) {
|
||||
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||
+ // zonename
|
||||
+ "update", dns_zone_getorigin(zone), false,
|
||||
+ false));
|
||||
+ } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||
+ CHECK(checkupdateacl(client, NULL, "update",
|
||||
+ dns_zone_getorigin(zone), false, true));
|
||||
+ }
|
||||
+
|
||||
+ if (dns_zone_getupdatedisabled(zone)) {
|
||||
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||
+ "because the zone is frozen. Use "
|
||||
+ "'rndc thaw' to re-enable updates.");
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Prescan the update section, checking for updates that
|
||||
+ * are illegal or violate policy.
|
||||
+ */
|
||||
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
+ result == ISC_R_SUCCESS;
|
||||
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
+ {
|
||||
+ dns_name_t *name = NULL;
|
||||
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
+ dns_ttl_t ttl;
|
||||
+ dns_rdataclass_t update_class;
|
||||
+
|
||||
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||
+ &rdata, &covers, &ttl, &update_class);
|
||||
+
|
||||
+ if (!dns_name_issubdomain(name, zonename)) {
|
||||
+ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||
+ }
|
||||
+ if (update_class == zoneclass) {
|
||||
+ /*
|
||||
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||
+ * "or any other QUERY metatype"
|
||||
+ */
|
||||
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ FAIL(DNS_R_REFUSED);
|
||||
+ }
|
||||
+ } else if (update_class == dns_rdataclass_any) {
|
||||
+ if (ttl != 0 || rdata.length != 0 ||
|
||||
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||
+ rdata.type != dns_rdatatype_any))
|
||||
+ {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ } else if (update_class == dns_rdataclass_none) {
|
||||
+ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ } else {
|
||||
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||
+ "update RR has incorrect class %d",
|
||||
+ update_class);
|
||||
+ FAIL(DNS_R_FORMERR);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||
+ * "Unlike traditional dynamic update, the client
|
||||
+ * is forbidden from updating NSEC records."
|
||||
+ */
|
||||
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||
+ "allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||
+ "allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||
+ !dns_name_equal(name, zonename))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||
+ "currently "
|
||||
+ "not supported in secure zones "
|
||||
+ "except "
|
||||
+ "at the apex");
|
||||
+ }
|
||||
+
|
||||
+ if (ssutable != NULL) {
|
||||
+ isc_netaddr_t netaddr;
|
||||
+ dst_key_t *tsigkey = NULL;
|
||||
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
+
|
||||
+ if (client->message->tsigkey != NULL) {
|
||||
+ tsigkey = client->message->tsigkey->key;
|
||||
+ }
|
||||
+
|
||||
+ if (rdata.type != dns_rdatatype_any) {
|
||||
+ if (!dns_ssutable_checkrules(
|
||||
+ ssutable, client->signer, name,
|
||||
+ &netaddr, TCPCLIENT(client), env,
|
||||
+ rdata.type, tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||
+ "secure update");
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||
+ client->signer, &netaddr, env,
|
||||
+ TCPCLIENT(client), tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||
+ "secure update");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (result != ISC_R_NOMORE) {
|
||||
+ FAIL(result);
|
||||
+ }
|
||||
+
|
||||
+ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||
+#endif
|
||||
+#endif
|
||||
|
||||
result = isc_quota_attach(&ns_g_server->updquota,
|
||||
&(isc_quota_t *){ NULL });
|
||||
@@ -1558,6 +1833,15 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
failure:
|
||||
if (event != NULL)
|
||||
isc_event_free(ISC_EVENT_PTR(&event));
|
||||
+ if (db != NULL) {
|
||||
+ dns_db_closeversion(db, &ver, false);
|
||||
+ dns_db_detach(&db);
|
||||
+ }
|
||||
+
|
||||
+ if (ssutable != NULL) {
|
||||
+ dns_ssutable_detach(&ssutable);
|
||||
+ }
|
||||
+
|
||||
return (result);
|
||||
}
|
||||
|
||||
@@ -1644,9 +1928,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
|
||||
CHECK(send_update_event(client, zone));
|
||||
break;
|
||||
case dns_zone_slave:
|
||||
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||
- "update forwarding", zonename, true,
|
||||
- false));
|
||||
CHECK(send_forward_event(client, zone));
|
||||
break;
|
||||
default:
|
||||
@@ -1656,7 +1937,6 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
|
||||
|
||||
failure:
|
||||
if (result == DNS_R_REFUSED) {
|
||||
- INSIST(dns_zone_gettype(zone) == dns_zone_slave);
|
||||
inc_stats(zone, dns_nsstatscounter_updaterej);
|
||||
}
|
||||
/*
|
||||
@@ -2520,7 +2800,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
dns_rdatatype_t covers;
|
||||
dns_message_t *request = client->message;
|
||||
dns_rdataclass_t zoneclass;
|
||||
- dns_name_t *zonename;
|
||||
+ dns_name_t *zonename = NULL;
|
||||
dns_ssutable_t *ssutable = NULL;
|
||||
dns_fixedname_t tmpnamefixed;
|
||||
dns_name_t *tmpname = NULL;
|
||||
@@ -2542,14 +2822,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
zonename = dns_db_origin(db);
|
||||
zoneclass = dns_db_class(db);
|
||||
dns_zone_getssutable(zone, &ssutable);
|
||||
-
|
||||
- /*
|
||||
- * Update message processing can leak record existence information
|
||||
- * so check that we are allowed to query this zone. Additionally
|
||||
- * if we would refuse all updates for this zone we bail out here.
|
||||
- */
|
||||
- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
|
||||
- dns_zone_getupdateacl(zone), ssutable));
|
||||
+ options = dns_zone_getoptions(zone);
|
||||
|
||||
/*
|
||||
* Get old and new versions now that queryacl has been checked.
|
||||
@@ -2673,134 +2946,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
update_log(client, zone, LOGLEVEL_DEBUG,
|
||||
"prerequisites are OK");
|
||||
|
||||
- /*
|
||||
- * Check Requestor's Permissions. It seems a bit silly to do this
|
||||
- * only after prerequisite testing, but that is what RFC2136 says.
|
||||
- */
|
||||
- if (ssutable == NULL)
|
||||
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||
- "update", zonename, false, false));
|
||||
- else if (client->signer == NULL && !TCPCLIENT(client))
|
||||
- CHECK(checkupdateacl(client, NULL, "update", zonename,
|
||||
- false, true));
|
||||
-
|
||||
- if (dns_zone_getupdatedisabled(zone))
|
||||
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||
- "because the zone is frozen. Use "
|
||||
- "'rndc thaw' to re-enable updates.");
|
||||
-
|
||||
- /*
|
||||
- * Perform the Update Section Prescan.
|
||||
- */
|
||||
-
|
||||
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
- result == ISC_R_SUCCESS;
|
||||
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
- {
|
||||
- dns_name_t *name = NULL;
|
||||
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
- dns_ttl_t ttl;
|
||||
- dns_rdataclass_t update_class;
|
||||
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
|
||||
- &name, &rdata, &covers, &ttl, &update_class);
|
||||
-
|
||||
- if (! dns_name_issubdomain(name, zonename))
|
||||
- FAILC(DNS_R_NOTZONE,
|
||||
- "update RR is outside zone");
|
||||
- if (update_class == zoneclass) {
|
||||
- /*
|
||||
- * Check for meta-RRs. The RFC2136 pseudocode says
|
||||
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||
- * "or any other QUERY metatype"
|
||||
- */
|
||||
- if (dns_rdatatype_ismeta(rdata.type)) {
|
||||
- FAILC(DNS_R_FORMERR,
|
||||
- "meta-RR in update");
|
||||
- }
|
||||
- result = dns_zone_checknames(zone, name, &rdata);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
- FAIL(DNS_R_REFUSED);
|
||||
- } else if (update_class == dns_rdataclass_any) {
|
||||
- if (ttl != 0 || rdata.length != 0 ||
|
||||
- (dns_rdatatype_ismeta(rdata.type) &&
|
||||
- rdata.type != dns_rdatatype_any))
|
||||
- FAILC(DNS_R_FORMERR,
|
||||
- "meta-RR in update");
|
||||
- } else if (update_class == dns_rdataclass_none) {
|
||||
- if (ttl != 0 ||
|
||||
- dns_rdatatype_ismeta(rdata.type))
|
||||
- FAILC(DNS_R_FORMERR,
|
||||
- "meta-RR in update");
|
||||
- } else {
|
||||
- update_log(client, zone, ISC_LOG_WARNING,
|
||||
- "update RR has incorrect class %d",
|
||||
- update_class);
|
||||
- FAIL(DNS_R_FORMERR);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * draft-ietf-dnsind-simple-secure-update-01 says
|
||||
- * "Unlike traditional dynamic update, the client
|
||||
- * is forbidden from updating NSEC records."
|
||||
- */
|
||||
- if (rdata.type == dns_rdatatype_nsec3) {
|
||||
- FAILC(DNS_R_REFUSED,
|
||||
- "explicit NSEC3 updates are not allowed "
|
||||
- "in secure zones");
|
||||
- } else if (rdata.type == dns_rdatatype_nsec) {
|
||||
- FAILC(DNS_R_REFUSED,
|
||||
- "explicit NSEC updates are not allowed "
|
||||
- "in secure zones");
|
||||
- } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||
- !dns_name_equal(name, zonename)) {
|
||||
- FAILC(DNS_R_REFUSED,
|
||||
- "explicit RRSIG updates are currently "
|
||||
- "not supported in secure zones except "
|
||||
- "at the apex");
|
||||
- }
|
||||
-
|
||||
- if (ssutable != NULL) {
|
||||
- isc_netaddr_t netaddr;
|
||||
- dst_key_t *tsigkey = NULL;
|
||||
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
-
|
||||
- if (client->message->tsigkey != NULL)
|
||||
- tsigkey = client->message->tsigkey->key;
|
||||
-
|
||||
- if (rdata.type != dns_rdatatype_any) {
|
||||
- if (!dns_ssutable_checkrules2
|
||||
- (ssutable, client->signer, name, &netaddr,
|
||||
- TCPCLIENT(client),
|
||||
- &ns_g_server->aclenv,
|
||||
- rdata.type, tsigkey))
|
||||
- {
|
||||
- FAILC(DNS_R_REFUSED,
|
||||
- "rejected by secure update");
|
||||
- }
|
||||
- } else {
|
||||
- if (!ssu_checkall(db, ver, name, ssutable,
|
||||
- client->signer,
|
||||
- &netaddr,
|
||||
- TCPCLIENT(client),
|
||||
- tsigkey))
|
||||
- {
|
||||
- FAILC(DNS_R_REFUSED,
|
||||
- "rejected by secure update");
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- if (result != ISC_R_NOMORE)
|
||||
- FAIL(result);
|
||||
-
|
||||
- update_log(client, zone, LOGLEVEL_DEBUG,
|
||||
- "update section prescan OK");
|
||||
-
|
||||
/*
|
||||
* Process the Update Section.
|
||||
*/
|
||||
|
||||
- options = dns_zone_getoptions(zone);
|
||||
options2 = dns_zone_getoptions2(zone);
|
||||
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
result == ISC_R_SUCCESS;
|
||||
@@ -3494,6 +3643,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
isc_task_t *zonetask = NULL;
|
||||
ns_client_t *evclient;
|
||||
|
||||
+ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||
+ "update forwarding", dns_zone_getorigin(zone),
|
||||
+ true, false);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ return (result);
|
||||
+ }
|
||||
+
|
||||
result = isc_quota_attach(&ns_g_server->updquota,
|
||||
&(isc_quota_t *){ NULL });
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
--
|
||||
2.39.2
|
||||
|
|
@ -0,0 +1,266 @@
|
|||
From 3d84c651f823cb90b73fd736d32ad6de57b11610 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Wed, 9 Nov 2022 21:56:16 -0800
|
||||
Subject: [PATCH] test failure conditions
|
||||
|
||||
verify that updates are refused when the client is disallowed by
|
||||
allow-query, and update forwarding is refused when the client is
|
||||
is disallowed by update-forwarding.
|
||||
|
||||
verify that "too many DNS UPDATEs" appears in the log file when too
|
||||
many simultaneous updates are processing.
|
||||
|
||||
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
|
||||
---
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
|
||||
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
|
||||
bin/tests/system/upforwd/clean.sh | 2 +
|
||||
.../ns3/{named.conf.in => named1.conf.in} | 7 +++-
|
||||
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
|
||||
bin/tests/system/upforwd/setup.sh | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 40 ++++++++++++++++++
|
||||
7 files changed, 120 insertions(+), 2 deletions(-)
|
||||
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (85%)
|
||||
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index cb80269..228ad6a 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -20,6 +20,7 @@ options {
|
||||
listen-on-v6 { none; };
|
||||
recursion no;
|
||||
notify yes;
|
||||
+ update-quota 1;
|
||||
};
|
||||
|
||||
key rndc_key {
|
||||
@@ -76,6 +77,7 @@ zone "other.nil" {
|
||||
check-integrity no;
|
||||
check-mx warn;
|
||||
update-policy local;
|
||||
+ allow-query { !10.53.0.2; any; };
|
||||
allow-query-on { 10.53.0.1; 127.0.0.1; };
|
||||
allow-transfer { any; };
|
||||
};
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index f8994ff..4cabf8d 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -1069,6 +1069,34 @@ END
|
||||
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "check that update is rejected if query is not allowed ($n)"
|
||||
+{
|
||||
+ $NSUPDATE -d <<END
|
||||
+ local 10.53.0.2
|
||||
+ server 10.53.0.1 ${PORT}
|
||||
+ update add reject.other.nil 3600 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} > nsupdate.out.test$n 2>&1
|
||||
+grep 'status: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "check that update is rejected if quota is exceeded ($n)"
|
||||
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||
+{
|
||||
+ $NSUPDATE -l -p ${PORT} -k ns1/session.key > nsupdate.out.test$n-${loop} 2>&1 <<END
|
||||
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} &
|
||||
+done
|
||||
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
if $FEATURETEST --gssapi ; then
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
|
||||
index 15cf423..832c727 100644
|
||||
--- a/bin/tests/system/upforwd/clean.sh
|
||||
+++ b/bin/tests/system/upforwd/clean.sh
|
||||
@@ -24,3 +24,5 @@ rm -f Ksig0.example2.*
|
||||
rm -f keyname
|
||||
rm -f ns*/named.lock
|
||||
rm -f ns1/example2.db
|
||||
+rm -f nsupdate.out.*
|
||||
+rm -f ns*/named.run.prev
|
||||
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
similarity index 85%
|
||||
rename from bin/tests/system/upforwd/ns3/named.conf.in
|
||||
rename to bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
index e81cd1a..83a490f 100644
|
||||
--- a/bin/tests/system/upforwd/ns3/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
@@ -22,10 +22,15 @@ options {
|
||||
notify yes;
|
||||
};
|
||||
|
||||
+include "../../common/rndc.key";
|
||||
+controls {
|
||||
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
+
|
||||
zone "example" {
|
||||
type slave;
|
||||
file "example.bk";
|
||||
- allow-update-forwarding { any; };
|
||||
+ allow-update-forwarding { 10.53.0.1; };
|
||||
masters { 10.53.0.1; };
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..992cd69
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
@@ -0,0 +1,41 @@
|
||||
+/*
|
||||
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+ *
|
||||
+ * SPDX-License-Identifier: MPL-2.0
|
||||
+ *
|
||||
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
+ *
|
||||
+ * See the COPYRIGHT file distributed with this work for additional
|
||||
+ * information regarding copyright ownership.
|
||||
+ */
|
||||
+
|
||||
+options {
|
||||
+ query-source address 10.53.0.3;
|
||||
+ notify-source 10.53.0.3;
|
||||
+ transfer-source 10.53.0.3;
|
||||
+ port @PORT@;
|
||||
+ pid-file "named.pid";
|
||||
+ listen-on { 10.53.0.3; };
|
||||
+ listen-on-v6 { none; };
|
||||
+ recursion no;
|
||||
+ notify yes;
|
||||
+ update-quota 1;
|
||||
+};
|
||||
+
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
+
|
||||
+zone "example" {
|
||||
+ type slave;
|
||||
+ file "example.bk";
|
||||
+ allow-update-forwarding { any; };
|
||||
+ masters { 10.53.0.1; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
|
||||
index 74c7ba3..928902b 100644
|
||||
--- a/bin/tests/system/upforwd/setup.sh
|
||||
+++ b/bin/tests/system/upforwd/setup.sh
|
||||
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
-copy_setports ns3/named.conf.in ns3/named.conf
|
||||
+copy_setports ns3/named1.conf.in ns3/named.conf
|
||||
|
||||
#
|
||||
# SIG(0) required cryptographic support which may not be configured.
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index f4c3216..ebc9ded 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -17,6 +17,7 @@ SYSTEMTESTTOP=..
|
||||
. $SYSTEMTESTTOP/conf.sh
|
||||
|
||||
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
|
||||
+RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
|
||||
|
||||
status=0
|
||||
n=1
|
||||
@@ -69,6 +70,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
echo_i "updating zone (signed) ($n)"
|
||||
ret=0
|
||||
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
@@ -116,6 +118,7 @@ n=`expr $n + 1`
|
||||
echo_i "updating zone (unsigned) ($n)"
|
||||
ret=0
|
||||
$NSUPDATE -- - <<EOF || ret=1
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add unsigned.example. 600 A 10.10.10.1
|
||||
update add unsigned.example. 600 TXT Foo
|
||||
@@ -161,6 +164,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
|
||||
do
|
||||
(
|
||||
$NSUPDATE -- - <<EOF
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone nomaster
|
||||
update add unsigned.nomaster. 600 A 10.10.10.1
|
||||
@@ -181,6 +185,7 @@ then
|
||||
ret=0
|
||||
keyname=`cat keyname`
|
||||
$NSUPDATE -k $keyname.private -- - <<EOF
|
||||
+ local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone example2
|
||||
update add unsigned.example2. 600 A 10.10.10.1
|
||||
@@ -194,5 +199,40 @@ EOF
|
||||
n=`expr $n + 1`
|
||||
fi
|
||||
|
||||
+echo_i "attempting an update that should be rejected by ACL ($n)"
|
||||
+ret=0
|
||||
+{
|
||||
+ $NSUPDATE -- - << EOF
|
||||
+ local 10.53.0.2
|
||||
+ server 10.53.0.3 ${PORT}
|
||||
+ update add another.unsigned.example. 600 A 10.10.10.2
|
||||
+ update add another.unsigned.example. 600 TXT Bar
|
||||
+ send
|
||||
+EOF
|
||||
+} > nsupdate.out.$n 2>&1
|
||||
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
|
||||
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
+n=`expr $n + 1`
|
||||
+
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "attempting updates that should exceed quota ($n)"
|
||||
+# lower the update quota to 1.
|
||||
+copy_setports ns3/named2.conf.in ns3/named.conf
|
||||
+$RNDCCMD 10.53.0.3 reconfig
|
||||
+nextpart ns3/named.run > /dev/null
|
||||
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||
+{
|
||||
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
|
||||
+ local 10.53.0.1
|
||||
+ server 10.53.0.3 ${PORT}
|
||||
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} &
|
||||
+done
|
||||
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
--
|
||||
2.39.2
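Review bot: bin/tests/system/upforwd/tests.sh advances the test counter twice between the ACL test and the quota test — the `expr $n + 1` assignment directly after the REFUSED check is followed by `n=$((n + 1))` at the head of the quota test — so the quota test's reported number skips a value; drop one of the two. In both tests.sh quota loops the ten backgrounded `$NSUPDATE` jobs are never reaped: a `wait` after the `wait_for_log 10 "too many DNS UPDATEs queued" …` line would keep stray clients from still running when the script reaches `echo_i "exit status: $status"` or when clean.sh removes nsupdate.out.*. The upforwd quota test also leaves ns3 reconfigured from named2.conf.in (`allow-update-forwarding { any; }`, `update-quota 1;`) and relies on being the last test; a comment such as `# ns3 stays on named2.conf after this; keep this test last` would document that ordering dependency.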
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From 0095b8a6b09173ab5eb48611dc0233d2a6337dc1 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 11:21:45 +0200
|
||||
Subject: [PATCH] Fix CVE-2022-38177
|
||||
|
||||
5961. [security] Fix memory leak in ECDSA verify processing.
|
||||
(CVE-2022-38177) [GL #3487]
|
||||
---
|
||||
lib/dns/opensslecdsa_link.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
||||
index 83b5b51..7576e04 100644
|
||||
--- a/lib/dns/opensslecdsa_link.c
|
||||
+++ b/lib/dns/opensslecdsa_link.c
|
||||
@@ -224,7 +224,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
siglen = DNS_SIG_ECDSA384SIZE;
|
||||
|
||||
if (sig->length != siglen)
|
||||
- return (DST_R_VERIFYFAILURE);
|
||||
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||
|
||||
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
|
||||
DST_RET (dst__openssl_toresult3(dctx->category,
|
||||
--
|
||||
2.37.3
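Review bot: The switch from a bare `return` to `DST_RET(DST_R_VERIFYFAILURE)` on the signature-length check is a leak fix only because DST_RET jumps to the function's cleanup label; that label and the state it releases are outside the hunk, so the reader has to take the commit title on trust — a comment on the changed line, `/* use DST_RET, not return: the error label frees state allocated above (CVE-2022-38177) */`, would make the intent local. The same applies to the EdDSA hunk in lib/dns/openssleddsa_link.c (CVE-2022-38178). Neither backport carries a regression test; a wrong-length-signature verify loop under ASan or valgrind in the dst unit tests, if the 9.11 tree has them, would catch the bare `return` creeping back.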
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From bb68864bf05d29df644427ec841bc3db6a336519 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 11:22:47 +0200
|
||||
Subject: [PATCH] Fix CVE-2022-38178
|
||||
|
||||
5962. [security] Fix memory leak in EdDSA verify processing.
|
||||
(CVE-2022-38178) [GL #3487]
|
||||
---
|
||||
lib/dns/openssleddsa_link.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
|
||||
index 8b115ec..4f3c2a8 100644
|
||||
--- a/lib/dns/openssleddsa_link.c
|
||||
+++ b/lib/dns/openssleddsa_link.c
|
||||
@@ -325,7 +325,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
siglen = DNS_SIG_ED448SIZE;
|
||||
|
||||
if (sig->length != siglen)
|
||||
- return (DST_R_VERIFYFAILURE);
|
||||
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||
|
||||
isc_buffer_usedregion(buf, &tbsreg);
|
||||
|
||||
--
|
||||
2.37.3
|
||||
|
|
@ -0,0 +1,166 @@
|
|||
From 3883ec072e5feed1237dc864854ab95ded7302d6 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 19 Sep 2023 13:14:52 +0200
|
||||
Subject: [PATCH] Backport of CVE-2023-3341 fix
|
||||
|
||||
Taken from BIND 9.16.44 change.
|
||||
---
|
||||
lib/isccc/cc.c | 36 +++++++++++++++++++++++---------
|
||||
lib/isccc/include/isccc/result.h | 4 +++-
|
||||
lib/isccc/result.c | 4 +++-
|
||||
3 files changed, 32 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
|
||||
index 463a053..a54e60c 100644
|
||||
--- a/lib/isccc/cc.c
|
||||
+++ b/lib/isccc/cc.c
|
||||
@@ -53,6 +53,10 @@
|
||||
|
||||
#define MAX_TAGS 256
|
||||
#define DUP_LIFETIME 900
|
||||
+#ifndef ISCCC_MAXDEPTH
|
||||
+#define ISCCC_MAXDEPTH \
|
||||
+ 10 /* Big enough for rndc which just sends a string each way. */
|
||||
+#endif
|
||||
|
||||
typedef isccc_sexpr_t *sexpr_ptr;
|
||||
|
||||
@@ -573,19 +577,23 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
||||
|
||||
static isc_result_t
|
||||
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||||
- uint32_t algorithm, isccc_sexpr_t **alistp);
|
||||
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
|
||||
|
||||
static isc_result_t
|
||||
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
|
||||
+list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp);
|
||||
|
||||
static isc_result_t
|
||||
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
|
||||
+value_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **valuep) {
|
||||
unsigned int msgtype;
|
||||
uint32_t len;
|
||||
isccc_sexpr_t *value;
|
||||
isccc_region_t active;
|
||||
isc_result_t result;
|
||||
|
||||
+ if (depth > ISCCC_MAXDEPTH) {
|
||||
+ return (ISCCC_R_MAXDEPTH);
|
||||
+ }
|
||||
+
|
||||
if (REGION_SIZE(*source) < 1 + 4)
|
||||
return (ISC_R_UNEXPECTEDEND);
|
||||
GET8(msgtype, source->rstart);
|
||||
@@ -603,9 +611,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
|
||||
} else
|
||||
result = ISC_R_NOMEMORY;
|
||||
} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
|
||||
- result = table_fromwire(&active, NULL, 0, valuep);
|
||||
+ result = table_fromwire(&active, NULL, 0, depth + 1, valuep);
|
||||
else if (msgtype == ISCCC_CCMSGTYPE_LIST)
|
||||
- result = list_fromwire(&active, valuep);
|
||||
+ result = list_fromwire(&active, depth + 1, valuep);
|
||||
else
|
||||
result = ISCCC_R_SYNTAX;
|
||||
|
||||
@@ -614,7 +622,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
|
||||
|
||||
static isc_result_t
|
||||
table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||||
- uint32_t algorithm, isccc_sexpr_t **alistp)
|
||||
+ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
|
||||
{
|
||||
char key[256];
|
||||
uint32_t len;
|
||||
@@ -625,6 +633,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||||
|
||||
REQUIRE(alistp != NULL && *alistp == NULL);
|
||||
|
||||
+ if (depth > ISCCC_MAXDEPTH) {
|
||||
+ return (ISCCC_R_MAXDEPTH);
|
||||
+ }
|
||||
+
|
||||
checksum_rstart = NULL;
|
||||
first_tag = true;
|
||||
alist = isccc_alist_create();
|
||||
@@ -640,7 +652,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||||
GET_MEM(key, len, source->rstart);
|
||||
key[len] = '\0'; /* Ensure NUL termination. */
|
||||
value = NULL;
|
||||
- result = value_fromwire(source, &value);
|
||||
+ result = value_fromwire(source, depth + 1, &value);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
goto bad;
|
||||
if (isccc_alist_define(alist, key, value) == NULL) {
|
||||
@@ -673,14 +685,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
|
||||
+list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) {
|
||||
isccc_sexpr_t *list, *value;
|
||||
isc_result_t result;
|
||||
|
||||
+ if (depth > ISCCC_MAXDEPTH) {
|
||||
+ return (ISCCC_R_MAXDEPTH);
|
||||
+ }
|
||||
+
|
||||
list = NULL;
|
||||
while (!REGION_EMPTY(*source)) {
|
||||
value = NULL;
|
||||
- result = value_fromwire(source, &value);
|
||||
+ result = value_fromwire(source, depth + 1, &value);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isccc_sexpr_free(&list);
|
||||
return (result);
|
||||
@@ -711,7 +727,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
|
||||
if (version != 1)
|
||||
return (ISCCC_R_UNKNOWNVERSION);
|
||||
|
||||
- return (table_fromwire(source, secret, algorithm, alistp));
|
||||
+ return (table_fromwire(source, secret, algorithm, 0, alistp));
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
|
||||
index 6c79dd7..b30b08a 100644
|
||||
--- a/lib/isccc/include/isccc/result.h
|
||||
+++ b/lib/isccc/include/isccc/result.h
|
||||
@@ -47,8 +47,10 @@
|
||||
#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
|
||||
/*% Duplicate */
|
||||
#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
|
||||
+/*% Maximum recursion depth */
|
||||
+#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6)
|
||||
|
||||
-#define ISCCC_R_NRESULTS 6 /*%< Number of results */
|
||||
+#define ISCCC_R_NRESULTS 7 /*%< Number of results */
|
||||
|
||||
ISC_LANG_BEGINDECLS
|
||||
|
||||
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
|
||||
index 8419bbb..a3a3b9a 100644
|
||||
--- a/lib/isccc/result.c
|
||||
+++ b/lib/isccc/result.c
|
||||
@@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = {
|
||||
"bad auth", /* 3 */
|
||||
"expired", /* 4 */
|
||||
"clock skew", /* 5 */
|
||||
- "duplicate" /* 6 */
|
||||
+ "duplicate", /* 6 */
|
||||
+ "max depth", /* 7 */
|
||||
};
|
||||
|
||||
static const char *ids[ISCCC_R_NRESULTS] = {
|
||||
@@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = {
|
||||
"ISCCC_R_EXPIRED",
|
||||
"ISCCC_R_CLOCKSKEW",
|
||||
"ISCCC_R_DUPLICATE",
|
||||
+ "ISCCC_R_MAXDEPTH"
|
||||
};
|
||||
|
||||
#define ISCCC_RESULT_RESULTSET 2
|
||||
--
|
||||
2.41.0
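Review bot: The new `ids` entry `"ISCCC_R_MAXDEPTH"` in lib/isccc/result.c has no trailing comma while the `text` array in the same patch was given one (`"max depth", /* 7 */`); make both tables trailing-comma style so the next result code is a one-line addition, and note that `ISCCC_R_NRESULTS` (now 7) has to move with them. The `#define ISCCC_MAXDEPTH \` with the value on a continuation line reads as a formatter artifact; `#define ISCCC_MAXDEPTH 10 /* Big enough for rndc which just sends a string each way. */` is clearer. The new `depth` parameter is undocumented in all three `*_fromwire` signatures: a comment at `value_fromwire` saying that `isccc_cc_fromwire` starts it at 0, each nested table or list adds 1, and exceeding ISCCC_MAXDEPTH returns ISCCC_R_MAXDEPTH before anything is allocated would tell a maintainer why the check is repeated in each function and what it bounds (recursion driven by the nesting of the wire message).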
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
From 4e595a6b961e73af43350833109ccba0950119f9 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Thu, 12 Oct 2023 10:19:38 +1100
|
||||
Subject: [PATCH] Update b.root-servers.net IP addresses
|
||||
|
||||
This covers both root hints and the default primaries for the root
|
||||
zone mirror. The official change date is Nov 27, 2023.
|
||||
|
||||
(cherry picked from commit 2ca2f7e9852a3d6e93f065c01ea4679f723688f7)
|
||||
---
|
||||
lib/dns/rootns.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
|
||||
index 9653f3b..d6ff76e 100644
|
||||
--- a/lib/dns/rootns.c
|
||||
+++ b/lib/dns/rootns.c
|
||||
@@ -56,8 +56,8 @@ static char root_ns[] =
|
||||
". 518400 IN NS M.ROOT-SERVERS.NET.\n"
|
||||
"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
|
||||
"A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:BA3E::2:30\n"
|
||||
-"B.ROOT-SERVERS.NET. 3600000 IN A 199.9.14.201\n"
|
||||
-"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:200::b\n"
|
||||
+"B.ROOT-SERVERS.NET. 3600000 IN A 170.247.170.2\n"
|
||||
+"B.ROOT-SERVERS.NET. 3600000 IN AAAA 2801:1b8:10::b\n"
|
||||
"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
|
||||
"C.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2::c\n"
|
||||
"D.ROOT-SERVERS.NET. 3600000 IN A 199.7.91.13\n"
|
||||
--
|
||||
2.43.0
|
||||
|
|
@ -1,62 +1,98 @@
|
|||
diff --git a/bin/named/named.8 b/bin/named/named.8
|
||||
index cd990a9..890be36 100644
|
||||
--- a/bin/named/named.8
|
||||
+++ b/bin/named/named.8
|
||||
@@ -358,6 +358,57 @@ The default configuration file\&.
|
||||
/var/run/named/named\&.pid
|
||||
.RS 4
|
||||
The default process\-id file\&.
|
||||
+.PP
|
||||
+.SH "NOTES"
|
||||
+.PP
|
||||
+.TP
|
||||
+\fBRed Hat SELinux BIND Security Profile:\fR
|
||||
+.PP
|
||||
+By default, Red Hat ships BIND with the most secure SELinux policy
|
||||
+that will not prevent normal BIND operation and will prevent exploitation
|
||||
+of all known BIND security vulnerabilities . See the selinux(8) man page
|
||||
+for information about SElinux.
|
||||
+.PP
|
||||
+It is not necessary to run named in a chroot environment if the Red Hat
|
||||
+SELinux policy for named is enabled. When enabled, this policy is far
|
||||
+more secure than a chroot environment. Users are recommended to enable
|
||||
+SELinux and remove the bind-chroot package.
|
||||
+.PP
|
||||
+With this extra security comes some restrictions:
|
||||
+.PP
|
||||
+By default, the SELinux policy does not allow named to write any master
|
||||
+zone database files. Only the root user may create files in the $ROOTDIR/var/named
|
||||
+zone database file directory (the options { "directory" } option), where
|
||||
+$ROOTDIR is set in /etc/sysconfig/named.
|
||||
+.PP
|
||||
+The "named" group must be granted read privelege to
|
||||
+these files in order for named to be enabled to read them.
|
||||
+.PP
|
||||
+Any file created in the zone database file directory is automatically assigned
|
||||
+the SELinux file context named_zone_t .
|
||||
+.PP
|
||||
+By default, SELinux prevents any role from modifying named_zone_t files; this
|
||||
+means that files in the zone database directory cannot be modified by dynamic
|
||||
+DNS (DDNS) updates or zone transfers.
|
||||
+.PP
|
||||
+The Red Hat BIND distribution and SELinux policy creates three directories where
|
||||
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
|
||||
+/var/named/data. By placing files you want named to modify, such as
|
||||
+slave or DDNS updateable zone files and database / statistics dump files in
|
||||
+these directories, named will work normally and no further operator action is
|
||||
+required. Files in these directories are automatically assigned the 'named_cache_t'
|
||||
+file context, which SELinux allows named to write.
|
||||
+.PP
|
||||
+\fBRed Hat BIND SDB support:\fR
|
||||
+.PP
|
||||
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC
|
||||
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
|
||||
+.PP
|
||||
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
|
||||
+.PP
|
||||
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
|
||||
+.br
|
||||
+.PP
|
||||
.RE
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
From facdbb0f2a266c6a3a1fa823afaa09cbd3fc38a5 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Thu, 26 Nov 2020 12:13:10 +0100
|
||||
Subject: [PATCH] Note specific Red Hat changes in manual page
|
||||
|
||||
Change docbook template instead of generated manual page. Remove
|
||||
system-config-bind reference, package were discontinued.
|
||||
---
|
||||
bin/named/named.docbook | 73 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 73 insertions(+)
|
||||
|
||||
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
|
||||
index 7e743a9..802bec3 100644
|
||||
--- a/bin/named/named.docbook
|
||||
+++ b/bin/named/named.docbook
|
||||
@@ -516,6 +516,79 @@
|
||||
|
||||
</refsection>
|
||||
|
||||
+ <refsection><info><title>NOTES</title></info>
|
||||
+ <refsection><info><title>Red Hat SELinux BIND Security Profile</title></info>
|
||||
+
|
||||
+ <para>
|
||||
+ By default, Red Hat ships BIND with the most secure SELinux policy
|
||||
+ that will not prevent normal BIND operation and will prevent exploitation
|
||||
+ of all known BIND security vulnerabilities . See the selinux(8) man page
|
||||
+ for information about SElinux.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ It is not necessary to run named in a chroot environment if the Red Hat
|
||||
+ SELinux policy for named is enabled. When enabled, this policy is far
|
||||
+ more secure than a chroot environment. Users are recommended to enable
|
||||
+ SELinux and remove the bind-chroot package.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ With this extra security comes some restrictions:
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ By default, the SELinux policy allows named to write any master
|
||||
+ zone database files. Only the root user may create files in the $ROOTDIR/var/named
|
||||
+ zone database file directory (the options { "directory" } option), where
|
||||
+ $ROOTDIR is set in /etc/sysconfig/named.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The "named" group must be granted read privelege to
|
||||
+ these files in order for named to be enabled to read them.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ Any file created in the zone database file directory is automatically assigned
|
||||
+ the SELinux file context named_zone_t .
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ By default, SELinux prevents any role from modifying named_zone_t files; this
|
||||
+ means that files in the zone database directory cannot be modified by dynamic
|
||||
+ DNS (DDNS) updates or zone transfers.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The Red Hat BIND distribution and SELinux policy creates three directories where
|
||||
+ named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
|
||||
+ /var/named/data. By placing files you want named to modify, such as
|
||||
+ slave or DDNS updateable zone files and database / statistics dump files in
|
||||
+ these directories, named will work normally and no further operator action is
|
||||
+ required. Files in these directories are automatically assigned the 'named_cache_t'
|
||||
+ file context, which SELinux allows named to write.
|
||||
+ </para>
|
||||
+ </refsection>
|
||||
+
|
||||
+ <refsection><info><title>Red Hat BIND SDB support</title></info>
|
||||
+
|
||||
+ <para>
|
||||
+ Red Hat ships named with compiled in Simplified Database Backend modules that ISC
|
||||
+ provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into <command>named-sdb</command>.
|
||||
+ </para>
|
||||
+
|
||||
+ <para>
|
||||
+ See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
|
||||
+ </para>
|
||||
+ </refsection>
|
||||
+
|
||||
+ </refsection>
|
||||
+
|
||||
<refsection><info><title>SEE ALSO</title></info>
|
||||
|
||||
<para><citetitle>RFC 1033</citetitle>,
|
||||
--
|
||||
2.26.2
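Review bot: The docbook paragraph `By default, the SELinux policy allows named to write any master zone database files` contradicts the sentence that follows it (only root may create files in the zone directory) and the man-page wording it replaces (`does not allow`); the `does not` was lost in the move to the template and should be restored, because this sentence is what explains to operators why DDNS updates and zone transfers fail on named_zone_t files. Two smaller wording fixes in the same refsections: `privelege` → `privilege`, and `if you want use them` → `if you want to use them`.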
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
|
||||
index 95ab742..6069f09 100644
|
||||
index 95ab742..5059a17 100644
|
||||
--- a/bin/sdb_tools/Makefile.in
|
||||
+++ b/bin/sdb_tools/Makefile.in
|
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
|
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
|
|||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
|
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
|
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
|
||||
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
|
||||
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
|
||||
|
||||
MANPAGES = zone2ldap.1
|
||||
|
||||
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
|
||||
@@ -47,6 +47,9 @@ EXT_CFLAGS =
|
||||
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
|
||||
|
||||
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
|
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
|
||||
+
|
||||
clean distclean manclean maintainer-clean::
|
||||
rm -f ${TARGETS} ${OBJS}
|
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
|
||||
|
||||
@@ -62,6 +65,7 @@ installdirs:
|
||||
|
||||
install:: ${TARGETS} installdirs
|
||||
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
|
||||
index aa2c711..76186b5 100644
|
||||
index e0e9207..d59936c 100644
|
||||
--- a/bin/sdb_tools/zone2ldap.c
|
||||
+++ b/bin/sdb_tools/zone2ldap.c
|
||||
@@ -66,6 +66,9 @@ ldap_info;
|
||||
/* usage Info */
|
||||
void usage (void);
|
||||
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
|
||||
void init_ldap_conn (void);
|
||||
|
||||
+/* Check for existence of (and possibly add) containing dNSZone objects */
|
||||
+int lookup_dns_zones( ldap_info *ldinfo);
|
||||
+
|
||||
/* Add to the ldap dit */
|
||||
void add_ldap_values (ldap_info * ldinfo);
|
||||
/* Ldap error checking */
|
||||
-void ldap_result_check (const char *msg, char *dn, int err);
|
||||
+void ldap_result_check (const char *msg, const char *dn, int err);
|
||||
|
||||
@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
/* Put a hostname into a char ** array */
|
||||
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
int get_attr_list_size (char **tmp);
|
||||
|
||||
/* Get a DN */
|
||||
|
@ -58,7 +55,7 @@ index aa2c711..76186b5 100644
|
|||
|
||||
/* Add to RR list */
|
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
@@ -104,11 +107,27 @@ void
|
||||
@@ -104,11 +104,26 @@ void
|
||||
init_ldap_conn ();
|
||||
void usage();
|
||||
|
||||
|
@ -87,11 +84,19 @@ index aa2c711..76186b5 100644
|
|||
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *dn_buffer [64]={NULL};
|
||||
+
|
||||
LDAP *conn;
|
||||
unsigned int debug = 0;
|
||||
|
||||
@@ -132,12 +151,12 @@ main (int argc, char **argv)
|
||||
@@ -120,7 +135,7 @@ static void
|
||||
fatal(const char *msg) {
|
||||
perror(msg);
|
||||
if (conn != NULL)
|
||||
- ldap_unbind_s(conn);
|
||||
+ ldap_unbind_ext_s(conn, NULL, NULL);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -132,12 +147,13 @@ main (int argc, char **argv)
|
||||
isc_result_t result;
|
||||
char *basedn;
|
||||
ldap_info *tmp;
|
||||
|
@ -102,12 +107,12 @@ index aa2c711..76186b5 100644
|
|||
isc_buffer_t buff;
|
||||
char *zonefile=0L;
|
||||
char fullbasedn[1024];
|
||||
- char *ctmp;
|
||||
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
|
||||
char *ctmp;
|
||||
+ char *zn, *dcp[2], *znp[2], *rdn[2];
|
||||
dns_fixedname_t fixedzone, fixedname;
|
||||
dns_rdataset_t rdataset;
|
||||
char **dc_list;
|
||||
@@ -150,7 +169,7 @@ main (int argc, char **argv)
|
||||
@@ -150,7 +166,7 @@ main (int argc, char **argv)
|
||||
extern char *optarg;
|
||||
extern int optind, opterr, optopt;
|
||||
int create_base = 0;
|
||||
|
@ -116,7 +121,7 @@ index aa2c711..76186b5 100644
|
|||
|
||||
if (argc < 2)
|
||||
{
|
||||
@@ -158,7 +177,7 @@ main (int argc, char **argv)
|
||||
@@ -158,7 +174,7 @@ main (int argc, char **argv)
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
|
@ -125,7 +130,7 @@ index aa2c711..76186b5 100644
|
|||
{
|
||||
switch (topt)
|
||||
{
|
||||
@@ -181,6 +200,9 @@ main (int argc, char **argv)
|
||||
@@ -181,6 +197,9 @@ main (int argc, char **argv)
|
||||
if (bindpw == NULL)
|
||||
fatal("strdup");
|
||||
break;
|
||||
|
@ -135,35 +140,27 @@ index aa2c711..76186b5 100644
|
|||
case 'b':
|
||||
ldapbase = strdup (optarg);
|
||||
if (ldapbase == NULL)
|
||||
@@ -300,27 +322,62 @@ main (int argc, char **argv)
|
||||
{
|
||||
if (debug)
|
||||
@@ -302,17 +321,51 @@ main (int argc, char **argv)
|
||||
printf ("Creating base zone DN %s\n", argzone);
|
||||
-
|
||||
+
|
||||
|
||||
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
|
||||
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
|
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
|
||||
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
|
||||
+ if (debug)
|
||||
+ printf ("base DN %s\n", basedn);
|
||||
+
|
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
|
||||
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
|
||||
{
|
||||
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
{
|
||||
+
|
||||
base.mod_op = LDAP_MOD_ADD;
|
||||
- base.mod_type = (char*)"objectClass";
|
||||
- base.mod_values = (char**)topObjectClasses;
|
||||
+ base.mod_type = objectClass;
|
||||
+ base.mod_values = topObjectClasses;
|
||||
base.mod_values = (char**)topObjectClasses;
|
||||
base_attrs[0] = (void*)&base;
|
||||
- base_attrs[1] = NULL;
|
||||
-
|
||||
+
|
||||
+
|
||||
+ dcBase.mod_op = LDAP_MOD_ADD;
|
||||
+ dcBase.mod_type = dc;
|
||||
+ dcp[0]=dc_list[dcn];
|
||||
|
@ -172,13 +169,13 @@ index aa2c711..76186b5 100644
|
|||
+ base_attrs[1] = (void*)&dcBase;
|
||||
+
|
||||
+ znBase.mod_op = LDAP_MOD_ADD;
|
||||
+ znBase.mod_type = zoneName;
|
||||
+ znBase.mod_type = zoneName;
|
||||
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
|
||||
+ znlen += strlen(dc_list[zdn])+1;
|
||||
+ znp[0] = (char*)malloc(znlen+1);
|
||||
+ znp[1] = 0L;
|
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
|
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
|
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
|
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
|
||||
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
|
||||
+ );
|
||||
+
|
||||
|
@ -191,24 +188,15 @@ index aa2c711..76186b5 100644
|
|||
+ rdn[1] = 0L;
|
||||
+ rdnBase.mod_values = rdn;
|
||||
+ base_attrs[3] = (void*)&rdnBase;
|
||||
+
|
||||
+
|
||||
+ dcn++;
|
||||
+
|
||||
+ base.mod_values = topObjectClasses;
|
||||
+ base_attrs[4] = NULL;
|
||||
+
|
||||
+ base_attrs[4] = NULL;
|
||||
|
||||
if (ldapbase)
|
||||
{
|
||||
if (ctmp != &basedn[0])
|
||||
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
|
||||
else
|
||||
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
-
|
||||
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -329,8 +386,13 @@ main (int argc, char **argv)
|
||||
@@ -329,6 +382,10 @@ main (int argc, char **argv)
|
||||
else
|
||||
sprintf (fullbasedn, "%s", ctmp);
|
||||
}
|
||||
|
@ -217,12 +205,9 @@ index aa2c711..76186b5 100644
|
|||
+ printf("Full base dn: %s\n", fullbasedn);
|
||||
+
|
||||
result = ldap_add_s (conn, fullbasedn, base_attrs);
|
||||
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
|
||||
+
|
||||
ldap_result_check ("initial ldap_add_s", fullbasedn, result);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
isc_result_check (result, "dns_rdata_totext");
|
||||
data[isc_buffer_usedlength (&buff)] = 0;
|
||||
|
||||
|
@ -240,7 +225,7 @@ index aa2c711..76186b5 100644
|
|||
}
|
||||
|
||||
|
||||
@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
int attrlist;
|
||||
char ldap_type_buffer[128];
|
||||
char charttl[64];
|
||||
|
@ -250,7 +235,7 @@ index aa2c711..76186b5 100644
|
|||
|
||||
if ((tmp = locate_by_dn (dn)) == NULL)
|
||||
{
|
||||
@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("malloc");
|
||||
}
|
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
|
@ -262,12 +247,8 @@ index aa2c711..76186b5 100644
|
|||
+ tmp->attrs[0]->mod_values = objectClasses;
|
||||
else
|
||||
{
|
||||
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
+ tmp->attrs[0]->mod_values =topObjectClasses;
|
||||
tmp->attrs[1] = NULL;
|
||||
tmp->attrcnt = 2;
|
||||
tmp->next = ldap_info_base;
|
||||
@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
}
|
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
|
||||
|
@ -276,7 +257,7 @@ index aa2c711..76186b5 100644
|
|||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("strdup");
|
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
|
||||
|
@ -285,16 +266,16 @@ index aa2c711..76186b5 100644
|
|||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL)
|
||||
@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs[3]->mod_values[0] == NULL)
|
||||
fatal("strdup");
|
||||
|
||||
+ znlen=strlen(gbl_zone);
|
||||
+ if ( *(gbl_zone + (znlen-1)) == '.' )
|
||||
+ znlen=strlen(gbl_zone);
|
||||
+ if ( gbl_zone[znlen-1] == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ zn = (char*)malloc(znlen);
|
||||
+ strncpy(zn,gbl_zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ memcpy(zn, gbl_zone, znlen-1);
|
||||
+ zn[znlen-1]='\0';
|
||||
+ }else
|
||||
+ {
|
||||
+ zn = gbl_zone;
|
||||
|
@ -313,7 +294,7 @@ index aa2c711..76186b5 100644
|
|||
tmp->attrs[4]->mod_values[1] = NULL;
|
||||
|
||||
tmp->attrs[5] = NULL;
|
||||
@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
else
|
||||
{
|
||||
|
||||
|
@ -322,7 +303,7 @@ index aa2c711..76186b5 100644
|
|||
{
|
||||
sprintf (ldap_type_buffer, "%sRecord", type);
|
||||
if (!strncmp
|
||||
@@ -631,44 +705,70 @@ char **
|
||||
@@ -631,44 +700,70 @@ char **
|
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
char *tmp;
|
||||
|
@ -382,10 +363,10 @@ index aa2c711..76186b5 100644
|
|||
+ {
|
||||
+ if( hname == 0 )
|
||||
+ hname=strdup(hostname);
|
||||
+ last = strdup(sameZone);
|
||||
+ last = strdup(sameZone);
|
||||
+ }else
|
||||
+ {
|
||||
+ if( (hlen < zlen)
|
||||
+ {
|
||||
+ if( (hlen < zlen)
|
||||
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
|
||||
+ )
|
||||
+ {
|
||||
|
@ -422,7 +403,7 @@ index aa2c711..76186b5 100644
|
|||
+ *tmp = '\0';
|
||||
+ if( tmp == hname )
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if( ( last != hname ) && (tmp != hname) )
|
||||
+ dn_buffer[i++] = hname;
|
||||
|
@ -430,7 +411,7 @@ index aa2c711..76186b5 100644
|
|||
dn_buffer[i] = NULL;
|
||||
|
||||
return dn_buffer;
|
||||
@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
* exception of "@"/SOA. */
|
||||
|
||||
char *
|
||||
|
@ -439,19 +420,21 @@ index aa2c711..76186b5 100644
|
|||
{
|
||||
int size;
|
||||
- int x;
|
||||
- static char dn[1024];
|
||||
- char tmp[128];
|
||||
+ int x, znlen;
|
||||
static char dn[1024];
|
||||
char tmp[128];
|
||||
+ static char dn[DNS_NAME_MAXTEXT*3/2];
|
||||
+ char tmp[DNS_NAME_MAXTEXT*3/2];
|
||||
+ char zn[DNS_NAME_MAXTEXT+1];
|
||||
|
||||
bzero (tmp, sizeof (tmp));
|
||||
bzero (dn, sizeof (dn));
|
||||
size = get_attr_list_size (dc_list);
|
||||
+ znlen = strlen(zone);
|
||||
+ if ( *(zone + (znlen-1)) == '.' )
|
||||
+ if ( zone[znlen-1] == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ memcpy(&(zn[0]),zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ zn[znlen-1]='\0';
|
||||
+ zone = zn;
|
||||
+ }
|
||||
for (x = size - 2; x > 0; x--)
|
||||
|
@ -460,40 +443,47 @@ index aa2c711..76186b5 100644
|
|||
{
|
||||
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
|
||||
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
|
||||
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
+ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else if (x == (size - 2))
|
||||
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
|
||||
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else
|
||||
sprintf(tmp,"dc=%s,", dc_list[x]);
|
||||
- sprintf(tmp,"dc=%s,", dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
|
||||
}
|
||||
@@ -723,6 +831,7 @@ void
|
||||
init_ldap_conn ()
|
||||
{
|
||||
int result;
|
||||
+ char ldb_tag[]="LDAP Bind";
|
||||
conn = ldap_open (ldapsystem, LDAP_PORT);
|
||||
if (conn == NULL)
|
||||
else
|
||||
{
|
||||
@@ -732,7 +841,7 @@ init_ldap_conn ()
|
||||
- sprintf(tmp, "dc=%s,", dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
|
||||
}
|
||||
|
||||
|
||||
@@ -732,19 +835,18 @@ init_ldap_conn ()
|
||||
}
|
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw);
|
||||
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
|
||||
}
|
||||
|
||||
/* Like isc_result_check, only for LDAP */
|
||||
@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err)
|
||||
void
|
||||
-ldap_result_check (const char *msg, char *dn, int err)
|
||||
+ldap_result_check (const char *msg, const char *dn, int err)
|
||||
{
|
||||
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
|
||||
{
|
||||
- fprintf(stderr, "Error while adding %s (%s):\n",
|
||||
- dn, msg);
|
||||
- ldap_perror (conn, dn);
|
||||
- ldap_unbind_s (conn);
|
||||
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
|
||||
+ dn, msg, ldap_err2string(err));
|
||||
+ ldap_unbind_ext_s (conn, NULL, NULL);
|
||||
exit (-1);
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
-
|
||||
/* For running the ldap_info run queue. */
|
||||
void
|
||||
add_ldap_values (ldap_info * ldinfo)
|
||||
@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo)
|
||||
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
|
||||
int result;
|
||||
char dnbuffer[1024];
|
||||
|
||||
|
@ -505,12 +495,14 @@ index aa2c711..76186b5 100644
|
|||
|
||||
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
|
||||
- ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
-}
|
||||
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
+
|
||||
}
|
||||
|
||||
+}
|
||||
|
||||
|
||||
@@ -776,5 +883,5 @@ void
|
||||
|
||||
@@ -776,5 +877,5 @@ void
|
||||
usage ()
|
||||
{
|
||||
fprintf (stderr,
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
|
||||
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
|
||||
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
|
||||
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index ecb3ddb..f7f73cd 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
|
||||
*/
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
|
||||
|
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
|
|||
"success resolving '%s' (in '%s'?) after %s",
|
||||
fctx->info, domainbuf, fctx->reason);
|
||||
|
||||
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
|
||||
@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
|
||||
|
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
|
|||
"lame server resolving '%s' (in '%s'?): %s",
|
||||
namebuf, domainbuf, addrbuf);
|
||||
}
|
||||
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
|
||||
}
|
||||
@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
|
||||
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
|
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||
"DNS format error from %s resolving %s%s%s: %s",
|
||||
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
|
||||
"DNS format error from %s resolving %s for %s: %s",
|
||||
nsbuf, fctx->info, fctx->clientstr, msgbuf);
|
||||
}
|
||||
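Review bot: The rebased log_formerr hunk still lowers the "DNS format error from %s resolving %s for %s: %s" message from `ISC_LOG_NOTICE` to `ISC_LOG_DEBUG(1)`, and the new `diff --git a/lib/dns/resolver.c` header drops the `.rh645544` suffix that was the only record of why. The hunk headers for log_edns and log_lame suggest the same demotion for the `DNS_LOGCATEGORY_EDNS_DISABLED` and `DNS_LOGCATEGORY_LAME_SERVERS` messages, though their changed lines are not in view here. These notices are among the few default-severity signals that an upstream server is returning malformed or lame answers, so the rationale belongs in the patch itself, as a line before the first `diff --git`, e.g. `# rh645544: lower lame-server, EDNS-disabled and FORMERR resolver messages from NOTICE to DEBUG(1); they remain visible at debug level 1 of the resolver, lame-servers and edns-disabled categories.` The enclosing functions start and end outside the hunks shown.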
|
|
|
@ -18,6 +18,7 @@
|
|||
/usr/lib/bind
|
||||
/usr/share/GeoIP
|
||||
/run/named
|
||||
/proc/sys/net/ipv4/ip_local_port_range
|
||||
# Warning: the order is important
|
||||
# If a directory containing $ROOTDIR is listed here,
|
||||
# it MUST be listed last. (/var/named contains /var/named/chroot)
|
||||
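Review bot: The added `/proc/sys/net/ipv4/ip_local_port_range` entry is the only `/proc` path visible in this list and has no comment, while the neighbouring ordering note shows the file is meant to explain its entries. It is presumably needed because named reads the kernel's ephemeral port range from that file when it picks UDP source ports (confirm against the named source), and the matching `/proc/sys/net/ipv4` directory is added to `chroot_create_directories` in the bind.spec section of this page. A comment above the entry, `# host kernel tunable read by named for its ephemeral port range; must be mounted read-only`, would record the intent; whether the chroot setup script mounts list entries read-only is not visible here and should be checked before the comment's second half is relied on.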
|
|
|
@ -1,13 +1,13 @@
|
|||
|
||||
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
|
||||
; (2 servers found)
|
||||
; <<>> DiG 9.18.20 <<>> -4 +tcp +norec +nostats @d.root-servers.net
|
||||
; (1 server found)
|
||||
;; global options: +cmd
|
||||
;; Got answer:
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286
|
||||
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
|
||||
|
||||
;; OPT PSEUDOSECTION:
|
||||
; EDNS: version: 0, flags:; udp: 1472
|
||||
; EDNS: version: 0, flags:; udp: 1450
|
||||
;; QUESTION SECTION:
|
||||
;. IN NS
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
|||
|
||||
;; ADDITIONAL SECTION:
|
||||
a.root-servers.net. 518400 IN A 198.41.0.4
|
||||
b.root-servers.net. 518400 IN A 199.9.14.201
|
||||
b.root-servers.net. 518400 IN A 170.247.170.2
|
||||
c.root-servers.net. 518400 IN A 192.33.4.12
|
||||
d.root-servers.net. 518400 IN A 199.7.91.13
|
||||
e.root-servers.net. 518400 IN A 192.203.230.10
|
||||
|
@ -41,7 +41,7 @@ k.root-servers.net. 518400 IN A 193.0.14.129
|
|||
l.root-servers.net. 518400 IN A 199.7.83.42
|
||||
m.root-servers.net. 518400 IN A 202.12.27.33
|
||||
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
|
||||
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
|
||||
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
|
||||
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
|
||||
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
|
||||
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
|
||||
|
@ -54,8 +54,3 @@ k.root-servers.net. 518400 IN AAAA 2001:7fd::1
|
|||
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
|
||||
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
|
||||
|
||||
;; Query time: 24 msec
|
||||
;; SERVER: 198.41.0.4#53(198.41.0.4)
|
||||
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
|
||||
;; MSG SIZE rcvd: 811
|
||||
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
|
||||
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
|
||||
|
|
419
SPECS/bind.spec
419
SPECS/bind.spec
|
@ -15,17 +15,21 @@
|
|||
# it is not possible to build the package without PKCS11 sub-package
|
||||
# due to extensive changes to Makefiles
|
||||
%bcond_without PKCS11
|
||||
%bcond_without DEVEL
|
||||
%bcond_without JSON
|
||||
%bcond_with LMDB
|
||||
%bcond_without DNSTAP
|
||||
%bcond_with DLZ
|
||||
%bcond_without EXPORT_LIBS
|
||||
%bcond_without BDB
|
||||
# Legacy GeoIP support
|
||||
%bcond_with GEOIP
|
||||
%bcond_with DOC
|
||||
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
||||
%bcond_without UNITTEST
|
||||
%else
|
||||
%bcond_with UNITTEST
|
||||
%endif
|
||||
%bcond_with TSAN
|
||||
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
||||
# New MaxMind GeoLite support
|
||||
%bcond_without GEOIP2
|
||||
|
@ -35,6 +39,7 @@
|
|||
|
||||
%{?!bind_uid: %global bind_uid 25}
|
||||
%{?!bind_gid: %global bind_gid 25}
|
||||
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
%global bind_dir /var/named
|
||||
%global chroot_prefix %{bind_dir}/chroot
|
||||
%if %{with SDB}
|
||||
|
@ -42,7 +47,7 @@
|
|||
%endif
|
||||
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
|
||||
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
|
||||
%{_libdir}/bind %{_datadir}/GeoIP
|
||||
%{_libdir}/bind %{_datadir}/GeoIP %{_datadir}/GeoIP /proc/sys/net/ipv4
|
||||
|
||||
## The order of libs is important. See lib/Makefile.in for details
|
||||
%define bind_export_libs isc dns isccfg irs
|
||||
|
@ -54,20 +59,20 @@
|
|||
#
|
||||
|
||||
# lib*.so.X versions of selected libraries
|
||||
%global sover_dns 1107
|
||||
%global sover_isc 1104
|
||||
%global sover_dns 1115
|
||||
%global sover_isc 1107
|
||||
%global sover_irs 161
|
||||
%global sover_isccfg 163
|
||||
|
||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.11.13
|
||||
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1
|
||||
Version: 9.11.36
|
||||
Release: 14%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: http://www.isc.org/products/BIND/
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
Source: https://ftp.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
|
||||
Source: https://downloads.isc.org/isc/bind9/%{BINDVERSION}/bind-%{BINDVERSION}.tar.gz
|
||||
Source1: named.sysconfig
|
||||
Source3: named.logrotate
|
||||
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
|
||||
|
@ -135,10 +140,6 @@ Patch154:bind-9.11-oot-manual.patch
|
|||
Patch155:bind-9.11-pk11.patch
|
||||
Patch156:bind-9.11-fips-code.patch
|
||||
Patch157:bind-9.11-fips-tests.patch
|
||||
# commit 66ba2fdad583d962a1f4971c85d58381f0849e4d
|
||||
# commit b105ccee68ccc3c18e6ea530063b3c8e5a42571c
|
||||
# commit 083461d3329ff6f2410745848a926090586a9846
|
||||
Patch158:bind-9.11-rh1624100.patch
|
||||
Patch159:bind-9.11-host-idn-disable.patch
|
||||
Patch164:bind-9.11-fips-code-includes.patch
|
||||
# [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af
|
||||
|
@ -153,21 +154,44 @@ Patch174:bind-9.11-fips-disable.patch
|
|||
Patch175:bind-9.11-json-c.patch
|
||||
Patch177:bind-9.11-serve-stale.patch
|
||||
Patch178:bind-9.11-dhcp-time-monotonic.patch
|
||||
Patch179:bind-9.11-rh1790879.patch
|
||||
Patch180:bind-9.11.13-rwlock.patch
|
||||
Patch181:bind-9.11.13-CVE-2020-8617.patch
|
||||
Patch182:bind-9.11.13-CVE-2020-8616.patch
|
||||
Patch183:bind-9.11-CVE-2020-8616-test.patch
|
||||
Patch184:bind-9.11-CVE-2020-8617-test.patch
|
||||
Patch185:bind-9.11-rh1865785.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5253
|
||||
Patch183:bind-9.11-rh1980757.patch
|
||||
# modified, https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/3067
|
||||
Patch184: bind-9.15-resolver-ntasks.patch
|
||||
Patch185: bind-9.11-CVE-2021-25220.patch
|
||||
Patch186: bind-9.11-CVE-2021-25220-test.patch
|
||||
Patch188: bind-9.16-CVE-2022-38177.patch
|
||||
Patch189: bind-9.16-CVE-2022-38178.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/6695
|
||||
Patch190: bind-9.11-rh2101712.patch
|
||||
Patch191: bind-9.11-CVE-2022-2795.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7376
|
||||
Patch192: bind-9.11-rh2133889.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/82185f4f80d2fa39a4569f6740cb360ffff8f5c4
|
||||
Patch193: bind-9.16-CVE-2022-3094-1.patch
|
||||
Patch194: bind-9.16-CVE-2022-3094-2.patch
|
||||
Patch195: bind-9.16-CVE-2022-3094-3.patch
|
||||
Patch196: bind-9.16-CVE-2022-3094-test.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/f1d9e9ee3859976f403914d20ad2a10855343702
|
||||
Patch197: bind-9.11-CVE-2023-2828.patch
|
||||
Patch198: bind-9.16-CVE-2023-3341.patch
|
||||
# https://issues.redhat.com/browse/RHEL-11785, downstream
|
||||
Patch199: bind-9.11-stale-cache.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/8924adca613ca9daea63786563cce6fdbd742c56
|
||||
Patch200: bind-9.16-update-b.root-servers.net.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8768
|
||||
Patch201: bind-9.11-CVE-2023-4408.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8769
|
||||
Patch202: bind-9.11-CVE-2023-50387.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8778
|
||||
Patch203: bind-9.11-CVE-2023-2828-fixup.patch
|
||||
# addition to patch 200
|
||||
Patch204: bind-9.11-CVE-2023-50387-fixup.patch
|
||||
|
||||
# SDB patches
|
||||
Patch11: bind-9.3.2b2-sdbsrc.patch
|
||||
Patch12: bind-9.10-sdb.patch
|
||||
|
||||
# export lib patches
|
||||
Patch135:bind-9.11-export-isc-config.patch
|
||||
|
||||
# needs inpection
|
||||
Patch17: bind-9.3.2b1-fix_sdb_ldap.patch
|
||||
Patch18: bind-9.11-zone2ldap.patch
|
||||
|
@ -181,6 +205,7 @@ Requires(post): shadow-utils
|
|||
Requires(post): glibc-common
|
||||
Requires(post): grep
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Obsoletes: bind-config < 30:9.3.2-34.fc6
|
||||
Provides: bind-config = 30:9.3.2-34.fc6
|
||||
Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
|
||||
|
@ -197,13 +222,15 @@ BuildRequires: python3-ply
|
|||
BuildRequires: findutils sed
|
||||
%if %{with SDB}
|
||||
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel
|
||||
%endif
|
||||
%if %{with BDB}
|
||||
BuildRequires: libdb-devel
|
||||
%endif
|
||||
%if %{with UNITTEST}
|
||||
# make unit dependencies
|
||||
BuildRequires: libcmocka-devel kyua
|
||||
%endif
|
||||
%if %{with PKCS11}
|
||||
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||
BuildRequires: softhsm
|
||||
%endif
|
||||
%if %{with SYSTEMTEST}
|
||||
|
@ -218,14 +245,23 @@ BuildRequires: krb5-devel
|
|||
%if %{with LMDB}
|
||||
BuildRequires: lmdb-devel
|
||||
%endif
|
||||
%if %{with JSON}
|
||||
BuildRequires: json-c-devel
|
||||
%endif
|
||||
%if %{with GEOIP}
|
||||
BuildRequires: GeoIP-devel
|
||||
%endif
|
||||
%if %{with GEOIP2}
|
||||
BuildRequires: libmaxminddb-devel
|
||||
%endif
|
||||
%if %{with DNSTAP}
|
||||
BuildRequires: fstrm-devel protobuf-c-devel
|
||||
%endif
|
||||
# Needed to regenerate dig.1 manpage
|
||||
BuildRequires: docbook-style-xsl, libxslt
|
||||
BuildRequires: docbook-style-xsl, libxslt
|
||||
%if %{with TSAN}
|
||||
BuildRequires: libtsan
|
||||
%endif
|
||||
|
||||
%description
|
||||
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
||||
|
@ -239,8 +275,9 @@ tools for verifying that the DNS server is operating properly.
|
|||
Summary: Bind with native PKCS#11 functionality for crypto
|
||||
Requires: systemd
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Recommends: softhsm
|
||||
|
||||
%description pkcs11
|
||||
This is a version of BIND server built with native PKCS#11 functionality.
|
||||
|
@ -282,6 +319,7 @@ Summary: BIND server with database backends and DLZ support
|
|||
Requires: systemd
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description sdb
|
||||
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
||||
|
@ -323,6 +361,7 @@ Contains license of the BIND DNS suite.
|
|||
%package utils
|
||||
Summary: Utilities for querying DNS name servers
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: python3-bind = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description utils
|
||||
|
@ -335,7 +374,6 @@ network addresses.
|
|||
You should install bind-utils if you need to get information from DNS name
|
||||
servers.
|
||||
|
||||
%if %{with DEVEL}
|
||||
%package devel
|
||||
Summary: Header files and libraries needed for BIND DNS development
|
||||
Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7
|
||||
|
@ -346,17 +384,24 @@ Requires: bind-lite-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
|||
%description devel
|
||||
The bind-devel package contains full version of the header files and libraries
|
||||
required for development with ISC BIND 9
|
||||
%endif
|
||||
|
||||
%package lite-devel
|
||||
Summary: Lite version of header files and libraries needed for BIND DNS development
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
|
||||
%if %{with GEOIP}
|
||||
Requires: GeoIP-devel%{?_isa}
|
||||
# Not required by headers, but "isc-config.sh --libs isc" requires it
|
||||
Requires: libcap-devel%{?_isa}
|
||||
%if %{with GSSTSIG}
|
||||
Requires: krb5-devel%{?_isa}
|
||||
%endif
|
||||
%if %{with GEOIP2}
|
||||
Requires: libmaxminddb-devel%{?_isa}
|
||||
%if %{with LMDB}
|
||||
Requires: lmdb-devel%{?_isa}
|
||||
%endif
|
||||
%if %{with JSON}
|
||||
Requires: json-c-devel%{?_isa}
|
||||
%endif
|
||||
%if %{with DNSTAP}
|
||||
Requires: fstrm-devel%{?_isa} protobuf-c-devel%{?_isa}
|
||||
%endif
|
||||
|
||||
%description lite-devel
|
||||
|
@ -391,6 +436,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
|
|||
|
||||
|
||||
%if %{with DLZ}
|
||||
%if %{with BDB}
|
||||
%package dlz-bdb
|
||||
Summary: BIND server bdb DLZ module
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
@ -398,6 +444,10 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
|||
%description dlz-bdb
|
||||
Dynamic Loadable Zones module for BIND server.
|
||||
|
||||
%end
|
||||
|
||||
%endif
|
||||
|
||||
%package dlz-filesystem
|
||||
Summary: BIND server filesystem DLZ module
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
@ -438,7 +488,7 @@ Dynamic Loadable Zones module for BIND server.
|
|||
%package -n python3-bind
|
||||
Summary: A module allowing rndc commands to be sent from Python programs
|
||||
Requires: bind-license = %{epoch}:%{version}-%{release}
|
||||
Requires: %{?__python3} python3-ply %{py3_dist ply}
|
||||
Requires: %{?__python3} python3-ply %{?py3_dist:%py3_dist ply}
|
||||
BuildArch: noarch
|
||||
%{?python_provide:%python_provide python3-bind}
|
||||
%{?python_provide:%python_provide python3-isc}
|
||||
|
@ -446,6 +496,25 @@ BuildArch: noarch
|
|||
%description -n python3-bind
|
||||
This package provides a module which allows commands to be sent to rndc directly from Python programs.
|
||||
|
||||
%if %{with DOC}
|
||||
%package doc
|
||||
Summary: BIND 9 Administrator Reference Manual
|
||||
Requires: bind-license = %{epoch}:%{version}-%{release}
|
||||
BuildArch: noarch
|
||||
|
||||
%description doc
|
||||
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
||||
(Domain Name System) protocols. BIND includes a DNS server (named),
|
||||
which resolves host names to IP addresses; a resolver library
|
||||
(routines for applications to use when interfacing with DNS); and
|
||||
tools for verifying that the DNS server is operating properly.
|
||||
|
||||
This package contains BIND 9 Administrator Reference Manual
|
||||
in HTML and PDF format.
|
||||
%end
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with EXPORT_LIBS}
|
||||
%package export-libs
|
||||
Summary: ISC libs for DHCP application
|
||||
|
@ -501,7 +570,6 @@ are used for building ISC DHCP.
|
|||
%patch155 -p1 -b .pk11-internal
|
||||
%patch156 -p1 -b .fips-code
|
||||
%patch157 -p1 -b .fips-tests
|
||||
%patch158 -p1 -b .rh1624100
|
||||
%patch159 -p1 -b .host-idn-disable
|
||||
%patch164 -p1 -b .fips-includes
|
||||
%patch165 -p1 -b .rt31459
|
||||
|
@ -512,25 +580,49 @@ are used for building ISC DHCP.
|
|||
%patch175 -p1 -b .json-c
|
||||
%patch177 -p1 -b .serve-stale
|
||||
%patch178 -p1 -b .time-monotonic
|
||||
%patch179 -p1 -b .rh1790879
|
||||
%patch180 -p1 -b .rwlock
|
||||
%patch181 -p1 -b .CVE-2020-8617
|
||||
%patch182 -p1 -b .CVE-2020-8616
|
||||
%patch183 -p1 -b .CVE-2020-8616-test
|
||||
%patch184 -p1 -b .CVE-2020-8616-test
|
||||
%patch185 -p1 -b .rh1865785
|
||||
%patch183 -p1 -b .rh1980757
|
||||
%patch184 -p1 -b .rh2030239
|
||||
%patch185 -p1 -b .CVE-2021-25220
|
||||
%patch186 -p1 -b .CVE-2021-25220-test
|
||||
%patch188 -p1 -b .CVE-2022-38177
|
||||
%patch189 -p1 -b .CVE-2022-38178
|
||||
%patch190 -p1 -b .rh2101712
|
||||
%patch191 -p1 -b .CVE-2022-2795
|
||||
%patch192 -p1 -b .rh2133889
|
||||
%patch193 -p1 -b .CVE-2022-3094
|
||||
%patch194 -p1 -b .CVE-2022-3094
|
||||
%patch195 -p1 -b .CVE-2022-3094
|
||||
%patch196 -p1 -b .CVE-2022-3094-test
|
||||
%patch197 -p1 -b .CVE-2023-2828
|
||||
%patch198 -p1 -b .CVE-2023-3341
|
||||
%patch199 -p1 -b .RHEL-11785
|
||||
%patch200 -p1 -b .b.root-servers.net
|
||||
%patch201 -p1 -b .CVE-2023-4408
|
||||
%patch202 -p1 -b .CVE-2023-50387+50868
|
||||
%patch203 -p1 -b .CVE-2023-2828-fixup
|
||||
%patch204 -p1 -b .CVE-2023-50387-fixup
|
||||
|
||||
mkdir lib/dns/tests/testdata/dstrandom
|
||||
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
||||
|
||||
# Avoid having [FIXME: manual] on top of generated manual pages
|
||||
# Alternative approach due missing docbook5 style sheets.
|
||||
# Remove namespace, so docbook is threated as version 4.
|
||||
# Spaces should be fine.
|
||||
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4524
|
||||
find bin lib/lwres/man -name '*.docbook' -exec \
|
||||
sed -e 's|<refmiscinfo>BIND9|<refmiscinfo class="manual">BIND9|' \
|
||||
-e 's|xmlns="http://docbook.org/ns/docbook"\sversion="5.0"\s||' \
|
||||
-i '{}' ';'
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch150 -p1 -b .engine-pkcs11
|
||||
cp -r bin/named{,-pkcs11}
|
||||
cp -r bin/dnssec{,-pkcs11}
|
||||
cp -r lib/isc{,-pkcs11}
|
||||
cp -r lib/dns{,-pkcs11}
|
||||
%patch136 -p1 -b .dist_pkcs11
|
||||
%patch149 -p1 -b .kyua-pkcs11
|
||||
%patch150 -p1 -b .engine-pkcs11
|
||||
%endif
|
||||
|
||||
%if %{with SDB}
|
||||
|
@ -590,10 +682,15 @@ done
|
|||
cp -Tuav bin/tests "%{1}/bin/tests/" \
|
||||
cp -uv version "%{1}" \
|
||||
|
||||
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
||||
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
||||
%if %{with TSAN}
|
||||
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
|
||||
%endif
|
||||
export CFLAGS
|
||||
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
|
||||
export STD_CDEFINES="$CPPFLAGS"
|
||||
|
||||
|
||||
sed -i -e \
|
||||
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
|
||||
version
|
||||
|
@ -633,6 +730,8 @@ export LIBDIR_SUFFIX
|
|||
--with-dlz-postgres=yes \
|
||||
--with-dlz-mysql=yes \
|
||||
--with-dlz-filesystem=yes \
|
||||
%endif
|
||||
%if %{with BDB}
|
||||
--with-dlz-bdb=yes \
|
||||
%endif
|
||||
%if %{with GSSTSIG}
|
||||
|
@ -644,6 +743,14 @@ export LIBDIR_SUFFIX
|
|||
%else
|
||||
--with-lmdb=no \
|
||||
%endif
|
||||
%if %{with JSON}
|
||||
--with-libjson \
|
||||
%endif
|
||||
%if %{with DNSTAP}
|
||||
--enable-dnstap \
|
||||
%else
|
||||
--disable-dnstap \
|
||||
%endif
|
||||
%if %{with UNITTEST}
|
||||
--with-cmocka \
|
||||
%endif
|
||||
|
@ -651,6 +758,15 @@ export LIBDIR_SUFFIX
|
|||
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
|
||||
--enable-full-report \
|
||||
;
|
||||
%if %{with DNSTAP}
|
||||
pushd lib
|
||||
SRCLIB="../../../lib"
|
||||
(cd dns && ln -s ${SRCLIB}/dns/dnstap.proto)
|
||||
%if %{with PKCS11}
|
||||
(cd dns-pkcs11 && ln -s ${SRCLIB}/dns-pkcs11/dnstap.proto)
|
||||
%endif
|
||||
popd
|
||||
%endif
|
||||
make %{?_smp_mflags}
|
||||
|
||||
### FIXME hack!!!
|
||||
|
@ -668,16 +784,26 @@ pushd bin/python
|
|||
make man
|
||||
popd
|
||||
|
||||
%if %{with DOC}
|
||||
# Does not work. Use upstream generated documentation instead.
|
||||
# make doc
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
pushd contrib/dlz
|
||||
pushd bin/dlzbdb
|
||||
make
|
||||
popd
|
||||
pushd modules
|
||||
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
|
||||
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
||||
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
|
||||
done
|
||||
popd
|
||||
%if %{with BDB}
|
||||
pushd bin/dlzbdb
|
||||
make
|
||||
popd
|
||||
pushd modules
|
||||
make -C bdbhpt CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
|
||||
popd
|
||||
%endif
|
||||
popd
|
||||
%endif
|
||||
popd # build
|
||||
|
@ -686,6 +812,8 @@ popd # build
|
|||
%systemtest_prepare_build build
|
||||
|
||||
%if %{with EXPORT_LIBS}
|
||||
cp isc-config.sh.1 isc-export-config.sh.1
|
||||
|
||||
## Create export libs ##
|
||||
mkdir -p export-libs
|
||||
pushd export-libs
|
||||
|
@ -722,8 +850,12 @@ export LIBDIR_SUFFIX
|
|||
## FIXME this should be in patch instead of SED'ing
|
||||
## but do we really like/want to patch generated files?
|
||||
|
||||
sed -i -e \
|
||||
'/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
|
||||
mv isc-config.sh isc-export-config.sh
|
||||
|
||||
sed -i \
|
||||
-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
|
||||
-e 's/isc-config.sh/isc-export-config.sh/g' \
|
||||
-e 's/bind9-config/bind9-export-config/g' \
|
||||
Makefile
|
||||
|
||||
sed -i -e \
|
||||
|
@ -735,9 +867,9 @@ do
|
|||
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
|
||||
sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \
|
||||
-e "s/lib${lib}\./lib${lib}-export\./g" \
|
||||
-i isc-config.sh
|
||||
-i isc-export-config.sh
|
||||
done;
|
||||
%{__patch} -p2 -b --suffix .export-isc-config < %{PATCH135}
|
||||
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
|
@ -757,12 +889,16 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
|
|||
%endif
|
||||
|
||||
%check
|
||||
%if %{with PKCS11}
|
||||
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||
# Tests require initialization of pkcs11 token
|
||||
export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
|
||||
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
|
||||
%endif
|
||||
|
||||
%if %{with TSAN}
|
||||
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
|
||||
%endif
|
||||
|
||||
%if %{with UNITTEST}
|
||||
pushd build
|
||||
make unit
|
||||
|
@ -910,15 +1046,20 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
|
|||
|
||||
%if %{with DLZ}
|
||||
pushd contrib/dlz
|
||||
pushd bin/dlzbdb
|
||||
make DESTDIR=${RPM_BUILD_ROOT} install
|
||||
popd
|
||||
pushd modules
|
||||
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
|
||||
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
||||
make -C $DIR DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
|
||||
done
|
||||
mv mysqldyn/testing/README mysqldyn/testing/README.testing
|
||||
%if %{with BDB}
|
||||
make -C bdbhpt DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
|
||||
%endif
|
||||
popd
|
||||
%if %{with BDB}
|
||||
pushd bin/dlzbdb
|
||||
make DESTDIR=${RPM_BUILD_ROOT} install
|
||||
popd
|
||||
%endif
|
||||
popd
|
||||
%endif
|
||||
|
||||
|
@ -933,14 +1074,6 @@ popd
|
|||
# Remove libtool .la files:
|
||||
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
|
||||
|
||||
# Remove -devel files out of buildroot if not needed
|
||||
%if !%{with DEVEL}
|
||||
rm -f ${RPM_BUILD_ROOT}/%{_libdir}/bind9/*so
|
||||
rm -rf ${RPM_BUILD_ROOT}/%{_includedir}/bind9
|
||||
rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man1/isc-config.sh.1*
|
||||
rm -f ${RPM_BUILD_ROOT}/%{_mandir}/man3/lwres*
|
||||
rm -f ${RPM_BUILD_ROOT}/%{_bindir}/isc-config.sh
|
||||
%endif
|
||||
|
||||
# SDB manpages
|
||||
%if %{with SDB}
|
||||
|
@ -956,6 +1089,7 @@ pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
|
|||
ln -s named.8.gz named-pkcs11.8.gz
|
||||
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
|
||||
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
|
||||
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
|
||||
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
|
||||
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
|
||||
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
|
||||
|
@ -965,6 +1099,11 @@ ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
|
|||
popd
|
||||
%endif
|
||||
|
||||
%if %{with DOC}
|
||||
mkdir -p ${RPM_BUILD_ROOT}%{_pkgdocdir}
|
||||
cp -a doc/arm/*.html doc/arm/*.pdf ${RPM_BUILD_ROOT}%{_pkgdocdir}
|
||||
%endif
|
||||
|
||||
# Ghost config files:
|
||||
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
|
||||
|
||||
|
@ -1073,7 +1212,7 @@ fi
|
|||
%triggerin -- selinux-policy < 3.14.1-44
|
||||
# Failsafe for upgrades, set to new default
|
||||
if [ -x "%{_sbindir}/selinuxenabled" -a -x "%{_sbindir}/setsebool" ] && %{_sbindir}/selinuxenabled; then
|
||||
"%{_sbindir}/setsebool" -P named_write_master_zones=1
|
||||
"%{_sbindir}/setsebool" -P named_write_master_zones=1
|
||||
fi
|
||||
%end
|
||||
|
||||
|
@ -1190,8 +1329,10 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_mandir}/man8/rndc-confgen.8*
|
||||
%{_mandir}/man8/named-journalprint.8*
|
||||
%doc CHANGES README named.conf.default
|
||||
%doc doc/arm/*html doc/arm/*pdf
|
||||
%doc sample/
|
||||
%if %{without DOC}
|
||||
%doc doc/arm/*.html doc/arm/*.pdf
|
||||
%endif
|
||||
|
||||
# Hide configuration
|
||||
%defattr(0640,root,named,0750)
|
||||
|
@ -1270,9 +1411,17 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_sbindir}/isc-hmac-fixup
|
||||
%{_sbindir}/named-checkzone
|
||||
%{_sbindir}/named-compilezone
|
||||
%if %{with DNSTAP}
|
||||
%{_bindir}/dnstap-read
|
||||
%{_mandir}/man1/dnstap-read.1*
|
||||
%endif
|
||||
%if %{with LMDB}
|
||||
%{_sbindir}/named-nzd2nzf
|
||||
%endif
|
||||
%if %{with DNSTAP}
|
||||
%{_bindir}/dnstap-read
|
||||
%{_mandir}/man1/dnstap-read.1*
|
||||
%endif
|
||||
%{_mandir}/man1/host.1*
|
||||
%{_mandir}/man1/nsupdate.1*
|
||||
%{_mandir}/man1/dig.1*
|
||||
|
@ -1295,7 +1444,6 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%endif
|
||||
%{_sysconfdir}/trusted-key.key
|
||||
|
||||
%if %{with DEVEL}
|
||||
%files devel
|
||||
%{_libdir}/libbind9.so
|
||||
%{_libdir}/libisccc.so
|
||||
|
@ -1309,7 +1457,6 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_mandir}/man3/lwres*
|
||||
%{_bindir}/isc-config.sh
|
||||
%{_bindir}/bind9-config
|
||||
%endif
|
||||
|
||||
%files lite-devel
|
||||
%{_libdir}/libdns.so
|
||||
|
@ -1352,6 +1499,7 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%dir %{chroot_prefix}/%{_libdir}
|
||||
%dir %{chroot_prefix}/%{_libdir}/bind
|
||||
%dir %{chroot_prefix}/%{_datadir}/GeoIP
|
||||
%{chroot_prefix}/proc
|
||||
%defattr(0660,root,named,01770)
|
||||
%dir %{chroot_prefix}%{_localstatedir}/named
|
||||
%defattr(0660,named,named,0770)
|
||||
|
@ -1462,12 +1610,15 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_bindir}/bind9-export-config
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
%if %{with DLZ} && %{with BDB}
|
||||
%files dlz-bdb
|
||||
%{_sbindir}/dlzbdb
|
||||
%{_libdir}/bind/dlz_bdbhpt_dynamic.so
|
||||
%doc contrib/dlz/modules/bdbhpt/testing/*
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
%files dlz-filesystem
|
||||
%{_libdir}/bind/dlz_filesystem_dynamic.so
|
||||
|
||||
|
@ -1494,19 +1645,135 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{python3_sitelib}/*.egg-info
|
||||
%{python3_sitelib}/isc/
|
||||
|
||||
%if %{with DOC}
|
||||
%files doc
|
||||
%dir %{_pkgdocdir}
|
||||
%doc %{_pkgdocdir}/*.html
|
||||
%doc %{_pkgdocdir}/*.pdf
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 04 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.13-6.1
|
||||
- Validate configuration files with CIDRs host bits set (#1865785)
|
||||
* Mon Feb 26 2024 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-14
|
||||
- Speed up parsing of DNS messages with many different names (CVE-2023-4408)
|
||||
- Prevent increased CPU consumption in DNSSEC validator (CVE-2023-50387 CVE-2023-50868)
|
||||
- Do not use header_prev in expire_lru_headers
|
||||
|
||||
* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5.1
|
||||
- Add CVE tests to codebase
|
||||
* Thu Dec 07 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-13
|
||||
- Update addresses of b.root-servers.net (RHEL-18449)
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5
|
||||
- Limit number of queries triggered by a request (CVE-2020-8616)
|
||||
* Mon Oct 09 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-12
|
||||
- Disable caching of stale records by default (RHEL-11785)
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-4
|
||||
- Fix invalid tsig request (CVE-2020-8617)
|
||||
* Tue Sep 19 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-11
|
||||
- Prevent exahustion of memory from control channel (CVE-2023-3341)
|
||||
|
||||
* Thu Jun 22 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-10
|
||||
- Prevent the cache going over the configured limit (CVE-2023-2828)
|
||||
|
||||
* Wed Feb 08 2023 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-9
|
||||
- Prevent flooding with UPDATE requests (CVE-2022-3094)
|
||||
- include upstream test for that change
|
||||
|
||||
* Thu Oct 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-8
|
||||
- Correct regression preventing bind-dyndb-ldap build (#2133889)
|
||||
|
||||
* Thu Sep 29 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-7
|
||||
- Prevent excessive resource use while processing large delegations.
|
||||
(CVE-2022-2795)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-6
|
||||
- Prevent freeing zone during statistics rendering (#2101712)
|
||||
|
||||
* Thu Sep 22 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-5
|
||||
- Fix memory leak in ECDSA verify processing (CVE-2022-38177)
|
||||
- Fix memory leak in EdDSA verify processing (CVE-2022-38178)
|
||||
|
||||
* Wed Apr 13 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-4
|
||||
- Tighten cache protection against record from forwarders (CVE-2021-25220)
|
||||
- Include test of forwarders
|
||||
|
||||
* Thu Feb 10 2022 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
|
||||
- Reduce memory used per-view on machine with few processors (#2030239)
|
||||
|
||||
* Tue Dec 21 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-2
|
||||
- Rebuilt on a new side-tag (#2013993)
|
||||
|
||||
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.36-1
|
||||
- Update to 9.11.36
|
||||
|
||||
* Mon Nov 01 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-9
|
||||
- Correct tsig system test
|
||||
|
||||
* Wed Oct 13 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-8
|
||||
- Propagate ephemeral port ranges to chroot (#1950714)
|
||||
|
||||
* Tue Aug 24 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-7
|
||||
- Do not request softhsm from bind-pkcs11, it is only in modular build
|
||||
(#1934035)
|
||||
|
||||
* Fri Jul 09 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-6
|
||||
- Use random entropy to generate unique TKEY identifiers (#1980916)
|
||||
|
||||
* Fri May 07 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-5
|
||||
- Fix possible assertion failure isc_refcount_current == 0 in free_rbtdb
|
||||
(#1953056)
|
||||
|
||||
* Tue Apr 27 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-4
|
||||
- Possible assertion failure on DNAME processing (CVE-2021-25215)
|
||||
- Insufficient IXFR checks could lead to assertion failure (CVE-2021-25214)
|
||||
|
||||
* Mon Feb 15 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-3
|
||||
- Fix off-by-one bug in ISC SPNEGO implementation (CVE-2020-8625)
|
||||
|
||||
* Tue Jan 05 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-2
|
||||
- Add DNSTAP support (#1854148), new dnstap-read tool
|
||||
- Add JSON support in statistics-channel (#1899257)
|
||||
|
||||
* Mon Jan 04 2021 Petr Menšík <pemensik@redhat.com> - 32:9.11.26-1
|
||||
- Update to 9.11.26
|
||||
|
||||
* Thu Nov 26 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.25-1
|
||||
- Update to 9.11.25
|
||||
- Require libcap from devel package
|
||||
- Fix crash on NTA recheck failure (#1893761)
|
||||
|
||||
* Fri Sep 25 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.20-6
|
||||
- Do not ignore RPZ wildcard passthru (#1876492)
|
||||
|
||||
* Tue Aug 18 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-5
|
||||
- Fix tsig-request verify (CVE-2020-8622)
|
||||
- Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)
|
||||
- Correct update-policy type subdomain to match documentation (CVE-2020-8624)
|
||||
- Include available test
|
||||
|
||||
* Wed Jul 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-4
|
||||
- Prevent crash on dstlib initialization failure (#1859454)
|
||||
|
||||
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
|
||||
- Add remaining require to bind package (#1633169)
|
||||
|
||||
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-2
|
||||
- Add manual page for dnssec-importkey-pkcs11 (#1666785)
|
||||
- Add versioned depends to all library subpackages
|
||||
|
||||
* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
|
||||
- Update to 9.11.20
|
||||
|
||||
* Mon Jun 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-2
|
||||
- Remove old KSK 19036 from remaining trusted-key.key
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
|
||||
- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
|
||||
|
||||
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
|
||||
- Update to 9.11.18
|
||||
|
||||
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
|
||||
- Update to 9.11.17
|
||||
|
||||
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
|
||||
- Update to 9.11.14
|
||||
- Remove libmaxminddb-devel from devel package dependencies
|
||||
|
||||
* Thu Feb 27 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.13-3
|
||||
- Fix rwlock to be thread-safe (#1740511)
|
||||
|
|