Commit a1052ac7 authored by Ondrej Sury

New upstream version 9.14.2

parent e8ae8858
--- 9.14.2 released ---
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]
5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG.
[GL #960]
5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
5228. [cleanup] If trusted-keys and managed-keys are configured
simultaneously for the same name, the key cannot
be rolled automatically. This configuration now
logs a warning. [GL #868]
5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
5223. [bug] Fixed a race in the filter-aaaa plugin accessing
the hash table. [GL #1005]
5222. [bug] 'delv -t ANY' could leak memory. [GL #983]
5221. [test] Enable parallel execution of system tests on
Windows. [GL !4101]
5220. [cleanup] Refactor the isc_stat structure to take advantage
of stdatomic. [GL !1493]
5219. [bug] Fixed a race in the filter-aaaa plugin that could
trigger a crash when returning an instance object
to the memory pool. [GL #982]
5218. [bug] Conditionally include <dlfcn.h>. [GL #995]
5217. [bug] Restore key id calculation for RSAMD5. [GL #996]
5216. [bug] Fetches-per-zone counter wasn't updated correctly
when doing qname minimization. [GL #992]
5215. [bug] Change #5124 was incomplete; named could still
return FORMERR instead of SERVFAIL in some cases.
[GL #990]
5214. [bug] win32: named now removes its lock file upon shutdown.
[GL #979]
5213. [bug] win32: Eliminated a race which allowed named.exe running
as a service to be killed prematurely during shutdown.
[GL #978]
5211. [bug] Allow out-of-zone additional data to be included
in authoritative responses if recursion is allowed
and "minimal-responses" is disabled. This behavior
was inadvertently removed in change #4605. [GL #817]
5210. [bug] When dnstap is enabled and recursion is not
available, incoming queries are now logged
as "auth". Previously, this depended on whether
recursion was requested by the client, not on
whether recursion was available. [GL #963]
5209. [bug] When update-check-ksk is true, add_sigs was not
considering offline keys, leaving record sets signed
with the incorrect type key. [GL #763]
5208. [test] Run valid rdata wire encodings through totext+fromtext
and tofmttext+fromtext methods to check these methods.
[GL #899]
5207. [test] Check delv and dig TTL values. [GL #965]
5206. [bug] Delv could print out bad TTLs. [GL #965]
5205. [bug] Enforce that a DS hash exists. [GL #899]
5204. [test] Check that dns_rdata_fromtext() produces a record that
will be accepted by dns_rdata_fromwire(). [GL #852]
5203. [bug] Enforce whether key rdata exists or not in KEY,
DNSKEY, CDNSKEY and RKEY. [GL #899]
5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
5190. [bug] Ignore trust anchors using disabled algorithms.
[GL #806]
--- 9.14.1 released ---
5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
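Review bot: Entry 5190 is listed below 5202 inside the 9.14.2 block, out of numeric order with every other entry in the list, and it is lower than 5201 which sits under the 9.14.1 marker; if it was merged into this branch after 9.14.1 shipped, a reader scanning by number will miss it, so either move it into sequence or keep it where it is and accept the oddity knowingly. It is also the entry most worth finding, since "Ignore trust anchors using disabled algorithms" is the behaviour change that the process_key() rewrite later in this commit implements.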
......
......@@ -148,6 +148,10 @@ BIND 9.14.1
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
BIND 9.14.2
BIND 9.14.2 is a maintenance release.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
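Review bot: The new 9.14.2 paragraph only says "is a maintenance release", while the 9.14.1 paragraph directly above it names the CVEs it addresses; if 9.14.2 carries no security fixes it helps operators to say so explicitly ("addresses no security vulnerabilities"), and if it does, the CVE identifiers belong here as they do for 9.14.1. The same wording is repeated in README.md, so both copies should be kept in step.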
......
......@@ -165,6 +165,10 @@ by the C compiler. Non-threaded builds are no longer supported.
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
#### BIND 9.14.2
BIND 9.14.2 is a maintenance release.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
......
......@@ -1411,6 +1411,8 @@ dig_ednsoptname_t optnames[] = {
{ 12, "PAD" }, /* shorthand */
{ 13, "CHAIN" }, /* RFC 7901 */
{ 14, "KEY-TAG" }, /* RFC 8145 */
{ 16, "CLIENT-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 17, "SERVER-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
};
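Review bot: Codes 16 and 17 are the only entries in this table whose comment cites an Internet-Draft (draft-bellis-dnsop-edns-tags) rather than an RFC, and the table skips code 15; since draft-assigned names can change or be withdrawn before publication, consider noting in the comment that these names track a draft, so that a later reader of dig output does not take "CLIENT-TAG"/"SERVER-TAG" as stable IANA-registered names. The lookup itself is only cosmetic (it affects how dig labels an option when printing), so there is no parsing risk here.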
......
......@@ -10,12 +10,12 @@
.\" Title: named.conf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-02-06
.\" Date: 2019-04-25
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\&.CONF" "5" "2019\-02\-06" "ISC" "BIND9"
.TH "NAMED\&.CONF" "5" "2019\-04\-25" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
......@@ -409,11 +409,12 @@ options {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
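Review bot: `add-soa` now appears twice in the `response-policy` grammar, once inside the per-zone clause (the new `[ add\-soa \fIboolean\fR ]` after `zone \fIstring\fR`) and once in the trailing global options (`} [ add\-soa \fIboolean\fR ] [ break\-dnssec ...`); the synopsis cannot say which one wins, so the descriptive text for `response-policy` should state that the per-zone value overrides the global one (or whatever the intended precedence is), as is done for the other options that exist at both levels such as `max-policy-ttl` and `min-update-interval`. The identical change is repeated in the `view` grammar and in the DocBook and HTML renderings below, so all four should be checked for the same ordering.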
......@@ -761,11 +762,12 @@ view \fIstring\fR [ \fIclass\fR ] {
resolver\-retry\-interval \fIinteger\fR;
response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
\fIinteger\fR;
response\-policy { zone \fIstring\fR [ log \fIboolean\fR ] [ max\-policy\-ttl
\fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [ policy ( cname |
disabled | drop | given | no\-op | nodata | nxdomain | passthru
| tcp\-only \fIquoted_string\fR ) ] [ recursive\-only \fIboolean\fR ] [
nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [
response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
\fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval
\fIttlval\fR ] [ policy ( cname | disabled | drop | given | no\-op |
nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIttlval\fR ] [
min\-update\-interval \fIttlval\fR ] [ min\-ns\-dots \fIinteger\fR ] [
nsip\-wait\-recurse \fIboolean\fR ] [ qname\-wait\-recurse \fIboolean\fR ]
......
......@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2019-02-06</date>
<date>2019-04-25</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -403,11 +403,12 @@ options {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
......@@ -735,11 +736,12 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
resolver-retry-interval <replaceable>integer</replaceable>;
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ log <replaceable>boolean</replaceable> ] [ max-policy-ttl
<replaceable>ttlval</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ] [ policy ( cname |
disabled | drop | given | no-op | nodata | nxdomain | passthru
| tcp-only <replaceable>quoted_string</replaceable> ) ] [ recursive-only <replaceable>boolean</replaceable> ] [
nsip-enable <replaceable>boolean</replaceable> ] [ nsdname-enable <replaceable>boolean</replaceable> ]; ... } [
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
......
......@@ -390,11 +390,12 @@ options
resolver-retry-interval<em class="replaceable"><code>integer</code></em>;<br>
response-padding{<em class="replaceable"><code>address_match_element</code></em>;...}block-size<br>
<em class="replaceable"><code>integer</code></em>;<br>
response-policy{zone<em class="replaceable"><code>string</code></em>[log<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<br>
<em class="replaceable"><code>ttlval</code></em>][min-update-interval<em class="replaceable"><code>ttlval</code></em>][policy(cname|<br>
disabled|drop|given|no-op|nodata|nxdomain|passthru<br>
|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][recursive-only<em class="replaceable"><code>boolean</code></em>][<br>
nsip-enable<em class="replaceable"><code>boolean</code></em>][nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[<br>
response-policy{zone<em class="replaceable"><code>string</code></em>[add-soa<em class="replaceable"><code>boolean</code></em>][log<br>
<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][min-update-interval<br>
<em class="replaceable"><code>ttlval</code></em>][policy(cname|disabled|drop|given|no-op|<br>
nodata|nxdomain|passthru|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][<br>
recursive-only<em class="replaceable"><code>boolean</code></em>][nsip-enable<em class="replaceable"><code>boolean</code></em>][<br>
nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[add-soa<em class="replaceable"><code>boolean</code></em>][<br>
break-dnssec<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][<br>
min-update-interval<em class="replaceable"><code>ttlval</code></em>][min-ns-dots<em class="replaceable"><code>integer</code></em>][<br>
nsip-wait-recurse<em class="replaceable"><code>boolean</code></em>][qname-wait-recurse<em class="replaceable"><code>boolean</code></em>]<br>
......@@ -727,11 +728,12 @@ view
resolver-retry-interval<em class="replaceable"><code>integer</code></em>;<br>
response-padding{<em class="replaceable"><code>address_match_element</code></em>;...}block-size<br>
<em class="replaceable"><code>integer</code></em>;<br>
response-policy{zone<em class="replaceable"><code>string</code></em>[log<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<br>
<em class="replaceable"><code>ttlval</code></em>][min-update-interval<em class="replaceable"><code>ttlval</code></em>][policy(cname|<br>
disabled|drop|given|no-op|nodata|nxdomain|passthru<br>
|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][recursive-only<em class="replaceable"><code>boolean</code></em>][<br>
nsip-enable<em class="replaceable"><code>boolean</code></em>][nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[<br>
response-policy{zone<em class="replaceable"><code>string</code></em>[add-soa<em class="replaceable"><code>boolean</code></em>][log<br>
<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][min-update-interval<br>
<em class="replaceable"><code>ttlval</code></em>][policy(cname|disabled|drop|given|no-op|<br>
nodata|nxdomain|passthru|tcp-only<em class="replaceable"><code>quoted_string</code></em>)][<br>
recursive-only<em class="replaceable"><code>boolean</code></em>][nsip-enable<em class="replaceable"><code>boolean</code></em>][<br>
nsdname-enable<em class="replaceable"><code>boolean</code></em>];...}[add-soa<em class="replaceable"><code>boolean</code></em>][<br>
break-dnssec<em class="replaceable"><code>boolean</code></em>][max-policy-ttl<em class="replaceable"><code>ttlval</code></em>][<br>
min-update-interval<em class="replaceable"><code>ttlval</code></em>][min-ns-dots<em class="replaceable"><code>integer</code></em>][<br>
nsip-wait-recurse<em class="replaceable"><code>boolean</code></em>][qname-wait-recurse<em class="replaceable"><code>boolean</code></em>]<br>
......
......@@ -165,23 +165,23 @@
* using it has a 'result' variable and a 'cleanup' label.
*/
#define CHECK(op) \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
do { result = (op); \
if (result != ISC_R_SUCCESS) goto cleanup; \
} while (0)
#define TCHECK(op) \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
do { tresult = (op); \
if (tresult != ISC_R_SUCCESS) { \
isc_buffer_clear(*text); \
goto cleanup; \
} \
} while (0)
#define CHECKM(op, msg) \
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s: %s", msg, \
......@@ -194,7 +194,7 @@
do { result = (op); \
if (result != ISC_R_SUCCESS) { \
isc_log_write(named_g_lctx, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGCATEGORY_GENERAL, \
NAMED_LOGMODULE_SERVER, \
ISC_LOG_ERROR, \
"%s '%s': %s", msg, file, \
......@@ -703,7 +703,8 @@ configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
static isc_result_t
dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
bool managed, dst_key_t **target, isc_mem_t *mctx)
bool managed, dst_key_t **target, const char **keynamestrp,
isc_mem_t *mctx)
{
dns_rdataclass_t viewclass;
dns_rdata_dnskey_t keystruct;
......@@ -721,12 +722,14 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
dst_key_t *dstkey = NULL;
INSIST(target != NULL && *target == NULL);
INSIST(keynamestrp != NULL && *keynamestrp == NULL);
flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
keyname = dns_fixedname_name(&fkeyname);
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
*keynamestrp = keynamestr;
if (managed) {
const char *initmethod;
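Review bot: The new out-parameter `*keynamestrp` is assigned at the point where the key name is read from the configuration, before the flag, protocol and algorithm range checks, which is what lets the caller log the key name on failure; but the pointer comes from `cfg_obj_asstring()`, so it is only valid for the lifetime of the `key` configuration object and must not be stored. Worth a line in the function's header comment, together with the `INSIST(*keynamestrp == NULL)` precondition, so a future caller that reuses one `keynamestr` variable across a loop does not trip the assertion.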
......@@ -760,6 +763,8 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
if (flags > 0xffff)
CHECKM(ISC_R_RANGE, "key flags");
if (flags & DNS_KEYFLAG_REVOKE)
CHECKM(DST_R_BADKEYTYPE, "key flags revoke bit set");
if (proto > 0xff)
CHECKM(ISC_R_RANGE, "key protocol");
if (alg > 0xff)
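Review bot: Rejecting a configured trust anchor whose flags carry the REVOKE bit is the right call, since RFC 5011 says a key seen with that bit set must no longer be used as a trust anchor; but `CHECKM` logs this at `ISC_LOG_ERROR` ("key flags revoke bit set") and the caller then logs the same key again at `ISC_LOG_WARNING` as "ignoring ... key", so an operator sees one error and one warning for a condition that is, by the caller's own handling, non-fatal. Consider returning `DST_R_BADKEYTYPE` without the `CHECKM` log (or logging it at warning level) so the two messages agree on severity.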
......@@ -799,26 +804,118 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
return (ISC_R_SUCCESS);
cleanup:
if (result == DST_R_NOCRYPTO) {
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
return (result);
}
/*%
* Parse 'key' in the context of view configuration 'vconfig'. If successful,
* add the key to 'secroots' if both of the following conditions are true:
*
* - 'keyname_match' is NULL or it matches the owner name of 'key',
* - support for the algorithm used by 'key' is not disabled by 'resolver'
* for the owner name of 'key'.
*
* 'managed' is true for managed keys and false for trusted keys. 'mctx' is
* the memory context to use for allocating memory.
*/
static isc_result_t
process_key(const cfg_obj_t *key, const cfg_obj_t *vconfig,
dns_keytable_t *secroots, const dns_name_t *keyname_match,
dns_resolver_t *resolver, bool managed, isc_mem_t *mctx)
{
const dns_name_t *keyname = NULL;
const char *keynamestr = NULL;
dst_key_t *dstkey = NULL;
unsigned int keyalg;
isc_result_t result;
result = dstkey_fromconfig(vconfig, key, managed, &dstkey, &keynamestr,
mctx);
switch (result) {
case ISC_R_SUCCESS:
/*
* Key was parsed correctly, its algorithm is supported by the
* crypto library, and it is not revoked.
*/
keyname = dst_key_name(dstkey);
keyalg = dst_key_alg(dstkey);
break;
case DST_R_UNSUPPORTEDALG:
case DST_R_BADKEYTYPE:
/*
* Key was parsed correctly, but it cannot be used; this is not
* a fatal error - log a warning about this key being ignored,
* but do not prevent any further ones from being processed.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"ignoring %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
return (ISC_R_SUCCESS);
case DST_R_NOCRYPTO:
/*
* Crypto support is not available.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"ignoring %s key for '%s': no crypto support",
managed ? "managed" : "trusted",
keynamestr);
} else if (result == DST_R_UNSUPPORTEDALG) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"skipping %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
} else {
return (result);
default:
/*
* Something unexpected happened; we have no choice but to
* indicate an error so that the configuration loading process
* is interrupted.
*/
cfg_obj_log(key, named_g_lctx, ISC_LOG_ERROR,
"configuring %s key for '%s': %s",
managed ? "managed" : "trusted",
keynamestr, isc_result_totext(result));
result = ISC_R_FAILURE;
return (ISC_R_FAILURE);
}
/*
* If the caller requested to only load keys for a specific name and
* the owner name of this key does not match the requested name, do not
* load it.
*/
if (keyname_match != NULL && !dns_name_equal(keyname_match, keyname)) {
goto done;
}
/*
* Ensure that 'resolver' allows using the algorithm of this key for
* its owner name. If it does not, do not load the key and log a
* warning, but do not prevent further keys from being processed.
*/
if (!dns_resolver_algorithm_supported(resolver, keyname, keyalg)) {
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"ignoring %s key for '%s': algorithm is disabled",
managed ? "managed" : "trusted", keynamestr);
goto done;
}
if (dstkey != NULL)
/*
* Add the key to 'secroots'. This key is taken from the
* configuration, so if it's a managed key then it's an initializing
* key; that's why 'managed' is duplicated below.
*/
result = dns_keytable_add(secroots, managed, managed, &dstkey);
done:
/*
* Ensure 'dstkey' does not leak. Note that if dns_keytable_add()
* succeeds, ownership of the key structure is transferred to the key
* table, i.e. 'dstkey' is set to NULL.
*/
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
return (result);
}
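Review bot: In the `DST_R_NOCRYPTO` branch of `process_key()` the message reads "ignoring %s key for '%s': no crypto support", but the branch falls through to `return (result);`, which propagates the error to `load_view_keys()` where `CHECK(process_key(...))` aborts configuration loading; the text says "ignoring" while the effect is fatal, unlike the `DST_R_UNSUPPORTEDALG`/`DST_R_BADKEYTYPE` branches that really do ignore the key and return `ISC_R_SUCCESS`. Reword it to match the `default` branch ("configuring %s key for '%s': ..."). Also, every branch prints `keynamestr` with `%s`, which is only safe because `dstkey_fromconfig()` sets `*keynamestrp` before any check can fail; a short comment there, or a `keynamestr != NULL ? keynamestr : "<unknown>"` guard, would protect against a future early exit. The new disabled-algorithm check before `dns_keytable_add()` is the behaviour described by CHANGES entry 5190 and correctly keeps such anchors out of `secroots` rather than loading them and failing validation later.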
......@@ -834,8 +931,7 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
const dns_name_t *keyname, isc_mem_t *mctx)
{
const cfg_listelt_t *elt, *elt2;
const cfg_obj_t *key, *keylist;
dst_key_t *dstkey = NULL;
const cfg_obj_t *keylist;
isc_result_t result;
dns_keytable_t *secroots = NULL;
......@@ -851,42 +947,13 @@ load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
elt2 != NULL;
elt2 = cfg_list_next(elt2))
{
key = cfg_listelt_value(elt2);
result = dstkey_fromconfig(vconfig, key, managed,
&dstkey, mctx);
if (result == DST_R_UNSUPPORTEDALG) {
result = ISC_R_SUCCESS;
continue;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* If keyname was specified, we only add that key.
*/
if (keyname != NULL &&
!dns_name_equal(keyname, dst_key_name(dstkey)))
{
dst_key_free(&dstkey);
continue;
}
/*
* This key is taken from the configuration, so
* if it's a managed key then it's an
* initializing key; that's why 'managed'
* is duplicated below.
*/
CHECK(dns_keytable_add(secroots, managed,
managed, &dstkey));
CHECK(process_key(cfg_listelt_value(elt2), vconfig,
secroots, keyname, view->resolver,
managed, mctx));
}
}
cleanup:
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
if (secroots != NULL) {
dns_keytable_detach(&secroots);
}
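Review bot: `view->resolver` is now passed into `process_key()` and dereferenced there by `dns_resolver_algorithm_supported()`, whereas the old loop body never touched the resolver; the hunk therefore adds an ordering dependency that the view's resolver must already be created when `load_view_keys()` runs. That should be confirmed against the call sites in `configure_view()`, and an `INSIST(view->resolver != NULL)` at the top of `load_view_keys()` would make the assumption explicit. The removed handling of `DST_R_UNSUPPORTEDALG` (`result = ISC_R_SUCCESS; continue;`) is preserved by `process_key()` returning `ISC_R_SUCCESS` for that case, so no behaviour is lost there.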
......@@ -10599,7 +10666,7 @@ add_zone_tolist(dns_zone_t *zone, void *uap) {
struct zonelistentry *zle;
zle = isc_mem_get(dctx->mctx, sizeof *zle);
if (zle == NULL)
if (zle == NULL)
return (ISC_R_NOMEMORY);
zle->zone = NULL;
dns_zone_attach(zone, &zle->zone);
......
......@@ -17,7 +17,9 @@
#include <inttypes.h>
#include <stdlib.h>
#include <string.h>
#if HAVE_DLFCN_H
#include <dlfcn.h>
#endif
#include <dns/log.h>
#include <dns/result.h>
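Review bot: `#if HAVE_DLFCN_H` works because autoconf defines `HAVE_DLFCN_H` to 1 when the header is found and leaves it undefined otherwise (an undefined identifier evaluates to 0 in `#if`), but it triggers `-Wundef` and differs from the `#ifdef`/`#if defined()` form used for other conditional includes; `#ifdef HAVE_DLFCN_H` is the conventional spelling for an `AC_CHECK_HEADERS` result.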
......
......@@ -82,7 +82,7 @@ ServiceControl(DWORD dwCtrlCode) {
case SERVICE_CONTROL_STOP:
named_server_flushonshutdown(named_g_server, true);
isc_app_shutdown();
UpdateSCM(SERVICE_STOPPED);
UpdateSCM(SERVICE_STOP_PENDING);
break;
default:
break;
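Review bot: Reporting `SERVICE_STOP_PENDING` instead of `SERVICE_STOPPED` from the control handler is what keeps the SCM from tearing the process down while `isc_app_shutdown()` is still unwinding (the race described in CHANGES entry 5213), but the SCM then expects a later `SERVICE_STOPPED` report; the hunk does not show where that final report is made, so confirm that the shutdown path (`ntservice_shutdown()`, called last from `named_os_shutdown()`) still reports `SERVICE_STOPPED`, and that the wait hint passed with `SERVICE_STOP_PENDING` is long enough for `flushonshutdown` to complete.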
......
......@@ -349,9 +349,9 @@ named_os_shutdown(void) {
if (lockfilefd != -1) {
(void) UnlockFile((HANDLE) _get_osfhandle(lockfilefd),
0, 0, 0, 1);
close(lockfilefd);
lockfilefd = -1;
}
cleanup_lockfile();
ntservice_shutdown(); /* This MUST be the last thing done */
}
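Review bot: The inline `UnlockFile()`/`close()` sequence is replaced by `cleanup_lockfile()`, which per CHANGES entry 5214 now also removes the lock file; on Windows a file that is still open cannot be deleted unless it was opened with `FILE_SHARE_DELETE`, so `cleanup_lockfile()` must unlock and close `lockfilefd` before attempting the delete, and should reset `lockfilefd = -1` as the removed code did so a second call is harmless. The placement before `ntservice_shutdown()` is correct given the comment that the latter must be last.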
......
......@@ -85,11 +85,13 @@ typedef struct filter_instance {
* Memory pool for use with persistent data.
*/
isc_mempool_t *datapool;
isc_mutex_t plock;
/*
* Hash table associating a client object with its persistent data.
*/
isc_ht_t *ht;
isc_mutex_t hlock;
/*
* Values configured when the module is loaded.
......@@ -377,6 +379,7 @@ plugin_register(const char *parameters,
CHECK(isc_mempool_create(mctx, sizeof(filter_data_t),
&inst->datapool));
CHECK(isc_ht_init(&inst->ht, mctx, 16));
isc_mutex_init(&inst->hlock);
/*
* Fill the mempool with 1K filter_aaaa state objects at
......@@ -390,6 +393,8 @@ plugin_register(const char *parameters,
*/
isc_mempool_setfillcount(inst->datapool, 1024);
isc_mempool_setfreemax(inst->datapool, UINT_MAX);
isc_mutex_init(&inst->plock);
isc_mempool_associatelock(inst->datapool, &inst->plock);
/*
* Set hook points in the view's hooktable.
......@@ -445,9 +450,11 @@ plugin_destroy(void **instp) {
if (inst->ht != NULL) {
isc_ht_destroy(&inst->ht);
isc_mutex_destroy(&inst->hlock);
}
if (inst->datapool != NULL) {
isc_mempool_destroy(&inst->datapool);
isc_mutex_destroy(&inst->plock);
}
if (inst->aaaa_acl != NULL) {
dns_acl_detach(&inst->aaaa_acl);
......@@ -517,8 +524,10 @@ client_state_get(const query_ctx_t *qctx, filter_instance_t *inst) {
filter_data_t *client_state = NULL;
isc_result_t result;
LOCK(&inst->hlock);
result = isc_ht_find(inst->ht, (const unsigned char *)&qctx->client,
sizeof(qctx->client), (void **)&client_state);
UNLOCK(&inst->hlock);
return (result == ISC_R_SUCCESS ? client_state : NULL);
}
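Review bot: `hlock` now serialises `isc_ht_find()`, `isc_ht_add()` and `isc_ht_delete()`, which closes the table-corruption race from CHANGES entry 5223; note that the lock protects the table structure only, not the `filter_data_t` it hands back, since `client_state` is returned after `UNLOCK()`. That is safe as long as the get/create/destroy hooks for a single `qctx->client` never run concurrently, which is the existing per-client hook model; a comment stating that assumption at `client_state_get()` would stop a reader from thinking the lock covers the returned object. Since `client_state_get()` is read-only and is called on every query, an `isc_rwlock_t` read lock would allow concurrent lookups if this mutex shows up in profiles.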
......@@ -536,8 +545,10 @@ client_state_create(const query_ctx_t *qctx, filter_instance_t *inst) {
client_state->mode = NONE;
client_state->flags = 0;
LOCK(&inst->hlock);
result = isc_ht_add(inst->ht, (const unsigned char *)&qctx->client,
sizeof(qctx->client), client_state);
UNLOCK(&inst->hlock);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
}
......@@ -550,8 +561,10 @@ client_state_destroy(const query_ctx_t *qctx, filter_instance_t *inst) {
return;
}
LOCK(&inst->hlock);
result = isc_ht_delete(inst->ht, (const unsigned char *)&qctx->client,
sizeof(qctx->client));
UNLOCK(&inst->hlock);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
isc_mempool_put(inst->datapool, client_state);
......
......@@ -47,32 +47,6 @@ feature-test@EXEEXT@: feature-test.@O@
# Running the scripts below is bypassed when a separate build directory is
# used.
# Define the tests that can be run in parallel. This should be identical to
# the definition of PARALLELDIRS in conf.sh. Note: longer-running tests
# such as serve-stale and rpzrecurse stale are scheduled first to get more
# benefit from parallelism.
PARALLEL = rpzrecurse serve-stale dnssec \
acl additional addzone allow-query auth autosign \
builtin cacheclean case catz cds chain \
checkconf checknames checkzone \
@CHECKDS@ @COVERAGE@ @KEYMGR@ \
cookie database digdelv dlv dlz dlzexternal \
dns64 @DNSTAP@ dscp dsdigest dyndb \
ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward \
geoip glue idna inline integrity ixfr keepalive \
legacy limits logfileconfig \
masterfile masterformat metadata mirror mkeys \
names notify nslookup nsupdate nzd2nzf \
padding pending pipelined qmin \
reclimit redirect resolver rndc rootkeysentinel rpz \
rrchecker rrl rrsetorder rsabigexponent runtime \
sfcache smartsign sortlist \
spf staticstub statistics statschannel stub synthfromdnssec \
tcp tools tsig tsiggss ttl \
unknown upforwd verify views wildcard \
xfer xferquota zero zonechecks
# Produce intermediate makefile that assigns unique port numbers to each
# parallel test. The start port number of 5,000 is arbitrary - it must just
# be greater than the highest privileged port, 1024.
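Review bot: Removing `PARALLEL` from `Makefile.in` drops the list whose comment said it "should be identical to the definition of PARALLELDIRS in conf.sh", so the single source of truth is presumably now `conf.sh`; the second hunk below also removes the generated `check_interfaces` target that refused to run the suite unless `10.53.0.1` through `10.53.0.8` are configured on the loopback interface. Confirm that the replacement `parallel.mk` generation (CHANGES entry 5221 mentions enabling parallel runs on Windows) still performs that `testsock.pl` precondition check, otherwise the tests will fail in confusing ways on a host without the aliases rather than with the clear "I:NOTE" message that is being deleted here.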
......@@ -84,26 +58,7 @@ PARALLEL = rpzrecurse serve-stale dnssec \
.PHONY: parallel.mk
parallel.mk:
@PARALLEL_SANITIZED=`echo $(PARALLEL) | sed "s|\([^ ][^ ]*\)|test-\1|g;" | tr _ -` ; \
echo ".PHONY: $$PARALLEL_SANITIZED" > $@ ; \
echo "" >> $@ ; \
echo "check_interfaces:" >> $@ ; \
echo " @${PERL} testsock.pl > /dev/null 2>&1 || { \\" >> $@ ; \
echo " echo \"I:NOTE: System tests were skipped because they require that the\"; \\" >> $@ ; \
echo " echo \"I: IP addresses 10.53.0.1 through 10.53.0.8 be configured\"; \\" >> $@ ; \
echo " echo \"I: as alias addresses on the loopback interface. Please run\"; \\" >> $@ ; \
echo " echo \"I: \"bin/tests/system/ifconfig.sh up\" as root to configure them.\"; \\" >> $@ ; \
echo " exit 1; \\" >> $@ ; \
echo " }" >> $@ ; \
echo "" >> $@ ; \
echo "test check: $$PARALLEL_SANITIZED" >> $@ ; \
port=$${STARTPORT:-5000} ; \
for directory in $(PARALLEL) ; do \
echo "" >> $@ ; \
echo "test-`echo $$directory | tr _ -`: check_interfaces" >> $@ ; \
echo " @$(SHELL) ./run.sh -r -p $$port $$directory 2>&1 | tee $$directory/test.output" >> $@ ; \
port=`expr $$port + 100` ; \