diff --git a/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch new file mode 100644 index 0000000000000000000000000000000000000000..1a0ad07044fd376c1ece574cf2f94df707e4e3d6 --- /dev/null +++ b/backport-0002-Fix-catalog-zone-reconfiguration-crash.patch @@ -0,0 +1,118 @@ +From 4b362a82ebf511d0915585bbe55bdb9b989f439a Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 11 Oct 2021 18:13:39 +0000 +Subject: [PATCH] Fix catalog zone reconfiguration crash + +The following scenario triggers a "named" crash: + +1. Configure a catalog zone. +2. Start "named". +3. Comment out the "catalog-zone" clause. +4. Run `rndc reconfig`. +5. Uncomment the "catalog-zone" clause. +6. Run `rndc reconfig` again. + +Implement the required cleanup of the in-memory catalog zone during +the first `rndc reconfig`, so that the second `rndc reconfig` could +find it in an expected state. +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4b362a82ebf511d0915585bbe55bdb9b989f439a +(cherry picked from commit 43ac2cd229813c04438e027c42c0b93b9661adda) +--- + bin/named/server.c | 2 ++ + lib/dns/include/dns/zone.h | 20 ++++++++++++++++++++ + lib/dns/win32/libdns.def.in | 2 ++ + lib/dns/zone.c | 18 ++++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 860ccae8a1a..9c0f12f63f6 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -6523,6 +6523,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, + + if (zone_is_catz) { + dns_zone_catz_enable(zone, view->catzs); ++ } else if (dns_zone_catz_is_enabled(zone)) { ++ dns_zone_catz_disable(zone); + } + + /* +diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h +index 08e2263c5b2..33ab5c60fd5 100644 +--- a/lib/dns/include/dns/zone.h ++++ b/lib/dns/include/dns/zone.h +@@ -2605,6 +2605,26 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); + * \li prior to calling, zone->catzs is NULL or is equal to 'catzs' + */ + ++void ++dns_zone_catz_disable(dns_zone_t *zone); ++/*%< ++ * Disable zone as catalog zone, if it is one. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone); ++/*%< ++ * Return a boolean indicating whether the zone is enabled as catalog zone. ++ * ++ * Requires: ++ * ++ * \li 'zone' is a valid zone object ++ */ ++ + void + dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db); + /*%< +diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in +index 31f511103fd..1e0f7cf64ae 100644 +--- a/lib/dns/win32/libdns.def.in ++++ b/lib/dns/win32/libdns.def.in +@@ -1173,8 +1173,10 @@ dns_xfrin_shutdown + dns_zone_addnsec3chain + dns_zone_asyncload + dns_zone_attach ++dns_zone_catz_disable + dns_zone_catz_enable + dns_zone_catz_enable_db ++dns_zone_catz_is_enabled + dns_zone_cdscheck + dns_zone_checknames + dns_zone_clearforwardacl +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 65a3aacab7b..bc33e6ede85 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -1942,6 +1942,24 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + UNLOCK_ZONE(zone); + } + ++void ++dns_zone_catz_disable(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ LOCK_ZONE(zone); ++ if (zone->catzs != NULL) { ++ dns_catz_catzs_detach(&zone->catzs); ++ } ++ UNLOCK_ZONE(zone); ++} ++ ++bool ++dns_zone_catz_is_enabled(dns_zone_t *zone) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ ++ return (zone->catzs != NULL); ++} ++ + /* + * If a zone is a catalog zone, attach it to update notification in database. + */ +-- +GitLab + diff --git a/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch new file mode 100644 index 0000000000000000000000000000000000000000..f76a47fe77b5cd0d389c983a2a1cf14d2bd2d8e9 --- /dev/null +++ b/backport-0003-Improve-the-logging-on-failed-TCP-accept.patch @@ -0,0 +1,161 @@ +From 75c484e36d6d28da820bfcf530a28b4f785049a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 1 Dec 2021 17:41:20 +0100 +Subject: [PATCH] Improve the logging on failed TCP accept + +Previously, when TCP accept failed, we have logged a message with +ISC_LOG_ERROR level. One common case, how this could happen is that the +client hits TCP client quota and is put on hold and when resumed, the +client has already given up and closed the TCP connection. In such +case, the named would log: + + TCP connection failed: socket is not connected + +This message was quite confusing because it actually doesn't say that +it's related to the accepting the TCP connection and also it logs +everything on the ISC_LOG_ERROR level. + +Change the log message to "Accepting TCP connection failed" and for +specific error states lower the severity of the log message to +ISC_LOG_INFO. +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/75c484e36d6d28da820bfcf530a28b4f785049a6 +(cherry picked from commit 20ac73eb222e60395399b467b0a72015a4dd8845) +--- + lib/isc/netmgr/netmgr-int.h | 3 +++ + lib/isc/netmgr/netmgr.c | 27 +++++++++++++++++++++++++++ + lib/isc/netmgr/tcp.c | 20 ++------------------ + lib/isc/netmgr/tcpdns.c | 22 ++-------------------- + 4 files changed, 34 insertions(+), 38 deletions(-) + +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index f7b54f94843..b4299d512ea 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -1576,4 +1576,7 @@ isc__nm_failed_read_cb(isc_nmsocket_t *sock, isc_result_t result, bool async); + void + isc__nmsocket_connecttimeout_cb(uv_timer_t *timer); + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota); ++ + #define STREAM_CLIENTS_PER_CONN 23 +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 3283eb6e4f4..54042a9123f 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -1967,6 +1967,33 @@ isc__nmsocket_connecttimeout_cb(uv_timer_t *timer) { + } + } + ++void ++isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) { ++ int level; ++ ++ switch (result) { ++ case ISC_R_SUCCESS: ++ case ISC_R_NOCONN: ++ return; ++ case ISC_R_QUOTA: ++ case ISC_R_SOFTQUOTA: ++ if (!can_log_quota) { ++ return; ++ } ++ level = ISC_LOG_INFO; ++ break; ++ case ISC_R_NOTCONNECTED: ++ level = ISC_LOG_INFO; ++ break; ++ default: ++ level = ISC_LOG_ERROR; ++ } ++ ++ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, ++ level, "Accepting TCP connection failed: %s", ++ isc_result_totext(result)); ++} ++ + static void + isc__nmsocket_readtimeout_cb(uv_timer_t *timer) { + isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer); +diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c +index 5cca9f52146..1b5e80d3a73 100644 +--- a/lib/isc/netmgr/tcp.c ++++ b/lib/isc/netmgr/tcp.c +@@ -631,15 +631,7 @@ tcp_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + void +@@ -934,15 +926,7 @@ isc__nm_async_tcpaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(sock->tid == isc_nm_tid()); + + result = accept_connection(sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcp_quota()) { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcp_quota()); + } + + static isc_result_t +diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c +index 188790c8b4f..b76dcbc66cb 100644 +--- a/lib/isc/netmgr/tcpdns.c ++++ b/lib/isc/netmgr/tcpdns.c +@@ -600,16 +600,7 @@ tcpdns_connection_cb(uv_stream_t *server, int status) { + + result = accept_connection(ssock, quota); + done: +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + void +@@ -905,16 +896,7 @@ isc__nm_async_tcpdnsaccept(isc__networker_t *worker, isc__netievent_t *ev0) { + REQUIRE(ievent->sock->tid == isc_nm_tid()); + + result = accept_connection(ievent->sock, ievent->quota); +- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { +- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || +- can_log_tcpdns_quota()) +- { +- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, +- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, +- "TCP connection failed: %s", +- isc_result_totext(result)); +- } +- } ++ isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); + } + + static isc_result_t +-- +GitLab + diff --git a/backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch b/backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch new file mode 100644 index 0000000000000000000000000000000000000000..124b718106484eb771dbd2d7d3e54a193f08e561 --- /dev/null +++ b/backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch @@ -0,0 +1,63 @@ +From 1d0f2eb2c495a079101b6f6fd66ff22d95a4ab04 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Wed, 9 Feb 2022 19:48:13 +0100 +Subject: [PATCH] Add isc_nmhandle_setwritetimeout() function + +In some situations (unit test and forthcoming XFR timeouts MR), we need +to modify the write timeout independently of the read timeout. Add a +isc_nmhandle_setwritetimeout() function that could be called before +isc_nm_send() to specify a custom write timeout interval. +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/1d0f2eb2c495a079101b6f6fd66ff22d95a4ab04 +(cherry picked from commit a89d9e0fa68b8d915c6a1c416543dd157d8b0b5a) +--- + lib/isc/include/isc/netmgr.h | 3 +++ + lib/isc/netmgr/netmgr.c | 8 ++++++++ + lib/isc/win32/libisc.def.in | 1 + + 3 files changed, 12 insertions(+) + +diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h +index f8477b00182..39dba1d376d 100644 +--- a/lib/isc/include/isc/netmgr.h ++++ b/lib/isc/include/isc/netmgr.h +@@ -489,3 +489,6 @@ isc__nm_force_tid(int tid); + * Force the thread ID to 'tid'. This is STRICTLY for use in unit + * tests and should not be used in any production code. + */ ++ ++void ++isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout); +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 6bc8c643376..31917be1014 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -639,6 +639,14 @@ isc_nm_maxudp(isc_nm_t *mgr, uint32_t maxudp) { + atomic_store(&mgr->maxudp, maxudp); + } + ++void ++isc_nmhandle_setwritetimeout(isc_nmhandle_t *handle, uint64_t write_timeout) { ++ REQUIRE(VALID_NMHANDLE(handle)); ++ REQUIRE(VALID_NMSOCK(handle->sock)); ++ ++ handle->sock->write_timeout = write_timeout; ++} ++ + void + isc_nm_settimeouts(isc_nm_t *mgr, uint32_t init, uint32_t idle, + uint32_t keepalive, uint32_t advertised) { +diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in +index de65c63b7d5..79e7b64a586 100644 +--- a/lib/isc/win32/libisc.def.in ++++ b/lib/isc/win32/libisc.def.in +@@ -457,6 +457,7 @@ isc_nmhandle_localaddr + isc_nmhandle_peeraddr + isc_nmhandle_setdata + isc_nmhandle_settimeout ++isc_nmhandle_setwritetimeout + isc_nm_attach + isc_nm_cancelread + isc_nm_detach +-- +GitLab + diff --git a/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6bf0466eaad097513f5ede5331b2480feb8b66c --- /dev/null +++ b/backport-0036-Check-if-key-metadata-is-modified-before-writing.patch @@ -0,0 +1,234 @@ +From c2e8c722980cd40e163f748e8502c9637ea55cf3 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 3 May 2022 12:28:31 +0200 +Subject: [PATCH] Check if key metadata is modified before writing + +Add a new parameter to the dst_key structure, mark a key modified if +dst_key_(un)set[bool,num,state,time] is called. Only write out key +files during a keymgr run if the metadata has changed. +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/c2e8c722980cd40e163f748e8502c9637ea55cf3 +(cherry picked from commit 1da91b3ab46b3d875213a473595e671d9ff9c76f) +--- + lib/dns/dst_api.c | 26 ++++++++++++++++++++++++++ + lib/dns/dst_internal.h | 1 + + lib/dns/include/dst/dst.h | 20 ++++++++++++++++++++ + lib/dns/keymgr.c | 17 ++++++++++++++++- + 4 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c +index ab371330f0c..8873a041b8e 100644 +--- a/lib/dns/dst_api.c ++++ b/lib/dns/dst_api.c +@@ -490,6 +490,16 @@ dst_key_isexternal(dst_key_t *key) { + return (key->external); + } + ++void ++dst_key_setmodified(dst_key_t *key, bool value) { ++ key->modified = value; ++} ++ ++bool ++dst_key_ismodified(dst_key_t *key) { ++ return (key->modified); ++} ++ + isc_result_t + dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg, + int type, const char *directory, isc_mem_t *mctx, +@@ -637,6 +647,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) + { + RETERR(computeid(pubkey)); ++ pubkey->modified = false; + *keyp = pubkey; + pubkey = NULL; + goto out; +@@ -690,6 +701,7 @@ dst_key_fromnamedfile(const char *filename, const char *dirname, int type, + RETERR(DST_R_INVALIDPRIVATEKEY); + } + ++ key->modified = false; + *keyp = key; + key = NULL; + +@@ -1047,6 +1059,8 @@ dst_key_setbool(dst_key_t *key, int type, bool value) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->boolset[type] || ++ key->bools[type] != value; + key->bools[type] = value; + key->boolset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1058,6 +1072,7 @@ dst_key_unsetbool(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_BOOLEAN); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->boolset[type]; + key->boolset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1089,6 +1104,8 @@ dst_key_setnum(dst_key_t *key, int type, uint32_t value) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->numset[type] || ++ key->nums[type] != value; + key->nums[type] = value; + key->numset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1100,6 +1117,7 @@ dst_key_unsetnum(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_NUMERIC); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->numset[type]; + key->numset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1130,6 +1148,8 @@ dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->timeset[type] || ++ key->times[type] != when; + key->times[type] = when; + key->timeset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1141,6 +1161,7 @@ dst_key_unsettime(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_TIMES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->timeset[type]; + key->timeset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -1172,6 +1193,8 @@ dst_key_setstate(dst_key_t *key, int type, dst_key_state_t state) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || !key->keystateset[type] || ++ key->keystates[type] != state; + key->keystates[type] = state; + key->keystateset[type] = true; + isc_mutex_unlock(&key->mdlock); +@@ -1183,6 +1206,7 @@ dst_key_unsetstate(dst_key_t *key, int type) { + REQUIRE(type <= DST_MAX_KEYSTATES); + + isc_mutex_lock(&key->mdlock); ++ key->modified = key->modified || key->keystateset[type]; + key->keystateset[type] = false; + isc_mutex_unlock(&key->mdlock); + } +@@ -2747,4 +2771,6 @@ dst_key_copy_metadata(dst_key_t *to, dst_key_t *from) { + dst_key_unsetstate(to, i); + } + } ++ ++ dst_key_setmodified(to, dst_key_ismodified(from)); + } +diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h +index e26837bfe4e..4933cfd5aa9 100644 +--- a/lib/dns/dst_internal.h ++++ b/lib/dns/dst_internal.h +@@ -147,6 +147,7 @@ struct dst_key { + bool inactive; /*%< private key not present as it is + * inactive */ + bool external; /*%< external key */ ++ bool modified; /*%< set to true if key file metadata has changed */ + + int fmt_major; /*%< private key format, major version + * */ +diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h +index d50761a63c0..eab5501029b 100644 +--- a/lib/dns/include/dst/dst.h ++++ b/lib/dns/include/dst/dst.h +@@ -1107,6 +1107,26 @@ dst_key_isexternal(dst_key_t *key); + * 'key' to be valid. + */ + ++void ++dst_key_setmodified(dst_key_t *key, bool value); ++/*%< ++ * If 'value' is true, this marks the key to indicate that key file metadata ++ * has been modified. If 'value' is false, this resets the value, for example ++ * after you have written the key to file. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ ++bool ++dst_key_ismodified(dst_key_t *key); ++/*%< ++ * Check if the key file has been modified. ++ * ++ * Requires: ++ * 'key' to be valid. ++ */ ++ + bool + dst_key_haskasp(dst_key_t *key); + /*%< +diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c +index 965782b1f38..b01286575fc 100644 +--- a/lib/dns/keymgr.c ++++ b/lib/dns/keymgr.c +@@ -1512,6 +1512,7 @@ transition: + /* It is safe to make the transition. */ + dst_key_setstate(dkey->key, i, next_state); + dst_key_settime(dkey->key, keystatetimes[i], now); ++ INSIST(dst_key_ismodified(dkey->key)); + changed = true; + } + } +@@ -2183,9 +2184,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, + for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL; + dkey = ISC_LIST_NEXT(dkey, link)) + { +- if (!dkey->purge) { ++ if (dst_key_ismodified(dkey->key) && !dkey->purge) { + dns_dnssec_get_hints(dkey, now); + RETERR(dst_key_tofile(dkey->key, options, directory)); ++ dst_key_setmodified(dkey->key, false); + } + } + +@@ -2205,6 +2207,13 @@ failure: + } + } + ++ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { ++ char namebuf[DNS_NAME_FORMATSIZE]; ++ dns_name_format(origin, namebuf, sizeof(namebuf)); ++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, ++ DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3), ++ "keymgr: %s done", namebuf); ++ } + return (result); + } + +@@ -2282,6 +2291,9 @@ keymgr_checkds(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(ksk_key, now); + result = dst_key_tofile(ksk_key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(ksk_key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +@@ -2582,6 +2594,9 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring, + + dns_dnssec_get_hints(key, now); + result = dst_key_tofile(key->key, options, directory); ++ if (result == ISC_R_SUCCESS) { ++ dst_key_setmodified(key->key, false); ++ } + isc_dir_close(&dir); + + return (result); +-- +GitLab + diff --git a/backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch b/backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch new file mode 100644 index 0000000000000000000000000000000000000000..4520a9015a7538a9e702dad78da49be5b15c08b7 --- /dev/null +++ b/backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch @@ -0,0 +1,39 @@ +From 88751da1145e1bbc4ed32fd100184f3f0d7e2ad1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 15 Feb 2022 14:44:29 +0100 +Subject: [PATCH] Add UV_RUNTIME_CHECK() macro to print uv_strerror() + +When libuv functions fail, they return correct return value that could +be useful for more detailed debugging. Currently, we usually just check +whether the return value is 0 and invoke assertion error if it doesn't +throwing away the details why the call has failed. Unfortunately, this +often happen on more exotic platforms. + +Add a UV_RUNTIME_CHECK() macro that can be used to print more detailed +error message (via uv_strerror() before ending the execution of the +program abruptly with the assertion. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/88751da1145e1bbc4ed32fd100184f3f0d7e2ad1 +(cherry picked from commit 62e15bb06db5e7d209e8c20d7bdb1501df7dfba8) +--- + lib/isc/netmgr/netmgr-int.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h +index 8099ea2d767..6c87b0f1cf6 100644 +--- a/lib/isc/netmgr/netmgr-int.h ++++ b/lib/isc/netmgr/netmgr-int.h +@@ -1594,3 +1594,9 @@ void + isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota); + + #define STREAM_CLIENTS_PER_CONN 23 ++ ++#define UV_RUNTIME_CHECK(func, ret) \ ++ if (ret != 0) { \ ++ isc_error_fatal(__FILE__, __LINE__, "%s failed: %s\n", #func, \ ++ uv_strerror(ret)); \ ++ } +-- +GitLab + diff --git a/bind.spec b/bind.spec index e1b31c62729f382460b232bda779ac512397cc07..6d1b577de2923e96d41542e81099d19fb5f09645 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 10 +Release: 11 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -87,6 +87,11 @@ Patch6004:backport-CVE-2022-38177.patch Patch6005:backport-CVE-2022-38178.patch Patch6006:backport-CVE-2022-2906.patch Patch6007:backport-CVE-2022-2881.patch +Patch6008:backport-0002-Fix-catalog-zone-reconfiguration-crash.patch +Patch6009:backport-0003-Improve-the-logging-on-failed-TCP-accept.patch +Patch6010:backport-0014-Add-isc_nmhandle_setwritetimeout-function.patch +Patch6011:backport-0036-Check-if-key-metadata-is-modified-before-writing.patch +Patch6012:backport-0044-Add-UV_RUNTIME_CHECK-macro-to-print-uv_strerror.patch Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -391,6 +396,11 @@ in HTML and PDF format. %patch6005 -p1 %patch6006 -p1 %patch6007 -p1 +%patch6008 -p1 +%patch6009 -p1 +%patch6010 -p1 +%patch6011 -p1 +%patch6012 -p1 %if %{with PKCS11} %patch135 -p1 -b .config-pkcs11 @@ -1113,6 +1123,9 @@ fi; %endif %changelog +* Thu Sep 29 2022 huangyu - 32:9.16.23-11 +- DESC: backport some patches + * Wed Sep 28 2022 huangyu - 32:9.16.23-10 - DESC:fix CVE-2022-2881 CVE-2022-2906 CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 CVE-2022-3080