path: root/source4/dns_server
Commit log (each entry: commit message, author, date, files changed, lines -removed/+added)
* dns: changing onelevel search for wildcard to subtree
  Aaron Haslett, 2019-01-14, 1 file, -1/+1

  SCOPE_ONELEVEL is used on wildcard dns searches, but onelevel searches currently have a performance problem related to GUID indexing, so this patch changes the search scope to SCOPE_SUBTREE. In this case, as the onelevel and subtree sets of records are roughly the same, and the query is matching against the DN itself, we don't believe there's any benefit in using SCOPE_ONELEVEL over SCOPE_SUBTREE. The onelevel performance problem will be fixed separately later, but in the meantime this solves the DNS performance problem.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13738
  Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  (cherry picked from commit ef379880037c10589ceeab7f985e3245817908a4)
* CVE-2018-14629 dns: fix CNAME loop prevention using counter regression
  Stefan Metzmacher, 2018-12-07, 1 file, -9/+20

  The loop prevention should only be done for CNAME records! Otherwise we truncate the answer records for A, AAAA or SRV queries, which is a bad idea if you have more than 20 DCs.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Dec 4 08:52:29 CET 2018 on sn-devel-144
  (cherry picked from commit 34f4491d79b47b2fe2457b8882f11644cf773bc4)
* CVE-2018-14629 dns: CNAME loop prevention using counter
  Aaron Haslett, 2018-11-26, 1 file, -0/+6

  Count number of answers generated by internal DNS query routine and stop at 20 to match Microsoft's loop prevention mechanism.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
  Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dns wildcards: fix BUG 13536
  Gary Lockyer, 2018-08-13, 1 file, -0/+1

  The current position in the dns name was not advanced past the '.' character.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Jul 20 04:40:31 CEST 2018 on sn-devel-144
  (cherry picked from commit cef1b31cd1f33074e8ab6de52aa0fb74e9b57a9f)
* s4:dns_server: avoid debug noise on successful updates
  Stefan Metzmacher, 2018-01-10, 2 files, -2/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12423
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
* dns_server: Remove "max_payload" from dns_server
  Volker Lendecke, 2018-01-04, 2 files, -3/+0

  This would have to be retrieved from the interface type we have I guess.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jan 4 05:08:02 CET 2018 on sn-devel-144
* dns_server: Remove unused "dns_generate_options"
  Volker Lendecke, 2018-01-04, 2 files, -23/+0

  This was part of the previous bugfix for 9632, which has been replaced by TCP fallback code. We can dig this up from git if needed.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dns_server: Remove unused "dns" parameter from ask_forwarder_send
  Volker Lendecke, 2018-01-04, 1 file, -4/+3

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dns_server: Use dns_cli_request instead of direct udp
  Volker Lendecke, 2018-01-04, 1 file, -56/+6

  This skips adding the DNS option for a larger UDP packet size than 512. This is a different fix for bug 9632.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dns_server: Do the exact match query first, then do the wildcard lookup
  Andrew Bartlett, 2017-12-19, 1 file, -0/+14

  The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name attribute. This is not as efficient as a base DN lookup, so we try for that first. A not-found and wildcard response will still fall back to the ONELEVEL index.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dns_server: Do not look for a wildcard for @
  Andrew Bartlett, 2017-12-19, 1 file, -0/+10

  This query is made for every record returned via BIND9 DLZ.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dns_server: Use the indexed "name" attribute in wildcard lookup
  Andrew Bartlett, 2017-12-19, 1 file, -7/+5

  (the RDN, being 'dc' in this use case, does not have an index in the AD schema).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dns server: fix warning about enum mismatch
  Uri Simchoni, 2017-11-22, 1 file, -1/+1

  Fix picky developer clang warning about assignment of an enum value to a variable of a different enum type.

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* source4/smbd: Do not overstamp the process model with "single"
  Gary Lockyer, 2017-10-19, 1 file, -12/+3

  Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct service_details in the init function.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* source4/smbd: refactor the process model for prefork
  Gary Lockyer, 2017-10-19, 1 file, -2/+7

  Refactor the process model code to allow the addition of a prefork process model.

  - Add a process context to contain process model specific state
  - Add a service details structure to allow service to indicate which process model options they can support.

  In the new code the services advertise the features they support to the process model. The process model context is plumbed through to allow the process model to keep track of the supported options, and any state the process model may require.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* samdb: Rework samdb_connect_url() to return LDB error code and an error string
  Andrew Bartlett, 2017-09-20, 1 file, -5/+10

  This allows debugging of why the LDB failed to start up.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* s4:bind_dlz: Try the 'binddns dir' first
  Andreas Schneider, 2017-09-16, 1 file, -6/+6

  The directory is normally empty if you did not provision or call samba_upgradedns for the bind_dlz module.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:bind_dlz: Use the 'binddns dir' if possible
  Andreas Schneider, 2017-09-05, 1 file, -3/+41

  The code makes sure we are backwards compatible. It will first check if we still have files in the private directory, if yes it will use those. If the file is not in the private directory it will try the binddns dir.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlet <abartlet@samba.org>
* dnsserver: Add support for dns wildcards
  Gary Lockyer, 2017-08-15, 6 files, -5/+380

  Add support for dns wildcard records. i.e. if the following records exist

    exact.samba.example.com 3600 A 1.1.1.1
    *.samba.example.com     3600 A 1.1.1.2

  look up on exact.samba.example.com will return 1.1.1.1
  look up on *.samba.example.com will return 1.1.1.2
  look up on other.samba.example.com will return 1.1.1.2

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
* dnsserver: Tighten DNS name checking
  Gary Lockyer, 2017-08-15, 1 file, -6/+29

  Add checks for the maximum permitted length, maximum number of labels and the maximum label length. These extra checks will be used by the DNS wild card handling.

  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
* Set log level for "Not authorative for" from 2 to 5
  Marc Muehlfeld, 2017-07-26, 1 file, -1/+1

  Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Marc Muehlfeld <mmuehlfeld@samba.org>
  Autobuild-Date(master): Wed Jul 26 21:34:48 CEST 2017 on sn-devel-144
* dns_server: Only install common library if AD DC is enabled.
  Andrew Bartlett, 2017-07-04, 1 file, -1/+2

  The library is used in selftest, so must still be built.

  This reverts commit d32b66b40c931fe8214faa2e1d40b34b86667d4c and replaces the behaviour.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* dnsserver/common: Use cached dnsHostName to reduce database reads
  Garming Sam, 2017-06-22, 1 file, -20/+4

  The code to clobber the host name appears to have caused DNS requests to use 3x as much resources.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jun 22 13:06:07 CEST 2017 on sn-devel-144
* dns_server: clobber MNAME in the SOA
  Andrew Bartlett, 2017-06-10, 4 files, -7/+59

  Otherwise, we always report the first server we created/provisioned the AD domain on, which does not match AD behaviour. AD is multi-master so all RW servers are a master.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* pydsdb_dns: Allow the partition DN to be specified into py_dsdb_dns_lookup
  Andrew Bartlett, 2017-06-10, 4 files, -10/+42

  This allows lookups to be confined to one partition, which in turn avoids issues when running this against MS Windows, which does not match Samba behaviour for dns_common_zones().

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* pydsdb_dns: Use TypeError not LdbError for mismatched types
  Andrew Bartlett, 2017-06-10, 1 file, -12/+3

  This avoids the samba-tool command handling code blowing up when trying to parse an LdbError.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* pydns: Also return the DN of the LDB object when finding a DNS record
  Andrew Bartlett, 2017-06-10, 1 file, -2/+3

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* pydns: Fix leak of talloc_stackframe() in python bindings
  Andrew Bartlett, 2017-06-10, 1 file, -3/+20

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4:dlz_bind9: assert SPNEGO/KRB5 and use gensec_update()
  Stefan Metzmacher, 2017-05-21, 1 file, -4/+38

  This avoids using gensec_update_ev() with a nested event loop.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dns_server: use samba_server_gensec_krb5_start() and gensec_update() in dns_query.c
  Stefan Metzmacher, 2017-05-21, 1 file, -9/+28

  This avoids using gensec_update_ev() with a nested event loop.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: Add TALLOC_CTX * to register_server_service().
  Jeremy Allison, 2017-05-11, 1 file, -1/+1

  Use the passed in context from callers. Remove one talloc_autofree_context().

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
  Jeremy Allison, 2017-04-22, 1 file, -2/+2

  Not currently used - no logic changes inside.

  This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global.

  Updated all known module interface numbers, and added a WHATSNEW.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Böhme <slow@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* dns: Provide local and remote socket address to GENSEC
  Andrew Bartlett, 2017-03-29, 3 files, -2/+36

  This can be used for logging and for Kerberos channel bindings.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* dnsserver_common: Add name check in name2dn
  Bob Campbell, 2016-12-12, 1 file, -2/+7

  Fills in the missing TODO.

  Note that this may also prevent deletion of existing corrupted records, but should be resolvable through RPC, or at worst LDAP.

  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dnsserver: add dns name checking
  Bob Campbell, 2016-12-12, 2 files, -1/+94

  This may also prevent deletion of existing corrupted records through DNS, but should be resolvable through RPC, or at worst LDAP.

  Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dlz-bind: Add support for BIND 9.11.x
  Amitay Isaacs, 2016-10-27, 2 files, -0/+37

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366
  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dlz-bind: Set DNS_CLIENTINFO_VERSION based on BIND version
  Amitay Isaacs, 2016-10-27, 1 file, -1/+7

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366
  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dlz-bind: Fix initialization of DLZ_DLOPEN_AGE
  Amitay Isaacs, 2016-10-27, 1 file, -1/+4

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366
  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* dlz-bind: Fix preprocessor checks for BIND versions
  Amitay Isaacs, 2016-10-27, 1 file, -8/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12366
  Signed-off-by: Amitay Isaacs <amitay@gmail.com>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* werror: replace WERR_INVALID_PARAM with WERR_INVALID_PARAMETER in source4/dns_server/
  Günther Deschner, 2016-09-28, 2 files, -4/+4

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* werror: replace WERR_NOMEM with WERR_NOT_ENOUGH_MEMORY in source4/dns_server/
  Günther Deschner, 2016-09-28, 6 files, -39/+39

  Guenther

  Signed-off-by: Guenther Deschner <gd@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4: dns: Correctly check for talloc failure.
  Jeremy Allison, 2016-06-16, 1 file, -0/+3

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Jun 16 16:55:15 CEST 2016 on sn-devel-144
* dns_server: Fix typo in dns_authoritative_for_zone() name.
  Garming Sam, 2016-06-16, 3 files, -6/+6

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4/dns_server: enable sending of TSIG error records
  Ralph Boehme, 2016-06-16, 1 file, -1/+3

  This final patch enables sending TSIG error records by adding DNS_RCODE_NOTAUTH to the set of error conditions that are allowed to trigger sending a full generated response.

  See RFC 2845 "4.5.1. KEY check and error handling" and "4.5.3. MAC check and error handling".

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: prepare sending correct error responses for dns_verify_tsig() errors
  Ralph Boehme, 2016-06-16, 1 file, -8/+7

  Call dns_verify_tsig() after updating state.flags and assign and use out_packet for dns_verify_tsig().

  We will need the updated flags when sending TSIG error responses when TSIG request MAC verification fails and dns_verify_tsig() uses the passed in packet as response, so we have to make sure we copy in_packet to out_packet before calling out and pass out_packet.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: don't compute TSIG MAC in TSIG error records
  Ralph Boehme, 2016-06-16, 1 file, -12/+15

  See RFC 2845 "4.3. TSIG on TSIG Error returns".

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: error codes for failing MAC verification in TSIG requests
  Ralph Boehme, 2016-06-16, 1 file, -1/+2

  According to RFC 2845 "4.5.3. MAC check and error handling" we must return NOTAUTH and DNS_RCODE_BADSIG when MAC verification fails.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: ensure we store the key name in error code paths
  Ralph Boehme, 2016-06-16, 1 file, -4/+17

  We need the TKEY name when adding TSIG records to error responses.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: not finding the key here is a fatal error
  Ralph Boehme, 2016-06-16, 1 file, -2/+1

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/dns_server: split out function that does the MAC computation
  Ralph Boehme, 2016-06-16, 1 file, -27/+48

  Split out function that does the MAC computation from the TSIG record creating function. This will later simplify the code when creating error responses to TSIG requests with bad MACs where we have to add the TSIG record with an empty MAC.

  No functional behaviour change besides hard coding "gss-tsig" algorithm name: later when sending a TSIG error response for a TKEY request with a bad keyname, we won't have a tkey to fetch the algorithm name from.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>