Merge branch 'master' into features/af-xdp

Author: mozzieongit

.github/workflows/analysis_ports.yml

@@ -51,6 +51,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - name: cross-platform-action on ${{ matrix.cross_platform_os }} ${{ matrix.cross_platform_version }}
         if: ${{ matrix.with_cross_platform_action == 'yes' }}
         uses: cross-platform-actions/[email protected]

.github/workflows/build-test.yml

@@ -16,13 +16,15 @@ jobs:
             cc: clang
             cflags: -g2 -O0 -fsanitize=address,undefined,leak -fno-sanitize-recover=all
             packages: autoconf automake libtool make libevent-dev libssl-dev flex bison
-          - os: macos-12
+          - os: macos-15
             cflags: -g2 -O0 -fsanitize=address,undefined -fno-sanitize-recover=all
-            packages: autoconf automake libtool openssl libevent flex bison
+            packages: autoconf automake libtool flex bison
+            # The libevent and openssl packages are already installed.
     steps:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - name: 'Workaround for actions/runner-images#9491'
         if: runner.os == 'Linux'
         run: sudo sysctl vm.mmap_rnd_bits=28
@@ -47,7 +49,11 @@ jobs:
           autoconf && autoheader
           (cd simdzone && autoconf && autoheader)
           libtoolize -c -i || glibtoolize -c -i
-          ./configure --enable-checking --disable-flto --with-ssl=yes --with-libevent=yes
+          if test "${{runner.os}}" = 'macOS'; then
+            ./configure --enable-checking --disable-flto --with-ssl=/opt/homebrew/opt/openssl --with-libevent=/opt/homebrew/opt/libevent
+          else
+            ./configure --enable-checking --disable-flto --with-ssl=yes --with-libevent=yes
+          fi
           make -j 2
       - name: 'Run tests'
         id: test

.github/workflows/coverity-scan.yml

@@ -25,6 +25,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - id: install_packages
         shell: bash
         run: |

Makefile.in

@@ -258,6 +258,10 @@ server-key-file{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_KEY_FILE;
 server-cert-file{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_CERT_FILE;}
 control-key-file{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_KEY_FILE;}
 control-cert-file{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_CONTROL_CERT_FILE;}
+metrics-enable{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_METRICS_ENABLE;}
+metrics-interface{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_METRICS_INTERFACE;}
+metrics-port{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_METRICS_PORT;}
+metrics-path{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_METRICS_PATH;}
 AXFR			{ LEXOUT(("v(%s) ", yytext)); return VAR_AXFR;}
 UDP			{ LEXOUT(("v(%s) ", yytext)); return VAR_UDP;}
 rrl-size{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_RRL_SIZE;}
@@ -286,6 +290,7 @@ dnstap-version{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_VERSION; }
 dnstap-log-auth-query-messages{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_LOG_AUTH_QUERY_MESSAGES; }
 dnstap-log-auth-response-messages{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_DNSTAP_LOG_AUTH_RESPONSE_MESSAGES; }
 log-time-ascii{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_LOG_TIME_ASCII;}
+log-time-iso{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_LOG_TIME_ISO;}
 round-robin{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ROUND_ROBIN;}
 minimal-responses{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_MINIMAL_RESPONSES;}
 confine-to-zone{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_CONFINE_TO_ZONE;}
@@ -312,6 +317,7 @@ proxy-protocol-port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PROXY_PROTOC
 answer-cookie{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ANSWER_COOKIE;}
 cookie-secret{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_COOKIE_SECRET;}
 cookie-secret-file{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_COOKIE_SECRET_FILE;}
+cookie-staging-secret{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_COOKIE_STAGING_SECRET;}
 xfrd-tcp-max{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_XFRD_TCP_MAX;}
 xfrd-tcp-pipeline{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_XFRD_TCP_PIPELINE;}
 verify{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_VERIFY; }

configlexer.lex

@@ -111,6 +111,7 @@ struct component {
 %token VAR_STATISTICS
 %token VAR_XFRD_RELOAD_TIMEOUT
 %token VAR_LOG_TIME_ASCII
+%token VAR_LOG_TIME_ISO
 %token VAR_ROUND_ROBIN
 %token VAR_MINIMAL_RESPONSES
 %token VAR_CONFINE_TO_ZONE
@@ -138,6 +139,10 @@ struct component {
 %token VAR_DROP_UPDATES
 %token VAR_XFRD_TCP_MAX
 %token VAR_XFRD_TCP_PIPELINE
+%token VAR_METRICS_ENABLE
+%token VAR_METRICS_INTERFACE
+%token VAR_METRICS_PORT
+%token VAR_METRICS_PATH
 
 /* dnstap */
 %token VAR_DNSTAP
@@ -195,6 +200,7 @@ struct component {
 %token VAR_ANSWER_COOKIE
 %token VAR_COOKIE_SECRET
 %token VAR_COOKIE_SECRET_FILE
+%token VAR_COOKIE_STAGING_SECRET
 %token VAR_MAX_REFRESH_TIME
 %token VAR_MIN_REFRESH_TIME
 %token VAR_MAX_RETRY_TIME
@@ -461,6 +467,11 @@ server_option:
       cfg_parser->opt->log_time_ascii = $2;
       log_time_asc = cfg_parser->opt->log_time_ascii;
     }
+  | VAR_LOG_TIME_ISO boolean
+    {
+      cfg_parser->opt->log_time_iso = $2;
+      log_time_iso = cfg_parser->opt->log_time_iso;
+    }
   | VAR_ROUND_ROBIN boolean
     {
       cfg_parser->opt->round_robin = $2;
@@ -516,9 +527,39 @@ server_option:
   | VAR_ANSWER_COOKIE boolean
     { cfg_parser->opt->answer_cookie = $2; }
   | VAR_COOKIE_SECRET STRING
-    { cfg_parser->opt->cookie_secret = region_strdup(cfg_parser->opt->region, $2); }
+    {
+      uint8_t secret[32];
+      ssize_t len = hex_pton($2, secret, NSD_COOKIE_SECRET_SIZE);
+
+      if(len != NSD_COOKIE_SECRET_SIZE) {
+        yyerror("expected a 128 bit hex string");
+      } else {
+        cfg_parser->opt->cookie_secret = region_strdup(cfg_parser->opt->region, $2);
+      }
+    }
+  | VAR_COOKIE_STAGING_SECRET STRING
+    {
+      uint8_t secret[32];
+      ssize_t len = hex_pton($2, secret, NSD_COOKIE_SECRET_SIZE);
+
+      if(len != NSD_COOKIE_SECRET_SIZE) {
+        yyerror("expected a 128 bit hex string");
+      } else {
+        cfg_parser->opt->cookie_staging_secret = region_strdup(cfg_parser->opt->region, $2);
+      }
+    }
   | VAR_COOKIE_SECRET_FILE STRING
-    { cfg_parser->opt->cookie_secret_file = region_strdup(cfg_parser->opt->region, $2); }
+    {
+      /* Empty filename means explicitly disabled cookies from file, internally
+       * represented as NULL.
+       * Note that after parsing, if no value was configured, then
+       * cookie_secret_file_is_default is still 1, then the default cookie
+       * secret file value will be assigned to cookie_secret_file.
+       */
+      if(*$2) cfg_parser->opt->cookie_secret_file = region_strdup(cfg_parser->opt->region, $2);
+      cfg_parser->opt->cookie_secret_file_is_default = 0;
+    }
+    
   | VAR_XFRD_TCP_MAX number
     { cfg_parser->opt->xfrd_tcp_max = (int)$2; }
   | VAR_XFRD_TCP_PIPELINE number
@@ -578,6 +619,40 @@ server_option:
 #ifdef USE_XDP
       cfg_parser->opt->xdp_bpffs_path = region_strdup(cfg_parser->opt->region, $2);
 #endif
+	}
+  | VAR_METRICS_ENABLE boolean
+    {
+#ifdef USE_METRICS
+      cfg_parser->opt->metrics_enable = $2;
+#endif /* USE_METRICS */
+    }
+  | VAR_METRICS_INTERFACE ip_address
+    {
+#ifdef USE_METRICS
+      struct ip_address_option *ip = cfg_parser->opt->metrics_interface;
+      if(ip == NULL) {
+        cfg_parser->opt->metrics_interface = $2;
+      } else {
+        while(ip->next != NULL) { ip = ip->next; }
+        ip->next = $2;
+      }
+#endif /* USE_METRICS */
+    }
+  | VAR_METRICS_PORT number
+    {
+#ifdef USE_METRICS
+      if($2 == 0) {
+        yyerror("metrics port number expected");
+      } else {
+        cfg_parser->opt->metrics_port = (int)$2;
+      }
+#endif /* USE_METRICS */
+    }
+  | VAR_METRICS_PATH STRING
+    {
+#ifdef USE_METRICS
+      cfg_parser->opt->metrics_path = region_strdup(cfg_parser->opt->region, $2);
+#endif /* USE_METRICS */
     }
   ;
 

configparser.y

@@ -7,7 +7,7 @@ sinclude(dnstap/dnstap.m4)
 
 # autoconf-2.70 is needed for @runstatedir@
 AC_PREREQ([2.70])
-AC_INIT([NSD],[4.10.1],[https://github.com/NLnetLabs/nsd/issues or [email protected]])
+AC_INIT([NSD],[4.11.2],[https://github.com/NLnetLabs/nsd/issues or [email protected]])
 AC_CONFIG_HEADERS([config.h])
 
 #
@@ -126,6 +126,12 @@ AC_ARG_WITH([zonelistfile], AS_HELP_STRING([--with-zonelistfile=path],[Pathname
 AC_DEFINE_UNQUOTED(ZONELISTFILE, ["`eval echo $zonelistfile`"], [Pathname to the NSD zone list file.])
 AC_SUBST(zonelistfile)
 
+# default cookiesecrets file location.
+cookiesecretsfile=${dbdir}/cookiesecrets.txt
+AC_ARG_WITH([cookiesecretsfile], AS_HELP_STRING([--with-cookiesecretsfile=path],[Pathname to the NSD cookie secrets file]), [cookiesecretsfile=$withval])
+AC_DEFINE_UNQUOTED(COOKIESECRETSFILE, ["`eval echo $cookiesecretsfile`"], [Pathname to the NSD cookies secrets file.])
+AC_SUBST(cookiesecretsfile)
+
 # default xfr dir location.
 xfrdir="/tmp"
 AC_ARG_WITH([xfrdir], AS_HELP_STRING([--with-xfrdir=path],[Pathname to where the NSD transfer dir is created]), [xfrdir=$withval])
@@ -1177,6 +1183,19 @@ case "$enable_xdp" in
 esac
 AC_SUBST(xdp)
 
+AC_ARG_ENABLE(prometheus-metrics, AS_HELP_STRING([--enable-prometheus-metrics],[Enable prometheus metrics support.]))
+case "$enable_prometheus_metrics" in
+	yes)
+		AC_DEFINE_UNQUOTED([USE_METRICS], [], [Define this to expose NSD statistics via a prometheus metrics HTTP endpoint.])
+		AC_DEFINE_UNQUOTED([NSD_METRICS_PORT], [9100], [Define to the default metrics HTTP endpoint port.])
+		AC_SEARCH_LIBS(evhttp_free, [event], , AC_MSG_ERROR(Cannot find libevent, but is needed for prometheus metrics support.))
+        AC_SUBST([METRICS_SRC], ["metrics.c"])
+        AC_SUBST([METRICS_OBJ], ["metrics.o"])
+		;;
+	no|*)
+		;;
+esac
+
 # check for dnstap if requested
 dt_DNSTAP([${localstatedir}/run/nsd-dnstap.sock],
     [

configure.ac

@@ -75,6 +75,8 @@ namedb_zone_create(namedb_type* db, const dname_type* dname,
 	zone->opts = zo;
 	zone->ixfr = NULL;
 	zone->filename = NULL;
+	zone->includes.count = 0;
+	zone->includes.paths = NULL;
 	zone->logstr = NULL;
 	zone->mtime.tv_sec = 0;
 	zone->mtime.tv_nsec = 0;
@@ -89,6 +91,34 @@ namedb_zone_create(namedb_type* db, const dname_type* dname,
 	return zone;
 }
 
+void
+namedb_zone_free_filenames(namedb_type *db, zone_type* zone)
+{
+	assert(!zone->includes.paths == !zone->includes.count);
+
+	if (zone->filename) {
+		region_recycle(
+			db->region, zone->filename, strlen(zone->filename) + 1);
+		zone->filename = NULL;
+	}
+
+	if (zone->includes.count) {
+		for (size_t i=0; i < zone->includes.count; i++) {
+			region_recycle(
+				db->region,
+				zone->includes.paths[i],
+				strlen(zone->includes.paths[i]) + 1);
+		}
+
+		region_recycle(
+			db->region,
+			zone->includes.paths,
+			zone->includes.count * sizeof(*zone->includes.paths));
+		zone->includes.count = 0;
+		zone->includes.paths = NULL;
+	}
+}
+
 void
 namedb_zone_delete(namedb_type* db, zone_type* zone)
 {
@@ -119,9 +149,7 @@ namedb_zone_delete(namedb_type* db, zone_type* zone)
 	hash_tree_delete(db->region, zone->dshashtree);
 #endif
 	zone_ixfr_free(zone->ixfr);
-	if(zone->filename)
-		region_recycle(db->region, zone->filename,
-			strlen(zone->filename)+1);
+	namedb_zone_free_filenames(db, zone);
 	if(zone->logstr)
 		region_recycle(db->region, zone->logstr,
 			strlen(zone->logstr)+1);
@@ -236,12 +264,27 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb,
 		/* if zone_fname, then the file was acquired from reading it,
 		 * and see if filename changed or mtime newer to read it */
 		} else if(zone_fname && strcmp(zone_fname, fname) == 0 &&
-		   timespec_compare(&zone_mtime, &mtime) == 0) {
-			VERBOSITY(3, (LOG_INFO, "zonefile %s is not modified",
-				fname));
-			return;
+			timespec_compare(&zone_mtime, &mtime) == 0) {
+			int changed = 0;
+			struct timespec include_mtime;
+			/* one of the includes may have been deleted, changed, etc */
+			for (size_t i=0; i < zone->includes.count; i++) {
+				if (!file_get_mtime(zone->includes.paths[i], &include_mtime, &nonexist)) {
+					changed = 1;
+				} else if (timespec_compare(&zone_mtime, &include_mtime) < 0) {
+					mtime = include_mtime;
+					changed = 1;
+				}
+			}
+
+			if (!changed) {
+				VERBOSITY(3, (LOG_INFO, "zonefile %s is not modified",
+					fname));
+				return;
+			}
 		}
 	}
+
 	if(ixfr_create_from_difference(zone, fname,
 		&ixfr_create_already_done)) {
 		ixfrcr = ixfr_create_start(zone, fname,
@@ -252,6 +295,9 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb,
 		}
 	}
 
+	namedb_zone_free_filenames(nsd->db, zone);
+	zone->filename = region_strdup(nsd->db->region, fname);
+
 	/* wipe zone from memory */
 #ifdef NSEC3
 	nsec3_clear_precompile(nsd->db, zone);
@@ -271,10 +317,7 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb,
 		zone->nsec3_param = NULL;
 #endif
 		delete_zone_rrs(nsd->db, zone);
-		if(zone->filename)
-			region_recycle(nsd->db->region, zone->filename,
-				strlen(zone->filename)+1);
-		zone->filename = NULL;
+		namedb_zone_free_filenames(nsd->db, zone);
 		if(zone->logstr)
 			region_recycle(nsd->db->region, zone->logstr,
 				strlen(zone->logstr)+1);
@@ -286,10 +329,6 @@ namedb_read_zonefile(struct nsd* nsd, struct zone* zone, udb_base* taskudb,
 		zone->is_changed = 0;
 		/* store zone into udb */
 		zone->mtime = mtime;
-		if(zone->filename)
-			region_recycle(nsd->db->region, zone->filename,
-				strlen(zone->filename)+1);
-		zone->filename = region_strdup(nsd->db->region, fname);
 		if(zone->logstr)
 			region_recycle(nsd->db->region, zone->logstr,
 				strlen(zone->logstr)+1);

dbaccess.c

@@ -256,6 +256,8 @@ namedb_write_zonefile(struct nsd* nsd, struct zone_options* zopt)
 			return;
 		}
 		zone->is_changed = 0;
+		VERBOSITY(3, (LOG_INFO, "zone %s written to file %s",
+			zone->opts->name, zfile));
 		/* fetch the mtime of the just created zonefile so we
 		 * do not waste effort reading it back in */
 		if(!file_get_mtime(zfile, &mtime, &notexist)) {