From 83024695075412f95c3d445ae0acd2e0a49b5c27 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 24 Jan 2025 11:50:36 +0100 Subject: [PATCH 1/2] Fix broken links in documentation Some detected links are not to be verified (127.*, dnssec-or-not.com) and some I can't fix (flaticon, godaddy, icann), but they are not crucial. --- bin/dnssec/dnssec-signzone.rst | 4 ++-- doc/arm/build.inc.rst | 9 +++++---- doc/arm/general.rst | 2 +- doc/arm/intro-dns-bind.inc.rst | 2 +- doc/arm/pkcs11.inc.rst | 2 +- doc/arm/reference.rst | 6 +++--- doc/arm/rpz.inc.rst | 4 ++-- doc/arm/troubleshooting.inc.rst | 2 +- doc/changelog/changelog-9.21.1.rst | 4 ++-- doc/dnssec-guide/introduction.rst | 2 +- doc/dnssec-guide/preface.rst | 2 +- doc/dnssec-guide/validation.rst | 2 +- 12 files changed, 21 insertions(+), 20 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index fffae1980a..bfeede3830 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -274,7 +274,7 @@ Options with cached copies of the old DNSKEY RRset. The :option:`-Q` option forces :program:`dnssec-signzone` to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in - :rfc:`6781#4.1.1.1` ("Pre-Publish Key Rollover"). + :rfc:`6781#section-4.1.1.1` ("Pre-Publish Zone Signing Key Rollover"). .. option:: -q @@ -291,7 +291,7 @@ Options This option is similar to :option:`-Q`, except it forces :program:`dnssec-signzone` to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in - :rfc:`6781#4.1.1.2` ("Double Signature Zone Signing Key + :rfc:`6781#section-4.1.1.2` ("Double Signature Zone Signing Key Rollover"). .. option:: -S diff --git a/doc/arm/build.inc.rst b/doc/arm/build.inc.rst index 10dd3eaddd..b87b82c9ce 100644 --- a/doc/arm/build.inc.rst +++ b/doc/arm/build.inc.rst @@ -105,8 +105,9 @@ unavailable, ``--disable-doh`` can be used to disable DoH support. To support the HTTP statistics channel, the server must be linked with at least one of the following libraries: ``libxml2`` -(http://xmlsoft.org) or ``json-c`` (https://github.com/json-c/json-c). -If these are installed at a nonstandard location, then: +(https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home) or ``json-c`` +(https://github.com/json-c/json-c). If these are installed at a +nonstandard location, then: - for ``libxml2``, specify the prefix using ``--with-libxml2=/prefix``, - for ``json-c``, adjust ``PKG_CONFIG_PATH``. @@ -130,7 +131,7 @@ installed in a nonstandard location, specify the prefix using For DNSTAP packet logging, ``libfstrm`` (https://github.com/farsightsec/fstrm) and ``libprotobuf-c`` -(https://developers.google.com/protocol-buffers) must be installed, and +(https://protobuf.dev) must be installed, and BIND must be configured with ``--enable-dnstap``. To support internationalized domain names in :iscman:`dig`, ``libidn2`` @@ -176,6 +177,6 @@ macOS Building on macOS assumes that the “Command Tools for Xcode” are installed. These can be downloaded from -https://developer.apple.com/download/more/ or, if Xcode is already +https://developer.apple.com/xcode/resources/ or, if Xcode is already installed, simply run ``xcode-select --install``. (Note that an Apple ID may be required to access the download page.) diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 5cf402cfd7..3127d06774 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -39,7 +39,7 @@ The list is non-exhaustive. .. _Internet Engineering Steering Group: https://www.ietf.org/about/groups/iesg/ .. _Internet Engineering Task Force: https://www.ietf.org/about/ -.. _Request for Comments: https://www.ietf.org/standards/rfcs/ +.. _Request for Comments: https://www.ietf.org/process/rfcs/ Some of these RFCs, though DNS-related, are not concerned with implementing software. diff --git a/doc/arm/intro-dns-bind.inc.rst b/doc/arm/intro-dns-bind.inc.rst index 58b0d2952c..f37cfa30a8 100644 --- a/doc/arm/intro-dns-bind.inc.rst +++ b/doc/arm/intro-dns-bind.inc.rst @@ -102,7 +102,7 @@ that could be packed into a 512-byte UDP message, and not a perverse affinity fo cultures treat as unlucky. The 512-byte UDP data limit is no longer a limiting factor and all root servers now support both IPv4 and IPv6. In addition, almost all the root servers use **anycast**, with well over -300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org). +300 instances of the root servers now providing service worldwide (see further information at https://root-servers.org). The root servers are the starting point for all **name resolution** within the DNS. Name Resolution diff --git a/doc/arm/pkcs11.inc.rst b/doc/arm/pkcs11.inc.rst index 020796676a..bd0d5ead85 100644 --- a/doc/arm/pkcs11.inc.rst +++ b/doc/arm/pkcs11.inc.rst @@ -42,7 +42,7 @@ Building SoftHSMv2 ^^^^^^^^^^^^^^^^^^ SoftHSMv2, the latest development version of SoftHSM, is available from -https://github.com/opendnssec/SoftHSMv2. It is a software library +https://github.com/softhsm/SoftHSMv2. It is a software library developed by the OpenDNSSEC project (https://www.opendnssec.org) which provides a PKCS#11 interface to a virtual HSM, implemented in the form of an SQLite3 database on the local filesystem. It provides less security diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 23b2a3fc34..e0c661226f 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -1181,7 +1181,7 @@ default is used. https://github.com/farsightsec/fstrm) to send event payloads which are encoded using Protocol Buffers (``libprotobuf-c``, a mechanism for serializing structured data developed by Google, Inc.; see - https://developers.google.com/protocol-buffers/). + https://protobuf.dev). To enable :any:`dnstap` at compile time, the ``fstrm`` and ``protobuf-c`` libraries must be available, and BIND must be @@ -5743,7 +5743,7 @@ The following options can be specified in a :any:`tls` statement: ``TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256``. The string must be formed according to the rules specified in the OpenSSL documentation (see - https://www.openssl.org/docs/man1.1.1/man1/ciphers.html, section + https://docs.openssl.org/1.1.1/man1/ciphers/, section "TLS v1.3 cipher suites" for details). .. namedconf:statement:: ciphers @@ -5753,7 +5753,7 @@ The following options can be specified in a :any:`tls` statement: This option defines allowed ciphers, such as ``HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384``. The string must be formed according to the rules specified in the OpenSSL documentation - (see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html + (see https://docs.openssl.org/1.1.1/man1/ciphers/ for details). .. namedconf:statement:: prefer-server-ciphers diff --git a/doc/arm/rpz.inc.rst b/doc/arm/rpz.inc.rst index 500d153983..163fb58f7a 100644 --- a/doc/arm/rpz.inc.rst +++ b/doc/arm/rpz.inc.rst @@ -727,8 +727,8 @@ particular). This is a concern for some network administrators who do not want their users' DNS queries to be rerouted unexpectedly. However, Mozilla provides a mechanism to disable the DoH-by-default setting: if the Mozilla-owned domain `use-application-dns.net -`_ returns an NXDOMAIN response code, Firefox -will not use DoH. +`_ +returns an NXDOMAIN response code, Firefox will not use DoH. To accomplish this using RPZ: diff --git a/doc/arm/troubleshooting.inc.rst b/doc/arm/troubleshooting.inc.rst index a2d81a9f1d..ec871c15ea 100644 --- a/doc/arm/troubleshooting.inc.rst +++ b/doc/arm/troubleshooting.inc.rst @@ -42,7 +42,7 @@ back to plain DNS queries without EDNS. Such workarounds cause unnecessary resolution delays, increase code complexity, and prevent deployment of new DNS features. In February 2019, all major DNS software vendors removed these -workarounds; see https://dnsflagday.net/2019 for further details. This change +workarounds; see https://www.dnsflagday.net/2019/ for further details. This change was implemented in BIND as of release 9.14.0. As a result, some domains may be non-resolvable without manual diff --git a/doc/changelog/changelog-9.21.1.rst b/doc/changelog/changelog-9.21.1.rst index cc42507bb7..824c283e69 100644 --- a/doc/changelog/changelog-9.21.1.rst +++ b/doc/changelog/changelog-9.21.1.rst @@ -25,8 +25,8 @@ New Features are loaded from the currently active bundle from the imported SKR. The implementation is loosely based on: - https://www.iana.org/dnssec/archive/files/draft-icann-dnssec- - keymgmt-01.txt :gl:`#1128` :gl:`!9119` + https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt + :gl:`#1128` :gl:`!9119` - Implement the 'request-ixfr-max-diffs' configuration option. ``99b18bab7e1`` diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst index 8809445f2b..7539b93e99 100644 --- a/doc/dnssec-guide/introduction.rst +++ b/doc/dnssec-guide/introduction.rst @@ -376,7 +376,7 @@ want to consider deploying DNSSEC: requesting all ``.gov`` subdomains to be DNSSEC-signed by December 2009. This explains why ``.gov`` is the most-deployed DNSSEC domain currently, with `around 90% of subdomains - signed. `__ + signed. `__ .. _how_does_dnssec_change_my_job: diff --git a/doc/dnssec-guide/preface.rst b/doc/dnssec-guide/preface.rst index fb6bd67d68..7a898bd53d 100644 --- a/doc/dnssec-guide/preface.rst +++ b/doc/dnssec-guide/preface.rst @@ -78,6 +78,6 @@ Considerations" by S. Morris, J. Ihren, J. Dickinson, and W. Mekking, subsequently published as :rfc:`7583`. Icons made by `Freepik `__ and -`SimpleIcon `__ from +`SimpleIcon `__ from `Flaticon `__, licensed under `Creative Commons BY 3.0 `__. diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index 3bcd065edc..a7135f86d5 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -110,7 +110,7 @@ Configure your client computer to use the newly reconfigured recursive server for DNS resolution; then use one of these web-based tests to confirm that it is in fact validating DNS responses. -- `Internet.nl `__ +- `Internet.nl `__ - `DNSSEC or Not (VeriSign) `__ From 48eab764273fe2e2b47ebbf08b6120d74ff11b81 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Fri, 24 Jan 2025 11:50:49 +0100 Subject: [PATCH 2/2] Add linkcheck job --- .gitlab-ci.yml | 12 ++++++++++++ doc/arm/conf.py | 14 ++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0b4637f9b9..d386dbfbd0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -683,6 +683,18 @@ changelog: artifacts: untracked: true +linkcheck: + <<: *base_image + stage: docs + script: + - pushd doc/arm/ > /dev/null && sphinx-build -b linkcheck . linkcheck_output/ + artifacts: + paths: + - doc/arm/linkcheck_output/ + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + needs: [] + docs: <<: *default_triggering_rules <<: *base_image diff --git a/doc/arm/conf.py b/doc/arm/conf.py index 4f2d9e98cd..d3c27e4dc8 100644 --- a/doc/arm/conf.py +++ b/doc/arm/conf.py @@ -214,6 +214,20 @@ latex_documents = [ latex_logo = "isc-logo.pdf" +# -- Options for linkcheck ---------------------------------------------- +linkcheck_timeout = 10 +linkcheck_ignore = [ + "http://127.0.0.1", + "https://gitlab.isc.org", + "https://kb.isc.org", + "https://simpleicon.com/", + "https://www.dnssec-or-not.com/", + "https://www.flaticon.com/", + "https://www.freepik.com/", + "https://www.godaddy.com", + "https://www.icann.org", +] + # # The rst_epilog will be completely overwritten from the Makefile, # the definition here is provided purely for situations when