Commit Graph

42185 Commits

Author SHA1 Message Date
Nicki Křížek
02cf566312 Ensure changelog job builds docs with the new entry
The changelog job is supposed to test that the text from GitLab MR
title&description is valid rst syntax and can be built with sphinx. In
49128fc1, the way gitchangelog generates entries was changed - it no
longer writes to the changelog file, but generates output on stdout
instead. Ensure the generated notes is actually written to (some)
rendered file which is part of the docs so that the subsequent sphinx
build attempts to render the note.

(cherry picked from commit 380a30ba8d)
2025-01-24 18:11:11 +00:00
Colin Vidal
b3eab79bc1 [9.20] new: usr: adds support for EDE code 1 and 2
Add support for EDE codes 1 & 2 which might occurs during DNSSEC validation in case of unsupported RRSIG algorithm or DNSKEY digest.

See #2715

Backport of MR !9948

Merge branch 'backport-2715-ede-unsupported-digest-alg-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9996
2025-01-24 14:58:46 +00:00
Colin Vidal
b61e1a5bcf add DNSSEC EDE test for unsupported digest and alg
A DNSSEC validation can fail in the case where multiple DNSKEY are
available for a zone and none of them are supported, but for different
reasons: one has a DS record in the parent zone using an unsupported
digest while the other one uses an unsupported encryption algorithm.

Add a specific test case covering this flow and making sure that two
extended DNS error are provided: code 1 and 2, each of them highlighting
unsupported algorithm and digest.

(cherry picked from commit 244923b9dc)
2025-01-24 14:27:17 +01:00
Colin Vidal
e133411451 tests for support for EDE 1 & 2
(cherry picked from commit 8b50d63fe1)
2025-01-24 14:27:17 +01:00
Colin Vidal
6c65d70ce5 add support for EDE code 1 and 2
Add support for EDE codes 1 (Unsupported DNSKEY Algorithm) and 2
(Unsupported DS Digest Type) which might occurs during DNSSEC
validation in case of unsupported DNSKEY algorithm or DS digest type.

Because DNSSEC internally kicks off various fetches, we need to copy
all encountered extended errors from fetch responses to the fetch
context. Upon an event, the errors from the fetch context are copied
to the client response.

(cherry picked from commit 46a58acdf5)
2025-01-24 14:27:16 +01:00
Michal Nowak
20057d587f [9.20] chg: test: Rewrite cipher-suites system test to pytest
The minimal dnspython version to run this test is 2.5.0.

Backport of MR !8662

Merge branch 'backport-mnowak/pytest_rewrite_cipher-suites-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9992
2025-01-24 09:31:16 +00:00
Michal Nowak
d2c8694930 Rename have_* marks to with_*
Marks starting with "with" or "without" make more sense linguistically
than those starting with "have" or "have_not".

(cherry picked from commit df7e9f4ac3)
2025-01-24 08:56:36 +00:00
Nicki Křížek
e7a469133c Test cipher-suites after zone transfers complete
Ensure the zone transfers have completed (successfully or not) before
running the test cases, because they assume zone transfers have been
done.

(cherry picked from commit 23fb615963)
2025-01-24 08:56:36 +00:00
Nicki Křížek
2eb5ce24fb Make servers fixture in pytest module-wide
The servers are setup and torn down once per each test module. All the
logs and server state persists between individual tests within the same
module. The servers fixture representing these servers should be
module-wide as well.

(cherry picked from commit a72ff9fd57)
2025-01-24 08:56:36 +00:00
Michal Nowak
f3f7667fc7 Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().

(cherry picked from commit 100b759863)
2025-01-24 08:56:36 +00:00
Michal Nowak
3047cc9a25 Use Debian "sid" for pylint and mypy jobs to get recent dnspython
The base image tends to have a rather old dnspython version and when
used with pylint and mypy it produces errors about newer dnspython
features the old version does not know about.

    $ mypy "bin/tests/system/isctest/"
    bin/tests/system/isctest/query.py:55: error: Unexpected keyword argument "verify" for "tls"  [call-arg]
    /usr/lib/python3/dist-packages/dns/query.py:958: note: "tls" defined here

    $ pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py')
    ************* Module isctest.query
    bin/tests/system/isctest/query.py:55:11: E1123: Unexpected keyword argument 'verify' in function call (unexpected-keyword-arg)

(cherry picked from commit b2964cc922)
2025-01-24 08:56:36 +00:00
Michal Nowak
9f356962ec Add isctest.query.tls() function
When explicitly set to True, the "verify" argument lets dnspython verify
certificates used for the connection. As most certificates in the system
test will inevitably be self-signed, the "verify" argument defaults to
False.

The "verify" argument is present in dnspython since the version 2.5.0.

(cherry picked from commit df8c419058)
2025-01-24 08:56:36 +00:00
Michal Nowak
1a4fb0550b Add "without_fips" mark
The "without_fips" mark disables test function when BIND 9 was built
with the FIPS mode enabled as not everything works in FIPS-enabled
builds.

(cherry picked from commit feecbd8e77)
2025-01-24 08:56:36 +00:00
Nicki Křížek
d79b113f93 [9.20] chg: ci: Set stricter limits for respdiff testing
Adjust the limit of maximum disagreements in respdiff results based on
recent pipeline results.

The respdiff and respdiff:asan seem to have almost identical results,
typically around 0.07 % of differences with ocassional spikes up to
around 0.11 %. Similar results are for respdiff:tsan, perhaps with more
common spikes with values up to around 0.12 %. Set the limit to 0.15 %
to allow for some tolerance due to network conditions, time of day etc.

The respdiff:third-party has a slightly higher disagreements average,
with typical values being around 0.12 %. Set the limit to 0.2 %.

Exceeding either of those values should be quite clear indication that
some resolution behaviour has changed, since the values appear to be
very stable within the newly configured limits.

Backport of MR !9950

Merge branch 'backport-nicki/ci-respdiff-limits-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9989
2025-01-23 17:48:09 +00:00
Nicki Křížek
a4f480ba04 Set stricter limits for respdiff testing
Adjust the limit of maximum disagreements in respdiff results based on
recent pipeline results.

The respdiff and respdiff:asan seem to have almost identical results,
typically around 0.07 % of differences with ocassional spikes up to
around 0.11 %. Similar results are for respdiff:tsan, perhaps with more
common spikes with values up to around 0.12 %. Set the limit to 0.15 %
to allow for some tolerance due to network conditions, time of day etc.

The respdiff:third-party has a slightly higher disagreements average,
with typical values being around 0.12 %. Set the limit to 0.2 %.

Exceeding either of those values should be quite clear indication that
some resolution behaviour has changed, since the values appear to be
very stable within the newly configured limits.

(cherry picked from commit 0584d3f65f)
2025-01-23 18:29:31 +01:00
Matthijs Mekking
fe95badcd0 [9.20] chg: doc: Document how secondaries refresh a zone in the ARM
Closes #5123

Backport of MR !9966

Merge branch 'backport-5123-document-refreshing-a-secondary-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9986
2025-01-23 16:27:45 +00:00
Matthijs Mekking
049ac923b7 Document how secondaries refresh a zone in the ARM
We have a KB article that describes this, put a condensed version into
the ARM.

(cherry picked from commit 8daf3782d1)
2025-01-23 15:53:54 +00:00
Matthijs Mekking
ddda6cb59e [9.20] fix: usr: Fix a bug in dnssec-signzone related to keys being offline
In the case when `dnssec-signzone` is called on an already signed zone, and the private key file is unavailable, a signature that needs to be refreshed may be dropped without being able to generate a replacement. This has been fixed.

Closes #5126

Backport of MR !9951

Merge branch 'backport-5126-dnssec-signzone-retain-rrsig-if-key-is-offline-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9982
2025-01-23 15:46:27 +00:00
Matthijs Mekking
9d6302b32c dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

(cherry picked from commit 5e3aef364f)
2025-01-23 14:04:03 +00:00
Matthijs Mekking
cf73c9b1a9 Test dnssec-signzone with private key file missing
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

(cherry picked from commit 0a91321d78)
2025-01-23 14:04:03 +00:00
Colin Vidal
4d945128dc [9.20] new: usr: Add support for multiple extended DNS errors
Extended DNS error mechanism (EDE) may have several errors raised during a DNS resolution. `named` is now able to add up to three EDE codes in a DNS response. In the case of duplicate error codes, only the first one will be part of the DNS response.

Closes #5085

Backport of MR !9952

Merge branch 'backport-5085-multiple-ede-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9978
2025-01-23 13:46:03 +00:00
Colin Vidal
01bbc357c7 add unit tests covering multiple EDE support
(cherry picked from commit 950a0cffb3)
2025-01-23 13:12:53 +00:00
Colin Vidal
e685443c74 add support for multiple EDE
Extended DNS error mechanism (EDE) enables to have several EDE raised
during a DNS resolution (typically, a DNSSEC query will do multiple
fetches which each of them can have an error). Add support to up to 3
EDE errors in an DNS response. If duplicates occur (two EDEs with the
same code, the extra text is not compared), only the first one will be
part of the DNS answer.

Because the maximum number of EDE is statically fixed, `ns_client_t`
object own a static vector of `DNS_DE_MAX_ERRORS` (instead of a linked
list, for instance). The array can be fully filled (all slots point to
an allocated `dns_ednsopt_t` object) or partially filled (or
empty). In such case, the first NULL slot means there is no more EDE
objects.

(cherry picked from commit 4096f27130)
2025-01-23 13:12:53 +00:00
Matthijs Mekking
2bbb30156b [9.20] fix: doc: Clarify dnssec-signzone interval option
There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

Closes #5128

Backport of MR !9955

Merge branch 'backport-5128-clarify-dnssec-signzone-interval-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9983
2025-01-23 12:08:20 +00:00
Matthijs Mekking
e36f4b66a3 Clarify dnssec-signzone interval option
There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

(cherry picked from commit ae42fa69fa)
2025-01-23 12:08:11 +00:00
Matthijs Mekking
1333dac316 [9.20] fix: dev: Fix possible truncation in dns_keymgr_status()
If the generated status output exceeds 4096 it was silently truncated, now we output that the status was truncated.

Closes #4180

Backport of MR !9905

Merge branch 'backport-4180-possible-truncation-in-dns_keymgr_status-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9981
2025-01-23 11:28:07 +00:00
Matthijs Mekking
87518b618b Fix possible truncation in dns_keymgr_status()
If the generated status output exceeds 4096 it was silently truncated,
now we output that the status was truncated.

(cherry picked from commit 7ae7851173)
2025-01-23 09:40:39 +00:00
Mark Andrews
74640b3613 [9.20] fix: usr: Yaml string not terminated in negative response in delv
Closes #5098

Backport of MR !9922

Merge branch 'backport-5098-missing-yaml-string-termination-delv-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9979
2025-01-23 00:34:59 +00:00
Mark Andrews
2225f96251 Check delv +yaml negative response output
(cherry picked from commit 9c04640def)
2025-01-22 23:58:49 +00:00
Mark Andrews
69a15deffa Terminate yaml string after negative comment
(cherry picked from commit 89afc11389)
2025-01-22 23:58:49 +00:00
Ondřej Surý
55b7cc9596 [9.20] chg: dev: Shutdown the fetch context after canceling the last fetch
Shutdown the fetch context immediately after the last fetch has been canceled from
that particular fetch context.

Backport of MR !9958

Merge branch 'backport-ondrej/shutdown-the-fetch-context-early-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9977
2025-01-22 14:05:12 +00:00
Ondřej Surý
ea301cf062 Shutdown the fetch context after canceling the last fetch
Currently, the fetch context will continue running even when the last
fetch (response) has been removed from the context, so named can process
and cache the answer.  This can lead to a situation where the number of
outgoing recursing clients exceeds the the configured number for
recursive-clients.

Be more stringent about the recursive-clients limit and shutdown the
fetch context immediately after the last fetch has been canceled from
that particular fetch context.

(cherry picked from commit 9f945c8b67)
2025-01-22 15:02:38 +01:00
Ondřej Surý
0ab22458f5 [9.20] fix: usr: Apply the memory limit only to ADB database items
Resolver under heavy-load could exhaust the memory available for storing
the information in the Address Database (ADB) effectively evicting already
stored information in the ADB.  The memory used to retrieve and provide
information from the ADB is now not a subject of the same memory limits
that are applied for storing the information in the Address Database.

Closes #5127

Backport of MR !9954

Merge branch 'backport-5127-change-ADB-memory-split-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9975
2025-01-22 14:01:52 +00:00
Ondřej Surý
819e809be5 Remove memory limit on ADB finds and fetches
Address Database (ADB) shares the memory for the short lived ADB
objects (finds, fetches, addrinfo) and the long lived ADB
objects (names, entries, namehooks).  This could lead to a situation
where the resolver-heavy load would force evict ADB objects from the
database to point where ADB is completely empty, leading to even more
resolver-heavy load.

Make the short lived ADB objects use the other memory context that we
already created for the hashmaps.  This makes the ADB overmem condition
to not be triggered by the ongoing resolver fetches.

(cherry picked from commit 05faff6d53)
2025-01-22 15:01:33 +01:00
Ondřej Surý
60b81239de [9.20] fix: usr: Avoid unnecessary locking in the zone/cache database
Prevent lock contention among many worker threads referring to the same database node at the same time. This would improve zone and cache database performance for the heavily contended database nodes.

Backport of !9963

Closes #5130

Merge branch '5130-reduce-lock-contention-in-decrement-reference-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9964
2025-01-22 13:30:28 +00:00
JINMEI Tatuya
da0453b1d5 Optimize database decref by avoiding locking with refs > 1
Previously, this function always acquires a node write lock if it
might need node cleanup in case the reference decrements to 0.  In
fact, the lock is unnecessary if the reference is larger than 1 and it
can be optimized as an "easy" case. This optimization could even be
"necessary". In some extreme cases, many worker threads could repeat
acquring and releasing the reference on the same node, resulting in
severe lock contention for nothing (as the ref wouldn't decrement to 0
in most cases). This change would prevent noticeable performance
drop like query timeout for such cases.

Co-authored-by: JINMEI Tatuya <jtatuya@infoblox.com>
Co-authored-by: Ondřej Surý <ondrej@isc.org>

(cherry picked from commit 7f4471594d)
2025-01-22 14:29:30 +01:00
Colin Vidal
ba48aee4c9 [9.20] new: nil: ignore TAGS files
Backport of MR !9956

Merge branch 'backport-colin/ignoreTAGS-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9973
2025-01-22 11:59:50 +00:00
Colin Vidal
6eed964dd9 ignore TAGS files
TAGS file are generated from `make tags` using etags. Other index tags
are already ignored (GTAGS, GPATH, etc.). Also ignoring `TAGS`.

(cherry picked from commit 2164ea8abd)
2025-01-22 11:23:28 +00:00
Andoni Duarte
ac651c4250 chg: doc: Set up version for BIND 9.20.6
Merge branch 'andoni/set-up-version-for-bind-9.20.6' into 'bind-9.20'

See merge request isc-projects/bind9!9969
2025-01-22 08:40:51 +00:00
Andoni Duarte Pintado
d343349b83 Update BIND version to 9.20.6-dev 2025-01-21 17:52:22 +01:00
Nicki Křížek
993cb76148 chg: usr: Revert "Fix NSEC3 closest encloser lookup for names with empty non-terminals"
Revert the fix for #4950 for 9.20.

This reverts MR !9438.

History: A performance improvement for NSEC3 closest encloser lookups (#4460) was introduced (in MR !9436) and backported to 9.20 (MR !9438) and to 9.18 in (MR !9439). It was released in 9.18.30 (and 9.20.2 and 9.21.1).

There was a bug in the code (#4950), so we reverted the change in !9611, !9613 and !9614 (not released).

Then a new attempt was merged in main (MR !9610) and backported to 9.20 (MR !9631) and 9.18 (MR !9632). The latter should not have been backported and was reverted in !9689. 

We now also revert the fix for 9.20

Related #5108

Merge branch 'revert-4950-bind-logs-expected-covering-nsec3-got-an-exact-match-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9947
2025-01-14 08:35:53 +00:00
Matthijs Mekking
8c9d31edaf Revert "Test that the correct NSEC3 closest encloser is returned"
This reverts commit fd2f1bdf02.
2025-01-13 11:42:26 +01:00
Matthijs Mekking
5798ed1fa6 Revert "Use a binary search to find the NSEC3 closest encloser"
This reverts commit 14bb1f8aa0.
2025-01-13 11:40:19 +01:00
Michał Kępień
698f1091bf [9.20] fix: nil: Fix default IANA root zone mirror configuration
Closes #5115

Backport of MR !9934

Merge branch 'backport-5115-fix-default-iana-root-zone-mirror-configuration-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9944
2025-01-09 12:00:26 +00:00
Michał Kępień
1e9eab2b5d Fix default IANA root zone mirror configuration
Commit 4555a31934 renamed the top-level
"primaries" block in bin/named/config.c to "remote-servers".  This
configuration block lists the primary servers used for an IANA root zone
mirror when no primary servers are explicitly specified for it in the
configuration.  However, the relevant part of the named_zone_configure()
function only looks for a top-level "primaries" block and not for any of
its synonyms.  As a result, configuring an IANA root zone mirror with
just:

    zone "." {
        type mirror;
    };

now results in a cryptic fatal error on startup:

    loading configuration: not found
    exiting (due to fatal error)

Fix by using the correct top-level block name in named_zone_configure().

(cherry picked from commit 010d2eb436)
2025-01-09 12:25:33 +01:00
Arаm Sаrgsyаn
cc0cbbe697 [9.20] fix: usr: Fix response policy zones and catalog zones with an $INCLUDE statement defined
Response policy zones (RPZ) and catalog zones were not working correctly if they had an $INCLUDE statement defined. This has been fixed.

Closes #5111

Backport of MR !9930

Merge branch 'backport-5111-includes-disable-rpz-and-catz-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9941
2025-01-08 15:21:52 +00:00
Aram Sargsyan
c9ecf79e89 Fix a typo in dns/master.h
The ISC_R_SEENINCLUDE definition does not exist, the correct one
is DNS_R_SEENINCLUDE.

(cherry picked from commit d75bdabe51)
2025-01-08 15:21:28 +00:00
Aram Sargsyan
1c6a97055d Don't disable RPZ and CATZ for zones with an $INCLUDE statement
The code in zone_startload() disables RPZ and CATZ for a zone if
dns_master_loadfile() returns anything other than ISC_R_SUCCESS,
which makes sense, but it's an error because zone_startload() can
also return DNS_R_SEENINCLUDE upon success when the zone had an
$INCLUDE statement.

(cherry picked from commit 3d7a9fba3b)
2025-01-08 15:21:28 +00:00
Nicki Křížek
2d89dae589 [9.20] new: ci: Add shotgun perf test of DoH GET to CI
Add performance tests of DoH using the GET protocol to nightly pipelines.

Backport of MR !9926

Merge branch 'backport-nicki/ci-shotgun-doh-get-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9939
2025-01-08 14:12:54 +00:00
Nicki Křížek
ee76d3f2c2 Add shotgun perf test of DoH GET to CI
(cherry picked from commit 32c5f24713)
2025-01-08 13:46:49 +00:00