This change allows fallback from an IXFR failure to AXFR when the reason is `DNS_R_TOOMANYRECORDS`. This is because this error condition could be temporary only in an intermediate version of IXFR transactions and it's possible that the latest version of the zone doesn't have that condition. In such a case, the secondary would never be able to update the zone (even if it could) without this fallback.
This fallback behavior is particularly useful with the recently introduced `max-records-per-type` and `max-types-per-name` options: the primary may not have these limitations and may temporarily introduce "too many" records, breaking IXFR. If the primary side subsequently deletes these records, this fallback will help recover the zone transfer failure automatically; without it, the secondary side would first need to increase the limit, which requires more operational overhead and has its own adverse effect.
Closes#4928
Backport of MR !9333
Merge branch 'backport-fallback-ixfr-to-axfr-on-toomanyrecords-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9472
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.
This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.
This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.
(cherry picked from commit 7289090683)
When the TCP test is run on the busy server, the server might take a
while to wind the server down because it might still be processing all
that 300k invalid XFR requests.
Increate the rncd wait time to 120 seconds, the SIGTERM time to 300
seconds, and reduce the time to wait for ans servers from 1200 second
to just 120 seconds.
(cherry picked from commit d971472321)
Backport of MR !6847
Merge branch 'backport-ondrej-increase-the-time-to-wait-for-servers-to-gracefully-shutdown-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9467
When the TCP test is run on the busy server, the server might take a
while to wind the server down because it might still be processing all
that 300k invalid XFR requests.
Increate the rncd wait time to 120 seconds, the SIGTERM time to 300
seconds, and reduce the time to wait for ans servers from 1200 second
to just 120 seconds.
(cherry picked from commit d971472321)
Administrators may wish to constrain the set of cores that BIND 9 runs on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on other O/S).
If the admin has used taskset, the `named` will now follow to automatically use the given number of CPUs rather than the system wide count.
Closes#4884
Backport of MR !9398
Merge branch 'backport-4884-use-cpuset-to-get-number-of-cpus-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9443
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.
Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
Use the fact that the database returns the longest matching part of the requested name to find the required NSEC3 record. If there are multiple versions present in the database we may have to search further.
Closes#4460
Backport of MR !9436
Merge branch 'backport-4460-auth-nsec3-many-labels-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9439
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process. Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.
(cherry picked from commit d42ea08f16)
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.
Closes#4897
Backport of MR !9435
Merge branch 'backport-4897-resolver-ns1-max-recursion-queries-100-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9441
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.
(cherry picked from commit 8e0244d300)
Backport of MR !9424
Merge branch 'backport-mnowak/avoid-some-artifacts-in-stress-tests-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9429
The `malloc_usable_size()` can return size larger than originally allocated and when these sizes disagree the fortifier enabled by `_FORTIFY_SOURCE=3` detects overflow and stops the `named` execution abruptly. Stop using these convenience functions as they are primary used for introspection-only.
Closes#4880
Backport of MR !9400
Merge branch 'backport-4880-dont-use-malloc_usable_size-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9419
Although the nanual page of malloc_usable_size says:
Although the excess bytes can be over‐written by the application
without ill effects, this is not good programming practice: the
number of excess bytes in an allocation depends on the underlying
implementation.
it looks like the premise is broken with _FORTIFY_SOURCE=3 on newer
systems and it might return a value that causes program to stop with
"buffer overflow" detected from the _FORTIFY_SOURCE. As we do have own
implementation that tracks the allocation size that we can use to track
the allocation size, we can stop relying on this introspection function.
Also the newer manual page for malloc_usable_size changed the NOTES to:
The value returned by malloc_usable_size() may be greater than the
requested size of the allocation because of various internal
implementation details, none of which the programmer should rely on.
This function is intended to only be used for diagnostics and
statistics; writing to the excess memory without first calling
realloc(3) to resize the allocation is not supported. The returned
value is only valid at the time of the call.
Remove usage of both malloc_usable_size() and malloc_size() to be on the
safe size and only use the internal size tracking mechanism when
jemalloc is not available.
(cherry picked from commit d61712d14e)
The ISC_ATTR_UNUSED macro was missing in BIND 9.18, which
complicated things when backporting merge requests from main.
As __attribute__((__unused__)) is ubiquitous, just define the
macro.
The cross-version-config-tests job fails when a system test is removed
from the upcoming release. To avoid this, remove the system test also
from the $BIND_BASELINE_VERSION.
See the failure mode at https://gitlab.isc.org/isc-projects/bind9/-/jobs/4668947.
Backport of MR !9413
Merge branch 'backport-mnowak/remove-dialup-from-cross-version-config-tests-job-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9416
The cross-version-config-tests job fails when a system test is removed
from the upcoming release. To avoid this, remove the system test also
from the $BIND_BASELINE_VERSION.
(cherry picked from commit 60f5f2a9d9)
This supports bit-for-bit reproducibility of built documentation.
Closes#4886
Backport of MR !9399
Merge branch 'backport-issue-4886/order-preserving-documentation-tags-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9409
The 'set' datatype in Python does not provide iteration-order
guarantees related to insertion-order. That means that its
usage in the 'split_csv' helper function during documentation
build can produce nondeterministic results.
That is non-desirable for two reasons: it means that the
documentation output may appear to vary unnecessarily between
builds, and secondly there could be loss-of-information in cases
where tag order in the source documentation is significant.
This patch implements order-preserving de-duplication of tags,
allowing authors to specify tags using intentional priority
ordering, while also removing tags that appear more than once.
(cherry picked from commit 5a79b36f56)
Milestone is automatically set by 'merged-metadata' CI job to 'Not
released yet' so it does not matter what the original value was.
(cherry picked from commit 73b950dc29)
1. Set milestone to 'Not released yet' after merge
We will set milestone to actual version number when we actually tag a
particular version. This will get rid of mass MR reassignment when we
do last minute changes to a release plan etc.
2. Adjust No CHANGES and Release Notes MR labels to match gitchangelog
workflow.
(cherry picked from commit d1c64d588b)
Previously CI job for the autobackport bot inherited "interruptible:
true" global configuration. This caused premature termination of the job
when another merge was finished before the autobackport job ran to
completion.
(cherry picked from commit 3165261ecd)
If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key. This has been fixed by not only checking for matching key tag but also key algorithm.
Closes#4878
Backport of MR !9381
Merge branch 'backport-4878-fix-algorithm-rollover-keytag-conflict-bug-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9394
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.
Fix this by not only checking for matching key id but also key
algorithm.
(cherry picked from commit f37eb33f29)
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.
For clarity, print the algorithm on the found keys after 'check_keys'.
(cherry picked from commit 7bb6d82505)
This adds the command line arguments: `-d` (debug), `-l` (list tests) and `-t test` (run this test) to the unit tests.
e.g.
```
% ./rdata_test -t zonemd
[==========] selected: Running 1 test(s).
[ RUN ] zonemd
[ OK ] zonemd
[==========] selected: 1 test(s) run.
[ PASSED ] 1 test(s).
%
```
Closes#4579
Backport of MR !9384
Merge branch 'backport-4579-restore-the-ability-to-select-individual-unit-tests-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9386
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.
Closes#4731
Backport of MR !9362
Merge branch 'backport-4731-log-workdir-full-path-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9373
named now prints its initial working directory during startup and the
changed working directory when loading or reloading its configuration
file if it has a valid 'directory' option defined.
(cherry picked from commit fd8e1d161f)
Related: #4847
Backport of MR !9300
Merge branch 'backport-4847-changelog-sorting-and-tweaks-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9365
When manually handling the release notes (due to rst markup, fixups
etc.), the different MR number for backports causes needless friction.
Remove the reference from release notes and keep it only in changelog
which isn't manually redacted.
(cherry picked from commit 993ba7cc7f)
