FreeBSD 13.0 replaced GNU grep with BSD grep and removed support for
"redundant escapes for most ordinary characters" from regex(3) library,
therefore the matching sequence in digdelv/tests.sh needs to be
rewritten otherwise it fails with:
grep: trailing backslash (\)
Instead of using fixed quantum, this commit adds atomic counter for
number of items on each queue and uses the number of netievents
scheduled to run as the limit of maximum number of netievents for a
single process_queue() run.
This prevents the endless loops when the netievent would schedule more
netievents onto the same loop, but we don't have to pick "magic" number
for the quantum.
(cherry picked from commit 9e3cb396b2)
OpenBSD changed the name of the pytest script from py.test-3 in OpenBSD
6.8 to py.test in OpenBSD 6.9.
The py.test-3 name which was added in d5562a3e for the sake of OpenBSD
and CentOS is still required for CentOS.
(cherry picked from commit 510b4b70e9)
To ensure that a release with outdated copyright year is not produced at
the beginning of a year, set copyright year to the current year.
(cherry picked from commit 7eb44b05c5)
- Add POSIX nanosleep() and usleep() shim implementation for Windows
to help implementors use less #ifdef _WIN32 in the code.
- Use uv_sleep when possible in the netmgr code and define usleep based
shim for libuv << 1.34.0.
The outgoing UDP socket selection would pick unintialized children
socket on Windows, because we have more netmgr workers than we have
listening sockets. This commit fixes the selection by keeping the
outgoing socket the same, so it's always run on existing socket.
(cherry picked from commit cd413234f7)
- memory tracing failed if the driver didn't have access
to the isc_mem_debugging variable.
- remove RTLD_DEEPBIND from dlopen() flags as it causes
shared libraries to be unable to access thread-local storage,
which is needed when enqueuing tasks.
this rolls up numerous changes that have been applied to the
main branch, including moving isc_task operations into the
netmgr event loops, and other general stabilization.
This commit adds POSIX nanosleep() and usleep() shim implementation for
Windows to help implementors use less #ifdef _WIN32 in the code.
(cherry picked from commit c37ff5d188)
On Windows, the iocompletionport_createthreads() didn't use
isc_thread_create() to create new threads for processing IO, but just a
simple CreateThread() function that completely circumvent the
isc_trampoline mechanism to initialize global isc_tid_v. This lead to
segmentation fault in isc_hp API because '-1' isn't valid index to the
hazard pointer array.
This commit changes the iocompletionport_createthreads() to use
isc_thread_create() instead of CreateThread() to properly initialize
isc_tid_v.
(cherry picked from commit cd54bbbd9a)
When looking for key files, we could use isdigit rather than checking
if the character is within the range [0-9].
Use (unsigned char) cast to ensure the value is representable in the
unsigned char type (as suggested by the isdigit manpage).
Change " & 0xff" occurrences to the recommended (unsigned char) type
cast.
(cherry picked from commit 1998ad6c776a9c17c27788b17765dee90d9e25df)
Just like with dynamic and/or inline-signing zones, check if no two
or more zone configurations set the same filename. In these cases,
the zone files are not read-only and named-checkconf should catch
a configuration where multiple zone statements write to the same file.
Add some bad configuration tests where KASP zones reference the same
zone file.
Update the good-kasp test to allow for two zones configure the same
file name, dnssec-policy none.
(cherry picked from commit 0b5fc0afcfd1a0bb7c1f16b63872b7ee26fb2777)
Make sure no DNSSEC contents are added to the zonefile if dnssec-policy
is set to "none" (and no .state files exist for the zone).
(cherry picked from commit 5246c16f43e6fda7587193a4dd801951cf87db14)
When we introduced "dnssec-policy insecure" we could have removed the
'strcmp' check for "none", because if it was set to "none", the 'kasp'
variable would have been set to NULL.
(cherry picked from commit 636ff1e15c)
Add a test for default.kasp that if we remove the private key file,
no successor key is created for it. We need to update the kasp script
to deal with a missing private key. If this is the case, skip checks
for private key files.
Add a test with a zone for which the private key of the ZSK is missing.
Add a test with a zone for which the private key of the KSK is missing.
(cherry picked from commit 4a8ad0a77f)
BIND 9 is smart about when to sign with what key. If a key is offline,
BIND will delete the old signature anyway if there is another key to
sign the RRset with.
With KASP we don't want to fallback to the KSK if the ZSK is missing,
only for the SOA RRset. If the KSK is missing, but we do have a ZSK,
deleting the signature is fine. Otherwise it depends on if we use KASP
or not. Update the 'delsig_ok' function to reflect that.
(cherry picked from commit 6a60bf637d)
When checking the current DNSSEC state against the policy, consider
offline keys. If we didn't found an active key, check if the key is
offline by checking the public key list. If there is a match in the
public key list (the key data is retrieved from the .key and the
.state files), treat the key as offline and don't create a successor
key for it.
(cherry picked from commit 3e6fc49c16)
The rndc command 'dnssec -status' only considered keys from
'dns_dnssec_findmatchingkeys' which only includes keys with accessible
private keys. Change it so that offline keys are also listed in the
status.
(cherry picked from commit b3a5859a9b)
The function 'dns_dnssec_keylistfromrdataset()' creates a keylist from
the DNSKEY RRset. If we attempt to read the private key, we also store
the key state. However, if the private key is offline, the key state
will not be stored. To fix this, first attempt to read the public key
file. If then reading the private key file fails, and we do have a
public key, add that to the keylist, with appropriate state. If we
also failed to read the public key file, add the DNSKEY to the keylist,
as we did before.
(cherry picked from commit 7ed089576f)
The 'dst_key_fromnamedfile()' function did not read and store the
key state from the .state file when reading a public key file.
(cherry picked from commit fa05c1b8da)
When the feature was backported, we should have leave it disabled by
default, it turns out the default `100%` is producing some unexpected
results (under investigation), so for the time being, we are going to to
disable the max-ixfr-ratio.
