Closes#4796
Backport of MR !9127
Merge branch 'backport-4796-yaml-stringify-question-and-records-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9214
In yaml mode we emit a string for each question and record. Certain
names and data could result in invalid yaml being produced. Use single
quote string for all questions and records. This requires that single
quotes get converted to two quotes within the string.
(cherry picked from commit 393d7fa78e)
Closes#4774
Backport of MR !9105
Merge branch 'backport-4774-resolver-system-test-didn-t-fail-on-all-subtest-errors-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9212
Closes#4775
Backport of MR !9106
Merge branch 'backport-4775-reject-zero-length-alpn-in-alpn-fromtext-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9210
ALPN are defined as 1*255OCTET in RFC 9460. commatxt_fromtext was not
rejecting invalid inputs produces by missing a level of escaping
which where later caught be dns_rdata_fromwire on reception.
These inputs should have been rejected
svcb in svcb 1 1.svcb alpn=\,abc
svcb1 in svcb 1 1.svcb alpn=a\,\,abc
and generated 00 03 61 62 63 and 01 61 00 02 61 62 63 respectively.
The correct inputs to include commas in the alpn requires double
escaping.
svcb in svcb 1 1.svcb alpn=\\,abc
svcb1 in svcb 1 1.svcb alpn=a\\,\\,abc
and generate 04 2C 61 62 63 and 06 61 2C 2C 61 62 63 respectively.
(cherry picked from commit b51c9eb797)
When cutting a long CNAME chain, named was returning NOERROR
instead of SERVFAIL (alongside with a partial answer). This
has been fixed.
Closes#4449
Backport of MR !9090
Merge branch 'backport-4449-return-servfail-for-a-long-cname-chain-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9204
Update the CNAME chain test to correspond to the changed behavior,
because now named returns SERVFAIL when hitting the maximum query
restarts limit (e.g. happening when following a long CNAME chain).
In the current test auth will hit the limit and return partial data
with a SERVFAIL code, while the resolver will return no data with
a SERVFAIL code after auth returns SERVFAIL to it.
(cherry picked from commit 7751c7eca6)
Due to the maximum query restart limitation a long CNAME chain
it is cut after 16 queries but named still returns NOERROR.
Return SERVFAIL instead and the partial answer.
(cherry picked from commit b621f1d88e)
On 32 bit machines isc_meminfo_totalphys could return an incorrect value.
Closes#4799
Backport of MR !9132
Merge branch 'backport-4799-cid-498034-overflowed-return-value-integer_overflow-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9200
On a 32 bit machine casting to size_t can still lead to an overflow.
Cast to uint64_t. Also detect all possible negative values for
pages and pagesize to silence warning about possible negative value.
39#if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
1. tainted_data_return: Called function sysconf(_SC_PHYS_PAGES),
and a possible return value may be less than zero.
2. assign: Assigning: pages = sysconf(_SC_PHYS_PAGES).
40 long pages = sysconf(_SC_PHYS_PAGES);
41 long pagesize = sysconf(_SC_PAGESIZE);
42
3. Condition pages == -1, taking false branch.
4. Condition pagesize == -1, taking false branch.
43 if (pages == -1 || pagesize == -1) {
44 return (0);
45 }
46
5. overflow: The expression (size_t)pages * pagesize might be negative,
but is used in a context that treats it as unsigned.
CID 498034: (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
6. return_overflow: (size_t)pages * pagesize, which might have underflowed,
is returned from the function.
47 return ((size_t)pages * pagesize);
48#endif /* if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE) */
(cherry picked from commit e8dbc5db92)
Stop updating `find.result_v4` and `find.result_v4` in `clean_finds_at_name`. The values are supposed to be static.
Closes#4118
Backport of MR !9108
Merge branch 'backport-4118-data-race-lib-dns-adb-c-1537-in-clean_finds_at_name-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9198
Don't verify the just signed zone as the RRSIGs could have expired before the signing process completes
Closes#4781#2476
Backport of MR !9114
Merge branch 'backport-4781-statschannel-setup-can-fail-due-to-short-validity-interval-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9196
Adjust key state and timing metadata if dnssec-policy key lifetime configuration is updated, so that it also
affects existing keys.
Closes#4677
Backport of MR !9118
Merge branch 'backport-4677-dnssec-policy-key-lifetime-reconfigure-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9192
In 9.18, 'inline-signing yes;' must also be configured explicitly for
zones using dnssec-policy without a configured 'allow-update' or
'update-policy'.
The key lifetime should no longer be adjusted if the key is being
retired earlier, for example because a manual rollover was started.
This would falsely be seen as a dnssec-policy lifetime reconfiguration,
and would adjust the retire/removed time again.
This also means we should update the status output, and the next
rollover scheduled is now calculated using (retire-active) instead of
key lifetime.
(cherry picked from commit 129973ebb0)
If dnssec-policy is reconfigured and the key lifetime has changed,
update existing keys with the new lifetime and adjust the retire
and removed timing metadata accordingly.
If the key has no lifetime yet, just initialize the lifetime. It
may be that the retire/removed timing metadata has already been set.
Skip keys which goal is not set to omnipresent. These keys are already
in the progress of retiring, or still unused.
(cherry picked from commit 1cec0b0448)
Check if the key lifetime is updated in the key files. Make sure the
inactive and removed timing metadata are adjusted accordingly.
(cherry picked from commit 2237895bb4)
The +timeout argument was not used on DoH connections. This has been fixed.
Closes#4806
Merge branch '4806-dig-https-local-timeout-ignored-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9161
bin/dig/dighost.c calls isc_nm_httpconnect. The timeout setting
(local_timeout) is passed as the 11th argument, but the function in
lib/isc/netmgr/http.c has the timeout argument as the 11th argument.
The 10th and 11th argument were reversed. This commit fixes that.
Thanks to Nicolas Dehaine for reporting and providing the fix.
The tests currently fail on debian:bookworm due to a bug in OpenSSL 3.0.13.
Related #4814
Merge branch '4814-allow-keyfromlabel-failure' into 'bind-9.18'
See merge request isc-projects/bind9!9179
Closes#4777
Backport of MR !9107
Merge branch '4777-retry-job-aws-spot-instance-interruption-event-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9185
Use a single source of truth, the git log, to generate the list of CHANGES. Use the .rst format and include it in the ARM for a quick reference with proper gitlab links to issues and merge requests.
Closes#75
Backport of MR !9152
Merge branch 'nicki/add-gitchangelog-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9181
The files in contrib/ directory shouldn't be subject to our pylint
check. They can come from external sources and we don't subject these to
the same standards as the rest of the BIND9 code / scripts.
(cherry picked from commit 7cbb052649)
The configuration has been crafted to cater for BIND9 needs:
- Define actions that have an equivalent section in existing Release
Notes
- Assume the commits that have the necessary changelog makrup are merge
commits from GitLab and transform them into messages and proper links
- Put the resulting changelog into the proper place in
doc/arm/changelog.rst
- Have a separate configuration for changelog and release notes. Both of
these should be generated from the `git log`, with release notes being
subject to more scrutiny and further editing
(cherry picked from commit 0ec8b99ea3)
Create new changelog and include it in the documentation. Include the
previous CHANGES as plain text without any markup.
(cherry picked from commit e9b6031e0c)
Add an option which can be used to put short commit sha at the end of
each commit subject line in the generated changelog.
(cherry picked from commit c2b23fa2de)
Given our workflow, this could easily lead to misattribution. It's also
not an actionable information and it can be found in the MR / git log
instead.
(cherry picked from commit a8258d1c53)
The project hasn't seen any new development/changes since 2018 and it
seems unlikely we'd be able to get any changes into the upstream. Since
it's isolated into a single file and its task is fairly straighforward,
pull the code into our own repository and maintain it here as needed.
This also makes it easier to make any changes that are specific to our
project.
(cherry picked from commit 63247d8a73)
