Commit Graph

35129 Commits

Author SHA1 Message Date
Petr Menšík
3f81fbed12 FIPS tests changes for RHEL
Include MD5 feature detection in featuretest tool and use it in some
places. When RHEL distribution or Fedora ELN is in FIPS mode, then MD5
algorithm is unavailable completely and even hmac-md5 algorithm usage
will always fail. Work that around by checking MD5 works and if not,
skipping its usage.

Those changes were dragged as downstream patch bind-9.11-fips-tests.patch
in Fedora and RHEL.

(cherry picked from commit 6ad794a8cd)
2023-02-16 08:48:39 +11:00
Ondřej Surý
77fb1a4dc8 Merge branch '3865-failing-windows-system-tests-due-to-libuv-version-check' into 'v9_16'
Resolve "Failing windows system tests due to libuv version check"

See merge request isc-projects/bind9!7536
2023-02-15 11:28:08 +00:00
Ondřej Surý
100c20b470 Don't check for maximal version on Windows
The Windows doesn't have support for recvmmsg(), so we don't need to
check for maximal version on Windows (only for a minimal version).

Remove the MAXIMAL_VERSION when compiling on Windows.
2023-02-15 11:02:57 +01:00
Mark Andrews
5ce64ea878 Merge branch '3662-extend-mkeys-system-test-to-handle-islands-of-trust-v9_16' into 'v9_16'
[9.16] Resolve "Extend mkeys system test to handle islands of trust"

See merge request isc-projects/bind9!7530
2023-02-14 22:34:09 +00:00
Mark Andrews
d0fd97f67c Add CHANGES note for [GL #3662]
(cherry picked from commit 2928f21733)
2023-02-14 22:09:52 +00:00
Mark Andrews
9109f38ece Add islands of trust to mkeys test
This adds an island of trust that is reachable from the root
where the trust anchors are added to island.conf.

This add an island of trust that is not reachable from the root
where the trust anchors are added to private.conf.

(cherry picked from commit 41bdb5b9fe)
2023-02-14 22:09:52 +00:00
Mark Andrews
4df6019c16 Report the key name that failed in retry_keyfetch
When there are multiple managed trust anchors we need to know the
name of the trust anchor that is failing.  Extend the error message
to include the trust anchor name.

(cherry picked from commit fb7b7ac495)
2023-02-14 22:09:52 +00:00
Evan Hunt
9507facb36 Merge branch '3673-delay-trust-anchor-management-v9_16' into 'v9_16'
[9.16] Merge branch '3673-delay-trust-anchor-management' into 'main'

See merge request isc-projects/bind9!7534
2023-02-14 19:07:10 +00:00
Evan Hunt
aca10608b6 delay trust anchor management until zones are loaded
it was possible for a managed trust anchor needing to send a key
refresh query to be unable to do so because an authoritative zone
was not yet loaded. this has been corrected by delaying the
synchronization of managed-keys zones until after all zones are
loaded.

(cherry picked from commit bafbbd2465)
2023-02-14 10:23:28 -08:00
Tom Krizek
89ed0724e2 Merge branch '3848-increase-wait-time-runtime-test-v9_16' into 'v9_16'
[9.16] Increase named startup wait time for runtime test

See merge request isc-projects/bind9!7525
2023-02-13 16:02:45 +00:00
Tom Krizek
208777b74e Increase named startup wait time for runtime test
Occasionally, the allotted 10 seconds for the "running" line to appear
in log after named is started proved insufficient in CI, especially
during increased load. Give named up to 60 seconds to start up to
mitigate this issue.

(cherry picked from commit b8bb4233e8)
2023-02-13 16:11:04 +01:00
Michal Nowak
12e323dd2e Merge branch '3846-nsupdate-test-fix-v9_16' into 'v9_16'
[9.16] increase simultaneous updates for quota test

See merge request isc-projects/bind9!7522
2023-02-13 15:03:01 +00:00
Evan Hunt
5d0a8996ce increase simultaneous updates for quota test
the nsupdate system test was intermittently failing due to the update
quota not being exceeded when it should have been.  this is most likely
a timing issue: the client is sending updates too slowly, or the server
is processing them too quickly, for the quota to fill. this commit
attempts to make that the failure less likely by increasing the number
of update transactions from 10 to 20.

(cherry picked from commit 06b1faf068)
2023-02-13 13:36:11 +01:00
Ondřej Surý
dd0ce8e218 Merge branch 'pspacek/make-manin-on-dist-v9_16-fix2' into 'v9_16'
Use placeholders in pre-generated manpages in the tarball

See merge request isc-projects/bind9!7520
2023-02-10 17:46:02 +00:00
Ondřej Surý
0c7bd27598 Use placeholders in pre-generated manpages in the tarball
When pre-generating the manpages in the tarball-create CI job, we need
to use placeholders, and not the final values.
2023-02-10 18:40:34 +01:00
Ondřej Surý
3ff297e9fe Merge branch 'pspacek/make-manin-on-dist-v9_16' into 'v9_16'
[9.16] Remove pregenerated manpages from the repo

See merge request isc-projects/bind9!7518
2023-02-10 12:41:04 +00:00
Ondřej Surý
18b7ba3ea3 Test the pre-generated man pages in GitLab CI
Add an extra job for a build from tarball, but without sphinx-build and
enable RUN_MAKE_INSTALL to check that man pages were generated and
installed.

Disable the RUN_MAKE_INSTALL on the systems without sphinx-build (sid).

(cherry picked from commit 8f2e1e15cc)
2023-02-10 13:13:34 +01:00
Petr Špaček
c07e8b4a65 Remove pregenerated manpages from the repo
We don't need them in the repo, it's sufficient if we pregenerate them
while preparing the tarball.  That way we don't have overhead while
modifying them but they are still available for installations without
Sphinx.

I assume that this will make rebases and cherry-picks across branches
easier, with less trial and error churn required in the CI.

It's implemented in the way that we build the manpages only when we
either have pregenerated pages available at the configure time or
sphinx-build is installed and working.

(cherry picked from commit 9110465194)
2023-02-10 13:02:24 +01:00
Michał Kępień
5e85e8e524 Merge branch '3840-avoid-libuv-with-broken-recvmmsg-v9_16' into 'v9_16'
[9.16] Avoid libuv 1.35 and 1.36 that have broken recvmmsg implementation

See merge request isc-projects/bind9!7483
2023-02-10 06:00:04 +00:00
Ondřej Surý
2709a3c962 Add CHANGES and release note for [GL #3840]
(cherry picked from commit 6fa48c963e)
2023-02-10 06:50:32 +01:00
Ondřej Surý
b163ca9f97 Enforce version drift limits for libuv
libuv support for receiving multiple UDP messages in a single system
call (recvmmsg()) has been tweaked several times between libuv versions
1.35.0 and 1.40.0.  Mixing and matching libuv versions within that span
may lead to assertion failures and is therefore considered harmful, so
try to limit potential damage be preventing users from mixing libuv
versions with distinct sets of recvmmsg()-related flags.

(cherry picked from commit 735d09bffe)
2023-02-10 06:50:32 +01:00
Ondřej Surý
9309589ad0 Avoid libuv 1.35 and 1.36 that have broken recvmmsg implementation
The implementation of UDP recvmmsg in libuv 1.35 and 1.36 is
incomplete and could cause assertion failure under certain
circumstances.

Modify the configure and runtime checks to report a fatal error when
trying to compile or run with the affected versions.

(cherry picked from commit 251f411fc3)
2023-02-10 06:50:32 +01:00
Mark Andrews
7a6233a816 Merge branch '3852-follow-up-from-9-18-merge-branch-3790-use-configured-udp-port-into-main-v9_16' into 'v9_16'
[9.16] Allow some time to the root trust anchor to appear

See merge request isc-projects/bind9!7499
2023-02-07 22:26:57 +00:00
Mark Andrews
539f29d412 Allow some time to the root trust anchor to appear
Following deleting the root trust anchor and reconfiguring the
server it takes some time to for trust anchor to appear in 'rndc
managed-keys status' output.  Retry several times.

(cherry picked from commit 71dbd09796)
2023-02-08 00:46:41 +11:00
Michal Nowak
061d4e2f8b Merge branch 'mnowak/set-up-version-and-release-notes-for-bind-9.16.39' into 'v9_16'
Set up release notes for BIND 9.16.39

See merge request isc-projects/bind9!7497
2023-02-07 11:03:42 +00:00
Michal Nowak
ae79bfe94d Set up release notes for BIND 9.16.39 2023-02-07 11:28:48 +01:00
Michal Nowak
1d21a46e34 Update BIND version to 9.16.39-dev 2023-02-07 11:27:17 +01:00
Michał Kępień
c1e77063c0 Merge branch '3827-fix-dnsrps-builds-v9_16' into 'v9_16'
[9.16] Fix DNSRPS builds

See merge request isc-projects/bind9!7475
2023-02-01 11:47:27 +00:00
Michał Kępień
f933650204 Add CHANGES entry for GL #3827
(cherry picked from commit 493eadd1ae)
2023-02-01 12:07:11 +01:00
Michał Kępień
f7dc0a4708 Handle iterator options in rpsdb_allrdatasets()
Commit 4f3327cd41 added a new parameter,
'options', to the prototype of the 'allrdatasets' function pointer in
struct dns_dbmethods.  Handle this new parameter accordingly in
rpsdb_allrdatasets().

(cherry picked from commit f3def4e4ed)
2023-02-01 12:07:11 +01:00
Michał Kępień
29d90a95eb Add DNSRPS builds to pairwise testing
The --enable-dnsrps-dl switch for ./configure enables preparing a
DNSRPS-enabled build of BIND 9 that is not directly linked against a
DNSRPS provider library (dlopen() at runtime is used instead).  Employ
this switch to test DNSRPS-enabled builds in the pairwise testing job in
GitLab CI.

(cherry picked from commit e688ca5316)
2023-02-01 12:07:11 +01:00
Mark Andrews
4ad04b48fb Merge branch '3830-nsupdate-failed-to-handle-primary-server-address-lookup-gracefully-v9_16' into 'v9_16'
[9.16] Handle address lookup failure more gracefully

See merge request isc-projects/bind9!7459
2023-01-31 14:31:05 +00:00
Mark Andrews
1062188cd0 Add CHANGES for [GL #3830]
(cherry picked from commit fda7858e74)
2023-02-01 00:41:10 +11:00
Mark Andrews
d53828b749 Handle address lookup failure more gracefully
If the address lookup of the primary server fails just abort
the current update request rather than calling exit.  This allows
nsupdate to cleanup gracefully.

(cherry picked from commit f1387514c6)
2023-02-01 00:41:09 +11:00
Mark Andrews
cafc135019 Merge branch '3829-named-v-leaks-memory-when-shutting-down-v9_16' into 'v9_16'
[9.16] Call dns_lib_destroy in bin/named/main.c:printversion

See merge request isc-projects/bind9!7455
2023-01-30 23:37:56 +00:00
Mark Andrews
e226b4c826 Add CHANGES for [GL #3829]
(cherry picked from commit 1d258e2fb8)
2023-01-31 10:06:15 +11:00
Mark Andrews
09fce29a9a Call dns_lib_destroy in bin/named/main.c:printversion
There were unbalanced calls to dns_lib_init and dns_lib_destroy
leading to an OpenSSL memory leak.

(cherry picked from commit 8b3c018f54)
2023-01-31 10:06:15 +11:00
Mark Andrews
d76b1ad5ed Merge branch '3824-teach-danger-about-amend-v9_16' into 'v9_16'
[9.16] Teach danger about amend

See merge request isc-projects/bind9!7440
2023-01-27 22:57:27 +00:00
Mark Andrews
66da661eff Teach danger about amend
commit --fixup=amend:<hash> produces a subject starting with amend!
by default.  Have danger look for this to ensure that it is squashed
before merging.

(cherry picked from commit 9b12473292)
2023-01-28 09:18:32 +11:00
Matthijs Mekking
1feb8d4d7a Merge branch '3822-rndc-dnssec-checkds-force-ds-state-v9_16' into 'v9_16'
[9.16] Force set DS state after 'rndc dnssec -checkds'

See merge request isc-projects/bind9!7438
2023-01-27 15:43:55 +00:00
Matthijs Mekking
fd5ef80b1c Add CHANGES for #3822
(cherry picked from commit 38ffe5acf3)
2023-01-27 16:09:35 +01:00
Matthijs Mekking
3ffb63e9bb Force set DS state after 'rndc dnssec -checkds'
Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

(cherry picked from commit ee42f66fbe)
2023-01-27 16:09:06 +01:00
Tom Krizek
e2eca8a8a9 Merge branch 'tkrizek/danger-improvements-v9_16' into 'v9_16'
[9.16] danger: refine existing rules

See merge request isc-projects/bind9!7436
2023-01-27 14:09:33 +00:00
Tom Krizek
1ee31187db danger: relax rules for single-line commits
The following are not also accepted as single-line commits without
generating warnings:
- CHANGES/release note may appear in the beginning of the commit message
- Release note may be capitalized
- Allow commits with "GL #" (e.g. Update documentation for [GL #XXXX])

(cherry picked from commit 79ae467973)
2023-01-27 14:50:14 +01:00
Tom Krizek
1bc4186e39 danger: update CHANGES rule to work with -S edition
When updating the -S edition, the CHANGES.SE file is modified. Make sure
danger accepts that.

(cherry picked from commit 1939e585c0)
2023-01-27 14:50:08 +01:00
Michał Kępień
f469580296 Merge branch 'michal/extend-artifact-lifetime-for-release-related-jobs-v9_16' into 'v9_16'
[9.16] Extend artifact lifetime for release-related jobs

See merge request isc-projects/bind9!7434
2023-01-27 12:33:38 +00:00
Michał Kępień
fc0f691c5b Extend artifact lifetime for release-related jobs
Artifacts of the "stress" jobs in GitLab CI are used for generating the
QA summary for a given set of releases.  It happened in the past that
these artifacts were purged before the QA summary was prepared,
unnecessarily prolonging the release process.  A complete set of
artifacts from all such jobs for a single pipeline should be less than 1
GB in size, so extend their lifetime from one day to one week as a more
reasonable compromise between availability and disk space usage.  (Note:
these jobs are also run in scheduled pipelines, but that is expected to
be acceptable in the context of artifact lifetime.)

Artifacts of the "release" jobs in GitLab CI are what we eventually
publish on the FTP server.  It happened in the past that these artifacts
were purged before we copied them to their destination, unnecessarily
prolonging the release process, even though we usually press the "Keep"
button for the "release" jobs manually to keep them around indefinitely
(as they are the source of what we publish in other places).  Since
there is only one "release" job per tag pipeline and its artifacts only
take up tens of megabytes of space, keep the artifacts of the "release"
jobs around indefinitely by default.

(cherry picked from commit 71c9d69145)
2023-01-27 13:30:46 +01:00
Michał Kępień
7b0e57095a Merge tag 'v9_16_37' into v9_16
BIND 9.16.37
2023-01-25 21:34:55 +01:00
Mark Andrews
1c80708561 Merge branch '3799-tsan-race-between-dns_rbtnode_t-bitfields-v9_16' into 'v9_16'
[9.16] Add missing node lock when setting node->wild in rbtdb.c

See merge request isc-projects/bind9!7415
2023-01-19 14:13:13 +00:00
Mark Andrews
89f287b538 Add CHANGES for [GL #3799]
(cherry picked from commit 5c471c5d2c)
2023-01-20 00:38:43 +11:00