The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
(cherry picked from commit 43ac2cd229)
Checks that there is a revoked key in the DNSKEY RRset then checks
that only the correct number of DS records are produced.
(cherry picked from commit e7a3ada1d2)
it is pointless to convert revoked keys to DS or CDS records as
they cannot be used to provide a cryptographic link from the parent
zone.
(cherry picked from commit 04a5529c2d)
We are not back porting OpenSSL 3.0.0 fixes to this branch so there
is no point in emitting warnings about using deprecated code.
Additionally this impacts --enable-developer and --enable-warn-error.
Use relative names when adding SOA record and a long domain
name to create SOA RR where the wire format is longer than
the initial buffer allocation in dns_sdlz_putrr.
(cherry picked from commit 6dc5248606)
The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer. If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.
(cherry picked from commit 08f1cba096)
In file included from rdata.c:602:
In file included from ./code.h:88:
./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (!isdigit(*region->base)) {
^~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
#define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
^~~~
(cherry picked from commit d09447287f)
The documentation was inconsistent with the code. The new description
for cookie-algorithm now reflects the current behavior.
The following two commits are the relevant code changes to this
section of docs: afa81ee4a912f313
(cherry picked from commit b29a748119)
mdig was always using the default 1024-65535 range for outgoing
messages, instead of using the system's configured ephemeral ports.
(cherry picked from commit 0fecb10c17)
The sed expression could find the wrong instance of 10.
Use awk to replace the TTL field and also to specify the
server and issue the send command.
(cherry picked from commit be879cda72)
The old .gitlab-ci.yaml accidentally worked because pylint
was importing modules internally, probably as a side-effect
of testing other code.
This pylint invocation errors out when PYTHONPATH is not set:
$ pylint --rcfile $CI_PROJECT_DIR/.pylintrc bin/tests/system/keymgr/testpolicy.py
************* Module testpolicy
bin/tests/system/keymgr/testpolicy.py:13:0: E0401: Unable to import 'isc' (import-error)
And this invocation works even without PYTHONPATH:
$ pylint --rcfile $CI_PROJECT_DIR/.pylintrc bin/python/setup.py bin/tests/system/keymgr/testpolicy.py
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.
(cherry picked from commit 49da19c353)
Gitlab feature
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
can automatically cancel jobs which operate on an outdated code, i.e. on
branches which received new commits while jobs with an older set of
commits are still running. For this feature to work jobs have to be
configured with boolean interruptible: true.
I think practically all of our current CI jobs can be cancelled,
so the option is now on by default for all jobs.
It's major PITA trying to guess what exactly clang-format has changed,
so how CI stores patch file with changes which can be applied locally if
needed.
(cherry picked from commit ca4393fc9f)
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.
dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.
dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
When comparing different parameters of two RSA keys there is a typo
which causes the "p" prime factors to not being compared.
Fix the typo.
(cherry picked from commit 930e4f52a5)