When copying metadata from one dst_key to another, when the source
dst_key has a boolean metadata unset, the destination dst_key will
have a numeric metadata unset instead.
This means that if a key has KSK or ZSK unset, we may be clearing the
Predecessor or Successor metadata in the destination dst_key.
(cherry picked from commit 94bb545087)
Add a test case to the dnssec system test to check that:
- a zone with a prepublished key is only signed with the active key.
- a zone with an inactive key but valid signatures retains those
signatures and does not add signatures from the successor key.
- signatures are swapped in a zone when signatures of the inactive
predecessor key are within the refresh interval.
(cherry picked from commit 35efbc270f)
When signing with a ZSK, check if it has a predecessor. If so, and if
the predecessor key is sane (same algorithm, key id matches predecessor
value, is zsk), check if the RRset is signed with this key. If so, skip
signing with this successor key. Otherwise, do sign with the successor
key.
This change means we also need to apply the interval to keys that are
not actively signing. In other words, 'expired' is always
'isc_serial_gt(now + cycle, rrsig.timeexpire)'.
Fix a print style issue ("removing signature by ..." was untabbed).
(cherry picked from commit 837adb93d3)
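The decision rule described in the commit above, as an added illustration that is not BIND's own code: a 32-bit serial comparison standing in for `isc_serial_gt`, the "expired within the refresh cycle" test applied regardless of whether the key is active, and the skip-successor check. Key and signature structures and all sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* RFC 1982 serial comparison on 32-bit values, modelled on isc_serial_gt:
 * true when a is "greater than" b in serial-number arithmetic. */
static bool serial_gt(uint32_t a, uint32_t b) {
    return (a < b && (b - a) > 0x7fffffffU) ||
           (a > b && (a - b) < 0x80000000U);
}

/* A signature counts as expired for re-signing purposes when its expiry
 * falls inside the refresh cycle; this is applied to every key, active
 * or not, exactly as the commit message states. */
static bool rrsig_expired(uint32_t now, uint32_t cycle, uint32_t timeexpire) {
    return serial_gt(now + cycle, timeexpire);
}

/* Constructed minimal views of an RRSIG and of a signing key. */
typedef struct { uint8_t algorithm; uint16_t keyid; uint32_t timeexpire; } rrsig_t;
typedef struct {
    uint8_t algorithm;
    uint16_t keyid;
    bool is_zsk;
    bool has_predecessor;
    uint16_t predecessor; /* key id taken from the Predecessor metadata */
} signing_key_t;

/* Should this ZSK sign the RRset? Skip only when a sane predecessor
 * (same algorithm, id matches the metadata, also a ZSK) still holds an
 * unexpired signature over the RRset; otherwise sign with the successor. */
static bool should_sign(const signing_key_t *key, const signing_key_t *pred,
                        const rrsig_t *sigs, size_t nsigs,
                        uint32_t now, uint32_t cycle) {
    if (!key->is_zsk || !key->has_predecessor || pred == NULL)
        return true;
    if (pred->algorithm != key->algorithm || pred->keyid != key->predecessor ||
        !pred->is_zsk)
        return true; /* predecessor is not sane: ignore it and sign */
    for (size_t i = 0; i < nsigs; i++) {
        if (sigs[i].algorithm == pred->algorithm && sigs[i].keyid == pred->keyid &&
            !rrsig_expired(now, cycle, sigs[i].timeexpire))
            return false; /* predecessor's signature still valid: do not double-sign */
    }
    return true;
}
```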
In the "Migrating from NSEC to NSEC3" section, it says:
    dnssec-policy "standard" {
        nsec3param iterations optout no salt-length 16;
    };
There should be an integer after "iterations". Based on the following
text, the number of iterations should be 10.
(cherry picked from commit 9e109191cc)
respdiff needs to be run regularly to identify problems with query
response discrepancies sooner than after tagging a release.
Contrary to the main branch, which hosts the BIND 9 Development Version
and thus sets the MAX_DISAGREEMENTS_PERCENTAGE variable to 0.5, branches
hosting BIND 9 Stable Versions have it set to 0.1, which provides only
tiny room for non-timeout response disagreements between the baseline
version and the version under test.
(cherry picked from commit 561b58196b)
Increasing the nodelock count had a major impact on the memory footprint
in scenarios where multiple rbtdb structures would be created, such as
hosting many zones in a single server.
This reverts commit 0344684385 and sets
the nodelock count to previously used values.
The FreeBSD 13 EXTRA_CONFIGURE variable contains only the invalid
WITH_READLINE_LIBEDIT variable, which slipped in ddf03e while
backporting and should not be present at all.