Commit Graph

34837 Commits

Author SHA1 Message Date
Petr Špaček
62a0d10014 Document that update-policy external is synchronous
(cherry picked from commit 7d352741a0)
2022-11-11 11:15:54 +01:00
Mark Andrews
0fcec7a22c Merge branch '3630-nextpart-is-not-compatible-with-set-x-v9_16' into 'v9_16'
Resolve "'nextpart' is not compatible with 'set -x'" [v9_16]

See merge request isc-projects/bind9!7061
2022-11-08 17:50:26 +00:00
Mark Andrews
8cda49f604 Use file descriptor 3 to save file.prev
If 'set -x' is in effect file.prev gets populated with debugging output.
To prevent this open descriptor 3 and redirect stderr from the awk
command to descriptor 3. Debugging output will stay directed to stderr.

(cherry picked from commit 10f67938db)
2022-11-08 16:44:05 +00:00
Tom Krizek
f7ad072501 Merge branch 'tkrizek/danger-approve-v9_16' into 'v9_16'
ci: add danger checks - approve workflow & wip commits [v9_16]

See merge request isc-projects/bind9!7058
2022-11-08 13:41:55 +00:00
Tom Krizek
df30dffdd1 Check for cherry pick message in backport commits in danger CI
Using the -x option for cherry pick makes it easy to link commits across
branches and it is recommended to use for all backport commits (with
exceptions -- thus a warning level rather than failure).

(cherry picked from commit 5ecb277090)
2022-11-08 14:40:14 +01:00
Tom Krizek
f8ed380890 Detect work-in-progress commits in danger CI
To avoid accidentally merging unfinished work, detect prohibited
keywords at the start of the subject line. If the first word is any of
the following, fail the check:
WIP, wip, DROP, drop, TODO, todo

The only slightly controversial is the lowercase "drop" which might have
a legitimate use - seems like four commits in the history used it as a
start of a sentence. However, since people commonly use "drop" to
indicate a commit should be dropped before merging, let's prohibit it as
well. In case of false-positive, "Drop" with a capitalized first letter
can always be used.

(cherry picked from commit 402b11431c)
2022-11-08 14:40:14 +01:00
Tom Krizek
3a6e014b20 Use approve button workflow in danger CI
Since the LGTM label was deprecated in favor of using the Approve button
in gitlab, adjust the detection in danger bot.

Unfortunately, danger-python seems no longer maintained since 2020 and
MR approvals aren't available in its Python API (even though they're
supported in its Ruby/JS APIs). Going forward, let's use the more
comprehensive python-gitlab API.

It still makes sense to utilize the danger-python, since it handles the
integration with gitlab which doesn't need to be reimplemented as long
as it works - same with the other checks.

(cherry picked from commit e901342dd9)
2022-11-08 14:40:08 +01:00
Michał Kępień
04e434f113 Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.36' into 'v9_16'
Set up version and release notes for BIND 9.16.36

See merge request isc-projects/bind9!7055
2022-11-08 12:30:14 +00:00
Michał Kępień
cc71b0afb0 Set up release notes for BIND 9.16.36 2022-11-08 13:24:19 +01:00
Michał Kępień
74ff93af19 Update BIND version to 9.16.36-dev 2022-11-08 13:24:19 +01:00
Michał Kępień
8d15ce5ff0 Merge branch 'pspacek/doc-known-issues-reshuffle-v9_16' into 'v9_16'
[v9_16] Repeat Known Issues at the top of Release Notes page

See merge request isc-projects/bind9!7044
2022-11-07 14:10:58 +00:00
Petr Špaček
04cd80c0f5 Repeat Known Issues at the top of Release Notes page
From now on all per-version notes link to the global list
of Known Issues. If there is a new note it should be listed twice:
In the per-version list, and in the global list.

(cherry picked from commit c58dd2790a)
2022-11-07 15:04:23 +01:00
Michał Kępień
9b22c414ce Merge branch '3652-reference-manual-update-policies-unmatched-parenthesis-v9_16' into 'v9_16'
[v9_16] Add missing closing ')' to update-policy documentation

See merge request isc-projects/bind9!7039
2022-11-07 12:49:55 +00:00
Mark Andrews
bf3a8c7de9 Add missing closing ')' to update-policy documentation
The opening '(' before local was not being matched by a closing
')' after the closing '};'.

(cherry picked from commit 044c3b2bb8)
2022-11-07 13:08:20 +01:00
Michał Kępień
a9f5cbb4da Merge branch 'each-dupsigs-test-v9_16' into 'v9_16'
make dupsigs test less timing-sensitive [v9_16]

See merge request isc-projects/bind9!7037
2022-11-07 10:56:01 +00:00
Evan Hunt
4840d6f9c9 make dupsigs test less timing-sensitive
the dupsigs test is prone to failing on slow CI machines
because the first test can occur before the zone is fully
signed.

instead of just waiting ten seconds arbitrarily, we now
check every second, and allow up to 30 seconds before giving
up.

(cherry picked from commit d9b85cbaae)
2022-11-07 10:29:00 +01:00
Tom Krizek
149bda2764 Merge branch 'tkrizek/revert-random-algorithm-randomization' into 'v9_16'
Revert "Merge branch '3503-random-default-algorithm-in-tests-v9_16' into 'v9_16'"

See merge request isc-projects/bind9!7019
2022-11-04 09:32:02 +00:00
Tom Krizek
a1fd85ac70 Revert "Merge branch '3503-random-default-algorithm-in-tests-v9_16' into 'v9_16'"
This reverts commit a7ac1e0105, reversing
changes made to d690c55ed7.
2022-11-04 10:08:51 +01:00
Ondřej Surý
4e326b23fb Merge branch '3643-dont-use-dns_zone_attach-in-zone_refreshkeys-v9_16' into 'v9_16'
Don't use dns_zone_attach() in zone_refreshkeys() [9.16]

See merge request isc-projects/bind9!7026
2022-11-03 15:10:06 +00:00
Ondřej Surý
a6e3fc20d0 Don't use dns_zone_attach() in zone_refreshkeys()
The zone_refreshkeys() could run before the zone_shutdown(), but after
the last .erefs has been "detached" causing assertion failure when doing
dns_zone_attach().  Remove the use of .erefs (dns_zone_attach/detach)
and replace it with using the .irefs and additional checks whether the
zone is exiting in the callbacks.

(cherry picked from commit 80e66fbd2d)
2022-11-03 15:35:58 +01:00
Matthijs Mekking
aee91a01b4 Merge branch '3591-nsec3-crash-dynamic-to-inline-signing-v9_16' into 'v9_16'
[v9_16] Fix crash where dnssec-policy zone with NSEC3 crashes when inline-signing is turned on

See merge request isc-projects/bind9!7021
2022-11-03 14:31:24 +00:00
Matthijs Mekking
23f87f5ca7 Add release note and change for GL #3591
Breaking news.

(cherry picked from commit 1cf2f6fe68)
2022-11-03 14:45:12 +01:00
Matthijs Mekking
e4808e1f5f If a zone is not reusable, trigger full sign
If after a reconfig a zone is not reusable because inline-signing
was turned on/off, trigger a full resign. This is necessary because
otherwise the zone maintenance may decide to only apply the changes
in the journal, leaving the zone in an inconsistent DNSSEC state.

(cherry picked from commit 4d143f2cc4)
2022-11-03 14:44:41 +01:00
Matthijs Mekking
949768b252 Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.

(cherry picked from commit 332b98ae49)
2022-11-03 14:44:35 +01:00
Matthijs Mekking
9533b68089 Remove checks when going to dnssec-policy none
The changes in the code have the side effect that the CDNSKEY and CDS
records in the secure version of the zone are not reusable and thus
are thrashed from the zone. Remove the apex checks for this use case.
We only care about that the zone is not immediately goes bogus, but
a user really should use the built-in "insecure" policy when unsigning
a zone.

(cherry picked from commit bc703a12e7)
2022-11-03 14:41:31 +01:00
Matthijs Mekking
3656e8c967 Add nsec3 system test that transfers in NSEC3
Similar to an attempt to add NSEC through dynamic update, add a test
case that tries to add NSEC3 through zone transfer.

(cherry picked from commit ef1cb9935c)
2022-11-03 14:41:23 +01:00
Matthijs Mekking
ee18cfe215 Add two more nsec3 system tests
Add one more case that tests reconfiguring a zone to turn off
inline-signing. It should still be a valid DNSSEC zone and the NSEC3
parameters should not change.

Add another test to ensure that you cannot update the zone with a
NSEC3 record.

(cherry picked from commit 4cd8e8e9c3)
2022-11-03 14:41:05 +01:00
Matthijs Mekking
8f6efb8446 Update kasp system test to work with .signed files
We no longer accept copying DNSSEC records from the raw zone to
the secure zone, so update the kasp system test that relies on this
accordingly.

Also add more debugging and store the dnssec-verify results in a file.

(cherry picked from commit 57ea9e08c6)
2022-11-03 14:39:38 +01:00
Matthijs Mekking
9bef41046f Test changing from dynamic to inline-signing
Add a kasp system test that reconfigures a dnssec-policy zone from
maintaining DNSSEC records directly to the zone to using inline-signing.

Add a similar test case to the nsec3 system test, testing the same
thing but now with NSEC3 in use.

(cherry picked from commit 9018fbb205)
2022-11-03 14:39:23 +01:00
Tom Krizek
a7ac1e0105 Merge branch '3503-random-default-algorithm-in-tests-v9_16' into 'v9_16'
Random selection of DEFAULT_ALGORITHM in system tests at runtime [v9_16]

See merge request isc-projects/bind9!6994
2022-11-01 18:52:54 +00:00
Tom Krizek
df436ed93b ci: disable algorithm support checking in softhsm
The algorithm support detection script doesn't seem to work when using
the SoftHSM module. For some reason, dnssec-keygen returns 'crypto
failure'. Since the tests themselves pass, this is likely to be some
bug/definiency in the test scripts that check algorithm support that get
confused by SoftHSM.

Since this issue only happens for the system:gcc:softhsm2.6 job in the
9.16 branch, use a workaround to not introduce this new feature for
this particular problematic job.
2022-11-01 19:51:52 +01:00
Tom Krizek
b5946acfc9 Randomize algorithm selection for mkeys test
Use the ALGORITHM_SET option to use randomly selected default algorithm
in this test. Make sure the test works by using variables instead of
hard-coding values.

(cherry picked from commit f65f276f98)
2022-11-01 19:51:52 +01:00
Tom Krizek
8a6fc2d20e Set algorithms for system tests at runtime
Use the get_algorithms.py script to detect supported algorithms and
select random algorithms to use for the tests.

Make sure to load common.conf.sh after KEYGEN env var is exported.

(cherry picked from commit 69b608ee9f)
2022-11-01 19:51:52 +01:00
Tom Krizek
8b5a9c185a Script for random algorithm selection in system tests
Multiple algorithm sets can be defined in this script. These can be
selected via the ALGORITHM_SET environment variable. For compatibility
reasons, "stable" set contains the currently used algorithms, since our
system tests need some changes before being compatible with randomly
selected algorithms.

The script operation is similar to the get_ports.py - environment
variables are created and then printed out as `export NAME=VALUE`
commands, to be interpreted by shell. Once we support pytest runner for
system tests, this should be a fixture instead.

(cherry picked from commit 5f480c8485)
2022-11-01 19:51:52 +01:00
Tom Krizek
ae86743e7b Export env variables in system tests
Certain variables have to be exported in order for the system tests to
work. It makes little sense to export the variables in one place/script
while they're defined in another place.

Since it makes no harm, export all the variables to make the behaviour
more predictable and consistent. Previously, some variables were
exported as environment variables, while others were just shell
variables which could be used once the configuration was sourced from
another script. However, they wouldn't be exposed to spawned processes.

For simplicity sake (and for the upcoming effort to run system tests
with pytest), export all variables that are used. TESTS, PARALLEL_UNIX
and SUBDIRS variables are automake-specific, aren't used anywhere else
and thus not exported.

(cherry picked from commit 37d14c69c0)
2022-11-01 19:51:52 +01:00
Tom Krizek
edd923e8eb Support testcrypto.sh usage without including conf.sh
The only variable really needed for the script to work is the path to
the $KEYGEN binary. Allow setting this via an environment variable to
avoid loading conf.sh (and causing a chicken-egg problem). Also make
testcrypto.sh executable to allow its use from conf.sh.

(cherry picked from commit bb1c6bbdc7)
2022-11-01 19:51:52 +01:00
Tom Krizek
a51b0ad31f Unify indentation level in testcrypto.sh
(cherry picked from commit 01b293b055)
2022-11-01 19:51:49 +01:00
Arаm Sаrgsyаn
d690c55ed7 Merge branch '2895-named-can-create-unrecoverable-managed-keys-v9_16' into 'v9_16'
[v9_16] Don't trust a placeholder KEYDATA record

See merge request isc-projects/bind9!7009
2022-11-01 12:11:16 +00:00
Aram Sargsyan
854b2cf182 Add CHANGES and release notes for [GL #2895]
(cherry picked from commit 3bf4bc7336)
2022-11-01 11:20:25 +00:00
Aram Sargsyan
78e04d8d0c Don't trust a placeholder KEYDATA record
When named starts it creates an empty KEYDATA record in the managed-keys
zone as a placeholder, then schedules a key refresh. If key refresh
fails for some reason (e.g. connectivity problems), named will load the
placeholder key into secroots as a trusted key during the next startup,
which will break the chain of trust, and named will never recover from
that state until managed-keys.bind and managed-keys.bind.jnl files are
manually deleted before (re)starting named again.

Before calling load_secroots(), check that we are not dealing with a
placeholder.

(cherry picked from commit 354ae2d7e3)
2022-11-01 10:55:38 +00:00
Aram Sargsyan
f12260c435 Test managed-keys placeholder
Add a dnssec test to make sure that named can correctly process a
managed-keys zone with a placeholder KEYDATA record.

(cherry picked from commit 8c48eabbc1)
2022-11-01 10:55:19 +00:00
Evan Hunt
946c389254 Merge branch '3617-keyfetch-race-v9_18-v9_16' into 'v9_16'
Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()

See merge request isc-projects/bind9!7007
2022-11-01 09:22:52 +00:00
Evan Hunt
90c41d41d7 CHANGES for [GL #3617] 2022-11-01 01:46:39 -07:00
Evan Hunt
8010389902 Call dns_resolver_createfetch() asynchronously in zone_refreshkeys()
Because dns_resolver_createfetch() locks the view, it was necessary
to unlock the zone in zone_refreshkeys() before calling it in order
to maintain the lock order, and relock afterward. this permitted a race
with dns_zone_synckeyzone().

This commit moves the call to dns_resolver_createfetch() into a separate
function which is called asynchronously after the zone has been
unlocked.

The keyfetch object now attaches to the zone to ensure that
it won't be shut down before the asynchronous call completes.

This necessitated refactoring dns_zone_detach() so it always runs
unlocked. For managed zones it schedules zone_shutdown() to
run asynchronously; for unmanaged zones there is no task.
2022-11-01 01:46:17 -07:00
Tom Krizek
2e7f973c6e Merge branch '3517-serve-stale-cache-timeout-0-test-v9_16' into 'v9_16'
[v9_16] [CVE-2022-3080] Test serve stale cache with timeout 0 and CNAME

See merge request isc-projects/bind9!6977
2022-10-24 13:08:48 +00:00
Tom Krizek
29782e5613 Remove misleading comment from serve-stale test
The stale-answer-client-timeout option is not set to 0 in the config
neither is it the default value. This was probably caused by a
copy-paste error.
2022-10-24 14:39:48 +02:00
Tom Krizek
01293b86d9 Test serve stale cache with timeout 0 and CNAME
Add a couple of tests that verify the serve-stale behavior when
stale-answer-client-timeout is set to 0 and a (stale) CNAME record is
queried.

Related #3517
2022-10-24 14:39:46 +02:00
Michał Kępień
d736356e3d Merge branch 'michal/bump-sphinx-version-to-5.3.0-v9_16' into 'v9_16'
[v9_16] Bump Sphinx version to 5.3.0

See merge request isc-projects/bind9!6974
2022-10-24 09:57:45 +00:00
Michał Kępień
f93e4c160c Bump Sphinx version to 5.3.0
Make the Sphinx version listed in doc/arm/requirements.txt match the
version currently used in GitLab CI, so that Read the Docs builds the
documentation using the same Python software versions as those used in
GitLab CI.

(cherry picked from commit a8f0ab7df6)
2022-10-24 11:45:25 +02:00
Arаm Sаrgsyаn
523fa7c3a9 Merge branch '3603-resolver-prefetch-eligibility-edge-case-bug-v9_16' into 'v9_16'
[v9_16] Synchronize prefetch "trigger" and "eligibility" code and documentation

See merge request isc-projects/bind9!6970
2022-10-21 11:48:32 +00:00