Commit Graph

34547 Commits

Author SHA1 Message Date
Mark Andrews
69be4d3bdc Improve awk tests to prevent false negatives
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.

(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
2022-08-18 13:43:47 +10:00
Michal Nowak
f59757d0be Merge branch 'mnowak/coverity-scan-2022.06-v9_16' into 'v9_16'
[v9_16] Use Coverity Scan 2022.06

See merge request isc-projects/bind9!6674
2022-08-17 14:04:39 +00:00
Michal Nowak
6bf3d890b5 Use Coverity Scan 2022.06
(cherry picked from commit 3d683c704e271f1c8107a5b108c93db4bde7db7f)
2022-08-17 16:02:27 +02:00
Arаm Sаrgsyаn
ee28d4bd32 Merge branch '3492-fix-tkey.c-buildquery-cleanup-v9_16' into 'v9_16'
[v9_16] Fix tkey.c:buildquery() function's error handling

See merge request isc-projects/bind9!6671
2022-08-17 09:10:49 +00:00
Aram Sargsyan
30b1be4e59 Add CHANGES note for [GL #3492]
(cherry picked from commit 8dd12db505892640d885e81dc6701607da1df67f)
2022-08-17 08:46:31 +00:00
Aram Sargsyan
eb72c81e6a Fix tkey.c:buildquery() function's error handling
Add the missing cleanup code.

(cherry picked from commit 4237ab9550eeaea7121e3e3392fd14c26b5150f0)
2022-08-17 08:46:31 +00:00
Michal Nowak
1c6dbb5993 Merge branch 'mnowak/openbsd-7.1-v9_16' into 'v9_16'
[v9_16] Add OpenBSD 7.1

See merge request isc-projects/bind9!6667
2022-08-16 15:21:05 +00:00
Michal Nowak
591d58be6e Add OpenBSD 7.1
(cherry picked from commit 7edf8ab47cfd0cc3a633e941b2880ee11d75d6cd)
2022-08-16 17:17:34 +02:00
Michal Nowak
88aa703c75 Merge branch 'mnowak/configure-find-newer-python-versions' into 'v9_16'
Teach configure to find Python 3.9, 3.10, and 3.11

See merge request isc-projects/bind9!6662
2022-08-15 13:50:23 +00:00
Michal Nowak
d92b9a02b1 Teach configure to find Python 3.9, 3.10, and 3.11
FreeBSD does not have python3 symlink, and ./configure relies on finding
python3.X binaries instead.
2022-08-15 15:11:27 +02:00
Evan Hunt
80604b856d Merge branch '3488-prevent-adb-dump-race-v9_18-v9_16' into 'v9_16'
Lock the address entry bucket when dumping ADB namehook

See merge request isc-projects/bind9!6658
2022-08-13 00:48:17 +00:00
Evan Hunt
5aa4adc8e5 Lock the address entry bucket when dumping ADB namehook
When dumping an ADB address entry associated with a name,
the name bucket lock was held, but the entry bucket lock was
not; this could cause data races when other threads were updating
address entry info. (These races are probably not operationally
harmful, but they triggered TSAN error reports.)

(cherry picked from commit f841f545b7)
2022-08-12 17:17:43 -07:00
Michal Nowak
1c1c0e3dca Merge branch '3348-move-pkcs11-interface-test-to-debian-v9_16' into 'v9_16'
[v9_16] Move OpenSSL-based PKCS#11 interface job to Debian "bullseye"

See merge request isc-projects/bind9!6654
2022-08-12 06:50:33 +00:00
Michal Nowak
b4b865aacd Move OpenSSL-based PKCS#11 interface job to Debian "bullseye"
Fedora 36 uses OpenSSL 3.0.2 by default, but the OpenSSL engine API
which we use for PKCS#11 is deprecated in OpenSSL 3.0.0. For the
keyfromlabel system test to work operating system with OpenSSL 1.1 needs
to be used.

(cherry picked from commit 2eecebdea91868be571e3c7a5fb3324505fbd2ff)
2022-08-12 08:07:22 +02:00
Matthijs Mekking
cd43fa723c Merge branch '2982-servfail-servestale-duplicate-queries-v9_16' into 'v9_16'
[v9_16] Don't enable serve-stale on duplicate queries

See merge request isc-projects/bind9!6643
2022-08-09 09:02:31 +00:00
Matthijs Mekking
294431b8f8 Add release note and change entry for #2982
News worthy.

(cherry picked from commit 2bd4486766)
2022-08-09 09:38:23 +02:00
Matthijs Mekking
dd7dde5743 Don't enable serve-stale on duplicate queries
When checking if we should enable serve-stale, add an early out case
when the result is an error signalling a duplicate query or a query
that would be dropped.

(cherry picked from commit 059a4c2f4d)
2022-08-09 09:37:49 +02:00
Michał Kępień
44e0164b6c Merge branch 'michal/set-up-version-and-release-notes-for-bind-9.16.33' into 'v9_16'
Set up version and release notes for BIND 9.16.33

See merge request isc-projects/bind9!6634
2022-08-05 06:40:40 +00:00
Michał Kępień
571a5b7cca Set up release notes for BIND 9.16.33 2022-08-05 06:58:17 +02:00
Michał Kępień
72b16782e6 Update BIND version to 9.16.33-dev 2022-08-05 06:58:17 +02:00
Arаm Sаrgsyаn
c863061a13 Merge branch '3461-fetches-per-zone-final-log-message-v9_16' into 'v9_16'
[v9_16] Resolve "Do a better job of logging when fetches-per-zone is triggered"

See merge request isc-projects/bind9!6626
2022-08-01 14:46:29 +00:00
Aram Sargsyan
23bf8afbcb Add CHANGES and release notes for [GL #3461]
(cherry picked from commit 0d64f55f5d)
2022-08-01 14:01:37 +00:00
Aram Sargsyan
c0db0d7a8e Improve fetch limit logging
When initially hitting the `fetches-per-zone` value, a log message
is being generated for the event of dropping the first fetch, then
any further log events occur only when another fetch is being dropped
and 60 seconds have been passed since the last logged message.

That logic isn't ideal because when the counter of the outstanding
fetches reaches zero, the structure holding the counters' values will
get deleted, and the information about the dropped fetches accumulated
during the last minute will not be logged.

Improve the fcount_logspill() function to makie sure that the final
values are getting logged before the counter object gets destroyed.

(cherry picked from commit 039871ceb7)
2022-08-01 14:01:26 +00:00
Mark Andrews
6a866e30f5 Merge branch 'marka-set-suffix-in-ans.py-v9_16' into 'v9_16'
Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py [v9_16]

See merge request isc-projects/bind9!6620
2022-07-27 22:06:10 +00:00
Mark Andrews
19bf98201b Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py
initalise suffix to ""

    170        r.answer.append(
    171            dns.rrset.from_text(
    172                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
    173            )
    174        )
    175        r.flags |= dns.flags.AA
           15. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
    176    elif endswith(lqname, "icky.ptang.zoop.boing."):
           CID 350722 (#7 of 7): Bad use of null-like value (FORWARD_NULL)
           16. invalid_operation: Invalid operation on null-like value suffix.
    177        r.authority.append(
    178            dns.rrset.from_text(
    179                "icky.ptang.zoop.boing." + suffix,
    180                1,
    181                IN,
    182                SOA,
    183                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
    184            )
    185        )

(cherry picked from commit eb798d0478)
2022-07-27 14:27:26 -04:00
Matthijs Mekking
40c5816814 Merge branch '3462-rndc-dumpdb-expired-doesnt-always-work-v9_16' into 'v9_16'
[v9_16] Fix destination port extraction for client queries

See merge request isc-projects/bind9!6613
2022-07-26 08:43:39 +00:00
Matthijs Mekking
3c2f517415 Add change entry and release note for #3462
News worthy.

(cherry picked from commit 44bbc0175c)
2022-07-26 10:02:26 +02:00
Matthijs Mekking
f8ad7501dc Fix rndc dumpdb -expired for stuck cache contents
The command 'rndc dumpdb -expired' will include expired RRsets in the
output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means
that if there is a cache cleaning problem and contents are not cleaned
up, the rndc command has little diagnostic value. Fix this by including
all RRsets in the dumpdb output if the '-expired' flag is set.

(cherry picked from commit 930ba2c914)
2022-07-26 10:02:15 +02:00
Mark Andrews
24bb1d109c Merge branch '3469-auto-disable-rsasha1-and-nsec3rsasha1-when-not-supported-by-the-os-v9_16' into 'v9_16'
Check that we can verify a signature at initialisation time [v9_16]

See merge request isc-projects/bind9!6615
2022-07-25 15:59:21 +00:00
Mark Andrews
8be8257914 Add release note for [GL #3469]
(cherry picked from commit 16b133af40)
2022-07-25 11:37:49 -04:00
Mark Andrews
cbd2403633 CHANGES note for [GL #3469]
(cherry picked from commit c549249cb9)
2022-07-25 11:37:49 -04:00
Mark Andrews
a1452c32ab Check that we can verify a signature at initialisation time
Fedora 33 doesn't support RSASHA1 in future mode.  There is no easy
check for this other than by attempting to perform a verification
using known good signatures.  We don't attempt to sign with RSASHA1
as that would not work in FIPS mode.  RSASHA1 is verify only.

The test vectors were generated using OpenSSL 3.0 and
util/gen-rsa-sha-vectors.c.  Rerunning will generate a new set of
test vectors as the private key is not preserved.

e.g.
	cc util/gen-rsa-sha-vectors.c -I /opt/local/include \
		-L /opt/local/lib -lcrypto

(cherry picked from commit cd3f00874f)
2022-07-25 11:37:49 -04:00
Evan Hunt
5503d9aa68 Merge branch '2918-deprecate-max-zone-ttl-v9_16' into 'v9_16'
Test dnssec-policy max-zone-ttl rejects zone with too high TTL

See merge request isc-projects/bind9!6611
2022-07-22 22:57:00 +00:00
Evan Hunt
a20584dcf8 CHANGES and release note for [GL #2918] 2022-07-22 15:24:34 -07:00
Evan Hunt
fb8f102ffc warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
2022-07-22 15:24:34 -07:00
Evan Hunt
1ed5eb38e4 clarify "max-zone-ttl" documentation
The "max-zone-ttl" option should now be configured as part of
dnssec-policy. Use of this option in zone/view/options will be ignored
in any zone that also has dnssec-policy configured.
2022-07-22 15:24:29 -07:00
Matthijs Mekking
111b215987 Reject zones with TTL higher than dnssec-policy max-zone-ttl
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.

With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
2022-07-22 13:40:12 -07:00
Matthijs Mekking
2022384b8d Test dnssec-policy max-zone-ttl rejects zone with too high TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
2022-07-22 13:39:17 -07:00
Petr Špaček
04c76d0055 Merge branch 'pspacek/minor-arm-tweaks-and-fixes-v9_16' into 'v9_16'
Fix dnssec-signzone examples in DNSSEC Guide [v9_16]

See merge request isc-projects/bind9!6604
2022-07-21 13:20:02 +00:00
Petr Špaček
a94c063c19 Avoid opt-out flag in dnssec-signzone examples
Since !6413 we discourage opt-out, so we should not be advertising it in
the examples. Even worse, it was just thrown into the command line
without even mentioning its meaning in the surrounding text.

Related: !6413
(cherry picked from commit beae857288)
2022-07-21 15:19:38 +02:00
Petr Špaček
445863c9fd Remove errorneous shell output redirection from dnssec-signzone example
The > looked like shell output redirection. It was present since we
imported DNSSEC Guide into the ARM.

(cherry picked from commit 1ab564d605)
2022-07-21 15:19:38 +02:00
Michal Nowak
a0e7b05aba Merge tag 'v9_16_31' into v9_16
BIND 9.16.31
2022-07-21 14:37:36 +02:00
Michał Kępień
55edba1dc6 Merge branch 'michal/run-a-short-respdiff-test-for-all-merge-requests-v9_16' into 'v9_16'
[v9_16] Run a short respdiff test for all merge requests

See merge request isc-projects/bind9!6591
2022-07-18 13:40:05 +00:00
Michał Kępień
1faaefd134 Run a short respdiff test for all merge requests
Running a respdiff test for every merge request would be useful for
catching protocol-breaking changes before they are applied to the source
code.  However, the existing respdiff-based tests take a while to
complete (about half an hour with our current CI infrastructure), which
does not make them a good fit for this purpose.  Add a new GitLab CI
job, "respdiff-short", which uses a smaller query set that gets
processed within a couple of minutes on our current CI infrastructure.
Rename the existing respdiff-based jobs to make distinguishing them
easier.

(cherry picked from commit 31ee43a314)
2022-07-18 15:28:21 +02:00
Michał Kępień
6b03f8bbfc Extract respdiff job definition to a YAML anchor
Ensure the common parts of all jobs using respdiff are available in the
form of a reusable YAML anchor, to reduce code duplication and to
simplify adding more respdiff-based jobs to GitLab CI.

(cherry picked from commit ca20a189f7)
2022-07-18 15:28:21 +02:00
Michał Kępień
d02d5b97f5 Use a pre-built executable as the reference named
The "respdiff" GitLab CI job compares DNS responses produced by the
current version of named with those produced by a reference version.
The latter is built from source in each "respdiff" job, despite the fact
that the reference version changes very rarely.  Use a pre-built named
executable as the reference version instead, assuming it is available in
the OS image used for "respdiff" tests.

(cherry picked from commit ab90a4705a)
2022-07-18 15:28:21 +02:00
Ondřej Surý
2e7e47f88d Merge branch '3453-cope-with-too-small-BUFSIZ-v9_16' into 'v9_16'
Increase the BUFSIZ-long buffers [v9.16]

See merge request isc-projects/bind9!6587
2022-07-15 19:48:15 +00:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Michał Kępień
cacca9bdf9 Merge branch '3443-memory-related-cleanups-v9_16' into 'v9_16'
[v9_16] Memory-related cleanups

See merge request isc-projects/bind9!6569
2022-07-15 09:01:03 +00:00
Michał Kępień
b68851773c Make "named -h" output match option-handling code
The usage instructions printed by "named -h" are missing the "external"
and "internal" flags that can be passed to the -M command-line option.
Add the missing flags to "named -h" output.
2022-07-15 10:45:34 +02:00