maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response. minlabels is the suffix length that corresponds
to the longest found existing name.
(cherry picked from commit 67f31c5046)
Prior to doing key management, BIND 9 will check if the key files on disk match the expected keys. If key files for previously observed keys have become unavailable, this will prevent the internal key manager from running.
Backport of MR !9337
Merge branch 'backport-4763-do-not-roll-if-key-files-are-missing-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9623
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously existed in the keyring, thus
blocking the keymgr. Add a test case to make sure.
(cherry picked from commit 5f552293d7)
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.
In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.
(cherry picked from commit a2317425bc)
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.
These are:
1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
in the zone, but not yet its own keys. Pregenerate signing keys and
add them to the unsigned zone as well.
2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
and added in the raw version of the zone. But the key file is stored
outside the key-directory for the given zone. Add '-K keys' to the
dnssec-keygen command.
(cherry picked from commit d1e263ef13)
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.
(cherry picked from commit 5fdad05a8a)
In this specific case the key files are temporarily unavailable, for
example because of an operator error or a mount failure. In such
cases, BIND should not try to roll over these keys.
(cherry picked from commit a3afbd9d6f)
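The pre-flight check described in the messages above, written out as an added example; this is not BIND's keymgr code, and it assumes file-based keys named in the K<zone>+<alg>+<keyid>.key/.private convention (the zone name and key ids in the fixture are made up). A setup where the .private file is intentionally absent (offline KSK, HSM-backed keys) would need a different rule than "both files must exist".

```c
/* Added example, not BIND code: before letting a key manager roll keys,
 * confirm that every key seen on an earlier run still has both of its
 * files on disk.  Naming follows the K<zone>+<alg>+<keyid>.key/.private
 * convention; the zone name and key ids used by the fixture are made up. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count the expected keys that lack a .key or a .private file in `dir`.
 * 0 means it is safe to run the key manager; anything else is treated as
 * an operational error (bad mount, deleted file) and every missing path
 * is reported so the operator can restore it instead of getting a
 * surprise rollover. */
size_t
missing_key_files(const char *dir, const char *const *basenames, size_t n) {
	static const char *const exts[] = { ".key", ".private" };
	size_t missing = 0;
	for (size_t i = 0; i < n; i++) {
		int incomplete = 0;
		for (size_t e = 0; e < 2; e++) {
			char path[4096];
			struct stat st;
			snprintf(path, sizeof(path), "%s/%s%s", dir, basenames[i], exts[e]);
			if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) {
				fprintf(stderr, "missing key file %s\n", path);
				incomplete = 1;
			}
		}
		missing += incomplete;
	}
	return missing;
}

/* Fixture (constructed data): a directory holding one complete key pair
 * and one key whose .private file is absent, as if it lived on a mount
 * that is currently unavailable. */
const char *const demo_keys[] = { "Kexample.com.+013+12345", "Kexample.com.+013+54321" };
static const char *const demo_files[] = {
	"Kexample.com.+013+12345.key", "Kexample.com.+013+12345.private",
	"Kexample.com.+013+54321.key",
};

const char *
make_demo_keydir(void) {
	static char dir[64];
	snprintf(dir, sizeof(dir), "/tmp/keydir-%ld", (long)getpid());
	if (mkdir(dir, 0700) != 0 && errno != EEXIST) return NULL;
	for (size_t i = 0; i < 3; i++) {
		char path[128];
		snprintf(path, sizeof(path), "%s/%s", dir, demo_files[i]);
		int fd = open(path, O_WRONLY | O_CREAT, 0600);
		if (fd < 0) return NULL;
		close(fd);
	}
	return dir;
}

void
remove_demo_keydir(const char *dir) {
	for (size_t i = 0; i < 3; i++) {
		char path[128];
		snprintf(path, sizeof(path), "%s/%s", dir, demo_files[i]);
		unlink(path);
	}
	rmdir(dir);
}

int
main(void) {
	const char *dir = make_demo_keydir();
	if (dir == NULL) return 1;
	size_t n = missing_key_files(dir, demo_keys, 2);
	printf("%zu of 2 keys incomplete; keymgr %s\n", n, n == 0 ? "may run" : "must not run");
	remove_demo_keydir(dir);
	return 0;
}
```

The check is deliberately coarse: a single missing file blocks the run, and the operator gets the full path in the log, which is what you want when the cause is a mount that has not come back yet.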
When running shotgun tests on tagged releases, the increased number of
jobs may cause the shotgun pipeline to take longer than 50 minutes to
finish.
Backport of MR !9599
Merge branch 'backport-nicki/increase-shotgun-pipeline-timeout-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9625
When running shotgun tests on tagged releases, the increased number of
jobs may cause the shotgun pipeline to take longer than 50 minutes to
finish.
(cherry picked from commit 3b227e1161)
This change ensures that the port is set before attempting a UDP query. Before that, a situation could arise where a previous query had completed over a different transport (one that uses a dedicated port) and then a UDP query would be attempted over the port of the previous transport.
Backport of !9618.
Merge branch 'artem-debian-bug-1059582-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9620
This commit ensures that the port is set before attempting a UDP
query. Before that, a situation could arise where a previous query had
completed over a different transport (one that uses a dedicated port)
and then a UDP query would be attempted over the port of the previous
transport.
(cherry picked from commit e390ed4421)
This release note was missing due to a malformed Merge Request title.
The text is not copied verbatim, but changed to something more release
note-like.
Backport of MR !9598
Merge branch 'backport-4460-add-missing-release-note-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9616
This release note was missing due to a malformed Merge Request title.
The text is not copied verbatim, but changed to something more release
note-like.
(manually picked from commit 5860bafc60)
Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436
Closes #4950
Backport of MR !9611
Merge branch 'backport-revert-78d48f7a-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9614
The outgoing UDP sockets enabled `SO_REUSEADDR` that allows sharing of the UDP sockets, but with one big caveat - the socket that was opened the last would get all traffic. The dispatch code would ignore the invalid responses in the dns_dispatch, but this could lead to unexpected results.
Backport of MR !9569
Merge branch 'backport-ondrej/fix-outgoing-UDP-port-selection-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9584
Currently, the outgoing UDP sockets have SO_REUSEADDR enabled
(SO_REUSEPORT on BSDs), which allows multiple UDP sockets to
bind to the same address+port. There's one caveat though - only a
single (the last one) socket is going to receive all the incoming
traffic. This in turn could lead to an incoming DNS message matching
an invalid dns_dispatch and getting dropped.
Disable setting the SO_REUSEADDR on the outgoing UDP sockets. This
needs to be done explicitly because `uv_udp_open()` silently enables the
option on the socket.
(cherry picked from commit eec30c33c2)
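To see the port-sharing behaviour the message above describes, here is an added example (not BIND or libuv code) that binds two UDP sockets to the same loopback address and port, once without and once with the reuse options. It also includes the getsockopt check you would run on a descriptor after handing it to a library, since the message says uv_udp_open() turns the option on silently. SO_REUSEPORT is set alongside SO_REUSEADDR because BSDs require it for UDP port sharing; which of the two sockets then receives a datagram is platform-dependent and is not demonstrated here.

```c
/* Added example (not BIND code): show why SO_REUSEADDR on an outgoing UDP
 * socket is dangerous.  Without the option, a second bind() to the same
 * address+port fails with EADDRINUSE; with it set on both sockets the
 * second bind() silently succeeds, so two "independent" sockets share a
 * port and only one of them will see a given incoming datagram. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a UDP socket bound to 127.0.0.1:`port` (0 = ephemeral).  If
 * `reuse` is non-zero, enable SO_REUSEADDR (and SO_REUSEPORT where the
 * platform has it, as BSDs need it for UDP port sharing) before binding.
 * Returns the descriptor, or -1 with errno set. */
static int
udp_socket(int reuse, uint16_t port, uint16_t *bound_port) {
	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0) return -1;
	int one = 1;
	if (reuse) {
		(void)setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
#ifdef SO_REUSEPORT
		(void)setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one));
#endif
	}
	struct sockaddr_in sin;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sin.sin_port = htons(port);
	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		int saved = errno;
		close(fd);
		errno = saved;
		return -1;
	}
	if (bound_port != NULL) {
		socklen_t len = sizeof(sin);
		if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
			close(fd);
			return -1;
		}
		*bound_port = ntohs(sin.sin_port);
	}
	return fd;
}

/* Bind a first socket, then try to bind a second one to the same port.
 * Returns 1 if the second bind() succeeded (the port is now shared),
 * 0 if it was refused with EADDRINUSE, -1 on any other error. */
int
second_bind_shares_port(int reuse) {
	uint16_t port;
	int a = udp_socket(reuse, 0, &port);
	if (a < 0) return -1;
	int b = udp_socket(reuse, port, NULL);
	int result;
	if (b >= 0) { result = 1; close(b); }
	else if (errno == EADDRINUSE) result = 0;
	else result = -1;
	close(a);
	return result;
}

/* Is SO_REUSEADDR set on an already-open descriptor?  This is the check
 * to run on a socket after passing it to a library that may enable the
 * option behind your back.  Returns 1/0, or -1 on error. */
int
reuseaddr_enabled(int fd) {
	int val = 0;
	socklen_t len = sizeof(val);
	if (getsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &val, &len) < 0) return -1;
	return val != 0;
}

int
main(void) {
	printf("without reuse, second bind shares port: %d\n", second_bind_shares_port(0));
	printf("with reuse,    second bind shares port: %d\n", second_bind_shares_port(1));
	return 0;
}
```

The fix in the message is the mirror image of `udp_socket(1, ...)`: explicitly clear SO_REUSEADDR after the library has opened the socket, so that the kernel hands the resolver a port nobody else in the process can bind.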
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be the same when both calls are executed at the same time.
Backport of MR !9460
Merge branch 'backport-ondrej/use-release-memory-ordering-for-reference-counting-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9568
As the relaxed memory ordering doesn't ensure any memory
synchronization, it is possible that the increment will succeed even
in the case when it should not - there is a race between
atomic_fetch_sub(..., acq_rel) and atomic_fetch_add(..., relaxed).
Only the result is consistent, but the previous value for both calls
could be the same when both calls are executed at the same time.
(cherry picked from commit 88227ea665)
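An added example of the ordering discipline the message argues for; this is not BIND's isc_refcount, just a minimal C11 reference counter. Both the increment and the decrement use memory_order_acq_rel so that the decrement's release pairs with the increment's acquire, and a separate "increment only if still alive" operation uses a compare-and-swap loop that refuses to take a zero count back to one. The threaded stress function only shows the counter stays consistent under contention; a relaxed increment is wrong because of what it fails to order, which no single run can prove.

```c
/* Added example (not BIND's isc_refcount): a reference counter whose
 * increment and decrement both use acquire/release ordering, plus an
 * "increment only if still alive" operation.  With a relaxed increment,
 * a thread could observe a stale pre-decrement count, add to it, and
 * keep using an object another thread has just released for the last
 * time; a compare-and-swap with acq_rel refuses to revive a zero count. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { atomic_uint_fast32_t count; } refcount_t;

void refcount_init(refcount_t *r, uint_fast32_t n) { atomic_init(&r->count, n); }

/* Plain increment: the caller already holds a reference, so the count is
 * known to be non-zero.  acq_rel pairs with the release side of
 * refcount_decrement so that writes made by the thread that last touched
 * the object are visible to this one.  Returns the new count. */
uint_fast32_t refcount_increment(refcount_t *r) {
	uint_fast32_t prev = atomic_fetch_add_explicit(&r->count, 1, memory_order_acq_rel);
	return prev + 1;
}

/* Decrement; returns true when this call dropped the count to zero,
 * i.e. the caller is now responsible for destroying the object. */
bool refcount_decrement(refcount_t *r) {
	uint_fast32_t prev = atomic_fetch_sub_explicit(&r->count, 1, memory_order_acq_rel);
	return prev == 1;
}

/* Increment only if the object is still alive (count > 0).  For code that
 * found the object through a table or cache and does not yet hold a
 * reference.  Returns false if the count was already zero. */
bool refcount_try_increment(refcount_t *r) {
	uint_fast32_t cur = atomic_load_explicit(&r->count, memory_order_acquire);
	while (cur != 0) {
		if (atomic_compare_exchange_weak_explicit(&r->count, &cur, cur + 1,
		                                          memory_order_acq_rel,
		                                          memory_order_acquire)) {
			return true;
		}
		/* on failure `cur` now holds the current value; re-check it */
	}
	return false;
}

uint_fast32_t refcount_current(refcount_t *r) {
	return atomic_load_explicit(&r->count, memory_order_acquire);
}

/* Stress: NTHREADS threads each do ITERS increment/decrement pairs on one
 * counter that starts at 1.  The count must still be 1 afterwards and no
 * decrement may ever have reported "last reference". */
#define NTHREADS 4
#define ITERS 20000
typedef struct { refcount_t *r; int false_zero; } worker_t;

static void *worker(void *arg) {
	worker_t *w = arg;
	for (int i = 0; i < ITERS; i++) {
		refcount_increment(w->r);
		if (refcount_decrement(w->r)) w->false_zero++;
	}
	return NULL;
}

/* Returns the final count, or 0 if any worker saw a spurious zero. */
uint_fast32_t refcount_stress(void) {
	refcount_t r;
	refcount_init(&r, 1);
	pthread_t th[NTHREADS];
	worker_t w[NTHREADS];
	for (int i = 0; i < NTHREADS; i++) {
		w[i].r = &r;
		w[i].false_zero = 0;
		pthread_create(&th[i], NULL, worker, &w[i]);
	}
	for (int i = 0; i < NTHREADS; i++) pthread_join(th[i], NULL);
	for (int i = 0; i < NTHREADS; i++) if (w[i].false_zero) return 0;
	return refcount_current(&r);
}

int main(void) {
	refcount_t r;
	refcount_init(&r, 1);
	printf("decrement reached zero: %d\n", refcount_decrement(&r));
	printf("try_increment on dead object: %d\n", refcount_try_increment(&r));
	printf("stress final count: %lu\n", (unsigned long)refcount_stress());
	return 0;
}
```

The point of refcount_try_increment is the one the message makes: an unconditional fetch_add can "succeed" from zero, and with relaxed ordering the caller has no guarantee it is even looking at the post-decrement value, so the only safe way to take a reference you did not already hold is a compare-and-swap that checks for zero and orders against the release in the decrement.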
The `dns.query.udp` and `dns.query.tcp` methods are [prone to timeouts](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4785053); their `isctest.query` equivalents should be used in system tests instead.
Backport of MR !9560
Merge branch 'backport-mnowak/convert-dns-query-udp-and-tcp-to-isctest-query-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9575
Static-stub addresses and addresses from other sources were being
mixed together, resulting in static-stub queries going to addresses
not specified in the configuration, or alternatively, static-stub
addresses being used instead of the correct server addresses.
Closes #4850
Backport of MR !9314
Merge branch 'backport-4850-add-an-additional-class-of-names-to-adb-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9572
Static-stub addresses and addresses from other sources were being
mixed together, resulting in static-stub queries going to addresses
not specified in the configuration or, alternatively, static-stub
addresses being used instead of the real addresses.
(cherry picked from commit b3a2c790f3)
Add the new record type WALLET (262). This provides a mapping from a domain name to a cryptographic currency wallet. Multiple mappings can exist if multiple records exist.
Closes #4947
Backport of MR !9521
Merge branch 'backport-4947-add-wallet-type-to-named-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9555
The ans4 server wasn't shutting down cleanly sometimes. Check that read returns the
expected value for the message length or exit the read loop.
Closes #4301
Backport of MR !9537
Merge branch 'backport-4301-check-read-value-in-ans4-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9546
The ans4 server wasn't shutting down cleanly sometimes. Check that
read returns the expected value for the message length or exit the
read loop.
(cherry picked from commit 21baad0a8f)
Keeping a single changelog file creates annoying conflicts when rebasing
the -S version. To eliminate these, keep the changelog for each version
in a separate file and also create files for the -S versions to include
them in the docs. In the open source version, these files will remain
empty and thus won't affect the documentation, while in the -S edition
they'll be filled in and included without introducing any conflicts.
---
Closes #4946
Merge branch 'nicki/reorganize-changelog-docfiles' into 'bind-9.18'
See merge request isc-projects/bind9!9528
Since the changes aren't tracked in the single changelog.rst file,
generate the changelog to stdout instead, so it can be easily redirected
to the proper file.
Keeping a single changelog file creates annoying conflicts when rebasing
the -S version. To eliminate these, keep the changelog for each version
in a separate file and also create files for the -S versions to include
them in the docs. In the open source version, these files will remain
empty and thus won't affect the documentation, while in the -S edition
they'll be filled in and included without introducing any conflicts.
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.
Also, see isc-projects/bind9#4943.
Backport of MR !9507
Merge branch 'backport-mnowak/shutdown-downgrade-timeout-and-attempts-arguments-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9542
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.
(cherry picked from commit 463ab2f3f5)