BIND can log this warning:
zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
missing or inactive and has no replacement: retaining signatures.
This log can happen when BIND tries to remove signatures because the
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files has been removed from disk. When we have
created a new ZSK we can replace the signatures creeated by the KSK
with signatures from the new ZSK.
It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.
The warning is logged if BIND detects the private ZSK file is missing.
The warning is logged even if we were able to delete the signature.
With the change from this commit it only logs this warning if it is not
okay to delete the signature.
(cherry picked from commit 2d2858841a)
If a catz event is scheduled while the task manager was being
shut down, task-exclusive mode is unavailable. This needs to be
handled as an error rather than triggering an assertion.
(cherry picked from commit 973ac1d891)
When the signed version of an inline-signed zone is dumped to disk, the
serial number of the unsigned version of the zone is written in the
raw-format header so that the contents of the signed zone can be
resynchronized after named restart if the unsigned zone file is
modified while named is not running (see RT #26676).
In order for the serial number of the unsigned zone to be determined
during the dump, zone->raw must be set to a non-NULL value. This
should always be the case as long as the signed version of the zone is
used for anything by named.
However, under certain circumstances the zone->raw could be set to NULL
while the zone is being dumped.
Defer detaching from zone->raw in zone_shutdown() if the zone is in the
process of being dumped to disk.
(cherry picked from commit cc1d4e1aa6)
A kasp structure was not detached when looking to see if there
was an existing kasp structure with the same name, causing memory
to be leaked. Fixed by calling dns_kasp_detach() to release the
reference.
(cherry picked from commit 694440e614)
Add a comment explaining the purpose of setting the "today" variable in
Sphinx invocations to prevent confusion caused by the absence of that
variable from reStructuredText sources.
(cherry picked from commit e67cdb390a)
Some Sphinx variables used in the ARM are only set in
doc/arm/Makefile.in. This works fine when building the ARM using
"make", but does not work with Read the Docs, which only looks at
conf.py files.
Since Read the Docs does not run ./configure, renaming conf.py to
conf.py.in and using Autoconf output variables is not a feasible
solution.
Instead, extend doc/arm/conf.py with some Python code which processes
the "version" file using regular expressions and sets the relevant
Sphinx variables accordingly. As this solution also works fine when
building the ARM using "make", drop the relevant -D options from the
list of sphinx-build options used for building the ARM in
doc/arm/Makefile.in.
Note that the man_SPHINXOPTS counterparts of the removed -D switches are
left intact because doc/man/conf.py is a separate Sphinx project which
is only processed using "make" and duplicating the Python code added to
doc/arm/conf.py by this commit would be inelegant.
(cherry picked from commit 38d251e11b)
This prevents resolver timeouts for the reference (BIND 9.11) servers
used in respdiff tests run on Debian 11 "bullseye".
(cherry picked from commit 4d7e343813)
"buster" jobs are now only going to be run in scheduled pipelines.
"--without-gssapi" ./configure option of "bullseye" before it became
the base image is dropped from "bullseye"-the-base-image because it
reduces gcov coverage by 0.38 % (651 lines) and is used in Debian 9
"stretch".
(cherry picked from commit 910d595fbc)
To prevent any conflict in the future, avoid ldap_ prefix in any
internal functions. Keep it reserved for openldap only.
(cherry picked from commit 7bce3e7791)
ldap_connect is defined by OpenLDAP 2.6. Compiler complains there are
conflicting declarations. Use dlz_ldap prefix instead of ldap to avoid
conflict.
(cherry picked from commit 49e523e56f)
Commit e8d8b43e dropped dependency of "respdiff" and
"respdiff-third-party" jobs on "tarball-create" job because these jobs
don't need to depend on in (e.g., for its artifacts). This, however,
caused that respdiff jobs weren't started out-of-order and artifacts
from all the "Build" stage jobs plus "unit:gcc:buster:amd64" job were
downloaded to project directory and caused problems with compilation:
Originally, the dependency on "tarball-create" has been added in
704eeb32 to indicate that respdiff "is meant to operate on two different
BIND versions". It seems that the intent didn't work out, and we better
make it obvious that respdiff jobs don't depend on any other job and
should be run out-of-order.
(cherry picked from commit 87578efc71)
The order of directories with reference and test BIND 9 are now reversed
for respdiff.sh.
The data.mdb file has more than 10 GB and makes artifact download take
an unnecessarily long time.
(cherry picked from commit 2ececf2c02)
Support for FreeBSD 11.4, the last FreeBSD 11.x release, ended on
September 30, 2021.
The "--with-readline" ./configure option has been added to gcc:sid:amd64
CI job; otherwise, it would be lost with the FreeBSD 11 removal.
Link: https://www.freebsd.org/security/unsupported/
(cherry picked from commit 981579f379)