Use `nc` to check that multiple POST requests with non-empty HTTP
body are serviced normally by the statistics channel.
(cherry picked from commit bc32885ba981cab6308981936f49ab625af84bf2)
Update the "statschannel" system test to use the $((expression))
shell constucts instead of executing the `expr` program.
(cherry picked from commit 8034819b53789b52dd1c80b0256880b506a3f31b)
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.
(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
Before the commit some checks in the system test would try to verify
that different HTTP methods can be used and are functional. However,
until recently, it was not possible to tell from the output which
method was in fact used, so it turned out that +http-plain-get option
is broken.
This commit add the additional checks to prevent that from happening
in the future.
(cherry picked from commit 625991c810b4086a5fbfc48ecb54974f6b6e3f9a)
Support for parsing +http-plain-get and +http-plain-post options was
broken. This commit fixes that.
(cherry picked from commit fb135867644684a21d79bc3a5cebe3c83217a221)
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.
(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
Stop using a RSASHA1 fixed key in ns3's named.conf as the
trusted key and instead compute a broken digest from the
real digest to use in trusted-keys.
(cherry picked from commit be4cbe2b80)
Moves tests from being RSASHA1 based to RSASHA256 based where possible
and split out the remaining RSASHA1 based tests so that they are not
run on OS's that don't support RSASHA1.
(cherry picked from commit db028684e5)
migrate-nomatch-alglen: switched to RSASHA256 instead of RSASHA1
and the key size now changes from 2048 bits to 3072 bits instead
of 1024 bits to 2048 bits.
migrate-nomatch-algnum: switched to RSASHA256 instead of RSASHA1
as initial algorithm and adjusted mininum key size to 2048 bits.
rsasha256: adjusted minimum key size to 2048 bits.
(cherry picked from commit 048b015166)
The nsec-only.example zone was not converted as we use it to
test nsec-only DNSSEC algorithms to nsec3 conversion failure.
The subtest is skipped in fips mode.
Update "checking revoked key with duplicate key ID" test
to use FIPS compatible algorithm.
(cherry picked from commit 99ad09975e)
When DiG finishes its work with a lookup (due to success or error), it
calls the clear_current_lookup() function, which decreases the lookup's
reference count. That decrease action is the counterpart of the initial
creation of the reference counter, so this function was designed in such
a way that it should decrease the reference count only once, when there
are no more active queries in the lookup.
The way it checks whether there are any active queries is by looking
at the queries list of the lookup object - if it's NULL then there are
no active queries. But that is not always true - the cancel_lookup()
function, when canceling the queries one by one, also removes them
from the lookup's list, but in NSSEARCH mode, when the queries are
working in parallel, some of those queries can be still active. And
when their recv_done() callback gets called, it sees that the lookup
has been canceled, calls clear_current_lookup(), which decreases the
reference count every time for each query that was still active
(because ISC_LIST_HEAD(lookup->q) is NULL) and results in a reference
counting error.
Fix the issue by introducing a new "cleared" property for the lookup,
which will ensure that the clear_current_lookup() function does its
job only once per lookup.
(cherry picked from commit 08ba2732e0)
The +qid=<num> option, which sets the outgoing query ID, was missing
from the usage summary printed using `dig -h` command.
(cherry picked from commit 4dcc855093)
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.
With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
In the NSSEARCH followup lookup, when one of the queries fails to be
set up (UDP) or connected (TCP), DiG doesn't start the next query.
This is a mistake, because in NSSEARCH mode the queries are independent
and DiG shouldn't stop the lookup process just because setting up (or
connecting to) one of the name servers returns an error code in the
`udp_ready()` or `tcp_connected()` callbacks.
Write a new `nssearch_next()` function which takes care of starting the
next query in NSSEARCH mode, so it can be used in several places without
code repetition.
Make sure that the `udp_ready()` and `tcp_connected()` functions call
`nssearch_next()` in case they won't be calling `send_udp()` and
`send_tcp()` respectively, because in that case the `send_done()`
callback, which usually does the job, won't be called.
Refactor `send_done()` to use the newly written `nssearch_next()`
function.
(cherry picked from commit 76bee507b7)
In the NSSEARCH followup lookup, when one of the queries fails to be
sent, DiG doesn't start the next query. This is a mistake, because in
NSSEARCH mode the queries are independent and DiG shouldn't stop the
lookup process just because sending a query to one of the name servers
returns an error code.
Restructure the `send_done()` function to unconditionally send the next
query in NSSEARCH mode, if it exists.
(cherry picked from commit 49ac879dfa)
