when built without libtool, the sample driver in the dyndb
system test runs library intializers that have already been
run, causing the value for isc__trampoline_min to be reset.
wrap the trampoline initialize and shutdown routines under
isc_once_do() to ensure that they are only run once.
Check that the recursing client count is above a reasonable
minimum, as well as below a maximum, so that we can detect
bugs that cause recursion to fail too early or too often.
(cherry picked from commit 8834c44683)
The ns_statscounter_recursclients counter was previously only
incremented or decremented if client->recursionquota was non-NULL.
This was harmless, because that value should always be non-NULL if
recursion is enabled, but it made the code slightly confusing.
(cherry picked from commit 0201eab655)
The fetchlimit test depends on a resolver continuing to try UDP
and timing out while the client waits for resolution to succeed.
but since commit bb990030 (flag day 2020), a fetch will always
switch to TCP after two timeouts, unless EDNS was disabled for
the query.
This commit adds "edns no;" to server statements in the fetchlimit
resolver, to restore the behavior expected by the test.
(cherry picked from commit 81deb24deb)
Since commit bad5a523c2, when the fetches-per-server quota
was increased or decreased, instead of the value being set to
the newly calculated quota, it was set to the *minimum* of
the new quota or 1 - which effectively meant it was always set to 1.
it should instead have been the maximum, to prevent the value from
ever dropping to zero.
(cherry picked from commit 694bc50273)
When attaching to the trampoline, the isc__trampoline_max was access
unlocked. This would not manifest under normal circumstances because we
initialize 65 trampolines by default and that's enough for most
commodity hardware, but there are ARM machines with 128+ cores where
this would be reported by ThreadSanitizer.
Add locking around the code in isc__trampoline_attach(). This also
requires the lock to leak on exit (along with memory that we already)
because a new thread might be attaching to the trampoline while we are
running the library destructor at the same time.
(cherry picked from commit 933162ae14)
Remove the line "This address must appear in the secondary server’s
parental-agents zone clause". This line is a copy paste error from
notify-source.
Rewrap.
(cherry picked from commit 313f606692)
Commit 24961f6068 introduced the concept
of post-merge pipelines. These were used to build documentation after
each merge to any of the maintained branches, to allow up-to-date
documentation to be subsequently published on the bind.isc.org
microsite. As the latter no longer downloads documentation from GitLab,
instead linking to Read the Docs for all currently maintained branches,
post-merge pipelines have become redundant since running the
"autoreconf" and "docs" jobs after each merge is not necessary any more.
Drop the "release_branch_triggering_rules" YAML anchor and revert to
default triggering rules for the "autoconf" and "docs" jobs, effectively
preventing pipelines from being created after each merge to any of the
maintained branches.
(cherry picked from commit 7b8c9e04fc)
The bind.isc.org microsite no longer downloads documentation from
GitLab, instead linking to Read the Docs for all currently maintained
branches. This makes it redundant to trigger GitLab Pages pipelines
after each merge to any of the maintained branches. Revert changes
introduced by commit 31bde118db: remove
the "push:docs" job along with the "push" stage it is associated with
and revert artifact expiry time for the "docs" job to the default value.
(cherry picked from commit a7fccaee82)
RPZ NSIP and NSDNAME checks were failing with "unrecognized NS
rpz_rrset_find() failed: glue" when static or static-stub zones
where used to resolve the query name.
Add tests using stub and static-stub zones that are expected to
be filtered and not-filtered against NSIP and NSDNAME rules.
stub and static-stub queries are expected to be filtered
stub-nomatch and static-stub-nomatch queries are expected to be passed
(cherry picked from commit 30cb70c826)
The named_config_getdefault() was missing void in the function
definition. This broke clang-15 that didn't match the declaration that
had the void in the argument with the definition that hadn't.
The dig commands appear to be failing unexpectedly on some platforms
when rate limiting kicks in and the response is dropped. Correct
behaviour should be for dig to retry the query. Set +qr and capture
stdout and stderr of each of the dig commands involved.
(cherry picked from commit 614cf5a030)
In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they
are present in the DNSKEY RRset if they should be.
However, we only grep the dig output for the first seven fields (owner,
ttl, class, type, flags, protocol, algorithm). This can be the same
for different keys.
For example, KEY1 may be KSK predecessor and KEY2 a KSK successor,
both DNSKEY records for these keys are the same up to the public key
field. This can cause test failures if KEY1 needs to be present, but
KEY2 not, because when grepping for KEY2 we will falsely detect the
key to be present (because the grep matches KEY1).
Fix the function by grepping looking for the first seven fields in the
corresponding key file and retrieve the public key part. Grep for this
in the dig output.
(cherry picked from commit 3e1d09ac66)
It might be useful to display built-in configuration with all its
values. It should make it easier to test what default values has changed
in a new release.
Related: #1326
(cherry picked from commit cf722d18b3)
The `send_done()` callback needs to access query's `link.next` pointer
when running in `+nssearch` mode, even if the query is already canceled
or serviced, which can happen when `recv_done()` happens to be called
earlier than `send_done()`.
Keep the next query's pointer before unlinking the query from the
lookup's queries list in `clear_query()` so that `send_done()` can
use it even if the query is cleared.
Printing the pointers makes it clear, for example, for which query
exactly a recv_done() or send_done() callback was called, which
helps investigating and debugging issues easier.
dzl_ldap_driver.c was missing some FALLTHROUGH macros in a switch
statement resulting in compiler warnings and a failed build when
configured with `--with-dlz-ldap` option.
inet_ntop result should always protect against empty string accepted
without an error. Make additional check to satisfy coverity scans.
(cherry picked from commit 656a0f076f)
- var_decl: Declaring variable "tbuf" without initializer
- assign: Assigning: "target.base" = "tbuf", which points to
uninitialized data
- assign: Assigning: "r.base" = "target.base", which points to
uninitialized data
I expect it would correctly initialize length always. Add simple
initialization to silent coverity.
(cherry picked from commit 59132bd3ec)
Coverity detected issues:
- var_decl: Declaring variable "diff" without initializer.
- uninit_use_in_call: Using uninitialized value "diff.tuples.head" when
calling "dns_diff_clear".
(cherry picked from commit 67e773c93c)