Commit Graph

41673 Commits

Author SHA1 Message Date
Michal Nowak
b3902a3871 Drop removed system tests from $BIND_BASELINE_VERSION
The cross-version-config-tests job fails when a system test is removed
from the upcoming release. To avoid this, remove the system test also
from the $BIND_BASELINE_VERSION.

(cherry picked from commit 60f5f2a9d9)
2024-08-26 14:32:46 +00:00
Petr Špaček
57a9e3da00 [9.20] fix: dev: Preserve statement tag order in documentation
This supports bit-for-bit reproducibility of built documentation.

Closes #4886

Backport of MR !9399

Merge branch 'backport-issue-4886/order-preserving-documentation-tags-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9408
2024-08-23 14:43:09 +00:00
Petr Špaček
12c240dd56 Disallow duplicate statement tags in docs
I can't think of a use-case for them, so let's simplify code and treat
them as an invalid input.

(cherry picked from commit 5b832126b3)
2024-08-23 14:02:16 +00:00
James Addison
7880e1e73a Preserve de-duplicated tag order in documentation
The 'set' datatype in Python does not provide iteration-order
guarantees related to insertion-order.  That means that its
usage in the 'split_csv' helper function during documentation
build can produce nondeterministic results.

That is non-desirable for two reasons: it means that the
documentation output may appear to vary unnecessarily between
builds, and secondly there could be loss-of-information in cases
where tag order in the source documentation is significant.

This patch implements order-preserving de-duplication of tags,
allowing authors to specify tags using intentional priority
ordering, while also removing tags that appear more than once.

(cherry picked from commit 5a79b36f56)
2024-08-23 14:02:16 +00:00
Petr Špaček
3e6c2d6ed7 [9.20] new: ci: Automate parts of MR workflow
Backport of MR !9244

Merge branch 'backport-pspacek/post-merge-ci-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9401
2024-08-23 08:17:56 +00:00
Petr Špaček
4f04079727 Remove milestone check from dangerfile
Milestone is automatically set by 'merged-metadata' CI job to 'Not
released yet' so it does not matter what the original value was.

(cherry picked from commit 73b950dc29)
2024-08-23 07:58:29 +00:00
Petr Špaček
84e7550631 Remove 'Release notes' label check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.

(cherry picked from commit 146743d5a3)
2024-08-23 07:58:29 +00:00
Petr Špaček
23cd27689b Remove 'No CHANGES' check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.

(cherry picked from commit edf0e6415a)
2024-08-23 07:58:29 +00:00
Petr Špaček
19fd63b15b Automatically adjust MR metadata after merge
1. Set milestone to 'Not released yet' after merge
   We will set milestone to actual version number when we actually tag a
   particular version. This will get rid of mass MR reassignment when we
   do last minute changes to a release plan etc.

2. Adjust No CHANGES and Release Notes MR labels to match gitchangelog
   workflow.

(cherry picked from commit d1c64d588b)
2024-08-23 07:58:28 +00:00
Petr Špaček
77ff5dc762 Mark backports CI job as non-interruptible
Previously CI job for the autobackport bot inherited "interruptible:
true" global configuration. This caused premature termination of the job
when another merge was finished before the autobackport job ran to
completion.

(cherry picked from commit 3165261ecd)
2024-08-23 07:58:28 +00:00
Mark Andrews
d089963263 [9.20] new: usr: Support restricted key tag range when generating new keys
It is useful when multiple signers are being used
to sign a zone to able to specify a restricted
range of range of key tags that will be used by an
operator to sign the zone.  This adds controls to
named (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and
dnssec-ksr (dnssec-policy) to specify such ranges.

Closes #4830

Backport of MR !9258

Merge branch 'backport-4830-support-restricted-key-tag-range-when-generating-new-keys-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9396
2024-08-22 23:03:16 +00:00
Mark Andrews
20632b9f44 Add bad dnssec-policy range variants test examples
(cherry picked from commit bb653d37e0)
2024-08-23 08:05:16 +10:00
Mark Andrews
fab6d0e021 Add a multi-signer where the key tag range changes
(cherry picked from commit 62469afe71)
2024-08-23 08:05:16 +10:00
Mark Andrews
3ec77a2f92 Use key tag ranges when generating multisigner keys
(cherry picked from commit 266530d473)
2024-08-23 08:05:16 +10:00
Mark Andrews
6e51d5b04b Check that dnssec-keygen honours key tag ranges
(cherry picked from commit d165466125)
2024-08-23 08:05:16 +10:00
Mark Andrews
2c8fd5337c Document dnssec-policy keys range directive
Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
(cherry picked from commit c088772191)
2024-08-23 08:05:16 +10:00
Mark Andrews
4c980c2a51 Add good dnssec-policy tag-range variants test examples
(cherry picked from commit e7decd7a65)
2024-08-23 08:05:16 +10:00
Mark Andrews
1f1440c1b9 Check key tag range when matching dnssec keys to kasp keys
(cherry picked from commit 035289be71)
2024-08-23 08:05:16 +10:00
Mark Andrews
e3dedfb981 Add optional range directive to keys in dnssec-policy
(cherry picked from commit c5bc0a1805)
2024-08-23 08:05:16 +10:00
Mark Andrews
a5c3e3b9f7 Add the concept of allowed key tag ranges to kasp
(cherry picked from commit 25bf77fac6)
2024-08-23 07:44:13 +10:00
Mark Andrews
57c7c5452a Document -M tag_min:tag_max
A new argument has been added to dnssec-keygen and dnssec-keyfromlabel
to restrict the tag value of key generated / imported to a particular
range.  This is intended to be used by multi-signers.

Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
(cherry picked from commit 0c347fb321)
2024-08-23 07:44:11 +10:00
Mark Andrews
79f9a10eb6 Add restrict key tag range support
to dnssec-keygen and dnssec-keyfromlabel.

(cherry picked from commit 329e5eee9b)
2024-08-23 07:42:21 +10:00
Matthijs Mekking
2f2003c55d [9.20] fix: usr: Fix algoritm rollover bug when there are two keys with the same keytag
If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key. This has been fixed by not only checking for matching key tag but also key algorithm.

Closes #4878

Backport of MR !9381

Merge branch 'backport-4878-fix-algorithm-rollover-keytag-conflict-bug-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9393
2024-08-22 12:58:06 +00:00
Matthijs Mekking
d0db5c07f8 Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.

(cherry picked from commit f37eb33f29)
2024-08-22 12:58:00 +00:00
Matthijs Mekking
b7bc6abdfe Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.

(cherry picked from commit 7bb6d82505)
2024-08-22 12:58:00 +00:00
Michal Nowak
abe82a52c4 [9.20] chg: ci: Revert "Workaround temporary cross-version-config-tests limitation"
With the release of BIND 9.19.25 this workaround is not needed anymore.

This reverts commit c58dd6e78f.

Backport of MR !9065

Merge branch 'backport-mnowak/revert-workaround-temporary-cross-version-config-tests-limitation-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9395
2024-08-22 10:53:40 +00:00
Michal Nowak
abc58b2796 Revert "Workaround temporary cross-version-config-tests limitation"
With the release of BIND 9.19.25 this workaround is not needed anymore.

This reverts commit c58dd6e78f.

(cherry picked from commit 125059caef)
2024-08-22 10:45:01 +00:00
Matthijs Mekking
3555094a68 [9.20] new: usr: Support for Offline KSK implemented
Add a new configuration option `offline-ksk` to enable Offline KSK key management. Signed Key Response (SKR) files created with `dnssec-ksr` (or other program) can now be imported into `named` with the new `rndc skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY records and generating signatures covering these types, these records are loaded from the currently active bundle from the imported SKR. 

The implementation is loosely based on: https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

Closes #1128

Backport of MR !9119

Merge branch 'backport-1128-offline-ksk-rndc-import-skr-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9389
2024-08-22 10:17:23 +00:00
Matthijs Mekking
762f78e150 Add a section for Offline KSK to the DNSSEC Guide
This will describe in more detail the operational practices of
Offline KSK.

(cherry picked from commit d504f4f20b)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
c92ae2b010 Add skr unit test
Add a test file for testing the skr related code.

(cherry picked from commit 1ce163795e)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
f4624281dc Disable some behavior in offline-ksk mode
Some things we no longer want to do when we are in offline-ksk mode.

1. Don't check for inactive and private keys if the key is a KSK.
2. Don't update the TTL of DNSKEY, CDS and CDNSKEY RRset, these come
   from the SKR.

(cherry picked from commit 2e3068ed60)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
282d32c3d8 Retrieve RRSIG from SKR
When it is time to generate a new signature (dns_dnssec_sign), rather
than create a new one, retrieve it from the SKR.

(cherry picked from commit 61cf599fbf)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
75f7118a92 Don't read private key files for offline KSKs
When we are appending contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.

(cherry picked from commit 30d20b110e)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
56814221fd Update key states in offline-ksk mode
With offline-ksk enabled, we don't run the keymgr because the key
timings are determined by the SKR. We do update the key states but
we derive them from the timing metadata.

Then, we can skip a other tasks in offline-ksk mode, like DS checking
at the parent and CDS synchronization, because the CDS and CDNSKEY
RRsets also come from the SKR.

(cherry picked from commit 2190aa904f)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
6f6d000103 Apply SKR bundle on rekey
When a zone has a skr structure, lookup the currently active bundle
that contains the right key and signature material.

(cherry picked from commit 63e058c29e)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
f516e461fd Implement SKR import
When 'rndc skr import' is called, read the file contents and store the
data in the zone's skr structure.

(cherry picked from commit 037382c4a5)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
27fd4e5687 Add code to store SKR
This added source code stores SKR data. It is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

A SKR contains a list of signed DNSKEY RRsets. Each change in data
should be stored in a separate bundle. So if the RRSIG is refreshed that
means it is stored in the next bundle. Likewise, if there is a new ZSK
pre-published, it is in the next bundle.

In addition (not mentioned in the draft), each bundle may contain
signed CDS and CDNSKEY RRsets.

Each bundle has an inception time. These will determine when we need
to re-sign or re-key the zone.

(cherry picked from commit 445722d2bf)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
908bf753f9 Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once
loaded the correct bundle should be used. Alsoe test cases where the
bundle is not the first bundle in the SKR.

(cherry picked from commit afe093258c)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
0fd246ac26 Add option to kasp.sh check_keys to retain found keys
This will come in handy when we are testing offline-ksk where first
we check for ZSKs and then the KSK.

(cherry picked from commit ecd2b79106)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
07de3d8466 Implement dummy 'rndc skr -import' command
Add the code and documentation required to provide KSR import using
rndc.  This is just the command, and the feature is at this point in
time still not implemented.

(cherry picked from commit edbb219fda)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
1813b7877c Add a common setup script for ksr
The previous setup.sh has been moved to ns1/setup.sh, we need a common
setup script to invoke ns1/setup.sh.

(cherry picked from commit 748d98e387)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
ad7366853e Update ksr system test to include server
Prepare the system test for tests that require a server to import
created SKR files. This means the test script needs adjustments to
take into account the directory test files are located.

In addition, the check_keys function is renamed to ksr_check_keys
because the name clashes with check_keys from kasp.sh. It also has an
extra parameter added, offset, that can be used to check ksr files that
are created in the past or future.

(cherry picked from commit 367154c1de)
2024-08-22 10:17:08 +00:00
Matthijs Mekking
40bd74b182 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.

(cherry picked from commit 0598381236)
2024-08-22 10:17:08 +00:00
Petr Špaček
196466e42a chg: ci: Disallow cross-version-test failures
This reverts commit df97088dcf.

Merge branch 'pspacek/disallow-cross-version-test-failures' into 'bind-9.20'

See merge request isc-projects/bind9!9392
2024-08-22 10:09:34 +00:00
Petr Špaček
a2e78e5eb2 Revert "Allow failure of cross-version-config due to !9201"
This reverts commit df97088dcf.
2024-08-22 11:25:37 +02:00
Michal Nowak
463ec6b384 [9.20] chg: ci: Update Clang to version 19
These Clang 19-identified issues need to be addressed first:
- [x] isc-projects/bind9!9313
- [x] isc-projects/bind9!9317
- [x] isc-projects/bind9!9316
- [x] isc-projects/bind9!9315

Validation pipelines for backports:
- [x] ~"v9.21" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191211
- [x] ~"v9.20" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191512
- [x] ~"v9.18" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191904

Prereq: isc-projects/images!328

Backport of MR !9296

Merge branch 'backport-mnowak/llvm-19-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9390
2024-08-22 09:09:17 +00:00
Ondřej Surý
46069fe5c7 Use clang-format-19 to update formatting
This is purely result of running:

    git-clang-format-19 --binary clang-format-19 origin/main

(cherry picked from commit 7b756350f5)
2024-08-22 08:16:03 +00:00
Michal Nowak
8ed97e5144 Update Clang to version 19
(cherry picked from commit ec62fc1399)
2024-08-22 08:16:03 +00:00
Michal Nowak
3221b3bae1 [9.20] chg: ci: Add FreeBSD 14.1
Prereq: https://gitlab.isc.org/isc-projects/images/-/merge_requests/323

Backport of MR !9116

Merge branch 'backport-mnowak/freebsd-14.1-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9382
2024-08-22 04:20:15 +00:00
Michal Nowak
f0f5e783d1 Add FreeBSD 14.1
(cherry picked from commit bca3d09354)
2024-08-22 06:09:51 +02:00