Commit Graph

2571 Commits

Author SHA1 Message Date
Michal Nowak
9f27c3f95e Drop flake8 ignore lists
flake8 is not used in BIND 9 CI and inline ignore lists are not needed
anymore.

(cherry picked from commit f5d9fa6ea4)
2022-10-05 18:33:34 +02:00
Michal Nowak
7ae22392da Add Oracle Linux 9
(cherry picked from commit be08cf41d9)
2022-10-03 13:28:26 +02:00
Matthijs Mekking
df11527a9a Add inline-signing to config examples
Add 'inline-signing yes;' to configuration examples to have working
copy paste configurations.

(cherry picked from commit b13a0c8836d2d8bc5b4de1cdfcdb2057c0bb9d93)
2022-09-28 10:54:52 +02:00
Matthijs Mekking
5c0e98410f Update inline-signing requirement to ARM
This change was made in !6403, but the appropriate documentation
changes were not applied to the ARM.

(cherry picked from commit 7231383e4cc57caac36d03055e8627b12aa4b91a)
2022-09-28 10:54:52 +02:00
Michal Nowak
5b1ab4615a Add Fedora 36
(cherry picked from commit a313c49a3b)
2022-09-27 09:42:50 +02:00
Petr Menšík
e036ac4d3d Compatibility for building ARM on older sphinx
Make documentation building successful even on RHEL9 sphinx 3.4.3. It
does not like case-insensitive matching of terms, so provide lowercase
text description with Uppercase word reference.

(cherry picked from commit bc6c6b1184)
2022-09-26 17:29:07 +02:00
Ondřej Surý
f830737c51 Provide stronger wording about the security of statistics channel
Add more text about the importance of properly securing the statistics
channel and what is and what is not considered a security vulnerability.

(cherry-picked from commit 6869c98d36)
2022-09-21 17:49:49 +02:00
Michał Kępień
69c38b5e1c Merge tag 'v9_16_33' into v9_16
BIND 9.16.33
2022-09-21 13:21:29 +02:00
Michał Kępień
b54ee83d50 Prepare release notes for BIND 9.16.33 2022-09-08 14:33:43 +02:00
Aram Sargsyan
6f46bfe705 Document RRL processing for wildcard names
All valid wildcard domain names are interpreted as the zone's origin
name concatenated to the "*" name.

(cherry picked from commit 89c2032421)
2022-09-08 09:41:15 +02:00
Michal Nowak
87dc26e494 Add FreeBSD 13.1
(cherry picked from commit bc425be55e1736d4f2ffada5e8d76f96b08c8351)
2022-08-18 17:34:08 +02:00
Michal Nowak
16458122a8 Merge tag 'v9_16_32' into v9_16
BIND 9.16.32
2022-08-18 11:55:55 +02:00
Michal Nowak
591d58be6e Add OpenBSD 7.1
(cherry picked from commit 7edf8ab47cfd0cc3a633e941b2880ee11d75d6cd)
2022-08-16 17:17:34 +02:00
Michał Kępień
814d9f7bc8 Prepare release notes for BIND 9.16.32 2022-08-04 23:59:36 +02:00
Evan Hunt
1ed5eb38e4 clarify "max-zone-ttl" documentation
The "max-zone-ttl" option should now be configured as part of
dnssec-policy. Use of this option in zone/view/options will be ignored
in any zone that also has dnssec-policy configured.
2022-07-22 15:24:29 -07:00
Michal Nowak
a0e7b05aba Merge tag 'v9_16_31' into v9_16
BIND 9.16.31
2022-07-21 14:37:36 +02:00
Michal Nowak
0043999f54 Add Alpine Linux 3.16
(cherry picked from commit 0d0ab3db10)
2022-07-12 13:59:30 +02:00
Michał Kępień
59da803e86 Prepare release notes for BIND 9.16.31 2022-07-11 06:32:55 +02:00
Petr Špaček
75854c5e6b Rewrite DNSSEC Validation subchapter in the ARM
Mostly deduplicating and linking information across the ARM.
Generally people should not touch it unless they what they are doing, so
let's try to discourage them a bit.

(cherry picked from commit bffa3063f0)
2022-07-07 11:07:32 +02:00
Petr Špaček
c9e52437ca Resynchronize DNSSEC chapter with the main branch
This is essentially a backport of !6296.

Replace DNSSEC chapter with version from the main branch, commit
901b6425d2.

There were structural changes to the ARM in the main branch, and
replacing the whole file with a new version is an order of magniture
easier than attempting to cherry-pick individual changes which should, in
the end, produce the same file under a different name.

File names in the main branch and v9_16 are now in sync (for the DNSSEC
chapter).

Fixes: #3320
2022-07-07 10:34:06 +02:00
Evan Hunt
4897f3ccc0 Improve $GENERATE documentation
Clarify the documentation of $GENERATE modifiers and add an example.

(cherry picked from commit 13fb2faf7a)
2022-07-06 11:35:16 +10:00
Petr Špaček
561f2a3930 Declare Debian 9 (Stretch) community-maintained
(cherry picked from commit 4ce1f25210)
2022-06-28 17:59:21 +02:00
Matthijs Mekking
68105e66cf Add some clarifications wrt dynamic zones
These were suggested by GitLab user @elmaimbo.

(cherry picked from commit fb517eb52a)
2022-06-27 11:56:59 +02:00
Michal Nowak
009c7871ec Add Ubuntu 22.04 LTS (Jammy Jellyfish)
(cherry picked from commit 4c2af3bdfa)
2022-06-22 12:04:13 +02:00
Matthijs Mekking
e1f0acc3e7 Document where updates and DNSSEC records are stored
Make clear that inline-signing stores DNSSEC records in a signed
version of the zone, using the zone's filename plus ".signed" extension.

Tell that dynamic zones store updates in the zone's filename.

DNSSEC records for dynamic zones also go in the zone's filename, unless
inline-signing is enabled.

Then, dnssec-policy assumes inline-signing, but only if the zone is
not dynamic.

(cherry picked from commit 8860f6b4ff)
2022-06-20 16:50:42 +02:00
Petr Špaček
3eae58207a Update NSEC3 guidance to match draft-ietf-dnsop-nsec3-guidance-10
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
is on it's way to become RFC, so let's update our recommendations in the
docs to be in line with it.

The default values for dnssec-policy and dnssec-signzone were adapted to
match v9_16 branch.

(cherry picked from commit 2ee3f4e6c8)
2022-06-15 18:10:50 +02:00
Michał Kępień
68fadd52c1 Merge tag 'v9_16_30' into v9_16
BIND 9.16.30
2022-06-15 16:02:06 +02:00
Tom Krizek
b3c7bd1c04 Auto-format Python files with black
This patch is strictly the result of:
$ black $(git ls-files '*.py' '*.py.in')

There have been no manual changes.
2022-06-08 13:34:19 +02:00
Michał Kępień
501ac73a7c Prepare release notes for BIND 9.16.30 2022-06-02 20:57:12 +02:00
Petr Špaček
cc1599e454 ARM style change: render literals in black color
After enormous amount of bikesheding about colors we decided to override
ReadTheDocs default style for literals (``literal`` in the RST markup).

Justification:
- The default RTD "light red literal on white background" is hard to
  read.  https://webaim.org/resources/contrastchecker/ reports that text
  colored as rgb(231, 76, 60) on white background has insufficient
  contrast.
- The ARM has enormous amount of literals all over the place and thus
  one sentence can contain several black/red/black color changes. This
  is distracting. As a consequence, the ARM looks like a Geronimo
  Stilton book.

What we experimented with as replacements for red:
- Green - way too distracting
- Blue - too similar to "usual clickable link"
- Violet - too Geronimo Stilton style
- Brown - better but still distracting

After all the bikesheding we settled on black, i.e. the same as all
"normal" text. I.e. the color is now the same and literals are denoted
by monospaced font and a box around the literal. This has best contrast
and is way less distracting than it used to be.

This lead to a new problem: Internal references to "term definitions"
defined using directives like .. option:: were rendered almost the same
as literals:
- References: monospaced + box + bold + clickable
- Literals: monospaced + box To distinguish these two we added black
  dotted underline to clickable references.

I hereby declare the bikeshed painted.

(cherry picked from commit 833af31e7b)
2022-06-02 17:24:41 +02:00
Petr Špaček
dafacea24c Allow wrapping for ARM table content
RTD style default never wraps <th> and <td> elements and that just does
not work for real sentences or any other long lines.

We can reconsider styling some tables separately, but at the moment we
do not have use for tables with long but unwrappable lines so it's
easier to allow wrapping globally.

(cherry picked from commit a5dd98ac1b)
2022-06-02 17:24:39 +02:00
Michal Nowak
db5f8ebb6f Merge tag 'v9_16_29' into v9_16
BIND 9.16.29
2022-05-19 13:14:59 +02:00
Matthijs Mekking
24913fc696 Remove confusing parental-source line
Remove the line "This address must appear in the secondary server’s
parental-agents zone clause". This line is a copy paste error from
notify-source.

Rewrap.

(cherry picked from commit 313f606692)
2022-05-11 15:01:35 +00:00
Petr Špaček
0366ff94ee Remove ARM notes about Solaris 2.5.1
It was released in May 1996 and hopefully is not used to run BIND
anymore.

(cherry picked from commit 4388656f60)
2022-05-11 12:54:01 +02:00
Michal Nowak
e4f535334e Prepare release notes for BIND 9.16.29 2022-05-06 17:06:36 +02:00
Petr Špaček
cf44faf6ae Pin Sphinx related package versions to match ReadTheDocs and our CI
This seems to be most appropriate way to ensure consistency between
release tarballs and public presentation on ReadTheDocs.

Previous attempt with removing docutils constraint, which relied on pip
depedency solver to pick the same packages as in CI was flawed. RTD
installs a bit different set of packages so it was inherently
unreliable.

As a result RTD pulled in sphinx-rtd-theme==0.4.3 while CI
had 1.0.0, and this inconsistency caused Table of Contents in Release
Notes to render incorrectly. Previous solution was to downgrade
docutils to < 0.17, but I think we should rather pin exact versions.

For the long history of messing with versions read also
isc-projects/bind9@2a8eda0084
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 6088ba3837)
2022-04-27 14:35:52 +02:00
Petr Špaček
a5c06c0080 Fix mismatch between docutils version in CI and ReadTheDocs
Currently our CI images we use to build docs (which subsequently get
into release tarballs) are using docutils 0.17.1, which is latest version
which fulfills Sphinx 4.5.0 requirement for docutils < 0.18.

The old requirement for docutils < 0.17 was causing discrepancy between
the way we build release artifacts and the docs on ReadTheDocs.org which
uses doc/arm/requirements.txt from our repo.

Remove the limit for RDT with hope that it will pull latest permissible
version of docutils.

For the long history of messing with docutils version read also
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 2a8eda0084)
2022-04-26 15:48:46 +02:00
Petr Špaček
02f5e9c505 Support Sphinx 1.6.7 again
Older versions do not have "override" parameter in add_role_to_domain()
function signature. Luckily the override is _not_ required when
overidding the built-in standard domain roles for the first time, so we
just drop the paramter.

Tested with Sphinx 1.6.7 (does not have override) and Sphinx 4.5.0
(does have override).

Fixes: #3294
Related: !6086
2022-04-25 13:31:55 +02:00
Michał Kępień
d17d794722 Merge tag 'v9_16_28' into v9_16
BIND 9.16.28
2022-04-21 09:47:04 +02:00
Michał Kępień
6810a0c055 Prepare release notes for BIND 9.16.28 2022-04-11 17:05:07 +02:00
Petr Špaček
148f6f20e7 Ignore :option: references in rst files to to simplify doc backports
Override Sphinx built-in :option: to act and render as `` literal.
This avoids problems with undefined :option:`target`s when merging
doc backports.
2022-04-07 15:46:55 +02:00
Petr Špaček
c9a512247d Introduce new Sphinx role iscman for ISC manual pages
The new directive and role "iscman" allow to tag & reference man pages in
our source tree. Essentially it is just namespacing for ISC man pages,
but it comes with couple benefits.

Differences from .. _man_program label we formerly used:
- Does not expand :ref:`man_program` into full text of the page header.
- Generates index entry with category "manual page".
- Rendering style is closer to ubiquitous to the one produced
  by ``named`` syntax.

Differences from Sphinx built-in :manpage: role:
- Supports all builders with support for cross-references.
- Generates internal links (unlike :manpage: which generates external
  URLs).
- Checks that target exists withing our source tree.

(cherry-picked from commit 7e7a946d44)
2022-04-07 15:46:52 +02:00
Ondřej Surý
a7f893e836 Rename the configuration option to load balance sockets to reuseport
After some back and forth, it was decidede to match the configuration
option with unbound ("so-reuseport"), PowerDNS ("reuseport") and/or
nginx ("reuseport").

(cherry picked from commit 7e71c4d0cc)
2022-04-06 17:51:12 +02:00
Ondřej Surý
8993ebc01a Add option to configure load balance sockets
Previously, the option to enable kernel load balancing of the sockets
was always enabled when supported by the operating system (SO_REUSEPORT
on Linux and SO_REUSEPORT_LB on FreeBSD).

It was reported that in scenarios where the networking threads are also
responsible for processing long-running tasks (like RPZ processing, CATZ
processing or large zone transfers), this could lead to intermitten
brownouts for some clients, because the thread assigned by the operating
system might be busy.  In such scenarious, the overall performance would
be better served by threads competing over the sockets because the idle
threads can pick up the incoming traffic.

Add new configuration option (`load-balance-sockets`) to allow enabling
or disabling the load balancing of the sockets.

(cherry picked from commit 85c6e797aa)
2022-04-05 01:21:50 +02:00
Michał Kępień
e82ffa9b03 Set up release notes for BIND 9.16.28 2022-03-17 00:19:11 +01:00
Michał Kępień
3849ad19fb Prepare release notes for BIND 9.16.27 2022-03-17 00:19:11 +01:00
Suzanne Goldlust
da3369179f Fix Tools for Use With the Name Server Daemon in the ARM
Remove outdated command references from ARM section
3.3.1. Tools for Use With the Name Server Daemon
and replace them with links to man pages.

Fixes: #2799
(cherry picked from commit 2d2d87a615)
2022-03-10 21:58:36 +01:00
Tony Finch
b8a3359d76 In the ARM appendix, sort man page sections alphabetically
(cherry picked from commit 315b3c3a1a)
2022-03-10 21:58:36 +01:00
Petr Špaček
9242f53e3d Split out named-compilezone and named-checkzone man pages
Both utilities were included as one man page, but this caused a problem:
Sphinx directive .. include was used twice on the same file, which
prevented us from using labels (or anything with unique identifier) in
the man pages. This effectivelly prevented linking to them.

Splitting man pages allows us to solve the linking problems and also
clearly make text easier to follow because it does not mention two tools
at the same time.

This change causes duplication of text, but given the frequecy of changes
to these tools I think it is acceptable. I've considered deduplication
using smaller .rst snippets which get included into both man pages,
but it would require more sed scripting to handle defaults etc. and
I think it would be way too complex solution for this problem.

Related: #2799
(cherry picked from commit 9992f7808c)
2022-03-10 21:58:35 +01:00
Petr Špaček
e46322c583 Split out ddns-confgen and tsig-keygen man pages
Both utilities were included as one man page, but this caused a problem:
Sphinx directive .. include was used twice on the same file, which
prevented us from using labels (or anything with unique identifier) in
the man pages. This effectivelly prevented linking to them.

Splitting man pages allows us to solve the linking problems and also
clearly make text easier to follow because it does not mention two tools
at the same time.

This change causes duplication of text, but given the frequecy of changes
to these tools I think it is acceptable.

Related: #2799
(cherry picked from commit 2e42414522)
2022-03-10 21:56:15 +01:00