Commit Graph

34252 Commits

Author SHA1 Message Date
Petr Menšík
b98658a99a Move ignore case indication to flags passed to re
Recent python does not make parsetab.py successfully, because some token
regexp is starting with ?i flag. Remove that flag from regex and pass it
as extra flags parameter instead.
2022-04-28 05:38:42 +00:00
Petr Špaček
6800f552f2 Merge branch 'pspacek/pin-sphinx-packages-for-rtd-v9_16' into 'v9_16'
Pin Sphinx related package versions to match ReadTheDocs and our CI [v9_16]

See merge request isc-projects/bind9!6193
2022-04-27 12:36:26 +00:00
Petr Špaček
cf44faf6ae Pin Sphinx related package versions to match ReadTheDocs and our CI
This seems to be most appropriate way to ensure consistency between
release tarballs and public presentation on ReadTheDocs.

Previous attempt with removing docutils constraint, which relied on pip
depedency solver to pick the same packages as in CI was flawed. RTD
installs a bit different set of packages so it was inherently
unreliable.

As a result RTD pulled in sphinx-rtd-theme==0.4.3 while CI
had 1.0.0, and this inconsistency caused Table of Contents in Release
Notes to render incorrectly. Previous solution was to downgrade
docutils to < 0.17, but I think we should rather pin exact versions.

For the long history of messing with versions read also
isc-projects/bind9@2a8eda0084
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 6088ba3837)
2022-04-27 14:35:52 +02:00
Petr Špaček
fafa477c91 Merge branch 'pspacek/rtd-requirements-update-v9_16' into 'v9_16'
Fix mismatch between docutils version in CI and ReadTheDocs [v9_16]

See merge request isc-projects/bind9!6186
2022-04-26 13:49:59 +00:00
Petr Špaček
a5c06c0080 Fix mismatch between docutils version in CI and ReadTheDocs
Currently our CI images we use to build docs (which subsequently get
into release tarballs) are using docutils 0.17.1, which is latest version
which fulfills Sphinx 4.5.0 requirement for docutils < 0.18.

The old requirement for docutils < 0.17 was causing discrepancy between
the way we build release artifacts and the docs on ReadTheDocs.org which
uses doc/arm/requirements.txt from our repo.

Remove the limit for RDT with hope that it will pull latest permissible
version of docutils.

For the long history of messing with docutils version read also
isc-projects/images@d4435b97be
isc-projects/bind9@6a2daddf5b

(cherry picked from commit 2a8eda0084)
2022-04-26 15:48:46 +02:00
Ondřej Surý
a7f3951579 Merge branch 'ondrej-enforce-minimal-libuv-version-v9_16' into 'v9_16'
Abort when libuv at runtime mismatches libuv at compile time [v9.16]

See merge request isc-projects/bind9!6178
2022-04-26 10:21:26 +00:00
Ondřej Surý
4f30b16d96 Abort when libuv at runtime mismatches libuv at compile time
When we compile with libuv that has some capabilities via flags passed
to f.e. uv_udp_listen() or uv_udp_bind(), the call with such flags would
fail with invalid arguments when older libuv version is linked at the
runtime that doesn't understand the flag that was available at the
compile time.

Enforce minimal libuv version when flags have been available at the
compile time, but are not available at the runtime.  This check is less
strict than enforcing the runtime libuv version to be same or higher
than compile time libuv version.
2022-04-26 11:52:02 +02:00
Petr Špaček
64fb24a354 Merge branch '3294-support-ancient-sphinx' into 'v9_16'
Support Sphinx 1.6.7 again

See merge request isc-projects/bind9!6168
2022-04-26 09:34:28 +00:00
Petr Špaček
02f5e9c505 Support Sphinx 1.6.7 again
Older versions do not have "override" parameter in add_role_to_domain()
function signature. Luckily the override is _not_ required when
overidding the built-in standard domain roles for the first time, so we
just drop the paramter.

Tested with Sphinx 1.6.7 (does not have override) and Sphinx 4.5.0
(does have override).

Fixes: #3294
Related: !6086
2022-04-25 13:31:55 +02:00
Michał Kępień
2368359fe2 Merge branch '3297-use-setuptools-instead-of-distutils-if-possible' into 'v9_16'
Use setuptools instead of distutils if possible

See merge request isc-projects/bind9!6152
2022-04-22 10:38:12 +00:00
Michał Kępień
1f4667061f Use setuptools instead of distutils if possible
According to PEP 632 [1], the distutils module is considered deprecated
in Python 3.10 and will be removed in Python 3.12.  Setup scripts
using it should be migrated to the setuptools module, which contains
drop-in replacements for distutils functions [2].  The catch is that the
setuptools module is not part of the Python Standard Library.

While this problem could be addressed by adding a hard dependency on
setuptools, it only affects BIND 9.16, which is an Extended Support
Version.  To avoid unnecessary disruptions, try importing setup() from
the setuptools module and fall back to using distutils if that fails.
Add a PyLint suppression for this specific "deprecated-module" warning.

Since the setuptools module is not part of the Python Standard Library
and therefore it is not guaranteed that it is universally available in
every Python installation, update Python-related checks in configure.ac
to ensure Python module installation does not silently fail.

[1] https://peps.python.org/pep-0632/
[2] https://setuptools.pypa.io/en/latest/deprecated/distutils-legacy.html
2022-04-22 12:36:57 +02:00
Michał Kępień
eedf1df1f6 Merge branch '3287-prevent-memory-bloat-caused-by-a-jemalloc-quirk-v9_16' into 'v9_16'
[v9_16] Prevent memory bloat caused by a jemalloc quirk

See merge request isc-projects/bind9!6154
2022-04-21 12:45:48 +00:00
Michał Kępień
eb9a0c1fdd Add CHANGES entry for GL #3287
(cherry picked from commit e33aef4e39)
2022-04-21 14:23:59 +02:00
Michał Kępień
e850946557 Prevent memory bloat caused by a jemalloc quirk
Since version 5.0.0, decay-based purging is the only available dirty
page cleanup mechanism in jemalloc.  It relies on so-called tickers,
which are simple data structures used for ensuring that certain actions
are taken "once every N times".  Ticker data (state) is stored in a
thread-specific data structure called tsd in jemalloc parlance.  Ticks
are triggered when extents are allocated and deallocated.  Once every
1000 ticks, jemalloc attempts to release some of the dirty pages hanging
around (if any).  This allows memory use to be kept in check over time.

This dirty page cleanup mechanism has a quirk.  If the first
allocator-related action for a given thread is a free(), a
minimally-initialized tsd is set up which does not include ticker data.
When that thread subsequently calls *alloc(), the tsd transitions to its
nominal state, but due to a certain flag being set during minimal tsd
initialization, ticker data remains unallocated.  This prevents
decay-based dirty page purging from working, effectively enabling memory
exhaustion over time. [1]

The quirk described above has been addressed (by moving ticker state to
a different structure) in jemalloc's development branch [2], but not in
any numbered jemalloc version released to date (the latest one being
5.2.1 as of this writing).

Work around the problem by ensuring that every thread spawned by
isc_thread_create() starts with a malloc() call.  Avoid immediately
calling free() for the dummy allocation to prevent an optimizing
compiler from stripping away the malloc() + free() pair altogether.

An alternative implementation of this workaround was considered that
used a pair of isc_mem_create() + isc_mem_destroy() calls instead of
malloc() + free(), enabling the change to be fully contained within
isc__trampoline_run() (i.e. to not touch struct isc__trampoline), as the
compiler is not allowed to strip away arbitrary function calls.
However, that solution was eventually dismissed as it triggered
ThreadSanitizer reports when tools like dig, nsupdate, or rndc exited
abruptly without waiting for all worker threads to finish their work.

[1] https://github.com/jemalloc/jemalloc/issues/2251
[2] c259323ab3

(cherry picked from commit 7aa7b6474b)
2022-04-21 14:23:59 +02:00
Michał Kępień
d17d794722 Merge tag 'v9_16_28' into v9_16
BIND 9.16.28
2022-04-21 09:47:04 +02:00
Mark Andrews
61f86bb7b0 Merge branch '3279-lib-dns-ncache-c-rdataset_settrust-fails-to-set-trust-on-called-rdataset-v9_16' into 'v9_16'
Check that pending negative cache entries for DS can be used successfully

See merge request isc-projects/bind9!6136
2022-04-19 00:07:39 +00:00
Mark Andrews
18c479f4d5 Add CHANGES entry for [GL #3279]
(cherry picked from commit 14ca6270d3)
2022-04-19 09:45:48 +10:00
Mark Andrews
cb3c29cf8e Update the rdataset->trust field in ncache.c:rdataset_settrust
Both the trust recorded in the slab stucture and the trust on
rdataset need to be updated.

(cherry picked from commit d043a41499)
2022-04-19 09:45:16 +10:00
Mark Andrews
b5f2ab9cd4 Check that pending negative cache entries for DS can be used successfully
Prime the cache with a negative cache DS entry then make a query for
name beneath that entry. This will cause the DS entry to be retieved
as part of the validation process.  Each RRset in the ncache entry
will be validated and the trust level for each will be updated.

(cherry picked from commit d2d9910da2)
2022-04-19 09:45:16 +10:00
Matthijs Mekking
d44585fd94 Merge branch '2931-cds-delete-removed-on-signing-v9_16' into 'v9_16'
[v9_16] Don't delete CDS DELETE after zone sign

See merge request isc-projects/bind9!6127
2022-04-13 15:19:54 +00:00
Matthijs Mekking
24f9902753 Add CDS/CDNSKEY DELETE documentation
Mention in the DNSSEC guide in the "revert to unsigned" recipe that you
can publish CDS and CDNSKEY DELETE records to remove the corresponding
DS records from the parent zone.

(cherry picked from commit f088657eb1)
2022-04-13 15:13:49 +02:00
Matthijs Mekking
facf1c80a1 Add CHANGE and release note for #2931
Release note worthy.

(cherry picked from commit ebbcf4c34f)
2022-04-13 15:13:47 +02:00
Matthijs Mekking
42f43cebdd Update dns_dnssec_syncdelete() function
Update the function that synchronizes the CDS and CDNSKEY DELETE
records. It now allows for the possibility that the CDS DELETE record
is published and the CDNSKEY DELETE record is not, and vice versa.

Also update the code in zone.c how 'dns_dnssec_syncdelete()' is called.

With KASP, we still maintain the DELETE records our self. Otherwise,
we publish the CDS and CDNSKEY DELETE record only if they are added
to the zone. We do still check if these records can be signed by a KSK.

This change will allow users to add a CDS and/or CDNSKEY DELETE record
manually, without BIND removing them on the next zone sign.

Note that this commit removes the check whether the key is a KSK, this
check is redundant because this check is also made in
'dst_key_is_signing()' when the role is set to DST_BOOL_KSK.

(cherry picked from commit 3d05c99abb)
2022-04-13 15:13:12 +02:00
Matthijs Mekking
e5a5b23f41 Test CDS DELETE persists after zone sign
Add a test case for a dynamically added CDS DELETE record and make
sure it is not removed when signing the zone. This happens because
BIND maintains CDS and CDNSKEY publishing and it will only allow
CDS DELETE records if the zone is transitioning to insecure. This is
a state that can be identified when using KASP through 'dnssec-policy',
but not when using 'auto-dnssec'.

(cherry picked from commit f08277f9fb)
2022-04-13 15:13:03 +02:00
Michał Kępień
493ddc15f3 Merge branch 'michal/set-up-release-notes-for-bind-9.16.29' into 'v9_16'
Set up release notes for BIND 9.16.29

See merge request isc-projects/bind9!6120
2022-04-12 12:17:18 +00:00
Michał Kępień
0fb4b6520e Set up release notes for BIND 9.16.29 2022-04-12 14:15:41 +02:00
Michał Kępień
5c4dafe354 Merge branch 'michal/update-bind-version-to-9.16.29-dev' into 'v9_16'
Update BIND version to 9.16.29-dev

See merge request isc-projects/bind9!6116
2022-04-12 11:16:00 +00:00
Michał Kępień
5e4b940c9c Update BIND version to 9.16.29-dev 2022-04-12 13:15:31 +02:00
Tinderbox User
7aea13ff14 Merge branch 'prep-release' into v9_16_28-release v9.16.28 2022-04-11 15:28:12 +00:00
Tinderbox User
f7cbac4c36 prep 9.16.28 2022-04-11 15:21:43 +00:00
Michał Kępień
37a672467a Merge branch 'michal/prepare-documentation-for-bind-9.16.28' into 'v9_16_28-release'
Prepare documentation for BIND 9.16.28

See merge request isc-private/bind9!398
2022-04-11 15:15:04 +00:00
Michał Kępień
6810a0c055 Prepare release notes for BIND 9.16.28 2022-04-11 17:05:07 +02:00
Michał Kępień
d559c8ac0c Reorder release notes 2022-04-11 17:05:07 +02:00
Michał Kępień
ab0923a9ce Tweak and reword release notes 2022-04-11 17:05:07 +02:00
Michał Kępień
1c35cb1aa0 Merge branch 'michal/fix-forward-system-test-requirements-v9_16' into 'v9_16'
[v9_16] Fix "forward" system test requirements

See merge request isc-projects/bind9!6112
2022-04-11 13:33:16 +00:00
Michał Kępień
55f2457526 Fix "forward" system test requirements
Commit 59d1eb3ff8 added a Python-based
name server (bin/tests/system/forward/ans11/ans.py) to the "forward"
system test, but did not update the bin/tests/system/forward/prereq.sh
script to ensure Python is present in the test environment before the
"forward" system test is run.  Update bin/tests/system/forward/prereq.sh
to enforce that requirement.
2022-04-11 14:40:20 +02:00
Petr Špaček
7ee090be53 Merge branch '2950-cache-acceptance-rules-test-v9_16' into 'v9_16'
[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_16]

See merge request isc-projects/bind9!6106
2022-04-08 08:13:15 +00:00
Mark Andrews
59d1eb3ff8 Add tests for forwarder cache poisoning scenarios
- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
  configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

(cherry picked from commit bf3fffff67)
2022-04-08 10:12:24 +02:00
Michal Nowak
cc0954631d Merge branch '3112-test-lingering-tcp-sockets-in-closewait-v9_16' into 'v9_16'
[v9_16] Add system test lingering CLOSE_WAIT TCP sockets

See merge request isc-projects/bind9!6104
2022-04-08 08:03:14 +00:00
Ondřej Surý
260e0ceaf5 Add system test **/named.* modifier files to .reuse/dep5
There's couple of files that modify behaviour of named when started via
bin/tests/system/start.pl.  Add those files as CC-1.0 to .reuse/dep5 as
they are just empty placeholders.

(cherry picked from commit b6eb31a0e3)
2022-04-08 09:36:08 +02:00
Matthijs Mekking
a8313a6c3c Add system test lingering CLOSE_WAIT TCP sockets
Add a test case to check for lingering TCP sockets stuck in the
CLOSE_WAIT state. This can happen if a client sends some garbage after
its first query.

The system test runs the reproducer script and then sends another TCP
query to the resolver. The resolver is configured to allow one TCP
client only. If BIND has its TCP socket stuck in CLOSE_WAIT, it does
not have the resources available to answer the second query.

Note: A better test would be to check if the named daemon does not
have a TCP socket stuck in CLOSE_WAIT for example with netstat. When
running this test locally you can examine named with netstat manually.
But since netstat is platform specific it is not a good candidate to do
this as a system test.

If you, if you could return, don't let it burn.
Do you have to let it linger?
- Cranberries

(cherry picked from commit b9ebde705b)
2022-04-08 09:36:08 +02:00
Petr Špaček
237d88fe22 Allow py.test system test to skip itself
Enable use of shortcuts like pytest.importorskip and other tricks
which can cause test to skip itself.

(cherry picked from commit b8829c801f)

In addition to b8829c801f,
"R:$systest:SKIPPED" is not being printed when pytests are skipped
because that leads to two `R:` lines - SKIPPED and PASS/FAIL which is
determined later based on other conditions (core files identified,
assertion failures, shell test result, ...) - which is wrong and
testsummary.sh rightfully stumbles on it:

    I:Found 106 test results, but 105 tests were run
2022-04-08 09:20:55 +02:00
Petr Špaček
7cffcce36f Merge branch 'pspacek/manpage-hyperlinks-v9_16' into 'v9_16'
Backport helpers for hyperlinks in manual pages [v9_16]

See merge request isc-projects/bind9!6086
2022-04-07 14:14:07 +00:00
Petr Špaček
148f6f20e7 Ignore :option: references in rst files to to simplify doc backports
Override Sphinx built-in :option: to act and render as `` literal.
This avoids problems with undefined :option:`target`s when merging
doc backports.
2022-04-07 15:46:55 +02:00
Petr Špaček
c9a512247d Introduce new Sphinx role iscman for ISC manual pages
The new directive and role "iscman" allow to tag & reference man pages in
our source tree. Essentially it is just namespacing for ISC man pages,
but it comes with couple benefits.

Differences from .. _man_program label we formerly used:
- Does not expand :ref:`man_program` into full text of the page header.
- Generates index entry with category "manual page".
- Rendering style is closer to ubiquitous to the one produced
  by ``named`` syntax.

Differences from Sphinx built-in :manpage: role:
- Supports all builders with support for cross-references.
- Generates internal links (unlike :manpage: which generates external
  URLs).
- Checks that target exists withing our source tree.

(cherry-picked from commit 7e7a946d44)
2022-04-07 15:46:52 +02:00
Michał Kępień
ecc6ec0754 Merge branch '3208-add-CHANGES-entry-v9_16' into 'v9_16'
[v9_16] Add CHANGES entry for GL #3208

See merge request isc-projects/bind9!6101
2022-04-07 13:08:10 +00:00
Michał Kępień
197e8989c9 Add CHANGES entry for GL #3208
(cherry picked from commit 059a602551)
2022-04-07 15:04:51 +02:00
Ondřej Surý
47eaecf69f Merge branch '3249-rename-configuration-option-to-reuseport-v9_16' into 'v9_16'
Rename the configuration option to load balance sockets to reuseport [v9.16]

See merge request isc-projects/bind9!6095
2022-04-06 16:07:52 +00:00
Ondřej Surý
a7f893e836 Rename the configuration option to load balance sockets to reuseport
After some back and forth, it was decidede to match the configuration
option with unbound ("so-reuseport"), PowerDNS ("reuseport") and/or
nginx ("reuseport").

(cherry picked from commit 7e71c4d0cc)
2022-04-06 17:51:12 +02:00
Ondřej Surý
f943504b03 Merge branch '3190-offload-rpz-updates-revert-v9_16' into 'v9_16'
Revert "Run the RPZ update as offloaded work" [v9.16]

See merge request isc-projects/bind9!6092
2022-04-06 11:43:57 +00:00