Having implicit inline-signing set for dnssec-policy when there is no
update policy is confusing, so lets make this explicit.
(cherry picked from commit 5ca02fe6e7e591d1fb85936ea4dda720c3d741ef)
In several cases where IDNA2008 mappings do not exist whereas IDNA2003
mappings do, dig was failing to process the suplied domain name. Take a
backwards compatible approach, and convert the domain to IDNA2008 form,
and if that fails try the IDNA2003 conversion.
(cherry picked from commit 10923f9d87)
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
(cherry picked from commit e97c3eea95)
YAML strings should be quoted if they contain colon characters.
Since IPv6 addresses do, we now quote the query_address and
response_address strings in all YAML output.
(cherry picked from commit 66eaf6bb73)
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
There is no need for a release because this case was nearly impossible
to trigger (except for when 'sig-signing-type' was set to 0).
(cherry picked from commit 545ecb64b043617ea609f4f115d280bb5990e221)
There is one case in 'dns_nsec3_activex()' where it returns but forgets
to detach the db node. Add the missing 'dns_db_detachnode()' call.
This case only triggers if 'sig-signing-type' (privatetype) is set to 0
(which by default is not), or if the function is called with 'complete'
is set to 'true' (which at this moment do not exist).
(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb)
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.
(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
The old code could incorrectly match "INSOA" in the RRSIG rdata
when looking for the SOA record.
(cherry picked from commit 2fc5f6fb2831697c79f75c50a769449ac561aad0)
When dumping an ADB address entry associated with a name,
the name bucket lock was held, but the entry bucket lock was
not; this could cause data races when other threads were updating
address entry info. (These races are probably not operationally
harmful, but they triggered TSAN error reports.)
(cherry picked from commit f841f545b7)
Fedora 36 uses OpenSSL 3.0.2 by default, but the OpenSSL engine API
which we use for PKCS#11 is deprecated in OpenSSL 3.0.0. For the
keyfromlabel system test to work operating system with OpenSSL 1.1 needs
to be used.
(cherry picked from commit 2eecebdea91868be571e3c7a5fb3324505fbd2ff)
When checking if we should enable serve-stale, add an early out case
when the result is an error signalling a duplicate query or a query
that would be dropped.
(cherry picked from commit 059a4c2f4d)