The `rndc signing -clear` command cleans up the private-type records
that keep track of zone signing activity, but before this change it
did not tell the secondary servers that the zone has changed.
(cherry picked from commit f3f7b7df5d)
Function dns_view_findzonecut in view.c wasn't correctly handling
classes other than IN (chaos, hesiod, etc) whenever the name being
looked up wasn't in cache or in any of the configured zone views' database.
That resulted in a NULL fname being used in resolver.c:4900, which
in turn was triggering abort.
(cherry picked from commit 85555f29d7)
This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:
$ dnssec-keygen -a 13 -fk -Psync now+50h $zone
$ dnssec-keygen -a 13 $zone
$ dnssec-settime -Dsync now+50h $zone_ksk_old
However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.
To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDSNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.
(cherry picked from commit 4227b7969b)
(cherry picked from commit 2db5a2539a)
When both 'broken' and 'failed' test cases appear in unit test output
...
===> Broken tests
lib/isc/tests/socket_test:main -> broken: Test case timed out [300.022s]
===> Failed tests
lib/isc/tests/time_test:main -> failed: 2 of 6 tests failed [0.006s]
===> Summary
...
spurious '===>' string gets matched, that results in the following
error:
Usage error for command debug: '===>' is not a test case identifier (missing ':'?).
Following change makes sure the string is omitted.
I checked on FreeBSD and OpenBSD that the AWK construct is supported.
(cherry picked from commit 9e6f6156f7)
When retry_quiet() was backported to v9_11, it was only placed in
bin/tests/system/conf.sh.in, but not in bin/tests/system/conf.sh.win32.
This prevents every system test which employs this shell function either
directly or indirectly from ever succeeding on Windows. Fix by copying
the definition of retry_quiet() to bin/tests/system/conf.sh.win32.
Make sure carriage return characters are stripped from awk input to
enable the "dnssec" system test to pass on Windows.
(cherry picked from commit 451484b870)
* report when NSEC3PARAM is not yet present
* allow more time for NSEC3PARAM to become present
* adjust frequency failure message
(cherry picked from commit 17d25dbf47)
Split the "testing basic zone transfer functionality" into primary and
secondary parts to improve forensic logging.
(cherry picked from commit 14ef8b10af)
Add is_leaf and send_to_prune_tree to make the logic easier
to understand in cleanup_dead_nodes and decrement_reference.
(cherry picked from commit c6efc0e50f)
In decrement_reference only test node->down if the tree lock
is held. As node->down is not always tested in
decrement_reference we need to test that it is non NULL in
cleanup_dead_nodes prior to removing the node from the rbt
tree. Additionally it is not always possible to aquire the
node lock and reactivate a node when adding parent nodes.
Reactivate such nodes in cleanup_dead_nodes if required.
(cherry picked from commit 176b23b6cd)
Before this change, there was a missing blank line between the
negative trust anchors for one view, and the heading line for the next
view. This is because dns_ntatable_totext() omits the last newline.
There is an example of the incorrect output below; the fixed output
has a blank line before "Start view auth".
secure roots as of 21-Oct-2019 12:03:23.500:
Start view rec
Secure roots:
./RSASHA256/20326 ; managed
Negative trust anchors:
example.com: expiry 21-Oct-2019 13:03:15.000
Start view auth
Secure roots:
./RSASHA256/20326 ; managed
Negative trust anchors:
example.com: expiry 21-Oct-2019 13:03:07.000
(cherry picked from commit 5b600c2cd8)
Ensure BIND is continuously tested on Tumbleweed, a pure rolling release
version of openSUSE. This will allow BIND incompatibilities with latest
upstream versions of its dependencies to be caught more quickly.
(cherry picked from commit bd5dd1b58c60edb372bc6fa4eb39e355c5c76de4)
Since Alpine Linux 3.11 is the current Alpine Linux release, replace
Alpine Linux 3.10 GitLab CI jobs with their up-to-date counterparts.
(cherry picked from commit bebf353eb5)
5339. [bug] With some libmaxminddb versions, named could erroneously
match an IP address not belonging to any subnet defined
in a given GeoIP2 database to one of the existing
entries in that database. [GL #1552]
(cherry picked from commit a070defb18)