While implementing the new unit testing framework cmocka, it was found that the
BIND 9 code doesn't compile when assertions are disabled or replaced with any
function (such as mock_assert() from cmocka unit testing framework) that's not
directly recognized as assertion by the compiler.
This made the compiler to complain about blocks of code that was recognized as
unreachable before, but now it isn't.
The changes in this commit include:
* assigns default values to couple of local variables,
* moves some return statements around INSIST assertions,
* adds __builtin_unreachable(); annotations after some INSIST assertions,
* fixes one broken assertion (= instead of ==)
(cherry picked from commit fbd2e47f51)
The XSL stylesheet used by the web interface does not currently include
any element which would cause a list of zones configured in each view to
be displayed, making the "Zones" section of the web interface empty
unless some zone has been configured with "zone-statistics full;" and
queried. Since this can be confusing, modify the XSL stylesheet so that
a list of zones configured in each view is displayed in the web
interface.
(cherry picked from commit aeda3f389e)
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
(cherry picked from commit b324576858)
* Add configure option --enable-fips-mode that detects and enables FIPS mode
* Add a function to enable FIPS mode and call it on crypto init
* Log an OpenSSL error when FIPS_mode_set() fails and exit
* Report FIPS mode status in a separate log message from named
(cherry picked from commit c4cee27f9b)
- the text returned by "rndc nta" when adding NTAs to multiple views
was incorrectly terminated after the first line, so users only saw
on NTA added unless they checked the logs.
(cherry picked from commit 83dc5a704a)
For inline-signed zones, the value of "ixfr-from-differences" is
hardcoded to:
- "yes" for the raw version of the zone,
- "no" for the signed version of the zone.
In other words, any user-provided "ixfr-from-differences" setting is
effectively ignored for an inline-signed zone. Ensure the user is aware
of that by adding a note to the ARM and logging a message when an
"ixfr-from-differences" option is found at the zone level.
(cherry picked from commit 087157d14f)
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
(cherry picked from commit 88f913ac81)
dns_view_zonecut() may associate the dns_rdataset_t structure passed to
it even if it returns a result different then ISC_R_SUCCESS. Not
handling this properly may cause a reference leak. Fix by ensuring
'nameservers' is cleaned up in all relevant failure modes.
(cherry picked from commit 8666f8d28f)
Trying to resolve a trust anchor telemetry query for a locally served
zone does not cause upstream queries to be sent as the response is
determined just by consulting local data. Work around this issue by
calling dns_view_findzonecut() first in order to determine the NS RRset
for a given domain name and then passing the zone cut found to
dns_resolver_createfetch().
Note that this change only applies to TAT queries generated by the
resolver itself, not to ones received from downstream resolvers.
(cherry picked from commit a7657dc150)
Extract the part of dotat() reponsible for preparing the QNAME for a TAT
query to a separate function in order to limit the number of local
variables used by each function and improve code readability.
Rename 'name' to 'origin' to better convey the purpose of that variable.
Also mark it with the const qualifier.
(cherry picked from commit 127810e512)
While libcap-enabled builds check whether any capability named requests
is within the permitted capability set, non-libcap builds just try
requesting them, which potentially causes a misleading error message to
be output ("Operation not permitted: please ensure that the capset
kernel module is loaded"). Ensure non-libcap builds also check whether
any requested capability is within the permitted capability set.
- added a 1-second floor to max-stale-ttl similar to stale-answer-ttl;
if set to 0, it will be silently updated to 1.
- fixed the ARM entry on max-stale-ttl, which incorrectly suggested that
the default was 0 instead of 1 week.
- clarified rndc serve-stale documentation.
(cherry picked from commit d1ca21d50a)
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.
This patch was mostly prepared using Coccinelle and the following
semantic patch:
@@
expression fixedname, name;
@@
- dns_fixedname_init(&fixedname);
...
- name = dns_fixedname_name(&fixedname);
+ name = dns_fixedname_initname(&fixedname);
The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.
It is likely that more occurrences of this pattern can be refactored in
an identical way. This commit only takes care of the low-hanging fruit.
(cherry picked from commit 4df4a8e731)
Instead of relying on the caller to set up task-exclusive mode, make
dns_dt_reopen() enforce task-exclusive mode itself, using the task
specified at dnstap environment creation time.