34532 Commits

Author SHA1 Message Date
Michał Kępień
56f3439263 Merge branch 'prep-release' into v9_16_32-release v9.16.32 2022-08-05 00:06:08 +02:00
Michał Kępień
d4afcf3dfb prep 9.16.32 2022-08-05 00:06:08 +02:00
Michał Kępień
8ff8f2c1ca Merge branch 'michal/prepare-documentation-for-bind-9.16.32' into 'v9_16_32-release'
Prepare documentation for BIND 9.16.32

See merge request isc-private/bind9!420
2022-08-04 22:04:12 +00:00
Michał Kępień
c2ca99b710 Tweak and reword release notes 2022-08-04 23:59:36 +02:00
Michał Kępień
814d9f7bc8 Prepare release notes for BIND 9.16.32 2022-08-04 23:59:36 +02:00
Arаm Sаrgsyаn
c863061a13 Merge branch '3461-fetches-per-zone-final-log-message-v9_16' into 'v9_16'
[v9_16] Resolve "Do a better job of logging when fetches-per-zone is triggered"

See merge request isc-projects/bind9!6626
2022-08-01 14:46:29 +00:00
Aram Sargsyan
23bf8afbcb Add CHANGES and release notes for [GL #3461]
(cherry picked from commit 0d64f55f5d)
2022-08-01 14:01:37 +00:00
Aram Sargsyan
c0db0d7a8e Improve fetch limit logging
When initially hitting the `fetches-per-zone` value, a log message
is being generated for the event of dropping the first fetch, then
any further log events occur only when another fetch is being dropped
and 60 seconds have been passed since the last logged message.

That logic isn't ideal because when the counter of the outstanding
fetches reaches zero, the structure holding the counters' values will
get deleted, and the information about the dropped fetches accumulated
during the last minute will not be logged.

Improve the fcount_logspill() function to makie sure that the final
values are getting logged before the counter object gets destroyed.

(cherry picked from commit 039871ceb7)
2022-08-01 14:01:26 +00:00
Mark Andrews
6a866e30f5 Merge branch 'marka-set-suffix-in-ans.py-v9_16' into 'v9_16'
Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py [v9_16]

See merge request isc-projects/bind9!6620
2022-07-27 22:06:10 +00:00
Mark Andrews
19bf98201b Ensure suffix is always valid in bin/tests/system/qmin/ans4/ans.py
initalise suffix to ""

    170        r.answer.append(
    171            dns.rrset.from_text(
    172                lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix
    173            )
    174        )
    175        r.flags |= dns.flags.AA
           15. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
    176    elif endswith(lqname, "icky.ptang.zoop.boing."):
           CID 350722 (#7 of 7): Bad use of null-like value (FORWARD_NULL)
           16. invalid_operation: Invalid operation on null-like value suffix.
    177        r.authority.append(
    178            dns.rrset.from_text(
    179                "icky.ptang.zoop.boing." + suffix,
    180                1,
    181                IN,
    182                SOA,
    183                "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
    184            )
    185        )

(cherry picked from commit eb798d0478)
2022-07-27 14:27:26 -04:00
Matthijs Mekking
40c5816814 Merge branch '3462-rndc-dumpdb-expired-doesnt-always-work-v9_16' into 'v9_16'
[v9_16] Fix destination port extraction for client queries

See merge request isc-projects/bind9!6613
2022-07-26 08:43:39 +00:00
Matthijs Mekking
3c2f517415 Add change entry and release note for #3462
News worthy.

(cherry picked from commit 44bbc0175c)
2022-07-26 10:02:26 +02:00
Matthijs Mekking
f8ad7501dc Fix rndc dumpdb -expired for stuck cache contents
The command 'rndc dumpdb -expired' will include expired RRsets in the
output, but only for the RBTDB_VIRTUAL time (of 5 minutes). This means
that if there is a cache cleaning problem and contents are not cleaned
up, the rndc command has little diagnostic value. Fix this by including
all RRsets in the dumpdb output if the '-expired' flag is set.

(cherry picked from commit 930ba2c914)
2022-07-26 10:02:15 +02:00
Mark Andrews
24bb1d109c Merge branch '3469-auto-disable-rsasha1-and-nsec3rsasha1-when-not-supported-by-the-os-v9_16' into 'v9_16'
Check that we can verify a signature at initialisation time [v9_16]

See merge request isc-projects/bind9!6615
2022-07-25 15:59:21 +00:00
Mark Andrews
8be8257914 Add release note for [GL #3469]
(cherry picked from commit 16b133af40)
2022-07-25 11:37:49 -04:00
Mark Andrews
cbd2403633 CHANGES note for [GL #3469]
(cherry picked from commit c549249cb9)
2022-07-25 11:37:49 -04:00
Mark Andrews
a1452c32ab Check that we can verify a signature at initialisation time
Fedora 33 doesn't support RSASHA1 in future mode.  There is no easy
check for this other than by attempting to perform a verification
using known good signatures.  We don't attempt to sign with RSASHA1
as that would not work in FIPS mode.  RSASHA1 is verify only.

The test vectors were generated using OpenSSL 3.0 and
util/gen-rsa-sha-vectors.c.  Rerunning will generate a new set of
test vectors as the private key is not preserved.

e.g.
	cc util/gen-rsa-sha-vectors.c -I /opt/local/include \
		-L /opt/local/lib -lcrypto

(cherry picked from commit cd3f00874f)
2022-07-25 11:37:49 -04:00
Evan Hunt
5503d9aa68 Merge branch '2918-deprecate-max-zone-ttl-v9_16' into 'v9_16'
Test dnssec-policy max-zone-ttl rejects zone with too high TTL

See merge request isc-projects/bind9!6611
2022-07-22 22:57:00 +00:00
Evan Hunt
a20584dcf8 CHANGES and release note for [GL #2918] 2022-07-22 15:24:34 -07:00
Evan Hunt
fb8f102ffc warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
2022-07-22 15:24:34 -07:00
Evan Hunt
1ed5eb38e4 clarify "max-zone-ttl" documentation
The "max-zone-ttl" option should now be configured as part of
dnssec-policy. Use of this option in zone/view/options will be ignored
in any zone that also has dnssec-policy configured.
2022-07-22 15:24:29 -07:00
Matthijs Mekking
111b215987 Reject zones with TTL higher than dnssec-policy max-zone-ttl
Reject loading of zones with TTL higher than the max-zone-ttl
from the dnssec-policy.

With this change, any zone with a dnssec-policy in use will ignore
the max-zone-ttl option in zone/view/options.
2022-07-22 13:40:12 -07:00
Matthijs Mekking
2022384b8d Test dnssec-policy max-zone-ttl rejects zone with too high TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
2022-07-22 13:39:17 -07:00
Petr Špaček
04c76d0055 Merge branch 'pspacek/minor-arm-tweaks-and-fixes-v9_16' into 'v9_16'
Fix dnssec-signzone examples in DNSSEC Guide [v9_16]

See merge request isc-projects/bind9!6604
2022-07-21 13:20:02 +00:00
Petr Špaček
a94c063c19 Avoid opt-out flag in dnssec-signzone examples
Since !6413 we discourage opt-out, so we should not be advertising it in
the examples. Even worse, it was just thrown into the command line
without even mentioning its meaning in the surrounding text.

Related: !6413
(cherry picked from commit beae857288)
2022-07-21 15:19:38 +02:00
Petr Špaček
445863c9fd Remove errorneous shell output redirection from dnssec-signzone example
The > looked like shell output redirection. It was present since we
imported DNSSEC Guide into the ARM.

(cherry picked from commit 1ab564d605)
2022-07-21 15:19:38 +02:00
Michal Nowak
a0e7b05aba Merge tag 'v9_16_31' into v9_16
BIND 9.16.31
2022-07-21 14:37:36 +02:00
Michał Kępień
55edba1dc6 Merge branch 'michal/run-a-short-respdiff-test-for-all-merge-requests-v9_16' into 'v9_16'
[v9_16] Run a short respdiff test for all merge requests

See merge request isc-projects/bind9!6591
2022-07-18 13:40:05 +00:00
Michał Kępień
1faaefd134 Run a short respdiff test for all merge requests
Running a respdiff test for every merge request would be useful for
catching protocol-breaking changes before they are applied to the source
code.  However, the existing respdiff-based tests take a while to
complete (about half an hour with our current CI infrastructure), which
does not make them a good fit for this purpose.  Add a new GitLab CI
job, "respdiff-short", which uses a smaller query set that gets
processed within a couple of minutes on our current CI infrastructure.
Rename the existing respdiff-based jobs to make distinguishing them
easier.

(cherry picked from commit 31ee43a314)
2022-07-18 15:28:21 +02:00
Michał Kępień
6b03f8bbfc Extract respdiff job definition to a YAML anchor
Ensure the common parts of all jobs using respdiff are available in the
form of a reusable YAML anchor, to reduce code duplication and to
simplify adding more respdiff-based jobs to GitLab CI.

(cherry picked from commit ca20a189f7)
2022-07-18 15:28:21 +02:00
Michał Kępień
d02d5b97f5 Use a pre-built executable as the reference named
The "respdiff" GitLab CI job compares DNS responses produced by the
current version of named with those produced by a reference version.
The latter is built from source in each "respdiff" job, despite the fact
that the reference version changes very rarely.  Use a pre-built named
executable as the reference version instead, assuming it is available in
the OS image used for "respdiff" tests.

(cherry picked from commit ab90a4705a)
2022-07-18 15:28:21 +02:00
Ondřej Surý
2e7e47f88d Merge branch '3453-cope-with-too-small-BUFSIZ-v9_16' into 'v9_16'
Increase the BUFSIZ-long buffers [v9.16]

See merge request isc-projects/bind9!6587
2022-07-15 19:48:15 +00:00
Ondřej Surý
c1b8f5f30c Increase the BUFSIZ-long buffers
The BUFSIZ value varies between platforms, it could be 8K on Linux and
512 bytes on mingw.  Make sure the buffers are always big enough for the
output data to prevent truncation of the output by appropriately
enlarging or sizing the buffers.

(cherry picked from commit b19d932262)
2022-07-15 21:21:03 +02:00
Michał Kępień
cacca9bdf9 Merge branch '3443-memory-related-cleanups-v9_16' into 'v9_16'
[v9_16] Memory-related cleanups

See merge request isc-projects/bind9!6569
2022-07-15 09:01:03 +00:00
Michał Kępień
b68851773c Make "named -h" output match option-handling code
The usage instructions printed by "named -h" are missing the "external"
and "internal" flags that can be passed to the -M command-line option.
Add the missing flags to "named -h" output.
2022-07-15 10:45:34 +02:00
Michał Kępień
31012c1c0d Update documentation for named's -M option
Add "internal" to the list of legal values for the -M command-line
option (commit 1f7d2d53f0 added that
flag).

Make the style of the relevant paragraph more in line with the next one
and split its contents up into an unordered list of options for improved
readability.

(cherry picked from commit f0c31ceb3b)
2022-07-15 10:45:34 +02:00
Michał Kępień
4d1986ebcb Handle ISC_MEM_DEFAULTFILL consistently
Contrary to what the documentation states, memory filling is only
enabled by --enable-developer (or by setting -DISC_MEM_DEFAULTFILL=1) if
the internal memory allocator is used.  However, the internal memory
allocator is disabled by default, so just using the --enable-developer
build-time option does not enable memory filling (passing "-M fill" on
the named command line is necessary to actually enable it).  As memory
filling is a useful tool for troubleshooting certain types of bugs, it
should also be enabled by --enable-developer when the system allocator
is used.

Furthermore, memory-related preprocessor macros are handled in two
distinct locations: lib/isc/include/isc/mem.h and bin/named/main.c.
This makes the logic hard to follow.

Move all code handling the ISC_MEM_DEFAULTFILL preprocessor macro to
lib/isc/include/isc/mem.h, ensuring memory filling is enabled by the
--enable-developer build-time switch, no matter which memory allocator
is used.
2022-07-15 10:45:34 +02:00
Michał Kępień
7df6070c02 Fix mempool stats bug in the internal allocator
Commit c96b6eb5ec changed the way mempool
code handles freed allocations that cannot be retained for later use as
"free list" items: it no longer uses different logic depending on
whether the internal allocator is used or the system one.  However, that
commit did not update a relevant piece of code in isc_mempool_destroy(),
causing memory context statistics to always be off upon shutdown when
BIND 9 is built with -DISC_MEM_USE_INTERNAL_MALLOC=1.  This causes
assertion failures.  Update isc_mempool_destroy() accordingly in order
to prevent this issue from being triggered.
2022-07-15 10:45:34 +02:00
Mark Andrews
5338fc9e19 Merge branch '3447-lib-dns-tkey-c-free_namelist-should-be-disassociating-associated-rdatatsets-v9_16' into 'v9_16'
disassociate rdatasets when cleaning up [v9_16]

See merge request isc-projects/bind9!6578
2022-07-14 01:08:57 +00:00
Mark Andrews
f2855facbe disassociate rdatasets when cleaning up
free_namelist could be passed names with associated rdatasets
when handling errors.  These need to be disassociated before
calling dns_message_puttemprdataset.

(cherry picked from commit 745d5edc3a)
2022-07-14 10:21:47 +10:00
Mark Andrews
29f0ac40f3 Merge branch '3449-kasp-system-test-failed-to-log-some-zones-during-setup-v9_16' into 'v9_16'
kasp: add missing logging during setup [v9_16]

See merge request isc-projects/bind9!6576
2022-07-14 00:18:27 +00:00
Mark Andrews
9980c7be8d kasp: add missing logging during setup
Some zones where not being logged when just DNSSEC keys where being
generated in system test setup phase.  Add logging for these zones.

(cherry picked from commit 04627997eb)
2022-07-14 09:46:16 +10:00
Mark Andrews
5e5232aa5b Merge branch '3446-autosign-s-checking-revoked-key-with-duplicate-key-id-test-was-incomplete-v9_16' into 'v9_16'
Make "checking revoked key with duplicate key ID" work [v9_16]

See merge request isc-projects/bind9!6558
2022-07-13 01:42:56 +00:00
Mark Andrews
5fec2fcbe7 Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically
lower one is revoked (serial space arithmetic).  The DS points
at the non-revoked key so validation should still succeed.

(cherry picked from commit 513cb24b55)
2022-07-13 10:58:41 +10:00
Evan Hunt
492f614d0e Merge branch '2683-ixfr-logging-v9_16' into 'v9_16'
log the reason for falling back to AXFR from IXFR at level info

See merge request isc-projects/bind9!6552
2022-07-12 23:52:47 +00:00
Evan Hunt
0849fd2211 log the reason for falling back to AXFR from IXFR at level info
messages indicating the reason for a fallback to AXFR (i.e, because
the requested serial number is not present in the journal, or because
the size of the IXFR response would exceeed "max-ixfr-ratio") are now
logged at level info instead of debug(4).

(cherry picked from commit df1d81cf96)
2022-07-12 16:27:01 -07:00
Michal Nowak
d0bf87eab5 Merge branch 'mnowak/alpine-3.16-v9_16' into 'v9_16'
[v9_16] Add Alpine Linux 3.16

See merge request isc-projects/bind9!6549
2022-07-12 12:01:37 +00:00
Michal Nowak
0043999f54 Add Alpine Linux 3.16
(cherry picked from commit 0d0ab3db10)
2022-07-12 13:59:30 +02:00
Matthijs Mekking
77ee0f87b5 Merge branch '3438-dnssec-policy-does-not-set-inline-signing-v9_16' into 'v9_16'
[v9_16] Fix inheritance for dnssec-policy when checking for inline-signing

See merge request isc-projects/bind9!6547
2022-07-12 11:39:42 +00:00
Matthijs Mekking
60c297d717 Add release note and change entry for #3438
Bug worth mentioning.

(cherry picked from commit 689215a675)
2022-07-12 12:48:57 +02:00