Compare commits

...

1289 Commits

Author SHA1 Message Date
Ondřej Surý
098f68799b Merge branch 'ondrej/win32-stdatomic-fix-v9_14' into 'v9_14'
Stop requiring same memory ordering in win32 atomic_compare_exchange functions

See merge request isc-projects/bind9!3059
2020-02-13 14:21:40 +00:00
Ondřej Surý
a377780049 Stop requiring same memory ordering in win32 atomic_compare_exchange functions 2020-02-13 15:16:06 +01:00
Tinderbox User
596b94db38 Merge branch 'prep-release' into v9_14 2020-02-12 20:08:05 +00:00
Tinderbox User
d271d444aa prep v9.14.11 2020-02-12 20:07:41 +00:00
Michal Nowak
f1afaa80af Merge branch 'mnowak/coverity-disable-web-tag-v9_14' into 'v9_14'
[v9_14] Run Coverity Scan only when specific variables are present

See merge request isc-projects/bind9!3055
2020-02-12 14:58:10 +00:00
Michal Nowak
04a60beb25 Run Coverity Scan only when specific variables are present
Submissions to Coverity Scan should be limited to those originated from
release branches and only from a specific schedule which holds
COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN variables.

(cherry picked from commit 48530aa21395414b0f9788ea5ab158b2b09ab977)
2020-02-12 14:58:10 +00:00
Michał Kępień
744b819f14 Merge branch 'michal/prepare-release-notes-for-bind-9.14.11' into 'v9_14'
Prepare release notes for BIND 9.14.11

See merge request isc-projects/bind9!3051
2020-02-12 13:18:56 +00:00
Michał Kępień
38f3053694 Add release notes section for BIND 9.14.11 2020-02-12 13:50:21 +01:00
Michał Kępień
69425845c4 Merge branch 'michal/minor-README-tweaks-v9_14' into 'v9_14'
[v9_14] Minor README tweaks

See merge request isc-projects/bind9!3048
2020-02-12 10:38:22 +00:00
Michał Kępień
1aa9f58aba Minor CHANGES tweak
(cherry picked from commit a0349b18e0)
2020-02-12 11:27:28 +01:00
Stephen Morris
a5a358df87 Minor README tweaks
(cherry picked from commit bc539d48e7)
2020-02-12 11:26:59 +01:00
Michal Nowak
4bc64ad831 Merge branch 'mnowak/coverity2-v9_14' into 'v9_14'
[v9_14] Add Coverity Scan to CI

See merge request isc-projects/bind9!3046
2020-02-12 10:01:35 +00:00
Michal Nowak
27ff22ff37 Add Coverity Scan to CI
This job requires two CI variables to be set:

  - COVERITY_SCAN_PROJECT_NAME: project name, which is associated with
    the BIND branch for which this job is executed, e.g. "bind-master",

  - COVERITY_SCAN_TOKEN: project token.

(cherry picked from commit e8392e4bb911366b65cdc461ec907d9e1a68bf54)
2020-02-12 10:01:35 +00:00
Mark Andrews
dcf3e0684c Merge branch '1602-rpz-system-test-failed-because-protoype-responses-timed-out-v9_14' into 'v9_14'
spin waiting for prototype dig responses

See merge request isc-projects/bind9!3045
2020-02-12 09:34:23 +00:00
Mark Andrews
8bea078674 spin waiting for prototype dig responses
(cherry picked from commit c38752b07c)
2020-02-12 19:48:02 +11:00
Mark Andrews
94ebac1e45 Merge branch '1616-autosign-not-waiting-long-enough-for-zone-to-be-signed-v9_11-and-maybe-others-v9_14' into 'v9_14'
wait for apex NSEC3 to be generated

See merge request isc-projects/bind9!3041
2020-02-12 08:38:55 +00:00
Mark Andrews
d3f726cbef wait for apex NSEC3 to be generated
(cherry picked from commit c99ad5c8c7)
2020-02-12 19:12:40 +11:00
Ondřej Surý
12b44788bd Merge branch '1428-possible-data-race-in-rbtdb-happens-occasionally-on-ppc64le-v9_14' into 'v9_14'
Resolve "Possible data race in rbtdb, happens occasionally on ppc64le"

See merge request isc-projects/bind9!3035
2020-02-11 11:19:12 +00:00
Ondřej Surý
3c8a441a0e Convert all atomic operations in isc_rwlock to release-acquire memory ordering
The memory ordering in the rwlock was all wrong, I am copying excerpts
from the https://en.cppreference.com/w/c/atomic/memory_order#Relaxed_ordering
for the convenience of the reader:

  Relaxed ordering

  Atomic operations tagged memory_order_relaxed are not synchronization
  operations; they do not impose an order among concurrent memory
  accesses. They only guarantee atomicity and modification order
  consistency.

  Release-Acquire ordering

  If an atomic store in thread A is tagged memory_order_release and an
  atomic load in thread B from the same variable is tagged
  memory_order_acquire, all memory writes (non-atomic and relaxed atomic)
  that happened-before the atomic store from the point of view of thread
  A, become visible side-effects in thread B. That is, once the atomic
  load is completed, thread B is guaranteed to see everything thread A
  wrote to memory.

  The synchronization is established only between the threads releasing
  and acquiring the same atomic variable. Other threads can see different
  order of memory accesses than either or both of the synchronized
  threads.

Which basically means that we had no or weak synchronization between
threads using the same variables in the rwlock structure.  There should
not be a significant performance drop because the critical sections were
already protected by:

  while(1) {
    if (relaxed_atomic_operation) {
      break;
    }
    LOCK(lock);
    if (!relaxed_atomic_operation) {
      WAIT(sem, lock);
    }
    UNLOCK(lock)l
  }

I would add one more thing to "Don't do your own crypto, folks.":

  - Also don't do your own locking, folks.
2020-02-11 11:50:04 +01:00
Ondřej Surý
1da0994ea4 Make isc_rwlock.c thread-safe
The ThreadSanitizer found several possible data races in our rwlock
implementation.  This commit changes all the unprotected variables to atomic and
also changes the explicit memory ordering (atomic_<foo>_explicit(..., <order>)
functions to use our convenience macros (atomic_<foo>_<order>).
2020-02-11 11:49:01 +01:00
Ondřej Surý
50058a4bc8 Merge branch 'ondrej/remove-OpenSSL-engine-specification-in-label-v9_14' into 'v9_14'
[v9_14] Cleanup support for specifying PKCS#11 engine as part of the label

See merge request isc-projects/bind9!3033
2020-02-11 10:13:56 +00:00
Ondřej Surý
f172ecabda Remove reference to prepending label with engine in manpage
(cherry picked from commit 33fa3d5eb1)
2020-02-11 10:32:12 +01:00
Ondřej Surý
95130a379c Cleanup support for specifying PKCS#11 engine as part of the label
The code for specifying OpenSSL PKCS#11 engine as part of the label
(e.g. -l "pkcs11:token=..." instead of -E pkcs11 -l "token=...")
was non-functional.  This commit just cleans the related code.

(cherry picked from commit a5c87d9d18)
2020-02-11 10:32:11 +01:00
Ondřej Surý
e834548376 Merge branch 'ondrej/lgtm-narrow-vs-wider-type-comparison-in-a-loop-v9_14' into 'v9_14'
Fix comparison between type uint16_t and  wider type size_t in a loop

See merge request isc-projects/bind9!3030
2020-02-10 10:59:40 +00:00
Ondřej Surý
bffdf9c58d Fix comparison between type uint16_t and wider type size_t in a loop
Found by LGTM.com (see below for description), and while it should not
happen as EDNS OPT RDLEN is uint16_t, the fix is easy.  A little bit
of cleanup is included too.

> In a loop condition, comparison of a value of a narrow type with a value
> of a wide type may result in unexpected behavior if the wider value is
> sufficiently large (or small). This is because the narrower value may
> overflow. This can lead to an infinite loop.

(cherry picked from commit a9bd6f6ea6)
2020-02-10 02:42:50 -08:00
Evan Hunt
018e366f6b Merge branch '932-doc-query-error-logging-v9_14' into 'v9_14'
improve documentation of query logging

See merge request isc-projects/bind9!3027
2020-02-09 00:08:07 +00:00
Evan Hunt
d3c6e5d89c improve documentation of query logging
(cherry picked from commit 21bb9fa77f)
2020-02-08 16:07:01 -08:00
Ondřej Surý
ce202f4d17 Merge branch '1560-isc_httpd-and-isc_httpdmgr-structures-are-not-reference-counted-and-magic-v9_14' into 'v9_14'
Resolve "isc_httpd and isc_httpdmgr structures are not reference counted and magic"

See merge request isc-projects/bind9!2939
2020-02-08 20:23:56 +00:00
Ondřej Surý
3828d4e3e9 Clean the ENTER/EXIT/NOTICE debugging from production code
(cherry picked from commit 5b448996e5)
2020-02-08 11:37:42 -08:00
Ondřej Surý
5391187fd4 Refactor parts of isc_httpd and isc_httpd for better readability and safety
(cherry picked from commit 9643a62dd5)
2020-02-08 11:37:42 -08:00
Mark Andrews
f5be6c8877 add ISC_MAGIC and reference counting to httpd and httpdmgr
(cherry picked from commit 7c3f419d66)
2020-02-08 11:37:42 -08:00
Mark Andrews
5f0314c467 Merge branch '1596-echo_ic-should-be-used-for-continuations-v9_14' into 'v9_14'
Resolve "echo_ic should be used for continuations."

See merge request isc-projects/bind9!3021
2020-02-07 22:35:05 +00:00
Mark Andrews
4db05004ef indent failed: descriptions
(cherry picked from commit 1e4773f121)
2020-02-07 21:48:46 +00:00
Mark Andrews
cf40f76703 indent some test descriptions/continuation
(cherry picked from commit ec95bc6f2c)
2020-02-07 21:48:46 +00:00
Mark Andrews
1264cbc9b8 remove space before 'failed'
(cherry picked from commit 0d5ec0c7dc)
2020-02-07 21:48:46 +00:00
Mark Andrews
1df2df5706 ident continuation of test descriptions
(cherry picked from commit 059b16b991)
2020-02-07 21:48:46 +00:00
Mark Andrews
9804cdb5f2 remove space from before 'failed'; count errors
(cherry picked from commit 879c63b573)
2020-02-07 21:48:46 +00:00
Mark Andrews
def0570453 Merge branch '1559-dnssec-system-test-failed-reload-of-root-server-not-completed-in-time-v9_14' into 'v9_14'
wait for root server to complete reloading

See merge request isc-projects/bind9!3018
2020-02-07 21:37:03 +00:00
Mark Andrews
85d2a2c633 wait for root server to complete reloading
(cherry picked from commit 784e64f238)
2020-02-07 21:09:30 +00:00
Mark Andrews
75972ebdf3 Merge branch '1599-autosign-conversion-from-nsec3-to-nsec-can-take-more-than-2-seconds-v9_14' into 'v9_14'
wait a short while for no NSEC3PARAM

See merge request isc-projects/bind9!3016
2020-02-07 15:04:40 +00:00
Mark Andrews
5a559c3fcf wait a short while for no NSEC3PARAM
(cherry picked from commit e378241324)
2020-02-08 00:43:06 +11:00
Mark Andrews
f8f2b192a7 Merge branch 'marka-coverity-dns-db-find-v9_14' into 'v9_14'
Marka coverity dns db find v9 14

See merge request isc-projects/bind9!3014
2020-02-07 11:16:47 +00:00
Mark Andrews
76df419b27 Silence unchecked return of dns_db_find()
190        dns_rdataset_init(&rdataset);
   	3. Condition r == 0, taking true branch.
   	4. Condition result, taking false branch.

	CID 1452691 (#1 of 1): Unchecked return value (CHECKED_RETURN)
	5. check_return: Calling dns_db_find without checking return
	value (as is done elsewhere 39 out of 45 times).

191        check_assertion(dns_db_find(db1, dns_rootname, v2,
192                                    dns_rdatatype_soa, 0, 0, NULL,
193                                    name, &rdataset, NULL));

(cherry picked from commit e8bf82efc6)
2020-02-07 21:43:26 +11:00
Mark Andrews
a6f09283cd Fix indenting.
(cherry picked from commit 98d5109e82)
2020-02-07 21:43:26 +11:00
Mark Andrews
f015929d35 Correct logged function name.
(cherry picked from commit 550bbee427)
2020-02-07 21:43:26 +11:00
Michał Kępień
39701467a9 Merge branch 'michal/fix-the-dnssec-system-test-on-windows-v9_14' into 'v9_14'
[v9_14] Fix the "dnssec" system test on Windows

See merge request isc-projects/bind9!3012
2020-02-06 14:20:54 +00:00
Michał Kępień
6c5295ca09 Fix the "dnssec" system test on Windows
Make sure carriage return characters are stripped from awk input to
enable the "dnssec" system test to pass on Windows.

(cherry picked from commit 2f694f0b77)
2020-02-06 15:17:51 +01:00
Matthijs Mekking
eed59f521b Merge branch '914-forwarders-port-documentation-v9_14' into 'v9_14'
Document forwarders config port and dscp param

See merge request isc-projects/bind9!3008
2020-02-06 09:54:22 +00:00
Matthijs Mekking
5e1f3ae518 Document forwarders config port and dscp param
(cherry picked from commit be3a11029a)
2020-02-06 10:06:22 +01:00
Michal Nowak
64f6e8597b Merge branch 'mnowak/windows-raise-port-range-v9_14' into 'v9_14'
[v9_14] Windows: Prevent tools from clashing with named in system tests

See merge request isc-projects/bind9!3002
2020-02-05 11:07:18 +00:00
Michal Nowak
8a47de5110 Windows: Prevent tools from clashing with named in system tests
In system tests on Windows tool's local port can sometimes clash with
'named'. On Unix the system is poked for the minimal local port,
otherwise is set to 32768 as a sane minimum. For Windows we don't
poke but set a hardcoded limit; this change aligns the limit with
Unix and changes it to 32768.

(cherry picked from commit ed7fe5fae3b22d136f0a5a92ea3b67536b10a5ce)
2020-02-05 11:07:18 +00:00
Matthijs Mekking
cffc7c15f7 Merge branch 'cppcheck-1.90-warnings-v9_14' into 'v9_14'
Cppcheck 1.90 warnings v9 14

See merge request isc-projects/bind9!2997
2020-02-05 09:22:11 +00:00
Matthijs Mekking
6799f2208f more_frags: check for basic blocks != NULL 2020-02-05 09:08:35 +01:00
Matthijs Mekking
076585e611 Fix build
Restore cleanup: label in dns_client_startrequest because it still has one
goto for it.
2020-02-05 09:08:35 +01:00
Matthijs Mekking
6b9f9a0b52 Add a note on memory allocation
isc__memalloc_t must deal with memory allocation failure
and must never return NULL.

(cherry picked from commit b8be29fee6)
2020-02-05 09:08:35 +01:00
Ondřej Surý
d91cfbd67f Suppress unknownMacro directive which is currently broken with OpenSSL
(cherry picked from commit 2868eafc46)
2020-02-05 09:08:35 +01:00
Ondřej Surý
49edf175fe Suppress cppcheck false positive nullPointerArithmeticRedundantCheck
(cherry picked from commit c00def343f)
2020-02-05 09:08:35 +01:00
Ondřej Surý
5f4ca46d50 Change pk11_mem_get() so it cannot soft-fail
(cherry picked from commit 05ae2e48ab)
2020-02-05 09:08:35 +01:00
Ondřej Surý
1b9a7a17d9 Make the DbC checks to be consistent and cppcheck clean
(cherry picked from commit 478e4ac201)
2020-02-05 09:08:35 +01:00
Mark Andrews
da02ff9d08 isc_mem_get cannot fail
(cherry picked from commit bb65e57297)
2020-02-05 09:08:35 +01:00
Mark Andrews
c2ce468734 delay assignment until after REQUIRE
(cherry picked from commit d6de520bd1)
2020-02-05 09:08:35 +01:00
Mark Andrews
e515ac325e skip if first is NULL
(cherry picked from commit 704b9ee9d0)
2020-02-05 09:08:35 +01:00
Mark Andrews
71a55892eb delay assignment until after REQUIRE
(cherry picked from commit c65c06301c)
2020-02-05 09:08:35 +01:00
Mark Andrews
4217930699 make expression logical for cppcheck
(cherry picked from commit f17b9b8dd1)
2020-02-05 09:08:35 +01:00
Mark Andrews
8251141baa remove brackets
(cherry picked from commit 7b948c7335)
2020-02-05 09:08:35 +01:00
Mark Andrews
123371e1e7 simplify ISC_LIKELY/ISC_UNLIKELY for CPPCHECK
(cherry picked from commit 6c2e138d7a)
2020-02-05 09:08:35 +01:00
Mark Andrews
30492c2d40 simplify RUNTIME_CHECK for cppcheck
(cherry picked from commit 668a972d1e)
2020-02-05 09:08:35 +01:00
Mark Andrews
3cc180a12d Merge branch '1192-fix-serve-stale-test-v9_14' into 'v9_14'
Increase TTL in serve-stale test

See merge request isc-projects/bind9!2996
2020-02-05 01:45:26 +00:00
Matthijs Mekking
832763a7d7 Increase TTL in serve-stale test
Increase the short lived record TTL and negative SOA TTL to make
this test less vulnerable to timing issues. The drawback is that we
also have to sleep longer in this test.

(cherry picked from commit 2c0c333d16)
2020-02-04 14:06:39 +01:00
Michał Kępień
0255a381c4 Merge branch '1305-update-gitlab-ci-to-openbsd-6.6-v9_14' into 'v9_14'
[v9_14] Update GitLab CI to OpenBSD 6.6

See merge request isc-projects/bind9!2994
2020-02-04 10:46:20 +00:00
Michał Kępień
9e2cb82779 Update GitLab CI to OpenBSD 6.6
Since OpenBSD 6.6 is the current OpenBSD release, replace OpenBSD 6.5
GitLab CI jobs with their up-to-date counterparts.

As CI jobs for OpenBSD 6.6 will be run by a generalized libvirt executor
rather than an OpenBSD-specific one, make the necessary tag and variable
adjustments as well.

(cherry picked from commit 99ed3a0e13)
2020-02-04 11:43:44 +01:00
Evan Hunt
fa69de09c9 Merge branch '1592-catz-filename-v9_14' into 'v9_14'
Resolve "catalog zones fail if a zone name contains a slash"

See merge request isc-projects/bind9!2992
2020-02-04 03:47:13 +00:00
Evan Hunt
b2f56efcbd CHANGES
(cherry picked from commit 7a002c7ece)
2020-02-03 19:19:46 -08:00
Mark Andrews
c09d01c7da don't swallow backslash characters in test output
(cherry picked from commit fc4e44bd37)
2020-02-03 19:19:45 -08:00
Mark Andrews
c1754035cb test all the scenarios for hashed filenames together
(cherry picked from commit 8745043a86)
2020-02-03 19:19:45 -08:00
Evan Hunt
68eb6c1bb9 Correctly handle catalog zone entries containing slashes
- Add quotes before and after zone name when generating "addzone"
  input so avoid "unexpected token" errors.
- Use a hex digest for zone filenames when the zone or view name
  contains a slash.
- Test with a domain name containing a slash.
- Incidentally added 'catzhash.py' to contrib/scripts to generate
  hash labels for catalog zones, as it was needed to write the test.

(cherry picked from commit dba0163dac)
2020-02-03 19:19:45 -08:00
Michal Nowak
8793ff9343 Merge branch 'mnowak/drop-kyua-report-verbose-option-v9_14' into 'v9_14'
[v9_14] Drop kyua report's --verbose option

See merge request isc-projects/bind9!2982
2020-01-31 09:11:37 +00:00
Michal Nowak
6bdb48908a Drop kyua report's --verbose option
It prints far more than needed.

(cherry picked from commit 5d14ed8465ccb1cb35bdbdeba2e0143b62b5455c)
2020-01-31 09:11:37 +00:00
Mark Andrews
f3cf7ccaa1 Merge branch '1554-cds-cdnskey-consistency-checks-don-t-work-with-deletion-records-v9_14' into 'v9_14'
Resolve "CDS / CDNSKEY consistency checks don't work with deletion records"

See merge request isc-projects/bind9!2977
2020-01-30 23:08:02 +00:00
Mark Andrews
e79a87566d use anonomous constants
(cherry picked from commit 02c2fc5ad3)
2020-01-31 00:15:16 +11:00
Mark Andrews
5432e365d5 use enum
(cherry picked from commit 7c0d9dac9f)
2020-01-31 00:15:16 +11:00
Mark Andrews
ea5e1ad762 add more CDS / CDNSKEY deletion record tests
(cherry picked from commit d159fdf25d)
2020-01-31 00:15:16 +11:00
Mark Andrews
a7e5a14624 check CDS and CDNSKEY content
(cherry picked from commit 68a360772f)
2020-01-31 00:15:16 +11:00
Mark Andrews
7f079c4fa3 check kskonly key ids
(cherry picked from commit 379949cce4)
2020-01-31 00:15:16 +11:00
Mark Andrews
d403b3621d add CHANGES
(cherry picked from commit 272a31f758)
2020-01-31 00:15:16 +11:00
Mark Andrews
3a87b02b1a style
(cherry picked from commit 279f6b01de)
2020-01-31 00:15:16 +11:00
Mark Andrews
c2a2e1f454 return the correct error code for the type being checked
(cherry picked from commit a09c464a20)
2020-01-31 00:15:16 +11:00
Mark Andrews
735dfc1ab8 check that a CDNSKEY deletion record is accepted
(cherry picked from commit f91b3a69ce)
2020-01-31 00:15:16 +11:00
Mark Andrews
103cd665e1 handle CDS deletion record in consistancy checks
(cherry picked from commit 0adb4b25d3)
2020-01-31 00:15:15 +11:00
Michał Kępień
5338d34173 Merge branch 'michal/list-atypical-failures-in-system-test-summary-v9_14' into 'v9_14'
[v9_14] List atypical failures in system test summary

See merge request isc-projects/bind9!2974
2020-01-29 14:42:40 +00:00
Michał Kępień
6e9d3680f9 List atypical failures in system test summary
Each system test can be marked as failed not only due to some tested
component(s) not behaving as expected, but also because of core dumps,
assertion failures, and/or ThreadSanitizer reports being found among its
artifacts.  Make the system test summary list the tests which exhibit
such atypical symptoms to more clearly present the nature of problems
found.

(cherry picked from commit a8836b381f)
2020-01-29 14:50:42 +01:00
Mark Andrews
249fc48cbb Merge branch '1508-case-system-test-failed-v9_14' into 'v9_14'
wait longer for dynamic zone to be transfered

See merge request isc-projects/bind9!2971
2020-01-28 23:05:22 +00:00
Mark Andrews
7865f1e28a wait longer for dynamic zone to be transfered
(cherry picked from commit 7b0ba6eb10)
2020-01-29 08:24:42 +11:00
Evan Hunt
d4c5c36392 Merge branch 'each-merge-doc-v9_14_10' into 'v9_14'
merge doc from 9.14.10 release

See merge request isc-projects/bind9!2962
2020-01-27 22:43:14 +00:00
Tinderbox User
2b13e3ca3b regen v9_14 2020-01-27 11:06:04 -08:00
Tinderbox User
0ec9ae77a8 prep 9.14.10
Update the API files.
- lib/dns:
  - struct resolver has added elements, this is an interface change
    and thus LIBINTERFACE is incremented, and LIBREVISION is reset.
  - Since this also means an interface change since the last public
    release, also reset LIBAGE.
- lib/isccfg:
  - The library source code changed, so increment LIBREVISION.
- lib/ns:
  - The library source code changed, so increment LIBREVISION.

Update other files:
- No changes needed to the README, this is a small bugfix release.
2020-01-27 11:06:04 -08:00
Evan Hunt
e00f03a6cb Merge branch 'each-history-typo-v9_14' into 'v9_14'
fixed a typo

See merge request isc-projects/bind9!2961
2020-01-24 17:57:08 +00:00
Evan Hunt
1e5b7b52f8 fixed a typo
(cherry picked from commit 0147acd7b6)
2020-01-24 09:56:36 -08:00
Mark Andrews
d2f3295e0a Merge branch '1579-dnstap-system-test-appears-to-be-timing-sensitive-v9_14' into 'v9_14'
Resolve "dnstap system test appears to be timing sensitive"

See merge request isc-projects/bind9!2958
2020-01-23 21:50:26 +00:00
Mark Andrews
cb271dcef0 wait for the ./NS lookup to complete
(cherry picked from commit 9b6df37303)
2020-01-24 08:20:04 +11:00
Mark Andrews
c585221d10 check that all servers have finished loading before beginging tests
(cherry picked from commit 4a992c7a18)
2020-01-24 08:20:04 +11:00
Mark Andrews
9eeaaed160 Merge branch 'marka-signing-clear-notify-v9_14' into 'v9_14'
Send NOFITY messages after deleting private-type records.

See merge request isc-projects/bind9!2953
2020-01-23 13:34:24 +00:00
Tony Finch
bee4599f90 Send NOFITY messages after deleting private-type records.
The `rndc signing -clear` command cleans up the private-type records
that keep track of zone signing activity, but before this change it
did not tell the secondary servers that the zone has changed.

(cherry picked from commit f3f7b7df5d)
2020-01-24 00:02:44 +11:00
Mark Andrews
914e7a8199 Merge branch '1572-wait-for-mirror-zone-to-be-deleted-v9_14' into 'v9_14'
wait for log message before testing that mirror zone is correctly removed

See merge request isc-projects/bind9!2952
2020-01-23 05:46:53 +00:00
Mark Andrews
0336701524 wait for log message before testing that mirror zone is correctly removed
(cherry picked from commit c6ba51cfc4)
2020-01-23 16:19:38 +11:00
Mark Andrews
acd91d1241 Merge branch '1522-pad-system-test-is-timing-sensitive-v9_14' into 'v9_14'
address timing issues in padding system test

See merge request isc-projects/bind9!2951
2020-01-23 03:47:26 +00:00
Mark Andrews
a0505547ca address timing issues in padding system test
'rndc stats' is not instantaneous. Wait for the dump to complete
before looking at the content.

(cherry picked from commit b3f06729e5)
2020-01-23 14:19:41 +11:00
Evan Hunt
7a3c9c63c6 Merge branch '1540-bind-aborts-when-queried-for-non-existing-domain-in-chaos-class-v9_14' into 'v9_14'
Resolve "bind 9.14.8 and 9.14.9 aborts when queried for non-existing domain in chaos class"

See merge request isc-projects/bind9!2948
2020-01-22 21:12:24 +00:00
Evan Hunt
34e206eb07 CHANGES
(cherry picked from commit 42e1fb8322)
2020-01-22 12:25:50 -08:00
Diego Fronza
f506a40914 Added test for the proposed fix
Added test to ensure that NXDOMAIN is returned when BIND is queried for a
non existing domain in CH class (if a view of CHAOS class is configured)
and that it also doesn't crash anymore in those cases.

(cherry picked from commit 7417b79c7a)
2020-01-22 12:25:34 -08:00
Diego Fronza
150b98d185 Fixed crash when querying for non existing domain in chaos class
Function dns_view_findzonecut in view.c wasn't correctly handling
classes other than IN (chaos, hesiod, etc) whenever the name being
looked up wasn't in cache or in any of the configured zone views' database.

That resulted in a NULL fname being used in resolver.c:4900, which
in turn was triggering abort.

(cherry picked from commit 85555f29d7)
2020-01-22 12:25:33 -08:00
Michal Nowak
4b34e5a135 Merge branch 'mnowak/prevent-failing-grep-invocations-from-interrupting-mkeys-v9_14' into 'v9_14'
[v9_14] mkeys: Prevent failing grep invocations

See merge request isc-projects/bind9!2945
2020-01-22 14:56:15 +00:00
Michal Nowak
377e48e897 mkeys: Prevent failing grep invocations
Some 'grep' invocations were not guarded from interrupting the test
prematurely, e.g. when no text was matched.

(cherry picked from commit 6c4a2b602042d83450f0af50c25225efa8698750)
2020-01-22 15:54:19 +01:00
Mark Andrews
882ee0fd29 Merge branch 'marka-Psync-future-v9_14' into 'v9_14'
Marka psync future v9 14

See merge request isc-projects/bind9!2926
2020-01-21 23:04:16 +00:00
Mark Andrews
2db5a2539a dnssec: do not publish CDS records when -Psync is in the future
This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:

    $ dnssec-keygen -a 13 -fk -Psync now+50h $zone
    $ dnssec-keygen -a 13 $zone
    $ dnssec-settime -Dsync now+50h $zone_ksk_old

However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.

To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDSNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.

(cherry picked from commit 4227b7969b)
2020-01-21 23:04:16 +00:00
Michal Nowak
79c15d2c07 Merge branch 'mnowak/enhance_unit_test_debugging-v9_14' into 'v9_14'
[v9_14] Omit spurious string from unit test debugging efforts

See merge request isc-projects/bind9!2936
2020-01-21 17:46:57 +00:00
Michal Nowak
8056ea212d Omit spurious string from unit test debugging efforts
When both 'broken' and 'failed' test cases appear in unit test output

...
===> Broken tests
lib/isc/tests/socket_test:main  ->  broken: Test case timed out  [300.022s]
===> Failed tests
lib/isc/tests/time_test:main  ->  failed: 2 of 6 tests failed  [0.006s]
===> Summary
...

spurious '===>' string gets matched, that results in the following
error:

  Usage error for command debug: '===>' is not a test case identifier (missing ':'?).

Following change makes sure the string is omitted.

I checked on FreeBSD and OpenBSD that the AWK construct is supported.

(cherry picked from commit 9e6f6156f7)
2020-01-21 17:46:57 +00:00
Witold Krecicki
b3941d61cb Merge branch 'wpk/fix-inline-test-v9_14' into 'v9_14'
tests: add a missing log nextpart in inline test

See merge request isc-projects/bind9!2934
2020-01-21 14:34:37 +00:00
Witold Kręcicki
3f54e31d0c tests: add a missing log nextpart in inline test 2020-01-21 15:15:42 +01:00
Ondřej Surý
4fe14b1a9d Merge branch 'ondrej/lower-the-artifact-expiration-time-to-just-12-hours-v9_14' into 'v9_14'
Lower the artifact expiration time to just 1 day

See merge request isc-projects/bind9!2931
2020-01-21 12:11:00 +00:00
Ondřej Surý
3ae30df269 Lower the artifact expiration time to just 1 day
(cherry picked from commit 27a9be3034)
2020-01-21 13:08:57 +01:00
Mark Andrews
c83b14fea6 Merge branch 'marka-omit-spurious-newlines-v9_14' into 'v9_14'
Omit spurious newlines when reporting DNSKEY changes

See merge request isc-projects/bind9!2923
2020-01-21 05:49:50 +00:00
Tony Finch
5c2573c1ad Omit spurious newlines when reporting DNSKEY changes
These caused blank lines to appear in the logs.

(cherry picked from commit 3b1bd3f48b)
2020-01-21 16:28:24 +11:00
Mark Andrews
9816c0c3ca Merge branch 'marka-document-authors-bind-v9_14' into 'v9_14'
document that version also controls authors.bind

See merge request isc-projects/bind9!2920
2020-01-21 04:29:24 +00:00
Mark Andrews
f198545cc1 document that version also controls authors.bind
(cherry picked from commit 05c6a29c87)
2020-01-21 15:04:51 +11:00
Mark Andrews
619746390b Merge branch '1537-nslookup-manual-page-needs-update-for-default-querytype-a-and-aaaa-v9_14' into 'v9_14'
document that nslookup defaults to A + AAAA lookups

See merge request isc-projects/bind9!2916
2020-01-20 02:23:23 +00:00
Mark Andrews
1151df1715 document that nslookup defaults to A + AAAA lookups
(cherry picked from commit 938fc81493)
2020-01-20 10:47:54 +11:00
Mark Andrews
c4ba29de6a Merge branch 'marka-check-CHANGES-SE-in-CI-v9_14' into 'v9_14'
check that CHANGES.SE entries are correctly ordered and that whitespace is correct

See merge request isc-projects/bind9!2915
2020-01-19 23:12:27 +00:00
Mark Andrews
e0605f1ee2 check that CHANGES.SE entries are correctly ordered and that whitespace is correct
(cherry picked from commit 05f2ba973f)
2020-01-18 08:11:08 +11:00
Matthijs Mekking
350a8867bf Merge branch 'prepare-release-notes-for-bind-9-14.10' into 'v9_14'
Add release notes section for BIND 9.14.10

See merge request isc-projects/bind9!2905
2020-01-16 12:01:29 +00:00
Michał Kępień
169ffcb96e Add release notes section for BIND 9.14.10 2020-01-16 12:26:53 +01:00
Michał Kępień
3a6d3abc4d Merge branch 'michal/fix-the-dnssec-system-test-on-windows-v9_14' into 'v9_14'
[v9_14] Fix the "dnssec" system test on Windows

See merge request isc-projects/bind9!2903
2020-01-16 08:51:23 +00:00
Michał Kępień
bfedaa5a99 Fix the "dnssec" system test on Windows
Make sure carriage return characters are stripped from awk input to
enable the "dnssec" system test to pass on Windows.

(cherry picked from commit 451484b870)
2020-01-16 09:50:06 +01:00
Michał Kępień
ddaeb2ce14 Merge branch '1525-inline-system-test-failed-need-to-wait-for-zone-to-be-loaded-v9_14' into 'v9_14'
[v9_14] Resolve "inline system test failed, need to wait for zone to be loaded."

See merge request isc-projects/bind9!2890
2020-01-14 14:14:38 +00:00
Mark Andrews
0384fb7d92 address some timing issues in inline system test
(cherry picked from commit 2dc4d72fa9)
2020-01-14 14:36:35 +01:00
Michał Kępień
9a5b608ac2 Merge branch '1482-autosign-system-test-failed-v9_14' into 'v9_14'
[v9_14] Resolve "autosign system test failed"

See merge request isc-projects/bind9!2887
2020-01-14 13:34:54 +00:00
Mark Andrews
1327031232 Fix autosign system test issues.
* report when NSEC3PARAM is not yet present
* allow more time for NSEC3PARAM to become present
* adjust frequency failure message

(cherry picked from commit 17d25dbf47)
2020-01-14 13:24:19 +01:00
Michał Kępień
4c3c2a5296 Merge branch '1467-xfer-test-suppress-zone-transfer-when-we-are-going-to-retry-v9_14' into 'v9_14'
[v9_14] Resolve "xfer test: suppress zone transfer when we are going to retry."

See merge request isc-projects/bind9!2884
2020-01-14 11:52:28 +00:00
Mark Andrews
895f60d6f8 improve forensic logs
improve forensic logs by directing output to per sub-test named
files and reporting the sub-subtest number.

(cherry picked from commit 05aa45c602)
2020-01-14 11:57:40 +01:00
Mark Andrews
28695f1c92 suppress unnecessary zone transfer
suppressed unnecessary zone transfer in "test mapped zone with
out of zone data" sub-test.

(cherry picked from commit 9bd6720f58)
2020-01-14 11:54:58 +01:00
Mark Andrews
14ef8b10af Improve forensic logging in "testing basic zone transfer functionality"
Split the "testing basic zone transfer functionality" into primary and
secondary parts to improve forensic logging.

(cherry picked from commit 46982b414b)
2020-01-14 11:51:31 +01:00
Ondřej Surý
173d770bf3 Merge branch '1531-add-calls-to-dns_rdata_additionaldata-to-lib-dns-tests-rdata_test-c-v9_14' into 'v9_14'
Resolve "Add calls to dns_rdata_additionaldata to lib/dns/tests/rdata_test.c"

See merge request isc-projects/bind9!2878
2020-01-14 09:36:33 +00:00
Mark Andrews
2ec9d87b20 exercise dns_rdata_checknames
(cherry picked from commit b3c1b2a869)
2020-01-14 08:07:38 +00:00
Mark Andrews
ff4b0af279 exercise dns_rdata_additionaldata
(cherry picked from commit 649a34d628)
2020-01-14 08:07:38 +00:00
Mark Andrews
aa0ea40182 call dns_rdata_towire on valid output from dns_rdata_fromtext and dns_rdata_fromwire
(cherry picked from commit 5e74550740)
2020-01-14 08:07:38 +00:00
Ondřej Surý
56f149e1ea Merge branch '1443-threadsanitizer-data-race-lib-dns-rbtdb-c-1960-in-decrement_reference-2-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race lib/dns/rbtdb.c:1960 in decrement_reference"

See merge request isc-projects/bind9!2873
2020-01-14 08:05:00 +00:00
Mark Andrews
067b9f8d31 Add is_leaf and send_to_prune_tree.
Add is_leaf and send_to_prune_tree to make the logic easier
to understand in cleanup_dead_nodes and decrement_reference.

(cherry picked from commit c6efc0e50f)
2020-01-14 08:36:02 +01:00
Mark Andrews
d7593feb46 Testing node->down requires the tree lock to be held.
In decrement_reference only test node->down if the tree lock
is held.  As node->down is not always tested in
decrement_reference we need to test that it is non NULL in
cleanup_dead_nodes prior to removing the node from the rbt
tree.  Additionally it is not always possible to aquire the
node lock and reactivate a node when adding parent nodes.
Reactivate such nodes in cleanup_dead_nodes if required.

(cherry picked from commit 176b23b6cd)
2020-01-14 08:36:02 +01:00
Mark Andrews
8bee7954c6 Merge branch 'u/fanf2/rndc-secroots-newlines-v9_14' into 'v9_14'
Fix line spacing in `rndc secroots`

See merge request isc-projects/bind9!2866
2020-01-13 19:51:53 +00:00
Tony Finch
6014fe13ff Fix line spacing in rndc secroots
Before this change, there was a missing blank line between the
negative trust anchors for one view, and the heading line for the next
view. This is because dns_ntatable_totext() omits the last newline.
There is an example of the incorrect output below; the fixed output
has a blank line before "Start view auth".

secure roots as of 21-Oct-2019 12:03:23.500:

 Start view rec
   Secure roots:

./RSASHA256/20326 ; managed

   Negative trust anchors:

example.com: expiry 21-Oct-2019 13:03:15.000
 Start view auth
   Secure roots:

./RSASHA256/20326 ; managed

   Negative trust anchors:

example.com: expiry 21-Oct-2019 13:03:07.000

(cherry picked from commit 5b600c2cd8)
2020-01-14 06:29:09 +11:00
Michal Nowak
339dce6f72 Merge branch 'mnowak/add-openSUSE-Tumblewed-image-v9_14' into 'v9_14'
[v9_14] Add openSUSE Tumbleweed image to the CI

See merge request isc-projects/bind9!2875
2020-01-13 16:27:21 +00:00
Michal Nowak
d48f7a9f48 Add openSUSE Tumbleweed image to the CI
Ensure BIND is continuously tested on Tumbleweed, a pure rolling release
version of openSUSE.  This will allow BIND incompatibilities with latest
upstream versions of its dependencies to be caught more quickly.

(cherry picked from commit bd5dd1b58c60edb372bc6fa4eb39e355c5c76de4)
2020-01-13 16:27:21 +00:00
Michał Kępień
952b6ad495 Merge branch '1552-properly-detect-mmdb-lookup-failures-v9_14' into 'v9_14'
[v9_14] Properly detect MMDB lookup failures

See merge request isc-projects/bind9!2871
2020-01-13 14:06:52 +00:00
Michał Kępień
a070defb18 Add CHANGES entry
5339.	[bug]		With some libmaxminddb versions, named could erroneously
			match an IP address not belonging to any subnet defined
			in a given GeoIP2 database to one of the existing
			entries in that database. [GL #1552]

(cherry picked from commit aa96ec25c8)
2020-01-13 14:37:16 +01:00
Michał Kępień
814da1c808 Properly detect MMDB lookup failures
Only comparing the value of the integer passed as the last argument to
MMDB_lookup_sockaddr() against MMDB_SUCCESS is not enough to ensure that
an MMDB lookup was successful - the 'found_entry' field of the
MMDB_lookup_result_s structure returned by that function also needs to
be true or else the remaining contents of that structure should be
ignored as the lookup failed.  Extend the relevant logical condition in
get_entry_for() to ensure the latter does not return incorrect MMDB
entries for IP addresses which do not belong to any subnet defined in a
given GeoIP2 database.

(cherry picked from commit ec8334fb74)
2020-01-13 14:36:58 +01:00
Michał Kępień
8c7faf623d Merge branch 'michal/update-gitlab-ci-to-alpine-linux-3.11-v9_14' into 'v9_14'
[v9_14] Update GitLab CI to Alpine Linux 3.11

See merge request isc-projects/bind9!2861
2020-01-10 11:43:00 +00:00
Michał Kępień
1132ae8886 Update GitLab CI to Alpine Linux 3.11
Since Alpine Linux 3.11 is the current Alpine Linux release, replace
Alpine Linux 3.10 GitLab CI jobs with their up-to-date counterparts.

(cherry picked from commit bebf353eb5)
2020-01-10 11:24:51 +01:00
Michał Kępień
3a8a9ef124 Merge branch 'ondrej/run-full-pipeline-on-schedule-v9_14' into 'v9_14'
[v9_14] Run all jobs on scheduled builds (including OpenBSD and Windows)

See merge request isc-projects/bind9!2859
2020-01-10 10:20:53 +00:00
Ondřej Surý
60ff0e97b5 Run all jobs on scheduled builds (including OpenBSD and Windows)
(cherry picked from commit 52773e226a)
2020-01-10 11:19:54 +01:00
Michał Kępień
f13cf700bf Merge branch 'ondrej/stop-retrying-system-tests-v9_14' into 'v9_14'
[v9_14] Stop retrying the system tests; we should fix the tests instead

See merge request isc-projects/bind9!2857
2020-01-10 10:15:02 +00:00
Ondřej Surý
6ea00b65da Stop retrying the system tests; we should fix the tests instead
(cherry picked from commit 8ad67f8b9f)
2020-01-10 11:13:58 +01:00
Michał Kępień
5f73947d34 Merge branch '1431-summary-sanitizer-grep-is-dangerous-v9_14' into 'v9_14'
[v9_14] Resolve ""SUMMARY: .*Sanitizer" grep is dangerous"

See merge request isc-projects/bind9!2855
2020-01-10 10:12:57 +00:00
Mark Andrews
3636b0d275 replace grep -r with 'find -type f | xargs'
(cherry picked from commit 36ce99d8a4)
2020-01-10 10:51:37 +01:00
Michał Kępień
3e1cb80650 Merge branch 'ondrej/keep-sanitizer-tainted-system-tests-files-v9_14' into 'v9_14'
[v9_14] Don't clean the system test temporary files if sanitizer reports were found inside

See merge request isc-projects/bind9!2853
2020-01-10 09:50:27 +00:00
Ondřej Surý
3bc834daae Don't clean the system test temporary files if sanitizer reports were found inside
(cherry picked from commit 7489e6e6f9)
2020-01-10 10:47:54 +01:00
Michał Kępień
13033c4527 Merge branch 'michal/fix-the-forward-system-test-on-windows-v9_14' into 'v9_14'
[v9_14] Fix the "forward" system test on Windows

See merge request isc-projects/bind9!2851
2020-01-10 09:45:17 +00:00
Michał Kępień
12f0f68742 Fix the "forward" system test on Windows
Make sure carriage return characters are stripped from sed input to
enable the "forward" system test to pass on Windows.

(cherry picked from commit 075613aea4)
2020-01-10 10:44:08 +01:00
Michał Kępień
2c5edb965a Merge branch '1479-_wait_for_rcode-adds-extraneous-query-v9_14' into 'v9_14'
[v9_14] Resolve "_wait_for_rcode adds extraneous query"

See merge request isc-projects/bind9!2849
2020-01-10 09:42:43 +00:00
Mark Andrews
05596de640 consume all arguments we have processed in shift
(cherry picked from commit 0ee0580fc9)
2020-01-10 10:41:23 +01:00
Michał Kępień
a59e76c658 Merge branch '1453-the-zero-system-test-timeouts-intermittently-v9_14' into 'v9_14'
[v9_14] Bail-out early if dig fails to finish successfully or takes too long

See merge request isc-projects/bind9!2847
2020-01-10 09:26:53 +00:00
Ondřej Surý
bea5bcff8d Bail-out early if dig fails to finish successfully or takes too long
Before, the zero system test could get stuck almost infinitely, because
the first test sends > 300 queries with 5 seconds timeout on each in
each pass.  If named crashed early, it would took the test more than 4
hours to properly timeout.

This commit introduces a "watchdog" on the dig commands running in the
background and failing the test on timeout, failing any test if any dig
command fails to return successfully, and making the tests.sh script
shellcheck clean.

(cherry picked from commit 2a65a47f39)
2020-01-10 10:04:12 +01:00
Michał Kępień
7c87878455 Merge branch '1458-intermittent-failure-in-the-forward-system-test-v9_14' into 'v9_14'
[v9_14] Resolve "Intermittent failure in the forward system test"

See merge request isc-projects/bind9!2845
2020-01-10 09:03:20 +00:00
Ondřej Surý
865fff9b5a Wait for named to forward the question before testing the validity
(cherry picked from commit fb03edacd8)
2020-01-10 09:10:46 +01:00
Ondřej Surý
b29efb0406 Make forward system test shellcheck clean
(cherry picked from commit 0e15cbb092)
2020-01-10 09:10:45 +01:00
Ondřej Surý
97985a2d4d Use $n to keep diagnostic output of every individual test separate
(cherry picked from commit 10f4cd066f)
2020-01-10 09:08:21 +01:00
Ondřej Surý
4cf83a956c Add the standard $n to each test
(cherry picked from commit 64df488e1e)
2020-01-10 09:06:13 +01:00
Michał Kępień
9cd291bbdc Merge branch '1425-intermittent-failure-in-the-addzone-system-test-v9_14' into 'v9_14'
[v9_14] Resolve "Intermittent failure in the addzone system test"

See merge request isc-projects/bind9!2842
2020-01-09 16:38:39 +00:00
Witold Kręcicki
d1afbda2f0 tests: addzone: retry when checking for things, to allow for timing problems
(cherry picked from commit 8885fd6966)
2020-01-09 15:13:42 +01:00
Mark Andrews
80a26c15be loop waiting for the redirect zone to load
(cherry picked from commit 9e8cd3ccc5)
2020-01-09 15:13:42 +01:00
Matthijs Mekking
6dfdd83040 Move wait_for_log to conf.sh.common
(cherry picked from cfaa631f65)
2020-01-09 15:13:30 +01:00
Michał Kępień
fe2d797bde Merge branch '1427-intermittent-failure-in-fetchlimit-system-test-v9_14' into 'v9_14'
[v9_14] Test for the hard fetchlimit instead of soft fetchlimit

See merge request isc-projects/bind9!2841
2020-01-09 13:31:21 +00:00
Ondřej Surý
b29059b391 Test for the hard fetchlimit instead of soft fetchlimit
Previously, the fetchlimit tested the recursive-clients soft limit
that's defined as 90% of the hard limit (the actual configured value).
This worked previously because the reaping of the oldest recursive
client was put on the same event queue as the current TCP client, thus
the cleaning has happened before the new TCP client established a new
connection.

With the change in BIND 9.14 that added a multiple event queues the
cleaning of the oldests clients is no longer synchronous and could
happen stochastically making the soft limit testing fail often.  The
situation became even worse with the new networking manager, thus we
change the system test to fail only if the hard limit bound is not
honored.

Changing the accounting of the already reaped TCP clients so the soft
limit testing is possible again is out of the scope for this change.

(cherry picked from commit c35a4e05fa)
2020-01-09 14:08:05 +01:00
Michał Kępień
042698cf72 Merge branch '1407-intermittent-failure-in-the-mkeys-system-test-v9_14' into 'v9_14'
[v9_14] Improve the error handling in mkeys test and use retry_quiet()

See merge request isc-projects/bind9!2839
2020-01-09 12:05:57 +00:00
Ondřej Surý
e6b303344a Wait for 'all zones loaded' message instead of zoneless 'loaded serial' message
(cherry picked from commit b0ad689e16)
2020-01-09 12:28:39 +01:00
Ondřej Surý
f81589f255 Save all rndc diagnostic output
(cherry picked from commit 3b63c51a64)
2020-01-09 12:28:39 +01:00
Ondřej Surý
031de5a857 Make mkeys system test shellcheck clean and run under set -e
(cherry picked from commit 4ff25c06c1)
2020-01-09 12:28:38 +01:00
Ondřej Surý
5d0732634a Improve the error handling in mkeys test and use retry_quiet()
(cherry picked from commit f239d67c1a)
2020-01-09 12:26:28 +01:00
Michał Kępień
b0ff750ef9 Merge branch '1410-intermittent-failure-in-the-resolver-test-v9_14' into 'v9_14'
[v9_14] Resolve "Intermittent failure in the resolver test"

See merge request isc-projects/bind9!2837
2020-01-09 11:15:44 +00:00
Diego Fronza
cbd4cc6242 Improved prefetch disabled test code
Using retry_quiet to test that prefetch is disabled instead of a
standard loop with sleep 1 between each iteration.

(cherry picked from commit 994fc2e822)
2020-01-09 11:28:34 +01:00
Diego Fronza
dd1b4007b8 Fix resolver tests: prefetch 40/41
These two tests were failing basically because in order for prefetching to
happen, the TTL for a given DNS record must be greater than or equal to
the prefetch config value + 9.

The previous TTL for both records was 10, while prefetch value in
configuration was 3, thus making only records with TTL >= 12 elligible
for prefetching.

TTL value for both records was adjusted to the value 13, and prefetch
value was set to 4 (inc by 1), so records with TTL (4 + 9) >= 13 are
elligible for prefetching.

Adjusting prefetch value to 4 gives the test 1 second more to avoid time
problems when sharing resources on a heavy loaded PC.

Also prefetch value in settings is now read by the script and used
by it to corrrectly calculate the amount of time needed to delay before
sending a request to trigger prefetch, adding a bit of flexibility to
fine tune the test in the future.

(cherry picked from commit a711d6f8c0)
2020-01-09 11:27:23 +01:00
Diego Fronza
e0c03d19a4 Fix resolver test: prefetch disabled
The previous test had two problems:
1. It wasn't written specifically for testing what it was supposed to:
prefetch disabled.
2. It could fail in some circunstances if the computer's load is too
high, due to sleeps not taking parallel tests and cpu load into account.

The new test is testing prefetch disabled as follows:
1. It asks for a txt record for a given domain and takes note of the
record's TTL (which is 10).
2. It sleeps for (TTL - 5) = 5 seconds, having a window of 5 seconds to
issue new queries before the record expires from cache.
3. Three(3) queries are executed in a row, with a interval of 1 second
between them, and for each query we verify that the TTL in response is
less than the previous one, thus ensuring that prefetch is disabled (if
it were enabled this record would have been refreshed already and TTL
would be >= the first TTL).

Having a window of 5 seconds to perform 3 queries with a interval of 1
second between them gives the test a reasonable amount of time
to not suffer from a machine with heavy load.

(cherry picked from commit dd524cc893)
2020-01-09 11:18:12 +01:00
Michał Kępień
d6d6be9a59 Merge branch '1401-intermittent-failures-in-the-catz-system-test-v9_14' into 'v9_14'
[v9_14] Debug "Intermittent failures in the catz system test"

See merge request isc-projects/bind9!2835
2020-01-09 10:15:45 +00:00
Mark Andrews
96aa3bb884 Increase wait_for_message attempts to 20.
(cherry picked from commit 4dd9ec8919)
2020-01-09 10:46:27 +01:00
Mark Andrews
d60ca30d2d save wait_for_message contents
(cherry picked from commit 1334daaec0)
2020-01-09 10:46:27 +01:00
Michał Kępień
89f34f0296 Merge branch 'michal/bind-to-random-port-numbers-in-unit-tests-v9_14' into 'v9_14'
[v9_14] Bind to random port numbers in unit tests

See merge request isc-projects/bind9!2832
2020-01-09 09:45:07 +00:00
Michał Kępień
11ff0537e1 Bind to random port numbers in unit tests
Some unit tests need various managers to be created before they are run.
The interface manager spawned during libns tests listens on a fixed port
number, which causes intermittent issues when multiple tests using an
interface manager are run concurrently.  Make the interface manager
listen on a randomized port number to greatly reduce the risk of
multiple unit tests using the same port concurrently.

(cherry picked from commit ea7bddb4ca)
2020-01-09 10:44:28 +01:00
Michal Nowak
4d80289abb Merge branch 'mnowak/1546-Add-out-of-tree-build-to-CI-v9_14' into 'v9_14'
[v9_14] Add out-of-tree build to the CI

See merge request isc-projects/bind9!2833
2020-01-09 09:42:36 +00:00
Michal Nowak
1258b8ccd9 Add out-of-tree build to the CI
Fixes #1546.

(cherry picked from commit 640dd566e9)
2020-01-09 09:42:36 +00:00
Michał Kępień
73f7f54575 Merge branch '1401-intermittent-failures-in-the-catz-system-test-v9_14' into 'v9_14'
[v9_14] Resolve "Intermittent failures in the catz system test"

See merge request isc-projects/bind9!2828
2020-01-08 14:13:12 +00:00
Ondřej Surý
557b051fc4 Use retry() and nextpart*() to simplify catz test
(cherry picked from commit 51b05189f7)
2020-01-08 14:11:29 +01:00
Witold Kręcicki
8cdad6bedf Fix timing issues in catz test
Make the log checks more precise and use the retry() function for
repeating the checks.

(cherry picked from commit 9b43e65c01)
2020-01-08 14:11:29 +01:00
Michał Kępień
64427406a7 Merge branch '1402-multiple-issues-in-the-runtime-system-test-v9_14' into 'v9_14'
[v9_14] Resolve "Multiple issues in the runtime system test"

See merge request isc-projects/bind9!2824
2020-01-08 09:11:31 +00:00
Ondřej Surý
4a6d9ea152 Fix multiple issues in named setuid check
(cherry picked from commit cd804158b4)
2020-01-08 09:31:13 +01:00
Evan Hunt
dc760867d8 fixed a test failure, some other shell cleanup
(cherry picked from commit 7a8269207d)
2020-01-08 09:30:00 +01:00
Ondřej Surý
355eb0c288 Instead of sleeping for a fixed time, wait for named to log specific message in a loop
(cherry picked from commit f020199925)
2020-01-08 09:29:24 +01:00
Ondřej Surý
57b6aeabd5 Make runtime/tests.sh shellcheck and set -e clean
This mostly comprises of:

* using $(...) instead of `...`
* changing the directories in subshell and not ignoring `cd` return code
* handling every error gracefully instead of ignoring the return code

(cherry picked from commit 340b1d2b6b)
2020-01-08 09:28:24 +01:00
Ondřej Surý
d26e7166a6 Further improve the runtime tests to look for a specific instead of generic error
(cherry picked from commit 8f539a8886)
2020-01-08 09:27:48 +01:00
Ondřej Surý
60f335204a Fix couple of no-op tests to actually test something (configuration files were missing)
(cherry picked from commit b5a18ac439)
2020-01-08 09:27:16 +01:00
Ondřej Surý
fe021299e0 runtime test: make the pidfiles match the names of configuration files
(cherry picked from commit ce86721bc3)
2020-01-08 09:24:49 +01:00
Ondřej Surý
e9d348bac5 runtime test: use helper function that kills named and waits for the finish
(cherry picked from commit e9fa7b831b)
2020-01-08 09:22:59 +01:00
Ondřej Surý
5261f3f9c8 Merge branch '1513-inline-system-test-failed-v9_14' into 'v9_14'
Address timing issues in 'inline' system test.

See merge request isc-projects/bind9!2821
2020-01-08 08:04:07 +00:00
Mark Andrews
546efbe2ee Address timing issues in 'inline' system test.
"rndc signing -serial <value>" could take longer than a second to
complete.  Loop waiting for update to succeed.

For tests where "rndc signing -serial <value>" is supposed to not
succeed, repeatedly test that we don't get the new serial, then
test that we have the old value.  This should prevent false negatives.

(cherry picked from commit 13fa80ede8)
2020-01-08 08:31:42 +01:00
Michał Kępień
9885fcc2a8 Merge branch 'ondrej/detect-cores-in-system-tests-on-FreeBSD-v9_14' into 'v9_14'
[v9_14] Detect cores on FreeBSD

See merge request isc-projects/bind9!2819
2020-01-07 15:00:47 +00:00
Ondřej Surý
ba2b616a4a Detect cores on FreeBSD
(cherry picked from commit 38277ddb0b)
2020-01-07 15:58:44 +01:00
Michał Kępień
bef6d2bc45 Merge branch '1380-autosign-jitter-test-fails-with-no-nsec3param-found-in-axfr-v9_14' into 'v9_14'
[v9_14] Tune the performance of the autosign test

See merge request isc-projects/bind9!2817
2020-01-07 14:50:40 +00:00
Ondřej Surý
48512e11be Reduce the minimal numbers of days in jitter test to 5
(cherry picked from commit 4b2911a45a)
2020-01-07 15:46:28 +01:00
Ondřej Surý
e359a954fc Tune the performance of CDS/CDNSKEY deletion test
(cherry picked from commit 76eac9a691)
2020-01-07 15:46:27 +01:00
Ondřej Surý
46403cff2c Tune the performance of oldsigs test
The oldsigs test was checking only for the validity of the A
a.oldsigs.example. resource record and associated DNSSEC signature while
the zone might not have been fully signed yet leading to validation
failures because of bogus signatures on the validation path.

This commit changes the test to test that all old signatures in the
oldsigs.example. zone were replaced and the zone is fully resigned
before running the main check.

(cherry picked from commit 519b047362)
2020-01-07 15:44:50 +01:00
Ondřej Surý
a6a19bb246 Tune the performance of the jitter test
(cherry picked from commit ffb7ae8beb)
2020-01-07 15:44:50 +01:00
Michał Kępień
8f5faf7084 Merge branch '1256-fix-the-jitter-test-2-v9_14' into 'v9_14'
[v9_14] Wait a little bit longer for autosign, bail out on not enough categories

See merge request isc-projects/bind9!2815
2020-01-07 14:41:26 +00:00
Ondřej Surý
2f57988483 Wait a little bit longer for autosign, bail out on not enough categories
(cherry picked from commit f1cbdc5498)
2020-01-07 15:37:40 +01:00
Ondřej Surý
8061971926 Adjust the jitter range to +-3*stddev
(cherry picked from commit d6f68fc4f0)
2020-01-07 15:37:40 +01:00
Michał Kępień
ef44037334 Merge branch '1256-fix-the-jitter-test-v9_14' into 'v9_14'
[v9_14] Check if the RRSIG jitter falls <mean-2.5*stddev;mean+2.5*stddev>

See merge request isc-projects/bind9!2813
2020-01-07 14:36:00 +00:00
Ondřej Surý
484d131137 Check if the RRSIG jitter falls into mean+-2.5*stddev range
(cherry picked from commit 0480a95ddf)
2020-01-07 15:34:33 +01:00
Michał Kępień
4ef6c818e3 Merge branch 'ondrej/get-the-backtraces-out-of-system-test-coredumps-v9_14' into 'v9_14'
[v9_14] Get the backtraces out of system test coredumps

See merge request isc-projects/bind9!2811
2020-01-07 14:00:41 +00:00
Ondřej Surý
3f68b0ee8e Get better stack traces
(cherry picked from commit d0a0c22433)
2020-01-07 14:45:03 +01:00
Ondřej Surý
002f908c2f Dump the backtrace to stdout when core is found in systest directory
(cherry picked from commit 512dadc8d1)
2020-01-07 14:42:06 +01:00
Michal Nowak
16ed33c0b6 Merge branch 'mnowak/get-the-backtraces-out-of-unit-test-coredumps-v9_14' into 'v9_14'
[v9_14] Gather debug info on broken unit tests

See merge request isc-projects/bind9!2806
2020-01-06 12:05:05 +00:00
Michal Nowak
ec59e49cc1 Gather debug info on broken unit tests
(cherry picked from commit 6a94e6ba73)
2020-01-06 12:05:04 +00:00
Michał Kępień
2af284cc9f Merge branch 'michal/misc-doc-fixes-v9_14' into 'v9_14'
[v9_14] Miscellaneous documentation fixes

See merge request isc-projects/bind9!2804
2020-01-03 08:26:00 +00:00
Michał Kępień
6862007939 Fix minor CHANGES issues
(cherry picked from commit 56f388cae1)
2020-01-03 09:08:09 +01:00
Michał Kępień
fbe12036df Fix whitespace in release notes
(cherry picked from commit b2f3eaf188)
2020-01-03 09:08:09 +01:00
Michał Kępień
635d915268 Prevent splitting GitLab identifiers across lines
GitLab issue and merge request numbers placed in release notes (in the
form of "#1234" for issues and "!5678" for merge requests) should not be
split across two lines.  Extend the shell pipeline generating
doc/arm/notes.txt with a sed invocation which prevents such splitting.

(cherry picked from commit 2d00143ab1)
2020-01-03 09:08:09 +01:00
Evan Hunt
5301d8c77f Merge branch 'each-copyrights-v9_14' into 'v9_14'
update copyright year to 2020

See merge request isc-projects/bind9!2802
2020-01-03 05:53:15 +00:00
Evan Hunt
6e73d3266c update copyright year to 2020 2020-01-02 21:47:16 -08:00
Mark Andrews
e5875ec558 Merge branch '1530-lib-dns-gen-c-29-26-fatal-error-isc-platform-h-no-such-file-or-directory-v9_14' into 'v9_14'
Resolve "lib/dns/gen.c:29:26: fatal error: isc/platform.h: No such file or directory"

See merge request isc-projects/bind9!2793
2019-12-22 21:50:23 +00:00
Mark Andrews
ebc43d8d66 remove duplicate #includes
(cherry picked from commit 848c1c8b8b)
2019-12-23 08:20:35 +11:00
Mark Andrews
171f2ab8d6 revert d10fbdec for lib/dns/gen.c as it is a build platform executable
(cherry picked from commit 7278f2529a)
2019-12-23 08:20:35 +11:00
Mark Andrews
19079bbec0 Merge branch '1501-summary-threadsanitizer-lock-order-inversion-potential-deadlock-in-pthread_rwlock_wrlock-v9_14' into 'v9_14'
Resolve "SUMMARY: ThreadSanitizer: lock-order-inversion (potential deadlock) in pthread_rwlock_wrlock - zone_postload"

See merge request isc-projects/bind9!2789
2019-12-20 11:41:05 +00:00
Mark Andrews
7f04f2f252 Refactor loop body as copy_non_dnssec_records.
(cherry picked from commit d26e125438)
2019-12-20 22:05:24 +11:00
Ondřej Surý
364f232da8 Add failure handling when iterators don't end with ISC_R_NOMORE
(cherry picked from commit bff83b9480)
2019-12-20 22:02:32 +11:00
Ondřej Surý
a2cf6090b2 Refactor receive_secure_db to make the variables and code flow around the iterator more local
(cherry picked from commit 6012479419)
2019-12-20 22:02:32 +11:00
Mark Andrews
37567e0106 Call dns_dbiterator_destroy earlier to prevent potential deadlock.
(cherry picked from commit 9d8f9cc8f2)
2019-12-20 22:02:32 +11:00
Mark Andrews
c45da64953 Merge branch '1523-pkcs11-destroy-s-usage-message-is-misleading-v9_14' into 'v9_14'
update usage message

See merge request isc-projects/bind9!2787
2019-12-20 09:24:30 +00:00
Mark Andrews
631ac188ee update usage message
(cherry picked from commit 41d827893e)
2019-12-20 20:04:36 +11:00
Mark Andrews
818fdd0490 Merge branch 'feature/master/maxminddb-version-v9_14' into 'v9_14'
Feature/master/maxminddb version v9 14

See merge request isc-projects/bind9!2778
2019-12-18 00:57:50 +00:00
Mark Andrews
299fdfc76f add CHANGES
(cherry picked from commit 2f2bc03b2d)
2019-12-18 00:31:43 +00:00
Petr Menšík
e37d8aecba Include protobuf-c version
Include used version of protobuf-c in version info, both link time and
runtime version is available.

(cherry picked from commit 85f3476894)
2019-12-18 00:31:43 +00:00
Petr Menšík
412d7724ae Provide GeoIP2 library version in version
Libmaxmind does not provide any version macro for link time version.
Print at least runtime version library used, if linked.

(cherry picked from commit e6d7384c0d)
2019-12-18 00:31:43 +00:00
Mark Andrews
ce2cf874fd Merge branch 'ondrej/remove-too-generic-node_count-macro-from-dns_acl-v9_14' into 'v9_14'
Change the (acl)->node_count macro to dns_acl_node_count(acl) macro to clean the global namespace

See merge request isc-projects/bind9!2779
2019-12-18 00:30:53 +00:00
Ondřej Surý
f42d1be5fa Change the (acl)->node_count macro to dns_acl_node_count(acl) macro to clean the global namespace
(cherry picked from commit 8120088ec7)
2019-12-18 11:11:31 +11:00
Ondřej Surý
065d19c023 Merge branch '1423-threadsanitizer-data-race-time-c-170-in-isc_time_nowplusinterval-v9_14' into 'v9_14'
Ensure all zone_settimer() calls are done on locked zone

See merge request isc-projects/bind9!2769
2019-12-12 15:37:36 +00:00
Ondřej Surý
8eac1d365d Ensure all zone_settimer() calls are done on locked zone
(cherry picked from commit cf48e8eb32)
2019-12-12 16:12:51 +01:00
Mark Andrews
caafeb6c7e Merge branch '1486-threadsanitizer-lock-order-inversion-potential-deadlock-dns_resolver_createfetch-vs-v9_14' into 'v9_14'
make resolver->zspill atomic to prevent potential deadlock

See merge request isc-projects/bind9!2765
2019-12-12 10:05:05 +00:00
Mark Andrews
02874aa472 make resolver->zspill atomic to prevent potential deadlock
(cherry picked from commit 62abb6aa82)
2019-12-12 20:22:22 +11:00
Evan Hunt
623e23e296 Merge branch 'prep-release-v9_14_9' into 'v9_14'
Prep 9.14.9

See merge request isc-projects/bind9!2762
2019-12-12 06:12:17 +00:00
Tinderbox User
b247e541b0 Merge branch 'prep-release' into v9_14 2019-12-12 06:09:31 +00:00
Tinderbox User
84e68460cc prep 9.14.9 2019-12-12 06:09:19 +00:00
Evan Hunt
9b98a59634 Merge branch 'michal/add-empty-release-notes-section-for-bind-9.14.9' into 'v9_14'
Add empty release notes section for BIND 9.14.9

See merge request isc-projects/bind9!2754
2019-12-11 22:12:02 +00:00
Michał Kępień
f23f682860 Add empty release notes section for BIND 9.14.9 2019-12-11 22:11:38 +00:00
Michal Nowak
4c63562fe6 Merge branch 'mnowak/fedora31-v9.14' into 'v9_14'
[9.14] Update GitLab CI to Fedora 31

See merge request isc-projects/bind9!2758
2019-12-11 16:33:34 +00:00
Michal Nowak
fde281f653 Update GitLab CI to Fedora 31
Since Fedora 31 is the current Fedora release, replace Fedora 30 GitLab
CI jobs with their up-to-date counterparts.

(cherry picked from commit b36f5496237f0dbb84d7541140e87d7da475cd36)
2019-12-11 16:33:33 +00:00
Michał Kępień
56e54fb201 Merge branch 'michal/create-release-tarballs-in-gitlab-ci-v9_14' into 'v9_14'
[v9_14] Create release tarballs in GitLab CI

See merge request isc-projects/bind9!2752
2019-12-11 12:31:13 +00:00
Michał Kępień
7e13a1f7e9 Add a job creating a release tarball to GitLab CI
Add a GitLab CI job (which is run only if all other jobs in a pipeline
succeed) that builds a BIND release tarball, i.e. fetches the source
tarball from the tarball building job, creates Windows zips, puts
certain parts of BIND documentation into the appropriate places, and
packs it all up into a single tarball whose contents can be subsequently
signed and published.

(cherry picked from commit 5a4a6b5e91)
2019-12-11 12:26:48 +01:00
Michał Kępień
7c586d3ac6 Add a Windows debug system test job to GitLab CI
Add a system test job for binaries created by Visual Studio in the
"Debug" build configuration to GitLab CI so that they can be tested
along their "Release" counterparts when necessary.

(cherry picked from commit 2b1c8c54d1)
2019-12-11 12:26:37 +01:00
Michał Kępień
01598c5c2a Add a Windows debug build job to GitLab CI
Add a Visual Studio build job using the "Debug" build configuration to
GitLab CI without enabling it for every pipeline as it takes about twice
as long to complete as its "Release" counterpart.

(cherry picked from commit 12564928a7)
2019-12-11 12:26:11 +01:00
Michał Kępień
d1b120d3bd Create and test BIND source tarballs in GitLab CI
Add a set of jobs to GitLab CI that create a BIND source tarball and
then build and test its contents.  Run those extra jobs only when a tag
is pushed to the Git repository as they are only meant to be sanity
checks of BIND source tarball contents.

(cherry picked from commit 8d56749046)
2019-12-11 12:24:17 +01:00
Michał Kępień
f60cd0c730 Include prepare-softhsm2.sh in source tarballs
The util/prepare-softhsm2.sh script is useful for initializing a working
SoftHSM environment which can be used by unit tests and system tests.
However, since it is a test-specific script, it does not really belong
in the util/ subdirectory which is mostly pruned during the BIND source
tarball creation process.  Move the prepare-softhsm2.sh script to
bin/tests/ so that its location is more appropriate for its purpose and
also so that it does not get removed during the BIND source tarball
creation process, allowing it to be used for setting up test
environments for tarball-based builds.

(cherry picked from commit c0be772ebc)
2019-12-11 12:23:20 +01:00
Michał Kępień
89cccc53ba List paths which should be excluded from tarballs
Convert the logic (currently present in the form of "rm -rf" calls in
util/kit.sh) for removing files and directories which are tracked by Git
but redundant in release tarballs into a set of .gitattributes rules
which allow the same effect to be achieved using "git archive".

(cherry picked from commit 925ecb0aae)
2019-12-11 12:22:14 +01:00
Mark Andrews
872462fe7b Merge branch '1411-threadsanitizer-data-race-resolver-c-2153-in-fctx_query-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race resolver.c:2153 in fctx_query"

See merge request isc-projects/bind9!2748
2019-12-11 00:35:59 +00:00
Mark Andrews
e40c1582d6 Note bucket lock requirements and move REQUIRE inside locked section.
(cherry picked from commit 13aaeaa06f)
2019-12-11 11:01:59 +11:00
Mark Andrews
0de313fff7 lock access to fctx->nqueries
(cherry picked from commit 5589748eca)
2019-12-11 11:01:59 +11:00
Mark Andrews
bd6a5a9993 Merge branch '1441-threadsanitizer-lock-order-inversion-potential-deadlock-usr-lib-x86_64-linux-gnu-libtsan-so-0-v9_14' into 'v9_14'
address deadlock introduced in cd2469d3cd

See merge request isc-projects/bind9!2743
2019-12-10 13:04:22 +00:00
Mark Andrews
8bd8ed26ed address deadlock introduced in cd2469d3cd
(cherry picked from commit fd52417f71)
2019-12-10 23:38:53 +11:00
Michał Kępień
7242c4fbd7 Merge branch '1465-fix-idna-system-test-v9_14' into 'v9_14'
[v9_14] Fix the "idna" system test

See merge request isc-projects/bind9!2741
2019-12-10 11:28:43 +00:00
Michał Kępień
7c14f67d74 Only use LC_ALL=C where intended
The LC_ALL=C assignments in the "idna" system test, which were only
meant to affect a certain subset of checks, in fact persist throughout
all the subsequent checks in that system test.  That affects the test's
behavior and is misleading.

When the "VARIABLE=value command ..." syntax is used in a shell script,
in order for the variable assignment to only apply to "command", the
latter must be an external binary; otherwise, the VARIABLE=value
assignment persists for all subsequent commands in a script:

    $ cat foo.sh
    #!/bin/sh

    foo() {
        /bin/sh bar.sh
    }

    BAR="baz0"
    BAR="baz1" /bin/sh bar.sh
    echo "foo: BAR=${BAR}"
    BAR="baz2" foo
    echo "foo: BAR=${BAR}"

    $ cat bar.sh
    #!/bin/sh

    echo "bar: BAR=${BAR}"

    $ /bin/sh foo.sh
    bar: BAR=baz1
    foo: BAR=baz0
    bar: BAR=baz2
    foo: BAR=baz2
    $

Fix by saving the value of LC_ALL before the relevant set of checks in
the "idna" system test, restoring it afterwards, and dropping the
"LC_ALL=C command ..." syntax.

(cherry picked from commit 2ee7ff23ce)
2019-12-10 11:57:57 +01:00
Matthijs Mekking
18d314fa64 Merge branch '1457-intermittent-failure-autosign-v9_14' into 'v9_14'
Resolve "Intermittent failure in the autosign system test"

See merge request isc-projects/bind9!2732
2019-12-09 15:30:27 +00:00
Matthijs Mekking
6658c11251 Better error handling in autosign system test
(cherry picked from commit bd4035900a)
2019-12-09 16:01:53 +01:00
Matthijs Mekking
fb0ddd5bfe Fix race in autosign test
The autosign test has a test case where a DNSSEC maintaiend zone
has a set of DNSSEC keys without any timing metadata set.  It
tests if named picks up the key for publication and signing if a
delayed dnssec-settime/loadkeys event has occured.

The test failed intermittently despite the fact it sleeps for 5
seconds but the triggered key reconfigure action should happen after
3 seconds.

However, the test output showed that the test query came in before
the key reconfigure action was complete (see excerpts below).

The loadkeys command is received:

15:38:36 received control channel command 'loadkeys delay.example.'

The reconfiguring zone keys action is triggered after 3 seconds:

15:38:39 zone delay.example/IN: reconfiguring zone keys
15:38:39 DNSKEY delay.example/NSEC3RSASHA1/7484 (ZSK) is now published
15:38:39 DNSKEY delay.example/NSEC3RSASHA1/7455 (KSK) is now published
15:38:39 writing to journal

Two seconds later the test query comes in:

15:38:41 client @0x7f1b8c0562b0 10.53.0.1#44177: query
15:38:41 client @0x7f1b8c0562b0 10.53.0.1#44177: endrequest

And 6 more seconds later the reconfigure keys action is complete:

15:38:47 zone delay.example/IN: next key event: 05-Dec-2019 15:48:39

This commit fixes the test by checking the "next key event" log has
been seen before executing the test query, making sure that the
reconfigure keys action has been complete.

This commit however does not fix, nor explain why it took such a long
time (8 seconds) to reconfigure the keys.

(cherry picked from commit 2e4273b55a)
2019-12-09 15:53:02 +01:00
Matthijs Mekking
5d6fad9e1e Introduce wait_for_log in autosign test 2019-12-09 15:52:00 +01:00
Matthijs Mekking
440732acd7 Save settime output
(cherry picked from commit 6b4a17ef7c)
2019-12-09 15:45:11 +01:00
Michał Kępień
fdccea0896 Merge branch '1452-system-test-framework-cleanup-tweaks-v9_14' into 'v9_14'
[v9_14] System test framework: cleanup tweaks

See merge request isc-projects/bind9!2721
2019-12-06 13:48:53 +00:00
Michał Kępień
5f82122ffa Automatically run clean.sh from run.sh
The first step in all existing setup.sh scripts is to call clean.sh.  To
reduce code duplication and ensure all system tests added in the future
behave consistently with existing ones, invoke clean.sh from run.sh
before calling setup.sh.

(cherry picked from commit d8905b7a9c)
2019-12-06 14:47:08 +01:00
Michał Kępień
3f7658bda7 Remove bin/tests/system/clean.sh
Since the role of the bin/tests/system/clean.sh script has now been
reduced to calling a given system test's clean.sh script, remove the
former altogether and replace its only use with a direct invocation of
the latter.

(cherry picked from commit bf3eeac067)
2019-12-06 14:47:08 +01:00
Michał Kępień
9a60296b84 Remove the -r switch from system test scripts
Since files containing system test output are no longer stored in test
subdirectories, bin/tests/system/clean.sh no longer needs to take care
of removing the test.output file for a given test as testsummary.sh
already takes care of that and even if a test suite terminates
abnormally and another one is started, tee invoked without the -a
command line switch overwrites the destination file if it exists, so
leftover test.output.* files from previous test suite runs are not a
concern.  Remove the -r command line switch and the code associated with
it from the relevant scripts.

(cherry picked from commit b4d37878f6)
2019-12-06 14:47:08 +01:00
Michał Kępień
38a4bedfcd Store system test output in bin/tests/system/
Some clean.sh scripts contain overly broad file deletion wildcards which
cause the test.output file (used by the system test framework for
collecting output) in a given system test's directory to be erroneously
removed immediately after the test is started (due to setup.sh scripts
calling clean.sh at the beginning).  This prevents the test's output
from being placed in bin/tests/system/systests.output at the end of a
test suite run and thus can lead to test failures being ignored.  Fix by
storing each test's output in a test.output.<test-name> file in
bin/tests/system/, which prevents clean.sh scripts from removing it (as
they should only ever affect files contained in a given system test's
directory).

(cherry picked from commit b0916bba41)
2019-12-06 14:47:08 +01:00
Michał Kępień
8ed6c8fd59 Merge branch '1452-detect-missing-system-test-results-v9_14' into 'v9_14'
[v9_14] Detect missing system test results

See merge request isc-projects/bind9!2720
2019-12-06 13:46:31 +00:00
Michał Kępień
19cd59923c Detect missing system test results
At the end of each system test suite run, the system test framework
collects all existing test.output files from system test subdirectories
and produces bin/tests/system/systests.output from those files.
However, it does not check whether a test.output file was found for
every executed test.  Thus, if the test.output file is accidentally
deleted by the system test itself (e.g. due to an overly broad file
removal wildcard present in clean.sh), its output will not be included
in bin/tests/system/systests.output.  Since the result of each system
test suite run is determined by bin/tests/system/testsummary.sh, which
only operates on the contents of bin/tests/system/systests.output, this
can lead to test failures being ignored.  Fix by ensuring the number of
test results found in bin/tests/system/systests.output is equal to the
number of tests run and triggering a system test suite failure in case
of a discrepancy between these two values.

(cherry picked from commit 3c3085be3c)
2019-12-06 14:19:55 +01:00
Mark Andrews
1b0845a182 Merge branch '1455-job-failed-453300-v9_14' into 'v9_14'
loop waiting for the redirect zone to load

See merge request isc-projects/bind9!2713
2019-12-06 00:19:40 +00:00
Mark Andrews
a47736abb0 loop waiting for the redirect zone to load
(cherry picked from commit e4b1d0b686)
2019-12-06 10:57:16 +11:00
Mark Andrews
c480706290 Merge branch '1434-explicitly-set-python-to-a-empty-string-with-without-python-v9_14' into 'v9_14'
Resolve "explicitly set PYTHON to a empty string with --without-python"

See merge request isc-projects/bind9!2696
2019-12-03 13:32:47 +00:00
Mark Andrews
eab8463f42 add AC_ARG_VAR([PYTHON], [path to python executable])
(cherry picked from commit eed2aabc40)
2019-12-03 23:51:09 +11:00
Mark Andrews
4c257570d6 add CHANGES
(cherry picked from commit 8cd3cf90b2)
2019-12-03 23:51:09 +11:00
Mark Andrews
a53231a274 unset PYTHON on --without-python to prevent python still being used
(cherry picked from commit d8fc544569)
2019-12-03 23:51:09 +11:00
Mark Andrews
62f0b06637 Merge branch '1419-threadsanitizer-data-race-rbtdb-c-7568-in-issecure-v9_14' into 'v9_14'
r/w of rbtdb->current_version requires that rbtdb->lock be held

See merge request isc-projects/bind9!2692
2019-12-03 12:16:00 +00:00
Mark Andrews
e9704327c4 r/w of rbtdb->current_version requires that rbtdb->lock be held
(cherry picked from commit cd2469d3cd)
2019-12-03 09:09:52 +00:00
Mark Andrews
08a60bdd92 Merge branch '1416-threadsanitizer-data-race-resolver-c-3384-in-findname-v9_14' into 'v9_14'
Assign fctx->client when fctx is created rather when the join happens.

See merge request isc-projects/bind9!2694
2019-12-03 06:20:50 +00:00
Mark Andrews
d0796289dc Assign fctx->client when fctx is created rather when the join happens.
This prevents races on fctx->client whenever a new fetch joins a existing
fetch (by calling fctx_join) as it is now invariant for the active life of
fctx.

(cherry picked from commit 9ca6ad6311)
2019-12-03 17:00:02 +11:00
Mark Andrews
90712110e3 Merge branch '1412-threadsanitizer-data-race-resolver-c-7030-in-fctx_decreference-2-v9_14' into 'v9_14'
Make fctx->attributes atomic.

See merge request isc-projects/bind9!2690
2019-12-03 01:34:36 +00:00
Mark Andrews
7e66602cd6 back port atomic and / or support 2019-12-03 11:38:06 +11:00
Mark Andrews
c712f40676 Make fctx->attributes atomic.
FCTX_ATTR_SHUTTINGDOWN needs to be set and tested while holding the node
lock but the rest of the attributes don't as they are task locked. Making
fctx->attributes atomic allows both behaviours without races.

(cherry picked from commit 912ce87479)
2019-12-03 10:52:02 +11:00
Michał Kępień
0f2a8e259d Merge branch 'michal/address-asan-memory-leak-reports-v9_14' into 'v9_14'
[v9_14] Address ASAN memory leak reports

See merge request isc-projects/bind9!2683
2019-12-02 18:24:42 +00:00
Michał Kępień
1313f06110 Move xmlInitThreads()/xmlCleanupThreads() calls
xmlInitThreads() and xmlCleanupThreads() are called from within
named_statschannels_configure() and named_statschannels_shutdown(),
respectively.  Both of these functions are executed by worker threads,
not the main named thread.  This causes ASAN to report memory leaks like
the following one upon shutdown (as long as named is asked to produce
any XML output over its configured statistics channels during its
lifetime):

    Direct leak of 968 byte(s) in 1 object(s) allocated from:
        #0 0x7f677c249cd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7f677bc1838f in xmlGetGlobalState (/usr/lib/libxml2.so.2+0xa838f)

The data mentioned in the above report is a libxml2 state structure
stored as thread-specific data.  Such chunks of memory are automatically
released (by a destructor passed to pthread_key_create() by libxml2)
whenever a thread that allocated a given chunk exits.  However, if
xmlCleanupThreads() is called by a given thread before it exits, the
destructor will not be invoked (due to xmlCleanupThreads() calling
pthread_key_delete()) and ASAN will report a memory leak.  Thus,
xmlInitThreads() and xmlCleanupThreads() must not be called from worker
threads.  Since xmlInitThreads() must be called on Windows in order for
libxml2 to work at all, move xmlInitThreads() and xmlCleanupThreads()
calls to the main named thread (which does not produce any XML output
itself) in order to prevent the memory leak from being reported by ASAN.

(cherry picked from commit b425b5d56e)
2019-12-02 17:09:39 +01:00
Michał Kępień
7a5c7f2ba7 Merge branch '1445-fix-geoip2-memory-leak-upon-reconfiguration-v9_14' into 'v9_14'
[v9_14] Fix GeoIP2 memory leak upon reconfiguration

See merge request isc-projects/bind9!2681
2019-12-02 16:07:29 +00:00
Michał Kępień
b109666c94 Add CHANGES entry
5329.	[bug]		Reconfiguring named caused memory to be leaked when any
			GeoIP2 database was in use. [GL #1445]

(cherry picked from commit 628b1837d2)
2019-12-02 15:27:15 +01:00
Michał Kępień
5a0582f3e7 Fix GeoIP2 memory leak upon reconfiguration
Loaded GeoIP2 databases are only released when named is shut down, but
not during server reconfiguration.  This causes memory to be leaked
every time "rndc reconfig" or "rndc reload" is used, as long as any
GeoIP2 database is in use.  Fix by releasing any loaded GeoIP2 databases
before reloading them.  Do not call dns_geoip_shutdown() until server
shutdown as that function releases the memory context used for caching
GeoIP2 lookup results.

(cherry picked from commit 670afbe84a)
2019-12-02 15:21:38 +01:00
Mark Andrews
29b40677b0 Merge branch '1417-threadsanitizer-data-race-rbtdb-c-1535-in-add32-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race rbtdb.c:1535 in add32"

See merge request isc-projects/bind9!2664
2019-11-28 21:55:22 +00:00
Mark Andrews
049b5e0dcc add CHANGES
(cherry picked from commit 68693f8279)
2019-11-29 07:12:44 +11:00
Mark Andrews
1a7b62916c rdataset_setownercase and rdataset_getownercase need to obtain a node lock
(cherry picked from commit 637b2c4e51)
2019-11-29 07:12:44 +11:00
Ondřej Surý
36e5f50ee8 Merge branch 'mnowak/runtime-forward-port-softhsm2-setup-9_14' into 'v9_14'
[9.14] Fix the UID switch test to work with PKCS#11 build

See merge request isc-projects/bind9!2653
2019-11-27 17:14:53 +00:00
Michal Nowak
271c836a86 Fix the UID switch test to work with PKCS#11 build
Forward port of 32fe9a0051fc76be4657fc2742e71d2be6193011 by Ondřej Surý.

(cherry picked from commit c49c41a1adb9fa8ae75fe656692d9935de1d505f)
2019-11-27 17:14:53 +00:00
Mark Andrews
af0e100b84 Merge branch '1350-threadsanitizer-data-race-rbt-c-1312-in-dns_rbt_addnode-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race rbt.c:1312 in dns_rbt_addnode"

See merge request isc-projects/bind9!2650
2019-11-27 11:49:00 +00:00
Mark Andrews
da0fb0fdc0 add comments 'tree_lock(write) must be held'
(cherry picked from commit 8f6aaa7230)
2019-11-27 21:59:19 +11:00
Mark Andrews
e53af115da rbtnode->nsec needs to be read while holding the tree lock
(cherry picked from commit 7cad3b2e91)
2019-11-27 21:59:18 +11:00
Evan Hunt
5f3d61e1ff Merge branch '1399-recursive-limit-stat-v9_14' into 'v9_14'
Resolve "recursive-client limit should have a stat counter"

See merge request isc-projects/bind9!2645
2019-11-26 19:43:26 +00:00
Evan Hunt
d445121c26 add a stats counter for clients dropped due to recursive-clients limit
(cherry picked from commit 715afa9c57)
2019-11-26 11:20:12 -08:00
Ondřej Surý
0f7676c8fe Merge branch '1403-when-configuration-loading-fails-named-could-assert-v9_14' into 'v9_14'
Request exclusive access when crashing via fatal()

See merge request isc-projects/bind9!2637
2019-11-26 12:54:11 +00:00
Ondřej Surý
e78506c3a8 Request exclusive access when crashing via fatal()
When loading the configuration fails, there might be already other tasks
running and calling OpenSSL library functions.  The OpenSSL on_exit
handler is called when exiting the main process and there's a timing
race between the on_exit function that destroys OpenSSL allocated
resources (threads, locks, ...) and other tasks accessing the very same
resources leading to a crash in the system threading library. Therefore,
the fatal() function needs to request exlusive access to the task
manager to finish the already running tasks and exit only when no other
tasks are running.

(cherry picked from commit 952d7fde63)
2019-11-26 12:51:49 +01:00
Ondřej Surý
f2d9b062b4 Merge branch 'ondrej/add-retry_quiet-function-to-conf.sh.common-v9_14' into 'v9_14'
Add retry_quiet() function to retry quietly for an event to occur

See merge request isc-projects/bind9!2631
2019-11-26 08:20:37 +00:00
Ondřej Surý
699bcc70ca Add retry_quiet() function to retry quietly for an event to occur
(cherry picked from commit 31264a7e00)
2019-11-26 09:19:52 +01:00
Mark Andrews
2a368efd53 Merge branch '1367-threadsanitizer-data-race-dispatch-c-901-in-free_buffer-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race dispatch.c:901 in free_buffer"

See merge request isc-projects/bind9!2627
2019-11-26 02:37:14 +00:00
Mark Andrews
d53ce94d36 move maxbuffers test to allocate_udp_buffer
(cherry picked from commit 26a93d77aa)
2019-11-26 11:53:19 +11:00
Mark Andrews
25306ea1ad Lock dispatch manager buffer_lock before accessing buffers;
Only test buffers for UDP dispatches.

(cherry picked from commit 011af4de71)
2019-11-26 11:53:19 +11:00
Mark Andrews
fbcf160346 lock disp->mgr before reading disp->mgr->buffers
(cherry picked from commit afc7389ce8)
2019-11-26 11:53:19 +11:00
Mark Andrews
00ff640c36 Merge branch '1397-install-isc-python-module-v9_14' into 'v9_14'
Resolve "Install ISC python module"

See merge request isc-projects/bind9!2625
2019-11-25 23:38:44 +00:00
Mark Andrews
047c8f3318 add CHANGES and note in README.md
(cherry picked from commit 8bbafeb5ef)
2019-11-26 10:02:38 +11:00
Mark Andrews
04f16633c5 check for 'distutils.core setup'
(cherry picked from commit 50e1bf3800)
2019-11-26 10:02:06 +11:00
Evan Hunt
1a8b22c715 Merge branch 'each-notes-v9_14' into 'v9_14'
cleanup release notes text

See merge request isc-projects/bind9!2623
2019-11-25 21:20:18 +00:00
Evan Hunt
d47a606707 cleanup release notes text
(cherry picked from commit fa70fc8731)
2019-11-25 13:19:48 -08:00
Mark Andrews
6bf8ecf15e Merge branch '1334-threadsanitizer-data-race-dispatch-c-1339-in-tcp_recv-v9_14' into 'v9_14'
lock dispatch before reporting state

See merge request isc-projects/bind9!2618
2019-11-22 21:52:58 +00:00
Mark Andrews
e99156043f lock dispatch before reporting state
(cherry picked from commit 3075445ed6)
2019-11-23 08:25:33 +11:00
Mark Andrews
940f75a4fe Merge branch '1317-alphabetise-delv-s-usage-v9_14' into 'v9_14'
alphabetise delv's usage.

See merge request isc-projects/bind9!2615
2019-11-22 19:56:53 +00:00
Mark Andrews
a7da1514d2 fix release line 2019-11-23 00:19:40 +11:00
Mark Andrews
148c0f63fd alphabetise delv's usage.
(cherry picked from commit 78685ed173)
2019-11-23 00:09:29 +11:00
Evan Hunt
4eb815a283 Merge branch 'merge-v9_14_8' into 'v9_14'
merge 9.14.8 to v9_14 branch

See merge request isc-projects/bind9!2605
2019-11-20 21:42:11 +00:00
Evan Hunt
ff2a28351a Merge tag 'v9_14_8' into merge-v9_14_8 2019-11-20 13:39:46 -08:00
Michal Nowak
eba92ada69 Merge branch 'mnowak/537_Add_CI_step_to_test_named_-u-v9_14' into 'v9_14'
[9.14] Verifying that named switches UID

See merge request isc-projects/bind9!2599
2019-11-20 11:01:05 +00:00
Michal Nowak
4c391e0a47 Verifying that named switches UID
This test runs only under root, which is required for the user-switch
`-u` option to work.

Closes #537.

(cherry picked from commit b00360537e)
2019-11-20 11:01:05 +00:00
Ondřej Surý
410eab62ee Merge branch '1341-threadsanitizer-data-race-rbtdb-c-5756-in-add32-v9_14' into 'v9_14'
Resolve "ThreadSanitizer: data race rbtdb.c:5756 in add32"

See merge request isc-projects/bind9!2593
2019-11-19 17:30:39 +00:00
Mark Andrews
6a64f3a84e add CHANGES
(cherry picked from commit 4534fb5ec1)
2019-11-20 01:00:24 +08:00
Mark Andrews
637fb4cdb4 use update_recordsandbytes in rbt_datafixer
(cherry picked from commit 7d4d64340e)
2019-11-20 00:59:12 +08:00
Mark Andrews
83ce99a389 always obtain write lock when updating version->{records,bytes}
(cherry picked from commit 0cda448248)
2019-11-20 00:59:12 +08:00
Michał Kępień
847d6ac7c6 Merge branch '1308-fix-tcp-system-test-v9_14' into 'v9_14'
[v9_14] Fix "tcp" system test

See merge request isc-projects/bind9!2591
2019-11-19 15:17:54 +00:00
Michał Kępień
3d58204f46 Address ShellCheck warnings
Address all outstanding warnings that ShellCheck reports for
bin/tests/system/tcp/tests.sh.

(cherry picked from commit 23ca0ec55b)
2019-11-19 15:39:04 +01:00
Michał Kępień
b1294b049c Use "set -e" in the "tcp" system test
Ensure any unexpected failure in the "tcp" system test causes it to be
immediately interrupted with an error to make the aforementioned test
more reliable.  Since the exit code for "expr 0 + 0" is 1, the status
variable needs to be updated using arithmetic expansion.

(cherry picked from commit 9841635b7f)
2019-11-19 15:39:03 +01:00
Michał Kępień
5e818012e5 Ensure all "tcp" system test errors are caught
Ensure any "rndc stats" failure causes the "tcp" system test to fail.
Do not hide "rndc stats" output.

(cherry picked from commit 46df363a0d)
2019-11-19 15:39:03 +01:00
Michał Kępień
1138e158f1 Make all "tcp" system test checks numbered
Ensure all checks in the "tcp" system test are numbered, so that
forensic data is preserved in case of any failure.

(cherry picked from commit 2f4877d11c)
2019-11-19 15:39:03 +01:00
Michał Kępień
8e19e3701b Fix argument order in assert_int_equal()
assert_int_equal() calls in bin/tests/system/tcp/tests.sh pass the found
value as the first argument and the expected value as the second
argument, while the function interprets its arguments the other way
round.  Fix argument handling in assert_int_equal() to make sure the
error messages printed by that function are correct.

(cherry picked from commit 6bd1f68bef)
2019-11-19 15:39:03 +01:00
Michał Kępień
1286db44f1 Allow retries when checking TCP high-water stats
In the TCP high-water checks, "rndc stats" is run after ans6 reports
that it opened the requested number of TCP connections.  However, we
fail to account for the fact that ns5 might not yet have called accept()
for these connections, in which case the counts output by "rndc stats"
will be off.  To prevent intermittent "tcp" system test failures, allow
the relevant connection count checks to be retried (just once, after one
second, as that should be enough for any system to accept() a dozen TCP
connections under any circumstances).

(cherry picked from commit 1e22e052d0)
2019-11-19 15:39:03 +01:00
Mark Andrews
d396360b22 Merge branch '1299-parse-commandline-code-should-be-done-in-alphabetical-order-v9_14' into 'v9_14'
alphabetize command line switch

See merge request isc-projects/bind9!2589
2019-11-19 10:47:58 +00:00
Mark Andrews
3f27a0ccb2 alphabetize command line switch
(cherry picked from commit ca83a66618)
2019-11-19 20:44:21 +11:00
Ondřej Surý
fa9a406a10 Merge branch 'ondrej/dont-call-dns_adb_endupdfetch-for-TCP-queries-v9_14' into 'v9_14'
lib/dns/resolver.c: Call dns_adb_endudpfetch() only for UDP queries

See merge request isc-projects/bind9!2585
2019-11-18 20:33:48 +00:00
Ondřej Surý
dc8eafee57 lib/dns/resolver.c: Call dns_adb_endudpfetch() only for UDP queries
The dns_adb_beginudpfetch() is called only for UDP queries, but
the dns_adb_endudpfetch() is called for all queries, including
TCP.  This messages the quota counting in adb.c.

(cherry picked from commit a5189eefa5)
2019-11-19 03:48:32 +08:00
Ondřej Surý
4cc935b0ff Merge branch 'ondrej/switch-coccinelle-job-to-buster-v9_14' into 'v9_14'
Installing coccinelle on Debian sid is broken, switch to Debian buster

See merge request isc-projects/bind9!2583
2019-11-18 18:05:03 +00:00
Ondřej Surý
c1f658c225 Installing coccinelle on Debian sid is broken, switch to Debian buster
(cherry picked from commit 0946db13de)
2019-11-19 02:02:29 +08:00
Mark Andrews
db5d4e5618 Merge branch '1327-update-solution-dependencies-host-and-nslookup-depend-on-libirs-v9_14' into 'v9_14'
Add dependancy on libirs to dig, host, and nslookup.

See merge request isc-projects/bind9!2574
2019-11-15 04:01:53 +00:00
Mark Andrews
1cff81e0a6 Add dependancy on libirs to dig, host, and nslookup.
(cherry picked from commit 72ca05c966)
2019-11-15 12:13:36 +11:00
Michał Kępień
284042a54f Merge branch 'fix-url-in-readme-v9_14' into 'v9_14'
[v9_14] updated a broken link for newer release notes.

See merge request isc-projects/bind9!2569
2019-11-13 12:02:27 +00:00
Vicky Risk
38f6a686d4 Update broken release notes link
(cherry picked from commit c830a9116d)
2019-11-13 12:59:35 +01:00
Ondřej Surý
3a2522e687 Merge branch 'hurd-v9_14' into 'v9_14'
hurd: Fix build

See merge request isc-projects/bind9!2563
2019-11-12 09:08:19 +00:00
Samuel Thibault
1100d198e4 hurd: Fix build
Move PATH_MAX, NAME_MAX, IOV_MAX default definitions to the common
<isc/platform.h>.

(cherry picked from commit d10fbdec84)
2019-11-12 09:27:19 +01:00
Tinderbox User
abcf57d588 Merge branch 'prep-release' into security-v9_14 2019-11-06 21:29:49 +00:00
Tinderbox User
eebfffb5d0 regen security-v9_14 2019-11-06 21:29:08 +00:00
Tinderbox User
efee30c516 prep 9.14.8 2019-11-06 21:29:08 +00:00
Ondřej Surý
b75599f4c2 Add CHANGES entry 2019-11-06 16:38:47 +01:00
Ondřej Surý
badeefdcb0 Add release note 2019-11-06 16:38:47 +01:00
Witold Kręcicki
68012b2c82 libns: Rename ns_tcpconn refs member to clients 2019-11-06 16:37:13 +01:00
Witold Kręcicki
ea5dae9e25 Limit query pipelining within each TCP connection
Previously, there was no limit to the number of concurrently served
queries over one pipelined TCP connection; an unlimited number of
queries sent over a single TCP connection could have potentially
exhausted the server's resources.
2019-11-06 16:37:13 +01:00
Michał Kępień
a604aa25af Merge branch '1206-fix-tcp-high-water-release-note-v9_14' into 'v9_14'
[v9_14] Fix TCP high-water release note

See merge request isc-projects/bind9!2542
2019-11-06 15:36:15 +00:00
Michał Kępień
8e72c1aeb6 Fix TCP high-water release note
Add missing GitLab issue number to the TCP high-water release note and
put it in the "New Features" section where it belongs.

(cherry picked from commit d0a3273d4d)
2019-11-06 16:31:53 +01:00
Michał Kępień
afcb1d8f8d Merge branch '1298-do-not-use-sys-sysctl.h-on-linux-v9_14' into 'v9_14'
[v9_14] Do not use <sys/sysctl.h> on Linux

See merge request isc-projects/bind9!2540
2019-11-06 15:14:12 +00:00
Michał Kępień
ae933dec2c Do not use <sys/sysctl.h> on Linux
glibc 2.30 deprecated the <sys/sysctl.h> header [1].  However, that
header is still used on other Unix-like systems, so only prevent it from
being used on Linux, in order to prevent compiler warnings from being
triggered.

[1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html

(cherry picked from commit 65a8b53bd0)
2019-11-06 16:00:02 +01:00
Michał Kępień
d0344e2505 Merge branch '1206-add-assert_int_equal-shell-function-v9_14' into 'v9_14'
[v9_14] Add assert_int_equal() shell function

See merge request isc-projects/bind9!2539
2019-11-06 14:56:48 +00:00
Michał Kępień
0bb075808a Add assert_int_equal() shell function
Add a shell function which is used in the "tcp" system test, but has
been accidentally omitted from !2425.  Make sure the function does not
change the value of "ret" itself, so that the caller can decide what to
do with the function's return value.

(cherry picked from commit 8bb7f1f2a1)
2019-11-06 15:54:52 +01:00
Matthijs Mekking
9d8b4af026 Merge branch '1256-jitter-dynamically-updated-signatures-v9_14' into 'v9_14'
Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones"

See merge request isc-projects/bind9!2537
2019-11-06 14:53:28 +00:00
Ondřej Surý
8466be3e91 Add CHANGES
(cherry picked from commit 00569e0dfa)
2019-11-06 15:15:26 +01:00
Matthijs Mekking
75f31d2422 Test jitter distribution
Test jitter distribution in NSEC3 dynamic zone and for a zone that has old
signatures.  In both cases the generated signatures should be spread nicely.

(cherry picked from commit 540b90fd6c)
2019-11-06 15:15:15 +01:00
Witold Kręcicki
662d10cba7 Jitter signatures times when adding dynamic records.
When doing regular signing expiry time is jittered to make sure
that the re-signing times are not clumped together. This expands
this behaviour to expiry times of dynamically added records.

When incrementally re-signing a zone use the full jitter range if
the server appears to have been offline for greater than 5 minutes
otherwise use a small jitter range of 3600 seconds.  This will stop
the signatures becoming more clustered if the server has been off
line for a significant period of time (> 5 minutes).

(cherry picked from commit 6b2fd40269)
2019-11-06 15:14:16 +01:00
Ondřej Surý
6db9d7c279 Merge branch '1206-tcp-high-water-stats-v9_14' into 'v9_14'
Resolve "Customer Feature Request:  Add "high-water" measurement for tcp-clients"

See merge request isc-projects/bind9!2530
2019-11-06 11:31:27 +00:00
Diego Fronza
f3750b385c Added TCP high-water entry to CHANGES
(cherry picked from commit ba3fe75e65)
2019-11-06 11:29:35 +01:00
Diego Fronza
873973959d Added TCP high-water entry to release notes
(cherry picked from commit dd492b64d9)
2019-11-06 11:29:35 +01:00
Ondřej Surý
bc760310cd Avoid an extra atomic_load() call 2019-11-06 11:29:35 +01:00
Diego Fronza
558d7ff5e5 Added TCP high-water system tests
Note: ans6/ans6.py is a helper script that allows tests.sh to open/close
TCP connections to some BIND instance.

(cherry picked from commit 29be224a04)
2019-11-06 11:26:22 +01:00
Diego Fronza
d5cc3ed381 Added TCP high-water statistics variable
This variable will report the maximum number of simultaneous tcp clients
that BIND has served while running.

It can be verified by running rndc status, then inspect "tcp high-water:
count", or by generating statistics file, rndc stats, then inspect the
line with "TCP connection high-water" text.

The tcp-highwater variable is atomically updated based on an existing
tcp-quota system handled in ns/client.c.

(cherry picked from commit 66fe8627de)
2019-11-06 11:26:22 +01:00
Diego Fronza
faf3cbe62d Add functions for collecting high-water counters
Add {isc,ns}_stats_{update_if_greater,get_counter}() functions that
are used to set and collect high-water type of statistics.

(cherry picked from commit a544e2e300)
2019-11-06 11:26:22 +01:00
Diego Fronza
733720a3f2 Change the isc_stat_t type to isc__atomic_statcounter_t
The isc_stat_t type was too similar to isc_stats_t type, so the name was
changed to something more distinguishable.

(cherry picked from commit eb5611a770)
2019-11-06 11:26:22 +01:00
Diego Fronza
02555bb7a5 Change the isc_statscounter_t type from int to C99 int_fast64_t type
For TCP high-water work, we need to keep the used integer types widths
in sync.

Note: int_fast32_t is used on WIN32 platform
(cherry picked from commit 0fc98ef2d5)
2019-11-06 11:26:22 +01:00
Ondřej Surý
a217737764 Merge branch '1285-documentation-update-to-sortlist-feature-bugs-42615-v9_14' into 'v9_14'
arm: Add a sentence about overlaping selectors in sortlist statement

See merge request isc-projects/bind9!2532
2019-11-06 10:09:26 +00:00
Ondřej Surý
28884623fb arm: Add a sentence about overlaping selectors in sortlist statement
(cherry picked from commit ebc61946b2)
2019-11-06 11:08:17 +01:00
Michał Kępień
11f08caa9a Merge branch 'michal/split-release-notes-into-per-version-sections-v9_14' into 'v9_14'
[v9_14] Split release notes into per-version sections

See merge request isc-projects/bind9!2529
2019-11-06 09:13:46 +00:00
Michał Kępień
78d96b8fb9 Rebuild output files 2019-11-06 09:33:59 +01:00
Michał Kępień
bb74ec04bb Update URLs used in release notes
Some URLs used in release notes became outdated.  Make sure they point
to currently available resources.
2019-11-06 09:33:59 +01:00
Michał Kępień
920920e68e Split release notes into per-version sections
Intertwining release notes from different BIND releases in a single XML
file has caused confusion in the past due to different (and often
arbitrary) approaches to keeping/removing release notes from older
releases on different BIND branches.  Divide doc/arm/notes.xml into
per-version sections to simplify determining the set of changes
introduced by a given release and to make adding/reviewing release notes
less error-prone.
2019-11-06 09:33:57 +01:00
Mark Andrews
e700a0a67b Merge branch '1301-geoip2-default-data-path-v9_14' into 'v9_14'
Resolve "geoip2 default data path"

See merge request isc-projects/bind9!2526
2019-11-06 01:43:12 +00:00
Mark Andrews
82458699f9 Add CHANGES note
(cherry picked from commit 7b10faf108)
2019-11-06 12:28:52 +11:00
Mark Andrews
dcf958b852 Regenerate configure.
(cherry picked from commit 51fb42edcb)
2019-11-06 12:28:52 +11:00
Mark Andrews
538b455490 Have 'named -V' report geoip-directory
(cherry picked from commit 2eaa75c380)
2019-11-06 12:28:52 +11:00
Mark Andrews
ca036f346d The default geoip-directory should be <MAXMINDDB_PREFIX>/share/GeoIP
(cherry picked from commit fcd765a59d)
2019-11-06 11:47:32 +11:00
Mark Andrews
33b1a1ef0f MAXMINDDB_LIBS should end with '/lib' not '/libs'
(cherry picked from commit e0fe33506c)
2019-11-06 11:47:28 +11:00
Ondřej Surý
d116a4ea9f Merge branch '664-fetches-per-server-quota-docs-v9_14' into 'v9_14'
Describe the polynomial backoff curve used in the quota adjustment

See merge request isc-projects/bind9!2523
2019-11-05 10:12:48 +00:00
Ondřej Surý
1ab5685d25 Describe the polynomial backoff curve used in the quota adjustment
(cherry picked from commit 56ef09c3a1)
2019-11-05 11:06:04 +01:00
Ondřej Surý
d265ce0243 Merge branch '45-integrate-llvm-scan-build-to-gitlab-ci-workflow-v9_14' into 'v9_14'
Resolve "Integrate LLVM scan-build to GitLab CI workflow"

See merge request isc-projects/bind9!2521
2019-11-05 09:19:49 +00:00
Ondřej Surý
027f2c1518 libdns: add missing checks for return values in dnstap unit test
Related scan-build report:

dnstap_test.c:169:2: warning: Value stored to 'result' is never read
        result = dns_test_makeview("test", &view);
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dnstap_test.c:193:2: warning: Value stored to 'result' is never read
        result = dns_compress_init(&cctx, -1, dt_mctx);
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.

(cherry picked from commit e9acad638e)
2019-11-05 09:49:24 +01:00
Ondřej Surý
2d52a05f4f named: remove named_g_defaultdnstap global variable
The named_g_defaultdnstap was never used as the dnstap requires
explicit configuration of the output file.

Related scan-build report:

./server.c:3476:14: warning: Value stored to 'dpath' during its initialization is never read
        const char *dpath = named_g_defaultdnstap;
                    ^~~~~   ~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

(cherry picked from commit 6decd14592)
2019-11-05 09:48:51 +01:00
Ondřej Surý
72f9846be6 libdns: Change check_dnskey_sigs() return type to void to match the reality how the function is used
(cherry picked from commit 64cf5144a6)
2019-11-05 09:48:51 +01:00
Ondřej Surý
7a0019cfa1 tests: Resolve scan-build false positive by adding extra assertion
(cherry picked from commit 309dca417c)
2019-11-05 09:48:51 +01:00
Ondřej Surý
38866cb5c4 dnssec: don't qsort() empty hashlist
(cherry picked from commit 6bbb0b8e42)
2019-11-05 09:48:51 +01:00
Ondřej Surý
aaded0efe0 named: Add INSIST() after bindkeysfile configuration load to silence scan-build FP
(cherry picked from commit 6bf364aec8)
2019-11-05 09:48:50 +01:00
Ondřej Surý
fcfdd847f4 tests: Workaround scan-build false positive with FD_ZERO/FD_SET
(cherry picked from commit 7aa7f8592c)
2019-11-05 09:48:50 +01:00
Ondřej Surý
1be8170888 libdns: Remove useless checks for ISC_R_MEMORY, which cannot happen now
(cherry picked from commit 80b55d25de)
2019-11-05 09:48:50 +01:00
Ondřej Surý
9bf2ae0e0a ci: Add LLVM/Clang scan-build checks into the GitLab CI
(cherry picked from commit 5f584310bc)
2019-11-05 09:48:50 +01:00
Michal Nowak
742eb50347 Merge branch 'mnowak/1244-extra-quotes-around-TESTSOCK6/9_14' into 'v9_14'
[9.14] digdelv: Extra quotes prevent IPv6 runs

See merge request isc-projects/bind9!2515
2019-10-31 12:32:07 -04:00
Michal Nowak
c7a1d051c5 digdelv: Extra quotes prevent IPv6 runs
Portion of the digdelv test are skipped on IPv6 due to extra quotes
around $TESTSOCK6: "I:digdelv:IPv6 unavailable; skipping".

Researched by @michal.

Regressed with 351efd8812.

(cherry picked from commit 1b6419f8a7)
2019-10-31 12:32:06 -04:00
Ondřej Surý
cab2929b4f Merge branch '876-documentation-feedback-v9_14' into 'v9_14'
Resolve "Documentation feedback."

See merge request isc-projects/bind9!2513
2019-10-31 10:42:58 -04:00
Ondřej Surý
912040b611 arm: add more text describing interaction between automatic-interface-scan and interface-interval
(cherry picked from commit e0618174b6)
2019-10-31 09:09:06 -05:00
Ondřej Surý
5095ad31b1 arm: Fix the default for the lock-file command, it's 'none'
(cherry picked from commit f7eea400a8)
2019-10-31 09:09:06 -05:00
Brian Conry
30ccde7cdc arm: Add an explanation on the effect of 'require-server-cookie yes;'
(cherry picked from commit c6f91f8bd0)
2019-10-31 09:09:05 -05:00
Mark Andrews
bcb9fca00c arm: add why when to set 'require-server-cookie yes;'
(cherry picked from commit c5453ea328)
2019-10-31 09:09:05 -05:00
Mark Andrews
9054c1ff33 arm: document resolver-nonbackoff-tries and resolver-retry-interval
(cherry picked from commit 1ea6aadf6f)
2019-10-31 09:09:05 -05:00
Mark Andrews
09999761ad arm: add default values for require-server-cookie and send-cookie options
(cherry picked from commit d8abf4f5b6)
2019-10-31 09:09:05 -05:00
Michał Kępień
0506c0b442 Merge branch '1059-prevent-tcp-failures-from-affecting-edns-stats-v9_14' into 'v9_14'
[v9_14] Prevent TCP failures from affecting EDNS stats

See merge request isc-projects/bind9!2511
2019-10-31 05:36:51 -04:00
Michał Kępień
80586e82b1 Add CHANGES entry
5310.	[bug]		TCP failures were affecting EDNS statistics. [GL #1059]

(cherry picked from commit 36d3c66e4e)
2019-10-31 09:54:37 +01:00
Michał Kępień
b2ee3fa0bb Prevent TCP failures from affecting EDNS stats
EDNS mechanisms only apply to DNS over UDP.  Thus, errors encountered
while sending DNS queries over TCP must not influence EDNS timeout
statistics.

(cherry picked from commit fce3c93ea2)
2019-10-31 09:54:23 +01:00
Michał Kępień
79a9bf6f03 Merge branch '1059-prevent-query-loops-for-misbehaving-servers-v9_14' into 'v9_14'
[v9_14] Prevent query loops for misbehaving servers

See merge request isc-projects/bind9!2508
2019-10-31 04:45:51 -04:00
Michał Kępień
61370994fc Prevent query loops for misbehaving servers
If a TCP connection fails while attempting to send a query to a server,
the fetch context will be restarted without marking the target server as
a bad one.  If this happens for a server which:

  - was already marked with the DNS_FETCHOPT_EDNS512 flag,
  - responds to EDNS queries with the UDP payload size set to 512 bytes,
  - does not send response packets larger than 512 bytes,

and the response for the query being sent is larger than 512 byes, then
named will pointlessly alternate between sending UDP queries with EDNS
UDP payload size set to 512 bytes (which are responded to with truncated
answers) and TCP connections until the fetch context retry limit is
reached.  Prevent such query loops by marking the server as bad for a
given fetch context if the advertised EDNS UDP payload size for that
server gets reduced to 512 bytes and it is impossible to reach it using
TCP.

(cherry picked from commit 6cd115994e)
2019-10-31 08:49:09 +01:00
Mark Andrews
e99835b915 Merge branch '1288-log-dns_r_unchanged-from-sync_secure_journal-at-info-level-in-receive_secure_serial-v9_14' into 'v9_14'
Resolve "Log DNS_R_UNCHANGED from sync_secure_journal at info level in receive_secure_serial."

See merge request isc-projects/bind9!2498
2019-10-29 21:32:49 -04:00
Mark Andrews
244c72b5b6 add CHANGES
(cherry picked from commit e6ef7858c3)
2019-10-30 12:13:01 +11:00
Mark Andrews
cdf114078b Log DNS_R_UNCHANGED from sync_secure_journal() at info level in receive_secure_serial()
(cherry picked from commit 8eb09f3232)
2019-10-30 12:13:01 +11:00
Mark Andrews
f42292104b Merge branch 'u/fanf2/compilezone-hang-v9_14' into 'v9_14'
Fix hang in `named-compilezone | head`

See merge request isc-projects/bind9!2496
2019-10-29 20:14:35 -04:00
Tony Finch
c4890c7e83 CHANGES
(cherry picked from commit 548f29a4d9)
2019-10-30 10:52:52 +11:00
Tony Finch
19970088fc Fix hang in named-compilezone | head
I was truncating zone files for experimental purposes when I found
that `named-compilezone | head` got stuck. The full command line that
exhibited the problem was:

	dig axfr dotat.at |
	named-compilezone -o /dev/stdout dotat.at /dev/stdin |
	head

This requires a large enough zone to exhibit the problem, more than
about 70000 bytes of plain text output from named-compilezone.
I was running the command on Debian Stretch amd64.

This was puzzling since it looked like something was suppressing the
SIGPIPE. I used `strace` to examine what was happening at the hang.
The program was just calling write() a lot to print the zone file, and
the last write() hanged until I sent it a SIGINT.

During some discussion with friends, Ian Jackson guessed that opening
/dev/stdout O_RDRW might be the problem, and after some tests we found
that this does in fact suppress SIGPIPE.

Since `named-compilezone` only needs to write to its output file, the
fix is to omit the stdio "+" update flag.

(cherry picked from commit a87ccea032)
2019-10-30 10:52:22 +11:00
Ondřej Surý
8c2f196182 Merge branch '1265-disable-synth-from-dnssec-by-default-workaround-v9_14' into 'v9_14'
Disable synth-from-dnssec by default [v9_14]

See merge request isc-projects/bind9!2494
2019-10-29 07:39:27 -04:00
Ondřej Surý
41611a9bd9 Add CHANGES note
(cherry picked from commit 4a778cfa45)
2019-10-29 05:59:51 -05:00
Ondřej Surý
5eeaeb486f Add release notes.
(cherry picked from commit fce5a01a63)
2019-10-29 05:59:50 -05:00
Ondřej Surý
56b6d8c6a7 Adjust synthfromdnssec system test to the changed defaults
(cherry picked from commit 800d7843af)
2019-10-29 05:14:34 -05:00
Ondřej Surý
b97004be30 Disable NSEC Aggressive Cache (synth-from-dnssec) by default
It was found that NSEC Aggressive Caching has a significant performance impact
on BIND 9 when used as recursor.  This commit disables the synth-from-dnssec
configuration option by default to provide immediate remedy for people running
BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
will be prepared.

(cherry picked from commit a20c42dca6)
2019-10-29 05:14:34 -05:00
Michał Kępień
4fb9ef674f Merge branch 'michal/add-centos-8-to-gitlab-ci-v9_14' into 'v9_14'
[v9_14] Add CentOS 8 to GitLab CI

See merge request isc-projects/bind9!2492
2019-10-29 04:22:35 -04:00
Michał Kępień
810cbde0bc Add CentOS 8 to GitLab CI
Ensure BIND can be tested on CentOS 8 in GitLab CI to more quickly catch
build and test errors on that operating system.

(cherry picked from commit dce1c05042)
2019-10-29 08:53:56 +01:00
Mark Andrews
4689f8cec6 Merge branch '876-documentation-feedback-2-v9_14' into 'v9_14'
dnskey-sig-validity 0;

See merge request isc-projects/bind9!2487
2019-10-24 17:09:53 -04:00
Mark Andrews
c452db5790 add named-checkconf tests for dnskey-sig-validity at range limits
(cherry picked from commit 918f020f9f)
2019-10-25 07:12:36 +11:00
Mark Andrews
85d89c00da accept 0 for dnskey-sig-validity (indicates off)
(cherry picked from commit 20647657f9)
2019-10-25 07:12:03 +11:00
Mark Andrews
f59321d972 Merge branch '1281-dnstap-per-view-configuration-v9_14' into 'v9_14'
Resolve "dnstap per view configuration"

See merge request isc-projects/bind9!2479
2019-10-21 19:29:09 -04:00
Mark Andrews
aface50cfe add CHANGES
(cherry picked from commit 6ce1e2e731)
2019-10-22 08:23:32 +11:00
Mark Andrews
c46f4d14f5 check for relationship between dnstap and dnstap-output seperately
(cherry picked from commit c2fcc9f16f)
2019-10-22 08:23:32 +11:00
Mark Andrews
71f33e0c24 add more dnstap/dnstap-output combinations
(cherry picked from commit f3d53630c3)
2019-10-22 08:23:32 +11:00
Tinderbox User
6330f2c6c8 Merge branch 'security-v9_14' into v9_14 2019-10-19 23:34:28 +00:00
Michał Kępień
afb1e0758f Merge branch 'michal/address-cppcheck-1.89-warnings-v9_14' into 'v9_14'
[v9_14] Address cppcheck 1.89 warnings

See merge request isc-projects/bind9!2473
2019-10-17 05:50:06 -04:00
Michał Kępień
c62c7c2f86 Suppress cppcheck 1.89 false positive
cppcheck 1.89 emits a false positive for lib/dns/spnego_asn1.c:

    lib/dns/spnego_asn1.c:700:9: error: Uninitialized variable: data [uninitvar]
     memset(data, 0, sizeof(*data));
            ^
    lib/dns/spnego.c:1709:47: note: Calling function 'decode_NegTokenResp', 3rd argument '&resp' value is <Uninit>
     ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
                                                  ^
    lib/dns/spnego_asn1.c:700:9: note: Uninitialized variable: data
     memset(data, 0, sizeof(*data));
            ^

This message started appearing with cppcheck 1.89 [1], but it will be
gone in the next release [2], so just suppress it for the time being.

[1] af214e8212

[2] 2595b82634

(cherry picked from commit db7fd16346)
2019-10-17 10:52:19 +02:00
Michał Kępień
2a2a346340 Fix cppcheck 1.89 warnings
cppcheck 1.89 enabled certain value flow analysis mechanisms [1] which
trigger null pointer dereference false positives in lib/dns/rpz.c:

    lib/dns/rpz.c:584:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1425:44: note: Calling function 'adj_trigger_cnt', 4th argument '(void*)0' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:584:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:598:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1425:44: note: Calling function 'adj_trigger_cnt', 4th argument '(void*)0' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:598:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:612:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1425:44: note: Calling function 'adj_trigger_cnt', 4th argument '(void*)0' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:612:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^

It seems that cppcheck no longer treats at least some REQUIRE()
assertion failures as fatal, so add extra assertion macro definitions to
lib/isc/include/isc/util.h that are only used when the CPPCHECK
preprocessor macro is defined; these definitions make cppcheck 1.89
behave as expected.

There is an important requirement for these custom definitions to work:
cppcheck must properly treat abort() as a function which does not
return.  In order for that to happen, the __GNUC__ macro must be set to
a high enough number (because system include directories are used and
system headers compile attributes away if __GNUC__ is not high enough).
__GNUC__ is thus set to the major version number of the GCC compiler
used, which is what that latter does itself during compilation.

[1] aaeec462e6

(cherry picked from commit abfde3d543)
2019-10-17 10:50:51 +02:00
Michał Kępień
4ea4e9b0b0 Merge branch 'michal/cleanup-with-cc-alg-remnants-v9_14' into 'v9_14'
[v9_14] Remove remnants of the --with-cc-alg option

See merge request isc-projects/bind9!2469
2019-10-15 16:35:12 -04:00
Michał Kępień
847879f772 Remove remnants of the --with-cc-alg option
Commit afa81ee4e4 omitted some spots in
the source tree which are still referencing the removed --with-cc-alg
"configure" option.  Make sure the latter is removed completely.

(cherry picked from commit 428dcf3b49)
2019-10-15 21:58:48 +02:00
Michał Kępień
97a940041f Merge branch 'michal/limit-triggers-for-openbsd-system-test-jobs-v9_14' into 'v9_14'
[v9_14] Limit triggers for OpenBSD system test jobs

See merge request isc-projects/bind9!2467
2019-10-15 15:52:45 -04:00
Michał Kępień
695e099c67 Limit triggers for OpenBSD system test jobs
When a GitLab CI runner is not under load, a single OpenBSD system test
job completes in about 12 minutes, which is considered decent.  However,
such jobs are usually multiplexed with other system test jobs on the
same host, which causes each of them to take even 40 minutes to
complete.  Taking retries into account, this is completely unacceptable
for everyday use, so only start OpenBSD system test jobs for pipelines
created through GitLab's web interface and for pipelines created for Git
tags.

(cherry picked from commit 603e04563b)
2019-10-15 21:48:43 +02:00
Michał Kępień
c2faa4dd64 Merge branch 'michal/minor-gitlab-ci-tweaks-v9_14' into 'v9_14'
[v9_14] Minor GitLab CI tweaks

See merge request isc-projects/bind9!2464
2019-10-15 15:45:57 -04:00
Michał Kępień
765cdd284b Tweak dependencies for the Windows build job
Since the Windows build job does not use the files created as a result
of running "autoreconf -fi" in the "autoreconf:sid:amd64" job, set its
dependencies to an empty list.

Since it is currently not possible to use "needs: []" for jobs which do
not belong to the first stage of a pipeline, set the "needs" key for the
Windows build job to the "autoreconf:sid:amd64" job so that all build
jobs are started at the same time (without this change, the Windows
build job does not start until all jobs in the "precheck" stage are
finished).

As a side note, these changes also attempt to eliminate intermittent,
bogus GitLab error messages ("There has been a missing dependency
failure").

(cherry picked from commit dd97dfdc14)
2019-10-15 20:49:28 +02:00
Michał Kępień
5599892021 Fix artifacts created by the "autoreconf" CI job
The intended purpose of the "autoreconf:sid:amd64" GitLab CI job is to
run "autoreconf -fi" and then pass the updated files on to subsequent
non-Windows build jobs.  However, the artifacts currently created by
that job only include files which are not tracked by Git.  Since we
currently do track e.g. "configure" with Git, the aforementioned job is
essentially a no-op.  Fix by manually specifying the files generated by
the "autoreconf:sid:amd64" job that should be passed on to subsequent
build jobs.

(cherry picked from commit e83b322f7f)
2019-10-15 20:49:28 +02:00
Michał Kępień
feaed60540 Merge branch 'michal/add-openbsd-to-gitlab-ci-v9_14' into 'v9_14'
[v9_14] Add OpenBSD to GitLab CI

See merge request isc-projects/bind9!2459
2019-10-15 14:44:41 -04:00
Michał Kępień
9d24eba876 Add OpenBSD to GitLab CI
Ensure BIND can be tested on OpenBSD in GitLab CI to more quickly catch
build and test errors on that operating system.

Some notes:

  - While GCC is packaged for OpenBSD, only old versions (4.2.1, 4.9.4)
    are readily available and none of them is the default system
    compiler, so we are only doing Clang builds in GitLab CI.

  - Unit tests are currently not run on OpenBSD because it ships with an
    old version of kyua which does not handle skipped tests properly.
    These jobs will be added when we move away from using kyua in the
    future as the test code itself works fine.

  - All OpenBSD jobs are run inside QEMU virtual machines, using GitLab
    Runner Custom executor.

(cherry picked from commit 07d2fcb544)
2019-10-15 16:38:24 +02:00
Michał Kępień
2395288c2e Work around an OpenBSD "make" quirk
Consider the following Makefile:

    foo:
    	false

On OpenBSD, the following happens for this Makefile:

  - "make foo" returns 1,
  - "make -k foo" returns 0,
  - "make -k -j6 foo" returns 1.

However, if the .NOTPARALLEL pseudo-target is added to this Makefile,
"make -k -j6 foo" will return 0 as well.

Since bin/tests/Makefile contains the .NOTPARALLEL pseudo-target,
running "make -k -j6 test" from bin/tests/ on OpenBSD prevents any
errors from being reported through that command's exit code.

Work around the issue by running "make -k -j6 test" in the
bin/tests/system/ directory instead as bin/tests/system/Makefile does
not contain the .NOTPARALLEL pseudo-target and thus things work as
expected there.

(cherry picked from commit 6b5426e1a7)
2019-10-15 16:38:23 +02:00
Mark Andrews
71db12db0f Merge branch '1143-a-minor-documentation-issue-consideration-of-parsing-inconsistencies-in-ipv4s-in-address-match-lists-and-in-a-controls-inet-statement-v9_14' into 'v9_14'
Resolve "A minor documentation issue & consideration of parsing inconsistencies in IPv4s in address match lists and in a controls/inet statement"

See merge request isc-projects/bind9!2454
2019-10-13 10:59:37 -04:00
Mark Andrews
446de056b6 Detect partial prefixes / incomplete IPv4 address in acls.
(cherry picked from commit fb87e669fb)
2019-10-14 01:31:44 +11:00
Ondřej Surý
7076fd6825 Merge branch 'ondrej/1-week-artifact-expiration-v9_14' into 'v9_14'
Synchronize the lifetime of artifact to 1 week

See merge request isc-projects/bind9!2449
2019-10-10 02:10:04 -04:00
Ondřej Surý
540f25194b Synchronize the lifetime of artifact to 1 week
(cherry picked from commit 85c0bede78)
2019-10-10 07:47:41 +02:00
Tinderbox User
5b7e2059ca Merge branch 'fix-doc' into security-v9_14 2019-10-09 20:54:55 +00:00
Tinderbox User
98f2e7149b regenerate doc 2019-10-09 20:54:43 +00:00
Ondřej Surý
148d39afbd Merge branch 'security-v9_14-issue-numbers' into 'security-v9_14'
Fix the GitLab issue numbers in CHANGES and notes.xml

See merge request isc-private/bind9!120
2019-10-09 02:34:53 -04:00
Ondřej Surý
bfb08a9780 Fix the GitLab issue numbers in CHANGES and notes.xml 2019-10-09 08:02:05 +02:00
Mark Andrews
348077c1e6 Merge branch 'marka-missing-runtime-check-v9_14' into 'v9_14'
missing RUNTIME_CHECK

See merge request isc-projects/bind9!2417
2019-10-04 00:34:22 -04:00
Mark Andrews
0f51b41094 add CHANGES
(cherry picked from commit 346624fe38)
2019-10-04 14:08:26 +10:00
Ondřej Surý
3c20623436 Move the failure handling block closer to the only place where it could fail
(cherry picked from commit 69ecc711ac)
2019-10-04 14:08:26 +10:00
Ondřej Surý
aebea22fab Replace RUNTIME_CHECK(dns_name_copy(..., NULL)) with dns_name_copynf()
Use the semantic patch from the previous commit to replace all the calls to
dns_name_copy() with NULL as third argument with dns_name_copynf().

(cherry picked from commit c2dad0dcb2)
2019-10-04 14:08:26 +10:00
Ondřej Surý
c8c6718ee4 Add semantic patch to replace RUNTIME_CHECK(dns_name_copy(..., NULL)) with dns_name_copynf
(cherry picked from commit ac26ecf540)
2019-10-04 14:08:25 +10:00
Ondřej Surý
a1ef76cd78 Split dns_name_copy() into dns_name_copy() and dns_name_copynf()
The dns_name_copy() function followed two different semanitcs that was driven
whether the last argument was or wasn't NULL.  This commit splits the function
in two where now third argument to dns_name_copy() can't be NULL and
dns_name_copynf() doesn't have third argument.

(cherry picked from commit f7aef3738a)
2019-10-04 14:08:25 +10:00
Ondřej Surý
660307283e The final round of adding RUNTIME_CHECK() around dns_name_copy() calls
This commit was done by hand to add the RUNTIME_CHECK() around stray
dns_name_copy() calls with NULL as third argument.  This covers the edge cases
that doesn't make sense to write a semantic patch since the usage pattern was
unique or almost unique.

(cherry picked from commit 5efa29e03a)
2019-10-04 14:08:25 +10:00
Ondřej Surý
77fe5da647 Add RUNTIME_CHECK() around result = dns_name_copy(..., NULL) calls
This second commit uses second semantic patch to replace the calls to
dns_name_copy() with NULL as third argument where the result was stored in a
isc_result_t variable.  As the dns_name_copy(..., NULL) cannot fail gracefully
when the third argument is NULL, it was just a bunch of dead code.

Couple of manual tweaks (removing dead labels and unused variables) were
manually applied on top of the semantic patch.

(cherry picked from commit 89b269b0d2)
2019-10-04 14:08:25 +10:00
Ondřej Surý
9adb3ae2d5 Add RUNTIME_CHECK() around plain dns_name_copy(..., NULL) calls using spatch
This commit add RUNTIME_CHECK() around all simple dns_name_copy() calls where
the third argument is NULL using the semantic patch from the previous commit.

(cherry picked from commit 35bd7e4da0)
2019-10-04 14:08:25 +10:00
Ondřej Surý
500b5b9f79 Add semantic patches to correctly check dns_name_copy(..., NULL) return code
The dns_name_copy() function cannot fail gracefully when the last argument
(target) is NULL.  Add RUNTIME_CHECK()s around such calls.

The first semantic patch adds RUNTIME_CHECK() around any call that ignores the
return value and is very safe to apply.

The second semantic patch attempts to properly add RUNTIME_CHECK() to places
where the return value from `dns_name_copy()` is recorded into `result`
variable.  The result of this semantic patch needs to be reviewed by hand.

Both patches misses couple places where the code surrounding the
`dns_name_copy(..., NULL)` usage is more complicated and is better suited to be
fixed by a human being that understands the surrounding code.

(cherry picked from commit 406eba0c41)
2019-10-04 14:08:25 +10:00
Mark Andrews
2894de2ab3 Merge branch 'marka-cppcheck-fixes-v9_12-and-v9_14' into 'v9_14'
Address cppcheck reports (v9_11/v9_14)

See merge request isc-projects/bind9!2342
2019-10-03 23:36:19 -04:00
Mark Andrews
fcebc4f15b Address cppcheck reports 2019-10-04 13:06:00 +10:00
Mark Andrews
b396c9dfde Merge branch 'marka-silence-clang-v9_14' into 'v9_14'
silence clang warning by using local variable.

See merge request isc-projects/bind9!2441
2019-10-03 21:58:45 -04:00
Mark Andrews
b997237f49 silence clang warning by using local variable.
'isc_commandline_index' is a global variable so it can theoretically
change result between if expressions.  Save 'argv[isc_commandline_index]'
to local variable 'arg1' and use 'arg1 == NULL' in if expressions
instead of 'argc < isc_commandline_index + 1'.  This allows clang
to correctly determine what code is reachable.

(cherry picked from commit 1b27ab8642)
2019-10-04 11:36:19 +10:00
Ondřej Surý
418b340a8f Merge branch 'ondrej/fix-docs-autoreconf-v9_14' into 'v9_14'
Fix docs -> autoreconf dependencies in the .gitlab-ci.yml (v9_14)

See merge request isc-projects/bind9!2439
2019-10-03 10:08:05 -04:00
Ondřej Surý
3b339eb43f Fix the triggering rule for autoreconf job (take 2) 2019-10-03 15:34:09 +02:00
Ondřej Surý
cc4c5482ef Fix docs -> autoreconf dependencies in the .gitlab-ci.yml 2019-10-03 15:34:06 +02:00
Ondřej Surý
c70c4be5c4 Merge branch 'ondrej/enable-cppcheck-v9_14' into 'v9_14'
Enable Cppcheck for v9_14 branch

See merge request isc-projects/bind9!2432
2019-10-03 08:20:18 -04:00
Ondřej Surý
2ae68cd120 Use util/suppressions.txt for Cppcheck suppressions list 2019-10-03 14:02:08 +02:00
Ondřej Surý
36b0c5a517 lib/isc/tests/md_test.c: Silence sizeofFunctionCall Cppcheck 2019-10-03 12:44:02 +02:00
Ondřej Surý
e8f64e99f3 lib/isc/tests/hmac_test.c: Silence sizeofFunctionCall Cppcheck 2019-10-03 12:44:02 +02:00
Ondřej Surý
fedfd48a08 lib/dns/zone.c: Fix invalid order of DbC checks that could cause dereference before NULL check 2019-10-03 10:16:03 +02:00
Ondřej Surý
6a82289e35 lib/dns/sdlz.c: Use the referenced variable in the DbC check 2019-10-03 10:15:35 +02:00
Ondřej Surý
9ffcc8f165 lib/dns/sdb.c: Fix invalid order of DbC checks that could cause dereference before NULL check 2019-10-03 10:14:43 +02:00
Ondřej Surý
9f75d17e95 Remove randomly scattered additional style check suppressions that caused unmatchedSuppression
(cherry picked from commit a0d3614a60)
2019-10-03 09:50:27 +02:00
Ondřej Surý
beb05c3d78 lib/ns/query.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit d1f035bbba)
2019-10-03 09:50:27 +02:00
Ondřej Surý
82d3faa274 lib/ns/interfacemgr.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit 033f3eb580)
2019-10-03 09:50:27 +02:00
Ondřej Surý
c12ff394f1 lib/ns/client.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit b4a42a286f)
2019-10-03 09:50:27 +02:00
Ondřej Surý
929fc207c7 lib/isccfg/parser.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit f855f09a55)
2019-10-03 09:50:27 +02:00
Ondřej Surý
22d5735a0e lib/isccfg/aclconf.c: Suppress nullPointerRedundantCheck false positive
(cherry picked from commit 09232213d7)
2019-10-03 09:50:27 +02:00
Ondřej Surý
be4aafeac7 lib/isc/unix/socket.c: Suppress preprocessorErrorDirective error from Cppcheck
(cherry picked from commit 026cf2ff4f)
2019-10-03 09:50:27 +02:00
Ondřej Surý
d6de4edc41 lib/isc/task.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit c662969da1)
2019-10-03 09:50:27 +02:00
Ondřej Surý
4acf396f83 lib/isc/pkc11.c: Fix possible NULL pointer dereference in push_attribute()
(cherry picked from commit e8948fd9b4)
2019-10-03 09:50:27 +02:00
Ondřej Surý
ac1127b2ad lib/isc/buffer.c: Fix invalid order of DbC checks that could cause dereference before NULL check
(cherry picked from commit e9f30fc211)
2019-10-03 09:50:26 +02:00
Ondřej Surý
8b32d11206 lib/dns/tsig.c: Suppress Cppcheck false positive error uninitStructMember
(cherry picked from commit 8f2ad12d0a)
2019-10-03 09:50:26 +02:00
Ondřej Surý
8db221d97a lib/dns/tests/rbt_serialize_test.c: Fix dereference before DbC check
(cherry picked from commit 14c174d921)
2019-10-03 09:50:26 +02:00
Ondřej Surý
4ef534aa90 Instead of declaring unused va_list, just don't declare it at all
(cherry picked from commit 269d507ccc)
2019-10-03 09:50:26 +02:00
Ondřej Surý
c3c515b56b lib/dns/rdatalist.c: Fix dereference before DbC check
(cherry picked from commit 5fc7e98d29)
2019-10-03 09:50:26 +02:00
Ondřej Surý
e442d1bbd2 lib/dns/rdata/*/*.c: Silence false positive nullPointerRedundantCheck warning from Cppcheck
Cppcheck gets confused by:

void bar(void *arg) {
    foo *data = arg;
    REQUIRE(source != NULL);
    REQUIRE(data->member != NULL);
}

and for consistency the DbC check needs to be changed to

void bar(void *arg) {
    foo *data = arg;
    REQUIRE(data != NULL);
    REQUIRE(data->member != NULL);
}

(cherry picked from commit 66af8713d8)
2019-10-03 09:50:26 +02:00
Ondřej Surý
2f5a7e84d9 lib/dns/rdata.c: Silence false positive nullPointerRedundantCheck warning from Cppcheck
(cherry picked from commit e68333aa67)
2019-10-03 09:50:26 +02:00
Ondřej Surý
7379248d9c lib/dns/rbtdb.c: Add DbC check to safely dereference rbtdb in rbt_datafixer()
(cherry picked from commit d508ce4036)
2019-10-03 09:50:26 +02:00
Ondřej Surý
4a129256e4 lib/dns/rbt.c: Suppress nullPointerRedundantCheck warnings from Cppcheck
(cherry picked from commit 8be5c3fcfc)
2019-10-03 09:50:26 +02:00
Ondřej Surý
e5474241e9 lib/dns/name.c: Fix dereference before DbC check reported by Cppcheck
(cherry picked from commit 0f5860aad3)
2019-10-03 09:50:26 +02:00
Ondřej Surý
df21cac6a8 lib/dns/gssapi_link.c: Fix %d -> %u formatting when printing unsigned integers
(cherry picked from commit cea871464f)
2019-10-03 09:50:26 +02:00
Ondřej Surý
e3ccbb7dc0 Fix passing NULL after the last typed argument to a variadic function leads to undefined behaviour.
From Cppcheck:

Passing NULL after the last typed argument to a variadic function leads to
undefined behaviour.  The C99 standard, in section 7.15.1.1, states that if the
type used by va_arg() is not compatible with the type of the actual next
argument (as promoted according to the default argument promotions), the
behavior is undefined.  The value of the NULL macro is an implementation-defined
null pointer constant (7.17), which can be any integer constant expression with
the value 0, or such an expression casted to (void*) (6.3.2.3). This includes
values like 0, 0L, or even 0LL.In practice on common architectures, this will
cause real crashes if sizeof(int) != sizeof(void*), and NULL is defined to 0 or
any other null pointer constant that promotes to int.  To reproduce you might be
able to use this little code example on 64bit platforms. If the output includes
"ERROR", the sentinel had only 4 out of 8 bytes initialized to zero and was not
detected as the final argument to stop argument processing via
va_arg(). Changing the 0 to (void*)0 or 0L will make the "ERROR" output go away.

void f(char *s, ...) {
    va_list ap;
    va_start(ap,s);
    for (;;) {
        char *p = va_arg(ap,char*);
        printf("%018p, %s\n", p, (long)p & 255 ? p : "");
        if(!p) break;
    }
    va_end(ap);
}

void g() {
    char *s2 = "x";
    char *s3 = "ERROR";

    // changing 0 to 0L for the 7th argument (which is intended to act as
    // sentinel) makes the error go away on x86_64
    f("first", s2, s2, s2, s2, s2, 0, s3, (char*)0);
}

void h() {
    int i;
    volatile unsigned char a[1000];
    for (i = 0; i<sizeof(a); i++)
        a[i] = -1;
}

int main() {
    h();
    g();
    return 0;
}

(cherry picked from commit d8879af877)
2019-10-03 09:50:26 +02:00
Ondřej Surý
a3abf117ad lib/dns/ecdb.c: Fix couple of DbC conditions reported by Cppcheck
(cherry picked from commit 91cc6b9eb9)
2019-10-03 09:50:25 +02:00
Ondřej Surý
a8a0c78927 Fix the constification of the dns_name_t * result variable for dns_tsig_identity()
(cherry picked from commit fa7475b77a)
2019-10-03 09:50:25 +02:00
Ondřej Surý
67978007a2 bin/named/zoneconf.c: Reset dns_name_t *tsig on every view iteration
(cherry picked from commit 43925b2a8b)
2019-10-03 09:50:25 +02:00
Ondřej Surý
adb4e80f58 Change dns_tsigkey_identity from macro to a function and const argument and result
(cherry picked from commit 2e304b0b7f)
2019-10-03 09:50:25 +02:00
Ondřej Surý
2163567cb8 Constify dns_name_t *signer argument to dns_acl_allowed()
(cherry picked from commit 4d2697b31c)
2019-10-03 09:50:25 +02:00
Ondřej Surý
3a10558787 bin/named/server.c: Fix couple of DbC conditions reported by Cppcheck
(cherry picked from commit 476277a6e6)
2019-10-03 09:50:25 +02:00
Ondřej Surý
dfe1bb5388 bin/dig/dighost.c: Fix REQUIRE(!= NULL) condition after the variable has been dereferenced
(cherry picked from commit 9366ca769f)
2019-10-03 09:50:25 +02:00
Ondřej Surý
a2c7b2f619 bin/delv/delv.c: Fix invalid logic operation in REQUIRE() condition
(cherry picked from commit 9ab16d10d4)
2019-10-03 09:50:25 +02:00
Ondřej Surý
b9cb767cbf Add Cppcheck job to the CI
This MR changes the default Debian sid build to wrap make with bear
that creates compilation database and use the compilation database
to run Cppcheck on the source files systematically.

The job is currently set to be allowed to fail as it will take some
time to fix all the Cppcheck detected issues.

(cherry picked from commit f55dc51f42)
2019-10-03 09:50:25 +02:00
Tinderbox User
d410de0545 Merge branch 'prep-release' into security-v9_14 2019-10-02 06:24:10 +00:00
Tinderbox User
4ee12e5337 prep 9.14.7 2019-10-02 06:21:57 +00:00
Evan Hunt
70da456043 Merge branch '16-security-mirror-key-check-security-v9_14' into 'security-v9_14' 2019-10-01 22:38:47 -07:00
Evan Hunt
8af8d626d3 CHANGES, release note
(cherry picked from commit 03278d6062)
2019-10-01 22:38:45 -07:00
Evan Hunt
4c09be6309 fix mirror zone trust anchor check
- compare key data when checking for a trust anchor match.
- allow for the possibility of multiple trust anchors with the same key ID
  so we don't overlook possible matches.

(cherry picked from commit bc727e5ccc)
2019-10-01 22:38:30 -07:00
Evan Hunt
95b2398fdf Merge branch 'marka-forward-to-non-recursive-security-v9_14' into 'security-v9_14' 2019-10-01 22:15:24 -07:00
Mark Andrews
4c56b3c556 add release note entry
(cherry picked from commit b7442e4389)
2019-10-01 22:15:24 -07:00
Mark Andrews
2ee9a6ee4e add CHANGES
(cherry picked from commit 21553af7cc)
2019-10-01 22:15:21 -07:00
Mark Andrews
8766962f22 reset fctx->qmindcname and fctx->qminname after processing a delegation
(cherry picked from commit 622bef6aec)
2019-10-01 22:14:22 -07:00
Mark Andrews
22247084e3 check recovery from forwarding to a non-recursive server
(cherry picked from commit 47d285a7d6)
2019-10-01 22:14:22 -07:00
Evan Hunt
7434f80008 Merge branch '1191-qmin-fetch-failure-v9_14' into 'v9_14'
SERVFAIL if a prior qmin fetch has not been canceled when a new one starts

See merge request isc-projects/bind9!2426
2019-10-02 00:45:55 -04:00
Evan Hunt
31636d05c4 CHANGES
(cherry picked from commit 1d741c5c0f)
2019-10-01 21:20:38 -07:00
Evan Hunt
b632142526 SERVFAIL if a prior qmin fetch has not been canceled when a new one starts
(cherry picked from commit 488cb4da10)
2019-10-01 21:20:20 -07:00
Ondřej Surý
dd4c4d155c Merge branch '846-dig-idn-alabel-fallback-v9_14' into 'v9_14'
Resolve "dig cannot display ACE query if locale is not unicode"

See merge request isc-projects/bind9!2413
2019-09-30 06:51:14 -04:00
Ondřej Surý
b5ca157e2a Add CHANGES for GL #846
(cherry picked from commit dccec984c0)
2019-09-30 11:53:28 +02:00
Ondřej Surý
f5d443aa56 Test of valid A-label in locale that cannot display it only with non-broken idn2
The libidn2 library on Ubuntu Bionic is broken and idn2_to_unicode_8zlz() does't
fail when it should.  This commit ensures that we don't run the system test for
valid A-label in locale that cannot display with the buggy libidn2 as it would
break the tests.

(cherry picked from commit c42e3583f9)
2019-09-30 11:53:28 +02:00
Petr Menšík
b3bc4f6eac Emit warning on IDN output failure
Warning is emitted before any dig headers.

(cherry picked from commit 21371abd72)
2019-09-30 11:53:28 +02:00
Petr Menšík
30bf32365f Modify idna test to fallback to ACE
Test valid A-label on input would be displayed as A-label on output if
locale does not allow U-label.

(cherry picked from commit ac0cf85f09)
2019-09-30 11:53:28 +02:00
Petr Menšík
a38aa7f674 Fallback to ASCII on output IDN conversion error
It is possible dig used ACE encoded name in locale, which does not
support converting it to unicode. Instead of fatal error, fallback to
ACE name on output.

(cherry picked from commit c8a871e908)
2019-09-30 11:53:28 +02:00
Mark Andrews
93c334dd41 Merge branch 'marka-correct-list-v9_14' into 'v9_14'
use correct list

See merge request isc-projects/bind9!2411
2019-09-28 21:19:40 -04:00
Mark Andrews
76a15b6fe8 Address cut-and-paste error where list name was not changed in one instance for change 5292.
(cherry picked from commit 9cd308ac5e)
2019-09-29 10:52:31 +10:00
Michał Kępień
72d5660a15 Merge branch '147-add-windows-to-gitlab-ci-v9_14' into 'v9_14'
[v9_14] Add Windows to GitLab CI

See merge request isc-projects/bind9!2408
2019-09-27 07:18:10 -04:00
Michał Kępień
f861d5d156 Update Windows-specific documentation
Bring the files describing Windows-specific aspects of building and
installing BIND up to date.  Remove the parts which are either outdated
(e.g. 32-bit build instructions), already included elsewhere (e.g. the
list of Windows systems BIND is known to run on), or inconvenient to
keep up to date in the long run (e.g. ARM chapter numbers).

(cherry picked from commit 646fcb733e)
2019-09-27 09:16:02 +02:00
Michał Kępień
4fa3b4ff9c Add Windows to GitLab CI
Ensure BIND can be tested on Windows in GitLab to more quickly catch
build and test errors on that operating system.

Some notes:

  - While build jobs are triggered for all pipelines, system test jobs
    are not - due to the time it takes to run the complete system test
    suite on Windows (about 20 minutes), the latter are only run for
    pipelines created through GitLab's web interface and for pipelines
    created for Git tags.

  - Only the "Release" build configuration is currently used.  Adding
    "Debug" builds is a matter of extending .gitlab-ci.yml, but it was
    not done for the time being due to questionable usefulness of
    performing such builds in GitLab CI.

  - Only a 64-bit build is performed.  Adding support for 32-bit builds
    is not planned to be implemented.

  - Unit tests are still not run on Windows, but adding support for that
    is on the roadmap.

  - All Windows GitLab CI jobs are run inside Windows Server containers,
    using the Custom executor feature of GitLab Runner as Windows Server
    2016 is not supported by GitLab Runner's native Docker on Windows
    executor and Windows Server 2019 is not yet widely available from
    hosting providers.

  - The Windows Docker image used by GitLab CI is not stored in the
    GitLab Container Registry as it is over 27 GB in size and thus
    passing it between GitLab and its runners is impractical.

  - There is no vcvarsall.bat variant written in PowerShell and batch
    scripts are no longer supported by GitLab Runner Custom executor, so
    the environment variables set by vcvarsall.bat are injected back
    into the PowerShell environment by processing the output of "set".

  - Visual Studio parallel builds are a bit different than "make -jX"
    builds as parallelization happens in two tiers: project parallelism
    (controlled by the "/maxCpuCount" msbuild.exe switch) and compiler
    parallelism (controlled by the "/MP" cl.exe switch).  To limit the
    total number of compiler processes spawned concurrently to a value
    similar to the one used for Unix builds, msbuild.exe is allowed to
    build at most 2 projects at once, each of which can spawn up to half
    of BUILD_PARALLEL_JOBS worth of compiler processes.  Using such
    parameters is a fairly arbitrary decision taken to solve the
    trade-off between compilation speed and runner load.

  - Configuring network addresses in Windows Server containers is
    tricky.  Adding 10.53.0.1/24 and similar addresses to the vEthernet
    interface created by Docker never causes ifconfig.bat to fail, but
    in fact only one container can have any given IP address configured
    at any given time (the request to add the same address in another
    container is silently ignored).  Thus, in order to allow multiple
    system test jobs to be run in parallel, the addresses used in system
    tests are configured on the loopback interfaces.  Interestingly
    enough, the addresses set on the loopback interfaces... persist
    between containers.  Fortunately, this is acceptable for the time
    being and only requires ifconfig.bat failures to be ignored (as
    ifconfig.bat will fail if it attempts to configure an already
    existing address on an interface).  We also need to wait for a brief
    moment after calling ifconfig.bat as the addresses the latter
    attempts to configure may not be immediately available after it
    returns (and that causes runall.sh to error out).  Finally, for some
    reason we also need to signal that the DNS servers on each loopback
    interface are to be configured using DHCP or else ifconfig.bat will
    fail to add the requested addresses.

  - Since named.pid files created by named instances used in system
    tests contain Windows PIDs instead of Cygwin PIDs and various
    versions of Cygwin "kill" react differently when passed Windows PIDs
    without the -W switch, all "kill" invocations in GitLab CI need to
    use that switch (otherwise they would print error messages which
    would cause stop.pl to assume the process being killed died
    prematurely).  However, to preserve compatibility with older Cygwin
    versions used in our other Windows test environments, we alter the
    relevant scripts "on the fly" rather than in the Git repository.

  - In the containers used for running system tests, Windows Error
    Reporting is configured to automatically create crash dumps in
    C:\CrashDumps.  This directory is examined after the test suite is
    run to ensure no crashes went under stop.pl's radar.

(cherry picked from commit ca36405a3d)
2019-09-27 09:16:02 +02:00
Michał Kępień
6ab9726038 Fix the "statschannel" system test on Windows
The SYSTEMTESTTOP variable is set by bin/tests/system/run.sh.  When
system tests are run on Windows, that variable will contain an absolute
Cygwin path.  In the case of the "statschannel" system test, using the
unmodified SYSTEMTESTTOP variable in tests.sh causes the RNDCCMD
variable to contain an invocation of a native Windows application with
an absolute Cygwin path passed as a parameter, which prevents rndc from
working in that system test.  Until we have a cleaner solution, override
SYSTEMTESTTOP with a relative path to work around the issue and thus fix
the "statschannel" system test on Windows.

(cherry picked from commit 4deb2a48d9)
2019-09-27 09:16:02 +02:00
Michał Kępień
d20a928435 Fix system test error reporting on Windows
Make sure the CYGWIN environment variable is set whenever system tests
are run on Windows to prevent stop.pl from making incorrect assumptions
about the environment it is running in, which triggers e.g. false
reports about named instances crashing on shutdown when system tests are
run on Windows.  This issue has not been caught earlier because the
CYGWIN environment variable was incidentally being set on a higher level
in our Windows test environments.

Error reporting for parallel system tests on Windows has been broken all
along: since all parallel.mk targets generated by parallel.sh pipe their
output through "tee", the return code from run.sh is lost and thus
running "make -f parallel.mk check" will not yield a non-zero return
code if some system tests fail.  The same applies to runsequential.sh.
Yet, runall.sh on Windows only sets its return code to a non-zero value
if either "make -f parallel.mk check" or runsequential.sh returns a
non-zero return code.  Fix by making runall.sh yield a non-zero return
code when testsummary.sh fails, which is the same approach as the one
used in the "test" target in bin/tests/system/Makefile.

(cherry picked from commit fed397c04b)
2019-09-27 09:16:02 +02:00
Michał Kępień
78a3cacf8d Make VS solution upgrading unnecessary
Until now, the build process for BIND on Windows involved upgrading the
solution file to the version of Visual Studio used on the build host.
Unfortunately, the executable used for that (devenv.exe) is not part of
Visual Studio Build Tools and thus there is no clean way to make that
executable part of a Windows Server container.

Luckily, the solution upgrade process boils down to just adding XML tags
to Visual Studio project files and modifying certain XML attributes - in
files which we pregenerate anyway using win32utils/Configure.  Thus,
extend win32utils/Configure with three new command line parameters that
enable it to mimic what "devenv.exe bind9.sln /upgrade" does.  This
makes the devenv.exe build step redundant and thus facilitates building
BIND in Windows Server containers.

(cherry picked from commit 0476e8f1ac)
2019-09-27 09:16:02 +02:00
Michał Kępień
90b8e590b7 Enable building dnssec-cds.exe
Build configuration for the dnssec-cds Visual Studio project is absent
from the solution file template, which means the solution needs to be
upgraded using "devenv bind9.sln /upgrade" in order for the dnssec-cds
project to be built.  Add the build configuration for dnssec-cds to the
solution file template so that upgrading the solution is not necessary
for building that project.

(cherry picked from commit 1d5259b0a0)
2019-09-27 09:16:02 +02:00
Michał Kępień
d43392e546 Drop named-checkzone dependency on libbind9
named-checkzone does not use libbind9.  Update the Visual Studio project
file template for named-checkzone to reflect that, thus preventing
compilation issues during parallel builds.

(cherry picked from commit 918ebd9830)
2019-09-27 09:16:02 +02:00
Michał Kępień
1bf5a95774 Add missing nsupdate dependency on libirs
When commit 8eb88aafee removed liblwres,
it also modified nsupdate to use libirs instead of liblwres, but the
Visual Studio project files were not updated to reflect that change.
Make sure the nsupdate Visual Studio project depends on the libirs
project to prevent compilation issues during parallel builds.

(cherry picked from commit de1859422e)
2019-09-27 09:16:02 +02:00
Michał Kępień
cfb6e311a0 Merge branch 'marka-win32-vsconf-v9_14' into 'v9_14'
[v9_14] allow VSCONF to be overridden at runtime

See merge request isc-projects/bind9!2406
2019-09-27 03:15:19 -04:00
Mark Andrews
fea03c8a43 allow VSCONF to be overridden at runtime
(cherry picked from commit 2433e3e808)
2019-09-27 09:14:10 +02:00
Mark Andrews
d44a1289c9 Merge branch 'marka-resolver-fix-v9_14' into 'v9_14'
use test specific shell variables

See merge request isc-projects/bind9!2388
2019-09-27 03:07:43 -04:00
Mark Andrews
fd916bf406 use test specific shell variables
(cherry picked from commit 4a5400c1b7)
2019-09-27 16:23:27 +10:00
Ondřej Surý
6d2092e749 Merge branch 'ondrej/fix-clang-10-error-v9_14' into 'v9_14'
Silence false positive warning from Clang 10 in random_test.c

See merge request isc-projects/bind9!2405
2019-09-26 09:25:44 -04:00
Ondřej Surý
903fab5f6c Silence false positive warning from Clang 10 in random_test.c
(cherry picked from commit 9ff02c8170)
2019-09-26 15:24:56 +02:00
Michał Kępień
3096e11af9 Merge branch 'michal/prevent-unbuffered-stderr-io-on-windows-v9_14' into 'v9_14'
[v9_14] Prevent unbuffered stderr I/O on Windows

See merge request isc-projects/bind9!2401
2019-09-26 08:00:54 -04:00
Michał Kępień
b440d30a78 Prevent unbuffered stderr I/O on Windows
Make stderr fully buffered on Windows to improve named performance when
it is logging to stderr, which happens e.g. in system tests.  Note that:

  - line buffering (_IOLBF) is unavailable on Windows,

  - fflush() is called anyway after each log message gets written to the
    default stderr logging channels created by libisc.

(cherry picked from commit c72da3497d)
2019-09-26 13:56:38 +02:00
Ondřej Surý
7f55b7d60c Merge branch '1246-fix-stdatomic-shim-for-win32-v9_14' into 'v9_14'
Resolve "Add atomic_fetch_add and atomic_fetch_or shims"

See merge request isc-projects/bind9!2399
2019-09-26 07:43:16 -04:00
Ondřej Surý
9d400c7d89 Fix the wrong function for the atomic_fetch_add_explicit64 shim on non-WIN64 build 2019-09-26 13:01:26 +02:00
Michał Kępień
75bc9ea249 Merge branch 'michal/prevent-cygwin-from-concealing-non-abort-crashes-v9_14' into 'v9_14'
Prevent Cygwin from concealing non-abort() crashes

See merge request isc-projects/bind9!2394
2019-09-26 04:38:08 -04:00
Michał Kępień
239c1195d5 Prevent Cygwin from concealing non-abort() crashes
BIND system tests are run in a Cygwin environment.  Apparently Cygwin
shell sets the SEM_NOGPFAULTERRORBOX bit in its process error mode which
is then inherited by all spawned child processes.  This bit prevents the
Windows Error Reporting dialog from being displayed, which I assume is
part of an effort to contain memory handling errors triggered by Cygwin
binaries in the Cygwin environment.  Unfortunately, this also prevents
automatic crash dump creation by Windows Error Reporting and Cygwin
itself does not handle memory errors in native Windows processes spawned
from a Cygwin shell.

Fix by clearing the SEM_NOGPFAULTERRORBOX bit inside named if it is
started in a Cygwin environment, thus overriding the Cygwin-set process
error mode in order to enable Windows Error Reporting to handle all
named crashes.

(cherry picked from commit 3d4b17806f)
2019-09-26 10:34:40 +02:00
Michał Kępień
8dfb51b15d Merge branch '1245-properly-initialize-libxml2-v9_14' into 'v9_14'
[v9_14] Properly initialize libxml2

See merge request isc-projects/bind9!2392
2019-09-26 04:31:55 -04:00
Michał Kępień
258f48bcf0 Add CHANGES entry
5293.	[bug]		On Windows, named crashed upon any attempt to fetch XML
			statistics from it. [GL #1245]

(cherry picked from commit b5bcd4b8d6)
2019-09-26 10:28:52 +02:00
Michał Kępień
e9f9062732 Properly initialize libxml2
When libxml2 is to be used in a multi-threaded application, the
xmlInitThreads() function must be called before any other libxml2
function.  This function does different things on various platforms and
thus one can get away without calling it on Unix systems, but not on
Windows, where it initializes critical section objects used for
synchronizing access to data structures shared between threads.  Add the
missing xmlInitThreads() call to prevent crashes on affected systems.

Also add a matching xmlCleanupThreads() call to properly release the
resources set up by xmlInitThreads().

(cherry picked from commit a3c0b00ef6)
2019-09-26 10:28:51 +02:00
Mark Andrews
4d725a54b8 Merge branch '1205-named-crashes-when-setting-nsec3param-v9_14' into 'v9_14'
Resolve "named crashes when setting nsec3param"

See merge request isc-projects/bind9!2379
2019-09-23 23:06:24 -04:00
Mark Andrews
75a8acf3ab add CHANGES
(cherry picked from commit 31c8f66f25)
2019-09-24 11:38:06 +10:00
Mark Andrews
bf63ff09c1 Queue nsec3param setting until receive_secure_serial has completed.
(cherry picked from commit 456888c00f)
2019-09-24 11:37:37 +10:00
Mark Andrews
553313c2c2 Move dns_zone_setdb() to after the db is created.
Addresses the database changing w/o the changes being done under task lock.
Fix: build the database before assigning it to the zone.

(cherry picked from commit 4e686f40e0)
2019-09-24 11:37:37 +10:00
Michał Kępień
c6d9e9cd8f Merge branch 'michal/run-freebsd-jobs-automatically-for-all-pipelines-v9_14' into 'v9_14'
[v9_14] Run FreeBSD jobs automatically for all pipelines

See merge request isc-projects/bind9!2353
2019-09-17 14:26:16 -04:00
Michał Kępień
7c992a0e57 Run FreeBSD jobs automatically for all pipelines
No problems have been observed on the FreeBSD GitLab CI runner during
the burn-in period, when FreeBSD jobs needed to be triggered manually.
Thus, make the FreeBSD jobs run automatically along other GitLab CI
jobs.

(cherry picked from commit f7bc95409d)
2019-09-17 20:24:37 +02:00
Michal Nowak
b479738b20 Merge branch 'mnowak/Red_Hat_find_docbook-xsl-v9_14' into 'v9_14'
Find docbook-xsl and dblatex templates on Red Hat/Fedora

See merge request isc-projects/bind9!2351
2019-09-17 12:07:26 -04:00
Michal Nowak
5347941ef1 Remove unused configure checks for dblatex
(cherry picked from commit c871dda0aa)
2019-09-17 17:03:44 +02:00
Michal Nowak
df6e06e941 Find docbook-xsl and dblatex templates on Red Hat/Fedora
`/usr/share/sgml/docbook/xsl-stylesheets` and `/usr/share/dblatex` are
places where docbook-style-xsl and, respectively, dblatex packages on
Red Hat systems put their XSL templates. Unless we hint this place it
has to be added to `./configure` manually (`--with-docbook-xsl=...`):
https://src.fedoraproject.org/rpms/bind/blob/master/f/bind.spec#_691.

On Fedora 30:

Before
```
./configure
...
checking for Docbook-XSL path... auto
checking for html/docbook.xsl... "not found"
checking for xhtml/docbook.xsl... "not found"
checking for manpages/docbook.xsl... "not found"
checking for html/chunk.xsl... "not found"
checking for xhtml/chunk.xsl... "not found"
checking for html/chunktoc.xsl... "not found"
checking for xhtml/chunktoc.xsl... "not found"
checking for html/maketoc.xsl... "not found"
checking for xhtml/maketoc.xsl... "not found"
checking for xsl/docbook.xsl... "not found"
checking for xsl/latex_book_fast.xsl... "not found"
```

After:
```
./configure
...
checking for Docbook-XSL path... auto
checking for html/docbook.xsl... /usr/share/sgml/docbook/xsl-stylesheets/html/docbook.xsl
checking for xhtml/docbook.xsl... /usr/share/sgml/docbook/xsl-stylesheets/xhtml/docbook.xsl
checking for manpages/docbook.xsl... /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
checking for html/chunk.xsl... /usr/share/sgml/docbook/xsl-stylesheets/html/chunk.xsl
checking for xhtml/chunk.xsl... /usr/share/sgml/docbook/xsl-stylesheets/xhtml/chunk.xsl
checking for html/chunktoc.xsl... /usr/share/sgml/docbook/xsl-stylesheets/html/chunktoc.xsl
checking for xhtml/chunktoc.xsl... /usr/share/sgml/docbook/xsl-stylesheets/xhtml/chunktoc.xsl
checking for html/maketoc.xsl... /usr/share/sgml/docbook/xsl-stylesheets/html/maketoc.xsl
checking for xhtml/maketoc.xsl... /usr/share/sgml/docbook/xsl-stylesheets/xhtml/maketoc.xsl
checking for xsl/docbook.xsl... /usr/share/dblatex/xsl/docbook.xsl
checking for xsl/latex_book_fast.xsl... /usr/share/dblatex/xsl/latex_book_fast.xsl
```

(cherry picked from commit 0055b9616e)
2019-09-17 17:03:44 +02:00
Ondřej Surý
236e47beec Merge branch 'ondrej/improve-flycheck-configuration-v9_14' into 'v9_14'
Remove the current directory from the flycheck configuration

See merge request isc-projects/bind9!2349
2019-09-17 07:31:08 -04:00
Ondřej Surý
28241706c6 Remove the current directory from the flycheck configuration 2019-09-17 13:07:23 +02:00
Michal Nowak
b792a3bc02 Merge branch 'mnowak_README_fixes-v9_14' into 'v9_14'
Various README.md and README fixes

See merge request isc-projects/bind9!2337
2019-09-16 01:46:46 -04:00
Michal Nowak
3ec897c97e Various README.md and README fixes
Fixing typos, typographical glitches. Added backticks around binaries,
modules, and libraries so it's more consistent. Added a paragraph with
ISC Security Policy.

(cherry picked from commit 4e2fdd7ee9)
2019-09-16 07:45:16 +02:00
Mark Andrews
974fc3c3f4 Merge branch 'marka-win32-fixup-v9_11-v9_14' into 'v9_14'
reinstate error handler

See merge request isc-projects/bind9!2341
2019-09-13 00:31:22 -04:00
Mark Andrews
31a905775c reinstate error handler
(cherry picked from commit 7fb0a0db53)
2019-09-13 14:29:54 +10:00
Mark Andrews
1aff269e6a Merge branch 'marka-win32-fixup-v9_11-v9_14' into 'v9_14'
win32 fixup v9_11

See merge request isc-projects/bind9!2340
2019-09-13 00:28:01 -04:00
Mark Andrews
946f08db99 declare alloc_failure
(cherry picked from commit 0d23bc5b55)
2019-09-13 14:26:36 +10:00
Mark Andrews
fd395947ad declare result
(cherry picked from commit 9ee27573af)
2019-09-13 14:26:36 +10:00
Michał Kępień
ab6db576e2 Merge branch 'michal/add-freebsd-to-ci-v9_14' into 'v9_14'
[v9_14] Add FreeBSD to CI

See merge request isc-projects/bind9!2334
2019-09-12 09:23:38 -04:00
Michał Kępień
097989cf59 Add FreeBSD to GitLab CI
Ensure BIND can be tested on FreeBSD in GitLab to more quickly catch
build and test errors on that operating system.  Make the relevant jobs
optional until the CI environment supporting them is deemed stable
enough for continuous use.

FreeBSD jobs are run using the Custom executor feature of GitLab Runner.
Unlike the Docker executor, the Custom executor does not support the
"image" option and thus some way of informing the runner about the OS
version to use for a given job is necessary.  Arguably the simplest way
of doing that without a lot of code duplication in .gitlab-ci.yml would
be to use a YAML template with a "variables" block specifying the
desired FreeBSD release to use, but including such a template in a job
definition would cause issues in case other variables also needed to be
set for that job (e.g. CFLAGS or EXTRA_CONFIGURE for build jobs).  Thus,
only one FreeBSD YAML template is defined instead and the Custom
executor scripts on FreeBSD runners extract the OS version to use from
the CI job name.  This allows .gitlab-ci.yml variables to be defined for
FreeBSD jobs in the same way as for Docker-based jobs.

(cherry picked from commit 51af91d007)
2019-09-12 15:00:38 +02:00
Michał Kępień
83ceebef81 Set --logfile for all kyua invocations
When kyua is called without the --logfile command line option, the log
file is created at a default location which is derived from the HOME
environment variable.  On FreeBSD GitLab CI runners, /home is a
read-only directory and thus kyua invocations not using the --logfile
option fail when HOME is set to something beneath /home.  Set --logfile
to /dev/null for all kyua invocations whose logs are irrelevant in order
to prevent kyua failures caused by HOME being non-writable.

(cherry picked from commit 1bffa602ba)
2019-09-12 15:00:34 +02:00
Michał Kępień
84fdc4034f Merge branch 'michal/misc-doc-fixes-v9_14' into 'v9_14'
[v9_14] Miscellaneous documentation fixes

See merge request isc-projects/bind9!2330
2019-09-12 08:01:33 -04:00
Michał Kępień
bf4c9450ca README: do not mention /usr/include on macOS
For newer versions of Xcode, "xcode-select --install" no longer installs
system headers into /usr/include (instead, they are installed in the
Xcode directory tree), so do not mention that path in the macOS section
of README to prevent confusion.

(cherry picked from commit 5af0b1d1d3)
2019-09-12 13:58:01 +02:00
Mark Andrews
973eac118d Merge branch 'marka-split-notes-v9_14' into 'v9_14'
split notes.xml into sections v9_14

See merge request isc-projects/bind9!2327
2019-09-12 06:06:42 -04:00
Mark Andrews
9f612e0850 split notes.xml into sections 2019-09-12 20:05:05 +10:00
Mark Andrews
eeb281641b Merge branch '1043-cppcheck-detected-code-issues-v9_14' into 'v9_14'
Resolve "cppcheck-detected code issues"

See merge request isc-projects/bind9!2332
2019-09-12 06:01:25 -04:00
Mark Andrews
57824120e4 address or suppress cppcheck warnings
(cherry picked from commit b59fe46e76)
2019-09-12 19:27:28 +10:00
Tinderbox User
39057cceec Merge branch 'prep-release' into v9_14 2019-09-09 14:51:54 +00:00
Tinderbox User
87bcd335d6 prep for 9.14.6 2019-09-09 14:09:52 +00:00
Tinderbox User
2a2d8d00aa prep for 9.14.6 2019-09-09 13:34:28 +00:00
Mark Andrews
57a21490bf Merge branch 'marka-fix-insist-v9_14' into 'v9_14'
Address "Value stored to 'dscpcount' is never read"

See merge request isc-projects/bind9!2319
2019-09-06 03:06:00 -04:00
Mark Andrews
34f4295d1f also insist that keycount == dscpcount
(cherry picked from commit dbdd19853e)
2019-09-06 16:44:05 +10:00
Mark Andrews
729882ce41 Merge branch '1212-edns-udp-size-docs-not-updated-for-flag-day-changes-v9_14' into 'v9_14'
Resolve "edns-udp-size docs not updated for Flag Day changes"

See merge request isc-projects/bind9!2316
2019-09-05 21:13:27 -04:00
Mark Andrews
91b0e48b2a remove discussion about falling back to plain DNS on timeout
(cherry picked from commit aca78add3a)
2019-09-06 10:51:54 +10:00
Mark Andrews
c628c9a9ad Merge branch '1210-address-potential-null-pointer-dereference-in-rpz-c-v9_14' into 'v9_14'
Resolve "Address potential NULL pointer dereference in rpz.c"

See merge request isc-projects/bind9!2309
2019-09-04 17:51:45 -04:00
Mark Andrews
cc5978a961 add CHANGES
(cherry picked from commit 924f9b9e1d)
2019-09-05 07:29:35 +10:00
Mark Andrews
7b26e2d819 use rpzs->updater as rpz->rpzs is NULL
(cherry picked from commit 3e82a2ea9a)
2019-09-05 07:29:05 +10:00
Mark Andrews
6f729bf3e3 Merge branch '1207-bind-potential-for-null-pointer-de-references-plus-memory-leaks-cwe-476-in-file-dlz_mysqldyn_mod-c-v9_14' into 'v9_14'
Resolve "BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c'"

See merge request isc-projects/bind9!2301
2019-09-04 00:52:15 -04:00
Mark Andrews
ee1636d0c8 add CHANGES
(cherry picked from commit 8b65ac9128)
2019-09-04 14:37:57 +10:00
Mark Andrews
1eafd26fa4 address NULL pointer dereferences
(cherry picked from commit 2de94dd4c4)
2019-09-04 14:37:56 +10:00
Mark Andrews
573f88e5ba Merge branch '837-win32-legacy-system-test-failure-v9_14' into 'v9_14'
Resolve "win32 legacy system test failure"

See merge request isc-projects/bind9!2297
2019-09-03 21:18:57 -04:00
Mark Andrews
33c751c967 add CHANGES
(cherry picked from commit f0fd713f17)
2019-09-04 10:50:23 +10:00
Mark Andrews
0c75cb9a1e silence dos2unix messages
(cherry picked from commit 2390d16955)
2019-09-04 10:50:00 +10:00
Mark Andrews
d72f73af48 implement maxudp under windows
(cherry picked from commit 2f558854b7)
2019-09-04 10:50:00 +10:00
Ondřej Surý
581baceff9 Merge branch '1196-misaligned-address-in-siphash-c-v9_14' into 'v9_14'
Resolve "Misaligned address in siphash.c"

See merge request isc-projects/bind9!2291
2019-09-03 05:00:42 -04:00
Ondřej Surý
77a68cbd4c Fix alignment issues in the native implementation of isc_siphash24()
The native implementation's conversion from the uint8_t buffers to uint64_t now
follows the reference implementation that doesn't require aligned buffers.
2019-09-02 13:21:40 +02:00
Evan Hunt
8057e21421 Merge branch '1146-rpz-expiry-v9_14' into 'v9_14'
remove policies from RPZ summary database when policy zones expire

See merge request isc-projects/bind9!2290
2019-08-30 16:28:33 -04:00
Evan Hunt
25bbe76f4f CHANGES, release note
(cherry picked from commit 38523ac4a8)
2019-08-30 13:08:48 -07:00
Evan Hunt
2a58b03336 when a response-policy zone expires, unload its polices from RPZ summary
(cherry picked from commit 7ba6d592ec)
2019-08-30 13:08:48 -07:00
Evan Hunt
b92b5ef35d Merge branch '1146-rpz-search-v9_14' into 'v9_14'
use an rbtnodechain for wildcard matching in RPZ summary db

See merge request isc-projects/bind9!2286
2019-08-30 14:46:51 -04:00
Evan Hunt
2078d8fcca CHANGES
(cherry picked from commit 22349d919c)
2019-08-29 20:08:16 -07:00
Evan Hunt
326ec91c8b use an rbtnodechain to walk up labels
when looking for a possible wildcard match in the RPZ summary database,
use an rbtnodechain to walk up label by label, rather than using the
node's parent pointer.

(cherry picked from commit 6e9be9a952)
2019-08-29 20:08:16 -07:00
Mark Andrews
2701f9eab0 Merge branch '1189-don-t-escape-commas-when-reporting-named-s-command-line-v9_14' into 'v9_14'
Resolve "Don't escape commas when reporting named's command line."

See merge request isc-projects/bind9!2283
2019-08-29 21:19:24 -04:00
Mark Andrews
7ef47e8979 add CHANGES
(cherry picked from commit ecba23bc24)
2019-08-30 10:42:51 +10:00
Mark Andrews
ed92040d7a don't escape commas when saving named's command line
(cherry picked from commit 70dd93bf8a)
2019-08-30 10:42:48 +10:00
Ondřej Surý
9691ad733b Merge branch 'ondrej/use-needs-kw-in-gitlab-ci-v9_14' into 'v9_14'
Ondrej/use needs kw in gitlab ci v9 14

See merge request isc-projects/bind9!2281
2019-08-29 09:57:24 -04:00
Ondřej Surý
d17168b102 Remove the tkey_test.c from the BIND 9.14 branch, it's no-op here anyway. 2019-08-29 15:37:03 +02:00
Ondřej Surý
1c084c35f0 Fix uninitialized variable warning in restore_nsec3param() 2019-08-29 15:14:24 +02:00
Ondřej Surý
53058ce4b3 Synchronize the .gitlab-ci.yml with master 2019-08-29 15:07:49 +02:00
Ondřej Surý
173ecd41a2 Swap unit and system stages
(cherry picked from commit 3f2de6d39c)
2019-08-29 15:04:06 +02:00
Ondřej Surý
6464b2e962 Further improve the CI by starting the build and docs right after autoreconf
(cherry picked from commit fc834aa4bc)
2019-08-29 15:03:49 +02:00
Ondřej Surý
76e8f7783d Split the system and unit tests into separate stages
(cherry picked from commit 008b73fb41)
2019-08-29 15:02:41 +02:00
Ondřej Surý
1d04597702 Make use of DAG for GitLab Pipelines
GitLab 12.2 has introduced Directed Acyclic Graphs in the GitLab CI[1] that
allow jobs to run out-of-order and not wait for the whole previous stage to
complete.

1. https://docs.gitlab.com/ee/ci/directed_acyclic_graph/

(cherry picked from commit 04ce124279)
2019-08-29 15:02:39 +02:00
Mark Andrews
a12ad253f1 Merge branch '1199-return-value-from-open-not-checked-v9_14' into 'v9_14'
Resolve "Return value from open() not checked."

See merge request isc-projects/bind9!2274
2019-08-28 20:50:36 -04:00
Mark Andrews
768fb45660 check that open() succeeded
(cherry picked from commit 510306c654)
2019-08-29 10:26:00 +10:00
Mark Andrews
f54f73d063 Merge branch '1201-add-llq-option-v9_14' into 'v9_14'
Resolve "Add LLQ option"

See merge request isc-projects/bind9!2271
2019-08-28 03:36:48 -04:00
Mark Andrews
b25262b1df Add support for displaying EDNS option LLQ.
(cherry picked from commit d98f446d3f)
2019-08-28 17:22:11 +10:00
Mark Andrews
aefde2f527 Merge branch '1187-ddns-rejected-if-zone-contains-cds-cdnskey-v9_14' into 'v9_14'
Resolve "DDNS rejected if zone contains CDS/CDNSKEY"

See merge request isc-projects/bind9!2269
2019-08-28 02:40:33 -04:00
Mark Andrews
8959c97667 add CHANGES
(cherry picked from commit ba26c6eb48)
2019-08-28 16:15:29 +10:00
Mark Andrews
f109c56f4e add good and bad CDS / CDNSKEY test zones
(cherry picked from commit 30610eb9a5)
2019-08-28 16:14:46 +10:00
Mark Andrews
491b2ebcf2 fix dnssec system tests that fail now that we call dns_zone_cdscheck
(cherry picked from commit 3705605e0b)
2019-08-28 16:14:45 +10:00
Mark Andrews
545e7cca9d add dns_zone_cdscheck to integrity checks
(cherry picked from commit cd40c9fe61)
2019-08-28 16:14:45 +10:00
Mark Andrews
45402340b6 implement getoriginnode for sdb
(cherry picked from commit 2ebc4776ca)
2019-08-28 16:14:45 +10:00
Evan Hunt
8b4ce7f900 Merge branch 'each-tidy-glue-test-v9_14' into 'v9_14'
remove unneeded files and options from glue test

See merge request isc-projects/bind9!2268
2019-08-27 21:53:22 -04:00
Evan Hunt
b361e7523e remove unneeded files and options from glue test
- the cache-file and check-itegrity options were not needed
- some zones and files were not used

(cherry picked from commit 7b65ea4c11)
2019-08-27 18:26:47 -07:00
Tinderbox User
6cd21bd26e Merge branch 'prep-release' into v9_14 2019-08-21 21:35:31 +00:00
Tinderbox User
cbc0f07a70 prep 9.14.5 2019-08-21 21:35:31 +00:00
Tinderbox User
7f67efcc14 prep 9.14.5 2019-08-21 21:35:30 +00:00
Evan Hunt
18e8b0cd7f Merge branch '1031-multiple-rate-limit-clauses-are-unsupported-v9_14' into 'v9_14'
Resolve "Multiple rate-limit clauses are unsupported"

See merge request isc-projects/bind9!2263
2019-08-21 11:05:00 -04:00
Mark Andrews
f155d1e020 remove reference to rate-limit { domain ...; }
(cherry picked from commit 2275630bc9)
2019-08-21 08:42:01 -06:00
Matthijs Mekking
04e7d2294f Merge branch 'fix-changes-file-dlv-entry-v9_14' into 'v9_14'
Fix CHANGES

See merge request isc-projects/bind9!2260
2019-08-12 06:46:44 -04:00
Matthijs Mekking
6809a5b594 Fix CHANGES
Commit 5d8eba4be0 accidentally
cherry-picked change number 5276 about obsoleting DLV.
2019-08-12 12:23:28 +02:00
Matthijs Mekking
5170a79d09 Merge branch '1074-matthijs-underflow-cachedb-statistics-v9_14' into 'v9_14'
Resolve "underflow in stats channel stale cached RRSIG gauge [ISC-support #14769]"

See merge request isc-projects/bind9!2259
2019-08-12 05:10:57 -04:00
Matthijs Mekking
ea0543a74f Simplify do_stats logic in rbtdb.c
(cherry picked from commit 4c0b0fa6a5)
2019-08-12 10:44:48 +02:00
Evan Hunt
db381b7205 improve ARM text about cache DB statistics
(cherry picked from commit 2ceb4b6a98)
2019-08-12 10:44:25 +02:00
Matthijs Mekking
3e3fd9bb2e Add serve-stale test for ancient RRsets counters
(cherry picked from commit 98b460e604)
2019-08-12 10:44:07 +02:00
Matthijs Mekking
3df7a1961f Move dnssec_keyid_max out rrsettype counters enum
(cherry picked from commit 1cd3516d54)
2019-08-12 10:43:44 +02:00
Matthijs Mekking
5d8eba4be0 Update CHANGES, notes
(cherry picked from commit 6e48abc503)
2019-08-12 10:43:22 +02:00
Matthijs Mekking
a8b29e051e Make rbtdb maintain stale counters
When updating the statistics for RRset types, if a header is marked
stale or ancient, the appropriate statistic counters are decremented,
then incremented.

Also fix some out of date comments.

(cherry picked from commit a3af2c57e7)
2019-08-12 10:42:23 +02:00
Matthijs Mekking
51a3ba45e1 No longer have stale tracking in stats module
Having the decrement/increment logic in stats makes the code hard
to follow. Remove it here and adjust the unit test. The caller
will be responsible for maintaining the correct increments and
decrements for statistics counters (in the following commit).

(cherry picked from commit 48332d4478)
2019-08-12 10:42:12 +02:00
Matthijs Mekking
ca4c9f3b06 Print out ancient type stats with '~' prefix.
The stale RR types are now printed with '#'.  This used to be the
prefix for RR types that were marked ancient, but commit
df50751585 changed the meaning.  It is
probably better to keep '#' for stale RR types and introduce a new
prefix for reintroducing ancient type stat counters.

(cherry picked from commit c9d56a8185)
2019-08-12 10:41:19 +02:00
Michał Kępień
3292b22957 Merge branch '1110-clarify-relationship-between-acls-and-rpz-v9_14' into 'v9_14'
[v9_14] Clarify relationship between ACLs and RPZ

See merge request isc-projects/bind9!2257
2019-08-12 03:50:21 -04:00
Michał Kępień
5d36461feb Clarify relationship between ACLs and RPZ
In the ARM section about RPZ, add text explicitly stating that ACLs take
precedence over RPZ to prevent users from expecting RPZ actions to be
applied to queries coming from clients which are not permitted access to
the resolver by ACLs.

(cherry picked from commit 33bddbb5d1)
2019-08-12 09:48:05 +02:00
Michał Kępień
822e20a721 Merge branch 'michal/implement-a-convenience-function-for-rndc-dumpdb-v9_14' into 'v9_14'
[v9_14] Implement a convenience function for "rndc dumpdb"

See merge request isc-projects/bind9!2249
2019-08-08 09:31:41 -04:00
Michał Kępień
e68255814e Use rndc_dumpdb() in the "sfcache" system test
(cherry picked from commit 4a8b3a8ac0)
2019-08-08 15:12:01 +02:00
Michał Kępień
f520e571b4 Use rndc_dumpdb() in the "serve-stale" system test
(cherry picked from commit 52beeed444)
2019-08-08 15:12:01 +02:00
Michał Kępień
25bd10710a Use rndc_dumpdb() in the "rndc" system test
(cherry picked from commit 443449863b)
2019-08-08 15:12:01 +02:00
Michał Kępień
50f6c92ae6 Use rndc_dumpdb() in the "dnssec" system test
(cherry picked from commit 44c0cc881f)
2019-08-08 15:12:01 +02:00
Michał Kępień
c356748700 Use rndc_dumpdb() in the "cookie" system test
(cherry picked from commit cbf32b901b)
2019-08-08 15:12:01 +02:00
Michał Kępień
66cfb7a34e Use rndc_dumpdb() in the "cacheclean" system test
(cherry picked from commit 22d5355782)
2019-08-08 15:12:01 +02:00
Michał Kępień
841be8d06d Implement a convenience function for "rndc dumpdb"
Add a helper shell function, rndc_dumpdb(), which provides a convenient
way to call "rndc dumpdb" for a given server with optional additional
arguments.  Since database dumping is an asynchronous process, the
function waits until the dump is complete before returning, which
prevents false positives in system tests caused by inspecting the dump
before its preparation is finished.  The function also renames the dump
file before returning so that it does not get overwritten by subsequent
calls; this retains forensic data in case of an unexpected test failure.

(cherry picked from commit ab78e350dd)
2019-08-08 15:12:01 +02:00
Ondřej Surý
d0b9ca1a2e Merge branch '1182-add-older-autoconf-pkg-config-compat-macros-v9_14' into 'v9_14'
Add PKG_CHECK_VAR and AS_VAR_COPY compat macros (Courtesy of ycflash)

See merge request isc-projects/bind9!2247
2019-08-08 09:06:37 -04:00
Ondřej Surý
f9154f3c88 Add PKG_CHECK_VAR and AS_VAR_COPY compat macros (Courtesy of ycflash)
(cherry picked from commit d80b6ec879)
2019-08-08 14:47:56 +02:00
Ondřej Surý
4809483086 Merge branch 'sparc-pause-v9_14' into 'v9_14'
configure.ac: autodetect 'pause' instruction presence on sparc

See merge request isc-projects/bind9!2245
2019-08-08 08:22:46 -04:00
Sergei Trofimovich
e39b03d06d configure.ac: autodetect 'pause' instruction presence on sparc
The change fixes the following build failure on sparc T3 and older CPUs:

```
sparc-unknown-linux-gnu-gcc ... -O2 -mcpu=niagara2 ... -c rwlock.c
{standard input}: Assembler messages:
{standard input}:398: Error: Architecture mismatch on "pause ".
{standard input}:398: (Requires v9e|v9v|v9m|m8; requested architecture is v9b.)
make[1]: *** [Makefile:280: rwlock.o] Error 1
```

`pause` insutruction exists only on `-mcpu=niagara4` (`T4`) and upper.

The change adds `pause` configure-time autodetection and uses it if available.
config.h.in got new `HAVE_SPARC_PAUSE` knob. Fallback is a fall-through no-op.

Build-tested on:

- sparc-unknown-linux-gnu-gcc (no `pause`, build succeeds)
- sparc-unknown-linux-gnu-gcc -mcpu=niagara4 (`pause`, build succeeds)

Reported-by: Rolf Eike Beer
Bug: https://bugs.gentoo.org/691708
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
(cherry picked from commit a5ad6b16c5)
2019-08-08 14:03:29 +02:00
Evan Hunt
e7b8c9b451 Merge branch 'each-mdig-multi-norrcomments-v9_14' into 'v9_14'
minor bugfix in mdig: when using +multi, +norrcomments was ignored

See merge request isc-projects/bind9!2240
2019-08-08 00:15:26 -04:00
Evan Hunt
81312bcf82 added "mdig +multi +norrcomment" test; also fixed the flawed dig test
(cherry picked from commit 93ad3eea90)
2019-08-07 20:52:20 -07:00
Evan Hunt
c2a128587c minor bugfix in mdig: when using +multi, +norrcomments was ignored
(cherry picked from commit edab51b420)
2019-08-07 20:52:20 -07:00
Ondřej Surý
13f4c3b54d Merge branch '1148-deadlock-hangs-named-v9_11-v9_14' into 'v9_14'
Resolve "deadlock hangs named"

See merge request isc-projects/bind9!2235
2019-08-07 06:34:25 -04:00
Ondřej Surý
ebc48cda26 Have the dns_client hold a .references until all external references are removed
so that cleanup can all be done in dns_client_destroy().

(cherry picked from commit e80c4c3431)
2019-08-07 12:15:32 +02:00
Mark Andrews
e394632703 Have the view hold a weakref until all external references are removed
so that cleanup can all be done in dns_view_weakattach().

(cherry picked from commit be8af3afb7)
2019-08-07 12:15:32 +02:00
Ondřej Surý
232140edae lib/dns/resolver.c: Convert (dns_view_t *)->weakrefs to isc_refcount_t
There's a deadlock in BIND 9 code where (dns_view_t){ .lock } and
(dns_resolver_t){ .buckets[i].lock } gets locked in different order.  When
view->weakrefs gets converted to a reference counting we can reduce the locking
in dns_view_weakdetach only to cases where it's the last instance of the
dns_view_t object.

(cherry picked from commit a7c9a52c89)
2019-08-07 12:00:50 +02:00
Evan Hunt
94ba942eab Merge branch '1170-dig-comments-v9_14' into 'v9_14'
Resolve "dig +nocomment still comments"

See merge request isc-projects/bind9!2231
2019-08-06 01:10:43 -04:00
Evan Hunt
e6b8944f9e clarify descriptions of comment-related options in dig usage and man page
(cherry picked from commit 9679c8c20a)
2019-08-05 21:57:09 -07:00
Evan Hunt
4caffaaad2 always check 'printcmd' before printing cmdline message
(cherry picked from commit 6d50f7d924)
2019-08-05 21:57:09 -07:00
Mark Andrews
cb0140bdda Merge branch '964-use-referral-ds-record-when-validating-v9_14' into 'v9_14'
Resolve "Use referral DS record when validating"

See merge request isc-projects/bind9!2228
2019-08-02 02:40:13 -04:00
Mark Andrews
1d925c4068 add CHANGES
(cherry picked from commit ac28cc14e1)
2019-08-02 15:38:00 +10:00
Mark Andrews
c9e6813899 check that example/DS is not fetched when validating a.example
(cherry picked from commit 4293a2f4bf)
2019-08-02 15:34:22 +10:00
Mark Andrews
2e85ede202 Store the DS and RRSIG(DS) with trust dns_trust_pending_answer
so that the validator can validate the records as part of validating
the current request.

(cherry picked from commit 57a328d67e)
2019-08-02 15:34:22 +10:00
Mark Andrews
df6574aa2c Merge branch '1175-a-race-in-ht-c-can-cause-require-failures-v9_14' into 'v9_14'
Resolve "a race in ht.c can cause REQUIRE failures"

See merge request isc-projects/bind9!2226
2019-08-01 02:43:19 -04:00
Mark Andrews
d1e36a5adf add CHANGES
(cherry picked from commit 49c31702bd)
2019-08-01 16:07:00 +10:00
Mark Andrews
f2ab4eb376 remove invalid comment
(cherry picked from commit 9cfd0ecccf)
2019-08-01 16:07:00 +10:00
Mark Andrews
a15e89c3d6 keep rpzs around until everything referencing it has gone
(cherry picked from commit 9b10cfef56)
2019-08-01 16:06:59 +10:00
Mark Andrews
d4551764fd maintain a reference to 'rpz' when calling rpz.c:update_quantum
(cherry picked from commit 53800281fe)
2019-08-01 16:06:59 +10:00
Mark Andrews
f3b4b3601b Merge branch '1159-bits-65-72-of-the-dns64-prefix-are-supposed-to-be-zero-v9_14' into 'v9_14'
Resolve "Bits 64..71 of the dns64 prefix are supposed to be zero"

See merge request isc-projects/bind9!2220
2019-07-31 08:56:28 -04:00
Mark Andrews
06f390e478 add CHANGES
(cherry picked from commit d95ae93dd3)
2019-07-31 22:35:14 +10:00
Mark Andrews
f0fa5ce397 check that bits 64..71 in a dns64 prefix are zero
(cherry picked from commit a7ec7eb6ed)
2019-07-31 22:35:14 +10:00
Michał Kępień
31998f2bf2 Merge branch 'michal/wildcard-system-test-make-root-hints-consistent-with-authoritative-data-v9_14' into 'v9_14'
[v9_14] "wildcard" system test: make root hints consistent with authoritative data

See merge request isc-projects/bind9!2217
2019-07-31 05:43:18 -04:00
Michał Kępień
558ee243a6 Make root hints consistent with authoritative data
Multiple resolvers in the "wildcard" system test are configured with a
single root hint: "ns.root-servers.nil", pointing to 10.53.0.1, which is
inconsistent with authoritative data served by ns1.  This may cause
intermittent resolution failures, triggering false positives for the
"wildcard" system test.  Prevent this from happening by making ns2, ns3,
and ns5 use root hints corresponding to the contents of ns1/root.db.in.

(cherry picked from commit dd430c3093)
2019-07-31 11:07:22 +02:00
Michał Kępień
72915c9d40 Merge branch 'michal/staticstub-system-test-make-root-hints-consistent-with-authoritative-data-v9_14' into 'v9_14'
[v9_14] "staticstub" system test: make root hints consistent with authoritative data

See merge request isc-projects/bind9!2215
2019-07-31 03:42:42 -04:00
Michał Kępień
df4d771ed8 Make root hints consistent with authoritative data
The ns2 named instance in the "staticstub" system test is configured
with a single root hint commonly used in BIND system tests
(a.root-servers.nil with an address of 10.53.0.1), which is inconsistent
with authoritative data served by ns1.  This may cause intermittent
resolution failures, triggering false positives for the "staticstub"
system test.  Prevent this from happening by making ns1 serve data
corresponding to the contents of bin/tests/system/common/root.hint.

(cherry picked from commit 4b5e1da0e3)
2019-07-31 09:18:16 +02:00
Michał Kępień
0cebbd2742 Merge branch 'michal/update-gitlab-ci-to-fedora-30-v9_14' into 'v9_14'
[v9_14] Update GitLab CI to Fedora 30

See merge request isc-projects/bind9!2213
2019-07-31 03:14:26 -04:00
Michał Kępień
947d40692b Update GitLab CI to Fedora 30
Since Fedora 30 is the current Fedora release, replace Fedora 29 GitLab
CI jobs with their up-to-date counterparts.

(cherry picked from commit fac23cf939)
2019-07-31 08:47:36 +02:00
Mark Andrews
3c11f3ea0c Merge branch '1133-your-problem-or-cygwin-s-v9_14' into 'v9_14'
Resolve "Your problem or Cygwin's ?????"

See merge request isc-projects/bind9!2211
2019-07-30 21:26:45 -04:00
Mark Andrews
2b5237c325 add CHANGES
(cherry picked from commit 12d9681442)
2019-07-31 11:03:26 +10:00
Mark Andrews
f6d6fb8124 handle connect() returning ETIMEDOUT on a non-blocking socket
(cherry picked from commit 91a0cb5da3)
2019-07-31 11:02:30 +10:00
Michał Kępień
ef63765c73 Merge branch '1171-alpine-linux-tweaks-v9_14' into 'v9_14'
[v9_14] Alpine Linux tweaks

See merge request isc-projects/bind9!2209
2019-07-30 16:49:16 -04:00
Michał Kępień
6cf79bc963 Add Alpine Linux to GitLab CI
Ensure BIND is continuously tested on Alpine Linux as it is commonly
used as a base for Docker containers and employs a less popular libc
implementation, musl libc.

(cherry picked from commit 326a334b49)
2019-07-30 21:25:47 +02:00
Michał Kępień
8d0cdb54ee Do not use legacy time zone names
"PST8PDT" is a legacy time zone name whose use in modern code is
discouraged.  It so happens that using this time zone with musl libc
time functions results in different output than for other libc
implementations, which breaks the lib/isc/tests/time_test unit test.
Use the "America/Los_Angeles" time zone instead in order to get
consistent output across all tested libc implementations.

(cherry picked from commit f4daf6e0e7)
2019-07-30 21:25:47 +02:00
Michał Kępień
5159597db5 Fix awk invocation in the "verify" system test
Appending output of a command to the same file as the one that command
is reading from is a dangerous practice.  It seems to have accidentally
worked with all the awk implementations we have tested against so far,
but for BusyBox awk, doing this may result in the input/output file
being written to in an infinite loop.  Prevent this from happening by
redirect awk output to a temporary file and appending its contents to
the original file in a separate shell pipeline.

(cherry picked from commit bb9c1654e2)
2019-07-30 21:25:47 +02:00
Michał Kępień
61981b3688 Extend prerequisites for the "xfer" system test
The Net::DNS Perl module needs the Digest::HMAC module to support TSIG.
However, since the latter is not a hard requirement for the former, some
packagers do not make Net::DNS depend on Digest::HMAC.  If Net::DNS is
installed on a host but Digest::HMAC is not, the "xfer" system test
breaks in a very hard-to-debug way (ans5 returns TSIG RRs with empty
RDATA, which prevents TSIG-signed SOA queries and transfers from
working).  Prevent this from happening by making the "xfer" system test
explicitly require Digest::HMAC apart from Net::DNS.

(cherry picked from commit b10d28d1e0)
2019-07-30 21:25:47 +02:00
Michał Kępień
fe7dec851b Make "digdelv" system test work with BusyBox sed
The BusyBox version of sed treats leading '\+' in a regular expression
to be matched as a syntax error ("Repetition not preceded by valid
expression"), which triggers false positives for the "digdelv" system
test.  Make the relevant sed invocations work portably across all sed
implementations by removing the leading backslash.

(cherry picked from commit 266e3ed52a)
2019-07-30 21:25:47 +02:00
Michał Kępień
fdd926d7cb Make "autosign" system test work with BusyBox awk
The BusyBox version of awk treats some variables which other awk
implementations consider to be decimal values as octal values.  This
intermittently breaks key event interval calculations in the "autosign"
system test, trigger false positives for it.  Prevent the problem from
happening by stripping leading zeros from the affected awk variables.

(cherry picked from commit ad008f7dbf)
2019-07-30 21:25:46 +02:00
Michał Kępień
149ffc529d Tweak buffer sizes to prevent compilation warnings
For some libc implementations, BUFSIZ is small enough (e.g. 1024 for
musl libc) to trigger compilation warnings about insufficient size of
certain buffers.  Since the relevant buffers are used for printing DNS
names, increase their size to '(n + 1) * DNS_NAME_FORMATSIZE', where 'n'
is the number of DNS names which are printed to a given buffer.  This
results in somewhat arbitrary, albeit nicely-aligned and large enough
buffer sizes.

(cherry picked from commit 3384455659)
2019-07-30 21:25:46 +02:00
Michał Kępień
3f341b996d Always include <errno.h> instead of <sys/errno.h>
Including <sys/errno.h> instead of <errno.h> raises a compiler warning
when building against musl libc.  Always include <errno.h> instead of
<sys/errno.h> to prevent that compilation warning from being triggered
and to achieve consistency in this regard across the entire source tree.

(cherry picked from commit b5cd146033)
2019-07-30 21:25:46 +02:00
Michał Kępień
80669d8c89 Unify header ordering in unit tests
Make sure all unit tests include headers in a similar order:

 1. Three headers which must be included before <cmocka.h>.
 2. System headers.
 3. UNIT_TESTING definition, followed by the <cmocka.h> header.
 4. libisc headers.
 5. Headers from other BIND libraries.
 6. Local headers.

Also make sure header file names are sorted alphabetically within each
block of #include directives.

(cherry picked from commit 5381ac0fcc)
2019-07-30 21:25:45 +02:00
Michał Kępień
77dc5be6b4 Include <sched.h> where necessary for musl libc
All unit tests define the UNIT_TESTING macro, which causes <cmocka.h> to
replace malloc(), calloc(), realloc(), and free() with its own functions
tracking memory allocations.  In order for this not to break
compilation, the system header declaring the prototypes for these
standard functions must be included before <cmocka.h>.

Normally, these prototypes are only present in <stdlib.h>, so we make
sure it is included before <cmocka.h>.  However, musl libc also defines
the prototypes for calloc() and free() in <sched.h>, which is included
by <pthread.h>, which is included e.g. by <isc/mutex.h>.  Thus, unit
tests including "dnstest.h" (which includes <isc/mem.h>, which includes
<isc/mutex.h>) after <cmocka.h> will not compile with musl libc as for
these programs, <sched.h> will be included after <cmocka.h>.

Always including <cmocka.h> after all other header files is not a
feasible solution as that causes the mock assertion macros defined in
<isc/util.h> to mangle the contents of <cmocka.h>, thus breaking
compilation.  We cannot really use the __noreturn__ or analyzer_noreturn
attributes with cmocka assertion functions because they do return if the
tested condition is true.  The problem is that what BIND unit tests do
is incompatible with Clang Static Analyzer's assumptions: since we use
cmocka, our custom assertion handlers are present in a shared library
(i.e. it is the cmocka library that checks the assertion condition, not
a macro in unit test code).  Redefining cmocka's assertion macros in
<isc/util.h> is an ugly hack to overcome that problem - unfortunately,
this is the only way we can think of to make Clang Static Analyzer
properly process unit test code.  Giving up on Clang Static Analyzer
being able to properly process unit test code is not a satisfactory
solution.

Undefining _GNU_SOURCE for unit test code could work around the problem
(musl libc's <sched.h> only defines the prototypes for calloc() and
free() when _GNU_SOURCE is defined), but doing that could introduce
discrepancies for unit tests including entire *.c files, so it is also
not a good solution.

All in all, including <sched.h> before <cmocka.h> for all affected unit
tests seems to be the most benign way of working around this musl libc
quirk.  While quite an ugly solution, it achieves our goals here, which
are to keep the benefit of proper static analysis of unit test code and
to fix compilation against musl libc.

(cherry picked from commit 59528d0e9d)
2019-07-30 21:25:30 +02:00
Michał Kępień
747dbdcb84 Merge branch 'michal/filter-aaaa-system-test-make-root-hints-consistent-with-authoritative-data-v9_14' into 'v9_14'
[v9_14] "filter-aaaa" system test: make root hints consistent with authoritative data

See merge request isc-projects/bind9!2205
2019-07-29 16:10:45 -04:00
Michał Kępień
7bcb5a3178 Make root hints consistent with authoritative data
Resolvers in the "filter-aaaa" system test are configured with a single
root hint: "ns.rootservers.net", pointing to 10.53.0.1.  However,
querying ns1 for "ns.rootservers.net" results in NXDOMAIN answers.
Since the TTL for the root hint is set to 0, it may happen that a
resolver's ADB will be asked to return any known addresses for
"ns.rootservers.net", but it will only have access to a cached NXDOMAIN
answer for that name and an expired root hint, which will result in a
resolution failure, triggering a false positive for the "filter-aaaa"
system test.  Prevent this from happening by making all the root hints
consistent with authoritative data served by ns1.

(cherry picked from commit c19ebde14b)
2019-07-29 21:44:51 +02:00
Evan Hunt
cd288f14e2 Merge branch '1163-geoip-subtype-fix' into 'v9_14'
fix a bug that could cause an assert when configuring "geoip continent"

See merge request isc-projects/bind9!2200
2019-07-25 22:22:56 -04:00
Evan Hunt
c3a996d547 CHANGES 2019-07-25 22:06:19 -04:00
Evan Hunt
8f1cdaeed9 add a system test, confirming that named fails to reload without crashing 2019-07-25 16:53:01 -04:00
Evan Hunt
326349228a fix a bug that could cause an assert when configuring "geoip continent"
- incidentally fixed some typos in log messages
2019-07-25 15:55:00 -04:00
Ondřej Surý
fd5fc5b46a Merge branch 'ondrej/fix-LD_WRAP-Makefile-v9_14' into 'v9_14'
Fix the lib/dns/tests/Makefile.in to work without LD_WRAP

See merge request isc-projects/bind9!2189
2019-07-23 09:06:49 -04:00
Ondřej Surý
16610d5477 Fix the lib/dns/tests/Makefile.in to work without LD_WRAP
(cherry picked from commit b558346437)
2019-07-23 09:06:12 -04:00
Mark Andrews
b572a5a210 Merge branch '1136-named-checkconf-should-report-missing-dnstap-output-option-when-dnstap-option-is-set-v9_14' into 'v9_14'
Resolve "named-checkconf should report missing dnstap-output option when dnstap option is set"

See merge request isc-projects/bind9!2185
2019-07-23 07:22:13 -04:00
Mark Andrews
2524d76133 named-checkconf failed to report dnstap-output missing
from named.conf when dnstap was specified

(cherry picked from commit a4f38bec6a)
2019-07-23 21:09:34 +10:00
Ondřej Surý
2a2d512ca3 Merge branch 'u/fanf2/arm-rrset-order-random-v9_14' into 'v9_14'
doc/arm: correct default for rrset-order

See merge request isc-projects/bind9!2183
2019-07-22 18:26:56 -04:00
Tony Finch
448ec6acad doc/arm: correct default for rrset-order
(cherry picked from commit bded8af7b8)
2019-07-22 18:25:37 -04:00
Ondřej Surý
1298a2aa40 Merge branch '195-add-dnstap-builds-to-ci-v9_14' into 'v9_14'
Add dnstap builds to CI

See merge request isc-projects/bind9!2181
2019-07-22 18:09:23 -04:00
Michał Kępień
e1006e0a25 Add dnstap builds to CI
Ensure BIND with dnstap support enabled is being continuously tested by
adding --enable-dnstap to the ./configure invocation used for CentOS 7
and Debian sid builds in GitLab CI.

(cherry picked from commit 2bf44c6cd4)
2019-07-22 17:53:27 -04:00
Ondřej Surý
f6bc62e663 Merge branch 'each-fix-ld-wrap-test-v9_14' into 'v9_14'
Fix LD_WRAP test [v9_14]

See merge request isc-projects/bind9!2180
2019-07-22 17:33:56 -04:00
Evan Hunt
b8e6b68d88 Make the symbol wrapping work with dynamic linking
When the unit test is linked with dynamic libraries, the wrapping
doesn't occur, probably because it's different translation unit.

To workaround the issue, we provide thin wrappers with *real* symbol
names that just call the mocked functions.

(cherry picked from commit 839ed7894b)
2019-07-22 17:20:19 -04:00
Ondřej Surý
6ba4b02d67 Fix the configure.ac and Makefile.in to correctly test for --wrap
(cherry picked from commit 135519e59a)
2019-07-22 17:19:51 -04:00
Mark Andrews
97f1bff3cc Merge branch '1106-interaction-between-dns64-and-rpz-can-cause-unexpected-results-v9_14' into 'v9_14'
Resolve "Interaction between dns64 and RPZ can cause unexpected results"

See merge request isc-projects/bind9!2179
2019-07-22 15:31:10 -04:00
Mark Andrews
22471cc532 add CHANGES
(cherry picked from commit b9a1c31df1)
2019-07-23 05:11:47 +10:00
Mark Andrews
4e63bacc04 Do not attempt to perform a DNS64 rewrite if RPZ returns NODATA.
(cherry picked from commit 1eb640049c)
2019-07-23 05:10:41 +10:00
Mark Andrews
984f2cea47 Check that RPZ 'CNAME *.' (NODATA) works with DNS64.
(cherry picked from commit b9dc9b68cd)
2019-07-23 05:10:41 +10:00
Ondřej Surý
712d991b2a Merge branch 'michal/add-debian-buster-to-ci-v9_14' into 'v9_14'
Add Debian buster to CI

See merge request isc-projects/bind9!2176
2019-07-22 11:52:20 -04:00
Michał Kępień
d8a613b78d Add Debian buster to CI
Ensure BIND is continuously tested on Debian 10 (buster) as it is the
current stable Debian release.

(cherry picked from commit 5f71d9c6ac)
2019-07-22 11:26:31 -04:00
Ondřej Surý
1b85e20f03 Merge branch 'ondrej-disable-freebsd-again-v9_14' into 'v9_14'
Disable FreeBSD Runner in the CI; it's broken again.

See merge request isc-projects/bind9!2174
2019-07-22 08:08:09 -04:00
Ondřej Surý
b2401f0caa Disable FreeBSD Runner in the CI; it's broken again.
(cherry picked from commit 747736d361)
2019-07-22 08:07:12 -04:00
Ondřej Surý
01b76c373e Merge branch '605-add-siphash24-v9_14' into 'v9_14'
Resolve "Add SipHash24 and synchronize the Cookie algorithm with other vendors"

See merge request isc-projects/bind9!2170
2019-07-21 17:58:38 -04:00
Ondřej Surý
be0cd728c5 Add CHANGES note 2019-07-21 17:30:53 -04:00
Ondřej Surý
7d8e7b0194 Add release notes 2019-07-21 17:30:53 -04:00
Ondřej Surý
196b342bc9 Add new default siphash24 cookie algorithm
This commit changes the BIND cookie algorithms to match
draft-sury-toorop-dnsop-server-cookies-00.  Namely, it changes the Client Cookie
algorithm to use SipHash 2-4, adds the new Server Cookie algorithm using SipHash
2-4.  The change doesn't make the SipHash 2-4 to be the default algorithm, this
is up to the operator.
2019-07-21 17:30:53 -04:00
Michał Kępień
496397eb3f Make ifconfig.sh work on DragonFly BSD
On DragonFly BSD, use the same commands for configuring network
interfaces used during system tests as on NetBSD and OpenBSD.
2019-07-21 15:37:22 -04:00
Ondřej Surý
84ff6a6963 Revise the Windows section of <isc/endian.h>
Add a comment and remove redundant definitions.
2019-07-21 15:37:22 -04:00
Ondřej Surý
c727a31eab Revise the macOS section of <isc/endian.h>
Move the macOS section of <isc/endian.h> to a lower spot as it is
believed not to be the most popular platform for running BIND.  Add a
comment and remove redundant definitions.
2019-07-21 15:37:22 -04:00
Ondřej Surý
a98c7408fc Make <isc/endian.h> detect GNU rather than Linux
Instead of only supporting Linux, try making <isc/endian.h> support
other GNU platforms as well.  Since some compilers define __GNUC__ on
BSDs (e.g. Clang on FreeBSD), move the relevant section to the bottom of
the platform-specific part of <isc/endian.h>, so that it only gets
evaluated when more specific platform determination criteria are not
met.  Also include <byteswap.h> so that any byte-swapping macros which
may be defined in that file on older platforms are used in the fallback
definitions of the nonstandard hto[bl]e{16,32,64}() and
[bl]e{16,32,64}toh() conversion functions.
2019-07-21 15:37:22 -04:00
Ondřej Surý
5b0f81e549 Add Solaris support for <isc/endian.h>
While Solaris does not support the nonstandard hto[bl]e{16,32,64}() and
[bl]e{16,32,64}toh() conversion functions, it does have some
byte-swapping macros available in <sys/byteorder.h>.  Ensure these
macros are used in the fallback definitions of the aforementioned
nonstandard functions.
2019-07-21 15:37:22 -04:00
Ondřej Surý
973d2991a0 Add fallback definitions to <isc/endian.h>
Since the hto[bl]e{16,32,64}() and [bl]e{16,32,64}toh() conversion
functions are nonstandard, add fallback definitions of these functions
to <isc/endian.h>, so that their unavailability does not prevent
compilation from succeeding.
2019-07-21 15:37:22 -04:00
Michał Kępień
588c14d5c9 Fix <isc/endian.h> on BSD systems
Current versions of DragonFly BSD, FreeBSD, NetBSD, and OpenBSD all
support the modern variants of functions converting values between host
and big-endian/little-endian byte order while older ones might not.
Ensure <isc/endian.h> works properly in both cases.
2019-07-21 15:37:21 -04:00
Ondřej Surý
283101fc89 Add CHANGES entry:
5236.   [func]          Add SipHash 2-4 implementation in lib/isc/siphash.c
                        and switch isc_hash_function() to use SipHash 2-4.
                        [GL #605]

(cherry picked from commit dc9543abb3)
2019-07-21 15:33:53 -04:00
Ondřej Surý
3f826a923f Remove isc_hash_reverse function
(cherry picked from commit d5055665ca)
2019-07-21 15:32:57 -04:00
Ondřej Surý
4e04e3d861 Convert isc_hash functions to use isc_siphash24
(cherry picked from commit 2e7d82443f)
2019-07-21 15:32:57 -04:00
Ondřej Surý
2188a58171 Add tests for the isc_siphash24 function
(cherry picked from commit 2cbf633192)
2019-07-21 15:32:57 -04:00
Ondřej Surý
8d87ad53eb Add reference SipHash 2-4 implementation
(cherry picked from commit a197df137a)
2019-07-21 15:32:56 -04:00
Ondřej Surý
0b050ad4fd Add portable <isc/endian.h> header
(cherry picked from commit 0efc36c19a)
2019-07-21 15:32:56 -04:00
Evan Hunt
3e16bf6ecb Merge branch 'ondrej/fix-leaked-memory-in-geoip_test.c-v9_14' into 'v9_14'
Fix leaked memory in geoip_test.c

See merge request isc-projects/bind9!2157
2019-07-16 19:07:53 -04:00
Ondřej Surý
aad88d2c00 Fix the memory leaks in GeoIP unit test
Each individual test opened GeoIP databases but the database handles were never
closed.  This commit moves the open/close from the individual unit tests into
the _setup and _teardown methods where they really belong.

(cherry picked from commit d1c7b79183)
2019-07-16 15:39:56 -07:00
Witold Krecicki
b8c84a7900 Merge branch 'wpk-fix-compilation-error-statschannel-v9_14' into 'v9_14'
statschannel.c: declare dnssecsignstat_dump only if it's used (LIBXML2 or LIBJSON is available)

See merge request isc-projects/bind9!2144
2019-07-09 14:15:48 -04:00
Witold Kręcicki
4748d7e6d4 statschannel.c: declare dnssecsignstat_dump only if it's used (LIBXML2 or LIBJSON is available) 2019-07-09 19:38:35 +02:00
Tinderbox User
a1f27b4012 Merge branch 'prep-release' into v9_14 2019-07-09 13:55:40 +00:00
Tinderbox User
1f83aca5e8 prep 9.14.4 2019-07-09 13:51:41 +00:00
Ondřej Surý
5dfd116057 Merge branch 'ondrej/missing-ax_restore_flags-geoip2-v9_14' into 'v9_14'
Add missing AX_RESTORE_FLAGS([geoip2]) to configure.ac

See merge request isc-projects/bind9!2142
2019-07-09 08:50:00 -04:00
Ondřej Surý
124595ea7f Add missing AX_RESTORE_FLAGS([geoip2]) to configure.ac
(cherry picked from commit 5c0cc1ee8b)
2019-07-09 14:22:15 +02:00
Evan Hunt
430365772b Merge branch '1131-geoip2-windows-914' into 'v9_14'
add support for building GeoIP2 on windows

See merge request isc-projects/bind9!2134
2019-07-04 17:42:26 -04:00
Evan Hunt
b5032f7a8b add support for building GeoIP2 on windows 2019-07-04 12:05:32 -07:00
Ondřej Surý
387b205a65 Merge branch 'ondrej/kyua.result-location-v9_14' into 'v9_14'
Ondrej/kyua.result location v9 14

See merge request isc-projects/bind9!2129
2019-07-03 14:07:38 -04:00
Ondřej Surý
9ffec881f2 Set number of parallel jobs in .gitlab-ci.yml
(cherry picked from commit f56b88f72e)
2019-07-03 19:24:23 +02:00
Ondřej Surý
e5f565358d Use $KYUA_RESULT in kyua report-html invocation for unified file location
(cherry picked from commit a2a69725ef)
2019-07-03 19:24:23 +02:00
Evan Hunt
36387a3761 Merge branch '1114-windows-build-broken-v9_14' into 'v9_14'
fix broken windows build

See merge request isc-projects/bind9!2128
2019-07-03 13:21:35 -04:00
Evan Hunt
2b8cdc06f9 fix broken windows build
The MSVS C compiler requires every struct to have at least one member.
The dns_geoip_databases_t structure had one set of members for
HAVE_GEOIP and a different set for HAVE_GEOIP2, and none when neither
API is in use.

This commit silences the compiler error by moving the declaration of
dns_geoip_databases_t to types.h as an opaque reference, and commenting
out the contents of geoip.h when neither version of GeoIP is enabled.

(cherry picked from commit 81fcde5953)
2019-07-03 10:00:28 -07:00
Ondřej Surý
c4565c994d Merge branch 'ondrej/restore-freebsd-runner-v9_14' into 'v9_14'
[v9_14] Restore the FreeBSD Runner

See merge request isc-projects/bind9!2122
2019-07-02 17:50:04 -04:00
Ondřej Surý
bc6c042116 Use $(pwd) instead of $CI_PROJECT_DIR to always get absolute path
(cherry picked from commit e957825eee)
2019-07-02 22:43:53 +02:00
Ondřej Surý
9d9a8400b2 Use sudo to setup the interfaces when CI job is not running as root
(cherry picked from commit 4d3e7d0b7d)
2019-07-02 22:43:53 +02:00
Evan Hunt
48c1ad84c3 Add FreeBSD 11 GitLab CI Runner
(cherry picked from commit 646bb64246)
2019-07-02 22:43:53 +02:00
Ondřej Surý
801bdd5a13 Merge branch 'ondrej/fix-freebsd-make-v9_14' into 'v9_14'
Add rules to make sure subdirs are always built before testdirs

See merge request isc-projects/bind9!2118
2019-07-02 13:58:48 -04:00
Ondřej Surý
d995dc4661 Add rules to make sure subdirs are always built before testdirs
(cherry picked from commit 723433cbc6)
2019-07-02 19:40:26 +02:00
Michał Kępień
d66a9a9b9a Merge branch 'michal/add-and-use-keyfile_to_key_id-helper-function-v9_14' into 'v9_14'
[v9_14] Add and use keyfile_to_key_id() helper function

See merge request isc-projects/bind9!2108
2019-06-28 08:33:30 -04:00
Michał Kępień
6045adbd1a Add and use keyfile_to_key_id() helper function
When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros.  This breaks tests when
keys with ID 0 are generated.  Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.

(cherry picked from commit 7d6eaad1bd)
2019-06-28 14:05:44 +02:00
Michał Kępień
23c2b14064 Merge branch '1093-dnstap-read-clear-buffer-before-expanding-it-v9_14' into 'v9_14'
[v9_14] dnstap-read: clear buffer before expanding it

See merge request isc-projects/bind9!2106
2019-06-28 07:08:35 -04:00
Michał Kępień
18aa38610f Add CHANGES entry
5260.	[bug]		dnstap-read was producing malformed output for large
			packets. [GL #1093]

(cherry picked from commit 7354207e1b)
2019-06-28 12:46:54 +02:00
Michał Kępień
1a1e550f94 dnstap-read: clear buffer before expanding it
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed.  Clear the output buffer before expanding it to prevent
this issue from occurring.

(cherry picked from commit 3549abe81d)
2019-06-28 12:46:53 +02:00
Evan Hunt
5369bbe6e6 Merge branch '182-geoip2-api-v9_14' into 'v9_14'
Resolve "Update GeoIP support to new API (GeoLite2 from Maxmind)"

See merge request isc-projects/bind9!2099
2019-06-27 19:54:34 -04:00
Evan Hunt
24103171ca CHANGES, release note, README
(cherry picked from commit 8854e284fd)
2019-06-27 16:32:31 -07:00
Evan Hunt
d6bd7bb9af update ARM documentation
(cherry picked from commit c9945d6148)
2019-06-27 16:32:30 -07:00
Evan Hunt
049d8a311b add geoip2 system test
(cherry picked from commit 9a1caf99ef)
2019-06-27 16:32:30 -07:00
Evan Hunt
7468036226 add GeoIP2 lookups to unit test
(cherry picked from commit 6399a70cb4)
2019-06-27 16:32:29 -07:00
Evan Hunt
0283ab7512 implement searching of geoip2 database
- revise mapping of search terms to database types to match the
  GeoIP2 schemas.
- open GeoIP2 databases when starting up; close when shutting down.
- clarify the logged error message when an unknown database type
  is configured.
- add new geoip ACL subtypes to support searching for continent in
  country databases.
- map geoip ACL subtypes to specific MMDB database queries.
- perform MMDB lookups based on subtype, saving state between
  queries so repeated lookups for the same address aren't necessary.

(cherry picked from commit 6e0b93e5a0)
2019-06-27 16:32:29 -07:00
Evan Hunt
7fc92bee0c add HAVE_GEOIP2 #ifdef branches, without implementing yet
(cherry picked from commit fe46d5bc34)
2019-06-27 16:25:29 -07:00
Evan Hunt
6a7e805796 add a search for GeoIP2 libraries in configure
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
  (libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
  is an error.
- an attempt is made to determine the default GeoIP2 database path at
  compile time if pkg-config is able to report the module prefix. if
  this fails, it will be necessary to set the path in named.conf with
  geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
  added for the eventual GeoIP2 search implementation.

(cherry picked from commit fea6b5bf10)
2019-06-27 16:25:28 -07:00
Ondřej Surý
38e10a8201 Merge branch '1095-when-gnu-c-compiler-is-used-on-solaris-gnu-ld-must-be-used-v9_14' into 'v9_14'
Enforce usage -zrelax=transtls when GNU C Compiler is used on Solaris

See merge request isc-projects/bind9!2098
2019-06-27 07:51:21 -04:00
Ondřej Surý
e87a180187 Enforce usage -zrelax=transtls when GNU C Compiler is used on Solaris
When GNU C Compiler is used on Solaris (11), the Thread Local Storage
is completely broken.  The behaviour doesn't manifest when GNU ld is
used.  Thus, we need to enforce usage of GNU ld when GNU C Compiler is
the compiler of choice.

For more background for this change, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90912

(cherry picked from commit d584223653)
2019-06-27 13:33:26 +02:00
Matthijs Mekking
34bacac31e Merge branch '513-matthijs-dnssec-sign-stats-v9_14' into 'v9_14'
Resolve "New metrics to report DNSSEC signing operations and IXFRs [ISC-support #13431]"

See merge request isc-projects/bind9!2080
2019-06-27 07:14:21 -04:00
Matthijs Mekking
04c8c43f09 DNSSEC sign metrics: CHANGES, doc, release note
Add some information about the new statistic-channel DNS sign
metrics. Also add a CHANGES and release note entry.

(cherry picked from commit 3a3f40e372)
2019-06-27 12:37:48 +02:00
Matthijs Mekking
97041a38a7 Also collect DNSSEC refresh signature statistics
In addition to gather how many times signatures are created per
key in a zone, also count how many of those signature creations are
because of DNSSEC maintenance.  These maintenance counters are
incremented if a signature is refreshed (but the RRset did not
changed), when the DNSKEY RRset is changed, and when that leads
to additional RRset / RRSIG updates (for example SOA, NSEC).

(cherry picked from commit 6f67546cd6)
2019-06-27 12:37:27 +02:00
Matthijs Mekking
212db50edd Add tests for DNSSEC sign statistics
This adds tests to the statschannel system test for testing if
the dnskey sign operation counters are incremented correctly.

It tests three cases:

1. A zone maintenance event where all the signatures that are about
   to expire are resigned.
2. A dynamic update event where the new RR and other relevant records
   (SOA, NSEC) are resigned.
3. Adding a standby key, that means the DNSKEY and SOA RRset are
   resigned.

(cherry picked from commit a8750a8805)
2019-06-27 12:37:27 +02:00
Matthijs Mekking
2c494feee6 Update dnskey sign operations statistics
Update per key tag the stats counter when it creates a new signature.
This can happen upon a dynamic update, or when doing DNSSEC
maintenance.

(cherry picked from commit 312fa7f65e)
2019-06-27 12:37:27 +02:00
Matthijs Mekking
ec799c667d Add DNSSEC sign operations statistics channel
Add a new statistics structure to record how many sign operations
a key has made within a zone.

(cherry picked from commit d8cf7aedfa)
2019-06-27 12:37:27 +02:00
Mark Andrews
a25668a58b Merge branch '1030-statistics-channel-fixes-v9_14' into 'v9_14'
Statistics Channel Fixes

See merge request isc-projects/bind9!2096
2019-06-26 23:41:38 -04:00
Mark Andrews
93b3964bc1 add CHANGES
(cherry picked from commit f8b3aa97df)
2019-06-27 13:23:57 +10:00
Mark Andrews
8573a1d752 check xsl vs xml
(cherry picked from commit d5c795942f)
2019-06-27 13:23:57 +10:00
Evan Hunt
41bb9505d4 add odd/even shading to the remaining tables
(cherry picked from commit ce3907e9fe)
2019-06-27 13:23:56 +10:00
Mark Andrews
e20eb63a6d remove 'Configured Zones'; add even/odd to zone list
(cherry picked from commit eaba8dd799)
2019-06-27 13:23:56 +10:00
Timothe Litt
bbb55191c5 Fix ISC-Bugs 45340: Statschannel XSL for zones, Traffic
In ISC-Bugs 45340, I wrote:

The Statistics channel offers links to Zones and Traffic.
Both produce valid data, but display as blank pages with
a web browser.

Zones never had XSL (I provided the original
implementation, but punted on the XSL).

Traffic has XSL, but it wasn't updated to reflect the
split between IPv4 and IPv6 data.

I've picked up enough XSL to fix my original omission,
and as penance for my sloth, fixed the Traffic bug as well.

(cherry picked from commit 96f0bbd4d5)
2019-06-27 13:23:56 +10:00
Evan Hunt
0c6b4f7285 Merge branch '1092-allow-priming-glue-v9_14' into 'v9_14'
allow glue in authoritative responses to root priming queries

See merge request isc-projects/bind9!2094
2019-06-26 12:38:22 -04:00
Evan Hunt
5246f6ecaa CHANGES, release note
(cherry picked from commit 03a6a78b55)
2019-06-26 09:21:05 -07:00
Evan Hunt
e8ce85d073 add system test to confirm glue is returned in priming queries
(cherry picked from commit 9a1f0ea873)
2019-06-26 09:21:05 -07:00
Evan Hunt
11b4bd4d7e allow glue in authoritative responses to root priming queries
- when processing authoritative queries for ./NS, set 'gluedb' so
  that glue will be included in the response, regardless of how
  'minimal-responses' has been configured.

(cherry picked from commit e7684c7b64)
2019-06-26 09:21:05 -07:00
Evan Hunt
3d839809c9 Merge branch '1109-inline-reload-error-v9_14' into 'v9_14'
don't overwrite the dns_master_loadfile() result before calling zone_postload()

See merge request isc-projects/bind9!2092
2019-06-26 12:09:04 -04:00
Evan Hunt
6b3eef02c5 CHANGES
(cherry picked from commit c29e344f07)
2019-06-26 08:50:14 -07:00
Evan Hunt
a049ce872f add a test that reloading errors are not ignored
(cherry picked from commit e48b3f1a00)
2019-06-26 08:49:52 -07:00
Evan Hunt
09fc9d4f87 don't overwrite the dns_master_loadfile() result before calling zone_postload()
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.

(cherry picked from commit 0b792bd37b)
2019-06-26 08:49:52 -07:00
Michał Kępień
9ea8ff424a Merge branch 'michal/prevent-idna-test-failures-with-libidn2-2.2.0-v9_14' into 'v9_14'
[v9_14] Prevent "idna" test failures with libidn2 2.2.0+

See merge request isc-projects/bind9!2090
2019-06-26 09:00:54 -04:00
Michał Kępień
e79362eaee Prevent "idna" test failures with libidn2 2.2.0+
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.

We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:

  - this change in behavior is considered a libidn2 bug fix [1],
  - we want to make sure dig behaves as expected, not libidn2,
  - implementing that would require additional configure.ac cruft.

Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.

[1] see upstream commit 241e8f486134793cb0f4a5b0e5817a97883401f5

(cherry picked from commit 60ce0ed411)
2019-06-26 14:40:58 +02:00
Ondřej Surý
efaa857219 Merge branch '1067-underflow-recursing-clients-stats-v9_14' into 'v9_14'
Resolve "Underflow in Stats Channel RecursClients value?"

See merge request isc-projects/bind9!2035
2019-06-26 05:36:51 -04:00
Witold Kręcicki
22a40323b0 CHANGES note
(cherry picked from commit c62a7c88b8)
2019-06-26 11:09:05 +02:00
Witold Kręcicki
0612da5d5d Make sure that recursclient gauge is calculated correctly.
We increase recursclients when we attach to recursion quota,
decrease when we detach. In some cases, when we hit soft
quota, we might attach to quota without increasing recursclients
gauge. We then decrease the gauge when we detach from quota,
and it causes the statistics to underflow.
Fix makes sure that we increase recursclients always when we
succesfully attach to recursion quota.

(cherry picked from commit 24cfee942f)
2019-06-26 11:08:44 +02:00
Michał Kępień
5324e332c5 Merge branch 'michal/wait-for-outgoing-transfer-statistics-to-be-logged-v9_14' into 'v9_14'
[v9_14] Wait for outgoing transfer statistics to be logged

See merge request isc-projects/bind9!2082
2019-06-25 16:15:22 -04:00
Michał Kępień
8c1c47b22b Wait for outgoing transfer statistics to be logged
Since the message confirming outgoing transfer completion is logged
asynchronously, it may happen that transfer statistics may not yet be
logged by the time the dig command triggering a given transfer returns.
This causes false positives for the "ixfr" and "xfer" system tests.
Prevent this from happening by checking outgoing transfer statistics up
to 10 times, in 1-second intervals.

(cherry picked from commit 9fc5e48b14)
2019-06-25 22:01:53 +02:00
Mark Andrews
32e5035ddb Merge branch 'marka-silence-unchecked-return-v9_14' into 'v9_14'
silence unchecked return

See merge request isc-projects/bind9!2078
2019-06-25 01:44:31 -04:00
Mark Andrews
e98921fd8d silence unchecked return
(cherry picked from commit 134248531c)
2019-06-25 15:32:12 +10:00
Mark Andrews
aff3391656 Merge branch '1098-compile-failure-on-9-11-8-v9_14' into 'v9_14'
Resolve "Compile failure on 9.11.8"

See merge request isc-projects/bind9!2076
2019-06-24 20:14:31 -04:00
Mark Andrews
019c5f3d12 add CHANGES
(cherry picked from commit 5c23623094)
2019-06-25 09:49:37 +10:00
Mark Andrews
7c963d0fc4 define ULLONG_MAX if not already defined
(cherry picked from commit 4110b9184d)
2019-06-25 09:48:59 +10:00
Mark Andrews
79765491c0 Merge branch 'marka-wait-for-zones-to-load-v9_14' into 'v9_14'
wait for zones to load

See merge request isc-projects/bind9!2070
2019-06-24 00:30:21 -04:00
Mark Andrews
1f9eb50f56 wait for zones to load
(cherry picked from commit b62e6418b5)
2019-06-24 14:18:43 +10:00
Ondřej Surý
add9625713 Merge branch '1081-fix-statistics-in-x86-windows-builds-v9_14' into 'v9_14'
Resolve "Statistics are broken in x86 Windows builds"

See merge request isc-projects/bind9!2068
2019-06-20 12:45:31 -04:00
Michał Kępień
4906e9cb9a Add CHANGES entry
5249.	[bug]		Statistics were broken in x86 Windows builds.
			[GL #1081]

(cherry picked from commit cbb2edb8d3)
2019-06-20 18:34:55 +02:00
Michał Kępień
de65b8f0f8 Fix statistics for x86 Windows builds
Using atomic_int_fast64_t variables with atomic functions on x86 does
not cause Visual Studio to report build errors, but such operations
yield useless results.  Since the isc_stat_t type is unconditionally
typedef'd to atomic_int_fast64_t, any code performing atomic operations
on isc_stat_t variables is broken in x86 Windows builds.  Fix by using
the atomic_int_fast32_t type for isc_stat_t in x86 Windows builds.

(cherry picked from commit e21103f2d3)
2019-06-20 18:34:27 +02:00
Ondřej Surý
095cfa32a3 Merge branch '1094-bump-clientinfomethods-version-v9_14' into 'v9_14'
[v9_14] Bump DNS_CLIENTINFOMETHODS VERSION and AGE

See merge request isc-projects/bind9!2060
2019-06-20 11:45:48 -04:00
Brian Conry
5de88e29f8 Bump DNS_CLIENTINFOMETHODS_VERSION/_AGE to 2/1 in clientinfo.h
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was addet to the
dnsclientinfo struct.  It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.

Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this changes takes a different approach by
syncing the values other way around.

(cherry picked from commit 39344dfb3e)
2019-06-20 14:18:50 +02:00
Ondřej Surý
5f777e6a49 Revert "Downgrade the dns_clientinfomethod structure to the version in lib/dns/clientinfo.c"
This reverts commit a6f09b2255.

(cherry picked from commit 04961a7e6b)
2019-06-20 14:18:50 +02:00
Evan Hunt
b0c7a44744 Merge branch 'security-v9_14' into 'v9_14'
merge security-v9_14

See merge request isc-projects/bind9!2063
2019-06-19 19:25:17 -04:00
Tinderbox User
84c8c26ae4 Merge branch 'prep-release' into security-v9_14 2019-06-19 15:54:22 -07:00
Evan Hunt
adf5b60e50 Merge branch '942-security-move-test-inside-lock-security-v9_14' into 'security-v9_14' 2019-06-19 15:54:22 -07:00
Tinderbox User
5a70336065 prep 9.14.3 2019-06-19 15:54:22 -07:00
Evan Hunt
1c6ce19e1b CHANGES, release note
(cherry picked from commit 332af50eed96cbcb20173f297e543adaded0ed92)
2019-06-19 15:54:22 -07:00
Mark Andrews
878dfb1e52 move item_out test inside lock in dns_dispatch_getnext()
(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
2019-06-19 15:54:21 -07:00
Michał Kępień
488656375c Merge branch '1088-always-fail-a-system-test-if-crashes-are-detected-v9_14' into 'v9_14'
[v9_14] Always fail a system test if crashes are detected

See merge request isc-projects/bind9!2047
2019-06-18 03:55:22 -04:00
Michał Kępień
931357d801 Always fail a system test if crashes are detected
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered.  This must never be the case.  Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).

(cherry picked from commit 7706f22924)
2019-06-18 09:18:41 +02:00
Michał Kępień
14d4968f78 Merge branch 'michal/fix-transfer-statistics-extraction-v9_14' into 'v9_14'
[v9_14] Fix transfer statistics extraction

See merge request isc-projects/bind9!2046
2019-06-18 03:12:54 -04:00
Michał Kępień
aa54cc407f Fix transfer statistics extraction
Make the get_named_xfer_stats() helper shell function more precise in
order to prevent it from matching the wrong lines as that may trigger
false positives for the "ixfr" and "xfer" system tests.  As an example,
the regular expression responsible for extracting the number of bytes
transmitted throughout an entire zone transfer could also match a line
containing the following string:

    transfer of '<zone-name>/IN': sending TCP message of <integer> bytes

However, such a line is not one summarizing a zone transfer.

Also simplify both get_dig_xfer_stats() and get_named_xfer_stats() by
eliminating the need for "echo" statements in them.

(cherry picked from commit fab67c074a)
2019-06-18 08:53:35 +02:00
Mark Andrews
4f23a48449 Merge branch 'marka-cleanup-builtin-config-v9_14' into 'v9_14'
remove geoip-use-ecs from default config

See merge request isc-projects/bind9!2044
2019-06-17 20:49:55 -04:00
Mark Andrews
a4946bfd23 remove geoip-use-ecs from default config
(cherry picked from commit b2026bd9e8)
2019-06-18 09:59:59 +10:00
Michał Kępień
7e8884e2e3 Merge branch 'michal/tkey-system-test-fix-key-id-processing-v9_14' into 'v9_14'
[v9_14] "tkey" system test: fix key ID processing

See merge request isc-projects/bind9!2042
2019-06-17 08:43:19 -04:00
Michał Kępień
b9820ec727 Fix key ID processing
If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:

    tkey-dhkey "server" ;

Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file.  Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.

(cherry picked from commit 0b7b1161c2)
2019-06-17 14:15:36 +02:00
Michał Kępień
87b7562bfb Merge branch 'michal/address-compilation-warnings-for-O3-builds-v9_14' into 'v9_14'
[v9_14] Address compilation warnings for -O3 builds

See merge request isc-projects/bind9!2028
2019-06-11 04:49:02 -04:00
Michał Kępień
1d0bb1de10 Address GCC 9.1 -O3 compilation warnings
Compiling with -O3 triggers the following warnings with GCC 9.1:

    task.c: In function ‘isc_taskmgr_create’:
    task.c:1386:43: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
     1386 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                           ^~~~
    task.c:1386:32: note: directive argument in the range [0, 4294967294]
     1386 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                ^~~~~~~~~~~~~~~~
    task.c:1386:3: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
     1386 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    private_test.c: In function ‘private_nsec3_totext_test’:
    private_test.c:113:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
      113 |  while (*sp == '\0' && slen > 0) {
          |         ^~~
    private_test.c:106:11: note: while referencing ‘salt’
      106 |  uint32_t salt;
          |           ^~~~

Prevent these warnings from being triggered by increasing the size of
the relevant array (task.c) and reordering conditions (private_test.c).

(cherry picked from commit ce796ac1f4)
2019-06-11 10:19:04 +02:00
Witold Kręcicki
a0621b51d8 Address GCC 8.3 -O3 compilation warning
Compiling with -O3 triggers the following warning with GCC 8.3:

    driver.c: In function ‘dlz_findzonedb’:
    driver.c:193:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                                 ^~
    driver.c:193:25: note: directive argument in the range [0, 65535]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                             ^~~~~~~
    driver.c:193:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
      snprintf(buffer, size, "%s#%u", addr_buf, port);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Increase the size of the relevant array to prevent this warning from
being triggered.

(cherry picked from commit 44e6bb8b93)
2019-06-11 10:18:58 +02:00
Michał Kępień
bd501abaa6 Make some build jobs use -O3 optimizations
Change the compiler optimization level for Debian sid build jobs from
-O2 to -O3 in order to enable triggering compilation warnings which are
not raised when -O2 is used.

(cherry picked from commit 3569487875)
2019-06-11 10:18:53 +02:00
Evan Hunt
8d2ae614e4 Merge branch 'each-pandoc-args-v9_14' into 'v9_14'
specify title metadata and markdown format when calling pandoc

See merge request isc-projects/bind9!2023
2019-06-10 00:31:13 -04:00
Evan Hunt
639bdf24c7 specify title metadata and markdown format when calling pandoc
this change silences a warning message and prevents the unwanted
use of smart quotes when using pandoc 2.7.1 to generate human-readable
versions of README and other markdown files.

(cherry picked from commit 3663f61e0e)
2019-06-09 21:30:28 -07:00
Evan Hunt
929ee132fc Merge branch 'michal/minor-doc-fixes-v9_14' into 'v9_14'
[v9_14] Minor doc fixes

See merge request isc-projects/bind9!2019
2019-06-10 00:22:25 -04:00
Stephen Morris
823c7babf8 Tweak paragraph style in release notes PDF 2019-06-07 08:37:33 +02:00
Stephen Morris
6e058ea035 Fix typos in README and release notes 2019-06-07 08:37:33 +02:00
Stephen Morris
4e0e7e2f24 Reword release note about obsolete systems 2019-06-07 08:37:33 +02:00
Mark Andrews
60177eb292 Merge branch 'marka-capture-checkconf-output-v9_14' into 'v9_14'
capture named-checkconf output

See merge request isc-projects/bind9!2015
2019-06-06 04:49:28 -04:00
Mark Andrews
b65b268fde capture named-checkconf output
(cherry picked from commit 36dd373ab4)
2019-06-06 18:34:51 +10:00
Mark Andrews
9a957fef40 Merge branch 'marka-rndc-manpage-fix-v9_14' into 'v9_14'
add missing word 'includes'

See merge request isc-projects/bind9!2012
2019-06-05 19:49:19 -04:00
Mark Andrews
9c374db434 add missing word 'includes'
(cherry picked from commit c6553eb3fc)
2019-06-06 09:33:13 +10:00
Mark Andrews
e3afb5c619 Merge branch '1066-macports-uses-opt-local-as-its-openssl-location-v9_14' into 'v9_14'
Resolve "MacPorts uses /opt/local as its OpenSSL location"

See merge request isc-projects/bind9!2010
2019-06-04 04:32:51 -04:00
Mark Andrews
a86cf8eef6 add /opt/local to list of locations for OpenSSL
(cherry picked from commit 8973d4bd16)
2019-06-04 18:19:34 +10:00
Mark Andrews
535cf4b1aa Merge branch '1063-pkcs11_test-is-not-being-expanded-v9_14' into 'v9_14'
Resolve "@PKCS11_TEST@ is not being expanded"

See merge request isc-projects/bind9!2008
2019-06-04 04:15:41 -04:00
Mark Andrews
0c65d9dc3a make PKCS11_TEST unix only
(cherry picked from commit fbd9c5c97f)
2019-06-04 18:00:45 +10:00
Mark Andrews
f9649f0529 Merge branch '1017-remove-dead-stores-v9_14' into 'v9_14'
Resolve "remove dead stores"

See merge request isc-projects/bind9!2006
2019-06-04 02:07:42 -04:00
Mark Andrews
f33d9a825f POST(optlen)
(cherry picked from commit 4e97f7dccc)
2019-06-04 15:48:52 +10:00
Mark Andrews
023b44a921 Merge branch 'cppcheck-and-cmocka-false-positive-v9_14' into 'v9_14'
teach clang analyser that _assert_int_equal and _assert_int_not_equal don't return on failure

See merge request isc-projects/bind9!2003
2019-06-04 01:46:52 -04:00
Mark Andrews
65ece077c2 teach cppcheck that _assert_int_equal and _assert_int_not_equal don't return on failure
(cherry picked from commit 5d5d751c7f)
2019-06-04 15:23:49 +10:00
Michał Kępień
9c3c0c463f Merge branch 'michal/smartsign-system-test-properly-detect-presence-of-cds-cdnskey-records-v9_14' into 'v9_14'
[v9_14] "smartsign" system test: properly detect presence of CDS/CDNSKEY records

See merge request isc-projects/bind9!2002
2019-06-03 07:59:09 -04:00
Michał Kępień
0fc89e0f9f Properly detect presence of CDS/CDNSKEY records
Replace grep calls with awk scripts to more precisely detect presence of
CDS and CDNSKEY records in a signed zone file, in order to prevent rare
false positives for the "smartsign" system test triggered by the strings
"CDS" and/or "CDNSKEY" being accidentally present in the Base64 form of
DNSSEC-related data in the zone file being checked.

(cherry picked from commit d0a73c7da6)
2019-06-03 13:44:18 +02:00
Evan Hunt
d19507416d Merge branch '1061-update-supported-rfc-list-v9_14' into 'v9_14'
Resolve "update supported RFC list"

See merge request isc-projects/bind9!1996
2019-05-31 19:25:11 -04:00
Mark Andrews
4a889d5fe3 add RFC6944 2019-05-31 16:23:15 -07:00
Mark Andrews
8da63b7e7b update RFC compliance document 2019-05-31 16:23:05 -07:00
Evan Hunt
5dda2cfca7 Merge branch '943-race-in-dispatcher-socket-v9_14' into 'v9_14'
Fix a possible race between udp dispatch and socket code

See merge request isc-projects/bind9!1995
2019-05-31 15:43:52 -04:00
Witold Kręcicki
95c2595194 CHANGES
(cherry picked from commit e56d95847b)
2019-05-31 12:32:37 -07:00
Witold Kręcicki
b6d11230b2 Fix a possible race between udp dispatch and socket code
There's a small possibility of race between udp dispatcher and
socket code - socket code can still hold internal reference to a
socket while dispatcher calls isc_socket_open, which can cause
an assertion failure. Fix it by relaxing the assertion test, and
instead simply locking the socket in isc_socket_open.

(cherry picked from commit e517c18d98)
2019-05-31 12:32:37 -07:00
Witold Krecicki
dddc16d1d5 Merge branch '1055-qname-minimization-relaxed-lame-v9_14' into 'v9_14'
Resolve "Make relaxed qname minimization work with lame delegations"

See merge request isc-projects/bind9!1991
2019-05-31 04:01:42 -04:00
Evan Hunt
40b2ebc9c7 CHANGES
(cherry picked from commit 8783735f89)
2019-05-31 09:25:44 +02:00
Witold Kręcicki
60d0da833b Use experimental "_ A" minimization in relaxed mode.
qname minimization, even in relaxed mode, can fail on
some very broken domains. In relaxed mode, instead of
asking for "foo.bar NS" ask for "_.foo.bar A" to either
get a delegation or NXDOMAIN. It will require more queries
than regular mode for proper NXDOMAINs.

(cherry picked from commit ae52c2117e)
2019-05-31 09:25:44 +02:00
Witold Kręcicki
8b29a7cbf4 Don't SERVFAIL on lame delegations when doing minimization in relaxed mode.
qname minimization in relaxed mode should fall back to regular
resolution in case of failure.

(cherry picked from commit 2691e729f0)
2019-05-31 09:25:23 +02:00
Mark Andrews
668fce4f79 Merge branch '225-ed448-broken-with-openssl-1-1-1-pre6-v9_14' into 'v9_14'
Fix ASN.1 length values in Ed448 public and private key prefix blobs.

See merge request isc-projects/bind9!1987
2019-05-30 09:22:55 -04:00
Mark Andrews
630d05e920 add CHANGES note
(cherry picked from commit 6c499a0c08)
2019-05-30 23:09:56 +10:00
Mark Andrews
e726515e03 test Ed448 against test vectors
(cherry picked from commit 20f2d9b41b)
2019-05-30 23:09:23 +10:00
Mark Andrews
6ca95b5478 fix Ed448 length values for precomputed ASN.1 prefix blobs
(cherry picked from commit 5da97eeea6)
2019-05-30 23:09:23 +10:00
Ondřej Surý
b7a14300d8 Merge branch '996-revert-wrong-key-id-is-displayed-for-rsamd5-keys-v9_14' into 'v9_14'
Revert "Merge branch '996-wrong-key-id-is-displayed-for-rsamd5-keys' into 'master'"

See merge request isc-projects/bind9!1982
2019-05-30 09:00:00 -04:00
Ondřej Surý
d0181cb97d Revert "Merge branch '996-wrong-key-id-is-displayed-for-rsamd5-keys' into 'master'"
This reverts commit ea131d2e6a, reversing
changes made to e79dd268b6.

(cherry picked from commit 52a8fb31c7)
2019-05-30 14:32:58 +02:00
Mark Andrews
09b95b399e Merge branch '1011-use-proper-linker-config-on-hp-ux-v9_14' into 'v9_14'
Resolve "Use proper linker (config) on HP-UX"

See merge request isc-projects/bind9!1983
2019-05-29 21:47:53 -04:00
Mark Andrews
7273a5fa98 regen
(cherry picked from commit 92325d3150)
2019-05-30 11:27:27 +10:00
Mark Andrews
93063a0d3a add link flags for ia64-hp-hpux
(cherry picked from commit 61752bf8ac)
2019-05-30 11:27:27 +10:00
Ondřej Surý
53683aeed5 Merge branch '1044-fix-LFS-flags-on-BSDs-v9_14' into 'v9_14'
Pull the values for LFS_{CFLAGS,LDFLAGS,LIBS} from autoconf instead using them directly in make

See merge request isc-projects/bind9!1979
2019-05-29 07:54:49 -04:00
Ondřej Surý
8464fef786 Pull the values for LFS_{CFLAGS,LDFLAGS,LIBS} from autoconf instead using them directly in make
(cherry picked from commit d4596baed4)
2019-05-29 13:34:55 +02:00
Michał Kępień
2a569ef9e4 Merge branch 'michal/legacy-system-test-fixes-v9_14' into 'v9_14'
[v9_14] "legacy" system test fixes

See merge request isc-projects/bind9!1974
2019-05-29 05:33:52 -04:00
Michał Kępień
30c9068714 Optimize dig parameters to decrease test run time
Performing server setup checks using "+tries=3 +time=5" is redundant as
a single query is arguably good enough for determining whether a given
named instance was set up properly.  Only use multiple queries with a
long timeout for resolution checks in the "legacy" system test, in order
to significantly reduce its run time (on a contemporary machine, from
about 1m45s to 0m40s).

(cherry picked from commit 47b850348c)
2019-05-29 11:09:53 +02:00
Michał Kępień
909651afe6 Make "plain" server setup checks more similar
Send a test TCP query to the "plain" server during its setup check to
improve its consistency with the setup check for the "plain + no TCP"
server.

(cherry picked from commit bb939a03ff)
2019-05-29 11:09:49 +02:00
Michał Kępień
0f5871e0fa Add more EDNS checks for dig output files
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.

(cherry picked from commit 56ed1275c6)
2019-05-29 11:09:44 +02:00
Michał Kępień
e1823c5240 Do not ignore dig exit codes
Make sure the "legacy" system test fails if any exit code returned by
dig does not match the expected one.

(cherry picked from commit 4dea5cb799)
2019-05-29 11:09:34 +02:00
Michał Kępień
eeb0747efa Use helper functions for checking resolution
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.

(cherry picked from commit effd16ab25)
2019-05-29 11:09:28 +02:00
Michał Kępień
762344a468 Use +dnssec instead of separate TXT records
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size.  Doing this makes all resolution checks in the "legacy"
system test more similar.  Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.

(cherry picked from commit aaf81ca6ef)
2019-05-29 11:09:16 +02:00
Michał Kępień
96a4c329f1 Fix the name of the file to inspect
One of the checks in the "legacy" system test inspects dig.out.1.test$n
instead of dig.out.2.test$n.  Fix the file name used in that check.

(cherry picked from commit 3e7fa15ca3)
2019-05-29 11:09:12 +02:00
Michał Kępień
a74bcebbff Ensure queries expected to time out really do
Make sure that the "legacy" system test fails if queries which are
expected to time out do not really time out.

(cherry picked from commit 6283c1cc7e)
2019-05-29 11:09:01 +02:00
Michał Kępień
82f3c88d46 Properly test servers with TCP support disabled
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets.  Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.

(cherry picked from commit 9491616e5c)
2019-05-29 11:08:47 +02:00
Ondřej Surý
bdae8ed097 Merge branch '1044-include-config.h-in-gen.c-v9_14' into 'v9_14'
Resolve "gen fails to generate headers on Debian buster"

See merge request isc-projects/bind9!1976
2019-05-29 04:44:33 -04:00
Ondřej Surý
f7050fc728 Use getconf LFS_{CFLAGS,LDFLAGS,LIBS} to get flags to compile lib/dns/gen
On some systems (namely Debian buster armhf) the readdir() call fails
with `Value too large for defined data type` unless the
_FILE_OFFSET_BITS=64 is defined.  The correct way to fix this is to
get the appropriate compilation parameters from getconf system
interface.

(cherry picked from commit 4c7345bcb6)
2019-05-29 10:30:39 +02:00
Ondřej Surý
a17eb8dec4 Exit the ./gen program on failed readdir() call
(cherry picked from commit 05b7c08a16)
2019-05-29 10:30:39 +02:00
Mark Andrews
477515fb09 Merge branch '1056-misleading-error-message-when-trying-to-build-without-python-support-v9_14' into 'v9_14'
Resolve "Misleading error message when trying to build without Python support"

See merge request isc-projects/bind9!1965
2019-05-27 00:13:27 -04:00
Mark Andrews
1ceef52e21 fix configire error message to say --without-python
(cherry picked from commit d70bf76d80)
2019-05-27 14:00:04 +10:00
Witold Krecicki
43f5b94da6 Merge branch '1046-deadlock-in-tcp-code-v9_14' into 'v9_14'
Fix a possible deadlock in TCP accepting

See merge request isc-projects/bind9!1961
2019-05-24 07:03:05 -04:00
Witold Kręcicki
000fdd8fa5 Fix a possible deadlock in TCP accepting
Each network thread holds an array of locks, indexed by a hash
of fd. When we accept a connection we hold a lock in accepting thread.
We then generate the thread number and lock bucket for the new
connection socket - if we hit the same thread and lock bucket as
accepting socket we get a deadlock. Avoid this by checking if we're
in the same thread/lock bucket and not locking in this case.

(cherry picked from commit 75815c1581)
2019-05-24 12:50:15 +02:00
Mark Andrews
0fc9c25cd8 Merge branch '1028-dig-trace-should-not-set-rd-0-norecurse-for-the-initial-root-hints-query-v9_14' into 'v9_14'
Resolve "dig +trace should not set RD=0 (+norecurse) for the initial root hints query"

See merge request isc-projects/bind9!1955
2019-05-22 02:31:22 -04:00
Mark Andrews
98de15b780 Recurse to find the root server list with 'dig +trace'.
(cherry picked from commit e65d4989a1)
2019-05-22 16:05:25 +10:00
Evan Hunt
4b21ee60b6 Merge branch 'each-document-bug-ids-v9_14' into 'v9_14'
update README to explain gitlab numbers

See merge request isc-projects/bind9!1948
2019-05-17 02:44:47 -04:00
Evan Hunt
1aabcfc725 update README to explain gitlab numbers
(cherry picked from commit 45d76498d9)
2019-05-16 23:44:16 -07:00
Ondřej Surý
9088679e85 Merge branch '1003-SO_REUSEPORT-tweaks-v9_14' into 'v9_14'
Resolve "socket.c error 'SO_REUSEPORT' undeclared"

See merge request isc-projects/bind9!1947
2019-05-17 01:58:56 -04:00
Ondřej Surý
2b343d1fc1 Use SO_REUSEPORT_LB on FreeBSD if available
(cherry picked from commit 94cb73d96c)
2019-05-17 07:45:21 +02:00
Ondřej Surý
5d8d65bfdc Add safeguard against the other usage of SO_REUSEPORT
(cherry picked from commit 1c672367a0)
2019-05-17 07:45:21 +02:00
Ondřej Surý
110beba49c Merge branch '984-remove-dead-code-in-pkcs11-keygen-c-v9_14' into 'v9_14'
Resolve "Remove dead code in pkcs11-keygen.c"

See merge request isc-projects/bind9!1929
2019-05-13 00:35:44 -04:00
Mark Andrews
b61d6cde83 remove dead code and unnecessary call to pkcs_C_GetAttributeValue
(cherry picked from commit 2e4986e2c4)
2019-05-13 11:22:33 +07:00
Ondřej Surý
f433202a5e Merge branch '899-remove-unspec-v9_14' into 'v9_14'
Remove UNSPEC rrtype

See merge request isc-projects/bind9!1932
2019-05-13 00:20:11 -04:00
Witold Kręcicki
0617148792 Remove UNSPEC rrtype
(cherry picked from commit a8e2ca6f7d)
2019-05-13 10:52:48 +07:00
Mark Andrews
7ad719f45a Merge branch '981-armv5-build-is-broken-v9_14' into 'v9_14'
Resolve "armv5 build is broken"

See merge request isc-projects/bind9!1930
2019-05-12 23:05:45 -04:00
Mark Andrews
4de58ee1c8 arm: just use the compiler's default yield support
(cherry picked from commit f546769b8b)
2019-05-13 12:19:26 +10:00
Tinderbox User
354cf1f66f Merge branch 'prep-release' into v9_14 2019-05-10 04:51:34 +00:00
Tinderbox User
d7862ea81c prep 9.14.2 2019-05-10 04:51:22 +00:00
Evan Hunt
092b9d3cba Merge branch 'fix-changes' into 'v9_14'
fix change number

See merge request isc-projects/bind9!1924
2019-05-10 00:02:25 -04:00
Evan Hunt
3b7bf9ecac fix change number 2019-05-09 21:00:54 -07:00
Evan Hunt
ddb09b8046 Merge branch '997-make-ntas-work-with-validating-forwarders-v9_14' into 'v9_14'
Make NTAs work with validating forwarders

See merge request isc-projects/bind9!1922
2019-05-09 23:51:13 -04:00
Michał Kępień
9ca0c63f1f Add CHANGES entry
5219.	[bug]		Negative trust anchors did not work with "forward only;"
			to validating resolvers. [GL #997]

(cherry picked from commit 5be7c6f4b3)
2019-05-09 20:37:37 -07:00
Michał Kępień
c6bf43a821 Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 20:37:37 -07:00
Evan Hunt
90c4e778d5 Merge branch '958-improve-message-about-python-ply-v9_14' into 'v9_14'
Improve the error message about missing PLY Python package

See merge request isc-projects/bind9!1919
2019-05-09 23:16:34 -04:00
Ondřej Surý
31fbfe56fd Improve the error message about missing PLY Python package
Previously, only a message about missing Python was printed, which was
misleading to many users.  The new message clearly states that Python
AND PLY is required and prints basic instructions how to install PLY
package.

(cherry picked from commit 55b48700da)
2019-05-09 19:55:53 -07:00
Ondřej Surý
c3162ac196 Merge branch 'ondrej/reproducible-build-v9_14' into 'v9_14'
Make lib/dns/gen.c compatible with reproducible builds.

See merge request isc-projects/bind9!1912
2019-05-09 05:26:34 -04:00
Ondřej Surý
c10f361f44 Make lib/dns/gen.c compatible with reproducible builds.
The gen.c will now use SOURCE_DATE_EPOCH[1] if found in environment
to make the build more reproducible build friendly.

1. https://reproducible-builds.org/specs/source-date-epoch/

(cherry picked from commit c8cb612d39)
2019-05-09 16:05:12 +07:00
Mark Andrews
ace60a3daa Merge branch '960-add-edns-client-tag-and-edns-server-tag-v9_14' into 'v9_14'
Resolve "Add EDNS Client Tag and EDNS Server Tag"

See merge request isc-projects/bind9!1910
2019-05-09 04:39:06 -04:00
Mark Andrews
07f8daf536 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:19:29 +10:00
Evan Hunt
b31a9ce95d Merge branch '868-fix-trusted-keys-handling-with-dnssec-validation-auto-v9_14' into 'v9_14'
fix incorrect behavior mixing trusted-keys with validation auto

See merge request isc-projects/bind9!1904
2019-05-09 01:19:23 -04:00
Evan Hunt
bfd646795d CHANGES, release notes 2019-05-08 21:59:35 -07:00
Evan Hunt
9b59425d06 warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 21:59:35 -07:00
Mark Andrews
80d946e90e Merge branch '899-totext-fromtext-fuzz-v9_14' into 'v9_14'
fuzz dns_rdata_fromwire

See merge request isc-projects/bind9!1907
2019-05-08 21:00:08 -04:00
Mark Andrews
228a50a3f3 dns_rdata_fromwire_text fuzzer
Fuzz input to dns_rdata_fromwire(). Then convert the result
to text, back to wire format, to multiline text, and back to wire
format again, checking for consistency throughout the sequence.

(cherry picked from commit 8ffdf6759e)
2019-05-09 10:46:21 +10:00
Mark Andrews
0ae562e2af Merge branch '852-bind-returning-malformed-packet-error-when-sshfp-record-has-fingerprint-value-less-than-4-characters-v9_14' into 'v9_14'
Resolve "Bind returning malformed packet error when sshfp record has fingerprint value less than 4 characters"

See merge request isc-projects/bind9!1905
2019-05-08 18:59:55 -04:00
Mark Andrews
7dd4fa9da3 enforce known SSHFP finger print lengths
(cherry picked from commit 1722728c80)
2019-05-09 08:48:28 +10:00
Mark Andrews
b99c0f93b1 Merge branch '991-provide-ixfr-should-only-be-tests-on-tcp-clients-v9_14' into 'v9_14'
Resolve "provide-ixfr should only be tested on TCP clients."

See merge request isc-projects/bind9!1900
2019-05-07 00:28:40 -04:00
Mark Andrews
7098238039 add CHANGES
(cherry picked from commit ba1d7f3a07)
2019-05-07 13:43:15 +10:00
Mark Andrews
227b49a830 add test for 'provide-ixfr no;' ; add forensics support
(cherry picked from commit d547465af5)
2019-05-07 13:43:14 +10:00
Mark Andrews
8c7052e1cf only test provideixfr if the transport is TCP
(cherry picked from commit 18c49853e3)
2019-05-07 13:43:14 +10:00
Mark Andrews
ea9083647e Merge branch '1005-filter-aaaa-crash-in-9-14-1-v9_14' into 'v9_14'
Resolve "filter-aaaa crash in 9.14.1"

See merge request isc-projects/bind9!1899
2019-05-06 21:19:35 -04:00
Mark Andrews
0b6a698320 add CHANGES
(cherry picked from commit bdc66eb5d9)
2019-05-07 11:07:32 +10:00
Mark Andrews
a0feec3dbc lock accesses to hash table
(cherry picked from commit 2483a8c76d)
2019-05-07 11:07:32 +10:00
Mark Andrews
dbbbed29e9 clear pointer before hash table
(cherry picked from commit 4886701c03)
2019-05-07 11:07:32 +10:00
Mark Andrews
b01ebf8168 Merge branch '983-delv-www-isc-org-any-rtrace-multiline-leaks-memory-v9_14' into 'v9_14'
Resolve "'delv www.isc.org ANY +rtrace +multiline' leaks memory"

See merge request isc-projects/bind9!1896
2019-05-06 20:39:34 -04:00
Mark Andrews
83310317c7 add CHANGES note
(cherry picked from commit ce5520b695)
2019-05-07 10:27:18 +10:00
Mark Andrews
3ebf1ddeb2 check that delv -t any works
(cherry picked from commit 6999bee7ef)
2019-05-07 10:27:18 +10:00
Mark Andrews
0e6a620432 fix whitespace
(cherry picked from commit 32ba5a0494)
2019-05-07 10:27:18 +10:00
Mark Andrews
2ffdbe9eff return rdatasets when processing ANY queries in client_resfind
(cherry picked from commit 127333c71f)
2019-05-07 10:27:18 +10:00
Evan Hunt
9c9b9ab651 Merge branch 'each-win32-parallel-tests-v9_14' into 'v9_14'
enable parallel system tests on windows

See merge request isc-projects/bind9!1894
2019-05-06 19:13:26 -04:00
Evan Hunt
df9cfeaf1b CHANGES
(cherry picked from commit d3cd0729c9)
2019-05-06 15:54:31 -07:00
Evan Hunt
96e0e38fcd move the test lists into conf.sh.common
there is now a common list of tests in conf.sh.common, with the
tests that are either unique to windows or to unix, or which are
enabled or disabled by configure or Configure, being listed in
separate variables in conf.sh.in and conf.sh.win32.

(cherry picked from commit a33237f070)
2019-05-06 15:54:31 -07:00
Evan Hunt
5755465c2f enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.

(cherry picked from commit bbae24c140)
2019-05-06 15:54:30 -07:00
Evan Hunt
9fe5acc36b Merge branch 'each-simplify-stats-v9_14' into 'v9_14'
simplify the isc_stat structure to take avantage of atomics

See merge request isc-projects/bind9!1893
2019-05-06 17:13:17 -04:00
Evan Hunt
6925c8136d CHANGES
(cherry picked from commit f1aaf45085)
2019-05-06 14:02:41 -07:00
Evan Hunt
fb58d23a94 simplify the isc_stat structure to take avantage of atomics
(cherry picked from commit 4e5edb35e4)
2019-05-06 14:02:41 -07:00
Mark Andrews
3e052caca8 Merge branch '1000-arm-doc-rpz-nodata-policy-says-ancount-1-v9_14' into 'v9_14'
Resolve "ARM doc RPZ NODATA policy says ANCOUNT=1"

See merge request isc-projects/bind9!1890
2019-05-06 04:05:38 -04:00
Mark Andrews
756bb201bd A NODATA response has ANCOUNT of 0 assuming no CNAME/DNAMES
(cherry picked from commit 4889e06c3a)
2019-05-06 17:53:42 +10:00
Mark Andrews
63fe63c8c5 Merge branch 'marka-fix-changes' into 'v9_14'
move change 5190 above 9.14.1 release point.

See merge request isc-projects/bind9!1885
2019-04-29 18:54:05 -04:00
Mark Andrews
455472c817 move change 5190 above 9.14.1 release point. 2019-04-30 08:41:35 +10:00
Evan Hunt
0e30e6abaa Merge branch '956-fix-dnstap-test-v9_14' into 'v9_14'
attach memory context sooner so that cleanup will work correctly

See merge request isc-projects/bind9!1883
2019-04-26 19:10:32 -04:00
Evan Hunt
524d36bc2d attach memory context sooner so that cleanup will work correctly
(cherry picked from commit 0fd344e77a)
2019-04-26 15:53:48 -07:00
Ondřej Surý
60a834789e Merge branch '999-tcp-client-crash-v9_11-locks-v9_14' into 'v9_14'
Replace atomic operations in bin/named/client.c with isc_refcount reference counting

See merge request isc-projects/bind9!1880
2019-04-26 15:45:38 -04:00
Ondřej Surý
e203d4d65a Replace atomic operations in bin/named/client.c with isc_refcount reference counting
(cherry picked from commit ef49780d30)
2019-04-26 21:33:50 +02:00
Michał Kępień
bb258967c3 Merge branch 'michal/simplify-trailing-period-handling-in-system-tests-v9_14' into 'v9_14'
[v9_14] Simplify trailing period handling in system tests

See merge request isc-projects/bind9!1877
2019-04-26 15:12:11 -04:00
Michał Kępień
3b7bc3421c Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do.  When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems.  This environment variable is then used by system test scripts
for handling this discrepancy properly.

In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:

    dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"

In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.

To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.

(cherry picked from commit da2c1b74ad)
2019-04-26 20:38:29 +02:00
Michał Kępień
e3a090e159 Merge branch 'michal/fix-rare-allow-query-system-test-failures-v9_14' into 'v9_14'
[v9_14] Fix rare "allow-query" system test failures

See merge request isc-projects/bind9!1876
2019-04-26 05:31:25 -04:00
Michał Kępień
027c6179a8 Make root zone data match root hints
In the "allow-query" system test, ns3 uses a root hints file which
contains a single entry for a.root-servers.nil (10.53.0.1).  This name
is not present in the root zone served by ns1, which means querying it
for that name and any type will yield an NXDOMAIN response.  When
combined with unfavorable thread scheduling, this can lead to ns3
caching an NXDOMAIN response for the only root server it is aware of and
thus to false positives for the "allow-query" system test caused by ns3
returning unexpected SERVFAIL responses.  Fix by modifying the root zone
served by ns1 so that authoritative responses to a.root-servers.nil
queries match the root hints file used by ns3.

(cherry picked from commit 978a0d2555)
2019-04-26 11:07:00 +02:00
Evan Hunt
9215d68c6b Merge branch '982-filter-aaaa-race-v9_14' into 'v9_14'
Resolve "filter-aaaa crash in 9.14.0"

See merge request isc-projects/bind9!1874
2019-04-26 03:44:38 -04:00
Evan Hunt
e4204809ed CHANGES
(cherry picked from commit ce8ad08a45)
2019-04-26 00:32:55 -07:00
Evan Hunt
8c1af0d3f5 associate a lock with the memory pool in the filter-aaaa plugin
(cherry picked from commit 4f4c18d643)
2019-04-26 00:32:55 -07:00
Ondřej Surý
1d6133277f Merge branch 'prep-release-v9_14' into 'v9_14'
Prep release v9 14

See merge request isc-projects/bind9!1872
2019-04-25 11:28:50 -04:00
Tinderbox User
586e085a71 doc rebuild
(cherry picked from commit b441152036)
2019-04-25 17:01:11 +02:00
Tinderbox User
02cbca91d7 prep 9.14.1
(cherry picked from commit c7004347bc)
2019-04-25 17:00:56 +02:00
Ondřej Surý
a6fac68b4f Merge branch '615-tcp-client-crash-v9_14-v9_14' into 'v9_14'
Resolve "tcp-clients mostly ineffective"

See merge request isc-projects/bind9!1870
2019-04-25 10:40:31 -04:00
Evan Hunt
228a29da4b CHANGES, release note
(cherry picked from commit 244e44af432121a05e0a308b7ccce96a8ecd28ab)
(cherry picked from commit 79fad84bf6)
2019-04-25 16:20:50 +02:00
Evan Hunt
86e9e54766 restore allowance for tcp-clients < interfaces
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.

we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.

(cherry picked from commit 02365b87ea0b1ea5ea8b17376f6734c811c95e61)
(cherry picked from commit cae79e1bab)
2019-04-25 16:20:50 +02:00
Evan Hunt
a78af2f1d3 refactor tcpquota and pipeline refs; allow special-case overrun in isc_quota
- if the TCP quota has been exceeded but there are no clients listening
  for new connections on the interface, we can now force attachment to the
  quota using isc_quota_force(), instead of carrying on with the quota not
  attached.
- the TCP client quota is now referenced via a reference-counted
  'ns_tcpconn' object, one of which is created whenever a client begins
  listening for new connections, and attached to by members of that
  client's pipeline group. when the last reference to the tcpconn
  object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function
- convert counters to stdatomic

(cherry picked from commit a8dd133d270873b736c1be9bf50ebaa074f5b38f)
(cherry picked from commit 4a8fc979c4)
2019-04-25 16:20:50 +02:00
Evan Hunt
a41c9dbfc1 better tcpquota accounting and client mortality checks
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
  carry this value on to new clients sharing the same pipeline group.
  don't call isc_quota_detach() on the tcpquota unless tcpattached is
  set.  this way clients that were allowed to accept TCP connections
  despite being over quota (and therefore, were never attached to the
  quota) will not inadvertently detach from it and mess up the
  accounting.
- simplify the code for tcpquota disconnection by using a new function
  tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
  exhaustion, check to see whether there are at least two active
  clients. previously, this was "at least one", but that could be
  insufficient if there was one other client in READING state (waiting
  for messages on an open connection) but none in READY (listening
  for new connections).
- before deciding whether a TCP client object can to go inactive, we
  must ensure there are enough other clients to maintain service
  afterward -- both accepting new connections and reading/processing new
  queries.  A TCP client can't shut down unless at least one
  client is accepting new connections and (in the case of pipelined
  clients) at least one additional client is waiting to read.

(cherry picked from commit 427a2fb4d17bc04ca3262f58a9dcf5c93fc6d33e)
(cherry picked from commit 0896841272)
2019-04-25 16:20:49 +02:00
Michał Kępień
010e6f4bd7 use reference counter for pipeline groups (v3)
Track pipeline groups using a shared reference counter
instead of a linked list.

(cherry picked from commit 31f392db20207a1b05d6286c3c56f76c8d69e574)
(cherry picked from commit 2211120222)
2019-04-25 16:20:49 +02:00
Witold Kręcicki
ef28e8879b tcp-clients could still be exceeded (v2)
the TCP client quota could still be ineffective under some
circumstances.  this change:

- improves quota accounting to ensure that TCP clients are
  properly limited, while still guaranteeing that at least one client
  is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
  was no longer needed
- adds comments

(cherry picked from commit 9e74969f85329fe26df2fad390468715215e2edd)
(cherry picked from commit d7e84cee0b)
2019-04-25 16:20:49 +02:00
Witold Kręcicki
4ca208adb8 fix enforcement of tcp-clients (v1)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.

If TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.

(cherry picked from commit eafcff07c25bdbe038ae1e4b6660602a080b9395)
(cherry picked from commit 9e7617cc84)
2019-04-25 16:20:49 +02:00
Ondřej Surý
b128b54261 Merge branch '880-secure-asdfasdfasdf-abacadabra-crash-v9_14-v9_14' into 'v9_14'
Resolve "CVE-2019-6467: lib/ns/query.c:9176: INSIST(!qctx->is_zone) failed, back trace"

See merge request isc-projects/bind9!1867
2019-04-25 10:19:26 -04:00
Evan Hunt
31c690396d CHANGES, release note
(cherry picked from commit ab5473007e91f011d003ff0ba5ab32fa0d56360c)
(cherry picked from commit 404be59527)
2019-04-25 15:59:43 +02:00
Matthijs Mekking
6b22e1f4fe Fix nxdomain-redirect assertion failure
- Always set is_zonep in query_getdb; previously it was only set if
  result was ISC_R_SUCCESS or ISC_R_NOTFOUND.
- Don't reset is_zone for redirect.
- Style cleanup.

(cherry picked from commit a85cc641d7a4c66cbde03cc4e31edc038a24df46)
(cherry picked from commit 486a201149)
2019-04-25 15:59:43 +02:00
Matthijs Mekking
a38d17dc1c Add test for nxdomain-redirect ncachenxdomain
(cherry picked from commit 2d65626630c19bb8159a025accb18e5179da5dc3)
(cherry picked from commit 05d29443eb)
2019-04-25 15:59:43 +02:00
Mark Andrews
ef6001e055 Merge branch '992-fetchcount-increment-in-resume-qmin-v9_14' into 'v9_14'
When resuming from qname-minimization increase fetches-per-zone counters for the 'new' zone

See merge request isc-projects/bind9!1850
2019-04-23 21:14:40 -04:00
Witold Kręcicki
434ef46661 When resuming from qname-minimization increase fetches-per-zone counters for the 'new' zone
(cherry picked from commit 7043c6eaf5)
2019-04-24 11:03:37 +10:00
Mark Andrews
84a02a0ed7 Merge branch '995-dlz_open_driver-fix-build-failure-without-dlfcn-h-v9_14' into 'v9_14'
Resolve "dlz_open_driver: fix build failure without dlfcn.h"

See merge request isc-projects/bind9!1856
2019-04-23 21:00:55 -04:00
Mark Andrews
c7bf78d52d add CHANGES
(cherry picked from commit 19e4098139)
2019-04-24 09:31:04 +10:00
Mark Andrews
0c5ab7563a conditionally include <dlfcn.h>
(cherry picked from commit eee8084734)
2019-04-24 09:31:04 +10:00
Mark Andrews
d5ec990f18 Merge branch '996-wrong-key-id-is-displayed-for-rsamd5-keys-v9_14' into 'v9_14'
Resolve "Wrong key id is displayed for RSAMD5 keys."

See merge request isc-projects/bind9!1853
2019-04-23 19:10:33 -04:00
Mark Andrews
c15805d74d add CHANGES
(cherry picked from commit 11cddb689f)
2019-04-24 08:52:20 +10:00
Mark Andrews
1b432b3633 compute the RSAMD5 key id
(cherry picked from commit ffaa5a07dd)
2019-04-24 08:51:50 +10:00
Matthijs Mekking
ae9c457878 Merge branch 'matthijs-fix-dnssec-test-intermittent-failure-kskonly-v9_14' into 'v9_14'
Fix dnssec test intermittent failure related to kskonly bugfix

See merge request isc-projects/bind9!1851
2019-04-23 11:25:39 -04:00
Matthijs Mekking
f58a0bbcc1 Harden grep key ID calls
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.

(cherry picked from commit 83473b9758)
2019-04-23 17:12:20 +02:00
Matthijs Mekking
5496b04829 Remove sleeps
Remove sleep calls from test, rely on wait_for_log().  Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.

Slightly adjust the echo_i() lines to print only the key ID (not the
key name).

(cherry picked from commit 67f0635f3c)
2019-04-23 17:12:11 +02:00
Michał Kępień
5bb8f501ee Merge branch 'michal/minor-nsupdate-system-test-tweaks-v9_14' into 'v9_14'
[v9_14] Minor "nsupdate" system test tweaks

See merge request isc-projects/bind9!1848
2019-04-23 09:20:07 -04:00
Michał Kępień
5bd52654e8 Wait more than 1 second for NSEC3 chain changes
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete.  Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.

(cherry picked from commit f8746cddbc)
2019-04-23 14:59:22 +02:00
Michał Kępień
8691b38edf Remove redundant sleeps
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.

(cherry picked from commit 1c8e5ea333)
2019-04-23 14:59:22 +02:00
Mark Andrews
41af10f069 Merge branch 'cleanup-socket-references-v9_14' into 'v9_14'
use isc_refcount_decrement to decrement NEWCONNSOCK(dev)->references; use...

See merge request isc-projects/bind9!1845
2019-04-23 02:44:19 -04:00
Mark Andrews
ca51ee2bb3 use isc_refcount_decrement to decrement NEWCONNSOCK(dev)->references; use isc_refcount_increment instead of isc_refcount_init in socket_create
(cherry picked from commit 265554f895)
2019-04-23 14:47:20 +10:00
Mark Andrews
f5eae9d637 Merge branch 'clang-false-positive-v9_14' into 'v9_14'
add assertions to silence clang false positive

See merge request isc-projects/bind9!1844
2019-04-23 00:22:26 -04:00
Mark Andrews
ff2c10cced add assertions to silence clang false positive
(cherry picked from commit bed9ad79ba)
2019-04-23 14:05:47 +10:00
Mark Andrews
8af9f59a58 Merge branch '962-bind-just-disables-gssapi-support-if-no-gssapi-krb5-headers-found-v9_14' into 'v9_14'
Resolve "Bind just disables GSSAPI support if no GSSAPI/KRB5 headers found"

See merge request isc-projects/bind9!1842
2019-04-22 23:17:02 -04:00
Mark Andrews
eee13b7786 make 'configure --with-gssapi=yes' fatal if support is not found
(cherry picked from commit e420078c63)
2019-04-23 12:59:26 +10:00
Evan Hunt
6419622575 Merge branch '990-return-servfail-v9_14' into 'v9_14'
force SERVFAIL response in the gotanswer failure case

See merge request isc-projects/bind9!1841
2019-04-22 22:30:37 -04:00
Evan Hunt
358e37309c CHANGES
(cherry picked from commit 4d358c9bce)
2019-04-22 19:11:41 -07:00
Evan Hunt
fcd2c2b644 force SERVFAIL response in the gotanswer failure case
- named could return FORMERR if parsing iterative responses
  ended with a result code such as DNS_R_OPTERR. instead of
  computing a response code based on the result, in this case
  we now just force the response to be SERVFAIL.

(cherry picked from commit 7402615697)
2019-04-22 19:11:41 -07:00
Mark Andrews
93af6cd40e Merge branch 'incorrect-use-of-bool-v9_14' into 'v9_14'
using 0 instead of false

See merge request isc-projects/bind9!1839
2019-04-22 22:06:57 -04:00
Mark Andrews
d5d4ddd764 using 0 instead of false
(cherry picked from commit da7f683abf)
2019-04-23 11:45:33 +10:00
Michał Kępień
5ac1725b67 Merge branch 'michal/win32-system-test-fixes-v9_14' into 'v9_14'
[v9_14] Miscellaneous Windows system test fixes

See merge request isc-projects/bind9!1834
2019-04-19 05:52:15 -04:00
Michał Kępień
f069aca7ed Update interface lists in ifconfig scripts
Make bin/tests/system/ifconfig.bat also configure addresses ending with
9 and 10, so that the script is in sync with its Unix counterpart.

Update comments listing the interfaces created by ifconfig.{bat,sh} so
that they do not include addresses whose last octet is zero (since an
address like 10.53.1.0/24 is not a valid host address and thus the
aforementioned scripts do not even attempt configuring them).

(cherry picked from commit b6c1cdfffe)
2019-04-19 11:29:29 +02:00
Michał Kępień
26907f1b0b Fix the "dnssec" system test on Windows
On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
contains carriage return characters at the end of each line.  Remove
them before passing the aforementioned file to the awk script extracting
key IDs so that the latter can work properly.

(cherry picked from commit e4280ed9f5)
2019-04-19 11:29:24 +02:00
Michał Kępień
2c7e341bf3 Do not wait for lock file cleanup on Windows
As signals are currently not handled by named on Windows, instances
terminated using signals are not able to perform a clean shutdown, which
involves e.g. removing the lock file.  Thus, waiting for a given
instance's lock file to be removed beforing assuming it is shut down
is pointless on Windows, so do not even attempt it.

(cherry picked from commit 761ba4514f)
2019-04-19 11:28:05 +02:00
Michał Kępień
aa5839b19c Merge branch '979-win32-remove-lock-file-upon-shutdown-v9_14' into 'v9_14'
[v9_14] win32: remove lock file upon shutdown

See merge request isc-projects/bind9!1832
2019-04-19 05:20:31 -04:00
Michał Kępień
b45e5fc0c6 Add CHANGES entry
5214.	[bug]		win32: named now removes its lock file upon shutdown.
			[GL #979]

(cherry picked from commit e048436805)
2019-04-19 11:00:36 +02:00
Michał Kępień
a228c5b7be win32: remove lock file upon shutdown
Upon named shutdown, the lock file should not just be unlocked but also
removed.

(cherry picked from commit c506077da5)
2019-04-19 11:00:35 +02:00
Michał Kępień
f9b7e2834c Merge branch '978-win32-fix-service-state-reported-during-shutdown-v9_14' into 'v9_14'
[v9_14] win32: fix service state reported during shutdown

See merge request isc-projects/bind9!1830
2019-04-19 04:19:35 -04:00
Michał Kępień
d79ad36b90 Add CHANGES entry
5213.	[bug]		win32: Eliminated a race which allowed named.exe running
			as a service to be killed prematurely during shutdown.
			[GL #978]

(cherry picked from commit e7332343ed)
2019-04-19 09:53:39 +02:00
Michał Kępień
a8172d06cf win32: fix service state reported during shutdown
When a Windows service receives a request to stop, it should not set its
state to SERVICE_STOPPED until it is completely shut down as doing that
allows the operating system to kill that service prematurely, which in
the case of named may e.g. prevent the PID file and/or the lock file
from being cleaned up.

Set service state to SERVICE_STOP_PENDING when named begins its shutdown
and only report the SERVICE_STOPPED state immediately before exiting.

(cherry picked from commit 964749dfdb)
2019-04-19 09:38:45 +02:00
Ondřej Surý
1aeeb6ab85 Merge branch '989-check-for-typeof-extension-v9_14' into 'v9_14'
(v9_14) Use uintmax_t instead of typeof(x) in the ISC_ALIGN macro on non-GNUC systems

See merge request isc-projects/bind9!1827
2019-04-18 07:38:40 -04:00
Ondřej Surý
3349792aa3 On non-GNUC systems, use uintmax_t in the ISC_ALIGN macro
(cherry picked from commit 2e40cc94dc)
2019-04-18 13:17:21 +02:00
Ondřej Surý
5c1d831069 Merge branch 'ondrej/text-files-dont-need-copyright-v9_14' into 'v9_14'
(v9_14) Simple text files don't need copyright header

See merge request isc-projects/bind9!1822
2019-04-18 02:58:22 -04:00
Ondřej Surý
c8e376af50 Simple text files with docs on build or design don't really need copyright on their own
(cherry picked from commit 1877139a32)
2019-04-18 08:56:01 +02:00
Ondřej Surý
9e44151d40 Merge branch 'ondrej/refactor-DNS_RDATASET_FIXED-code-flow-v9_14' into 'v9_14'
(v9_14) Refactor the DNS_RDATASET_FIXED code to use macros instead of ifdefs

See merge request isc-projects/bind9!1817
2019-04-17 05:53:58 -04:00
Ondřej Surý
cd40d65e1b Refactor the DNS_RDATASET_FIXED code to use constants instead of ifdefs
(cherry picked from commit 4edbb773a1)
2019-04-17 11:34:17 +02:00
Matthijs Mekking
d583362353 Merge branch '757-unsupported-algorithms-v9_14' into 'v9_14'
Resolve "Investigate and fix what happens when managed-key algorithm is not supported"

See merge request isc-projects/bind9!1816
2019-04-17 04:54:45 -04:00
Matthijs Mekking
30ec661356 Update CHANGES
(cherry picked from commit 768ded1102)
2019-04-17 10:36:20 +02:00
Matthijs Mekking
b93cb57afe Add documentation
(cherry picked from commit a67dac5d21)
2019-04-17 10:35:33 +02:00
Matthijs Mekking
d52bed8864 DLV tests unsupported/disabled algorithms
This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.

(cherry picked from commit 3b7c849a3f)
2019-04-17 10:35:19 +02:00
Michał Kępień
3113dc24ec Move code handling key loading errors into a common function
Some values returned by dstkey_fromconfig() indicate that key loading
should be interrupted, others do not.  There are also certain subsequent
checks to be made after parsing a key from configuration and the results
of these checks also affect the key loading process.  All of this
complicates the key loading logic.

In order to make the relevant parts of the code easier to follow, reduce
the body of the inner for loop in load_view_keys() to a single call to a
new function, process_key().  Move dstkey_fromconfig() error handling to
process_key() as well and add comments to clearly describe the effects
of various key loading errors.

(cherry picked from commit b85007e0a6)
2019-04-17 10:35:07 +02:00
Matthijs Mekking
a224bea4b2 Also ignore configured revoked trusted anchors
(cherry picked from commit 4d1ed1283a)
2019-04-17 10:34:54 +02:00
Matthijs Mekking
a7c59e322b Ignore trust anchors using disabled algorithm
More specifically: ignore configured trusted and managed keys that
match a disabled algorithm.  The behavioral change is that
associated responses no longer SERVFAIL, but return insecure.

(cherry picked from commit 1d45ad8f39)
2019-04-17 10:33:25 +02:00
Matthijs Mekking
42c543bb85 Move algorithm variables, add disabled algorithms
Move from conf.sh.in to conf.sh.common as they will also need to be
added to conf.sh.win32.  Add variables for testing disabled
algorithms.

(cherry picked from commit 07c35f32f9)
2019-04-17 10:29:09 +02:00
Matthijs Mekking
96312dadc6 Add inline test related to unsupported algorithms
(cherry picked from commit 924fdad0e5)
2019-04-17 10:28:57 +02:00
Matthijs Mekking
5626c56862 System tests for tools and unsupported algorithms
(cherry picked from commit dfcf9bb0ed)
2019-04-17 10:28:40 +02:00
Evan Hunt
ab125db998 Merge branch '817-out-of-zone-additional-v9_14' into 'v9_14'
out of zone additional data

See merge request isc-projects/bind9!1805
2019-04-15 14:54:58 -04:00
Evan Hunt
0d6a4f7a89 CHANGES
(cherry picked from commit 5071e43c19)
2019-04-15 11:38:28 -07:00
Evan Hunt
0ccddb2b0e revise "minimal-responses" documentation in the ARM
(cherry picked from commit b7e9115793)
2019-04-15 11:38:28 -07:00
Evan Hunt
19f249ffa5 if recursion is allowed and minimal-responses is no, search other databases
this restores functionality that was removed in commit 03be5a6b4e,
allowing named to search in authoritative zone databases outside the
current zone for additional data, if and only if recursion is allowed
and minimal-responses is disabled.

(cherry picked from commit 7fff3295f5)
2019-04-15 11:38:28 -07:00
Matthijs Mekking
7d7930cb82 Merge branch '763-matthijs-active-zsk-but-ksk-only-v9_14' into 'v9_14'
Don't sign DNKSEY RRset with ZSK if KSK is offline

See merge request isc-projects/bind9!1796
2019-04-12 06:02:16 -04:00
Matthijs Mekking
f4dc62f33b With update-check-ksk also consider offline keys
The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records.  It will make sure the keys are
active and available.  However, for operational practices keys may
be offline.  This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.

(cherry picked from commit 3cb8c49c73)
2019-04-12 11:33:06 +02:00
Matthijs Mekking
244870844c Style: some curly brackets
(cherry picked from commit 2e83e3255a)
2019-04-12 11:33:06 +02:00
Matthijs Mekking
3e75bea995 Add detail on echo message in autosign test
(cherry picked from commit d330986374)
2019-04-12 11:33:06 +02:00
Matthijs Mekking
4dee3d149c Add test for ZSK rollover while KSK offline
This commit adds a lengthy test where the ZSK is rolled but the
KSK is offline (except for when the DNSKEY RRset is changed).  The
specific scenario has the `dnskey-kskonly` configuration option set
meaning the DNSKEY RRset should only be signed with the KSK.

A new zone `updatecheck-kskonly.secure` is added to test against,
that can be dynamically updated, and that can be controlled with rndc
to load the DNSSEC keys.

There are some pre-checks for this test to make sure everything is
fine before the ZSK roll, after the new ZSK is published, and after
the old ZSK is deleted.  Note there are actually two ZSK rolls in
quick succession.

When the latest added ZSK becomes active and its predecessor becomes
inactive, the KSK is offline.  However, the DNSKEY RRset did not
change and it has a good signature that is valid for long enough.
The expected behavior is that the DNSKEY RRset stays signed with
the KSK only (signature does not need to change).  However, the
test will fail because after reconfiguring the keys for the zone,
it wants to add re-sign tasks for the new active keys (in sign_apex).
Because the KSK is offline, named determines that the only other
active key, the latest ZSK, will be used to resign the DNSKEY RRset,
in addition to keeping the RRSIG of the KSK.

The question is: Why do we need to resign the DNSKEY RRset
immediately when a new key becomes active?  This is not required,
only once the next resign task is triggered the new active key
should replace signatures that are in need of refreshing.

(cherry picked from commit 8bc10bcf59)
2019-04-12 11:33:06 +02:00
Mark Andrews
72ba7d132d Merge branch '980-util-update_copyrights-now-needs-to-handle-files-with-cr-lf-endings-v9_14' into 'v9_14'
Resolve "util/update_copyrights now needs to handle files with CR LF endings."

See merge request isc-projects/bind9!1803
2019-04-12 00:50:03 -04:00
Mark Andrews
a7e1a91a36 support files which have CR LF ending like those in win32utils
(cherry picked from commit e76936fd85)
2019-04-12 14:32:32 +10:00
Evan Hunt
7378ba8a80 Merge branch '963-dnstap-check-ra-v9_14' into 'v9_14'
dnstap: if recursion is not available, log queries as AQ instead of CQ

See merge request isc-projects/bind9!1799
2019-04-11 19:08:50 -04:00
Evan Hunt
ded4650794 CHANGES 2019-04-11 15:48:50 -07:00
Evan Hunt
f6c3b13522 dnstap: if recursion is not available, log queries as AQ instead of CQ
(cherry picked from commit 1f578cdb12)
2019-04-11 15:45:52 -07:00
Evan Hunt
c675e366f2 Merge branch '972-auto-validation-summary-v9_14' into 'v9_14'
configure summary failed to report --disable-auto-validation correctly

See merge request isc-projects/bind9!1798
2019-04-11 13:05:00 -04:00
Evan Hunt
7b99a235a8 configure summary failed to report --disable-auto-validation correctly 2019-04-11 09:45:47 -07:00
Mark Andrews
57c8cb42db Merge branch '899-add-totext-fromtext-to-wirechecks-v9_14' into 'v9_14'
Run wire check through "totext" and "fromtext" methods including multi-line.

See merge request isc-projects/bind9!1789
2019-04-11 06:01:29 -04:00
Mark Andrews
ad73e08b07 Add CHANGES
(cherry picked from commit 307a1b563b)
2019-04-11 19:47:44 +10:00
Mark Andrews
b27ef87c38 Add debug printfs
(cherry picked from commit b78e128a2f)
2019-04-11 19:47:44 +10:00
Mark Andrews
86bb6e23ce Prevent WIRE_INVALID() being called without a argument
(cherry picked from commit e73a5b0ce3)
2019-04-11 19:47:44 +10:00
Mark Andrews
1eb7267e60 Check multi-line output from dns_rdata_tofmttext()
Check that multi-line output from dns_rdata_tofmttext() can be read
back in by dns_rdata_fromtext().

(cherry picked from commit b089f43b7a)
2019-04-11 19:47:44 +10:00
Mark Andrews
14c2db8c5d Process master file comments and make input invalid again
(cherry picked from commit 1a75a5cee6)
2019-04-11 19:47:43 +10:00
Mark Andrews
4395311280 Set 'specials' to match 'specials' in 'lib/dns/master.c'
(cherry picked from commit 7941a9554f)
2019-04-11 19:47:43 +10:00
Mark Andrews
c5b191e78f Fix whitespace so that the names align
(cherry picked from commit cc5e16e4d3)
2019-04-11 19:47:43 +10:00
Mark Andrews
56a534ab06 Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.

(cherry picked from commit 36f30f5731)
2019-04-11 19:47:43 +10:00
Mark Andrews
63b34486c1 Merge branch '965-delv-prints-weird-ttl-values-2-v9_14' into 'v9_14'
Test that dig and delve print correct TTL values.

See merge request isc-projects/bind9!1786
2019-04-10 02:01:08 -04:00
Mark Andrews
fe0c131061 add CHANGES
(cherry picked from commit dfc485b02e)
2019-04-10 15:48:48 +10:00
Matthijs Mekking
5b77d02cbb Check dig TTLs.
This also fixes a bug in the tests ($n was not incremented in one
place).

(cherry picked from commit 195277ca6d)
2019-04-10 15:48:48 +10:00
Mark Andrews
f471907db8 Check delv TTLs.
(cherry picked from commit 146202d6a8)
2019-04-10 15:48:48 +10:00
Mark Andrews
6ba7607283 Merge branch '965-delv-prints-weird-ttl-values-v9_14' into 'v9_14'
Initialise view->mincachettl and view->minncachettl to zero in dns_view_create.

See merge request isc-projects/bind9!1785
2019-04-10 01:20:45 -04:00
Mark Andrews
dad1a49e4e Add CHANGES.
(cherry picked from commit 538da8c80d)
2019-04-10 15:08:33 +10:00
Mark Andrews
10fba8fd8d Initialise mincachettl and minncachettl to zero in dns_view_create.
(cherry picked from commit 8fd4308bda)
2019-04-10 15:08:33 +10:00
Mark Andrews
3818f05513 Merge branch '899-enforce-hash-in-ds-v9_14' into 'v9_14'
enforce DS hash exists

See merge request isc-projects/bind9!1783
2019-04-10 01:03:30 -04:00
Mark Andrews
92bb35b2f5 add CHANGES
(cherry picked from commit 97b7360ce1)
2019-04-10 14:44:05 +10:00
Mark Andrews
480bcb314d add ds unit test
(cherry picked from commit 6eb28eda1e)
2019-04-10 14:44:05 +10:00
Mark Andrews
b24c128a2c enforce DS hash exists
(cherry picked from commit b274f3fad7)
2019-04-10 14:44:05 +10:00
Mark Andrews
4b3df7b577 Merge branch '852-run-fromtext-through-fromwire-v9_14' into 'v9_14'
check that from fromtext produces valid towire input

See merge request isc-projects/bind9!1780
2019-04-09 23:36:54 -04:00
Mark Andrews
2e7a18fb3c add CHANGES
(cherry picked from commit d712b88048)
2019-04-10 13:24:17 +10:00
Mark Andrews
d006ae2195 check that from fromtext produces valid towire input
(cherry picked from commit 7b0a653858)
2019-04-10 13:24:17 +10:00
Ondřej Surý
25b1635310 Merge branch '971-downgrade-DLZ_DBCLIENTINFO_VERSION-in-dlz_minimal.h-v9_14' into 'v9_14'
Downgrade the dns_clientinfomethod structure to the version in lib/dns/clientinfo.c

See merge request isc-projects/bind9!1778
2019-04-09 15:39:25 -04:00
Ondřej Surý
69e218ea45 Downgrade the dns_clientinfomethod structure to the version in lib/dns/clientinfo.c
(cherry picked from commit a6f09b2255)
2019-04-09 20:25:53 +01:00
Mark Andrews
e09a3f0a2b Merge branch '899-fromwire-check-flags-for-nokey-v9_14' into 'v9_14'
Check KEY flags for empty key in fromwire method

See merge request isc-projects/bind9!1776
2019-04-09 00:49:12 -04:00
Mark Andrews
3c32b765c1 add CHANGES
(cherry picked from commit f78c688c4f)
2019-04-09 14:22:50 +10:00
Mark Andrews
53a62e2977 for rkey flags MUST be zero
(cherry picked from commit 82d4931440)
2019-04-09 14:22:50 +10:00
Mark Andrews
07d024a4da check flags for no key in fromwire for *KEY
(cherry picked from commit 2592e91516)
2019-04-09 14:22:50 +10:00
Mark Andrews
356bf021e2 Merge branch '976-dns-ecs-h-missing-isc_lang_enddecls-v9_14' into 'v9_14'
Resolve "dns/ecs.h missing ISC_LANG_ENDDECLS"

See merge request isc-projects/bind9!1775
2019-04-08 22:19:11 -04:00
Mark Andrews
14313d798a <dns/ecs.h> was missing ISC_LANG_ENDDECLS.
(cherry picked from commit 698a6f955e)
2019-04-09 12:05:57 +10:00
Evan Hunt
e5de594ddb Merge branch '973-pause-dbiterator-in-rpz-v9_14' into 'v9_14'
Fix deadlock in RPZ update code.

See merge request isc-projects/bind9!1772
2019-04-06 15:55:03 -04:00
Witold Kręcicki
6e63d7047d Fix deadlock in RPZ update code.
In dns_rpz_update_from_db we call setup_update which creates the db
iterator and calls dns_dbiterator_first. This unpauses the iterator and
might cause db->tree_lock to be acquired. We then do isc_task_send(...)
on an event to do quantum_update, which (correctly) after each iteration
calls dns_dbiterator_pause, and re-isc_task_sends itself.

That's an obvious bug, as we're holding a lock over an async task send -
if a task requesting write (e.g. prune_tree) is scheduled on the same
workers queue as update_quantum but before it, it will wait for the
write lock indefinitely, resulting in a deadlock.

To fix it we have to pause dbiterator in setup_update.

(cherry picked from commit 06021b3529)
2019-04-06 12:41:36 -07:00
Witold Krecicki
5ca807d65d Merge branch '966-resume-qmin-shuttingdown-v9_14' into 'v9_14'
Resolve "Crash in resolver code"

See merge request isc-projects/bind9!1766
2019-04-03 10:57:36 -04:00
Witold Kręcicki
4df48b84c1 CHANGES
(cherry picked from commit d11791e24c)
2019-04-03 16:34:33 +02:00
Witold Kręcicki
9ff296afeb In resume_qmin check if the fetch context is already shutting down - if so, try to destroy it, don't continue
(cherry picked from commit 7c960e89ea)
2019-04-03 16:34:33 +02:00
Michał Kępień
4024dac62b Merge branch '893-do-not-rely-on-default-dig-options-in-system-tests-v9_14' into 'v9_14'
[v9_14] Do not rely on default dig options in system tests

See merge request isc-projects/bind9!1764
2019-04-03 07:21:57 -04:00
Michał Kępień
915f94a6a3 Do not rely on default dig options in system tests
Some system tests assume dig's default setings are in effect.  While
these defaults may only be silently overridden (because of specific
options set in /etc/resolv.conf) for BIND releases using liblwres for
parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
prudent to make sure that tests relying on specific +timeout and +tries
settings specify these explicitly in their dig invocations, in order to
prevent test failures from being triggered by any potential changes to
current defaults.

(cherry picked from commit b6cce0fb8b)
2019-04-03 12:57:45 +02:00
Mark Andrews
cabee6b765 Merge branch '920-see-problem-when-multiple-sigs-with-besteffort-parsing-v9_14' into 'v9_14'
Address problems with best effort parsing.

See merge request isc-projects/bind9!1752
2019-03-26 06:46:09 -04:00
Mark Andrews
ffdd736b63 add CHANGES
(cherry picked from commit b779342017)
2019-03-26 21:32:08 +11:00
Witold Kręcicki
69d3bb78c2 Fix assertion failure in nslookup/dig/mdig when message has multiple SIG(0) options.
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.

(cherry picked from commit 51a55ddbb7)
2019-03-26 21:32:08 +11:00
Mark Andrews
ddfd5be3b7 Merge branch '955-make-install-fails-after-configure-with-dlopen-no-v9_14' into 'v9_14'
Resolve "`make install` fails after ./configure --with-dlopen=no"

See merge request isc-projects/bind9!1750
2019-03-26 05:09:06 -04:00
Mark Andrews
7a0f39b848 add CHANGES
(cherry picked from commit bd670d4a04)
2019-03-26 19:54:40 +11:00
Mark Andrews
8c2a3b03f4 fix plugin installation
(cherry picked from commit cd3593c38d)
2019-03-26 19:54:39 +11:00
Evan Hunt
e1240eaa2e Merge branch 'each-merge-9140-doc' into 'v9_14'
merge version updates for 9.14.0rc3 and 9.14.0

See merge request isc-projects/bind9!1748
2019-03-22 13:35:42 -04:00
Tinderbox User
684f90a674 doc rebuild 2019-03-22 10:35:15 -07:00
Tinderbox User
e6225b210b prep 9.14.0 2019-03-22 10:35:15 -07:00
Tinderbox User
19c53595ff doc rebuild 2019-03-22 10:35:15 -07:00
Tinderbox User
2d36283bc1 prep 9.14.0rc3 2019-03-22 10:35:15 -07:00
Tinderbox User
fdeb694c1e doc rebuild 2019-03-22 10:35:15 -07:00
Tinderbox User
fc43fe565a prep 9.14.0rc2 2019-03-22 10:35:15 -07:00
Ondřej Surý
9cfcce0858 Merge branch '4-make-dnstap.pb-c.h-private-v9_14' into 'v9_14'
(v9_14) Make lib/dns/dnstap.pb-c.h header a private to lib/dns

See merge request isc-projects/bind9!1745
2019-03-22 07:20:10 -04:00
Ondřej Surý
7485a4332e Make lib/dns/dnstap.pb-c.h private header
This changes dns_dtdata struct to not expose data types from dnstap.pb-c.h to
prevent the need for including this header where not really needed.

(cherry picked from commit 8ccce7e24b)
2019-03-22 12:07:31 +01:00
Evan Hunt
ffb950c8ae Merge branch '913-allow-update-v9_14' into 'v9_14'
restore inheritance of 'allow-update' and 'allow-update-forwarding'

See merge request isc-projects/bind9!1743
2019-03-22 03:29:39 -04:00
Evan Hunt
6b09e885b8 CHANGES, release notes
(cherry picked from commit 55a7961cf3)
2019-03-22 00:15:22 -07:00
Evan Hunt
dde35a8edf don't fail when allow-update{,-forwarding} is used globally
(cherry picked from commit 91dca0f8da)
2019-03-22 00:14:52 -07:00
Mark Andrews
a31960314a Merge branch '899-zonemd-check-for-hash-existence-v9_14' into 'v9_14'
zonemd require non empty hash

See merge request isc-projects/bind9!1740
2019-03-21 16:10:49 -04:00
Mark Andrews
5125a367ad add CHANGES
(cherry picked from commit e1db1b8dcb)
2019-03-22 06:52:10 +11:00
Mark Andrews
753d77c51f Disallow empty ZONEMD hashes
This change is the result of discussions with the authors of
draft-wessels-dns-zone-digest.

(cherry picked from commit 473987d8d9)
2019-03-22 06:52:10 +11:00
Mark Andrews
e4bd0c00e2 Merge branch '899-eid-totext-is-broken-v9_14' into 'v9_14'
EID and NIMLOC totext is broken.

See merge request isc-projects/bind9!1736
2019-03-21 05:40:45 -04:00
Mark Andrews
2818a83df9 add CHANGES
(cherry picked from commit c20b89fcf8)
2019-03-21 20:26:29 +11:00
Mark Andrews
c52dfb2063 add brackets for multi-line output
(cherry picked from commit 40a770b932)
2019-03-21 20:26:02 +11:00
Michał Kępień
8b047466c9 Merge branch 'michal/fix-key-id-extraction-in-the-dnssec-system-test-v9_14' into 'v9_14'
[v9_14] Fix key ID extraction in the "dnssec" system test

See merge request isc-projects/bind9!1734
2019-03-21 03:35:54 -04:00
Michał Kępień
d14d661c20 Fix key ID extraction in the "dnssec" system test
Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test.  Make key ID
extraction precise by using an awk script which operates on specific
fields.

(cherry picked from commit a40c60e4c1)
2019-03-21 08:10:47 +01:00
Michał Kępień
7046195e23 Merge branch 'michal/minor-mirror-system-test-tweaks-v9_14' into 'v9_14'
[v9_14] Minor "mirror" system test tweaks

See merge request isc-projects/bind9!1726
2019-03-20 05:09:21 -04:00
Michał Kępień
689f5aef5a Increase dig query timeout to 2 seconds
The "mirror" system test expects all dig queries (including recursive
ones) to be responded to within 1 second, which turns out to be overly
optimistic in certain cases and leads to false positives being
triggered.  Increase dig query timeout used throughout the "mirror"
system test to 2 seconds in order to alleviate the issue.

(cherry picked from commit 73afbdc552)
2019-03-20 09:51:18 +01:00
Michał Kępień
78cce30893 Increase TAT query interval
Currently, ns3 in the "mirror" system test sends trust anchor telemetry
queries every second as it is started with "-T tat=1".  Given the number
of trust anchors configured on ns3 (9), TAT-related traffic clutters up
log files, hindering troubleshooting efforts.  Increase TAT query
interval to 3 seconds in order to alleviate the issue.

Note that the interval chosen cannot be much higher if intermittent test
failures are to be avoided: TAT queries are only sent after the
configured number of seconds passes since resolver startup.  Quick
experiments show that even on contemporary hardware, ns3 should be
running for at least 5 seconds before it is first shut down, so a
3-second TAT query interval seems to be a reasonable, future-proof
compromise.  Ensure the relevant check is performed before ns3 is first
shut down to emphasize this trade-off and make it more clear by what
time TAT queries are expected to be sent.

(cherry picked from commit 6847a29b54)
2019-03-20 09:51:18 +01:00
Ondřej Surý
31a2a00c64 Merge branch '4-update-gitignore-for-future-automake-v9_14' into 'v9_14'
(v9_14) Update and sort the top level .gitignore to ignore automake files

See merge request isc-projects/bind9!1728
2019-03-20 04:45:11 -04:00
Ondřej Surý
514ed3d0fa Sort the top level .gitignore file
(cherry picked from commit b9d524ed7e)
2019-03-20 09:25:07 +01:00
Ondřej Surý
03a7e521df Update top level .gitignore to ignore automake files
(cherry picked from commit 5c67d1d120)
2019-03-20 09:25:07 +01:00
Michał Kępień
cab6c2ff01 Merge branch 'michal/serve-stale-system-test-wait-for-dump-completion-v9_14' into 'v9_14'
[v9_14] "serve-stale" system test: wait until "rndc dumpdb" completes

See merge request isc-projects/bind9!1725
2019-03-20 04:08:05 -04:00
Michał Kępień
a61cc8cffe Wait until "rndc dumpdb" completes
"rndc dumpdb" works asynchronously, i.e. the requested dump may not yet
be fully written to disk by the time "rndc" returns.  Prevent false
positives for the "serve-stale" system test by only checking dump
contents after the line indicating that it is complete is written.

(cherry picked from commit 6e3f812afc)
2019-03-20 08:48:25 +01:00
Michał Kępień
e677397e19 Merge branch '944-make-stop.pl-wait-for-lock-file-cleanup-v9_14' into 'v9_14'
[v9_14] Make stop.pl wait for lock file cleanup

See merge request isc-projects/bind9!1710
2019-03-19 06:18:36 -04:00
Michał Kępień
a226afa2a6 Make stop.pl wait for lock file cleanup
bin/tests/system/stop.pl only waits for the PID file to be cleaned up
while named cleans up the lock file after the PID file.  Thus, the
aforementioned script may consider a named instance to be fully shut
down when in fact it is not.

Fix by also checking whether the lock file exists when determining a
given instance's shutdown status.  This change assumes that if a named
instance uses a lock file, it is called "named.lock".

Also rename clean_pid_file() to pid_file_exists(), so that it is called
more appropriately (it does not clean up the PID file itself, it only
returns the server's identifier if its PID file is not yet cleaned up).

(cherry picked from commit c787a539d2)
2019-03-19 10:28:54 +01:00
Michał Kępień
1119cccf99 Correctly invoke stop.pl when start.pl fails
MR !1141 broke the way stop.pl is invoked when start.pl fails:

  - start.pl changes the working directory to $testdir/$server before
    attempting to start $server,

  - commit 27ee629e6b causes the $testdir
    variable in stop.pl to be determined using the $SYSTEMTESTTOP
    environment variable, which is set to ".." by all tests.sh scripts,

  - commit e227815af5 makes start.pl pass
    $test (the test's name) rather than $testdir (the path to the test's
    directory) to stop.pl when a given server fails to start.

Thus, when a server is restarted from within a tests.sh script and such
a restart fails, stop.pl attempts to look for the server directory in a
nonexistent location ($testdir/$server/../$test, i.e. $testdir/$test,
instead of $testdir/../$test).  Fix the issue by changing the working
directory before stop.pl is invoked in the scenario described above.

(cherry picked from commit 4afad2a047)
2019-03-19 10:28:54 +01:00
Evan Hunt
6fd2475f3e Merge branch '945-remove-revoked-root-key-from-bind-keys-v9_14' into 'v9_14'
Resolve "Remove revoked root key from bind.keys."

See merge request isc-projects/bind9!1708
2019-03-19 00:23:16 -04:00
Mark Andrews
3954d4ec30 Remove revoked root DNSKEY from bind.keys.
(cherry picked from commit 0e805b58e8)
2019-03-18 21:21:39 -07:00
Mark Andrews
8c0a0011f4 Merge branch '940-unit-dnstap-pkcs11-tz-v9_14' into 'v9_14'
Fix regression in dnstap_test with native pkcs11

See merge request isc-projects/bind9!1700
2019-03-15 01:37:53 -04:00
Mark Andrews
b1c658b850 add CHANGES
(cherry picked from commit 788f784191)
2019-03-15 16:17:52 +11:00
Petr Menšík
7885bbff99 Fix regression in dnstap_test with native pkcs11
Change to cmocka broken initialization of TZ environment. This time,
commit 1cf1254051 is not soon enough. Has
to be moved more forward, before any other tests. It library is not full
reinitialized on each test.

(cherry picked from commit 71c4fad592)
2019-03-15 16:17:52 +11:00
Mark Andrews
2dc5dbfeb2 Merge branch 'rename-shadowed-variable-v9_14' into 'v9_14'
rename-shadowed-variable

See merge request isc-projects/bind9!1699
2019-03-14 21:35:49 -04:00
Mark Andrews
b57ca2982f rename-shadowed-variable
(cherry picked from commit 15bfe4f2e1)
2019-03-15 12:23:57 +11:00
Evan Hunt
3123d8714f Merge branch '938-cppcheck-format-issues-v9_14' into 'v9_14'
Resolve "Cppcheck format issues."

See merge request isc-projects/bind9!1695
2019-03-14 17:03:16 -04:00
Mark Andrews
b30e5f11fb force promotion to unsigned int
(cherry picked from commit 1eba2c5b06)
2019-03-14 13:51:30 -07:00
Mark Andrews
838906b3cd isc_quota_* return unsigned int
(cherry picked from commit a43d648b95)
2019-03-14 13:51:30 -07:00
Evan Hunt
46bc92d5d1 Merge branch '890-assert-the-hevent-rdataset-is-non-null-v9_14' into 'v9_14'
Resolve "Assert the hevent->rdataset is non-NULL."

See merge request isc-projects/bind9!1693
2019-03-14 16:34:22 -04:00
Mark Andrews
68608eaa3c assert hevent->rdataset is non NULL
(cherry picked from commit d8d04edfba)
2019-03-14 13:16:43 -07:00
Evan Hunt
1c1fb922c2 Merge branch '937-potential-null-pointer-dereference-in-bin-tests-system-dlzexternal-driver-c-v9_14' into 'v9_14'
Resolve "potential null pointer dereference in bin/tests/system/dlzexternal/driver.c"

See merge request isc-projects/bind9!1690
2019-03-14 16:14:06 -04:00
Mark Andrews
8f2227a423 check that state and state->log are non NULL before calling state->log
(cherry picked from commit 7bf6750330)
2019-03-14 12:55:57 -07:00
Evan Hunt
be71d9cc43 Merge branch 'missing-isc-lang-h-v9_14' into 'v9_14'
missing lang.h

See merge request isc-projects/bind9!1689
2019-03-14 15:43:34 -04:00
Mark Andrews
cdaf04f043 missing #include <isc/lang.h>
(cherry picked from commit 719b1d7fdc)
2019-03-14 12:24:19 -07:00
Mark Andrews
12fa506459 Merge branch 'u/fanf2/man-dnssec-keygen-again-v9_14' into 'v9_14'
A bit more cleanup in the dnssec-keygen manual

See merge request isc-projects/bind9!1684
2019-03-14 00:30:36 -04:00
Tony Finch
d69530cae8 A bit more cleanup in the dnssec-keygen manual
Remove another remnant of shared secret HMAC-MD5 support.

Explain that with currently recommended setups DNSKEY records are
inserted automatically, but you can still use $INCLUDE in other cases.

(cherry picked from commit acc3fa04b7)
2019-03-14 15:17:03 +11:00
Mark Andrews
d8ef8b5658 Merge branch '936-missing-unlocks-in-sdlz-c-v9_14' into 'v9_14'
Resolve "Missing unlocks in sdlz.c"

See merge request isc-projects/bind9!1679
2019-03-13 20:08:10 -04:00
Mark Andrews
1210201ab3 add CHANGES
(cherry picked from commit 32f2ae3791)
2019-03-14 09:01:12 +11:00
Mark Andrews
e9a1087e96 add missing MAYBE_UNLOCK
(cherry picked from commit ff8bf617e7)
2019-03-14 09:01:12 +11:00
Evan Hunt
e658e92ada Merge branch '881-cleanup-ecs-v9_14' into 'v9_14'
clean up ECS before reusing clients

See merge request isc-projects/bind9!1676
2019-03-12 17:10:04 -04:00
Evan Hunt
a87585aba3 CHANGES
(cherry picked from commit 9463a781fb)
2019-03-12 13:59:12 -07:00
Witold Kręcicki
fcb5642ec0 Clean up client->ecs when we're done with the request.
(cherry picked from commit aa3da7a232)
2019-03-12 13:59:12 -07:00
Evan Hunt
84910c0920 Merge branch '834-fix-race-in-fctx-cancel-v9_14' into 'v9_14'
fix race in socket code

See merge request isc-projects/bind9!1672
2019-03-12 16:10:22 -04:00
Witold Kręcicki
ec8621ae10 CHANGES
(cherry picked from commit 50f6054294)
2019-03-12 11:55:04 -07:00
Witold Kręcicki
fcc7a8c6ca Fix a race in fctx_cancelquery.
When sending an udp query (resquery_send) we first issue an asynchronous
isc_socket_connect and increment query->connects, then isc_socket_sendto2
and increment query->sends.
If we happen to cancel this query (fctx_cancelquery) we need to cancel
all operations we might have issued on this socket. If we are under very high
load the callback from isc_socket_connect (resquery_udpconnected) might have
not yet been fired. In this case we only cancel the CONNECT event on socket,
and ignore the SEND that's waiting there (as there is an `else if`).
Then we call dns_dispatch_removeresponse which kills the dispatcher socket
and calls isc_socket_close - but if system is under very high load, the send
we issued earlier might still not be complete - which triggers an assertion
because we're trying to close a socket that's still in use.

The fix is to always check if we have incomplete sends on the socket and cancel
them if we do.

(cherry picked from commit 56183a3917)
2019-03-12 11:54:43 -07:00
Michał Kępień
769982d7db Merge branch 'michal/silence-a-perl-warning-output-by-stop.pl-v9_14' into 'v9_14'
[v9_14] Silence a Perl warning output by stop.pl

See merge request isc-projects/bind9!1669
2019-03-12 04:04:14 -04:00
Michał Kępień
abf84143e4 Silence a Perl warning output by stop.pl
On Unix systems, the CYGWIN environment variable is not set at all when
BIND system tests are run.  If a named instance crashes on shutdown or
otherwise fails to clean up its pidfile and the CYGWIN environment
variable is not set, stop.pl will print an uninitialized value warning
on standard error.  Prevent this by using defined().

(cherry picked from commit 91e5a99b9b)
2019-03-12 08:43:07 +01:00
Mark Andrews
b0b1c5f88f Merge branch 'ifconfig.sh-anywhere-v9_14' into 'v9_14'
Allow ifconfig to be called from any directory

See merge request isc-projects/bind9!1667
2019-03-11 23:22:08 -04:00
Petr Menšík
2b526cf8e1 Allow ifconfig to be called from any directory
ifconfig.sh depends on config.guess for platform guessing. It uses it to
choose between ifconfig or ip tools to configure interfaces. If
system-wide automake script is installed and local was not found, use
platform guess. It should work well on mostly any sane platform. Still
prefers local guess, but passes when if cannot find it.

(cherry picked from commit 38301052e1)
2019-03-12 14:10:40 +11:00
Evan Hunt
4e0e40dee7 Merge branch '892-fix-redirect-name-v9_14' into 'v9_14'
use qname in redirect2

See merge request isc-projects/bind9!1663
2019-03-11 14:34:35 -04:00
Mark Andrews
7dcee14699 add CHANGES
(cherry picked from commit ad785e4f93)
2019-03-11 11:22:13 -07:00
Mark Andrews
d974a28898 use client->query.qname
(cherry picked from commit 8758d36a5e)
2019-03-11 11:19:00 -07:00
Evan Hunt
85f6e00755 Merge branch 'each-fix-changes' into 'v9_14'
remove accidentally-included CHANGES notes

See merge request isc-projects/bind9!1661
2019-03-11 13:59:59 -04:00
Evan Hunt
0faa56cb6c remove accidentally-included CHANGES notes 2019-03-11 10:58:51 -07:00
Michał Kępień
802a965245 Merge branch '928-stabilize-delzsk.example-zone-checks-v9_14' into 'v9_14'
[v9_14] Stabilize "delzsk.example" zone checks

See merge request isc-projects/bind9!1658
2019-03-11 08:28:15 -04:00
Michał Kępień
79a4cbd203 Stabilize "delzsk.example" zone checks
When a zone is converted from NSEC to NSEC3, the private record at zone
apex indicating that NSEC3 chain creation is in progress may be removed
during a different (later) zone_nsec3chain() call than the one which
adds the NSEC3PARAM record.  The "delzsk.example" zone check only waits
for the NSEC3PARAM record to start appearing in dig output while private
records at zone apex directly affect "rndc signing -list" output.  This
may trigger false positives for the "autosign" system test as the output
of the "rndc signing -list" command used for checking ZSK deletion
progress may contain extra lines which are not accounted for.  Ensure
the private record is removed from zone apex before triggering ZSK
deletion in the aforementioned check.

Also future-proof the ZSK deletion progress check by making it only look
at lines it should care about.

(cherry picked from commit e02de04e97)
2019-03-11 13:03:17 +01:00
Michał Kępień
83acb4ffad Merge branch '129-dnssec-system-test-tweaks-v9_14' into 'v9_14'
[v9_14] "dnssec" system test tweaks

See merge request isc-projects/bind9!1656
2019-03-11 08:02:07 -04:00
Mark Andrews
8f2f5d98dc ${ttl} must exist and be non null
(cherry picked from commit dee1f1a498)
2019-03-11 12:11:58 +01:00
Michał Kępień
f301744f59 Make ANSWER TTL capping checks stricter
For checks querying a named instance with "dnssec-accept-expired yes;"
set, authoritative responses have a TTL of 300 seconds.  Assuming empty
resolver cache, TTLs of RRsets in the ANSWER section of the first
response to a given query will always match their authoritative
counterparts.  Also note that for a DNSSEC-validating named resolver,
validated RRsets replace any existing non-validated RRsets with the same
owner name and type, e.g. cached from responses received while resolving
CD=1 queries.  Since TTL capping happens before a validated RRset is
inserted into the cache and RRSIG expiry time does not impose an upper
TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out
above, the original TTLs of the relevant RRsets equal 300 seconds, the
RRsets in the ANSWER section of the responses to expiring.example/SOA
and expired.example/SOA queries sent with CD=0 should always be exactly
120 seconds, never a lower value.  Make the relevant TTL checks stricter
to reflect that.

(cherry picked from commit a85cc41486)
2019-03-11 12:11:58 +01:00
Michał Kępień
f28953b6fc Relax ADDITIONAL TTL capping checks
Always expecting a TTL of exactly 300 seconds for RRsets found in the
ADDITIONAL section of responses received for CD=1 queries sent during
TTL capping checks is too strict since these responses will contain
records cached from multiple DNS messages received during the resolution
process.

In responses to queries sent with CD=1, ns.expiring.example/A in the
ADDITIONAL section will come from a delegation returned by ns2 while the
ANSWER section will come from an authoritative answer returned by ns3.
If the queries to ns2 and ns3 happen at different Unix timestamps,
RRsets cached from the older response will have a different TTL by the
time they are returned to dig, triggering a false positive.

Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL
section of responses to queries sent with CD=1 to fix the issue.  A
safety margin this large is likely overkill, but it is used nevertheless
for consistency with similar safety margins used in other TTL capping
checks.

(cherry picked from commit 8baf859063)
2019-03-11 12:11:58 +01:00
Michał Kępień
8f1c3e5da6 Fix message section checked in a TTL capping test
Commit c032c54dda inadvertently changed
the DNS message section inspected by one of the TTL capping checks from
ADDITIONAL to ANSWER, introducing a discrepancy between that check's
description and its actual meaning.  Revert to inspecting the ADDITIONAL
section in the aforementioned check.

(cherry picked from commit a597bd52a6)
2019-03-11 12:11:58 +01:00
Michał Kępień
95a765202c Fix NTA-related races
Changes introduced by commit 6b8e4d6e69
were incomplete as not all time-sensitive checks were updated to match
revised "nta-lifetime" and "nta-recheck" values.  Prevent rare false
positives by updating all NTA-related checks so that they work reliably
with "nta-lifetime 12s;" and "nta-recheck 9s;".  Update comments as well
to prevent confusion.

(cherry picked from commit 9a36a1bba3)
2019-03-11 12:11:58 +01:00
Evan Hunt
b23e7208ed Merge branch 'ondrej/restore-flockfile-check-v9_14' into 'v9_14'
(v9_14) Restore missing check for flockfile and getc_unlocked

See merge request isc-projects/bind9!1654
2019-03-08 19:41:33 -05:00
Ondřej Surý
a169e35634 Restore missing check for flockfile and getc_unlocked
(cherry picked from commit 7eea756858)
2019-03-08 21:35:08 +01:00
Michał Kępień
4e38e3bb24 Merge branch 'michal/fix-regex-used-for-mangling-druz-dnskey-v9_14' into 'v9_14'
[v9_14] Fix regex used for mangling druz/DNSKEY (in the "dlv" system test)

See merge request isc-projects/bind9!1647
2019-03-08 08:08:57 -05:00
Michał Kępień
3bf0350ae7 Fix regex used for mangling druz/DNSKEY
During "dlv" system test setup, the "sed" regex used for mangling the
DNSKEY RRset for the "druz" zone does not include the plus sign ("+"),
which may:

  - cause the replacement to happen near the end of DNSKEY RDATA, which
    can cause the latter to become an invalid Base64 string,

  - prevent the replacement from being performed altogether.

Both cases prevent the "dlv" system test from behaving as intended and
may trigger false positives.  Add the missing character to the
aforementioned regex to ensure the replacement is always performed on
bytes 10-25 of DNSKEY RDATA.

(cherry picked from commit fd13fef299)
2019-03-08 13:48:39 +01:00
Michał Kępień
7202303f8c Merge branch '925-make-delv-use-os-supplied-ephemeral-port-range-v9_14' into 'v9_14'
[v9_14] Make delv use OS-supplied ephemeral port range

See merge request isc-projects/bind9!1645
2019-03-08 07:46:09 -05:00
Michał Kępień
9fe1f29d39 Add CHANGES entry
5180.	[bug]		delv now honors the operating system's preferred
			ephemeral port range. [GL #925]

(cherry picked from commit bf98324956)
2019-03-08 13:14:01 +01:00
Michał Kępień
040d631027 Make delv use OS-supplied ephemeral port range
Make delv honor the operating system's preferred ephemeral port range
instead of always using the default 1024-65535 range for outgoing
messages.

(cherry picked from commit ada6846a10)
2019-03-08 13:14:00 +01:00
Mark Andrews
a364783956 Merge branch 'u/fanf2/sectypes-v9_14' into 'v9_14'
cleanup: use dns_secalg_t and dns_dsdigest_t where appropriate

See merge request isc-projects/bind9!1643
2019-03-08 06:38:51 -05:00
Tony Finch
1e2bfb1460 cleanup: use dns_secalg_t and dns_dsdigest_t where appropriate
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.

Use dns_dsdigest_t in library function arguments.

Improve dnssec-cds with these more specific types.

(cherry picked from commit 0f219714e1)
2019-03-08 22:16:48 +11:00
Mark Andrews
1d3a271352 Merge branch 'marka-define-path-max-v9_14' into 'v9_14'
#include <limits.h> for PATH_MAX, define if not found

See merge request isc-projects/bind9!1639
2019-03-08 02:45:39 -05:00
Mark Andrews
8faca93b37 #include <limits.h> for PATH_MAX, define if not found
(cherry picked from commit 1fc7be36eb)
2019-03-08 18:23:59 +11:00
Evan Hunt
06d2cb71da Merge branch 'each-silence-warning-v9_14' into 'v9_14'
silence a warning about potential snprintf overrun

See merge request isc-projects/bind9!1633
2019-03-08 01:16:42 -05:00
Evan Hunt
e2ee2e9e0b silence a warning about potential snprintf overrun
(cherry picked from commit 7f26cad247)
2019-03-07 21:46:50 -08:00
Evan Hunt
61339e91ea Merge branch '902-hang-when-unexpected-errno-encountered-during-log-rename-v9_14' into 'v9_14'
Resolve "Hang when unexpected errno encountered during log rename"

See merge request isc-projects/bind9!1631
2019-03-08 00:44:04 -05:00
Mark Andrews
cdf928d391 Handle EDQUOT and ENOSPC errors
(cherry picked from commit 435ae2f29a)
2019-03-07 21:23:39 -08:00
Evan Hunt
5bb39746a1 Merge branch '884-patches-to-review-3-v9_14' into 'v9_14'
fix the use of dns_wildcardname as an optimisation in DLZ

See merge request isc-projects/bind9!1629
2019-03-07 23:39:30 -05:00
Mark Andrews
c1489dfa4f fix the use of dns_wildcardname as an optimisation in DLZ
(cherry picked from commit cb32cd98bd)
2019-03-07 20:27:57 -08:00
Evan Hunt
8b1e4ec8e9 Merge branch 'ckb-statistics-test-nit-v9_14' into 'v9_14'
the wrong variable was used to count the test cases in one place.

See merge request isc-projects/bind9!1627
2019-03-07 21:54:20 -05:00
Curtis Blackburn
e58a77043c the wrong variable was used to count the test cases in one place.
(cherry picked from commit 4f60a84e34)
2019-03-07 18:42:14 -08:00
Mark Andrews
ee9d1eca72 Merge branch '927-teach-clang-that-_fail-does-not-return-v9_14' into 'v9_14'
Resolve "teach clang that _fail() does not return."

See merge request isc-projects/bind9!1626
2019-03-07 20:26:08 -05:00
Mark Andrews
c117605812 add noreturn attribute
(cherry picked from commit 3f2b7e1006)
2019-03-08 12:13:18 +11:00
Evan Hunt
f13692afcf Merge branch '865-option-to-disable-information-leak-on-rpz-rewrites-isc-support-14178-v9_14' into 'v9_14'
Resolve "Option to disable information leak on RPZ rewrites [ISC-support

See merge request isc-projects/bind9!1623
2019-03-07 16:41:31 -05:00
Mark Andrews
d76b2147a8 CHANGES, release note
(cherry picked from commit 89234643e1)
2019-03-07 13:29:37 -08:00
Evan Hunt
e152529fb7 disable a previously broken test under dnsrps
(cherry picked from commit aeed047495)
2019-03-07 13:29:11 -08:00
Mark Andrews
edc607bced add the ability to control whether SOA records are added response-policy modified answers
(cherry picked from commit d1fa8be611)
2019-03-07 13:29:11 -08:00
Evan Hunt
b3e152610d Merge branch 'each-notes-914' into 'v9_14'
clear out 9.14.0 release notes

See merge request isc-projects/bind9!1622
2019-03-07 14:34:27 -05:00
Evan Hunt
5d09223874 clear out release notes from 9.14.0 to prepare the ground for 9.14.1 2019-03-07 11:11:15 -08:00
Evan Hunt
56e4b5c9dd Merge branch '882-zone-data-cannot-be-loaded-with-dnssec-coverage-v9_14' into 'v9_14'
Resolve "Zone data cannot be loaded with dnssec-coverage"

See merge request isc-projects/bind9!1619
2019-03-06 23:58:34 -05:00
Evan Hunt
36d91876bf add CHANGES
(cherry picked from commit 57e44efc73)
2019-03-06 20:41:23 -08:00
Mark Andrews
4a46242ed2 explicitly convert byte to string
(cherry picked from commit ec3d830bc5)
2019-03-06 20:41:09 -08:00
Mark Andrews
5b27d26909 Merge branch 'u/fanf2/man-dnssec-keygen-v9_14' into 'v9_14'
cleanup dnssec-keygen manual page

See merge request isc-projects/bind9!1616
2019-03-06 19:15:23 -05:00
Tony Finch
7ddd24ba97 cleanup dnssec-keygen manual page
Alphabetize options and synopsis; remove spurious -z from synopsis;
remove remnants of deprecated -k option; remove mention of long-gone
TSIG support; refer to -T KEY in options that are only relevant to
pre-RFC3755 DNSSEC; remove unnecessary -n ZONE from the example, and
add a -f KSK example.

(cherry picked from commit 1954f8d2bf)
2019-03-07 11:14:55 +11:00
Mark Andrews
9d3eb872d0 Merge branch '926-statschannel-system-tests-fails-json-only-no-libxml-v9_14' into 'v9_14'
Resolve "statschannel system tests fails json only (no libxml)"

See merge request isc-projects/bind9!1615
2019-03-06 19:02:59 -05:00
Mark Andrews
ef46f75066 add CHANGES
(cherry picked from commit 5bc06a0a11)
2019-03-07 10:45:04 +11:00
Mark Andrews
98fd813532 remove dependancy on libxml
(cherry picked from commit a9c47414b3)
2019-03-07 10:44:11 +11:00
Evan Hunt
be60fedced Merge branch '874-fix-race-in-socket-code-v9_14' into 'v9_14'
Fix a race in socket code

See merge request isc-projects/bind9!1613
2019-03-06 17:33:11 -05:00
Evan Hunt
71adab3f4a CHANGES
(cherry picked from commit 6d24292830)
2019-03-06 14:15:19 -08:00
Witold Kręcicki
54f9c1d306 Fix a race in socket code when internal_{accept, send, receive} is called
from event loop on an socket and, in the meantime, someone has closed this
socket.

(cherry picked from commit b57a38ae43)
2019-03-06 14:15:19 -08:00
Evan Hunt
c2fb1f8853 Merge branch 'michal/log-plugin-unloading-at-debug-level-v9_14' into 'v9_14'
Log plugin unloading at debug level

See merge request isc-projects/bind9!1612
2019-03-06 16:07:57 -05:00
Michał Kępień
9036952f84 Log plugin unloading at debug level
During server reconfiguration, plugin instances set up for the old views
are unloaded very close to the end of the whole process, after new
plugin instances are set up.  As the log message announcing plugin
unloading is emitted at the default "info" level, the user might be
misled into thinking that it is the new plugin instances that are being
unloaded for some reason, particularly because all other messages logged
at the "info" level around the same time inform about setting things up
rather than tearing them down.  Since no distinction is currently made
between destroying a view due to reconfiguration and due to a shutdown
in progress, there is no easy way to vary the contents of the log
message depending on circumstances.  Since this message is not a
particularly critical one, demote it to debug level to prevent
confusion.

(cherry picked from commit af4b81f944)
2019-03-06 12:55:29 -08:00
Michał Kępień
3e676b0d65 Merge branch '905-make-nsupdate-use-os-supplied-ephemeral-port-range-v9_14' into 'v9_14'
[v9_14] Make nsupdate use OS-supplied ephemeral port range

See merge request isc-projects/bind9!1609
2019-03-06 08:27:40 -05:00
Michał Kępień
0a5a0a5e97 Add CHANGES entry
5172.	[bug]		nsupdate now honors the operating system's preferred
			ephemeral port range. [GL #905]

(cherry picked from commit 0e64948274)
2019-03-06 14:03:37 +01:00
Michał Kępień
a553168786 Make nsupdate use OS-supplied ephemeral port range
Make nsupdate honor the operating system's preferred ephemeral port
range instead of always using the default 1024-65535 range for outgoing
messages.

(cherry picked from commit 06f582f23e)
2019-03-06 14:03:36 +01:00
Evan Hunt
d4d89a18af Merge branch '878-install-named-plugins-into-a-separate-directory-v9_14' into 'v9_14'
Install named plugins into a separate directory

See merge request isc-projects/bind9!1605
2019-03-05 20:04:27 -05:00
Michał Kępień
f1f695ef5a Add CHANGES entry
5161.	[func]		named plugins are now installed into a separate
			directory.  Supplying a filename (a string without path
			separators) in a "plugin" configuration stanza now
			causes named to look for that plugin in that directory.
			[GL #878]

(cherry picked from commit d2c960cfc2)
2019-03-05 16:52:49 -08:00
Michał Kępień
1865264426 Add -c to usage message for named-checkconf
Add the -c command line option to the usage message for named-checkconf
as it is not present there despite being documented.

(cherry picked from commit cba155154b)
2019-03-05 16:52:49 -08:00
Michał Kępień
9b72458b1e Look for named plugins in ${libdir}/named
When the "library" part of a "plugin" configuration stanza does not
contain at least one path separator, treat it as a filename and assume
it is a name of a shared object present in the named plugin installation
directory.  Absolute and relative paths can still be used and will be
used verbatim.  Get the full path to a plugin before attempting to
check/register it so that all relevant log messages include the same
plugin path (apart from the one logged when the full path cannot be
determined).

(cherry picked from commit 1a9fc624ca)
2019-03-05 16:52:49 -08:00
Michał Kępień
3883acc5c2 Add ns_plugin_expandpath()
Implement a helper function which, given an input string:

  - copies it verbatim if it contains at least one path separator,
  - prepends the named plugin installation directory to it otherwise.

This function will allow configuration parsing code to conveniently
determine the full path to a plugin module given either a path or a
filename.

While other, simpler ways exist for making sure filenames passed to
dlopen() cause the latter to look for shared objects in a specific
directory, they are very platform-specific.  Using full paths is thus
likely the most portable and reliable solution.

Also added unit tests for ns_plugin_expandpath() to ensure it behaves
as expected for absolute paths, relative paths, and filenames, for
various target buffer sizes.

(Note: plugins share a directory with named on Windows; there is no
default plugin path. Therefore the source path is copied to the
destination path with no modification.)

(cherry picked from commit d181c28c60)
2019-03-05 16:52:49 -08:00
Michał Kępień
4ddfaeea3e Install named plugins into a separate directory
Installing named plugins into ${libdir} clutters the latter and is not
in line with common filesystem conventions.  Instead, install named
plugins into a separate directory, ${libdir}/named.

(cherry picked from commit c527b7fd5c)
2019-03-05 16:52:49 -08:00
Evan Hunt
017b190bdb Merge branch '909-add-explicit-link-check-for-libatomic-v9_14' into 'v9_14'
Add explicit check for libatomic to fix configure step on NetBSD

See merge request isc-projects/bind9!1604
2019-03-05 18:41:55 -05:00
Ondřej Surý
919dc5dd42 Add information about NetBSD 6 compilation on i386
(cherry picked from commit 9a16e0a5ae)
2019-03-05 15:24:05 -08:00
Ondřej Surý
c7d164fad5 Add explicit check for libatomic
(cherry picked from commit fcade0610f)
2019-03-05 15:24:04 -08:00
Mark Andrews
1d8682d429 Merge branch '919-add-win32util-configure-file-list-check-to-ci-v9_14' into 'v9_14'
Resolve "Add win32util/Configure file list check to CI"

See merge request isc-projects/bind9!1602
2019-03-05 17:41:46 -05:00
Mark Andrews
3b6de8e0c1 remove '..\\bin\\tests\\system\\dlz\\prereq.sh' from win32util/Configure
(cherry picked from commit 442421906b)
2019-03-05 17:41:33 -05:00
Mark Andrews
cb1006d95d add util/check-win32util-configure to precheck
(cherry picked from commit c3dd8bb9f0)
2019-03-05 17:41:33 -05:00
Evan Hunt
8c32b70956 Merge branch '884-patches-to-review-4-v9_14' into 'v9_14'
dlz filesystem driver failed to properly detect period at end of filename.

See merge request isc-projects/bind9!1600
2019-03-05 17:40:01 -05:00
Mark Andrews
b12970046a properly detect period as last character in filename
(cherry picked from commit c9dc59eb90)
2019-03-05 14:22:36 -08:00
Evan Hunt
4b0eaf7267 Merge branch 'michal/disable-servfail-cache-for-ns5-in-the-mkeys-system-test-v9_14' into 'v9_14'
Disable SERVFAIL cache for ns5 in the "mkeys" system test

See merge request isc-projects/bind9!1598
2019-03-05 16:40:49 -05:00
Michał Kępień
e4a544e989 Disable SERVFAIL cache for ns5 in the "mkeys" system test
The "check key refreshes are resumed after root servers become
available" check may trigger a false positive for the "mkeys" system
test if the second example/TXT query sent by dig is received by ns5 less
than a second after it receives a REFUSED response to the upstream query
it sends to ns1 in order to resolve the first example/TXT query sent by
dig.  Since that REFUSED response from ns1 causes ns5 to return a
SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
which is enabled by default with a TTL of 1 second.  This in turn may
cause ns5 to return a cached SERVFAIL response to the second example/TXT
query sent by dig, i.e. make ns5 not perform full query processing as
expected by the check.

Since the primary purpose of the check in question is to ensure that key
refreshes are resumed once initially unavailable root servers become
available, the optimal solution appears to be disabling SERVFAIL cache
for ns5 as doing that still allows the check to fulfill its purpose and
it is arguably more prudent than always sleeping for 1 second.

(cherry picked from commit 7c6bff3c4e)
2019-03-05 13:25:04 -08:00
Evan Hunt
60beddf87f Merge branch '889-improve-clang-cmocka-interaction-v9_14' into 'v9_14'
Resolve "Improve clang/cmocka interaction."

See merge request isc-projects/bind9!1596
2019-03-05 14:01:37 -05:00
Mark Andrews
7c78e5b90a improve clang / cmocka integration
(cherry picked from commit cb913177ae)
2019-03-05 10:42:01 -08:00
Matthijs Mekking
3ca83c19d9 Merge branch 'matthijs-more-clean.sh-related-cleanups-v9_14' into 'v9_14'
More clean.sh related cleanups

See merge request isc-projects/bind9!1592
2019-03-04 11:30:16 -05:00
Matthijs Mekking
8578d11ca7 Ensure all system tests run clean.sh from setup.sh
For consistency between all system tests, add missing setup.sh scripts
for tests which do not have one yet and ensure every setup.sh script
calls its respective clean.sh script.
2019-03-04 16:58:40 +01:00
Matthijs Mekking
00d04b28c2 Only perform test cleanups in clean.sh scripts
Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script.  Remove redundant "rm"
invocations from setup.sh scripts.  Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.
2019-03-04 16:58:30 +01:00
Mark Andrews
4e800096e6 Merge branch 'feature/featuretest-dlz-v9_14' into 'v9_14'
Test dlz support in feature-test

See merge request isc-projects/bind9!1588
2019-03-03 22:26:30 -05:00
Mark Andrews
f9920f62c4 add CHANGES
(cherry picked from commit 5f125df462)
2019-03-04 14:08:21 +11:00
Mark Andrews
25e4ebaba6 run autoheader and autoconf
(cherry picked from commit 4988367b53)
2019-03-04 14:08:19 +11:00
Petr Menšík
3c29d47797 Support DLZ filesystem detection in feature-test
Do not use variable from configure to detect the feature.

(cherry picked from commit 759a7b4ce3)
2019-03-04 14:06:38 +11:00
Michał Kępień
6fd9415350 Merge branch 'michal/fix-ip-regex-used-in-the-resolver-system-test-v9_14' into 'v9_14'
[v9_14] Fix IP regex used in the "resolver" system test

See merge request isc-projects/bind9!1583
2019-03-01 01:55:45 -05:00
Michał Kępień
06b36db554 Fix IP regex used in the "resolver" system test
If dots are not escaped in the "1.2.3.4" regular expressions used for
checking whether IP address 1.2.3.4 is present in the tested resolver's
answers, a COOKIE that matches such a regular expression will trigger a
false positive for the "resolver" system test.  Properly escape dots in
the aforementioned regular expressions to prevent that from happening.

(cherry picked from commit 70ae48e5cb)
2019-03-01 07:53:27 +01:00
Evan Hunt
3761db36e8 Merge branch '901-empty-any-v9_14' into 'v9_14'
handle empty ANY query responses

See merge request isc-projects/bind9!1581
2019-02-28 19:24:52 -05:00
Evan Hunt
778cfd3a98 CHANGES 2019-02-28 16:07:41 -08:00
Evan Hunt
8431d18426 test correct occlusion of DNSSEC records
(cherry picked from commit c6939f0bd4)
2019-02-28 16:06:38 -08:00
Evan Hunt
ed72b9434d fix crash in query_respond_any() from all records being hidden
in query_respond_any(), the assumption had previously been made that it
was impossible to get past iterating the node with a return value of
ISC_R_NOMORE but not have found any records, unless we were searching
for RRSIG or SIG. however, it is possible for other types to exist but
be hidden, such as when the zone is transitioning from insecure to
secure and DNSSEC types are encountered, and this situation could
trigger an assertion.  removed the assertion and reorganized the code.

(cherry picked from commit 3e74c7e5ff)
2019-02-28 16:06:38 -08:00
Michał Kępień
71f7589f08 Merge branch 'michal/do-not-include-conf.sh-from-ttl-clean.sh-v9_14' into 'v9_14'
[v9_14] Do not include conf.sh from ttl/clean.sh

See merge request isc-projects/bind9!1578
2019-02-28 07:42:46 -05:00
Michał Kępień
43eeb2319b Do not include conf.sh from ttl/clean.sh
Including $SYSTEMTESTTOP/conf.sh from a system test's clean.sh script is
not needed for anything while it causes an error message to be printed
out when "./configure" is run, as "make clean" is invoked at the end.
Remove the offending line to prevent the error from occurring.

(cherry picked from commit 6602848460)
2019-02-28 13:17:13 +01:00
Michał Kępień
79666f739b Merge branch 'michal/call-clean.sh-from-all-relevant-setup.sh-scripts-v9_14' into 'v9_14'
[v9_14] Call clean.sh from all relevant setup.sh scripts

See merge request isc-projects/bind9!1576
2019-02-28 07:11:02 -05:00
Michał Kępień
7b1f4c8a6a Call clean.sh from all relevant setup.sh scripts
For all system tests utilizing named instances, call clean.sh from each
test's setup.sh script in a consistent way to make sure running the same
system test multiple times using run.sh does not trigger false positives
caused by stale files created by previous runs.

Ideally we would just call clean.sh from run.sh, but that would break
some quirky system tests like "rpz" or "rpzrecurse" and being consistent
for the time being does not hurt.

(cherry picked from commit a077a3ae8a)
2019-02-28 12:39:06 +01:00
Tinderbox User
c2c957735f Merge branch 'prep-release' into v9_14 2019-02-28 00:05:32 +00:00
Tinderbox User
4ea7fb82a7 doc rebuild 2019-02-28 00:05:06 +00:00
Tinderbox User
13c0bf922b prep 9.14.0rc1 2019-02-27 23:50:01 +00:00
Evan Hunt
8d3931409e Merge branch 'prep-914' into 'v9_14'
documentation changes establishing the 9.14 stable branch

See merge request isc-projects/bind9!1559
2019-02-27 18:33:05 -05:00
Evan Hunt
3396f9396f documentation changes establishing the 9.14 stable branch 2019-02-27 18:06:35 -05:00
Matthijs Mekking
06d5da0204 Merge branch '813-matthijs-failure-loading-rpz-v9_14' into 'v9_14'
Resolve "Problems after failure of loading rpz [ISC-support #14002]"

See merge request isc-projects/bind9!1562
2019-02-22 10:05:07 -05:00
Matthijs Mekking
0f520ac026 Update CHANGES 2019-02-22 15:26:43 +01:00
Matthijs Mekking
05f156e8ba Unregister RPZ CATZ db cbs when zone load fails
In case when a zone fails to load because the file does not exist
or is malformed, we should not run the callback that updates the
zone database when the load is done.  This is achieved by
unregistering the callbacks if at zone load end if the result
indicates something else than success.
2019-02-22 15:24:24 +01:00
Matthijs Mekking
ae159914b0 Update copyrights 2019-02-22 15:24:16 +01:00
Matthijs Mekking
d6cb3022a3 Add test for rpz zone load fail 2019-02-22 15:24:08 +01:00
Matthijs Mekking
6594f7acb2 Remove rpz->db_registered
As pointed out in !813 db_registered is sort of redundant.  It is
set to `true` only in `dns_zone_rpz_enable_db()` right before the
`dns_rpz_dbupdate_callback()` callback is registered.  It is only
required in that callback and it is the only place that the callback
is registered.  Therefore there is no path that that `REQUIRE` can
fail.

The `db_registered` variable is only set to `false` in
`dns_rpz_new_zone`, so it is not like the variable is unset again
later.

The only other place where `db_registered` is checked is in
`rpz_detach()`.  If `true`, it will call
`dns_db_updatenotify_unregister()`.  However if that happens, the
`db_registered` is not set back to `false` thus this implies that
this may happen multiple times.  If called a second time, most
likely the unregister function will return `ISC_R_NOTFOUND`, but
the return value is not checked anyway.  So it can do without the
`db_registered` check.
2019-02-22 15:23:59 +01:00
Matthijs Mekking
a4cd74e71a Add curly brackets on if statements 2019-02-22 15:23:44 +01:00
Matthijs Mekking
48d7e4bb40 named crashes on shutdown after load rpz failed
This may happen when loading an RPZ failed and the code path skips
calling dns_db_endload().  The dns_rpz_zone_t object is still kept
marked as having registered db.  So when this object is finally
destroyed in rpz_detach(), this code will incorrectly call
`dns_db_updatenotify_unregister()`:

   if (rpz->db_registered)
     dns_db_updatenotify_unregister(rpz->db,
                                    dns_rpz_dbupdate_callback, rpz);

and trigger this assertion failure:

   REQUIRE(db != NULL);

To fix this, only call `dns_db_updatenotify_unregister()` when
`rpz->db` is not NULL.
2019-02-22 15:23:33 +01:00
Matthijs Mekking
e2def297b6 Make RPZ tests more readable 2019-02-22 15:18:20 +01:00
Matthijs Mekking
c01d63373c Add README to RPZ tests 2019-02-22 15:18:11 +01:00
Tinderbox User
6491691ac4 Merge branch 'prep-release' into security-v9_14 2019-02-21 02:11:26 +00:00
Tinderbox User
453f5da790 doc rebuild 2019-02-21 02:11:15 +00:00
Tinderbox User
856c74700f prep 9.13.7 2019-02-21 01:57:08 +00:00
Evan Hunt
ce5857556b Merge branch 'security-dlz-axfr-deny-broken' into security-master
denied axfr requests were not effective for writable DLZ zones

See merge request isc-private/bind9!57
2019-02-20 17:45:50 -08:00
Mark Andrews
ed6c10d46b add CHANGES and release notes entries 2019-02-20 17:45:50 -08:00
Mark Andrews
bc01aadc02 denied axfr requests were not effective for writable DLZ zones 2019-02-20 17:45:50 -08:00
Evan Hunt
702e5dc21a Merge 'keytag-memleak' into security-master 2019-02-20 17:45:49 -08:00
Evan Hunt
a47d2850c0 fix test error 2019-02-20 17:45:49 -08:00
Mark Andrews
7d5b7192ec add CHANGES and release note entries 2019-02-20 17:45:49 -08:00
Mark Andrews
d68adfea9c check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory 2019-02-20 17:45:49 -08:00
Mark Andrews
873c704de9 silently ignore additional keytag options 2019-02-20 17:45:49 -08:00
Evan Hunt
ff47556e26 Merge 'managed-key-assert' into security-master 2019-02-20 17:45:48 -08:00
Evan Hunt
f3fbbc20d2 Merge 'managed-key-assert' into security-master 2019-02-20 17:45:48 -08:00
Evan Hunt
8b8e492e48 use algorithm 255 for both unsupported keys 2019-02-20 17:45:48 -08:00
Matthijs Mekking
ea5a5b77f9 CHANGES, notes 2019-02-20 17:45:48 -08:00
Matthijs Mekking
98ef5c09d2 Update keyfetch_done compute_tag check
If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.
2019-02-20 17:45:47 -08:00
Matthijs Mekking
3516864ade Add tests for mkeys with unsupported algorithm
These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
2019-02-20 17:45:47 -08:00
Matthijs Mekking
5aa41ae9f8 Don't free key in compute_tag in case of failure
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created.  Doing so
nevertheless will result in an assertion failure.

This can happen if the key uses an unsupported algorithm.
2019-02-20 17:45:47 -08:00
Evan Hunt
566ad7021e Merge branch 'setup-v914' into v9_14 2019-02-20 17:44:43 -08:00
Evan Hunt
2579f31f54 begin setup of 9.14 branch 2019-02-20 17:44:32 -08:00
1099 changed files with 32749 additions and 15532 deletions

View File

@@ -15,9 +15,6 @@
(expand-file-name
(concat directory-of-current-dir-locals-file "./"))
;; current directory
(expand-file-name (concat default-directory "./"))
;; libisc
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/isc/unix/include"))
@@ -25,11 +22,16 @@
(concat directory-of-current-dir-locals-file "lib/isc/pthreads/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/isc/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/isc"))
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/isc/netmgr"))
;; libdns
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/dns/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/dns"))
;; libisccc
(expand-file-name
@@ -51,6 +53,30 @@
(expand-file-name
(concat directory-of-current-dir-locals-file "lib/bind9/include"))
;; bin
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/check"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/confgen/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/confgen"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/confgen/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/dig/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/named/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/named/unix/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/rndc/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/dnssec/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/named/include"))
(expand-file-name
(concat directory-of-current-dir-locals-file "bin/rndc/include"))
(expand-file-name "/usr/local/opt/openssl@1.1/include")
(expand-file-name "/usr/local/opt/libxml2/include/libxml2")
(expand-file-name "/usr/local/include")

8
.gitattributes vendored
View File

@@ -1,3 +1,11 @@
*.sln.in eol=crlf
*.vcxproj.in eol=crlf
*.vcxproj.filters.in eol=crlf
.gitignore export-ignore
/conftools export-ignore
/doc/design export-ignore
/doc/dev export-ignore
/util/** export-ignore
/util/bindkeys.pl -export-ignore
/util/mksymtbl.pl -export-ignore

83
.gitignore vendored
View File

@@ -1,36 +1,61 @@
Makefile
config.log
config.h
config.cache
config.status
libtool
/isc-config.sh
/configure.lineno
autom4te.cache/
*.rej
*.orig
*.o
*.lo
*.so
*.a
*.la
*.gcno
*.gcda
*_test
*-symtbl.c
timestamp
ans.run
named.run
named.memstats
gen.dSYM/
*.a
*.gcda
*.gcno
*.la
*.lo
*.o
*.orig
*.plist/ # ccc-analyzer store its results in .plist directories
*.rej
*.so
*_test
*~
.ccache/
.cproject
.deps/
.dirstamp
.libs/
# ccc-analyzer store its results in .plist directories
*.plist/
*~
.project
.cproject
.settings
kyua.log
/aclocal.m4
/ar-lib
/autom4te.cache/
/bind.keys.h
/compile
/config.cache
/config.guess
/config.h
/config.h.in
/config.log
/config.status
/config.sub
/configure
/configure.lineno
/depcomp
/install-sh
/isc-config.sh
/libltdl/*
/libtool
/ltmain.sh
/m4/libtool.m4
/m4/ltargz.m4
/m4/ltdl.m4
/m4/ltoptions.m4
/m4/ltsugar.m4
/m4/ltversion.m4
/m4/lt~obsolete.m4
/missing
/py-compile
/stamp-h1
/test-driver
Makefile
ans.run
gen.dSYM/
kyua.log
named.memstats
named.run
timestamp
/compile_commands.json
/cppcheck_html/
/cppcheck.results

File diff suppressed because it is too large Load Diff

485
CHANGES
View File

@@ -1,3 +1,458 @@
--- 9.14.11 released ---
5353. [doc] Document port and dscp parameters in forwarders
configuration option. [GL #914]
5352. [bug] Correctly handle catalog zone entries containing
characters that aren't legal in filenames. [GL #1592]
5351. [bug] CDS / CDNSKEY consistency checks failed to handle
removal records. [GL #1554]
5350. [bug] When a view was configured with class CHAOS, the
server could crash while processing a query for a
non-existent record. [GL #1540]
5348. [bug] dnssec-settime -Psync was not being honoured.
[GL !2925]
--- 9.14.10 released ---
5339. [bug] With some libmaxminddb versions, named could erroneously
match an IP address not belonging to any subnet defined
in a given GeoIP2 database to one of the existing
entries in that database. [GL #1552]
5338. [bug] Fix line spacing in `rndc secroots`.
Thanks to Tony Finch. [GL !2478]
5337. [func] 'named -V' now reports maxminddb and protobuf-c
versions. [GL !2686]
--- 9.14.9 released ---
5330. [bug] 'configure --without-python' was ineffective if
PYTHON was set in the environment. [GL #1434]
5329. [bug] Reconfiguring named caused memory to be leaked when any
GeoIP2 database was in use. [GL #1445]
5328. [bug] rbtdb.c:rdataset_{get,set}ownercase failed to obtain
a node lock. [GL #1417]
5327. [func] Added a statistics counter to track queries
dropped because the recursive-clients quota was
exceeded. [GL #1399]
5326. [bug] Add Python dependency on 'distutils.core' to configure.
'distutils.core' is required for installation.
[GL #1397]
5321. [bug] Obtain write lock before updating version->records
and version->bytes. [GL #1341]
--- 9.14.8 released ---
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
when the server has been offline for prolonged
period of times. [GL #1256]
5314. [func] Added a new statistics variable "tcp-highwater"
that reports the maximum number of simultaneous TCP
clients BIND has handled while running. [GL #1206]
5313. [bug] The default GeoIP2 database location did not match
the ARM. 'named -V' now reports the default
location. [GL #1301]
5310. [bug] TCP failures were affecting EDNS statistics. [GL #1059]
5308. [bug] Don't log DNS_R_UNCHANGED from sync_secure_journal()
at ERROR level in receive_secure_serial(). [GL #1288]
5307. [bug] Fix hang when named-compilezone output is sent to pipe.
Thanks to Tony Finch. [GL !2481]
5306. [security] Set a limit on the number of concurrently served
pipelined TCP queries. (CVE-2019-6477) [GL #1264]
5305. [bug] NSEC Aggressive Cache ("synth-from-dnssec") has been
disabled by default because it was found to have
a significant performance impact on the recursive
service. [GL #1265]
5304. [bug] "dnskey-sig-validity 0;" was not being accepted.
[GL #876]
5302. [bug] Fix checking that "dnstap-output" is defined when
"dnstap" is specified in a view. [GL #1281]
5301. [bug] Detect partial prefixes / incomplete IPv4 address in
acls. [GL #1143]
--- 9.14.7 released ---
5299. [security] A flaw in DNSSEC verification when transferring
mirror zones could allow data to be incorrectly
marked valid. (CVE-2019-6475) [GL #1252]
5298. [security] Named could assert if a forwarder returned a
referral, rather than resolving the query, when QNAME
minimization was enabled. (CVE-2019-6476) [GL #1051]
5297. [bug] Check whether a previous QNAME minimization fetch
is still running before starting a new one; return
SERVFAIL and log an error if so. [GL #1191]
5295. [cleanup] Split dns_name_copy() calls into dns_name_copy() and
dns_name_copynf() for those calls that can potentially
fail and those that should not fail respectively.
[GL !2265]
5294. [func] Fallback to ACE name on output in locale, which does not
support converting it to unicode. [GL #846]
5293. [bug] On Windows, named crashed upon any attempt to fetch XML
statistics from it. [GL #1245]
5292. [bug] Queue 'rndc nsec3param' requests while signing inline
zone changes. [GL #1205]
--- 9.14.6 released ---
5289. [bug] Address NULL pointer dereference in rpz.c:rpz_detach.
[GL #1210]
5286. [contrib] Address potential NULL pointer dereferences in
dlz_mysqldyn_mod.c. [GL #1207]
5285. [port] win32: implement "-T maxudpXXX". [GL #837]
5283. [bug] When a response-policy zone expires, ensure that
its policies are removed from the RPZ summary
database. [GL #1146]
5282. [bug] Fixed a bug in searching for possible wildcard matches
for query names in the RPZ summary database. [GL #1146]
5281. [cleanup] Don't escape commas when reporting named's command
line. [GL #1189]
5280. [protocol] Add support for displaying EDNS option LLQ. [GL #1201]
5279. [bug] When loading, reject zones containing CDS or CDNSKEY
RRsets at the zone apex if they would cause DNSSEC
validation failures if published in the parent zone
as the DS RRset. [GL #1187]
--- 9.14.5 released ---
5277. [bug] Cache DB statistics could underflow when serve-stale
was in use, because of a bug in counter maintenance
when RRsets become stale.
Functions for dumping statistics have been updated
to dump active, stale, and ancient statistic
counters. Ancient RRset counters are prefixed
with '~'; stale RRset counters are still prefixed
with '#'. [GL #602]
5275. [bug] Mark DS records included in referral messages
with trust level "pending" so that they can be
validated and cached immediately, with no need to
re-query. [GL #964]
5274. [bug] Address potential use after free race when shutting
down rpz. [GL #1175]
5273. [bug] Check that bits [64..71] of a dns64 prefix are zero.
[GL #1159]
5269. [port] cygwin: can return ETIMEDOUT on connect() with a
non-blocking socket. [GL #1133]
5268. [bug] named could crash during configuration if
configured to use "geoip continent" ACLs with
legacy GeoIP. [GL #1163]
5266. [bug] named-checkconf failed to report dnstap-output
missing from named.conf when dnstap was specified.
[GL #1136]
5265. [bug] DNS64 and RPZ nodata (CNAME *.) rules interacted badly
[GL #1106]
5264. [func] New DNS Cookie algorithm - siphash24 - has been added
to BIND 9. [GL #605]
5236. [func] Add SipHash 2-4 implementation in lib/isc/siphash.c
and switch isc_hash_function() to use SipHash 2-4.
[GL #605]
--- 9.14.4 released ---
5260. [bug] dnstap-read was producing malformed output for large
packets. [GL #1093]
5258. [func] Added support for the GeoIP2 API from MaxMind,
when BIND is compiled using "configure --with-geoip2".
The legacy GeoIP API can be enabled by using
"configure --with-geoip" instead. These options
cannot be used together.
Certain geoip ACL settings that were available with
legacy GeoIP are not available when using GeoIP2.
See the ARM for details. [GL #182]
5257. [bug] Some statistics data was not being displayed.
Add shading to the zone tables. [GL #1030]
5256. [bug] Ensure that glue records are included in root
priming responses if "minimal-responses" is not
set to "yes". [GL #1092]
5255. [bug] Errors encountered while reloading inline-signing
zones could be ignored, causing the zone content to
be left in an incompletely updated state rather than
reverted. [GL #1109]
5254. [func] Collect metrics to report to the statistics-channel
DNSSEC signing operations (dnssec-sign) and refresh
operations (dnssec-refresh) per zone and per keytag.
[GL #513]
5253. [port] Support platforms that don't define ULLONG_MAX.
[GL #1098]
5251. [bug] Statistics were broken in x86 Windows builds.
[GL #1081]
5249. [bug] Fix a possible underflow in recursion clients
statistics when hitting recursive clients
soft quota. [GL #1067]
--- 9.14.3 released ---
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5243. [bug] Fix a possible race between dispatcher and socket
code in a high-load cold-cache resolver scenario.
[GL #943]
5242. [bug] In relaxed qname minimization mode, fall back to
normal resolution when encountering a lame
delegation, and use _.domain/A queries rather
than domain/NS. [GL #1055]
5241. [bug] Fix Ed448 private and public key ASN.1 prefix blobs.
[GL #225]
5240. [bug] Remove key id calculation for RSAMD5. [GL #996]
5238. [bug] Fix a possible deadlock in TCP code. [GL #1046]
5237. [bug] Recurse to find the root server list with 'dig +trace'.
[GL #1028]
5234. [port] arm: just use the compiler's default support for
yield. [GL #981]
--- 9.14.2 released ---
5233. [bug] Negative trust anchors did not work with "forward only;"
to validating resolvers. [GL #997]
5231. [protocol] Add support for displaying CLIENT-TAG and SERVER-TAG.
[GL #960]
5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852]
5228. [cleanup] If trusted-keys and managed-keys are configured
simultaneously for the same name, the key cannot
be rolled automatically. This configuration now
logs a warning. [GL #868]
5224. [bug] Only test provide-ixfr on TCP streams. [GL #991]
5223. [bug] Fixed a race in the filter-aaaa plugin accessing
the hash table. [GL #1005]
5222. [bug] 'delv -t ANY' could leak memory. [GL #983]
5221. [test] Enable parallel execution of system tests on
Windows. [GL !4101]
5220. [cleanup] Refactor the isc_stat structure to take advantage
of stdatomic. [GL !1493]
5219. [bug] Fixed a race in the filter-aaaa plugin that could
trigger a crash when returning an instance object
to the memory pool. [GL #982]
5218. [bug] Conditionally include <dlfcn.h>. [GL #995]
5217. [bug] Restore key id calculation for RSAMD5. [GL #996]
5216. [bug] Fetches-per-zone counter wasn't updated correctly
when doing qname minimization. [GL #992]
5215. [bug] Change #5124 was incomplete; named could still
return FORMERR instead of SERVFAIL in some cases.
[GL #990]
5214. [bug] win32: named now removes its lock file upon shutdown.
[GL #979]
5213. [bug] win32: Eliminated a race which allowed named.exe running
as a service to be killed prematurely during shutdown.
[GL #978]
5211. [bug] Allow out-of-zone additional data to be included
in authoritative responses if recursion is allowed
and "minimal-responses" is disabled. This behavior
was inadvertently removed in change #4605. [GL #817]
5210. [bug] When dnstap is enabled and recursion is not
available, incoming queries are now logged
as "auth". Previously, this depended on whether
recursion was requested by the client, not on
whether recursion was available. [GL #963]
5209. [bug] When update-check-ksk is true, add_sigs was not
considering offline keys, leaving record sets signed
with the incorrect type key. [GL #763]
5208. [test] Run valid rdata wire encodings through totext+fromtext
and tofmttext+fromtext methods to check these methods.
[GL #899]
5207. [test] Check delv and dig TTL values. [GL #965]
5206. [bug] Delv could print out bad TTLs. [GL #965]
5205. [bug] Enforce that a DS hash exists. [GL #899]
5204. [test] Check that dns_rdata_fromtext() produces a record that
will be accepted by dns_rdata_fromwire(). [GL #852]
5203. [bug] Enforce whether key rdata exists or not in KEY,
DNSKEY, CDNSKEY and RKEY. [GL #899]
5202. [bug] <dns/ecs.h> was missing ISC_LANG_ENDDECLS. [GL #976]
5190. [bug] Ignore trust anchors using disabled algorithms.
[GL #806]
--- 9.14.1 released ---
5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
(CVE-2019-6467) [GL #880]
5198. [bug] If a fetch context was being shut down and, at the same
time, we returned from qname minimization, an INSIST
could be hit. [GL #966]
5197. [bug] dig could die in best effort mode on multiple SIG(0)
records. Similarly on multiple OPT and multiple TSIG
records. [GL #920]
5196. [bug] make install failed with --with-dlopen=no. [GL #955]
5195. [bug] "allow-update" and "allow-update-forwarding" were
treated as configuration errors if used at the
options or view level. [GL #913]
5194. [bug] Enforce non empty ZOMEMD hash. [GL #899]
5193. [bug] EID and NIMLOC failed to do multi-line output
correctly. [GL #899]
5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
5187. [test] Set time zone before running any tests in dnstap_test.
[GL #940]
5186. [cleanup] More dnssec-keygen manual tidying. [GL !1678]
5184. [bug] Missing unlocks in sdlz.c. [GL #936]
5183. [bug] Reinitialize ECS data before reusing client
structures. [GL #881]
--- 9.14.0 released ---
--- 9.14.0rc3 released ---
5182. [bug] Fix a high-load race/crash in handling of
isc_socket_close() in resolver. [GL #834]
5180. [bug] delv now honors the operating system's preferred
ephemeral port range. [GL #925]
5179. [cleanup] Replace some vague type declarations with the more
specific dns_secalg_t and dns_dsdigest_t.
Thanks to Tony Finch. [GL !1498]
5178. [bug] Handle EDQUOT (disk quota) and ENOSPC (disk full)
errors when writing files. [GL #902]
5177. [func] Add the ability to specify in named.conf whether a
response-policy zone's SOA record should be added
to the additional section (add-soa yes/no). [GL #865]
5167. [bug] nxdomain-redirect could sometimes lookup the wrong
redirect name. [GL #892]
--- 9.14.0rc2 released ---
5176. [tests] Remove a dependency on libxml in statschannel system
test. [GL #926]
5175. [bug] Fixed a problem with file input in dnssec-keymgr,
dnssec-coverage and dnssec-checkds when using
python3. [GL #882]
5174. [doc] Tidy dnssec-keygen manual. [GL !1557]
5173. [bug] Fixed a race in socket code that could occur when
accept, send, or recv were called from an event
loop but the socket had been closed by another
thread. [RT #874]
5172. [bug] nsupdate now honors the operating system's preferred
ephemeral port range. [GL #905]
5171. [func] named plugins are now installed into a separate
directory. Supplying a filename (a string without path
separators) in a "plugin" configuration stanza now
causes named to look for that plugin in that directory.
[GL #878]
5170. [test] Added --with-dlz-filesystem to feature-test. [GL !1587]
5169. [bug] The presence of certain types in an otherwise
empty node could cause a crash while processing a
type ANY query. [GL #901]
--- 9.14.0rc1 released ---
5168. [bug] Do not crash on shutdown when RPZ fails to load. Also,
keep previous version of the database if RPZ fails to
load. [GL #813]
5165. [contrib] Removed SDB drivers from contrib; they're obsolete.
[GL #428]
@@ -25,6 +480,18 @@
5157. [bug] Nslookup now errors out if there are extra command
line arguments. [GL #207]
5141. [security] Zone transfer controls for writable DLZ zones were
not effective as the allowzonexfr method was not being
called for such zones. (CVE-2019-6465) [GL #790]
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
--- 9.13.6 released ---
5156. [doc] Extended and refined the section of the ARM describing
@@ -48,7 +515,7 @@
- Zone signing and DNSKEY maintenance events are
now logged to the "dnssec" category
- Messages are now logged when DNSSEC keys are
pubished, activated, inactivated, deleted,
published, activated, inactivated, deleted,
or revoked.
[GL #714]
@@ -85,8 +552,6 @@
and "nsdname-enable" both now default to yes,
regardless of compile-time settings. [GL #824]
5141. [placeholder]
5140. [bug] Don't immediately mark existing keys as inactive and
deleted when running dnssec-keymgr for the first
time. [GL #117]
@@ -157,8 +622,6 @@
5119. [placeholder]
5118. [placeholder]
5117. [placeholder]
5116. [bug] Named/named-checkconf triggered a assertion when
@@ -179,8 +642,6 @@
5111. [bug] Occluded DNSKEY records could make it into the
delegating NSEC/NSEC3 bitmap. [GL #742]
5110. [placeholder]
5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
--- 9.13.5 released ---
@@ -259,8 +720,8 @@
5091. [func] Two new global and per-view options min-cache-ttl
and min-ncache-ttl [GL #613]
5090. [bug] dig and mdig failed to properly preparse dash value
pairs when value was a seperate argument and started
5090. [bug] dig and mdig failed to properly pre-parse dash value
pairs when value was a separate argument and started
with a dash. [GL #584]
5089. [bug] Restore localhost fallback in dig and host which is
@@ -326,7 +787,7 @@
5072. [bug] Add unit tests for isc_buffer_copyregion() and fix its
behavior for auto-reallocated buffers. [GL #644]
5071. [bug] Comparision of NXT records was broken. [GL #631]
5071. [bug] Comparison of NXT records was broken. [GL #631]
5070. [bug] Record types which support a empty rdata field were
not handling the empty rdata field case. [GL #638]
@@ -345,7 +806,7 @@
5065. [bug] Only set IPV6_USE_MIN_MTU on IPv6. [GL #553]
5064. [test] Initalize TZ environment variable before calling
5064. [test] Initialize TZ environment variable before calling
dns_test_begin in dnstap_test. [GL #624]
5063. [test] In statschannel test try a few times before failing
@@ -571,7 +1032,7 @@
5001. [bug] Fix refcount errors on error paths. [GL !563]
5000. [bug] named_server_servestale() could leave the server in
exclusive mode if an error occured. [GL #441]
exclusive mode if an error occurred. [GL #441]
4999. [cleanup] Remove custom printf implementation in lib/isc/print.c.
[GL #261]

View File

@@ -1,3 +1,5 @@
CONTRIBUTING
BIND Source Access and Contributor Guidelines
Feb 22, 2018

View File

@@ -1,4 +1,4 @@
Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this

12
HISTORY
View File

@@ -1,3 +1,5 @@
HISTORY
Functional enhancements from prior major releases of BIND 9
BIND 9.11
@@ -67,7 +69,7 @@ releases. New features include:
* "rndc modzone" reconfigures a single zone, without requiring the
entire server to be reconfigured.
* "rndc showzone" displays the current configuration of a zone.
* "rndc managed-keys" can be used to check the status of RFC 5001
* "rndc managed-keys" can be used to check the status of RFC 5011
managed trust anchors, or to force trust anchors to be refreshed.
* "max-cache-size" can now be set to a percentage of available memory.
The default is 90%.
@@ -431,11 +433,11 @@ BIND 9.4.0
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a basis as some servers only appear to
be lame for certain query types.
* The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query () to resolve. New options clients-per-query and
max-clients-per-query.
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.

View File

@@ -75,7 +75,7 @@ releases. New features include:
- "rndc modzone" reconfigures a single zone, without requiring the entire
server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001 managed
- "rndc managed-keys" can be used to check the status of RFC 5011 managed
trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available memory. The
default is 90%.

View File

@@ -97,27 +97,27 @@ test-force:
exit $$status
README: README.md
${PANDOC} --email-obfuscation=none -s -t html README.md | \
${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
HISTORY: HISTORY.md
${PANDOC} --email-obfuscation=none -s -t html HISTORY.md | \
${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
OPTIONS: OPTIONS.md
${PANDOC} --email-obfuscation=none -s -t html OPTIONS.md | \
${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
CONTRIBUTING: CONTRIBUTING.md
${PANDOC} --email-obfuscation=none -s -t html CONTRIBUTING.md | \
${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
PLATFORMS: PLATFORMS.md
${PANDOC} --email-obfuscation=none -s -t html PLATFORMS.md | \
${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@

View File

@@ -1,10 +1,12 @@
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.

View File

@@ -1,3 +1,5 @@
PLATFORMS
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
@@ -13,15 +15,16 @@ offer support on a "best effort" basis for some.
Regularly tested platforms
As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the
As of Feb 2020, BIND 9.14 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
* Ubuntu 16.04, 18.04
* Fedora 28, 29
* Red Hat Enterprise Linux / CentOS 6, 7
* FreeBSD 11.x
* OpenBSD 6.2, 6.3
* Ubuntu LTS 16.04, 18.04
* Fedora 31
* Red Hat Enterprise Linux / CentOS 6, 7, 8
* FreeBSD 11.3, 12.0
* OpenBSD 6.6
* Alpine Linux
The amd64, i386, armhf and arm64 CPU architectures are all fully
supported.
@@ -38,8 +41,6 @@ Server 2012 R2, none of these are tested regularly by ISC.
* Windows 10 / x64
* macOS 10.12+
* Solaris 11
* FreeBSD 10.x, 12.0+
* OpenBSD 6.4+
* NetBSD
* Other Linux distributions still supported by their vendors, such as:
+ Ubuntu 14.04, 18.10+
@@ -51,7 +52,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
Unsupported platforms
These are platforms on which BIND 9.13 is known not to build or run:
These are platforms on which BIND 9.14 is known not to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86
@@ -64,27 +65,10 @@ These are platforms on which BIND 9.13 is known not to build or run:
Platform quirks
ARM
NetBSD 6 i386
If the compilation ends with following error:
The i386 build of NetBSD requires the libatomic library, available from
the gcc5-libs package. Because this library is in a non-standard path, its
location must be specified in the configure command line:
Error: selected processor does not support `yield' in ARM mode
You will need to set -march compiler option to native, so the compiler
recognizes yield assembler instruction. The proper way to set -march=
native would be to put it into CFLAGS, e.g. run ./configure like this:
CFLAGS="-march=native -Os -g" ./configure plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from
Debian armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the
recommended build option is -march=armv7-a.
* FPU should be set at VFPv3-D16 as they represent the minimum
specification of the processors to support here, therefore the
recommended build option is -mfpu=vfpv3-d16.
The configure command should look like this:
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure

View File

@@ -23,15 +23,16 @@ offer support on a "best effort" basis for some.
### Regularly tested platforms
As of Jan 2019, BIND 9.13 is fully supported and regularly tested on the
As of Feb 2020, BIND 9.14 is fully supported and regularly tested on the
following systems:
* Debian 8, 9, 10
* Ubuntu 16.04, 18.04
* Fedora 28, 29
* Red Hat Enterprise Linux / CentOS 6, 7
* FreeBSD 11.x
* OpenBSD 6.2, 6.3
* Ubuntu LTS 16.04, 18.04
* Fedora 31
* Red Hat Enterprise Linux / CentOS 6, 7, 8
* FreeBSD 11.3, 12.0
* OpenBSD 6.6
* Alpine Linux
The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
@@ -47,8 +48,6 @@ Server 2012 R2, none of these are tested regularly by ISC.
* Windows 10 / x64
* macOS 10.12+
* Solaris 11
* FreeBSD 10.x, 12.0+
* OpenBSD 6.4+
* NetBSD
* Other Linux distributions still supported by their vendors, such as:
* Ubuntu 14.04, 18.10+
@@ -60,7 +59,7 @@ Server 2012 R2, none of these are tested regularly by ISC.
## Unsupported platforms
These are platforms on which BIND 9.13 is known *not* to build or run:
These are platforms on which BIND 9.14 is known *not* to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86
@@ -72,31 +71,12 @@ These are platforms on which BIND 9.13 is known *not* to build or run:
## Platform quirks
### ARM
### NetBSD 6 i386
If the compilation ends with following error:
The i386 build of NetBSD requires the `libatomic` library, available from
the `gcc5-libs` package. Because this library is in a non-standard path,
its location must be specified in the `configure` command line:
```
Error: selected processor does not support `yield' in ARM mode
```
You will need to set `-march` compiler option to `native`, so the compiler
recognizes `yield` assembler instruction. The proper way to set `-march=native`
would be to put it into `CFLAGS`, e.g. run `./configure` like this:
`CFLAGS="-march=native -Os -g" ./configure` plus your usual options.
If that doesn't work, you can enforce the minimum CPU and FPU (taken from Debian
armhf documentation):
* The lowest worthwhile CPU implementation is Armv7-A, therefore the recommended
build option is `-march=armv7-a`.
* FPU should be set at VFPv3-D16 as they represent the minimum specification of
the processors to support here, therefore the recommended build option is
`-mfpu=vfpv3-d16`.
The configure command should look like this:
```
CFLAGS="-march=armv7-a -mfpu=vfpv3-d16 -Os -g" ./configure
LDFLAGS="-L/usr/pkg/gcc5/i486--netbsdelf/lib/ -Wl,-R/usr/pkg/gcc5/i486--netbsdelf/lib/" ./configure
```

185
README
View File

@@ -1,3 +1,5 @@
README
BIND 9
Contents
@@ -5,7 +7,7 @@ Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.13 features
4. BIND 9.14 features
5. Building BIND
6. macOS
7. Dependencies
@@ -37,7 +39,7 @@ in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
501(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licenced under the terms of the Mozilla Public License,
source software licensed under the terms of the Mozilla Public License,
version 2.0.
For a summary of features introduced in past major releases of BIND, see
@@ -46,8 +48,8 @@ the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date release notes and errata, see http://www.isc.org/software/
bind9/releasenotes
For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS.
@@ -67,7 +69,13 @@ named-checkconf -px.
If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in named, please do NOT use GitLab to
report it. Instead, please send mail to security-officer@isc.org.
report it. Instead, send mail to security-officer@isc.org using our
OpenPGP key to secure your message. (Information about OpenPGP and links
to our key can be found at https://www.isc.org/pgpkey.) Please do not
discuss the bug on any public mailing list.
For a general overview of ISC security policies, read the Knowledge Base
article at https://kb.isc.org/docs/aa-00861.
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
@@ -88,7 +96,7 @@ Information for BIND contributors can be found in the following files: -
General information: CONTRIBUTING.md - BIND 9 code style: doc/dev/style.md
- BIND architecture and developer guide: doc/dev/dev.md
Patches for BIND may be submitted as Merge Requests in the ISC GitLab
Patches for BIND may be submitted as merge requests in the ISC GitLab
server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
By default, external contributors don't have ability to fork BIND in the
@@ -100,17 +108,19 @@ If you prefer, you may also submit code by opening a GitLab Issue and
including your patch as an attachment, preferably generated by git
format-patch.
BIND 9.13 features
BIND 9.14 features
BIND 9.13 is the newest development branch of BIND 9. It includes a number
of changes from BIND 9.12 and earlier releases. New features include:
BIND 9.14.0 is the first release from a new stable branch of BIND 9,
incorporating all changes from the 9.13 development branch, updating the
most recent stable branch, 9.12. These changes include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* Socket and task code has been refactored to improve performance on
most modern machines.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
@@ -138,15 +148,66 @@ is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
standard atomic operations provided by the C compiler. Non-threaded builds
are no longer supported.
BIND 9.14.1
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
BIND 9.14.2
BIND 9.14.2 is a maintenance release.
BIND 9.14.3
BIND 9.14.3 is a maintenance release, and addresses the security
vulnerability disclosed in CVE-2019-6471.
BIND 9.14.4
BIND 9.14.4 is a maintenance release, and also adds support for the new
MaxMind GeoIP2 geolocation API when built with configure --with-geoip2.
BIND 9.14.5
BIND 9.14.5 is a maintenance release.
BIND 9.14.6
BIND 9.14.6 is a maintenance release.
BIND 9.14.7
BIND 9.14.7 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
BIND 9.14.8
BIND 9.14.8 is a maintenance release, and also addresses the security
vulnerability disclosed in CVE-2019-6477.
BIND 9.14.9
BIND 9.14.9 is a maintenance release.
BIND 9.14.10
BIND 9.14.10 is a maintenance release.
BIND 9.14.11
BIND 9.14.11 is a maintenance release.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have
been observed on many versions of Linux and UNIX, including RedHat,
Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
X, Solaris, HP-UX, and OpenWRT.
been observed on many versions of Linux and UNIX, including RHEL/CentOS,
Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD,
NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and
OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires the
@@ -155,8 +216,8 @@ overridden by disabling capability support at compile time. See
Compile-time options below for details on other libraries that may be
required to support optional features.
BIND is also available for Windows 2008 and higher. See win32utils/
readme1st.txt for details on building for Windows systems.
BIND is also available for Windows Server 2008 and higher. See win32utils/
build.txt for details on building for Windows systems.
To build on a UNIX or Linux system, use:
@@ -167,9 +228,9 @@ If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation:
will affect compilation. Significant ones are:
Variable Description
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
@@ -184,26 +245,31 @@ STD_CDEFINES Defaults to empty string. For a list of possible settings,
LDFLAGS Linker flags. Defaults to empty string.
BUILD_CC Needed when cross-compiling: the native C compiler to use
when building for the target system.
BUILD_CFLAGS Optional, used for cross-compiling
BUILD_CPPFLAGS
BUILD_LDFLAGS
BUILD_LIBS
BUILD_CFLAGS CFLAGS for the target system during cross-compiling.
BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
BUILD_LDFLAGS LDFLAGS for the target system during cross-compiling.
BUILD_LIBS LIBS for the target system during cross-compiling.
Additional environment variables affecting the build are listed at the end
of the configure help text, which can be obtained by running the command:
$ ./configure --help
macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/ or
if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and
other tools so that they can be easily found.
This can be downloaded from https://developer.apple.com/download/more/ or,
if you have Xcode already installed, you can run xcode-select --install.
(Note that an Apple ID may be required to access the download page.)
Dependencies
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
'argparse' and 'ply' modules to be available. 'argparse' is a standard
module as of Python 2.7 and Python 3.2. 'ply' is available from https://
pypi.python.org/pypi/ply.
argparse, ply and distutils.core modules to be available. argparse is a
standard module as of Python 2.7 and Python 3.2. ply is available from
https://pypi.python.org/pypi/ply. distutils.core is required for
installation.
Compile-time options
@@ -221,9 +287,12 @@ operations, specify the path to the PKCS#11 provider library using
--with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
least one of the following libraries: libxml2 http://xmlsoft.org or json-c
https://github.com/json-c/json-c. If these are installed at a nonstandard
location, then:
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
@@ -252,8 +321,8 @@ smaller systems.
On Linux, process capabilities are managed in user space using the libcap
library, which can be installed on most Linux systems via the libcap-dev
or libcap-devel module. Process capability support can also be disabled by
configuring with --disable-linux-caps.
or libcap-devel package. Process capability support can also be disabled
by configuring with --disable-linux-caps.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
@@ -290,7 +359,7 @@ ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.
and the dnspython module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework. To
@@ -301,7 +370,7 @@ tests can be run via make test or make unit.
Documentation
The BIND 9 Administrator Reference Manual is included with the source
distribution, in DocBook XML, HTML and PDF format, in the doc/arm
distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
directory.
Some of the programs in the BIND 9 distribution have man pages in their
@@ -321,7 +390,7 @@ development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
@@ -349,26 +418,46 @@ releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security sensitive.
To look up a GitLab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
In rare cases, an issue or merge request number may be followed with the
letter "P". This indicates that the information is in the private ISC
GitLab instance, which is not visible to the public.
Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)

179
README.md
View File

@@ -15,7 +15,7 @@
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.13 features](#features)
1. [BIND 9.14 features](#features)
1. [Building BIND](#build)
1. [macOS](#macos)
1. [Dependencies](#dependencies)
@@ -48,7 +48,7 @@ used in versions 4 and 8. Internet Systems Consortium
corporation dedicated to providing software and services in support of the
Internet infrastructure, developed BIND 9 and is responsible for its
ongoing maintenance and improvement. BIND is open source software
licenced under the terms of the Mozilla Public License, version 2.0.
licensed under the terms of the Mozilla Public License, version 2.0.
For a summary of features introduced in past major releases of BIND,
see the file [HISTORY](HISTORY.md).
@@ -57,8 +57,8 @@ For a detailed list of changes made throughout the history of BIND 9, see
the file [CHANGES](CHANGES). See [below](#changes) for details on the
CHANGES file format.
For up-to-date release notes and errata, see
[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
For up-to-date versions and release notes, see
[https://www.isc.org/download/](https://www.isc.org/download/).
For information about supported platforms, see [PLATFORMS](PLATFORMS.md).
@@ -79,8 +79,15 @@ using `named-checkconf -px`.
If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in `named`, please do *NOT* use GitLab to
report it. Instead, please send mail to
[security-officer@isc.org](mailto:security-officer@isc.org).
report it. Instead, send mail to
[security-officer@isc.org](mailto:security-officer@isc.org) using our
OpenPGP key to secure your message. (Information about OpenPGP and links
to our key can be found at
[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
discuss the bug on any public mailing list.
For a general overview of ISC security policies, read the Knowledge Base
article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
Professional support and training for BIND are available from
ISC at [https://www.isc.org/support](https://www.isc.org/support).
@@ -103,7 +110,7 @@ Information for BIND contributors can be found in the following files:
- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
Patches for BIND may be submitted as
[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
[merge requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
in the [ISC GitLab server](https://gitlab.isc.org) at
at [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
@@ -117,17 +124,18 @@ If you prefer, you may also submit code by opening a
including your patch as an attachment, preferably generated by
`git format-patch`.
### <a name="features"/> BIND 9.13 features
### <a name="features"/> BIND 9.14 features
BIND 9.13 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.12 and earlier releases. New features
include:
BIND 9.14.0 is the first release from a new stable branch of BIND 9,
incorporating all changes from the 9.13 development branch, updating
the most recent stable branch, 9.12. These changes include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* Socket and task code has been refactored to improve performance on most
modern machines.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone.
* Secondary zones can now be configured as "mirror" zones; their contents
@@ -157,15 +165,65 @@ Special code to support certain legacy operating systems has also
been removed; see the file [PLATFORMS.md](PLATFORMS.md) for details
of supported platforms. In addition to OpenSSL, BIND now requires
support for IPv6, threads, and standard atomic operations provided
by the C compiler.
by the C compiler. Non-threaded builds are no longer supported.
#### BIND 9.14.1
BIND 9.14.1 is a maintenance release, and addresses security
vulnerabilities disclosed in CVE-2018-5743 and CVE-2019-6467.
#### BIND 9.14.2
BIND 9.14.2 is a maintenance release.
#### BIND 9.14.3
BIND 9.14.3 is a maintenance release, and addresses the security
vulnerability disclosed in CVE-2019-6471.
#### BIND 9.14.4
BIND 9.14.4 is a maintenance release, and also adds support for
the new MaxMind GeoIP2 geolocation API when built with
`configure --with-geoip2`.
#### BIND 9.14.5
BIND 9.14.5 is a maintenance release.
#### BIND 9.14.6
BIND 9.14.6 is a maintenance release.
#### BIND 9.14.7
BIND 9.14.7 is a maintenance release, and also addresses the security
vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476.
#### BIND 9.14.8
BIND 9.14.8 is a maintenance release, and also addresses the security
vulnerability disclosed in CVE-2019-6477.
#### BIND 9.14.9
BIND 9.14.9 is a maintenance release.
#### BIND 9.14.10
BIND 9.14.10 is a maintenance release.
#### BIND 9.14.11
BIND 9.14.11 is a maintenance release.
### <a name="build"/> Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. Successful builds have been
observed on many versions of Linux and UNIX, including RedHat, Fedora,
Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
Solaris, HP-UX, and OpenWRT.
observed on many versions of Linux and UNIX, including RHEL/CentOS, Fedora,
Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, FreeBSD, NetBSD,
OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, and OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires
@@ -174,8 +232,8 @@ can be overridden by disabling capability support at compile time.
See [Compile-time options](#opts) below for details on other libraries
that may be required to support optional features.
BIND is also available for Windows 2008 and higher. See
`win32utils/readme1st.txt` for details on building for Windows
BIND is also available for Windows Server 2008 and higher. See
`win32utils/build.txt` for details on building for Windows
systems.
To build on a UNIX or Linux system, use:
@@ -187,7 +245,7 @@ If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.
Several environment variables that can be set before running `configure` will
affect compilation:
affect compilation. Significant ones are:
|Variable|Description |
|--------------------|-----------------------------------------------|
@@ -197,26 +255,35 @@ affect compilation:
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|
|`BUILD_CPPFLAGS`||
|`BUILD_LDFLAGS`||
|`BUILD_LIBS`||
|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
Additional environment variables affecting the build are listed at the
end of the `configure` help text, which can be obtained by running the
command:
$ ./configure --help
#### <a name="macos"> macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/
or if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and other
tools so that they can be easily found.
This can be downloaded from
[https://developer.apple.com/download/more/](https://developer.apple.com/download/more/)
or, if you have Xcode already installed, you can run `xcode-select
--install`. (Note that an Apple ID may be required to access the download
page.)
### <a name="dependencies"/> Dependencies
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
system tests, require the `argparse`, `ply` and `distutils.core` modules
to be available.
`argparse` is a standard module as of Python 2.7 and Python 3.2.
`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
`distutils.core` is required for installation.
#### <a name="opts"/> Compile-time options
@@ -234,14 +301,16 @@ path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
configure BIND with `--enable-native-pkcs11`.
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
[http://xmlsoft.org](http://xmlsoft.org) or json-c
[https://github.com/json-c](https://github.com/json-c). If these are
installed at a nonstandard location, specify the prefix using
`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
least one of the following libraries: `libxml2`
[http://xmlsoft.org](http://xmlsoft.org) or `json-c`
[https://github.com/json-c/json-c](https://github.com/json-c/json-c).
If these are installed at a nonstandard location, then:
* for `libxml2`, specify the prefix using `--with-libxml2=/prefix`,
* for `json-c`, adjust `PKG_CONFIG_PATH`.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
linked against `libzlib`. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB
@@ -253,9 +322,9 @@ libGeoIP. This is not turned on by default; BIND must be configured with
`--with-geoip`. If the library is installed in a nonstandard location,
specify the prefix using `--with-geoip=/prefix`.
For DNSTAP packet logging, you must have installed libfstrm
For DNSTAP packet logging, you must have installed `libfstrm`
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c
and `libprotobuf-c`
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with `--enable-dnstap`.
@@ -268,7 +337,7 @@ performance on smaller systems.
On Linux, process capabilities are managed in user space using
the `libcap` library, which can be installed on most Linux systems via
the `libcap-dev` or `libcap-devel` module. Process capability support can
the `libcap-dev` or `libcap-devel` package. Process capability support can
also be disabled by configuring with `--disable-linux-caps`.
On some platforms it is necessary to explicitly request large file support
@@ -304,20 +373,21 @@ multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
Some tests require Perl and the `Net::DNS` and/or `IO::Socket::INET6` modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.
and the `dnspython` module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework.
Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
To build them, use `configure --with-cmocka`. Execution of tests is done
by the Kyua test execution engine; if the `kyua` command is available,
then unit tests can be run via `make test` or `make unit`.
by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
`kyua` command is available, then unit tests can be run via `make test`
or `make unit`.
### <a name="doc"/> Documentation
The *BIND 9 Administrator Reference Manual* is included with the source
distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
distribution, in DocBook XML, HTML, and PDF format, in the `doc/arm`
directory.
Some of the programs in the BIND 9 distribution have man pages in their
@@ -360,6 +430,25 @@ releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
#### Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security sensitive.
To look up a GitLab issue by its number, use the URL
[https://gitlab.isc.org/isc-projects/bind9/issues/NNN](https://gitlab.isc.org/isc-projects/bind9/issues).
To look up a merge request, use
[https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
In rare cases, an issue or merge request number may be followed with the
letter "P". This indicates that the information is in the private ISC
GitLab instance, which is not visible to the public.
### <a name="ack"/> Acknowledgments
* The original development of BIND 9 was underwritten by the

2
aclocal.m4 vendored
View File

@@ -291,6 +291,8 @@ AS_VAR_IF([$1], [""], [$5], [$4])dnl
m4_include([m4/ax_check_openssl.m4])
m4_include([m4/ax_posix_shell.m4])
m4_include([m4/ax_pthread.m4])
m4_include([m4/ax_restore_flags.m4])
m4_include([m4/ax_save_flags.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])

View File

@@ -21,7 +21,7 @@ CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@

View File

@@ -722,7 +722,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
FILE *output = stdout;
const char *flags;
flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
if (debug) {
if (filename != NULL && strcmp(filename, "-") != 0)

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -143,5 +143,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -63,7 +63,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "usage: %s [-hjlvz] [-p [-x]] [-t directory] "
fprintf(stderr, "usage: %s [-chjlvz] [-p [-x]] [-t directory] "
"[named.conf]\n", program);
exit(1);
}

View File

@@ -41,6 +41,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -325,5 +325,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -44,6 +44,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{03A96113-CB14-43AA-AEB2-48950E3915C5}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>checkconf</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -17,18 +17,21 @@
<ProjectGuid>{2C1F7096-C5B5-48D4-846F-A7ACA454335D}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>checktool</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{66028555-7DD5-4016-B601-9EF9A1EE8BFA}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>checkzone</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@@ -62,15 +65,15 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
@@ -95,7 +98,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
@@ -104,8 +107,8 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<PostBuildEvent>

View File

@@ -29,7 +29,7 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -144,5 +144,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -38,6 +38,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -206,5 +206,5 @@ BIND 9 Administrator Reference Manual\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -45,6 +45,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{64964B03-4815-41F0-9057-E766A94AF197}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>confgentool</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{1EA4FC64-F33B-4A50-970A-EA052BBE9CF1}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>ddnsconfgen</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{1E2C1635-3093-4D59-80E7-4743AC10F22F}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>rndcconfgen</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -23,7 +23,7 @@ CDEFINES = -DVERSION=\"${VERSION}\" \
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
IRSLIBS = ../../lib/irs/libirs.@A@

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -437,5 +437,5 @@ RFC5155\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -160,42 +160,43 @@ usage(void) {
" q-class is one of (in,hs,ch,...) [default: in]\n"
" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
" q-opt is one of:\n"
" -x dot-notation (shortcut for reverse lookups)\n"
" -d level (set debugging level)\n"
" -4 (use IPv4 query transport only)\n"
" -6 (use IPv6 query transport only)\n"
" -a anchor-file (specify root and dlv trust anchors)\n"
" -b address[#port] (bind to source address/port)\n"
" -c class (option included for compatibility;\n"
" -d level (set debugging level)\n"
" -h (print help and exit)\n"
" -i (disable DNSSEC validation)\n"
" -m (enable memory usage debugging)\n"
" -p port (specify port number)\n"
" -q name (specify query name)\n"
" -t type (specify query type)\n"
" -c class (option included for compatibility;\n"
" only IN is supported)\n"
" -4 (use IPv4 query transport only)\n"
" -6 (use IPv6 query transport only)\n"
" -i (disable DNSSEC validation)\n"
" -m (enable memory usage debugging)\n"
" -v (print version and exit)\n"
" -x dot-notation (shortcut for reverse lookups)\n"
" d-opt is of the form +keyword[=value], where keyword is:\n"
" +[no]all (Set or clear all display flags)\n"
" +[no]class (Control display of class)\n"
" +[no]comments (Control display of comment lines)\n"
" +[no]crypto (Control display of cryptographic\n"
" fields in records)\n"
" +[no]dlv (DNSSEC lookaside validation anchor)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]multiline (Print records in an expanded format)\n"
" +[no]comments (Control display of comment lines)\n"
" +[no]root (DNSSEC validation trust anchor)\n"
" +[no]rrcomments (Control display of per-record "
"comments)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n"
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]short (Short form answer)\n"
" +[no]split=## (Split hex/base64 fields into chunks)\n"
" +[no]tcp (TCP mode)\n"
" +[no]ttl (Control display of ttls in records)\n"
" +[no]trust (Control display of trust level)\n"
" +[no]rtrace (Trace resolver fetches)\n"
" +[no]mtrace (Trace messages received)\n"
" +[no]vtrace (Trace validation process)\n"
" +[no]dlv (DNSSEC lookaside validation anchor)\n"
" +[no]root (DNSSEC validation trust anchor)\n"
" +[no]dnssec (Display DNSSEC records)\n"
" -h (print help and exit)\n"
" -v (print version and exit)\n",
" +[no]unknownformat (Print RDATA in RFC 3597 "
"\"unknown\" format)\n"
" +[no]vtrace (Trace validation process)\n",
stderr);
exit(1);
}
@@ -502,7 +503,7 @@ setup_style(dns_master_style_t **stylep) {
isc_result_t result;
dns_master_style_t *style = NULL;
REQUIRE(stylep != NULL || *stylep == NULL);
REQUIRE(stylep != NULL && *stylep == NULL);
styleflags |= DNS_STYLEFLAG_REL_OWNER;
if (showcomments)

View File

@@ -40,6 +40,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{BE172EFE-C1DC-4812-BFB9-8C5F8ADB7E9F}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>delv</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -25,7 +25,7 @@ CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -361,14 +361,20 @@ Display [do not display] the CLASS when printing the record\&.
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output identifying the version of
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This comment is printed by default\&.
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
@@ -561,12 +567,12 @@ would cause a 48\-byte query to be padded to 64 bytes\&. The default block size
.PP
\fB+[no]qr\fR
.RS 4
Print [do not print] the query as it is sent\&. By default, the query is not printed\&.
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
Print [do not print] the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
@@ -584,11 +590,11 @@ A synonym for
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when the
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
or
option, and when using
\fI+trace\fR
query options are used\&.
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
@@ -619,7 +625,7 @@ determines if the name will be treated as relative or not and hence whether a se
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
@@ -649,7 +655,7 @@ causes fields not to be split at all\&. The default is 56 characters, or 44 char
.PP
\fB+[no]stats\fR
.RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics\&.
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR
@@ -824,5 +830,5 @@ There are probably too many query options\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -175,11 +175,13 @@ help(void) {
" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
" +[no]cdflag (Set checking disabled flag in query)\n"
" +[no]class (Control display of class in records)\n"
" +[no]cmd (Control display of command line)\n"
" +[no]comments (Control display of comment lines)\n"
" +[no]cmd (Control display of command line -\n"
" global option)\n"
" +[no]comments (Control display of packet header\n"
" and section name comments)\n"
" +[no]cookie (Add a COOKIE option to the request)\n"
" +[no]crypto (Control display of cryptographic "
"fields in records)\n"
" +[no]crypto (Control display of cryptographic\n"
" fields in records)\n"
" +[no]defname (Use search list (+[no]search))\n"
" +[no]dnssec (Request DNSSEC records)\n"
" +domain=### (Set default domainname)\n"
@@ -195,11 +197,13 @@ help(void) {
" +[no]identify (ID responders in short answers)\n"
#ifdef HAVE_LIBIDN2
" +[no]idnin (Parse IDN names [default=on on tty])\n"
" +[no]idnout (Convert IDN response [default=on on tty])\n"
" +[no]idnout (Convert IDN response "
"[default=on on tty])\n"
#endif
" +[no]ignore (Don't revert to TCP for TC responses.)\n"
" +[no]keepalive (Request EDNS TCP keepalive)\n"
" +[no]keepopen (Keep the TCP socket open between queries)\n"
" +[no]keepopen (Keep the TCP socket open between "
"queries)\n"
" +[no]mapped (Allow mapped IPv4 over IPv6)\n"
" +[no]multiline (Print records in an expanded format)\n"
" +ndots=### (Set search NDOTS value)\n"
@@ -218,7 +222,7 @@ help(void) {
"comments)\n"
" +[no]search (Set whether to use searchlist)\n"
" +[no]short (Display nothing except short\n"
" form of answer)\n"
" form of answers - global option)\n"
" +[no]showsearch (Search with intermediate results)\n"
" +[no]split=## (Split hex/base64 fields into chunks)\n"
" +[no]stats (Control display of statistics)\n"
@@ -226,11 +230,13 @@ help(void) {
" +[no]tcflag (Set TC flag in query (+[no]tcflag))\n"
" +[no]tcp (TCP mode (+[no]vc))\n"
" +timeout=### (Set query timeout) [5]\n"
" +[no]trace (Trace delegation down from root [+dnssec])\n"
" +[no]trace (Trace delegation down from root "
"[+dnssec])\n"
" +tries=### (Set number of UDP attempts) [3]\n"
" +[no]ttlid (Control display of ttls in records)\n"
" +[no]ttlunits (Display TTLs in human-readable units)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" format)\n"
" +[no]unknownformat (Print RDATA in RFC 3597 \"unknown\" "
"format)\n"
" +[no]vc (TCP mode (+[no]tcp))\n"
" +[no]zflag (Set Z flag in query)\n"
" global d-opts and servers (before host name) affect all queries.\n"
@@ -502,8 +508,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
check_result(result, "dns_master_stylecreate");
if (query->lookup->cmdline[0] != 0) {
if (!short_form)
if (!short_form && printcmd) {
fputs(query->lookup->cmdline, stdout);
}
query->lookup->cmdline[0]=0;
}
debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
@@ -526,7 +533,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
check_result(result, "isc_buffer_allocate");
if (query->lookup->comments && !short_form) {
if (query->lookup->cmdline[0] != 0)
if (query->lookup->cmdline[0] != 0 && printcmd)
printf("; %s\n", query->lookup->cmdline);
if (msg == query->lookup->sendmsg)
printf(";; Sending:\n");
@@ -1445,7 +1452,7 @@ plus_option(char *option, bool is_batchfile,
lookup->trace = state;
lookup->trace_root = state;
if (state) {
lookup->recurse = false;
lookup->recurse = true;
lookup->identify = true;
lookup->comments = false;
lookup->rrcomments = 0;

View File

@@ -53,6 +53,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -593,9 +594,11 @@
<listitem>
<para>
Toggles the printing of the initial comment in the
output identifying the version of <command>dig</command>
and the query options that have been applied. This
comment is printed by default.
output, identifying the version of <command>dig</command>
and the query options that have been applied. This option
always has global effect; it cannot be set globally
and then overridden on a per-lookup basis. The default
is to print this comment.
</para>
</listitem>
</varlistentry>
@@ -604,8 +607,18 @@
<term><option>+[no]comments</option></term>
<listitem>
<para>
Toggle the display of comment lines in the output.
The default is to print comments.
Toggles the display of some comment lines in the output,
containing information about the packet header and
OPT pseudosection, and the names of the response
section. The default is to print these comments.
</para>
<para>
Other types of comments in the output are not affected by
this option, but can be controlled using other command
line switches. These include <command>+[no]cmd</command>,
<command>+[no]question</command>,
<command>+[no]stats</command>, and
<command>+[no]rrcomments</command>.
</para>
</listitem>
</varlistentry>
@@ -955,8 +968,8 @@
<term><option>+[no]qr</option></term>
<listitem>
<para>
Print [do not print] the query as it is sent. By
default, the query is not printed.
Toggles the display of the query message as it is sent.
By default, the query is not printed.
</para>
</listitem>
</varlistentry>
@@ -965,7 +978,7 @@
<term><option>+[no]question</option></term>
<listitem>
<para>
Print [do not print] the question section of a query
Toggles the display of the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
</para>
@@ -1000,8 +1013,10 @@
in the query. This bit is set by default, which means
<command>dig</command> normally sends recursive
queries. Recursion is automatically disabled when
the <parameter>+nssearch</parameter> or
<parameter>+trace</parameter> query options are used.
using the <parameter>+nssearch</parameter> option, and
when using <parameter>+trace</parameter> except for
an initial recursive query to get the list of root
servers.
</para>
</listitem>
</varlistentry>
@@ -1054,7 +1069,9 @@
<listitem>
<para>
Provide a terse answer. The default is to print the
answer in a verbose form.
answer in a verbose form. This option always has global
effect; it cannot be set globally and then overridden on
a per-lookup basis.
</para>
</listitem>
</varlistentry>
@@ -1099,10 +1116,9 @@
<term><option>+[no]stats</option></term>
<listitem>
<para>
This query option toggles the printing of statistics:
when the query was made, the size of the reply and
so on. The default behavior is to print the query
statistics.
Toggles the printing of statistics: when the query was made,
the size of the reply and so on. The default behavior is to
print the query statistics as a comment after each lookup.
</para>
</listitem>
</varlistentry>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2011, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -481,16 +481,28 @@
<dd>
<p>
Toggles the printing of the initial comment in the
output identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This
comment is printed by default.
output, identifying the version of <span class="command"><strong>dig</strong></span>
and the query options that have been applied. This option
always has global effect; it cannot be set globally
and then overridden on a per-lookup basis. The default
is to print this comment.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output.
The default is to print comments.
Toggles the display of some comment lines in the output,
containing information about the packet header and
OPT pseudosection, and the names of the response
section. The default is to print these comments.
</p>
<p>
Other types of comments in the output are not affected by
this option, but can be controlled using other command
line switches. These include <span class="command"><strong>+[no]cmd</strong></span>,
<span class="command"><strong>+[no]question</strong></span>,
<span class="command"><strong>+[no]stats</strong></span>, and
<span class="command"><strong>+[no]rrcomments</strong></span>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
@@ -757,14 +769,14 @@
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd>
<p>
Print [do not print] the query as it is sent. By
default, the query is not printed.
Toggles the display of the query message as it is sent.
By default, the query is not printed.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd>
<p>
Print [do not print] the question section of a query
Toggles the display of the question section of a query
when an answer is returned. The default is to print
the question section as a comment.
</p>
@@ -790,8 +802,10 @@
in the query. This bit is set by default, which means
<span class="command"><strong>dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or
<em class="parameter"><code>+trace</code></em> query options are used.
using the <em class="parameter"><code>+nssearch</code></em> option, and
when using <em class="parameter"><code>+trace</code></em> except for
an initial recursive query to get the list of root
servers.
</p>
</dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
@@ -832,7 +846,9 @@
<dd>
<p>
Provide a terse answer. The default is to print the
answer in a verbose form.
answer in a verbose form. This option always has global
effect; it cannot be set globally and then overridden on
a per-lookup basis.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
@@ -865,10 +881,9 @@
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd>
<p>
This query option toggles the printing of statistics:
when the query was made, the size of the reply and
so on. The default behavior is to print the query
statistics.
Toggles the printing of statistics: when the query was made,
the size of the reply and so on. The default behavior is to
print the query statistics as a comment after each lookup.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]subnet=addr[/prefix-length]</code></span></dt>

View File

@@ -810,8 +810,8 @@ clone_lookup(dig_lookup_t *lookold, bool servers) {
memmove(looknew->ecs_addr, lookold->ecs_addr, len);
}
dns_name_copy(dns_fixedname_name(&lookold->fdomain),
dns_fixedname_name(&looknew->fdomain), NULL);
dns_name_copynf(dns_fixedname_name(&lookold->fdomain),
dns_fixedname_name(&looknew->fdomain));
if (servers)
clone_server_list(lookold->my_server_list,
@@ -1399,6 +1399,7 @@ typedef struct dig_ednsoptname {
} dig_ednsoptname_t;
dig_ednsoptname_t optnames[] = {
{ 1, "LLQ" }, /* draft-sekar-dns-llq */
{ 3, "NSID" }, /* RFC 5001 */
{ 5, "DAU" }, /* RFC 6975 */
{ 6, "DHU" }, /* RFC 6975 */
@@ -1411,6 +1412,8 @@ dig_ednsoptname_t optnames[] = {
{ 12, "PAD" }, /* shorthand */
{ 13, "CHAIN" }, /* RFC 7901 */
{ 14, "KEY-TAG" }, /* RFC 8145 */
{ 16, "CLIENT-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 17, "SERVER-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
};
@@ -1821,7 +1824,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
if (lookup->ns_search_only)
lookup->recurse = false;
domain = dns_fixedname_name(&lookup->fdomain);
dns_name_copy(name, domain, NULL);
dns_name_copynf(name, domain);
}
debug("adding server %s", namestr);
num = getaddresses(lookup, namestr, &lresult);
@@ -2025,6 +2028,9 @@ setup_lookup(dig_lookup_t *lookup) {
char cookiebuf[256];
char *origin = NULL;
char *textname = NULL;
REQUIRE(lookup != NULL);
#ifdef HAVE_LIBIDN2
char idn_origin[MXNAME], idn_textname[MXNAME];
@@ -2033,7 +2039,6 @@ setup_lookup(dig_lookup_t *lookup) {
check_result(result, "dns_name_settotextfilter");
#endif /* HAVE_LIBIDN2 */
REQUIRE(lookup != NULL);
INSIST(!free_now);
debug("setup_lookup(%p)", lookup);
@@ -2134,22 +2139,26 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&b, textname, len);
isc_buffer_add(&b, len);
result = dns_name_fromtext(name, &b, NULL, 0, NULL);
if (result == ISC_R_SUCCESS &&
!dns_name_isabsolute(name))
result = dns_name_concatenate(name,
lookup->oname,
lookup->name,
&lookup->namebuf);
else if (result == ISC_R_SUCCESS)
result = dns_name_copy(name, lookup->name,
&lookup->namebuf);
if (result == ISC_R_SUCCESS) {
if (!dns_name_isabsolute(name)) {
result = dns_name_concatenate(name,
lookup->oname,
lookup->name,
&lookup->namebuf);
} else {
result = dns_name_copy(name,
lookup->name,
&lookup->namebuf);
}
}
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
dns_message_puttempname(lookup->sendmsg,
&lookup->oname);
if (result == DNS_R_NAMETOOLONG)
if (result == DNS_R_NAMETOOLONG) {
return (false);
}
fatal("'%s' is not in legal name syntax (%s)",
lookup->textname,
isc_result_totext(result));
@@ -2189,12 +2198,14 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->sendmsg->id = (dns_messageid_t)isc_random16();
lookup->sendmsg->opcode = lookup->opcode;
lookup->msgcounter = 0;
/*
* If this is a trace request, completely disallow recursion, since
* it's meaningless for traces.
* If this is a trace request, completely disallow recursion after
* looking up the root name servers, since it's meaningless for traces.
*/
if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
if ((lookup->trace || lookup->ns_search_only) && !lookup->trace_root) {
lookup->recurse = false;
}
if (lookup->recurse &&
lookup->rdtype != dns_rdatatype_axfr &&
@@ -4374,9 +4385,20 @@ idn_ace_to_locale(const char *src, char **dst) {
*/
res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
if (res != IDN2_OK) {
fatal("Cannot represent '%s' in the current locale (%s), "
"use +noidnout or a different locale",
src, idn2_strerror(res));
static bool warned = false;
res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
if (res != IDN2_OK) {
fatal("Cannot represent '%s' "
"in the current locale nor ascii (%s), "
"use +noidnout or a different locale",
src, idn2_strerror(res));
} else if (!warned) {
fprintf(stderr, ";; Warning: cannot represent '%s' "
"in the current locale",
local_src);
warned = true;
}
}
/*

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -269,5 +269,5 @@ runs\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -396,7 +396,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname, NULL);
dns_name_copynf(&cname.cname, qname);
dns_rdata_freestruct(&cname);
}
}
@@ -455,7 +455,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
/* Add AAAA and MX lookups. */
name = dns_fixedname_initname(&fixed);
dns_name_copy(query->lookup->name, name, NULL);
dns_name_copynf(query->lookup->name, name);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, false);

View File

@@ -48,6 +48,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -233,7 +233,10 @@ Change the default TCP/UDP name server port to
.RS 4
Change the type of the information query\&.
.sp
(Default = A; abbreviations = q, ty)
(Default = A and then AAAA; abbreviations = q, ty)
.sp
\fBNote:\fR
It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBrecurse\fR
@@ -301,5 +304,5 @@ runs or when the standard output is not a tty\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -425,7 +425,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname, NULL);
dns_name_copynf(&cname.cname, qname);
dns_rdata_freestruct(&cname);
}
}
@@ -478,7 +478,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, bool headers) {
/* Add AAAA lookup. */
name = dns_fixedname_initname(&fixed);
dns_name_copy(query->lookup->name, name, NULL);
dns_name_copynf(query->lookup->name, name);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, false);

View File

@@ -72,6 +72,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -307,7 +308,7 @@ nslookup -query=hinfo -timeout=10
The class specifies the protocol group of the information.
</para>
<para>
<para>
(Default = IN; abbreviation = cl)
</para>
</listitem>
@@ -317,10 +318,10 @@ nslookup -query=hinfo -timeout=10
<term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
</para>
</listitem>
@@ -331,9 +332,9 @@ nslookup -query=hinfo -timeout=10
<listitem>
<para>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
what nslookup is doing.
</para>
<para>
<para>
(Default = nod2)
</para>
</listitem>
@@ -357,7 +358,7 @@ nslookup -query=hinfo -timeout=10
names in the domain search list to the request until an
answer is received.
</para>
<para>
<para>
(Default = search)
</para>
</listitem>
@@ -369,7 +370,7 @@ nslookup -query=hinfo -timeout=10
<para>
Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
</para>
<para>
<para>
(Default = 53; abbreviation = po)
</para>
</listitem>
@@ -388,9 +389,15 @@ nslookup -query=hinfo -timeout=10
<para>
Change the type of the information query.
</para>
<para>
(Default = A; abbreviations = q, ty)
<para>
(Default = A and then AAAA; abbreviations = q, ty)
</para>
<para>
<emphasis role="bold">Note:</emphasis> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</para>
</listitem>
</varlistentry>
@@ -402,7 +409,7 @@ nslookup -query=hinfo -timeout=10
have the
information.
</para>
<para>
<para>
(Default = recurse; abbreviation = [no]rec)
</para>
</listitem>
@@ -412,9 +419,9 @@ nslookup -query=hinfo -timeout=10
<term><constant>ndots=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</para>
</listitem>
</varlistentry>
@@ -445,7 +452,7 @@ nslookup -query=hinfo -timeout=10
Always use a virtual circuit when sending requests to the
server.
</para>
<para>
<para>
(Default = novc)
</para>
</listitem>
@@ -455,15 +462,15 @@ nslookup -query=hinfo -timeout=10
<term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
(Default = nofail)
</para>
</listitem>
</varlistentry>
</listitem>
</varlistentry>
</variablelist>
</para>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -229,17 +229,17 @@ nslookup -query=hinfo -timeout=10
The class specifies the protocol group of the information.
</p>
<p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
@@ -247,9 +247,9 @@ nslookup -query=hinfo -timeout=10
<dd>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
what nslookup is doing.
</p>
<p>
<p>
(Default = nod2)
</p>
</dd>
@@ -267,7 +267,7 @@ nslookup -query=hinfo -timeout=10
names in the domain search list to the request until an
answer is received.
</p>
<p>
<p>
(Default = search)
</p>
</dd>
@@ -276,7 +276,7 @@ nslookup -query=hinfo -timeout=10
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
@@ -289,9 +289,15 @@ nslookup -query=hinfo -timeout=10
<p>
Change the type of the information query.
</p>
<p>
(Default = A; abbreviations = q, ty)
<p>
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
@@ -300,16 +306,16 @@ nslookup -query=hinfo -timeout=10
have the
information.
</p>
<p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
@@ -331,21 +337,21 @@ nslookup -query=hinfo -timeout=10
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
(Default = nofail)
</p>
</dd>
</dd>
</dl></div>
<p>
</p>

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{F938F9B8-D395-4A40-BEC7-0122D289C692}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>dig</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{140DE800-E552-43CC-B0C7-A33A92E368CA}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>dighost</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{BA1048A8-6961-4A20-BE12-08BE20611C9D}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>host</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{C15A6E1A-94CE-4686-99F9-6BC5FD623EB5}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>nslookup</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -20,7 +20,7 @@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LIBS@

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -293,5 +293,5 @@ RFC 7344\&.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2017-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2017-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -28,6 +28,7 @@
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/serial.h>
#include <isc/string.h>
@@ -61,10 +62,6 @@
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* WIN32, and others don't define this. */
#endif
const char *program = "dnssec-cds";
int verbose;
@@ -86,7 +83,7 @@ static dns_rdataclass_t rdclass = dns_rdataclass_in;
* List of digest types used by ds_from_cdnskey(), filled in by add_dtype()
* from -a arguments. The size of the array is an arbitrary limit.
*/
static uint8_t dtype[8];
static dns_dsdigest_t dtype[8];
static const char *startstr = NULL; /* from which we derive notbefore */
static isc_stdtime_t notbefore = 0; /* restrict sig inception times */
@@ -129,7 +126,7 @@ static int nkey; /* number of child zone DNSKEY records */
typedef struct keyinfo {
dns_rdata_t rdata;
dst_key_t *dst;
uint8_t algo;
dns_secalg_t algo;
dns_keytag_t tag;
} keyinfo_t;
@@ -614,12 +611,12 @@ free_keytable(keyinfo_t **keytable_p) {
* otherwise the key algorithm. This is used by the signature coverage
* check functions below.
*/
static uint8_t *
static dns_secalg_t *
matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
dns_rdataset_t *sigset)
{
isc_result_t result;
uint8_t *algo;
dns_secalg_t *algo;
int i;
algo = isc_mem_get(mctx, nkey);
@@ -702,7 +699,7 @@ matching_sigs(keyinfo_t *keytbl, dns_rdataset_t *rdataset,
* fetched from the child zone, any working signature is enough.
*/
static bool
signed_loose(uint8_t *algo) {
signed_loose(dns_secalg_t *algo) {
bool ok = false;
int i;
for (i = 0; i < nkey; i++) {
@@ -721,7 +718,7 @@ signed_loose(uint8_t *algo) {
* RRset.
*/
static bool
signed_strict(dns_rdataset_t *dsset, uint8_t *algo) {
signed_strict(dns_rdataset_t *dsset, dns_secalg_t *algo) {
isc_result_t result;
bool all_ok = true;
@@ -844,14 +841,14 @@ ds_from_cdnskey(dns_rdatalist_t *dslist, isc_buffer_t *buf,
*/
static int
cmp_dtype(const void *ap, const void *bp) {
int a = *(const uint8_t *)ap;
int b = *(const uint8_t *)bp;
int a = *(const dns_dsdigest_t *)ap;
int b = *(const dns_dsdigest_t *)bp;
return (a - b);
}
static void
add_dtype(const char *dn) {
uint8_t dt;
dns_dsdigest_t dt;
unsigned i, n;
dt = strtodsdigest(dn);
@@ -936,7 +933,7 @@ consistent_digests(dns_rdataset_t *dsset) {
dns_rdata_t *arrdata;
dns_rdata_ds_t *ds;
dns_keytag_t key_tag;
uint8_t algorithm;
dns_secalg_t algorithm;
bool match;
int i, j, n, d;

View File

@@ -41,6 +41,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2017-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2017-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -237,5 +237,5 @@ RFC 7344
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -21,6 +21,7 @@
#include <isc/commandline.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
@@ -49,10 +50,6 @@
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* WIN32, and others don't define this. */
#endif
const char *program = "dnssec-dsfromkey";
int verbose;
@@ -207,9 +204,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
rdclass = dst_key_class(key);
name = dns_fixedname_initname(&fixed);
result = dns_name_copy(dst_key_name(key), name, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't copy name");
dns_name_copynf(dst_key_name(key), name);
dst_key_free(&key);
}
@@ -235,7 +230,7 @@ logkey(dns_rdata_t *rdata)
}
static void
emit(unsigned int dtype, bool showall, char *lookaside,
emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
bool cds, dns_rdata_t *rdata)
{
isc_result_t result;
@@ -348,9 +343,9 @@ main(int argc, char **argv) {
char *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
char *endp, *arg1;
int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1;
dns_dsdigest_t dtype = DNS_DSDIGEST_SHA1;
bool cds = false;
bool both = true;
bool usekeyset = false;
@@ -362,12 +357,14 @@ main(int argc, char **argv) {
dns_rdata_init(&rdata);
if (argc == 1)
if (argc == 1) {
usage();
}
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
fatal("out of memory");
}
#if USE_PKCS11
pk11_result_register();
@@ -395,9 +392,10 @@ main(int argc, char **argv) {
both = false;
break;
case 'C':
if (lookaside != NULL)
if (lookaside != NULL) {
fatal("lookaside and CDS are mutually"
" exclusive");
}
cds = true;
break;
case 'c':
@@ -409,16 +407,18 @@ main(int argc, char **argv) {
/* fall through */
case 'K':
dir = isc_commandline_argument;
if (strlen(dir) == 0U)
if (strlen(dir) == 0U) {
fatal("directory must be non-empty string");
}
break;
case 'f':
filename = isc_commandline_argument;
break;
case 'l':
if (cds)
if (cds) {
fatal("lookaside and CDS are mutually"
" exclusive");
}
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
@@ -432,16 +432,18 @@ main(int argc, char **argv) {
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
if (*endp != '\0') {
fatal("-v must be followed by a number");
}
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
}
/* FALLTHROUGH */
case 'h':
/* Does not return. */
@@ -460,46 +462,61 @@ main(int argc, char **argv) {
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL)
if (usekeyset && filename != NULL) {
fatal("cannot use both -s and -f");
}
/* When not using -f, -A is implicit */
if (filename == NULL)
if (filename == NULL) {
showall = true;
}
if (argc < isc_commandline_index + 1 && filename == NULL)
/*
* Use local variable arg1 so that clang can correctly analyse
* reachable paths rather than 'argc < isc_commandline_index + 1'.
*/
arg1 = argv[isc_commandline_index];
if (arg1 == NULL && filename == NULL) {
fatal("the key file name was not specified");
if (argc > isc_commandline_index + 1)
}
if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
}
setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
if (usekeyset || filename != NULL) {
if (argc < isc_commandline_index + 1 && filename != NULL) {
/* using zone name as the zone file name */
if (arg1 == NULL) {
/* using file name as the zone name */
namestr = filename;
} else
namestr = argv[isc_commandline_index];
} else {
namestr = arg1;
}
result = initname(namestr);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
fatal("could not initialize name %s", namestr);
}
if (usekeyset)
if (usekeyset) {
result = loadkeyset(dir, &rdataset);
else
} else {
INSIST(filename != NULL);
result = loadset(filename, &rdataset);
}
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
fatal("could not load DNSKEY set: %s\n",
isc_result_totext(result));
}
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
@@ -507,30 +524,32 @@ main(int argc, char **argv) {
dns_rdata_init(&rdata);
dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2)
if (verbose > 2) {
logkey(&rdata);
}
if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside,
cds, &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside,
cds, &rdata);
} else
} else {
emit(dtype, showall, lookaside, cds, &rdata);
}
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
loadkey(argv[isc_commandline_index], key_buf,
DST_KEY_MAXSIZE, &rdata);
loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
&rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
&rdata);
} else
} else {
emit(dtype, showall, lookaside, cds, &rdata);
}
}
if (dns_rdataset_isassociated(&rdataset))
@@ -538,14 +557,16 @@ main(int argc, char **argv) {
cleanup_logging(&log);
dst_lib_destroy();
dns_name_destroy();
if (verbose > 10)
if (verbose > 10) {
isc_mem_stats(mctx, stdout);
}
isc_mem_destroy(&mctx);
fflush(stdout);
if (ferror(stdout)) {
fprintf(stderr, "write error\n");
return (1);
} else
} else {
return (0);
}
}

View File

@@ -42,6 +42,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -134,5 +134,5 @@ RFC 5011\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -20,6 +20,7 @@
#include <isc/commandline.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
@@ -48,10 +49,6 @@
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* WIN32, and others don't define this. */
#endif
const char *program = "dnssec-importkey";
int verbose;
@@ -181,9 +178,7 @@ loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
rdclass = dst_key_class(key);
name = dns_fixedname_initname(&fixed);
result = dns_name_copy(dst_key_name(key), name, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't copy name");
dns_name_copynf(dst_key_name(key), name);
dst_key_free(&key);
}

View File

@@ -39,6 +39,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2013-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -92,7 +92,7 @@ Specifies the label for a key pair in the crypto hardware\&.
.sp
When
BIND
9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
.sp
When
BIND
@@ -307,5 +307,5 @@ The PKCS#11 URI Scheme (draft\-pechanec\-pkcs11uri\-13)\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -44,6 +44,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -172,9 +173,7 @@
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
identifies a particular key.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2008-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -146,9 +146,7 @@
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
identifies a particular key.
</p>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -39,7 +39,7 @@
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
\fBdnssec\-keygen\fR [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
@@ -58,6 +58,13 @@ may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
@@ -83,29 +90,15 @@ to generate TSIG keys\&.
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 4096 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
Compatibility mode: generates an old\-style key, without any timing metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
@@ -150,11 +143,6 @@ Prints a short summary of the options and arguments to
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
@@ -164,9 +152,17 @@ none
is the same as leaving it unset\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
Sets the protocol value for the generated key, for use with
\fB\-T KEY\fR\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
@@ -193,27 +189,25 @@ Specifies the strength value of the key\&. The strength is a number between 0 an
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Specifying any TSIG algorithm (HMAC\-* or DH) with
\fB\-a\fR
forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
Indicates the use of the key, for use with
\fB\-T KEY\fR\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
@@ -314,23 +308,24 @@ contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
file contains a DNSKEY or KEY record\&. When a zone is being signed by
\fBnamed\fR
or
\fBdnssec\-signzone\fR\fB\-S\fR, DNSKEY records are included automatically\&. In other cases, the
\&.key
file can be inserted into a zone file manually or with a
\fB$INCLUDE\fR
statement\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate an ECDSAP256SHA256 key for the domain
\fBexample\&.com\fR, the following command would be issued:
To generate an ECDSAP256SHA256 zone\-signing key for the zone
\fBexample\&.com\fR, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-n ZONE example\&.com\fR
\fBdnssec\-keygen \-a ECDSAP256SHA256 example\&.com\fR
.PP
The command would print a string of the form:
.PP
@@ -342,6 +337,10 @@ creates the files
Kexample\&.com\&.+013+26160\&.key
and
Kexample\&.com\&.+013+26160\&.private\&.
.PP
To generate a matching key\-signing key, issue the command:
.PP
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example\&.com\fR
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
@@ -354,5 +353,5 @@ RFC 4034\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -241,7 +241,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \
#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:L:m:n:P:p:qR:r:S:s:T:t:" \
"v:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
@@ -322,11 +322,6 @@ main(int argc, char **argv) {
fatal("cannot open directory %s: %s",
directory, isc_result_totext(ret));
break;
case 'k':
fatal("The -k option has been deprecated.\n"
"To generate a key-signing key, use -f KSK.\n"
"To generate a key with TYPE=KEY, use -T KEY.\n");
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;

View File

@@ -51,6 +51,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -58,11 +59,10 @@
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>dnssec-keygen</command>
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-3</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -77,6 +77,7 @@
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
@@ -87,7 +88,6 @@
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="req" rep="norepeat">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -118,6 +118,20 @@
<variablelist>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
@@ -157,11 +171,9 @@
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</para>
<para>
If the key size is not specified, some algorithms have
@@ -173,43 +185,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <command>dnssec-keygen -3a RSASHA1</command>
specifies the NSEC3RSASHA1 algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
@@ -293,15 +278,6 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
@@ -318,14 +294,28 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
Sets the protocol value for the generated key, for use
with <option>-T KEY</option>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
@@ -383,10 +373,6 @@
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Specifying any TSIG algorithm (HMAC-* or DH) with
<option>-a</option> forces this option to KEY.
</para>
</listitem>
</varlistentry>
@@ -395,19 +381,11 @@
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
Indicates the use of the key, for use with <option>-T
KEY</option>. <option>type</option> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</para>
</listitem>
</varlistentry>
@@ -421,6 +399,15 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
@@ -585,10 +572,12 @@
key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <filename>.key</filename> file contains a DNSKEY or KEY record.
When a zone is being signed by <command>named</command>
or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
records are included automatically. In other cases,
the <filename>.key</filename> file can be inserted into a zone file
manually or with a <userinput>$INCLUDE</userinput> statement.
</para>
<para>
The <filename>.private</filename> file contains
@@ -596,21 +585,16 @@
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
To generate an ECDSAP256SHA256 key for the domain
<userinput>example.com</userinput>, the following command would be
issued:
To generate an ECDSAP256SHA256 zone-signing key for the zone
<userinput>example.com</userinput>, issue the command:
</para>
<para><userinput>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</userinput>
<para>
<userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
</para>
<para>
The command would print a string of the form:
@@ -623,6 +607,12 @@
and
<filename>Kexample.com.+013+26160.private</filename>.
</para>
<para>
To generate a matching key-signing key, issue the command:
</para>
<para>
<userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2005, 2007-2012, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -33,11 +33,10 @@
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-3</code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-C</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
@@ -52,6 +51,7 @@
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-k</code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
@@ -62,7 +62,6 @@
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-z</code>]
{name}
</p></div>
</div>
@@ -95,6 +94,16 @@
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
@@ -130,11 +139,9 @@
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 1024 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
between 1024 and 4096 bits. Diffie Hellman keys must be between
128 and 4096 bits. Elliptic curve algorithms don't need this
parameter.
</p>
<p>
If the key size is not specified, some algorithms have
@@ -144,36 +151,15 @@
<code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used with an algorithm that has both
NSEC and NSEC3 versions, then the NSEC3 version will be
used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
Compatibility mode: generates an old-style key, without any
timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored with
the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include this
data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
@@ -234,12 +220,6 @@
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Deprecated in favor of -T KEY.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
@@ -253,13 +233,24 @@
or <code class="literal">none</code> is the same as leaving it unset.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
with a host (KEY)), USER (for a key associated with a
user(KEY)) or OTHER (DNSKEY). These values are case
insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
Sets the protocol value for the generated key, for use
with <code class="option">-T KEY</code>. The protocol is a number between 0
and 255. The default is 3 (DNSSEC). Other possible values for
this argument are listed in RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-q</span></dt>
@@ -306,26 +297,15 @@
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Specifying any TSIG algorithm (HMAC-* or DH) with
<code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
Indicates the use of the key, for use with <code class="option">-T
KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the ability
to encrypt data.
</p>
</dd>
<dt><span class="term">-V</span></dt>
@@ -334,6 +314,12 @@
Prints version information.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
</dl></div>
</div>
@@ -476,10 +462,12 @@
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
When a zone is being signed by <span class="command"><strong>named</strong></span>
or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
records are included automatically. In other cases,
the <code class="filename">.key</code> file can be inserted into a zone file
manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
</p>
<p>
The <code class="filename">.private</code> file contains
@@ -487,22 +475,17 @@
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric cryptography algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
To generate an ECDSAP256SHA256 key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
To generate an ECDSAP256SHA256 zone-signing key for the zone
<strong class="userinput"><code>example.com</code></strong>, issue the command:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
</p>
<p>
The command would print a string of the form:
@@ -515,6 +498,12 @@
and
<code class="filename">Kexample.com.+013+26160.private</code>.
</p>
<p>
To generate a matching key-signing key, issue the command:
</p>
<p>
<strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
</p>
</div>
<div class="refsection">

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -99,5 +99,5 @@ RFC 5011\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -39,6 +39,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2011, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2009, 2011, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -200,5 +200,5 @@ RFC 5011\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -188,110 +188,6 @@ main(int argc, char **argv) {
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = true;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = true;
printpub = true;
printact = true;
printrev = true;
printinact = true;
printdel = true;
printsyncadd = true;
printsyncdel = true;
break;
}
do {
switch (*p++) {
case 'C':
printcreate = true;
break;
case 'P':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncadd = true;
break;
}
printpub = true;
break;
case 'A':
printact = true;
break;
case 'R':
printrev = true;
break;
case 'I':
printinact = true;
break;
case 'D':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncdel = true;
break;
}
printdel = true;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'u':
epoch = true;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
if (directory == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
changed = true;
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = true;
pub = strtotime(isc_commandline_argument,
now, now, &setpub);
unsetpub = !setpub;
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
@@ -301,24 +197,6 @@ main(int argc, char **argv) {
now, now, &setact);
unsetact = !setact;
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = true;
rev = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = true;
inact = strtotime(isc_commandline_argument,
now, now, &setinact);
unsetinact = !setinact;
break;
case 'D':
/* -Dsync ? */
if (isoptarg("sync", argv, usage)) {
@@ -342,11 +220,11 @@ main(int argc, char **argv) {
now, now, &setdel);
unsetdel = !setdel;
break;
case 'S':
predecessor = isc_commandline_argument;
case 'E':
engine = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
case 'f':
force = true;
break;
case '?':
if (isc_commandline_option != '?')
@@ -356,11 +234,131 @@ main(int argc, char **argv) {
case 'h':
/* Does not return. */
usage();
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = true;
inact = strtotime(isc_commandline_argument,
now, now, &setinact);
unsetinact = !setinact;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
if (directory == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
break;
case 'P':
/* -Psync ? */
if (isoptarg("sync", argv, usage)) {
if (unsetsyncadd || setsyncadd)
fatal("-P sync specified more than "
"once");
changed = true;
syncadd = strtotime(isc_commandline_argument,
now, now, &setsyncadd);
unsetsyncadd = !setsyncadd;
break;
}
(void)isoptarg("dnskey", argv, usage);
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = true;
pub = strtotime(isc_commandline_argument,
now, now, &setpub);
unsetpub = !setpub;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = true;
printpub = true;
printact = true;
printrev = true;
printinact = true;
printdel = true;
printsyncadd = true;
printsyncdel = true;
break;
}
do {
switch (*p++) {
case 'A':
printact = true;
break;
case 'C':
printcreate = true;
break;
case 'D':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncdel = true;
break;
}
printdel = true;
break;
case 'I':
printinact = true;
break;
case 'P':
if (!strncmp(p, "sync", 4)) {
p += 4;
printsyncadd = true;
break;
}
printpub = true;
break;
case 'R':
printrev = true;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = true;
rev = strtotime(isc_commandline_argument,
now, now, &setrev);
unsetrev = !setrev;
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'u':
epoch = true;
break;
case 'V':
/* Does not return. */
version(program);
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);

View File

@@ -41,6 +41,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009-2011, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2009-2011, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -468,5 +468,5 @@ RFC 4641\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -44,6 +44,7 @@
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/platform.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/rwlock.h>
@@ -88,10 +89,6 @@
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* WIN32, and others don't define this. */
#endif
const char *program = "dnssec-signzone";
int verbose;
@@ -204,7 +201,7 @@ savezonecut(dns_fixedname_t *fzonecut, dns_name_t *name) {
dns_name_t *result;
result = dns_fixedname_initname(fzonecut);
dns_name_copy(name, result, NULL);
dns_name_copynf(name, result);
return (result);
}
@@ -794,7 +791,10 @@ hashlist_comp(const void *a, const void *b) {
static void
hashlist_sort(hashlist_t *l) {
qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
INSIST(l->hashbuf != NULL || l->length == 0);
if (l->length > 0) {
qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
}
}
static bool
@@ -1946,7 +1946,7 @@ addnsec3param(const unsigned char *salt, size_t salt_len,
check_result(result, "dns_rdatalist_tordataset()");
result = dns_db_findnode(gdb, gorigin, true, &node);
check_result(result, "dns_db_find(gorigin)");
check_result(result, "dns_db_findnode(gorigin)");
/*
* Delete any current NSEC3PARAM records.
@@ -2346,7 +2346,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
break;
}
if (result == ISC_R_NOMORE) {
dns_name_copy(gorigin, nextname, NULL);
dns_name_copynf(gorigin, nextname);
done = true;
} else if (result != ISC_R_SUCCESS)
fatal("iterating through the database failed: %s",
@@ -2480,7 +2480,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
break;
}
if (result == ISC_R_NOMORE) {
dns_name_copy(gorigin, nextname, NULL);
dns_name_copynf(gorigin, nextname);
done = true;
} else if (result != ISC_R_SUCCESS)
fatal("iterating through the database failed: %s",

View File

@@ -51,6 +51,7 @@
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2009, 2011-2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2009, 2011-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -1,4 +1,4 @@
.\" Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -113,5 +113,5 @@ RFC 4033\&.
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
Copyright \(co 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -38,6 +38,7 @@
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>

View File

@@ -1,6 +1,6 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this

View File

@@ -17,6 +17,7 @@
#include <stdbool.h>
#include <isc/log.h>
#include <isc/platform.h>
#include <isc/stdtime.h>
#include <dns/rdatastruct.h>
#include <dst/dst.h>

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{0EB1727E-2BBD-47A6-AD12-418F9DEB0531}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>cds</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -20,18 +20,21 @@
<ProjectGuid>{2CB7DC75-023B-4AA3-AF3A-AE5046A4EE70}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>dnssectool</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>StaticLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="@TOOLS_VERSION@" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|@PLATFORM@">
<Configuration>Debug</Configuration>
@@ -14,18 +14,21 @@
<ProjectGuid>{6E6297F4-69D7-4533-85E1-BD17C30017C8}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>dsfromkey</RootNamespace>
@WINDOWS_TARGET_PLATFORM_VERSION@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
@PLATFORM_TOOLSET@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">

Some files were not shown because too many files have changed in this diff Show More