The MSVS C compiler requires every struct to have at least one member.
The dns_geoip_databases_t structure had one set of members for
HAVE_GEOIP and a different set for HAVE_GEOIP2, and none when neither
API is in use.
This commit silences the compiler error by moving the declaration of
dns_geoip_databases_t to types.h as an opaque reference, and commenting
out the contents of geoip.h when neither version of GeoIP is enabled.
(cherry picked from commit 81fcde5953)
- revise mapping of search terms to database types to match the
GeoIP2 schemas.
- open GeoIP2 databases when starting up; close when shutting down.
- clarify the logged error message when an unknown database type
is configured.
- add new geoip ACL subtypes to support searching for continent in
country databases.
- map geoip ACL subtypes to specific MMDB database queries.
- perform MMDB lookups based on subtype, saving state between
queries so repeated lookups for the same address aren't necessary.
(cherry picked from commit 6e0b93e5a0)
(cherry picked from commit 0283ab7512)
- "--with-geoip" is used to enable the legacy GeoIP library.
- "--with-geoip2" is used to enable the new GeoIP2 library
(libmaxminddb), and is on by default if the library is found.
- using both "--with-geoip" and "--with-geoip2" at the same time
is an error.
- an attempt is made to determine the default GeoIP2 database path at
compile time if pkg-config is able to report the module prefix. if
this fails, it will be necessary to set the path in named.conf with
geoip-directory
- Makefiles have been updated, and a stub lib/dns/geoip2.c has been
added for the eventual GeoIP2 search implementation.
(cherry picked from commit fea6b5bf10)
(cherry picked from commit 6a7e805796)
When trying to extract the key ID from a key file name, some test code
incorrectly attempts to strip all leading zeros. This breaks tests when
keys with ID 0 are generated. Add a new helper shell function,
keyfile_to_key_id(), which properly handles keys with ID 0 and use it in
test code whenever a key ID needs to be extracted from a key file name.
(cherry picked from commit 7d6eaad1bd)
When printing a packet, dnstap-read checks whether its text form takes
up more than the 2048 bytes allocated for the output buffer by default.
If that is the case, the output buffer is automatically expanded, but
the truncated output is left in the buffer, resulting in malformed data
being printed. Clear the output buffer before expanding it to prevent
this issue from occurring.
(cherry picked from commit 3549abe81d)
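The failure mode described in the dnstap-read message above, as an added example that is not BIND code: `struct outbuf`, `outbuf_append()` and `render()` are hypothetical names for a toy append-only buffer, used only to show why the truncated output must be cleared before retrying with a larger buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical append-only output buffer (not BIND's isc_buffer API). */
struct outbuf {
    char  *base;
    size_t size; /* allocated bytes */
    size_t used; /* bytes written so far */
};

/*
 * Append src at the current write offset. If it does not fit, copy what
 * fits and return -1. The partial copy left behind is what makes a
 * retry without a reset unsafe.
 */
static int outbuf_append(struct outbuf *b, const char *src) {
    size_t len = strlen(src);
    size_t room = b->size - b->used;
    size_t n = len < room ? len : room;

    memcpy(b->base + b->used, src, n);
    b->used += n;
    return n == len ? 0 : -1;
}

/*
 * Render text into a buffer of `initial` bytes, doubling it until the
 * text fits. With clear_first == 0 the truncated output of each failed
 * attempt stays in the buffer (the bug); with clear_first != 0 the
 * write offset is reset before the retry (the fix).
 * Returns a malloc'd, NUL-terminated string, or NULL on failure.
 */
static char *render(const char *text, size_t initial, int clear_first) {
    struct outbuf b = { NULL, initial, 0 };
    char *out;

    if (initial == 0 || (b.base = malloc(initial)) == NULL)
        return NULL;

    while (outbuf_append(&b, text) != 0) {
        char *grown = realloc(b.base, b.size * 2);
        if (grown == NULL) {
            free(b.base);
            return NULL;
        }
        b.base = grown;
        b.size *= 2;
        if (clear_first)
            b.used = 0; /* discard the truncated attempt */
    }

    out = realloc(b.base, b.used + 1);
    if (out == NULL) {
        free(b.base);
        return NULL;
    }
    out[b.used] = '\0';
    return out;
}

int main(void) {
    /* Constructed sample record text; 8 bytes stands in for the 2048-byte default. */
    const char *text = "example.com. 300 IN A 192.0.2.1";
    char *buggy = render(text, 8, 0);
    char *fixed = render(text, 8, 1);

    if (buggy == NULL || fixed == NULL)
        return 1;
    printf("without clearing: %s\n", buggy);
    printf("with clearing:    %s\n", fixed);
    free(buggy);
    free(fixed);
    return 0;
}
```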
In ISC-Bugs 45340, I wrote:
The Statistics channel offers links to Zones and Traffic.
Both produce valid data, but display as blank pages with
a web browser.
Zones never had XSL (I provided the original
implementation, but punted on the XSL).
Traffic has XSL, but it wasn't updated to reflect the
split between IPv4 and IPv6 data.
I've picked up enough XSL to fix my original omission,
and as penance for my sloth, fixed the Traffic bug as well.
(cherry picked from commit 96f0bbd4d5)
- when processing authoritative queries for ./NS, set 'gluedb' so
that glue will be included in the response, regardless of how
'minimal-responses' has been configured.
(cherry picked from commit e7684c7b64)
if "rndc reload" fails, the result code is supposed to be passed to
zone_postload, but for inline-signing zones, the result can be
overwritten first by a call to the ZONE_TRYLOCK macro. this can lead
to the partially-loaded unsigned zone being synced over to the signed
zone instead of being rejected.
(cherry picked from commit 0b792bd37b)
libidn2 2.2.0+ parses Punycode more strictly than older versions and
thus "dig +idnin +noidnout xn--19g" fails with libidn2 2.2.0+ but
succeeds with older versions.
We could preserve the old behavior by using the IDN2_NO_ALABEL_ROUNDTRIP
flag available in libidn2 2.2.0+, but:
- this change in behavior is considered a libidn2 bug fix [1],
- we want to make sure dig behaves as expected, not libidn2,
- implementing that would require additional configure.ac cruft.
Removing the problematic check appears to be the simplest solution as it
does not prevent the relevant block of checks in the "idna" system test
from achieving its purpose, i.e. ensuring dig properly handles invalid
U-labels.
[1] see upstream commit 241e8f486134793cb0f4a5b0e5817a97883401f5
(cherry picked from commit 60ce0ed411)
We increase recursclients when we attach to recursion quota,
decrease when we detach. In some cases, when we hit soft
quota, we might attach to quota without increasing recursclients
gauge. We then decrease the gauge when we detach from quota,
and it causes the statistics to underflow.
Fix makes sure that we increase recursclients always when we
successfully attach to recursion quota.
BIND 9.11.0 has bumped DNS_CLIENTINFOMETHODS_VERSION and _AGE to
version 2 and 1 in the dlz_minimal.h because a member was added to the
dnsclientinfo struct. It was found out that the new member is not
used anywhere and there are no accessor functions therefore the change
was reverted.
Later on, it was found out that the revert caused some problems to the
users of BIND 9, and thus this change takes a different approach by
syncing the values other way around.
(cherry picked from commit 39344dfb3e)
In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered. This must never be the case. Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).
(cherry picked from commit 7706f22924)
If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:
tkey-dhkey "server" ;
Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file. Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.
(cherry picked from commit 0b7b1161c2)
Compiling with -O3 triggers the following warnings with GCC 9.1:
task.c: In function ‘isc__taskmgr_create’:
task.c:1456:44: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~
task.c:1456:33: note: directive argument in the range [0, 4294967294]
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~
task.c:1456:4: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
1456 | snprintf(name, sizeof(name), "isc-worker%04u", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c: In function ‘debit_rrl_entry’:
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rrl.c:602:35: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 9 [-Werror=format-truncation=]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~
rrl.c:602:30: note: directive argument in the range [0, 2147483647]
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~
rrl.c:602:3: note: ‘snprintf’ output between 6 and 15 bytes into a destination of size 13
602 | snprintf(buf, sizeof(buf), "age=%d", age);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
private_test.c: In function ‘private_nsec3_totext_test’:
private_test.c:114:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
114 | while (*sp == '\0' && slen > 0) {
| ^~~
private_test.c:107:11: note: while referencing ‘salt’
107 | uint32_t salt;
| ^~~~
Prevent these warnings from being triggered by increasing the size of
the relevant arrays (task.c, rrl.c) and reordering conditions
(private_test.c).
(cherry picked from commit ce796ac1f4)
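The arithmetic behind the task.c warning above, as an added example that is not BIND code: `format_worker_name()`, `UINT_DIGITS` and `WORKER_NAME_MAX` are hypothetical names. It sizes the buffer for the worst-case `unsigned int` and, going beyond the fix the message describes, also checks the `snprintf()` return value so truncation is detected at run time.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Upper bound on the decimal digits of an unsigned int. Each bit adds
 * log10(2) ~= 0.30103 digits; 0.302 rounds that up, so the result never
 * underestimates (32 bits -> 10 digits, 64 bits -> 20 digits).
 */
#define UINT_DIGITS ((sizeof(unsigned int) * CHAR_BIT * 302) / 1000 + 1)

/* sizeof("isc-worker") already counts the terminating NUL byte. */
#define WORKER_NAME_MAX (sizeof("isc-worker") + UINT_DIGITS)

/*
 * Format the worker thread name used in the quoted warning.
 * Returns 0 if the whole name fit, -1 if snprintf() failed or the
 * output was truncated (dst is still NUL-terminated when dstsize > 0).
 */
static int format_worker_name(char *dst, size_t dstsize, unsigned int i) {
    int n = snprintf(dst, dstsize, "isc-worker%04u", i);

    if (n < 0)
        return -1;
    /* snprintf() returns the length it wanted to write, excluding NUL. */
    return (size_t)n < dstsize ? 0 : -1;
}

int main(void) {
    char small[16];            /* the destination size GCC reported */
    char big[WORKER_NAME_MAX]; /* sized for the full argument range */
    unsigned int samples[] = { 7, 9999, 100000, UINT_MAX };
    size_t k;

    for (k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        int rs = format_worker_name(small, sizeof(small), samples[k]);
        int rb = format_worker_name(big, sizeof(big), samples[k]);

        printf("%-22s %-10s | %-22s %s\n",
               small, rs == 0 ? "ok" : "TRUNCATED",
               big, rb == 0 ? "ok" : "TRUNCATED");
    }
    return 0;
}
```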
Compiling with -O3 triggers the following warning with GCC 8.3:
driver.c: In function ‘dlz_findzonedb’:
driver.c:198:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~
driver.c:198:25: note: directive argument in the range [0, 65535]
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~
driver.c:198:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
snprintf(buffer, size, "%s#%u", addr_buf, port);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Increase the size of the relevant array to prevent this warning from
being triggered.
(cherry picked from commit 44e6bb8b93)
Change the compiler optimization level for Debian sid build jobs from
-O2 to -O3 in order to enable triggering compilation warnings which are
not raised when -O2 is used.
(cherry picked from commit 3569487875)
this change silences a warning message and prevents the unwanted
use of smart quotes when using pandoc 2.7.1 to generate human-readable
versions of README and other markdown files.
(cherry picked from commit 3663f61e0e)
Backport "legacy" system test checks which are present in master and
v9_14 branches, but missing in the v9_11 branch, in order to improve the
consistency of this test across all maintained branches. Note that the
"ednsnotimp" check is expected to succeed with 9.11 whereas it is
expected to fail with 9.14 and later versions.
Backport named command line switches implemented in commit
c81c9660f5 as they are needed by the
"legacy" system checks which are currently present in master and v9_14
branches, but missing in the v9_11 branch.
Performing server setup checks using "+tries=3 +time=5" is redundant as
a single query is arguably good enough for determining whether a given
named instance was set up properly. Only use multiple queries with a
long timeout for resolution checks in the "legacy" system test, in order
to significantly reduce its run time (on a contemporary machine, from
about 1m45s to 0m40s).
(cherry picked from commit 47b850348c)
Send a test TCP query to the "plain" server during its setup check to
improve its consistency with the setup check for the "plain + no TCP"
server.
(cherry picked from commit bb939a03ff)
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.
(cherry picked from commit 56ed1275c6)
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.
(cherry picked from commit effd16ab25)
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size. Doing this makes all resolution checks in the "legacy"
system test more similar. Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.
(cherry picked from commit aaf81ca6ef)
One of the checks in the "legacy" system test inspects dig.out.1.test$n
instead of dig.out.2.test$n. Fix the file name used in that check.
(cherry picked from commit 3e7fa15ca3)
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets. Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.
(cherry picked from commit 9491616e5c)
On some systems (namely Debian buster armhf) the readdir() call fails
with `Value too large for defined data type` unless the
_FILE_OFFSET_BITS=64 is defined. The correct way to fix this is to
get the appropriate compilation parameters from getconf system
interface.
(cherry picked from commit 4c7345bcb6)
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.
(cherry picked from commit 5e80488270)
Previously, only a message about missing Python was printed, which was
misleading to many users. The new message clearly states that Python
AND PLY are required and prints basic instructions on how to install the PLY
package.
(cherry picked from commit 55b48700da)
already sent a recv/send event.
When doing isc_socket_cancel we need to purge the event that might
already be in flight. If it has been launched already we need
to inform it that it has to bail.
Resolve "Bind returning malformed packet error when sshfp record has fingerprint value less than 4 characters"
See merge request isc-projects/bind9!1906
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.
(cherry picked from commit bbae24c140)
Windows systems do not allow a trailing period in file names while Unix
systems do. When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems. This environment variable is then used by system test scripts
for handling this discrepancy properly.
In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.
To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.
(cherry picked from commit da2c1b74ad)
in the "refactor tcpquota and pipeline refs" commit, the counting
of active interfaces was tightened in such a way that named could
fail to listen on an interface if there were more interfaces than
tcp-clients. when checking the quota to start accepting on an
interface, if the number of active clients was above zero, then
it was presumed that some other client was able to handle accepting
new connections. this, however, ignored the fact that the current client
could be included in that count, so if the quota was already exceeded
before all the interfaces were listening, some interfaces would never
listen.
we now check whether the current client has been marked active; if so,
then the number of active clients on the interface must be greater
than 1, not 0.
(cherry picked from commit 0b4e2cd4c3192ba88569dd344f542a8cc43742b5)
(cherry picked from commit d01023aaac)
- if the TCP quota has been exceeded but there are no clients listening
for new connections on the interface, we can now force attachment to the
quota using isc_quota_force(), instead of carrying on with the quota not
attached.
- the TCP client quota is now referenced via a reference-counted
'ns_tcpconn' object, one of which is created whenever a client begins
listening for new connections, and attached to by members of that
client's pipeline group. when the last reference to the tcpconn
object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function.
- convert counters to atomic.
(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
(cherry picked from commit 13f7c918b8)
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota.
carry this value on to new clients sharing the same pipeline group.
don't call isc_quota_detach() on the tcpquota unless tcpattached is
set. this way clients that were allowed to accept TCP connections
despite being over quota (and therefore, were never attached to the
quota) will not inadvertently detach from it and mess up the
accounting.
- simplify the code for tcpquota disconnection by using a new function
tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota
exhaustion, check to see whether there are at least two active
clients. previously, this was "at least one", but that could be
insufficient if there was one other client in READING state (waiting
for messages on an open connection) but none in READY (listening
for new connections).
- before deciding whether a TCP client object can go inactive, we
must ensure there are enough other clients to maintain service
afterward -- both accepting new connections and reading/processing new
queries. A TCP client can't shut down unless at least one
client is accepting new connections and (in the case of pipelined
clients) at least one additional client is waiting to read.
(cherry picked from commit c7394738b2445c16f728a88394864dd61baad900)
(cherry picked from commit e965d5f11d3d0f6d59704e614fceca2093cb1856)
(cherry picked from commit 87d4311614)
Track pipeline groups using a shared reference counter
instead of a linked list.
(cherry picked from commit 513afd33eb17d5dc41a3f0d2d38204ef8c5f6f91)
(cherry picked from commit 9446629b73)
the TCP client quota could still be ineffective under some
circumstances. this change:
- improves quota accounting to ensure that TCP clients are
properly limited, while still guaranteeing that at least one client
is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that
was no longer needed
- adds comments
(cherry picked from commit 924651f1d5e605cd186d03f4f7340bcc54d77cc2)
(cherry picked from commit 55a7a458e3)
tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.
If the TCP client we're closing went over the quota (so it's
not attached to a quota) mark it as mortal - so that it
will be destroyed and not set up to listen for new
connections - unless it's the last client for a specific
interface.
(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
(cherry picked from commit 9689ffc485)
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.
(cherry picked from commit 83473b9758)
Remove sleep calls from test, rely on wait_for_log(). Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.
Slightly adjust the echo_i() lines to print only the key ID (not the
key name).
(cherry picked from commit 67f0635f3c)
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete. Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.
(cherry picked from commit f8746cddbc)
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.
(cherry picked from commit 1c8e5ea333)
Make bin/tests/system/ifconfig.bat also configure addresses ending with
9 and 10, so that the script is in sync with its Unix counterpart.
Update comments listing the interfaces created by ifconfig.{bat,sh} so
that they do not include addresses whose last octet is zero (since an
address like 10.53.1.0/24 is not a valid host address and thus the
aforementioned scripts do not even attempt configuring them).
(cherry picked from commit b6c1cdfffe)
On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
contains carriage return characters at the end of each line. Remove
them before passing the aforementioned file to the awk script extracting
key IDs so that the latter can work properly.
(cherry picked from commit e4280ed9f5)
As signals are currently not handled by named on Windows, instances
terminated using signals are not able to perform a clean shutdown, which
involves e.g. removing the lock file. Thus, waiting for a given
instance's lock file to be removed before assuming it is shut down
is pointless on Windows, so do not even attempt it.
(cherry picked from commit 761ba4514f)
5213. [bug] win32: Eliminated a race which allowed named.exe running
as a service to be killed prematurely during shutdown.
[GL #978]
(cherry picked from commit e7332343ed)
When a Windows service receives a request to stop, it should not set its
state to SERVICE_STOPPED until it is completely shut down as doing that
allows the operating system to kill that service prematurely, which in
the case of named may e.g. prevent the PID file and/or the lock file
from being cleaned up.
Set service state to SERVICE_STOP_PENDING when named begins its shutdown
and only report the SERVICE_STOPPED state immediately before exiting.
(cherry picked from commit 964749dfdb)
This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.
(cherry picked from commit 3b7c849a3f)
The following changes were needed:
* Remove dnskey-sig-validity option (added in 9.12)
* Replace rndccmd, dig_with_opts with export variables
* Remove tests for CDNSKEY and CDS (in 9.11 always signed with ZSK)
The option `update-check-ksk` will look if both KSK and ZSK are
available before signing records. It will make sure the keys are
active and available. However, for operational practices keys may
be offline. This commit relaxes the update-check-ksk check and will
mark a key that is offline to be available when adding signature
tasks.
(cherry picked from commit 3cb8c49c73)
(cherry picked from commit b508cffeee3bfb8bc7dcf39db59ec3782a5d9e4c)
This commit adds a lengthy test where the ZSK is rolled but the
KSK is offline (except for when the DNSKEY RRset is changed). The
specific scenario has the `dnskey-kskonly` configuration option set
meaning the DNSKEY RRset should only be signed with the KSK.
A new zone `updatecheck-kskonly.secure` is added to test against,
that can be dynamically updated, and that can be controlled with rndc
to load the DNSSEC keys.
There are some pre-checks for this test to make sure everything is
fine before the ZSK roll, after the new ZSK is published, and after
the old ZSK is deleted. Note there are actually two ZSK rolls in
quick succession.
When the latest added ZSK becomes active and its predecessor becomes
inactive, the KSK is offline. However, the DNSKEY RRset did not
change and it has a good signature that is valid for long enough.
The expected behavior is that the DNSKEY RRset stays signed with
the KSK only (signature does not need to change). However, the
test will fail because after reconfiguring the keys for the zone,
it wants to add re-sign tasks for the new active keys (in sign_apex).
Because the KSK is offline, named determines that the only other
active key, the latest ZSK, will be used to resign the DNSKEY RRset,
in addition to keeping the RRSIG of the KSK.
The question is: Why do we need to resign the DNSKEY RRset
immediately when a new key becomes active? This is not required,
only once the next resign task is triggered the new active key
should replace signatures that are in need of refreshing.
(cherry-picked from commit c48b85d0a3c34480179d44e736e3e535dbae1001)
Add dns_rdata_totext() and dns_rdata_fromtext() to fromwire for
valid inputs to ensure that what we accept in dns_rdata_fromwire()
can be written out and read back in.
(cherry picked from commit 36f30f5731)
Some system tests assume dig's default settings are in effect. While
these defaults may only be silently overridden (because of specific
options set in /etc/resolv.conf) for BIND releases using liblwres for
parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
prudent to make sure that tests relying on specific +timeout and +tries
settings specify these explicitly in their dig invocations, in order to
prevent test failures from being triggered by any potential changes to
current defaults.
(cherry picked from commit b6cce0fb8b)
If the path to the source of random data is not passed explicitly to
dnssec-keygen or dnssec-signzone and the --with-randomdev compile-time
switch is not used, the aforementioned utilities will hang if the
default source of random data (/dev/random) runs out of entropy. Use
"-r $RANDFILE" to prevent that from happening in affected system tests.
When parsing message with DNS_MESSAGE_BESTEFFORT (used exclusively in
tools, never in named itself) if we hit an invalid SIG(0) in wrong
place we continue parsing the message, and put the sig0 in msg->sig0.
If we then hit another sig0 in a proper place we see that msg->sig0
is already 'taken' and we don't free name and rdataset, and we don't
set seen_problem. This causes an assertion failure.
This fixes that issue by setting seen_problem if we hit second sig0,
tsig or opt, which causes name and rdataset to be always freed.
(cherry picked from commit 51a55ddbb7)
This changes dns_dtdata struct to not expose data types from dnstap.pb-c.h to
prevent the need for including this header where not really needed.
(cherry picked from commit 8ccce7e24b)
Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test. Make key ID
extraction precise by using an awk script which operates on specific
fields.
(cherry picked from commit a40c60e4c1)
bin/tests/system/stop.pl only waits for the PID file to be cleaned up
while named cleans up the lock file after the PID file. Thus, the
aforementioned script may consider a named instance to be fully shut
down when in fact it is not.
Fix by also checking whether the lock file exists when determining a
given instance's shutdown status. This change assumes that if a named
instance uses a lock file, it is called "named.lock", and that if an
lwresd instance uses a lock file, it is called "lwresd.lock".
Also rename clean_pid_file() to pid_file_exists(), so that it is called
more appropriately (it does not clean up the PID file itself, it only
returns the server's identifier if its PID file is not yet cleaned up).
(cherry picked from commit c787a539d2)
MR !1141 broke the way stop.pl is invoked when start.pl fails:
- start.pl changes the working directory to $testdir/$server before
attempting to start $server,
- commit 27ee629e6b causes the $testdir
variable in stop.pl to be determined using the $SYSTEMTESTTOP
environment variable, which is set to ".." by all tests.sh scripts,
- commit e227815af5 makes start.pl pass
$test (the test's name) rather than $testdir (the path to the test's
directory) to stop.pl when a given server fails to start.
Thus, when a server is restarted from within a tests.sh script and such
a restart fails, stop.pl attempts to look for the server directory in a
nonexistent location ($testdir/$server/../$test, i.e. $testdir/$test,
instead of $testdir/../$test). Fix the issue by changing the working
directory before stop.pl is invoked in the scenario described above.
(cherry picked from commit 4afad2a047)
The change to cmocka broke initialization of the TZ environment. This time,
commit 1cf1254051 is not soon enough. It has
to be moved further forward, before any other tests. The library is not fully
reinitialized on each test.
(cherry picked from commit 71c4fad592)
When sending a UDP query (resquery_send) we first issue an asynchronous
isc_socket_connect and increment query->connects, then isc_socket_sendto2
and increment query->sends.
If we happen to cancel this query (fctx_cancelquery) we need to cancel
all operations we might have issued on this socket. If we are under very high
load the callback from isc_socket_connect (resquery_udpconnected) might have
not yet been fired. In this case we only cancel the CONNECT event on socket,
and ignore the SEND that's waiting there (as there is an `else if`).
Then we call dns_dispatch_removeresponse which kills the dispatcher socket
and calls isc_socket_close - but if system is under very high load, the send
we issued earlier might still not be complete - which triggers an assertion
because we're trying to close a socket that's still in use.
The fix is to always check if we have incomplete sends on the socket and cancel
them if we do.
(cherry picked from commit 56183a3917)
On Unix systems, the CYGWIN environment variable is not set at all when
BIND system tests are run. If a named instance crashes on shutdown or
otherwise fails to clean up its pidfile and the CYGWIN environment
variable is not set, stop.pl will print an uninitialized value warning
on standard error. Prevent this by using defined().
(cherry picked from commit 91e5a99b9b)
ifconfig.sh depends on config.guess for platform guessing. It uses it to
choose between ifconfig or ip tools to configure interfaces. If
a system-wide automake script is installed and the local one was not found, use
platform guess. It should work well on almost any sane platform. It still
prefers the local guess, but passes when it cannot find it.
(cherry picked from commit 38301052e1)
In the "gost" system test, the ./NS RRset returned in the response to
ns2's priming query might not yet be validated when ns2 assembles the
response to the ./SOA query. If that happens, the ./NS RRset will not
be placed in the AUTHORITY section of the response to the ./SOA query,
triggering a false positive for the "gost" system test as the ./NS RRset
is always present in the response sent by ns1 (since it is authoritative
for the root zone). As the purpose of the "gost" system test is to
check whether a zone signed using GOST is properly validated and only
positive responses are inspected, use the +noauth dig option for all
queries in that test, so that the contents of the AUTHORITY section do
not influence its outcome.
When a zone is converted from NSEC to NSEC3, the private record at zone
apex indicating that NSEC3 chain creation is in progress may be removed
during a different (later) zone_nsec3chain() call than the one which
adds the NSEC3PARAM record. The "delzsk.example" zone check only waits
for the NSEC3PARAM record to start appearing in dig output while private
records at zone apex directly affect "rndc signing -list" output. This
may trigger false positives for the "autosign" system test as the output
of the "rndc signing -list" command used for checking ZSK deletion
progress may contain extra lines which are not accounted for. Ensure
the private record is removed from zone apex before triggering ZSK
deletion in the aforementioned check.
Also future-proof the ZSK deletion progress check by making it only look
at lines it should care about.
(cherry picked from commit e02de04e97)
For checks querying a named instance with "dnssec-accept-expired yes;"
set, authoritative responses have a TTL of 300 seconds. Assuming empty
resolver cache, TTLs of RRsets in the ANSWER section of the first
response to a given query will always match their authoritative
counterparts. Also note that for a DNSSEC-validating named resolver,
validated RRsets replace any existing non-validated RRsets with the same
owner name and type, e.g. cached from responses received while resolving
CD=1 queries. Since TTL capping happens before a validated RRset is
inserted into the cache and RRSIG expiry time does not impose an upper
TTL bound when "dnssec-accept-expired yes;" is set and, as pointed out
above, the original TTLs of the relevant RRsets equal 300 seconds, the
RRsets in the ANSWER section of the responses to expiring.example/SOA
and expired.example/SOA queries sent with CD=0 should always be exactly
120 seconds, never a lower value. Make the relevant TTL checks stricter
to reflect that.
(cherry picked from commit a85cc41486)
Always expecting a TTL of exactly 300 seconds for RRsets found in the
ADDITIONAL section of responses received for CD=1 queries sent during
TTL capping checks is too strict since these responses will contain
records cached from multiple DNS messages received during the resolution
process.
In responses to queries sent with CD=1, ns.expiring.example/A in the
ADDITIONAL section will come from a delegation returned by ns2 while the
ANSWER section will come from an authoritative answer returned by ns3.
If the queries to ns2 and ns3 happen at different Unix timestamps,
RRsets cached from the older response will have a different TTL by the
time they are returned to dig, triggering a false positive.
Allow a safety margin of 60 seconds for checks inspecting the ADDITIONAL
section of responses to queries sent with CD=1 to fix the issue. A
safety margin this large is likely overkill, but it is used nevertheless
for consistency with similar safety margins used in other TTL capping
checks.
(cherry picked from commit 8baf859063)
Changes introduced by commit 6b8e4d6e69
were incomplete as not all time-sensitive checks were updated to match
revised "nta-lifetime" and "nta-recheck" values. Prevent rare false
positives by updating all NTA-related checks so that they work reliably
with "nta-lifetime 12s;" and "nta-recheck 9s;". Update comments as well
to prevent confusion.
(cherry picked from commit 9a36a1bba3)
During "dlv" system test setup, the "sed" regex used for mangling the
DNSKEY RRset for the "druz" zone does not include the plus sign ("+"),
which may:
- cause the replacement to happen near the end of DNSKEY RDATA, which
can cause the latter to become an invalid Base64 string,
- prevent the replacement from being performed altogether.
Both cases prevent the "dlv" system test from behaving as intended and
may trigger false positives. Add the missing character to the
aforementioned regex to ensure the replacement is always performed on
bytes 10-25 of DNSKEY RDATA.
(cherry picked from commit fd13fef299)
Make delv honor the operating system's preferred ephemeral port range
instead of always using the default 1024-65535 range for outgoing
messages.
(cherry picked from commit ada6846a10)
Use them in structs for various rdata types where they are missing.
This doesn't change the structs since we are replacing explicit
uint8_t field types with aliases for uint8_t.
Use dns_dsdigest_t in library function arguments.
(cherry picked from commit 0f219714e1)
Alphabetize options and synopsis; remove spurious -z from synopsis;
refer to -T KEY in options that are only relevant to pre-RFC3755
DNSSEC, and add a -f KSK example.
(cherry picked from commit 1954f8d2bf)
Make nsupdate honor the operating system's preferred ephemeral port
range instead of always using the default 1024-65535 range for outgoing
messages.
(cherry picked from commit 06f582f23e)
The "check key refreshes are resumed after root servers become
available" check may trigger a false positive for the "mkeys" system
test if the second example/TXT query sent by dig is received by ns5 less
than a second after it receives a REFUSED response to the upstream query
it sends to ns1 in order to resolve the first example/TXT query sent by
dig. Since that REFUSED response from ns1 causes ns5 to return a
SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
which is enabled by default with a TTL of 1 second. This in turn may
cause ns5 to return a cached SERVFAIL response to the second example/TXT
query sent by dig, i.e. make ns5 not perform full query processing as
expected by the check.
Since the primary purpose of the check in question is to ensure that key
refreshes are resumed once initially unavailable root servers become
available, the optimal solution appears to be disabling SERVFAIL cache
for ns5 as doing that still allows the check to fulfill its purpose and
it is arguably more prudent than always sleeping for 1 second.
(cherry picked from commit 7c6bff3c4e)
For consistency between all system tests, add missing setup.sh scripts
for tests which do not have one yet and ensure every setup.sh script
calls its respective clean.sh script.
(cherry picked from commit e410803919)
Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script. Remove redundant "rm"
invocations from setup.sh scripts. Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.
(cherry picked from commit c64ed484c8)
If dots are not escaped in the "1.2.3.4" regular expressions used for
checking whether IP address 1.2.3.4 is present in the tested resolver's
answers, a COOKIE that matches such a regular expression will trigger a
false positive for the "resolver" system test. Properly escape dots in
the aforementioned regular expressions to prevent that from happening.
(cherry picked from commit 70ae48e5cb)
For all system tests utilizing named instances, call clean.sh from each
test's setup.sh script in a consistent way to make sure running the same
system test multiple times using run.sh does not trigger false positives
caused by stale files created by previous runs.
Ideally we would just call clean.sh from run.sh, but that would break
some quirky system tests like "rpz" or "rpzrecurse" and being consistent
for the time being does not hurt.
(cherry picked from commit a077a3ae8a)
If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.
(cherry picked from commit b1d5411569ae10830b63f07560091193646cc739)
These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.
(cherry picked from commit 144cb53d0ae3aa5e6e3123720b603f9ab2bd1fa9)
If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created. Doing so
nevertheless will result in an assertion failure.
This can happen if the key uses an unsupported algorithm.
(cherry picked from commit 7a1ca39b950b7d5230b605ac60f15a1cb94e3d69)
- dig command had the @ parameter in the wrong place
- private-dnskey and private-cdnskey are queried in a separate
loop, which strips 'private-' from the name to determine the qtype
(cherry picked from commit bc7b34d6ef)
Illustrate the syntax for the policy options, with semicolons.
Explicitly mention the "default" policy.
Fix a few typos and remove some redundant wording.
(cherry picked from commit 7ee56e2abd)
* Alphabetize the option lists in the man page and help text
* Make the synopses more consistent between the man page and help
text, in particular the number of different modes
* Group mutually exclusive options in the man page synopses, and order
options so that it is more clear which are available in every mode
* Expand the DESCRIPTION to provide an overview of the output modes
and input modes
* Improve cross-references between options
* Leave RFC citations to the SEE ALSO section, and clarify which RFC
specifies what
* Clarify list of digest algorithms in dnssec-dsfromkey man page
(cherry picked from commit 6ca8e130ac)
(cherry picked from commit fb9bc8f871)
Running "make install" in a separate job in the "test" phase of a CI
pipeline causes a lot of object files to be rebuilt due to the way
artifacts are passed between GitLab CI jobs (object files extracted from
the artifacts archive have older modification times than their
respective source files checked out using Git by the worker running the
"install" job). Test "make install" in one of the build jobs instead,
in order to prevent object rebuilding.
Using 'after_script' for this purpose was not an option because its
failures are ignored.
Duplicating the build script in two places would be error-prone in the
long run and thus was rejected as a solution. YAML anchors would also
not help in this case.
A "positive" test (`test -n "${RUN_MAKE_INSTALL}" && make install`)
would not work because:
- it would cause the build script to fail for any job not supposed to
run "make install",
- appending `|| :` to the shell pipeline would prevent "make install"
errors from causing a job failure.
Due to the above, a "negative" test is performed, so that:
- jobs not supposed to run "make install" succeed immediately,
- jobs supposed to run "make install" only succeed when "make install"
succeeds.
(cherry picked from commit 2a231b6239)
the occluded-key test creates both a KEY and a DNSKEY. the second
call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
a spurious warning to be printed when it sees the type KEY record.
this should be fixed in dnssec.c, but in the meantime this change silences
the warning by reversing the order in which the keys are created.
(cherry picked from commit 6661db9564)
- there was a memory leak when using negotiated TSIG keys.
- TKEY responses could only be signed when using a newly negotiated
key; if an existent matching TSIG was found in the keyring it
would not be used.
(cherry picked from commit 73ba24fb36)
up until now, message->tsigkey could only be set during parsing
of the request, but gss-tsig allows one to be created afterward.
(cherry picked from commit 879fc0285e)
this prevents servers that use arguments specified in named.args
from appearing different in 'ps' output from servers run with arguments
from start.pl
(cherry picked from commit 175d6e9bfb)
use a lame server configuration to force SERVFAILs instead of killing ns2.
this prevents test failures that occurred due to a different behavior of
the networking stack in windows.
test the average delay between notifies instead of the minimum delay;
this helps avoid unnecessary test failures on systems with bursty
network performance.
- mishandling of trailing dots caused bad behavior with the
root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage that caused the
wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
system test
(cherry picked from commit 1ccf4e6c16)
When a multilabel name is already cached, child_of_zone fails the check when
zone_name is a direct child of name. The error is ignored and the code crashes
on the expectation that child_name was initialized. Handle the error and relax
the check.
Reproducer:
dig isc.org
dig +sigchase +topdown isc.org
In an attempt to ensure that:
- all important changes to repository contents are tested,
- pipelines are not automatically created for every single push,
- some flexibility is allowed for corner cases,
change pipeline triggering settings so that:
- full build & test pipelines are only automatically created for merge
requests and tags (both for creation and updates),
- pipelines for other repository changes (e.g. pushes to arbitrary
branches) can only be created manually, using GitLab's web
interface,
- merging a merge request only causes jobs pushing the updated ARM to
GitLab Pages to be run (as semi-linear Git history is enforced and
thus testing a MR is identical to testing the target branch
post-merge in terms of code),
- repository synchronization does not trigger duplicate pipelines in
projects which are set as mirroring targets.
(cherry picked from commit 1c8c1815e4)
Group jobs by build type and operating system to make the layout of
.gitlab-ci.yml more consistent and improve locality of YAML references.
(cherry picked from commit a1dbec3b08)
Make sure all jobs are named using the following pattern:
[<job-type>:]<build-type>:<system>:<architecture>
where specifying <job-type> is optional for "precheck" and "build" jobs.
This should make it easier to quickly recognize:
- what kind of actions are performed by each job,
- which BIND build flavor is used by each job,
- which operating system image is used by each job.
(cherry picked from commit 1fe432c6c3)
While we are at it, drop use of the "docker" tag since all BIND CI jobs
are currently run inside Docker containers.
(cherry picked from commit 7dd329d385)
There is no need to build BIND binaries before building docs and thus
the job building the current version of the ARM can be moved to the
build stage of CI.
(cherry picked from commit 41a67147fe)
Remove the following from .gitlab-ci.yml:
- unused variable definitions,
- unused Docker image definitions,
- commands which have no effect,
- sections which were commented out.
(cherry picked from commit 9893bd3246)
If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.
This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.
Also added a test to confirm priming queries are not forwarded.
(cherry picked from commit b49310ac06)
(cherry picked from commit f8963ad70e)
The handling of class and view arguments was broken, because the code
didn't realise that next_token() would overwrite the class name when
it parsed the view name. The code was trying to implement a syntax
like `refresh [[class] view]`, but it was documented to have a syntax
like `refresh [class [view]]`. The latter is consistent with other rndc
commands, so that is how I have fixed it.
Before:
$ rndc managed-keys refresh in rec
rndc: 'managed-keys' failed: unknown class/type
unknown class 'rec'
After:
$ rndc managed-keys refresh in rec
refreshing managed keys for 'rec'
There were missing newlines in the output from `rndc managed-keys
refresh` and `rndc managed-keys destroy`.
Before:
$ rndc managed-keys refresh
refreshing managed keys for 'rec'refreshing managed keys for 'auth'
After:
$ rndc managed-keys refresh
refreshing managed keys for 'rec'
refreshing managed keys for 'auth'
(cherry picked from commit 6a3b851f72)
(cherry picked from commit bc984ace12)
- the checkprivate function in the dnssec test set ret=0, erasing
results from previous tests and making the test appear to have passed
when it shouldn't have
- checkprivate needed a delay loop to ensure there was time for all
private signing records to be updated before the test
(cherry picked from commit 82e83d5dc7)
Resolve "Large NSEC3 responses cause failure in adding records to ncache and, eventually, FORMERR (instead of NXDOMAIN)"
See merge request isc-projects/bind9!1316
Resolve "Large NSEC3 responses cause failure in adding records to ncache and, eventually, FORMERR (instead of NXDOMAIN)"
See merge request isc-projects/bind9!1315
When a query times out after a socket is created and associated with a
given dig_query_t structure, calling isc_socket_cancel() causes
connect_done() to be run, which in turn takes care of all necessary
cleanups. However, certain errors (e.g. get_address() returning
ISC_R_FAMILYNOSUPPORT) may prevent a TCP socket from being created in
the first place. Since force_timeout() may be used in code handling
such errors, connect_timeout() needs to properly clean up a TCP query
which is not associated with any socket. Call clear_query() from
connect_timeout() after attempting to send a TCP query to the next
available server if the timed out query does not have a socket
associated with it, in order to prevent dig from hanging indefinitely
due to the dig_query_t structure not being detached from its parent
dig_lookup_t structure.
(cherry picked from commit 13975b32c6)
When a query times out and another server is available for querying
within the same lookup, the timeout handler - connect_timeout() - is
responsible for sending the query to the next server. Extract the
relevant part of connect_timeout() to a separate function in order to
improve code readability.
(cherry picked from commit c108fc5c6e)
Before commit c2ec022f57, using the "-b"
command line switch for dig did not disable use of the other address
family than the one to which the address supplied to that option
belonged. Thus, bind9_getaddresses() could e.g. prepare an
isc_sockaddr_t structure for an IPv6 address when an IPv4 address has
been passed to the "-b" command line option. To avoid attempting the
impossible (e.g. querying an IPv6 address from a socket bound to an IPv4
address), a certain code block in send_tcp_connect() checked whether the
address family of the server to be queried was the same as the address
family of the socket set up for sending that query; if there was a
mismatch, that particular server address was skipped.
Commit c2ec022f57 made
bind9_getaddresses() fail upon an address family mismatch between the
address the hostname passed to it resolved to and the address supplied
to the "-b" command line option. Such failures were fatal to dig back
then.
Commit 7f65860391 made
bind9_getaddresses() failures non-fatal, but also ensured that a
get_address() failure in send_tcp_connect() still causes the given query
address to be skipped (and also made such failures trigger an early
return from send_tcp_connect()).
Summing up, the code block handling address family mismatches in
send_tcp_connect() has been redundant since commit
c2ec022f57. Remove it.
(cherry picked from commit ef1da8731b)
5122. [bug] In a "forward first;" configuration, a forwarder
timeout did not prevent that forwarder from being
queried again after falling back to full recursive
resolution. [GL #315]
(cherry picked from commit 1df9ca9e6a)
Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed. This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.
Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution. Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.
(cherry picked from commit 33350626f9)
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
(cherry picked from commit 1dd11fc754)
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.
(cherry picked from commit 6d976b37c1)
(cherry picked from commit 8619318a1e6207e487438a93bd7a620967091347)
If you have a catalog zone containing 10.in-addr.arpa and an
explicitly-configured version which overrides the catz version,
`named` used to log:
catz: error "success" while trying to add zone "10.in-addr.arpa"
After this patch it logs:
catz: zone "10.in-addr.arpa" is overridden by explicitly configured zone
(cherry picked from commit 16eb35187a)
Apply various fixes and tweaks to Python configuration logic implemented
in the "configure" script:
- Prevent PYTHON_INSTALL_DIR, which holds the value passed to the
--with-python-install-dir option, from being set to "unspec" by
default as this breaks installing Python modules when the
--with-python-install-dir option is not used.
- Make the --with-python-install-dir option also work when the Python
interpreter is specified explicitly (using --with-python=<...>).
- Improve contents and placement of error messages.
- Reduce duplication of code checking Python dependencies.
- Use Autoconf macros AS_CASE() and AS_IF() instead of plain shell
code.
- Update comments. Capitalize the word "Python" when referring to the
language itself rather than a specific executable.
(cherry picked from commit ed4c700c33)
- also added code to dnstest.c to optionally suppress printing of errors
from dns_rdata_fromtxt()
(cherry picked from commit bb5ed5a4ac)
(cherry picked from commit 87d702aaa6)
- assert if {isc,dns,ns}_test_begin() is called when a prior test is running
- add dns_test_init() and dns_test_final(), which can be run before and
after all tests. this ensures openssl doesn't have to be reinitialized.
If a tool using the routines defined in bin/dig/dighost.c is sent an
interruption signal around the time a connection timeout is scheduled to
fire, connect_timeout() may be executed after destroy_libs() detaches
from the global task (setting 'global_task' to NULL), which results in a
crash upon a UDP retry due to bringup_timer() attempting to create a
timer with 'task' set to NULL. Fix by preventing connect_timeout() from
attempting a retry when shutdown is in progress.
(cherry picked from commit 4621756596)
The ATOMIC_*_LOCK_FREE can evaluate to either 0, 1, or 2, which indicate the
lock-free property of the corresponding atomic types (both signed and unsigned).
Value  Explanation
-----  --------------------------------------
0      The atomic type is never lock-free
1      The atomic type is sometimes lock-free
2      The atomic type is always lock-free
-----  --------------------------------------
(cherry picked from commit a5e7901eb9)
(v9_11) Resolve "Follow-up from "Redefine ISC's int and boolean types to use <stdint.h> and <stdbool.h> types""
See merge request isc-projects/bind9!1002
Utimaco HSM requires the user to be logged in before executing DigestUpdate, thus
breaking dst_lib_init2 that ran isc_md5_check and isc_sha1_check before sending
PIN to the HSM. Therefore isc_*_check needs to be disabled when Utimaco HSM is
being used as PKCS#11 library.
While implementing the new unit testing framework cmocka, it was found that the
BIND 9 code doesn't compile when assertions are disabled or replaced with any
function (such as mock_assert() from cmocka unit testing framework) that's not
directly recognized as assertion by the compiler.
This made the compiler complain about blocks of code that were recognized as
unreachable before, but now aren't.
The changes in this commit include:
* assigns default values to a couple of local variables,
* moves some return statements around INSIST assertions,
* adds __builtin_unreachable(); annotations after some INSIST assertions,
* fixes one broken assertion (= instead of ==)
(cherry picked from commit fbd2e47f51)
(cherry picked from commit b222783ae9)
5072. [bug] Add unit tests for isc_buffer_copyregion() and fix its
behavior for auto-reallocated buffers. [GL #644]
(cherry picked from commit 07050fb49a)
While isc_buffer_copyregion() calls isc_buffer_reserve() to ensure the
target buffer will have enough available space to append the contents of
the source region to it, the variables used for subsequently checking
available space are not updated accordingly after that call. This
prevents isc_buffer_copyregion() from working as expected for
auto-reallocated buffers: ISC_R_NOSPACE will be returned if enough space
is not already available in the target buffer before it is reallocated.
Fix by calling isc_buffer_used() and isc_buffer_availablelength()
directly instead of assigning their return values to local variables.
(cherry picked from commit e1f0aed034)
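The stale-variable pattern described in the isc_buffer_copyregion() fix above, reproduced on a toy buffer as an added example. This is not BIND's code: toybuf_t, toybuf_reserve(), copyregion_stale(), copyregion_fixed() and demo_copy() are hypothetical stand-ins for isc_buffer_t and its helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an auto-reallocating buffer; NOT BIND's isc_buffer_t. */
typedef struct {
    unsigned char *base;
    size_t length; /* allocated size */
    size_t used;   /* bytes already written */
    bool autore;   /* buffer may grow on demand */
} toybuf_t;

enum { TOY_SUCCESS = 0, TOY_NOSPACE = 1, TOY_NOMEMORY = 2 };

static size_t toybuf_available(const toybuf_t *b) { return b->length - b->used; }

static int toybuf_init(toybuf_t *b, size_t length, bool autore) {
    b->base = malloc(length);
    if (b->base == NULL) return TOY_NOMEMORY;
    b->length = length;
    b->used = 0;
    b->autore = autore;
    return TOY_SUCCESS;
}

static void toybuf_free(toybuf_t *b) {
    free(b->base);
    b->base = NULL;
    b->length = b->used = 0;
}

/* Ensure at least `size` free bytes, growing only when autore is set. */
static int toybuf_reserve(toybuf_t *b, size_t size) {
    if (toybuf_available(b) >= size) return TOY_SUCCESS;
    if (!b->autore) return TOY_NOSPACE;
    size_t newlen = b->length ? b->length : 1;
    while (newlen - b->used < size) {
        if (newlen > SIZE_MAX / 2) return TOY_NOMEMORY;
        newlen *= 2;
    }
    unsigned char *p = realloc(b->base, newlen);
    if (p == NULL) return TOY_NOMEMORY;
    b->base = p;
    b->length = newlen;
    return TOY_SUCCESS;
}

/* "Before": write position and free space are sampled before the reserve
 * call, so the space check below still sees the pre-growth value. */
static int copyregion_stale(toybuf_t *b, const unsigned char *src, size_t len) {
    unsigned char *dst = b->base + b->used;
    size_t available = toybuf_available(b);
    if (b->autore) {
        int r = toybuf_reserve(b, len);
        if (r != TOY_SUCCESS) return r;
    }
    /* If the buffer had to grow, this stale check fails first, so the
     * (possibly dangling) dst is never dereferenced on that path. */
    if (len > available) return TOY_NOSPACE;
    if (len > 0) memcpy(dst, src, len);
    b->used += len;
    return TOY_SUCCESS;
}

/* "After": query the buffer again once the reserve call has returned. */
static int copyregion_fixed(toybuf_t *b, const unsigned char *src, size_t len) {
    if (b->autore) {
        int r = toybuf_reserve(b, len);
        if (r != TOY_SUCCESS) return r;
    }
    if (len > toybuf_available(b)) return TOY_NOSPACE;
    if (len > 0) memcpy(b->base + b->used, src, len);
    b->used += len;
    return TOY_SUCCESS;
}

/* Copy a 10-byte constructed region into a 4-byte buffer.
 * Returns a TOY_* code, or -1 if a "successful" copy left wrong contents. */
int demo_copy(bool fixed, bool autore) {
    static const unsigned char region[] = "0123456789"; /* constructed input */
    const size_t n = sizeof(region) - 1;
    toybuf_t b;
    if (toybuf_init(&b, 4, autore) != TOY_SUCCESS) return TOY_NOMEMORY;
    int r = fixed ? copyregion_fixed(&b, region, n)
                  : copyregion_stale(&b, region, n);
    if (r == TOY_SUCCESS && (b.used != n || memcmp(b.base, region, n) != 0))
        r = -1;
    toybuf_free(&b);
    return r;
}

int main(void) {
    printf("stale, auto-realloc: %d\n", demo_copy(false, true));
    printf("fixed, auto-realloc: %d\n", demo_copy(true, true));
    printf("stale, fixed-size:   %d\n", demo_copy(false, false));
    printf("fixed, fixed-size:   %d\n", demo_copy(true, false));
    return 0;
}
```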
Add some basic checks for isc_buffer_copyregion() to ensure it behaves
as expected for both fixed-size buffers and buffers which can be
automatically reallocated. Adjust the list of headers included by
lib/isc/tests/buffer_test.c so that it matches what that test program
really uses.
(cherry picked from commit 15440d8027)
The XSL stylesheet used by the web interface does not currently include
any element which would cause a list of zones configured in each view to
be displayed, making the "Zones" section of the web interface empty
unless some zone has been configured with "zone-statistics full;" and
queried. Since this can be confusing, modify the XSL stylesheet so that
a list of zones configured in each view is displayed in the web
interface.
(cherry picked from commit aeda3f389e)
5051. [doc] Documentation incorrectly stated that the
"server-addresses" static-stub zone option accepts
custom port numbers. [GL #582]
(cherry picked from commit 6b1c0a8e6f)
Contrary to what the documentation states, the "server-addresses"
static-stub zone option does not accept custom port numbers. Fix the
configuration type used by the "server-addresses" option to ensure
documentation matches source code. Remove a check_zoneconf() test which
is unnecessary with this fix in place.
(cherry picked from commit b324576858)
Whenever master or one of the v9_* branches gets updated, the current
ARM should be published on GitLab Pages. Add a pipeline stage which
takes care of triggering GitLab Pages pipelines. Extend the lifetime of
artifact archives containing the ARM to prevent GitLab Pages pipelines
from failing due to artifacts being unavailable.
(cherry picked from commit 31bde118db)
Add a CI job which generates the HTML version of the ARM and makes it
available for download. Since this is expected to be a quick process,
the new job is enabled for all pipelines.
(cherry picked from commit 3f443468e0)
Use GitLab Registry for CI purposes. Disable EdDSA support for Debian
sid since the OpenSSL version shipped with it has broken Ed448 support.
Use /dev/urandom as the random device in the "ecdsa" system test to
prevent newer OpenSSL versions from running out of entropy when
verifying ECDSA signatures.
(cherry picked from commit e5ebc13989)
- update_log() is called to log update errors, but if those errors
occur before the zone is set (for example, when returning NOTAUTH)
it returns without logging anything.
(cherry picked from commit 395f6a1474)
getnameinfo() parameters are detected by configure. Current glibc uses
socklen_t for BUFLEN and int for flags. Because those parameters are
tested only as a fallback, it detects them a different way on 32-bit
systems. socklen_t is compatible with size_t type on these systems.
Try all variants with int flags, use unsigned flags as last resort.
(cherry picked from commit b427dcce83)
The race condition is that the timer elapses before isc__timer_create()
returns the pointer to the caller. Assigning the return pointer before
enabling the timer will fix it.
(cherry picked from commit 21966423cd)
5034. [bug] A race between threads could prevent zone maintenance
scheduled immediately after zone load from being
performed. [GL #542]
(cherry picked from commit feb2a41b7c)
Zone loading happens in a different task (zone->loadtask) than other
zone actions (zone->task). Thus, when zone_postload() is called in the
context of zone->loadtask, it may cause zone maintenance to be queued in
zone->task and another thread can then execute zone_maintenance() before
zone_postload() gets a chance to finish its work in the first thread.
This would not be a problem if zone_maintenance() accounted for this
possibility by locking the zone before checking the state of its
DNS_ZONEFLG_LOADPENDING flag. However, the zone is currently not locked
before the state of that flag is checked, which may prevent zone
maintenance from happening despite zone_postload() scheduling it. Fix
by locking the zone in zone_maintenance() before checking the state of
the zone's DNS_ZONEFLG_LOADPENDING flag.
(cherry picked from commit 56003e9f9f)
- the text returned by "rndc nta" when adding NTAs to multiple views
was incorrectly terminated after the first line, so users only saw
one NTA added unless they checked the logs.
(cherry picked from commit 83dc5a704a)
The "exitcode" variable is set to 9 if a TCP connection fails, but is
not reset to 0 if a subsequent TCP connection succeeds. This causes dig
to return a non-zero exit code if it succeeds in getting a TCP response
after a retry. Fix by resetting "exitcode" to 0 if connect_done()
receives an event with the "result" field set to ISC_R_SUCCESS.
(cherry picked from commit deb3b85cb2)
5019. [cleanup] A message is now logged when ixfr-from-differences is
set at zone level for an inline-signed zone. [GL #470]
(cherry picked from commit 4fb5d072c2)
For inline-signed zones, the value of "ixfr-from-differences" is
hardcoded to:
- "yes" for the raw version of the zone,
- "no" for the signed version of the zone.
In other words, any user-provided "ixfr-from-differences" setting is
effectively ignored for an inline-signed zone. Ensure the user is aware
of that by adding a note to the ARM and logging a message when an
"ixfr-from-differences" option is found at the zone level.
(cherry picked from commit 087157d14f)
$RANDFILE, i.e. bin/tests/system/random.data, should only be written to
if a system test requires support for cryptography and that file does
not already exist. Otherwise, when multiple system tests are run in
parallel, that file might get truncated due to bin/tools/genrandom.c
using fopen() with mode "w" when writing the destination file. With
unfortunate timing, this may cause system tests employing BIND tools
which need entropy (e.g. dnssec-keygen) to fail.
Make sure bin/tests/system/metadata/tests.sh no longer calls
bin/tools/genrandom since $RANDFILE is guaranteed to already be created
by the time bin/tools/genrandom is currently called because
bin/tests/system/metadata/prereq.sh uses bin/tests/system/testcrypto.sh.
Make sure bin/tests/system/sfcache/prereq.sh only writes to $RANDFILE if
it does not already exist.
(cherry picked from commit c12388f5e8)
A short time window exists between logging the addition of an NSEC3PARAM
record to a zone and committing it to the current version of the zone
database. If a query arrives during such a time window, an unsigned
response will be returned. One of the checks in the "inline" system
test requires NSEC3 records to be present in an answer - that check
would fail in the case described above. Use rndc instead of log
watching for checking whether zone signing and NSEC3 chain modifications
are complete in order to prevent intermittent "inline" system test
failures.
(cherry picked from commit e36c869e85)
While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage. This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version. This in
turn prevents zone maintenance from happening for the signed version of
the zone.
Until commit 749b3cacfc, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs). This behavior caused other issues [1] and thus had to be
changed.
Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes. Take care not to clear it prematurely during initial zone
load. Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem. Add comments aiming to
help explain code flow.
[1] see RT #47076
(cherry picked from commit 5431583971)
5014. [bug] Signatures loaded from the journal for the signed
version of an inline-signed zone were not scheduled for
refresh. [GL #482]
(cherry picked from commit b3b1a9081b)
When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed. If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh. Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.
Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.
(cherry picked from commit 8db550c42f)
dst__openssl_toresult3() first calls toresult() and subsequently uses
ERR_get_error_line_data() in a loop. Given this, it is a mistake to use
ERR_get_error() in toresult() because it causes the retrieved error to
be removed from the OpenSSL error queue, thus preventing it from being
retrieved by the subsequent ERR_get_error_line_data() calls. Fix by
using ERR_peek_error() instead of ERR_get_error() in toresult().
(cherry picked from commit 36436268b5)
When two or more absolute, two-label names are added to a completely
empty RBT, an extra, empty node for the root name will be created due to
node splitting. check_tree() expects that, but the extra node will not
be created when just one name is added to a completely empty RBT. This
problem could be handled inside check_tree(), but that would introduce
unnecessary complexity into it since adding a single name will result in
a different node count for a completely empty RBT (node count will be 1)
and an RBT containing only an empty node for the root name, created due
to prior node splitting (node count will be 2). Thus, first explicitly
create a node for the root name to prevent rare check_tree() failures
caused by a single name being added in the first iteration of the
insert/remove loop.
(cherry picked from commit 13fe763798)
Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test. Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test. Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.
(cherry picked from commit 24dd865b97)
5008. [bug] "rndc signing -nsec3param ..." requests were silently
ignored for zones which were not yet loaded or
transferred. [GL #468]
(cherry picked from commit eed6778be4)
If "rndc signing -nsec3param ..." is run for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading. Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.
(cherry picked from commit cb40c5229a)
5007. [cleanup] Replace custom ISC boolean and integer data types
with C99 stdint.h and stdbool.h types. [GL #9]
(cherry picked from commit 75c2356f42)
(cherry picked from commit b6c281ee7c)
Make will choose modified manual from build directory or original from source
directory automagically. Take advantage of install tool feature.
Install all files in single command instead of iterating on each of them.
(cherry picked from commit 88f913ac81)
dns_view_zonecut() may associate the dns_rdataset_t structure passed to
it even if it returns a result different than ISC_R_SUCCESS. Not
handling this properly may cause a reference leak. Fix by ensuring
'nameservers' is cleaned up in all relevant failure modes.
(cherry picked from commit f4b403e8b2)
lo0 and lo0:0 are the same interface on Solaris. Make sure
bin/tests/system/ifconfig.sh does not touch lo0:0 in order to prevent it
from changing the address of the loopback interface on Solaris.
(cherry picked from commit 618921902a)
Modify .gitlab-ci.yml so that every CI pipeline also builds and tests
BIND on CentOS versions 6 and 7. Use --disable-warn-error on CentOS 6
since it uses GCC 4.4.7 which suffers from bugs causing bogus warnings
to be generated, e.g.:
sigs_test.c: In function 'compare_tuples':
sigs_test.c:75: warning: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
sigs_test.c: In function 'updatesigs_test':
sigs_test.c:193: warning: declaration of 'index' shadows a global declaration
/usr/include/string.h:489: warning: shadowed declaration is here
(cherry picked from commit f0966d1485)
The "git status" command in Git versions before 1.7.2 does not support
the "--ignored" option. Prevent spamming the console when running
system tests from a Git repository on a host with an ancient Git version
installed.
(cherry picked from commit 2be97feb46)
The output of certain "dig +idnout" invocations may be locale-dependent.
Remove the "dig +idnout" subtest from the "digdelv" system test as IDN
support is already thoroughly tested by the "idna" system test.
(cherry picked from commit fd30a03f2b)
While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.
The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed. The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding. In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.
Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.
Update the "idna" system test accordingly. Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name. Fix invalid subtest description.
(cherry picked from commit 7fe0f00a3b)
Every prereq.sh script must include bin/tests/system/conf.sh, otherwise
if some prerequisite is not met, errors about echo_i not being found
will be printed instead of actual error messages.
(cherry picked from commit cc0e8cda71)
The Docker images used for CI install ATF to /usr, not /usr/local.
Update the ./configure invocation in .gitlab-ci.yml accordingly in order
to prevent confusion.
(cherry picked from commit 12df6829d1)
Depending on tool versions being used, "autoreconf -i" may not update
all Autoconf-generated files, which in turn may result in build errors.
Make autogen.sh call autoreconf with the "-f" command line argument to
ensure all Autoconf-generated files are updated when autogen.sh is run.
(cherry picked from commit 45e77a3680)
Trying to resolve a trust anchor telemetry query for a locally served
zone does not cause upstream queries to be sent as the response is
determined just by consulting local data. Work around this issue by
calling dns_view_findzonecut() first in order to determine the NS RRset
for a given domain name and then passing the zone cut found to
dns_resolver_createfetch().
Note that this change only applies to TAT queries generated by the
resolver itself, not to ones received from downstream resolvers.
(cherry picked from commit 873c091408)
Extract the part of dotat() responsible for preparing the QNAME for a TAT
query to a separate function in order to limit the number of local
variables used by each function and improve code readability.
Rename 'name' to 'origin' to better convey the purpose of that variable.
(cherry picked from commit 2e7dd0d61f)
Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty. Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions. Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.
(cherry picked from commit 6c3c6aea37)
4979. [bug] Non-libcap builds were not checking whether all
requested capabilities are present in the permitted
capability set. [GL #321]
(cherry picked from commit 731b003854)
While libcap-enabled builds check whether any capability named requests
is within the permitted capability set, non-libcap builds just try
requesting them, which potentially causes a misleading error message to
be output ("Operation not permitted: please ensure that the capset
kernel module is loaded"). Ensure non-libcap builds also check whether
any requested capability is within the permitted capability set.
(cherry picked from commit 8c66f32e53)
4971. [bug] dnssec-signzone and dnssec-verify did not treat records
below a DNAME as out-of-zone data. [GL #298]
(cherry picked from commit f9637ae0e5)
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains. Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records. Check that DNAME-obscured
records are not signed.
(cherry picked from commit ff7015a0f8)
The keyfile and key ID for the original managed key do not change
throughout the mkeys system test. Keep them in helper variables to
prevent calling "cat" multiple times and improve code readability.
(cherry picked from commit 2cad382552)
Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.
(cherry picked from commit dce66f7635)
Add a set of helper functions for system test scripts which enable
converting key data from a set of keyfiles to either a "trusted-keys"
section or a "managed-keys" section suitable for including in a
resolver's configuration file.
(cherry picked from commit 21d3658bcb)
In order to decrease code duplication, express the logic contained in
all zone logging functions using dns_zone_logv() calls.
(cherry picked from commit 5c03cd339e)
Add a new libdns function, dns_zone_logv(), which takes a single va_list
argument rather than a variable number of arguments and can be used as a
base for implementing more specific zone logging functions.
(cherry picked from commit bb2dfb3f49)
- use RADIX_V4, RADIX_V6, RADIX_V4_ECS, and RADIX_V6_ECS as array
indices instead of 0 through 3.
- remove some unused macros
(cherry picked from commit f7f20b1202)
Resolve "Multiple RRSIGs on some records in signed zone even though only one key is ever active at a time"
Closes #240
See merge request isc-projects/bind9!231
Resolve "9.11.3-S1 totext_nsec3 inserts a redundant white space between next hash and type map [ISC-support #12887]"
See merge request isc-projects/bind9!313
- clarify the behavior of the name and identity fields for various
rule types, particularly tcp-self and 6to4-self.
(cherry picked from commit dea89f2a52)
Certain isc_buffer_*() functions might call memmove() with the second
argument (source) set to NULL and the third argument (length) set to 0.
While harmless, it triggers an ubsan warning:
runtime error: null pointer passed as argument 2, which is declared to never be null
Modify all memmove() call sites in lib/isc/include/isc/buffer.h and
lib/isc/buffer.c which may potentially use NULL as the second argument
(source) so that memmove() is only called if the third argument (length)
is non-zero.
(cherry picked from commit 6ddbca6f2b)
compare_rdata() was meant to be used as a qsort() callback. Meanwhile,
dns_rdataslab_merge() calls compare_rdata() for a pair of dns_rdata_t
structures rather than a pair of struct xrdata structures, which is
harmless, but triggers an ubsan warning:
rdataslab.c:84:33: runtime error: member access within address <address> with insufficient space for an object of type 'const struct xrdata'
Use dns_rdata_compare() instead of compare_rdata() to prevent the
warning from being triggered.
(cherry picked from commit 9bc6ba0be9)
Add some basic test cases ensuring dns__zone_updatesigs() behaves as
expected.
(cherry picked from commit 8b9d2c27b4)
(cherry picked from commit 3e93e4bb62)
Add a new ATF test, sigs_test, containing everything required to start
defining test cases for dns__zone_updatesigs(). The framework is
written in a way which ensures that changes to zone database applied by
any dns__zone_updatesigs() invocation are preserved between subsequent
checks.
(cherry picked from commit 1f10186476)
(cherry picked from commit 3dde7c42db)
Rename find_zone_keys() to dns__zone_findkeys() and move it to
lib/dns/zone_p.h, so that it can be used in unit tests. Add a comment
describing the purpose of this function.
(cherry picked from commit d7143986b1)
(cherry picked from commit fc0e99c7d7)
Rename update_sigs() to dns__zone_updatesigs() and move it to
lib/dns/zone_p.h, so that it can be unit tested. Add a comment
describing the purpose of this function.
(cherry picked from commit b1947cee82)
(cherry picked from commit 4d06f50ba8)
Rename zonediff_t to dns__zonediff_t and move it to lib/dns/zone_p.h, so
that unit tests can be written for functions taking pointers to
structures of this type as arguments.
(cherry picked from commit ace465a9f9)
(cherry picked from commit ea15c54d8a)
Add a new private header file, lib/dns/zone_p.h, which will hold type
definitions and function prototypes not meant to be exported by libdns,
but required by zone-related unit tests.
(cherry picked from commit c1bc3be806)
(cherry picked from commit 2b0add6d1a)
Implement dns_test_difffromchanges(), a function which enables preparing
a dns_diff_t structure from a mostly-textual representation of zone
database changes to be applied. This will improve readability of test
case definitions by allowing contents of a dns_diff_t structure, passed
e.g. to update_sigs(), to be represented in a human-friendly manner.
(cherry picked from commit 3c22af0d35)
(cherry picked from commit d4c603eb8a)
Remove the underscore from "rdata_fromstring" so that all helper
functions for libdns tests use a common naming convention.
(cherry picked from commit 2980cbd55f)
(cherry picked from commit 107102d333)
The dns_test_makezone() helper function always assigns the created zone
to some view, which is not always necessary and complicates cleanup of
non-managed zones as they are required not to be assigned to any view.
Rework dns_test_makezone() in order to make it easier to use in unit
tests operating on non-managed zones. Use dns_name_fromstring() instead
of dns_name_fromtext() to simplify code. Do not use the CHECK() macro
and add comments to make code flow simpler to follow. Use
dns_test_makeview() instead of dns_view_create().
Adjust existing unit tests using this function so that they still pass.
(cherry picked from commit bfbeef3609)
(cherry picked from commit f70c02d2c2)
4916. [bug] Not creating signing keys for an inline signed zone
prevented changes applied to the raw zone from being
reflected in the secure zone until signing keys were
made available. [GL #159]
4915. [bug] Bumped signed serial of an inline signed zone was
logged even when an error occurred while updating
signatures. [GL #159]
(cherry picked from commit 7d2c09c905)
(cherry picked from commit e4995efe24)
When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing. Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.
(cherry picked from commit 6acf326969)
(cherry picked from commit 8a58a60772)
If a raw zone is modified, but the dns_update_signaturesinc() call in
receive_secure_serial() fails, the corresponding secure zone's database
will not be modified, even though by that time a message containing the
bumped signed serial will already have been logged. This creates
confusion, because a different secure zone version will be served than
the one announced in the logs. Move the relevant dns_zone_log() call so
that it is only performed if the secure zone's database is modified.
(cherry picked from commit cfbc8e264d)
(cherry picked from commit cdc7ab42b1)
- IMHO we should consider removing dnsconf.c and deprecating the
/etc/dns.conf file, though, as I don't think it's likely anyone
is using it
(cherry picked from commit a08ba418ef)
Commit f87e0c03ee removed the "system" directory from the TESTDIRS
variable in bin/tests/Makefile.in in an attempt to fix "make distclean"
which was broken since commit 0d784de16a. However, this change
prevented any system tests from being run when "make test" is invoked.
We now put it back into both SUBDIRS and TESTDIRS, but with a modified
rule to check for the existence of a Makefile in each subdirectory before
trying to run make there. This prevents "make distclean" from trying to
run again in a directory where it's already been run.
(cherry picked from commit 93ee6b8a22)
Apart from ensuring "make test" returns 0, also check whether any system
test output was generated as a result of running it. This prevents the
CI job running system tests from succeeding unless it actually tests
something.
(cherry picked from commit 80ab2c0f22)
4921. [cleanup] Add dns_fixedname_initname() and refactor the caller
code to make usage of the new function, as a part of
refactoring dns_fixedname_*() macros were turned into
functions. [GL #183]
(cherry picked from commit d7faee2566)
(cherry picked from commit d7676d0fa8)
Employ dns_fixedname_name() and dns_fixedname_initname() to no longer
directly access dns_fixedname_t fields.
(cherry picked from commit 39ddf9991f)
(cherry picked from commit 706f865a20)
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.
This patch was mostly prepared using Coccinelle and the following
semantic patch:
@@
expression fixedname, name;
@@
- dns_fixedname_init(&fixedname);
...
- name = dns_fixedname_name(&fixedname);
+ name = dns_fixedname_initname(&fixedname);
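Review bot: the "..." between the removed dns_fixedname_init(&fixedname) line and the name assignment puts no constraint on the code it matches, so a call site that touches fixedname between the two statements is rewritten as well and would then use the structure before dns_fixedname_initname() has initialized it. Consider narrowing the match with "... when != fixedname" so that such sites are skipped by the tool itself and the manual review only has to confirm the remainder.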
The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.
It is likely that more occurrences of this pattern can be refactored in
an identical way. This commit only takes care of the low-hanging fruit.
(cherry picked from commit 4df4a8e731)
(cherry picked from commit 0041aeb751)
Emit fatal failures on locale to ACE encoding
Separate idnout support, disable it for libidn2 < 2.0
Add custom path to libidn. Leave default path for multilib support.
Allow turning off IDN input processing by dig option
Improve documentation, fix support in host
Fix configure changes to adjust help text
Use strlcpy with size guard
Improve IDN variants choosing. Fix idn2 function name.
Remove immediate idn_locale_to_ace and idn_ace_to_locale.
Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit 94757c1545)
Added two new configure options:
--with-libidn2 - to enable IDN using GNU libidn2
idnkit, libidn and libidn2 support can not be used at the same time.
NOTE: libidn2 does not support punycode back to Unicode
characters, so support for this is missing.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Removed iconv, convert directly from locale to ACE
Fix libidn2 and idnkit origin appending
Make IDN options in help less different
Signed-off-by: Petr Menšík <pemensik@redhat.com>
(cherry picked from commit 505f673451)
Added new configure option:
--with-libidn - to enable IDN using GNU libidn
Renamed configure option:
--with-idn to --with-idnkit to make the option usage more clear
idnkit and libidn support can not be used at the same time.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
(cherry picked from commit 2320443f63)
- added tests to the dnssec system test that duplicate the ones
from bin/tests/dnssec-signzone
- changed cleanall.sh so it doesn't automatically remove all
key files, because there are now some of those that are part of the
distribution
(cherry picked from commit ccfe778c01)
(cherry picked from commit d8f8eee381)
- some of these tests are obsolete and should be cleared up,
others overlap with ATF tests and may be removed later.
for now, let's just tidy up the bin/tests directory by
moving these files down a level.
(cherry picked from commit 344ab0eb7d)
(cherry picked from commit dafdf2c09b)
Calling nextpart() after reconfiguring ns1 is not safe, because the
expected log message may appear in ns5/named.run before nextpart() is
run. With the TTL for ./DNSKEY set to 20 seconds, ns5 will refresh it
after 10 seconds, by which time wait_for_log() will already have failed.
This results in a false negative.
However, just calling nextpart() before reconfiguring ns1 would
introduce a different problem: if ns5 refreshed ./DNSKEY between these
two steps, the subsequent wait_for_log() call would return immediately
as it would come across the log message about a failure while refreshing
./DNSKEY instead of the expected success. This in turn would result in
a different false negative as the root key would still be uninitialized
by the time "rndc secroots" is called.
Prevent both kinds of false negatives by:
- calling nextpart() before reconfiguring ns1, in order to prevent the
first case described above,
- looking for a more specific log message, in order to prevent the
second case described above.
Also look for a more specific log message in the first part of the
relevant check, not to fix any problem, but just to emphasize that a
different fetch result is expected in that case.
With these tweaks in place, if a (failed) ./DNSKEY refresh is scheduled
between nextpart() and reconfiguring ns1, wait_for_log() will just wait
for two more seconds (one "hour"), at which point another refresh
attempt will be made that will succeed.
(cherry picked from commit 012ca0a27d)
- wait for the transfer completion message to appear in the log instead
of the notify message. this ensures we don't check for the presence of
transferred records during the time between the notify and the
transfer.
(cherry picked from commit ad32553c1d)
4905. [bug] irs_resconf_load() ignored resolv.conf syntax errors
when "domain" or "search" options were present in that
file. [GL #110]
(cherry picked from commit 1f18d33804)
The "sortlist-v4.conf" unit test for irs_resconf_load() is always run
twice due to a duplicate entry in the "tests" table. Remove one of them
to prevent this.
(cherry picked from commit 6c09f305ae)
irs_resconf_load() stores the value returned by add_search() into ret
without consulting its current value first. This causes any previous
errors raised while parsing resolv.conf to be ignored as long as any
"domain" or "search" statement is present in the file.
Prevent this by returning early in case an error is detected while
parsing resolv.conf. Ensure that "searchlist" and "magic" members of
the created irs_resconf_t structure are always initialized before
isc_resconf_destroy() is called.
(cherry picked from commit 1f400b68a8)
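The error-masking pattern described in the commit message above, shown as an added example that is not BIND's code: a reduced resolv.conf-style parser in which the final add_search() result either overwrites an earlier parse error or is never reached because the parser returns early. The result codes, struct layout, limits and sample inputs are constructed for this sketch; only the names add_search() and the "domain"/"search" keywords come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes and limits for this sketch (not ISC's values). */
enum { R_SUCCESS = 0, R_INVALIDFILE = 1 };
#define MAX_SEARCH 8
#define MAX_NAME 64

struct resconf {
	char search[MAX_SEARCH][MAX_NAME];
	int nsearch;
	int nservers;
};

/* Constructed sample inputs: "nameserver" without an address is a syntax error. */
static const char BAD_WITH_SEARCH[] = "nameserver\nsearch example.com\n";
static const char BAD_NO_SEARCH[] = "nameserver\n";
static const char GOOD[] = "# comment\nnameserver 192.0.2.1\nsearch example.com\n";

/* Stand-in for add_search(): appends one domain to the search list. */
static int add_search(struct resconf *conf, const char *domain) {
	if (conf->nsearch >= MAX_SEARCH || strlen(domain) >= MAX_NAME)
		return R_INVALIDFILE;
	strcpy(conf->search[conf->nsearch++], domain);
	return R_SUCCESS;
}

/*
 * Parse resolv.conf-style text. With return_early == 0 the function keeps
 * the flaw from the commit message: the add_search() result replaces any
 * error recorded while parsing. With return_early != 0 the first parse
 * error is returned immediately, so nothing can overwrite it.
 */
static int load_resconf(const char *text, int return_early, struct resconf *conf) {
	char domain[MAX_NAME] = "";
	int ret = R_SUCCESS;
	const char *p = text;

	memset(conf, 0, sizeof(*conf));
	while (*p != '\0') {
		char line[128], key[32] = "", arg[MAX_NAME] = "";
		size_t len = strcspn(p, "\n");
		int n = 0;

		if (len >= sizeof(line)) {
			ret = R_INVALIDFILE; /* overlong line */
		} else {
			memcpy(line, p, len);
			line[len] = '\0';
			n = sscanf(line, "%31s %63s", key, arg);
		}
		p += len;
		if (*p == '\n')
			p++;

		if (n >= 1 && key[0] != '#') {
			if (strcmp(key, "nameserver") == 0) {
				if (n < 2)
					ret = R_INVALIDFILE;
				else
					conf->nservers++;
			} else if (strcmp(key, "domain") == 0 ||
				   strcmp(key, "search") == 0) {
				if (n < 2)
					ret = R_INVALIDFILE;
				else
					strcpy(domain, arg);
			}
		}
		if (return_early && ret != R_SUCCESS)
			return ret;
	}

	if (domain[0] != '\0')
		ret = add_search(conf, domain); /* overwrites ret when not returning early */
	return ret;
}

int main(void) {
	struct resconf conf;

	printf("bad + search, overwrite:    %d\n", load_resconf(BAD_WITH_SEARCH, 0, &conf));
	printf("bad + search, return early: %d\n", load_resconf(BAD_WITH_SEARCH, 1, &conf));
	printf("bad, no search, overwrite:  %d\n", load_resconf(BAD_NO_SEARCH, 0, &conf));
	printf("good, return early:         %d\n", load_resconf(GOOD, 1, &conf));
	return 0;
}
```

The third case shows why the flaw went unnoticed: without a "domain" or "search" line the error is still reported, so only files containing one of those statements were accepted despite syntax errors.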
- don't bail out of the loop if clients are exceeded, just count incidents
- verbosely describe expectations and results
(cherry picked from commit 86838b2a02)
Print a list of failed system tests, if any, below the system test
summary to avoid the need to manually search through the test log.
(cherry picked from commit 28068857e7)
The current regular expression used for extracting system test results
from systests.output, "^R:", is anchored at the start of a line, which
prevents colored system test output from being properly processed. As
just "R:" would arguably be too general, extend the pattern a bit to
ensure it will only match lines containing system test results.
(cherry picked from commit 9006d6dbbd)
- removed a few remaining places where output wasn't being passed
through echo_i or cat_i
- added a "digcomp" function to conf.sh.in to send digcomp.pl output
through cat_i and return the correct exit value
- set SYSTESTDIR when calling echo_i from nsX directories, so that
the test name will always be printed correctly
- fixed a test name typo in conf.sh.in
(cherry picked from commit 0e52fbd0b3)
4903. [bug] "check-mx fail;" did not prevent MX records containing
IP addresses from being added to a zone by a dynamic
update. [GL #112]
(cherry picked from commit 1d403f9d3c)
(cherry picked from commit 71a35bc8e5)
The check_mx() function in lib/ns/update.c incorrectly tests whether the
DNS_RDATA_CHECKMX/DNS_RDATA_CHECKMXFAIL flags are set for each applied
MX record update as these flags are never set in code paths related to
dynamic updates; they can only be set when loading a zone from a master
file (DNS_ZONEOPT_CHECKMX -> DNS_MASTER_CHECKMX -> DNS_RDATA_CHECKMX).
This flaw allows MX records containing IP addresses to be added to a
zone even when "check-mx fail;" is used.
Ensure correct behavior by modifying the relevant tests in check_mx() so
that they use DNS_ZONEOPT_CHECKMX/DNS_ZONEOPT_CHECKMXFAIL instead.
(cherry picked from commit 857a40c87b)
(cherry picked from commit 590f092e00)
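The flag mix-up described in the commit message above, as an added example that is not BIND's code: a policy check that consults a flag word which is never populated on the dynamic update path accepts everything, while the same check against the zone's options enforces "check-mx fail;". The flag names are the ones in the message; their bit values, the update_ctx struct, the verdict enum and the assumption that "warn" sets only the CHECKMX bit while "fail" sets both are constructed for this sketch.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Names from the commit message; the bit values here are constructed. */
#define DNS_ZONEOPT_CHECKMX     0x01u
#define DNS_ZONEOPT_CHECKMXFAIL 0x02u
#define DNS_RDATA_CHECKMX       0x10u
#define DNS_RDATA_CHECKMXFAIL   0x20u

enum verdict { MX_ACCEPT, MX_WARN, MX_REFUSE };

/* Hypothetical view of what a dynamic update handler has at hand. */
struct update_ctx {
	unsigned zone_options; /* set from the zone's configuration */
	unsigned rdata_flags;  /* only set by the master file loader */
};

/* Return 1 if the MX exchange field is an IPv4 or IPv6 address literal. */
static int mx_target_is_address(const char *target) {
	char buf[256];
	unsigned char addr[16];
	size_t len = strlen(target);

	if (len == 0 || len >= sizeof(buf))
		return 0;
	memcpy(buf, target, len + 1);
	if (buf[len - 1] == '.')
		buf[len - 1] = '\0'; /* drop the root label's trailing dot */
	return inet_pton(AF_INET, buf, addr) == 1 ||
	       inet_pton(AF_INET6, buf, addr) == 1;
}

/* Shared decision logic: only the flag word and the masks differ. */
static enum verdict decide(unsigned flags, unsigned check, unsigned fail,
			   const char *target) {
	if ((flags & check) == 0 || !mx_target_is_address(target))
		return MX_ACCEPT;
	return (flags & fail) != 0 ? MX_REFUSE : MX_WARN;
}

/* Before the fix: tests flags that are always zero for dynamic updates. */
static enum verdict check_mx_before(const struct update_ctx *ctx, const char *target) {
	return decide(ctx->rdata_flags, DNS_RDATA_CHECKMX, DNS_RDATA_CHECKMXFAIL, target);
}

/* After the fix: tests the zone options that "check-mx" actually sets. */
static enum verdict check_mx_after(const struct update_ctx *ctx, const char *target) {
	return decide(ctx->zone_options, DNS_ZONEOPT_CHECKMX, DNS_ZONEOPT_CHECKMXFAIL, target);
}

/* Constructed contexts for a zone with "check-mx fail;" and "check-mx warn;". */
static const struct update_ctx FAIL_ZONE = {
	DNS_ZONEOPT_CHECKMX | DNS_ZONEOPT_CHECKMXFAIL, 0
};
static const struct update_ctx WARN_ZONE = { DNS_ZONEOPT_CHECKMX, 0 };

int main(void) {
	static const char *targets[] = { "192.0.2.1.", "2001:db8::1", "mail.example.com." };
	size_t i;

	for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
		printf("%-18s before=%d after=%d\n", targets[i],
		       check_mx_before(&FAIL_ZONE, targets[i]),
		       check_mx_after(&FAIL_ZONE, targets[i]));
	return 0;
}
```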
Prevent runall.sh and "make test" from even attempting to run system
tests when "ifconfig.sh up" has not been run beforehand. This ensures
the user is not flooded with error messages in such a case.
(cherry picked from commit e0221f2d25)
This enables the environment variables controlling run.sh behavior to be
permanently set in a working environment (e.g. to automatically force
colored output without using "-c" in each runall.sh invocation).
Relevant runall.sh command line arguments still have a higher priority.
(cherry picked from commit d989d20fe5)
As parallel.mk and runsequential.sh both pipe system test output through
"tee" (for the purpose of creating test.output), run.sh invoked from
these two files detects it is not writing to a terminal, which prevents
colored output from being generated. Allow forcing colored output using
a new command line argument for runall.sh, "-c", which sets an
environment variable (SYSTEMTEST_FORCE_COLOR) causing conf.sh to
unconditionally enable colored output.
The same environment variable can also be used directly to force colored
output when using "make test" instead of runall.sh.
(cherry picked from commit a324031a82)
Instead of exporting an environment variable containing a command line
argument (NOCLEAN="-n"), extend run.sh to handle a "boolean" environment
variable (SYSTEMTEST_NO_CLEAN) itself. The former method is buggy
because the value of NOCLEAN is set in parallel.mk when that file is
first created, but it is not subsequently updated upon each test run
(because make considers parallel.mk to be up to date).
To retain backward compatibility, the "-n" command line argument for
run.sh is still supported (and has a higher priority than the relevant
environment variable).
The SYSTEMTEST_NO_CLEAN environment variable can also be used directly
to prevent cleanup when using "make test" instead of runall.sh.
Apart from fixing a bug, this simplifies the way runall.sh controls
run.sh behavior due to the Makefile being bypassed. Direct processing
of environment variables in run.sh is more scalable in the long run,
given that the previously utilized technique, even with its
implementation fixed, would still require Makefile.in to be modified in
two places each time a new flag needed to be passed from runall.sh to
run.sh.
(cherry picked from commit 3862043879)
generated into builddir. If out-of-tree build is used, make unit
will always fail. Kyuafiles and testdata still have to be copied
manually into the builddir.
(cherry picked from commit 95cde3608a)
- no longer grep for specific line numbers when checking
parameter logging, as those can change
- report the failure immediately if parameter check fails
(cherry picked from commit 749df056be)
- this was a test for the allow-v6-synthesis option, which was
deprecated and no longer works. the test was removed
from conf.sh.in long ago.
(cherry picked from commit 474b10a133)
(cherry picked from commit 7971873639)
1. Track changes to conf.sh.in in conf.sh.win32
2. Modifications to prevent Windows "Configure" script replacing
the sed "@PORT@" substitution tokens in conf.sh.win32.
3. runall.sh now runs Windows tests sequentially
(cherry picked from commit 7bb9a97904)
It was TESTNAME, but this is an obvious name and was used in one of
the system tests, something that interfered with the content of
progress messages. It is now SYSTESTDIR.
(cherry picked from commit 30cd931a0d)
Ensure case clauses are in sync with the string passed to getopts.
Remove catch-all clauses as they will never be evaluated.
(cherry picked from commit 0dcee1cad3)
Commit 57aa7b60fd caused catz/setup.sh to no longer call clean.sh, which
results in the catz system test failing on subsequent runs if the first
run is interrupted or fails.
(cherry picked from commit 344d05063f)
Escape the line ends in a multi-line variable assignment. Under some
circumstances, substituting the variable caused syntax errors when
used as the list of values in a shell script "for" statement.
(cherry picked from commit 462766cd76)
Added descriptions of how nameservers are started and stopped
during the tests, and how the framework cleans up the files created.
(cherry picked from commit f606b17dfb)
Some tests may need to examine all output files from all system tests.
Allow the deletion of these files to be inhibited if required.
(cherry picked from commit 00bc29640b)
Error messages concerning the invocation of run.sh are output to
stderr. Messages after the test has started are output to stdout.
(cherry picked from commit 244d1c30e2)
When running all the system tests, output from a test is sent to a
test.output file in the test directory. These are combined into
systests.output when the run finishes.
(cherry picked from commit 055e5be9fd)
Add more information on running the tests, together with a section
on how the tests are organised, aimed at new developers.
(cherry picked from commit af005cdbcf)
Tidy up the stop/start files and make switch usage consistent. Also
tidy up the various "clean" targets in the Makefile.
(cherry picked from commit b24c2e11d8)
Miscellaneous tidying up of run management. The most significant
change is that "runall.sh" now runs _all_ the tests, even the
ones that can run in parallel. runsequential.sh is the script
to run tests that have not been converted to parallel running.
(cherry picked from commit 32fe6f7682)
Some tests use more ports than just the query and control ports.
Each test that can run in parallel with other tests is now assigned
a unique block of 10 ports.
(cherry picked from commit e0ff77f9d3)
Currently these tests are allow_query, rpzrecurse and serve-stale
1. Function to copy files and set port numbers renamed from copy_config
to copy_setports, as this is used to change the ports in Perl and Python
test scripts as well.
2. Changes to rpzrecurse/tests.sh to handle two calls to getopts (one to
parse port numbers, the other to parse rpzrecurse-specific options). Also
fixed various commands to use correct ports.
3. Updates to "clean.sh" scripts to ensure that all files created in the
test are removed.
(cherry picked from commit 78f2b9ca01)
Via an intermediate make file, tests that have been modified to be able
to run in parallel are assigned unique query and control port numbers
(other than 5300 and 9953 respectively). Tests that have not yet been
modified all use ports 5300 and 9953, so must be run sequentially.
(cherry picked from commit e7429b124b)
Stabilize cacheclean system test
Closes #67
See merge request isc-projects/bind9!43
(cherry picked from commit 643c8c27ff)
01de79b3 Assign an index to each check in the cacheclean system test
aeea1faf Do not overwrite cache dumps
2bbff06d Wait until a cache dump completes instead of waiting for a fixed amount of time
ca1049b2 Improve the way cache contents are searched for "ns.flushtest.example"
4892. [bug] named could leak memory when "rndc reload" was invoked
before all zone loading actions triggered by a previous
"rndc reload" command were completed. [RT #47076]
Remove a block of code which dates back to commit 8a2ab2b920, when
dns_zone_asyncload() did not yet check DNS_ZONEFLG_LOADPENDING.
Currently, no race in accessing DNS_ZONEFLG_LOADPENDING is possible any
more, because:
- dns_zone_asyncload() is still the only function which may queue
zone_asyncload(),
- dns_zone_asyncload() accesses DNS_ZONEFLG_LOADPENDING under a lock
(and potentially queues an event under the same lock),
- DNS_ZONEFLG_LOADPENDING is not cleared until the load actually
completes.
Thus, the rechecking code can be safely removed from zone_asyncload().
Note that this also brings zone_asyncload() to a state in which the
completion callback is always invoked. This is required to prevent
leaking memory in case something goes wrong in zone_asyncload() and a
zone table the zone belongs to is indefinitely left with a positive
reference count.
Code handling cancellation of asynchronous zone load events was likely
copied over from other functions when asynchronous zone loading was
first implemented in commit 8a2ab2b920. However, unlike those other
functions, asynchronous zone loading events currently have no way of
getting canceled once they get posted, which means the aforementioned
code is effectively dead. Remove it to prevent confusion.
zone_load() is not always synchronous, it may only initiate an
asynchronous load and return DNS_R_CONTINUE, which means zone loading
has not yet been completed. In such a case, zone_asyncload() must not
clear DNS_ZONEFLG_LOADPENDING immediately and leave that up to
zone_postload().
While this is not an issue in named, which only calls
dns_zone_asyncload() from task-exclusive mode, this function is exported
by libdns and thus may in theory be concurrently called for the same
zone by multiple threads. It also does not hurt to be consistent
locking-wise with other DNS_ZONEFLG_LOADPENDING accesses.
root key being present. Warn about dlv.isc.org's
key being present. Warn about both managed and
trusted root keys being present. [RT #43670]
(cherry picked from commit baef0ca988)
4888. [test] Initialize sockets correctly in sample-update so
that nsupdate system test will run on Windows.
[RT #47097]
(cherry picked from commit 6757dc6488)
field now require that it be set to "." to ensure
that any type list present is properly interpreted.
[RT #47126]
(cherry picked from commit ec771bbdc8)
4873. [doc] Grammars for named.conf included in the ARM are now
automatically generated by the configuration parser
itself. As a side effect of the work needed to
separate zone type grammars from each other, this
also makes checking of zone statements in
named-checkconf more correct and consistent.
[RT #36957]
(cherry picked from commit 129c4414cb)
(cherry picked from commit f662d5484e)
4867. [cleanup] Normalize rndc on/off commands (validation and
querylog) so they accept the same synonyms
for on/off (yes/no, true/false, enable/disable).
Thanks to Tony Finch. [RT #47022]
(cherry picked from commit cf8f4241e7)
4864. [bug] named acting as a slave for a catalog zone crashed if
the latter contained a master definition without an IP
address. [RT #45999]
(cherry picked from commit ae51a676c9)
4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839]
if there were active KSK and ZSK keys for
an algorithm when update-check-ksk is true
(default) leaving records unsigned with one or
more DNSKEY algorithms. [RT #46774]
(cherry picked from commit 00f5ea91cf)
if there were active KSK and ZSK keys for
an algorithm when update-check-ksk is true
(default) leaving records unsigned with one or
more DNSKEY algorithms. [RT #46754]
(cherry picked from commit 6fa2a0691e)
properly determining if there were active KSK and
ZSK keys for an algorithm when update-check-ksk is
true (default) leaving records unsigned. [RT #46743]
(cherry picked from commit 196e01da5f)
4836. [bug] Zones created using "rndc addzone" could
temporarily fail to inherit an "allow-transfer"
ACL that had been configured in the options
statement. [RT #46603]
(cherry picked from commit e197a2bd15)
4835. [cleanup] Clean up and refactor LMDB-related code. [RT #46718]
4834. [port] Fix LMDB support on OpenBSD. [RT #46718]
(cherry picked from commit 2c20fc0d13)
4830. [bug] Failure to configure ATF when requested did not cause
an error in top-level configure script. [RT #46655]
(cherry picked from commit 376d5996a1)
4819. [bug] Fully backout the transaction when adding a RRset
to the resigning / removal heaps fails. [RT #46473]
(cherry picked from commit 19f6a63184)
4826. [cleanup] Prevent potential build failures in bin/confgen/ and
bin/named/ when using parallel make. [RT #46648]
(cherry picked from commit a573b93b46)
4825. [bug] Prevent a bogus "error during managed-keys processing
(no more)" warning from being logged. [RT #46645]
(cherry picked from commit 165df18f75)
always later than the resigning time of other records.
[RT #46473]
4820. [bug] dns_db_subtractrdataset should transfer the resigning
information to the new header. [RT #46473]
4819. [bug] Fully backout the transaction when adding a RRset
to the resigning / removal heaps fails. [RT #46473]
(cherry picked from commit 656eed7c9b)
4818. [test] The logfileconfig system test could intermittently
report false negatives on some platforms. [RT #46615]
(cherry picked from commit 7a0188774f)
This prevents a Linux kernel bug discussed in RT #32355 from being
triggered and thus makes "checking notify to multiple views using tsig"
stable.
(cherry picked from commit 27bf48327c)
4801. [func] 'dnssec-lookaside auto;' and 'dnssec-lookaside .
trust-anchor dlv.isc.org;' now elicit warnings rather
than being fatal configuration errors. [RT #46410]
(cherry picked from commit f5e1b555c5)
4788. [cleanup] When using "update-policy local", log a warning
when an update matching the session key is received
from a remote host. [RT #46213]
- this completes change #4762.
4786. [cleanup] Turn nsec3param_salt_totext() into a public function,
dns_nsec3param_salttotext(), and add unit tests for it.
[RT #46289]
(cherry picked from commit 910a01550a)
Change 4592 was supposed to replace a REQUIRE with a conditional return.
While the latter was added, the former was not removed. Remove the
relevant REQUIRE to fix RT #43822 for good.
(cherry picked from commit a94d68ce43)
4769. [bug] Enforce the requirement that the managed keys
directory (specified by "managed-keys-directory",
and defaulting to the working directory if not
specified) must be writable. [RT #46077]
4770. [bug] Cache additional data from priming queries as glue.
Previously they were ignored as unsigned
non-answer data from a secure zone, and never
actually got added to the cache, causing hints
to be used frequently for root-server
addresses, which triggered re-priming. [RT #45241]
(cherry picked from commit 5de02a075b)
4762. [func] "update-policy local" is now restricted to updates
from local addresses. (Previously, other addresses
were allowed so long as updates were signed by the
local session key.) [RT #45492]
record trust-anchor-telemetry in incoming requests.
Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
are logged. [RT #46124]
(cherry picked from commit b41c1aacbc)
4756. [bug] Interrupting dig could lead to an INSIST failure after
certain errors were encountered while querying a host
whose name resolved to more than one address. Change
4537 increased the odds of triggering this issue by
causing dig to hang indefinitely when certain error
paths were evaluated. dig now also retries TCP queries
(once) if the server gracefully closes the connection
before sending a response. [RT #42832, #45159]
(cherry picked from commit 14afc8425b)
4753. [contrib] Software obtainable from known upstream locations
(i.e., zkt, nslint, query-loc) has been removed.
Links to these and other packages can be found at
https://www.isc.org/community/tools [RT #46182]
(cherry picked from commit 319aad330d)
4749. [func] The ISC DLV service has been shut down, and all
DLV records have been removed from dlv.isc.org.
- Removed references to ISC DLV in documentation
- Removed DLV key from bind.keys
- No longer use ISC DLV by default in delv
[RT #46155]
4745. [test] Add color-coded pass/fail messages to system
tests when running on terminals that support them.
[RT #45977]
(cherry picked from commit 3bb6150cae)
4736. [cleanup] (a) Added comments to NSEC3-related functions in
lib/dns/zone.c. (b) Refactored NSEC3 salt formatting
code. (c) Minor tweaks to lock and result handling.
[RT #46053]
(cherry picked from commit acc3728c47)
4727. [bug] Retransferring an inline-signed slave using NSEC3
around the time its NSEC3 salt was changed could result
in an infinite signing loop. [RT #45080]
(cherry picked from commit f665c724e4)
4726. [port] Prevent setsockopt() errors related to TCP_FASTOPEN
from being logged on FreeBSD if the kernel does not
support it. Notify the user when the kernel does
support TCP_FASTOPEN, but it is disabled by sysctl.
Add a new configure option, --disable-tcp-fastopen, to
disable use of TCP_FASTOPEN altogether. [RT #44754]
(cherry picked from commit c2179857de)
4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
strlcpy() and strlcat() for safety. [RT #45981]
(cherry picked from commit 114f95089c)
4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1,
FORMERR if TC=0, and log the error correctly.
[RT #45836]
(cherry picked from commit 25b33bede4)
4678. [cleanup] Turn on minimal responses for CDNSKEY and CDS in
addition to DNSKEY and DS. Thanks to Tony Finch.
[RT #45690]
(cherry picked from commit 391a3a2f20)
4686. [bug] dnssec-settime -p could print a bogus warning about
key deletion scheduled before its inactivation when a
key had an inactivation date set but no deletion date
set. [RT #45807]
(cherry picked from commit 330365566d)
4685. [bug] dnssec-settime incorrectly calculated publication and
activation dates for a successor key. [RT #45806]
(cherry picked from commit 5201b96d03)
4684. [bug] delv could send bogus DNS queries when an explicit
server address was specified on the command line along
with -4/-6. [RT #45804]
(cherry picked from commit 367fcd7454)
4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record
not at top of zone and -o is not used. [RT #45519]
(cherry picked from commit 877c264edc)
4670. [cleanup] Ensure that a request MAC is never sent back
in an XFR response unless the signature was
verified. [RT #45494]
(cherry picked from commit 0ad72b96d2)
4666. [bug] dnssec-keymgr: Domain names beginning with digits (0-9)
could cause a parser error when reading the policy
file. This now works correctly so long as the domain
name is quoted. [RT #45641]
4662. [performance] Improve cache memory cleanup of zero TTL records
by putting them at the tail of LRU header lists.
[RT #45274]
(cherry picked from commit e924155211)
4661. [bug] A race condition could occur if a zone was reloaded
while resigning, triggering a crash in
rbtdb.c:closeversion(). [RT #45276]
(cherry picked from commit 036305f00d)
4656. [bug] Apply "port" and "dscp" values specified in catalog
zone's "default-masters" option to the generated
configuration of its member zones. [RT #45545]
(cherry picked from commit 383240d572)
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
(cherry picked from commit 581c1526ab)
4642. [cleanup] Add more logging of RFC 5011 events affecting the
status of managed keys: newly observed keys,
deletion of revoked keys, etc. [RT #45354]
(cherry picked from commit 0d90835d2a)
4532. [security] The BIND installer on Windows used an unquoted
service path, which can enable privilege escalation.
(CVE-2017-3141) [RT #45229]
(cherry picked from commit 967a3b9419)
4625. [bug] Running "rndc addzone" and "rndc delzone" at close
to the same time could trigger a deadlock if using
LMDB. [RT #45209]
(cherry picked from commit 03a7a952c0)
4616. [bug] When using LMDB, zones deleted using "rndc delzone"
were not correctly removed from the new-zone
database. [RT #45185]
(cherry picked from commit 3a554a444c)
4602. [func] Threads are now set to human-readable
names to assist debugging, when supported by
the OS. [RT #43234]
(cherry picked from commit d26ae7fc08)
4588. [bug] nsupdate could send queries for TKEY to the wrong
server when using GSSAPI. Thanks to Tomas Hozza.
[RT #39893]
(cherry picked from commit 66b71679b7)
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
(cherry picked from commit f240f4a5de)
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
(cherry picked from commit a1365a0042)
4569. [func] Store both local and remote addresses in dnstap
logging, and modify dnstap-read output format to
print them. [RT #43595]
(cherry picked from commit 650b5e7592)
4565. [cleanup] The inline macro versions of isc_buffer_put*()
did not implement automatic buffer reallocation.
[RT #44216]
(cherry picked from commit 7769c92946)
than have it on all the time. [RT #44509]
4559. [bug] Openssl_link.c didn't compile if ISC_MEM_TRACKLINES
was turned off. [RT #44509]
(cherry picked from commit 25da687db7)
4521. [cleanup] Log it as an error if an entropy source is not
found and there is no fallback available. [RT #43659]
(cherry picked from commit 6bdb70057d)
4509. [test] Make the rrl system test more reliable on slower
machines by using mdig instead of dig. [RT #43280]
(cherry picked from commit 1e2aca8d90)
4503. [cleanup] "make uninstall" now removes files installed by
BIND. (This currently excludes Python files
due to lack of support in setup.py.) [RT #42912]
(cherry picked from commit 6087f87afb)
4499. [port] MacOSX: silence deprecated function warning
by using arc4random_stir() when available
instead of arc4random_addrandom(). [RT #43503]
(cherry picked from commit 3fb62a5a4e)
4471. [cleanup] Render client/query logging format consistent for
ease of log file parsing. (Note that this affects
"querylog" format: there is now an additional field
indicating the client object address.) [RT #43238]
(cherry picked from commit c4b7db4932)
4459. [bug] TCP client objects created to handle pipeline queries
were not cleaned up correctly, causing uncontrolled
memory growth. [RT #43106]
(cherry picked from commit a26a62cef2)
4455. [cleanup] Allow dyndb modules to correctly log the filename
and line number when processing configuration text
from named.conf. [RT #43050]
(cherry picked from commit 02fb764681)
4446. [bug] The cache_find() and _findrdataset() functions
could find rdatasets that had been marked stale.
[RT #42853]
(cherry picked from commit 46e7763d19)
4445. [cleanup] isc_errno_toresult() can now be used to call the
formerly private function isc__errno2result().
[RT #43050]
4444. [bug] Fixed some issues related to dyndb: A bug caused
braces to be omitted when passing configuration text
from named.conf to a dyndb driver, and there was a
use-after-free in the sample dyndb driver. [RT #43050]
Patch for dyndb driver submitted by Petr Spacek at Red Hat.
(cherry picked from commit 3390d74e33)
no-auth and no-auth-recursive which suppress
adding the NS records to the authority section
as well as the associated address records for the
nameservers. [RT #42005]
(cherry picked from commit 78e31dd187)
to provide feedback to the trust-anchor administrators
about how key rollovers are progressing as per
draft-ietf-dnsop-edns-key-tag-02. This can be
disabled using 'trust-anchor-telemetry no;'.
[RT #40583]
(cherry picked from commit f20179857a)
4421. [func] When built with LMDB (Lightning Memory-mapped
Database), named will now use a database to store
the configuration for zones added by "rndc addzone"
instead of using a flat NZF file. This improves
performance of "rndc delzone" and "rndc modzone"
significantly. Existing NZF files will
automatically be converted to NZD databases.
To view the contents of an NZD or to roll back to
NZF format, use "named-nzd2nzf". To disable
this feature, use "configure --without-lmdb".
[RT #39837]
4417. [bug] dnssec-keymgr could fail to create successor keys
if the prepublication interval was set to a value
smaller than the default. [RT #42820]
Patch submitted by Nis Wechselberg (enbewe@enbewe.de).
4416. [bug] dnssec-keymgr: Domain names in policy files could
fail to match due to trailing dots. [RT #42807]
Patch submitted by Armin Pech (mail@arminpech.de).
4414. [bug] Corrected a bug in the MIPS implementation of
isc_atomic_xadd(). [RT #41965]
Submitted by Lamont Jones (lamont@debian.org). Closes Debian issue #406409.
4411. [func] "rndc dnstap -roll" automatically rolls the
dnstap output file; the previous version is
saved with ".0" suffix, and earlier versions
with ".1" and so on. An optional numeric argument
indicates how many prior files to save. [RT #42830]
trigger an infinite recursion bug in lwresd
and named with lwres configured if, when combined
with a search list entry, the resulting name is
too long. [RT #42694]
(cherry picked from commit 38cc2d14e2)
added better text to describe the license change
added information about the following changes to notes.xml
+4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
+ [RT #42455]
+4392. [func] Collect statistics for RSSAC02v3 traffic-volume,
+ traffic-sizes and rcode-volume reporting. [RT #41475]
+4388. [func] Support for master entries with TSIG keys in catalog
+ zones. [RT #42577]
+4385. [func] Add support for allow-query and allow-transfer ACLs
+ to catalog zones. [RT #42578]
4380. [experimental] Added a "zone-directory" option to "catalog-zones"
syntax, allowing local masterfiles for slaves
that are provisioned by catalog zones to be stored
in a directory other than the server's working
directory. [RT #42527]
provisioning secondary servers in which a list of
zones to be served is stored in a DNS zone and can
be propagated to slaves via AXFR/IXFR. [RT #41581]
4375. [func] Add support for automatic reallocation of isc_buffer
to isc_buffer_put* functions. [RT #42394]
4371. [func] New "minimal-any" option reduces the size of UDP
responses for qtype ANY by returning a single
arbitrarily selected RRset instead of all RRsets.
Thanks to Tony Finch. [RT #41615]
4354. [func] "pkcs11-list" now displays the extractability
attribute of private or secret keys stored in
an HSM, as either "true", "false", or "never".
Thanks to Daniel Stirnimann. [RT #36557]
4352. [cleanup] The ISC DNSSEC Lookaside Validation (DLV) service
is scheduled to be disabled in 2017. A warning is
now logged when named is configured to use it,
either explicitly or via "dnssec-lookaside auto;"
[RT #42207]
4349. [contrib] kasp2policy: A python script to create a DNSSEC
policy file from an OpenDNSSEC KASP XML file.
4348. [func] dnssec-keymgr: A new python-based DNSSEC key
management utility, which reads a policy definition
file and can create or update DNSSEC keys as needed
to ensure that a zone's keys match policy, roll over
correctly on schedule, etc. Thanks to Sebastian
Castro for assistance in development. [RT #39211]
4324. [bug] When deleting records from a zone database, interior
nodes could be left empty but not deleted, damaging
search performance afterward. [RT #40997]
4307. [bug] "dig +subnet" and "mdig +subnet" could send
incorrectly-formatted Client Subnet options
if the prefix length was not divisible by 8.
Also fixed a memory leak in "mdig". [RT #45178]
4303. [bug] "dig +subnet" was unable to send a prefix length of
zero, as it was incorrectly changed to 32 for v4
prefixes or 128 for v6 prefixes. In addition to
fixing this, "dig +subnet=0" has been added as a
short form for 0.0.0.0/0. The same changes have
also been made in "mdig". [RT #41553]
4300. [bug] A flag could be set in the wrong field when setting
up nonrecursive queries; this could cause the
SERVFAIL cache to cache responses it shouldn't.
New querytrace logging has been added which
identified this error. [RT #41155]
Added test for RT #39197. Made the rrl test more
tolerant of minor differences in results due to
timing. Removed the failure override for the rrl
test.
commit 01a15bc80ef4c20171ddfe9b5ceb2ebe008c8e0d
Author: Curtis Blackburn <ckb@isc.org>
Date: Tue Dec 15 15:08:03 2015 -0800
added a new nameserver to the rrl test
4290. [func] The timers returned by the statistics channel
(indicating current time, server boot time, and
most recent reconfiguration time) are now reported
with millisecond accuracy. [RT #40082]
4284. [bug] Some GeoIP options were incorrectly documented
using abbreviated forms which were not accepted by
named. The code has been updated to allow both
long and abbreviated forms. [RT #41381]
4269. [bug] Zones using "map" format master files currently
don't work as policy zones. This limitation has
now been documented; attempting to use such zones
in "response-policy" statements is now a
configuration error. [RT #38321]
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
This is to be consistent with other manuals:
- no period punctuation at end
- no capitalization at beginning unless acronym or proper noun
- and no simple article (like "A") to start sentence.
While the docbook specification says refpurpose is a "one sentence",
its examples show it with the rules shown above.
Also compared with many manpages as this is common format for the
.Nd macro's one line description.
4235. [func] Added support in named for "dnstap", a fast method of
capturing and logging DNS traffic, and a new command
"dnstap-read" to read a dnstap log file. Use
"configure --enable-dnstap" to enable this
feature (note that this requires libprotobuf-c
and libfstrm). See the ARM for configuration details.
Thanks to Robert Edmonds of Farsight Security.
[RT #40211]
4224. [func] Added support for "dyndb", a new interface for loading
zone data from an external database, developed by
Red Hat for the FreeIPA project.
DynDB drivers fully implement the BIND database
API, and are capable of significantly better
performance and functionality than DLZ drivers,
while taking advantage of advanced database
features not available in BIND such as multi-master
replication.
Thanks to Adam Tkac and Petr Spacek of Red Hat.
[RT #35271]
This is for ticket #36955.
Improve grammar for zone-statistics to list new arguments.
Refer to the docs in the options section.
Clarify that stats may not show view name.
dblatex generated LaTeX that failed with the "id" for link reference
in the sect1 when it had no <title> to reference.
(A workaround is to set a <title>.)
But since this appendix only had one section
and looked off to have B1 with no title and no B2, just remove the
sect1 tags.
I added the id to the first <para> tag just in case someone uses
it to link.
Note I didn't reformat the content there.
I didn't get this reviewed as it was a trivial change.
I just used "string" as the value type.
There is no real order here so just put by another "nxdomain" option.
This was not reviewed.
This is for ticket #39384 which also considers other work.
This is for ticket 38106.
The initial patch was okayed, but then another commenter mentioned
that max-zone-ttl also allows TTL units so I mention that also
without review.
Note for the ticket, resolver-query-timeout change was
already handled last month in my commit 8789f39b
I didn't get this reviewed but looked at source where
dns_resolver_settimeout value is called "seconds"
and the comments for the maximum and default macros say "seconds".
4184. [bug] Fixed a possible memory leak in name compression
when rendering long messages. (Also, improved
wire_test for testing such messages.) [RT #40375]
4183. [cleanup] Use timing-safe memory comparisons in cryptographic
code. Also, the timing-safe comparison functions have
been renamed to avoid possible confusion with
memcmp(). [RT #40148]
4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm, nocookie-udp-size
and require-server-cookie. The following dig options
are available: +[no]cookie[=value] and +[no]badcookie.
[RT #39928]
Squashed commit of the following:
commit 73f0bba7d8d4763763ff88731c739ac646714ac8
Author: Mukund Sivaraman <muks@isc.org>
Date: Mon Jul 13 05:40:35 2015 +0530
Update rndc usage output
This is based on a patch sent by Tony Finch.
Squashed commit of the following:
commit 77f12b02cf4e81f13e10db3cfac90e9de0b53928
Author: Mukund Sivaraman <muks@isc.org>
Date: Mon Jul 13 05:28:13 2015 +0530
Some tweaks
commit 9c521020b03c2fe7293ec4c970225fff479efd40
Author: Tony Finch <dot@dotat.at>
Date: Thu Jul 9 15:36:15 2015 +0100
rndc addzone error reporting improvements
Clearer error messages from rndc addzone and modzone when the view is not
known or when allow-new-zones is off.
Also, remove a spurious newline from the delzone response.
4161. [test] Add JSON test for traffic size stats; also test
for consistency between "rndc stats" and the XML
and JSON statistics channel contents. [RT #38700]
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
See the ARM for details of these options. [RT #37125]
4156. [func] Added statistics counters to track the sizes
of incoming queries and outgoing responses in
histogram buckets, as specified in RSSAC002.
[RT #39049]
response when there is a malformed EDNS option.
[RT #39647]
4153. [bug] Dig should zero non significant +subnet bits. Check
that non significant ECS bits are zero on receipt.
[RT #39647]
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
4124. [func] Log errors or warnings encountered when parsing the
internal default configuration. Clarify the logging
of errors and warnings encountered in rndc
addzone or modzone parameters. [RT #39440]
4121. [bug] When updating a response-policy zone via AXFR,
summary data about other policy zones could fall
out of sync. Ultimately this could trigger an
assertion failure in rpz.c. [RT #39567]
4120. [bug] A bug in RPZ could cause the server to crash if
policy zones were updated while recursion was
pending for RPZ processing of an active query.
[RT #39415]
4108. [func] An additional NXDOMAIN redirect method (option
"nxdomain-redirect") has been added, allowing
redirection to a specified DNS namespace instead
of a single redirect zone. [RT #37989]
4083. [cleanup] Print the number of CPUs and UDP listeners
in the log and in "rndc status" output; indicate
whether threads are supported in "named -V" output.
[RT #38811]
4080. [func] Completed change #4022, adding a "lock-file" option
to named.conf to override the default lock file,
in addition to the "named -X <filename>" command
line option. Setting the lock file to "none"
using either method disables the check completely.
[RT #37908]
4064. [contrib] dnssec-keyset.sh: Generates a specified number
of DNSSEC keys with timing set to implement a
pre-publication key rollover strategy. Thanks
to Jeffry A. Spain. [RT #38459]
4063. [bug] Asynchronous zone loads were not handled
correctly when the zone load was already in
progress; this could trigger a crash in zt.c.
[RT #37573]
This triggers a Valgrind out-of-bounds read report. It was introduced by
commit 5d7849ad7f.
No CHANGES entry necessary as it doesn't have any user-visible or
behavioral change. It removes an out-of-bounds read issue that went
undetected when allocated through isc_mem as the memory was present.
The memory read was compared to itself, so it has no behavioral change.
4056. [bug] Expanded automatic testing of trust anchor
management and fixed several small bugs including
a memory leak and a possible loss of key state
information. [RT #38458]
4055. [func] "rndc managed-keys" can be used to check status
of trust anchors or to force keys to be refreshed.
Also, the managed keys data file has easier-to-read
comments. [RT #38458]
4053. [security] Revoking a managed trust anchor and supplying
an untrusted replacement could cause named
to crash with an assertion failure.
(CVE-2015-1349) [RT #38344]
4040. [func] Added server-side support for pipelined TCP
queries. TCP connections are no longer closed after
the first query received from a client. (The new
"keep-response-order" option allows clients to be
specified for which the old behavior will still be
used.) [RT #37821]
Based on a patch sent in by Tony Finch <dot@dotat.at>.
Also fix win32 implementation of isc_file_openunique() to use a random
filename instead of using the process id.
4034. [func] When added, negative trust anchors (NTA) are now
saved to files (viewname.nta), in order to
persist across restarts of the named server.
[RT #37087]
4030. [func] "rndc delzone" is now applicable to zones that were
configured in named.conf, as well as zones that
were added via "rndc addzone". (Note, however, that
if named.conf is not also modified, the deleted zone
will return when named is reloaded.) [RT #37887]
4029. [func] "rndc showzone" displays the current configuration
of a specified zone. [RT #37887]
- hpux returns EADDRINUSE when listening on UDP sockets, so
we need to check for that
- also need to ensure that subsidiary named processes are shut
down in the runtime system test
dns_rdata_opt_current, dns_rdata_txt_first,
dns_rdata_txt_next and dns_rdata_txt_current were
documented but not implemented. These have now been
implemented.
dns_rdata_spf_first, dns_rdata_spf_next and
dns_rdata_spf_current were documented but not
implemented. The prototypes for these
functions have been removed. [RT #38068]
4023. [bug] win32: socket handling with explicit ports and
invoking named with -4 was broken for some
configurations. [RT #38068]
Conflicts:
bin/tests/system/conf.sh.in
lib/dns/win32/libdns.def.in
lib/isc/win32/file.c
The merge also needed to update files in legacy and tcp system tests
(newly introduced in master after branch was created) to introduce use
of lockfile.
The crash (#37591) seems to happen because the query is taken out of
lookup->q(query->link), and put on lookup->connecting(query->clink).
The code checks query->link where it is detached (-1 in next pointer).
However, there's no need to call send_tcp_connect() there as the queries
are already connecting at that point.
4006. [security] A flaw in delegation handling could be exploited
to put named into an infinite loop. This has
been addressed by placing limits on the number
of levels of recursion named will allow (default 7),
and the number of iterative queries that it will
send (default 50) before terminating a recursive
query (CVE-2014-8500).
The recursion depth limit is configured via the
"max-recursion-depth" option. [RT #35780]
4003. [security] When geoip-directory was reconfigured during
named run-time, the previously loaded GeoIP
data could remain, potentially causing wrong
ACLs to be used or wrong results to be served
based on geolocation. [RT #37720]
4002. [security] Lookups in GeoIP databases that were not
loaded could cause an assertion failure.
[RT #37679]
4001. [security] The caching of GeoIP lookups did not always
handle address families correctly, potentially
resulting in an assertion failure. [RT #37672]
4005. [func] The buffer used for returning text from rndc
commands is now dynamically resizable, allowing
arbitrarily large amounts of text to be sent back
to the client. (Prior to this change, it was
possible for the output of "rndc tsig-list" to be
truncated.) [RT #37731]
3999. [func] "mkeys" and "nzf" files are now named after
their corresponding views, unless the view name
contains characters that would be incompatible
with use in a filename (i.e., slash, backslash,
or capital letters). If a view name does contain
these characters, the files will still be named
using a cryptographic hash of the view name.
Regardless of this, if a file using the old name
format is found to exist, it will continue to be
used. [RT #37704]
3983. [bug] Change #3940 was incomplete: negative trust anchors
could be set to last up to a week, but the
"nta-lifetime" and "nta-recheck" options were
still limited to one day. [RT #37522]
3976. [bug] When refreshing managed-key trust anchors, clear
any cached trust so that they will always be
revalidated with the current set of secure
roots. [RT #37506]
This is to be consistent with our common usage of just using a
plural "s" without apostrophe.
This was brought up via discussion in ticket 37505.
I didn't have this reviewed.
startup-notify-rate instead of serial-query-rate.
[RT #24454]
3955. [bug] Notify messages due to changes are no longer queued
behind startup notify messages. [RT #24454]
EDNS(1) queries (define DRAFT_ANDREWS_EDNS1 when
building). Add support for limiting the EDNS version
advertised to servers: server { edns-version 0; };
Log the EDNS version received in the query log.
[RT #35864]
3943. [func] SERVFAIL responses can now be cached for a
limited time (configured by "servfail-ttl",
default 10 seconds, limit 30). This can reduce
the frequency of retries when an authoritative
server is known to be failing, e.g., due to
ongoing DNSSEC validation problems. [RT #21347]
3936. [func] Added authoritative support for the EDNS Client
Subnet (ECS) option.
ACLs can now include "ecs" elements which specify
an address or network prefix; if an ECS option is
included in a DNS query, then the address encoded
in the option will be matched against "ecs" ACL
elements.
Also, if an ECS address is included in a query,
then it will be used instead of the client source
address when matching "geoip" ACL elements. This
behavior can be overridden with "geoip-use-ecs no;".
When "ecs" or "geoip" ACL elements are used to
select a view for a query, the response will include
an ECS option to indicate which client network the
answer is valid for.
(Thanks to Vincent Bernat.) [RT #36781]
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3933. [bug] Corrected the implementation of dns_rdata_casecompare()
for the HIP rdata type. [RT #36911]
3932. [test] Improved named-checkconf tests. [RT #36911]
This was in the bibliography <biblioentry> entries which
already generates the desired punctuation.
Most was already correct, but some had junk periods.
3922. [bug] When resigning, dnssec-signzone was removing
all signatures from delegation nodes. It now
retains DS and (if applicable) NSEC signatures.
[RT #36946]
Say named instead of Named (be consistent).
add sit-secret, automatic-interface-scan, policy tcp-only to grammar
lowercase All-per-second to all-per-second
fix typo cn to can
Note this was not reviewed.
Squashed commit of the following:
commit ebdade4dfe59fc11d3c4ad8111729f722aab2008
Author: Mukund Sivaraman <muks@isc.org>
Date: Thu Jul 24 22:52:54 2014 +0530
Move statement to be after comment
commit 4b5d6a33350a469afb8e273bc552055824a32570
Author: Mukund Sivaraman <muks@isc.org>
Date: Thu Jul 24 21:42:52 2014 +0530
Return NULL in *rs so that caller doesn't PQclear() it again
3882. [func] By default, negative trust anchors will be tested
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behavior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146]
No CHANGES entry for this as it isn't proved to cause an issue for
anyone (isc_msgcat_get() has to return a format specifier) and isn't a
user visible change.
Squashed commit of the following:
commit bcb15c9aa17b0b706aefd9efef5f7e0e951064a3
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed Jun 4 16:55:16 2014 +0530
[27303] Supply format string as first arg to printf()
The old code only had a problem if isc_msgcat_get() returned a format
specifier (%n).
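The distinction this commit message draws, shown as an added example (not code from BIND or from the commit itself): catalog text is emitted through a constant "%s" format, and a small audit flags catalog strings that would be hazardous if they were ever used as the format. The catalog entries and all function names here are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for message-catalog text; not BIND's catalog. */
static const char *const sample_catalog[] = {
	"starting up",
	"load is 100%% of limit",  /* escaped percent: harmless as a format */
	"progress: 50%n complete", /* %n: printf() would store through a pointer */
	"trailing percent %",      /* incomplete conversion specification */
};
#define SAMPLE_COUNT (sizeof(sample_catalog) / sizeof(sample_catalog[0]))

/*
 * Count printf conversion specifications in a string that is meant to be
 * printed literally. "%%" is an escaped percent sign and is not counted;
 * a lone trailing '%' is counted because it is an incomplete conversion.
 */
static int count_conversions(const char *s) {
	int n = 0;

	while (*s != '\0') {
		if (*s == '%') {
			if (s[1] == '%') {
				s += 2; /* skip the escaped pair */
				continue;
			}
			n++;
		}
		s++;
	}
	return n;
}

/* Return the index of the first entry containing a conversion, or -1. */
static int first_unsafe_entry(const char *const *catalog, size_t count) {
	for (size_t i = 0; i < count; i++) {
		if (count_conversions(catalog[i]) != 0)
			return (int)i;
	}
	return -1;
}

/*
 * The corrected call shape: the format is a constant and the catalog text
 * is only ever an argument, so nothing in msg is interpreted.
 * The removed pattern was the equivalent of printf(msg).
 * Returns the number of bytes written, or -1 if msg did not fit.
 */
static int emit_message(char *out, size_t outlen, const char *msg) {
	int n = snprintf(out, outlen, "%s", msg);

	return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
	char buf[64];
	int bad = first_unsafe_entry(sample_catalog, SAMPLE_COUNT);

	if (bad >= 0)
		printf("catalog entry %d is unsafe as a format string\n", bad);

	for (size_t i = 0; i < SAMPLE_COUNT; i++) {
		if (emit_message(buf, sizeof(buf), sample_catalog[i]) >= 0)
			puts(buf);
	}
	return 0;
}
```
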
3867. [func] "rndc nta" can now be used to set a temporary
negative trust anchor, which disables DNSSEC
validation below a specified name for a specified
period of time (not exceeding 24 hours). This
can be used when validation for a domain is known
to be failing due to a configuration error on
the part of the domain owner rather than a
spoofing attack. [RT #29358]
No CHANGES entry was added as this commit mainly adds tests related
code.
Squashed commit of the following:
commit d3d44508daa128fb8b60f64b3a8c81f80602273d
Author: Evan Hunt <each@isc.org>
Date: Wed May 7 09:36:41 2014 -0700
[rt35904] remove private non-static names from .def file
commit dbca45661c3939f21c3bb3f405d08cfe1b35d7aa
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:39:32 2014 +0530
Remove test for shortcut findnode()
The implementation was not included in this review branch, but the tests
erroneously made it through.
This functionality will be addressed in a different ticket (RT#35906).
commit 94ff14576ab3407f2612d34727b7eacfefc3668c
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed May 7 21:36:50 2014 +0530
Minor indent fix
commit 50972f17697bb222996e433faa8224843366f9b2
Author: Evan Hunt <each@isc.org>
Date: Tue May 6 20:05:21 2014 -0700
[rt35904] style
commit 5c4d5d41fcc5bfecdeebc008896974385c841b8d
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 19:19:36 2014 +0530
RBT related updates
* Add various RBT unit tests
* Add some helper methods useful in unit testing RBT code
* General cleanup
3852. [func] Increase the default number of clients available
for servicing lightweight resolver queries, and
make them configurable via the "lwres-tasks" and
"lwres-clients" options. (Thanks to Tomas Hozza.)
[RT #35857]
3851. [func] Allow libseccomp based system-call filtering
on Linux; use "configure --enable-seccomp" to
turn it on. Thanks to Loganaden Velvindron for
the contribution. [RT #35347]
a REQUIRE assertion failure when a fetch is actually
initiated. [RT #35899]
Squashed commit of the following:
commit 7f4e1f3917d743089c42cc52ec2c0eea598d2c00
Author: Mukund Sivaraman <muks@isc.org>
Date: Sun May 4 22:34:34 2014 +0530
Fix a comment
commit 6a35a6a2346013fa8e3798b9b680d8a3031fcb03
Author: Mark Andrews <marka@isc.org>
Date: Sun May 4 23:34:25 2014 +1000
pass the correct name to query_prefetch
3832. [func] "named -L <filename>" causes named to send log
messages to the specified file by default instead
of to the system log. (Thanks to Tony Finch.)
[RT #35845]
3829. [func] "dig +ttlunits" causes dig to print TTL values
with time-unit suffixes: w, d, h, m, s for
weeks, days, hours, minutes, and seconds. (Thanks
to Tony Finch.) [RT #35823]
3826. [bug] Corrected a use-after-free in isc_radix_remove().
(This function is not used in BIND, but could have
caused problems in programs linking to libisc.)
[RT #35870]
3821. [contrib] Added a new "mysqldyn" DLZ module with dynamic
update and transaction support. Thanks to Marty
Lee for the contribution. [RT #35656]
3820. [func] The DLZ API doesn't pass the database version to
the lookup() function; this can cause DLZ modules
that allow dynamic updates to mishandle prerequisite
checks. This has been corrected by adding a
'dbversion' field to the dns_clientinfo_t
structure. [RT #35656]
3814. [func] The "masterfile-style" zone option controls the
formatting of dumped zone files. Options are
"relative" (multiline format) and "full" (one
record per line). The default is "relative".
[RT #20798]
3813. [func] "host" now recognizes the "timeout", "attempts" and
"debug" options when set in /etc/resolv.conf.
(Thanks to Adam Tkac at RedHat.) [RT #21885]
3811. [func] "serial-update-method date;" sets serial number
on dynamic update to today's date in YYYYMMDDNN
format. (Thanks to Bradley Forschinger.) [RT #24903]
2014-04-17 16:05:50 -07:00
5218 changed files with 396382 additions and 407658 deletions
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or
low in priority, but we will try at least to acknowledge legitimate
bug reports within a week.
ISC's ticketing system is publicly readable; however, you must have
an account to file a new issue. You can either register locally or
use credentials from an existing account at GitHub, GitLab, Google,
Twitter, or Facebook.
### Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
Do not discuss undisclosed security vulnerabilites on any public mailing list.
ISC has a long history of handling reported vulnerabilities promptly and
effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
If you have a crash, you may want to consult
[‘What to do if your BIND or DHCP server has crashed.’](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
### <a name="bugs"></a>Contributing code
BIND is licensed under the
[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to reliquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
#### <a name="bind"></a>BIND code
Patches for BIND may be submitted directly via merge requests in
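Review bot: In the "Contributing code" section the Mozilla Public License 2.0 link and the ISC License link both point to http://www.isc.org/downloads/software-support-policy/isc-license/, so the MPL link looks like a copy of the ISC one and should target the MPL text instead. The heading `### <a name="bugs"></a>Contributing code` also carries the anchor name "bugs", which reads like a leftover from the bug-report section. Spelling in the added text: "vulnerabilites", "Earier" and "reliquish" should be "vulnerabilities", "Earlier" and "relinquish", and the "Earier versions" sentence is missing its final period.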
|`-DISC_MEM_FILL=0`|Don't ovewrite memory when allocating or freeing it; this improves performance but makes debugging more difficult.|
|`-DISC_MEM_TRACKLINES=0`|Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult.|
|<nobr>`-DISC_FACILITY=LOG_LOCAL0`</nobr>|Change the default syslog facility for `named`|
|`-DNS_CLIENT_DROPPORT=0`|Disable dropping queries from particular well-known ports:|
|`-DCHECK_SIBLING=0`|Don't check sibling glue in `named-checkzone`|
|`-DCHECK_LOCAL=0`|Don't check out-of-zone addresses in `named-checkzone`|
|`-DNS_RUN_PID_DIR=0`|Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/{named,lwresd}/`|
|`-DDIG_SIGCHASE=1`|Enable DNSSEC signature chasing support in `dig`. (Note: This feature is deprecated. Use `delv` instead.)|
|`-DNS_RPZ_MAX_ZONES=64`|Increase the maximum number of configurable response policy zones from 32 to 64; this is the highest possible setting|
|`-DISC_HEAP_CHECK`|Test heap consistency after every heap operation; used when debugging|
|`-DISC_BUFFER_USEINLINE=0`|Disable the use of inline functions to implement the `isc_buffer` API: this reduces performance but may be useful when debugging |
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|
|`BUILD_CPPFLAGS`||
|`BUILD_LDFLAGS`||
|`BUILD_LIBS`||
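Review bot: The `-DNS_CLIENT_DROPPORT=0` row ends its description with a colon ("Disable dropping queries from particular well-known ports:") but nothing follows inside the table, so either list the ports in the cell or end the sentence with a period. In the `-DISC_MEM_FILL=0` row "ovewrite" should be "overwrite". The `BUILD_CPPFLAGS`, `BUILD_LDFLAGS` and `BUILD_LIBS` rows have empty description cells; if the `BUILD_CFLAGS` text ("Optional, used for cross-compiling") applies to them as well, repeat it so each row stands on its own.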
#### <a name="macos"> macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/
or if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and other
tools so that they can be easily found.
### <a name="dependencies"/> Dependencies
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
On most platforms, BIND 9 is built with multithreading support, allowing it
to take advantage of multiple CPUs. You can configure this by specifying
`--enable-threads` or `--disable-threads` on the `configure` command line.
The default is to enable threads, except on some older operating systems on
which threads are known to have had problems in the past. (Note: Prior to
BIND 9.10, the default was to disable threads on Linux systems; this has
now been reversed. On Linux systems, the threaded build is known to change
BIND's behavior with respect to file permissions; it may be necessary to
specify a user with the -u option when running `named`.)
To build shared libraries, specify `--with-libtool` on the `configure`
command line.
For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using "--with-openssl=<PREFIX>" on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using "--with-pkcs11=<PREFIX>", and
configure BIND with "--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
[http://xmlsoft.org](http://xmlsoft.org) or json-c
[https://github.com/json-c](https://github.com/json-c). If these are
installed at a nonstandard location, specify the prefix using
`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using "with-lmdb=/prefix".
To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
For DNSTAP packet logging, you must have installed libfstrm
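Review bot: The LMDB paragraph gives the option as "with-lmdb=/prefix" without the leading dashes; it should read `--with-lmdb=/prefix` like every other option in this section. In the GeoIP paragraph, "use specify the prefix" has a stray "use". Option quoting also alternates between backticks (`--with-zlib=/prefix`) and double quotes ("--with-geoip=/prefix") within the same section; pick one. The macOS heading opens `<a name="macos">` without closing it, unlike `<a name="dependencies"/>` and `<a name="opts"/>`.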
| [security] | Fix for a significant security flaw |
| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
| [port] | Portability enhancement |
| [maint] | Updates to built-in data such as root server addresses and keys |
| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
| [performance] | Other changes to improve server performance |
| [protocol] | Updates to the DNS protocol such as new RR types |
| [test] | Changes to the automatic tests, not affecting server functionality |
| [cleanup] | Minor corrections and refactoring |
| [doc] | Documentation |
| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
#### Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form `[RT #NNN]`
and referred to entries in the "bind9-bugs" RT database, which was not open
to the public. More recent entries use the form `[GL #NNN]` or, less often,
`[GL !NNN]`, which, respectively, refer to issues or merge requests in the
Gitlab database. Most of these are publicly readable, unless they include
information which is confidential or security senstive.
To look up a Gitlab issue by its number, use the URL
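Review bot: In the "Bug report identifiers" text, "senstive" should be "sensitive", and "Gitlab" is spelled "GitLab" in the contributing text earlier in this change; use one spelling throughout.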
configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
\fI/etc/named.conf\fR
is read by default.
configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
/etc/named\&.conf
is read by default\&.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
\fIrndc.key\fR
rndc\&.key
and
\fIbind.keys\fR, are not automatically read by
\fBnamed\-checkconf\fR. Configuration errors in these files may cause
bind\&.keys, are not automatically read by
\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful.
was successful\&.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however.
can be run on these files explicitly, however\&.
.SH"OPTIONS"
.PP
\-h
.RS4
Print the usage summary and exit.
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-p
.RS4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS4
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-v
.RS4
Print the version of the
\fBnamed\-checkconf\fR
program and exit.
.RE
.PP
\-p
.RS4
Print out the
\fInamed.conf\fR
and included files in canonical form if no errors were detected.
program and exit\&.
.RE
.PP
\-x
.RS4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks ('?'). This allows the contents of
\fInamed.conf\fR
and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data. This option cannot be used without
\fB\-p\fR.
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
named\&.conf
and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
\fB\-p\fR\&.
.RE
.PP
\-z
.RS4
Perform a test load of all master zones found in
\fInamed.conf\fR.
.RE
.PP
\-j
.RS4
When loading a zonefile read the journal if it exists.
named\&.conf\&.
.RE
.PP
filename
.RS4
The name of the configuration file to be checked. If not specified, it defaults to
\fI/etc/named.conf\fR.
The name of the configuration file to be checked\&. If not specified, it defaults to
/etc/named\&.conf\&.
.RE
.SH"RETURN VALUES"
.PP
\fBnamed\-checkconf\fR
returns an exit status of 1 if errors were detected and 0 otherwise.
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH"SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkzone\fR(8),
BIND 9 Administrator Reference Manual.
\fBnamed-checkzone\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH"AUTHOR"
.PP
Internet Systems Consortium
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
Copyright \(co 2004, 2005, 2007, 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
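Review bot: The SEE ALSO entry `\fBnamed-checkzone\fR(8),` and the copyright range `2000-2002` carry a bare `-`, while the rest of the page escapes hyphens as `\-`; a bare hyphen can be rendered as a typographic hyphen, which breaks copy-and-paste of the command name, so these two should be escaped as well. The lines ending in `\&.` also drop the `\fI...\fR` italics on file names such as /etc/named.conf, rndc.key and bind.keys, and on the `directory` argument of `-t`; if that comes from a stylesheet change in the generator, confirm it is intended, since replaceable arguments are no longer distinguishable from literal text.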
checks the syntax and integrity of a zone file. It performs the same checks as
checks the syntax and integrity of a zone file\&. It performs the same checks as
\fBnamed\fR
does when loading a zone. This makes
does when loading a zone\&. This makes
\fBnamed\-checkzone\fR
useful for checking zone files before configuring them into a name server.
useful for checking zone files before configuring them into a name server\&.
.PP
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file.
configuration file\&.
.SH"OPTIONS"
.PP
\-d
.RS4
Enable debugging.
Enable debugging\&.
.RE
.PP
\-h
.RS4
Print the usage summary and exit.
Print the usage summary and exit\&.
.RE
.PP
\-q
.RS4
Quiet mode \- exit code only.
Quiet mode \- exit code only\&.
.RE
.PP
\-v
.RS4
Print the version of the
\fBnamed\-checkzone\fR
program and exit.
program and exit\&.
.RE
.PP
\-j
.RS4
When loading a zone file, read the journal if it exists. The journal file name is assumed to be the zone file name appended with the string
\fI.jnl\fR.
When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
\&.jnl\&.
.RE
.PP
\-J \fIfilename\fR
.RS4
When loading the zone file read the journal from the given file, if it exists. (Implies \-j.)
When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
.RE
.PP
\-c \fIclass\fR
.RS4
Specify the class of the zone. If not specified, "IN" is assumed.
Specify the class of the zone\&. If not specified, "IN" is assumed\&.
.RE
.PP
\-i \fImode\fR
.RS4
Perform post\-load zone integrity checks. Possible modes are
Perform post\-load zone integrity checks\&. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
\fB"local"\fR,
\fB"local\-sibling"\fR
and
\fB"none"\fR.
\fB"none"\fR\&.
.sp
Mode
\fB"full"\fR
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks MX records which refer to in\-zone hostnames.
only checks MX records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks SRV records which refer to in\-zone hostnames.
only checks SRV records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
.sp
Mode
\fB"full\-sibling"\fR
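Review bot: "refer to A or AAAA record" in the three `"full"` mode paragraphs (MX, SRV and delegation NS) should be plural, "A or AAAA records"; the wording is identical in both versions of each line, so this change is a convenient place to correct it. The `-j` description also loses the italics on the journal suffix (`\fI.jnl\fR.` versus `\&.jnl\&.`), which makes the literal suffix harder to pick out in rendered output.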
@@ -128,26 +134,26 @@ disable sibling glue checks but are otherwise the same as
\fB"full"\fR
and
\fB"local"\fR
respectively.
respectively\&.
.sp
Mode
\fB"none"\fR
disables the checks.
disables the checks\&.
.RE
.PP
\-f \fIformat\fR
.RS4
Specify the format of the zone file. Possible formats are
Specify the format of the zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR.
\fB"map"\fR\&.
.RE
.PP
\-F \fIformat\fR
.RS4
Specify the format of the output file specified. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
Specify the format of the output file specified\&. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
.sp
Possible formats are
\fB"text"\fR
@@ -155,169 +161,169 @@ Possible formats are
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR.
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher; the default is 1.
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-k \fImode\fR
.RS4
Perform
\fB"check\-names"\fR
checks with the specified failure mode. Possible modes are
checks with the specified failure mode\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-l \fIttl\fR
.RS4
Sets a maximum permissible TTL for the input file. Any record with a TTL higher than this value will cause the zone to be rejected. This is similar to using the
Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
\fBmax\-zone\-ttl\fR
option in
\fInamed.conf\fR.
named\&.conf\&.
.RE
.PP
\-L \fIserial\fR
.RS4
When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-m \fImode\fR
.RS4
Specify whether MX records should be checked to see if they are addresses. Possible modes are
Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-M \fImode\fR
.RS4
Check if a MX record refers to a CNAME. Possible modes are
Check if a MX record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-n \fImode\fR
.RS4
Specify whether NS records should be checked to see if they are addresses. Possible modes are
Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-o \fIfilename\fR
.RS4
Write zone output to
\fIfilename\fR. If
\fIfilename\fR
filename\&. If
filename
is
\fI\-\fR
then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
\-
then write to standard out\&. This is mandatory for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-r \fImode\fR
.RS4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-s \fIstyle\fR
.RS4
Specify the style of the dumped zone file. Possible styles are
Specify the style of the dumped zone file\&. Possible styles are
\fB"full"\fR
(default) and
\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
.RE
.PP
\-S \fImode\fR
.RS4
Check if a SRV record refers to a CNAME. Possible modes are
Check if a SRV record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-t \fIdirectory\fR
.RS4
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-T \fImode\fR
.RS4
Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
\-w \fIdirectory\fR
.RS4
chdir to
\fIdirectory\fR
so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
\fInamed.conf\fR.
directory
so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
named\&.conf\&.
.RE
.PP
\-D
.RS4
Dump zone file in canonical format. This is always enabled for
\fBnamed\-compilezone\fR.
Dump zone file in canonical format\&. This is always enabled for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-W \fImode\fR
.RS4
Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
\fB"ignore"\fR\&.
.RE
.PP
zonename
.RS4
The domain name of the zone being checked.
The domain name of the zone being checked\&.
.RE
.PP
filename
.RS4
The name of the zone file.
The name of the zone file\&.
.RE
.SH"RETURN VALUES"
.PP
\fBnamed\-checkzone\fR
returns an exit status of 1 if errors were detected and 0 otherwise.
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH"SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkconf\fR(8),
\fBnamed-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual.
BIND 9 Administrator Reference Manual\&.
.SH"AUTHOR"
.PP
Internet Systems Consortium
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
Copyright \(co 2004\-2007, 2009\-2014 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
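Review bot: in SEE ALSO the regenerated line `\fBnamed-checkconf\fR(8),` drops the `\-` escape that the line it replaces carried and that every other command name on this page keeps, so in a UTF-8 locale the name can render with a typographic hyphen and stop matching a search or a copy-paste of the command. Keep it as `named\-checkconf`. Separately, the rewritten \-T description mixes moods ("Check if ... records exist and issues a warning") and its mode list still reads `"warn" (default), "ignore"` without the "and" the other options use.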
<p><spanclass="application">named-checkzone</span>, <spanclass="application">named-compilezone</span>— zone file validity checking or converting tool</p>
<p>
<spanclass="application">named-checkzone</span>,
<spanclass="application">named-compilezone</span>
— zone file validity checking or converting tool
are invokation methods for a utility that generates keys for use in TSIG signing. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
\fBrndc\fR
command channel.
command channel\&.
.PP
When run as
\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key. If no name is specified, the default is
\fBtsig\-key\fR.
\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
\fBtsig\-key\fR\&.
.PP
When run as
\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
@@ -55,34 +62,34 @@ and
\fBnamed\fR
when setting up dynamic DNS, including an example
\fBupdate\-policy\fR
statement. (This usage similar to the
statement\&. (This usage similar to the
\fBrndc\-confgen\fR
command for setting up command channel security.)
command for setting up command channel security\&.)
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR: it does this when a zone is configured with
\fBupdate\-policy local;\fR.
\fBupdate\-policy local;\fR\&.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system.
is to be used from a remote system\&.
.SH"OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS4
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256. Options are case\-insensitive, and the "hmac\-" prefix may be omitted.
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
.RE
.PP
\-h
.RS4
Prints a short summary of options and arguments.
Prints a short summary of options and arguments\&.
.RE
.PP
\-k \fIkeyname\fR
.RS4
Specifies the key name of the DDNS authentication key. The default is
Specifies the key name of the DDNS authentication key\&. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
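Review bot: the parenthetical "(This usage similar to the rndc\-confgen command for setting up command channel security.)" is still missing its verb after this change; only the `\&` escapes were added. Since the line is being touched anyway, make it "This usage is similar to ...", and fix it in the source the man page is generated from so the next regeneration does not bring the error back.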
@@ -90,62 +97,63 @@ nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e.g.,
\fBddns\-key.example.com.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
as a separate label followed by the argument of the option, e\&.g\&.,
\fBddns\-key\&.example\&.com\&.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
.RE
.PP
\-q
.RS4
(\fBddns\-confgen\fR
only.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
\fBtsig\-keygen\fR.
only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
\fBtsig\-keygen\fR\&.
.RE
.PP
\-r \fIrandomfile\fR
.RS4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
/dev/random
or equivalent device, the default source of randomness is keyboard input\&.
randomdev
specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
keyboard
indicates that keyboard input should be used\&.
.RE
.PP
\-s \fIname\fR
.RS4
(\fBddns\-confgen\fR
only.) Generate configuration example to allow dynamic updates of a single hostname. The example
\fBnamed.conf\fR
only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
\fB\-z\fR
option.
option\&.
.RE
.PP
\-z \fIzone\fR
.RS4
(\fBddns\-confgen\fR
only.) Generate configuration example to allow dynamic updates of a zone: The example
\fBnamed.conf\fR
only\&.) Generate configuration example to allow dynamic updates of a zone: The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR. This option cannot be used with the
\fIzone\fR\&. This option cannot be used with the
\fB\-s\fR
option.
option\&.
.RE
.SH"SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
BIND 9 Administrator Reference Manual\&.
.SH"AUTHOR"
.PP
Internet Systems Consortium
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
Copyright \(co 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2009, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
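Review bot: the \-r option is headed `\-r \fIrandomfile\fR` but its description refers to the argument as "randomdev", and the new lines also drop the `\fI` markup, so "randomdev" and the special value "keyboard" are no longer set apart from the surrounding sentence. Use one name for the argument in both places and keep it marked up as a replaceable value. The same wording appears in the \-r entry of the rndc\-confgen page later in this change and needs the same fix.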
\fBrndc\fR. It can be used as a convenient alternative to writing the
\fIrndc.conf\fR
\fBrndc\fR\&. It can be used as a convenient alternative to writing the
rndc\&.conf
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
\fInamed.conf\fR
by hand. Alternatively, it can be run with the
named\&.conf
by hand\&. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
\fIrndc.key\fR
rndc\&.key
file and avoid the need for a
\fIrndc.conf\fR
rndc\&.conf
file and a
\fBcontrols\fR
statement altogether.
statement altogether\&.
.SH"OPTIONS"
.PP
\-a
.RS4
Do automatic
\fBrndc\fR
configuration. This creates a file
\fIrndc.key\fR
configuration\&. This creates a file
rndc\&.key
in
\fI/etc\fR
/etc
(or whatever
\fIsysconfdir\fR
was specified as when
@@ -73,13 +79,13 @@ was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup. The
\fIrndc.key\fR
on startup\&. The
rndc\&.key
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration.
on the local host with no further configuration\&.
.sp
Running
\fBrndc\-confgen \-a\fR
@@ -87,8 +93,8 @@ allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
\fInamed.conf\fR
file.
named\&.conf
file\&.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
@@ -97,20 +103,20 @@ is required, for example if rndc is to be used remotely, you should run
without the
\fB\-a\fR
option and set up a
\fIrndc.conf\fR
rndc\&.conf
and
\fInamed.conf\fR
as directed.
named\&.conf
as directed\&.
.RE
.PP
\-A \fIalgorithm\fR
.RS4
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-md5.
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-md5 or if MD5 was disabled hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
.RS4
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size.
Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
.RE
.PP
\-c \fIkeyfile\fR
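Review bot: the new \-A sentence "The default is hmac\-md5 or if MD5 was disabled hmac\-sha256" is hard to parse, and it documents rndc\-confgen as still defaulting to hmac\-md5 while the tsig\-keygen page in this same change gives hmac\-sha256 as its default. Suggest "The default is hmac\-md5, or hmac\-sha256 if MD5 was disabled", and a sentence telling operators that they can select the stronger algorithm explicitly with \-A hmac\-sha256, so the difference between the two tools is visible to anyone reading only this page.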
@@ -118,19 +124,19 @@ Specifies the size of the authentication key in bits. Must be between 1 and 512
Used with the
\fB\-a\fR
option to specify an alternate location for
\fIrndc.key\fR.
rndc\&.key\&.
.RE
.PP
\-h
.RS4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR.
\fBrndc\-confgen\fR\&.
.RE
.PP
\-k \fIkeyname\fR
.RS4
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
\fBrndc\-key\fR.
Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
\fBrndc\-key\fR\&.
.RE
.PP
\-p \fIport\fR
@@ -138,18 +144,18 @@ Specifies the key name of the rndc authentication key. This must be a valid doma
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR. The default is 953.
\fBrndc\fR\&. The default is 953\&.
.RE
.PP
\-r \fIrandomfile\fR
.RS4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
Specifies a source of random data for generating the authorization\&. If the operating system does not provide a
/dev/random
or equivalent device, the default source of randomness is keyboard input\&.
randomdev
specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
keyboard
indicates that keyboard input should be used\&.
.RE
.PP
\-s \fIaddress\fR
@@ -157,7 +163,7 @@ indicates that keyboard input should be used.
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR. The default is the loopback address 127.0.0.1.
\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
.RE
.PP
\-t \fIchrootdir\fR
@@ -166,10 +172,10 @@ Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted. An additional copy of the
\fIrndc.key\fR
will run chrooted\&. An additional copy of the
rndc\&.key
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR.
\fBnamed\fR\&.
.RE
.PP
\-u \fIuser\fR
@@ -177,10 +183,10 @@ will be written relative to this directory so that it will be found by the chroo
Used with the
\fB\-a\fR
option to set the owner of the
\fIrndc.key\fR
file generated. If
rndc\&.key
file generated\&. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed.
is also specified only the file in the chroot area has its owner changed\&.
.RE
.SH"EXAMPLES"
.PP
@@ -191,13 +197,13 @@ to be used with no manual configuration, run
\fBrndc\-confgen \-a\fR
.PP
To print a sample
\fIrndc.conf\fR
rndc\&.conf
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
\fInamed.conf\fR, run
named\&.conf, run
.PP
\fBrndc\-confgen\fR
.SH"SEE ALSO"
@@ -205,12 +211,11 @@ statements to be manually inserted into
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
BIND 9 Administrator Reference Manual\&.
.SH"AUTHOR"
.PP
Internet Systems Consortium
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
Copyright \(co 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
.PP
Unless it is told to query a specific name server,
\fBdelv\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.PP
When no command line arguments or options are given,
\fBdelv\fR
will perform an NS query for "\&." (the root zone)\&.
.SH"SIMPLE USAGE"
.PP
A typical invocation of
\fBdelv\fR
looks like:
.sp
.ifn\{\
.RS4
.\}
.nf
delv @server name type
.fi
.ifn\{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelv\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC)\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdelv\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.RE
.PP
\fBname\fR
.RS4
is the domain name to be looked up\&.
.RE
.PP
\fBtype\fR
.RS4
indicates what type of query is required \(em ANY, A, MX, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdelv\fR
will perform a lookup for an A record\&.
.RE
.SH"OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS4
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&. DNSSEC Lookaside Validation can also be turned on by using the
\fB+dlv=NAME\fR
to specify the name of a zone containing DLV records\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically\&. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported\&.
\fBdelv\fR
will not consult the managed\-keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
/etc/bind\&.keys
to use DNSSEC validation in
\fBdelv\fR\&.
.RE
.PP
\-b \fIaddress\fR
.RS4
Sets the source IP address of the query to
\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS4
Sets the query class for the requested data\&. Currently, only class "IN" is supported in
\fBdelv\fR
and any other value is ignored\&.
.RE
.PP
\-d \fIlevel\fR
.RS4
Set the systemwide debug level to
\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
\fBdelv\fR
become more verbose as the debug level increases\&. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details\&.
.RE
.PP
\-h
.RS4
Display the
\fBdelv\fR
help usage output and exit\&.
.RE
.PP
\-i
.RS4
Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelv\fR
to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR\&.)
.RE
.PP
\-m
.RS4
Enables memory usage debugging\&.
.RE
.PP
\-p \fIport#\fR
.RS4
Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS4
Sets the query name to
\fIname\fR\&. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
.RE
.PP
\-t \fItype\fR
.RS4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
.RE
.PP
\-v
.RS4
Print the
\fBdelv\fR
version and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS4
Performs a reverse lookup, mapping an addresses to a name\&.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments\&.
\fBdelv\fR
automatically performs a lookup for a name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-4
.RS4
Forces
\fBdelv\fR
to only use IPv4\&.
.RE
.PP
\-6
.RS4
Forces
\fBdelv\fR
to only use IPv6\&.
.RE
.SH"QUERY OPTIONS"
.PP
\fBdelv\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. The query options are:
.PP
\fB+[no]cdflag\fR
.RS4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelv\fR
can then validate internally and report the errors in detail\&.
.RE
.PP
\fB+[no]class\fR
.RS4
Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
.RE
.PP
\fB+[no]ttl\fR
.RS4
Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
.RE
.PP
\fB+[no]rtrace\fR
.RS4
Toggle resolver fetch logging\&. This reports the name and type of each query sent by
\fBdelv\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]mtrace\fR
.RS4
Toggle message logging\&. This produces a detailed dump of the responses received by
\fBdelv\fR
in the process of carrying out the resolution and validation process\&.
.sp
This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]vtrace\fR
.RS4
Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
.sp
This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]short\fR
.RS4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
.RE
.PP
\fB+[no]comments\fR
.RS4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
.RE
.PP
\fB+[no]crypto\fR
.RS4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]trust\fR
.RS4
Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
.RE
.PP
\fB+[no]split[=W]\fR
.RS4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]all\fR
.RS4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group\&.
.RE
.PP
\fB+[no]multiline\fR
.RS4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelv\fR
output\&.
.RE
.PP
\fB+[no]dnssec\fR
.RS4
Indicates whether to display RRSIG records in the
\fBdelv\fR
output\&. The default is to do so\&. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The
\fB\-a\fR
option must also be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.SH"FILES"
.PP
/etc/bind\&.keys
.PP
/etc/resolv\&.conf
.SH"SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155\&.
.SH"AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH"COPYRIGHT"
.br
Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC")
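Review bot: in the \-a note, "if either of the keys in /etc/bind.keys is revoked and rolled over" presumes exactly two keys, but the same option now describes the file as containing "one or more trust anchors for the root zone"; reword to "if any of the keys" so the maintenance instruction matches the description. In \-t, the sentence ending "when they are ambiguous" is followed by a stray fragment, "it is sometimes necessary to disambiguate names from types", which reads like leftover text from \-q and should be dropped. Smaller wording slips in the new page: "mapping an addresses to a name" (\-x), "this includes including the original query" and "will product the same output" (+rtrace), and "\-q" used without the word "option" in its own description.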
(Domain Entity Lookup & Validation Engine) is a tool for sending DNS queries and validating the results, using the the same internal resolver and validator logic as
\fBnamed\fR.
.PP
\fBdelve\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org"). Records returned by
\fBdelve\fR
are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because
\fBdelve\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.
.PP
Unless it is told to query a specific name server,
\fBdelve\fR
will try each of the servers listed in
\fI/etc/resolv.conf\fR. If no usable server addresses are found,
\fBdelve\fR
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.PP
When no command line arguments or options are given,
\fBdelve\fR
will perform an NS query for "." (the root zone).
.SH"SIMPLE USAGE"
.PP
A typical invocation of
\fBdelve\fR
looks like:
.sp
.RS4
.nf
delve @server name type
.fi
.RE
.sp
where:
.PP
\fBserver\fR
.RS4
is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelve\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC).
.sp
If no
\fIserver\fR
argument is provided,
\fBdelve\fR
consults
\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
\fBdelve\fR
will send queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
.RE
.PP
\fBname\fR
.RS4
is the domain name to be looked up.
.RE
.PP
\fBtype\fR
.RS4
indicates what type of query is required \(em ANY, A, MX, etc.
\fItype\fR
can be any valid query type. If no
\fItype\fR
argument is supplied,
\fBdelve\fR
will perform a lookup for an A record.
.RE
.SH"OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS4
Specifies a file from which to read DNSSEC trust anchors. The default is
\fI/etc/bind.keys\fR, which is included with
BIND
9 and contains trust anchors for the root zone (".") and for the ISC DNSSEC lookaside validation zone ("dlv.isc.org").
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
\fB+root=NAME\fR
options.
.sp
Note: When reading the trust anchor file,
\fBdelve\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported.
\fBdelve\fR
will not consult the managed\-keys database maintained by
\fBnamed\fR. This means that if either of the keys in
\fI/etc/bind.keys\fR
is revoked and rolled over, it will be necessary to update
\fI/etc/bind.keys\fR
to use DNSSEC validation in
\fBdelve\fR.
.RE
.PP
\-b \fIaddress\fR
.RS4
Sets the source IP address of the query to
\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS4
Sets the query class for the requested data. Currently, only class "IN" is supported in
\fBdelve\fR
and any other value is ignored.
.RE
.PP
\-d \fIlevel\fR
.RS4
Set the systemwide debug level to
\fBlevel\fR. The allowed range is from 0 to 99. The default is 0 (no debugging). Debugging traces from
\fBdelve\fR
become more verbose as the debug level increases. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details.
.RE
.PP
\-h
.RS4
Display the
\fBdelve\fR
help usage output and exit.
.RE
.PP
\-i
.RS4
Insecure mode. This disables internal DNSSEC validation. (Note, however, this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelve\fR
to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR.)
.RE
.PP
\-m
.RS4
Enables memory usage debugging.
.RE
.PP
\-p \fIport#\fR
.RS4
Specifies a destination port to use for queries instead of the standard DNS port number 53. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number.
.RE
.PP
\-q \fIname\fR
.RS4
Sets the query name to
\fIname\fR. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH).
.RE
.PP
\-t \fItype\fR
.RS4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous. it is sometimes necessary to disambiguate names from types.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR".
.RE
.PP
\-v
.RS4
Print the
\fBdelve\fR
version and exit.
.RE
.PP
\-x \fIaddr\fR
.RS4
Performs a reverse lookup, mapping an addresses to a name.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments.
\fBdelve\fR
automatically performs a lookup for a name like
11.12.13.10.in\-addr.arpa
and sets the query type to PTR. IPv6 addresses are looked up using nibble format under the IP6.ARPA domain.
.RE
.PP
\-4
.RS4
Forces
\fBdelve\fR
to only use IPv4.
.RE
.PP
\-6
.RS4
Forces
\fBdelve\fR
to only use IPv6.
.RE
.SH"QUERY OPTIONS"
.PP
\fBdelve\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed.
.PP
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
\fB+keyword=value\fR. The query options are:
.PP
\fB+[no]cdflag\fR
.RS4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelve\fR. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelve\fR
can then validate internally and report the errors in detail.
.RE
.PP
\fB+[no]class\fR
.RS4
Controls whether to display the CLASS when printing a record. The default is to display the CLASS.
.RE
.PP
\fB+[no]ttl\fR
.RS4
Controls whether to display the TTL when printing a record. The default is to display the TTL.
.RE
.PP
\fB+[no]rtrace\fR
.RS4
Toggle resolver fetch logging. This reports the name and type of each query sent by
\fBdelve\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]mtrace\fR
.RS4
Toggle message logging. This produces a detailed dump of the responses received by
\fBdelve\fR
in the process of carrying out the resolution and validation process.
.sp
This is equivalent to setting the debug level to 10 for the the "packets" module of the "resolver" logging category. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]vtrace\fR
.RS4
Toggle validation logging. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid.
.sp
This is equivalent to setting the debug level to 3 for the the "validator" module of the "dnssec" logging category. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well).
.RE
.PP
\fB+[no]short\fR
.RS4
Provide a terse answer. The default is to print the answer in a verbose form.
.RE
.PP
\fB+[no]comments\fR
.RS4
Toggle the display of comment lines in the output. The default is to print comments.
.RE
.PP
\fB+[no]rrcomments\fR
.RS4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is to print per\-record comments.
.RE
.PP
\fB+[no]crypto\fR
.RS4
Toggle the display of cryptographic fields in DNSSEC records. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e.g. "[ key id = value ]".
.RE
.PP
\fB+[no]trust\fR
.RS4
Controls whether to display the trust level when printing a record. The default is to display the trust level.
.RE
.PP
\fB+[no]split[=W]\fR
.RS4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4).
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
.RE
.PP
\fB+[no]all\fR
.RS4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group.
.RE
.PP
\fB+[no]multiline\fR
.RS4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelve\fR
output.
.RE
.PP
\fB+[no]dnssec\fR
.RS4
Indicates whether to display RRSIG records in the
\fBdelve\fR
output. The default is to do so. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a trust anchor of "." (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor. The default is to perform lookaside validation using a trust anchor of "dlv.isc.org", for which there is a built\-in key. If specifying a different name, then
\fB\-a\fR
must be used to specify a file containing the DLV key.
.RE
.SH"FILES"
.PP
\fI/etc/bind.keys\fR
.PP
\fI/etc/resolv.conf\fR
.SH"SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155.
.SH"COPYRIGHT"
Copyright \(co 2014 Internet Systems Consortium, Inc. ("ISC")
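Review bot: the -t option text ends with a leftover fragment. After "this is useful to distinguish query name type or class when they are ambiguous." it continues "it is sometimes necessary to disambiguate names from types.", which is lowercase and repeats the -q wording, so the fragment should be dropped. The same page also has "the the" (in the introduction and in the +mtrace and +vtrace paragraphs), "this includes including" and "will product the same output" under +rtrace, "mapping an addresses" under -x, "these field" under +crypto, and no full stop after "#<port>" under -b. Separately, the -i note sends readers to dig +cd although +[no]cdflag is documented further down in this page; should -i cross-reference +cdflag as well?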
File diff suppressed because it is too large
Some files were not shown because too many files have changed in this diff