In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
(cherry picked from commit 4ed6c4e4e7)
Move some scripts to the QA repo, rename others to adhere to the snake-case Python convention.
Partial backport of MR !11499
Merge branch 'backport-stepan/python-tooling-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11575
Cloning to a stable location allows clearer handling of paths when
calling scripts from CI jobs.
`unit:gcc:tarball` and `system:gcc:tarball` do `cd bind-*` in
`before_script` which led to the `bind9-qa` directory ending up in
a different place in exactly these two jobs and that made reasoning
about paths in `.system_test_common` and `.unit_test_common` tricky.
(cherry picked from commit 482c1cc72f)
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack. This has been
fixed.
Closes #5749
Backport of MR !11553
Merge branch 'backport-5749-fix-OOB-read-in-isdelegation-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11595
Adds text and wire format unit tests to verify the newly enforced
maximum NSEC3 hash length constraints. These tests ensure that hash
lengths up to the 39-byte maximum are accepted, while larger sizes
correctly fail.
(cherry picked from commit e83a182056)
NSEC3 hashes are required to fit within a single DNS label. Since there
are 5 bits per label byte without pad characters, the maximum hash size
is floor(63*5/8) (39 bytes).
This patch enforces this maximum length for unknown algorithms, while
strictly enforcing the exact expected digest length for known algorithms
like SHA-1.
(cherry picked from commit 3801d0ebbf)
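An added example of the length rule the commit message above describes, not code from BIND 9 or from the referenced commits: it parses NSEC3 RDATA in the RFC 5155 layout and refuses to copy the next hashed owner name unless the hash length is exactly 20 for SHA-1 or at most floor(63*5/8) = 39 for any other algorithm. The function names, result codes, sample RDATA and the rejection of a zero-length hash are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LABEL_LEN 63                        /* octets in one DNS label */
#define MAX_HASH_LEN ((MAX_LABEL_LEN * 5) / 8)  /* floor(63*5/8) = 39 */
#define ALG_SHA1 1
#define SHA1_LEN 20

/* Hypothetical result codes for this example. */
enum { NSEC3_OK = 0, NSEC3_TRUNCATED = -1, NSEC3_BAD_HASH_LEN = -2 };

/* Parse NSEC3 RDATA (RFC 5155: alg, flags, iterations, salt len, salt,
 * hash len, next hashed owner) and copy the hash into a fixed buffer. */
int nsec3_next_hash(const uint8_t *rd, size_t len,
                    uint8_t out[MAX_HASH_LEN], size_t *out_len) {
    if (len < 5) return NSEC3_TRUNCATED;
    size_t pos = 5 + (size_t)rd[4];              /* skip header and salt */
    if (pos >= len) return NSEC3_TRUNCATED;      /* no hash length octet */
    size_t hash_len = rd[pos++];
    /* Validate before any copy: the length octet can claim up to 255,
     * far more than the 39-octet destination buffer holds. */
    if (rd[0] == ALG_SHA1 ? hash_len != SHA1_LEN
                          : (hash_len == 0 || hash_len > MAX_HASH_LEN))
        return NSEC3_BAD_HASH_LEN;
    if (len - pos < hash_len) return NSEC3_TRUNCATED;
    memcpy(out, rd + pos, hash_len);
    *out_len = hash_len;
    return NSEC3_OK;
}

/* Build constructed RDATA (2-octet salt, filler hash, no type bitmaps;
 * `cut` drops trailing octets) and run it through the parser.
 * Returns the accepted hash length, or a negative result code. */
int check(uint8_t alg, uint8_t hash_len, size_t cut) {
    uint8_t rd[8 + 255] = { alg, 0, 0, 10, 2, 0xAB, 0xCD, hash_len };
    uint8_t out[MAX_HASH_LEN];
    size_t out_len = 0, total = 8 + (size_t)hash_len;
    memset(rd + 8, 0x11, hash_len);
    int r = nsec3_next_hash(rd, total - cut, out, &out_len);
    return r == NSEC3_OK ? (int)out_len : r;
}

int main(void) { return check(ALG_SHA1, SHA1_LEN, 0) == SHA1_LEN ? 0 : 1; }
```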
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack. This patch
fixes the issue by skipping NSEC3 records with an oversized hash length
during validation.
(cherry picked from commit 67b4fb56e4)
In the last few years, the capabilities of coding tools have exploded.
As those capabilities have expanded, contributors and maintainers have
more and more questions about how and when to apply those capabilities.
Add new documentation to guide contributors on how to best use BIND 9
development tools, new and old.
In short: Please show your work and make sure your contribution is
easy to review.
This has been adopted from the Linux Kernel guidelines.
Backport of MR !11447
Merge branch 'backport-ondrej/clarify-the-use-of-tools-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11582
In the last few years, the capabilities of coding tools have exploded.
As those capabilities have expanded, contributors and maintainers have
more and more questions about how and when to apply those capabilities.
Add new documentation to guide contributors on how to best use BIND 9
development tools, new and old.
In short: Please show your work and make sure your contribution is
easy to review.
This has been adopted from the Linux Kernel guidelines.
(cherry picked from commit 3fe2215afb)
Closes #5730
Backport of MR !11526
Merge branch 'backport-5730-document-query-options-order-sensitive-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11543
In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of
memory if dns_name_fromtext() would theoretically fail. This would
require a Kerberos principal with an invalid DNS name.
Closes #5737
Backport of MR !11536
Merge branch 'backport-5737-memory-leak-in-dst_gssapi_acceptctx-on-dns_name_fromtext-failure-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11538
In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of
memory if dns_name_fromtext() would theoretically fail. This would
require a Kerberos principal with an invalid DNS name.
(cherry picked from commit 3ad87f1ad6)
Add two short records to example.com.db that cause assertion failures
when converted to wire form.
The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.
Update the relevant unit tests with 1-byte records.
Co-authored-by: Mark Andrews <marka@isc.org>
Closes #5616
Backport of MR !11522
Merge branch 'backport-5616-add-brid-hhit-towire-tests-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11524
Add two short records to example.com.db that cause assertion failures
when converted to wire form.
The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.
Update the relevant unit tests with 1-byte records.
Co-authored-by: Mark Andrews <marka@isc.org>
(cherry picked from commit ce1d68cbc5)
These functions don't need to be called from multiple places and
by making them static we will detect when they are not added to the
list of functions to be tested.
Closes #5715
Backport of MR !11480
Merge branch 'backport-5715-isc_run_test_impl-should-use-a-static-declaration-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11503
These functions don't need to be called from multiple places and
by making them static we will detect when they are not added to the
list of functions to be tested.
(cherry picked from commit 22d664aa15)
If the system_test_dir contains a symlink, then it might cause issues
further down when using relative_to(), unless it is resolved first. This
has been observed on FreeBSD13 in CI where /home is a symlink to
/usr/home.
Backport of MR !11490
Merge branch 'backport-nicki/pytest-freebsd13-artifacts-path-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11495
If the system_test_dir contains a symlink, then it might cause issues
further down when using relative_to(), unless it is resolved first. This
has been observed on FreeBSD13 in CI where /home is a symlink to
/usr/home.
(cherry picked from commit b1e3469059)
Fix bugs in BRID and HHIT implementation and enable
the unit tests.
Closes #5710
Backport of MR !11491
Merge branch 'backport-5710-fix-hhit-and-brid-issues-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11493
When creating the `DSYNC` record from a structure, `uint16_tobuffer` was used instead of `uint8_tobuffer` when adding the scheme, causing a `DSYNC` record that was one octet too long. This has been fixed.
Closes #5711
Backport of MR !11477
Merge branch 'backport-5711-dsync_fromstruct-produces-an-invalid-record-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11484
uint16_tobuffer was used instead of uint8_tobuffer when adding the
scheme to the buffer. This produced a record that was one octet
too long. This has been fixed.
(cherry picked from commit 3180e50459)
Some CI jobs spend more time pulling the docker image and setting up their environment than running the script. This MR adds a tag `smalljob` to jobs considered lightweight in order to run them on a dedicated small VM.
Backport of MR !11266
Merge branch 'backport-andoni/try-small-vm-for-lightweight-ci-jobs-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11482
Jobs using the "post_merge" and "manual_release_job_qa" anchors also
complete in less than a minute, so they now include the "smalljob" tag.
Since the "release" job is also a fast one, but without an anchor, the
"smalljob" tag is added to its definition.
The "autoconf_job" definition also includes the tag and it is kept in its
own stage.
(cherry picked from commit e9f2b7944e)
In .gitlab-ci.yml, since "&other_checks_job" has "needs: []", remove
that line from the jobs that use that anchor.
(cherry picked from commit 66175b448c)
Most jobs in this stage have it by default, so it makes sense to
add it to their common anchor. Jobs with different "needs:" will
override it.
(cherry picked from commit 432b7d7954)
Given the short runtime (<1min) of the "linkcheck" and
"generate-tsan-stress-test-configs" CI jobs, move them to the
"quick-checks" stage.
(cherry picked from commit ae76829157)
Move CI stage "other-checks" right after "quick-checks" and get the jobs
in it as close to each other as possible in .gitlab-ci.yml.
Since no job is allowed to depend (via "needs") on any job that is
assigned to a stage later than its own, move the "tsan:stress" and
"gcov" jobs to the "system" stage.
(cherry picked from commit 4f89d32bff)
Jobs with more than one minute of runtime are not considered for the
small VM.
The "tarball-create" job goes to the more appropriate "build" stage.
"coccinelle" and "checkbashisms" are moved to the generic
"other-checks".
(cherry picked from commit ba5844a1de)
Rename the "postcheck" CI stage to the more generic "other-checks".
Slower jobs that still run in autoscaled runners belong here, as opposed
to the lightweight ones in "quick-checks".
(cherry picked from commit 6d442c4a06)
Most jobs in the "precheck" stage spend more time setting up their
environment than running the script (seconds), this allows us to add a
small always on dedicated runner instead of the autoscaled ones.
Hence, the stage is renamed to "quick-checks", and a tag "smalljob" is
added to the anchor so that these jobs are picked by the dedicated
runner.
(cherry picked from commit 9aa5041a88)