We do not want to re-release tags we create in the private project
anyway. Moreover, pushing tags back into the public project after release
caused GitLab to create tag pipelines which never finished, which was
only a confusing thing.
(cherry picked from commit 675d9c7425)
Push without merge request reference on top happens when merging tags
back into the public project so these failures would produce log noise.
(cherry picked from commit 545ef542a1)
As an additional perk, I hope JOB_ID will make it easier to debug if
something goes wrong with automated commits.
(cherry picked from commit 43b9628955)
Indicate in the `rndc showzone` documentation that this command requires the configuration option `allow-new-zones` to be `true`.
Merge branch 'colin/rndc-showzone-doc' into 'bind-9.20'
See merge request isc-projects/bind9!11118
Reimplement the custom server written in Perl in Python using the AsyncDnsServer class.
Backport of MR !10915
Merge branch 'backport-stepan/nsupdate-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11140
Add a TCP connection handler, IgnoreAllConnections, that allows
establishing a TCP connection but not reading anything from it.
This re-uses the horrible hack from ConnectionReset handler and might
break at any point in the future.
See the comments and e407888507 for more
details.
(cherry picked from commit 4042b805ff)
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
Closes #5567
Backport of MR !11115
Merge branch 'backport-5567-spatch-detect-more-error-conditions-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11133
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
(cherry picked from commit 44d1a97870)
Previously, dnssec-verify exited with code 0 if the options could not be parsed. This has been fixed.
Closes #5574
Backport of MR !11106
Merge branch 'backport-5574-dnssec-verify-uses-exit-code-0-when-failing-due-to-illegal-option-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11129
The :iscman:`dnssec-keygen` utility program failed to detect
possible Key ID collisions with the existing keys generated
using the non-default ``-T KEY`` option (e.g. for ``SIG(0)``).
This has been fixed.
Closes #5506
Backport of MR !11047
Merge branch 'backport-5506-dnssec-keygen-sig0-keys-collision-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11128
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells which type of keys the caller is
currently interested in.
(cherry picked from commit 49b7ce9a54)
During the system test execution, allow use of module-specific setup()
function in addition to the setup.sh script which this function should
ultimately replace.
The purpose of setup() is two-fold. First, it can execute any commands
needed to create the initial conditions for the test, such as creating
key materials, manipulating files etc. Second, it should return any
test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Backport of MR !10983
Merge branch 'backport-nicki/pytest-add-python-setup-func-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11126
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
(cherry picked from commit 377724c26d)
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.
In the tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
(cherry picked from commit fb4345afd4)
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.
The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
(cherry picked from commit 7474d38295)
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes #5581
Backport of MR !11109
Merge branch 'backport-5581-parse_dnskey-in-lib-dns-skr-c-was-failing-to-reset-comments-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11113
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit a949184eb7)
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
(cherry picked from commit 2d0fb3f25d)
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Backport of !865
Closes isc-projects/bind9#5343
Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling-9.20' into 'v9.20.15-release'
See merge request isc-private/bind9!866
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
(cherry picked from commit 7b26176c46)
Expect created.* and unused.* files at the end of running
the multisigner test.
Closes #5565
Backport of MR !11089
Merge branch 'backport-5565-multisigner-test-can-leave-created-and-unused-files-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11102
`nextpart file | grep -q` doesn't work as expected. `grep -q` is not
required to read all of the input and that causes `nextpart` to fail.
Closes #5566
Backport of MR !11090
Merge branch 'backport-5566-nextpart-piped-to-grep-q-doesn-t-work-as-expected-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11092
'nextpart file | grep -q' doesn't work as expected. 'grep -q' is not
required to read all of the input and that causes 'nextpart' to fail.
(cherry picked from commit 5beba4d292)
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes #5564
Backport of MR !11088
Merge branch 'backport-5564-fix-bug-in-skr-c-parse_rr-on-error-path-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11091
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit e5ceda617d)
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Backport of MR !11064
Merge branch 'backport-matthijs-clarify-import-key-dnssec-policy-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11078
You should not use dnssec-importkey to import DNSKEY records from
other providers (for example when setting up multi-signer).
Clarify this in the manpage.
(cherry picked from commit 4df536e0dc)
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Backport of MR !11066
Merge branch 'backport-5554-disable-keyfromlabel-collision-avoidance-in-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11074
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
(cherry picked from commit 2ecbe46e0d)