Dealing with OpenSSL has been rapidly turning into an unwieldy situation
as post-3.0 changes turn the library into a different beast.
Start treating pre- and post-3.0 versions differently for easier
maintenance.
`dns_rdataset_clone()` now takes a const source rdataset. Also,
`dns_rdataset_isassociated()` takes a const rdataset.
Merge branch 'colin/rdataset-const' into 'main'
See merge request isc-projects/bind9!11462
ANY queries are widely abused by attackers doing reflection attacks as
they return the largest answers. Enable minimal ANY answers by default
to reduce the attack surface of the DNS servers.
Closes #5723
Merge branch '5723-change-minimal_any-default-to-yes' into 'main'
See merge request isc-projects/bind9!11505
ANY queries are widely abused by attackers doing reflection attacks as
they return the largest answers. Enable minimal ANY answers by default
to reduce the attack surface of the DNS servers.
These functions don't need to be called from multiple places and
by making them static we will detect when they are not added to the
list of functions to be tested.
Closes #5715
Merge branch '5715-isc_run_test_impl-should-use-a-static-declaration' into 'main'
See merge request isc-projects/bind9!11480
These functions don't need to be called from multiple places and
by making them static we will detect when they are not added to the
list of functions to be tested.
Use isc_one_or_more and isc_zero_or_more rather than (-2) and
(-1) when calling isc_base64_tobuffer. Similarly for
isc_hex_tobuffer. This should help reduce the probability
that the wrong number is used and it makes the intent clearer.
Closes #5713
Merge branch '5713-use-macros-with-isc_base64_tobuffer-and-isc_hex_tobuffer' into 'main'
See merge request isc-projects/bind9!11479
This adds the following enum isc_one_or_more and isc_zero_or_more
which specify if one or more or zero or more bytes are required
when reading the unbounded base64 / hex encoded data.
If a response policy zone (RPZ) or a catalog zone contained an
`$INCLUDE` directive, then manually reloading that zone could
fail to process the changes in the response policy or in the
catalog, respectively. This has been fixed.
Closes #5714
Merge branch '5714-zone_loaddone-rpz-and-catz-bugfix' into 'main'
See merge request isc-projects/bind9!11489
The zone_loaddone() function disables database notifications for
catalog zones and response policy zones (RPZ) when loading had
failed. However, the 'result != ISC_R_SUCCESS' check is insufficient,
because the DNS_R_SEENINCLUDE result also indicates success.
Add a second condition for the "if" block.
If the system_test_dir contains a symlink, then it might cause issues
further down when using relative_to(), unless it is resolved first. This
has been observed on FreeBSD13 in CI where /home is a symlink to
/usr/home.
Merge branch 'nicki/pytest-freebsd13-artifacts-path' into 'main'
See merge request isc-projects/bind9!11490
If the system_test_dir contains a symlink, then it might cause issues
further down when using relative_to(), unless it is resolved first. This
has been observed on FreeBSD13 in CI where /home is a symlink to
/usr/home.
Fix bugs in BRID and HHIT implementation and enable
the unit tests.
Closes #5710
Merge branch '5710-fix-hhit-and-brid-issues' into 'main'
See merge request isc-projects/bind9!11491
When the dumpdb command is executed, it might take a while until the file is
written. Rather than checking the file once, use the WatchLog mechanism
to allow the desired line to appear before a timeout happens.
This affected test_validation_recovery and test_cache tests which have
been intermittently failing on EL8 in our CI.
Merge branch 'nicki/fix-dnssec-test-dumpdb-race' into 'main'
See merge request isc-projects/bind9!11487
When the dumpdb command is executed, it might take a while until the file is
written. Rather than checking the file once, use the WatchLog mechanism
to allow the desired line to appear before a timeout happens.
This affected test_validation_recovery and test_cache tests which have
been intermittently failing on EL8 in our CI.
Turns out the original ans.pl implementation before (!10928) was a copy
of an old version of the ans2 server from the resolver system test.
I reimplemented it fully, even though only two ResponseHandlers are
actually used in the statistics test.
Store the most specific matching domain in DomainHandler and
expose it through the `matched_domain` property for subclasses
to use in their implementations of `get_responses`.
Additionally, the test was badly implemented. This has been fixed.
Closes #5712
Merge branch '5712-unit-test-tsig_badsig-was-not-being-called' into 'main'
See merge request isc-projects/bind9!11478
When creating the `DSYNC` record from a structure, `uint16_tobuffer` was used instead of `uint8_tobuffer` when adding the scheme, causing a `DSYNC` record that was one octet too long. This has been fixed.
Closes #5711
Merge branch '5711-dsync_fromstruct-produces-an-invalid-record' into 'main'
See merge request isc-projects/bind9!11477
uint16_tobuffer was used instead of uint8_tobuffer when adding the
scheme to the buffer. This produced a record that was one octet
too long. This has been fixed.
When building the NSEC rdata, lowercase the next owner name before
storing it in the Next Domain Name Field.
Note that this is not required according to RFC 6840, but since there
is inconsistency in the documents over time, having uppercase next
owner names in the NSEC records may cause validation failures if
validators are not following RFC 6840.
Closes #5702
Merge branch '5702-lowercase-nsec-next-owner-name' into 'main'
See merge request isc-projects/bind9!11442
When building the NSEC rdata, lower case the next owner name before
storing it in the Next Domain Name Field.
Note that this is not required according to RFC 6840, Section 5.1:
When canonicalizing DNS names (for both ordering and signing), DNS
names in the RDATA section of NSEC resource records are not converted
to lowercase. DNS names in the RDATA section of RRSIG resource
records are converted to lowercase.
The guidance in the above paragraph differs from what has been
published before but is consistent with current common practice.
Item 3 of Section 6.2 of [RFC4034] says that names in both of these
RR types should be converted to lowercase. The earlier [RFC3755]
says that they should not.
Since there is inconsistency in the documents over time, having
uppercase next owner names in the NSEC records may cause validation
failures if validators are not implementing RFC 6840.
Also, RFC 4034 section 6.2 is not about how NSEC record content is
created, but how RRset content is normalized in order to produce and
validate RRSIG records for a given RRset. Since the next owner name
of the NSEC record is about ordering, and the canonical DNS name order
requires that uppercase US-ASCII letters must be treated as if they
were lowercase US-ASCII letters, case is not meaningful for NSEC
next owner names, as it cannot be compressed on the wire, so we may
lowercase the next owner name in the NSEC rdata before signing, being
more kind to validators.
Some CI jobs spend more time pulling the docker image and setting up their environment than running the script. This MR adds a tag `smalljob` to jobs considered lightweight in order to run them on a dedicated small VM.
Merge branch 'andoni/try-small-vm-for-lightweight-ci-jobs' into 'main'
See merge request isc-projects/bind9!11266
Jobs using the "post_merge" and "manual_release_job_qa" anchors also
complete in less than a minute, so they now include the "smalljob" tag.
Since the "release" job is also a fast one, but without an anchor, the
"smalljob" tag is added to its definition.
Move CI stage "other-checks" right after "quick-checks" and get the jobs
in it as close to each other as possible in .gitlab-ci.yml.
Since no job is allowed to depend (via "needs") on any job that is
assigned to a stage later than its own, move the "tsan:stress" and
"gcov" jobs to the "system" stage.