When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes#5491
Backport of MR !10890
Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10931
Do not insert a NUL into ip_str too early as the full value
is needed later. Only insert the NUL immediately before
displaying just the prefix string.
(cherry picked from commit 283da99f02)
Mark the :any:`tkey-domain` statement as deprecated since it is only
used by code implementing TKEY Mode 2 (Diffie-Hellman), which was
removed from newer BIND 9 branches.
See #4204
Merge branch '4204-deprecate-tkey-domain' into 'bind-9.18'
See merge request isc-projects/bind9!10783
Mark the "tkey-domain" statement as deprecated since it is only used by
code implementing TKEY Mode 2 (Diffie-Hellman), which was removed from
newer BIND 9 branches.
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Backport of MR !10782
Merge branch 'backport-4204-deprecate-tkey-gssapi-credential-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10925
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
(cherry picked from commit 6de435c528)
Clang 20 was spuriously warning about the possibility of passing a NULL file pointer
to `fprintf()`, which uses the 'nonnull' attribute. To silence the warning, the functions
calling `fprintf()` have been marked with the same attribute to assure that NULL can't be
passed to them in the first place.
Close#5487
Backport of MR !10888
Merge branch 'backport-5487-mark-passed-file-pointer-as-nonnull-in-dnssec-signzone-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10914
Clang 20 is complaining about passing NULL to an argument with 'nonnull'
attribute. Mark these two functions with the same attribute to assure
that these two function also don't accept NULL as an argument.
(cherry picked from commit 9e350c1774)
Clarify that forwarding points to a resolver and stub to auths.
Add cross-links. Rewrite stub zone type description.
(cherry picked from commit e84b98a9fc)
Under certain circumstances, BIND 9 can return SERVFAIL when updating
existing entries in the cache with new NS, A, AAAA, or DS records with 0-TTL.
Closes#5294
Backport of MR !10897
Merge branch 'backport-5294-preserve-ZEROTTL-on-cache-update-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10899
Under certain circumstances, cache entries with equivalent rdataset
might not get replaced. Previously such entry would get preserved
regardless of the new TTL and expire time on the existing header would
get updated when the expire time was less than the expire time on the
existing header. Change the logic to preserve the existing header only
if the new expire time is larger than the existing one and replace the
existing cache entry when the new expire time is less than the existing
one.
Co-authored-by: Jinmei Tatuya <jtatuya@infoblox.com>
(cherry picked from commit 9f7ba584cf)
Previously, BIND 9 would drop the ZEROTTL attribute when updating
previously cached NS entry with ZEROTTL attribute set.
Co-authored-by: Jinmei Tatuya <jtatuya@infoblox.com>
(cherry picked from commit 982ca161c2)
Add and apply InsertBraces statement to add missing curly braces around one-line statements and use ControlStatementsExceptControlMacros for SpaceBeforeParens to remove space between foreach macro and the brace, e.g. `FOREACH (x) {` becomes `FOREACH(x) {`.
Backport of MR !10863
Merge branch 'backport-ondrej/update-clang-format-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10865
> Put a space before opening parentheses only after control statement
> keywords (for/if/while...) except this option doesn’t apply to ForEach
> and If macros. This is useful in projects where ForEach/If macros are
> treated as function calls instead of control statements.
(cherry picked from commit 42496f3f4a)
> Insert braces after control statements (if, else, for, do, and while)
> in C++ unless the control statements are inside macro definitions or
> the braces would enclose preprocessor directives.
(cherry picked from commit d051e1e8f8)
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Backport of MR !10841
Merge branch 'backport-nicki/ci-shotgun-load-new-dataset-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10857
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
(cherry picked from commit 338389b3eb)
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Backport of MR !10293
Merge branch 'backport-mnowak/more-lenient-respdiff-limits-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10848
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Initialization of the common members of rdata type structures varies across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` macro for all types, so that new types are more likely to use it, and hence backport more cleanly.
Closes#5467
Merge branch '5467-use-dns_rdatacommon_init-to-hide-branch-differences-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10833
Initialization of the common members of rdata type structures varies
across branches. Standardize it by using the DNS_RDATACOMMON_INIT
macro for all types, so that new types are more likely to use it,
and hence backport more cleanly.
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
Closes#5424
Backport of MR !10825
Merge branch 'backport-5424-hypothesis-artifacts-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10829
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
(cherry picked from commit a4e74ab8cd)
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
Merge branch 'nicki/fix-isctest-name-import-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10822
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Merge branch 'ondrej/rescan-the-interface-on-time-0' into 'bind-9.18'
See merge request isc-projects/bind9!10758
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.
References #3014
Backport of MR !5578
Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10816
Spurious validation failures were traced back to check_signer looping
over val->event->sigrdataset directly. Cloning val->event->sigrdataset
prevents check_signer from interacting with callers that are also
looping over val->event->sigrdataset.
(cherry picked from commit 8aa130f253)
