if a zone reload is already in progress when 'rndc reload <zone>' is
run, currently the message returned is "zone reload queued", which
is correct, but it's identical to the message returned when a reload
was *not* in progress, so the user can't easily tell what happened.
a user could reload a zone twice and not realize that only one
reload actually took place.
this has been addressed by changing the message returned to
"zone reload was already queued".
a new result code ISC_R_LOADING has been added to signal this
condition, taking the place of ISC_R_RELOAD, which was obsolete
and has been removed.
One of the synthrecord system tests uses a test function to generate an expected name based on some randomly generated IPv6 (using Hypothesis). Turns out the test function generating the name didn't handle the case where the label which encodes the IPv6 could have a leading or trailing '-' character. (The plugin needs to add a leading or trailing 0 so as not to break IDN compatibility.)
Merge branch 'colin/fix-synthrecord-v6test' into 'main'
See merge request isc-projects/bind9!11073
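An added illustration of the edge case this commit describes (example code written for this page, not the synthrecord plugin's own code or its system test): it assumes the label is the compressed textual IPv6 form with ':' replaced by '-', and shows the leading/trailing '0' padding together with a decoder that reverses it.

```python
import ipaddress

# Added example, not the synthrecord plugin's own code. The label encoding
# is an assumption: the compressed textual IPv6 form with ':' -> '-'.


def ipv6_to_label(addr: str) -> str:
    """Encode an IPv6 address into a single hostname label."""
    label = ipaddress.IPv6Address(addr).compressed.replace(":", "-")
    # A '::' at the start or end of the compressed form yields a label that
    # starts or ends with '-', which is not a valid LDH/IDNA hostname label.
    # Pad the affected side with a '0', as the commit describes.
    if label.startswith("-"):
        label = "0" + label
    if label.endswith("-"):
        label += "0"
    return label


def label_to_ipv6(label: str) -> str:
    """Reverse ipv6_to_label; returns the compressed textual address."""
    # A compressed address never begins with "0::" or ends with "::0" (that
    # zero group would have been folded into the '::'), so a leading "0--"
    # or trailing "--0" can only have come from the padding above.
    if label.startswith("0--"):
        label = label[1:]
    if label.endswith("--0"):
        label = label[:-1]
    return str(ipaddress.IPv6Address(label.replace("-", ":")))


def is_ldh_label(label: str) -> bool:
    """Letters/digits/hyphens only, no leading or trailing hyphen."""
    return (0 < len(label) <= 63
            and all(c.isalnum() or c == "-" for c in label)
            and not label.startswith("-")
            and not label.endswith("-"))


# Constructed sample input, including the edge cases the old test missed.
SAMPLES = ["2001:db8::1", "::1", "::", "fe80::", "2001:db8:0:1::", "2001:db8::"]


def check_roundtrip(addrs=SAMPLES) -> bool:
    """True when every sample encodes to a valid label and decodes back."""
    for a in addrs:
        label = ipv6_to_label(a)
        if not is_ldh_label(label):
            return False
        if ipaddress.IPv6Address(label_to_ipv6(label)) != ipaddress.IPv6Address(a):
            return False
    return True
```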
It was possible for the result to be overwritten after a validation failure, causing `check_signer()` to return success when it should have returned an error.
Closes #5575
Merge branch '5575-ensure-correct-result-from-check_signer' into 'main'
See merge request isc-projects/bind9!11103
Co-Authored-By: Ondřej Surý <ondrej@isc.org>
Generally speaking, no AI generated slop is permitted. If AI has been
used to find an actual problem, the findings need to be verified by a
person, and the report should be written by the person. No copy and
paste is allowed. Anyone reporting the problem needs to be able to
verify the problem independently of the AI.
Merge branch 'ondrej/no-ai-templates' into 'main'
See merge request isc-projects/bind9!11105
Expect created.* and unused.* files at the end of running
the multisigner test.
Closes #5565
Merge branch '5565-multisigner-test-can-leave-created-and-unused-files' into 'main'
See merge request isc-projects/bind9!11089
`nextpart file | grep -q` doesn't work as expected. `grep -q` is not
required to read all of the input and that causes `nextpart` to fail.
Closes #5566
Merge branch '5566-nextpart-piped-to-grep-q-doesn-t-work-as-expected' into 'main'
See merge request isc-projects/bind9!11090
If dns_name_fromtext failed or the subsequent dns_name_compare
failed, the lexer's comments state wasn't cleaned up.
Closes #5564
Merge branch '5564-fix-bug-in-skr-c-parse_rr-on-error-path' into 'main'
See merge request isc-projects/bind9!11088
The `bindkeys-file` option was only used for testing purposes, and has now been replaced with a `-T bindkeys=<filename>` option for `named`.
Merge branch 'each-remove-bindkeys-file' into 'main'
See merge request isc-projects/bind9!11081
the comments in the bind.keys file were outdated; the file now only
exists to be converted into bind.keys.h and compiled into named and
delv.
some tests also referenced it, and have been cleaned up, since
the keys in it are already built into named.
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Merge branch 'matthijs-clarify-import-key-dnssec-policy' into 'main'
See merge request isc-projects/bind9!11064
You should not use dnssec-importkey to import DNSKEY records from
other providers (for example when setting up multi-signer).
Clarify this in the manpage.
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Merge branch '5554-disable-keyfromlabel-collision-avoidance-in-tests' into 'main'
See merge request isc-projects/bind9!11066
We agreed to make "expect" a direct attribute of KeyProperties, but it turns out the property is unused, so we can just remove it.
Closes #5278
Merge branch '5278-kasp-system-test-follow-up-1' into 'main'
See merge request isc-projects/bind9!11042
Zone API `dns_zone_dump` is dead code in 9.21 (and was also dead code at
least in 9.20), removing it.
Merge branch 'colin/remove-dns_zone_dump' into 'main'
See merge request isc-projects/bind9!11060
Disable unsigned-int spatch in db.h to silence the following error from coccinelle v1.1:
```
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
```
Merge branch 'marka-cocci-fix' into 'main'
See merge request isc-projects/bind9!11062
Fixing an (invalid) Coverity NULL-dereference (ns_pluginctx_t is always
defined) by enforcing a REQUIRE, and adding a missing return value check.
Closes #1586
Merge branch 'colin/synthrecord-fixup' into 'main'
See merge request isc-projects/bind9!11053
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Merge branch 'nicki/reuse-remove-m4-annotations' into 'main'
See merge request isc-projects/bind9!11056
The previously deprecated ``tkey-domain`` statement has now been
removed.
Closes #4204
Merge branch '4204-remove-tkey-domain' into 'main'
See merge request isc-projects/bind9!10801
The previously deprecated ``tkey-gssapi-credential`` statement and all
code related to it have now been removed.
Closes #4204
Merge branch '4204-remove-tkey-gssapi-credential' into 'main'
See merge request isc-projects/bind9!10800
With the code handling the "tkey-gssapi-credential" statement removed,
the named_tkeyctx_fromconfig() function can no longer fail. Update its
return type to void and revise its only call site accordingly. Clean up
the function's documentation. Declare the 's' helper variable only in
the scope it is used in to improve readability.
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:
- The code processing the "tkey-gssapi-credential" statement in the
configuration is the only user of the dst_gssapi_acquirecred() and
dst_gssapi_releasecred() functions, so remove them along with their
static helper functions and a backup definition of the
GSS_KRB5_MECHANISM macro.
- When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
instead of the credential acquired by gss_acquire_cred().
(Previously, NULL was passed when "tkey-gssapi-credential" was not
specified. Kerberos headers define GSS_C_NO_CREDENTIAL as
(gss_cred_id_t) 0, so the logic was effectively the same, but using
the GSS_C_NO_CREDENTIAL macro is more appropriate.) This renders
the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
it from the prototype of the latter. (Contrary to what the
documentation for dst_gssapi_acceptctx() claims,
dst_gssapi_releasecred() does not need to subsequently be called to
free the GSS-API context; a dst_gssapi_deletectx() call in
gssapi_destroy() takes care of that when the dynamically generated
TSIG key is destroyed.)
- Remove the 'gsscred' member from struct dns_tkeyctx, along with its
related dns_gss_cred_id_t typedef.
Update the relevant sections of the ARM and code comments accordingly.
This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.
Remove redundant code from bin/named/tkeyconf.c while at it.