Use .sh(.in) file extension consistently for shell scripts
to allow more reliable detection of shell scripts based on their file
extension.
(cherry picked from commit 2d690499dd)
Fixes an issue where failing to reconfigure/reload the server would prevent to preserved the views caches on the subsequent server reconfiguration/reload.
Closes#5523
Backport of MR !10984
Merge branch 'backport-colin/fix-cache-revert-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10988
namedconf `request-zoneversion` option doesn't exists on 9.20, and was
actually useless for the purpose of the reload/fail/success cache test.
Remove this option so the test can run on 9.20
If the server is reloaded, new views are created and preexisting cache
is attached to those _but_ something goes wrong later, the previous
views are restored but the previous cache list is destroyed. This makes
the subsequent reload to drop the existing cache. This fixes it by
avoiding a mutation of the old cache list.
(cherry picked from commit a1703fa35b)
A named bug scrap the cache on a second reload after an initial reload
failure. Adds a test checking that the cache is preserved between server
reconfiguration/reloads even if it fails at some point (after attempting
to re-use the cache) and the server is re-loaded later.
(cherry picked from commit 714693742e)
We would prefer if explicit $ORIGIN is used only for root zone and
nothing else, solely to avoid zone files named "..db". For all other
zones the file name should match zone name.
(cherry picked from commit 339e5162d6)
The dns_qpmulti_memusage() causes assertion failure when called on
freshly created qpmulti instance because the qp->usage hasn't been
allocated yet.
Backport of MR !10977
Merge branch 'backport-ondrej/fix-qpmulti_memusage-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10982
The dns_qpmulti_memusage() causes assertion failure when called on
freshly created qpmulti instance because the qp->usage hasn't been
allocated yet.
(cherry picked from commit b2f653b332)
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
(cherry picked from commit 66e58d3315)
The new order hopefully reflects likelihood of someone reading from start
to the end:
DNSSEC Guide
Manual Pages
General DNS Reference Information
Release Notes
Changelog
A Brief History of the DNS and BIND
(cherry picked from commit ed0db245be)
The RRSIGs for glue records were not being cached correctly for CD=1 queries. This has been fixed.
Closes#5502
Backport of MR !10938
Merge branch 'backport-5502-fix-missing-rrsig-with-cd-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10956
The code to test whether to store the RRSIGs on DNS_R_UNCHANGED
with CD=1 was failing because the comparison methods of the two
rdatatset instances were not compatible. Move the testing into
dns_db_addrdataset(), and request it by setting the DNS_ADD_EQUALOK
option. If the option is set and the old and new rrsets compare
as equal, dns_db_addrdataset() returns ISC_R_SUCCESS instead of
DNS_R_UNCHANGED.
(cherry picked from commit b954a1df43)
Update to REUSE Specification 3.2+ that uses REUSE.toml instead of DEP5
based specification.
Backport of MR !10945
Merge branch 'backport-ondrej/cover-reuse-dep5-to-toml-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10949
Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.
Merge branch 'pspacek/prepare-documentation-for-bind-9.20.13' into 'v9.20.13-release'
See merge request isc-private/bind9!836
Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.
Related to #4606
Backport of MR !10941
Merge branch 'backport-4606-document-rndc-dnssec-step-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10943
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
Backport of MR !10904
Merge branch 'backport-aram/rpz-servfail-until-ready-tunings-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10940
Since the log level has been raised, busy servers can "explode" from
the amount of log messages. Use the usual practice of logging "every
once in a while".
(cherry picked from commit 1962857ac4)
The "RPZ not ready yet" message is logged at debug 3 level. Use the
info level instead for better visibility.
After raising the log level, the rpz_log_fail_helper() function starts
appending " failed: " the the message. Change the log message so it
makes more sense.
(cherry picked from commit 49356ce944)
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
(cherry picked from commit d9b5f6c502)
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
Closes#5485
Backport of MR !10909
Merge branch 'backport-ondrej/clarify-rrset-order-random-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10935
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
(cherry picked from commit 369c8dc388)
Closes#5444
Backport of MR !10795
Merge branch 'backport-5444-add-hhit-and-brid-records-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10932
When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes#5491
Backport of MR !10890
Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10930
Do not insert a NUL into ip_str too early as the full value
is needed later. Only insert the NUL immediately before
displaying just the prefix string.
(cherry picked from commit 283da99f02)
Waiting for "keymgr: done" logs caused some manual-mode tests to fail intermittently. Waiting for "rekey done" logs should be more reliable.
Closes#5493
Backport of MR !10923
Merge branch 'backport-5493-algoroll-csk-step3-manual-unstable-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10929
Waiting for "keymgr: done" logs caused some manual-mode tests to fail
intermittently. Waiting for "rekey done" logs should be more reliable.
(cherry picked from commit 4141ae1275)
Add a test to check serve-stale with the 'stale-answer-client-timeout 0'
configuration option and with a delegation which is a CNAME to a auth
zone.
Closes#5372
Backport of MR !10920
Merge branch 'backport-5372-serve-stale-crash-on-insist-unreachable-test-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10927
Add a test to check serve-stale with the 'stale-answer-client-timeout 0'
configuration option and with a delegation which is a CNAME to a auth
zone.
(cherry picked from commit 04ed44e7d7)
Mark the ``tkey-domain`` statement as obsolete, since it has not had any
effect on server behavior since support for TKEY Mode 2 (Diffie-Hellman)
was removed (in BIND 9.20.0).
See #4204
Backport of MR !10798
Merge branch 'backport-4204-obsolete-tkey-domain-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10926
The "tkey-domain" statement has effectively been a no-op since commit
bd4576b3ce, which removed the only bit of
code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman).
A subsequent cleanup commit, 885c132f4a,
also missed the opportunity to remove the "tkey-domain" statement
altogether.
Mark the "tkey-domain" statement as obsolete and remove all code and
documentation related to it.
(cherry picked from commit 805f1c0f65)
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Backport of MR !10782
Merge branch 'backport-4204-deprecate-tkey-gssapi-credential-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10924
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
(cherry picked from commit 6de435c528)