Previously, there were over 40 separate definitions of CHECK macros, of
which most used "goto cleanup", and the rest "goto failure" or "goto
out". There were another 10 definitions of RETERR, of which most were
identical to CHECK, but some simply returned a result code instead of
jumping to a cleanup label.
This has now been standardized throughout the code base: RETERR is for
returning an error code in the case of an error, and CHECK is for jumping
to a cleanup tag, which is now always called "cleanup". Both macros are
defined in isc/util.h.
When the EDNS DO flag (`dig +dnssec`) is set, an rdataset is allocated
to hold the RRSIG of an RR, if present in DB. However, this allocation
is not done if the zone DB is not considered as secure
(`dns_db_issecure() == false`). Change this behaviour by allocating the
rdataset anyway, so the RRSIG can be associated in the answer section of
the response as soon as it is found from the DB.
The fact we attach the rrsig potentially more often (though it probably
occurs in edge cases) doesn't seem to affect performance in any way:
Merge branch 'colin/rrsig-nonsecure-db' into 'main'
See merge request isc-projects/bind9!11317
Add a system test which checks that a server authoritative on a zone which
is not fully signed (here, it is missing the DNSKEY records as well as the
RRSIG on the RR `b`) still returns the RRSIG associated with an RR if
provided in the zone.
When the EDNS DO flag (`dig +dnssec`) is set, an rdataset is allocated
to hold the RRSIG of an RR, if present in DB. However, this allocation
is not done if the zone DB is not considered as secure
(`dns_db_issecure() == false`). Change this behaviour by allocating the
rdataset anyway, so the RRSIG can be associated in the answer section of
the response as soon as it is found from the DB.
The isc_stdtime_now() function used by dns_unreachcache_find() to
check if the entry needs to be expired has a one-second resolution,
and the test sleeps for 1 second and then for the amount of the
expiration interval, which in a worst-case scenario can cause the
test to fail, because the entry was expected to be expired but it
wasn't. Sleep for 2 seconds instead of 1 to avoid the timing
resolution issue.
Closes #5601
Merge branch '5601-unreachable-cache-expire-test-fix' into 'main'
See merge request isc-projects/bind9!11224
The isc_stdtime_now() function used by dns_unreachcache_find() to
check if the entry needs to be expired has a one-second resolution,
and the test sleeps for 1 second and then for the amount of the
expiration interval, which in a worst-case scenario can cause the
test to fail, because the entry was expected to be expired but it
wasn't. Sleep for 2 seconds instead of 1 to avoid the timing
resolution issue.
The dig option +showtruncated adds the ability to display
the truncated message before retrying the query over TCP.
The dig option +showallmessages adds a shortcut which is
the equivalent of "dig +qr +showbadcookie +showbadversion
+showtruncated".
Closes #5657
Merge branch '5657-add-showtruncated-to-dig' into 'main'
See merge request isc-projects/bind9!11275
Account for the recent nomenclature change in the CVE checklist.
Add a placeholder for a link to an Earliest Notification draft for every
vulnerability handled.
Use consistent Markdown reference names for all URLs in the summary
table. Provide a template for all URLs to indicate naming expectations.
Merge branch 'michal/update-cve-checklist' into 'main'
See merge request isc-projects/bind9!11313
In some cases we wait for the log message "sending notifies" before
proceeding with the test case. Notifies are rate limited. They are not
sent on every change to the zone. The "zone_needdump" messages happen on
every change.
In commit aea251f3bc, `isc_buffer_reserve()` was changed to
take a simple `isc_buffer_t *` instead of `isc_buffer_t **`.
A number of functions calling it have now been similarly
modified.
Merge branch 'each-text-buffers' into 'main'
See merge request isc-projects/bind9!11282
In commit aea251f3bc, `isc_buffer_reserve()` was changed to
take a simple `isc_buffer_t *` instead of `isc_buffer_t **`.
A number of functions calling it have now been similarly
modified.
Add a new parameter ``-v`` to the ``rndc dnssec -status`` command for more verbose output. Previously, key states were printed, and keys that can be purged were listed. This made the output hard to read. This information is now only shown in the verbose output.
Add more meaningful messages to the status output, making it clearer what the state of a rollover is.
This makes the output more condensed, improving its readability.
Closes #3938
Merge branch '3938-improve-rndc-dnssec-status-output' into 'main'
See merge request isc-projects/bind9!11099
Wrap 'dns_keymgr_status()' in 'dns_zone_dnssecstatus()' so we can easily
retrieve the zone string name and refresh key time value.
In addition to the current time, output when the next key event is
expected.
Don't log keys that are completely hidden unless verbose is set.
Don't log key state values unless verbose is set, or they are in a
weird state.
For expected key states, log a more useful message of the stage of
the rollover. If we are in the middle of a key rollover, don't log
when the next key rollover is scheduled.
Condense the output for better readability.
We are not actually retrieving these records from the other provider,
they are available as key files to us and we are using those files
to send a dynamic update to the server.
This test is similar to model2.multisigner, but now the two providers
are both secondary, both using the same hidden primary. The DNSKEY,
CDNSKEY, and CDS records need to be published at the hidden primary,
ns5, the zone is transferred to both secondaries, ns3 and ns4.
To avoid intermittent test failures, we wait for the line
"zone {zone}/IN (signed): serial {serial2} (unsigned {serial1})" in
the secondary server logs. This is a signal that the unsigned zone
with serial <serial1> has a signed version ready with serial <serial2>.
To speed up the test, disable 'notify-delay'.
When testing multi-signer as bump-in-the-wire (upcoming test), we want
to be able to do dynamic updates to a hidden primary. Update the
test functions such that we can set a specific primary server.
This converts the model2.multisigner tests from the multisigner system
test to pytest based code. Crappy shell test functions such as
'zsks_are_published', 'records_published' and others are replaced with
the standard test code from isctest.kasp and by setting 'private=False'
and 'legacy=True' on the keys from the other providers so we don't do
any key file testing.
Provide more information about the failure when the memory allocation fails.
Merge branch 'ondrej/print-helpful-message-on-oom' into 'main'
See merge request isc-projects/bind9!11272
Instead of just crashing when memory allocation fails, also print a
message saying "Out of memory!", the size of the allocation that failed,
total allocated memory from all memory contexts and value of errno.
In !11121, a .merge member was added to cfg_clausedef_t. This caused
a build failure with -Werror,-Wmissing-field-initializers enabled.
Add the missing initializer and set them all to NULL to match the
intent.
Merge branch 'ondrej/fix-compilation-on-macos' into 'main'
See merge request isc-projects/bind9!11302
In !11121, a .merge member was added to cfg_clausedef_t. This caused
a build failure with -Werror,-Wmissing-field-initializers enabled.
Add the missing initializer and set them all to NULL to match the
intent.
Function `named_config_getipandkeylist` could, in case of error in the early code attempting to get the `port` or `tls-port`, make a pointer check on a non-initialized value. This is now fixed.
Merge branch 'colin/getipandkeylist-uinitstate' into 'main'
See merge request isc-projects/bind9!11303
Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.
Python has been required to run the system test suite for quite a while.
Remove the dated checks inside system tests which are no longer needed.
Merge branch 'nicki/cleanup-python-checks-system-tests' into 'main'
See merge request isc-projects/bind9!11292
When an RRSIG for a type for which we already have a cached NODATA record was cached due to a mismatch of the records on the upstream nameservers, an assertion failure could trigger. This has been fixed.
Closes #5633
Merge branch '5633-evict-related-rrsig-when-adding-negative-header' into 'main'
See merge request isc-projects/bind9!11228
During refactoring, a condition that prevented caching RRSIGs for
records for which we already have cached NODATA records was changed in an
invalid way. This was caught later when a cached NODATA(type) +
RRSIG(type) was found in the cache and caused an assertion failure.
Fix and simplify the condition that prevents adding such RRSIGs.
Formerly, we evicted the RRSIG(type) only when we were changing
an existing header from positive to negative. Move the eviction routine
for the RRSIG to a common path, so the RRSIG also gets evicted when we
are adding a new negative header for a specific type.
The :any:`remote-servers` clause enables the following pattern using a named ``server-list``:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, such configuration was wrongly rejected, with an "unexpected token 'foo'" error. Such configuration is now accepted.
Closes #5646
Merge branch '5646-fix-named-remote-servers-key-tls' into 'main'
See merge request isc-projects/bind9!11252