A configuration where a key was defined inside a view, then used in a
`primary` statement wasn't covered. This is now fixed.
(cherry picked from commit d8f46b09a7)
Commit `2956e4fc45b3c2142a3351682d4200647448f193` hardened the `key`
name check when used in `primaries` to reject the configuration if
the key was not defined, rather than simply checking whether the
key name was correctly formed.
However, the key name check didn't include the view configuration,
causing keys not to be recognized if they were defined inside the
view and not at the global level. This regression is now fixed.
(cherry picked from commit b90399ebdc)
Replace the two-pass "random start index and wrap around" logic in
fctx_getaddresses_nameservers() with a statistically sound partial
Fisher-Yates shuffle.
The previous implementation picked a random starting node and did two
passes over the linked list to find query candidates. The new logic
introduces fctx_getaddresses_nsorder() to perform an in-place
randomization of indices into a bounded, stack-allocated lookup array
(nsorder) representing the "winning" fetch slots.
The nameserver dataset is now traversed in exactly one sequential pass:
1. Every nameserver is evaluated for local cached data.
2. If the current nameserver's sequential index exists in the randomized
nsorder array, it is permitted to launch an outgoing network fetch.
3. If not, it is restricted to local lookups via DNS_ADBFIND_NOFETCH.
This guarantees a fair random distribution for outbound queries while
maximizing local cache hits, entirely within O(1) memory and without
the overhead of linked-list pointer shuffling or dynamic allocation.
Closes #5695
Backport of MR !11604
Merge branch 'backport-5695-refactor-the-random-NS-selection-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11606
Introduce a new system test (nsprocessinglimit) to verify that the
resolver strictly respects outgoing network fetch quotas when presented
with heavily delegated, unresponsive zones.
This test acts as a regression check for the recent Fisher-Yates nameserver
selection refactor. It sets up an authoritative server delegating a zone
to 23 distinct nameservers (all pointing to unresponsive loopback IPs).
Using dnstap, the test forces a resolution failure and verifies that:
1. The resolver successfully traverses the zone delegation path.
2. The resolver caps the outgoing network queries to the delegated
nameservers exactly at the processing limit (20 fetches), ensuring
array boundaries and dynamic fetch quotas are strictly enforced without
crashing or hanging.
(cherry picked from commit 5274e764c4)
Replace the two-pass "random start index and wrap around" logic in
fctx_getaddresses_nameservers() with a statistically sound Fisher-Yates
shuffle.
The previous implementation picked a random starting node and did two
passes over the linked list to find query candidates. The new logic
extracts the available nameservers into a bounded, stack-allocated array
of dns_rdata_t structures.
This array is then randomized in-place using a Fisher-Yates shuffle.
Finally, the shuffled array is traversed sequentially to launch fetches
until the dynamic quota (fctx->pending_running >= fetches_allowed) is
reached.
This guarantees a fair random distribution for outbound queries while
properly respecting dynamic query limits, entirely within O(1) memory
and without the overhead of linked-list pointer shuffling or multiple
dataset traversals.
(cherry picked from commit 3c33e7d937)
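The selection described in the merge request description and commit message above, in the index-array form with `nsorder`, as an added example that is not BIND's own code. `NS_MAX`, `ns_pick_order()`, `ns_single_pass()` and the xorshift generator are assumptions for illustration; a resolver would draw from its own cryptographically strong random source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define NS_MAX 32 /* assumed bound for the stack arrays, not BIND's value */

/* Stand-in PRNG (xorshift32) so the example is self-contained. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t rng_uniform(uint32_t limit) { /* uniform in [0, limit) */
	uint32_t min = (0u - limit) % limit; /* 2^32 mod limit */
	do {
		rng_state ^= rng_state << 13;
		rng_state ^= rng_state >> 17;
		rng_state ^= rng_state << 5;
	} while (rng_state < min); /* rejection sampling: no modulo bias */
	return rng_state % limit;
}

/* Partial Fisher-Yates: min(nslots, ncount) distinct indices into nsorder. */
size_t ns_pick_order(size_t ncount, size_t nslots, uint8_t *nsorder) {
	uint8_t idx[NS_MAX];
	if (ncount > NS_MAX) ncount = NS_MAX;
	if (nslots > ncount) nslots = ncount;
	for (size_t i = 0; i < ncount; i++) idx[i] = (uint8_t)i;
	for (size_t i = 0; i < nslots; i++) { /* only nslots swaps are needed */
		size_t j = i + rng_uniform((uint32_t)(ncount - i));
		uint8_t tmp = idx[j];
		idx[j] = idx[i];
		nsorder[i] = idx[i] = tmp; /* slot i is final after this swap */
	}
	return nslots;
}

/* One pass: all get a cache lookup; only indices in nsorder may fetch. */
size_t ns_single_pass(size_t ncount, size_t nslots, bool *may_fetch) {
	uint8_t nsorder[NS_MAX];
	size_t allowed = 0, winners = ns_pick_order(ncount, nslots, nsorder);
	if (ncount > NS_MAX) ncount = NS_MAX;
	for (size_t i = 0; i < ncount; i++) {
		may_fetch[i] = false; /* cache-only, as with DNS_ADBFIND_NOFETCH */
		for (size_t k = 0; k < winners; k++)
			if ((size_t)nsorder[k] == i) may_fetch[i] = true;
		allowed += may_fetch[i];
	}
	return allowed;
}

int main(void) {
	bool may_fetch[NS_MAX];
	printf("%zu of 23 may fetch\n", ns_single_pass(23, 20, may_fetch));
}
```

With 23 nameservers and 20 slots, the figures used by the nsprocessinglimit test description, exactly 20 indices are marked fetch-capable regardless of which ones the generator picks.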
A debug message that logs that a PKCS#11 object has been generated was erroneously
logged at error level. This has been fixed.
Backport of MR !11586
Merge branch 'backport-matthijs-fix-loglevel-keystore-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11601
A debug message that logs that a PKCS#11 object has been generated was
erroneously logged at error level. This has been fixed.
(cherry picked from commit 5bd6322739)
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
Backport of MR !11599
Merge branch 'backport-stepan/fix-tsan-stress-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11602
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
(cherry picked from commit 4ed6c4e4e7)
With the Python version bumped to 3.10 and the dependency situation cleared with !11415 it is now time to run linters and formatters on more parts of the Python code that was previously skipped or ignored.
Switch configuration of the various Python-adjacent tools to `pyproject.toml` to ensure that the same configuration is used in CI and locally.
See the individual commits for details on settings changed and linters added.
Tweaks to type checking and enabling more `ruff` lints will come in subsequent MRs.
Prerequisites:
- bind9-qa!160.
- images!442
Backport of MR !11499
Merge branch 'backport-stepan/python-tooling-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11574
More specific modules (like collections.abc) can now be used.
Generated with: ruff check --extend-select UP035 --fix
(cherry picked from commit ced002c4ab)
Add a pylint plugin that enforces:
- There is no bare `import dns` statement.
- All `dns.<module>` used are explicitly imported.
- There are no unused `dns.<module>` imports.
Fix all the imports to conform with this check.
(cherry picked from commit d3186c7038)
In Python 3.10 strings don't support the | operator, so ruff doesn't
attempt to fix these. Quote the entire type specification to avoid the
typing.Optional import.
Alternatives I considered:
- leaving it as is (only use of Optional in the code base)
- using `from future import __annotations__` (replacing one import with
another one)
(cherry picked from commit 1d5924c82f)
Importing pytest fixture trips up static analysis tools, so move
default_algorithm to conftest.py and use it instead of os.environ
accesses in various system tests.
For use outside a test function, use Algorithm.default().
(cherry picked from commit ef21b77912)
Fix ruff's F401 unused-import errors in these files.
Also sort them with: ruff check --extend-select RUF022 --fix.
(cherry picked from commit 2b9c5ccd77)
Cloning to a stable location allows clearer handling of paths when
calling scripts from CI jobs.
`unit:gcc:tarball` and `system:gcc:tarball` do `cd bind-*` in
`before_script` which led to the `bind9-qa` directory ending up in
a different place in exactly these two jobs and that made reasoning
about paths in `.system_test_common` and `.unit_test_common` tricky.
(cherry picked from commit 482c1cc72f)