Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.
Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.
Merge branch 'stepan/run-all-system-tests-on-system-test-change' into 'main'
See merge request isc-projects/bind9!11214
Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.
Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.
Compare only the dumped configuration as the `cfg_printx` does not NULL-terminate the configuration strings.
Merge branch 'colin/fix-parser-test' into 'main'
See merge request isc-projects/bind9!11215
Parser test could crash because the `dumpb2` buffer hasn't explicit C
NULL string termination after dumping the configuration tree in it.
`cfg_printx` does not doing this by default.
Fix the test by comparing only the strings written with strncmp.
a94aab9440 removed importorskip call from
isctest.name on which the functionality of this test relied.
Add an explicit importorskip call to the test.
Merge branch 'stepan/fix-tools-nsec3hash-on-jammy' into 'main'
See merge request isc-projects/bind9!11213
A mix of supported and unsupported DNSSEC algorithms in the same zone could have caused validation failures. Ignore the DNSSEC keys with unsupported algorithm when looking for the signing keys.
Closes#5622
Merge branch '5622-dont-fail-on-unsupported-algorithms' into 'main'
See merge request isc-projects/bind9!11208
When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search. Instead, skip
such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Closes#5606
Merge branch '5606-fix-assertion-failure-in-overmem-cleaning' into 'main'
See merge request isc-projects/bind9!11166
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
Full removal of pre-2.0.0 `dnspython` support is planned for after 9.18
goes EoL.
Merge branch 'stepan/require-dnspython-2-for-asyncserver' into 'main'
See merge request isc-projects/bind9!11191
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.
Remove pytest.importskip from top scope in isctest.name, only run the
check when ZoneAnalyzer is used.
Add a new GitLab CI job that automatically generates post-disclosure
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates T-1 packager
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Add a new GitLab CI job that automatically generates public T-5
pre-announcements for BIND 9 security releases based on the metadata for
the current release cycle.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of security releases in a given release cycle in case
autodetection fails for any reason.
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of CVE IDs fixed in a given release cycle in case
autodetection fails for any reason.
Extract common YAML keys used by release-related job definitions into
reusable anchors to ensure consistency and limit repetition across
multiple similar jobs.
`named-checkconf` now supports the command line switch `-b`, which prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Closes#1326
Merge branch '1326-named-checkconf-builtin' into 'main'
See merge request isc-projects/bind9!11177
`named-checkconf` now supports the command line switch `-b`, which
prints the default built-in configuration used by `named`.
When `-b` is in use, other options are ignored.
Previously, :iscman:`dig` could exit with an assertion failure when the server was specified before the :option:`dig -b` option. This has been fixed.
Closes#5609
Merge branch '5609-fix-dig-crash-with-at-and-dash-b-on-main' into 'main'
See merge request isc-projects/bind9!11183
Check that dig doesn't exit with an assertion failure when a IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
Previously, if there's no more server to try in force_next,
it attempted to retry the current server similar to a query
timeout case. But, force_next() is called only when the
current server's address is unusable and the query was not
even sent, so recvcount was not incremented, causing an
assertion failure.
We might be able to fix it so the retry doesn't cause a crash,
but it doesn't make sense to retry the server when its address
is known to be unusable. So, simply avoiding the retry would be
the easiest and safest way to prevent the crash.
Without this, start_udp or start_tcp would trigger an assertion
failure. Detaching it at this point is also consistent with
other failure handling cases, such as in recv_done.
Extended DNS Error 24 (Invalid Data) is returned when the server cannot answer data for a zone it is configured for. This occurs typically when an authoritative server does not have loaded the DB of a configured zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
See #1836
Merge branch 'colin/ede24' into 'main'
See merge request isc-projects/bind9!11169
When a (secondary) zone is expired, the log message `<zone> expired` is
printed and the flag `DNS_ZONEFLG_EXPIRED` is set. Change the order by
setting the expired flag first, then printing the log.
This should fixes (rare but persistent) timing-related CI error when the
EDE 24 tests expect the zone to be expired (from the log) and
immediately after request and expect an EDE 24 error. (In some rare
cases, the server was still answering the response).
Add system test covering EDE 24 being added in the response in both
common cases: when the server has not loaded the DB of a zone and when
the zone has expired (secondary).
Extended DNS Error 24 (Invalid Data) is returned when the server cannot
answer data for a zone it is configured for. This occurs typically when
an authoritative server does not have loaded the DB of a configured
zone, or a secondary server zone is expired.
See RFC 8914 section 4.25.
If `query_getzonedb()` finds a zone but the zone is expired it
immediately returns `DNS_R_EXPIRED` and doesn't attempt to get the zone
DB (which would be NULL in this case).
This enable caller to have a more precise reason of why getting the DB
has failed.
Introduce the `dns_zone_isexpired()` API which returns `true` when a
secondary, mirror, etc. zone is expired.
This internally use the `DNS_ZONEFLG_EXPIRED` which was already set when
the zone gets expired, but never used.
The flag `DNS_ZONEFLG_EXPIRED` is also now cleared when the expiration
time of the zone is updated and in the future.
CID 638286: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->notifyctx.notify_acl" without holding
the lock "dns_zone.lock". Elsewhere, reading this data does have the
lock, so it makes sense that in the getter function this must also be
so. However, the function is unused so we can just remove it.
CID 638287: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->locked" without holding the lock
"dns_zone.lock". I think this is a false positive as "dns__zone_lock()"
and "dns__zone_unlock() are wrappers around "LOCK_ZONE()" and
"UNLOCK_ZONE()" and where these macros were used they were only
replaced with the internal zone functions. Moreover, "zone->locked"
is only accessed in these macros (and "TRYLOCK_ZONE()" and
"LOCKED_ZONE()").
Changes introduced by 72862c2a moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Merge branch 'colin/fix-reuseport-default' into 'main'
See merge request isc-projects/bind9!11180
Changes introduced by 72862c2abc moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Move notify code in separate source files in preparation for support of generalized DNS notifications.
Merge branch 'matthijs-refactor-notify-code-2' into 'main'
See merge request isc-projects/bind9!11146
Move dns_notify_destroy, dns_notify_log, dns_notify_cancel,
dns_notify_queue, dns_notify_isqueued, dns_notify_find_address, and
notify related static functions over to the notify source files.