coccinelle v1.1 trips over a superfluous isc_mem_get() NULL check in
tests/libtest/ns.c and reports the following failure in CI:
EXN: Failure("rule starting on line 26: already tagged token:\nC code context\nFile \"./tests/libtest/ns.c\", line 350, column 1, charpos = 7939\n around = 'if',\n whole content = \tif (qctx != NULL) {") in ./tests/libtest/ns.c
(cherry picked from commit cf76851c75)
Fix the loop terminating condition to get consistent sample sizes and increase the minimum number of samples from 20 to 40.
Closes #5091
Backport of MR !9894
Merge branch 'backport-5091-investigate-checking-startup-notify-rate-limit-failure-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9910
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition. Additionally 20 samples lead to test
failures. Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 22.
(cherry picked from commit 46388d07a2)
Closes #5088
Backport of MR !9884
Merge branch 'backport-5088-tests-irs-resconf_test-c-is-missing-check-callbacks-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9908
Include the recent changes such as:
- changes to running system tests
- gitlab development workflow
- changelog and release note process
Closes #5045
Backport of MR !9784
Merge branch 'backport-5045-update-contributing-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9903
Include the recent changes such as:
- changes to running system tests
- gitlab development workflow
- changelog and release note process
(cherry picked from commit 39485c1f70)
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.
Closes #5075
Backport of MR !9829
Merge branch 'backport-5075-database-rndc-reload-ensure-all-zones-loaded-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9901
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.
(cherry picked from commit 0bdd03db66)
The style guide now mentions clang-format, doesn't parenthesize return values, and no longer calls for backward compatibility in public function names.
Backport of MR !9892
Merge branch 'backport-each-style-update-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9897
It now mentions clang-format, doesn't parenthesize return values,
and no longer calls for backward compatibility in public function names.
(cherry picked from commit 9f7314eaa4)
The December releases suffer from the ns2/managed1.conf file not being
in the mkeys extra_artifacts. This manifests only when pytest is run
with the --setup-only option, which is the case in the
cross-version-config-tests CI job. The original issue is fixed in !9815,
but the fix will be effective only when subsequent releases are out.
(cherry picked from commit 97a9d7287c)
This allows easier identification of which burst is which in
named.run.
Backport of MR !9881
Merge branch 'backport-marka-use-different-burst-name-for-forensics-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9883
This subtest exercises static stub behaviour when server-addresses has an address. This was misidentified in the description.
Closes !9799
Backport of MR !9799
Merge branch 'backport-marka-fix-stub-subtest-description-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9880
The line after an unknown directive in resolv.conf could accidentally be skipped, potentially affecting dig, host, nslookup, nsupdate, or delv. This has been fixed.
Closes #5084
Backport of MR !9865
Merge branch 'backport-5084-plain-unknown-keyword-in-resolv-conf-not-handled-propely-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9878
Update to the new unit test framework.
Add a test for an unknown directive without any arguments.
Add test for an unknown directive without arguments, followed
by a search directive.
(cherry picked from commit c44c4fcbfb)
Only call eatline() to skip to the next line if we're not
already at the end of a line when parsing an unknown directive.
We were accidentally skipping the next line when there was only
a single unknown directive on the current line.
(cherry picked from commit eb78ad2080)
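The skipped-line bug described in the two commits above, shown as an added example. This is a minimal resolv.conf reader written for this page, not BIND's lib/irs/resconf.c; the file contents are constructed, and the `fixed` flag switches between the unconditional eatline() call and the corrected "only if not already at end of line" check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_NS     4
#define MAX_SEARCH 8
#define WORDLEN    64

/* Toy resolv.conf reader state (illustrative, not BIND's resconf_t). */
typedef struct {
    const char *buf;                    /* file contents */
    size_t pos;                         /* read cursor */
    int nns;
    char ns[MAX_NS][WORDLEN];
    int nsearch;
    char search[MAX_SEARCH][WORDLEN];
} resconf_t;

static int next_char(resconf_t *p) {
    if (p->buf[p->pos] == '\0') {
        return EOF;
    }
    return (unsigned char)p->buf[p->pos++];
}

/*
 * Read one whitespace-delimited word into `out` and return the byte that
 * ended it (' ', '\t', '\n' or EOF). That byte is consumed: a getc()-style
 * reader cannot know a word has ended without reading past it, so a
 * directive with no arguments leaves the cursor already on the next line.
 */
static int getword(resconf_t *p, char *out, size_t outlen) {
    size_t n = 0;
    int c;
    while ((c = next_char(p)) != EOF && c != '\n' && c != ' ' && c != '\t') {
        if (n + 1 < outlen) {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return c;
}

/* Discard everything up to and including the next newline. */
static void eatline(resconf_t *p) {
    int c;
    while ((c = next_char(p)) != EOF && c != '\n') {
    }
}

static bool at_eol(int delim) {
    return delim == '\n' || delim == EOF;
}

static void parse(resconf_t *p, bool fixed) {
    char word[WORDLEN];
    for (;;) {
        int delim = getword(p, word, sizeof(word));
        if (word[0] == '\0') {
            if (delim == EOF) break;    /* end of file */
            continue;                    /* blank line or leading whitespace */
        }
        if (strcmp(word, "nameserver") == 0) {
            if (!at_eol(delim)) {
                delim = getword(p, word, sizeof(word));
                if (word[0] != '\0' && p->nns < MAX_NS) {
                    strcpy(p->ns[p->nns++], word);
                }
                if (!at_eol(delim)) eatline(p);     /* ignore trailing junk */
            }
        } else if (strcmp(word, "search") == 0) {
            p->nsearch = 0;                         /* last search line wins */
            while (!at_eol(delim)) {
                delim = getword(p, word, sizeof(word));
                if (word[0] != '\0' && p->nsearch < MAX_SEARCH) {
                    strcpy(p->search[p->nsearch++], word);
                }
            }
        } else if (!fixed) {
            /* Bug: when `delim` is already '\n' the cursor sits on the next
             * line, so this throws away the *following* directive. */
            eatline(p);
        } else if (!at_eol(delim)) {
            /* Fix: only skip ahead if the unknown directive had arguments. */
            eatline(p);
        }
        if (delim == EOF) break;
    }
}

/* Constructed input: an unknown directive with no arguments, followed by a
 * search directive, as in the regression test the commit describes. */
static const char CONSTRUCTED_CONF[] =
    "options ndots:2\n"
    "foo\n"
    "search example.com corp.example\n"
    "nameserver 192.0.2.53\n";

int search_domains_seen(bool fixed) {
    resconf_t p = { .buf = CONSTRUCTED_CONF };
    parse(&p, fixed);
    return p.nsearch;
}

int nameservers_seen(bool fixed) {
    resconf_t p = { .buf = CONSTRUCTED_CONF };
    parse(&p, fixed);
    return p.nns;
}

int main(void) {
    printf("buggy: %d search domain(s); fixed: %d search domain(s)\n",
           search_domains_seen(false), search_domains_seen(true));
    return 0;
}
```

With the buggy path the "foo" line consumes its own newline inside getword(), eatline() then eats the whole search line, and the process ends up with no search list; the nameserver line survives only because it comes after. The fixed path keeps both.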
Prereq: isc-projects/images!345
Backport of MR !9612
Merge branch 'backport-mnowak/fedora-41-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9876
Prereq: isc-projects/images!359
Backport of MR !9872
Merge branch 'backport-mnowak/alpine-3.21-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9874
Commit af7db89513 as part of #4141 was supposed to apply the 'max-recursion-queries' quota to validator queries, but the counter was never actually passed on to 'dns_resolver_createfetch()'. This has been fixed, and the global query counter ('max-query-count', per client request) is now also added.
Related to #4980
Backport of MR !9856
Merge branch 'backport-4980-pass-counters-in-validator-createfetch-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9867
Commit af7db89513 as part of #4141 was
supposed to apply the 'max-recursion-queries' quota to validator
queries, but the counter was never actually passed on to
dns_resolver_createfetch(). This has been fixed, and the global query
counter ('max-query-count', per client request) is now also added.
(cherry picked from commit 5b1ae4a948)
Upstream code doesn't do regular releases, so we need to regularly
sync the code from the upstream repository. This is synchronization up
to the commit f8d0513 from Jan 29, 2024.
(cherry picked from commit d14a76e115)
Related to #4980
Backport of MR !9850
Merge branch 'backport-4980-remove-unused-maxqueryqount-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9854
While implementing the global limit 'max-query-count', initially I
thought of adding the variable to the resolver structure. But the limit
is per client request so it was moved to the view structure (and
counter in ns_query structure). However, I forgot to remove the
variable from the resolver structure again. This commit fixes that.
(cherry picked from commit 397ca34e34)
The configuration option 'max-query-count' sets how many outgoing queries per client request are allowed. The existing 'max-recursion-queries' is the number of permissible queries for a single name and is reset on every CNAME redirection. This new option is a global limit on the client request. The default is 200.
This allows us to send a few more queries while looking up a single name. The default for 'max-recursion-queries' is changed from 32 to 50.
Closes #4980, Closes #4921
Backport of MR !9737
Merge branch 'backport-4980-global-limit-outgoing-queries-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9847
Changing the default for max-recursion-queries from 100 to 32 was too
strict in some cases, especially lookups in reverse IPv6 trees started
to fail more frequently. From issue #4921 it looks like 50 is a better
default.
Now that we have 'max-query-count' as a global limit of outgoing queries
per client request, we can increase the default for
'max-recursion-queries' again, as the number of recursive queries is
no longer bound by the multiple of 'max-recursion-queries' and
'max-query-restarts'.
(cherry picked from commit 84df920d9e)
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.
(cherry picked from commit 73eafaba14)
This global limit is not reset on query restarts and is a hard limit
for any client request.
Note: This commit has been significantly modified because of many
merge conflicts due to the dns_resolver_createfetch api changes.
(cherry picked from commit 16b3bd1cc7)
Add another option to configure how many outgoing queries per
client request are allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.
(cherry picked from commit bbc16cc8e6)
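The difference between the per-restart and the global quota described in the commits above, as an added example. This is a hypothetical model written for this page, not BIND's resolver code: a client request is reduced to a chain of CNAME restarts, each costing a fixed number of outgoing queries, and the two counters are checked before every query. The numbers 32, 50 and 200 are the defaults the commit messages state; the assumption that 16 restarts are followed (the 'max-query-restarts' value) is the example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical quota set (illustrative, not a BIND structure). */
typedef struct {
    int max_recursion_queries; /* per-name budget, reset on every restart */
    int max_query_count;       /* per-request budget, never reset; 0 = off */
    int max_query_restarts;    /* CNAME restarts followed (assumed 16) */
} quotas_t;

typedef struct {
    int queries_sent;
    int restarts_completed;
    bool refused;
    const char *reason;
} outcome_t;

/*
 * Walk a CNAME chain. `per_restart` is how many outgoing queries each hop
 * needs before the next target is known. The local counter is reset on
 * every restart, exactly the reset that a CNAME chain exploits; the global
 * counter lives for the whole client request.
 */
outcome_t resolve_chain(quotas_t q, int per_restart) {
    outcome_t o = { 0, 0, false, "resolved" };
    int global = 0;
    for (int r = 0; r < q.max_query_restarts; r++) {
        int local = 0;
        for (int i = 0; i < per_restart; i++) {
            if (local >= q.max_recursion_queries) {
                o.refused = true;
                o.reason = "max-recursion-queries";
                return o;
            }
            if (q.max_query_count > 0 && global >= q.max_query_count) {
                o.refused = true;
                o.reason = "max-query-count";
                return o;
            }
            local++;
            global++;
            o.queries_sent++;
        }
        o.restarts_completed++;
    }
    return o;
}

int main(void) {
    quotas_t before = { 32, 0, 16 };   /* no global cap, old per-name default */
    quotas_t after = { 50, 200, 16 };  /* new defaults from the commits */
    outcome_t a = resolve_chain(before, 30);
    outcome_t b = resolve_chain(after, 30);
    printf("before: %d queries, refused=%d (%s)\n",
           a.queries_sent, a.refused, a.reason);
    printf("after:  %d queries, refused=%d (%s)\n",
           b.queries_sent, b.refused, b.reason);
    return 0;
}
```

A chain that stays just under the per-name limit on every hop never trips 'max-recursion-queries', so without a global cap the request costs up to 'max-recursion-queries' times 'max-query-restarts' queries; with 'max-query-count' it is cut off at 200 regardless of how the work is split across hops. A single name that needs more than 50 queries is still refused by the per-name limit.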
To mitigate DNS flood attacks over a single TCP connection, we throttle the connection when the other side does not read the data. Throttling should only occur on server-side sockets, but erroneously also happened for nsupdate, which acts as a client. Once nsupdate started throttling the connection, it never attempted to read again. This has been fixed.
Closes#4910
Backport of MR !9709
Merge branch 'backport-4910-nsupdate-hangs-when-processing-large-update-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9835
The root cause is the fix for CVE-2024-0760 (part 3), which resets
the TCP connection on a failed send. Specifically commit
4b7c6138 stops reading on the socket
because the TCP connection is throttling.
When the tcpdns_send_cb callback thinks about restarting reading
on the socket, this fails because the socket is a client socket.
And nsupdate is a client and is using the same netmgr code.
This commit removes the requirement that the socket must be a server
socket, allowing reading on the socket again after being throttled.
(manually picked from commit aa24b77d8b)
`dnssec-signzone` was using revoked keys for signing RRsets other than DNSKEY. This has been corrected.
Closes#5070
Backport of MR !9800
Merge branch 'backport-5070-dnssec-signzone-fix-revoke-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!9841