named was asserting when the notify source address was not available
and TSIG was being used. Check this scenario by adding a nameserver
to the zone which is configured to use a non-existent source address
and a blackholed destination address and a TSIG using a server clause
for that destination address.
(cherry picked from commit f99d7f4217)
Prevent retrying the notify over TCP in case the source address is not
available or the source vs the destination address family mismatch or
when the destination address has been blackholed. Properly log the
hard notify failures.
(cherry picked from commit 5a5bc6de22)
When dns_request_create() fails in notify_send_toaddr() the TSIG key was
not cleared when retrying over TCP causing assertion failure. Set the
TSIG key to NULL in the dns_message to prevent the assertion failure.
(cherry picked from commit ee3391a146)
Fix the `update-stable-tag` job, necessary for updating Read the Docs.
Backport of MR !11559
Merge branch 'backport-andoni/fix-update-stable-branch-for-rtd-job-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11568
The update script clones a fresh copy each time, if more than one
invocation is needed intermediate copies need to be removed.
(cherry picked from commit 81b71d5aa6)
RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally
it requires FORMERR to be returned for all unknown families.
Backport of MR !11563
Merge branch 'backport-marka-formerr-family-0-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11565
RFC 7871 only defines family 1 (IPv4) and 2 (IPv6). Additionally
it requires FORMERR to be returned for all unknown families.
(cherry picked from commit 757e503536)
List 'rndc dnssec' arguments in alphabetic order.
The `-step` argument was erroneously omitted from the usage output.
Closes #5731
Backport of MR !11529
Merge branch 'backport-5731-rndc-documentation-corrections-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11554
Closes #5724
Backport of MR !11509
Merge branch 'backport-5724-dnstap-forwarder-queries-logging-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11555
Replace the custom DNS server used in the "pipelined" system test with
new code based on the isctest.asyncserver module.
Backport of MR !11516
Merge branch 'backport-michal/pipelined-asyncserver-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11552
Replace the custom DNS server used in the "pipelined" system test with
new code based on the isctest.asyncserver module.
(cherry picked from commit 3954025218)
Add a new response handler, ForwarderHandler, which enables forwarding
all queries to another DNS server. To simplify implementation, always
forward queries to the target server via UDP, even if they are
originally received using a different transport protocol.
(cherry picked from commit 10a2fc7f1f)
Extend AsyncDnsServer._log_query() and AsyncDnsServer._log_response() so
that they also log the <address, port> tuple for the socket on which a
given query was received. Minimize the signatures of those methods
by taking advantage of all the information contained in the QueryContext
instances passed to them.
(cherry picked from commit d3d9d166ed)
Extend the QueryContext class with a field holding the <address, port>
tuple for the socket on which a given query was received. This will
enable query handlers to act upon that information in arbitrary ways.
(cherry picked from commit 94a4793596)
Closes #5730
Backport of MR !11526
Merge branch 'backport-5730-document-query-options-order-sensitive-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11542
In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of
memory if dns_name_fromtext() would theoretically fail. This would
require a Kerberos principal with an invalid DNS name.
Closes #5737
Backport of MR !11536
Merge branch 'backport-5737-memory-leak-in-dst_gssapi_acceptctx-on-dns_name_fromtext-failure-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11537
In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of
memory if dns_name_fromtext() would theoretically fail. This would
require a Kerberos principal with an invalid DNS name.
(cherry picked from commit 3ad87f1ad6)
Not all DNS responses had the query time set in their corresponding
dnstap messages. This has been fixed.
Closes #3695
Backport of MR !11527
Merge branch 'backport-3695-record-query-time-for-all-dnstap-responses-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11534
The description in the protobuf specification is not a list of request
types to process but rather a list of examples to qualify the
description of whether the time indicates when the message is received
or sent.
(cherry picked from commit 479c737517)
Previously, the issue when the kasp.test_kasp_case[secondary.kasp] fails
due to a timeout has been only occasionally observed on FreeBSD 13
in our CI. It seems to have come back on FreeBSD 15.
(cherry picked from commit e4abb5bd07)
The zone file is updated too soon causing the reload to fail.
Add a 1 second sleep to ensure the modification time has changed.
Closes #5734
Backport of MR !11525
Merge branch 'backport-5734-fix-tests-nsec3-change-py-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11528
The zone file is updated too soon causing the reload to fail.
Add a 1 second sleep to ensure the modification time has changed.
(cherry picked from commit 8f413fd589)
Add two short records to example.com.db that cause assertion failures
when converted to wire form.
The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.
Update the relevant unit tests with 1-byte records.
Co-authored-by: Mark Andrews <marka@isc.org>
Closes #5616
Backport of MR !11522
Merge branch 'backport-5616-add-brid-hhit-towire-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11523
Add two short records to example.com.db that cause assertion failures
when converted to wire form.
The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.
Update the relevant unit tests with 1-byte records.
Co-authored-by: Mark Andrews <marka@isc.org>
(cherry picked from commit ce1d68cbc5)
Very large inbound IXFR transfers were much slower compared to BIND
9.18. The performance was improved by adding specialized logic to
handle IXFR transfers.
Closes #5442
Backport of MR !11077
Merge branch 'backport-5442-ixfr-batch-transaction-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11355
Non qp/rbt databases might not implement the
dns_db_(begin|commit|abort)update methods. This commit ensures that we
return ISC_R_NOTIMPLEMENTED in those cases.