Move CI stage "other-checks" right after "quick-checks" and get the jobs
in it as close to each other as possible in .gitlab-ci.yml.
Since no job is allowed to depend (via "needs") on any job that is
assigned to a stage later than its own, move the "tsan:stress" and
"gcov" jobs to the "system" stage.
Jobs with more than one minute of runtime are not considered for the
small VM.
The "tarball-create" job goes to the more appropriate "build" stage.
"coccinelle" and "checkbashisms" are moved to the generic
"other-checks".
Rename the "postcheck" CI stage to the more generic "other-checks".
Slower jobs that still run in autoscaled runners belong here, as opposed
to the lightweight ones in "quick-checks".
Most jobs in the "precheck" stage spend more time setting up their
environment than running the script (seconds); this allows us to add a
small always-on dedicated runner instead of the autoscaled ones.
Hence, the stage is renamed to "quick-checks", and a tag "smalljob" is
added to the anchor so that these jobs are picked by the dedicated
runner.
Read the Docs fails to pick the latest version when updating the `stable` tag, i.e. a build is triggered but it takes the previous version of it. This is a known bug in RtD: https://github.com/readthedocs/readthedocs.org/issues/10838.
The only approach that seems to solve this on our end is to wait some time and trigger the build again so that it picks the latest version of the tag.
Merge branch 'andoni/fix-rtd-picking-old-version-when-stable-branch-update' into 'main'
See merge request isc-projects/bind9!11475
Read the Docs fails to pick the latest version of the stable tag when
updated, i.e. a build is triggered but it takes the previous version.
This commit triggers a second build after 5 minutes to ensure that the
correct tag version is used for the documentation.
This is a known bug in RtD:
https://github.com/readthedocs/readthedocs.org/issues/10838.
The included defaultconfig.h in named-checkconf uses bind.keys.h.
Closes #5709
Merge branch '5709-meson-freebsd-compilation' into 'main'
See merge request isc-projects/bind9!11474
Fixes a couple of comment/documentation issues in the resolver.
Merge branch 'colin/resolver-doc' into 'main'
See merge request isc-projects/bind9!11465
When a fetch result gets a delegation, `rctx_referral()` sets the
`rctx->get_nameserver = true`, which tells the resolver to retry another
server, not because of an error with the current server, but simply to
follow the delegation.
Update the comment of `rctx_nextserver()` which is quite confusing here
(as it's not immediately obvious from the code how we recurse when
getting a delegation back from a query).
Also add a log line, which helps figuring out this is happening.
In case of a positive response, the `rctx_authority_positive()` function
is called to scan the AUTHORITY section to find NS servers and related
RR (glues) to be cached.
The doc says the function was called `rctx_authority_scan()`, but it is
called `rctx_authority_positive()`.
Python 3.10 or newer is now required for running the system test suite. The required python packages and their version requirements are now tracked in `bin/tests/system/requirements.txt`.
Support for pytest 9.0.0 has been added; its minimum supported version has been raised to 7.0.0. The minimum supported dnspython version has been raised to 2.3.0.
Closes #5690
Closes #5614
Merge branch 'nicki/pytest-9-compat' into 'main'
See merge request isc-projects/bind9!11415
The minimum required hypothesis version has been set in requirements.txt
and no longer needs to be checked at runtime.
Since the hypothesis package is now a mandatory prerequisite, include it
in isctest as the other subpackages.
This ensures that python3.12 is used when testing on older distributions
like EL8 and EL9, where the platform default python3 is older.
python3.11 was explicitly added due to FreeBSD, which doesn't have that
binary symlinked to any other name (like python3). Previously, it worked
only incidentally - when python3 was listed first, it triggered special
meson code for python detection, which is no longer the case when
python3.12 is listed first.
Drop support of EoL python versions for running system tests. The
maintenance cost of supporting an end-of-life ecosystem, especially Python
3.6 on EL8 and the related outdated packages (pytest, dnspython, ...),
has become unreasonable.
Use collection_path rather than the deprecated path argument for
pytest_ignore_collect() hook.
The collection_path argument was added in pytest 7.0.0, which is the
minimum supported pytest version from now on.
This file lists the required Python packages and versions for running
system tests. The easiest way to obtain them is:
    pip install -r requirements.txt
The minimum dnspython version is 2.7.0 because it supports TSIG parsing
without validation (for tsig/tests_tsig_hypothesis.py) and wire() (for
names/tests_names.py).
The minimum pytest version was bumped to 7.0.0 because it supports the
collection hook API required by pytest 9.
The minimum hypothesis version was set to 4.41.2 as prior versions might
have issues on FIPS systems.
There is a bug in qpzone.c:first_existing_header_indirect() where
it does not advance the pointer in the FOREACH type loop.
Remove the static function altogether, as it was used only once and
had some other problems too, and use simpler custom code instead in
the place where it was used.
Closes #5691
Merge branch '5691-qpzone.c-first_existing_header_indirect-fix' into 'main'
See merge request isc-projects/bind9!11460
Test that closing a writer with a rollback, then opening another
writer and adding a rdataset (while still holding the node reference)
works correctly.
This test checks that the bugfix in the previous commit is correct.
The first_existing_header_indirect() static function is used only
in one place and it has bugs:
1. It doesn't advance the pointer and can cause an infinite loop
   if it doesn't break out from the loop on the first iteration.
2. It doesn't check if the header EXISTS, though its name indicates
   that it should.
3. Even if the infinite loop bug is fixed, it would eventually
   return the last checked header's pointer even if all the
   candidates do not match the criteria of the selection.
Instead of fixing it, remove the function and use simpler code in
the place where it was being called.
`ns3/nsec3-ent.kasp.db` is regenerated too fast resulting in
the subsequent `rndc reload` call failing. This has been
fixed.
Closes #5707
Merge branch '5707-timing-issues-in-nsec3-tests_nsec3_reconfig-py' into 'main'
See merge request isc-projects/bind9!11467
C23 now has qualifier preserving standard functions for strchr,
bsearch, strpbrk, strrchr, strstr, memchr. There were a few places
where the return value was not assigned to a const qualified pointer.
These have been fixed.
Since the `sigrdataset` "output" parameter of `dns_view_findzonecut()` is never used (always called with NULL), it is now removed. As the resolver is moving towards a parent-centric direction, there is no point having a signature for the NS record (which is not authoritative in the parent, so never signed) when `dns_view_findzonecut()` is called.
Also, rename `dns_view_findzonecut()` as `dns_view_bestzonecut()` as it is used only in the context where the closest name servers for a name need to be queried and to avoid ambiguities with other code flows using `dns_db_findzonecut()`.
Merge branch 'colin/findzonecut-removesig' into 'main'
See merge request isc-projects/bind9!11444
`dns_view_findzonecut()` is used only in the context where the closest
name servers for a name need to be queried. In the future, this API
will also return the glues (if known) for those name servers, as well
as (exclusively, if both NS and DELEG exist) the DELEG record.
To avoid ambiguities with other code flows using `dns_db_findzonecut()`,
`dns_view_findzonecut()` has been renamed into `dns_view_bestzonecut()`.
Since the `sigrdataset` "output" parameter of `dns_view_findzonecut()`
is never used (always called with NULL), it is now removed.
Also, since the resolver is moving towards a parent-centric direction,
there is no point having a signature for the NS record (which is not
authoritative in the parent, so never signed) in the contexts where
`dns_view_findzonecut()` is called.
When built with '-Doptimization=1', GCC produces a compiler warning:
    In file included from ../lib/isc/include/isc/lib.h:44,
                     from ../tests/dns/qp_test.c:26:
    ../tests/dns/qp_test.c: In function ‘check_predecessors_withchain’:
    ../lib/isc/include/isc/util.h:182:33: error: ‘ival’ may be used uninitialized [-Werror=maybe-uninitialized]
      182 | (((a) == (b)) ? (void)0 : (_assert_int_equal(a, b, f, l), abort()))
          | ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /usr/include/cmocka.h:1234:5: note: in expansion of macro ‘_assert_int_equal’
     1234 | _assert_int_equal(cast_to_largest_integral_type(a), \
          | ^~~~~~~~~~~~~~~~~
    ../tests/dns/qp_test.c:859:18: note: ‘ival’ was declared here
      859 | uint32_t ival;
          | ^~~~
This is apparently a false positive, because the qpiter_prev_with_name()
function, when returning ISC_R_SUCCESS, sets the 'ival' (passed to
it by a pointer), and the caller checks that the return value is
ISC_R_SUCCESS before using 'ival'.
Initialize the 'ival' variable to 0 anyway to avoid the build error.
Closes #5704
Merge branch '5704-qp_test-uninitialized-false-positive-error-fix' into 'main'
See merge request isc-projects/bind9!11455
Without querytrace set, test_malformed_ecdsa and test_multiple_rrsigs
fail on the log_validation_failed string.
Merge branch 'mnowak/dnssec-malformed-dnskey-needs-querytrace' into 'main'
See merge request isc-projects/bind9!11454
To provide feature parity with `bin/tests/system/ans.pl` add a control
command to allow easy switching between different sequences of
ResponseHandlers.
It saves an indent and brackets on the call sites.
Also sort the handlers alphabetically where their order doesn't matter
and split the fallback handlers into a separate call to signify that
their position in the end matters.
Previously, the catalog zone names and their member zones' entry
names were unintentionally case-sensitive. This has been fixed.
Closes #5693
Merge branch '5693-catz-case-sensitivity-fix' into 'main'
See merge request isc-projects/bind9!11410