Commit graph

42872 commits

Author SHA1 Message Date
Mark Andrews
b6df481f3f Fix ifconfig.sh script
Add missing test for the variable 'a' being empty on linux.

(cherry picked from commit 7ba91e3820)
2025-07-16 22:13:25 +00:00
Andoni Duarte Pintado
4255d6d80a Merge tag 'v9.20.11' into bind-9.20 2025-07-16 17:20:09 +02:00
Mark Andrews
5aefaa4b97 [9.20] chg: usr: Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1
RSASHA1 and RSASHA1-NSEC-SHA1 DNSKEY algorithms have been deprecated
by the IETF and should no longer be used for DNSSEC. DS digest type
1 (SHA1) has also been deprecated. Validators are now expected
to treat these algorithms and digest as unknown, resulting in
some zones being treated as insecure when they were previously treated
as secure. Warnings have been added to named and tools when these
algorithms and this digest are being used for signing.

Zones signed with RSASHA1 or RSASHA1-NSEC-SHA1 should be migrated
to a different DNSKEY algorithm. 

Zones with DS or CDS records with digest type 1 (SHA1) should be
updated to use a different digest type (e.g. SHA256) and the digest
type 1 records should be removed.

Related to #5358

Backport of MR !10559

Merge branch 'backport-5358-add-sha1-deprecation-warnings-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10738
2025-07-16 09:31:28 +10:00
Mark Andrews
f702cb85ab Remove leftover test development echo
(cherry picked from commit 1a82a1999b)
2025-07-16 01:42:17 +10:00
Mark Andrews
ae47f5732e Redirect named-checkzone output to file
(cherry picked from commit 370d28de97)
2025-07-16 01:42:17 +10:00
Mark Andrews
77e6b07fae Digest type GOST is also deprecated
(cherry picked from commit 125a232bfb)
2025-07-16 01:42:17 +10:00
Mark Andrews
13afcc8af4 Check deprecated algorithms in dnssec-policy
(cherry picked from commit 86fb638085)
2025-07-16 01:42:17 +10:00
Mark Andrews
05062b6f66 Check that named-checkzone reports deprecated digests
(cherry picked from commit 95a82d0893)
2025-07-16 01:42:17 +10:00
Mark Andrews
2ee06d5b9d Check that named-checkzone reports deprecated algorithms
(cherry picked from commit 5d406677f1)
2025-07-16 01:42:15 +10:00
Mark Andrews
6d8281b913 Update man pages for deprecated algorithms
(cherry picked from commit 1e3e61ba53)
2025-07-16 01:40:00 +10:00
Mark Andrews
d03d58a10f Warn about deprecated DNSKEY and DS algorithms / digest types
DNSKEY algorithms RSASHA1 and RSASHA-NSEC3-SHA1 and DS digest type
SHA1 are deprecated.  Log when these are present in primary zone
files and when generating new DNSKEYs, DS and CDS records.

(cherry picked from commit cb6903c55e)
2025-07-16 01:39:58 +10:00
Štěpán Balážik
00239110f6 [9.20] chg: test: Use isctest.asyncserver in the "tsig" test
Replace the custom DNS server used in the "tsig" system test with
new code based on the isctest.asyncserver module.

Changes to isctest.asyncserver are required, previously it did not
handle TSIG signed queries at all. Now, with some hacking around
a [dnspython bug](https://github.com/rthalley/dnspython/issues/1205) it does.

Backport of MR !10566

Merge branch 'backport-stepan/tsig-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10732
2025-07-13 10:07:25 +00:00
Štěpán Balážik
cbee7c6c52 Use isctest.asyncserver in the "tsig" test
Replace the custom DNS server used in the "tsig" system test with
new code based on the isctest.asyncserver module.

(cherry picked from commit e34e831cab)
2025-07-13 09:34:22 +00:00
Štěpán Balážik
58571d588f Let queries with TSIG parse in isctest.asyncserver.AsyncDnsServer
Previously, upon receiving a query with TSIG, the server would log
an error and timeout. As there is no way to set up the keyring in the
class anyway (and I believe we don't need it), this commit lets such
queries parse but logs the fact that the query has TSIG.

However, there is a bug [1] in dnspython, which causes `make_response`
and `to_wire` to crash on messages constructed by `from_wire` with
`keyring=False`, so the hack with `message.__class__` is needed to work
around this.

This makes just enough changes for the tsig system test to work with
dnspython >= 2.0.0. On older version the server gives up.

[1] https://github.com/rthalley/dnspython/issues/1205

(cherry picked from commit 72ac1fe234)
2025-07-13 09:34:22 +00:00
Ondřej Surý
b7e7923daa [9.20] fix: usr: Clean enough memory when adding new ADB names/entries under memory pressure
The ADB memory cleaning is opportunistic even when we are under
memory pressure (in the overmem condition).  Split the opportunistic
LRU cleaning and overmem cleaning and make the overmem cleaning
always cleanup double of the newly allocated adbname/adbentry to
ensure we never allocate more memory than the assigned limit.

Backport of MR !10637

Merge branch 'backport-ondrej/enforce-memory-cleanup-in-ADB-when-overmem-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10707
2025-07-11 14:31:26 +02:00
Ondřej Surý
822ada5db1 When overmem, clean enough memory when adding new ADB names/entries
The purge_stale_names()/purge_stale_entries() is opportunistic even when
we are under memory pressure (overmem).  Split the opportunistic LRU
cleaning and overmem cleaning.  This makes the stale purging much
simpler as we don't have to try that hard and makes the overmem cleaning
always cleanup double the amount of the newly allocated ADB name/entry.

(cherry picked from commit eb0ffa0d5f)
2025-07-11 13:58:11 +02:00
Michal Nowak
20312d23e9 [9.20] chg: ci: Add "fips" tags to AlmaLinux FIPS machines
Backport of MR !10724

Merge branch 'backport-mnowak/add-fips-tags-to-fips-machines-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10729
2025-07-10 15:24:54 +02:00
Michal Nowak
99c23041ea Add "fips" tags to AlmaLinux FIPS machines
(cherry picked from commit 75dda37aa8)
2025-07-10 15:24:31 +02:00
Arаm Sаrgsyаn
8c50819aa8 [9.20] fix: usr: Fix dig issues
When used with the ``+keepopen`` option with a TCP connection, iscman:`dig`
could terminate unexpectedly in rare situations. Additionally, iscman:`dig`
could hang and fail to shutdown properly when interrupted during a query.
These have been fixed.

Closes #5381

Backport of MR !10681

Merge branch 'backport-5381-dig-keepalive-crash-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10727
2025-07-10 13:16:23 +00:00
Aram Sargsyan
33e37f7030 Fix a possible hang in dig if a send is interrupted/canceled
When send_done() is called with a ISC_R_CANCELED status (e.g. because
of a signal from ctrl+c), dig can fail to shutdown because
check_if_done() is not called in the branch. Add a check_if_done()
call.

(cherry picked from commit 5d1a8fe755)
2025-07-10 11:59:26 +00:00
Aram Sargsyan
b52d2e0392 Fix a query reference counting issue in dig
When reusing a TCP connection (because of the '+keepopen' option),
dig detaches from the query after launching it. This can cause a
crash in dig in rare cases when the "receive" callback is called
earlier than the "send" callback.

The '_cancel_lookup()' function detaches a query only if it's
found in the 'lookup->q' list. Before this commit, with one
additional detach happening before recv_done() -> _cancel_lookup()
is called, it didn't cause problems because an earlier _query_detach()
was unlinking the query from 'lookup->q' (because it was the last
reference), so the additional detach and the skipped detach were
undoing each other.

That is unless the "receive" callback was called earlier than the
"send" callback, in which case the additional detach wasn't destroying
the query (and wasn't unlinking it from 'lookup->q') because the "send"
callback's attachment was still there, and so _cancel_lookup() was
trying to "steal" the "send" callback's attachment and causing an
assertion on 'INSIST(query->sendhandle == NULL);'.

Delete the detachment which caused the described situation.

(cherry picked from commit a2685696aa)
2025-07-10 11:59:26 +00:00
Arаm Sаrgsyаn
47470b586d [9.20] fix: usr: Log dropped or slipped responses in the query-errors category
Responses which were dropped or slipped because of RRL (Response Rate
Limiting) were logged in the ``rate-limit`` category instead of the
``query-errors`` category, as documented in ARM. This has been fixed.

Closes #5388

Backport of MR !10676

Merge branch 'backport-5388-rrl-log-category-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10725
2025-07-10 11:15:59 +00:00
Aram Sargsyan
6a33125d7a Log dropped or slipped responses in the query-errors category
As mentioned in the comments block before the changed code block,
the dropped or slipped responses should be logged in the query
category (or rather query-errors category as done in lib/ns/client.c),
so that requests are not silently lost.

Also fix a couple of errors/typos in the code comments.

(cherry picked from commit 27e7961479)
2025-07-10 08:57:27 +00:00
Mark Andrews
7a3ec8dd94 [9.20] fix: dev: Fix a possible crash when adding a zone while recursing
A query for a zone that was not yet loaded may yield an unexpected result such as a CNAME or DNAME, triggering an assertion failure. This has been fixed.

Closes #5357

Backport of MR !10562

Merge branch 'backport-5357-resume-qmin-cname-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10718
2025-07-09 11:43:30 +10:00
Petr Menšík
c2f37f5da4 Add few extra WANT_QUERYTRACE logs into resume_qmin
Print optionally a bit more details not passed to event in case
dns_view_findzonecut returns unexpected result. Result would be
visible later in foundevent, but found fname would be lost. Print it
into the log.

(cherry picked from commit d2c6966232)
2025-07-09 11:05:27 +10:00
Petr Mensik
5fa9008a2d Handle CNAME and DNAME in resume_min in a special way
When authoritative zone is loaded when query minimization query for the
same zone is already pending, it might receive unexpected result codes.

Normally DNS_R_CNAME would follow to query_cname after processing sent
events, but dns_view_findzonecut does not fill CNAME target into
event->foundevent. Usual lookup via query_lookup would always have that
filled.

Ideally we would restart the query with unmodified search name, if
unexpected change from recursing to local zone cut were detected. Until
dns_view_findzonecut is modified to export zone/cache source of the cut,
at least fail queries which went into unexpected state.

(cherry picked from commit 2fd3da54f9)
2025-07-09 00:56:04 +00:00
Michal Nowak
f4fe7763d2 [9.20] new: ci: Add AlmaLinux 10
Backport of MR !10682

Merge branch 'backport-mnowak/add-almalinux-10-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10713
2025-07-08 16:37:10 +02:00
Michal Nowak
3ff4a8a478
Do not add AlmaLinux 9 unit and system test in MR pipelines
(cherry picked from commit 7c5c16ea6b)
2025-07-08 16:04:04 +02:00
Michal Nowak
42c1aea410
Add AlmaLinux 10
(cherry picked from commit 42367082cc)
2025-07-08 16:04:04 +02:00
Michal Nowak
9d63e6ef51 [9.20] fix: ci: Ensure PYTHON is set for every parse_tsan.py invocation
System tests' after_script missed the PYTHON environmental variable
setup.

Backport of MR !10683

Merge branch 'backport-mnowak/fix-parse_tsan-invocation-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10710
2025-07-08 12:59:58 +02:00
Michal Nowak
50c179ed4a
Ensure PYTHON is set for every parse_tsan.py invocation
(cherry picked from commit 8f858c4f03)
2025-07-08 12:25:33 +02:00
Nicki Křížek
f0aa484a2c [9.20] chg: test: Improve system test stability
Tweak various system test which have been unstable in the past weeks.

Closes #5406

Backport of MR !10690

Merge branch 'backport-nicki/improve-system-test-stability-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10703
2025-07-07 15:28:59 +02:00
Nicki Křížek
6566225033 Remove unstable check from digdelv test
The code which checks for both IPv4 and IPv6 mixed usage is inherently
unstable, since the address family is chosen randomly for each
connection.

Closes #5406

(cherry picked from commit b98660e93e)
2025-07-07 14:45:21 +02:00
Nicki Křížek
5f95ab6c54 Use pytest.mark.flaky as the flaky marker
It's possible to use pytest.mark.flaky, which achieves the exact same
thing as our custom-defined isctest.mark.flaky -- attempts to rerun the
test on failure, but only is flaky package is available.

(cherry picked from commit 4c487c811d)
2025-07-07 14:45:21 +02:00
Nicki Křížek
b88db3302b Mark secondary.kasp test case as flaky on freebsd13
The test_kasp_case[secondary.kasp] can sometimes fail on freebsd13. It
appears the test gets stuck on some operation which should be very
quick, but for some reason takes at least a few seconds, causing the
cb_ixfr_is_signed() function to time out.

In one of the cases I investigated, it wasn't a query/response that
caused a timeout, but rather some operation in between. The test
attempts to read from a keyfile/statefile, but I see no reason why that
should block.

In any case, try to increase the timeout for the verification, as that
shouldn't hurt. Also allow the test to be re-run on freebsd13, as it's
likely to be caused by some odd behaviour on that platform -- the issue
doesn't appear anywhere else.

(cherry picked from commit 126a59cef2)
2025-07-07 14:45:21 +02:00
Nicki Křížek
683e7e21ef Allow dnstap system test rerun on freebsd13
The check "unix socket message counts" sometimes fails with "dnstap
output file smaller than expected". This only happens on freebsd13 and
can't be reproduced easily. There was an attempt to decrease the
required file size in the past, but apparently, the issue can still
occur.

(cherry picked from commit 34867e1693)
2025-07-07 14:45:21 +02:00
Nicki Křížek
9a5050eaa7 Mark the serve_stale system test as flaky
The serve_stale test has some inherent instabilities affecting many
different checks. While the failure rate isn't too high (about four
failures in past three weeks of nightlies), it gets ignored, because the
test has been unstable for a very long time.

(cherry picked from commit 1e0df480c7)
2025-07-07 14:45:21 +02:00
Nicki Křížek
586973216d Remove token deletion check in keyfromlabel test
This removes a leftover check which should've been removed in a prior
change (see #5244). The softhsm2 failures when attempting to delete the
token should be ignored.

(cherry picked from commit 6755d741e4)
2025-07-07 14:45:21 +02:00
Nicki Křížek
92d79549c1 Increase test re-runs for enginepkcs11
The enginepkcs11 test has been chronically unstable for quite a while.
With no fix in sight, increase the number of allowed re-runs to reduce
the number of failures we see in the CI.

(cherry picked from commit 87ab198b73)
2025-07-07 14:45:08 +02:00
Nicki Křížek
1b9c63a501 Allow reruns for test_json and test_xml tests
These tests have been unstable under TSAN in the past, but it appears
that the same failure mode can happen outside of TSAN tests as well.
These tests have produced 12 failures combined in the past three weeks
in nightlies.

(cherry picked from commit 66f6f4bba9)
2025-07-07 14:12:58 +02:00
Nicki Křížek
a949294317 Increase test reruns for fetchlimit
The fetchlimit test has failed 8 times in the nightly CI over the past
three weeks. That makes the overall failure rate somewhere around 1 %,
which isn't a lot, but is still annoying when lots of testing is going
on.

(cherry picked from commit ae932eefc5)
2025-07-07 12:04:38 +00:00
Mark Andrews
1bbad947f7 [9.20] fix: test: rndc test: second 'rndc reconfig' happens too soon
Rndc test "test 'rndc reconfig' with a broken config" was failing
intermittently.

Wait for 'running' to be logged rather than just using 'sleep 1' before
calling 'rndc reconfig' a second time to get the expected error message
rather than 'reconfig request ignored: already running'.

Closes #5408

Backport of MR !10687

Merge branch 'backport-5408-rndc-test-second-rndc-reconfig-happens-too-soon-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10700
2025-07-07 12:58:36 +10:00
Mark Andrews
3bcaf7b3cb rndc test: second 'rndc reconfig' happens too soon
Rndc test "test 'rndc reconfig' with a broken config" was failing
intermittently.

Wait for 'running' to be logged rather than just using 'sleep 1' before
calling 'rndc reconfig' a second time to get the expected error message
rather than 'reconfig request ignored: already running'.

(cherry picked from commit 8b7bbda2f1)
2025-07-07 02:22:27 +00:00
Mark Andrews
fc689c6525 [9.20] fix: dev: Separate out adbname type flags
There are three adbname flags that are used to identify different
types of adbname lookups when hashing rather than using multiple
hash tables.  Separate these to their own structure element as these
need to be able to be read without locking the adbname structure.

Closes #5404

Backport of MR !10677

Merge branch 'backport-5404-seperate-out-adbname-type-flags-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10695
2025-07-07 11:44:24 +10:00
Mark Andrews
5c0057cc11 Separate out adbname flags that are hashed
There are three adbname flags that are used to identify different
types of adbname lookups when hashing rather than using multiple
hash tables.  Separate these to their own structure element as these
need to be able to be read without locking the adbname structure.

(cherry picked from commit 9158e63218)
2025-07-07 11:10:07 +10:00
Štěpán Balážik
0f5508b730 [9.20] chg: test: Disable DNSSEC validation instead of enabling it with empty TAs in system tests
There are many system tests where we set `dnssec-validation yes;` only
to also set `trust-anchors { };` which effectively disables the
validation.

This MR replaces this convoluted setup with just `dnssec-validation no;`.

Backport of MR !10684

Merge branch 'backport-stepan/empty-trust-anchors-in-system-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10698
2025-07-06 19:04:00 +00:00
Štěpán Balážik
bb1c79fd72 Disable DNSSEC validation instead of enabling it with empty TAs in tests
There are many system tests where we set `dnssec-validation yes;` only
to also set `trust-anchors { };` which effectively disables the
validation.

This commit replaces this convoluted setup with just
`dnssec-validation no;`.

(cherry picked from commit 01d1ad7988)
2025-07-06 16:55:03 +00:00
Štěpán Balážik
23f48d1781 [9.20] new: ci: Run an additional respdiff job for merge requests and schedules
On MRs it uses the merge target as the reference.
In schedules it uses the latest released version for this branch as the reference.

This MR lays the ground work for using respdiff on non-standard configurations (like ECS) in the public repo, see https://gitlab.isc.org/isc-private/bind9/-/merge_requests/807#note_573140.

To reduce the future hassle when maintaining the -S version, most of the work (including an added job, so we know that it actually works) is done here.

Backport of MR !10664

Merge branch 'backport-stepan/respdiff-against-merge-target-or-last-release-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10696
2025-07-06 14:43:06 +00:00
Štěpán Balážik
3d0da96a90 Run an additional respdiff job for merge requests and schedules
On MRs it uses the merge target as the reference.
In schedules it uses the latest released version for this branch as the
reference.

(cherry picked from commit 9a6e8b9190)
2025-07-06 16:08:24 +02:00
Michał Kępień
9d3fd52413 chg: doc: Set up version for BIND 9.20.12
Merge branch 'michal/set-up-version-for-bind-9.20.12' into 'bind-9.20'

See merge request isc-projects/bind9!10693
2025-07-04 22:16:27 +02:00