Commit graph

43171 commits

Author SHA1 Message Date
Michal Nowak
bc35b646b9
Use clang-format-21 to update formatting 2025-10-21 12:12:01 +02:00
Michal Nowak
a3f30525d4
Update Clang to version 21
(cherry picked from commit 6770f3d608)
2025-10-21 12:08:42 +02:00
Mark Andrews
df78279777 [9.20] fix: nil: Fix parse_dnskey in bin/dnssec/dnssec-ksr.c was failing to reset comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.

Closes #5581

Backport of MR !11109

Merge branch 'backport-5581-parse_dnskey-in-lib-dns-skr-c-was-failing-to-reset-comments-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11113
2025-10-20 12:21:00 +11:00
Mark Andrews
174355101e Fix parse_dnskey in bin/dnssec/dnssec-ksr.c was failing to reset comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.

(cherry picked from commit a949184eb7)
2025-10-20 00:33:04 +00:00
Mark Andrews
525d821e1a [9.20] fix: test: multisigner test can leave created.* and unused.* files
Expect created.* and unused.* files at the end of running
the multisigner test.

Closes #5565

Backport of MR !11089

Merge branch 'backport-5565-multisigner-test-can-leave-created-and-unused-files-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11102
2025-10-16 12:15:41 +11:00
Mark Andrews
09745353dd Expect created.* and unused.* files
(cherry picked from commit 3a7f8e1d12)
2025-10-16 00:35:53 +00:00
Mark Andrews
916f539602 [9.20] fix: test: "nextpart" piped to "grep -q" doesn't work as expected
`nextpart file | grep -q` doesn't work as expected.  `grep -q` is not
required to read all of the input and that causes `nextpart` to fail.

Closes #5566

Backport of MR !11090

Merge branch 'backport-5566-nextpart-piped-to-grep-q-doesn-t-work-as-expected-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11092
2025-10-14 22:02:31 +11:00
Mark Andrews
294fd7300f 'nextpart' and 'grep -q' don't work together
'nextpart file | grep -q' doesn't work as expected.  'grep -q' is not
required to read all of the input and that causes 'nextpart' to fail.

(cherry picked from commit 5beba4d292)
2025-10-14 21:26:47 +11:00
Mark Andrews
a7eed45fa1 [9.20] fix: nil: Fix parse_rr in lib/dns/skr.c was failing to reset the comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.

Closes #5564

Backport of MR !11088

Merge branch 'backport-5564-fix-bug-in-skr-c-parse_rr-on-error-path-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11091
2025-10-14 18:28:01 +11:00
Mark Andrews
d70cb26231 Fix parse_rr in lib/dns/skr.c was failing to reset the comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.

(cherry picked from commit e5ceda617d)
2025-10-14 06:48:57 +00:00
Michał Kępień
595ebac9a4 chg: doc: Set up version for BIND 9.20.16
Merge branch 'michal/set-up-version-for-bind-9.20.16' into 'bind-9.20'

See merge request isc-projects/bind9!11084
2025-10-13 15:42:56 +02:00
Michał Kępień
48956122d5 Update BIND version to 9.20.16-dev 2025-10-13 15:39:42 +02:00
Matthijs Mekking
f9cbd3484e [9.20] chg: nil: Add dnssec-policy text for dnssec-importkey
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.

Backport of MR !11064

Merge branch 'backport-matthijs-clarify-import-key-dnssec-policy-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11078
2025-10-11 08:32:14 +00:00
Matthijs Mekking
97cc940286 Add dnssec-policy text for dnssec-importkey
You should not use dnssec-importkey to import DNSKEY records from
other providers (for example when setting up multi-signer).

Clarify this in the manpage.

(cherry picked from commit 4df536e0dc)
2025-10-10 17:35:59 +00:00
Nicki Křížek
190240d4ec [9.20] fix: test: Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.

Closes #5554

Backport of MR !11066

Merge branch 'backport-5554-disable-keyfromlabel-collision-avoidance-in-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11074
2025-10-10 13:07:27 +02:00
Nicki Křížek
acc9e61bfa Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.

(cherry picked from commit 2ecbe46e0d)
2025-10-10 11:31:53 +02:00
Matthijs Mekking
4833ba7657 [9.20] chg: test: Remove KeyProperties property expect
We agreed to make "expect" a direct attribute of KeyProperties, but it turns out the property is unused, so we can just remove it.

Closes #5278

Backport of MR !11042

Merge branch 'backport-5278-kasp-system-test-follow-up-1-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11065
2025-10-08 09:57:22 +00:00
Matthijs Mekking
4851d88ac4 Make properties direct attribute of KeyProperties
There is no real reason to keep those in a dictionary.

(cherry picked from commit 2d7ab28ce2)
2025-10-08 08:33:37 +00:00
Matthijs Mekking
5f70e40c9e Remove KeyProperties property expect
This property is unused, so we can just remove it.

(cherry picked from commit ade333bb64)
2025-10-08 08:33:37 +00:00
Mark Andrews
fb85075815 [9.20] fix: nil: Exclude lib/dns/include/dns/db.h from unsigned-int.spatch
Disable unsigned-int spatch in db.h to silence the following error from coccinelle v1.1:

```
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
```

Backport of MR !11062

Merge branch 'backport-marka-cocci-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11063
2025-10-08 18:07:30 +11:00
Mark Andrews
feb2222ff6 Exclude lib/dns/include/dns/db.h from unsigned-int.spatch
Disable unsigned-int spatch in db.h to silence the following error
from coccinelle v1.1:

    EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h

(cherry picked from commit d89a535040)
2025-10-08 17:28:03 +11:00
Nicki Křížek
8909bb1fdc [9.20] fix: ci: Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.

Backport of MR !11056

Merge branch 'backport-nicki/reuse-remove-m4-annotations-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11057
2025-10-06 18:12:56 +02:00
Nicki Křížek
2d0fb3f25d Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.

(cherry picked from commit e77f349240)
2025-10-06 18:07:02 +02:00
Michał Kępień
92b8ddb0ff chg: doc: Set up version for BIND 9.20.15
Merge branch 'michal/set-up-version-for-bind-9.20.15' into 'bind-9.20'

See merge request isc-projects/bind9!11050
2025-10-02 17:53:31 +02:00
Michał Kępień
b688d49af8 Update BIND version to 9.20.15-dev 2025-10-02 17:51:22 +02:00
Matthijs Mekking
ed9b7ea8ab [9.20] chg: test: Convert kasp sub-test comments to info logs
Follow-up on the discussion on the kasp system test rewrite to pytest.

Closes #5289

Backport of MR !11043

Merge branch 'backport-5289-kasp-system-test-follow-up-2-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11045
2025-10-02 08:02:31 +00:00
Matthijs Mekking
553128e125 Convert kasp sub-test comments to info logs
Follow-up on the discussion on the kasp system test rewrite to pytest.

(cherry picked from commit 893f417e1e)
2025-10-02 07:25:46 +00:00
Michał Kępień
9a959353b0 [9.20] new: ci: Prepare release announcement MR
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.

Backport of MR !11039

Merge branch 'backport-andoni/release-announcement-preparation-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11040
2025-10-01 20:55:34 +02:00
Andoni Duarte Pintado
05cf0b28b0 Create release announcement MR
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.

(cherry picked from commit 0f75741341)
2025-10-01 14:21:18 +00:00
Matthijs Mekking
c6acbaa020 [9.20] chg: dev: Minor refactor of dst code
Convert the defines to enums. Initialize the tags more explicitly and less ugly.

Backport of MR !11000

Merge branch 'backport-matthijs-ugly-kid-joe-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11038
2025-10-01 13:09:14 +00:00
Matthijs Mekking
c2c6f60928 Minor refactor of dst code
Convert the defines to enums. Initialize the tags more explicitly and
less ugly.

(cherry picked from commit 4a0c829584)
2025-10-01 12:26:40 +00:00
Colin Vidal
e2260b8070 [9.20] fix: dev: check plugin config before registering
In `named_config_parsefile()`, when checking the validity of
`named.conf`, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
the checking was never actually done: the `plugin_register()`
implementation was called, but `plugin_check()` was not.

`ns_plugin_register()` (used by `named`) now calls the check function
before the register function, and aborts if either one fails.
`ns_plugin_check()` (used by `named-checkconf`) calls only
the check function.

Backport of MR !11031

Merge branch 'backport-each-check-plugin-named-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11032
2025-10-01 11:55:48 +02:00
Colin Vidal
5a98141a00 check plugin config before registering
In named_config_parsefile(), when checking the validity of
named.conf, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
when the plugin was registered, the checking was never actually
done: the plugin_register() implementation was called, but
plugin_check() was not.

This made it necessary to duplicate the correctness checking in both
functions, so that both named-checkconf and named could catch errors.
That should not be required.

ns_plugin_register() now calls the check function before the register
function, and aborts if either one fails.  ns_plugin_check() calls only
the check function.  ns_plugin_check() is used by named-checkconf, and
ns_plugin_register() is used by named. (Note: this design has a
side effect that a call to ns_plugin_register() will result in the
plugin parameters being parsed twice at registration time.)

Partial backport of !11031
2025-10-01 11:16:11 +02:00
Nicki Křížek
acbdfec68d [9.20] chg: test: Don't check the EDE extra text in dnssec tests
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.

Closes #5512

Merge branch '5512-dont-check-ede-text-in-tests' into 'bind-9.20'

See merge request isc-projects/bind9!11026
2025-09-29 16:20:06 +02:00
Nicki Křížek
db1e7c5332 Don't check the EDE extra text in dnssec tests
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.
2025-09-29 15:42:20 +02:00
Michał Kępień
1f5a0405f7 [9.20] new: usr: Add dnssec-policy keys configuration check to named-checkconf
A new option `-k` is added to `named-checkconf` that allows checking the `dnssec-policy` `keys` configuration against the configured key stores. If the found key files are not in sync with the given `dnssec-policy`, the check will fail.

This is useful to run before migrating to `dnssec-policy`.

Closes #5486

Backport of MR !10907

Merge branch 'backport-5486-named-checkconf-dnssec-policy-key-directory-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11011
2025-09-29 15:13:55 +02:00
Matthijs Mekking
c1bf603bb6
Change checkconf to include built-in dnssec-policy
The configuration should also take into account the built-in
DNSSEC policies when verifying the keys in the key-directory match the
given policy. Update the code accordingly and add some good and
failure test cases.

(cherry picked from commit dcd49f2ead)
2025-09-29 15:13:26 +02:00
Matthijs Mekking
bde4f699ab
Test named-checkconf -k
Test named-checkconf -k option, that checks the dnssec-policy against
the configured keystores.

(cherry picked from commit 3918a8ca4c)
2025-09-29 15:13:26 +02:00
Matthijs Mekking
079898cbf6
Implement named-checkconf -k (check keys)
With named-checkconf -k you can check your configuration including
checking the dnssec-policy keys against the configured keystores. If
there is a mismatch in the key files versus the policy, named-checkconf
will fail. This is useful for running before migrating to dnssec-policy.

For logging purposes, introduce a function that writes the identifying
information about a policy key into a string.

Allow a dnssec key to be initialized outside the keymgr code.

Add 'log_errors' to 'cfg_kasp_fromconfig' to avoid duplicate error
logs.

(cherry picked from commit 9fe520ece9)
2025-09-29 15:13:26 +02:00
Andoni Duarte
8090fbb5b6 [9.20] new: ci: Merge tag back to its base branch in tag pipeline
Add a CI job to merge tags back to the respective base branch in tag pipelines.

Backport of MR !11001

Merge branch 'backport-andoni/add-merge-tag-to-tag-pipeline-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11024
2025-09-29 12:56:55 +00:00
Andoni Duarte Pintado
beab1db789 Merge tag back to its base branch in tag pipeline
Merging a tag to its base branch will now be a manual job in its tag
pipeline.

(cherry picked from commit 22bc6a7063)
2025-09-29 12:02:38 +00:00
Michał Kępień
64b4f5abd2 [9.20] fix: nil: Reformat strings broken by successive clang-format runs
Backport of MR !11002

Merge branch 'backport-marka-re-format-strings-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11006
2025-09-29 13:17:12 +02:00
Mark Andrews
2ce20f6e49
re-split STATIC_ASSERT message
(cherry picked from commit ccc41c7044)
2025-09-29 13:08:04 +02:00
Mark Andrews
0c1dc9a3eb
re-split log message text
(cherry picked from commit a64c350523)
2025-09-29 13:08:04 +02:00
Mark Andrews
986816baa7 [9.20] fix: usr: Use signer name when disabling DNSSEC algorithms
``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; `disable-algorithms` now works
on a whole-of-zone basis.

If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses. 

Closes #5165

Backport of MR !10837

Merge branch 'backport-5165-use-signer-name-when-disabling-dnssec-algorithms-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11014
2025-09-29 11:52:00 +10:00
Matthijs Mekking
dd891dd761 Check disable-algorithms with non-zone names
Test that if disable-algorithms is configured on a name that is below
the zonecut, it still validates (z.secure.example).

Test that if disable-algorithms is configured on a name that is above
the zonecut, it is treated as insecure (zonecut.ent.secure.example).

(cherry picked from commit 81d3a29e4e)
2025-09-29 11:16:24 +10:00
Mark Andrews
3ddf4e957b Make it clearer that disable-algorithms applies to zone names
(cherry picked from commit 28848ab578)
2025-09-29 11:16:24 +10:00
Mark Andrews
3a6021beb3 Check that badalg.secure.example resolves
Previously, badalg.secure.example would return SERVFAIL because the DS
records (from the parent) could not be validated.

(cherry picked from commit 21934102d3)
2025-09-29 11:16:24 +10:00
Mark Andrews
2554a724d4 Use signer name when disabling DNSSEC algorithms
When disabling algorithms, use the signer name to determine if the
algorithm is disabled or not.  This allows for algorithms to be
cleanly disabled on a zone level basis.  Previously, just using the
records owner name, "disable-algorithms" could impact resolution of
names that where not disabled.  This does now mean that
"disable-algorithms" can not be used to disable part of a zone anymore.

(cherry picked from commit a0945f6337)
2025-09-29 11:16:24 +10:00
Matthijs Mekking
d2f551140c [9.20] fix: usr: rndc sign during ZSK rollover will now replace signatures
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the :option:`rndc sign` command now signs the zone completely with the successor key, replacing all zone signatures from the predecessor key with new ones.

Closes #5483

Backport of MR !10867

Merge branch 'backport-5483-smooth-operator-bug-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11017
2025-09-26 13:11:45 +00:00