If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes#5581
Backport of MR !11109
Merge branch 'backport-5581-parse_dnskey-in-lib-dns-skr-c-was-failing-to-reset-comments-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11113
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit a949184eb7)
Expect created.* and unused.* files at the end of running
the multisigner test.
Closes#5565
Backport of MR !11089
Merge branch 'backport-5565-multisigner-test-can-leave-created-and-unused-files-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11102
`nextpart file | grep -q` doesn't work as expected. `grep -q` is not
required to read all of the input and that causes `nextpart` to fail.
Closes#5566
Backport of MR !11090
Merge branch 'backport-5566-nextpart-piped-to-grep-q-doesn-t-work-as-expected-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11092
'nextpart file | grep -q' doesn't work as expected. 'grep -q' is not
required to read all of the input and that causes 'nextpart' to fail.
(cherry picked from commit 5beba4d292)
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes#5564
Backport of MR !11088
Merge branch 'backport-5564-fix-bug-in-skr-c-parse_rr-on-error-path-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11091
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit e5ceda617d)
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Backport of MR !11064
Merge branch 'backport-matthijs-clarify-import-key-dnssec-policy-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11078
You should not use dnssec-importkey to import DNSKEY records from
other providers (for example when setting up multi-signer).
Clarify this in the manpage.
(cherry picked from commit 4df536e0dc)
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes#5554
Backport of MR !11066
Merge branch 'backport-5554-disable-keyfromlabel-collision-avoidance-in-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11074
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
(cherry picked from commit 2ecbe46e0d)
We agreed to make "expect" a direct attribute of KeyProperties, but it turns out the property is unused, so we can just remove it.
Closes#5278
Backport of MR !11042
Merge branch 'backport-5278-kasp-system-test-follow-up-1-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11065
Disable unsigned-int spatch in db.h to silence the following error from coccinelle v1.1:
```
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
```
Backport of MR !11062
Merge branch 'backport-marka-cocci-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11063
Disable unsigned-int spatch in db.h to silence the following error
from coccinelle v1.1:
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
(cherry picked from commit d89a535040)
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Backport of MR !11056
Merge branch 'backport-nicki/reuse-remove-m4-annotations-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11057
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
(cherry picked from commit e77f349240)
Follow-up on the discussion on the kasp system test rewrite to pytest.
Closes#5289
Backport of MR !11043
Merge branch 'backport-5289-kasp-system-test-follow-up-2-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11045
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
Backport of MR !11039
Merge branch 'backport-andoni/release-announcement-preparation-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11040
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
(cherry picked from commit 0f75741341)
Convert the defines to enums. Initialize the tags more explicitly and less ugly.
Backport of MR !11000
Merge branch 'backport-matthijs-ugly-kid-joe-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11038
In `named_config_parsefile()`, when checking the validity of
`named.conf`, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
the checking was never actually done: the `plugin_register()`
implementation was called, but `plugin_check()` was not.
`ns_plugin_register()` (used by `named`) now calls the check function
before the register function, and aborts if either one fails.
`ns_plugin_check()` (used by `named-checkconf`) calls only
the check function.
Backport of MR !11031
Merge branch 'backport-each-check-plugin-named-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11032
In named_config_parsefile(), when checking the validity of
named.conf, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
when the plugin was registered, the checking was never actually
done: the plugin_register() implementation was called, but
plugin_check() was not.
This made it necessary to duplicate the correctness checking in both
functions, so that both named-checkconf and named could catch errors.
That should not be required.
ns_plugin_register() now calls the check function before the register
function, and aborts if either one fails. ns_plugin_check() calls only
the check function. ns_plugin_check() is used by named-checkconf, and
ns_plugin_register() is used by named. (Note: this design has a
side effect that a call to ns_plugin_register() will result in the
plugin parameters being parsed twice at registration time.)
Partial backport of !11031
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.
Closes#5512
Merge branch '5512-dont-check-ede-text-in-tests' into 'bind-9.20'
See merge request isc-projects/bind9!11026
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.
A new option `-k` is added to `named-checkconf` that allows checking the `dnssec-policy` `keys` configuration against the configured key stores. If the found key files are not in sync with the given `dnssec-policy`, the check will fail.
This is useful to run before migrating to `dnssec-policy`.
Closes#5486
Backport of MR !10907
Merge branch 'backport-5486-named-checkconf-dnssec-policy-key-directory-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11011
The configuration should also take into account the built-in
DNSSEC policies when verifying the keys in the key-directory match the
given policy. Update the code accordingly and add some good and
failure test cases.
(cherry picked from commit dcd49f2ead)
With named-checkconf -k you can check your configuration including
checking the dnssec-policy keys against the configured keystores. If
there is a mismatch in the key files versus the policy, named-checkconf
will fail. This is useful for running before migrating to dnssec-policy.
For logging purposes, introduce a function that writes the identifying
information about a policy key into a string.
Allow a dnssec key to be initialized outside the keymgr code.
Add 'log_errors' to 'cfg_kasp_fromconfig' to avoid duplicate error
logs.
(cherry picked from commit 9fe520ece9)
Add a CI job to merge tags back to the respective base branch in tag pipelines.
Backport of MR !11001
Merge branch 'backport-andoni/add-merge-tag-to-tag-pipeline-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11024
``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; `disable-algorithms` now works
on a whole-of-zone basis.
If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses.
Closes#5165
Backport of MR !10837
Merge branch 'backport-5165-use-signer-name-when-disabling-dnssec-algorithms-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11014
Test that if disable-algorithms is configured on a name that is below
the zonecut, it still validates (z.secure.example).
Test that if disable-algorithms is configured on a name that is above
the zonecut, it is treated as insecure (zonecut.ent.secure.example).
(cherry picked from commit 81d3a29e4e)
Previously, badalg.secure.example would return SERVFAIL because the DS
records (from the parent) could not be validated.
(cherry picked from commit 21934102d3)
When disabling algorithms, use the signer name to determine if the
algorithm is disabled or not. This allows for algorithms to be
cleanly disabled on a zone level basis. Previously, just using the
records owner name, "disable-algorithms" could impact resolution of
names that where not disabled. This does now mean that
"disable-algorithms" can not be used to disable part of a zone anymore.
(cherry picked from commit a0945f6337)
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the :option:`rndc sign` command now signs the zone completely with the successor key, replacing all zone signatures from the predecessor key with new ones.
Closes#5483
Backport of MR !10867
Merge branch 'backport-5483-smooth-operator-bug-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11017