After a full sign we no longer need to take the sign delay into
account. Update the timing checks in keymgr_transition_time to determine
the start of the interval: Either the last change, or if SigPublish/
SigDelete is set. The latter case indicates a full sign was done and
so we no longer have to take the sign delay into account.
(cherry picked from commit 489752eb1f)
When introducing the kasp logic, a full sign of the zone did not
generate new signatures for the new active keys during a ZSK rollover.
The introduced kasp logic ensured that the rollover is performed
smoothly, as in the signatures are only replaced if the old signature
is close to expiring (depending on the signatures-refresh option).
Fix by maintaining a fullsign boolean value in the signing structure,
that will ensure the RRsets are signed with the correct key, rather
than a similar good key.
In case of a fullsign, we can also remove signatures from inactive
keys.
Remove the unused dns_zone_signwithkey function.
(cherry picked from commit 844bde0c70)
Add a check to the ZSK rollover test case that ensures the zone is
signed with the successor key only, after a 'rndc sign' is commanded.
(cherry picked from commit 008d3d2a9c)
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
Backport of MR !11005
Merge branch 'backport-nicki/ci-temporarily-disable-shotgun-jobs-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11008
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
(cherry picked from commit 2669463b43)
With the loopmgr rewrite in 9.20, the delv issue should no longer happen,
thus the delv tests can be executed under TSAN as well.
Related #4119
Backport of MR !10996
Merge branch 'backport-nicki/delv-reenable-under-tsan-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11004
With the loopmgr rewrite in 9.20, the delv issue should no longer happen,
thus the delv tests can be executed under TSAN as well.
(cherry picked from commit 7e118fdb06)
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
Backport of MR !10987
Merge branch 'backport-nicki/ci-restrict-rules-changes-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10992
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
(cherry picked from commit 02c58d9baa)
Use .sh(.in) file extension consistently for shell scripts
to allow more reliable detection of shell scripts based on their file
extension.
(cherry picked from commit 2d690499dd)
Fixes an issue where failing to reconfigure/reload the server would prevent preserving the views' caches on the subsequent server reconfiguration/reload.
Closes #5523
Backport of MR !10984
Merge branch 'backport-colin/fix-cache-revert-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10988
namedconf `request-zoneversion` option doesn't exist on 9.20, and was
actually useless for the purpose of the reload/fail/success cache test.
Remove this option so the test can run on 9.20
If the server is reloaded, new views are created and preexisting cache
is attached to those _but_ something goes wrong later, the previous
views are restored but the previous cache list is destroyed. This makes
the subsequent reload drop the existing cache. This fixes it by
avoiding a mutation of the old cache list.
(cherry picked from commit a1703fa35b)
A named bug scraps the cache on a second reload after an initial reload
failure. Adds a test checking that the cache is preserved between server
reconfiguration/reloads even if it fails at some point (after attempting
to re-use the cache) and the server is re-loaded later.
(cherry picked from commit 714693742e)
We would prefer if explicit $ORIGIN is used only for root zone and
nothing else, solely to avoid zone files named "..db". For all other
zones the file name should match zone name.
(cherry picked from commit 339e5162d6)
The dns_qpmulti_memusage() causes assertion failure when called on
freshly created qpmulti instance because the qp->usage hasn't been
allocated yet.
Backport of MR !10977
Merge branch 'backport-ondrej/fix-qpmulti_memusage-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10982
The dns_qpmulti_memusage() causes assertion failure when called on
freshly created qpmulti instance because the qp->usage hasn't been
allocated yet.
(cherry picked from commit b2f653b332)
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
(cherry picked from commit 66e58d3315)
The new order hopefully reflects likelihood of someone reading from start
to the end:
DNSSEC Guide
Manual Pages
General DNS Reference Information
Release Notes
Changelog
A Brief History of the DNS and BIND
(cherry picked from commit ed0db245be)
The RRSIGs for glue records were not being cached correctly for CD=1 queries. This has been fixed.
Closes #5502
Backport of MR !10938
Merge branch 'backport-5502-fix-missing-rrsig-with-cd-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10956
The code to test whether to store the RRSIGs on DNS_R_UNCHANGED
with CD=1 was failing because the comparison methods of the two
rdataset instances were not compatible. Move the testing into
dns_db_addrdataset(), and request it by setting the DNS_ADD_EQUALOK
option. If the option is set and the old and new rrsets compare
as equal, dns_db_addrdataset() returns ISC_R_SUCCESS instead of
DNS_R_UNCHANGED.
(cherry picked from commit b954a1df43)
Update to REUSE Specification 3.2+ that uses REUSE.toml instead of DEP5
based specification.
Backport of MR !10945
Merge branch 'backport-ondrej/cover-reuse-dep5-to-toml-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10949
Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.
Merge branch 'pspacek/prepare-documentation-for-bind-9.20.13' into 'v9.20.13-release'
See merge request isc-private/bind9!836
Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.
Related to #4606
Backport of MR !10941
Merge branch 'backport-4606-document-rndc-dnssec-step-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10943
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
Backport of MR !10904
Merge branch 'backport-aram/rpz-servfail-until-ready-tunings-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10940
Since the log level has been raised, busy servers can "explode" from
the amount of log messages. Use the usual practice of logging "every
once in a while".
(cherry picked from commit 1962857ac4)
The "RPZ not ready yet" message is logged at debug 3 level. Use the
info level instead for better visibility.
After raising the log level, the rpz_log_fail_helper() function starts
appending " failed: " to the message. Change the log message so it
makes more sense.
(cherry picked from commit 49356ce944)
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
(cherry picked from commit d9b5f6c502)
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
Closes #5485
Backport of MR !10909
Merge branch 'backport-ondrej/clarify-rrset-order-random-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10935
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
(cherry picked from commit 369c8dc388)
Closes #5444
Backport of MR !10795
Merge branch 'backport-5444-add-hhit-and-brid-records-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10932