In `named_config_parsefile()`, when checking the validity of
`named.conf`, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
the checking was never actually done: the `plugin_register()`
implementation was called, but `plugin_check()` was not.
`ns_plugin_register()` (used by `named`) now calls the check function
before the register function, and aborts if either one fails.
`ns_plugin_check()` (used by `named-checkconf`) calls only
the check function.
Backport of MR !11031
Merge branch 'backport-each-check-plugin-named-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11032
In named_config_parsefile(), when checking the validity of
named.conf, the checking of plugin correctness was deliberately
postponed until the plugin is loaded and registered. However,
when the plugin was registered, the checking was never actually
done: the plugin_register() implementation was called, but
plugin_check() was not.
This made it necessary to duplicate the correctness checking in both
functions, so that both named-checkconf and named could catch errors.
That should not be required.
ns_plugin_register() now calls the check function before the register
function, and aborts if either one fails. ns_plugin_check() calls only
the check function. ns_plugin_check() is used by named-checkconf, and
ns_plugin_register() is used by named. (Note: this design has a
side effect that a call to ns_plugin_register() will result in the
plugin parameters being parsed twice at registration time.)
Partial backport of !11031
While the extra text field in EDE can be useful debug information, it
doesn't need to be checked in the tests. In some cases, differences in
caching could lead to slightly different messages which would trigger a
false positive test result. Omit these checks, as they're no longer
checked for anyway in 9.21+ where the test has been rewritten to python.
Closes #5512
Merge branch '5512-dont-check-ede-text-in-tests' into 'bind-9.20'
See merge request isc-projects/bind9!11026
A new option `-k` is added to `named-checkconf` that allows checking the `dnssec-policy` `keys` configuration against the configured key stores. If the found key files are not in sync with the given `dnssec-policy`, the check will fail.
This is useful to run before migrating to `dnssec-policy`.
Closes #5486
Backport of MR !10907
Merge branch 'backport-5486-named-checkconf-dnssec-policy-key-directory-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11011
The configuration should also take into account the built-in
DNSSEC policies when verifying the keys in the key-directory match the
given policy. Update the code accordingly and add some good and
failure test cases.
(cherry picked from commit dcd49f2ead)
With named-checkconf -k you can check your configuration including
checking the dnssec-policy keys against the configured keystores. If
there is a mismatch in the key files versus the policy, named-checkconf
will fail. This is useful for running before migrating to dnssec-policy.
For logging purposes, introduce a function that writes the identifying
information about a policy key into a string.
Allow a dnssec key to be initialized outside the keymgr code.
Add 'log_errors' to 'cfg_kasp_fromconfig' to avoid duplicate error
logs.
(cherry picked from commit 9fe520ece9)
Add a CI job to merge tags back to the respective base branch in tag pipelines.
Backport of MR !11001
Merge branch 'backport-andoni/add-merge-tag-to-tag-pipeline-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11024
``disable-algorithms`` could cause DNSSEC validation failures when the parent zone was
signed with the algorithms that were being disabled for the child zone.
This has been fixed; ``disable-algorithms`` now works
on a whole-of-zone basis.
If the zone's name is at or below the ``disable-algorithms`` name the algorithm
is disabled for that zone, using deepest match when there are multiple
``disable-algorithms`` clauses.
Closes #5165
Backport of MR !10837
Merge branch 'backport-5165-use-signer-name-when-disabling-dnssec-algorithms-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11014
Test that if disable-algorithms is configured on a name that is below
the zonecut, it still validates (z.secure.example).
Test that if disable-algorithms is configured on a name that is above
the zonecut, it is treated as insecure (zonecut.ent.secure.example).
(cherry picked from commit 81d3a29e4e)
Previously, badalg.secure.example would return SERVFAIL because the DS
records (from the parent) could not be validated.
(cherry picked from commit 21934102d3)
When disabling algorithms, use the signer name to determine if the
algorithm is disabled or not. This allows for algorithms to be
cleanly disabled on a zone level basis. Previously, just using the
records owner name, "disable-algorithms" could impact resolution of
names that were not disabled. This does now mean that
"disable-algorithms" cannot be used to disable part of a zone anymore.
(cherry picked from commit a0945f6337)
When performing a ZSK rollover, if the new DNSKEY is omnipresent, the :option:`rndc sign` command now signs the zone completely with the successor key, replacing all zone signatures from the predecessor key with new ones.
Closes #5483
Backport of MR !10867
Merge branch 'backport-5483-smooth-operator-bug-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11017
After a full sign we no longer need to take the sign delay into
account. Update the timing checks in keymgr_transition_time to determine
the start of the interval: Either the last change, or if SigPublish/
SigDelete is set. The latter case indicates a full sign was done and
so we no longer have to take the sign delay into account.
(cherry picked from commit 489752eb1f)
When introducing the kasp logic, a full sign of the zone did not
generate new signatures for the new active keys during a ZSK rollover.
The introduced kasp logic ensured that the rollover is performed
smoothly, as in the signatures are only replaced if the old signature
is close to expiring (depending on the signatures-refresh option).
Fix by maintaining a fullsign boolean value in the signing structure,
that will ensure the RRsets are signed with the correct key, rather
than a similar good key.
In case of a fullsign, we can also remove signatures from inactive
keys.
Remove the unused dns_zone_signwithkey function.
(cherry picked from commit 844bde0c70)
Add a check to the ZSK rollover test case that ensures the zone is
signed with the successor key only, after a 'rndc sign' is commanded.
(cherry picked from commit 008d3d2a9c)
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
Backport of MR !11005
Merge branch 'backport-nicki/ci-temporarily-disable-shotgun-jobs-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11008
(cherry picked from commit 2669463b43)
With the loopmgr rewrite in 9.20, the delv issue should no longer happen,
thus the delv tests can be executed under TSAN as well.
Related #4119
Backport of MR !10996
Merge branch 'backport-nicki/delv-reenable-under-tsan-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11004
(cherry picked from commit 7e118fdb06)
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
Backport of MR !10987
Merge branch 'backport-nicki/ci-restrict-rules-changes-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10992
(cherry picked from commit 02c58d9baa)
Use .sh(.in) file extension consistently for shell scripts
to allow more reliable detection of shell scripts based on their file
extension.
(cherry picked from commit 2d690499dd)
Fixes an issue where failing to reconfigure/reload the server would prevent the views' caches from being preserved on the subsequent server reconfiguration/reload.
Closes #5523
Backport of MR !10984
Merge branch 'backport-colin/fix-cache-revert-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10988
namedconf `request-zoneversion` option doesn't exist on 9.20, and was
actually useless for the purpose of the reload/fail/success cache test.
Remove this option so the test can run on 9.20.
If the server is reloaded, new views are created and the preexisting cache
is attached to those, _but_ if something goes wrong later, the previous
views are restored while the previous cache list is destroyed. This makes
the subsequent reload drop the existing cache. This fixes it by
avoiding a mutation of the old cache list.
(cherry picked from commit a1703fa35b)
A named bug scrapped the cache on a second reload after an initial reload
failure. This adds a test checking that the cache is preserved between server
reconfigurations/reloads even if it fails at some point (after attempting
to re-use the cache) and the server is reloaded later.
(cherry picked from commit 714693742e)
We would prefer if explicit $ORIGIN is used only for root zone and
nothing else, solely to avoid zone files named "..db". For all other
zones the file name should match zone name.
(cherry picked from commit 339e5162d6)
dns_qpmulti_memusage() causes an assertion failure when called on a
freshly created qpmulti instance because qp->usage hasn't been
allocated yet.
Backport of MR !10977
Merge branch 'backport-ondrej/fix-qpmulti_memusage-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10982
(cherry picked from commit b2f653b332)
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
(cherry picked from commit 66e58d3315)
The new order hopefully reflects likelihood of someone reading from start
to the end:
DNSSEC Guide
Manual Pages
General DNS Reference Information
Release Notes
Changelog
A Brief History of the DNS and BIND
(cherry picked from commit ed0db245be)
The RRSIGs for glue records were not being cached correctly for CD=1 queries. This has been fixed.
Closes #5502
Backport of MR !10938
Merge branch 'backport-5502-fix-missing-rrsig-with-cd-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10956
The code to test whether to store the RRSIGs on DNS_R_UNCHANGED
with CD=1 was failing because the comparison methods of the two
rdataset instances were not compatible. Move the testing into
dns_db_addrdataset(), and request it by setting the DNS_ADD_EQUALOK
option. If the option is set and the old and new rrsets compare
as equal, dns_db_addrdataset() returns ISC_R_SUCCESS instead of
DNS_R_UNCHANGED.
(cherry picked from commit b954a1df43)
Update to REUSE Specification 3.2+, which uses REUSE.toml instead of the DEP5-based
specification.
Backport of MR !10945
Merge branch 'backport-ondrej/cover-reuse-dep5-to-toml-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10949