Add a TCP connection handler, IgnoreAllConnections, that allows
establishing a TCP connection but not reading anything from it.
This re-uses the horrible hack from ConnectionReset handler and might
break at any point in the future.
See the comments and e407888507 for more
details.
(cherry picked from commit 4042b805ff)
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
Closes #5567
Backport of MR !11115
Merge branch 'backport-5567-spatch-detect-more-error-conditions-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11133
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
(cherry picked from commit 44d1a97870)
Previously, dnssec-verify exited with code 0 if the options could not be parsed. This has been fixed.
Closes #5574
Backport of MR !11106
Merge branch 'backport-5574-dnssec-verify-uses-exit-code-0-when-failing-due-to-illegal-option-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11129
The :iscman:`dnssec-keygen` utility program failed to detect
possible Key ID collisions with the existing keys generated
using the non-default ``-T KEY`` option (e.g. for ``SIG(0)``).
This has been fixed.
Closes #5506
Backport of MR !11047
Merge branch 'backport-5506-dnssec-keygen-sig0-keys-collision-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11128
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells which type of keys the caller is
currently interested in.
(cherry picked from commit 49b7ce9a54)
During the system test execution, allow use of module-specific setup()
function in addition to the setup.sh script which this function should
ultimately replace.
The purpose of setup() is two-fold. First, it can execute any commands
needed to create the initial conditions for the test, such as creating
key materials, manipulating files etc. Second, it should return any
test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Backport of MR !10983
Merge branch 'backport-nicki/pytest-add-python-setup-func-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11126
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
(cherry picked from commit 377724c26d)
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.
In the tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
(cherry picked from commit fb4345afd4)
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.
The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
(cherry picked from commit 7474d38295)
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes #5581
Backport of MR !11109
Merge branch 'backport-5581-parse_dnskey-in-lib-dns-skr-c-was-failing-to-reset-comments-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11113
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit a949184eb7)
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
(cherry picked from commit 2d0fb3f25d)
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Backport of !865
Closes isc-projects/bind9#5343
Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling-9.20' into 'v9.20.15-release'
See merge request isc-private/bind9!866
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
(cherry picked from commit 7b26176c46)
Expect created.* and unused.* files at the end of running
the multisigner test.
Closes #5565
Backport of MR !11089
Merge branch 'backport-5565-multisigner-test-can-leave-created-and-unused-files-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11102
`nextpart file | grep -q` doesn't work as expected. `grep -q` is not
required to read all of the input and that causes `nextpart` to fail.
Closes #5566
Backport of MR !11090
Merge branch 'backport-5566-nextpart-piped-to-grep-q-doesn-t-work-as-expected-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11092
'nextpart file | grep -q' doesn't work as expected. 'grep -q' is not
required to read all of the input and that causes 'nextpart' to fail.
(cherry picked from commit 5beba4d292)
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
Closes #5564
Backport of MR !11088
Merge branch 'backport-5564-fix-bug-in-skr-c-parse_rr-on-error-path-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11091
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
(cherry picked from commit e5ceda617d)
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Backport of MR !11064
Merge branch 'backport-matthijs-clarify-import-key-dnssec-policy-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11078
You should not use dnssec-importkey to import DNSKEY records from
other providers (for example when setting up multi-signer).
Clarify this in the manpage.
(cherry picked from commit 4df536e0dc)
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Backport of MR !11066
Merge branch 'backport-5554-disable-keyfromlabel-collision-avoidance-in-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11074
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
(cherry picked from commit 2ecbe46e0d)
We agreed to make "expect" a direct attribute of KeyProperties, but it turns out the property is unused, so we can just remove it.
Closes #5278
Backport of MR !11042
Merge branch 'backport-5278-kasp-system-test-follow-up-1-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11065
Disable unsigned-int spatch in db.h to silence the following error from coccinelle v1.1:
```
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
```
Backport of MR !11062
Merge branch 'backport-marka-cocci-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11063
Disable unsigned-int spatch in db.h to silence the following error
from coccinelle v1.1:
EXN: Failure("./lib/dns/include/dns/db.h: 188: try to delete an expanded token: unsigned") in ./lib/dns/include/dns/db.h
(cherry picked from commit d89a535040)
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Backport of MR !11056
Merge branch 'backport-nicki/reuse-remove-m4-annotations-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11057
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
(cherry picked from commit e77f349240)