Exclude named.args.j2 files from license header checks so named.args can
be generated from Jinja templates. Also exclude system test README files
from the license header checks.
Backport of MR !11690
Merge branch 'backport-colin/reuse-namedargs-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11697
New CI jobs are added to update the RPM packages in the context of a new
release. To be run only in tag pipelines.
Backport of MR !11677
Merge branch 'backport-andoni/andoni/new-ci-add-job-to-update-rpms-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11679
New CI jobs are added to update the RPM packages in the context of a new
release. To be run only in tag pipelines.
(cherry picked from commit 985a1e1664)
As hinted upon by the comment preceding it, the job preparing packager
notifications was (rather unsurprisingly) supposed to be called
"prepare-packager-notification". Fix the typo in its name.
(cherry picked from commit 50e18f6720)
Technically this is not necessary because the token expires in one week
after creation, and new code would have got there only one week before
the next public release, but better be safe than sorry.
Catch is, after_script gets executed even if a job fails or is
canceled. Delete distros token only if publication succeeded.
(cherry picked from commit 98cbde5233)
tostruct_in_dhcid was not setting the length field in the
dns_rdata_in_dhcid structure. This has been fixed.
Fixes #5796
Backport of MR !11668
Merge branch 'backport-marka-set-dhcid-length-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11673
Clarify the behavior of negated addresses within the `blackhole`
statement to prevent common configuration misunderstandings.
Closes #5733
Backport of MR !11541
Merge branch 'backport-5733-expand-blackhole-description-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11671
Clarify the behavior of negated addresses within the `blackhole`
statement to prevent common configuration misunderstandings.
(cherry picked from commit 2b23c7011e)
Add isctest.kasp.Key and the minimal methods which are required to
convert the key into DS / DNSKEY trust anchor for BIND config. Add a
shared template trusted.conf.j2 which can be linked to in tests to
create the trust anchor configuration from trust anchor data returned
from bootstrap() function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Backport of !11201
Merge branch 'nicki/pytest-add-trust-anchor-template-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11653
Add isctest.kasp.Key and the minimal methods which are required to
convert the key into DS / DNSKEY trust anchor for BIND config. Add a
shared template trusted.conf.j2 which can be linked to in tests to
create the trust anchor configuration from trust anchor data returned
from bootstrap() function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
(manually picked from 0bf20f8d and f6cb154b)
The recent rewrite of DNS Shotgun infrastructure might've improved the
prior instability. In order to evaluate, re-enable the regular shotgun
pipelines to gather data.
Backport of MR !11506
Merge branch 'backport-nicki/ci-shotgun-enable-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11645
Make the shotgun pipelines on-demand with 5 samples (and no retry) by
default. MRs are compared to their base, while other sources (triggers,
web, schedule...) are compared against the latest released version.
For schedules, run the shotgun pipelines on Monday morning only, but
with the increased number of samples. This should provide useful data
without too many false positives.
(cherry picked from commit f2f255d67e)
Some dns message modifications like TSIG happen only after .to_wire() is
called on the message. To ensure there isn't a discrepancy between what
has been logged and what has been sent, log the query after
dns.query.udp() is executed (which calls .to_wire() on the message).
Backport of MR !11623
Merge branch 'backport-nicki/pytest-log-querymsg-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11643
Some dns message modifications like TSIG happen only after .to_wire() is
called on the message. To ensure there isn't a discrepancy between what
has been logged and what has been sent, log the query after
dns.query.udp() is executed (which calls .to_wire() on the message).
Co-Authored-By: Štěpán Balážik <stepan@isc.org>
(cherry picked from commit a22e03f71b)
Add a new CI job that updates the Docker image for a specific release.
Backport of MR !11564
Merge branch 'backport-andoni/update-bind9-docker-images-for-release-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11638
This commit adds a new CI job to update the BIND9 version in the
isc-projects/bind9-docker project, which will cause the docker images
to be rebuilt for release. Previously a manual step.
A notification is sent to the relevant Mattermost channel.
(cherry picked from commit 0ad724558e)
Previously, on 9.20 and 9.18, both builds (reference and the version
being tested) would use the same .so files, which led to a crash if the
ABI changed.
Use `git worktree` to get a completely separate build environment for the
reference version.
This is not a problem on 9.21 as Meson is smart and covers this mistake,
but apply the fix to it as well for consistency.
This also is not a problem on non-MR pipelines: the latest released version
was used as a reference there, so the .so versions would differ.
See the 9.20 pre-backport branch and the jobs:
- Broken: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6951217
- Fixed: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6951220
Backport of MR !11616
Merge branch 'backport-stepan/respdiff-fails-on-abi-breakage-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11620
Previously, on 9.20 and 9.18, both builds (reference and the version
being tested) would use the same .so files, which led to a crash if the
ABI changed.
Use `git worktree` to get a completely separate build environment for the
reference version.
This is not a problem on 9.21 as Meson is smart and covers this mistake,
but apply the fix to it as well for consistency.
(cherry picked from commit a719341314)
A stale answer could have been served in case of multiple upstream
failures when following the CNAME chains. This has been fixed.
Closes #5751
Backport of MR !11558
Merge branch 'backport-5751-clear-staleflags-in-CNAME-chains-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11584
A stale answer or SERVFAIL could have been served in case of multiple
upstream failures when following the CNAME chains. This has been fixed.
(cherry picked from commit d46277b398)
Three variants of YWH-PGM40640-56: Stale/Wrong DNS Data Served via
CNAME Flag Leak (DNS_DBFIND_STALEOK persistence) are presented in
GitLab issue #5751. All these variants have been converted to system
tests.
Variant 1 forwards source.stale to another server, that provides a
CNAME record, while the resolver is authoritative for target.stale.
The CNAME points to a non-existing name. A stale CNAME record should
result in a stale NXDOMAIN (instead of SERVFAIL).
Variant 2 forwards both source.stale and target.stale to other servers.
This time the CNAME points to an A RRset. If the source.stale server
is not available (and stale-answer-client-timeout is off), the cached
CNAME should be followed and pick up the fresh RRset (instead of the
stale A RRset).
Variant 3 is similar to variant 2, but this time the CNAME points to
a non-existing name again. After flushing the target, BIND should
return a stale NXDOMAIN (instead of SERVFAIL).
(cherry picked from commit c32de7df95)
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
Backport of MR !11599
Merge branch 'backport-stepan/fix-tsan-stress-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11603
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
(cherry picked from commit 4ed6c4e4e7)
Move some scripts to the QA repo, rename others to adhere to the snake-case Python convention.
Partial backport of MR !11499
Merge branch 'backport-stepan/python-tooling-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11575
Cloning to a stable location allows clearer handling of paths when
calling scripts from CI jobs.
`unit:gcc:tarball` and `system:gcc:tarball` do `cd bind-*` in
`before_script`, which led to the `bind9-qa` directory ending up in
a different place in exactly these two jobs, and that made reasoning
about paths in `.system_test_common` and `.unit_test_common` tricky.
(cherry picked from commit 482c1cc72f)
When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack. This has been
fixed.
Closes #5749
Backport of MR !11553
Merge branch 'backport-5749-fix-OOB-read-in-isdelegation-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11595
Adds text and wire format unit tests to verify the newly enforced
maximum NSEC3 hash length constraints. These tests ensure that hash
lengths up to the 39-byte maximum are accepted, while larger sizes
correctly fail.
(cherry picked from commit e83a182056)
NSEC3 hashes are required to fit within a single DNS label. Since there
are 5 bits per label byte without pad characters, the maximum hash size
is floor(63*5/8) (39 bytes).
This patch enforces this maximum length for unknown algorithms, while
strictly enforcing the exact expected digest length for known algorithms
like SHA-1.
(cherry picked from commit 3801d0ebbf)
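The two NSEC3 commits above (the isdelegation() out-of-bounds read, and the 39-byte hash limit) both come down to validating the "next hashed owner" length before it is used. The following is an added example, not BIND's code: a small NSEC3 RDATA (RFC 5155 wire format) parser that applies the same rules, an exact 20-byte digest for the known SHA-1 algorithm (hash algorithm 1) and at most floor(63*5/8) = 39 bytes for unknown algorithms, so the base32hex form fits a single 63-octet label. The sample RDATA and the algorithm number 200 are constructed for illustration.

```python
"""Parse NSEC3 RDATA and enforce the hash-length limits (added example)."""
import struct

# A base32hex-encoded hash must fit one 63-octet DNS label; each label
# character carries 5 bits, so the largest hash is floor(63 * 5 / 8) = 39 bytes.
NSEC3_MAX_HASH_LENGTH = (63 * 5) // 8

# Known NSEC3 hash algorithms and their exact digest lengths (1 = SHA-1, RFC 5155).
KNOWN_DIGEST_LENGTHS = {1: 20}


def nsec3_hash_length_ok(hash_alg: int, next_length: int) -> bool:
    """Exact digest length for known algorithms, <= 39 bytes for unknown ones."""
    if hash_alg in KNOWN_DIGEST_LENGTHS:
        return next_length == KNOWN_DIGEST_LENGTHS[hash_alg]
    return next_length <= NSEC3_MAX_HASH_LENGTH


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Parse NSEC3 RDATA wire format; raise ValueError on malformed input."""
    if len(rdata) < 5:
        raise ValueError("truncated NSEC3 RDATA")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    if len(rdata) < pos + salt_len + 1:
        raise ValueError("truncated salt")
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    next_len = rdata[pos]           # 1-byte length of the next hashed owner name
    pos += 1
    # Check the length BEFORE copying the hash into any fixed-size buffer;
    # skipping this check is what allowed the out-of-bounds read in isdelegation().
    if not nsec3_hash_length_ok(hash_alg, next_len):
        raise ValueError(f"invalid next hashed owner length {next_len} for alg {hash_alg}")
    if len(rdata) < pos + next_len:
        raise ValueError("truncated next hashed owner name")
    next_hashed = rdata[pos:pos + next_len]
    pos += next_len
    return {"hash_alg": hash_alg, "flags": flags, "iterations": iterations,
            "salt": salt, "next_hashed": next_hashed, "type_bitmap": rdata[pos:]}


def nsec3_rdata_is_valid(rdata: bytes) -> bool:
    """Convenience wrapper: True if the RDATA parses under the rules above."""
    try:
        parse_nsec3_rdata(rdata)
        return True
    except ValueError:
        return False


# Constructed sample: unknown alg 200, flags 0, 10 iterations, empty salt,
# a 39-byte next hash (exactly the maximum), type bitmap containing only A.
SAMPLE_NSEC3 = (bytes([200, 0]) + (10).to_bytes(2, "big") + bytes([0])
                + bytes([39]) + b"\xab" * 39
                + bytes([0, 1, 0x40]))
```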