Commit graph

45764 commits

Author SHA1 Message Date
Matthijs Mekking
d47aeb96d4 Test ACL from template
Add an acl system test case where the ACL comes from a template. It
should override the ACL from the options.
2026-05-29 06:04:30 +00:00
Michal Nowak
11e204ee00 fix: test: Fix pytest-xdist loadscope splitting on "::" in params
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID.  When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary.  This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).

Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.

Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.

Assisted-by: Claude:claude-opus-4-7

Merge branch 'mnowak/fix-xdist-loadscope-split' into 'main'

See merge request isc-projects/bind9!12103
2026-05-28 18:01:39 +02:00
Michal Nowak
4eb893020e Fix pytest-xdist loadscope splitting on "::" in params
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID.  When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary.  This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).

Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.

Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 18:00:17 +02:00
Michal Nowak
2f2d5462ef fix: ci: Make cross-version-config-tests allow_failure: true
The issue #6007 failed to mark cross-version-config-tests with
allow_failure: true. This should be reverted when the June release is
out.

Closes #6007

Merge branch '6007-allow-failure-cross-version-config-tests' into 'main'

See merge request isc-projects/bind9!12136
2026-05-28 17:59:30 +02:00
Michal Nowak
86b0615aea Make cross-version-config-tests allow_failure: true
The issue #6007 failed to mark cross-version-config-tests with
allow_failure: true. This should be reverted when the June release is
out.
2026-05-28 17:49:22 +02:00
Michal Nowak
63c2b4e4d4 chg: test: Prioritize the 10 slowest system test scopes
Update PRIORITY_TESTS with the 10 longest-running test
scopes measured from CI (job 7468217).  These get scheduled
first so that with --dist=loadscope they land on separate
workers instead of piling up at the end.

Also fix "serve-stale/" to "serve_stale/" to match the
actual directory name, and add a startup check that fails
if any PRIORITY_TESTS entry does not match an existing
directory.

Assisted-by: Claude:claude-opus-4-7

Merge branch 'mnowak/prioritize-slow-system-tests' into 'main'

See merge request isc-projects/bind9!12104
2026-05-28 16:54:58 +02:00
Michal Nowak
5e3c0b8463 Prioritize the 10 slowest system test scopes
Update PRIORITY_TESTS with the 10 longest-running test
scopes measured from CI (job 7468217).  These get scheduled
first so that with --dist=loadscope they land on separate
workers instead of piling up at the end.

Also fix "serve-stale/" to "serve_stale/" to match the
actual directory name, and add a startup check that fails
if any PRIORITY_TESTS entry does not match an existing
directory.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 16:52:53 +02:00
Matthijs Mekking
4f9422a27d fix: dev: Check options in templates that must be non-zero
`named-checkconf` should reject a template that has options that must be non-zero
(`max-refresh-time`, `max-retry-time`, `min-refresh-time`, `min-retry-time`).

`rndc addzone` with a zone that refers to such a template should fail cleanly.

Closes #6041

Merge branch '6041-check-nonzero-skips-templates' into 'main'

See merge request isc-projects/bind9!12126
2026-05-28 14:26:03 +00:00
Matthijs Mekking
21791160b3 Check options in templates that must be non-zero
Without this, named-checkconf falsely accepts badly configured zones,
and rndc addzone would abort on adding a zone referring to such
templates.
2026-05-28 14:25:48 +00:00
Matthijs Mekking
c713e83948 Test checkconf and addzone with bad templates
named-checkconf should reject a template that has options that must be
non-zero (max-refresh-time, max-retry-time, min-refresh-time,
min-retry-time).

rndc addzone with a zone that refers to such a template should fail
cleanly.
2026-05-28 14:25:48 +00:00
Michal Nowak
3a206cae5b fix: ci: Drop ccache support from CI
The population of the compile cache is so slow that a BIND 9 build can
take 20 minutes.

Assisted-by: Claude:claude-opus-4-7

Merge branch 'mnowak/drop-ccache-support' into 'main'

See merge request isc-projects/bind9!12127
2026-05-28 14:21:39 +02:00
Michal Nowak
cbc8664567 Drop ccache support from CI
The population of the compile cache is so slow that a BIND 9 build can
take 20 minutes.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 14:20:55 +02:00
Colin Vidal
71e8d16357 fix: usr: Restore delegdb size after rndc flush
When the delegation database was flushed using `rndc flush`, its size was also reset but not restored. As a result, after `rndc flush` was used at least once, the delegation database size could grow unbounded. This has now been fixed.

Merge branch 'colin/delegdb-config' into 'main'

See merge request isc-projects/bind9!12101
2026-05-28 13:59:46 +02:00
Colin Vidal
ad92081c5b Add system test for delegdb size preservation across rndc flush
Test that flushing the delegdb via `rndc flush` preserves its
configured size limit.  The test checks delegdb watermarks after
`named` startup, flushes caches, and verifies that the delegdb
watermarks are correctly restored afterwards.

To distinguish between the previous `delegdb` memory contexts and the
new ones, we need to know exactly when the previous `delegdb` memory
contexts are removed (this is not immediate, since those are removed
during RCU reclamation phase). A trace is therefore added when a memory
context is destroyed, if `ISC_MEM_DEBUGTRACE` is set.
2026-05-28 13:59:38 +02:00
Colin Vidal
2f9ba05178 Fix delegdb flush API
The `rndc flush` command flushes the delegdb by deleting the
existing database and creating a new one. In the process, the
delegdb was losing its configured size limit; as a result, once
flushed, the delegdb size became unbounded.

This is now fixed by using `dns_delegdb_getconfig()` to back up the
current configuration before instantiating a new delegdb, then
restoring it with `dns_delegdb_setconfig()`.
2026-05-28 13:59:38 +02:00
Colin Vidal
3610fd2df9 Add delegdb configuration struct
Instead of having independent APIs to configure various aspects of the
delegdb (i.e. cache size, other settings that may come up later), a
single configuration struct is passed to `dns_delegdb_setconfig()`, which
internally does all the plumbing. To avoid relying on
atomics/synchronization, `dns_delegdb_setconfig()` must be called from
exclusive mode (for now).

The configuration can be retrieved at any time (not necessarily from
exclusive mode) using `dns_delegdb_getconfig()`. This is useful, for
instance, to flush the delegdb without losing its parameters.
2026-05-28 13:59:38 +02:00
Ondřej Surý
ac342bf652 rem: usr: Remove legacy special handling for SIG, NXT, and KEY records
BIND no longer applies legacy RFC 2535 handling to the obsolete ``SIG``, ``NXT``
and ``KEY`` record types; they are now served as plain zone data. Zones with
both a ``CNAME`` and a ``KEY`` and/or ``NXT`` at the same name — invalid under
:rfc:`2181` — will now fail to load and must be corrected.

Closes #6007

Merge branch '6007-remove-SIG-and-NXT-special-handling' into 'main'

See merge request isc-projects/bind9!12056
2026-05-28 13:21:07 +02:00
Ondřej Surý
b9c1b90b50 Drop RFC 2535 special-casing of the KEY record type
After SIG and NXT lost their special handling, KEY remained the only
RFC 2535-era type still receiving coexistence allowances: KEY
alongside CNAME at the same owner, KEY answered from the parent side
of a zone cut, KEY kept across CNAME eviction in the cache.  RFC 3755
retains type 25 only for SIG(0) and TKEY transaction signatures, and
neither relies on those allowances in practice.  The in-tree comment
that flagged the RFC 3007 parent-side carve-out as "unclear" predicted
this cleanup.

Zones that publish CNAME and KEY at the same owner — already invalid
under RFC 2181 — now fail to load.  System test fixtures are updated
accordingly, and a new test asserts that SIG, NXT, and KEY records
pick up covering RRSIGs when their zone is signed.
2026-05-28 13:21:00 +02:00
Ondřej Surý
2de202a6b7 Stop treating SIG and NXT records specially
RFC 3755 retired SIG and NXT in favour of RRSIG and NSEC.  BIND still
warned about them at zone load, refused them in dynamic updates,
parsed SIG with a non-zero "type covered" field as a signature on an
RRset, and tracked them via dns_rdatatype_issig().  Those carve-outs
were the sole path that made the GL#5818 crash class reachable.

Treat both types as ordinary unknown rdata: they load, transfer, sign
and answer like any other record, and dynamic updates carry them
through the generic path.  SIG(0) is unaffected; its message-parsing
carve-out is preserved.
2026-05-28 13:21:00 +02:00
Nicki Křížek
81b78d6c10 new: test: Add isctest.mark.with_developer pytest mark
Merge branch 'nicki/systest-with-developer' into 'main'

See merge request isc-projects/bind9!12118
2026-05-28 11:37:56 +02:00
Nicki Křížek
f957b63010 Add isctest.mark.with_developer pytest mark
Tests that exercise instrumentation, log output, or other behaviour
that only exists in developer builds (the gcc:almalinux9:amd64 CI job
sets -Ddeveloper=disabled to guard against such accidental coupling)
can now decorate themselves with isctest.mark.with_developer to skip on
non-developer builds.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 11:37:14 +02:00
Nicki Křížek
950dc9945c Add FEATURE_DEVELOPER variable to isctest
System tests can check FEATURE_DEVELOPER in the environment, but the
recommended pattern is the with_developer pytest marker added next.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 11:37:14 +02:00
Nicki Křížek
113980d4b0 Add --enable-developer probe to feature-test
System tests that depend on log output, instrumentation, or other
behaviour only present in developer builds can use this probe to detect
the build configuration at runtime.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 11:37:14 +02:00
Nicki Křížek
d9aeee7901 Define DEVELOPER_MODE in developer-mode builds
So that build-time consumers (e.g. feature-test) can detect developer
mode through a single dedicated symbol rather than proxying through
implementation-detail defines like ISC_MEM_TRACKLINES.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 11:37:14 +02:00
Ondřej Surý
be4f6ad202 fix: usr: Fix nxdomain-redirect combined with dns64
When a resolver was configured with both `nxdomain-redirect` and `dns64`
in the same view, an AAAA query for a nonexistent name could abort
`named`. The combination failed whenever the redirect zone held A
records but no AAAA records.  The server now serves the empty AAAA
response from the redirect zone as-is, instead of attempting DNS64
synthesis on top of it.

Closes #5789

Merge branch '5789-fix-nxdomain-redirect-dns64-assert' into 'main'

See merge request isc-projects/bind9!12059
2026-05-28 11:11:57 +02:00
Ondřej Surý
4bfd18d08d Skip DNS64 synthesis when answering a redirected response
redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.
2026-05-28 11:11:17 +02:00
Ondřej Surý
739a067de8 System test for nxdomain-redirect combined with dns64
An AAAA query for a non-existent name into a view that combines
nxdomain-redirect with dns64 used to abort named via the DNS64
fallback in query_nodata(). The new module exercises all three
documented entry paths into query_redirect(): the authoritative
NXDOMAIN path (ns7, tripping INSIST(!is_zone) in
query_notfound()), the recursive NCACHENXRRSET path (ns8,
tripping REQUIRE in dns_rdataset_first() on a disassociated
rdataset), and the synth-from-dnssec path (ns10 validating
against ns9's signed root, with a primer A query so the second
AAAA reaches query_redirect() via query_coveringnsec()). ns9
serves as a neutral upstream so the cached and synthesized
negatives land real NXRRSETs.

Assisted-by: Claude:claude-opus-4-7
2026-05-28 11:11:17 +02:00
Ondřej Surý
d61fef7c10 rem: dev: Remove useless PR-Agent jobs
The experiment was a failure: the PR-Agent doesn't send a full context
to the AI Agents, and the results are abysmal because of that.

Merge branch 'ondrej/remove-useless-pr-agent' into 'main'

See merge request isc-projects/bind9!12119
2026-05-28 09:50:56 +02:00
Ondřej Surý
d3dbcd21df Remove useless PR-Agent jobs
The experiment was a failure: the PR-Agent doesn't send a full context
to the AI Agents, and the results are abysmal because of that.
2026-05-28 09:35:13 +02:00
Nicki Křížek
67bf433c0f chg: test: Improve pytest jinja2 templates
- Enable rendering ns-specific data in jinja2 templates using the `ns` variable.
- Add common zone/config snippets as `_common` templates.
- Allow jinja2 imports from `_common`.
- Improve the `_common/controls.conf.j2` snippet to render the ns-specific IP rather than a hardcoded one.

Merge branch 'nicki/pytest-template-improvements' into 'main'

See merge request isc-projects/bind9!11805
2026-05-27 17:54:34 +02:00
Nicki Křížek
c2c2be9be0 Restrict cross-test jinja2 includes to _common/
The previous loader was a FileSystemLoader rooted at $srcdir, which
allowed any system test to include any other test's templates -- a
wider scope than intended. Every existing cross-test include already
targets _common/, so make that the only path.

ChoiceLoader + PrefixLoader keeps the existing '_common/foo.j2' path
convention working without changes to call sites. The '_common/'
prefix is deliberately kept rather than dropping it by rooting the
FileSystemLoader at _common/ directly:

  - It signals at the include site that the file is a shared
    template, not a sibling of the current test; readers don't need
    to know the loader configuration to understand where the file
    lives.
  - It prevents shadowing: a test-local 'controls.conf.j2' would
    not collide with the shared one, and the unqualified name keeps
    its test-local meaning.
  - It makes the dependency greppable: 'grep -rl _common/'
    identifies every test that consumes shared snippets.

Assisted-by: Claude:claude-opus-4-7
2026-05-27 16:25:44 +02:00
Nicki Křížek
317cd12779 Create common templates for test zones
Add commonly used zone-related data (config snippet and zone file
snippets) as templates which can be reused by filling in different data.

Adjust the isctest.template.Zone to use filepath argument rather than
filename for clarity.
2026-05-27 16:25:44 +02:00
Nicki Křížek
f4ca352bc8 Include controls.conf as jinja2 template
Rather than using named.conf include, render the controls directly into
the config using jinja2 template include.
2026-05-27 16:25:43 +02:00
Nicki Křížek
e34c3252d9 Add _common dir to jinja2 template loader
This allows include of template snippets from _common/ directory.
2026-05-27 16:25:43 +02:00
Nicki Křížek
4f8e3774bb Reduce whitespace in jinja2 templates
Omit extra newlines when combining and including templates.

Adjust the xfer/ns8/small.db.j2 so it doesn't trim the endline twice
(as that would join the two subsequent records on the same line).
2026-05-27 14:19:31 +00:00
Nicki Křížek
dddb067351 Allow instantiating template dataclasses in jinja2 templates
In some cases, the template data might need to be set directly in the
jinja2 templates using `{% set %}`. Expose the template dataclasses to
the templates so we can use these existing classes, rather than creating
ad-hoc data containers.
2026-05-27 14:19:31 +00:00
Nicki Křížek
aa435b2e03 Add directory-specific nameserver data to templates
If a template is being rendered into a directory that represents a
nameserver (e.g. "ns1"), include nameserver-specific information in
the data: a variable called "ns" which holds information about the
nameserver this file belongs to.

Ensure the "ns" variable is only exposed to the template when rendered,
without affecting the environment variables (always work with a copy of
the env_vars).
2026-05-27 14:19:31 +00:00
Nicki Křížek
fa3a59e70c Improve isctest.template dataclasses' defaults
Extend the Nameserver to generate the default IPv4/IPv6 values, add NSX
values for the predefined nameservers (there are 11 of them, as per
bin/tests/system/ifconfig.sh.in max value). Add the missing ns11
fixture.

Extend the Zone to derive the zone filename by default, unless
specified.

Adjust the existing uses of these classes to utilize the simplified
defaults.
2026-05-27 14:19:31 +00:00
Matthijs Mekking
a97e5c3031 fix: usr: Fix crash on badly configured secondary signer
A badly configured secondary signer that was missing the 'file' entry caused the server to crash, rather than to reject the configuration. This has been fixed.

Closes #5993

Merge branch '5993-fix-bump-in-the-wire-crash' into 'main'

See merge request isc-projects/bind9!12045
2026-05-27 09:45:23 +00:00
Matthijs Mekking
77649ea8e2 Fix startup crash on bump in the wire signer
A secondary server that is configured as a bump in the wire signer
with inline-signing implicitly enabled via dnssec-policy requires
a 'file' entry.
2026-05-27 09:45:11 +00:00
Matthijs Mekking
43bbfbeb3c Check conf dnssec-policy inline-signing secondary
Add a variant of checking configuration where inline-signing is
enabled on the secondary, requiring the 'file' entry. This time,
inline-signing is implicitly enabled via dnssec-policy.
2026-05-27 09:45:11 +00:00
Michal Nowak
c62cff5aef fix: doc: Ignore gitlab.gnome.org links in Sphinx linkcheck
Merge branch 'mnowak/linkcheck-fix' into 'main'

See merge request isc-projects/bind9!12109
2026-05-27 11:20:49 +02:00
Michal Nowak
a126c6a489 Clean up OpenSSL/BoringSSL/LibreSSL reference URLs in changelog
Drop the #Lxxx-Lyyy fragments (replaced with prose line numbers) and
unwrap the line-broken URLs so Sphinx linkcheck can validate them.

Assisted-by: Claude:claude-opus-4-7
2026-05-27 10:56:08 +02:00
Michal Nowak
2850dc9d71 Ignore gitlab.gnome.org links in Sphinx linkcheck
GNOME GitLab returns HTTP 406 to Sphinx's linkcheck requests, the
same behavior already worked around for gitlab.isc.org.

Assisted-by: Claude:claude-opus-4-7
2026-05-27 10:56:08 +02:00
Andoni Duarte
e230886e61 chg: ci: Add rule for stable tags in CI and use it in the update-stable-tag job
Add a rule to match open source stable tags in CI and apply it to the
update-stable-tag job.

Merge branch 'andoni/show-update-stable-tag-job-in-stable-versions' into 'main'

See merge request isc-projects/bind9!11646
2026-05-27 08:24:38 +00:00
Andoni Duarte Pintado
38e80f542e Add rule for the stable tags in CI and use for job update-stable-tag
The update-stable-tag job should only be run for the stable tag, which
is used by Read the Docs to build the docs for the "stable" version.

A new rule called rule_tag_open_source_stable is introduced, in order to
prevent the job from appearing in the pipeline for non-stable versions.
Having this rule in YAML is necessary, because if it were in the script
itself, the job would show up in the pipeline.

Besides, the new rule allows other jobs to be run only for the stable
tag in the future, without modifying their internal logic.

The CI variable STABLE_VERSION contains a regular expression in the
Gitlab CI sense[1]: it uses the RE2 syntax[2] and must be enclosed by
slashes (i.e. /.../). It must be updated every time the minor version
is changed: releasing v9.22 will require changing STABLE_VERSION from
"/v9.20/" to "/v9.22/".

The variable is imported from common Gitlab CI YAML in the project
isc-projects/bind9-qa, so as to maintain it in a central place.

[1]: https://docs.gitlab.com/ci/jobs/job_rules/#compare-a-variable-to-a-regular-expression
[2]: https://github.com/google/re2/wiki/Syntax
2026-05-27 08:23:12 +00:00
Andoni Duarte Pintado
1c31e6fea9 Include common Gitlab CI YAML from isc-projects/bind9-qa
The template file .gitlab-ci-common.yml is to be used across ISC
projects, while it is maintained in the isc-projects/bind9-qa project.
2026-05-27 08:23:12 +00:00
Štěpán Balážik
3e32c55213 chg: test: Move requirement checks to pytest_configure hook
This leads to nicer logging if requirements aren't met.

Merge branch 'stepan/dont-run-system-tests-without-requirements' into 'main'

See merge request isc-projects/bind9!11551
2026-05-26 17:04:05 +00:00
Štěpán Balážik
b31f058ad0 Move pytest requirements check to pytest_configure hook
Logging from a pytest hook looks better.

Reorder the check for presence of `featuretest` before `init_vars` to
produce more sensible errors.
2026-05-26 15:24:07 +00:00
Michal Nowak
982c7441d0 chg: ci: Run unit tests with PKCS#11-aware OpenSSL
Closes isc-projects/bind9#4958

Closes isc-projects/bind9#4957

Merge branch 'mnowak/pkcs11-aware-unit-gcc-ossl3-amd64' into 'main'

See merge request isc-projects/bind9!9543
2026-05-26 17:01:06 +02:00