Clarify the behavior of negated addresses within the `blackhole`
statement to prevent common configuration misunderstandings.
Closes #5733
Backport of MR !11541
Merge branch 'backport-5733-expand-blackhole-description-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11670
Clarify the behavior of negated addresses within the `blackhole`
statement to prevent common configuration misunderstandings.
(cherry picked from commit 2b23c7011e)
Enabling ans6 responses and xfr-and-reconfig zone reload sometimes takes
more time on FreeBSD than the default timeout allows; bump it to 30
seconds.
(cherry picked from commit 77a7430a5f)
The recent rewrite of DNS Shotgun infrastructure might've improved the
prior instability. In order to evaluate, re-enable the regular shotgun
pipelines to gather data.
Backport of MR !11506
Merge branch 'backport-nicki/ci-shotgun-enable-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11644
Make the shotgun pipelines on-demand with 5 samples (and no retry) by
default. MRs are compared to their base, while other sources (triggers,
web, schedule...) are compared against the latest released version.
For schedules, run the shotgun pipelines on Monday morning only, but
with the increased number of samples. This should provide useful data
without too many false positives.
(cherry picked from commit f2f255d67e)
Some dns message modifications like TSIG happen only after .to_wire() is
called on the message. To ensure there isn't a discrepancy between what
has been logged and what has been sent, log the query after
dns.query.udp() is executed (which calls .to_wire() on the message).
Backport of MR !11623
Merge branch 'backport-nicki/pytest-log-querymsg-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11642
Some dns message modifications like TSIG happen only after .to_wire() is
called on the message. To ensure there isn't a discrepancy between what
has been logged and what has been sent, log the query after
dns.query.udp() is executed (which calls .to_wire() on the message).
Co-Authored-By: Štěpán Balážik <stepan@isc.org>
(cherry picked from commit a22e03f71b)
Add a new CI job that updates the Docker image for a specific release.
Backport of MR !11564
Merge branch 'backport-andoni/update-bind9-docker-images-for-release-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11637
This commit adds a new CI job to update the BIND9 version in the
isc-projects/bind9-docker project, which will cause the docker images
to be rebuilt for release. Previously a manual step.
A notification is sent to the relevant Mattermost channel.
(cherry picked from commit 0ad724558e)
Previously, on 9.20 and 9.18, both builds (reference and the version
being tested) would use the same .so files, which led to a crash if the
ABI changed.
Use `git worktree` to get a completely separate build environment for the
reference version.
This is not a problem on 9.21 as Meson is smart and covers this mistake,
but apply the fix to it as well for consistency.
This also is not a problem on non-MR pipelines: the latest released version
was used as a reference there, so the .so versions would differ.
See the 9.20 pre-backport branch and the jobs:
- Broken: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6951217
- Fixed: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6951220
Backport of MR !11616
Merge branch 'backport-stepan/respdiff-fails-on-abi-breakage-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11619
Previously, on 9.20 and 9.18, both builds (reference and the version
being tested) would use the same .so files, which led to a crash if the
ABI changed.
Use `git worktree` to get a completely separate build environment for the
reference version.
This is not a problem on 9.21 as Meson is smart and covers this mistake,
but apply the fix to it as well for consistency.
(cherry picked from commit a719341314)
Commit `2956e4fc` hardened the `key` name check when used in `primaries` to reject the configuration if the key was not defined, rather than simply checking whether the key name was correctly formed.
However, the key name check didn't include the view configuration, causing keys not to be recognized if they were defined inside the view and not at the global level. This regression is now fixed.
Backport of MR !11588
Closes #5761
Merge branch 'backport-5761-key-view-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11613
A configuration where a key was defined inside a view, then used in a
`primary` statement wasn't covered. This is now fixed.
(cherry picked from commit d8f46b09a7)
Commit `2956e4fc45b3c2142a3351682d4200647448f193` hardened the `key`
name check when used in `primaries` to reject the configuration if
the key was not defined, rather than simply checking whether the
key name was correctly formed.
However, the key name check didn't include the view configuration,
causing keys not to be recognized if they were defined inside the
view and not at the global level. This regression is now fixed.
(cherry picked from commit b90399ebdc)
Replace the two-pass "random start index and wrap around" logic in
fctx_getaddresses_nameservers() with a statistically sound partial
Fisher-Yates shuffle.
The previous implementation picked a random starting node and did two
passes over the linked list to find query candidates. The new logic
introduces fctx_getaddresses_nsorder() to perform an in-place
randomization of indices into a bounded, stack-allocated lookup array
(nsorder) representing the "winning" fetch slots.
The nameserver dataset is now traversed in exactly one sequential pass:
1. Every nameserver is evaluated for local cached data.
2. If the current nameserver's sequential index exists in the randomized
nsorder array, it is permitted to launch an outgoing network fetch.
3. If not, it is restricted to local lookups via DNS_ADBFIND_NOFETCH.
This guarantees a fair random distribution for outbound queries while
maximizing local cache hits, entirely within O(1) memory and without
the overhead of linked-list pointer shuffling or dynamic allocation.
Closes#5695
Backport of MR !11604
Merge branch 'backport-5695-refactor-the-random-NS-selection-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11606
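The single-pass selection described above (randomize a bounded index array with a partial Fisher-Yates shuffle, then let only the nameservers whose index appears in it launch a network fetch) can be shown in isolation. The following is an added illustration, not BIND's own code: `ns_order()`, `plan_fetches()`, the `MAX_NS` bound and the xorshift RNG are all assumptions made so the example runs stand-alone and deterministically; BIND's real array bound, RNG and `DNS_ADBFIND_NOFETCH` plumbing are not reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bound on the stack-allocated lookup array (not BIND's real limit). */
#define MAX_NS 32

/* Hypothetical deterministic RNG (xorshift32) so runs are reproducible. */
static uint32_t rng_state = 2463534242u;
static void rng_seed(uint32_t s) { rng_state = (s != 0) ? s : 1; }
static uint32_t rng_next(void) {
	uint32_t x = rng_state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	rng_state = x;
	return x;
}
/* Uniform-ish value in [0, n); modulo bias is irrelevant for n <= MAX_NS. */
static uint32_t rng_uniform(uint32_t n) { return rng_next() % n; }

/*
 * Partial Fisher-Yates: fill nsorder[0..k-1] with k distinct indices drawn
 * uniformly from [0, n) without shuffling the whole array. Returns the
 * number of "winning" fetch slots actually filled, i.e. min(k, n, cap).
 */
size_t ns_order(uint32_t n, uint32_t k, uint32_t *nsorder, size_t cap) {
	uint32_t idx[MAX_NS];
	if (n > MAX_NS) n = MAX_NS;
	if (k > n) k = n;
	if (k > cap) k = (uint32_t)cap;
	for (uint32_t i = 0; i < n; i++) idx[i] = i;
	for (uint32_t i = 0; i < k; i++) {
		/* Swap slot i with a uniformly chosen slot from the unchosen tail. */
		uint32_t j = i + rng_uniform(n - i);
		uint32_t tmp = idx[i];
		idx[i] = idx[j];
		idx[j] = tmp;
		nsorder[i] = idx[i];
	}
	return k;
}

static bool in_nsorder(uint32_t i, const uint32_t *nsorder, size_t k) {
	for (size_t s = 0; s < k; s++) {
		if (nsorder[s] == i) return true;
	}
	return false;
}

/*
 * One sequential pass over n nameservers: every one is still evaluated for
 * cached data, but only those whose index is in nsorder may go to the
 * network (the rest would get DNS_ADBFIND_NOFETCH in BIND). Fills
 * may_fetch[0..n-1] and returns how many fetches were permitted.
 */
size_t plan_fetches(uint32_t n, uint32_t fetches_allowed, bool *may_fetch) {
	uint32_t nsorder[MAX_NS];
	size_t k = ns_order(n, fetches_allowed, nsorder, MAX_NS);
	size_t permitted = 0;
	if (n > MAX_NS) n = MAX_NS;
	for (uint32_t i = 0; i < n; i++) {
		may_fetch[i] = in_nsorder(i, nsorder, k);
		if (may_fetch[i]) permitted++;
	}
	return permitted;
}

int main(void) {
	bool may_fetch[MAX_NS];
	rng_seed(1);
	/* Constructed scenario: 23 delegated nameservers, 20 outbound fetches allowed. */
	size_t permitted = plan_fetches(23, 20, may_fetch);
	printf("permitted fetches: %zu\n", permitted);
	for (uint32_t i = 0; i < 23; i++) {
		printf("ns[%2u]: %s\n", i, may_fetch[i] ? "fetch" : "NOFETCH (cache only)");
	}
	return 0;
}
```

The quota is enforced by construction: exactly min(k, n) slots win, the indices are distinct because each swap moves a chosen element out of the unchosen tail, and the per-slot membership check keeps memory at O(1) since no list nodes are reordered or allocated.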
Introduce a new system test (nsprocessinglimit) to verify that the
resolver strictly respects outgoing network fetch quotas when presented
with heavily delegated, unresponsive zones.
This test acts as a regression check for the recent Fisher-Yates nameserver
selection refactor. It sets up an authoritative server delegating a zone
to 23 distinct nameservers (all pointing to unresponsive loopback IPs).
Using dnstap, the test forces a resolution failure and verifies that:
1. The resolver successfully traverses the zone delegation path.
2. The resolver caps the outgoing network queries to the delegated
nameservers exactly at the processing limit (20 fetches), ensuring
array boundaries and dynamic fetch quotas are strictly enforced without
crashing or hanging.
(cherry picked from commit 5274e764c4)
Replace the two-pass "random start index and wrap around" logic in
fctx_getaddresses_nameservers() with a statistically sound Fisher-Yates
shuffle.
The previous implementation picked a random starting node and did two
passes over the linked list to find query candidates. The new logic
extracts the available nameservers into a bounded, stack-allocated array
of dns_rdata_t structures.
This array is then randomized in-place using a Fisher-Yates shuffle.
Finally, the shuffled array is traversed sequentially to launch fetches
until the dynamic quota (fctx->pending_running >= fetches_allowed) is
reached.
This guarantees a fair random distribution for outbound queries while
properly respecting dynamic query limits, entirely within O(1) memory
and without the overhead of linked-list pointer shuffling or multiple
dataset traversals.
(cherry picked from commit 3c33e7d937)
A debug message that logs that a PKCS#11 object has been generated was erroneously
logged at error level. This has been fixed.
Backport of MR !11586
Merge branch 'backport-matthijs-fix-loglevel-keystore-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11601
A debug message that logs that a PKCS#11 object has been generated was
erroneously logged at error level. This has been fixed.
(cherry picked from commit 5bd6322739)
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
Backport of MR !11599
Merge branch 'backport-stepan/fix-tsan-stress-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11602
In a3d0f43d2 I moved the script that does this to the QA repo and
screwed up the path.
Fix the path and make the job run properly again.
(cherry picked from commit 4ed6c4e4e7)
With the Python version bumped to 3.10 and the dependency situation cleared with !11415 it is now time to run linters and formatters on more parts of the Python code that was previously skipped or ignored.
Switch configuration of the various Python-adjacent tools to `pyproject.toml` to ensure that the same configuration is used in CI and locally.
See the individual commits for details on settings changed and linters added.
Tweaks to type checking and enabling more `ruff` lints will come in subsequent MRs.
Prerequisites:
- bind9-qa!160.
- images!442
Backport of MR !11499
Merge branch 'backport-stepan/python-tooling-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11574
More specific modules (like collections.abc) can now be used.
Generated with: ruff check --extend-select UP035 --fix
(cherry picked from commit ced002c4ab)
Add a pylint plugin that enforces:
- There is no bare `import dns` statement.
- All `dns.<module>` used are explicitly imported.
- There are no unused `dns.<module>` imports.
Fix all the imports to conform with this check.
(cherry picked from commit d3186c7038)
In Python 3.10 strings don't support the | operator, so ruff doesn't
attempt to fix these. Quote the entire type specification to avoid the
typing.Optional import.
Alternatives I considered:
- leaving it as is (only use of Optional in the code base)
- using `from future import __annotations__` (replacing one import with
another one)
(cherry picked from commit 1d5924c82f)
Importing a pytest fixture trips up static analysis tools, so move
default_algorithm to conftest.py and use it instead of os.environ
accesses in various system tests.
For use outside test functions, use Algorithm.default().
(cherry picked from commit ef21b77912)