ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2022-09-30T10:13:20Z

https://gitlab.isc.org/isc-projects/kea/-/issues/2003
host reservations and replicated databases
2022-09-30T10:13:20Z Peter Davies

host reservations and replicated databases:
In order to increase availability would it be possible to configure Kea so that Host Reservation (HR) lookups could be directed to one or more read only database replicates.
Also that HR update commands in the Host Commands hooks libraries (host_cmd) can be configured to use a read/write database, or to be able to identify a read/write database from the set of "hosts-databases".
Maybe something like:
```
"hosts-databases": [
    {
        "type": "mysql",
        "name": "Repicate-1",
        "user-context": {
            "use": "query",
            "next": "Master"
        },
        ...
    },
    {
        "type": "mysql",
        "name": "Repicate-2",
        "user-context": {
            "use": "query",
            "next": "Master"
        }
    },
    {
        "type": "mysql",
        "name": "Master",
        "user-context": {
            "use": "update",
            "next": ""
        },
        ...
    }
],
```
[support#18800](https://support.isc.org/Ticket/Display.html?id=18800)
kea2.3.1
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/bind9/-/issues/3587
Debugging named ACLs is hard
2022-10-20T09:34:31Z Michał Kępień

See #3481 & #3482 for context.
There is much room for improvement in terms of making `named` more
verbose about which ACLs matched during query processing and which ones
did not. Better logging would help administrators understand and
fine-tune ACLs.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3578
Retain the possibility to use OpenSSL engines with OpenSSL 3.x
2022-10-05T08:59:01Z Michał Kępień

See #2996 for context.
It would be useful to retain the possibility to use OpenSSL engines with
OpenSSL 3.x; it is possible to build against the latter in API
compatibility mode (`-DOPENSSL_API_COMPAT=10100`), so we should take
advantage of that before a "native" OpenSSL 3.x provider gets
implemented.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3577
reloads in ixfr system test happen too fast
2022-10-06T09:28:53Z Mark Andrews

The ixfr system test can fail because reloads happen too fast causing the reload of
zone files to be skipped as up to date.
```
I:ixfr:testing 'request-ixfr yes' option inheritance from view (7)
I:ixfr:ns3 server reload successful
I:ixfr:exceeded time limit waiting for literal 'got incremental response' in ns4/named.run
I:ixfr:failed
```
```
05-Oct-2022 16:18:18.158 received control channel command 'reload'
05-Oct-2022 16:18:18.254 received control channel command 'reload'
05-Oct-2022 16:18:18.350 received control channel command 'reload'
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3575
CID 357159 Double free in lib/dns/request.c
2022-10-05T09:29:12Z Michal Nowak

Coverity Scan reports on `v9_18`:
```
/lib/dns/request.c: 794 in dns_request_create()
788 /* connect failed, detach here */
789 req_detach(&(dns_request_t *){ request });
790
791 cleanup:
792 isc_task_detach(&(isc_task_t *){ task });
793 /* final detach to shut down request */
>>> CID 357159: (USE_AFTER_FREE)
>>> Calling "req_detach" frees pointer "request" which has already been freed.
794 req_detach(&request);
795 req_log(ISC_LOG_DEBUG(3), "dns_request_create: failed %s",
796 isc_result_totext(result));
797 return (result);
798 }
799
```
This seems to come from 8f61d07918d083600404b230c7254dab72e5fd5f.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/3572
Sphinx 5.2 reports a warning for doc/arm/catz.inc.rst
2022-10-05T12:11:57Z Michał Kępień

Sphinx 5.2.2 reports the following warning when `make doc` is run for
current `main` and `v9_18`:
```
Running Sphinx v5.2.2
making output directory... done
building [mo]: all of 0 po files
building [html]: all source files
updating environment: [new config] 16 added, 0 changed, 0 removed
reading sources... [100%] reference
looking for now-outdated files... none found
pickling environment... done
checking consistency... done
preparing documents... done
writing output... [100%] reference
Warning, treated as error:
/tmp/bind9/doc/arm/catz.inc.rst:234:more than one target found for 'any' cross-reference 'allow-query': could be :std:ref:`allow-query` or :namedconf:ref:`namedconf-statement-allow-query`
make[2]: *** [Makefile:757: html-local] Error 2
```
The line being flagged above has been around for the past two months and
it worked fine with Sphinx 5.1.1, so I assume that it is some new check
in the most up-to-date Sphinx version that triggers this warning.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Petr Špaček pspacek@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/3569
dns_message_checksig under oss_fuzz is not seeing the data files
2022-10-06T09:21:47Z Mark Andrews

oss_fuzz is reporting an assertion that happens when the data files are not available.
https://google.github.io/oss-fuzz/further-reading/fuzzer-environment/ says very little about how to rectify this but as `/tmp` is available we can just create a key directory there.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3565
AddressSanitizer: stack-use-after-scope in dns_tsig_verify (dns_message_checksig test)
2022-09-29T10:24:54Z Petr Špaček pspacek@isc.org

### Summary
ASAN error:
```
testing 63 bytes from /builds/isc-projects/bind9/fuzz/dns_message_checksig.in/tsig-reply
=================================================================
==1074==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe14b1d780 at pc 0x55eeaf01c3ff bp 0x7ffe14b1c990 sp 0x7ffe14b1c160
READ of size 12 at 0x7ffe14b1d780 thread T0
#0 0x55eeaf01c3fe in __asan_memmove (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0xa63fe) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
#1 0x7f93f3d6a227 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
#2 0x7f93f3d6a227 in dns_tsig_verify /builds/isc-projects/bind9/lib/dns/tsig.c:1241:3
#3 0x7f93f3dd122d in dns_view_checksig /builds/isc-projects/bind9/lib/dns/view.c:1471:10
#4 0x7f93f38f42a8 in dns_message_checksig /builds/isc-projects/bind9/lib/dns/message.c:3145:12
#5 0x55eeaf058c18 in LLVMFuzzerTestOneInput /builds/isc-projects/bind9/fuzz/dns_message_checksig.c:393:11
#6 0x55eeaf05c189 in test_one_file /builds/isc-projects/bind9/fuzz/main.c:53:3
#7 0x55eeaf05c468 in test_all_from /builds/isc-projects/bind9/fuzz/main.c:89:3
#8 0x55eeaf05bc18 in main /builds/isc-projects/bind9/fuzz/main.c:130:2
#9 0x7f93f2dc5d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#10 0x55eeaef9a569 in _start (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0x24569) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
```
Jobs:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793490: [test-suite.log](/uploads/83a286ac6c986172669ad2e5579a8716/test-suite.log)
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793597: [test-suite.log](/uploads/e091fdf3e65bbbd62b360da2d700fe51/test-suite.log)
### BIND version used
4108d79c9a3bc7a617d7ca24adc1180043ee9919 (!6822), but change in this MR affects only tests.
### Steps to reproduce
Run unit:clang:asan job in CI.
### What is the current *bug* behavior?
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3562
suffix may be used before being assigned in qmin/ans3/ans.py
2022-09-29T10:03:12Z Mark Andrews

Coverity reports `Bad use of null-like value`
```
139 if lqname == "zoop.boing." and rrtype == NS:
CID 350722 (#1 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
140 r.answer.append(
141 dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix)
142 )
143 r.flags |= dns.flags.AA
11. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
144 elif endswith(lqname, "icky.ptang.zoop.boing."):
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
12. invalid_operation: Invalid operation on null-like value suffix.
145 r.authority.append(
146 dns.rrset.from_text(
147 "icky.ptang.zoop.boing." + suffix,
148 1,
149 IN,
150 NS,
151 "a.bit.longer.ns.name." + suffix,
152 )
153 )
154 elif endswith("icky.ptang.zoop.boing.", lqname):
CID 350722 (#3 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
155 r.authority.append(
156 dns.rrset.from_text(
157 "zoop.boing." + suffix,
158 1,
159 IN,
160 SOA,
161 "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
162 )
163 )
164 if bad:
165 r.set_rcode(NXDOMAIN)
166 if ugly:
167 r.set_rcode(FORMERR)
168 elif endswith(lqname, "zoop.boing."):
CID 350722 (#4 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
169 r.authority.append(
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3557
Catalog zone processing failed to detect TSIG key changes for primaries
2022-10-19T11:01:53Z Mark Andrews

If only the TSIG key names were changed in primary statements of catalog zone entries the zone's configuration was not being updated to reflect that change.
[RT #21307](https://support.isc.org/Ticket/Display.html?id=21307)
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3553
followups from #3493
2022-09-27T12:59:11Z Evan Hunt

Now that the minimal fix for the statistics channel overread issue has been merged to the public repository, related code that was written while fixing it can be made public as well:
- further cleaning up httpd.c
- adding assertions to the `ISC__BUFFER` macros
- changing `ISC__BUFFER` macros to static inline functions in 9.19 and 9.18
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/3551
Missing RSA_free call in opensslrsa_verify2
2022-09-28T00:06:52Z Mark Andrews

If `e == NULL` then we should be freeing `rsa`. I don't believe that there is a path where we construct a `rsa` key without `e` and thereby trigger this path but marking confidential until that review is done. This was reported by Seth Arnold <seth.arnold@canonical.com>.
```
#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
RSA_get0_key(rsa, NULL, &e, NULL);
if (e == NULL) {
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
}
bits = BN_num_bits(e);
RSA_free(rsa);
#else
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3548
Static declaration of 'sallocx' follows non-static declaration on FreeBSD 13.1
2022-09-27T13:35:39Z Michal Nowak

`main` fails to build on FreeBSD 13.1-RELEASE-p2 when `--without-jemalloc` is present:
```
In file included from mem.c:58:
./jemalloc_shim.h:70:1: error: static declaration of 'sallocx' follows non-static declaration
sallocx(void *ptr, int flags) {
^
/usr/include/malloc_np.h:99:8: note: previous declaration is here
size_t sallocx(const void *ptr, int flags);
^
1 error generated.
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3547
memory leak in dns_message_checksig function - SIG(0) without view
2022-09-29T10:48:45Z Petr Špaček pspacek@isc.org

Reproduced using code from !5923 commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.
It was caught by AFL fuzzer when tests were crashing wildly.
AFL output:
```
american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 0 min, 26 sec │ cycles done : 14 │
│ last new find : 0 days, 0 hrs, 0 min, 0 sec │ corpus count : 117 │
│last saved crash : 0 days, 0 hrs, 0 min, 4 sec │saved crashes : 27 │
│ last saved hang : none seen yet │ saved hangs : 0 │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 31.274 (26.5%) │ map density : 0.31% / 1.41% │
│ runs timed out : 0 (0.00%) │ count coverage : 1.45 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 60 (51.28%) │
│ stage execs : 117/220 (53.18%) │ new edges on : 76 (64.96%) │
│ total execs : 1.62M │ total crashes : 158 (27 saved) │
│ exec speed : 61.6k/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 8 │
│ byte flips : disabled (default, enable with -D) │ pending : 27 │
│ arithmetics : disabled (default, enable with -D) │ pend fav : 0 │
│ known ints : disabled (default, enable with -D) │ own finds : 114 │
│ dictionary : n/a │ imported : 0 │
│havoc/splice : 93/655k, 48/959k │ stability : 99.27% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 32.43%/2274, disabled │ [cpu000: 25%]
└────────────────────────────────────────────────────┘^C
+++ Baking aborted by the chef +++
[+] We're done here. Have a nice day!
```
Reproducer:
```shell
autoreconf -fiv
CC='afl-clang-fast' CFLAGS='-O2 -march=native' CPPFLAGS='-D_FORTIFY_SOURCE=0' ./configure --enable-fuzzing=afl
make
cd fuzz
make check # fails, but nevermind
./dns_message_checksig
```
This will print a message with a value you should set in the next step. E.g.
```
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 67237 to be able to run this instrumented program if this crashes!
```
Go on:
```
AFL_MAP_SIZE=67237 afl-fuzz -i dns_message_checksig.in -o dns_message_checksig.out .libs/lt-dns_message_checksig
```
:boom:
Versions used:
```
$ pacman -Q afl clang
aflplusplus 4.02c-1
clang 14.0.6-2
BIND 90949da78f048eca660417906a25165de676e8c1
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Petr Špaček pspacek@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/3544
Add dohpath parsing to SVCB
2022-10-04T04:36:43Z Mark Andrews

"dohpath" has key value 7 per https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml and is specified in https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dns
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
BIND sometimes exits with "assertion failure" when accessing the statistics channel
2022-09-27T13:01:48Z Greg Choules

The following Support ticket provides evidence of this happening:
[Named crashes "critical: httpd.c:871: REQUIRE(httpd->state == RECV) failed" with statistics-channel call](https://support.isc.org/Ticket/Display.html?id=21145)
This may also be related to CVE-2022-2881
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3541
Have 'named -V' report supported algorithms
2023-06-15T16:19:32Z Mark Andrews

These vary depending upon the version of OpenSSL in use and how OpenSSL is configured.
These may also depend on FIPS mode and cryptographic engine configuration.
These may also depend on what is discovered at compile time.
e.g.
```
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
```
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3536
Out-of-tree system tests fail
2022-09-20T13:28:38Z Tony Finch

The `testsock.pl` changes in the fix for #3519 accidentally broke out-of-tree builds
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Tony Finch

https://gitlab.isc.org/isc-projects/bind9/-/issues/3531
server.c:10017:15: runtime error: load of value 190, which is not a valid value for type 'bool'
2022-09-12T10:27:20Z Michal Nowak

`rpz` system test fails with Clang 15 ASAN.
Job [#2753728](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2753728) failed for 63da91660c799119664154522d31823e6bb5fc50:
```
server.c:10017:15: runtime error: load of value 190, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior server.c:10017:15 in
```
We had a similar one in the past: isc-projects/bind9#2446.
This error is in every `rpz/ns*/named.run` but does not seem to cause an immediate crash.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3525
key id clashes across algorithms cause problems with statistics
2022-09-15T23:50:00Z Mark Andrews

Job [#2743211](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2743211) failed for 785d021d00ed178a6c778cbc0a36885289cc9cc7:
Key id 756 is a duplicate. The stats channel only has 756 once in its output when it is expected to be there twice.
```
ant-5853:tests/system/statschannel] marka% more zones.expect.8
dnssec-refresh operations 23405: 1
dnssec-refresh operations 33537: 1
dnssec-refresh operations 5354: 10
dnssec-refresh operations 5727: 1
dnssec-refresh operations 756: 10
dnssec-refresh operations 756: 10
dnssec-sign operations 23405: 1
dnssec-sign operations 33537: 1
dnssec-sign operations 5354: 10
dnssec-sign operations 5727: 1
dnssec-sign operations 756: 10
dnssec-sign operations 756: 10
[ant-5853:tests/system/statschannel] marka% head ns2/manykeys.ksk*.id
==> ns2/manykeys.ksk13.id <==
33537
==> ns2/manykeys.ksk14.id <==
5727
==> ns2/manykeys.ksk8.id <==
23405
[ant-5853:tests/system/statschannel] marka% head ns2/manykeys.zsk*.id
==> ns2/manykeys.zsk13.id <==
756
==> ns2/manykeys.zsk14.id <==
5354
==> ns2/manykeys.zsk8.id <==
756
[ant-5853:tests/system/statschannel] marka%
```
```
[ant-5853:tests/system/statschannel] marka% more zones.out.x8
dnssec-refresh operations 23405: 1
dnssec-refresh operations 33537: 1
dnssec-refresh operations 5354: 10
dnssec-refresh operations 5727: 1
dnssec-refresh operations 756: 10
dnssec-sign operations 23405: 1
dnssec-sign operations 33537: 1
dnssec-sign operations 5354: 10
dnssec-sign operations 5727: 1
dnssec-sign operations 756: 10
[ant-5853:tests/system/statschannel] marka%
```
The same key id across multiple algorithms.
```
Kmanykeys.+008+00756.key Kmanykeys.+008+00756.state Kmanykeys.+013+00756.private
Kmanykeys.+008+00756.private Kmanykeys.+013+00756.key Kmanykeys.+013+00756.state
```
It looks like the XML correctly captures both counts but JSON doesn't.
```
<counters type="dnssec-sign">
<counter name="756">10</counter>
<counter name="756">10</counter>
<counter name="5354">10</counter>
<counter name="23405">1</counter>
<counter name="33537">1</counter>
<counter name="5727">1</counter>
</counters>
<counters type="dnssec-refresh">
<counter name="756">10</counter>
<counter name="756">10</counter>
<counter name="5354">10</counter>
<counter name="23405">1</counter>
<counter name="33537">1</counter>
<counter name="5727">1</counter>
</counters>
```
```
{
"name":"manykeys",
"class":"IN",
"serial":2,
"type":"primary",
"loaded":"2022-09-06T12:58:57Z",
"dnssec-sign":{
"756":10,
"5354":10,
"23405":1,
"33537":1,
"5727":1
},
"dnssec-refresh":{
"756":10,
"5354":10,
"23405":1,
"33537":1,
"5727":1
}
```
I think we are going to have to embed the algorithm into the counter names.
October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Mark Andrews