ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2018-05-10T16:50:52Z

Issue #135: Add basic unit tests for update_sigs()
https://gitlab.isc.org/isc-projects/bind9/-/issues/135
2018-05-10T16:50:52Z, Michał Kępień

The static [`update_sigs()`](https://gitlab.isc.org/isc-projects/bind9/blob/c9f4bdde949dd337f900f47995537076d2370d1d/lib/dns/zone.c#L7345-7391) function could use some basic unit tests so that it can be safely [refactored](!10).

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #128: mkeys system test fails intermittently
https://gitlab.isc.org/isc-projects/bind9/-/issues/128
2018-03-08T13:09:18Z, Michał Kępień

The failure mode below has been observed once so far:
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/3026
```
S:mkeys:Tue Mar 6 07:42:47 UTC 2018
T:mkeys:1:A
A:mkeys:System test mkeys
I:mkeys:PORTRANGE:9600 - 9699
I:mkeys:check for signed record (1)
I:mkeys:check positive validation with valid trust anchor (2)
I:mkeys:check positive validation using delv (3)
I:mkeys:check for failed validation due to wrong key in managed-keys (4)
I:mkeys:check new trust anchor can be added (5)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:check new trust anchor can't be added with bad initial key (6)
I:mkeys:ns3 refreshing managed keys for '_default'
I:mkeys:remove untrusted standby key, check timer restarts (7)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:restore untrusted standby key, revoke original key (8)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:refresh managed-keys, ensure same result (9)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:restore revoked key, ensure same result (10)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:reinitialize trust anchors, add second key to bind.keys
I:mkeys:check that no key from bind.keys is marked as an initializing key (11)
I:mkeys:reinitialize trust anchors, revert to one key in bind.keys
I:mkeys:check that standby key is now trusted (12)
I:mkeys:revoke original key, add new standby (13)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:revoke standby before it is trusted (14)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:wait 20 seconds for key add/remove holddowns to expire (15)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:revoke all keys, confirm roll to insecure (16)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:check for insecure response (17)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:reset the root server
I:mkeys:reinitialize trust anchors
I:mkeys:check positive validation (18)
I:mkeys:revoke key with bad signature, check revocation is ignored (19)
I:mkeys:ns1 zone reload queued
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:check validation fails with bad DNSKEY rrset (20)
I:mkeys:restore DNSKEY rrset, check validation succeeds again (21)
I:mkeys:ns1 zone reload queued
I:mkeys:reset the root server with no keys, check for minimal update (22)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:reset the root server with no signatures, check for minimal update (23)
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:restore root server, check validation succeeds again (24)
I:mkeys:ns1 zone reload queued
I:mkeys:ns2 refreshing managed keys for '_default'
I:mkeys:check that trust-anchor-telemetry queries are logged (25)
I:mkeys:check that trust-anchor-telemetry queries are received (26)
I:mkeys:check 'rndc-managed-keys destroy' (27)
I:mkeys:ns2 destroying managed-keys database for '_default'
I:mkeys:check that trust-anchor-telemetry queries contain the correct key (28)
I:mkeys:check initialization fails if managed-keys can't be created (29)
I:mkeys:check failure to contact root servers does not prevent key refreshes after restart (30)
I:mkeys:check key refreshes are resumed after root servers become available (31)
I:mkeys:exceeded time limit waiting for 'Returned from key fetch in keyfetch_done()' in ns5/named.run
I:mkeys:failed
I:mkeys:exit status: 1
R:mkeys:FAIL
E:mkeys:Tue Mar 6 07:44:44 UTC 2018
```
Contents of `bin/tests/system/mkeys/` [attached](/uploads/1d49120036975b1478ae848ad3bc0689/mkeys.tar.gz).

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #126: "make distclean" fails.
https://gitlab.isc.org/isc-projects/bind9/-/issues/126
2018-03-19T22:18:27Z, Mark Andrews

"make distclean" fails as some make implementations cannot handle macros that end in '\', which is currently the case for SUBDIR in bin/tests if @PKCS11_TOOLS@ is empty. The last element gets repeated, which causes the system directory to be entered twice. This can also cause timing issues when building.
<pre>
-SUBDIRS = atomic db dst master mem hashes names \
- net rbt resolver sockaddr tasks timers system \
- @PKCS11_TOOLS@
+SUBDIR = atomic db dst master mem hashes names net rbt resolver \
+ sockaddr tasks timers system @PKCS11_TOOLS@
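Review bot: the added line spells the variable `SUBDIR` while the removed lines spell it `SUBDIRS`; unless the recursion rules that consume this variable are renamed in the same change, the directory list the build walks becomes empty and the per-directory make and distclean targets are silently skipped. Please keep the original `SUBDIRS` name (the issue text's "SUBDIR" reads like shorthand) or show the matching rule change alongside this hunk.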
</pre>

Milestone: BIND-9.13.0. Assignee: Mark Andrews.

Issue #125: in-view duplicate zone not detected by named-checkconf
https://gitlab.isc.org/isc-projects/bind9/-/issues/125
2018-03-19T22:16:09Z, Cathy Almond

It doesn't seem that the configuration checker is applied effectively to zones of type 'in-view' that are declared referencing a copy of the zone that is being loaded in another view.
For example:
```
view "my-default" {
    ...
    zone "yum.co.uk" IN {
        type master;
        file "yum.co.uk.zone";
    };
    ...
};
```
```
view "another-one" {
    match-clients { any; };
    zone "yum.co.uk" IN {
        type master;
        file "yum.co.uk.zone";
    };
    zone "yum.co.uk" IN {
        in-view "my-default";
    };
};
```
There are no errors reported when it is run through named-checkconf, but when loading, named fails when parsing the second instance of "yum.co.uk" in the second view - having not previously detected that there might be a problem loading it.
The error message reported is not particularly helpful:
```
02-Mar-2018 18:37:43.266 automatic empty zone: view my-default: EMPTY.AS112.ARPA
02-Mar-2018 18:37:43.266 loading configuration: already exists
02-Mar-2018 18:37:43.266 exiting (due to fatal error)
```
Compare this with the scenario where the same zone has been declared identically in the view:
...
```
view "another-one" {
    match-clients { any; };
    zone "yum.co.uk" IN {
        type master;
        file "yum.co.uk.zone";
    };
    zone "yum.co.uk" IN {
        type master;
        file "yum.co.uk.zone";
    };
```
```
$ named-checkconf /etc/named.conf
/etc/named.conf:180: zone 'yum.co.uk': already exists previous definition: /etc/named.conf:175
$
```
Which of course is repeated if you try to start named without checking the configuration first:
```
02-Mar-2018 18:51:24.689 loading configuration from '/etc/named.conf'
02-Mar-2018 18:51:24.690 /etc/named.conf:180: zone 'yum.co.uk': already exists previous definition: /etc/named.conf:175
02-Mar-2018 18:51:24.690 loading configuration: failure
02-Mar-2018 18:51:24.690 exiting (due to fatal error)
```
It would be helpful if the in-view zones were included in the same sanity checking as other zone types, and thus generated a more helpful error message (including the line number of named.conf) for the administrator to fix.

Milestone: BIND-9.13.0. Assignee: Mark Andrews.

Issue #123: Support 64 RPZ zones by default from 9.13 onwards
https://gitlab.isc.org/isc-projects/bind9/-/issues/123
2018-03-18T10:25:34Z, Ghost User

Support 64 RPZ zones by default from 9.13 onwards. Right now it's 32 or 64, and there doesn't seem to be any pressing need to have this choice going forward.

Milestone: BIND-9.13.0.

Issue #121: views system test has wrong test strings for reload completion.
https://gitlab.isc.org/isc-projects/bind9/-/issues/121
2018-03-19T22:21:19Z, Mark Andrews

We should be looking for "all zones loaded" rather than "reloading zones succeeded". The latter results in timing issues.
<pre>
S:views/:Wed 28 Feb 2018 17:07:34 AEDT
T:views/:1:A
A:views/:System test views/
I:views/:PORTRANGE:5300 - 5399
I:views:fetching a.example from ns2's initial configuration
I:views:fetching a.example from ns3's initial configuration
I:views:copying in new configurations for ns2 and ns3
I:views:reloading ns2 and ns3 with rndc
I:views:ns2 server reload successful
I:views:ns3 server reload successful
I:views:wait for reload
ns2/named.run
28-Feb-2018 17:07:37.082 zone_settimer: zone example/IN/internal: enter
28-Feb-2018 17:07:37.082 zone_settimer: zone example/IN/internal: settimer inactive
28-Feb-2018 17:07:37.119 zone_settimer: zone example/IN/external: enter
28-Feb-2018 17:07:37.120 zone_settimer: zone example/IN/external: settimer inactive
28-Feb-2018 17:07:37.203 zone example/IN: (master) removed
28-Feb-2018 17:07:37.205 reloading zones succeeded
28-Feb-2018 17:07:37.244 zone_shutdown: zone example/IN: shutting down
28-Feb-2018 17:07:37.249 zone example/IN/internal: starting load
28-Feb-2018 17:07:37.251 zone example/IN/internal: number of nodes in database: 5
28-Feb-2018 17:07:37.251 zone example/IN/internal: journal rollforward completed successfully: no journal
28-Feb-2018 17:07:37.251 zone example/IN/internal: loaded; checking validity
28-Feb-2018 17:07:37.251 zone_settimer: zone example/IN/internal: enter
28-Feb-2018 17:07:37.251 zone example/IN/internal: loaded serial 2
28-Feb-2018 17:07:37.259 zone_timer: zone example/IN/internal: enter
28-Feb-2018 17:07:37.259 zone_maintenance: zone example/IN/internal: enter
28-Feb-2018 17:07:37.259 zone example/IN/internal: sending notifies (serial 2)
28-Feb-2018 17:07:37.259 zone_settimer: zone example/IN/internal: enter
28-Feb-2018 17:07:37.259 zone_settimer: zone example/IN/internal: settimer inactive
28-Feb-2018 17:07:37.263 zone example/IN/internal: sending notify to 10.53.0.3#5300
28-Feb-2018 17:07:37.307 zone example/IN/external: starting load
28-Feb-2018 17:07:37.308 zone example/IN/external: number of nodes in database: 4
28-Feb-2018 17:07:37.308 zone example/IN/external: journal rollforward completed successfully: no journal
28-Feb-2018 17:07:37.309 zone example/IN/external: loaded; checking validity
28-Feb-2018 17:07:37.309 zone_settimer: zone example/IN/external: enter
28-Feb-2018 17:07:37.309 zone example/IN/external: loaded serial 2
28-Feb-2018 17:07:37.313 zone example/IN/internal: notify response from 10.53.0.3#5300: NOERROR
28-Feb-2018 17:07:37.313 all zones loaded
28-Feb-2018 17:07:37.314 zone_timer: zone example/IN/external: enter
28-Feb-2018 17:07:37.314 zone_maintenance: zone example/IN/external: enter
28-Feb-2018 17:07:37.314 zone example/IN/external: sending notifies (serial 2)
28-Feb-2018 17:07:37.315 zone_settimer: zone example/IN/external: enter
28-Feb-2018 17:07:37.315 dns_zone_maintenance: zone example/IN/internal: enter
28-Feb-2018 17:07:37.315 zone_settimer: zone example/IN/external: settimer inactive
28-Feb-2018 17:07:37.315 zone_settimer: zone example/IN/internal: enter
28-Feb-2018 17:07:37.315 zone_settimer: zone example/IN/internal: settimer inactive
28-Feb-2018 17:07:37.325 dns_zone_maintenance: zone example/IN/external: enter
28-Feb-2018 17:07:37.325 zone_settimer: zone example/IN/external: enter
28-Feb-2018 17:07:37.326 zone_settimer: zone example/IN/external: settimer inactive
28-Feb-2018 17:07:37.391 client @0x7f93d08dfe10 10.53.0.3#56010 (example): view internal: transfer of 'example/IN': AXFR question section OK
28-Feb-2018 17:07:37.391 client @0x7f93d08dfe10 10.53.0.3#56010 (example): view internal: transfer of 'example/IN': AXFR authority section OK
28-Feb-2018 17:07:37.391 client @0x7f93d08dfe10 10.53.0.3#56010 (example): view internal: transfer of 'example/IN': AXFR started (serial 2)
28-Feb-2018 17:07:37.392 client @0x7f93d08dfe10 10.53.0.3#56010 (example): view internal: transfer of 'example/IN': sending TCP message of 227 bytes
28-Feb-2018 17:07:37.392 client @0x7f93d08dfe10 10.53.0.3#56010 (example): view internal: transfer of 'example/IN': AXFR ended
ns3/named.run
28-Feb-2018 17:07:37.220 zone example/IN: not reusable: type mismatch
28-Feb-2018 17:07:37.286 zone example/IN: (master) removed
28-Feb-2018 17:07:37.287 zone_shutdown: zone example/IN: shutting down
28-Feb-2018 17:07:37.287 zone example/IN: notify from 10.53.0.2#56578: no serial
28-Feb-2018 17:07:37.287 queue_soa_query: zone example/IN: enter
28-Feb-2018 17:07:37.288 reloading zones succeeded
28-Feb-2018 17:07:37.288 soa_query: zone example/IN: enter
28-Feb-2018 17:07:37.388 refresh_callback: zone example/IN: enter
28-Feb-2018 17:07:37.388 refresh_callback: zone example/IN: serial: new 2, old not loaded
28-Feb-2018 17:07:37.389 queue_xfrin: zone example/IN: enter
28-Feb-2018 17:07:37.389 zone example/IN: Transfer started.
28-Feb-2018 17:07:37.389 zone example/IN: no database exists yet, requesting AXFR of initial version from 10.53.0.2#5300
28-Feb-2018 17:07:37.390 transfer of 'example/IN' from 10.53.0.2#5300: connected using 10.53.0.3#56010
28-Feb-2018 17:07:37.390 transfer of 'example/IN' from 10.53.0.2#5300: sent request data
28-Feb-2018 17:07:37.392 transfer of 'example/IN' from 10.53.0.2#5300: received 227 bytes
28-Feb-2018 17:07:37.393 transfer of 'example/IN' from 10.53.0.2#5300: got nonincremental response
28-Feb-2018 17:07:37.395 zone example/IN: replacing zone database
28-Feb-2018 17:07:37.395 zone example/IN: zone transfer finished: success
28-Feb-2018 17:07:37.395 zone example/IN: transferred serial 2
28-Feb-2018 17:07:37.395 zone_needdump: zone example/IN: enter
28-Feb-2018 17:07:37.395 zone_settimer: zone example/IN: enter
28-Feb-2018 17:07:37.395 zone_settimer: zone example/IN: enter
28-Feb-2018 17:07:37.395 transfer of 'example/IN' from 10.53.0.2#5300: Transfer status: success
28-Feb-2018 17:07:37.395 transfer of 'example/IN' from 10.53.0.2#5300: Transfer completed: 1 messages, 9 records, 227 bytes, 0.005 secs (45400 bytes/sec)
28-Feb-2018 17:07:37.395 zone_timer: zone example/IN: enter
28-Feb-2018 17:07:37.395 zone_maintenance: zone example/IN: enter
28-Feb-2018 17:07:37.402 all zones loaded
28-Feb-2018 17:07:37.405 dns_zone_maintenance: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone_settimer: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone_timer: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone_maintenance: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone example/IN: sending notifies (serial 2)
28-Feb-2018 17:07:37.405 zone_dump: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone_settimer: zone example/IN: enter
28-Feb-2018 17:07:37.405 zone example/IN: sending notify to 10.53.0.2#5300
28-Feb-2018 17:07:37.405 zone_gotwritehandle: zone example/IN: enter
28-Feb-2018 17:07:37.406 dump_done: zone example/IN: enter
28-Feb-2018 17:07:37.406 zone_journal_compact: zone example/IN: target journal size 2240
28-Feb-2018 17:07:37.406 zone example/IN: dns_journal_compact: not found
28-Feb-2018 17:07:37.407 zone example/IN: notify response from 10.53.0.2#5300: NOERROR
I:views:fetching a.example from ns2's 10.53.0.4, source address 10.53.0.4
I:views:fetching a.example from ns2's 10.53.0.2, source address 10.53.0.2
I:views:fetching a.example from ns3's 10.53.0.3, source address defaulted
I:views:comparing ns3's initial a.example to one from reconfigured 10.53.0.2
I:views:comparing ns3's initial a.example to one from reconfigured 10.53.0.3
I:views:comparing ns2's initial a.example to one from reconfigured 10.53.0.4
I:views:comparing ns2's initial a.example to one from reconfigured 10.53.0.3
I:views:(should be different)
I:views:updating cloned zone in internal view
I:views:sleeping to allow update to take effect
I:views:verifying update affected both views
I:views:verifying forwarder in cloned zone works
I:views:verifying inline zones work with views
I:views:exit status: 0
R:views/:PASS
E:views/:Wed 28 Feb 2018 17:07:44 AEDT
</pre>

Milestone: BIND-9.13.0. Assignee: Mark Andrews.

Issue #119: Remove unnecessary INSIST() in code
https://gitlab.isc.org/isc-projects/bind9/-/issues/119
2018-03-19T22:18:09Z, Ghost User

```
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 6f8df29dce..e9f0590f07 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3882,8 +3882,8 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
st->popt = popt;
st->rpz_ver = rpz_ver;
client->query.rpz_st = st;
- if (popt.dnsrps_enabled) {
#ifdef USE_DNSRPS
+ if (popt.dnsrps_enabled) {
if (st->rpsdb != NULL) {
dns_db_detach(&st->rpsdb);
}
@@ -3898,10 +3898,8 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
st->m.policy = DNS_RPZ_POLICY_ERROR;
return (ISC_R_SUCCESS);
}
-#else
- INSIST(0);
-#endif
}
+#endif
}
/*
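Review bot: dropping the `#else` / `INSIST(0);` branch means a build without `USE_DNSRPS` no longer aborts if `popt.dnsrps_enabled` is somehow true here; the change relies on the configuration parser having already rejected `dnsrps-enable yes` in such builds (the `#ifndef USE_DNSRPS` check quoted in issue #116 on this page does that). Please state that invariant in the commit message, because with the `if` now moved inside `#ifdef USE_DNSRPS` nothing in this function records why the flag cannot be set.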
```

Milestone: BIND-9.13.0. Assignee: Mark Andrews.

Issue #116: dnsrps-enable log message appears to be broken
https://gitlab.isc.org/isc-projects/bind9/-/issues/116
2018-03-19T22:16:40Z, Ghost User

See the following log message:
```c
#ifndef USE_DNSRPS
if (dnsrps_enabled) {
cfg_obj_log(rpz_obj, named_g_lctx, DNS_RPZ_ERROR_LEVEL,
"\"dnsrps-enable yes\" but"
" with `./configure --enable-dnsrps`");
return (ISC_R_FAILURE);
}
#else
```
Should it not say **without**? That log message is better thrown away and handled as a `CFG_CLAUSEFLAG_NOTCONFIGURED`.

Milestone: BIND-9.13.0. Assignee: Mark Andrews.

Issue #115: clean up bin/tests, convert unit tests to ATF
https://gitlab.isc.org/isc-projects/bind9/-/issues/115
2018-03-19T22:15:47Z, Evan Hunt

This is an old item on the TODO list whose time has come. Let's clean up bin/tests:
- remove bin/tests/master, it's been superfluous for a long time; it was turned into lib/isc/tests/master_test.c, but the original was never removed
- move dnssec-signzone tests into bin/tests/system/dnssec (if they aren't already there)
- rewrite atomic, db, dst, hashes, mem, names, net, rbt, resolver, sockaddr, tasks and timers as ATF tests (and ideally do something about how slow a few of them are)
- review the remaining tests in bin/tests/*_test.c and see if there are others that should be converted
- remove lib/tests and bin/tests/t_api.pl after all tests using them are converted

Milestone: BIND-9.13.0. Assignee: Evan Hunt.

Issue #113: Minor testsummary.sh improvements (handling colored output, failure summary)
https://gitlab.isc.org/isc-projects/bind9/-/issues/113
2020-09-16T10:05:12Z, Michał Kępień

`bin/tests/system/testsummary.sh` could be slightly improved, so that it:
* correctly processes colored system test output,
* prints a summary of failed system tests, if any.

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #112: MX checks are not applied to dynamic updates
https://gitlab.isc.org/isc-projects/bind9/-/issues/112
2018-03-19T22:18:39Z, Michał Kępień

The `check_mx()` function in `lib/ns/update.c` [incorrectly](https://gitlab.isc.org/isc-projects/bind9/blob/e1d6c9a6631f2db967d1a6331b5a177b78e08b89/lib/ns/update.c#L1740) [tests](https://gitlab.isc.org/isc-projects/bind9/blob/e1d6c9a6631f2db967d1a6331b5a177b78e08b89/lib/ns/update.c#L1749) whether the `DNS_RDATA_CHECKMX`/`DNS_RDATA_CHECKMXFAIL` flags are set for each applied MX record update as these flags are never set in code paths related to dynamic updates; they can only be set when loading a zone from a master file (`DNS_ZONEOPT_CHECKMX` → `DNS_MASTER_CHECKMX` → `DNS_RDATA_CHECKMX`). This flaw allows MX records containing IP addresses to be added to a zone even when `check-mx fail;` is used.

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #110: libirs: Errors raised while parsing resolv.conf are ignored
https://gitlab.isc.org/isc-projects/bind9/-/issues/110
2018-03-19T22:18:15Z, Michał Kępień

`irs_resconf_load()` [stores](https://gitlab.isc.org/isc-projects/bind9/blob/e1d6c9a6631f2db967d1a6331b5a177b78e08b89/lib/irs/resconf.c#L569-582) the value returned by `add_search()` into `ret` without consulting its current value first. This causes any previous errors raised while parsing `resolv.conf` to be ignored as long as any `domain` or `search` statement is present in the file.

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #109: [PATCH] dnssec-keygen: double free after keygen error
https://gitlab.isc.org/isc-projects/bind9/-/issues/109
2018-04-06T04:28:14Z, Petr Menšík

Hello,
while I was playing with FIPS mode support, I found dnssec-keygen is crashing reliably in that mode. If RSA_generate_key_ex fails for any reason and OpenSSL 1.1+ is used, the freed pointer is not reset to null. In the err label it is then freed again. I doubt it is possible to trigger this error remotely, but it might be security related. I will leave that to you for consideration. I think always assigning an explicit NULL outside BN_GENCB_free would not hurt. Changed by the second patch.

Is there a reason why EVP_PKEY_CTX is not used for key generation instead? Is a patch with the more recent generic API welcome?
[0001-Fix-double-free-on-RSA_generate_key_ex-failure.patch](/uploads/b89822b9cb21f828215e07c924c38cf2/0001-Fix-double-free-on-RSA_generate_key_ex-failure.patch) [0002-Do-not-assign-NULL-conditionally-in-OpenSSL-1.1-make.patch](/uploads/0bb04e2a3d9414f44794804a41f4ac29/0002-Do-not-assign-NULL-conditionally-in-OpenSSL-1.1-make.patch)

Milestone: BIND-9.13.0.

Issue #97: Windows version of BIND failing to build
https://gitlab.isc.org/isc-projects/bind9/-/issues/97
2018-03-19T22:18:33Z, Stephen Morris

The Windows build of master has just started failing with the following error:
```
libisc.def : error LNK2001: unresolved external symbol isc_net_aton [c:\cygwin64\home\jenkins\workspace\bind9-master-win2012-x64-systests\lib\isc\win32\libisc.vcxproj]
.\Release\libisc.lib : fatal error LNK1120: 1 unresolved externals [c:\cygwin64\home\jenkins\workspace\bind9-master-win2012-x64-systests\lib\isc\win32\libisc.vcxproj]
```
When fixing that, consideration should also be given to fixing a warning reported in the build:
` ..\random.c(391): warning C4267: '-=' : conversion from 'size_t' to 'int', possible loss of data [c:\cygwin64\home\jenkins\workspace\bind9-master-win2012-x64-systests\lib\isc\win32\libisc.vcxproj]`

Milestone: BIND-9.13.0. Assignee: Ondřej Surý.

Issue #95: dyndb system test fails intermittently
https://gitlab.isc.org/isc-projects/bind9/-/issues/95
2018-02-23T22:52:07Z, Ondřej Surý

Three failures have been observed so far:
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/1603
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2081
* https://gitlab.isc.org/isc-projects/bind9/-/jobs/2082
```
S:dyndb:Thu Feb 22 12:21:06 UTC 2018
T:dyndb:1:A
A:dyndb:System test dyndb
I:dyndb:PORTRANGE:5300 - 5399
I:adding test1.ipv4.example.nil. A 10.53.0.10 (1)
I:adding test2.ipv4.example.nil. A 10.53.0.11 (2)
I:adding test3.ipv4.example.nil. A 10.53.0.12 (3)
I:adding test4.ipv6.example.nil. AAAA 2001:db8::1 (4)
I:deleting test1.ipv4.example.nil. A (was 10.53.0.10) (5)
I:deleting test2.ipv4.example.nil. A (was 10.53.0.11) (6)
I:deleting test3.ipv4.example.nil. A (was 10.53.0.12) (7)
I:deleting test4.ipv6.example.nil. AAAA (was 2001:db8::1) (8)
I:checking parameter logging (9)
I:checking dyndb still works after reload
I:ns1 server reload successful
I:adding test5.ipv4.example.nil. A 10.53.0.10 (10)
I:adding test6.ipv6.example.nil. AAAA 2001:db8::1 (11)
I:deleting test5.ipv4.example.nil. A (was 10.53.0.10) (12)
I:deleting test6.ipv6.example.nil. AAAA (was 2001:db8::1) (13)
I:exit status: 1
R:dyndb:FAIL
E:dyndb:Thu Feb 22 12:21:11 UTC 2018
```
Repacked artifacts (removed .o, .a and .libs) from the first failure attached: [dyndb-artifacts.tar.xz](/uploads/70ad65f49760afedb72f03d53ee14231/dyndb-artifacts.tar.xz)

Milestone: BIND-9.13.0. Assignee: Evan Hunt.

Issue #94: Replace idnkit-1 support with idnkit-2 support (or drop it)
https://gitlab.isc.org/isc-projects/bind9/-/issues/94
2018-03-19T22:14:18Z, Ondřej Surý

Currently, BIND doesn't compile with idnkit-2:
```
host.c:20:10: fatal error: 'idn/result.h' file not found
#include <idn/result.h>
^~~~~~~~~~~~~~
dighost.c:30:10: fatal error: 'idn/result.h' file not found
#include <idn/result.h>
^~~~~~~~~~~~~~
1 error generated.
```
and for IDNA2008 support, we need to either add support for [idnkit-2](https://jprs.co.jp/idn/index-e.html) or drop idnkit-1 support and leave only libidn2 support (!56). The only reason to keep idnkit-2 would be the licensing: idnkit-2 is licensed under a custom JPRS BSD-like license (with additional restrictions), and libidn2 is LGPL3+ (for our purposes) licensed.

Milestone: BIND-9.13.0.

Issue #93: Drop seccomp support [RT #46729]
https://gitlab.isc.org/isc-projects/bind9/-/issues/93
2018-03-19T22:18:59Z, Ondřej Surý

This ticket proposes complete removal of seccomp support from BIND source code due to a number of issues with both seccomp itself and the way it is implemented in BIND. Removal is planned to be announced in BIND 9.12.0 release notes and then performed in the next .0 release.
The reasons for suggesting removal of seccomp support from BIND are:
- Compiling an exhaustive list of system calls which should be whitelisted is very tricky for a piece of software as complex as BIND; while an application needs to declare a complete whitelist of system calls which need to be allowed, it cannot assume anything about what system calls libc is going to use in response to the standard C library calls issued (see e.g. open() vs. openat(), setrlimit() vs. prlimit()).
- Alternative mechanisms for achieving the same kind of protection exist, e.g. SELinux or AppArmor. Fine-tuning policies enforced by those mechanisms does not require any changes to be introduced into BIND's source code.
- For threaded builds of BIND, seccomp is implemented in a way which provides virtually no extra protection as the only thread which is protected using seccomp is the main thread which waits for libisc to exit its main loop; worker threads are not protected at all because seccomp is initialized after worker threads are spawned. However, this causes odd system test issues e.g. due to named getting killed by SIGSYS after it logs an "exiting" message, but before it gets a chance to clean up its lock file and PID file.
- For non-threaded builds of BIND, we are currently whitelisting over 60 system calls, including open(), read(), write(), close(), mmap(), chdir() and unlink(). These system calls alone are enough for potential exploits to wreak havoc in the system, so such protection arguably does not limit the attack surface significantly.
- Considering planned implementation of hooks and enabling external hook modules to be loaded at runtime, either users will potentially need to locally update the seccomp system call whitelist if their module is going to use anything not currently on the list or we will need to provide hook modules with a way of adding extra system calls to the whitelist. Both of these options would further limit seccomp's usefulness.
[NOTE: Not copying the other conversation from RT, it could be looked up there.]

Milestone: BIND-9.13.0. Assignee: Ondřej Surý.

Issue #92: Add Release Note about the fix for dnstap output file rolling
https://gitlab.isc.org/isc-projects/bind9/-/issues/92
2018-03-19T22:21:34Z, Ondřej Surý

@vicky wrote in !21:
> There is no release note about this in the 9.12.1 RC - can we please mention that this is fixed? I think there were users who noticed it was broken in 9.12.0 who will be wondering if it is now fixed. https://bugs.isc.org/Public/Bug/Display.html?id=46942

Milestone: BIND-9.13.0. Assignee: Michał Kępień.

Issue #91: complete the conversion of system tests to parallel
https://gitlab.isc.org/isc-projects/bind9/-/issues/91
2018-03-19T22:18:55Z, Evan Hunt

This is mostly done in the branch parallel-tests. On my system using four processors, system tests now complete in a little over four minutes. There are a couple of trivial tests remaining to convert (ecdsa, eddsa, gost), and I'll do a squash rebase before I put in a merge request.

Milestone: BIND-9.13.0. Assignee: Evan Hunt.

Issue #82: cacheclean test is not robust.
https://gitlab.isc.org/isc-projects/bind9/-/issues/82
2018-03-19T22:19:05Z, Mark Andrews

The output of `sed -n '/plain success\/timeout/,/Unassociated entries/p' ns2/named_dump.db.$n.b` should be checked to confirm that it contains both the start and end lines. Similarly for `ns2/named_dump.db.$n.a`.

Milestone: BIND-9.13.0.