ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-10-05T10:12:27Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/2925
Defining "default" "http" clause should not be allowed in the configuration
2021-10-05T10:12:27Z
Artem Boldariev

Defining 'default' 'http' configuration should not be allowed in configuration files, as `default` is reserved for internal use in `listen-on` statements. For example, the following configuration file should be rejected:
```
tls local-tls {
key-file "key.pem";
cert-file "cert.pem";
};
http default {
endpoints { "/dns-query"; };
listener-clients 100;
streams-per-connection 100;
};
options {
listen-on { 10.53.0.1; };
http-port 80;
https-port 443;
http-listener-clients 100;
http-streams-per-connection 100;
listen-on port 443 tls local-tls http default { 10.53.0.1; };
listen-on port 8080 tls none http default { 10.53.0.1; };
};
```

October 2021 (9.11.36, 9.11.36-S1, 9.16.22, 9.16.22-S1, 9.17.19)
Artem Boldariev

https://gitlab.isc.org/isc-projects/kea/-/issues/2117
keactl does not color code status for DHCP-DDNS
2021-11-16T07:13:00Z
Andrey Pevnev

Continuing https://gitlab.isc.org/isc-projects/kea/-/issues/1424 - it looks like [this](https://gitlab.isc.org/isc-projects/kea/-/blob/master/src/bin/keactrl/keactrl.in#L544) line needs to say `$active` not `"active"`. Thanks!

kea2.1.1
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/2118
bump up kea version
2021-10-07T09:57:56Z
Wlodzimierz Wencel

after 2.0.0 release we need 2.1.0-git in configure.ac

kea2.1.0

https://gitlab.isc.org/isc-projects/stork/-/issues/589
Kea timeout in system tests
2022-06-22T14:51:49Z
Slawek Figiel

During resolving #552 we found a rare problem with a Kea timeout.
It looks like the problem occurs when the Kea uses many network configurations.
```
> assert data['total'] == 6912
E KeyError: 'total'
agent = <containers.StorkAgentContainer object at 0x7f25865631f0>
data = {'items': None}
i = 29
m = {'address': '10.69.61.73', 'agentPort': 8080, 'agentToken': '79C7F48C7860CA179B14E01CAFC07C383B86E630F3EB3573CE0E83162FFD57F0', 'agentVersion': '0.20.0', ...}
r = <Response [200]>
server = <containers.StorkServerContainer object at 0x7f2586558640>
tests.py:267: KeyError
```
I think that our test shouldn't fail in this case, but wait for the end of processing.
I attach all collected logs to this issue.
[stork-agent-0.log](/uploads/e6327e9188b14fbcb7772e719658363b/stork-agent-0.log)
[stork-server-0.log](/uploads/b8e0b97d42377948223c3f2bf5021519/stork-server-0.log)
[raw.txt](/uploads/e75df69ca44eadc2d0c2943f0de220b3/raw.txt)

outstanding

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/6
Add gss-tsig hook
2021-10-07T12:17:14Z
Francis Dupont

Adding a package for the gss-tsig hook.

Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/2926
use netmgr for route sockets and remove isc_socket
2022-01-21T13:44:36Z
Evan Hunt

The last remaining use of `isc_socket` and `isc_socketmgr` in BIND is for the netlink/route sockets that are used to scan for interface changes.
The libuv documentation indicates that any socket that honors the datagram contract can be passed to `uv_udp_open()`, so we should be able to make the netmgr do this instead.

November 2021 (9.16.23, 9.16.23-S1, 9.17.20)
Evan Hunt

https://gitlab.isc.org/isc-projects/kea/-/issues/2119
Wiki link to Developer's guide is broken
2021-10-04T10:38:32Z
Francis Dupont

Current link under the `jenkins` name is https://jenkins.isc.org/job/Kea_doc/doxygen/
Obviously it should point to the new AWS Jenkins or another site...

Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2927
lame servers with IPv6 unreachable make dispatch@netmgr stuck on shutdown
2022-01-26T11:33:41Z
Ondřej Surý

So, I narrowed it down to a single query:
```
dig -p 5300 IN A mail.lab.comcor.ru. @10.10.10.20
```
which goes like this:
```
04-Oct-2021 09:25:59.507 resolver priming query complete
04-Oct-2021 09:26:16.119 network unreachable resolving '_.ru/A/IN': 2001:500:2f::f#53
04-Oct-2021 09:26:16.119 network unreachable resolving '_.ru/A/IN': 2001:500:12::d0d#53
04-Oct-2021 09:26:16.135 network unreachable resolving '_.comcor.ru/A/IN': 2001:678:15:0:193:232:142:17#53
04-Oct-2021 09:26:16.135 network unreachable resolving '_.comcor.ru/A/IN': 2001:678:18:0:194:190:124:17#53
04-Oct-2021 09:26:16.135 network unreachable resolving '_.comcor.ru/A/IN': 2001:678:17:0:193:232:128:6#53
04-Oct-2021 09:26:16.135 network unreachable resolving '_.comcor.ru/A/IN': 2001:678:16:0:194:85:252:62#53
04-Oct-2021 09:26:16.135 network unreachable resolving '_.comcor.ru/A/IN': 2001:678:14:0:193:232:156:17#53
04-Oct-2021 09:26:16.143 network unreachable resolving '_.lab.comcor.ru/A/IN': 2a02:290:0:2::5#53
04-Oct-2021 09:26:16.143 network unreachable resolving '_.lab.comcor.ru/A/IN': 2a02:290:0:1::4#53
04-Oct-2021 09:26:16.203 network unreachable resolving 'ns.lab.comcor.ru/AAAA/IN': 2001:678:17:0:193:232:128:6#53
04-Oct-2021 09:26:16.207 network unreachable resolving 'ns.lab.comcor.ru/AAAA/IN': 2001:678:18:0:194:190:124:17#53
04-Oct-2021 09:26:16.207 network unreachable resolving 'ns.lab.comcor.ru/AAAA/IN': 2001:678:16:0:194:85:252:62#53
04-Oct-2021 09:26:16.251 lame server resolving 'mail.lab.comcor.ru' (in 'lab.COMCOR.ru'?): 212.45.0.3#53
04-Oct-2021 09:26:16.335 network unreachable resolving 'ns.lab.comcor.ru/AAAA/IN': 2a02:290:0:2::5#53
04-Oct-2021 09:26:16.443 lame server resolving 'ns.lab.comcor.ru' (in 'lab.COMCOR.ru'?): 212.45.0.3#53
```
You also need to have broken IPv6 :-), it doesn't happen when I run `named -4`.
#### Edited ####
This is caused by the new dispatch code:
1. Start `named -p 5300 -g -c /dev/null`
2. Start `dnsperf -s 127.0.0.1 -p 5300 -D -d queryfile-example-10million-201202`
3. Press Ctrl-C
4. `named` doesn't stop:
```
$ eu-stack -p $(pidof named)
PID 275694 - process
TID 275694:
#0 0x00007f4b7bac9c61 clock_nanosleep@@GLIBC_2.17
#1 0x00007f4b7bacf443 __nanosleep
#2 0x00007f4b7bafa125 usleep
#3 0x00007f4b7c476f19 isc__taskmgr_destroy
#4 0x00007f4b7c45b994 isc_managers_destroy
#5 0x0000564d877b86cf destroy_managers
#6 0x0000564d877b86da cleanup
#7 0x0000564d877ba041 main
#8 0x00007f4b7ba2ad0a __libc_start_main
#9 0x0000564d877ae9ca _start
TID 275708:
#0 0x00007f4b7bb02116 epoll_wait
#1 0x00007f4b7be18b3f uv__io_poll
#2 0x00007f4b7be07714 uv_run
#3 0x00007f4b7c43c33e nm_thread
#4 0x00007f4b7c47ce50 isc__trampoline_run
#5 0x00007f4b7bbd1ea7 start_thread
#6 0x00007f4b7bb01def __clone
TID 275709:
#0 0x00007f4b7bbd8ad8 pthread_cond_timedwait@@GLIBC_2.3.2
#1 0x00007f4b7c44f081 isc_condition_waituntil
#2 0x00007f4b7c479dab run
#3 0x00007f4b7c47ce50 isc__trampoline_run
#4 0x00007f4b7bbd1ea7 start_thread
#5 0x00007f4b7bb01def __clone
TID 275710:
#0 0x00007f4b7bb02116 epoll_wait
#1 0x00007f4b7c46f6f2 netthread
#2 0x00007f4b7c47ce50 isc__trampoline_run
#3 0x00007f4b7bbd1ea7 start_thread
#4 0x00007f4b7bb01def __clone
```
+1 we are obviously missing a system test for this kind of scenario.

November 2021 (9.16.23, 9.16.23-S1, 9.17.20)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/2928
Coverity issues in the merged dispatch branch
2023-01-11T13:58:16Z
Ondřej Surý

```
** CID 339073: Error handling issues (CHECKED_RETURN)
/lib/dns/resolver.c: 4379 in fctx_doshutdown()
________________________________________________________________________________________________________
*** CID 339073: Error handling issues (CHECKED_RETURN)
/lib/dns/resolver.c: 4379 in fctx_doshutdown()
4373 */
4374 fctx_increference(fctx);
4375 fctx_cancelqueries(fctx, false, false);
4376 fctx_cleanup(fctx);
4377
4378 LOCK(&res->buckets[bucketnum].lock);
CID 339073: Error handling issues (CHECKED_RETURN)
Calling "fctx_decreference" without checking return value (as is done elsewhere 6 out of 7 times).
4379 fctx_decreference(fctx);
4380
4381 FCTX_ATTR_SET(fctx, FCTX_ATTR_SHUTTINGDOWN);
4382
4383 INSIST(fctx->state == fetchstate_active ||
4384 fctx->state == fetchstate_done);
```
```
** CID 339072: Error handling issues (CHECKED_RETURN)
/lib/dns/rpz.c: 2247 in rpz_detach()
________________________________________________________________________________________________________
*** CID 339072: Error handling issues (CHECKED_RETURN)
/lib/dns/rpz.c: 2247 in rpz_detach()
2241 false);
2242 }
2243 dns_db_detach(&rpz->updb);
2244 }
2245 }
2246
CID 339072: Error handling issues (CHECKED_RETURN)
Calling "isc_timer_reset" without checking return value (as is done elsewhere 9 out of 10 times).
2247 isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL,
2248 NULL, true);
2249 isc_timer_detach(&rpz->updatetimer);
2250
2251 isc_ht_destroy(&rpz->nodes);
2252
```
```
** CID 339071: (USE_AFTER_FREE)
/lib/dns/resolver.c: 2846 in resquery_connected()
/lib/dns/resolver.c: 2846 in resquery_connected()
/lib/dns/resolver.c: 2846 in resquery_connected()
/lib/dns/resolver.c: 2846 in resquery_connected()
________________________________________________________________________________________________________
*** CID 339071: (USE_AFTER_FREE)
/lib/dns/resolver.c: 2846 in resquery_connected()
2840 fctx_cancelquery(query, NULL, false, false);
2841 fctx_done(fctx, eresult, __LINE__);
2842 break;
2843 }
2844
2845 detach:
CID 339071: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
2846 resquery_detach(&query);
2847 }
2848
2849 static void
2850 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2851 fetchctx_t *fctx;
/lib/dns/resolver.c: 2846 in resquery_connected()
2840 fctx_cancelquery(query, NULL, false, false);
2841 fctx_done(fctx, eresult, __LINE__);
2842 break;
2843 }
2844
2845 detach:
CID 339071: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
2846 resquery_detach(&query);
2847 }
2848
2849 static void
2850 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2851 fetchctx_t *fctx;
/lib/dns/resolver.c: 2846 in resquery_connected()
2840 fctx_cancelquery(query, NULL, false, false);
2841 fctx_done(fctx, eresult, __LINE__);
2842 break;
2843 }
2844
2845 detach:
CID 339071: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
2846 resquery_detach(&query);
2847 }
2848
2849 static void
2850 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2851 fetchctx_t *fctx;
/lib/dns/resolver.c: 2846 in resquery_connected()
2840 fctx_cancelquery(query, NULL, false, false);
2841 fctx_done(fctx, eresult, __LINE__);
2842 break;
2843 }
2844
2845 detach:
CID 339071: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
2846 resquery_detach(&query);
2847 }
2848
2849 static void
2850 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2851 fetchctx_t *fctx;
```
```
** CID 339070: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 339070: Memory - corruptions (USE_AFTER_FREE)
/lib/dns/request.c: 920 in request_cancel()
914
915 request->flags |= DNS_REQUEST_F_CANCELED;
916 request->flags &= ~DNS_REQUEST_F_CONNECTING;
917
918 if (request->dispentry != NULL) {
919 dns_dispatch_cancel(request->dispentry);
CID 339070: Memory - corruptions (USE_AFTER_FREE)
Calling "dns_dispatch_removeresponse" frees pointer "request->dispentry" which has already been freed.
920 dns_dispatch_removeresponse(&request->dispentry);
921 }
922
923 dns_dispatch_detach(&request->dispatch);
924 }
925 }
```
```
** CID 339069: (USE_AFTER_FREE)
/lib/dns/resolver.c: 1776 in resquery_senddone()
/lib/dns/resolver.c: 1776 in resquery_senddone()
________________________________________________________________________________________________________
*** CID 339069: (USE_AFTER_FREE)
/lib/dns/resolver.c: 1776 in resquery_senddone()
1770 fctx_cancelquery(query, NULL, false, false);
1771 fctx_done(fctx, eresult, __LINE__);
1772 break;
1773 }
1774
1775 detach:
CID 339069: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
1776 resquery_detach(&query);
1777 }
1778
1779 static inline isc_result_t
1780 fctx_addopt(dns_message_t *message, unsigned int version, uint16_t udpsize,
1781 dns_ednsopt_t *ednsopts, size_t count) {
/lib/dns/resolver.c: 1776 in resquery_senddone()
1770 fctx_cancelquery(query, NULL, false, false);
1771 fctx_done(fctx, eresult, __LINE__);
1772 break;
1773 }
1774
1775 detach:
CID 339069: (USE_AFTER_FREE)
Calling "resquery_detach" frees pointer "query" which has already been freed.
1776 resquery_detach(&query);
1777 }
1778
1779 static inline isc_result_t
1780 fctx_addopt(dns_message_t *message, unsigned int version, uint16_t udpsize,
1781 dns_ednsopt_t *ednsopts, size_t count) {
```
```
** CID 339068: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 339068: Memory - corruptions (USE_AFTER_FREE)
/lib/dns/resolver.c: 1397 in fctx_cancelquery()
1391 /*
1392 * Check for any outstanding dispatch responses and if they
1393 * exist, cancel them.
1394 */
1395 if (query->dispentry != NULL) {
1396 dns_dispatch_cancel(query->dispentry);
CID 339068: Memory - corruptions (USE_AFTER_FREE)
Calling "dns_dispatch_removeresponse" frees pointer "query->dispentry" which has already been freed.
1397 dns_dispatch_removeresponse(&query->dispentry);
1398 }
1399
1400 if (ISC_LINK_LINKED(query, link)) {
1401 ISC_LIST_UNLINK(fctx->queries, query, link);
1402 }
```

January 2023 (9.16.37, 9.16.37-S1, 9.18.11, 9.18.11-S1, 9.19.9)
Evan Hunt

https://gitlab.isc.org/isc-projects/kea/-/issues/2120
Fix TSIG key hierarchy
2021-12-09T15:46:06Z
Francis Dupont

Contexts depend on key classes so the hierarchy should be: key1 -> context -> key2 with the context factory in the key2 class.

kea2.1.0
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/2929
Replace more "master" and "slave" keywords
2021-10-27T11:25:17Z
Peter Davies

The following error message from the ```rndc freeze``` command:
```rndc: 'freeze' failed: not master```
It may be preferable to use the term ```primary```.
There are other instances in code and in the rndc man page.

November 2021 (9.16.23, 9.16.23-S1, 9.17.20)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2930
Remove support for the "map" zone file format
2021-10-04T10:57:58Z
Michał Kępień

The `masterfile-format map;` option has already been [deprecated][1] in
9.16/9.17. This issue is for dropping the "map" zone file format
altogether in 9.19+. See #2882 for the rationale.
[1]: #2882

BIND 9.19.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/2931
Dynamically added CDS is deleted on signing
2022-08-15T15:26:03Z
JP Mens

### Summary
When a CDS record is dynamically added to a zone, BIND deletes it when it next signs the zone. The reason for my wanting to add a CDS "manually" is in order to test [CDS Delete](https://datatracker.ietf.org/doc/html/rfc8078#section-4).
### BIND version used
```
BIND 9.17.18 (Development Release) <id:1af9d8d>
running on Darwin x86_64 19.6.0 Darwin Kernel Version 19.6.0: Thu Sep 16 20:58:47 PDT 2021; root:xnu-6153.141.40.1~1/RELEASE_X86_64
built by make with '--prefix=/usr/local/bind9git' '--with-libxml2' '--with-json-c' '--with-openssl=/usr/local/Cellar/openssl@1.1/1.1.1i/' 'LDFLAGS=-L/usr/local/Cellar/openssl@1.1/1.1.1i/lib/' 'CPPFLAGS=-I/usr/local/Cellar/openssl@1.1/1.1.1i/include/' 'PYTHON=/usr/local/bin/python3.9'
compiled by CLANG Apple LLVM 12.0.0 (clang-1200.0.32.29)
compiled with OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1i 8 Dec 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libnghttp2 version: 1.42.0
linked to libnghttp2 version: 1.42.0
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/bind9git/etc/named.conf
rndc configuration: /usr/local/bind9git/etc/rndc.conf
DNSSEC root key: /usr/local/bind9git/etc/bind.keys
nsupdate session key: /usr/local/bind9git/var/run/named/session.key
named PID file: /usr/local/bind9git/var/run/named/named.pid
named lock file: /usr/local/bind9git/var/run/named/named.lock
```
### Steps to reproduce
1. Use `dnssec-settime` to set CDS publication time
```
$ dnssec-settime -P sync now Ktcp.aa.+013+41706.
```
2. Sign the zone
```
$ rndc sign tcp.aa
```
```
05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
```
3. Remove the BIND-generated CDS and sign the zone
```
$ dnssec-settime -D sync now Ktcp.aa.+013+41706.
$ rndc sign tcp.aa
```
```
05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
```
4. Manually add a Delete CDS and initiate signing
```
$ nsupdate -k jp.tsig <<E
> server ::1
> zone tcp.aa.
> ttl 61
> add tcp.aa. CDS 0 0 0 00
> send
E
$ rndc sign tcp.aa
```
5. Observe console
```
05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted
```
If I remove the SyncDelete setting with `dnssec-settime -D sync none Ktcp.aa.+013+41706.` and try to update the zone dynamically with the Delete CDS, the update fails with a `REFUSED`, and the console logs:
```
05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 15:37:12.604 client @0x10cb1e168 ::1#59312/key jp: updating zone 'tcp.aa/IN': update rejected: bad CDS RRset
```
### What is the current *bug* behavior?
The manually added `CDS` record is removed from the zone.
### What is the expected *correct* behavior?
I would expect the CDS to happily continue to exist in the zone and be signed.
### Relevant configuration files
```
zone "tcp.aa" in {
type primary;
file "master/tcp.aa/tcp.aa";
key-directory "/var/named/master/tcp.aa";
auto-dnssec maintain;
update-policy {
grant "jp" zonesub ANY;
};
};
```
### Relevant logs and/or screenshots
```
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: loaded serial 1
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: sending notifies (serial 1)
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:11:05.511 all zones loaded
05-Oct-2021 10:11:05.511 running
05-Oct-2021 10:11:05.511 zone tcp.aa/IN: next key event: 05-Oct-2021 11:11:05.511
05-Oct-2021 10:11:05.540 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:11:05.556 resolver priming query complete
05-Oct-2021 10:12:16.966 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:16.966 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:16.967 Fetching tcp.aa/ECDSAP256SHA256/41706 (ZSK) from key repository.
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now published
05-Oct-2021 10:12:16.967 DNSKEY tcp.aa/ECDSAP256SHA256/41706 (ZSK) is now active
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:16.966
05-Oct-2021 10:12:16.968 zone tcp.aa/IN: sending notifies (serial 2)
05-Oct-2021 10:12:21.969 zone tcp.aa/IN: sending notifies (serial 3)
05-Oct-2021 10:12:50.430 received control channel command 'sign tcp.aa'
05-Oct-2021 10:12:50.430 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:12:50.431 CDS for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.431 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now published
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: next key event: 05-Oct-2021 11:12:50.430
05-Oct-2021 10:12:50.432 zone tcp.aa/IN: sending notifies (serial 4)
05-Oct-2021 10:13:09.058 client @0x11307c168 ::1#60208 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:14:18.870 received control channel command 'reconfig'
05-Oct-2021 10:14:18.870 loading configuration from '/usr/local/etc/named-cds.conf'
05-Oct-2021 10:14:18.870 unable to open '/usr/local/bind9git/etc/bind.keys'; using built-in keys instead
05-Oct-2021 10:14:18.870 max open files (10240) is smaller than max sockets (21000)
05-Oct-2021 10:14:18.870 using default UDP/IPv4 port range: [49152, 65535]
05-Oct-2021 10:14:18.870 using default UDP/IPv6 port range: [49152, 65535]
05-Oct-2021 10:14:18.871 sizing zone task pool based on 1 zones
05-Oct-2021 10:14:18.872 using built-in root key for view _default
05-Oct-2021 10:14:18.873 not using config file logging statement for logging due to -g option
05-Oct-2021 10:14:18.873 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:14:18.873 reloading configuration succeeded
05-Oct-2021 10:14:18.874 zone tcp.aa/IN: next key event: 05-Oct-2021 11:14:18.873
05-Oct-2021 10:14:18.874 scheduled loading new zones
05-Oct-2021 10:14:18.874 any newly configured zones are now loaded
05-Oct-2021 10:14:18.874 running
05-Oct-2021 10:14:18.888 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
05-Oct-2021 10:15:05.413 client @0x113257168 ::1#60312/key jp: updating zone 'tcp.aa/IN': update failed: update RR is outside zone (NOTZONE)
05-Oct-2021 10:15:14.306 client @0x11326f168 ::1#60312/key jp: updating zone 'tcp.aa/IN': adding an RR at 'a.tcp.aa' A 1.1.1.1
05-Oct-2021 10:15:14.308 zone tcp.aa/IN: sending notifies (serial 5)
05-Oct-2021 10:15:23.646 client @0x112a53168 ::1#49444 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:15:27.533 client @0x113295168 ::1#49446 (a.tcp.aa): query: a.tcp.aa IN A +E(0)K (::1)
05-Oct-2021 10:15:49.902 received control channel command 'sign tcp.aa'
05-Oct-2021 10:15:49.902 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:15:49.903 CDS (SHA-256) for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.903 CDNSKEY for key tcp.aa/ECDSAP256SHA256/41706 is now deleted
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: next key event: 05-Oct-2021 11:15:49.902
05-Oct-2021 10:15:49.904 zone tcp.aa/IN: sending notifies (serial 6)
05-Oct-2021 10:15:56.252 client @0x1132bc168 ::1#49448 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:16:46.347 client @0x113257168 ::1#53009/key jp: updating zone 'tcp.aa/IN': adding an RR at 'tcp.aa' CDS 0 0 0 00
05-Oct-2021 10:16:46.349 zone tcp.aa/IN: sending notifies (serial 7)
05-Oct-2021 10:16:57.813 client @0x113257168 ::1#60572 (tcp.aa): query: tcp.aa IN CDS +E(0)K (::1)
05-Oct-2021 10:17:03.549 received control channel command 'sign tcp.aa'
05-Oct-2021 10:17:03.549 zone tcp.aa/IN: reconfiguring zone keys
05-Oct-2021 10:17:03.550 CDS (DELETE) for zone tcp.aa is now deleted
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: next key event: 05-Oct-2021 11:17:03.549
05-Oct-2021 10:17:03.551 zone tcp.aa/IN: sending notifies (serial 8)
```
### Related
These issues are possibly related:
- [Allow for arbitrary CDS/CDNSKEY records to be published](https://gitlab.isc.org/isc-projects/bind9/-/issues/2710)
- [Simplify adding CDS and CDNSKEY deletion records to a inline zone](https://gitlab.isc.org/isc-projects/bind9/-/issues/1634)

May 2022 (9.16.29, 9.16.29-S1, 9.18.3, 9.19.1)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2932
TSAN reports indicating reference counting issues with dispatch@netmgr
2021-11-02T15:39:31Z
Michał Kępień

In the following GitLab CI job, previously unseen TSAN reports have been
generated during the `fetchlimit` system test:
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2020086
If I am reading these reports correctly, it seems that a fetch context
is simultaneously being destroyed and started, which does not look quite
right. It needs a look from @each and/or @ondrej, though, as I may be
misinterpreting these reports.
<details>
<summary>Click here to expand/fold TSAN reports</summary>
### Report 1 (for `fctx->altfinds`)
```
WARNING: ThreadSanitizer: data race
Write of size 8 at 0x000000000001 by thread T1:
#0 sort_finds lib/dns/resolver.c:3178
#1 fctx_getaddresses lib/dns/resolver.c:3633
#2 fctx_try lib/dns/resolver.c:3912
#3 fctx_start lib/dns/resolver.c:4471
#4 task_run lib/isc/task.c:827
#5 isc_task_run lib/isc/task.c:907
#6 isc__nm_async_task netmgr/netmgr.c:827
#7 process_netievent netmgr/netmgr.c:906
#8 process_queue netmgr/netmgr.c:998
#9 process_all_queues netmgr/netmgr.c:746
#10 async_cb netmgr/netmgr.c:775
#11 <null> <null>
#12 isc__trampoline_run lib/isc/trampoline.c:185
#13 <null> <null>
Previous read of size 8 at 0x000000000001 by thread T2 (mutexes: write M1):
#0 fctx_decreference lib/dns/resolver.c:6881
#1 dns_resolver_destroyfetch lib/dns/resolver.c:10604
#2 fetch_callback lib/ns/query.c:6253
#3 task_run lib/isc/task.c:827
#4 isc_task_run lib/isc/task.c:907
#5 isc__nm_async_task netmgr/netmgr.c:827
#6 process_netievent netmgr/netmgr.c:906
#7 process_queue netmgr/netmgr.c:998
#8 process_all_queues netmgr/netmgr.c:746
#9 async_cb netmgr/netmgr.c:775
#10 <null> <null>
#11 isc__trampoline_run lib/isc/trampoline.c:185
#12 <null> <null>
Location is heap block of size 3728 at 0x000000000017 allocated by thread T2:
#0 malloc <null>
#1 mallocx lib/isc/jemalloc_shim.h:30
#2 mem_get lib/isc/mem.c:341
#3 isc__mem_get lib/isc/mem.c:754
#4 fctx_create lib/dns/resolver.c:4574
#5 dns_resolver_createfetch lib/dns/resolver.c:10463
#6 ns_query_recurse lib/ns/query.c:6455
#7 query_delegation_recurse lib/ns/query.c:8924
#8 query_delegation lib/ns/query.c:8870
#9 query_gotanswer lib/ns/query.c:7607
#10 query_lookup lib/ns/query.c:5989
#11 ns__query_start lib/ns/query.c:5631
#12 query_setup lib/ns/query.c:5344
#13 ns_query_start lib/ns/query.c:12183
#14 ns__client_request lib/ns/client.c:2153
#15 isc__nm_async_readcb netmgr/netmgr.c:2748
#16 isc__nm_readcb netmgr/netmgr.c:2721
#17 udp_recv_cb netmgr/udp.c:418
#18 <null> <null>
#19 isc__trampoline_run lib/isc/trampoline.c:185
#20 <null> <null>
Mutex M1 (0x000000000035) created at:
#0 pthread_mutex_init <null>
#1 isc__mutex_init lib/isc/mutex.c:288
#2 dns_resolver_create lib/dns/resolver.c:9915
#3 dns_view_createresolver lib/dns/view.c:819
#4 configure_view bin/named/server.c:4714
#5 load_configuration bin/named/server.c:9199
#6 loadconfig bin/named/server.c:10380
#7 named_server_reconfigcommand bin/named/server.c:10777
#8 named_control_docommand bin/named/control.c:248
#9 control_command bin/named/controlconf.c:392
#10 task_run lib/isc/task.c:827
#11 isc_task_run lib/isc/task.c:907
#12 isc__nm_async_task netmgr/netmgr.c:827
#13 process_netievent netmgr/netmgr.c:906
#14 process_queue netmgr/netmgr.c:998
#15 process_all_queues netmgr/netmgr.c:746
#16 async_cb netmgr/netmgr.c:775
#17 <null> <null>
#18 isc__trampoline_run lib/isc/trampoline.c:185
#19 <null> <null>
Thread T1 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:79
#2 isc__netmgr_create netmgr/netmgr.c:321
#3 isc_managers_create lib/isc/managers.c:39
#4 create_managers bin/named/main.c:927
#5 setup bin/named/main.c:1200
#6 main bin/named/main.c:1472
Thread T2 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:79
#2 isc__netmgr_create netmgr/netmgr.c:321
#3 isc_managers_create lib/isc/managers.c:39
#4 create_managers bin/named/main.c:927
#5 setup bin/named/main.c:1200
#6 main bin/named/main.c:1472
SUMMARY: ThreadSanitizer: data race lib/dns/resolver.c:3178 in sort_finds
```
### Report 2 (for `fctx->finds`)
```
WARNING: ThreadSanitizer: data race
Write of size 8 at 0x000000000001 by thread T1:
#0 findname lib/dns/resolver.c:3257
#1 fctx_getaddresses lib/dns/resolver.c:3522
#2 fctx_try lib/dns/resolver.c:3912
#3 fctx_start lib/dns/resolver.c:4471
#4 task_run lib/isc/task.c:827
#5 isc_task_run lib/isc/task.c:907
#6 isc__nm_async_task netmgr/netmgr.c:827
#7 process_netievent netmgr/netmgr.c:906
#8 process_queue netmgr/netmgr.c:998
#9 process_all_queues netmgr/netmgr.c:746
#10 async_cb netmgr/netmgr.c:775
#11 <null> <null>
#12 isc__trampoline_run lib/isc/trampoline.c:185
#13 <null> <null>
Previous read of size 8 at 0x000000000001 by thread T2 (mutexes: write M1):
#0 fctx_decreference lib/dns/resolver.c:6880
#1 dns_resolver_destroyfetch lib/dns/resolver.c:10604
#2 fetch_callback lib/ns/query.c:6253
#3 task_run lib/isc/task.c:827
#4 isc_task_run lib/isc/task.c:907
#5 isc__nm_async_task netmgr/netmgr.c:827
#6 process_netievent netmgr/netmgr.c:906
#7 process_queue netmgr/netmgr.c:998
#8 process_all_queues netmgr/netmgr.c:746
#9 async_cb netmgr/netmgr.c:775
#10 <null> <null>
#11 isc__trampoline_run lib/isc/trampoline.c:185
#12 <null> <null>
Location is heap block of size 3728 at 0x000000000017 allocated by thread T2:
#0 malloc <null>
#1 mallocx lib/isc/jemalloc_shim.h:30
#2 mem_get lib/isc/mem.c:341
#3 isc__mem_get lib/isc/mem.c:754
#4 fctx_create lib/dns/resolver.c:4574
#5 dns_resolver_createfetch lib/dns/resolver.c:10463
#6 ns_query_recurse lib/ns/query.c:6455
#7 query_delegation_recurse lib/ns/query.c:8924
#8 query_delegation lib/ns/query.c:8870
#9 query_gotanswer lib/ns/query.c:7607
#10 query_lookup lib/ns/query.c:5989
#11 ns__query_start lib/ns/query.c:5631
#12 query_setup lib/ns/query.c:5344
#13 ns_query_start lib/ns/query.c:12183
#14 ns__client_request lib/ns/client.c:2153
#15 isc__nm_async_readcb netmgr/netmgr.c:2748
#16 isc__nm_readcb netmgr/netmgr.c:2721
#17 udp_recv_cb netmgr/udp.c:418
#18 <null> <null>
#19 isc__trampoline_run lib/isc/trampoline.c:185
#20 <null> <null>
Mutex M1 (0x000000000035) created at:
#0 pthread_mutex_init <null>
#1 isc__mutex_init lib/isc/mutex.c:288
#2 dns_resolver_create lib/dns/resolver.c:9915
#3 dns_view_createresolver lib/dns/view.c:819
#4 configure_view bin/named/server.c:4714
#5 load_configuration bin/named/server.c:9199
#6 loadconfig bin/named/server.c:10380
#7 named_server_reconfigcommand bin/named/server.c:10777
#8 named_control_docommand bin/named/control.c:248
#9 control_command bin/named/controlconf.c:392
#10 task_run lib/isc/task.c:827
#11 isc_task_run lib/isc/task.c:907
#12 isc__nm_async_task netmgr/netmgr.c:827
#13 process_netievent netmgr/netmgr.c:906
#14 process_queue netmgr/netmgr.c:998
#15 process_all_queues netmgr/netmgr.c:746
#16 async_cb netmgr/netmgr.c:775
#17 <null> <null>
#18 isc__trampoline_run lib/isc/trampoline.c:185
#19 <null> <null>
Thread T1 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:79
#2 isc__netmgr_create netmgr/netmgr.c:321
#3 isc_managers_create lib/isc/managers.c:39
#4 create_managers bin/named/main.c:927
#5 setup bin/named/main.c:1200
#6 main bin/named/main.c:1472
Thread T2 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:79
#2 isc__netmgr_create netmgr/netmgr.c:321
#3 isc_managers_create lib/isc/managers.c:39
#4 create_managers bin/named/main.c:927
#5 setup bin/named/main.c:1200
#6 main bin/named/main.c:1472
SUMMARY: ThreadSanitizer: data race lib/dns/resolver.c:3257 in findname
```
</details>

November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/bind9/-/issues/2933
Bump the LLVM/clang version to 13.0
2021-10-27T11:13:14Z
Ondřej Surý

The LLVM/clang 13.0 has been released and it fixes some `clang-format` issues that I've been seeing with `clang-format-12`. This needs to be done post-release.

November 2021 (9.16.23, 9.16.23-S1, 9.17.20)

https://gitlab.isc.org/isc-projects/kea/-/issues/2122
Update d2/d2srv developer doc
2021-12-09T15:46:04Z
Francis Dupont

Some code was moved from src/bin/d2 to src/lib/d2srv. This is now finished but the dev doc (src/bin/d2/d2.dox) needs to be updated to reflect file moves.
- [x] update d2.dox
- [x] update gss_tsig.dox

kea2.1.2
Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2124
Add GSS-TSIG hook statistics
2021-12-09T15:46:05Z
Francis Dupont

See https://gitlab.isc.org/isc-projects/kea/-/issues/1926#note_240026 for a proposal.

kea2.1.0
Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/2125
Add a fallback to GSS-TSIG select_key
2021-12-09T15:46:05Z
Francis Dupont

Currently when GSS-TSIG is enabled for the DNS server but no GSS-TSIG key is available to select_key gets a SKIP status and the next DNS server is tried. The idea is to add a knob which allows when configured to fall back to the D2 TSIG key or unsecure in this case.
If there is no better proposal the name of the knob will be 'fallback' (both toplevel and per server).

kea2.1.0
Francis Dupont

https://gitlab.isc.org/isc-projects/stork/-/issues/590
0.21.0 release
2021-10-06T07:49:55Z
Andrei Pavel <andrei@isc.org>

0.21

https://gitlab.isc.org/isc-projects/bind9/-/issues/2934
CID 339111: Memory - corruptions (USE_AFTER_FREE)
2021-10-11T13:05:43Z
Mark Andrews

```
*** CID 339111: Memory - corruptions (USE_AFTER_FREE)
/lib/dns/dispatch.c: 1533 in dns_dispatch_cancel()
1527 } else if (resp->response != NULL) {
1528 resp->response(ISC_R_CANCELED, NULL, resp->arg);
1529 }
1530 }
1531
1532 done:
CID 339111: Memory - corruptions (USE_AFTER_FREE)
Calling "dns_dispatch_done" frees pointer "*respp" which has already been freed.
1533 dns_dispatch_done(respp);
1534 }
1535
1536 void
1537 dns_dispatch_done(dns_dispentry_t **respp) {
1538 dns_dispatchmgr_t *mgr = NULL;
```

October 2021 (9.11.36, 9.11.36-S1, 9.16.22, 9.16.22-S1, 9.17.19)
Mark Andrews