ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2021-10-07T09:51:20Z

kea-admin alpine 3.11 wrong admin-utils.sh and scripts path / packaging error
https://gitlab.isc.org/isc-projects/kea/-/issues/1668
Updated: 2021-10-07T09:51:20Z
Author: Jordie

**Describe the bug**
On the alpine linux (v3.11) latest stable version (1.8.2) distributed via Cloudsmith the path to the database scripts and the `admin-utils.sh` file are wrong. According to the script the path of these files should be under `/usr/share/kea/scripts` but the package has these files actually located under `/usr/share/kea/kea/scripts`. This looks to be a packaging error. The package for alpine 3.10 is correct, but for alpine 3.11 it is not.
The contents of the isc-kea-admin package can be seen without installing here: https://cloudsmith.io/~isc/repos/kea-1-8/packages/detail/alpine/isc-kea-admin/1.8.2-risc0001520201206093433/a=noarch;d=alpine%252Fv3.11/#files
**To Reproduce**
Steps to reproduce the behavior:
1. On alpine linux version 3.11, install the repository
2. Install `isc-kea-admin`
3. Run `kea-admin` to read or modify a database
4. See an error: (this is the error when trying to initialize a mysql database, but this issue will be present for almost any command as `admin-utils.sh` is not included properly)
```
/usr/sbin/kea-admin: line 218: mysql_execute: not found
ERROR/kea-admin: mysql_init table query failed, mysql status = 127
```
**Environment:**
- Kea version: 1.8.2
- OS: alpine linux v3.11 (amd64 / x86_64)
- installed from official cloudsmith repository
**Workaround**
```sh
mv /usr/share/kea/kea/* /usr/share/kea/
```

Milestone: kea2.1.0
Assignee: Wlodzimierz Wencel

BIND 9.16 unit tests failing reliably on x86_64 NUMA machines
https://gitlab.isc.org/isc-projects/bind9/-/issues/2396
Updated: 2021-10-07T09:42:24Z
Author: Petr Menšík

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
Some libisc unit tests are reliably failing on 9.16.10 build
### BIND version used
(Paste the output of `named -V`.)
```
BIND 9.16.10-RedHat-9.16.10-2.fc34 (Stable Release) <id:fac8def>
running on Linux x86_64 5.11.0-0.rc2.20210108gitf5e6c330254a.119.fc34.x86_64 #1 SMP Fri Jan 8 16:28:08 UTC 2021
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=yes' '--without-libjson' '--with-json-c' '--enable-dnstap' '--with-cmocka' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.0.0 20210113 (Red Hat 11.0.0-0)
compiled with OpenSSL version: OpenSSL 1.1.1i FIPS 8 Dec 2020
linked to OpenSSL version: OpenSSL 1.1.1i FIPS 8 Dec 2020
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.4.3
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
Run unit tests on a NUMA machine with 40+ processors.
### What is the current *bug* behavior?
A few lib/isc tests end with signal 6.
```
gdb .libs/lt-buffer_test
(gdb) run
(gdb) bt
#0 0x00007ffff7da0272 in raise () from /lib64/libc.so.6
#1 0x00007ffff7d898a4 in abort () from /lib64/libc.so.6
#2 0x00007ffff7f5f1a5 in isc_assertion_failed (file=file@entry=0x7ffff7fa60ea "../../../lib/isc/hp.c", line=line@entry=88,
type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7ffff7fa60ce "tid_v < isc__hp_max_threads")
at ../../../lib/isc/assertions.c:47
#3 0x00007ffff7f6363d in tid () at ../../../lib/isc/hp.c:85
#4 tid () at ../../../lib/isc/hp.c:85
#5 isc_hp_protect (hp=0x55555db5adb8, ihp=<optimized out>, atom=0x555558f9ef80) at ../../../lib/isc/hp.c:167
#6 0x00007ffff7f8036c in isc_queue_dequeue (queue=<optimized out>) at ../../../lib/isc/queue.c:181
#7 isc_queue_dequeue (queue=queue@entry=0x555558f9ef80) at ../../../lib/isc/queue.c:173
#8 0x00007ffff7f84e90 in process_queue (worker=worker@entry=0x5555555744c0, queue=0x555558f9ef80)
at netmgr/../../../../lib/isc/netmgr/netmgr.c:606
#9 0x00007ffff7f8567b in process_priority_queue (worker=0x5555555744c0) at netmgr/../../../../lib/isc/netmgr/netmgr.c:585
#10 process_queues (worker=0x5555555744c0) at netmgr/../../../../lib/isc/netmgr/netmgr.c:595
#11 async_cb (handle=<optimized out>) at netmgr/../../../../lib/isc/netmgr/netmgr.c:556
#12 0x00007ffff7a3bffd in uv__async_io (loop=0x5555555744d0, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163
#13 0x00007ffff7a54ac3 in uv__io_poll (loop=0x5555555744d0, timeout=<optimized out>) at src/unix/linux-core.c:462
#14 0x00007ffff7a44794 in uv_run (loop=loop@entry=0x5555555744d0, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:385
#15 0x00007ffff7f852f9 in nm_thread (worker0=0x5555555744c0) at netmgr/../../../../lib/isc/netmgr/netmgr.c:496
#16 0x00007ffff786a269 in start_thread () from /lib64/libpthread.so.0
#17 0x00007ffff7e64143 in clone () from /lib64/libc.so.6
(gdb) frame 2
#2 0x00007ffff7f5f1a5 in isc_assertion_failed (file=file@entry=0x7ffff7fa60ea "../../../lib/isc/hp.c", line=line@entry=88,
type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7ffff7fa60ce "tid_v < isc__hp_max_threads")
at ../../../lib/isc/assertions.c:47
47 abort();
(gdb) p tid_v
$1 = 145
(gdb) p isc__hp_max_threads
$2 = 128
```
### What is the expected *correct* behavior?
It should pass, just like on older
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
Fails often on BIND build on Fedora infrastructure.
https://kojipkgs.fedoraproject.org//work/tasks/3832/59983832/build.log
https://koji.fedoraproject.org/koji/taskinfo?taskID=59983579
```
22/28 passed (6 failed)
===> Broken tests
buffer_test:main -> broken: Received signal 6 [3.586s]
mem_test:main -> broken: Received signal 6 [6.796s]
pool_test:main -> broken: Received signal 6 [3.524s]
socket_test:main -> broken: Received signal 6 [3.409s]
task_test:main -> broken: Received signal 6 [15.954s]
taskpool_test:main -> broken: Received signal 6 [3.504s]
===> Summary
Results read from /root/.kyua/store/results.root_bind_bind-9.16.10_build_lib_isc_tests.20210119-125008-906997.db
Test cases: 28 total, 0 skipped, 0 expected failures, 6 broken, 0 failed
Total time: 62.697s
R:FAIL:status:1
E:unit:Tue Jan 19 07:51:12 AM EST 2021
```
```
# tail -30 /proc/cpuinfo
power management:
processor : 55
vendor_id : GenuineIntel
cpu family : 6
model : 63
model name : Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz
stepping : 2
microcode : 0x2d
cpu MHz : 2400.000
cache size : 35840 KB
physical id : 1
siblings : 28
core id : 14
cpu cores : 14
apicid : 61
initial apicid : 61
fpu : yes
fpu_exception : yes
cpuid level : 15
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm abm cpuid_fault epb invpcid_single pti intel_ppin tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid cqm xsaveopt cqm_llc cqm_occup_llc dtherm ida arat pln pts
vmx flags : vnmi preemption_timer posted_intr invvpid ept_x_only ept_ad ept_1gb flexpriority apicv tsc_offset vtpr mtf vapic ept vpid unrestricted_guest vapic_reg vid ple shadow_vmcs
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit
bogomips : 5187.78
clflush size : 64
cache_alignment : 64
address sizes : 46 bits physical, 48 bits virtual
power management:
```
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

Milestone: March 2021 (9.11.29, 9.11.29-S1, 9.16.13, 9.16.13-S1, 9.17.11)
Assignee: Ondřej Surý

Revisit the DNS Flag Day 2020 documentation and release notes for 9.18.0
https://gitlab.isc.org/isc-projects/bind9/-/issues/2206
Updated: 2021-10-07T08:41:45Z
Author: Ondřej Surý

Make isc_results static
https://gitlab.isc.org/isc-projects/bind9/-/issues/719
Updated: 2021-10-07T06:48:12Z
Author: Witold Krecicki

Currently there's a dynamic list of results handled by lib/isc/result.c, and e.g. isc_result_totext requires a lock.
Since we don't have any external users now, and nobody will be adding any results from the outside, we can move all the result codes from libdns, ns, isccfg, etc. to libisc - and make the list static.

Milestone: October 2021 (9.11.36, 9.11.36-S1, 9.16.22, 9.16.22-S1, 9.17.19)

TLS protocol Statement Grammar may be incorrect
https://gitlab.isc.org/isc-projects/bind9/-/issues/2939
Updated: 2021-10-07T04:58:15Z
Author: kalfeher

### Summary
The documentation for the tls `protocols` statement indicates placing the protocol between curly braces, however this results in the following error with both `named-checkconf` and when attempting an `rndc reconfig`:
`protocols { TLSv1.3; };`
```
/etc/opt/isc/scls/isc-bind/named.conf: 10:expected string near '{'
```
When quotes are used instead of brackets, there is no error.
`protocols "TLSv1.3";`
### BIND version used
```
BIND 9.17.18 (Development Release) <id:019a476>
running on Linux x86_64 4.18.0-305.19.1.el8_4.x86_64 #1 SMP Wed Sep 15 15:39:39 UTC 2021
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr'
'--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin'
'--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind'
'--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include'
'--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec'
'--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib'
'--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info'
'--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2'
'--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/opt/isc/isc-bind/root/usr/lib64'
'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64'
'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig'
'SPHINX_BUILD=/builddir/build/BUILD/bind-9.17.18/sphinx/bin/sphinx-build'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
```
### Steps to reproduce
Using the statement grammar for the `protocols` option found here:
https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoH#tls-statement-grammar
for example the following protocols line in the tls statement will fail:
`protocols { TLSv1.3; };`
When quotes are used, no error is encountered:
`protocols "TLSv1.3";`
### What is the current *bug* behavior?
When `rndc reconfig` is run:
```
rndc: 'reconfig' failed: unexpected token
```
In bind logs the following entry is included:
`config: error: /etc/opt/isc/scls/isc-bind/named.conf:10: expected string near '{'`
Line 10 is where I have protocols configured.
### What is the expected *correct* behavior?
No errors and rndc reconfig succeeds.
### Relevant configuration files
Full TLS statement below:
```
tls resolver01 {
    cert-file "/etc/certificates/isc_bind/resolver01-cert.pem";
    key-file "/etc/certificates/isc_bind/resolver01.pem";
    hostname "resolver01.lab.home";
    protocols "TLSv1.3"; // This works as expected
    // protocols { TLSv1.3; }; // This fails.
};
```
### Possible fixes
Quoting appears to work fine, so updating the documentation may be an option. However it feels more idiomatic to support brackets.

Log Separation on Ubuntu 20.04
https://gitlab.isc.org/isc-projects/dhcp/-/issues/210
Updated: 2021-10-06T21:50:43Z
Author: Andy Jackson

So I'm trying to get the DHCPD logs sent to a separate file so we can track IP address assignments easier without all the system logs mixed in.
I changed /etc/dhcp/dhcpd.conf with:
log-facility local7;
I then changed /etc/rsyslog.d/50-default.conf with:
local7.* /var/log/dhcp/dhcp.log
I created the directory and file in the system, restarted the services and even tried rebooting the server, but none of the logs are being sent to the folder.

DIG defaults to A only rather than A+AAAA search
https://gitlab.isc.org/isc-projects/bind9/-/issues/2937
Updated: 2021-10-06T18:24:29Z
Author: Owen DeLong

### Summary
When using dig in the `dig <host>` form, only A records are searched. AAAA records are ignored.
### BIND version used
DiG 9.10.6
Also DiG 9.16.11-RedHat-9.16.11-5.fc34
### Steps to reproduce
dig split-pao1-64.e-r.fsi.io
or
dig split-pao1-6.e-r.fsi.io
### What is the current *bug* behavior?
Returns A record only in the first case.
Worse, returns NXDOMAIN in the second case.
### What is the expected *correct* behavior?
In the first case, should see A and AAAA records.
In the second case, should see AAAA record and not NXDOMAIN.
### Relevant configuration files
None... DIG is not configurable or at least does not require any configuration for this exercise.
### Relevant logs and/or screenshots
```
kiev:owen (129) ~ % dig split-pao1-64.e-r.fsi.io 2021/10/06 11:14:43
; <<>> DiG 9.10.6 <<>> split-pao1-64.e-r.fsi.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;split-pao1-64.e-r.fsi.io. IN A
;; ANSWER SECTION:
split-pao1-64.e-r.fsi.io. 2702 IN A 104.244.13.23
;; Query time: 79 msec
;; SERVER: 104.244.14.16#53(104.244.14.16)
;; WHEN: Wed Oct 06 11:14:55 PDT 2021
;; MSG SIZE rcvd: 69
0.001u 0.003s 0:00.08 0.0% 0+0k 0+0io 0pf+0w
; <<>> DiG 9.10.6 <<>> split-pao1-6.e-r.fsi.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;split-pao1-6.e-r.fsi.io. IN A
;; AUTHORITY SECTION:
fsi.io. 2657 IN SOA fsi.io. hostmaster.fsi.io. 2021100601 7200 3600 604800 3600
;; Query time: 76 msec
;; SERVER: 104.244.14.16#53(104.244.14.16)
;; WHEN: Wed Oct 06 11:14:43 PDT 2021
;; MSG SIZE rcvd: 99
0.001u 0.003s 0:00.08 0.0% 0+0k 0+0io 0pf+0w
```
### Possible fixes
In this day and age, I would expect any default search for name resolution to include both protocols. The fact that dig has not changed this default even now is surprising.

dockerized kea has reservations outside subnet
https://gitlab.isc.org/isc-projects/stork/-/issues/592
Updated: 2021-10-06T15:37:54Z
Author: Andrei Pavel <andrei@isc.org>

When authorizing a kea-dhcp6 machine with Kea 2.0.0 as backend:
```
stork-0-agent-kea6-1 | ERROR DHCP6_PARSER_FAIL failed to create or run parser for configuration element subnet6: specified reservation '3001:db8:1:cafe::1' is not within the IPv6 subnet '3001:db8:1::/64'
stork-0-agent-kea6-1 | 2021-10-06 13:35:13.617 ERROR [kea-dhcp6.dhcp6/81.139893512860800] DHCP6_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp6.conf, reason: specified reservation '3001:db8:1:cafe::1' is not within the IPv6 subnet '3001:db8:1::/64'
stork-0-agent-kea6-1 | 2021-10-06 13:35:13.617 ERROR [kea-dhcp6.dhcp6/81.139893512860800] DHCP6_INIT_FAIL failed to initialize Kea server: configuration error using file '/etc/kea/kea-dhcp6.conf': specified reservation '3001:db8:1:cafe::1' is not within the IPv6 subnet '3001:db8:1::/64'
```
Out-of-subnet reserved addresses are no longer supported since https://gitlab.isc.org/isc-projects/kea/-/issues/1254.

Milestone: 0.21
Assignee: Andrei Pavel <andrei@isc.org>

Revert the Kea 2.0 in Docker containers
https://gitlab.isc.org/isc-projects/stork/-/issues/593
Updated: 2021-10-06T15:13:43Z
Author: Slawek Figiel

kea accept out-of-subnet reservations
https://gitlab.isc.org/isc-projects/kea/-/issues/1254
Updated: 2021-10-06T14:50:38Z
Author: Wlodzimierz Wencel

This configuration is allowed by Kea:
```
{
  "id": 2,
  "interface": "enp0s8",
  "option-data": [
    {
      "code": 22,
      "data": "2001:db8::1,2001:db8::2",
      "name": "sip-server-addr",
      "space": "dhcp6"
    }
  ],
  "pools": [
    {
      "option-data": [
        {
          "code": 40,
          "data": "3000::66,3000::77",
          "name": "pana-agent",
          "space": "dhcp6"
        }
      ],
      "pool": "2001:db8:2::1-2001:db8:2::ffff:ffff:ffff:ffff"
    }
  ],
  "reservations": [
    {
      "hostname": "reserved-hostname",
      "hw-address": "00:0c:01:02:03:0a",
      "ip-addresses": [
        "3000:2::1"
      ]
    },
    {
      "hostname": "reserved-hostname",
      "hw-address": "00:0c:01:02:03:0b",
      "ip-addresses": [
        "3000:2::2"
      ]
    },
    {
      "hostname": "reserved-hostname",
      "hw-address": "00:0c:01:02:03:0c",
      "ip-addresses": [
        "3000:2::3"
      ]
    },
    {
      "hostname": "reserved-hostname",
      "hw-address": "00:0c:01:02:03:0d",
      "ip-addresses": [
        "3000:2::4"
      ]
    },
    {
      "hostname": "reserved-hostname",
      "hw-address": "00:0c:01:02:03:0e",
      "ip-addresses": [
        "3000:2::5"
      ]
    }
  ],
  "subnet": "2001:db8:2::/64"
}
```
and Kea assigns such out-of-subnet reservations. That leads to a problem if it's working in HA mode:
```
HA_LEASE_UPDATE_FAILED duid=[00:03:00:01:00:0c:01:02:03:08], tid=0xfa05: lease update to server2 (http://192.168.59.3:8000/) failed: The address 3000:1::4 does not b
elong to subnet 2001:db8:1::/64, subnet-id=1, error code 1
```
Related #158

Milestone: kea1.8.0
Assignee: Francis Dupont

0.21.0 release
https://gitlab.isc.org/isc-projects/stork/-/issues/590
Updated: 2021-10-06T07:49:55Z
Author: Andrei Pavel <andrei@isc.org>

Milestone: 0.21

stork-agent support for TLS in Kea
https://gitlab.isc.org/isc-projects/stork/-/issues/527
Updated: 2021-10-06T05:53:51Z
Author: Tomek Mrugalski

The recent Kea release 1.9.6 introduced the ability to use HTTPS, rather than HTTP connections in CA. This is expected to be a popular feature. We should extend stork-agent to be able to use that.

Milestone: 0.21
Assignee: Slawek Figiel

ddns-confgen needs to be tested post install
https://gitlab.isc.org/isc-projects/bind9/-/issues/2004
Updated: 2021-10-06T05:33:40Z
Author: Mark Andrews

ddns-confgen needs to be tested post install as libtool gets in the way of testing in the build tree.

Rebuild RBTDB while rehashing
https://gitlab.isc.org/isc-projects/bind9/-/issues/2153
Updated: 2021-10-05T15:35:42Z
Author: Brian Conry

@ondrej had an idea related to rebuilding the RBTDB while rehashing as a means of clearing out empty interior nodes.
This issue is a reminder.
Description to be updated and amended.

Milestone: BIND 9.19.x
Assignee: Ondřej Surý

Documentation suggestion for pkcs11-keygen, pkcs11-list ARM documentation
https://gitlab.isc.org/isc-projects/bind9/-/issues/2135
Updated: 2021-10-05T15:33:49Z
Author: Michael McNally

A customer who struggled with this a bit while trying to get our native pkcs11 implementation and its tools working, suggests (via their [Support ticket](https://support.isc.org/Ticket/Display.html?id=15826)) that it might help users of our provided tools if we were more explicit / clearer about when the slot must be specified with a -s command-line argument:
> With your permission, I would like to remark:
> In the [Bind ARM](https://ftp.isc.org/isc/bind9/cur/9.11/doc/arm/Bv9ARM.ch04.html#pkcs11) it would be better to note that when using pkcs11-list and pkcs11-keygen commands it may be needed to define the slot.
>
> otherwise the error..
> ```
> pkcs11-keygen -b 2048 -l sample-ksk
> Enter Pin:
> Unrecoverable error initializing PKCS#11: not found
>
> pkcs11-list -s 12129377564
> slot 12129377564
> Enter Pin:
> object[0]: handle 2 class 2 label[10] 'sample-ksk' id[0]
> object[1]: handle 3 class 3 label[10] 'sample-ksk' id[0] E:never
> ```
> same with pkcs11-list command

assert in process_fd in libisc
https://gitlab.isc.org/isc-projects/bind9/-/issues/2100
Updated: 2021-10-05T15:29:36Z
Author: Tomek Mrugalski

There's an issue reported on Ubuntu [1] that ISC DHCP aborts on assert. But bear with me before you yell "get off my lawn then!". The exact backtrace reported is in [1]. There apparently seems to be a race condition that after a while leads to an assert in sock->pending_send called in process_fd in libisc. This was reported to ISC as [2] and [3]. @tmark looked at the issue and found out that one way to solve the problem is to build libisc with threads disabled. However, Ubuntu folks decided to go another route. They developed a patch for this problem [5] and that fix has been confirmed to solve their specific problem.
I'm opening this ticket to make sure the BIND team is aware of this problem and its potential solution. To be clear, if you decide it's not worth fixing, we can live without that fine.
The original report and patch is for bind 9.11.16, but I just checked that the code where assert blows up seems to be the same in 9.11.22.
References:
- [1] Ubuntu report (backtrace, patch and discussion): https://bugs.launchpad.net/dhcp/+bug/1872118
- [2] DHCP report #1 for Ubuntu: https://gitlab.isc.org/isc-projects/dhcp/-/issues/121
- [3] DHCP report #2 for Ubuntu: https://gitlab.isc.org/isc-projects/dhcp/-/issues/128
- [4] DHCP report from Yocto users: https://gitlab.isc.org/isc-projects/dhcp/-/issues/110
- [5] patch: https://bugs.launchpad.net/dhcp/+bug/1872118/comments/46

Milestone: BIND 9.17 Backburner

runall.sh/testsummary.sh needs update
https://gitlab.isc.org/isc-projects/bind9/-/issues/2092
Updated: 2021-10-05T15:27:10Z
Author: Ondřej Surý

The `runall.sh` and `testsummary.sh` scripts need a refresh to sync up with the automake - it's only used on Windows, so perhaps we might want to replace the shell scripts with something better suited to be run on Windows?

Milestone: BIND 9.17 Backburner

Cache Cleaning Diagnostic Information
https://gitlab.isc.org/isc-projects/bind9/-/issues/2082
Updated: 2021-10-05T15:26:10Z
Author: Brian Conry

1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of nodes without data
1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of deadnodes
1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of times that the function `lib/dns/cache.c:incremental_cleaning_action` is called
1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of times that the function `lib/dns/cache.c:overmem_cleaning_action` is called
1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of times that the function `lib/dns/rbtdb.c:overmem_purge` is called
1. A counter in `cachestats` (JSON/XML) and `++ Cache Statistics ++` (named.stats) for the number of times that the function `lib/dns/rbtdb.c:cleanup_dead_nodes` is called
Additional logging at `DNS_LOGCATEGORY_DATABASE`, `DNS_LOGMODULE_CACHE`, `ISC_LOG_DEBUG(1)` in the following functions:
1. `lib/dns/rbtdb.c:overmem_purge` - log node name (local name plus tree origin?) purged; log mctx in_use delta for both heap and tree after the purge
1. `lib/dns/rbtdb.c:cleanup_dead_nodes` - log `bucketnum`; log number of nodes purged; log mctx in_use delta for both heap and tree after the purge
Noting for the record that we already have CacheNodes/"cache database nodes" giving us the total node count.
Also noting that counts of fully expired and fully ancient nodes would be nice, but there aren't usually code events marking a node's transition from one group to another, so that will have to be something left for core dumps or full database traversals.
Finally, if this is to be prepared as a patch, can it please also include adding an `INSIST(0)` in `lib/dns/rootns.c:dns_root_checkhints()` immediately following the logging of "unable to get root NS rrset from cache"?

Milestone: BIND 9.19.x

host: misleading documentation for the -a option
https://gitlab.isc.org/isc-projects/bind9/-/issues/2072
Updated: 2021-10-05T15:23:19Z
Author: wferi

`host.rst` states:
```
The -a ("all") option is normally equivalent to -v -t ANY. It also affects the behavior of the -l list zone option.
```
However, `-t ANY` uses TCP by default, whereas `-a` uses UDP.
(Aside: it's also unclear how `-a` affects the `-l` option.)
Please fix the documentation or the code as you see fit. Thanks.

app_api.c:25:1: error: braces around scalar initializer on illumos
https://gitlab.isc.org/isc-projects/bind9/-/issues/2044
Updated: 2021-10-05T15:20:31Z
Author: Michal Nowak

BIND `9_11` fails to build on OpenIndiana (`illumos-2509632a43`) with GCC 7.5.0 (10.1.0 is the same):
```
libtool: compile: /usr/gcc/7/bin/gcc -I/export/home/newman/bind9 -I../../.. -I./include -I./../pthreads/include -I../include -I./../include -I./.. -D_REENTRANT -DOPENSSL -DISC_LIST_CHECKINIT=1 -D_XPG4_2 -D__EXTENSIONS__ -m64 -O3 -D_XOPEN_SOURCE=600 -D__EXTENSIONS__=1 -D_XPG6 -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -Wshadow -Werror -c app.c -fPIC -DPIC -o .libs/app.o
...
In file included from app.c:1047:0:
../app_api.c:25:1: error: braces around scalar initializer [-Werror]
static isc_once_t once = ISC_ONCE_INIT;
^~~~~~
../app_api.c:25:1: note: (near initialization for 'once.__pthread_once_pad[0]')
../app_api.c:25:26: error: excess elements in scalar initializer [-Werror]
static isc_once_t once = ISC_ONCE_INIT;
^~~~~~~~~~~~~
../app_api.c:25:26: note: (near initialization for 'once.__pthread_once_pad[0]')
../app_api.c:25:26: error: excess elements in scalar initializer [-Werror]
../app_api.c:25:26: note: (near initialization for 'once.__pthread_once_pad[0]')
../app_api.c:25:26: error: excess elements in scalar initializer [-Werror]
../app_api.c:25:26: note: (near initialization for 'once.__pthread_once_pad[0]')
```
The error is present in many other files, e.g.:
```
net.c:106:1: error: braces around scalar initializer [-Werror]
static isc_once_t once_ipv6only = ISC_ONCE_INIT;
^~~~~~
net.c:106:1: note: (near initialization for 'once_ipv6only.__pthread_once_pad[0]')
...
strerror.c: In function 'isc__strerror':
strerror.c:44:2: error: braces around scalar initializer [-Werror]
static isc_once_t once = ISC_ONCE_INIT;
^~~~~~
strerror.c:44:2: note: (near initialization for 'once.__pthread_once_pad[0]')
...
```
Other maintained branches build fine.

Milestone: BIND 9.17 Backburner