ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-11-18T14:52:26Z

https://gitlab.isc.org/isc-projects/kea/-/issues/2189
master:ChangeLog missing 1.8.1 and 1.8.2
2021-11-18T14:52:26Z
Peter Davies

master:ChangeLog missing 1.8.1 and 1.8.2
...
Kea 1.9.1 (development) released on Oct 28, 2020
Kea 1.9.0 (development) released on Sep 30, 2020
Kea 1.8.0 (stable) released on Aug 26, 2020
...

kea2.1.2
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/bind9/-/issues/3014
Broken ECDSA signatures may be generated with certain private keys
2021-11-22T22:04:37Z
Mark Andrews

See [below][1] for what is currently believed to be the actual culprit
behind intermittent validation failures occurring in system tests.
The original description of this issue follows:
---
check_signer loops directly over `val->event->sigrdataset` which leads to spurious validation failures. Cloning `val->event->sigrdataset` will make its use independent of any looping over the rdataset.
This was found by examining some unexpected failures in the dnssec system test. This was possibly exposed by the use of OpenSSL 3.0.0.
```
17-Nov-2021 12:04:59.413 received packet from 10.53.0.2#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36571
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 2273409052bb1631010000006194553b76a5297853293327
;; QUESTION SECTION:
;auto-nsec3.example. IN A
;; AUTHORITY SECTION:
;auto-nsec3.example. 300 IN NS ns.auto-nsec3.example.
;auto-nsec3.example. 300 IN DS 52528 13 2 (
; 549C4AB8A70D7AA3A65C3F8003DF
; 53E425C5B9AFDE20399C6CA61009
; 3D89781E )
;auto-nsec3.example. 300 IN RRSIG DS 8 2 300 (
; 20211217000313 20211117000313 34390 example.
; jFWU9BNShOu9DCawKevJQi9twGb7
; eNmGWPzkMUT7qkDgK2Cyk9Duz1GA
; ibrcbY0sIp4Rp0kkJnZmtGIsp0Xh
; 54GWYFOGgCZZ0dnVTSSxWnvhtNOl
; TdpppKq6E1sZDHV0NTfiofP1Nmlo
; rYrUyouy5BwMW3F7taUvRZ4L/QVK
; IMU6nN6Ql4F1f/5f5Anr2PAPfJR0
; ctA3+Y/Kh9E9kylJLg== )
;; ADDITIONAL SECTION:
;ns.auto-nsec3.example. 300 IN A 10.53.0.3
```
```
17-Nov-2021 12:04:59.414 received packet from 10.53.0.3#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29588
;; flags: qr aa; QUESTION: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: ed700d3254682696010000006194553b1dedf2a8fb5abfa4
;; QUESTION SECTION:
;auto-nsec3.example. IN DNSKEY
;; ANSWER SECTION:
;auto-nsec3.example. 300 IN DNSKEY 256 3 13 (
; fwG+e1gwVJk7+gwjLrzYKK/QDkSo
; ZBapSLxWf/9m/oGHP2QMuH0td1UD
; XeWw486VfvyGr9WfFVqUiMqsYea+
; 8A==
; ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 52210
;auto-nsec3.example. 300 IN DNSKEY 257 3 13 (
; Zo+EoLnluv1C/L6QiZlj/Mywrv4/
; kX3s0L4jx9hQ78S862nhIGlMndLX
; fdq+D+sfEFf9WvN2LDK/olykcPc7
; 1A==
; ) ; KSK; alg = ECDSAP256SHA256 ; key id = 52528
;auto-nsec3.example. 300 IN DNSKEY 257 3 13 (
; zdEFO/z7PiHd4NwRkZ94ef4m76yi
; GwrhUd3oGIssEgN73XvDbdWyPiQl
; EVvVmnTjwF/rFDIRF+8Ip4yvJheI
; Ow==
; ) ; KSK; alg = ECDSAP256SHA256 ; key id = 6412
;auto-nsec3.example. 300 IN DNSKEY 256 3 13 (
; 1O4dFAm+FtWWN/h10whUgudZxPvj
; hFm7xYcPdWTbhG9v8lI3nqdvwAz0
; 42KmR6bOhfHBo96/s8ENKiVSdGH4
; Kg==
; ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 64471
;auto-nsec3.example. 300 IN RRSIG DNSKEY 13 2 300 (
; 20211217010315 20211117000316 6412 auto-nsec3.example.
; /ASeAP/nKeeOIPGYfDY/iexF/UWz
; lbum+6++QYIyjQt5pw6zmSfo/yZz
; QS1KD0uImVqGC/dTotg3s9abo8hY
; nA== )
;auto-nsec3.example. 300 IN RRSIG DNSKEY 13 2 300 (
; 20211217010315 20211117000316 52528 auto-nsec3.example.
; QEwKW9Hzufb4savsi2Wagt0Ts6Cg
; miQkNCKNzmcGyNGHrreMeOGMC+so
; XnrQbYgVLd9geyDSXDGkjDjvkPa4
; nQ== )
```
```
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): rctx_answer
17-Nov-2021 12:04:59.414 log_ns_ttl: fctx 0x123a0ec00: rctx_answer: auto-nsec3.example (in 'auto-nsec3.example'?): 1 300
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cache_message
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cache_name
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): resquery_response done
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): [result: success] query canceled in rctx_done(); responding
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cancelquery
17-Nov-2021 12:04:59.414 dispatch 0x121f0eef0: detach: refcount 2
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): wait for validator
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): cancelqueries
17-Nov-2021 12:04:59.414 dispatch 0x121f0eef0: detach: refcount 1
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: starting
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: attempting positive response validation
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: validate_dnskey: creating validator for auto-nsec3.example DS
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DS: starting
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DS: attempting positive response validation
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DS: keyset with trust secure
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DS: verify rdataset (keyid=34390): success
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DS: marking as secure, noqname proof not needed
17-Nov-2021 12:04:59.414 validator @0x123a14e00: dns_validator_destroy
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: in validator_callback_ds
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: dsset with trust secure
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: verify rdataset (keyid=52528): RRSIG failed to verify
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: no RRSIG matching DS key
17-Nov-2021 12:04:59.414 validating auto-nsec3.example/DNSKEY: no valid signature found (DS)
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): received validation completion event
17-Nov-2021 12:04:59.414 validator @0x12393cc00: dns_validator_destroy
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): validation failed
17-Nov-2021 12:04:59.414 fctx 0x123a0ec00(auto-nsec3.example/DNSKEY): add_bad
17-Nov-2021 12:04:59.414 no valid RRSIG resolving 'auto-nsec3.example/DNSKEY/IN': 10.53.0.3#5300
```
[1]: #note_249054

December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Arаm Sаrgsyаn

https://gitlab.isc.org/isc-projects/bind9/-/issues/3016
Warning, treated as error: node class 'meta' is already registered, its visitors will be overridden
2021-11-17T16:33:56Z
HQuest

### Summary
When building bind-9.17.20 man pages, sphinx fails with message "node class 'meta' is already registered, its visitors will be overridden".
### BIND version used
BIND 9.17.20 (Development Release)
### Steps to reproduce
build documentation with latest versions of sphinx and docbuild (0.18)
### What is the current *bug* behavior?
man pages fail to be built
### What is the expected *correct* behavior?
man pages built
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
```
Making all in doc
make[2]: Entering directory '/tmp/bind-9.17.20/doc'
Making all in .
make[3]: Entering directory '/tmp/bind-9.17.20/doc'
make[3]: Nothing to be done for 'all-am'.
make[3]: Leaving directory '/tmp/bind-9.17.20/doc'
Making all in misc
make[3]: Entering directory '/tmp/bind-9.17.20/doc/misc'
make all-am
make[4]: Entering directory '/tmp/bind-9.17.20/doc/misc'
make[4]: Nothing to be done for 'all-am'.
make[4]: Leaving directory '/tmp/bind-9.17.20/doc/misc'
make[3]: Leaving directory '/tmp/bind-9.17.20/doc/misc'
Making all in man
make[3]: Entering directory '/tmp/bind-9.17.20/doc/man'
SPHINX manpages.stamp
Warning, treated as error:
node class 'meta' is already registered, its visitors will be overridden
make[3]: *** [Makefile:976: manpages.stamp] Error 2
make[3]: Leaving directory '/tmp/bind-9.17.20/doc/man'
make[2]: *** [Makefile:442: all-recursive] Error 1
make[2]: Leaving directory '/tmp/bind-9.17.20/doc'
make[1]: *** [Makefile:614: all-recursive] Error 1
make[1]: Leaving directory '/tmp/bind-9.17.20'
make: *** [Makefile:520: all] Error 2
```
### Possible fixes
Until man pages are updated to docutils 0.18 (or newer) standards, downgrade to docutils 0.17 (see https://github.com/sphinx-doc/sphinx/issues/9841)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3017
Is there a CVE-2021-25219 research and testing report?
2021-11-18T07:14:17Z
jin gg

I see in the CVE doc that you have researched and tested the impact of disable lame cache.
Do you have any specific details?
https://kb.isc.org/v1/docs/cve-2021-25219
![image](/uploads/189f6e63ce79c9d25606104a4b8875ff/image.png)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3018
fctx_cancelquery() attempts to process a query which has already been freed
2022-01-17T14:55:55Z
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/jobs/2108955
<details>
<summary>Click to expand/collapse AddressSanitizer report</summary>
<pre>==4603==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000ad810 at pc 0x7fef0381a873 bp 0x7feef9e24e80 sp 0x7feef9e24e78
READ of size 8 at 0x6170000ad810 thread T7
#0 0x7fef0381a872 in fctx_cancelquery /builds/isc-projects/bind9/lib/dns/resolver.c:1256
#1 0x7fef03843a95 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9438
#2 0x7fef0384a49c in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7343
#3 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
#4 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
#5 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
#6 0x7fef047caed5 in udp_recv_cb netmgr/udp.c:637
#7 0x7fef047cef11 in isc__nm_udp_read_cb netmgr/udp.c:1021
#8 0x7fef020d8a41 in uv__udp_recvmsg /usr/src/libuv-v1.42.0/src/unix/udp.c:302
#9 0x7fef020d8365 in uv__udp_io /usr/src/libuv-v1.42.0/src/unix/udp.c:178
#10 0x7fef020df3ad in uv__io_poll /usr/src/libuv-v1.42.0/src/unix/epoll.c:374
#11 0x7fef020c3b5b in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:389
#12 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
#13 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
#14 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)
#15 0x7fef0145c352 in clone (/lib64/libc.so.6+0x100352)
0x6170000ad810 is located 16 bytes inside of 720-byte region [0x6170000ad800,0x6170000adad0)
freed by thread T7 here:
#0 0x7fef05112647 in free (/lib64/libasan.so.6+0xae647)
#1 0x7fef0482ff97 in sdallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:38
#2 0x7fef0482ff97 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:361
#3 0x7fef0482ff97 in isc__mem_put /builds/isc-projects/bind9/lib/isc/mem.c:770
#4 0x7fef03819f4b in resquery_destroy /builds/isc-projects/bind9/lib/dns/resolver.c:1194
#5 0x7fef03819f4b in resquery_detach /builds/isc-projects/bind9/lib/dns/resolver.c:1219
#6 0x7fef0381bd10 in fctx_cancelquery /builds/isc-projects/bind9/lib/dns/resolver.c:1433
#7 0x7fef0381d2e7 in fctx_cancelqueries /builds/isc-projects/bind9/lib/dns/resolver.c:1485
#8 0x7fef03820412 in fctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:1746
#9 0x7fef038439f0 in rctx_next /builds/isc-projects/bind9/lib/dns/resolver.c:9348
#10 0x7fef038439f0 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9431
#11 0x7fef0384a49c in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7343
#12 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
#13 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
#14 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
#15 0x7fef047caed5 in udp_recv_cb netmgr/udp.c:637
#16 0x7fef047cef11 in isc__nm_udp_read_cb netmgr/udp.c:1021
#17 0x7fef020d8a41 in uv__udp_recvmsg /usr/src/libuv-v1.42.0/src/unix/udp.c:302
#18 0x7fef020d8365 in uv__udp_io /usr/src/libuv-v1.42.0/src/unix/udp.c:178
#19 0x7fef020df3ad in uv__io_poll /usr/src/libuv-v1.42.0/src/unix/epoll.c:374
#20 0x7fef020c3b5b in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:389
#21 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
#22 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
#23 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)
previously allocated by thread T7 here:
#0 0x7fef0511293f in __interceptor_malloc (/lib64/libasan.so.6+0xae93f)
#1 0x7fef0482f3de in mallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:30
#2 0x7fef0482f3de in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:340
#3 0x7fef0482f3de in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:753
#4 0x7fef0382a923 in fctx_query /builds/isc-projects/bind9/lib/dns/resolver.c:2003
#5 0x7fef03844334 in rctx_resend /builds/isc-projects/bind9/lib/dns/resolver.c:9322
#6 0x7fef03844334 in rctx_done /builds/isc-projects/bind9/lib/dns/resolver.c:9452
#7 0x7fef0384749b in rctx_timedout /builds/isc-projects/bind9/lib/dns/resolver.c:7740
#8 0x7fef0384749b in resquery_response /builds/isc-projects/bind9/lib/dns/resolver.c:7223
#9 0x7fef0345c22c in udp_recv /builds/isc-projects/bind9/lib/dns/dispatch.c:583
#10 0x7fef0478ddc7 in isc__nm_async_readcb netmgr/netmgr.c:2778
#11 0x7fef0478e426 in isc__nm_readcb netmgr/netmgr.c:2751
#12 0x7fef0478e9fc in isc__nmsocket_readtimeout_cb netmgr/netmgr.c:2066
#13 0x7fef020beb19 in uv__run_timers /usr/src/libuv-v1.42.0/src/timer.c:178
#14 0x7fef020c3afb in uv_run /usr/src/libuv-v1.42.0/src/unix/core.c:380
#15 0x7fef04791c34 in nm_thread netmgr/netmgr.c:688
#16 0x7fef0488cde4 in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:185
#17 0x7fef01ea6298 in start_thread (/lib64/libpthread.so.0+0x9298)
Thread T7 created by T0 here:
#0 0x7fef050ba8d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
#1 0x7fef0487b4b9 in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:79
#2 0x7fef04776c4a in isc__netmgr_create netmgr/netmgr.c:328
#3 0x7fef0482cd42 in isc_managers_create /builds/isc-projects/bind9/lib/isc/managers.c:36
#4 0x43d99a in create_managers /builds/isc-projects/bind9/bin/named/main.c:920
#5 0x43d99a in setup /builds/isc-projects/bind9/bin/named/main.c:1184
#6 0x43d99a in main /builds/isc-projects/bind9/bin/named/main.c:1452
#7 0x7fef01383b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/dns/resolver.c:1256 in fctx_cancelquery
Shadow bytes around the buggy address:
0x0c2e8000dab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000dac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000dad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000dae0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c2e8000daf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e8000db00: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000db10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000db20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000db30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000db40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e8000db50: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
===4803==ABORTING</pre>
</details>
Looks like a reference counting issue? `resquery_destroy()` is only
called when the reference count for the query reaches 0, but `rctx`
still wants to access it. AFAICT, `rctx_respinit()` does not
`resquery_attach()` to the query structure and instead [uses a plain
assignment][1], but I am not sure how easily this could be changed.
As a side note, could this maybe be related to #3013? It may be a long
shot, but the code location mentioned in the ASAN backtrace above
matches a branch handling a question section mismatch, so it made me
think of that one.
```c
7338         default:
7339                 result = same_question(fctx, query->rmessage);
7340                 if (result != ISC_R_SUCCESS) {
7341                         FCTXTRACE3("response did not match question", result);
7342                         rctx.nextitem = true;
7343                         rctx_done(&rctx, result);
7344                         return;
7345                 }
7346                 break;
7347         }
```
[1]: https://gitlab.isc.org/isc-projects/bind9/-/blob/a814f722615d2433cc57fd1f2fca1693febb3977/lib/dns/resolver.c#L7594

December 2021 (9.16.24, 9.16.24-S1, 9.17.21)

https://gitlab.isc.org/isc-projects/kea/-/issues/2193
add install missing dependency in debian 11
2021-11-18T12:27:24Z
Wlodzimierz Wencel

`dh-python` has to be installed on debian 11 so we could build packages there

kea2.1.1
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea/-/issues/2194
The hardware address type is not saved for lease4 on some backends.
2022-02-03T11:01:19Z
Francis Dupont

Related to the from/to memfile and database migration subject.
Current status for hardware address in DHCPv4 leases is:
- in memory memfile uses the lease object but only the address part is used for indexing
- the CSV file has only an address column (name hwaddr, second column since 1.0)
- MySQL stores only the address part (hwaddr VARBINARY(20) column since 1.0)
- PostgreSQL stores only the address part (hwaddr BYTEA since 1.0)
- Cassandra stores only the address part (hwaddr BLOB since 1.0)
Current status for hardware address in DHCPv6 leases is:
- in memory memfile uses the lease object and the hardware address is not used for indexing
- the CSV file has only an address column (name hwaddr, 13th column added in 2.0)
- MySQL stores hwaddr, hwtype and hwaddr_source since 2.0
- PostgreSQL stores hwaddr, hwtype and hwaddr_source since 3.0
- Cassandra stores hwaddr, hwtype and hwaddr_source since 1.0
Options are between doing nothing to fully aligning the different backends...

kea2.1.2

https://gitlab.isc.org/isc-projects/bind9/-/issues/3019
doth max-age tests failing on ALPN negotiation MacOS (macports)
2021-11-25T09:19:42Z
Mark Andrews

```
I:doth:checking max-age for positive answer (136)
I:doth:failed
I:doth:checking max-age for negative answer (137)
I:doth:failed
I:doth:exit status: 2
```
```
[ant-2875:bin/tests/system] marka% /opt/local/bin/curl -vkD headers 'https://10.53.0.1:5303/dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ'
* Trying 10.53.0.1:5303...
* Connected to 10.53.0.1 (10.53.0.1) port 5303 (#0)
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=AQ; O=BIND9 ephemeral certificate; CN=bind9.local
* start date: Nov 19 01:27:08 2021 GMT
* expire date: Nov 17 01:27:08 2031 GMT
* issuer: C=AQ; O=BIND9 ephemeral certificate; CN=bind9.local
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /dns-query?dns=AAEAAAABAAAAAAAAB2V4YW1wbGUAAAYAAQ HTTP/1.1
> Host: 10.53.0.1:5303
> User-Agent: curl/7.80.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server
[ant-2875:bin/tests/system] marka%
```
Nothing is logged in `named.run`.

December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Artem Boldariev

https://gitlab.isc.org/isc-projects/kea/-/issues/2195
bump up lib versions for the release 2.1.1
2021-11-19T19:31:17Z
Razvan Becheriu

kea2.1.1
Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2196
2.1.1 release
2022-01-19T07:50:33Z
Andrei Pavel
andrei@isc.org

---
name: Release Checklist
about: Create a new issue using this checklist for each release
---
# Kea Release Checklist
This is thoroughly documented in [the Kea Release Process guide](https://wiki.isc.org/bin/view/QA/KeaReleaseProcess).
## Pre-Release Preparation
Some of those checks and updates can be made before the actual freeze.
1. Check Jenkins results:
1. [x] Check Jenkins jobs for failures: [distcheck](https://jenkins.aws.isc.org/job/kea-dev/job/distcheck/), etc...
1. [x] Check [Jenkins Tests Report](https://jenkins.aws.isc.org/job/kea-dev/job/jenkins-tests-report/).
1. [x] Check [tarball check report](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/Kea_20Build_20Checks/)
1. [x] Check [Performance Test Results](https://jenkins.isc.org/job/kea-dev/job/performance/KeaPerformanceReport/) in Jenkins for drops in performance.
1. Check versioning, ask the development team if:
- the library versions are being updated
- `KEA_HOOKS_VERSION` is being updated
- [x] create an issue for that for developers in Gitlab
- script: [./tools/bump-lib-versions.sh](https://gitlab.isc.org/isc-projects/kea/-/blob/master/tools/bump-lib-versions.sh) Kea-q.w.e Kea-a.b.c (where `a.b.c` is the version to be released and `q.w.e` is the version previous to that)
1. Prepare Release Notes
1. [x] Create Release Notes on Kea GitLab wiki and notify @tomek about that. It should be created under "release notes" directory, like this one: https://gitlab.isc.org/isc-projects/kea/-/wikis/release%20notes/release-notes-2.1.0
1. [ ] Finish release notes and conduct its review
1. [ ] Run [release-pkgs-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-upload-internal/) and [release-pkgs-check-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-check-internal/) to test repositories for correctness.
1. If a new Cloudsmith repository is used, make sure access tokens have been synchronized from previous Cloudsmith repositories and to the [check-pkgs.py](https://gitlab.isc.org/isc-private/qa-dhcp/-/blob/master/kea/pkgs-check/check-pkgs.py) QA tool.
1. [x] Check if ReadTheDocs can build Kea documentation.
1. Trigger rebuilding docs on [readthedocs.org](https://readthedocs.org/projects/kea/builds) and wait for the build to complete.
The following steps may involve changing files in the repository.
1. [x] Run [update-code-for-release.py](https://gitlab.isc.org/isc-private/qa-dhcp/-/blob/master/kea/build/update-code-for-release.py) <br>
Example command: `GITLAB_KEA_TOKEN='...' GITLAB_KEA_PREMIUM_TOKEN='...' ./update-code-for-release.py 1.9.7 'Apr 28, 2021' ~/isc/repos/kea/` <br>
The script:
- creates Gitlab issue and MR for release changes
- adds release entries to ChangeLogs
- regenerates BNF grammar
- regenerates documentation
- regenerates messages
- reorders messages in alphabetical order
- regenerates parsers
- updates copyright dates
- pushes the changes to MR
1. Check manually User's Guide sections:
1. Chapter 1. Introduction
1. [x] On what platforms are we running tests using Jenkins? Update Supported Platforms in platforms.rst file.
1. [x] Did we add any additional 3rd party software? Update if needed
1. [x] Is there a new tool installed in bin or sbin released this time? If yes, is it documented?
1. Chapter 2. Quick Start
1. [x] Has the default installation process changed (for kea and hooks)? If yes, are those changes documented and highlighted in the release notes?
1. Chapter 3. Installation
1. [x] Check installation hierarchy (this is also automatically checked at the end of [ut-extended job](https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/))
1. [x] Check and update Build Requirements
1. [x] Check configure options against what `./configure -h` says
1. [x] Check ChangeLog entries in Kea main and premium: spelling, trailing whitespaces, etc.
1. [x] Check AUTHORS, INSTALL, README files in Kea main and premium.
- AUTHORS: update credits
- README: check "provides" with Release Notes, User Guide (1.3 Kea Software)
1. [x] If changes were made, commit the change, push the branch to the main repository and request a review. Once the changes have been approved, merge the MR to master.
## Build selection, tarballs upload and sanity checks
This is the last moment to freeze code! :snowflake:
1. [x] Go to [tarball-internal](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/) Jenkins job and pick the last tarball built - it will be a release candidate.
1. [x] Check tarball before requesting sanity checks from the development team.
1. Download tarballs from picked Jenkins build
1. Check hook libraries.
1. Are there any new hook libraries installed in this release?
1. Are they in the proper tarball? Premium or subscription?
1. Do they have their own package?
1. Check sizes - is the new package reasonable?
1. Check installation tree, compare it with the previous release
1. Check installed libraries.
1. which were updated? (save results)
1. Do any of the libraries from the current release have lower version than in the previous release?
1. Uninstall Kea, check what is left (there should be just configuration files)
1. Check if all of the installed binaries have man pages
1. if not, is it in the tarball?
1. are man pages up-to-date?
1. Check if documentation is properly formatted, has correct versions and dates.
1. it's advised to search for previous version numbers, some of them are statically added in statements that are no longer valid
1. [x] Upload tarballs to repo.isc.org using Jenkins and send sanity checks request.
1. Go to [release-tarball-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-tarball-upload-internal/) Jenkins job.
1. Click "Build with Parameters"
1. In field "Tarball" select picked tarball build
1. In field "Release_Candidate" pick:
1. rc1 if this is the first selected build for release, it will push the selected tarballs to repo.isc.org, to a directory suffixed with indicated rc#
1. next rc# if this is a respin after some fixes (note: it is not possible to pick previous rc number - it will result in an error)
1. final if the last rc number was ok, this will push the selected tarball to repo.isc.org, to a directory with no suffixes
1. Submit the job that will automatically:
1. Upload the tarballs <br>
and if this is not the final version:
1. Create a GitLab issue for sanity checks, put there the announcement
1. Send Sanity Checks announcement via email to dhcp-team@isc.org and to DHCP channel on Mattermost.<br>
   The announcement includes:
   - a link to chapter 4 Sanity Checks of the release process: [KeaReleaseProcess - SanityChecks](https://wiki.isc.org/bin/view/QA/KeaReleaseProcess#4.%20Sanity%20Checks)
   - a link to the GitLab issue
   - tarballs locations with SHA256 checksums
   - rpm/deb packages locations and versions
## Releasing Tarballs and Packages
1. [x] Update Release Notes with ChangeLog entries
1. [x] Upload final RPM & DEB packages to cloudsmith.io
   1. Go to [release-pkgs-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-upload-internal/).
   1. Click "Build with Parameters" link
   1. Pick your selected pkg build in Packages field, and select `PrivPubRepos: "both"`, `TestProdRepos: "production"` and click Build button.
   1. When it finishes run check: [releases-pkgs-check-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-check-internal/).
1. [x] Upload final tarballs to repo.isc.org
   1. Go to [release-tarball-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-tarball-upload-internal/) Jenkins job.
   1. Click "Build with Parameters"
   1. In field "Tarball" select picked tarball build
   1. In field "Release_Candidate" pick final <br>
      This job will also:
      - open an issue on [the signing repository](https://gitlab.isc.org/isc-private/signing/-/issues) requesting signing final tarballs on repo.isc.org
      - create Git tags `Kea-a.b.c` in Kea main and premium repositories
      - send a signing request issue link on the DHCP Mattermost channel
1. [x] Update ReadTheDocs
   1. Trigger rebuilding docs on [readthedocs.org](https://readthedocs.org/projects/kea/builds).
   1. Publish currently released version. On the `Versions` tab, scroll down to `Activate a version`, search for `kea-a.b.c` and click `Activate`.
   1. For stable releases, change the default version to point to this stable release.
1. [x] Mark Jenkins jobs with release artifacts to be kept forever: <br>
   Go to the following Jenkins jobs, click release build and then, on the build page, click `Keep this build forever` button: <br>
   1. [tarball-internal job](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/)
   1. [pkg job](https://jenkins.aws.isc.org/job/kea-dev/job/pkg/)
1. [x] Create an issue and a merge request to bump up Kea version in `configure.ac` to next development version which could be, based on just released version `a.b.c`:
   * `a.b.z-git` where `z == c + 1` or
   * `a.y.0-git` where `y == b + 1` or
   * `x.1.0-git` where `x == a + 1`
1. [x] Send a request for publishing the release on the Support Mattermost channel linking the Signing issue and the release checklist issue.
### On the Day of Public Release
- [x] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- [x] ***(Support)*** Place tarballs in public location on FTP site.
- [x] ***(Support)*** Publish links to downloads on ISC website.
- [x] ***(Support)*** Write release email to *kea-announce*.
- [ ] ***(Support)*** Write email to *kea-users* (if a major release).
- [x] ***(Support)*** Send eligible customers updated links to the Subscription software FTP site.
- [ ] ***(Support)*** If it is a new `major.minor` version, SWENG will have created a new repo in Cloudsmith, which will need the customer tokens migrated from an existing repo. Then update support customers that this new private repo exists.
- [x] ***(Support)*** Update tickets in case of waiting for support customers.
- [ ] ***(QA)*** Inform Marketing of the release.
- [ ] ***(Marketing)*** If a new Cloudsmith repository is used, update the Zapier scripts.
- [ ] ***(Marketing)*** Upload Premium hooks tarball to SendOwl. Create a new product if a new branch, otherwise update existing product. Send notifications to existing subscribers of the new version.
- [ ] ***(Marketing)*** Announce on social media.
- [ ] ***(Marketing)*** Update [Wikipedia entry for Kea](https://en.wikipedia.org/wiki/Kea_(software)).
- [ ] ***(Marketing)*** Write blog article (if a major release).
- [ ] ***(Marketing)*** Update [Kea page on web site if any new hooks](https://www.isc.org/kea/).
- [ ] ***(Marketing)*** Update Kea Premium and Kea Subscription data sheets if any new hooks.
- [ ] ***(Marketing)*** Update [significant features matrix](https://kb.isc.org/docs/en/aa-01615) (if any significant new features).
- [ ] ***(Marketing)*** Update [Kea documentation page in KB](https://kb.isc.org/docs/en/kea-administrator-reference-manual).

kea2.1.1
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/2197
Changes for Kea 2.1.1 release
2021-11-23T18:18:57Z
Andrei Pavel andrei@isc.org

- [x] added release entry to ChangeLogs
- [x] regenerated BNF grammar
- [x] regenerated message headers
- [x] regenerated parsers
- [x] reordered messages in alphabetical order
- [x] updated copyright years

kea2.1.1
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/2198
PostgreSQL corrections for schema 7.0
2021-11-23T20:36:37Z
Andrei Pavel andrei@isc.org

* [ ] revert `dhcp4_subnet_id` to INT for the initial creation. It is already altered to BIGINT on dhcpdb_create.pgsql:542 and upgrade_3.2_to_3.3.sh.in:44.
* [x] make `upgrade_6.2_to_7.0.sh.in` consistent with `dhcpdb_create.pgsql`
Other less important changes:
* [ ] `CREATE OR REPLACE` everywhere, just as it was recently modified in `dhcpdb_create.pgsql`
* [ ] add `INSERT INTO host_identifier_type VALUES (3, 'client-id');` to upgrade script. Not related to changes made in #90 and #2166, but it has been missing since 2016. I would prefer it in its intended upgrade script.

kea2.1.1
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/2199
release checklist additions
2022-01-21T16:15:20Z
Andrei Pavel andrei@isc.org

* [x] make sure changelog is not missing any entries
* [x] if any changes are made to the database schemas, check that a previously released schema version hasn't been changed and check that the additions to `dhcpdb_create.*ql` are consistent with added upgrade scripts

kea2.1.2
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea/-/issues/2201
DHCPv6 request dropped with rfc7217 link-local addresses and too long flex-id
2022-01-11T10:04:52Z
Johan Mulder

---
name: dhcpv6 request dropped with rfc7217 link-local address
about: DHCPv6 message dropped with rfc7217 link-local addresses and too long flex-id
---
**Describe the bug**
When flex-id is used for static host reservation in combination with replace-client-id set to true **and** the client has a link-local address that doesn't match the hardware address (actually the mac address), kea will drop the message with the following message:
```
ERROR DHCP6_PACKET_PROCESS_STD_EXCEPTION exception occurred during packet processing: hwaddr length exceeds MAX_HWADDR_LEN
```
This only happens when the evaluated flex-id value exceeds MAX_HWADDR_LEN (which appears to be set to 20 in kea 2.0.0).
**To Reproduce**
Steps to reproduce the behavior:
1. Run kea-dhcp6 with the following flex-id configuration:
```jsonc
{
"library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_flex_id.so",
"parameters": {
// Obviously this can be anything, as long as the result exceeds the max of 20 chars
"identifier-expression": "substring(relay6[0].option[37].hex, 4, all)",
"replace-client-id": true
}
}
```
2. Generate and send a DHCPv6 request which causes the flex-id to exceed MAX_HWADDR_LEN, with a client identifier option containing a duid which contains the proper hardware address (DUID-LLT or DUID-LL will do) from a link-local address based on rfc7217.
3. The server receives the request, evaluates flex-id and replaces the duid with the evaluated flex-id value.
4. It then breaks with the aforementioned error message and the request is then dropped.
**Expected behavior**
The server is not supposed to break in this kind of a situation.
**Environment:**
- Kea version (from the ISC provided packages):
```
2.0.0
tarball
linked with:
log4cplus 1.1.2
OpenSSL 1.1.1d 10 Sep 2019
database:
MySQL backend 12.0, library 10.3.29
PostgreSQL backend 6.2, library 110012
Memfile backend 2.1
```
- OS: Debian 10.10 on x86_64.
- Features: See ISC provided packages.
- hooks: legal log, flex-id, host_cmds
**Additional Information**
Complete debug log message:
```
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_BUFFER_RECEIVED received buffer from 2001:db8:1:8::23:547 to 2001:db8:3:117::117:1:0 over interface eth0
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_BUFFER_UNPACK parsing buffer received from 2001:db8:1:8::23 to 2001:db8:3:117::117:1 over interface eth0
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_PACKET_RECEIVED duid=[00:01:00:01:29:2e:5d:11:dc:a6:32:dd:8c:c3], tid=0x6df500: SOLICIT (type 1) received from 2001:db8:1:8::23 to 2001:db8:3:117::117:1 on interface eth0
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_QUERY_DATA duid=[00:01:00:01:29:2e:5d:11:dc:a6:32:dd:8c:c3], tid=0x6df500, packet details: localAddr=[2001:db8:3:117::117:1]:0 remoteAddr=[2001:db8:1:8::23]:547
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: msgtype=1(SOLICIT), transid=0x6df500
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00001, len=00014: 00:01:00:01:29:2e:5d:11:dc:a6:32:dd:8c:c3
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00003(IA_NA), len=00012: iaid=1, t1=0, t2=0
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00006, len=00010: 23(uint16) 24(uint16) 39(uint16) 82(uint16) 83(uint16)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00008, len=00002: 49244 (uint16)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00014, len=00000:
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=16, len=4, enterprise id=0x9f08
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00020, len=00000:
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00025(IA_PD), len=00012: iaid=2, t1=0, t2=0
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00037, len=00026: 941806 (uint32) 616C722D6F66662D61737730323B323033343B302F36 (binary)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=39(CLIENT_FQDN), flags: (N=0, O=0, S=1), domain-name='pi-port-6' (partial)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: 1 relay(s):
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: relay[0]: msg-type=12(RELAY_FORWARD), hop-count=0,
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: link-address=2001:db8:1:8::23, peer-address=fe80::57a1:95ad:1fc4:13d1, 2 option(s)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00018, len=00008: 76:6c:61:6e:32:30:33:34
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: type=00037, len=00026: 941806 (uint32) 616C722D6F66662D61737730323B323033343B302F36 (binary)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG HOOKS_CALLOUTS_BEGIN begin all callouts for hook pkt6_receive
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG HOOKS_CALLOUT_CALLED hooks library with index 1 has called a callout on hook pkt6_receive that has address 0x7f0a5a0bc9a0 (callout duration: 0.048 ms)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG EVAL_DEBUG_OPTION Pushing option 37 with value 0x000E5EEE616C722D6F66662D61737730323B323033343B302F36
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG EVAL_DEBUG_STRING Pushing text string '4'
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG EVAL_DEBUG_STRING Pushing text string 'all'
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG EVAL_DEBUG_SUBSTRING Popping length all, start 4, string 0x000E5EEE616C722D6F66662D61737730323B323033343B302F36 pushing result 0x616C722D6F66662D61737730323B323033343B302F36
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG FLEX_ID_EXPRESSION_EVALUATED Expression evaluated for packet to "alr-off-asw02;2034;0/6" (size: 22)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG FLEX_ID_EXPRESSION_HEX evaluated expression in hexadecimal form "61:6c:72:2d:6f:66:66:2d:61:73:77:30:32:3b:32:30:33:34:3b:30:2f:36"
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG FLEX_ID_USED_AS_DUID using flexible identifier "00:00:61:6c:72:2d:6f:66:66:2d:61:73:77:30:32:3b:32:30:33:34:3b:30:2f:36" as DUID
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG HOOKS_CALLOUT_CALLED hooks library with index 2 has called a callout on hook pkt6_receive that has address 0x7f0a5a074700 (callout duration: 0.389 ms)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG HOOKS_CALLOUTS_COMPLETE completed callouts for hook pkt6_receive (total callouts duration: 0.437 ms)
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCPSRV_CFGMGR_SUBNET6_RELAY selected subnet 2001:db8:1:b::/64, because of matching relay addr 2001:db8:1:8::23
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_SUBNET_SELECTED duid=[00:00:61:6c:72:2d:6f:66:66:2d:61:73:77:30:32:3b:32:30:33:34:3b:30:2f:36], tid=0x6df500: the subnet with ID 1 was selected for client assignments
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: DEBUG DHCP6_SUBNET_DATA duid [00:00:61:6c:72:2d:6f:66:66:2d:61:73:77:30:32:3b:32:30:33:34:3b:30:2f:36], tid=0x6df500: the selected subnet details: 2001:db8:1:b::/64
Nov 22 16:00:20 dhcpradius kea-dhcp6[18922]: ERROR DHCP6_PACKET_PROCESS_STD_EXCEPTION exception occurred during packet processing: hwaddr length exceeds MAX_HWADDR_LEN
```
The request in this case was relayed and received via unicast by kea. The mac address of the client can be derived from the duid and the link-local address can be found in the log above.
**Contacting you**
Sending a message on github or replying in this ticket is ok.

kea2.1.2
Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2202
Continue review/update of ARM hooks sections
2021-12-03T18:01:43Z
Suzanne Goldlust

Ongoing review of the Kea ARM, focusing on the hooks-related sections (followup from #2139)

kea2.1.2
Thomas Markwalder

https://gitlab.isc.org/isc-projects/stork/-/issues/618
build_kea_premium_container and run_kea_premium_container don't work because of renamed containers
2021-12-03T07:27:36Z
Andrei Pavel andrei@isc.org

9e024d6e7448b7e1795038d0ac5d6697ea6cb1b1 renamed `agent-kea-hosts` to `agent-kea-premium` in some parts, but left it in others. As a result, `rake build_kea_hosts_container` and `rake run_kea_hosts_container` don't work anymore. This is meant to finish the job.

1.0
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/3020
netmgr/netmgr.c:1737: (...) failed
2022-04-26T13:28:04Z
Nelson A. de Oliveira

Hi!
I am seeing this for some internal DNS queries:
```
$ host www.unesp.br 200.145.86.1
Using domain server:
Name: 200.145.86.1
Address: 200.145.86.1#53
Aliases:
www.unesp.br has address 200.145.6.98
netmgr/netmgr.c:1737: REQUIRE((((handle) != ((void *)0) && ((const isc__magic_t *)(handle))->magic == ((('N') << 24 | ('M') << 16 | ('H') << 8 | ('D')))) && __extension__ ({ __auto_type __atomic_load_ptr = (&(handle)->references); __typeof__ ((void)0, *__atomic_load_ptr) __atomic_load_tmp; __atomic_load (__atomic_load_ptr, &__atomic_load_tmp, (5)); __atomic_load_tmp; }) > 0)) failed, back trace
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(+0x3552f)[0x7fae10e0f52f]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc_assertion_failed+0xa)[0x7fae10e0f48a]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc__nmhandle_attach+0x63)[0x7fae10df9aa3]
host(+0xe3aa)[0x55c5f12963aa]
host(+0xf2c7)[0x55c5f12972c7]
host(+0x1177b)[0x55c5f129977b]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc__nm_async_readcb+0xad)[0x7fae10dfce6d]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc__nm_readcb+0x97)[0x7fae10dfcf97]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(+0x30cd0)[0x7fae10e0acd0]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc__nm_udp_read_cb+0x46)[0x7fae10e0c4c6]
/usr/lib/x86_64-linux-gnu/libuv.so.1(+0x1ee8d)[0x7fae10956e8d]
/usr/lib/x86_64-linux-gnu/libuv.so.1(+0x22c75)[0x7fae1095ac75]
/usr/lib/x86_64-linux-gnu/libuv.so.1(uv_run+0x114)[0x7fae10947854]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(+0x247da)[0x7fae10dfe7da]
/usr/lib/x86_64-linux-gnu/libisc-9.17.20-2-Debian.so(isc__trampoline_run+0x16)[0x7fae10e36bd6]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x8eae)[0x7fae10b36eae]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7fae10a66a5f]
zsh: IOT instruction (core dumped) host www.unesp.br 200.145.86.1
```
I hope that some of these files are helpful :-)
[core dump](/uploads/325a587af3cbf8c8862b554c57597f93/core-isc-net-0000.55659.neon.1637667477)
[gdb's "thread apply all bt full"](/uploads/56e9ac73d79041b0ed8606e102813b88/gdb.txt)
[tcpdump output](/uploads/60932dfe55240b848a0ef2902bae3289/tcpdump.txt)
This is also https://bugs.debian.org/1000447
If you need anything else, just let me know, please.
Thank you!

April 2022 (9.16.28, 9.16.28-S1, 9.18.2, 9.19.0)
Arаm Sаrgsyаn

https://gitlab.isc.org/isc-projects/bind9/-/issues/3021
dns_sdlz_putrr does not auto increase buffer
2021-11-25T20:48:33Z
Rainer W.

### Summary
dns_sdlz_putrr does not auto increase buffer
### BIND version used
9.16, but in the current master the bug exists.
### Steps to reproduce
add dlz ldap support and create long dlzDomain
### What is the current *bug* behavior?
when "dns_rdata_fromtext: buffer-0x7f17cc6ea940:1: near '604800': ran out of space" is "detected" and buffer < 64k, dns_sdlz_putrr immediately exits with DNS_R_SERVFAIL.
### What is the expected *correct* behavior?
loop in dns_sdlz_putrr to increase the buffer so parsing can happen.
### Relevant configuration files
-
### Relevant logs and/or screenshots
-
### Possible fixes
commenting out `result = DNS_R_SERVFAIL;` in https://gitlab.isc.org/isc-projects/bind9/-/blob/main/lib/dns/sdlz.c#L1855 fixes the issue.
As far as I understand the code in dns_sdlz_putrr it does run a while loop until the buffer had been increased enough so the input could be successfully parsed (or 64k buffer size is reached).
But the line mentioned above does overwrite the result hard to DNS_R_SERVFAIL. Yes, only when `result != ISC_R_SUCCESS` but for my understanding a result ISC_R_NOSPACE will always be != ISC_R_SUCCESS, so the loop will never happen / is basically dead code.
Which in my case does break lookup, but removing the 1855 line enables the original buffer increment logic and a patched instance does loop a second time with an increased buffer and therefore can parse the dlz ldap input correctly and resolve successfully.
I'm not sure if just removing line 1855 is the correct solution. I would say 1866 does already handle the jump to failure: in case the result is != success.

December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Mark Andrews

https://gitlab.isc.org/isc-projects/kea/-/issues/2204
Sanity checks for Kea 2.1.1 rc1
2021-11-24T20:28:34Z
jenkins

```
We are now at step SANITY CHECKS of Kea 2.1.1 rc1.
Please verify the packages and files according to "4. Sanity Checks" chapter on:
https://wiki.isc.org/bin/view/QA/KeaReleaseProcess#4.%20Sanity%20Checks
and your imagination.
Before starting any checks, please state what check you are doing in a
thread/discussion (not as comment) in Sanity Checks issue in GitLab:
None
When you finish given check state in the same thread/discussion what is the result.
This way we know what is covered upfront and we can avoid repeating ourselves.
Release content is located on:
1) [tarballs] repo.isc.org in the following folders:
/data/shared/sweng/kea/releases/2.1.1-rc1
/data/shared/sweng/kea/releases/premium-2.1.1-rc1
/data/shared/sweng/kea/releases/subscription-2.1.1-rc1
SHA256 (kea-2.1.1.tar.gz) = d787a629cd28b020b731dbbd599f5d5e40423decad89ea7e8526d00fb3289757
SHA256 (kea-premium-2.1.1.tar.gz) = e53a64dbd91c89972e4fd59311d2d0420606a5c53c07a0f6bb6845277889f037
SHA256 (kea-subscription-2.1.1.tar.gz) = 0da9e61dec3cb77b82c9ac5be61e7620d4c53dfd5bbdd2ec62e7e3cdcf0a2c47
2) APK, deb, RPM packages on packages.aws.isc.org, exact packages versions are stored here:
https://jenkins.aws.isc.org/job/kea-dev/job/pkg/632/
Release versions are:
APK: 2.1.1-r20211123204920: https://packages.aws.isc.org/#browse/search/raw=format%3Draw%20AND%20name.raw%3D*r20211123204920.apk
deb: 2.1.1-isc20211123204920: https://packages.aws.isc.org/#browse/search/apt=format%3Dapt%20AND%20version%3D2.1.1-isc20211123204920
RPM: 2.1.1-isc20211123204920.[os]: https://packages.aws.isc.org/#browse/search/yum=format%3Dyum%20AND%20version%3D2.1.1-isc20211123204920*
Installation instructions are here: https://wiki.isc.org/bin/view/QA/KeaReleaseProcess#4.%20Sanity%20Checks, chapter 4. Sanity Checks, point 9.
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/3022
DoH: dig eventually aborts on ALPN negotiation failure when issuing a DoH query (because of dangling handles)
2021-12-01T08:58:44Z
Artem Boldariev

It was found by accident that `dig` crashes when issuing a query against a server which does not support HTTP/2, or to be more precise, when 'h2' ALPN token negotiation fails.
```
;; Connection to 127.0.0.1#44344(127.0.0.1) for example failed: ALPN for HTTP/2 failed.
;; Connection to 127.0.0.1#44344(127.0.0.1) for example failed: ALPN for HTTP/2 failed.
;; Connection to 127.0.0.1#44344(127.0.0.1) for example failed: ALPN for HTTP/2 failed.
Outstanding sockets
=================
Active server socket 0x7f172da91a00, type isc_nm_tlssocket, refs 1
Parent (nil), listener (nil), server (nil), statichandle = (nil)
Flags: closing
Created by:
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc___nmsocket_init+0x276)[0x7f1732594301]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_tlsconnect+0xb9)[0x7f17325fbfdb]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_httpconnect+0x89f)[0x7f17325f1ce2]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x18fb5)[0x560157b26fb5]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x1e20d)[0x560157b2c20d]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x14874)[0x560157b22874]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x1e2a6)[0x560157b2c2a6]
=================
Active server socket 0x7f172da93800, type isc_nm_tlssocket, refs 1
Parent (nil), listener (nil), server (nil), statichandle = (nil)
Flags: closing
Created by:
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc___nmsocket_init+0x276)[0x7f1732594301]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_tlsconnect+0xb9)[0x7f17325fbfdb]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_httpconnect+0x89f)[0x7f17325f1ce2]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x18fb5)[0x560157b26fb5]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x1e20d)[0x560157b2c20d]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x14874)[0x560157b22874]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x13dfd)[0x560157b21dfd]
=================
Active server socket 0x7f172da91000, type isc_nm_tlssocket, refs 1
Parent (nil), listener (nil), server (nil), statichandle = (nil)
Flags: closing
Created by:
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc___nmsocket_init+0x276)[0x7f1732594301]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_tlsconnect+0xb9)[0x7f17325fbfdb]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_nm_httpconnect+0x89f)[0x7f17325f1ce2]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x18fb5)[0x560157b26fb5]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x1e20d)[0x560157b2c20d]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x14874)[0x560157b22874]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x13dfd)[0x560157b21dfd]
netmgr/netmgr.c:578: INSIST(0) failed, back trace
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(+0x42894)[0x7f17325b2894]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_assertion_failed+0x31)[0x7f17325b27a7]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc__netmgr_destroy+0x10d)[0x7f173258f0d8]
/home/artem/projects/isc/open/bind9/lib/isc/.libs/libisc-9.17.20.so(isc_managers_destroy+0xf5)[0x7f17325ca823]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x1e815)[0x560157b2c815]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0xef35)[0x560157b1cf35]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0xef96)[0x560157b1cf96]
/usr/lib/libc.so.6(__libc_start_main+0xd5)[0x7f1731645b25]
/home/artem/projects/isc/open/bind9/bin/dig/.libs/lt-dig(+0x5e9e)[0x560157b13e9e]
Aborted (core dumped)
```

December 2021 (9.16.24, 9.16.24-S1, 9.17.21)
Artem Boldariev