ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-07-28T12:58:34Z

https://gitlab.isc.org/isc-projects/kea/-/issues/1892
Deprecate Cassandra
2021-07-28T12:58:34Z
Tomek Mrugalski

Cassandra backend is by far the least popular and it is lagging behind. We looked at it and determined that it's not feasible to provide config backend implementation based on Cassandra.
For those two reasons, we're going to deprecate Cassandra.
Cassandra will remain available in 2.x, but will be marked as deprecated. We will keep the code around as long as there are customers who still use it.

kea1.9.9
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/1819
1.9.7 release checklist
2021-05-10T10:12:04Z
Michal Nowikowski

---
name: Release Checklist
about: Create a new issue using this checklist for each release
---
# Kea Release Checklist
This is thoroughly documented in [the Kea Release Process guide](https://wiki.isc.org/bin/view/QA/KeaReleaseProcess).
## Pre-Release Preparation
Some of those checks and updates can be made before actual freeze.
1. Check Jenkins results:
1. [x] Check Jenkins jobs for failures: [distcheck](https://jenkins.aws.isc.org/job/kea-dev/job/distcheck/), etc...
1. [x] Check [Jenkins Tests Report](https://jenkins.aws.isc.org/job/kea-dev/job/jenkins-tests-report/).
1. [x] Check [tarball check report](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/Kea_20Build_20Checks/)
1. [ ] Check [Performance Test Results](https://jenkins.isc.org/job/kea-dev/job/performance/KeaPerformanceReport/) in Jenkins for drops in performance.
1. Check versioning, ask the development team if:
- the library versions are being updated
- `KEA_HOOKS_VERSION` is being updated
- [x] create an issue for that for developers in Gitlab
- script: [./tools/bump-lib-versions.sh](https://gitlab.isc.org/isc-projects/kea/-/blob/master/tools/bump-lib-versions.sh) Kea-q.w.e Kea-a.b.c (where `a.b.c` is the version to be released and `q.w.e` is the version previous to that)
1. Prepare Release Notes
1. [x] Create Release Notes on Kea GitLab wiki and notify @tomek about that. It should be created under "release notes" directory, like this one: https://gitlab.isc.org/isc-projects/kea/-/wikis/release%20notes/release-notes-1.9.2
1. [x] Finish release notes and conduct its review
1. [x] Run [release-pkgs-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-upload-internal/) and [release-pkgs-check-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-check-internal/) to test repositories for correctness.
The following steps may involve changing files in the repository.
1. [x] Run [update-code-for-release.py](https://gitlab.isc.org/isc-private/qa-dhcp/-/blob/master/kea/build/update-code-for-release.py) <br>
Example command: `GITLAB_KEA_TOKEN='...' GITLAB_KEA_PREMIUM_TOKEN='...' ./update-code-for-release.py 1.9.7 'Apr 28, 2021' ~/isc/repos/kea/` <br>
The script:
- creates a Kea issue and MR for release changes,
- runs several updating scripts
- pushes the changes to MR
1. Check manually User's Guide sections:
1. Chapter 1. Introduction
1. [x] On what platforms we are running tests using Jenkins? Update Supported Platforms in platforms.rst file.
1. [x] Did we add any additional 3rd party software? Update if needed
1. [x] Is there a new tool installed in bin or sbin released this time? If yes, is it documented?
1. Chapter 2. Quick Start
1. [x] Has the default installation process changed (for kea and hooks)? If yes, are those changes documented and highlighted in the release notes?
1. Chapter 3. Installation
1. [x] Check installation hierarchy
1. [x] Check and update Build Requirements
1. [x] Check configure options against what `./configure -h` says
1. [x] Check ChangeLog entries in Kea main and premium: spelling, trailing whitespaces, etc.
1. [x] Check AUTHORS, INSTALL, README files in Kea main and premium.
- AUTHORS: update credits
- README: check "provides" with Release Notes, User Guide (1.3 Kea Software)
1. [x] If changes were made, commit the change, push the branch to the main repository and request a review. Once the changes have been approved, merge the MR to master.
## Build selection, tarballs upload and sanity checks
This is the last moment to freeze code! :snowflake:
1. [x] Go to [tarball-internal](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/) Jenkins job and pick last tarball built - it will be a release candidate.
1. [x] Check tarball before requesting sanity checks from the development team.
1. Download tarballs from picked Jenkins build
1. Check sizes - is new package reasonable?
1. Check installation tree, compare it with previous release
1. Check installed lib versions
1. which were updated? (save results)
1. any of the libs from current release has lower number than corresponding lib from previous release? (!)
1. Uninstall Kea, check what is left (there should be just configuration files)
1. Check if all of installed binaries have a man page
1. if not, is it in the tarball?
1. are man pages up-to-date?
1. Check if documentation is properly formatted, has correct versions and dates.
1. it's advised to search for previous version numbers, some of them are statically added in statements that are no longer valid
1. [x] Upload tarballs to repo.isc.org using Jenkins
1. Go to [release-tarball-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-tarball-upload-internal/) Jenkins job.
1. Click "Build with Parameters"
1. In field "Tarball" select picked tarball build
1. In field "Release_Candidate" pick:
1. rc1 if this is the first selected build for release, it will push selected tarballs to repo.isc.org, to a directory suffixed with indicated rc#
1. next rc# if this is a respin after some fixes (note: it is not possible to pick previous rc number - it will result in error)
1. final if the last rc number was ok, this will push the selected tarball to repo.isc.org, to a directory with no suffixes
1. Submit the job that will automatically:
1. Upload the tarballs <br>
and if this is not the final version:
1. Create a GitLab issue for sanity checks, put there the announcement
1. Send Sanity Checks announcement via email to dhcp-team@isc.org and to DHCP channel on Mattermost.<br>
The announcement includes:
- a link to chapter 4 Sanity Checks of the release process: [KeaReleaseProcess - SanityChecks](https://wiki.isc.org/bin/view/QA/KeaReleaseProcess#4.%20Sanity%20Checks)
- a link to an issue created in the previous step
- tarballs locations with SHA256 checksums
- rpm/deb packages locations and versions
## Releasing Tarballs and Packages
1. [x] Update Release Notes with ChangeLog entries
1. [x] Upload final RPM & DEB packages to cloudsmith.io
1. Go to [release-pkgs-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-upload-internal/).
1. Click "Build with Parameters" link
1. Pick your selected pkg build in Packages field, and select `PrivPubRepos: "both"`, `TestProdRepos: "production"` and click Build button.
1. When it finishes run check: [releases-pkgs-check-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-pkgs-check-internal/).
1. [x] Upload final tarballs to repo.isc.org
1. Go to [release-tarball-upload-internal](https://jenkins.aws.isc.org/job/kea-dev/job/release-tarball-upload-internal/) Jenkins job.
1. Click "Build with Parameters"
1. In field "Tarball" select picked tarball build
1. In field "Release_Candidate" pick final <br>
This job will also: <br>
- open an issue on [the signing repository](https://gitlab.isc.org/isc-private/signing/-/issues) requesting signing final tarballs on repo.isc.org
- send a signing request issue link on the DHCP Mattermost channel
- create Git tags `Kea-a.b.c` in Kea main and premium repositories
1. [x] Send a request for publishing the release on the Support Mattermost channel linking the Signing issue and the release checklist.
1. Mark Jenkins jobs with release artifacts to be kept forever: <br>
Go to the following Jenkins jobs, click release build and then, on the build page, click `Keep this build forever` button: <br>
1. [x] [tarball-internal job](https://jenkins.aws.isc.org/job/kea-dev/job/tarball-internal/)
1. [x] [pkg job](https://jenkins.aws.isc.org/job/kea-dev/job/pkg/)
1. Update ReadTheDocs
1. [x] Trigger rebuilding docs on [readthedocs.org](https://readthedocs.org/projects/kea/builds).
1. [x] Publish currently released version. On the `Versions` tab, scroll down to `Activate a version`, search for `kea-a.b.c` and click `Activate`.
1. [x] For stable releases, change the default version to point to this stable release.
### On the Day of Public Release
- [ ] ***(Support)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- [ ] ***(Support)*** Place tarballs in public location on FTP site.
- [ ] ***(Support)*** Publish links to downloads on ISC website.
- [ ] ***(Support)*** Write release email to *kea-announce*.
- [ ] ***(Support)*** Write email to *kea-users* (if a major release).
- [ ] ***(Support)*** Send eligible customers updated links to the Subscription software FTP site.
- [ ] ***(Support)*** If it is a new major version, sweng will have created a new repo in Cloudsmith, which will need the customer tokens migrated from an existing repo. Then update support customers that this new private repo exists.
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [x] ***(QA)*** Inform Marketing of the release.
- [ ] ***(Marketing)*** Upload Premium hooks tarball to SendOwl. Create a new product if a new branch, otherwise update existing product. Send notifications to existing subscribers of the new version.
- [x] ***(Marketing)*** Announce on social media.
- [x] ***(Marketing)*** Update [Wikipedia entry for Kea](https://en.wikipedia.org/wiki/Kea_(software)).
- [x] ***(Marketing)*** Write blog article (if a major release).
- [x] ***(Marketing)*** Update [Kea page on web site if any new hooks](https://www.isc.org/kea/).
- [x] ***(Marketing)*** Update Kea Premium and Kea Subscription data sheets if any new hooks.
- [x] ***(Marketing)*** Update [significant features matrix](https://kb.isc.org/docs/en/aa-01615) (if any significant new features).
- [x] ***(Marketing)*** Update [Kea documentation page in KB](https://kb.isc.org/docs/en/kea-administrator-reference-manual).
## Post-Release, But Before Code Unfreeze
- [x] Bump up Kea version in `configure.ac` to next development version which could be, based on just released version `a.b.c`:
* `a.b.z-git` where `z == c + 1` or
* `a.y.0-git` where `y == b + 1` or
* `x.1.0-git` where `x == a + 1`

kea1.9.7

https://gitlab.isc.org/isc-projects/kea/-/issues/1820
bump up libs and hooks versions for 1.9.7 release
2021-04-26T07:56:00Z
Michal Nowikowski

script: [./tools/bump-lib-versions.sh](https://gitlab.isc.org/isc-projects/kea/-/blob/master/tools/bump-lib-versions.sh) Kea-q.w.e Kea-a.b.c (where `a.b.c` is the version to be released and `q.w.e` is the version previous to that)

kea1.9.7
Razvan Becheriu

https://gitlab.isc.org/isc-projects/bind9/-/issues/2563
rndc modzone to change dnssec-policy retire existing keys immediately
2021-04-01T11:19:56Z
Arth Paulite

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
Changing dnssec-policy using rndc modzone for an existing signed zone causes keymgr to retire existing keys. I have bind configured with "allow-new-zones yes;" so I could add, delete, and modify zones using rndc. I also configured bind with 2 dnssec-policy: rsasha256 and ecdsap256. I'm hoping this should allow me to do algorithm rollover by changing dnssec-policy using rndc modzone. The following command immediately retires the existing DNSKEY and creates a new one.
```
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
```
### Tested version
* BIND-9.16.11 (Stable Release)
* BIND 9.16.12 (Stable Release)
### Steps to reproduce
1. Configure bind with "allow-new-zones yes;" and two dnssec-policy with different algorithm. This will allow rndc addzone to add zone and rndc modzone to change dnssec-policy of existing zone. I also configured logging with dnssec category.
2. Load the zone with dnssec-policy:
```
rndc addzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy rsasha256; file "data/example.com"; };'
```
dnssec log result:
```
09-Mar-2021 16:06:10.627 dnssec: info: zone example.com/IN (signed): generated salt: CB4EAB14FFF8A6D4731D94FD2EC9DFD8
09-Mar-2021 16:06:10.634 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:06:10.700 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/25870 (KSK) created for policy rsasha256
09-Mar-2021 16:06:10.749 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/54564 (ZSK) created for policy rsasha256
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/25870 (KSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now active
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/54564 (ZSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now active
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,5,CB4EAB14FFF8A6D4731D94FD2EC9DFD8)
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 18:11:10.634
```
3. Check that both KSK & ZSK are RSASHA256 (Algorithm 8)
```
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAbPGinhOiZq3JyeUWyGF3DxjXtQqoBjQeWzoyhSJ
ZtrqVLkz6ocoQ3y6trcjGN2f7YTSWNPIffwdZ69XHmyV
QvUkJYCCrskiP6RzhZffU9AMP1GR1k5QXWX+/RMOCJta
yasvdQo/2gbplzz78nLmXRzhnSzl1GSNGeG9orGtdbyo
89uPP+SJv13zB5rR7mxIj78bl3eVV0bdWf4G4okBE64M
2NJqG0tJwpI2XFysEkNT0JtLPjtiKgK4dFUzxuc5Cq4W
258611VoGWXlqSwBI03UABwLrzO7q4R0oijEtNjWlSNw
vohw/EGkJcTARofVFFo9Aar0AoP3YzjbdA4r+Ls=
) ; KSK; alg = RSASHA256 ; key id = 41266
example.com. 3600 IN DNSKEY 256 3 8 (
AwEAAd0OQXZ//c6Msr1FVK9qJ8QSUehOETVgPmslvrfv
J94LwS9VAgJAE/mZfJdq/OJwcD6uvwycmfpuOjCpr5OL
k/eVAoVcIRBX2NGnhANPIqDo6n9VzqCeNcxX3tJt6uW4
JDxN2GLgaJ7mQAaQr8LIOTe+YLqbVs1s43YaDVfEfLxd
xh0sUS+HErTAt/7DVPV+nkgf2S8yuwdHniVDFfGOgGbp
t42OlVJaqHo7lj6boAZRaIPTX+aoGKuOz4EhXnRwqmwK
/Y9W9NIkT0H0MHSlfcM0B3KtRBwJ+jD3XM7hu8mm4XBU
cFArX/Od/wP3VCB4CNArtoZS4/agMFIEEBIVMhc=
) ; ZSK; alg = RSASHA256 ; key id = 44445
```
4. Change the zone dnssec-policy using rndc modzone
```
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
```
dnssec log result:
```
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/25870 (KSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/54564 (ZSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY exampl.com/ECDSAP256SHA256/23518 (KSK) created for policy ecdsap256
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) created for policy ecdsap256
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 25870/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 54564/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/23518 (KSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now active
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/12118 (ZSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now active
```
5. Check that KSK & ZSK are now both ECDSAP256 (algorithm 13) and there are no more RSASHA256 DNSKEYs
```
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 256 3 13 (
bn2PN0mWvMhjgDiVCnO/dDwPS8JaK6Cas5vBI6D7gds8
PXlMeTSJRQSVcyM1OuZIo/V5JIFiQUiiME1IBD+TNw==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
u6dqheaPjAhwSzuVrroi9na4L4biKfUQDBWRfsjcDyfz
EkPvHIoOZ/DM+FQynz+vyrZ7HnG6fCk9jtz/cmB8vw==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113
```
### What is the current *bug* behavior?
Using rndc modzone to change zone dnssec-policy retires existing keys immediately.
```
rndc modzone example.com. '{ type slave; masters { 192.168.0.53; }; dnssec-policy ecdsap256; file "data/example.com"; };'
```
### (What actually happens.)
The initial RSASHA256 DNSKEYs were retired immediately and were replaced by ECDSAP256 after running "rndc modzone example.com" with another dnssec-policy containing ECDSAP256 algorithm.
### What is the expected *correct* behavior?
If algorithm rollover is supported with dnssec-policy, existing RSASHA256 keys and ECDSAP256 keys should be visible.
The following command should show 4 DNSKEY. There should be 2 DNSKEY with algorithm 8 and 2 DNSKEY with algorithm 13.
```
dig dnskey example.com. @localhost +multiline
;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 (
AwEAAbPGinhOiZq3JyeUWyGF3DxjXtQqoBjQeWzoyhSJ
ZtrqVLkz6ocoQ3y6trcjGN2f7YTSWNPIffwdZ69XHmyV
QvUkJYCCrskiP6RzhZffU9AMP1GR1k5QXWX+/RMOCJta
yasvdQo/2gbplzz78nLmXRzhnSzl1GSNGeG9orGtdbyo
89uPP+SJv13zB5rR7mxIj78bl3eVV0bdWf4G4okBE64M
2NJqG0tJwpI2XFysEkNT0JtLPjtiKgK4dFUzxuc5Cq4W
258611VoGWXlqSwBI03UABwLrzO7q4R0oijEtNjWlSNw
vohw/EGkJcTARofVFFo9Aar0AoP3YzjbdA4r+Ls=
) ; KSK; alg = RSASHA256 ; key id = 41266
example.com. 3600 IN DNSKEY 256 3 8 (
AwEAAd0OQXZ//c6Msr1FVK9qJ8QSUehOETVgPmslvrfv
J94LwS9VAgJAE/mZfJdq/OJwcD6uvwycmfpuOjCpr5OL
k/eVAoVcIRBX2NGnhANPIqDo6n9VzqCeNcxX3tJt6uW4
JDxN2GLgaJ7mQAaQr8LIOTe+YLqbVs1s43YaDVfEfLxd
xh0sUS+HErTAt/7DVPV+nkgf2S8yuwdHniVDFfGOgGbp
t42OlVJaqHo7lj6boAZRaIPTX+aoGKuOz4EhXnRwqmwK
/Y9W9NIkT0H0MHSlfcM0B3KtRBwJ+jD3XM7hu8mm4XBU
cFArX/Od/wP3VCB4CNArtoZS4/agMFIEEBIVMhc=
) ; ZSK; alg = RSASHA256 ; key id = 44445
example.com. 3600 IN DNSKEY 256 3 13 (
bn2PN0mWvMhjgDiVCnO/dDwPS8JaK6Cas5vBI6D7gds8
PXlMeTSJRQSVcyM1OuZIo/V5JIFiQUiiME1IBD+TNw==
) ; ZSK; alg = ECDSAP256SHA256 ; key id = 14912
example.com. 3600 IN DNSKEY 257 3 13 (
u6dqheaPjAhwSzuVrroi9na4L4biKfUQDBWRfsjcDyfz
EkPvHIoOZ/DM+FQynz+vyrZ7HnG6fCk9jtz/cmB8vw==
) ; KSK; alg = ECDSAP256SHA256 ; key id = 2113
```
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
named.conf
```
options {
key-directory "/data/keys";
allow-new-zones yes;
request-ixfr yes;
ixfr-from-differences yes;
provide-ixfr yes;
};
# DNSSEC Policy ECDSA
dnssec-policy "ecdsap256" {
nsec3param iterations 5 optout no salt-length 16;
keys {
ksk key-directory lifetime P1Y algorithm 13;
zsk key-directory lifetime 60d algorithm 13;
};
// Signatures
signatures-refresh P1D;
signatures-validity P2D;
signatures-validity-dnskey P7D;
// Keys
dnskey-ttl 3600;
publish-safety PT3600S;
retire-safety PT3600S;
};
# DNSSEC Policy RSASHA2
dnssec-policy "rsasha256" {
nsec3param iterations 5 optout no salt-length 16;
keys {
ksk key-directory lifetime P1Y algorithm RSASHA256;
zsk key-directory lifetime 30d algorithm RSASHA256;
};
// Signatures
signatures-refresh P1D;
signatures-validity P7D;
signatures-validity-dnskey P14D;
// Keys
dnskey-ttl 3600;
publish-safety PT3600S;
retire-safety PT3600S;
};
```
### Relevant logs and/or screenshots
```
09-Mar-2021 16:06:10.627 dnssec: info: zone example.com/IN (signed): generated salt: CB4EAB14FFF8A6D4731D94FD2EC9DFD8
09-Mar-2021 16:06:10.634 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:06:10.700 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/25870 (KSK) created for policy rsasha256
09-Mar-2021 16:06:10.749 dnssec: info: keymgr: DNSKEY example.com/RSASHA256/54564 (ZSK) created for policy rsasha256
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/25870 (KSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now active
09-Mar-2021 16:06:10.750 dnssec: info: Fetching example.com/RSASHA256/54564 (ZSK) from key repository.
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now published
09-Mar-2021 16:06:10.750 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now active
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): zone_addnsec3chain(1,INITIAL|CREATE,5,CB4EAB14FFF8A6D4731D94FD2EC9DFD8)
09-Mar-2021 16:06:10.765 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 18:11:10.634
09-Mar-2021 16:07:48.457 dnssec: info: zone example.com/IN (signed): reconfiguring zone keys
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/25870 (KSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: retire DNSKEY example.com/RSASHA256/54564 (ZSK)
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) created for policy ecdsap256
09-Mar-2021 16:07:48.458 dnssec: info: keymgr: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) created for policy ecdsap256
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 25870/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/25870 (KSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Removing expired key 54564/RSASHA256 from DNSKEY RRset.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/RSASHA256/54564 (ZSK) is now deleted
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/23518 (KSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/23518 (KSK) is now active
09-Mar-2021 16:07:48.459 dnssec: info: Fetching example.com/ECDSAP256SHA256/12118 (ZSK) from key repository.
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now published
09-Mar-2021 16:07:48.459 dnssec: info: DNSKEY example.com/ECDSAP256SHA256/12118 (ZSK) is now active
09-Mar-2021 16:07:48.464 dnssec: info: zone example.com/IN (signed): next key event: 09-Mar-2021 17:12:48.457
```
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

April 2021 (9.11.30/9.11.31, 9.11.30-S1/9.11.31-S1, 9.16.14/9.16.15, 9.16.14-S1/9.16.15-S1, 9.17.12)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/1821
Changes for Kea 1.9.7 release
2021-04-26T09:38:38Z
release changes script

- updated copyright years
- regenerated parsers
- regenerated message headers
- added release entry in ChangeLog
- update kea version

kea1.9.7

https://gitlab.isc.org/isc-projects/bind9/-/issues/2564
nslookup segfaults for SERVFAIL
2022-04-26T13:18:18Z
John Perone

### Summary
nslookup (and host) segfault when the answer is SERVFAIL. dig works as expected.
### BIND version used
BIND 9.17.10 (Development Release) <id:5fbd5ff><br>
Tested also 9.17.9 with the same results
### Steps to reproduce
nslookup redpress.gr<br>
Segmentation fault
### What is the current *bug* behavior?
isc-net-0000[21534]: segfault at ffffffffffffffff ip 000000000040f661 sp 00007faad57a9820 error 4 in nslookup[400000+17000]
### What is the expected *correct* behavior?
nslookup redpress.gr<br>
Server: 127.0.0.1<br>
Address: 127.0.0.1#53<br>
<br>
** server can't find redpress.gr: SERVFAIL

May 2021 (9.11.32, 9.11.32-S1, 9.16.16, 9.16.16-S1, 9.17.13)
Diego dos Santos Fronza

https://gitlab.isc.org/isc-projects/kea/-/issues/1822
update release checklist template
2021-04-23T10:56:23Z
Michal Nowikowski

Updated step for changing or updating source code so it uses new script update-code-for-release.py.

kea1.9.7
Michal Nowikowski

https://gitlab.isc.org/isc-projects/bind9/-/issues/2565
A flaw in serve-stale's interaction with fetch limits causes crashes for dual-mode (authoritative + recursive) servers
2021-03-11T15:32:06Z
Michal Nowak

There's a [crash](https://gitlab.isc.org/isc-private/bind9/-/jobs/1564386) on `v9_16_sub` in the `serve-stale` system test:
```
rbtdb.c:5195: REQUIRE(version == ((void *)0)) failed, back trace
```
```
Core was generated by `/builds/isc-private/bind9/bin/named/.libs/lt-named -D serve-stale-ns1 -X named.'.
Program terminated with signal 6, Aborted.
#0 0x00007f6a3c45b387 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
55 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
#0 0x00007f6a3c45b387 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1 0x00007f6a3c45ca78 in __GI_abort () at abort.c:90
#2 0x000000000041fe04 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at ./main.c:267
#3 0x00007f6a3e6f2ba0 in isc_assertion_failed (file=file@entry=0x7f6a3faf3b13 "rbtdb.c", line=line@entry=5195, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f6a3fb12e6a "version == ((void *)0)") at assertions.c:46
#4 0x00007f6a3f9e88e4 in cache_findext (db=0x7f6a2792b020, name=0x7f69d800ece0, version=<optimized out>, type=16, options=3072, now=1615310907, nodep=0x7f6a3a8f9c20, foundname=0x7f69d800ec90, methods=0x7f6a3a8f9c58, clientinfo=0x0, rdataset=0x7f69d80135a0, sigrdataset=0x0) at rbtdb.c:5195
#5 0x00007f6a3f96f3a0 in dns_db_findext (db=0x7f6a2792b020, name=name@entry=0x7f69d800ece0, version=0x7f6a27977348, type=<optimized out>, options=options@entry=3072, now=1615310907, nodep=nodep@entry=0x7f6a3a8f9c20, foundname=0x7f69d800ec90, methods=methods@entry=0x7f6a3a8f9c58, clientinfo=clientinfo@entry=0x0, rdataset=0x7f69d80135a0, sigrdataset=0x0) at db.c:526
#6 0x00007f6a3fd7615c in query_lookup (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:6011
#7 0x00007f6a3fd77f2a in query_delegation_recurse (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:9109
#8 0x00007f6a3fd782a7 in query_delegation (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:9036
#9 0x00007f6a3fd78688 in query_notfound (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:8813
#10 0x00007f6a3fd75821 in query_gotanswer (qctx=qctx@entry=0x7f6a3a8f9790, res=res@entry=23) at query.c:7791
#11 0x00007f6a3fd764bd in query_lookup (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:6217
#12 0x00007f6a3fd77cf4 in query_zone_delegation (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:8960
#13 0x00007f6a3fd7805b in query_delegation (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:8988
#14 0x00007f6a3fd7582e in query_gotanswer (qctx=qctx@entry=0x7f6a3a8f9790, res=res@entry=65565) at query.c:7794
#15 0x00007f6a3fd764bd in query_lookup (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:6217
#16 0x00007f6a3fd777c7 in ns__query_start (qctx=qctx@entry=0x7f6a3a8f9790) at query.c:5659
#17 0x00007f6a3fd7b5f2 in query_setup (client=client@entry=0x7f69d8005a08, qtype=qtype@entry=16) at query.c:5372
#18 0x00007f6a3fd7bf7a in ns_query_start (client=client@entry=0x7f69d8005a08, handle=handle@entry=0x7f69d80058a0) at query.c:12294
#19 0x00007f6a3fd588ad in ns__client_request (handle=0x7f69d80058a0, eresult=<optimized out>, region=<optimized out>, arg=<optimized out>) at client.c:2250
#20 0x00007f6a3e70b3e4 in isc__nm_async_readcb (worker=worker@entry=0x0, ev0=ev0@entry=0x7f6a3a8fa8a0) at netmgr.c:1861
#21 0x00007f6a3e70b4c0 in isc__nm_readcb (sock=sock@entry=0x7f6a2050bf10, uvreq=<optimized out>, eresult=eresult@entry=0) at netmgr.c:1836
#22 0x00007f6a3e70fdd8 in udp_recv_cb (handle=<optimized out>, nrecv=53, buf=0x7f6a3a8fa9d0, addr=0x7f6a3a8faa20, flags=<optimized out>) at udp.c:466
#23 0x00007f6a3d30906f in uv__udp_io () from /lib64/libuv.so.1
#24 0x00007f6a3d30a8c3 in uv__io_poll () from /lib64/libuv.so.1
#25 0x00007f6a3d2fa0d0 in uv_run () from /lib64/libuv.so.1
#26 0x00007f6a3e70bedc in nm_thread (worker0=0xdc8da0) at netmgr.c:553
#27 0x00007f6a3e729950 in isc__trampoline_run (arg=0xdb7b00) at trampoline.c:191
#28 0x00007f6a3c7faea5 in start_thread (arg=0x7f6a3a8fe700) at pthread_create.c:307
#29 0x00007f6a3c52396d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```
`thread apply all bt full`: [1564386-bt.txt](/uploads/67fe32e3b33e7ce89b71b4a5c5211c37/1564386-bt.txt)
core: [core.1436.gz](/uploads/9042f6a521c3f71dbf283efe3a5019dd/core.1436.gz)
`named.run`: [named.run](/uploads/8b31e811f7f9a25da955d6c079642ae2/named.run)

March 2021 (9.11.29, 9.11.29-S1, 9.16.13, 9.16.13-S1, 9.17.11)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/kea/-/issues/1823
ut-extended not running for alpine & freebsd
2021-06-25T16:38:40Z
Andrei Pavel andrei@isc.org

https://jenkins.aws.isc.org/job/kea-dev/job/ut-extended/258/
```
00:06:10.158 + python3 ./hammer.py prepare-system -p local -w radius
00:06:10.429 [HAMMER] 2021-04-23 14:37:05,513 Enabled features: unittest radius perfdhcp docs install
00:06:10.442 [HAMMER] 2021-04-23 14:37:05,514 Preparing deps for alpine 3.12
00:06:10.442 [HAMMER] 2021-04-23 14:37:05,516 >>>>> Executing sudo apk add gcc g++ make autoconf automake libtool openssl-dev boost-libs boost-dev procps tar py3-sphinx py3-sphinx_rtd_theme in /tmp/workspace/kea-dev/ut-extended
00:06:10.699 [HAMMER] 2021-04-23 14:37:05,757 >>>>> Executing sudo apk add log4cplus log4cplus-dev --update-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ --allow-untrusted in /tmp/workspace/kea-dev/ut-extended
00:06:10.974 [HAMMER] 2021-04-23 14:37:06,197 Can't add 'vagrant' user to 'abuild' group. Vagrant or abuild does not exist.
00:06:10.987 [HAMMER] 2021-04-23 14:37:06,197 >>>>> Executing sudo adduser jenkins abuild in /tmp/workspace/kea-dev/ut-extended
00:06:10.987 fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
00:06:10.987 fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
00:06:10.987 OK: 1474 MiB in 360 packages
00:06:10.987 fetch http://dl-3.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
00:06:10.987 OK: 1474 MiB in 360 packages
00:06:10.987 Traceback (most recent call last):
00:06:10.987 File "./hammer.py", line 2630, in <module>
00:06:10.987 main()
00:06:10.987 File "./hammer.py", line 2602, in main
00:06:10.987 prepare_system_cmd(args)
00:06:10.987 File "./hammer.py", line 2443, in prepare_system_cmd
00:06:10.987 prepare_system_local(features, args.check_times)
00:06:10.987 File "./hammer.py", line 1548, in prepare_system_local
00:06:10.987 _install_freeradius_client(system, revision, features, env, check_times)
00:06:10.987 File "./hammer.py", line 1207, in _install_freeradius_client
00:06:10.987 raise NotImplementedError('no implementation for %s' % system)
00:06:10.987 NotImplementedError: no implementation for alpine
```

kea1.9.9
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2566
dig: Machine friendly output expected (tabs, spaces, etc)
2021-03-19T09:11:34Z
flindeberg

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
`dig` is not consistent with the use of tabs and spaces in output, which is confusing per the `man`-page itself (for the `+[no]multiline`-option):
> The default is to print each record on a single line to facilitate machine parsing of the dig output.
This should, in my interpretation, mean that the intention is for `dig` to produce machine friendly output by default. Therefore this is filed as a `bug` rather than a feature request. However, I realize the hassle of changing the default output format since most often it is possible to work around it, and most users, I assume, have not encountered it. I encountered it when going through entire zones-files by AXFR when I realized that some outputs were a bit off after doing some yoga on the zone-contents.
### BIND version used
`BIND 9.16.12 (Stable Release) <id:aeb943d>`
### Steps to reproduce
Illustration (using one long domain name and one short domain name which causes the issue):
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | cut -f1,4,5
iis.se. 3417 IN
iis.se. 3417 IN
iis.se. 3417 IN
abbekaslagerologistik.se. 118 ns1.teleservice.net.
abbekaslagerologistik.se. 118 ns2.teleservice.net.
```
I get different fields depending on how many tabs and spaces `dig` chooses to use for that particular record. I would expect that "machine friendly" output would be in line with POSIX command behavior.
Also note above that `field1` is `iis.se` and `abbekaslagerologistik.se. 118` (since there is a space here, not a tab). And that `abbekaslagerologistik.se.` lacks a `field3`.
### What is the current *bug* behavior?
Using alias defined at https://superuser.com/a/1503113/ in below examples.
> alias whitespace="sed 's/ /·/g;s/\t/→/g;s/\r/§/g;s/$/¶/g'"
For example:
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se
iis.se. 358 IN NS ns.nic.se.
iis.se. 358 IN NS i.ns.se.
iis.se. 358 IN NS ns3.nic.se.
abbekaslagerologistik.se. 120 IN NS ns1.teleservice.net.
abbekaslagerologistik.se. 120 IN NS ns2.teleservice.net.
```
With whitespaces marked (`→` is tab, `·` is space, `¶` newline):
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | whitespace
iis.se.→→→208→IN→NS→ns.nic.se.¶
iis.se.→→→208→IN→NS→i.ns.se.¶
iis.se.→→→208→IN→NS→ns3.nic.se.¶
abbekaslagerologistik.se.·120→IN→NS→ns1.teleservice.net.¶
abbekaslagerologistik.se.·120→IN→NS→ns2.teleservice.net.¶
```
This output is not machine friendly, it is rather human friendly :-) This has the effect that when machine friendly tools, such as `cut`, are used, the output becomes both human and machine hostile:
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | cut -f1,4,5
iis.se. 3417 IN
iis.se. 3417 IN
iis.se. 3417 IN
abbekaslagerologistik.se. 118 ns1.teleservice.net.
abbekaslagerologistik.se. 118 ns2.teleservice.net.
```
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | cut -f1,4,5 | whitespace
iis.se.→3244→IN¶
iis.se.→3244→IN¶
iis.se.→3244→IN¶
abbekaslagerologistik.se.·120→ns1.teleservice.net.¶
abbekaslagerologistik.se.·120→ns2.teleservice.net.¶
```
### What is the expected *correct* behavior?
Illustration using `sed` and `tr` to provide expected behavior. `sed` to get rid of spaces, and `tr` to get rid of double tabs (and converted spaces). This command line is based on bashisms (i.e. `$'\t'`), which most shells seem to support.
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | sed 's/ /\t/g' | tr -s $'\t' | cut -f1,4,5
iis.se. NS ns.nic.se.
iis.se. NS i.ns.se.
iis.se. NS ns3.nic.se.
abbekaslagerologistik.se. NS ns1.teleservice.net.
abbekaslagerologistik.se. NS ns2.teleservice.net.
```
And with whitespace to illustrate the machine friendliness:
```
> dig +noall +answer ns iis.se abbekaslagerologistik.se | sed 's/ /\t/g' | tr -s $'\t' | cut -f1,4,5 | whitespace
iis.se.→NS→ns.nic.se.¶
iis.se.→NS→i.ns.se.¶
iis.se.→NS→ns3.nic.se.¶
abbekaslagerologistik.se.→NS→ns1.teleservice.net.¶
abbekaslagerologistik.se.→NS→ns2.teleservice.net.¶
```
### Relevant configuration files
Defaults
### Relevant logs and/or screenshots
See above
### Possible fixes
I have not looked into the codebase (yet), unsure if I will since it is possible to work around it.

https://gitlab.isc.org/isc-projects/kea/-/issues/1824
Add the plus operator (+) to make eval expressions simpler
2021-04-30T17:34:09Z
Andrei Pavel andrei@isc.org

Discussion started in [this thread](https://gitlab.isc.org/isc-private/kea-premium/-/merge_requests/161#note_207881). The larger consensus was on replacing `concat(a, b)` with `a + b` (or `+(a, b)`?). This would reduce the number of parenthesis nesting levels (at least in the case of the infix notation), thus reducing eye strain :eyes: and eyeglass numbers :eyeglasses:.
NOTE: The idea is to add an alias, so both `concat(a, b)` and `a + b` would work. We need to keep `concat` for backward compatibility and we want `+` for ease of use.

kea1.9.8
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/2567
warning: array subscript is of type 'char' on NetBSD 9
2021-03-29T12:16:09Z
Michal Nowak

`main` produces warnings on NetBSD 9.1 with Clang 10.0.1:
```
url.c:240:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (isalpha(ch)) {
^~~~~~~~~~~
/usr/include/sys/ctype_inline.h:49:44: note: expanded from macro 'isalpha'
#define isalpha(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_A))
^~~~
url.c:247:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (isalpha(ch)) {
^~~~~~~~~~~
/usr/include/sys/ctype_inline.h:49:44: note: expanded from macro 'isalpha'
#define isalpha(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_A))
^~~~
url.c:291:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (IS_USERINFO_CHAR(ch) || ch == '[' || ch == ']') {
^~~~~~~~~~~~~~~~~~~~
url.c:194:3: note: expanded from macro 'IS_USERINFO_CHAR'
(isalnum(c) || IS_MARK(c) || (c) == '%' || (c) == ';' || (c) == ':' || \
^~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
url.c:377:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (IS_USERINFO_CHAR(ch)) {
^~~~~~~~~~~~~~~~~~~~
url.c:194:3: note: expanded from macro 'IS_USERINFO_CHAR'
(isalnum(c) || IS_MARK(c) || (c) == '%' || (c) == ';' || (c) == ':' || \
^~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
url.c:387:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (IS_HOST_CHAR(ch)) {
^~~~~~~~~~~~~~~~
url.c:199:26: note: expanded from macro 'IS_HOST_CHAR'
#define IS_HOST_CHAR(c) (isalnum(c) || (c) == '.' || (c) == '-')
^~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
url.c:394:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (IS_HOST_CHAR(ch)) {
^~~~~~~~~~~~~~~~
url.c:199:26: note: expanded from macro 'IS_HOST_CHAR'
#define IS_HOST_CHAR(c) (isalnum(c) || (c) == '.' || (c) == '-')
^~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
url.c:413:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (isxdigit(ch) || ch == ':' || ch == '.') {
^~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:58:45: note: expanded from macro 'isxdigit'
#define isxdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_X))
^~~~
url.c:430:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (isalnum(ch) || ch == '%' || ch == '.' || ch == '-' ||
^~~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
url.c:439:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (isdigit(ch)) {
^~~~~~~~~~~
/usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
#define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
^~~~
9 warnings generated.
```
```
netmgr/http.c:2694:20: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (MATCH('_') || MATCH_ALPHA()) {
^~~~~~~~~~~~~
netmgr/http.c:2588:24: note: expanded from macro 'MATCH_ALPHA'
#define MATCH_ALPHA() isalpha(st->str[0])
^~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:49:44: note: expanded from macro 'isalpha'
#define isalpha(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_A))
^~~~
netmgr/http.c:2701:23: warning: array subscript is of type 'char' [-Wchar-subscripts]
while (MATCH('_') || MATCH_ALNUM()) {
^~~~~~~~~~~~~
netmgr/http.c:2589:24: note: expanded from macro 'MATCH_ALNUM'
#define MATCH_ALNUM() isalnum(st->str[0])
^~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
netmgr/http.c:2735:6: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (MATCH_ALNUM() || MATCH('_') || MATCH('.') || MATCH('-') ||
^~~~~~~~~~~~~
netmgr/http.c:2589:24: note: expanded from macro 'MATCH_ALNUM'
#define MATCH_ALNUM() isalnum(st->str[0])
^~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:48:44: note: expanded from macro 'isalnum'
#define isalnum(c) ((int)((_ctype_tab_ + 1)[(c)] & (_CTYPE_A|_CTYPE_D)))
^~~~
netmgr/http.c:2751:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (!MATCH_XDIGIT()) {
^~~~~~~~~~~~~~
netmgr/http.c:2590:24: note: expanded from macro 'MATCH_XDIGIT'
#define MATCH_XDIGIT() isxdigit(st->str[0])
^~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:58:45: note: expanded from macro 'isxdigit'
#define isxdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_X))
^~~~
netmgr/http.c:2756:7: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (!MATCH_XDIGIT()) {
^~~~~~~~~~~~~~
netmgr/http.c:2590:24: note: expanded from macro 'MATCH_XDIGIT'
#define MATCH_XDIGIT() isxdigit(st->str[0])
^~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:58:45: note: expanded from macro 'isxdigit'
#define isxdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_X))
^~~~
```

April 2021 (9.11.30/9.11.31, 9.11.30-S1/9.11.31-S1, 9.16.14/9.16.15, 9.16.14-S1/9.16.15-S1, 9.17.12)

https://gitlab.isc.org/isc-projects/kea/-/issues/1825
dhcp pkt getIndex() and setIndex() should use int64_t instead of uint32_t type for ifindex
2023-03-30T02:33:46Z
bglsriram

**Describe the bug**
https://github.com/isc-projects/kea/commit/2a453ec2f66ea4681283df5a4d9e99410a974507 modified ifindex_ to int64_t from an earlier int type and introduced methods: resetIndex() which sets ifindex_ to -1 and indexSet() which checks if ifindex_ is greater than or equal to 0.
However, the getIndex() and setIndex() methods still work with a uint32_t ifindex and this causes ifindex to be truncated for the users of these 2 methods.
So, if a resetIndex() is followed either by getIndex() OR setIndex()[for example - copying of pkt], indexSet() invocation on the same pkt will return true.
**To Reproduce**
Steps to reproduce the behavior:
1. Run Kea dhcpv4
2. Install a pkt4_receive() kea dhcp library hook which does a query4/pkt->resetIndex()
3. IfaceMgr::getIface(const PktPtr& pkt) will return an invalid interface.
**Expected behavior**
If a resetIndex() is followed either by getIndex() OR setIndex()[for example - copying of pkt], indexSet() invocation on the same pkt should return false.
**Environment:**
- Kea version: 1.8.2
- OS: Ubuntu 16.04 x64
- Which features were compiled in (in particular which backends): Stock features enabled in the Makefile.
- If/which hooks were loaded in: libdhcp_ha.so, libdhcp_lease_cmds.so, libdhcp_stat_cmds.so and a custom hook to reproduce the issue by installing a pkt4_receive() kea dhcp library hook which does a query4/pkt->resetIndex()
**Additional Information**
**Contacting you**
bglsriram@gmail.com

kea1.9.11
Andrei Pavel andrei@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/2568
test_client.c: error: static declaration of 'yield' follows non-static declaration on Solaris
2022-04-11T14:48:24Z
Michal Nowak

Solaris 11.4 and OpenIndiana define [`yield(2)`](https://illumos.org/man/2/yield) in `unistd.h`. Defining function of the same name in `test_client.c` fails with:
```
test_client.c:329:1: error: static declaration of 'yield' follows non-static declaration
329 | yield(void) {
| ^~~~~
In file included from test_client.c:24:
/usr/include/unistd.h:563:13: note: previous declaration of 'yield' was here
563 | extern void yield(void);
| ^~~~~
```
`/usr/include/unistd.h`:
```
#if !defined(__XOPEN_OR_POSIX) || defined(__EXTENSIONS__)
extern void yield(void);
#endif /* !defined(__XOPEN_OR_POSIX) || defined(__EXTENSIONS__) */
```

March 2021 (9.11.29, 9.11.29-S1, 9.16.13, 9.16.13-S1, 9.17.11)

https://gitlab.isc.org/isc-projects/kea/-/issues/1826
kea lefts many subfolders and man pages in a system after make uninstall
2023-06-19T13:54:49Z
Michal Nowikowski

This is a list of folders and files that were not deleted by make uninstall.
All these should be deleted.
```
$PREFIX/lib/kea
$PREFIX/lib/kea/hooks
$PREFIX/lib/python3.8
$PREFIX/lib/python3.8/site-packages
$PREFIX/lib/python3.8/site-packages/kea
$PREFIX/lib/python3.8/site-packages/kea/__pycache__
$PREFIX/include/kea
$PREFIX/include/kea/dhcpsrv
$PREFIX/include/kea/dhcpsrv/parsers
$PREFIX/include/kea/process
$PREFIX/include/kea/cfgrpt
$PREFIX/include/kea/eval
$PREFIX/include/kea/dhcp_ddns
$PREFIX/include/kea/asiodns
$PREFIX/include/kea/stats
$PREFIX/include/kea/config
$PREFIX/include/kea/http
$PREFIX/include/kea/dhcp
$PREFIX/include/kea/hooks
$PREFIX/include/kea/config_backend
$PREFIX/include/kea/database
$PREFIX/include/kea/cc
$PREFIX/include/kea/asiolink
$PREFIX/include/kea/dns
$PREFIX/include/kea/cryptolink
$PREFIX/include/kea/log
$PREFIX/include/kea/log/interprocess
$PREFIX/include/kea/util
$PREFIX/include/kea/util/random
$PREFIX/include/kea/util/io
$PREFIX/include/kea/util/encode
$PREFIX/include/kea/exceptions
$PREFIX/share/man/man8/perfdhcp.8
$PREFIX/share/man/man8/kea-shell.8
$PREFIX/share/man/man8/kea-netconf.8
$PREFIX/share/man/man8/kea-lfc.8
$PREFIX/share/man/man8/kea-dhcp-ddns.8
$PREFIX/share/man/man8/kea-dhcp6.8
$PREFIX/share/man/man8/kea-dhcp4.8
$PREFIX/share/man/man8/kea-ctrl-agent.8
$PREFIX/share/man/man8/keactrl.8
$PREFIX/share/man/man8/kea-admin.8
$PREFIX/share/kea
$PREFIX/share/kea/scripts
$PREFIX/share/kea/scripts/cql
$PREFIX/share/kea/scripts/pgsql
$PREFIX/share/kea/scripts/mysql
$PREFIX/var/run/kea
$PREFIX/var/lib/kea
```

backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/1475
user-context examples, API commands
2022-06-03T12:08:47Z
Peter Davies

It has been noted that there is an apparent lack of examples of the use of "user-context" in the Kea Arm.
It could be instructive to users if they had examples of the creation and use of "user-context" on different objects.
[RT #17135](https://support.isc.org/Ticket/Display.html?id=17135)
UPDATE: Looking at the support ticket, it seems the question also covers whether user context can be manipulated using commands.

kea2.1.7
Marcin Godzina

https://gitlab.isc.org/isc-projects/bind9/-/issues/2569
nsupdate on Solaris produces different failure text than expected
2021-03-29T12:22:12Z
Michal Nowak

The `nsupdate` system test fails on Solaris 11.4 because `nsupdate` fails with "failure" where "not found" is expected:
```
I:nsupdate:ensure unresolvable server name is fatal in non-interactive mode (40)
couldn't get address for 'unresolvable..': failure
syntax error
I:nsupdate:failed
I:nsupdate:ensure unresolvable server name is not fatal in interactive mode (41)
couldn't get address for 'unresolvable..': failure
I:nsupdate:failed
```
```shell
n=`expr $n + 1`
ret=0
echo_i "ensure unresolvable server name is fatal in non-interactive mode ($n)"
$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
server unresolvable..
END
cat nsupdate.out
grep "couldn't get address for 'unresolvable..': not found" nsupdate.out > /dev/null || ret=1
grep "syntax error" nsupdate.out > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
n=`expr $n + 1`
ret=0
echo_i "ensure unresolvable server name is not fatal in interactive mode ($n)"
$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
server unresolvable..
END
cat nsupdate.out
grep "couldn't get address for 'unresolvable..': not found" nsupdate.out > /dev/null || ret=1
[ $ret = 0 ] || { echo_i "failed"; status=1; }
```

April 2021 (9.11.30/9.11.31, 9.11.30-S1/9.11.31-S1, 9.16.14/9.16.15, 9.16.14-S1/9.16.15-S1, 9.17.12)

https://gitlab.isc.org/isc-projects/kea/-/issues/1827
Sanity checks for Kea 1.9.7 rc1
2021-05-10T09:35:36Z
jenkins

```
We are now at step SANITY CHECKS of Kea 1.9.7 rc1.
Please verify the packages and files according to "4. Sanity Checks" chapter on:
https://wiki.isc.org/bin/view/QA/KeaReleaseProcess#4.%20Sanity%20Checks
and your imagination.
Before starting any checks, please state what check you are doing in a
thread/discussion (not as comment) in Sanity Checks issue in GitLab:
When you finish given check state in the same thread/discussion what is the result.
This way we know what is covered upfront and we can avoid repeating ourselves.
Release content is located on:
1) [tarballs] repo.isc.org in the following folders:
/data/shared/sweng/kea/releases/1.9.7-rc1
/data/shared/sweng/kea/releases/premium-1.9.7-rc1
/data/shared/sweng/kea/releases/subscription-1.9.7-rc1
SHA256 (kea-1.9.7.tar.gz) = dff034706f408b2896324d065237940079b4b91c3943d3ec100d92e9667c725a
SHA256 (kea-premium-1.9.7.tar.gz) = 909c653ee770a1fac4be02451f541669382232900a42311efd81c0ccba0a39b6
SHA256 (kea-subscription-1.9.7.tar.gz) = b2fe31cdfd386a968e7e57bd31e7093d2dfb35d3e9eceeab2256ccce0169c2b8
2) [rpm/deb packages] on packages.isc.org, exact packages versions are stored here:
https://jenkins.aws.isc.org/job/kea-dev/job/pkg/332/
Release version is 1.9.7-isc0030320210426094706 (please verify if it is this version while installing).
Install instruction is here: https://wiki.isc.org/bin/view/QA/KeaReleaseProcess, chapter 4. Sanity Checks, point 9.
```

kea1.9.7

https://gitlab.isc.org/isc-projects/bind9/-/issues/2570
Testing issue
2021-03-11T11:59:54Z
Dan Mahoney

This is a testing issue, please ignore.

https://gitlab.isc.org/isc-projects/kea/-/issues/1828
update release checklist: installation tree check and automated sanity checks request
2021-04-28T12:51:02Z
Michal Nowikowski

kea1.9.8
Michal Nowikowski