ISC Open Source Projects issues
Link: https://gitlab.isc.org/groups/isc-projects/-/issues
Date: 2021-12-06T18:23:41Z

Issue: Rename STORK_AGENT_ADDRESS to STORK_AGENT_HOST
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/641
Date: 2021-12-06T18:23:41Z
Author: Marcin Siodelski

Our agent uses the `STORK_AGENT_ADDRESS` env variable to configure the address on which the agent listens. On the other hand we have `STORK_DATABASE_HOST` and `STORK_REST_HOST`. The command line switch for the agent's address is `--host`. To be consistent we should rename it to `STORK_AGENT_HOST`.

Milestone: 1.0
Assignee: Slawek Figiel

Issue: Assorted ARM fixes before the 1.0 release
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/642
Date: 2021-12-06T16:47:29Z
Author: Marcin Siodelski

2.1 Supported Systems
CentOS 7 - should be CentOS 8
macOS 10.5 - should be MacOS 11.3.1

2.3.2.3. Securing Connections
"should be readable/writable only for the user running the Stork Agent"
"should be readable/writable only BY the user running the Stork Agent"
"All credentials must to contains the values for 4 keys"
"All credentials must contain the values for 4 keys"
"ip", "port" etc should use the `

2.3.2.10/2.3.2.11
There is an example stork-tool command line. Maybe we should add an alternative using individual switches for password, host etc. There is a known problem when someone uses an invalid URL.

2.4.3.
"There are several components of Stork". Should be: "There are two Stork components"
"By default, all components are installed to the root folder in the current directory." Should be: "By default, all components are installed IN the root folder in the current directory."

2.5. Database Migration Tool
It neglects the tool's cert-export feature.

All chapters:
We use Stork Agent, Stork agent, Stork server and Stork Server. We should probably unify.

3. Using Stork
The first sentence instructs the user to navigate to localhost:8080 without mentioning that the URL varies depending on the configuration.

3.4.2. Deleting a Machine
"The preferred way to achieve that is to issue the killall stork-agent command"
Is it really killall stork-agent?

3.5.8. Kea HA Status
The picture is heavily outdated.

3.5.6.3. Sources of Host Reservations
"This interval is currently not configurable." is not true.

7. Demo
Lacks BIND9_2 container and premium container.

7.2.1
Using kea-1-7 in the example URL for getting the token. It should rather be 2.0.

Milestone: 1.0
Assignee: Marcin Siodelski

Issue: min-valid-lifetime and max-valid-lifetime not written by config-write
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2222
Date: 2022-01-20T16:24:34Z
Author: Maria Hrabosova

The min/max lifetimes in subnets are missing when the configuration is written using the `config-write` management API command.
Subnet configuration tested and set using `config-test` and `config-set`:
```
{
    "subnet": "192.168.0.0/24",
    ...
    "valid-lifetime": 3600,
    "min-valid-lifetime": 3600,
    "max-valid-lifetime": 3600,
}
```
Subnet configuration written using `config-write`:
```
{
    "subnet": "192.168.0.0/24",
    ...
    "valid-lifetime": 3600,
}
```
_Kea 1.9.6 on CentOS 7_

Milestone: kea2.1.2
Assignee: Francis Dupont

Issue: Allow extra arguments for database command line tools in kea-admin
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2225
Date: 2022-01-25T15:24:34Z
Author: Francis Dupont

The idea is to allow multiple -x / --extra <argument> to kea-admin: these extra arguments are passed to the database command line tool, e.g. -x --ssl will pass --ssl to mysql when the user managing a MySQL database was configured to require SSL/TLS protection of the connection to the server.

Milestone: kea2.1.2
Assignee: Andrei Pavel <andrei@isc.org>

Issue: 1.0 release
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/644
Date: 2021-12-08T11:15:01Z
Author: Wlodzimierz Wencel

Milestone: 1.0
Assignee: Wlodzimierz Wencel

Issue: Kea ARM review, continued (shell, integrations, netconf, gss-tsig)
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2226
Date: 2021-12-09T13:12:08Z
Author: Suzanne Goldlust

Continuing update of Kea ARM

Assignee: Thomas Markwalder

Issue: Change reject-000-label default to false in BIND 9.19
Link: https://gitlab.isc.org/isc-projects/bind9/-/issues/3047
Date: 2021-12-08T07:05:44Z
Author: Mark Andrews

As per documented road map for reject-000-label.
- [ ] change default
- [ ] update documentation
- [ ] update synthfromdnssec system test
- [ ] update release notes
- [ ] create future issue to remove reject-000-label (9.21.x)

Milestone: BIND 9.19.x

Issue: sanity checks 1.0
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/645
Date: 2022-02-03T11:48:23Z
Author: Wlodzimierz Wencel

* rpm and debs: https://gitlab.isc.org/isc-projects/stork/-/jobs/2147979/artifacts/browse
* tarball: https://gitlab.isc.org/isc-projects/stork/-/jobs/2147978/artifacts/browse

good luck :)

Milestone: 1.0

Issue: backport GSS-TSIG to Kea 2.0
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2228
Date: 2021-12-09T15:46:01Z
Author: Razvan Becheriu

Milestone: kea2.0.1
Assignee: Razvan Becheriu

Issue: The hp_max_threads initial value is maximum value
Link: https://gitlab.isc.org/isc-projects/bind9/-/issues/3048
Date: 2022-01-20T10:21:45Z
Author: Ondřej Surý

In a011d422117, the `isc_hp_init()` was changed, so the maximum number of threads cannot ever go down, only up. At the same time the initial value of `isc__hp_max_threads` is set to the maximum, so in the end, it's always the maximum (`128` threads).
Related issue: #2398

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Ondřej Surý

Issue: allow the options that perfdhcp inserts by itself to be overwritten
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2229
Date: 2022-01-27T14:47:15Z
Author: Andrei Pavel <andrei@isc.org>

Like DHCPv4 option 50 DHO_DHCP_REQUESTED_ADDRESS for example. If you try to insert it via the `-o` command, you get `Option already present in this message`. I suggest if the user wants to send a different requested address, perfdhcp should delete the option and insert the provided one.

Issue: Expired zone signatures are not replaced with KSK signatures
Link: https://gitlab.isc.org/isc-projects/bind9/-/issues/3049
Date: 2022-01-12T10:08:42Z
Author: Matthijs Mekking <matthijs@isc.org>

We fixed #763 to make sure not to sign the DNSKEY RRset with the ZSK if the KSK was offline (even if the signatures were expired).
The change caused the definition of "having both keys": if one key is offline, we still consider having both keys, so we don't fall back to signing with the ZSK if the KSK is offline.
That change also works the other way: if the ZSK is offline, we don't fall back to signing with the KSK. But in this case the fallback could actually help prevent the zone from going bogus.
Update the fix for #763 to allow fallback of signing zone RRsets with the KSK in case the ZSK is offline.

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Matthijs Mekking <matthijs@isc.org>

Issue: Stork Documentation review
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/646
Date: 2022-01-31T16:46:34Z
Author: Vicky Risk <vicky@isc.org>

This is a placeholder for an editorial review of the Stork doc. The purpose is to clean up references to old releases, improve the English usage as needed, clarify bits that might not be clear to the reader, etc.
We had hoped to do this for 1.0, but Suzanne has been reviewing the Kea ARM, which is nearly finished now.

Milestone: 1.1
Assignee: Tomek Mrugalski

Issue: Doc updates from Sanity checking 1.0 release
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/649
Date: 2021-12-08T11:01:31Z
Author: Vicky Risk <vicky@isc.org>

I will try to fix the doc issues Marcin identified in the 1.0 sanity checking.
- [ ] In the Stork Tool section of our ARM we have this text: "To initialize the database directly, the Stork Tool must be built and used to initialize and upgrade the database to the latest schema. However, this is optional, as the database migration is triggered automatically upon server startup."
  In fact, the `rake install_server` builds and installs the tool. So, there is no optionality.
  >> I didn't find this and actually, it seems to me that the explanation implies it is triggered automatically so I don't see the problem...?
- [x] The `stork-agent` man page (perhaps other man pages too), says this:
  ```
  Once Stork becomes more mature, ISC will provide professional support for Stork services.
  ```
  It should be removed.
  >> I removed this from several places.
- [ ] Stork Agent has a silly brief description in its help:
  ```
  ./stork-agent --help
  NAME:
  Stork Agent - A new cli application
  ```
  >>> completely agree this should be fixed but I couldn't find where this text is.
- [x] CONTRIBUTING.md: invalid link: https://gitlab.isc.org/isc-projects/stork/forks/new
  A new cli application?
- [x] "Submitting MR" section in CONTRIBUTING.md should be updated to remove Godfryd and add Slawek.
- [x] This TODO in CONTRIBUTING.md doesn't make sense: "TODO: Describe how to run unit-tests and system tests for Stork" because the previous section describes how to run the unit tests.
- [x] CONTRIBUTING.md: we should remove Godfryd from here:
  "ask someone from the ISC team to give you permission to fork Stork\*\* (ask @tomek, @vicky, @ondrej or @godfryd or basically anyone from the Stork dev team)".
- [x] Another nit in the README.md. I think we should remove this sentence: "Stork is in early stages of its development, but it's getting new features rapidly". It will take some time to get new fancy features but we accomplished a major milestone, so saying it is in early stage is probably a bit confusing.
- [x] A nit in the AUTHORS.md file: the `agent` should also be included on my list of components.

Assignee: Marcin Siodelski

Issue: Kea ARM review, continued (stork.rst, security.rst)
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2231
Date: 2021-12-09T15:32:11Z
Author: Suzanne Goldlust

Continuing review of Kea ARM

Assignee: Thomas Markwalder

Issue: Missing destroy(s) for rwlocks, mutexes and conditions
Link: https://gitlab.isc.org/isc-projects/bind9/-/issues/3051
Date: 2022-01-11T14:13:40Z
Author: Ondřej Surý

It was reported to us that there's a runaway memory leak on FreeBSD which was identified as missing dtor for pthread primitives:
1. `sock->cond` in netmgr - the one causing runaway memory use
2. `worker->lock` - one per worker
3. rwlocks in db.c and dlz.c - initialized once per `named` (fixing would require dtor at library unload, not worth fixing)
4. rwlock in `lib/*/result.c` - initialized once per `named` (fixing would require dtor at library unload, not worth fixing)

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Assignee: Ondřej Surý

Issue: sanity check 1.0 after respin
Link: https://gitlab.isc.org/isc-projects/stork/-/issues/650
Date: 2022-02-03T11:48:11Z
Author: Wlodzimierz Wencel

tarball: https://gitlab.isc.org/isc-projects/stork/-/jobs/2150368/artifacts/browse
rpms and debs: https://gitlab.isc.org/isc-projects/stork/-/jobs/2150369/artifacts/browse

Milestone: 1.0

Issue: named crash after reconfiguration when "allow-recursion" changed
Link: https://gitlab.isc.org/isc-projects/bind9/-/issues/3053
Date: 2022-04-05T16:02:29Z
Author: Michal Nowak

With BIND 9.17.20 on Fedora 35 from my [Copr fork](https://copr.fedorainfracloud.org/coprs/mnohime/bind-dev/packages/) I get a reproducible `named` segfault a few seconds after I add an IP entry to the `allow-recursion` list, save `named.conf` (attached), and reconfigure `named` with `rndc reconfig` (if I restart the `named` service instead of reconfiguring in the last step, no crash happens).
Also happens with Fedora 34 BIND 9.17.20 packages on Fedora 35 from the official Copr repo (we don't provide official Fedora 35 packages yet).

backtrace:
```
Core was generated by `/opt/isc/isc-bind/root/usr/sbin/named -u named'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:476
476     VMOVU -VEC_SIZE(%rsi, %rdx), %VEC(5)
[Current thread is 1 (Thread 0x7f0479b7f640 (LWP 1360))]
(gdb) bt
#0  __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:476
#1  0x00007f047b342de2 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:29
#2  OPENSSL_sk_dup (sk=0x7f04740138f0) at crypto/stack/stack.c:66
#3  0x00007f047ad25111 in sk_SSL_CIPHER_dup (sk=<optimized out>) at include/openssl/ssl.h:963
#4  SSL_new (ctx=ctx@entry=0x7f04740161a0) at ssl/ssl_lib.c:717
#5  0x00007f047b7d1a23 in isc_tls_create (ctx=0x7f04740161a0) at /usr/src/debug/isc-bind-bind-9.17.20-1.1.fc35.x86_64/lib/isc/tls.c:607
#6  0x00007f047b7df109 in tlslisten_acceptcb (handle=0x7f04789ee280, result=<optimized out>, cbarg=0x7f0478976800) at netmgr/tlsstream.c:595
#7  0x00007f047b7a062e in accept_connection (ssock=ssock@entry=0x7f0478977c00, quota=<optimized out>) at netmgr/tcp.c:1018
#8  0x00007f047b7a137e in tcp_connection_cb (server=<optimized out>, status=<optimized out>) at netmgr/tcp.c:632
#9  0x00007f047b1892f7 in uv__server_io (loop=0x7f047a231010, w=0x7f04789781b8, events=<optimized out>) at src/unix/stream.c:570
#10 0x00007f047b18ed3d in uv__io_poll (loop=0x7f047a231010, timeout=<optimized out>) at src/unix/linux-core.c:462
#11 0x00007f047b17e8e4 in uv_run (loop=loop@entry=0x7f047a231010, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:385
#12 0x00007f047b7a201e in nm_thread (worker0=0x7f047a231000) at netmgr/netmgr.c:688
#13 0x00007f047b7d517a in isc__trampoline_run (arg=0x561a73df6500) at /usr/src/debug/isc-bind-bind-9.17.20-1.1.fc35.x86_64/lib/isc/trampoline.c:185
#14 0x00007f047ae0bad7 in start_thread (arg=<optimized out>) at pthread_create.c:435
#15 0x00007f047ae90770 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```
[full backtrace](/uploads/f32799c1cd4ec7910ca867060a4cc82b/coredump.txt)

<details><summary>named.conf</summary>

```
tls local-tls {
    key-file "/etc/letsencrypt/live/dns.mnowak.cz/privkey.pem";
    cert-file "/etc/letsencrypt/live/dns.mnowak.cz/fullchain.pem";
};
options {
    directory "/var/opt/isc/scls/isc-bind/named/data";
    listen-on port 443 tls local-tls http default { any; };
    listen-on-v6 port 443 tls local-tls http default { any; };
    listen-on { any; };
    listen-on-v6 { any; };
    listen-on tls ephemeral { any; };
    listen-on-v6 tls ephemeral { any; };
    dnssec-validation auto;
    recursion yes;
    allow-recursion { 2a02:8308:a007:f700::0/64; 86.49/16; localhost; };
    querylog yes;
    max-cache-size 90%;
};
statistics-channels {
    inet * port 666 allow { 2a02:8308:a007:f700::0/64; 86.49/16; localhost; };
};
logging {
    channel default_debug {
        file "named.run";
        print-time yes;
        severity dynamic;
    };
};
key "rndc-key" {
    algorithm hmac-sha256;
    secret "5BLhJni/LLWlg8Lo09iTqhvJgvLmViEmcf60b+XX07o=";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
```

</details>

[core.gz](/uploads/b1e7ef5c910e925f1a8392237f3408ad/core.gz)
[named.gz](/uploads/b1ce3ea46b71e50fa430e4be0838a5a4/named.gz)

Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Issue: Kea ARM review - hooks.rst, man pages
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2232
Date: 2021-12-13T18:15:06Z
Author: Suzanne Goldlust

Continuing review of/edits to the Kea ARM

Assignee: Thomas Markwalder

Issue: ARM shows "option-data-list" field instead of "option-data" for reservation-add
Link: https://gitlab.isc.org/isc-projects/kea/-/issues/2233
Date: 2022-01-14T14:04:10Z
Author: Andrei Pavel <andrei@isc.org>

If you try to `reservation-add` with `"option-data-list"` as the [ARM suggests](https://kea.readthedocs.io/en/latest/api.html#ref-reservation-add), you get `"unsupported configuration parameter 'option-data-list' (:0:0)"`. `"option-data"` works however.

Milestone: kea2.1.2
Assignee: Francis Dupont