ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2022-10-26T09:07:48Z

## dynamic TTL shortening in auth after RR change
https://gitlab.isc.org/isc-projects/bind9/-/issues/3618
Updated: 2022-10-26T09:07:48Z. Author: Petr Špaček (pspacek@isc.org).

### Description
TL;DR version: Withdrawing DS is a nightmare because TLDs have too long TTLs. COM with 1 day is a total nightmare and risk-averse businesses like google.com are not going to risk 1 day disruption of service => no prospect of deploying DNSSEC.
Long version:
https://indico.dns-oarc.net/event/44/contributions/962/
### Request
I'm considering an _experiment_, not a production-ready feature. Auth DNS is not a good place for what I'm going to propose, but I still think it is a nice experiment:
Add magic which shortens TTLs sent out in answers after RR modification. Say, in the first hour after modification shorten TTL of modified DS RR to 60 seconds. After that use the original TTL. (Of course we can invent any other schema, this is just a simple example.)
Obviously this requires knowing when RR was modified - and this is a nightmare by itself. For an experiment I think it would be good enough to look at RRSIG inception time to detect the initial window. Obviously this will have false positives after resigning, but for an experiment I think we don't need to care.
An experiment would allow us to detect if something breaks when TTL on RR and its RRSIG do not match when sent as an answer from auth. (It should work, but you know how it is ...)
### Links / references
- https://indico.dns-oarc.net/event/44/contributions/962/
- https://chat.dns-oarc.net/community/pl/u36txi1cw3ykzx7iaos4rqo95c
- https://www.ripe.net/ripe/mail/archives/dns-wg/2021-December/003935.html

## System tests for top-level server functionalities
https://gitlab.isc.org/isc-projects/stork/-/issues/873
Updated: 2022-10-25T13:58:00Z. Author: Slawek Figiel.

Due to technical details, we cannot actually write unit tests for top-level Stork Server functionalities such as:
* Interpreting CLI commands
* Running server
* Remembering DB password for reload
* Handling reloading
* Handling shutdown
We should split the main server function according to the Single Responsibility Principle to make it testable.
After that, we should cover the individual features with unit tests.

Milestone: backlog

## Avoid creating separate metrics per transport
https://gitlab.isc.org/isc-projects/stork/-/issues/833
Updated: 2022-10-25T13:36:55Z. Author: Slawek Figiel.

Reported by @ray - [Source](https://mattermost.isc.org/isc/pl/n5hqa4gzmigjj87p6c4exbs8zc):
> \# TYPE bind_traffic_incoming_requests_udp4_size histogram
> bind_traffic_incoming_requests_udp4_size_bucket{le="47"} 2
> bind_traffic_incoming_requests_udp4_size_bucket{le="+Inf"} 2
> bind_traffic_incoming_requests_udp4_size_sum NaN
> bind_traffic_incoming_requests_udp4_size_count 2
I'd also like to suggest that the udp4 part of these metrics should be a label e.g. {transport="udp4" } and not separate metrics per transport
the rationale is that as an operator, I want to be able to graph these things (udp4, tcp6, etc.) in aggregate, and also in isolation, and IIUC, labels are the Prometheus way to accomplish that

Milestone: outstanding

## Unstable TestRpsWorkerPullRps unit test
https://gitlab.isc.org/isc-projects/stork/-/issues/828
Updated: 2022-10-25T13:36:22Z. Author: Slawek Figiel.

One of our unit tests is unstable and sometimes fails.
```
=== RUN TestRpsWorkerPullRps
time="2022-08-01T10:15:28Z" level=info msg="Checking connection to database"
time="2022-08-01T10:15:28Z" level=info msg="Checking connection to database"
time="2022-08-01T10:15:28Z" level=info msg="Updating KeaDHCPDaemonStats: {RPS1:0 RPS2:0}"
time="2022-08-01T10:15:29Z" level=info msg="Updating KeaDHCPDaemonStats: {RPS1:0 RPS2:0}"
time="2022-08-01T10:15:31Z" level=info msg="Updating KeaDHCPDaemonStats: {RPS1:1 RPS2:1}"
time="2022-08-01T10:15:31Z" level=info msg="Updating KeaDHCPDaemonStats: {RPS1:2 RPS2:2}"
rps_test.go:279:
Error Trace: rps_test.go:279
rps_test.go:153
Error: Not equal:
expected: 2
actual : 1
Test: TestRpsWorkerPullRps
--- FAIL: TestRpsWorkerPullRps (2.42s)
```

Milestone: backlog

## Limit maintenance downtime during deploying the demo
https://gitlab.isc.org/isc-projects/stork/-/issues/811
Updated: 2022-10-25T13:33:56Z. Author: Slawek Figiel.

Currently, to deploy a demo, we first shut down the old version, and next we build and run the new one. The build takes ~1 hour. The demo is not available during this time. We can refactor our solution to build the demo first and restart it afterwards. It should significantly limit maintenance downtime.

Milestone: backlog

## host entry conflict: same identifier, identifier type and subnet id
https://gitlab.isc.org/isc-projects/kea/-/issues/1566
Updated: 2022-10-25T13:27:59Z. Author: Francis Dupont.

This comes from the test_v4_host_reservation_conflicts_duplicate_reservations forge test.
The question is what happens with 2 host reservations using the same identifier, identifier type and subnet id.
In the config the host container uses 3 different non-unique indexes for the identifier+type, subnet id v4 and v6. As far as I know there is no conflict check at config time. The get methods throw DuplicateHost.
MySQL database since schema 5.0 (Kea 1.1.0) uses unique key_dhcp[46]_identifier_subnet_id indexes so does not allow the same identifier + type with the same not null subnet id. The not null matters because the host reservation table is shared between v4 and v6, so the same identifier and type is allowed with, for instance, different v4 subnet ids even if both v6 subnet ids are null.
MySQL backend get methods do not check: they return the first host if the query returns at least one.
PostgreSQL database is very close to MySQL with a small difference introduced in schema 3.2 (Kea 1.4.0): the unique constraint does not apply when the subnet id is 0.
Cassandra/CQL schema has no constraint. The get methods check if more than one host is found and throw MultipleRecords.
On the forge side:
- test_v4_host_reservation_conflicts_duplicate_reservations verifies that the configuration case allows conflicts
- test_v4_host_reservation_conflicts_duplicate_reservations_mysql verifies that the MySQL case allows conflicts and fails because it is not allowed
There is no check for PostgreSQL but it should fail if reservations are not global.
Note a similar constraint was removed on the same address and subnet id by #1428 in 1.9.1 (search for ip-reservations-unique).
Proposed action: reverse forge tests, add a PgSQL one and consider adding a check for the configuration case: at least a unit test should verify that an incorrect configuration giving failures at run time is rejected.

Milestone: outstanding

## Generate IPv6 traffic in system tests
https://gitlab.isc.org/isc-projects/stork/-/issues/784
Updated: 2022-10-25T13:23:08Z. Author: Slawek Figiel.

There is a problem with starting the Kea DHCPv6 daemon.
It cannot bind the sockets. I didn't find any way to check if the binding would be available. Kea has implemented a solution to retry the binding in kea#1716, but there is no possibility to check if the binding has already finished successfully. I opened kea#2434 to add an opportunity to inspect the binding status.
We can use the interface statuses to wait until Kea is ready to allocate the leases.

Milestone: backlog

## Missing Grafana links for IPv6 on dashboard
https://gitlab.isc.org/isc-projects/stork/-/issues/774
Updated: 2022-10-25T11:38:33Z. Author: Slawek Figiel.

![image](https://gitlab.isc.org/isc-projects/stork/uploads/3413238389d924d5b085501c8f0fefb2/image.png)
DHCPv6 subnets have no Grafana-link buttons on the dashboard.

Milestone: backlog

## remote-option4-global-set accepts option with empty data
https://gitlab.isc.org/isc-projects/kea/-/issues/501
Updated: 2022-10-24T08:02:55Z. Author: Wlodzimierz Wencel.

```
{
    "arguments": {
        "options": [
            {
                "code": 6
            }
        ],
        "remote": {
            "type": "mysql"
        },
        "server-tags": [
            "abc"
        ]
    },
    "command": "remote-option4-global-set"
}
```
Response:
```
{
    "arguments": {
        "options": [
            {
                "code": 6,
                "space": "dhcp4"
            }
        ]
    },
    "result": 0,
    "text": "DHCPv4 option successfully set."
}
```
Kea should not be configured with an empty option. Possibly it's not yet implemented.

Milestone: outstanding

## udp_test fails with atomic_load(&sreads) >= expected_creads
https://gitlab.isc.org/isc-projects/bind9/-/issues/3602
Updated: 2022-10-20T16:51:28Z. Author: Ondřej Surý.

Reproduced under `rr record -h`:
```
[==========] Running 18 test(s).
[ RUN ] mock_listenudp_uv_udp_open
[ OK ] mock_listenudp_uv_udp_open
[ RUN ] mock_listenudp_uv_udp_bind
[ OK ] mock_listenudp_uv_udp_bind
[ RUN ] mock_listenudp_uv_udp_recv_start
[ OK ] mock_listenudp_uv_udp_recv_start
[ RUN ] mock_udpconnect_uv_udp_open
[ OK ] mock_udpconnect_uv_udp_open
[ RUN ] mock_udpconnect_uv_udp_bind
[ OK ] mock_udpconnect_uv_udp_bind
[ RUN ] mock_udpconnect_uv_udp_connect
[ OK ] mock_udpconnect_uv_udp_connect
[ RUN ] mock_udpconnect_uv_recv_buffer_size
[ OK ] mock_udpconnect_uv_recv_buffer_size
[ RUN ] mock_udpconnect_uv_send_buffer_size
[ OK ] mock_udpconnect_uv_send_buffer_size
[ RUN ] udp_noop
[ OK ] udp_noop
[ RUN ] udp_noresponse
[ OK ] udp_noresponse
[ RUN ] udp_shutdown_connect
[ OK ] udp_shutdown_connect
[ RUN ] udp_shutdown_read
[ OK ] udp_shutdown_read
[ RUN ] udp_cancel_read
[ OK ] udp_cancel_read
[ RUN ] udp_timeout_recovery
[ OK ] udp_timeout_recovery
[ RUN ] udp_double_read
[ OK ] udp_double_read
[ RUN ] udp_recv_one
[ OK ] udp_recv_one
[ RUN ] udp_recv_two
[ OK ] udp_recv_two
[ RUN ] udp_recv_send
atomic_load(&sreads) >= expected_creads
[ LINE ] --- udp_test.c:947: error: Failure!Aborted
```

Milestone: Not planned. Assignee: Ondřej Surý.

## Dev guide update: building ATF tests
https://gitlab.isc.org/isc-projects/dhcp/-/issues/225
Updated: 2022-10-20T09:42:01Z. Author: Tomek Mrugalski.

The developer's guide explains how to build old ATF 0.19. Sadly, to compile it on newer systems, such as Ubuntu 21.04, a small patch is needed to the atf sources. This should be documented.

Milestone: 4.5.0-beta

## ISC DHCP sub classes
https://gitlab.isc.org/isc-projects/kea/-/issues/2582
Updated: 2022-10-18T12:11:49Z. Author: Francis Dupont.

ISC DHCP supports sub classes:
```
In addition to classes, it is possible to declare subclasses. A subclass
is a class with the same name as a regular class, but with a specific
submatch expression which is hashed for quick matching. This is
essentially a speed hack - the main difference between five classes with
match expressions and one class with five subclasses is that it will be
quicker to find the subclasses. Subclasses work as follows:
class "allocation-class-1" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
class "allocation-class-2" {
  match pick-first-value (option dhcp-client-identifier, hardware);
}
subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
subclass "allocation-class-2" 1:8:0:2b:a9:cc:e3;
subclass "allocation-class-1" 1:0:0:c4:aa:29:44;
subnet 10.0.0.0 netmask 255.255.255.0 {
  pool {
    allow members of "allocation-class-1";
    range 10.0.0.11 10.0.0.50;
  }
  pool {
    allow members of "allocation-class-2";
    range 10.0.0.51 10.0.0.100;
  }
}
The data following the class name in the subclass declaration is a
constant value to use in matching the match expression for the class.
When class matching is done, the server will evaluate the match
expression and then look the result up in the hash table. If it finds a
match, the client is considered a member of both the class and the
subclass.
Subclasses can be declared with or without scope. In the above example,
the sole purpose of the subclass is to allow some clients access to one
address pool, while other clients are given access to the other pool, so
these subclasses are declared without scopes. If part of the purpose of
the subclass were to define different parameter values for some clients,
you might want to declare some subclasses with scopes.
In the above example, if you had a single client that needed some
configuration parameters, while most didn't, you might write the
following subclass declaration for that client:
subclass "allocation-class-2" 1:08:00:2b:a1:11:31 {
  option root-path "samsara:/var/diskless/alphapc";
  filename "/tftpboot/netbsd.alphapc-diskless";
}
In this example, we've used subclassing as a way to control address
allocation on a per-client basis. However, it's also possible to use
subclassing in ways that are not specific to clients - for example, to
use the value of the vendor-class-identifier option to determine what
values to send in the vendor-encapsulated-options option. An example of
this is shown under the VENDOR ENCAPSULATED OPTIONS head in the
dhcp-options(5) manual page.
```
Sub-classes are essentially an improvement in both the evaluation process (the match expression is evaluated once and its value is compared with a hash table) and configuration (fewer things to repeat and an exposed relationship). The same idea can be used in Kea: currently Keama just recombines match expression and value in regular classes, losing the fact that the parent depends on a matching sub class...

Milestone: ISC DHCP Migration

## Implement MAC assignment (IA_LL option) - RFC8947, RFC8948
https://gitlab.isc.org/isc-projects/kea/-/issues/1365
Updated: 2022-10-14T11:20:06Z. Author: Tomek Mrugalski.

There are two drafts at IETF that are clearing IESG review and will likely soon be published as RFCs:
- [dhc-mac-assign](https://datatracker.ietf.org/doc/draft-ietf-dhc-mac-assign/) - now RFC8947
- [dhc-slap-quadrant](https://datatracker.ietf.org/doc/draft-ietf-dhc-slap-quadrant/) - now RFC8948
The first one defines a MAC address assignment mechanism. It is similar to IPv6 address assignment, but manages link-layer (MAC) addresses. It defines two new options: IA_LL (a container similar to IA_NA) and LLADDR option (similar to IAADDR).
The second draft extends this mechanism slightly. The whole MAC address space is split into 4 ranges (quadrants) that have different intended usage purposes. This draft introduces a SLAP_QUAD option, which signals between clients and the server which pool of MAC addresses should be used for allocation.
Yes, MAC assignment by DHCPv6 (which requires a MAC to send and receive data) seems backwards, but there are at least two major use cases for this: assigning MAC addresses to new VMs in large-scale datacenters and handling IoT devices, especially disposable ones.

Milestone: outstanding

## RFC9243: YANG for DHCPv6
https://gitlab.isc.org/isc-projects/kea/-/issues/2518
Updated: 2022-10-14T11:17:11Z. Author: Tomek Mrugalski.

Now that [rfc9243](https://datatracker.ietf.org/doc/html/rfc9243) has been published, it's a good time to consider whether we want to abandon the Kea-specific YANG model and migrate to a standard one, or stick with it.
If you are a user who deployed Kea with NETCONF, please share your thoughts on this.
Alternatively, we could support both models, but it seems more troublesome to maintain in the long term.

Milestone: outstanding

## Non-descriptive event panel
https://gitlab.isc.org/isc-projects/stork/-/issues/668
Updated: 2022-10-13T10:41:04Z. Author: Slawek Figiel.

The issue was found during sanity checks for the 1.0 release.
Source: https://gitlab.isc.org/isc-projects/stork/-/issues/645#note_253189
The events panel shows level as icons. There is no way to see the actual levels.
Maybe the filtering panel at the top can guide a bit, but it won't be visible when there are many events. I always browse at 100 per page and expect most admins with a busy system would do the same.

Milestone: backlog

## Feature Request: Documentation not clear about the syntax
https://gitlab.isc.org/isc-projects/stork/-/issues/832
Updated: 2022-10-13T10:32:28Z. Author: mikygee.

Hello,
The documentation
https://stork.readthedocs.io/en/latest/install.html#setup
is not clear about the syntax to use between the parameter and the value
"STORK_REST_HOST - the IP address on which the server listen"
I know by having read the issues and mailing list that an equal sign should separate the parameter STORK_REST_HOST and the value defined by an IP
STORK_REST_HOST=1.1.1.1
But when I first read the documentation I was wondering if it should be an equal sign, a colon, something else...
Same for
https://stork.readthedocs.io/en/latest/install.html#agent-configuration-settings
Sometimes configuration lines end with a semi colon, here we don't know if it's the case or not.
Regards

Milestone: backlog

## UX improvement: the machine authorized should mention name
https://gitlab.isc.org/isc-projects/stork/-/issues/806
Updated: 2022-10-13T10:32:28Z. Author: Tomek Mrugalski.

Everyone's been through the drill many times. You start the demo, then mass authorize machines one after another. It would be good for the popup to mention the actual name of the machine that was authorized. Obviously, this is a minor user experience improvement.
![Screenshot_from_2022-07-12_09-59-26](/uploads/5695ded0519544afbcd392adb1f736ac/Screenshot_from_2022-07-12_09-59-26.png)

Milestone: backlog

## Utilization bar is not rounded for high value
https://gitlab.isc.org/isc-projects/stork/-/issues/773
Updated: 2022-10-13T10:32:28Z. Author: Slawek Figiel.

The issue was found during 1.4 sanity checks. [Source](https://gitlab.isc.org/isc-projects/stork/-/issues/771#note_289508)
![image](https://gitlab.isc.org/isc-projects/stork/uploads/30e80aac4e57c2bca1b4d4462736e09a/image.png), ![image](https://gitlab.isc.org/isc-projects/stork/uploads/496b2d05c89ad4a653b22a5ee9e561d5/image.png)
The utilization bar has no rounded right side if utilization is at the maximum.

Milestone: backlog

## Utilization UI glitches
https://gitlab.isc.org/isc-projects/stork/-/issues/693
Updated: 2022-10-13T10:32:28Z. Author: Slawek Figiel.

The issue was found during 1.1.0 sanity checks.
[Source](https://gitlab.isc.org/isc-projects/stork/-/issues/685#note_264709)
Minor visual glitches:
1. The warning icons don't fit in the Used column and wrap strangely.
2. When the pool utilization hits 100%, it's rounded on the left, but sharp on the right end.
3. The exclamation icon near the utilization bar isn't centered vertically. [Source](https://gitlab.isc.org/isc-projects/stork/-/issues/685#note_264803)
This is on zoom 100% on Firefox 96.0 running on Ubuntu 21.04.

Milestone: backlog

## dhcp server function doesn't work after interface status changes from DOWN to UP
https://gitlab.isc.org/isc-projects/dhcp/-/issues/265
Updated: 2022-10-10T07:17:51Z. Author: poe luo.

After configuring /etc/default/isc-dhcp-server and /etc/dhcp/dhcpd.conf, I started isc-dhcp-server via `systemctl restart isc-dhcp-server` (the interface was DOWN at the time).
Checking the process status with `systemctl status isc-dhcp-server`, it showed the following:
```
No subnet declaration for eno6 (no IPv4 addresses).
** Ignoring requests on eno6. If this is not what
you want, please write a subnet declaration
in your dhcpd.conf file for the network segment
to which interface eno6 is attached. **
```
Then I plugged a cable into eno6 and it changed to UP status, but the DHCP server function seems not to be working, because the client didn't get any IP address.
However, if I plugged in the cable first and then started isc-dhcp-server, it worked well even when I unplugged the cable and plugged it back in.
What I want to know is whether isc-dhcp-server can auto-detect the status of the listed interfaces, so that when an interface turns to UP status it will always assign IP addresses to clients successfully without restarting the process manually.
My env is Ubuntu 18.04.
Thanks.