ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2020-04-29T06:39:54Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/500
Use libltdl to wrap around dynamically loaded modules
2020-04-29T06:39:54Z
Ondřej Surý

See https://www.gnu.org/software/libtool/manual/html_node/Using-libltdl.html#Using-libltdl
Libtool provides a small library, called libltdl, that aims at hiding the various difficulties of dlopening libraries from programmers. It consists of a few headers and small C source files that can be distributed with applications that need dlopening functionality. On some platforms, whose dynamic linkers are too limited for a simple implementation of libltdl services, it requires GNU DLD, or it will only emulate dynamic linking with libtool’s dlpreopening mechanism.
libltdl supports currently the following dynamic linking mechanisms:
* dlopen (POSIX compliant systems, GNU/Linux, etc.)
* shl_load (HP-UX)
* LoadLibrary (Win16 and Win32)
* load_add_on (BeOS)
* NSAddImage or NSLinkModule (Darwin and Mac OS X)
* GNU DLD (emulates dynamic linking for static libraries)
* libtool’s dlpreopen (see Dlpreopening)
libltdl is licensed under the terms of the GNU Lesser General Public License, with the following exception:
> As a special exception to the GNU Lesser General Public License, if you distribute this file as part of a program or library that is built using GNU Libtool, you may include it under the same distribution terms that you use for the rest of that program.

May 2020 (9.11.19, 9.11.19-S1, 9.14.12, 9.16.3)

https://gitlab.isc.org/isc-projects/kea/-/issues/500
remote-option-def4-set accepts incorrect code values
2019-05-16T05:07:26Z
Wlodzimierz Wencel

user can configure option definition using code 0 or any code from standard options list.

Kea1.6
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/bind9/-/issues/501
ED25519/ED448: unsupported algorithm
2018-08-27T17:54:44Z
leon

I've installed `bind9utils 9.11.4+dfsg-4~bpo9+1` from `stretch-backports` which includes support for the ED25519 and ED448 signing algorithm, yet `dnssec-keygen` apparently can't handle it:
```sh
$ dnssec-keygen -a ED25519 test
dnssec-keygen: fatal: unsupported algorithm: 15
$ dnssec-keygen -a ED448 test
dnssec-keygen: fatal: unsupported algorithm: 16
$ dnssec-keygen -h 2>&1 | grep Version
Version: 9.11.4-4~bpo9+1-Debian
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/502
named-checkzone hangs when compiled with afl-clang-fast
2018-11-30T12:27:24Z
Stephen Morris

One of the fuzzing tests carried out is to fuzz named-checkzone. To do this, BIND is built with afl-clang-fast using the "configure" command:
`AFL_HARDEN=1 CFLAGS=afl-clang-fast ./configure`
When built with the code in commit 1c57b73e34a46d5c88d5afb7bf25cbd9b6eb4e78 (*oss-fuzz: Improve interaction with fuzzing tools and add new tests in fuzz/ directory*) named-checkconf hangs when run on a simple zone file. It runs correctly when BIND is built with the code in the previous commit (d30b90dba676c50866bb40c95c2fcd272af5d1b5 *Merge branch '484-fix-non-libtool-build' into 'master'*).
This occurs on Debian 9 with AFL 2.52b. (The hang also occurs with the latest version of master on Fedora 27.) FWIW, the zone file used contained:
```
$TTL 300
@ IN SOA marka.isc.org. ns.server. (
2010 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS ns
ns A 10.53.0.5
foo TXT "From NS 5"
bar TXT "From NS 5"
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/503
dnsrps test no longer runs
2018-09-27T20:23:25Z
Evan Hunt

The DNSRPS portions of the rpz and rpzrecurse tests were inadvertently disabled some time ago. It doesn't cause a test failure; the only way to know it happened is that "DNSRPS is disabled" appears in the test output. We do have a jenkins system that builds with --enable-dnsrps, but because the test itself thought DNSRPS had been disabled, it was skipped over and nobody was the wiser.
The culprit seems to have been commit b98a92071d06.

https://gitlab.isc.org/isc-projects/kea/-/issues/503
Refuse option definitions which duplicate a name/space
2019-04-12T13:45:13Z
Francis Dupont

Today it is allowed to define two options in the same space and with the same name because duplicates are checked only for code (already existing definition with the same code or conflicts with a standard option definition still with the same code).

Kea1.6
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/504
mirror system test died on shutdown with a quota != 0.
2019-01-28T10:47:18Z
Mark Andrews

in ns_server_detach isc_quota_destroy(&sctx->tcpquota) failed. used was 1.

BIND 9.13.x
Michał Kępień

https://gitlab.isc.org/isc-projects/kea/-/issues/505
renew-timer should not be accepted in configuration if it is greater than rebind-timer (and vice versa)
2023-02-21T11:46:35Z
Michal Nowikowski

Currently it is possible to specify e.g. renew-timer=1500 and rebind-timer=1000,
i.e. the former is bigger than the latter. Kea accepts such configuration.
Expected behaviour is that a warning or an error is raised to Kea administrator.
Still, in such case, in ACK packet from Kea only rebind-timer field is present
i.e. renew-timer will be skipped as it is bigger than rebind-timer.
The configuration was set via cb-cmds. It was not verified if the behaviour is the same in case of config
from json file.

outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/103
CB: Add periodic fetch of the incremental DHCPv4 configuration changes
2021-10-25T16:03:58Z
Marcin Siodelski

The Config Backend design: https://gitlab.isc.org/isc-projects/kea/wikis/designs/configuration-in-db-design#kea-configuration-backend-design calls for implementing a periodic fetch of configuration changes in the database. If there are changes detected these changes are applied to the CfgMgr. This ticket covers implementing such mechanism in the DHCPv4 server.

Kea1.6

https://gitlab.isc.org/isc-projects/bind9/-/issues/506
Requesting more explicit support for and demonstration of FIPS compliant crypto library [ISC-support #13613]
2019-10-23T12:41:10Z
Sara Dickisnon

### Description
Certain environments mandate the use of FIPS compliant TLS libraries for DNSSEC signing. At the moment restricting BIND to only build/run against FIPS compliant crypto libraries or demonstrating that a given instance is using a FIPS compliant library is rather implicit. This capability is often required to demonstrate compliance to auditors.
### Request
I'd like to request more explicit handling of FIPS in BIND, for example:
1. It would be nice to have a BIND runtime command tool that reported the capabilities of the currently used crypto library. Since libraries might be opened dynamically and system/environment variables can affect library behavior this would provide certainty for the user.
2. It would be nice to have a compile and/or runtime method to restrict BIND to using only crypto libraries with certain characteristics e.g. FIPS compliance which are typically exposed via library APIs.
### Links / references

Ondřej Surý

https://gitlab.isc.org/isc-projects/kea/-/issues/506
command remote-global-parameter4-set for valid-lifetime, renew-timer and rebind-timer does not accept integers
2019-02-28T05:58:13Z
Michal Nowikowski

it requires strings

https://gitlab.isc.org/isc-projects/bind9/-/issues/508
"rndc reload" causes assertion failure under certain conditions
2018-08-29T00:37:43Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
'rndc reload' causes an assertion failure when "168.192.in-addr.arpa" slave zone (which fails to transfer because the master doesn't have it) is removed from named.conf
### Steps to reproduce
1. Install bind-9.9.4-61.el7_5.1.x86_64
1. Start named using "named.conf" shown below
1. Remove the "168.192.in-addr.arpa" zone from named.conf
1. ``rndc reload``
### What is the current *bug* behavior?
named crashes with the message below
### What is the expected *correct* behavior?
'rndc reload' completes successfully, named loads the new config
### Relevant configuration files
```
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { none; };
forwarders { 1.1.1.1; 8.8.8.8; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-query-cache { any; };
recursion yes;
allow-recursion { any; };
dnssec-enable false;
dnssec-validation false;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel main_log {
file "/var/log/named/named.log" versions 3 size 5m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default{
main_log;
};
category lame-servers {
null;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
zone "168.192.in-addr.arpa" IN { type slave; masters { 192.168.1.1; }; file "slaves/168.192.in-addr.arpa.db"; };
```
### Relevant logs and/or screenshots
```
28-Aug-2018 13:54:23.481 general: critical: zone.c:4586: REQUIRE(prev > 0) failed, back trace
28-Aug-2018 13:54:23.481 general: critical: #0 0x7f796dec0b60 in ??
28-Aug-2018 13:54:23.481 general: critical: #1 0x7f796c02117a in ??
28-Aug-2018 13:54:23.481 general: critical: #2 0x7f796d7d6471 in ??
28-Aug-2018 13:54:23.481 general: critical: #3 0x7f796d7e7a70 in ??
28-Aug-2018 13:54:23.481 general: critical: #4 0x7f796d70e5cd in ??
28-Aug-2018 13:54:23.481 general: critical: #5 0x7f796d70e73b in ??
28-Aug-2018 13:54:23.481 general: critical: #6 0x7f796d7e87da in ??
28-Aug-2018 13:54:23.481 general: critical: #7 0x7f796d7e8892 in ??
28-Aug-2018 13:54:23.481 general: critical: #8 0x7f796d7b6371 in ??
28-Aug-2018 13:54:23.481 general: critical: #9 0x7f796ded96e5 in ??
28-Aug-2018 13:54:23.481 general: critical: #10 0x7f796dedca26 in ??
28-Aug-2018 13:54:23.481 general: critical: #11 0x7f796dedcf18 in ??
28-Aug-2018 13:54:23.481 general: critical: #12 0x7f796deb93e5 in ??
28-Aug-2018 13:54:23.481 general: critical: #13 0x7f796debc197 in ??
28-Aug-2018 13:54:23.481 general: critical: #14 0x7f796c044066 in ??
28-Aug-2018 13:54:23.481 general: critical: #15 0x7f796bbf4dc5 in ??
28-Aug-2018 13:54:23.481 general: critical: #16 0x7f796ac6d73d in ??
28-Aug-2018 13:54:23.481 general: critical: exiting (due to assertion failure)
```
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

https://gitlab.isc.org/isc-projects/kea/-/issues/507
Tighten-up config-set checking so that servers more reliably roll-back and recover from invalid changes
2020-07-27T08:51:45Z
Cathy Almond

As reported to us via [#14200](https://support.isc.org/Ticket/Display.html?id=14200):
We found a problem in how config-set is behaving when configuration has errors.
It is supposed to keep the old configuration, but instead the dhcp listener stops responding to DHCP requests.
The scenario in which this was uncovered was pre-production system in which there's a client polling every 5 seconds, then a process reads the running configuration and changes the id of one of the subnets from:
"id": 1685525504,
to:
"id": "1685525504",
This incorrect configuration was due to a local process error but it is supposed to be handled by the config-set checking routine...
The error is logged as "invalid type specified for parameter 'id' (<wire>:0:15321)" and then the server is not receiving DHCP requests anymore, but still responds to commands from the ctrl-agent.
A restart is needed to unlock the service.
A log of the incident is available in Support ticket [#14200](https://support.isc.org/Ticket/Display.html?id=14200)

kea1.7.10
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/bind9/-/issues/509
current master not building on ubuntu 16.04 using --with-libtool --enable-developer
2018-08-29T11:43:52Z
Curtis Blackburn

the build fails with the following:
```
libtool: compile: gcc -I/home/jenkins/workspace/bind9-master-ubuntu1604-amd64 -I../../.. -I./include -I./../pthreads/include -I../include -I./../include -I./.. -I/usr/include -I/home/jenkins/workspace/bind9-master-ubuntu1604-amd64/unit/atf/include -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DNS_HOOKS_ENABLE=1 -D_GNU_SOURCE -DNS_HOOKS_ENABLE=1 -g -O2 -pthread -I/usr/include/libxml2 -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing -fno-delete-null-pointer-checks -Wshadow -Werror -c app.c -fPIC -DPIC -o .libs/app.o
app.c: In function ‘isc__app_ctxstart’:
app.c:305:3: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(errno, strbuf, sizeof(strbuf));
^
app.c:313:3: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(presult, strbuf, sizeof(strbuf));
^
app.c: In function ‘handle_signal’:
app.c:184:3: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(errno, strbuf, sizeof(strbuf));
^
app.c: In function ‘isc__app_ctxrun’:
app.c:505:5: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(errno, strbuf, sizeof(strbuf));
^
app.c: In function ‘isc__app_ctxshutdown’:
app.c:586:6: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(result,
^
app.c: In function ‘isc__app_ctxsuspend’:
app.c:659:6: error: ignoring return value of ‘strerror_r’, declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r(result,
^
cc1: all warnings being treated as errors
Makefile:172: recipe for target 'app.lo' failed
make[3]: *** [app.lo] Error 1
```

Ondřej Surý

https://gitlab.isc.org/isc-projects/kea/-/issues/508
remote-network4-set doesn't save subnet
2019-05-07T11:46:12Z
Wlodzimierz Wencel

Wasn't it fixed in isc-projects/kea#493?
Command:
```
{
"arguments": {
"remote": {
"type": "mysql"
},
"server-tags": [
"abc"
],
"shared-networks": [
{
"name": "net1",
"interface": "enp0s9",
"subnet4": [
{
"interface": "enp0s9",
"pools": [
{
"pool": "192.168.52.1-192.168.52.100"
}
],
"subnet": "192.168.52.0/24"
}
]
}
]
},
"command": "remote-network4-set"
}
```
result:
```
{
"arguments": {
"shared-networks": [
{
"name": "net1"
}
]
},
"result": 0,
"text": "IPv4 shared network successfully set."
}
```
but mysql db is missing subnet:
```
mysql> select * from dhcp4_shared_network;
+----+------+--------------+-----------+-----------------+---------------------+--------------+-------+-------------+------------------------+------------------+--------------+----------------+
| id | name | client_class | interface | match_client_id | modification_ts | rebind_timer | relay | renew_timer | require_client_classes | reservation_mode | user_context | valid_lifetime |
+----+------+--------------+-----------+-----------------+---------------------+--------------+-------+-------------+------------------------+------------------+--------------+----------------+
| 1 | | NULL | enp0s9 | 1 | 2019-02-21 05:40:02 | NULL | NULL | NULL | [ ] | 3 | NULL | NULL |
+----+------+--------------+-----------+-----------------+---------------------+--------------+-------+-------------+------------------------+------------------+--------------+----------------+
1 row in set (0.00 sec)
mysql> select * from dhcp4_subnet;
Empty set (0.00 sec)
```
and network4-get returns incorrect network:
```
{
"arguments": {
"count": 1,
"shared-networks": [
{
"authoritative": false,
"interface": "enp0s9",
"match-client-id": true,
"name": "net1",
"option-data": [],
"relay": {
"ip-addresses": []
},
"reservation-mode": "all",
"subnet4": []
}
]
},
"result": 0,
"text": "IPv4 shared network 'net1' found."
}
```

Kea1.6
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/510
Resolver test was failing
2018-08-31T07:56:17Z
Mark Andrews

I:resolver:check that the resolver accepts a reply with empty question section with TC=1 and retries over TCP (67)
I:resolver:failed
QR=1 was not being set causing the reply to be ignored.

Mark Andrews

https://gitlab.isc.org/isc-projects/kea/-/issues/509
Configuration knob to disable client-id lookup
2019-05-10T11:22:24Z
Tomek Mrugalski

While investigating a performance issue for a [customer issue](https://support.isc.org/Ticket/Display.html?id=14124), @tmark came up with an optimization idea to optionally disable client-id lookup.
Kea does two lease lookups: client-id (if client sent client-id) and if a lease is not found, another one by MAC address. If admin doesn't care about client-id, the first one could be disabled.
This ticket's goal is to make this lookup optional. Obviously it should be enabled by default, but there should be a knob to disable it.
Instead of adding a new config knob, we should expand the meaning of existing match-client-id parameter.

Kea1.6
Francis Dupont

https://gitlab.isc.org/isc-projects/bind9/-/issues/511
add ms-selfsub and krb5-selfsub
2018-09-13T01:52:24Z
Mark Andrews

Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/512
inconsistent comments, documentation and behavior with some ACLs
2019-03-17T19:58:29Z
Evan Hunt

In 9.5.1, change #2373 had the unintended side effect of making it so that `allow-transfer` and `allow-notify` ACLs (in addition to `allow-update` and `allow-update-forwarding`, for which this behavior was desirable) could only be set in zone statements, not at the options or view level.
In 9.12.0, 9.11.3, 9.10.7, and 9.9.12, change #4836 fixed this. It was only meant to address a problem with `rndc addzone` but it fixed the broader problem at the same time; I simply didn't notice.
Later I noticed that the behavior for `allow-notify` had changed; I thought this was a bug and submitted MR !342 to fix it. After discussion with @marka it became clear that the current behavior is actually what we wanted all along. The code comments are still wrong, though, and I'm concerned that this behavior was able to change twice without a test catching it.
So I propose to do the following:
- for 9.13, move `allow-update` and `allow-update-forwarding` to `zone_only_clauses` so that they'll cause a configuration error when used; for 9.12 and earlier, make this log a warning
- go over the documentation for all four ACLs and make sure it's completely clear
- fix the code comments
- add tests
An argument could be made that we should retroactively disclose the bug that existed from 9.5.1 until 9.12.0 in an operational notification, but we decided we were inclined against it in today's support meeting. Nevertheless, @mcnally advised marking this issue confidential for the time being.

Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/513
New metrics to report DNSSEC signing operations and IXFRs [ISC-support #13431]
2020-04-02T07:20:18Z
Sara Dickisnon

### Description
For large DNSSEC signed zones with frequent updates there are many signing operations happening both due to the updates and part of routing re-signing. If the zone has a secondary configured there are also frequent IXFRs, some of which can be very big. It would be helpful to have metrics to report and monitor this activity on the master.
### Versions
9.14.X, 9.15.X
### Request
The main request is to add the following metrics to the statistics:
1. Total number of signing operations
2. Number of maintenance signing operations (i.e. signature refresh/update)
It would be helpful to also give the key id used for signing.
Two further requests that would help with monitoring of outgoing IXFRs on busy masters (particularly when the secondary is operated by a different organisation):
1. Add metrics on the size of the IXFRs e.g. min, max and average size of IXFRs
2. Add the same details to the XFR log on the master that are reported on the secondary:
`transfer of 'example.com/IN' from 127.0.0.1#7753: Transfer completed: 1 messages, 14 records, 986 bytes, 0.001 secs (986000 bytes/sec)`. The log on the master currently only reports that the transfer started and ended.
### Links / references

BIND 9.14.4