ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2023-09-14T14:23:48Z

https://gitlab.isc.org/isc-projects/keama/-/issues/8
keama build fails on illumos because of incorrect headers
2023-09-14T14:23:48Z
Ghost User
keama build fails with
```
keama.c: In function 'main':
keama.c:127:33: error: 'errno' undeclared (first use in this function)
"input: %s", strerror(errno));
^~~~~
```
on OpenIndiana, because sys/errno.h doesn't define errno.
The following patch helps.
[004-errno.patch](/uploads/5df1a6ea904a544f2444cac4d6895fa6/004-errno.patch)
4.5.0

https://gitlab.isc.org/isc-projects/keama/-/issues/14
Keama should be more verbose
2023-09-14T14:23:48Z
Tomek Mrugalski
Right now keama is completely silent in positive case. It would be useful to write something to stdout when the conversion happens. Something like:
- "Reading input file xyz.conf"
- "Subnet 123.45.67.89/24 converted"
- "Hostname 11:22:33:44:55:66 converted"
- "Written output to xyz.json"
This would be useful for users to know how the conversion went. When implementing the web interface, I've tried to capture stdout and stderr from keama, but couldn't make it print anything useful on stdout.
4.5.0
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/keama/-/issues/26
Tweak migrated.html template for migration fail cases
2023-09-14T14:23:48Z
Piotrek Zadroga
When using keama web interface for migration, when there is any error during migration then `migrated.html` template is rendered in the same way like in case of a success.
e.g. `download` and `share` links have `(empty)` file.
I think it should be rendered differently, have another feedback to the user, links should be hidden etc.
4.5.0
Piotrek Zadroga

https://gitlab.isc.org/isc-projects/keama/-/issues/13
web interface for keama
2023-09-14T14:23:48Z
Tomek Mrugalski
We need a web interface for Keama. Let's do some experiments.
4.5.0
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/keama/-/issues/31
Change keama web interface to be inline with isc.org style
2023-09-14T14:23:48Z
Piotrek Zadroga
Keama web interface, especially the one hosted as https://dhcp.isc.org/, could look more like official isc.org page.
4.5.0
Piotrek Zadroga

https://gitlab.isc.org/isc-projects/keama/-/issues/1
Isolate keama from DHCP sources
2023-09-14T14:23:48Z
Tomek Mrugalski
This repository started as a clone of ISC DHCP, with client, server, relay, omapi etc.
The goal of this ticket is to do the initial:
- removal of client, relay, server code
- enable keama to be built by default
- update some basic documentation
- update the project to identify as keama
4.5.0
Tomek Mrugalski

https://gitlab.isc.org/isc-projects/bind9/-/issues/4317
The primary server does not send notify information
2023-09-14T09:10:44Z
liangzyeu liangze
### Summary
My primary bind server needed to synchronize 13 zone files to 3 secondary servers, but 1-2 zone synchronization was missed each time. I found through logs that the primary bind did not send notify information to the secondary server. But one solution I have is to execute rndc reload twice every time you modify the zone file to synchronize it all. What's the problem?
### BIND version used
```
[root@ops-sandbox-86-10 zone]# named -V
BIND 9.12.2-P1 <id:8914b83>
running on Linux x86_64 3.10.0-1062.52.2.el7.x86_64 #1 SMP Thu Jul 8 09:03:01 UTC 2021
built by make with '--prefix=/usr/local/named' '--sysconfdir=/data/named/named_53' '--enable-threads' '--enable-largefile' '--enable-epoll' '--disable-ipv6' '--with-openssl'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-16)
compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
threads support is enabled
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/4303
dnstap logging based on rcode
2023-09-13T14:09:41Z
Petr Špaček <pspacek@isc.org>
### Motivation
When FORMERR or SERVFAIL happen in the middle of resolution, we don't have exact information what we have sent and what exactly came back. We have to guess and attempt to reproduce the problem with `dig` or other tools.
### Request
Add parameter to `dnstap` statement which would allow logging just selected RCODEs. Presumably FORMERR and/or SERVFAIL. I imagine that this could be so low-touch that it could be running in production indefinitely (as a cyclic buffer).
### Links / references
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3847
rndc test fails because zone was still frozen
2023-09-13T13:32:43Z
Michal Nowak
Job [#3125905](https://gitlab.isc.org/isc-private/bind9/-/jobs/3125905) failed for 99783f9a5ee4691963a7c96001c13bfb3d72d740:
```
I:rndc:checking zone now writable (5)
I:rndc:failed
I:rndc:rndc sync
I:rndc:checking zone was dumped (6)
I:rndc:failed
```
`rndc:checking zone now writable` fails because `nsupdate`, which updates zone `nil.`, adding `text3.nil. 600 IN TXT "addition 3"`, failed with `update failed: REFUSED`. `named` says that the `nil.` zone is still frozen and needs to be thawed:
```
client @0x7f1a6d0f5f68 10.53.0.1#34800/key local-ddns: updating zone 'nil/IN': update failed: dynamic update temporarily disabled because the zone is frozen. Use 'rndc thaw' to re-enable updates. (REFUSED)
```
It appears that `rndc thaw` command, [issued shortly before](https://gitlab.isc.org/isc-private/bind9/-/jobs/3125905#L8057), did not thaw the zone yet. (Likely due to IO load in the CI.)
As "addition 3" hasn't been added to the zone, `rndc:checking zone was dumped` subsequently fails as well.
[nsupdate.out.1.test5.txt](/uploads/46de1b39846f30fa8f2314b870b8ce78/nsupdate.out.1.test5.txt)
[dig.out.1.test5.txt](/uploads/4a5c5701ca17059150339e5ef248d498/dig.out.1.test5.txt)
[named.run.txt](/uploads/06162facd4d5d0ffca4921ad7af6a540/named.run.txt)
[nil.db.txt](/uploads/b1e0e79f8ec7cec4461a938d680d2919/nil.db.txt)
August 2023 (9.16.43, 9.16.43-S1, 9.18.18, 9.18.18-S1, 9.19.16)
Michal Nowak

https://gitlab.isc.org/isc-projects/stork/-/issues/1153
add pool statistics to prometheus
2023-09-12T13:48:16Z
Razvan Becheriu
new stats have been added in 2.4.0:
v4:
```
"subnet[1].pool[0].assigned-addresses": [
[
0,
"2023-06-13 20:42:46.836205"
]
],
"subnet[1].pool[0].cumulative-assigned-addresses": [
[
0,
"2023-06-13 20:42:46.836137"
]
],
"subnet[1].pool[0].declined-addresses": [
[
0,
"2023-06-13 20:42:46.836213"
]
],
"subnet[1].pool[0].reclaimed-declined-addresses": [
[
0,
"2023-06-13 20:42:46.836225"
]
],
"subnet[1].pool[0].reclaimed-leases": [
[
0,
"2023-06-13 20:42:46.836236"
]
],
"subnet[1].pool[0].total-addresses": [
[
11010049,
"2023-06-13 20:42:46.836128"
]
],
```
v6:
```
"subnet[1].pd-pool[0].assigned-pds": [
[
0,
"2023-06-13 21:28:57.196785"
]
],
"subnet[1].pd-pool[0].cumulative-assigned-pds": [
[
0,
"2023-06-13 21:28:57.196744"
]
],
"subnet[1].pd-pool[0].reclaimed-leases": [
[
0,
"2023-06-13 21:28:57.196789"
]
],
"subnet[1].pd-pool[0].total-pds": [
[
256,
"2023-06-13 21:28:57.196741"
]
],
"subnet[1].pool[0].assigned-nas": [
[
0,
"2023-06-13 21:28:57.196773"
]
],
"subnet[1].pool[0].cumulative-assigned-nas": [
[
0,
"2023-06-13 21:28:57.196739"
]
],
"subnet[1].pool[0].declined-addresses": [
[
0,
"2023-06-13 21:28:57.196775"
]
],
"subnet[1].pool[0].reclaimed-declined-addresses": [
[
0,
"2023-06-13 21:28:57.196779"
]
],
"subnet[1].pool[0].reclaimed-leases": [
[
0,
"2023-06-13 21:28:57.196783"
]
],
"subnet[1].pool[0].total-nas": [
[
281474976710656,
"2023-06-13 21:28:57.196736"
]
],
```
backlog

https://gitlab.isc.org/isc-projects/stork/-/issues/1149
Distinguish between the Agent hostname and binds address
2023-09-12T13:45:51Z
Slawek Figiel
The issue was reported on [our mailing list](https://lists.isc.org/pipermail/stork-users/2023-August/000168.html).
> Configuration of STORK_AGENT_HOST required special handling. Within the Kea container, I do not know what the IP address will be. Setting it to 0.0.0.0 allows Stork Agent to bind, but Stork Server will naturally never be able to connect to this. Stork Server communicates with Kea via a ClusterIP service pointing to Kea pod(s). However, within the Kea pod, Stork Agent cannot bind to this ClusterIP service. In the end, I had to resort to DNS trickery: I let the Stork Server pod resolve the ClusterIP service name as normal, though within the Kea pod this ClusterIP service resolves to 0.0.0.0, which is sufficient for Stork Agent to bind. (For those interested, I used hostAliases in the deployment YAML to override the pod DNS.) Could another environment variable be introduced to distinguish between the Stork Agent hostname as called by Stork Server and what Stork Agent binds to?
backlog

https://gitlab.isc.org/isc-projects/stork/-/issues/1146
Human readable User Context on lease page
2023-09-12T13:38:56Z
Sorin Esanu
Most of the content in User Context section of the lease page is hex encoded and contains valuable information:
- option 82 for DHCPv4
- interface-id and remote-id (options 18 & 37) for DHCPv6.
It would be very useful if these options would be printed in a human readable format and be searchable via leases search field.
Thank you!
backlog

https://gitlab.isc.org/isc-projects/stork/-/issues/1139
Any plans to implement DHCP Bulk Leasequery?
2023-09-12T13:35:24Z
fue36
---
name: Feature request
about: Suggest an idea for this project
---
Command support added to leasequery hook in Kea-DHCP as of 2.3.5 on dhcp-4 and dhcp-6 when using memfile back-end. :smile:
https://kea.readthedocs.io/en/latest/arm/hooks.html#lease-query-leasequery
backlog

https://gitlab.isc.org/isc-projects/stork/-/issues/237
Req 2.2.1: Show host reservation status
2023-09-12T13:33:55Z
Tomek Mrugalski
This is a follow-up to req 2.2 (#45) that asked for host reservations. This set of requirements outlined here require also getting lease information and correlating it with the host reservations:
* [ ] I would like to be able to sort this date the lease was assigned to a client.
* [ ] I would like to be able to apply a filter to show either all addresses assigned, or all host reservations not claimed.
* [x] I would like to see if a lease for this reservation has actually been requested and assigned. #530
The use case is, determining if there are configured host reservations not being used (I might remove them) or hosts that I expect to be using leases that are not on-line for some reason.
backlog

https://gitlab.isc.org/isc-projects/bind9/-/issues/4313
automate root.hints up-to-date check
2023-09-12T13:12:02Z
Petr Špaček <pspacek@isc.org>
### Problem
Right now root.hints file content is hardcoded into lib/dns/rootns.c, and not checked in any automated way I know of.
### Request
Use some automated process to check content of the file. E.g. a new job in the scheduled pipeline which would check content of the file against https://www.internic.net/domain/db.cache or something like that.
### Links / references

https://gitlab.isc.org/isc-projects/bind9/-/issues/3958
Adjust default tcp-clients value upward
2023-09-12T09:09:13Z
Vicky Risk <vicky@isc.org>
The default for tcp-clients is set at 150. As more users are now supporting encrypted DNS, which sessions use TCP, it is likely that the % of overall DNS sessions using TCP will increase, and the current default quota will be too low for many users.
Although it is impossible to determine the ideal setting for all users, it seems likely that users who need to limit TCP sessions can support at least an order of magnitude more sessions, like maybe 2,000.
If we are very worried about impacting small-system users of BIND, perhaps we could just change the setting for BIND -S, which is not available to hobbyists?

https://gitlab.isc.org/isc-projects/stork/-/issues/1159
REST API call for 'config-set' seems to be not applying configuration
2023-09-12T05:25:39Z
Sandeep Gagalapally
Hello,
I am trying to apply new dhcp4 configuration using the 'config-set' command and I get an output as "Configuration successful" but I don't see the changes in effect on the configuration file or the new configuration is not updated.
Reading through the documentation I see the change is applied in memory and a reload will keep the old config? What should I do to have the changes to config take place?
Thanks
Sandeep

https://gitlab.isc.org/isc-projects/bind9/-/issues/3813
Duplicate key IDs across algorithms are not handled correctly.
2023-09-11T16:19:33Z
Mark Andrews
Job [#3089156](https://gitlab.isc.org/isc-projects/bind9/-/jobs/3089156) failed for e706fb81ca2f46f893bc96216544b73a16022884:
```
I:nsec3:check number of keys for zone nsec3-to-rsasha1.kasp in dir ns3 (103)
I:nsec3:check key id 08113
I:nsec3:check key id 08113
I:nsec3:KEY1 ID 8113
I:nsec3:KEY2 ID 8113
I:nsec3:error: bad DNSKEY RRset for zone nsec3-to-rsasha1.kasp
I:nsec3:failed
```
```
% ls ns3/*nsec3-to-rsasha1.kasp*
ns3/Knsec3-to-rsasha1.kasp.+005+08113.key ns3/Knsec3-to-rsasha1.kasp.+013+08113.private ns3/nsec3-to-rsasha1.kasp.db.signed
ns3/Knsec3-to-rsasha1.kasp.+005+08113.private ns3/Knsec3-to-rsasha1.kasp.+013+08113.state ns3/nsec3-to-rsasha1.kasp.db.signed.jnl
ns3/Knsec3-to-rsasha1.kasp.+005+08113.state ns3/nsec3-to-rsasha1.kasp.db
ns3/Knsec3-to-rsasha1.kasp.+013+08113.key ns3/nsec3-to-rsasha1.kasp.db.jbk
%
```
```
% more *103
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50279
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: b4e1d78c34d15ba70100000063c9e02dac6c36fa7c841c69 (good)
;; QUESTION SECTION:
;nsec3-to-rsasha1.kasp. IN DNSKEY
;; ANSWER SECTION:
nsec3-to-rsasha1.kasp. 3600 IN DNSKEY 257 3 5 AwEAAawagVzMn34eS6HLSz9abmIkj9l1migiobJkbGX2CoDqh+xaQ5mI UIPmS6AUMqKEsPL5hH0YWkD4qRKLe9HtC8e73mqpZBYmd5KhEsvPPSaB Za17TRTlTSpfJpE3XTL5LCUIxDBpgfz/NNLNChIMTLM4hKLnVoWhvz13 3Q9Xvma+wpb7l1OZVEf0kDxapvJo2Hug941E7OxNuGI8h0QmE5XA9Pxj c+BpIbx01U5iwKK47q0Zh57El7E86wxgzw+hBdE0sK/tJPFFA0WwvPl8 zY/MzyNunDiOUG9PdmB2hWszDAVzlUXheHv4/Glf/bK8JTYBeuA8zxe7 i8OlSwvST60=
nsec3-to-rsasha1.kasp. 3600 IN RRSIG DNSKEY 5 2 3600 20230203002817 20230119232817 8113 nsec3-to-rsasha1.kasp. DhIH5wi/8VCZ3WEr+R4B1NGvOD7U1UKUZQPQCg+xWAxmldsNAMhCdvTu eJpg4WryFyrmlZcbfzHEMv29tqpUMn+azZORdjX9VI0unBzElwfIAdn1 6Dapbq8n4CuBm3CsDM5plxVj/EUnJET/PKacyimC8CfuwqRlxDoxesuF ohY2Xt01NUqHp9ETrOJkPdd+hiL45j1YcrPYPWCpCFrpHVhMbnOpXajq UqQw5WgH0P2O/vPEwaqSVjgUtdQqguv/ebQAZ4C7N7zxQa9gv+Y7YEJa OJl0IMmmJt4FMuqAytvdSsZjz1QslYWXCkiAEVIxmsd2x7kDB44s6ml/ yApNxw==
%
```
Not planned
Matthijs Mekking <matthijs@isc.org>

https://gitlab.isc.org/isc-projects/stork/-/issues/983
CodeQL: Hardcoded credentials
2023-09-11T11:54:32Z
Slawek Figiel
CodeQL is unhappy with our hardcoded certificates for testing purposes and namings in the `pki` package.
We can generate the certificates on demand in test runtime. [Gist](https://gist.github.com/sdorra/1c95de8cb80da31610d2ad767cd6f251)
Sources:
- https://github.com/isc-projects/stork/security/code-scanning/136
- https://github.com/isc-projects/stork/security/code-scanning/135
- https://github.com/isc-projects/stork/security/code-scanning/134
- https://github.com/isc-projects/stork/security/code-scanning/133
- https://github.com/isc-projects/stork/security/code-scanning/132
- https://github.com/isc-projects/stork/security/code-scanning/131
- https://github.com/isc-projects/stork/security/code-scanning/130
- https://github.com/isc-projects/stork/security/code-scanning/129
- https://github.com/isc-projects/stork/security/code-scanning/128
- https://github.com/isc-projects/stork/security/code-scanning/127
- https://github.com/isc-projects/stork/security/code-scanning/126
backlog

https://gitlab.isc.org/isc-projects/kea-docker/-/issues/15
CI: Fix hadolint issues
2023-09-11T11:09:54Z
Tomek Mrugalski
Now that we have `hadolint` as part of our CI pipelines, we should address the issues it reports.
Here's an [Aug 24 pipeline](https://gitlab.isc.org/isc-projects/kea-docker/-/jobs/3609017).
As of today, the amount of issues reported is minimal. If we do not want to do what hadolint suggests, we should selectively disable its specific warnings.
Once the pipelines are clean, we should enable the "pipelines must succeed" option for this project.