ISC Open Source Projects issueshttps://gitlab.isc.org/groups/isc-projects/-/issues2024-01-04T18:32:15Zhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4516Handle multiple NSEC3PARAM records in tests2024-01-04T18:32:15ZMark AndrewsHandle multiple NSEC3PARAM records in testsThe dnssec system test failed when there were multiple NSEC3PARAM records in the zone. This happened in https://gitlab.isc.org/isc-projects/bind9/-/jobs/3898340 Extract the already reviewed and approved commit 1a52dccd323ece352da073ae01c...The dnssec system test failed when there were multiple NSEC3PARAM records in the zone. This happened in https://gitlab.isc.org/isc-projects/bind9/-/jobs/3898340 Extract the already reviewed and approved commit 1a52dccd323ece352da073ae01c8ede62c852b17 from the back port and treat it as a seperate issue.https://gitlab.isc.org/isc-projects/bind9/-/issues/4515Release Checklist for BIND 9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.202024-01-17T16:25:59ZMichal NowakRelease Checklist for BIND 9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20## Release Schedule
**Code Freeze:** Wednesday, 3 January 2024
**Tagging Deadline:** Monday, 8 January 2024
**Public Release:** Wednesday, 17 January 2024
## Documentation Review Links
**Closed issues assigned to the milestone wit...## Release Schedule
**Code Freeze:** Wednesday, 3 January 2024
**Tagging Deadline:** Monday, 8 January 2024
**Public Release:** Wednesday, 17 January 2024
## Documentation Review Links
**Closed issues assigned to the milestone without a release note:**
- [9.16.46](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes¬%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16)
- [9.16.46-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes¬%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16-S)
- [9.18.22](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes¬%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18)
- [9.18.22-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes¬%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18-S)
- [9.19.20](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes¬%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.19)
**Merge requests merged into the milestone without a release note:**
- [9.16.46](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16)
- [9.16.46-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16-sub)
- [9.18.22](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18)
- [9.18.22-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18-sub)
- [9.19.20](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29¬%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=main)
**Merge requests merged into the milestone without a `CHANGES` entry:**
- [9.16.46](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16)
- [9.16.46-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16-sub)
- [9.18.22](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18)
- [9.18.22-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18-sub)
- [9.19.20](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=January+2024+%289.16.46%2C+9.16.46-S1%2C+9.18.22%2C+9.18.22-S1%2C+9.19.20%29&label_name%5B%5D=No+CHANGES&target_branch=main)
## Release Checklist
### Before the Code Freeze
- [x] ***(QA)*** Rebase -S editions on top of current open-source versions: `git checkout bind-9.18-sub && git rebase origin/bind-9.18`
- [x] ***(QA)*** [Inform](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_supp_marketing.py) Support and Marketing of impending release (and give estimated release dates).
- [x] ***(QA)*** Ensure there are no permanent test failures on any platform. Check [public](https://gitlab.isc.org/isc-projects/bind9/-/pipelines?scope=all&source=schedule) and [private](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=all&source=schedule) scheduled pipelines.
- [x] ***(QA)*** Check charts from `shotgun:*` jobs in the scheduled pipelines to verify there is no unexplained performance drop for any protocol.
- [x] ***(QA)*** Check [Perflab](https://perflab.isc.org/) to ensure there has been no unexplained drop in performance for the versions being released.
- [x] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [x] ***(QA)*** Ensure that there are no outstanding [merge requests in the private repository](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/)[^1] (Subscription Edition only).
- [x] ***(QA)*** [Ensure](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/check_backports.py) all merge requests marked for backporting have been indeed backported.
- [x] ***(QA)*** [Announce](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_code_freeze.py) (on Mattermost) that the code freeze is in effect.
### Before the Tagging Deadline
- [x] ***(QA)*** Inspect the current output of the `cross-version-config-tests` job to verify that no unexpected backward-incompatible change was introduced in the current release cycle.
- [x] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well. [Example](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/510)
- [x] ***(QA)*** Add a release marker to `CHANGES`. Examples: [9.18](https://gitlab.isc.org/isc-projects/bind9/-/commit/f14d8ad78c0506fd4247187f2177f8eceeb6b3b9), [9.16](https://gitlab.isc.org/isc-projects/bind9/-/commit/1bcdf21874f99a00da389d723e0ad07dfd70f9f1)
- [x] ***(QA)*** Add a release marker to `CHANGES.SE` (Subscription Edition only). [Example](https://gitlab.isc.org/isc-private/bind9/-/commit/0f03d5737bcbdaa1bf713c6db1887b14938c3421)
- [x] ***(QA)*** Update BIND 9 version in `configure.ac` ([9.18+](https://gitlab.isc.org/isc-projects/bind9/-/commit/3c85ab7f4c35e6d8acef1393606002a0a8730100)) or `version` ([9.16](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7692/diffs?commit_id=1bcdf21874f99a00da389d723e0ad07dfd70f9f1)).
- [x] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org` (9.16).
- [x] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [x] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9.x.y`).
### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
- [x] ***(QA)*** Check that the formatting is correct for the HTML version of release notes.
- [x] ***(QA)*** Check that the formatting of the generated man pages is correct.
- [x] ***(QA)*** Verify GitLab CI results [for the tags](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=tags) created and sign off on the releases to be published.
- [x] ***(QA)*** Update GitLab settings for all maintained branches to allow merging to them again: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [x] ***(QA)*** Prepare (using [`version_bump.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/version_bump.py)) and merge MRs resetting the release notes and updating the version string for each maintained branch.
- [x] ***(QA)*** Rebase the Subscription Edition branches (including recent release prep commits) on top of the open source branches with updated version strings.
- [x] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
- [x] ***(QA)*** Request signatures for the tarballs, providing their location and checksums. Ask [signers on Mattermost](https://mattermost.isc.org/isc/channels/bind-9-qa).
- [x] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
- [x] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- [x] ***(QA)*** Verify tarball signatures and check tarball checksums again: Run `publish_bind.sh` on repo.isc.org to pre-publish.
- [x] ***(QA)*** Prepare the `patches/` subdirectory for each security release (if applicable).
- [x] ***(QA)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- [x] ***(QA)*** Build and test ASN and/or Subscription Edition packages (in [cloudsmith branch in private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith)). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/e2512f4cfaf991827a635e374e7e93b27a5f38ba)
- [x] ***(QA)*** Use the [Printing Press project](https://gitlab.isc.org/isc-private/printing-press/-/wikis/home#adding-new-documents) to prepare a release announcement email.
- [x] ***(Marketing)*** Update ASN documents in the SF portal.
- [x] ***(Marketing)*** Send out ASN emails (if applicable).
### On the Day of Public Release
- [x] ***(QA)*** ~~Wait for clearance from Security Officer to proceed with the public release (if applicable).~~
- [x] ***(QA)*** ~~Place tarballs in public location on FTP site.~~
- [x] ***(QA)*** ~~Inform Marketing of the release, providing FTP links for the published tarballs.~~
- [x] ***(Marketing)*** ~~Publish links to downloads on ISC website. [Example](https://gitlab.isc.org/website/theme-staging-site/-/commit/1ac7b30b73cb03228df4cd5651fa4e774ac35625)~~
- [x] ***(Marketing)*** ~~Update the BIND -S information document in SF with download links to the new versions. (If this is a security release, this will have already been done as part of the ASN process.)~~
- [x] ***(Marketing)*** ~~Update the Current Software Versions document in the SF portal if any stable versions were released.~~
- [x] ***(Marketing)*** ~~Send the release announcement email to the *bind-announce* mailing list (and to *bind-users* if a major release - [example](https://lists.isc.org/pipermail/bind-users/2022-January/105624.html)).~~
- [x] ***(Marketing)*** ~~Announce release on social media sites.~~
- [x] ***(Marketing)*** ~~Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).~~
- [x] ***(Support)*** ~~Add the new releases to the [vulnerability matrix in the Knowledge Base](https://kb.isc.org/docs/aa-00913).~~
- [x] ***(Support)*** ~~Update tickets in case of waiting support customers.~~
- [x] ***(QA)*** ~~Build and test any outstanding private packages in [private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/2007d566db81dd9dfd79e571e2f600a3bc284da4)~~
- [x] ***(QA)*** ~~Build [public RPMs](https://gitlab.isc.org/isc-packages/rpms/bind). [Example commit](https://gitlab.isc.org/isc-packages/rpms/bind/-/commit/3b5e851ea7c4e3570371a4878b5461f02a44f8cc) which triggers [Copr builds](https://copr.fedorainfracloud.org/coprs/isc/) automatically~~
- [x] ***(SwEng)*** ~~Build Debian/Ubuntu packages.~~
- [x] ***(SwEng)*** ~~Update Docker files [here](https://gitlab.isc.org/isc-projects/bind9-docker/-/branches) and make sure push is synchronized to [GitHub](https://github.com/isc-projects/bind9-docker). [Docker Hub](https://hub.docker.com/r/internetsystemsconsortium/bind9) should pick it up automatically. [Example](https://gitlab.isc.org/isc-projects/bind9-docker/-/commit/cada7e10e9af951595c98bfffc4bd42512faac05)~~
- [x] ***(QA)*** ~~Ensure all new tags are annotated and signed. `git show --show-signature v9.19.12`~~
- [x] ***(QA)*** ~~Push tags for the published releases to the public repository.~~
- [x] ***(QA)*** ~~Using [`merge_tag.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/merge_tag.py), merge published release tags back into the their relevant development/maintenance branches.~~
- [x] ***(QA)*** ~~Ensure `allow_failure: true` is removed from the `cross-version-config-tests` job if it was set during the current release cycle.~~
- [x] ***(QA)*** ~~Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.~~
- [x] ***(QA)*** ~~Sanitize [confidential issues](https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=milestone_due_desc&state=opened&confidential=yes) which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].~~
- [x] ***(QA)*** ~~Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant [`Dockerfile`](https://gitlab.isc.org/isc-projects/images/-/merge_requests/228/diffs).~~
- [x] ***(QA)*** ~~Run a pipeline to rebuild all [images](https://gitlab.isc.org/isc-projects/images) used in GitLab CI.~~
- [x] ***(QA)*** ~~Update [`metadata.json`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/metadata.json) with the upcoming release information.~~
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)Michal NowakMichal Nowakhttps://gitlab.isc.org/isc-projects/stork/-/issues/1270Feature request - bulk authorize machines2024-01-17T17:58:42ZPiotrek ZadrogaFeature request - bulk authorize machinesFeature proposal - bulk authorize more than one machine.
- Easy way - `Authorize all machines`
- More complicated way - `select machines and then bulk authorize selected`Feature proposal - bulk authorize more than one machine.
- Easy way - `Authorize all machines`
- More complicated way - `select machines and then bulk authorize selected`1.15Piotrek ZadrogaPiotrek Zadrogahttps://gitlab.isc.org/isc-projects/bind9/-/issues/4513System tests fail with Net::DNS 1.422024-01-03T01:01:34ZMark AndrewsSystem tests fail with Net::DNS 1.42Net::DNS::Nameserver->main_loop no longer loops. This breaks reclimit and chain system tests which use Net::DNS::Nameserver in ans.pl.Net::DNS::Nameserver->main_loop no longer loops. This breaks reclimit and chain system tests which use Net::DNS::Nameserver in ans.pl.January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/4512Unable to Query DoH with No TLS2024-01-01T10:56:16Z4c8lkkmy ufx71qkdUnable to Query DoH with No TLS### Summary
I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server behind a HTTPS load balancer however I am unable to perform any DNS query with the newly installed server.
### BIND version affected
BIND 9.18.18-0u...### Summary
I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server behind a HTTPS load balancer however I am unable to perform any DNS query with the newly installed server.
### BIND version affected
BIND 9.18.18-0ubuntu2-Ubuntu (Extended Support Version)
### Steps to reproduce
1. Run BIND9 with the below config
2. Query the BIND9 server with the following command
```plaintext
curl -v -H 'accept: application/dns-message' --http1.1 'http://<IP address of the BIND9 server>:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
```
### What is the current _bug_ behavior?
Returns the following
```plaintext
➜ curl -v -H 'accept: application/dns-message' --http1.1 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
* Trying 172.23.0.2:80...
* Connected to 172.23.0.2 (172.23.0.2) port 80
> GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
> Host: 172.23.0.2
> User-Agent: curl/8.5.0
> accept: application/dns-message
>
* Received HTTP/0.9 when not allowed
* Closing connection
curl: (1) Received HTTP/0.9 when not allowed
```
### What is the expected _correct_ behavior?
Returns DNS results such as this (This is with `tls ephemeral` in config)
```plaintext
➜ curl -k -H 'accept: application/dns-message' 'https://10.0.0.75:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 49 100 49 0 0 1866 0 --:--:-- --:--:-- --:--:-- 1884
00000000 00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 |.............www|
00000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 |.example.com....|
00000020 01 c0 0c 00 01 00 01 00 01 51 2a 00 04 5d b8 d8 |.........Q*..]..|
00000030 22 |"|
00000031
```
### Relevant configuration files
```plaintext
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
listen-on-v6 { any; };
// Custom Options From Here
allow-query { any;};
allow-transfer { none; };
listen-on port 53 { any; };
listen-on port 80 tls none http default { any; };
};
```
### Relevant logs
No new line available after issue happenshttps://gitlab.isc.org/isc-projects/bind9/-/issues/4511Bind9 Rpz Bug2023-12-29T05:15:58ZBei ChenBind9 Rpz BugIn bind9.18.16, when there are many domain names in the rpz.zone file, some domain names cannot be bocked and can be resolved normally.chroot.tar__4_.gz The configuration file is attached. Run the command "./sbin/named -u named -c /etc/n...In bind9.18.16, when there are many domain names in the rpz.zone file, some domain names cannot be bocked and can be resolved normally.chroot.tar__4_.gz The configuration file is attached. Run the command "./sbin/named -u named -c /etc/named.conf -t./chroot/named/" to run bind9.18.16.
For example, there is an intercepted domain name "www.f2pool.com" in my rpz file, which can be resolved normally when I try to access it. This is not normal, it should be able to intercept and return to the NXDOMAIN.
This could be a bug,please help me,Thank you.https://gitlab.isc.org/isc-projects/kea/-/issues/3199Minor Netconf documentation issue2024-01-11T15:07:21ZDarren AnkneyMinor Netconf documentation issueAs of the 2.4.1 version of the documentation, the ARM shows `output-options` in the example `kea-netconf` configurations found under https://kea.readthedocs.io/en/kea-2.4.1/arm/integrations.html#yang-netconf The `kea-netconf` daemon refu...As of the 2.4.1 version of the documentation, the ARM shows `output-options` in the example `kea-netconf` configurations found under https://kea.readthedocs.io/en/kea-2.4.1/arm/integrations.html#yang-netconf The `kea-netconf` daemon refuses to start until these are changed to `output_options` when using Kea 2.4.1 matching the version of the ARM.https://gitlab.isc.org/isc-projects/bind9/-/issues/4510Wrongly considering signatures-validity in "key lifetime is shorter than the ...2024-03-07T22:43:37ZLibor PeltanWrongly considering signatures-validity in "key lifetime is shorter than the time it takes to do a rollover"### Summary
For testing purposes, I tried to configure as short ZSK lifetime as possible (like 10 seconds). I kept failing with the error `key lifetime is shorter than the time it takes to do a rollover` until I discovered (by trial and...### Summary
For testing purposes, I tried to configure as short ZSK lifetime as possible (like 10 seconds). I kept failing with the error `key lifetime is shorter than the time it takes to do a rollover` until I discovered (by trial and error!) that this error wrongly considers `signatures-validity` and `signatures-refresh`.
This is in contrary to the documentation https://bind9.readthedocs.io/en/v9.18.18/reference.html#namedconf-statement-dnskey-ttl which claims that the ZSK lifetime minimum depends only on `dnskey-ttl`, `publish-safety`, `max-zone-ttl`, `retire-safety`, and `zone-propagation-delay`. See also #3416 .
It would be possible to fix this by adjusting the documentation, but I'd prefer to adjust the behaviour: there is no reason why ZSK lifetime should depend on RRSIG validity, only TTLs matter.
### BIND version affected
`BIND 9.18.18-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)`
### Steps to reproduce
```
dnssec-policy "triumph." {
keys {
zsk lifetime 18 algorithm ecdsa256;
ksk lifetime unlimited algorithm ecdsa256;
};
dnskey-ttl 3;
max-zone-ttl 4;
zone-propagation-delay 2;
publish-safety 1;
retire-safety 1;
};
```
(signatures-validity defaults to 14d and signatures-refresh to 5d, the difference is 9d and the zsk lifetime is denied unless I set it to more than 9d)
### What is the current *bug* behavior?
The configuration load fails with the aforementioned error whenever I set the ZSK lifetime to less than `signatures-validity - signatures-refresh`, which is contrary to the documentation https://bind9.readthedocs.io/en/v9.18.18/reference.html#namedconf-statement-dnskey-ttl
### What is the expected *correct* behavior?
Either the documentation should be aligned with the observed behavior, or the behavior (appearance of the error and failure to load conf) should be adjusted to not consider signatures-validity.March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)Matthijs Mekkingmatthijs@isc.orgMatthijs Mekkingmatthijs@isc.orghttps://gitlab.isc.org/isc-projects/kea/-/issues/3198vivso-suboptions not properly supported in Netconf2024-01-26T10:58:09ZDarren Ankneyvivso-suboptions not properly supported in NetconfAn example of configuration of `vivso-suboptions` is shown in the ARM (simplified here):
```
"Dhcp4": {
"option-data": [
{
"name": "vivso-suboptions",
"space": "dhcp4",
"data": "2234"
...An example of configuration of `vivso-suboptions` is shown in the ARM (simplified here):
```
"Dhcp4": {
"option-data": [
{
"name": "vivso-suboptions",
"space": "dhcp4",
"data": "2234"
},
{
"name": "vivso-suboptions",
"space": "dhcp4",
"data": "3561"
},
...
]
}
```
In the Kea yang definition found in: src/share/yang/modules/kea-dhcp4-server@2023-06-28.yang the keys are "code space" as shown here:
```
grouping option-data-list {
description "Option data list grouping.";
list option-data {
key "code space";
description "Option data entry.";
leaf code {
type uint8;
mandatory true;
description "Option code.";
}
leaf space {
type string;
mandatory true;
description "Option space.";
}
uses dhcp:option-data-name;
uses dhcp:option-data-data;
uses dhcp:option-data-csv-format;
uses dhcp:option-data-always-send;
uses dhcp:option-data-never-send;
uses dhcp:option-data-user-context;
}
}
```
which makes it impossible to create two option-data entries with the same space (dhcp4) and code (125 for VIVSO). This is as stated in [RFC6020](https://datatracker.ietf.org/doc/html/rfc6020#section-7.8.2):
> The combined values of all the leafs specified in the key are used to uniquely identify a list entry. All key leafs MUST be given values when a list entry is created.
So this `sysrepocfg` xml works:
```
<config xmlns="urn:ietf:params:xml:ns:yang:kea-dhcp4-server">
<subnet4>
<id>1</id>
<pool>
<start-address>192.168.20.100</start-address>
<end-address>192.168.20.200</end-address>
</pool>
<subnet>192.168.20.0/24</subnet>
</subnet4>
<option-data>
<code>125</code>
<space>dhcp4</space>
<data>2234</data>
</option-data>
<interfaces-config>
<interfaces>enp0s3</interfaces>
</interfaces-config>
<control-socket>
<socket-name>/tmp/kea-dhcp4-ctrl.sock</socket-name>
<socket-type>unix</socket-type>
</control-socket>
</config>
```
while this, with second entry for option 125, does not:
```
<config xmlns="urn:ietf:params:xml:ns:yang:kea-dhcp4-server">
<subnet4>
<id>1</id>
<pool>
<start-address>192.168.20.100</start-address>
<end-address>192.168.20.200</end-address>
</pool>
<subnet>192.168.20.0/24</subnet>
</subnet4>
<option-data>
<code>125</code>
<space>dhcp4</space>
<data>2234</data>
<code>125</code>
<space>dhcp4</space>
<data>3561</data>
</option-data>
<interfaces-config>
<interfaces>enp0s3</interfaces>
</interfaces-config>
<control-socket>
<socket-name>/tmp/kea-dhcp4-ctrl.sock</socket-name>
<socket-type>unix</socket-type>
</control-socket>
</config>
```
When an attempt to apply the configuration is made, the output is as follows:
```
$ sudo sysrepocfg -v debug -d startup -f xml -m kea-dhcp4-server --edit=startup4.xml
[INF] Connection 52 created.
[INF] Session 20 (user "root", CID 52) created.
libyang error: Invalid position of the key "code" in a list. (Data location "/kea-dhcp4-server:config/option-data[code='125'][space='dhcp4']/code", line number 14.)
sysrepocfg error: Data parsing failed
[INF] No datastore changes to apply.
```
Please see [SF1556](https://isc.lightning.force.com/lightning/r/Case/500S6000002qbYdIAI/view) for further details including some proposed solutions.kea2.5.5Andrei Pavelandrei@isc.orgAndrei Pavelandrei@isc.orghttps://gitlab.isc.org/isc-projects/bind9/-/issues/4508Crash in "host"2024-03-07T22:44:28ZAnand BuddhdevCrash in "host"### Summary
Running "host" with the -C option causes it to crash sometimes. I've observed it on my MacOS Sonoma 14.2.1 laptop, and I've also seen a report by Francisco Obispo of a similar crash on the bind-users mailing list.
### BIND ...### Summary
Running "host" with the -C option causes it to crash sometimes. I've observed it on my MacOS Sonoma 14.2.1 laptop, and I've also seen a report by Francisco Obispo of a similar crash on the bind-users mailing list.
### BIND version affected
```
BIND 9.18.21 (Extended Support Version) <id:cb6cff6>
running on Darwin x86_64 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.18.21' '--sysconfdir=/usr/local/etc/bind' '--localstatedir=/usr/local/var' '--with-json-c' '--with-libidn2=/usr/local/opt/libidn2' '--with-openssl=/usr/local/opt/openssl@3' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/libidn2/lib/pkgconfig:/usr/local/opt/libnghttp2/lib/pkgconfig:/usr/local/opt/libuv/lib/pkgconfig:/usr/local/opt/openssl@3/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/14'
compiled by CLANG Apple LLVM 15.0.0 (clang-1500.1.0.2.5)
compiled with OpenSSL version: OpenSSL 3.2.0 23 Nov 2023
linked to OpenSSL version: OpenSSL 3.2.0 23 Nov 2023
compiled with libuv version: 1.47.0
linked to libuv version: 1.47.0
compiled with libnghttp2 version: 1.58.0
linked to libnghttp2 version: 1.58.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.12
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /usr/local/etc/bind/named.conf
rndc configuration: /usr/local/etc/bind/rndc.conf
DNSSEC root key: /usr/local/etc/bind/bind.keys
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
named lock file: /usr/local/var/run/named/named.lock
```
### Steps to reproduce
Run `host -C by` or `host -C id.iq`
### What is the current *bug* behavior?
Sometimes, "host" crashes with this error:
```
% host -C by
Nameserver 31.44.1.137:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261150 3600 600 604800 3600
Nameserver 2a0e:b81:8001:1001::2:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261150 3600 600 604800 3600
netmgr/netmgr.c:1737: REQUIRE(handlep != ((void*)0) && *handlep == ((void*)0)) failed, back trace
0 libisc-9.18.21.dylib 0x000000011055bdd3 default_callback + 63
1 libisc-9.18.21.dylib 0x000000011055bd74 isc_assertion_failed + 10
2 libisc-9.18.21.dylib 0x0000000110546e12 isc__nmhandle_attach + 104
3 host 0x000000010ffd2e8f launch_next_query + 145
4 host 0x000000010ffd188f start_udp + 150
5 host 0x000000010ffd4963 recv_done + 3929
6 libisc-9.18.21.dylib 0x000000011054bd35 isc__nm_async_readcb + 149
7 libisc-9.18.21.dylib 0x000000011054aa8e isc__nm_readcb + 271
8 libisc-9.18.21.dylib 0x0000000110558f36 udp_recv_cb + 459
9 libisc-9.18.21.dylib 0x0000000110559fb4 isc__nm_udp_read_cb + 72
10 libuv.1.dylib 0x00000001104ded89 uv__udp_io + 354
11 libuv.1.dylib 0x00000001104e1c9f uv__io_poll + 1680
12 libuv.1.dylib 0x00000001104d214d uv_run + 258
13 libisc-9.18.21.dylib 0x0000000110545036 nm_thread + 115
14 libisc-9.18.21.dylib 0x000000011057e7ef isc__trampoline_run + 22
15 libsystem_pthread.dylib 0x00007ff80a073202 _pthread_start + 99
16 libsystem_pthread.dylib 0x00007ff80a06ebab thread_start + 15
[1] 85023 abort host -C by
```
### What is the expected *correct* behavior?
```
% host -C by
Nameserver 31.44.1.137:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 2a0e:b81:8001:1001::2:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 93.125.25.73:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 2a00:c827:a:3::2:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 185.98.83.4:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 2a00:c827:a:2::2:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 93.125.25.72:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 2a01:ba80:e:c:1::4c:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
Nameserver 31.44.5.245:
by has SOA record dns1.tld.becloud.by. support.becloud.by. 2312261200 3600 600 604800 3600
```
### Relevant configuration files
No relevant configuration file.
### Relevant logs
No relevant log.March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)Arаm SаrgsyаnArаm Sаrgsyаnhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4506FTBFS: configure: error: linking with -L/usr/lib/x86_64-linux-gnu/mit-krb5 do...2024-01-17T00:20:10ZJean-Christophe ManciotFTBFS: configure: error: linking with -L/usr/lib/x86_64-linux-gnu/mit-krb5 does not work### Summary
- ./configure fails with v9.19.19
- no such issue with v9.19.18 with the same workflow
### BIND version affected
v9.19.19
### Steps to reproduce
```
git checkout v9.19.19
export CFLAGS+=-Wno-error
export NOCONFIGURE=yes
a...### Summary
- ./configure fails with v9.19.19
- no such issue with v9.19.18 with the same workflow
### BIND version affected
v9.19.19
### Steps to reproduce
```
git checkout v9.19.19
export CFLAGS+=-Wno-error
export NOCONFIGURE=yes
autoreconf -f -i
./configure --build=x86_64-pc-linux-gnu \
--prefix=/usr --sysconfdir=/etc/bind --localstatedir=/ \
--datarootdir=/usr/share --docdir=/usr/share/doc --mandir=/usr/share/man \
--disable-querytrace \
--enable-auto-validation \
--enable-dnstap \
--enable-doh \
--enable-fixed-rrset \
--enable-full-report \
--enable-geoip \
--enable-largefile \
--enable-shared=yes \
--with-cmocka=yes \
--with-gnu-ld=yes \
--with-gssapi=/usr/bin/krb5-config \
--with-jemalloc=detect \
--with-json-c=yes \
--with-libidn2 \
--with-libxml2=yes \
--with-lmdb=auto \
--with-maxminddb=yes \
--with-openssl=/usr/lib/x86_64-linux-gnu \
--with-zlib=yes
```
### What is the current *bug* behavior?
```
checking for gss_acquire_cred... no
configure: error: linking with -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err does not work
```
### What is the expected *correct* behavior?
no configure error
### Environment
```
- Ubuntu mantic 23.10
- linux 6.6.0-14-generic #14-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 30 10:27:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
- krb5-multidev: 1.20.1-3ubuntu1
- libkrb5-dev: 1.20.1-3ubuntu1
```
```
git-bind9 ((v9.19.19))$ ls -al /usr/lib/x86_64-linux-gnu/mit-krb5
total 244
drwxr-xr-x 2 root root 4096 Dec 22 20:38 .
drwxr-xr-x 215 root root 241664 Dec 22 20:43 ..
lrwxrwxrwx 1 root root 24 Aug 24 20:07 libgssapi_krb5.so -> ../libgssapi_krb5.so.2.2
lrwxrwxrwx 1 root root 19 Aug 24 20:07 libgssrpc.so -> ../libgssrpc.so.4.2
lrwxrwxrwx 1 root root 21 Aug 24 20:07 libk5crypto.so -> ../libk5crypto.so.3.1
lrwxrwxrwx 1 root root 27 Aug 24 20:07 libkadm5clnt_mit.so -> ../libkadm5clnt_mit.so.12.0
lrwxrwxrwx 1 root root 19 Aug 24 20:07 libkadm5clnt.so -> libkadm5clnt_mit.so
lrwxrwxrwx 1 root root 26 Aug 24 20:07 libkadm5srv_mit.so -> ../libkadm5srv_mit.so.12.0
lrwxrwxrwx 1 root root 18 Aug 24 20:07 libkadm5srv.so -> libkadm5srv_mit.so
lrwxrwxrwx 1 root root 18 Aug 24 20:07 libkdb5.so -> ../libkdb5.so.10.0
lrwxrwxrwx 1 root root 17 Aug 24 20:07 libkrb5.so -> ../libkrb5.so.3.3
lrwxrwxrwx 1 root root 24 Aug 24 20:07 libkrb5support.so -> ../libkrb5support.so.0.1
```https://gitlab.isc.org/isc-projects/bind9/-/issues/4504named generates core and ends with signal SIGFPE, Arithmetic exception.2024-01-02T15:27:20Zsagar sagarnamed generates core and ends with signal SIGFPE, Arithmetic exception.<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please make sure that you make the new issue
confident...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please make sure that you make the new issue
confidential by clicking the checkbox at the bottom!
-->
### Summary
For max-cache-size value, 1823420M named is crashing with arithmetic exception and generating the core.
### BIND version affected
Version info
````
BIND 9.16.23-RH (Extended Support Version) <id:fde3b1f>
running on Linux x86_64 5.15.0-105.125.6.2.1.el9uek.x86_64 #2 SMP Thu Sep 14 21:51:15 PDT 2023
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--with-dlopen=yes' '--with-gssapi=yes' '--with-lmdb=yes' '--without-libjson' '--with-json-c' '--enable-dnstap' '--enable-fixed-rrset' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS= -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 11.4.1 20230605 (Red Hat 11.4.1-2.1.0.1)
compiled with OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
linked to OpenSSL version: OpenSSL 3.0.7 1 Nov 2022
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
````
### Relevant configuration files
Add max-cache-size value 1823420M option in named.conf to replicate the issue, why this particular value will be explained further in the report.
In our ssystem total memory is cat ./proc/meminfo | grep -i MemTotal
MemTotal: 2124386752 kB
we haven't configured the max cache size option in our configuration file so it takes the max-cache size to 90% of its total memory as seen in the log
````none:89: 'max-cache-size 90%' - setting to 1867136MB (out of 2074596MB)````
### Relevant logs
As soon as it start running it generates
````
Program terminated with signal SIGFPE, Arithmetic exception.
#0 0x00007f29bc9f5a8d in more_frags (new_size=0, ctx=0x7f29b032e6c0) at ../../../lib/isc/mem.c:457
457 frags = (int)(total_size / new_size);
[Current thread is 1 (Thread 0x7f29bb9e5640 (LWP 346082))]
(gdb) bt
#0 0x00007f29bc9f5a8d in more_frags (new_size=0, ctx=0x7f29b032e6c0) at ../../../lib/isc/mem.c:457
#1 mem_getunlocked (ctx=ctx@entry=0x7f29b032e6c0, size=size@entry=4294967296) at ../../../lib/isc/mem.c:522
#2 0x00007f29bca003ce in isc___mem_get (ctx0=0x7f29b032e6c0, size=4294967296, file=0x7f29bcc8e980 "../../../lib/dns/rbt.c", line=2387) at ../../../lib/isc/mem.c:1066
#3 0x00007f29bcb6c465 in rehash (newbits=<optimized out>, rbt=0x7f29b682d010) at ../../../lib/dns/rbt.c:2387
#4 maybe_rehash (rbt=0x7f29b682d010, newcount=<optimized out>) at ../../../lib/dns/rbt.c:2409
#5 0x00007f29bcb6d9d0 in dns_rbt_adjusthashsize (size=<optimized out>, rbt=<optimized out>) at ../../../lib/dns/rbt.c:1098
#6 dns_rbt_adjusthashsize (rbt=<optimized out>, size=<optimized out>) at ../../../lib/dns/rbt.c:1084
#7 0x00007f29bcb84dd9 in adjusthashsize (db=0x7f29b6829010, size=1911994449920) at ../../../lib/dns/rbtdb.c:8129
#8 0x000055742d5bd66b in configure_view (view=<optimized out>, viewlist=<optimized out>, config=0x7f29b6d60ee8, vconfig=0x0, cachelist=<optimized out>, kasplist=<optimized out>, bindkeys=0x0,
mctx=0x55742e088c40, actx=0x7f29bbb2f538, need_hints=true) at ../../../bin/named/server.c:4625
#9 0x000055742d5cba8b in load_configuration (filename=<optimized out>, server=server@entry=0x7f29b6d32010, first_time=first_time@entry=true) at ../../../bin/named/server.c:8997
#10 0x000055742d5cdc1e in run_server (task=<optimized out>, event=<optimized out>) at ../../../bin/named/server.c:9709
#11 0x00007f29bca221bd in task_run (task=0x7f29b6d3d010) at ../../../lib/isc/task.c:857
#12 isc_task_run (task=0x7f29b6d3d010) at ../../../lib/isc/task.c:950
#13 0x00007f29bca0d2a9 in isc__nm_async_task (worker=0x55742e09bfb0, ev0=0x7f29b6d478a8) at netmgr/../../../../lib/isc/netmgr/netmgr.c:873
#14 process_netievent (worker=worker@entry=0x55742e09bfb0, ievent=0x7f29b6d478a8) at netmgr/../../../../lib/isc/netmgr/netmgr.c:958
#15 0x00007f29bca0d425 in process_queue (worker=worker@entry=0x55742e09bfb0, type=type@entry=NETIEVENT_TASK) at netmgr/../../../../lib/isc/netmgr/netmgr.c:1027
#16 0x00007f29bca0dc17 in process_all_queues (worker=0x55742e09bfb0) at netmgr/../../../../lib/isc/netmgr/netmgr.c:798
#17 async_cb (handle=0x55742e09c310) at netmgr/../../../../lib/isc/netmgr/netmgr.c:827
#18 0x00007f29bc7a6b3d in uv__async_io (loop=0x55742e09bfc0, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163
#19 0x00007f29bc7c285e in uv__io_poll (loop=0x55742e09bfc0, timeout=<optimized out>) at src/unix/epoll.c:374
#20 0x00007f29bc7ac5a8 in uv__io_poll (timeout=<optimized out>, loop=0x55742e09bfc0) at src/unix/udp.c:122
#21 uv_run (loop=loop@entry=0x55742e09bfc0, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:389
#22 0x00007f29bca0d4b7 in nm_thread (worker0=0x55742e09bfb0) at netmgr/../../../../lib/isc/netmgr/netmgr.c:733
#23 0x00007f29bca1ff9a in isc__trampoline_run (arg=0x55742e09fe90) at ../../../lib/isc/trampoline.c:196
#24 0x00007f29bc200812 in start_thread (arg=<optimized out>) at pthread_create.c:443
#25 0x00007f29bc1a0450 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb)
````
I did some analysis the quantize function in mem_getunlocked is returning value zero for size =4294967296
I did testing around this and it seems like it can return zero for these cases and ours is one of them
````
for(size_t i=1;i<4294967399;i++)
{
size_t result = quantize(i);
if(result==0)
printf("%lu=%lu\n",i,result);
}
4294967289=0
4294967290=0
4294967291=0
4294967292=0
4294967293=0
4294967294=0
4294967295=0
4294967296=0
````https://gitlab.isc.org/isc-projects/kea-quick-config/-/issues/58Client Classification: At least one must be specified :(2023-12-21T20:21:20ZDarren AnkneyClient Classification: At least one must be specified :(At least one client classification must be specified or the configuration output fails with error `Unknown test expression encountered () while evaluating client-classes`. It should not be a requirement that a client class be specified....At least one client classification must be specified or the configuration output fails with error `Unknown test expression encountered () while evaluating client-classes`. It should not be a requirement that a client class be specified. Fix this error so it is possible to create a configuration that does not include client-classes.0.3Darren AnkneyDarren Ankneyhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4501ccmsg.c:156: REQUIRE(((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg...2024-02-08T08:25:35ZMichal Nowakccmsg.c:156: REQUIRE(((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg))->magic == ((('C') << 24 | ('C') << 16 | ('m') << 8 | ('s'))))) failedThe "resolver" BIND server of the `shutdown` system test (270c51f3289ef90d11136201555e665714e9c6a4) hit this assertion failure:
```
ccmsg.c:156: REQUIRE(((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg))->magic == ((('C') << 24 ...The "resolver" BIND server of the `shutdown` system test (270c51f3289ef90d11136201555e665714e9c6a4) hit this assertion failure:
```
ccmsg.c:156: REQUIRE(((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg))->magic == ((('C') << 24 | ('C') << 16 | ('m') << 8 | ('s'))))) failed
```
```
Core was generated by `/home/newman/isc/ws/bind9/bin/named/.libs/named -c /home/newman/isc/ws/bind9/bi'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c
Downloading source file /usr/src/debug/glibc-2.38-14.fc39.x86_64/nptl/pthread_kill.c...
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret)
[Current thread is 1 (Thread 0x7f21e1ac5600 (LWP 2500157))]
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c
#1 0x00007f21e0e598a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c
#2 0x00007f21e0e078ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c
#3 0x00007f21e0def8ff in __GI_abort () at abort.c
#4 0x0000000000417b2a in assertion_failed (file=0x7f21e205d504 "ccmsg.c", line=156, type=isc_assertiontype_require, cond=0x7f21e205d3b8 "((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg))->magic == ((('C') << 24 | ('C') << 16 | ('m') << 8 | ('s'))))") at main.c
#5 0x00007f21e20e52da in isc_assertion_failed (file=file@entry=0x7f21e205d504 "ccmsg.c", line=line@entry=156, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f21e205d3b8 "((ccmsg) != ((void *)0) && ((const isc__magic_t *)(ccmsg))->magic == ((('C') << 24 | ('C') << 16 | ('m') << 8 | ('s'))))") at assertions.c
#6 0x00007f21e205ac35 in ccmsg_senddone (handle=<optimized out>, eresult=<optimized out>, arg=<optimized out>) at ccmsg.c
#7 0x00007f21e20d1823 in isc___nm_sendcb () at netmgr/netmgr.c
#8 0x00007f21e20f207e in isc__job_cb (handle=<optimized out>) at job.c
#9 0x00007f21e1b7c4c1 in uv__run_idle (loop=0x7f21e06d3120) at /usr/src/debug/libuv-1.47.0-3.fc39.x86_64/src/unix/loop-watcher.c
#10 uv_run (loop=loop@entry=0x7f21e06d3120, mode=mode@entry=UV_RUN_DEFAULT) at /usr/src/debug/libuv-1.47.0-3.fc39.x86_64/src/unix/core.c
#11 0x00007f21e20f7c1c in loop_thread (arg=0x7f21e06d3100) at loop.c
#12 0x0000000000418928 in main (argc=4, argv=<optimized out>) at main.c
```
[core.2500157.gz](/uploads/4df47365e82ac8b142a829aec12b33e5/core.2500157.gz)
[named.conf](/uploads/c423a777ed372280af2f955ee966409a/named.conf)
[root.db](/uploads/4da97ae339cae47d2c59759d33d725c4/root.db)
[core.2500157-backtrace.txt](/uploads/ee973ce57716d32cf5b0507d869d20f7/core.2500157-backtrace.txt)
[named.run](/uploads/7c0ee4afa30cb3d164ae679d2445b4f0/named.run)
```
/home/newman/isc/ws/bind9/bin/tests/system/shutdown/tests_shutdown.py:207: in test_named_shutdown
assert named_proc.returncode == 0, "named crashed"
E AssertionError: named crashed
E assert -6 == 0
E + where -6 = <Popen: returncode: -6 args: ['/home/newman/isc/ws/bind9/bin/named/named', '...>.returncode
```March 2024 (9.16.49, 9.16.49-S1, 9.18.25, 9.18.25-S1, 9.19.22)https://gitlab.isc.org/isc-projects/stork/-/issues/1267Applications list filters by text when it's not supposed to2024-02-05T12:41:51ZPiotrek ZadrogaApplications list filters by text when it's not supposed toSteps to reproduce:
- Pagination must occur in Apps list (Kea or Bind, no difference here)
- filter by something that doesn't exist => zero results returned by filter
- navigate to different view
- go back to Apps list
- issue happens: ...Steps to reproduce:
- Pagination must occur in Apps list (Kea or Bind, no difference here)
- filter by something that doesn't exist => zero results returned by filter
- navigate to different view
- go back to Apps list
- issue happens: filtering is still applied (this may happen after going to other page in pagination)
Filter text input is empty
![image](/uploads/f31a9377bd6b13070ffed208f409d005/image.png)
But in the request to API the filter is still on, hence empty apps list
![image](/uploads/1a15084a115c187268dc639575b8c40e/image.png)
Bind apps (no results AND BTW also wrong breadcrumb :disappointed: ):
![image](/uploads/c69b858a310bedea7c7dcf2c26ce7544/image.png)
![image](/uploads/6b49eff412c3e718be21a2869a555869/image.png)1.15Piotrek ZadrogaPiotrek Zadrogahttps://gitlab.isc.org/isc-projects/bind9/-/issues/4500Log the change that generated "not exact" when applying a diff.2024-01-04T16:56:21ZMark AndrewsLog the change that generated "not exact" when applying a diff.Provide more information a "not exact" response is detected. Log name, class, type and operation being attempted.Provide more information a "not exact" response is detected. Log name, class, type and operation being attempted.January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)https://gitlab.isc.org/isc-projects/bind9/-/issues/4499The question about named_server_flushcache2023-12-19T12:39:09ZchengyechunThe question about named_server_flushcache
After analyzing the execution process of the rndc flush command based on the 9.19 branch, I found that the two judgment conditions in the 11813 line of the named_server_flushcache function cannot be met at the same time.
Scenario 1: If ...
After analyzing the execution process of the rndc flush command based on the 9.19 branch, I found that the two judgment conditions in the 11813 line of the named_server_flushcache function cannot be met at the same time.
Scenario 1: If the rdnc flush [view] parameter view is transferred, ptr is not empty and the first condition is met. However, needflush corresponding to the view is set to True in the 11781 branch, and the second condition is not met.
Scenario 2: If the view parameter is not transferred in rdnc flush [view], ptr is empty and the first condition cannot be met. In this case, the second condition is short-circuited in the 11813 line. Therefore, 11814 cannot be executed.
To sum up, I think the code in the 11813 line may be faulty. I hope to maintain the code for review. Thank you.https://gitlab.isc.org/isc-projects/bind9/-/issues/4498[GL #4494] followup: regression test was too strict2024-01-04T16:58:18ZMark Andrews[GL #4494] followup: regression test was too strictThe delta which records the addition of the private record for the NSEC3 to NSEC conversion can sometimes not be the first delta. Update the system test to handle it in a later delta.
https://gitlab.isc.org/isc-projects/bind9/-/jobs/38...The delta which records the addition of the private record for the NSEC3 to NSEC conversion can sometimes not be the first delta. Update the system test to handle it in a later delta.
https://gitlab.isc.org/isc-projects/bind9/-/jobs/3883570January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)https://gitlab.isc.org/isc-projects/bind9/-/issues/4497Kindly mute the 'trust-anchor-telemetry' experimental warning.2023-12-18T14:15:22ZJakub MocKindly mute the 'trust-anchor-telemetry' experimental warning.<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please make sure that you make the new issue
confident...<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please make sure that you make the new issue
confidential by clicking the checkbox at the bottom!
-->
### Summary
<!-- Concisely summarize the bug encountered. -->
Kindly mute the 'trust-anchor-telemetry' experimental warning.
### BIND version affected
<!--
Make sure you are testing with the **latest** supported version of BIND
for a given branch. Many bugs have been fixed over time!
See https://kb.isc.org/docs/supported-platforms for the current list.
The latest source is available from https://www.isc.org/download/#BIND
Paste the output of `named -V` here.
-->
```
BIND 9.18.20 (Extended Support Version) <id:>
running on FreeBSD amd64 13.2-RELEASE-p7 FreeBSD 13.2-RELEASE-p7 stable/23.7-n254871-d5ec322cffc SMP
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr/local' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd13.2' 'build_alias=amd64-portbld-freebsd13.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -Wl,-rpath,/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/usr/obj/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
compiled with OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
linked to OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
compiled with libuv version: 1.47.0
linked to libuv version: 1.47.0
compiled with libnghttp2 version: 1.58.0
linked to libnghttp2 version: 1.58.0
compiled with libxml2 version: 2.10.4
linked to libxml2 version: 21004
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
```
### Steps to reproduce
<!--
This is extremely important! Be precise and use itemized lists, please.
Even if a default configuration is affected, please include the full configuration
files _you were testing with_.
Example:
1. Use _attached_ configuration file
2. Start BIND server with command: `named -g -c named.conf ...`
3. Simulate legitimate clients using command `dnsperf -S1 -d legit-queries ...`
4. Simulate attack traffic using command `dnsperf -S1 -d attack-queries ...`
-->
1. Use _attached_ configuration file and start BIND server
### What is the current *bug* behavior?
<!-- What actually happens. -->
So this "experimental" features has been introduced about 5 years ago. Yet, after all that time, one or two warning lines are logged to syslog with `LOG_WARNING` severity, depending on whether you foolishly tried to mute the annoying hardcoded warning with the `trust-anchor-telemetry no;` option [as suggested in KB](https://kb.isc.org/docs/aa-01528). The hardcoded warning is annoying, doubling the pointless noise when you try to disable the feature - and, if fact, with a configuration that completely ignores DNSSEC since BIND is only used here to filter out AAAA for certain domains to avoid geolocation with IPv6 tunnels with certain domains - is just inexplicable.
### What is the expected *correct* behavior?
<!-- What you should see instead. -->
Do not log pointless warnings to syslog.
### Relevant configuration files
<!-- Paste any relevant configuration files here - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential issue, it is advisable to
obscure key secrets; this can be done automatically by using
`named-checkconf -px`. -->
```
acl "Allow_ACL" {
127.0.0.0/8;
};
controls {
inet 127.0.0.1 port 9530 allow {
127.0.0.1/32;
} keys {
"rndc-key";
};
};
logging {
channel "default_log" {
file "/var/log/named/named.log" versions 3 size 5242880;
print-time yes;
print-severity yes;
print-category yes;
};
channel "query_log" {
file "/var/log/named/query.log" versions 3 size 5242880;
print-time yes;
};
channel "rpz_log" {
file "/var/log/named/rpz.log" versions 3 size 5242880;
print-time yes;
};
category "default" {
"default_log";
};
category "general" {
"default_log";
};
category "queries" {
"query_log";
};
category "rpz" {
"rpz_log";
};
category "lame-servers" {
"null";
};
};
options {
directory "/usr/local/etc/namedb/working";
dump-file "/var/dump/named_dump.db";
listen-on port 53530 {
127.0.0.1/32;
};
listen-on-v6 port 53530 {
::1/128;
};
pid-file "/var/run/named/pid";
statistics-file "/var/stats/named.stats";
allow-recursion {
"Allow_ACL";
};
dnssec-validation no;
max-cache-size 80%;
recursion yes;
allow-query {
"Allow_ACL";
};
};
key "rndc-key" {
algorithm "hmac-sha256";
secret "????????????????????????????????????????????";
};
plugin query "/usr/local/lib/bind/filter-aaaa.so" {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa-on-v6 break-dnssec;
};
zone "." {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-forward.db";
};
zone "127.in-addr.arpa" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-reverse.db";
};
zone "0.ip6.arpa" {
type primary;
file "/usr/local/etc/namedb/primary/localhost-reverse.db";
};
```
### Relevant logs
<!-- Paste any relevant logs here - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise. -->
```
<28>1 2023-12-18T08:21:44+01:00 gw.example.com named 57351 - [meta sequenceId="31"] /usr/local/etc/namedb/named.conf:27: option 'trust-anchor-telemetry' is experimental and subject to change in the future
<28>1 2023-12-18T08:21:44+01:00 gw.example.com named 57351 - [meta sequenceId="30"] config.c: option 'trust-anchor-telemetry' is experimental and subject to change in the future
```January 2024 (9.16.46, 9.16.46-S1, 9.18.22, 9.18.22-S1, 9.19.20) (❗RECALLED❗)https://gitlab.isc.org/isc-projects/kea/-/issues/3193fix use after free when using botan2024-02-23T18:44:19ZRazvan Becheriufix use after free when using botan```plaintext
WARNING: ThreadSanitizer: heap-use-after-free (pid=73943)
Atomic write of size 4 at 0x7b0800000e68 by main thread:
#0 boost::detail::atomic_decrement(unsigned int*) /usr/include/boost/smart_ptr/detail/sp_counted_base_g...```plaintext
WARNING: ThreadSanitizer: heap-use-after-free (pid=73943)
Atomic write of size 4 at 0x7b0800000e68 by main thread:
#0 boost::detail::atomic_decrement(unsigned int*) /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:40 (libkea-cryptolink.so.48+0x8a2c)
#1 boost::detail::sp_counted_base::release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:118 (libkea-cryptolink.so.48+0x8a2c)
#2 boost::detail::shared_count::~shared_count() /usr/include/boost/smart_ptr/detail/shared_count.hpp:432 (libkea-cryptolink.so.48+0x8a2c)
#3 boost::shared_ptr<isc::cryptolink::RNG>::~shared_ptr() /usr/include/boost/smart_ptr/shared_ptr.hpp:335 (libkea-cryptolink.so.48+0x8a2c)
#4 boost::shared_ptr<isc::cryptolink::RNG>::reset() /usr/include/boost/smart_ptr/shared_ptr.hpp:687 (libkea-cryptolink.so.48+0x8a2c)
#5 operator() /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:74 (libkea-cryptolink.so.48+0x8a2c)
#6 _FUN /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:74 (libkea-cryptolink.so.48+0x8a2c)
#7 cxa_at_exit_wrapper ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:389 (libtsan.so.2+0x2e813)
Previous write of size 8 at 0x7b0800000e68 by main thread:
#0 operator delete(void*, unsigned long) ../../../../src/libsanitizer/tsan/tsan_new_delete.cpp:150 (libtsan.so.2+0x8cef5)
#1 boost::detail::sp_counted_impl_p<isc::cryptolink::RNGImpl>::~sp_counted_impl_p() /usr/include/boost/smart_ptr/detail/sp_counted_impl.hpp:64 (libkea-cryptolink.so.48+0x914e)
#2 boost::detail::sp_counted_base::destroy() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:99 (libkea-cryptolink.so.48+0x8c27)
#3 boost::detail::sp_counted_base::weak_release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:134 (libkea-cryptolink.so.48+0x8c27)
#4 boost::detail::sp_counted_base::release() /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:121 (libkea-cryptolink.so.48+0x8c27)
#5 boost::detail::shared_count::~shared_count() /usr/include/boost/smart_ptr/detail/shared_count.hpp:432 (libkea-cryptolink.so.48+0x8c27)
#6 boost::shared_ptr<isc::cryptolink::RNG>::~shared_ptr() /usr/include/boost/smart_ptr/shared_ptr.hpp:335 (libkea-cryptolink.so.48+0x8c27)
#7 isc::cryptolink::CryptoLink::~CryptoLink() /home/razvan/isc/git/kea-work/src/lib/cryptolink/botan_link.cc:27 (libkea-cryptolink.so.48+0x8c27)
#8 cxa_at_exit_wrapper ../../../../src/libsanitizer/tsan/tsan_interceptors_posix.cpp:389 (libtsan.so.2+0x2e813)
SUMMARY: ThreadSanitizer: heap-use-after-free /usr/include/boost/smart_ptr/detail/sp_counted_base_gcc_atomic.hpp:40 in boost::detail::atomic_decrement(unsigned int*)
==================
ThreadSanitizer: reported 1 warnings
```kea2.5.6Razvan BecheriuRazvan Becheriu