1. 04 Sep, 2020 9 commits
  2. 03 Sep, 2020 4 commits
  3. 02 Sep, 2020 27 commits
    • Mark Andrews's avatar
      Merge branch... · 4e6635f1
      Mark Andrews authored
      Merge branch '2115-the-load-of-huge-zone-can-take-over-100-secs-when-running-under-a-sanitiser-v9_16' into 'v9_16'
      
      Increase zone load timeout in the "rndc" test
      
      See merge request isc-projects/bind9!4076
      4e6635f1
    • Mark Andrews's avatar
      Increase zone load timeout in the "rndc" test · 91daae5c
      Mark Andrews authored
      The "huge.zone" zone can take longer than 100 seconds to load when
      running under a sanitizer.  Increase the relevant zone load timeout to
      prevent intermittent failures of the "rndc" system test.
      
      (cherry picked from commit fd08918d)
      91daae5c
    • Mark Andrews's avatar
      Merge branch '2084-9-11-data-race-in-dispatch_test-2-v9_16' into 'v9_16' · 0b4b2e99
      Mark Andrews authored
      Resolve "9.11 data race in dispatch_test"
      
      See merge request isc-projects/bind9!4075
      0b4b2e99
    • Mark Andrews's avatar
      watch_fd also requires thread->fdlock[lockid] to be held · e6332e4a
      Mark Andrews authored
      (cherry picked from commit 22f499cd)
      e6332e4a
    • Mark Andrews's avatar
      remove dead code · eadfe4b6
      Mark Andrews authored
      (cherry picked from commit e923e62f)
      eadfe4b6
    • Ondřej Surý's avatar
      Merge branch '2091-print-out-more-diagnostics-on-dns_name_issubdomain-v9_16' into 'v9_16' · cfeb3bf8
      Ondřej Surý authored
      Print diagnostics on dns_name_issubdomain() failure in fctx_create()
      
      See merge request isc-projects/bind9!4073
      cfeb3bf8
    • Ondřej Surý's avatar
      Print diagnostics on dns_name_issubdomain() failure in fctx_create() · 56d2cf6f
      Ondřej Surý authored
      Log a diagnostic message when dns_name_issubdomain() fails in fctx_create()
      when the resolver is qname minimizing and forwarding at the same time.
      
      (cherry picked from commit 0a22024c)
      56d2cf6f
    • Ondřej Surý's avatar
      Merge branch '1847-recursor-has-issues-recursing-ip6-arpa-v9_16' into 'v9_16' · 184b6087
      Ondřej Surý authored
      Resolve "9.16.* recursor has issues recursing" [v9.16]
      
      See merge request isc-projects/bind9!4070
      184b6087
    • Diego dos Santos Fronza's avatar
      Add CHANGES and release note for GL #1847 · d791f049
      Diego dos Santos Fronza authored
      (cherry picked from commit 044a72cc)
      d791f049
    • Diego dos Santos Fronza's avatar
      Added test for the proposed fix · 55c0fa2b
      Diego dos Santos Fronza authored
      The test works as follows:
      
      1. Client wants to resolve unusual ip6.arpa. name:
      
         test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. IN TXT
      
      2. Query is sent to ns7, a qmin enabled resolver.
      
      3. ns7 does the first stage in query minimization for the name and sends a new
         query to root (ns1):
      
        _.1.0.0.2.ip6.arpa.        IN  A
      
      4. ns1 delegates ip6.arpa. to ns2.good.:
      
          ;; AUTHORITY SECTION:
          ;ip6.arpa.      20  IN  NS  ns2.good.
      
          ;; ADDITIONAL SECTION:
          ;ns2.good.      20  IN  A   10.53.0.2
      
      5. ns7 does a second round in minimizing the name and sends a new query
         to ns2.good. (10.53.0.2):
      
         _.8.2.6.0.1.0.0.2.ip6.arpa.    IN  A
      
      6. ans2 delegates 8.2.6.0.1.0.0.2.ip6.arpa. to ns3.good.:
      
          ;; AUTHORITY SECTION:
          ;8.2.6.0.1.0.0.2.ip6.arpa. 60   IN  NS  ns3.good.
      
          ;; ADDITIONAL SECTION:
          ;ns3.good.      60  IN  A   10.53.0.3
      
      7. ns7 does a third round in minimizing the name and sends a new query to
         ns3.good.:
      
          _.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. IN A
      
      8. ans3 delegates 1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. to ns4.good.:
      
          ;; AUTHORITY SECTION:
          ;1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 60 IN    NS  ns4.good.
      
          ;; ADDITIONAL SECTION:
          ;ns4.good.      60  IN  A   10.53.0.4
      
      9. ns7 does a fourth round in minimizing the name and sends a new query to
         ns4.good.:
      
      	_.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.    IN A
      
      10. ns4.good. doesn't know such a name, but answers stating it is authoritative for
          the domain:
      
      	;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  53815
      	...
      	;; AUTHORITY SECTION:
      	1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 60 IN    SOA ns4.good.  ...
      
      11. ns7 does another minimization on name:
         _.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa
         sends to ns4.good. and gets the same SOA response stated in item #10
      
      12. ns7 does another minimization on name:
      	_.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa
      	sends to ns4.good. and gets the same SOA response stated in item #10.
      
      13. ns7 does the last query minimization name for the ip6.arpa. QNAME.
      	After all IPv6 labels are exhausted the algorithm falls back to the
      	original QNAME:
      	test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa
      
          ns7 sends a new query with the original QNAME to ans4.
      
      14. Finally ans4 answers with the expected response:
      	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  40969
      	;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      	;; OPT PSEUDOSECTION:
      	; EDNS: version: 0, flags:; udp: 8192
      	;; QUESTION SECTION:
      	;test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. IN TXT
      
      	;; ANSWER SECTION:
      	;test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa. 1    IN TXT "long_ip6_name"
      
      (cherry picked from commit 11add691)
      55c0fa2b
    • Diego dos Santos Fronza's avatar
      Fix resolution of unusual ip6.arpa names · eb9d8e9e
      Diego dos Santos Fronza authored
      Before this commit, BIND was unable to resolve ip6.arpa names like
      the one reported in issue #1847 when using query minimization.
      
      As reported in the issue, an attempt to resolve a name like
      'rec-test-dom-158937817846788.test123.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.3.4.3.5.4.0.8.2.6.0.1.0.0.2.ip6.arpa'
      using default settings would fail.
      
      The reason was that the query minimization algorithm in 'fctx_minimize_qname'
      would divide any ip6.arpa names in increasing number of labels,
      7, 11, ... up to 35, thus limiting the destination name (minimized) to a number
      of 35 labels.
      
      In case the last query minimization attempt (with 35 labels) would fail with
      NXDOMAIN, BIND would attempt the query minimization again with the exact
      same QNAME, limited on the 35 labels, and that in turn would fail again.
      
      This fix avoids this fail loop by considering the extra labels that may appear
      in the leftmost part of an ip6.arpa name, those after the IPv6 part.
      
      (cherry picked from commit 230d79c1)
      eb9d8e9e
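
The label boundaries described in the commit message above, and walked through in steps 3 to 13 of the test commit before it, modeled as an added Python example. This is not BIND code: the boundary list 7, 11, 15, 17, 19, 35 is read off the test walk-through (counting the root label, not the "_" placeholder), and the function names are hypothetical.

```python
# Simplified model of ip6.arpa QNAME minimization; added example, not BIND code.
# Label counts include the root label and exclude the "_" placeholder.
IP6_ARPA_STEPS = (7, 11, 15, 17, 19, 35)  # read off steps 3-12 of the test

# QNAME used by the system test described on this page.
TEST_QNAME = ("test1.test2." + "0." * 16 +
              "9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.")


def next_label_count(current, total, fixed):
    """Label count for the next minimized query (hypothetical helper)."""
    for step in IP6_ARPA_STEPS:
        if current < step:
            return min(step, total)
    # All 32 nibble labels are used up. The old logic stays capped at 35;
    # the fixed logic accounts for the extra leftmost labels.
    return total if fixed else min(35, total)


def qmin_trace(qname, fixed, max_queries=12):
    """Return (queries, reached_full_qname), assuming every minimized query
    is answered with a delegation or NXDOMAIN, as in the test."""
    parts = [p for p in qname.rstrip(".").split(".") if p]
    total = len(parts) + 1  # +1 for the root label
    sent, current = [], 0
    while len(sent) < max_queries:
        current = next_label_count(current, total, fixed)
        if current >= total:
            sent.append(".".join(parts) + ".")  # original QNAME
            return sent, True
        query = "_." + ".".join(parts[-(current - 1):]) + "."
        if sent and sent[-1] == query:
            return sent, False  # same 35-label query again: the fail loop
        sent.append(query)
    return sent, False


if __name__ == "__main__":
    for fixed in (False, True):
        queries, ok = qmin_trace(TEST_QNAME, fixed)
        print("fixed" if fixed else "before fix", "-> resolved:", ok)
        for q in queries:
            print("   ", q)
```

With the fix modeled, the trace ends with the original 37-label QNAME; without it, the trace stops when the 35-label query is about to be repeated.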
    • Matthijs Mekking's avatar
      Merge branch '1748-log-cds-cdnskey-publication-v9_16' into 'v9_16' · bd2932e1
      Matthijs Mekking authored
      Resolve "Logging of CDS/CDNSKEY generation for workflow"
      
      See merge request isc-projects/bind9!4067
      bd2932e1
    • Matthijs Mekking's avatar
      Add change entry and release note for #1748 · 72966884
      Matthijs Mekking authored
      (cherry picked from commit ff006a17)
      72966884
    • Matthijs Mekking's avatar
      Log when CDS/CDNSKEY is published in zone. · 4a7f87aa
      Matthijs Mekking authored
      Log when named decides to add a CDS/CDNSKEY record to the zone. Now
      you understand how the bug was found that was fixed in the previous
      commits.
      
      (cherry picked from commit f9ef5120)
      4a7f87aa
    • Matthijs Mekking's avatar
      Fix CDS (non-)publication · 6405b044
      Matthijs Mekking authored
      The CDS/CDNSKEY record will be published when the DS is in the
      rumoured state. However, with the introduction of the rndc '-checkds'
      command, the logic in the keymgr was changed to prevent the DS
      state from going into RUMOURED unless the specific command was given. Hence,
      the CDS was never published before it was seen in the parent.
      
      Initially I thought this was a policy approval rule, however it is
      actually a DNSSEC timing rule. Remove the restriction from
      'keymgr_policy_approval' and update the 'keymgr_transition_time'
      function. When looking to move the DS state to OMNIPRESENT it will
      no longer calculate the state from its last change, but from when
      the DS was seen in the parent, "DS Publish". If the time was not set,
      default to next key event of an hour.
      
      Similarly for moving the DS state to HIDDEN, the time to wait will
      be derived from the "DS Delete" time, not from when the DS state
      last changed.
      
      (cherry picked from commit c8205bfa)
      6405b044
    • Matthijs Mekking's avatar
      Silence two grep calls · 7065299a
      Matthijs Mekking authored
      (cherry picked from commit 2d2b8e7c)
      7065299a
    • Matthijs Mekking's avatar
      Update rndc_checkds test util · 94fe9f1f
      Matthijs Mekking authored
      The 'rndc_checkds' utility now allows "now" as the time when the DS
      has been seen in/seen removed from the parent.
      
      Also it uses "KEYX" as the key argument, rather than key id.
      The 'rndc_checkds' will retrieve the key from the "KEYX" string. This
      makes the call a bit more readable.
      
      (cherry picked from commit dd754a97)
      94fe9f1f
    • Matthijs Mekking's avatar
      Improve kasp test readability · 2a9e4fea
      Matthijs Mekking authored
      This commit has a lot of updates on comments, mainly to make the
      system test more readable.
      
      Also remove some redundant signing policy checks (check_keys,
      check_dnssecstatus, check_keytimes).
      
      Finally, move key time checks and expected key time settings above
      'rndc_checkds' calls (with the new way of testing next key event
      times there is no need to do them after 'rndc_checkds', and moving
      them above 'rndc_checkds' makes the flow of testing easier to follow).
      
      (cherry picked from commit 8cb394e0)
      2a9e4fea
    • Matthijs Mekking's avatar
      Add dnssec-settime [-P ds|-D ds] to kasp test · a33c49a8
      Matthijs Mekking authored
      Add the new '-P ds' and '-D ds' calls to the kasp test setup so that
      next key event times can reliably be tested.
      
      (cherry picked from commit 4a67cdab)
      a33c49a8
    • Matthijs Mekking's avatar
      Add '-P ds' and '-D ds' to dnssec-settime · 75adf06f
      Matthijs Mekking authored
      Add two more arguments to the dnssec-settime tool. '-P ds' sets the
      time that the DS was published in the parent, '-D ds' sets the time
      that the DS was removed from the parent (these times are not accurate,
      but rely on the user to use them appropriately, and as long as the
      time is not before actual publication/withdrawal, it is fine).
      
      These new arguments are needed for the kasp system test. We want to
      test when the next key event is once a DS is published, and now
      that 'parent-registration-delay' is obsoleted, we need a different
      approach to reliably test the timings.
      
      (cherry picked from commit d4c4f6a6)
      75adf06f
    • Ondřej Surý's avatar
      Merge branch '2037-deferred-system-test-fix-v9_16' into 'v9_16' · 3b5eb620
      Ondřej Surý authored
      Fix the new pkcs11 and tcp test [v9.16]
      
      See merge request isc-projects/bind9!4050
      3b5eb620
    • Mark Andrews's avatar
      Dump the returned packet · 02be5fc9
      Mark Andrews authored
      02be5fc9
    • Ondřej Surý's avatar
      Multiply 1996-alloc_dnsbuf-crash-test.pkt by 300000 via TCP · 92df4ba6
      Ondřej Surý authored
      The test for assertion failure via large TCP packet needs to be repeated
      multiple times (we use 300000).  This commit fixes the input file to be
      properly hexlified and uses the new packet.pl -r feature to send it
      300000 times via TCP.
      
      (cherry picked from commit 5f6eb014)
      92df4ba6
    • Ondřej Surý's avatar
      Add `-r <repeats>` option to packet.pl · 4dc666d4
      Ondřej Surý authored
      For some tests, we need to send big data streams (for TCP) or repeated
      packets (for UDP). This commit adds the `-r` option to packet.pl that sends
      the same input <repeats> times using the specified protocol.
      
      (cherry picked from commit dd46559a)
      4dc666d4
    • Ondřej Surý's avatar
      Properly format 2037-pk11_numbits-crash-test.pkt file · 677e569d
      Ondřej Surý authored
      (cherry picked from commit 22e02720)
      677e569d