- 14 Feb, 2019 6 commits
Michał Kępień authored
5161. [bug] Do not require the SEP bit to be set for mirror zone trust anchors. [GL #873]
Michał Kępień authored
When a mirror zone is verified, the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() is set to false. This means that in order for its verification to succeed, a mirror zone needs to have at least one key with the SEP bit set configured as a trust anchor. This brings no security benefit and prevents zones signed only using keys without the SEP bit set from being mirrored, so change the value of the 'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.
Michał Kępień authored
Improve stability of mirror zone system tests
See merge request !1505
Michał Kępień authored
The "mirror" system test checks whether log messages announcing a mirror zone coming into effect are emitted properly. However, the helper functions responsible for waiting for zone transfers and zone loading to complete do not wait for these exact log messages, but rather for other ones preceding them, which introduces a possibility of false positives. This problem cannot be addressed by just changing the log message to look for because the test still needs to discern between transferring a zone and loading a zone. Add two new log messages at debug level 99 (which is what named instances used in system tests are configured with) that are to be emitted after the log messages announcing a mirror zone coming into effect. Tweak the aforementioned helper functions to only return once the log messages they originally looked for are followed by the newly added log messages. This reliably prevents races when looking for "mirror zone is now in use" log messages and also enables a workaround previously put into place in the "mirror" system test to be reverted.
Michał Kępień authored
In the "mirror" system test, ns3 periodically sends trust anchor telemetry queries to ns1 and ns2. It may thus happen that for some non-recursive queries for names inside mirror zones which are not yet loaded, ns3 will be able to synthesize a negative answer from the cached records it obtained from trust anchor telemetry responses. In such cases, NXDOMAIN responses will be sent with the root zone SOA in the AUTHORITY section. Since the root zone used in the "mirror" system test has the same serial number as ns2/verify.db.in and zone verification checks look for the specified serial numbers anywhere in the answer, the test could be broken if different zone names were used. The +noauth dig option could be used to address this weakness, but that would prevent entire responses from being stored for later inspection, which in turn would hamper troubleshooting test failures. Instead, use a different serial number for ns2/verify.db.in than for any other zone used in the "mirror" system test and check the number of records in the ANSWER section of each response.
Michał Kępień authored
Due to the way the "mirror" system test is set up, it is impossible for the "verify-unsigned" and "verify-untrusted" zones to contain any serial number other than the original one present in ns2/verify.db.in. Thus, using the presence of a different serial number in the SOA records of these zones as an indicator of problems with mirror zone verification is wrong. Look for the original zone serial number instead, as that is the one that will be returned by ns3 if one of the aforementioned zones is successfully verified.
- 11 Feb, 2019 3 commits
Mark Andrews authored
Add a CI check for missing prereq.sh scripts
Closes #871
See merge request !1494
Mark Andrews authored
Mark Andrews authored
- 10 Feb, 2019 2 commits
Evan Hunt authored
Thanks to Roland Gruber for the schema contribution.
- 08 Feb, 2019 13 commits
Tony Finch authored
Michał Kępień authored
Resolve "prereq.sh needed in forward test"
Closes #869
See merge request !1479
Curtis Blackburn authored
Michał Kępień authored
Add a comment explaining a mirror zone glitch
Closes #870
See merge request !1480
Michał Kępień authored
Explain why in a certain edge case mirror zone data may not be used for resolution purposes despite being available.
Mark Andrews authored
Resolve "rrtypes missing from named"
Closes #867
See merge request !1490
Mark Andrews authored
Mark Andrews authored
Evan Hunt authored
Evan Hunt authored
Tony Finch authored
After change 5143, zones listed on the command line without trailing dots were ignored.
- 07 Feb, 2019 8 commits
Mark Andrews authored
Resolve "rrtypes missing from named"
Closes #867
See merge request !1484
Mark Andrews authored
Mark Andrews authored
Resolve "rrtypes missing from named"
See merge request !1475
Evan Hunt authored
Evan Hunt authored
Mark Andrews authored
Mark Andrews authored
Resolve "nslookup takes >2 argvs w/o errors, uses only 1st and last"
Closes #207
See merge request !1382
Mark Andrews authored
- 06 Feb, 2019 8 commits
Evan Hunt authored
Tinderbox User authored
Tinderbox User authored
Michał Kępień authored
5156. [doc] Extended and refined the section of the ARM describing mirror zones. [GL #774]
Michał Kępień authored
Add a warning about potential performance implications of configuring a non-root zone as a mirror zone. Explain in more detail how each mirror zone version is validated and how validation failures are handled. Move the paragraphs describing how to set up IANA root zone mirroring higher up, so that they can be more easily found by the reader. Explicitly state that the "masters" option needs to be present for any mirror zone which is not the root zone. Tweak the description of the interaction between the "dnssec-validation" setting and root zone mirroring to make it less ambiguous. Specify what the default "notify" setting is for mirror zones.
Ondřej Surý authored
Always use cmocka if available
See merge request !1463