1. 18 May, 2020 2 commits
  2. 15 May, 2020 1 commit
  3. 13 May, 2020 1 commit
  4. 12 May, 2020 2 commits
  5. 06 May, 2020 1 commit
  6. 05 May, 2020 1 commit
  7. 04 May, 2020 1 commit
  8. 02 May, 2020 1 commit
  9. 01 May, 2020 7 commits
  10. 30 Apr, 2020 1 commit
  11. 28 Apr, 2020 1 commit
  12. 22 Apr, 2020 1 commit
  13. 20 Apr, 2020 2 commits
    • Address Coverity warnings in keymgr.c · 7ac4966a
      Matthijs Mekking authored
      Coverity showed that the return value of `dst_key_gettime` was
      unchecked in INITIALIZE_STATE. If DST_TIME_CREATED was not set we
      would set the state to be initialized to a weird last changed time.
      
      This would normally not happen because DST_TIME_CREATED is always
      set. However, we would rather set the time to now (as the comment
      also indicates), not match the creation time.
      
      The comment on INITIALIZE_STATE also needs updating as we no
      longer always initialize to HIDDEN.
      
      (cherry picked from commit 564f9dca)
  14. 17 Apr, 2020 1 commit
  15. 16 Apr, 2020 2 commits
  16. 08 Apr, 2020 5 commits
    • Tweak CHANGES for BIND 9.16.2 · aeb1eb20
      Michał Kępień authored
    • Add missing CHANGES notes from v9_16 branch · cb100ed5
      Ondřej Surý authored
      (cherry picked from commit 2ef11495)
    • Add missing CHANGES notes from v9_11 branch · 9777aab8
      Ondřej Surý authored
      (cherry picked from commit 434929b5)
    • Fix kasp timing issue on Windows · 9b57ad68
      Matthijs Mekking authored
      This fixes another intermittent failure in the kasp system test.
      It does not happen often, except for in the Windows platform tests
      where it takes a long time to run the tests.
      
      In the "kasp" system test, there is an "rndc reconfig" call which
      triggers a new rekey event.  check_next_key_event() verifies the time
      remaining from the moment "rndc reconfig" is called until the next key
      event.  However, the next key event time is calculated from the key
      times provided during key creation (i.e. during test setup).  Given
      this, if "rndc reconfig" is called a significant amount of time after
      the test is started, some check_next_key_event() checks will fail.
      
      Fix by calculating the time passed since the start of the test and
      when 'rndc reconfig' happens.  Subtract this time from the
      calculated next key event.
      
      This only needs to be done after an "rndc reconfig" on zones where
      the keymgr needs to wait for a period of time (for example for keys
      to become OMNIPRESENT, or HIDDEN). This is on step 2 and step 5 of
      the algorithm rollover.  In step 2 there is a waiting period before
      the DNSKEY is OMNIPRESENT, in step 5 there is a waiting period
      before the DNSKEY is HIDDEN.
      
      In step 1 new keys are created, in step 3 and 4 key states just
      entered OMNIPRESENT, and in step 6 we no longer care because the
      key lifetime is unlimited and we default to checking once per hour.
      
      Regardless of our indifference about the next key event after step 6,
      change some of the key timings in the setup script to better
      reflect reality: DNSKEY is in HIDDEN after step 5, DS times have
      changed when the new DS became active.
      
      (cherry picked from commit 62a97570)
    • Add CHANGES · d092db34
      Ondřej Surý authored
  17. 03 Apr, 2020 4 commits
    • Add CHANGES · dfe202e2
      Ondřej Surý authored
      (cherry picked from commit 22aaeb51)
    • Replace hard coded value with constant · df16e24d
      Matthijs Mekking authored
      (cherry picked from commit c1723b25)
    • Redesign dnssec sign statistics · f59f4461
      Matthijs Mekking authored
      The first attempt to add DNSSEC sign statistics was naive: for each
      zone we allocated 64K counters, twice.  In reality each zone has at
      most four keys, so the new approach only has room for four keys per
      zone. If after a rollover more keys have signed the zone, existing
      keys are rotated out.
      
      The DNSSEC sign statistics has three counters per key, so twelve
      counters per zone. First counter is actually a key id, so it is
      clear what key contributed to the metrics.  The second counter
      tracks the number of generated signatures, and the third tracks
      how many of those are refreshes.
      
      This means that in the zone structure we no longer need two separate
      references to DNSSEC sign metrics: both the resign and refresh stats
      are kept in a single dns_stats structure.
      
      Incrementing dnssecsignstats:
      
      Whenever a dnssecsignstat is incremented, we look up the key id
      to see if we already are counting metrics for this key.  If so,
      we update the corresponding operation counter (resign or
      refresh).
      
      If the key is new, store the value in a new counter and increment
      the corresponding counter.
      
      If all slots are full, we rotate the keys and overwrite the last
      slot with the new key.
      
      Dumping dnssecsignstats:
      
      Dumping dnssecsignstats is no longer a simple wrapper around
      isc_stats_dump, but uses the same principle.  The difference is that
      rather than dumping the index (key tag) and counter, we have to look
      up the corresponding counter.
      
      (cherry picked from commit 705810d5)
    • Update documentation with !1706 fix · 1553411d
      Matthijs Mekking authored
      (cherry picked from commit f47e697d)
  18. 01 Apr, 2020 1 commit
  19. 30 Mar, 2020 1 commit
  20. 20 Mar, 2020 2 commits
    • Update changes after QA review · ecfea36b
      Tinderbox User authored
    • prep 9.16.1 · aed7d77c
      Tinderbox User authored
      Updated version and CHANGES files with new release number.
      
      Check the API files:
      - lib/bind9/api:
        Source code changes, but no interface changes: increment
        LIBREVISION.
      - lib/dns/api:
        Function dns_acl_match changed, struct dns_badcache changed,
        function dns_badcache_add changed, function dns_client_startupdate
        changed, struct dns_compress changed, struct dns_resolver changed,
        rwlock size changed. This means a LIBINTERFACE increment.
      - lib/irs/api:
        Source code changes, but no interface changes: increment
        LIBREVISION.
      - lib/isc/api:
        The structs isc__networker and isc_nmsocket changed. This means
        increment LIBINTERFACE.  The functions isc_uv_export and
        isc_uv_import are removed, so LIBAGE must be zero.
      - lib/isccc/api:
        Source code changes, but no interface changes: increment
        LIBREVISION.
      - lib/isccfg/api:
        Source code changes, but no interface changes: increment
        LIBREVISION.
      - lib/ns/api:
        Function ns_clientmgr_create, ns_interfacemgr_create, and
        structs ns_clientmg...
  21. 13 Mar, 2020 1 commit
  22. 12 Mar, 2020 1 commit
    • improve calculation of database size · c5405c27
      Evan Hunt authored
      "max-journal-size" is set by default to twice the size of the zone
      database. however, the calculation of zone database size was flawed.
      
      - change the size calculations in dns_db_getsize() to more accurately
        represent the space needed for a journal file or *XFR message to
        contain the data in the database. previously we returned the sizes
        of all rdataslabs, including header overhead and offset tables,
        which resulted in the database size being reported as much larger
        than the equivalent journal transactions would have been.
      - map files caused a particular problem here: the full name can't be
        determined from the node while a file is being deserialized, because
        the uppernode pointers aren't set yet. so we store "full name length"
        in the dns_rbtnode structure while serializing, and clear it after
        deserialization is complete.