GitLab

The first step in all existing setup.sh scripts is to call clean.sh.  To
reduce code duplication and ensure all system tests added in the future
behave consistently with existing ones, invoke clean.sh from run.sh
before calling setup.sh.

Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script.  Remove redundant "rm"
invocations from setup.sh scripts.  Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.

When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh.  Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.

Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.

When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing.  Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.

- add CHANGES note
- update copyrights and license headers
- add -j to the make commands in .gitlab-ci.yml to take
  advantage of parallelization in the gitlab CI process

                        KSK. [RT #46787]

                        properly determining if there were active KSK and
                        ZSK keys for a algorithm when update-check-ksk is
                        true (default) leaving records unsigned. [RT #46743]

[master] Prevent possible infinite signing loop after retransferring an inline-signed slave using NSEC3

4727.	[bug]		Retransferring an inline-signed slave using NSEC3
			around the time its NSEC3 salt was changed could result
			in an infinite signing loop. [RT #45080]

                        in named.conf. [RT #37172]

3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

3806.	[test]		Improved system test portability. [RT #35625]

3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]

                        into the DNSKEY management framework.  A new tool
                        dnssec-importkey is used to this. [RT #34698]

                        only KSK keys for a algorithm. [RT #24439]

			inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]

			updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]

                        [RT #26224]

                        named has finished signing the zone with the
                        corresponding key.  [RT #26206]

3166.   [bug]           Upgrading a zone to support inline-signing failed.                         [RT #26014]