GitLab

- add util/cformat.sh, which runs clang-format on all C files with
  the default .clang-format, and on all header files with a slightly
  modified version.
- use correct bracing after multi-line control statements
- stop aligning variable declarations to avoid problems with pointer
  alignment, but retain aligned declarations in header files so that
  struct definitions look cleaner.
- static function prototypes in C files can skip the line break after
  the return type, but function prototypes in header files still have
  the line break.
- don't break-before-brace in function definitions. ISC style calls
  for braces on the same line when function parameters fit on a single
  line, and a line break if they don't, but clang-format doesn't yet
  support that distinction. one-line function definitions are about
  four times more common than multi-line, so let's use the option that
  deviates less.

- Add quotes before and after zone name when generating "addzone"
  input so avoid "unexpected token" errors.
- Use a hex digest for zone filenames when the zone or view name
  contains a slash.
- Test with a domain name containing a slash.
- Incidentally added 'catzhash.py' to contrib/scripts to generate
  hash labels for catalog zones, as it was needed to write the test.

pipelined test: we no longer have -Tdelay option, use a python proxy that delays packets as a workaround

These functions can be used to pass a uv handle between threads in a
safe manner. The other option is to use uv_pipe and pass the uv_handle
via IPC, which is way more complex.  uv_export() and uv_import() functions
existed in libuv at some point but were removed later. This code is
based on the original removed code.

The Windows version of the code uses two functions internal to libuv;
a patch for libuv is attached for exporting these functions.

Happy New Year!

The util/prepare-softhsm2.sh script is useful for initializing a working
SoftHSM environment which can be used by unit tests and system tests.
However, since it is a test-specific script, it does not really belong
in the util/ subdirectory which is mostly pruned during the BIND source
tarball creation process.  Move the prepare-softhsm2.sh script to
bin/tests/ so that its location is more appropriate for its purpose and
also so that it does not get removed during the BIND source tarball
creation process, allowing it to be used for setting up test
environments for tarball-based builds.

This might be removed when we stop supporting older libuv versions.

The first step in all existing setup.sh scripts is to call clean.sh.  To
reduce code duplication and ensure all system tests added in the future
behave consistently with existing ones, invoke clean.sh from run.sh
before calling setup.sh.

Since the role of the bin/tests/system/clean.sh script has now been
reduced to calling a given system test's clean.sh script, remove the
former altogether and replace its only use with a direct invocation of
the latter.

The "runtime" system test currently fails on Windows because it waits
for named to log a message indicating successful startup ("running"),
but that never happens since named on Windows fails to open the
configuration file as its path includes control characters.

Instead of putting control characters in directory names, put them in
the value of the -D command line switch passed to named, which is used
for identifying an instance of named in a process listing and whose
value is completely ignored by named, but still logged.

While a similar check using special characters appears to be working
fine on Windows for the time being, modify it in the same way to avoid
potential future problems on other platforms and make the test cleaner.

Intertwining release notes from different BIND releases in a single XML
file has caused confusion in the past due to different (and often
arbitrary) approaches to keeping/removing release notes from older
releases on different BIND branches.  Divide doc/arm/notes.xml into
per-version sections to simplify determining the set of changes
introduced by a given release and to make adding/reviewing release notes
less error-prone.

- ns__client_request() is now called by netmgr with an isc_nmhandle_t
  parameter. The handle can then be permanently associated with an
  ns_client object.
- The task manager is paused so that isc_task events that may be
  triggred during client processing will not fire until after the netmgr is
  finished with it. Before any asynchronous event, the client MUST
  call isc_nmhandle_ref(client->handle), to prevent the client from
  being reset and reused while waiting for an event to process. When
  the asynchronous event is complete, isc_nmhandle_unref(client->handle)
  must be called to ensure the handle can be reused later.
- reference counting of client objects is now handled in the nmhandle
  object.  when the handle references drop to zero, the client's "reset"
  callback is used to free temporary resources and reiniialize it,
  whereupon the handle (and associated client) is placed in the
  "inactive handles" queue.  when the sysstem is shutdown and the
  handles are cleaned up, the client's "put" callback is called to free
  all remaining resources.
- because client allocation is no longer handled in the same way,
  the '-T clienttest' option has now been removed and is no longer
  used by any system tests.
- the unit tests require wrapping the isc_nmhandle_unref() function;
  when LD_WRAP is supported, that is used. otherwise we link a
  libwrap.so interposer library and use that.

This is a replacement for the existing isc_socket and isc_socketmgr
implementation. It uses libuv for asynchronous network communication;
"networker" objects will be distributed across worker threads reading
incoming packets and sending them for processing.

UDP listener sockets automatically create an array of "child" sockets
so each worker can listen separately.

TCP sockets are shared amongst worker threads.

A TCPDNS socket is a wrapper around a TCP socket, which handles the
the two-byte length field at the beginning of DNS messages over TCP.

(Other wrapper socket types can be implemented in the future to handle
DNS over TLS, DNS over HTTPS, etc.)

this is a lockless queue based on hazard pointers.

this is a mechanism to allow safe lock-free data structures.

'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.

This requires a new keyword to be introduced: 'none'.  If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned.  You can use this to break the inheritance.  Of course
you can also break the inheritance by referring to a different
policy.

The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.

Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).

Add more tests for kasp:

- Add tests for different algorithms.

- Add a test to ensure that an edit in an unsigned zone is
  picked up and properly signed.

- Add two tests that ensures that a zone gets signed when it is
  configured as so-called 'inline-signing'.  In other words, a
  secondary zone that is configured with a 'dnssec-policy'.  A zone
  that is transferred over AXFR or IXFR will get signed.

- Add a test to ensure signatures are reused if they are still
  fresh enough.

- Adds two more tests to verify that expired and unfresh signatures
  will be regenerated.

- Add tests for various cases with keys already available in the
  key-directory.

Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
will run a key manager on the matching keys.  This will do a couple
of things:

1. Create keys when needed (in case of rollover for example)
   according to the set policy.

2. Retire keys that are in excess of the policy.

3. Maintain key states according to "Flexible and Robust Key
   Rollover" [1]. After key manager ran, key files will be saved to
   disk.

   [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

KEY GENERATION

Create keys according to DNSSEC policy.  Zones configured with
'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
to dnssec-keymgr) if not available.

KEY ROLLOVER

Rather than determining the desired state from timing metadata,
add a key state goal.  Any keys that are created or picked from the
key ring and selected to be a successor has its key state goal set
to OMNIPRESENT (this key wants to be signing!). At the same time,
a key that is being retired has its key state goal set to HIDDEN.

The keymgr state machine with the three rules will make sure no
introduction or withdrawal of DNSSEC records happens too soon.

KEY TIMINGS

All timings are based on RFC 7583.

The keymgr will return when the next action is happening so
that the zone can set the proper rekey event. Prior to this change
the rekey event will run every hour by default (configurable),
but with kasp we can determine exactly when we need to run again.

The prepublication time is derived from policy.

This commit adds code for generating keys with dnssec-keygen given
a specific dnssec-policy.

The dnssec-policy can be set with a new option '-k'. The '-l'
option can be used to set a configuration file that contains a
specific dnssec-policy.

Because the dnssec-policy dictates how the keys should look like,
many of the existing dnssec-keygen options cannot be used together
with '-k'.

If the dnssec-policy lists multiple keys, dnssec-keygen has now the
possibility to generate multiple keys at one run.

Add two tests for creating keys with '-k': One with the default
policy, one with multiple keys from the configuration.

Add code for creating, configuring, and destroying KASP keys.  When
using the default policy, create one CSK, no rollover.

This stores the dnssec-policy configuration and adds methods to
create, destroy, and attach/detach, as well as find a policy with
the same name in a list.

Also, add structures and functions for creating and destroying
kasp keys.

This commit introduces the initial `dnssec-policy` configuration
statement. It has an initial set of options to deal with signature
and key maintenance.

Add some checks to ensure that dnssec-policy is configured at the
right locations, and that policies referenced to in zone statements
actually exist.

Add some checks that when a user adds the new `dnssec-policy`
configuration, it will no longer contain existing DNSSEC
configuration options.  Specifically: `inline-signing`,
`auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
`update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
and `sig-validity-interval`.

Test a good kasp configuration, and some bad configurations.

Initial design document.