1. 03 Mar, 2020 1 commit
  2. 24 Feb, 2020 2 commits
  3. 14 Feb, 2020 1 commit
  4. 13 Feb, 2020 2 commits
    • Evan Hunt's avatar
      revise .clang-format and add a C formatting script in util · 0255a974
      Evan Hunt authored
      - add util/cformat.sh, which runs clang-format on all C files with
        the default .clang-format, and on all header files with a slightly
        modified version.
      - use correct bracing after multi-line control statements
      - stop aligning variable declarations to avoid problems with pointer
        alignment, but retain aligned declarations in header files so that
        struct definitions look cleaner.
      - static function prototypes in C files can skip the line break after
        the return type, but function prototypes in header files still have
        the line break.
      - don't break-before-brace in function definitions. ISC style calls
        for braces on the same line when function parameters fit on a single
        line, and a line break if they don't, but clang-format doesn't yet
        support that distinction. one-line function definitions are about
        four times more common than multi-line, so let's use the option that
        deviates less.
    • Ondřej Surý's avatar
  5. 12 Feb, 2020 2 commits
  6. 04 Feb, 2020 1 commit
    • Evan Hunt's avatar
      Correctly handle catalog zone entries containing slashes · dba0163d
      Evan Hunt authored
      - Add quotes before and after zone name when generating "addzone"
        input so avoid "unexpected token" errors.
      - Use a hex digest for zone filenames when the zone or view name
        contains a slash.
      - Test with a domain name containing a slash.
      - Incidentally added 'catzhash.py' to contrib/scripts to generate
        hash labels for catalog zones, as it was needed to write the test.
  7. 22 Jan, 2020 1 commit
  8. 16 Jan, 2020 1 commit
  9. 13 Jan, 2020 2 commits
    • Witold Krecicki's avatar
      Add isc_uv_export()/isc_uv_import() functions to libuv compatibility layer. · c6c0a9fd
      Witold Krecicki authored
      These functions can be used to pass a uv handle between threads in a
      safe manner. The other option is to use uv_pipe and pass the uv_handle
      via IPC, which is way more complex.  uv_export() and uv_import() functions
      existed in libuv at some point but were removed later. This code is
      based on the original removed code.
      The Windows version of the code uses two functions internal to libuv;
      a patch for libuv is attached for exporting these functions.
    • Ondřej Surý's avatar
      Update copyrights · 2eaab404
      Ondřej Surý authored
  10. 06 Jan, 2020 2 commits
  11. 03 Jan, 2020 1 commit
  12. 11 Dec, 2019 2 commits
    • Ondřej Surý's avatar
    • Michał Kępień's avatar
      Include prepare-softhsm2.sh in source tarballs · c0be772e
      Michał Kępień authored
      The util/prepare-softhsm2.sh script is useful for initializing a working
      SoftHSM environment which can be used by unit tests and system tests.
      However, since it is a test-specific script, it does not really belong
      in the util/ subdirectory which is mostly pruned during the BIND source
      tarball creation process.  Move the prepare-softhsm2.sh script to
      bin/tests/ so that its location is more appropriate for its purpose and
      also so that it does not get removed during the BIND source tarball
      creation process, allowing it to be used for setting up test
      environments for tarball-based builds.
  13. 09 Dec, 2019 1 commit
  14. 06 Dec, 2019 2 commits
    • Michał Kępień's avatar
      Automatically run clean.sh from run.sh · d8905b7a
      Michał Kępień authored
      The first step in all existing setup.sh scripts is to call clean.sh.  To
      reduce code duplication and ensure all system tests added in the future
      behave consistently with existing ones, invoke clean.sh from run.sh
      before calling setup.sh.
    • Michał Kępień's avatar
      Remove bin/tests/system/clean.sh · bf3eeac0
      Michał Kępień authored
      Since the role of the bin/tests/system/clean.sh script has now been
      reduced to calling a given system test's clean.sh script, remove the
      former altogether and replace its only use with a direct invocation of
      the latter.
  15. 05 Dec, 2019 1 commit
  16. 29 Nov, 2019 1 commit
    • Michał Kępień's avatar
      Improve portability of the "runtime" system test · 58121f5f
      Michał Kępień authored
      The "runtime" system test currently fails on Windows because it waits
      for named to log a message indicating successful startup ("running"),
      but that never happens since named on Windows fails to open the
      configuration file as its path includes control characters.
      Instead of putting control characters in directory names, put them in
      the value of the -D command line switch passed to named, which is used
      for identifying an instance of named in a process listing and whose
      value is completely ignored by named, but still logged.
      While a similar check using special characters appears to be working
      fine on Windows for the time being, modify it in the same way to avoid
      potential future problems on other platforms and make the test cleaner.
  17. 27 Nov, 2019 1 commit
  18. 20 Nov, 2019 1 commit
  19. 08 Nov, 2019 1 commit
    • Michał Kępień's avatar
      Split release notes into per-version sections · 2f37ab1d
      Michał Kępień authored
      Intertwining release notes from different BIND releases in a single XML
      file has caused confusion in the past due to different (and often
      arbitrary) approaches to keeping/removing release notes from older
      releases on different BIND branches.  Divide doc/arm/notes.xml into
      per-version sections to simplify determining the set of changes
      introduced by a given release and to make adding/reviewing release notes
      less error-prone.
  20. 07 Nov, 2019 6 commits
    • Evan Hunt's avatar
      remove ISC_QUEUE as it is no longer used · b9a5508e
      Evan Hunt authored
    • Evan Hunt's avatar
      convert ns_client and related objects to use netmgr · 53f0b6c3
      Evan Hunt authored
      - ns__client_request() is now called by netmgr with an isc_nmhandle_t
        parameter. The handle can then be permanently associated with an
        ns_client object.
      - The task manager is paused so that isc_task events that may be
        triggred during client processing will not fire until after the netmgr is
        finished with it. Before any asynchronous event, the client MUST
        call isc_nmhandle_ref(client->handle), to prevent the client from
        being reset and reused while waiting for an event to process. When
        the asynchronous event is complete, isc_nmhandle_unref(client->handle)
        must be called to ensure the handle can be reused later.
      - reference counting of client objects is now handled in the nmhandle
        object.  when the handle references drop to zero, the client's "reset"
        callback is used to free temporary resources and reiniialize it,
        whereupon the handle (and associated client) is placed in the
        "inactive handles" queue.  when the sysstem is shutdown and the
        handles are cleaned up, the client's "put" callback is called to free
        all remaining resources.
      - because client allocation is no longer handled in the same way,
        the '-T clienttest' option has now been removed and is no longer
        used by any system tests.
      - the unit tests require wrapping the isc_nmhandle_unref() function;
        when LD_WRAP is supported, that is used. otherwise we link a
        libwrap.so interposer library and use that.
    • Witold Krecicki's avatar
      netmgr: libuv-based network manager · 70397f9d
      Witold Krecicki authored
      This is a replacement for the existing isc_socket and isc_socketmgr
      implementation. It uses libuv for asynchronous network communication;
      "networker" objects will be distributed across worker threads reading
      incoming packets and sending them for processing.
      UDP listener sockets automatically create an array of "child" sockets
      so each worker can listen separately.
      TCP sockets are shared amongst worker threads.
      A TCPDNS socket is a wrapper around a TCP socket, which handles the
      the two-byte length field at the beginning of DNS messages over TCP.
      (Other wrapper socket types can be implemented in the future to handle
      DNS over TLS, DNS over HTTPS, etc.)
    • Evan Hunt's avatar
    • Witold Krecicki's avatar
      implement fetch-and-add array queue data structure · 402969bf
      Witold Krecicki authored
      this is a lockless queue based on hazard pointers.
    • Witold Krecicki's avatar
      implement hazard pointer data structure · aa57fa70
      Witold Krecicki authored
      this is a mechanism to allow safe lock-free data structures.
  21. 06 Nov, 2019 8 commits
    • Matthijs Mekking's avatar
      dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
    • Matthijs Mekking's avatar
      Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:
      - Add tests for different algorithms.
      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.
      - Add two tests that ensures that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.
      - Add a test to ensure signatures are reused if they are still
        fresh enough.
      - Adds two more tests to verify that expired and unfresh signatures
        will be regenerated.
      - Add tests for various cases with keys already available in the
    • Matthijs Mekking's avatar
      Introduce keymgr in named · 7e7aa538
      Matthijs Mekking authored
      Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
      will run a key manager on the matching keys.  This will do a couple
      of things:
      1. Create keys when needed (in case of rollover for example)
         according to the set policy.
      2. Retire keys that are in excess of the policy.
      3. Maintain key states according to "Flexible and Robust Key
         Rollover" [1]. After key manager ran, key files will be saved to
         [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
      Create keys according to DNSSEC policy.  Zones configured with
      'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
      to dnssec-keymgr) if not available.
      Rather than determining the desired state from timing metadata,
      add a key state goal.  Any keys that are created or picked from the
      key ring and selected to be a successor has its key state goal set
      to OMNIPRESENT (this key wants to be signing!). At the same time,
      a key that is being retired has its key state goal set to HIDDEN.
      The keymgr state machine with the three rules will make sure no
      introduction or withdrawal of DNSSEC records happens too soon.
      All timings are based on RFC 7583.
      The keymgr will return when the next action is happening so
      that the zone can set the proper rekey event. Prior to this change
      the rekey event will run every hour by default (configurable),
      but with kasp we can determine exactly when we need to run again.
      The prepublication time is derived from policy.
    • Matthijs Mekking's avatar
      dnssec-keygen can create keys given dnssec-policy · 09ac224c
      Matthijs Mekking authored
      This commit adds code for generating keys with dnssec-keygen given
      a specific dnssec-policy.
      The dnssec-policy can be set with a new option '-k'. The '-l'
      option can be used to set a configuration file that contains a
      specific dnssec-policy.
      Because the dnssec-policy dictates how the keys should look like,
      many of the existing dnssec-keygen options cannot be used together
      with '-k'.
      If the dnssec-policy lists multiple keys, dnssec-keygen has now the
      possibility to generate multiple keys at one run.
      Add two tests for creating keys with '-k': One with the default
      policy, one with multiple keys from the configuration.
    • Matthijs Mekking's avatar
      Add code for creating kasp from config · 7bfac503
      Matthijs Mekking authored
      Add code for creating, configuring, and destroying KASP keys.  When
      using the default policy, create one CSK, no rollover.
    • Matthijs Mekking's avatar
      Introduce kasp structure · e9ccebd9
      Matthijs Mekking authored
      This stores the dnssec-policy configuration and adds methods to
      create, destroy, and attach/detach, as well as find a policy with
      the same name in a list.
      Also, add structures and functions for creating and destroying
      kasp keys.
    • Matthijs Mekking's avatar
      Introduce dnssec-policy configuration · a50d707f
      Matthijs Mekking authored
      This commit introduces the initial `dnssec-policy` configuration
      statement. It has an initial set of options to deal with signature
      and key maintenance.
      Add some checks to ensure that dnssec-policy is configured at the
      right locations, and that policies referenced to in zone statements
      actually exist.
      Add some checks that when a user adds the new `dnssec-policy`
      configuration, it will no longer contain existing DNSSEC
      configuration options.  Specifically: `inline-signing`,
      `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
      `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
      and `sig-validity-interval`.
      Test a good kasp configuration, and some bad configurations.
    • Matthijs Mekking's avatar
      Design documentation 'dnssec-policy' · 1fbd8bb1
      Matthijs Mekking authored
      Initial design document.