- 09 Dec, 2019 1 commit
-
-
Witold Krecicki authored
This might be removed when we stop supporting older libuv versions.
-
- 06 Dec, 2019 2 commits
-
-
Michał Kępień authored
The first step in all existing setup.sh scripts is to call clean.sh. To reduce code duplication and ensure all system tests added in the future behave consistently with existing ones, invoke clean.sh from run.sh before calling setup.sh.
-
Michał Kępień authored
Since the role of the bin/tests/system/clean.sh script has now been reduced to calling a given system test's clean.sh script, remove the former altogether and replace its only use with a direct invocation of the latter.
-
- 05 Dec, 2019 1 commit
-
-
Matthijs Mekking authored
-
- 29 Nov, 2019 1 commit
-
-
Michał Kępień authored
The "runtime" system test currently fails on Windows because it waits for named to log a message indicating successful startup ("running"), but that never happens since named on Windows fails to open the configuration file as its path includes control characters. Instead of putting control characters in directory names, put them in the value of the -D command line switch passed to named, which is used for identifying an instance of named in a process listing and whose value is completely ignored by named, but still logged. While a similar check using special characters appears to be working fine on Windows for the time being, modify it in the same way to avoid potential future problems on other platforms and make the test cleaner.
-
- 27 Nov, 2019 1 commit
-
-
Ondřej Surý authored
-
- 20 Nov, 2019 1 commit
-
-
Ondřej Surý authored
-
- 08 Nov, 2019 1 commit
-
-
Michał Kępień authored
Intertwining release notes from different BIND releases in a single XML file has caused confusion in the past due to different (and often arbitrary) approaches to keeping/removing release notes from older releases on different BIND branches. Divide doc/arm/notes.xml into per-version sections to simplify determining the set of changes introduced by a given release and to make adding/reviewing release notes less error-prone.
-
- 07 Nov, 2019 6 commits
-
-
Evan Hunt authored
-
Evan Hunt authored
- ns__client_request() is now called by netmgr with an isc_nmhandle_t parameter. The handle can then be permanently associated with an ns_client object. - The task manager is paused so that isc_task events that may be triggred during client processing will not fire until after the netmgr is finished with it. Before any asynchronous event, the client MUST call isc_nmhandle_ref(client->handle), to prevent the client from being reset and reused while waiting for an event to process. When the asynchronous event is complete, isc_nmhandle_unref(client->handle) must be called to ensure the handle can be reused later. - reference counting of client objects is now handled in the nmhandle object. when the handle references drop to zero, the client's "reset" callback is used to free temporary resources and reiniialize it, whereupon the handle (and associated client) is placed in the "inactive handles" queue. when the sysstem is shutdown and the handles are cleaned up, the client's "put" callback is called to free all remaining resources. - because client allocation is no longer handled in the same way, the '-T clienttest' option has now been removed and is no longer used by any system tests. - the unit tests require wrapping the isc_nmhandle_unref() function; when LD_WRAP is supported, that is used. otherwise we link a libwrap.so interposer library and use that.
-
Witold Krecicki authored
This is a replacement for the existing isc_socket and isc_socketmgr implementation. It uses libuv for asynchronous network communication; "networker" objects will be distributed across worker threads reading incoming packets and sending them for processing. UDP listener sockets automatically create an array of "child" sockets so each worker can listen separately. TCP sockets are shared amongst worker threads. A TCPDNS socket is a wrapper around a TCP socket, which handles the the two-byte length field at the beginning of DNS messages over TCP. (Other wrapper socket types can be implemented in the future to handle DNS over TLS, DNS over HTTPS, etc.)
-
Evan Hunt authored
-
Witold Krecicki authored
this is a lockless queue based on hazard pointers.
-
Witold Krecicki authored
this is a mechanism to allow safe lock-free data structures.
-
- 06 Nov, 2019 10 commits
-
-
Matthijs Mekking authored
'dnssec-policy' can now also be set on the options and view level and a zone that does not set 'dnssec-policy' explicitly will inherit it from the view or options level. This requires a new keyword to be introduced: 'none'. If set to 'none' the zone will not be DNSSEC maintained, in other words it will stay unsigned. You can use this to break the inheritance. Of course you can also break the inheritance by referring to a different policy. The keywords 'default' and 'none' are not allowed when configuring your own dnssec-policy statement. Add appropriate tests for checking the configuration (checkconf) and add tests to the kasp system test to verify the inheritance works. Edit the kasp system test such that it can deal with unsigned zones and views (so setting a TSIG on the query).
-
Matthijs Mekking authored
Add more tests for kasp: - Add tests for different algorithms. - Add a test to ensure that an edit in an unsigned zone is picked up and properly signed. - Add two tests that ensures that a zone gets signed when it is configured as so-called 'inline-signing'. In other words, a secondary zone that is configured with a 'dnssec-policy'. A zone that is transferred over AXFR or IXFR will get signed. - Add a test to ensure signatures are reused if they are still fresh enough. - Adds two more tests to verify that expired and unfresh signatures will be regenerated. - Add tests for various cases with keys already available in the key-directory.
-
Matthijs Mekking authored
Add a key manager to named. If a 'dnssec-policy' is set, 'named' will run a key manager on the matching keys. This will do a couple of things: 1. Create keys when needed (in case of rollover for example) according to the set policy. 2. Retire keys that are in excess of the policy. 3. Maintain key states according to "Flexible and Robust Key Rollover" [1]. After key manager ran, key files will be saved to disk. [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf KEY GENERATION Create keys according to DNSSEC policy. Zones configured with 'dnssec-policy' will allow 'named' to create DNSSEC keys (similar to dnssec-keymgr) if not available. KEY ROLLOVER Rather than determining the desired state from timing metadata, add a key state goal. Any keys that are created or picked from the key ring and selected to be a successor has its key state goal set to OMNIPRESENT (this key wants to be signing!). At the same time, a key that is being retired has its key state goal set to HIDDEN. The keymgr state machine with the three rules will make sure no introduction or withdrawal of DNSSEC records happens too soon. KEY TIMINGS All timings are based on RFC 7583. The keymgr will return when the next action is happening so that the zone can set the proper rekey event. Prior to this change the rekey event will run every hour by default (configurable), but with kasp we can determine exactly when we need to run again. The prepublication time is derived from policy.
-
Matthijs Mekking authored
This commit adds code for generating keys with dnssec-keygen given a specific dnssec-policy. The dnssec-policy can be set with a new option '-k'. The '-l' option can be used to set a configuration file that contains a specific dnssec-policy. Because the dnssec-policy dictates how the keys should look like, many of the existing dnssec-keygen options cannot be used together with '-k'. If the dnssec-policy lists multiple keys, dnssec-keygen has now the possibility to generate multiple keys at one run. Add two tests for creating keys with '-k': One with the default policy, one with multiple keys from the configuration.
-
Matthijs Mekking authored
Add code for creating, configuring, and destroying KASP keys. When using the default policy, create one CSK, no rollover.
-
Matthijs Mekking authored
This stores the dnssec-policy configuration and adds methods to create, destroy, and attach/detach, as well as find a policy with the same name in a list. Also, add structures and functions for creating and destroying kasp keys.
-
Matthijs Mekking authored
This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
-
Matthijs Mekking authored
Initial design document.
-
Matthijs Mekking authored
The ttlval configuration types are replaced by duration configuration types. The duration is an ISO 8601 duration that is going to be used for DNSSEC key timings such as key lifetimes, signature resign intervals and refresh periods, etc. But it is also still allowed to use the BIND ttlval ways of configuring intervals (number plus optional unit). A duration is stored as an array of 7 different time parts. A duration can either be expressed in weeks, or in a combination of the other datetime indicators. Add several unit tests to ensure the correct value is parsed given different string values.
-
Diego dos Santos Fronza authored
Note: ans6/ans6.py is a helper script that allows tests.sh to open/close TCP connections to some BIND instance.
-
- 04 Oct, 2019 1 commit
-
-
Ondřej Surý authored
-
- 16 Sep, 2019 1 commit
-
-
Ondřej Surý authored
The OASIS pkcs11.h header has a restrictive license. Replace the pkcs11.h pkcs11f.h and pkcs11t.h headers with pkcs11.h from p11-kit. For source distribution, the license for the OASIS headers itself doesn't pose any licensing problem when combined with MPL license, but it possibly creates problem for downstream distributors of BIND 9.
-
- 12 Sep, 2019 1 commit
-
-
Mark Andrews authored
-
- 03 Sep, 2019 1 commit
-
-
Evan Hunt authored
-
- 29 Aug, 2019 1 commit
-
-
Ondřej Surý authored
-
- 27 Aug, 2019 1 commit
-
-
Evan Hunt authored
- the cache-file and check-itegrity options were not needed - some zones and files were not used
-
- 25 Aug, 2019 1 commit
-
-
Evan Hunt authored
-
- 09 Aug, 2019 3 commits
-
-
Evan Hunt authored
- this required modification to the code that generates grammar text for the documentation, because the "dnssec-lookaside" option spanned more than one line in doc/misc/options, so grepping out only the lines marked "// obsolete" didn't remove the whole option. this commit adds an option to cfg_test to print named.conf clauses only if they don't have the obsolete, ancient, test-only, or not-yet-implemented flags set.
-
Evan Hunt authored
-
Evan Hunt authored
-
- 31 Jul, 2019 1 commit
-
-
Ondřej Surý authored
The isc-config.sh script was introduced before pkg-config as is a purely historical thing. There are two reason for removal of isc-config.sh scripts: a) The BIND 9 libraries are now meant to be used only from BIND 9, so there's no reason to provide convenience script to link with the libraries. b) Even if that was not the case, we should and would replace the isc-config.sh with respective pkg-config (.pc) file for every library.
-
- 12 Jul, 2019 1 commit
-
-
Ondřej Surý authored
-
- 09 Jul, 2019 1 commit
-
-
Witold Krecicki authored
Special, for-tests-only, mode with atomics emulated by a mutex-locked variable - useful for finding atomics congestions
-
- 04 Jul, 2019 1 commit
-
-
Evan Hunt authored
-
- 28 Jun, 2019 1 commit
-
-
Michał Kępień authored
When printing a packet, dnstap-read checks whether its text form takes up more than the 2048 bytes allocated for the output buffer by default. If that is the case, the output buffer is automatically expanded, but the truncated output is left in the buffer, resulting in malformed data being printed. Clear the output buffer before expanding it to prevent this issue from occurring.
-
- 27 Jun, 2019 1 commit
-
-
Evan Hunt authored
-