GitLab

Since following a delegation resets most fetch context state, address
marks (FCTX_ADDRINFO_MARK) set inside lib/dns/resolver.c are not
preserved when a delegation is followed.  This is fine for full
recursive resolution but when named is configured with "forward first;"
and one of the specified forwarders times out, triggering a fallback to
full recursive resolution, that forwarder should no longer be consulted
at each delegation point subsequently reached within a given fetch
context.

Add a new badnstype_t enum value, badns_forwarder, and use it to mark a
forwarder as bad when it times out in a "forward first;" configuration.
Since the bad server list is not cleaned when a fetch context follows a
delegation, this prevents a forwarder from being queried again after
falling back to full recursive resolution.  Yet, as each fetch context
maintains its own list of bad servers, this change does not cause a
forwarder timeout to prevent that forwarder from being used by other
fetch contexts.

dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.

This reverts commit 4af9f971, reversing
changes made to 0289f3f2.

will be addressed in a separate issue

Refactor synthfromdnssec system test to use $DEFAULT_ALGORITHM, be shellcheck clean and run under set -e

- "hook" is now used only for hook points and hook actions
- the "hook" statement in named.conf is now "plugin"
- ns_module and ns_modlist are now ns_plugin and ns_plugins
- ns_module_load is renamed ns_plugin_register
- the mandatory functions in plugin modules (hook_register,
  hook_check, hook_version, hook_destroy) have been renamed

- added functionality to check hook parameters in named-checkconf,
  and restored the checkconf tests that were removed from the
  filter-aaaa test.

- the AD flag was not being cleared correctly when filtering
- enabled dnssec valdiation in the filter-aaaa test to confirm this
  works correctly now

- make some cfg-parsing functions global so they can be run
  from filter-aaaa.so
- add filter-aaaa options to the hook module's parser
- mark filter-aaaa options in named.conf as obsolete, remove
  from named and checkconf, and update the filter-aaaa test not to
  use checkconf anymore
- remove filter-aaaa-related struct members from dns_view

- allow multiple "hook" statements at global or view level
- add "optional bracketed text" type for optional parameter list
- load hook module from specified path rather than hardcoded path
- add a hooktable pointer (and a callback for freeing it) to the
  view structure
- change the hooktable functions so they no longer update ns__hook_table
  by default, and modify PROCESS_HOOK so it uses the view hooktable, if
  set, rather than ns__hook_table. (ns__hook_table is retained for
  use by unit tests.)
- update the filter-aaaa system test to load filter-aaaa.so
- add a prereq script to check for dlopen support before running
  the filter-aaaa system test

not yet done:
- configuration parameters are not being passed to the filter-aaaa
  module; the filter-aaaa ACL and filter-aaaa-on-{v4,v6} settings are
  still stored in dns_view

 - the goal of this change is for AAAA filtering to be fully contained
   in the query logic, and implemented at discrete points that can be
   replaced with hook callouts later on.
 - the new code may be slightly less efficient than the old filter-aaaa
   implementation, but maximum efficiency was never a priority for AAAA
   filtering anyway.
 - we now use the rdataset RENDERED attribute to indicate that an AAAA
   rdataset should not be included when rendering the message. (this
   flag was originally meant to indicate that an rdataset has already
   been rendered and should not be repeated, but it can also be used to
   prevent rendering in the first place.)
 - the DNS_MESSAGERENDER_FILTER_AAAA, NS_CLIENTATTR_FILTER_AAAA,
   and DNS_RDATASETGLUE_FILTERAAAA flags are all now unnecessary and
   have been removed.