GitLab

(cherry picked from commit 05531d3a)

(cherry picked from commit 4742f4ec)

Merge branch '445-filter-aaaa-and-dns64-can-both-attempt-to-recurse-for-a-records-at-the-same-time-v9_12' into 'v9_12'

Resolve "filter-aaaa and dns64 can both attempt to recurse for A records at the same time"

See merge request !685

(cherry picked from commit c1bc3baf)

(cherry picked from commit 1056376d)

[v9_12] Fix reloading inline-signed zones

See merge request !674

5015.	[bug]		Reloading all zones caused zone maintenance to cease
			for inline-signed zones. [GL #435]

(cherry picked from commit f9931f1d)

While "rndc reload" causes dns_zone_asyncload() to be called for the
signed version of an inline-signed zone, the subsequent zone_load() call
causes the raw version to be reloaded from storage.  This means that
DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
dns_zone_asyncload() before the reload is attempted, but zone_postload()
is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
cleared for the raw version, but not for the signed version.  This in
turn prevents zone maintenance from happening for the signed version of
the zone.

Until commit 7c64547d, this problem
remained dormant because DNS_ZONEFLG_LOADPENDING was previously
immediately, unconditionally cleared after zone loading was started
(whereas it should only be cleared when zone loading is finished or an
error occurs).  This behavior caused other issues [1] and thus had to be
changed.

Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
for the signed version of the zone once the raw version reload
completes.  Take care not to clear it prematurely during initial zone
load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
zone_postload() encounters an error or returns early, to prevent other
scenarios from resulting in the same problem.  Add comments aiming to
help explain code flow.

[1] see RT #47076

(cherry picked from commit 54315839)

[v9_12] Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone

See merge request !672

5014.	[bug]		Signatures loaded from the journal for the signed
			version of an inline-signed zone were not scheduled for
			refresh. [GL #482]

(cherry picked from commit b3b1a908)

When an inline-signed zone is loaded, the master file for its signed
version is loaded and then a rollforward of the journal for the signed
version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
during the latter phase, signatures loaded from the journal for the
signed version of the zone will not be scheduled for refresh.  Fix the
conditional expression determining which flags should be used for the
dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
zone_postload() is called for the signed version of an inline-signed
zone.

Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
of "rndc stop" as the former allows master file flushing upon shutdown
to be suppressed.

(cherry picked from commit 8db550c4)

Merge branch '390-do-not-treat-a-referral-with-a-non-empty-answer-section-as-an-error-v9_12' into 'v9_12'

[v9_12] Do not treat a referral with a non-empty ANSWER section as an error

See merge request !671

5013.	[bug]		A referral response with a non-empty ANSWER section was
			inadvertently being treated as an error. [GL #390]

(cherry picked from commit 2923ab49)

As part of resquery_response() refactoring [1], a goto statement was
replaced [2] with a call to a new function - originally called
rctx_delegation(), now folded into rctx_answer_none() - extracted from
existing code.  However, one call site of that refactored function does
not reset the "result" variable, causing a referral with a non-empty
ANSWER section to be inadvertently treated as an error, which prevents
resolution of names reliant on servers sending such responses.  Fix by
resetting the "result" variable to ISC_R_SUCCESS when a response
containing a non-empty ANSWER section can be treated as a delegation.

[1] see RT #45362

[2] see commit e1380a16741a3b4a57e54d7a9ce09dd12691522f

(cherry picked from commit 24b9ec55)

Install isc/boolean.h and isc/int.h shim headers

See merge request !670

fix lock order reversal

See merge request !666

(cherry picked from commit 083007e9)

(cherry picked from commit 2bb4392b)

Resolve "Replace custom datatypes (isc_<foo>_t) with C11 equivalents"

See merge request !634

Resolve "Missing check in acl_test.c unit test"

See merge request !651

Mark Andrews authored Aug 14, 2018 and Evan Hunt committed Aug 14, 2018

(cherry picked from commit 0ce82e9d)

Resolve "mempool is broken if object size is below the alignment size"

See merge request !649

Mark Andrews authored Aug 14, 2018 and Evan Hunt committed Aug 14, 2018

(cherry picked from commit 5dd1beec)

[v9_12] Fix OpenSSL error logging

See merge request !645

5009.	[bug]		Upon an OpenSSL failure, the first error in the OpenSSL
			error queue was not logged. [GL #476]

(cherry picked from commit cab7c34f)

dst__openssl_toresult3() first calls toresult() and subsequently uses
ERR_get_error_line_data() in a loop.  Given this, it is a mistake to use
ERR_get_error() in toresult() because it causes the retrieved error to
be removed from the OpenSSL error queue, thus preventing it from being
retrieved by the subsequent ERR_get_error_line_data() calls.  Fix by
using ERR_peek_error() instead of ERR_get_error() in toresult().

(cherry picked from commit fe20f8fe)

[v9_12] Prevent rare rbt_insert_and_remove unit test failures

See merge request !642

When two or more absolute, two-label names are added to a completely
empty RBT, an extra, empty node for the root name will be created due to
node splitting.  check_tree() expects that, but the extra node will not
be created when just one name is added to a completely empty RBT.  This
problem could be handled inside check_tree(), but that would introduce
unnecessary complexity into it since adding a single name will result in
a different node count for a completely empty RBT (node count will be 1)
and an RBT containing only an empty node for the root name, created due
to prior node splitting (node count will be 2).  Thus, first explicitly
create a node for the root name to prevent rare check_tree() failures
caused by a single name being added in the first iteration of the
insert/remove loop.

(cherry picked from commit 13fe7637)

[v9_12] Make the "inline" system test more lightweight

See merge request !640

Each zone used in the "inline" system test contains a few dozen records.
Over a dozen of these zones are used in the test.  Most records present
in these zones are not subsequently used in the test itself, but all of
them need to be signed by the named instances launched by the test,
which puts quite a bit of strain on lower-end machines, leading to
intermittent failures of the "inline" system test.  Remove all redundant
records from the zones used in the "inline" system test in order to
stabilize it.

(cherry picked from commit 24dd865b)

[v9_12] Queue "rndc signing -nsec3param ..." requests if needed

See merge request !637

5008.	[bug]		"rndc signing -nsec3param ..." requests were silently
			ignored for zones which were not yet loaded or
			transferred. [GL #468]

(cherry picked from commit eed6778b)

If "rndc signing -nsec3param ..." is ran for a zone which has not yet
been loaded or transferred (i.e. its "db" field is NULL), it will be
silently ignored by named despite rndc logging an "nsec3param request
queued" message, which is misleading.  Prevent this by keeping a
per-zone queue of NSEC3PARAM change requests which arrive before a zone
is loaded or transferred and processing that queue once the raw version
of an inline-signed zone becomes available.

(cherry picked from commit cb40c522)

Resolve "Full Recv-Queue"

See merge request !630

(cherry picked from commit ebf3083e)

[v9_12]: Resolve "Fix for Configure to find the path to VC++ redistributables under Visual Studio 2017"

See merge request !618