- 10 Jul, 2018 6 commits
-
-
Michał Kępień authored
Clean up the parts of configure.in responsible for handling libidn2 detection and adjust other pieces of the build system to match these cleanups:

  - use pkg-config when --with-libidn2 is used without an explicit path,
  - look for idn2_to_ascii_lz() rather than idn2_to_ascii_8z() as the former is used in BIND while the latter is not,
  - do not look for idn2_to_unicode_8zlz() as it is present in all libidn2 versions which have idn2_to_ascii_lz(),
  - check whether the <idn2.h> header is usable,
  - set LDFLAGS in the Makefile for dig so that, if specified, the requested libidn2 path is used when linking with libidn2,
  - override CPPFLAGS when looking for libidn2 components so that the configure script does not produce warnings when libidn2 is not installed system-wide,
  - merge the AS_CASE() call into the AS_IF() call below it to simplify code,
  - indicate the default value of --with-libidn2 in "./configure --help" output,
  - use $with_libidn2 rather than $use_libidn2 to better match the name of the configure script argument,
  - stop differentiating between IDN "in" and "out" support, i.e. make dig either support libidn2 or not; remove WITH_* Autoconf macros and use a new one, HAVE_LIBIDN2, to determine whether libidn2 support should be enabled.
-
Witold Krecicki authored
Don't synthesize NXDOMAIN from NSEC for records under a DNAME. Closes #386 See merge request !481
-
Mark Andrews authored
the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata
-
Witold Krecicki authored
-
Mark Andrews authored
Resolve "Memory Leak found in file 'fuzz.c' in BIND-9.12.1-P2" Closes #402 See merge request !488
-
Mark Andrews authored
-
- 03 Jul, 2018 9 commits
-
-
Tinderbox User authored
-
Michał Kępień authored
clarify documentation of the 'mirror' option See merge request !469
-
Evan Hunt authored
-
Michał Kępień authored
Remove dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks Closes #371 See merge request !456
-
Michał Kępień authored
4987. [cleanup] dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks were removed as they were not being used by anything in BIND. [GL #371]
-
Michał Kępień authored
Since BIND libraries are no longer considered public and dns_rdataslab_tordataset() is not used anywhere in the tree, remove the latter and its associated dns_rdatasetmethods_t callbacks from lib/dns/rdataslab.c.
-
Evan Hunt authored
- 02 Jul, 2018 3 commits
-
-
Ondřej Surý authored
-
Ondřej Surý authored
- 30 Jun, 2018 5 commits
-
-
Ondřej Surý authored
Remove ability to build without libcap when Linux capabilities are enabled Closes #321 See merge request !421
-
Ondřej Surý authored
-
Michał Kępień authored
libcap ships with <sys/capability.h>, so use an #ifdef associated with that header to determine whether to enable capabilities support
-
Michał Kępień authored
-
Ondřej Surý authored
-
- 28 Jun, 2018 17 commits
-
-
Evan Hunt authored
-
Michał Kępień authored
Implement mirror zones Closes #33 See merge request !329
-
Michał Kępień authored
4985. [func] Add a new slave zone option, "mirror", to enable serving a non-authoritative copy of a zone that is subject to DNSSEC validation before being used. For now, this option is only meant to facilitate deployment of an RFC 7706-style local copy of the root zone. [GL #33]
-
Michał Kępień authored
-
Michał Kępień authored
Update the ARM and various option lists with information about the "mirror" option for slave zones.
-
Michał Kępień authored
Replace "type: slave" with "type: mirror" in "rndc zonestatus" output for mirror zones in order to enable the user to tell a regular slave zone and a mirror zone apart.
-
Michał Kępień authored
Since the mirror zone feature is expected to mostly be used for the root zone, prevent slaves from sending NOTIFY messages for mirror zones by default. Retain the possibility to use "also-notify" as it might be useful in certain cases.
-
Michał Kępień authored
As mirror zone data should be treated the way validated, cached DNS responses are, outgoing mirror zone transfers should be disabled unless they are explicitly enabled by zone configuration.
-
Michał Kępień authored
As mirror zone data should be treated the way validated, cached DNS responses are, it should not be used when responding to clients who are not allowed cache access. Reuse code responsible for determining cache database access for evaluating mirror zone access.
-
Michał Kępień authored
Modify query_checkcacheaccess() so that it only contains a single return statement rather than three and so that the "check_acl" variable is no longer needed. Tweak and expand comments. Fix coding style issues.
-
Michał Kępień authored
Modify query_getcachedb() so that it uses a common return path for both success and failure. Remove a redundant NULL check since 'db' will never be NULL after being passed as a target pointer to dns_db_attach(). Fix coding style issues.
-
Michał Kępień authored
Extract the parts of query_getcachedb() responsible for checking whether the client is allowed to access the cache to a separate function, so that it can be reused for determining mirror zone access.
-
Michał Kępień authored
If transferring or loading a mirror zone fails, resolution should still succeed by means of falling back to regular recursive queries. Currently, though, if a slave zone is present in the zone table and not loaded, a SERVFAIL response is generated. Thus, mirror zones need special handling in this regard. Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a domain name is looked up rather than a zone itself. Handle that flag in dns_zt_find() in such a way that a mirror zone which is expired or not yet loaded is ignored when looking up domain names, but still possible to find when the caller wants to know whether the zone is configured. This causes a fallback to recursion when mirror zone data is unavailable without making unloaded mirror zones invisible to code checking a zone's existence.
-
Michał Kępień authored
Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses. No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
-
Michał Kępień authored
Section 4 of RFC 7706 suggests that responses sourced from a local copy of a zone should not have the AA bit set. Follow that recommendation by setting 'qctx->authoritative' to ISC_FALSE when a response to a query is coming from a mirror zone.
-
Michał Kępień authored
When a resolver is a regular slave (i.e. not a mirror) for some zone, non-recursive queries for names below that slaved zone will return a delegation sourced from it. This behavior is suboptimal for mirror zones as their contents should rather be treated as validated, cached DNS responses. Modify query_delegation() and query_zone_delegation() to permit clients allowed cache access to check its contents for a better answer when responding to non-recursive queries.