GitLab

Some operating systems (e.g. CentOS, OpenBSD) install the main pytest
script as "py.test-3".  Add that name to the list of names passed to
AC_PATH_PROGS() in order for pytest to be properly detected on a broader
range of operating systems.

Use str.format() instead of f-strings in Python system tests to enable
them to work on Python 3 versions older than 3.6 as the latter is not
available on some operating systems used in GitLab CI that are still
actively supported (CentOS 6, Debian 9, Ubuntu 16.04).

As documentation building utilities are now all included in operating
system images used in GitLab CI, do not install them in each "docs" CI
job any more.

As Python QA tools, BIND system test prerequisites, and documentation
building utilities are now all included in operating system images used
in GitLab CI, do not use pip for installing them in each CI job any
more.

Update release checklist

See merge request !3566

  - First merge release branches to maintenance branches, then push
    tags.  If tags are pushed first and a given set of releases contains
    security fixes, the push will be rejected by a server-side Git hook.

  - Update ABI check job name.

  - Add an item for updating QA tools used in GitLab CI after each
    public release.

Resolve "Extend loop limit by 1."

Closes #1854

See merge request !3548

Fix possible deadlock in unix/socket.c

Closes #1859

See merge request !3561

In process_fd we lock sock->lock and then internal_accept locks mgr->lock,
in isc_sockmgr_render* functions we lock mgr->lock and then lock sock->lock,
that can cause a deadlock when accessing stats. Unlock sock->lock early in
all the internal_{send,recv,connect,accept} functions instead of late
in process_fd.

[CVE-2020-8616] [CVE-2020-8617] May 2020 CVE fixes

Closes #1703 and #1388

See merge request !3562

1388 confidential issue

See merge request isc-private/bind9!135

from max-recursion-queries limits.

Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the number
are successfully limited.

If there are more that 5 NS record for a zone only perform a
maximum of 4 address lookups for all the name servers.  This
limits the amount of remote lookup performed for server
addresses at each level for a given query.

Resolve "Race in 'clear signing records' in dnssec system test."

Closes #1856

See merge request !3557

as the update triggers by the rndc command to clear the signing records
may not have completed by the time the subsequent rndc command to test
that the records have been removed is commenced.  Loop several times to
prevent false negative.

Resolve ""check max-journal-size limits" failed as not enough time allowed"

Closes #1855

See merge request !3551

Miscellaneous cppcheck tweaks

See merge request !3541

cppcheck 2.0 reports false positives about uninitialized variables in a
lot of places throughout BIND source code, e.g.:

    bin/dnssec/dnssec-cds.c:283:6: error: Uninitialized variable: length [uninitvar]
     if (isc_buffer_availablelength(&buf) <= len) {
         ^

Apparently cppcheck 2.0 has issues with processing (&var)->field syntax,
which is what the macros from lib/isc/include/isc/buffer.h are evaluated
to.  This issue was reported upstream [1] and will hopefully be
addressed in a future cppcheck release.

In the meantime, to avoid modifying BIND source code in multiple places
just because of a static checker false positive, work around the issue
by adding intermediate variables to buffer macro definitions using a sed
invocation in the cppcheck job script.

[1] https://sourceforge.net/p/cppcheck/discussion/general/thread/122153e3c1/

Add whitespace to the regular expression used for extracting the GCC
version from "gcc --version" output so that it works properly with
multi-digit major version numbers.

Commit ec72d110 broke the cppcheck job
in GitLab CI: when cppcheck fails, the script is immediately
interrupted, preventing cppcheck-htmlreport from being run.  To ensure
the HTML report is generated when cppcheck fails, revert to invoking
cppcheck-htmlreport in the "after_script" part of the job.

Resolve "race in autosign system test."

Closes #1852

See merge request !3546

There a race between when the delta is logged and when the
server returns signed record.  Retry the queries if the
lookups fail to meet expectations.

move wire_test

See merge request !3544

the dnstap test was pausing for 20 seconds to search for a string in
named.run, which only appears if named is built with --enable-developer or
--enable-querytrace.

wire_test is not only used by the dnstap system test, but also in
fuzz testing. it doesn't need to be installed, but it's useful to have it
built when BIND is.  this commit moves it back from bin/tests/system to
bin/tests, as a noinst_PROGRAM so that it's built by "make all" but
not installed.

Collect TXT and HTML reports produced by ABI checker

See merge request !3501