- 06 Nov, 2019 27 commits
-
Matthijs Mekking authored
This stores the dnssec-policy configuration and adds methods to create, destroy, and attach/detach, as well as find a policy with the same name in a list. Also, add structures and functions for creating and destroying kasp keys.
-
Matthijs Mekking authored
This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referred to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
-
Matthijs Mekking authored
Initial design document.
-
Matthijs Mekking authored
The ttlval configuration types are replaced by duration configuration types. The duration is an ISO 8601 duration that is going to be used for DNSSEC key timings such as key lifetimes, signature resign intervals and refresh periods, etc. But it is also still allowed to use the BIND ttlval ways of configuring intervals (number plus optional unit). A duration is stored as an array of 7 different time parts. A duration can either be expressed in weeks, or in a combination of the other datetime indicators. Add several unit tests to ensure the correct value is parsed given different string values.
-
Matthijs Mekking authored
This commit does not change anything significant; it just makes the file more readable in preparation for upcoming changes related to the `dnssec-policy` configuration option.
-
Michał Kępień authored
Fix TCP high-water release note Closes #1206 See merge request !2541
-
Michał Kępień authored
Add missing GitLab issue number to the TCP high-water release note.
-
Michał Kępień authored
Do not use <sys/sysctl.h> on Linux Closes #1298 See merge request !2525
-
Michał Kępień authored
glibc 2.30 deprecated the <sys/sysctl.h> header [1]. However, that header is still used on other Unix-like systems, so only prevent it from being used on Linux, in order to prevent compiler warnings from being triggered. [1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html
-
Michał Kępień authored
Add assert_int_equal() shell function Closes #1206 See merge request !2535
-
Michał Kępień authored
Add a shell function which is used in the "tcp" system test, but has been accidentally omitted from !2425. Make sure the function does not change the value of "ret" itself, so that the caller can decide what to do with the function's return value.
-
Ondřej Surý authored
Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones" Closes #1256 See merge request !2451
-
Ondřej Surý authored
-
Matthijs Mekking authored
Test jitter distribution in NSEC3 dynamic zone and for a zone that has old signatures. In both cases the generated signatures should be spread nicely.
-
Witold Krecicki authored
When doing regular signing, expiry time is jittered to make sure that the re-signing times are not clumped together. This expands this behaviour to expiry times of dynamically added records. When incrementally re-signing a zone, use the full jitter range if the server appears to have been offline for greater than 5 minutes; otherwise use a small jitter range of 3600 seconds. This will stop the signatures becoming more clustered if the server has been offline for a significant period of time (> 5 minutes).
-
Ondřej Surý authored
Avoid an extra atomic_load call when doing atomic_compare_exchange_loop See merge request !2531
-
Ondřej Surý authored
-
Ondřej Surý authored
arm: Add a sentence about overlapping selectors in sortlist statement Closes #1285 See merge request !2517
-
Ondřej Surý authored
-
Ondřej Surý authored
Added tcp-high-water statistics variable. Closes #1206 See merge request !2425
-
Diego dos Santos Fronza authored
-
Diego dos Santos Fronza authored
-
Diego dos Santos Fronza authored
Note: ans6/ans6.py is a helper script that allows tests.sh to open/close TCP connections to some BIND instance.
-
Diego dos Santos Fronza authored
This variable will report the maximum number of simultaneous TCP clients that BIND has served while running. It can be verified by running rndc status and inspecting "tcp high-water: count", or by generating a statistics file with rndc stats and inspecting the line with the "TCP connection high-water" text. The tcp-highwater variable is atomically updated based on an existing tcp-quota system handled in ns/client.c.
-
Diego dos Santos Fronza authored
Add {isc,ns}_stats_{update_if_greater,get_counter}() functions that are used to set and collect high-water type of statistics.
-
Diego dos Santos Fronza authored
The isc_stat_t type was too similar to isc_stats_t type, so the name was changed to something more distinguishable.
-
Diego dos Santos Fronza authored
For TCP high-water work, we need to keep the widths of the integer types used in sync. Note: int_fast32_t is used on the WIN32 platform.
-
- 05 Nov, 2019 8 commits
-
Mark Andrews authored
Resolve "geoip2 default data path" Closes #1301 See merge request !2520
-
Mark Andrews authored
-
Mark Andrews authored
-
Mark Andrews authored
-
Mark Andrews authored
-
Mark Andrews authored
-
Ondřej Surý authored
Describe the polynomial backoff curve used in the quota adjustment Closes #664 See merge request !2519
-
Ondřej Surý authored
-
- 04 Nov, 2019 5 commits
-
Ondřej Surý authored
Add LLVM/Clang scan-build checks into the GitLab CI Closes #45 See merge request !2452
-
Ondřej Surý authored
Related scan-build report:

```
dnstap_test.c:169:2: warning: Value stored to 'result' is never read
        result = dns_test_makeview("test", &view);
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dnstap_test.c:193:2: warning: Value stored to 'result' is never read
        result = dns_compress_init(&cctx, -1, dt_mctx);
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
```
-
Ondřej Surý authored
The named_g_defaultdnstap was never used as the dnstap requires explicit configuration of the output file. Related scan-build report:

```
./server.c:3476:14: warning: Value stored to 'dpath' during its initialization is never read
        const char *dpath = named_g_defaultdnstap;
                    ^~~~~   ~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
```
-
Ondřej Surý authored
libdns: Change check_dnskey_sigs() return type to void to match the reality of how the function is used
-
Ondřej Surý authored
-