- 02 Jul, 2021 1 commit
Mark Andrews authored
xmllint doesn't know about the HTML 5 <section> tag so filter those out.
-
- 01 Jul, 2021 7 commits
Matthijs Mekking authored
Fix CID 332468: Memory - illegal accesses (UNINIT) Closes #1126 See merge request !5241
-
Matthijs Mekking authored
*** CID 332468: Memory - illegal accesses (UNINIT)
/lib/dns/zone.c: 6613 in dns_zone_getdnsseckeys()
6607 ISC_LIST_UNLINK(dnskeys, k1, link);
6608 ISC_LIST_APPEND(*keys, k1, link);
6609 }
6610 }
6611
6612 failure:
>>> CID 332468: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "keyset.methods" when calling
>>> "dns_rdataset_isassociated".
6613 if (dns_rdataset_isassociated(&keyset)) {
6614 dns_rdataset_disassociate(&keyset);
6615 }
6616 if (node != NULL) {
6617 dns_db_detachnode(db, &node);
6618 }
Fix by initializing the 'keyset' with 'dns_rdataset_init'.
-
Matthijs Mekking authored
Fix possible deadlock when locking key files Closes #2786 See merge request !5210
-
Matthijs Mekking authored
-
Mark Andrews authored
Resolve "journal rollforward failed: journal out of sync with zone" Closes #2769, #2728, and #2686 See merge request !5177
-
Mark Andrews authored
-
Mark Andrews authored
A placeholder keydata record can appear in a zone file. Allow them to be read back in.
-
- 30 Jun, 2021 21 commits
Matthijs Mekking authored
checkds Closes #1126 See merge request !5234
-
Matthijs Mekking authored
The function 'private_type_record()' is now used in multiple system setup scripts and should be moved to the common configuration script conf.sh.common.
-
Matthijs Mekking authored
Seems pretty newsworthy.
-
Matthijs Mekking authored
Update ARM and DNSSEC guide with the new checkds feature.
-
Matthijs Mekking authored
The DST key metadata can be written by several threads in parallel. Protect the dst_key_get* and dst_key_set* functions with a mutex.
-
Matthijs Mekking authored
The old approach where each zone structure has its own mutex that a thread needs to obtain multiple locks to do safe keyfile I/O operations led to a race condition ending in a possible deadlock. Consider a zone in two views. Each such zone is stored in a separate zone structure. A thread that needs to read or write the key files for this zone needs to obtain both mutexes in separate structures. If another thread is working on the same zone in a different view, they race to get the locks. It would be possible that thread1 grabs the lock of the zone in view1, while thread2 wins the race for the lock of the zone in view2. Now both threads try to get the other lock, but both of them are already locked. Ideally, when a thread wants to do key file operations, it only needs to lock a single mutex. This commit introduces a key management hash table, stored in the zonemgr structure. Each time a zone is being managed, an object is added to the hash table (and removed when the zone is being released). This object is identified by the zone name and contains a mutex that needs to be locked prior to reading or writing key files. (cherry-picked from commit ef461936)
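The single-mutex-per-zone-name scheme described in the commit above, as an added C sketch that is not BIND's code: a table keyed by zone name holds one refcounted mutex, so two views of the same zone attach to the same entry and key-file I/O locks exactly one mutex. The function names, the struct layout and the small fixed-size table standing in for the zonemgr hash table are all assumptions.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

#define KEYMGMT_SLOTS 16 /* assumption: small fixed table instead of a real hash table */

typedef struct keymgmt {
    char name[256];       /* the zone name identifies the entry, not the view */
    pthread_mutex_t lock; /* the one lock taken around key-file reads and writes */
    unsigned int refs;    /* how many managed zone structures (views) share it */
} keymgmt_t;

static keymgmt_t *table[KEYMGMT_SLOTS]; /* stands in for the table in zonemgr */

/* Called when a zone starts being managed: reuse the entry for this name if another view created it. */
keymgmt_t *keymgmt_attach(const char *zonename) {
    int free_slot = -1;
    for (int i = 0; i < KEYMGMT_SLOTS; i++) {
        if (table[i] == NULL) {
            if (free_slot < 0) free_slot = i;
        } else if (strcmp(table[i]->name, zonename) == 0) {
            table[i]->refs++;
            return table[i];
        }
    }
    if (free_slot < 0) return NULL; /* table full */
    keymgmt_t *km = calloc(1, sizeof(*km));
    strncpy(km->name, zonename, sizeof(km->name) - 1);
    pthread_mutex_init(&km->lock, NULL);
    km->refs = 1;
    table[free_slot] = km;
    return km;
}

/* Called when a zone is released: the entry goes away with its last user. */
void keymgmt_detach(keymgmt_t **kmp) {
    keymgmt_t *km = *kmp;
    *kmp = NULL;
    if (--km->refs > 0) return;
    for (int i = 0; i < KEYMGMT_SLOTS; i++) if (table[i] == km) table[i] = NULL;
    pthread_mutex_destroy(&km->lock);
    free(km);
}

/* Key-file I/O takes exactly one mutex, so two threads working on the same
 * zone in different views contend for this one lock instead of each holding
 * its own zone-structure lock and waiting for the other's. */
void keymgmt_lock(keymgmt_t *km) { pthread_mutex_lock(&km->lock); }
void keymgmt_unlock(keymgmt_t *km) { pthread_mutex_unlock(&km->lock); }
```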
-
Matthijs Mekking authored
Similar to notify, add code to send and keep track of checkds requests. On every zone_rekey event, we will check the DS at parental agents (but we will only actually query parental agents if there is a DS scheduled to be published/withdrawn). On a zone_rekey event, we will first clear the ongoing checkds requests. Reset the counter, to avoid continuing KSK rollover prematurely. This has the risk that if zone_rekey events happen too soon after each other, there are redundant DS queries to the parental agents. But if TTLs and the configured durations in the dnssec-policy are sane (as in not ridiculously short) the chance of this happening is low.
-
Matthijs Mekking authored
When the checkds published/withdrawn is activated, log a notice. This can be used for testing, but is also operationally useful.
-
Matthijs Mekking authored
In order to keep track of how many parents have the DS for a given key published or withdrawn, keep a counter.
-
Matthijs Mekking authored
This makes the 'dnssec-verify' tool visible to the test environment.
-
Matthijs Mekking authored
Return the offending key state identifier.
-
Matthijs Mekking authored
This code gathers DNSSEC keys from key files and from the DNSKEY RRset. It is used for the 'rndc dnssec -status' command, but will also be needed for "checkds". Turn it into a function.
-
Matthijs Mekking authored
Similar to "notify-source" and "transfer-source", add options to set the source address when querying parental agents for DS records.
-
Matthijs Mekking authored
Change the static function 'get_ksk_zsk' to a library function that can be used to determine the role of a dst_key. Add checks if the boolean parameters to store the role are not NULL. Rename to 'dst_key_role'.
-
Matthijs Mekking authored
Parse the new "parental-agents" configuration and store it in the zone structure.
-
Matthijs Mekking authored
Make the code to parse "primaries" configuration more generic so it can be reused for "parental-agents".
-
Matthijs Mekking authored
-
Matthijs Mekking authored
Add a Pytest based system test for the 'checkds' feature. There is one nameserver (ns9, because it should be started the latest) that has configured several zones with dnssec-policy. The zones are set in such a state that they are waiting for DS publication or DS withdrawal. Then several other name servers act as parent servers that either have the DS for these published, or not. Also one server in the mix is to test a badly configured parental-agent. There are tests for DS publication, DS publication error handling, DS withdrawal and DS withdrawal error handling. The tests ensure that the zone is DNSSEC valid, and that the DSPublish/DSRemoved key metadata is set (or not in case of the error handling). It does not test if the rollover continues, this is already tested in the kasp system test (that uses 'rndc -dnssec checkds' to set the DSPublish/DSRemoved key metadata).
-
Matthijs Mekking authored
Add checks for "parental-agents" configuration, checking for the option being at the wrong type of zone (only allowed for primaries and secondaries), duplicate definitions, duplicate references, and undefined parental clauses (the name referenced in the zone clause does not have a matching "parental-agent" clause).
-
Matthijs Mekking authored
Introduce a way to configure parental agents that can be used to query DS records to be used in automatic key rollovers.
-
Matthijs Mekking authored
Change the primaries configuration objects to the more generic remote-servers, that we can reuse for other purposes (such as parental-agents).
-
- 28 Jun, 2021 6 commits
Petr Špaček authored
fix tcp-send-buffer, udp-receive-buffer, udp-send-buffer limits Closes #2797 See merge request !5235
-
Petr Špaček authored
-
Matthijs Mekking authored
Fix setnsec3param shutdown hang Closes #2791 See merge request !5219
-
Matthijs Mekking authored
-
Matthijs Mekking authored
When performing the 'setnsec3param' task, zones that are not loaded will have their task rescheduled. We should do this only if the zone load is still pending; this prevents zones that failed to load from getting stuck in a busy wait and causing a hang on shutdown.
-
Matthijs Mekking authored
Add a zone to the configuration file that uses NSEC3 with dnssec-policy and fails to load. This will cause setnsec3param to go into a busy wait and will cause a hang on shutdown.
-
- 24 Jun, 2021 5 commits
Ondřej Surý authored
Move the include Makefile.tests to the bottom of Makefile.am(s) See merge request !4927
-
The Makefile.tests was modifying global AM_CFLAGS and LDADD and could accidentally pull /usr/include to be listed before the internal libraries, which is known to cause problems if the headers from the previous version of BIND 9 have been installed on the build machine.
-
Ondřej Surý authored
Remove unused or outdated utils, developer and design documentation Closes #2745 See merge request !5131
-
We should drop the HISTORY file because it's confusing and the same information is covered by the release notes for .0 releases (or at least it should be). Remove references to the HISTORY file, update the README to tell people to go look somewhere else.
-
This was written down in the outdated doc/dev/release documentation. Since the rest of that file can go, add these steps to a separate file and update it to current standards (e.g. use git commands).
-