1. 19 May, 2020 1 commit
  2. 21 Apr, 2020 1 commit
    • Ondřej Surý's avatar
      Complete rewrite the BIND 9 build system · 978c7b2e
      Ondřej Surý authored
      The rewrite of BIND 9 build system is a large work and cannot be reasonable
      split into separate merge requests.  Addition of the automake has a positive
      effect on the readability and maintainability of the build system as it is more
      declarative, it allows conditional and we are able to drop all of the custom
      make code that BIND 9 developed over the years to overcome the deficiencies of
      autoconf + custom Makefile.in files.
      This squashed commit contains following changes:
      - conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am
        by using automake
      - the libtool is now properly integrated with automake (the way we used it
        was rather hackish as the only official way how to use libtool is via
      - the dynamic module loading was rewritten from a custom patchwork to libtool's
        libltdl (which includes the patchwork to support module loading on different
        systems internally)
      - conversion of the unit test executor from kyua to automake parallel driver
      - conversion of the system test executor from custom make/shell to automake
        parallel driver
      - The GSSAPI has been refactored, the custom SPNEGO on the basis that
        all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations
        support SPNEGO mechanism.
      - The various defunct tests from bin/tests have been removed:
        bin/tests/optional and bin/tests/pkcs11
      - The text files generated from the MD files have been removed, the
        MarkDown has been designed to be readable by both humans and computers
      - The xsl header is now generated by a simple sed command instead of
        perl helper
      - The <irs/platform.h> header has been removed
      - cleanups of configure.ac script to make it more simpler, addition of multiple
        macros (there's still work to be done though)
      - the tarball can now be prepared with `make dist`
      - the system tests are partially able to run in oot build
      Here's a list of unfinished work that needs to be completed in subsequent merge
      - `make distcheck` doesn't yet work (because of system tests oot run is not yet
      - documentation is not yet built, there's a different merge request with docbook
        to sphinx-build rst conversion that needs to be rebased and adapted on top of
        the automake
      - msvc build is non functional yet and we need to decide whether we will just
        cross-compile bind9 using mingw-w64 or fix the msvc build
      - contributed dlz modules are not included neither in the autoconf nor automake
  3. 21 Feb, 2020 1 commit
  4. 22 Jan, 2020 1 commit
    • Diego dos Santos Fronza's avatar
      Added test for the proposed fix · 7417b79c
      Diego dos Santos Fronza authored
      Added test to ensure that NXDOMAIN is returned when BIND is queried for a
      non existing domain in CH class (if a view of CHAOS class is configured)
      and that it also doesn't crash anymore in those cases.
  5. 04 Dec, 2019 3 commits
    • Diego dos Santos Fronza's avatar
      Improved prefetch disabled test code · 994fc2e8
      Diego dos Santos Fronza authored
      Using retry_quiet to test that prefetch is disabled instead of a
      standard loop with sleep 1 between each iteration.
    • Diego dos Santos Fronza's avatar
      Fix resolver tests: prefetch 40/41 · a711d6f8
      Diego dos Santos Fronza authored
      These two tests were failing basically because in order for prefetching to
      happen, the TTL for a given DNS record must be greater than or equal to
      the prefetch config value + 9.
      The previous TTL for both records was 10, while prefetch value in
      configuration was 3, thus making only records with TTL >= 12 elligible
      for prefetching.
      TTL value for both records was adjusted to the value 13, and prefetch
      value was set to 4 (inc by 1), so records with TTL (4 + 9) >= 13 are
      elligible for prefetching.
      Adjusting prefetch value to 4 gives the test 1 second more to avoid time
      problems when sharing resources on a heavy loaded PC.
      Also prefetch value in settings is now read by the script and used
      by it to corrrectly calculate the amount of time needed to delay before
      sending a request to trigger prefetch, adding a bit of flexibility to
      fine tune the test in the future.
    • Diego dos Santos Fronza's avatar
      Fix resolver test: prefetch disabled · dd524cc8
      Diego dos Santos Fronza authored
      The previous test had two problems:
      1. It wasn't written specifically for testing what it was supposed to:
      prefetch disabled.
      2. It could fail in some circunstances if the computer's load is too
      high, due to sleeps not taking parallel tests and cpu load into account.
      The new test is testing prefetch disabled as follows:
      1. It asks for a txt record for a given domain and takes note of the
      record's TTL (which is 10).
      2. It sleeps for (TTL - 5) = 5 seconds, having a window of 5 seconds to
      issue new queries before the record expires from cache.
      3. Three(3) queries are executed in a row, with a interval of 1 second
      between them, and for each query we verify that the TTL in response is
      less than the previous one, thus ensuring that prefetch is disabled (if
      it were enabled this record would have been refreshed already and TTL
      would be >= the first TTL).
      Having a window of 5 seconds to perform 3 queries with a interval of 1
      second between them gives the test a reasonable amount of time
      to not suffer from a machine with heavy load.
  6. 23 Nov, 2019 1 commit
    • Evan Hunt's avatar
      improve system tests · d484b66a
      Evan Hunt authored
      - increase prefetch test timing tolerance.
      - remove five-second pause and explicit connection closing in tcp test
        as they are no longer necessary.
  7. 26 Sep, 2019 1 commit
  8. 30 Aug, 2019 1 commit
  9. 09 May, 2019 1 commit
  10. 03 Apr, 2019 1 commit
    • Michał Kępień's avatar
      Do not rely on default dig options in system tests · b6cce0fb
      Michał Kępień authored
      Some system tests assume dig's default setings are in effect.  While
      these defaults may only be silently overridden (because of specific
      options set in /etc/resolv.conf) for BIND releases using liblwres for
      parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
      prudent to make sure that tests relying on specific +timeout and +tries
      settings specify these explicitly in their dig invocations, in order to
      prevent test failures from being triggered by any potential changes to
      current defaults.
  11. 01 Mar, 2019 1 commit
    • Michał Kępień's avatar
      Fix IP regex used in the "resolver" system test · 70ae48e5
      Michał Kępień authored
      If dots are not escaped in the "" regular expressions used for
      checking whether IP address is present in the tested resolver's
      answers, a COOKIE that matches such a regular expression will trigger a
      false positive for the "resolver" system test.  Properly escape dots in
      the aforementioned regular expressions to prevent that from happening.
  12. 19 Dec, 2018 1 commit
  13. 23 Oct, 2018 1 commit
    • Witold Krecicki's avatar
      Set result to SERVFAIL if upstream responded with FORMERR · b5c9a8ca
      Witold Krecicki authored
      Commit ba912435 causes the resolver to
      respond to a client query with FORMERR when all upstream queries sent to
      the servers authoritative for QNAME elicit FORMERR responses.  This
      happens because resolver code returns DNS_R_FORMERR in such a case and
      dns_result_torcode() acts as a pass-through for all arguments which are
      already a valid RCODE.
      The correct RCODE to set in the response returned to the client in the
      case described above is SERVFAIL.  Make sure this happens by overriding
      the RCODE in query_gotanswer(), on the grounds that any format errors in
      the client query itself should be caught long before execution reaches
      that point.  This change should not reduce query error logging accuracy
      as the resolver code itself reports the exact reason for returning a
      DNS_R_FORMERR result using log_formerr().
  14. 22 Aug, 2018 1 commit
    • Michał Kępień's avatar
      Do not treat a referral with a non-empty ANSWER section as an error · 24b9ec55
      Michał Kępień authored
      As part of resquery_response() refactoring [1], a goto statement was
      replaced [2] with a call to a new function - originally called
      rctx_delegation(), now folded into rctx_answer_none() - extracted from
      existing code.  However, one call site of that refactored function does
      not reset the "result" variable, causing a referral with a non-empty
      ANSWER section to be inadvertently treated as an error, which prevents
      resolution of names reliant on servers sending such responses.  Fix by
      resetting the "result" variable to ISC_R_SUCCESS when a response
      containing a non-empty ANSWER section can be treated as a delegation.
      [1] see RT #45362
      [2] see commit e1380a16741a3b4a57e54d7a9ce09dd12691522f
  15. 08 Aug, 2018 1 commit
  16. 23 Feb, 2018 2 commits
  17. 22 Feb, 2018 1 commit
  18. 12 Sep, 2017 1 commit
  19. 02 May, 2017 2 commits
  20. 13 Dec, 2016 2 commits
  21. 31 Oct, 2016 1 commit
  22. 19 Oct, 2016 1 commit
  23. 26 Aug, 2016 1 commit
  24. 24 Aug, 2016 1 commit
  25. 27 Jun, 2016 1 commit
  26. 14 Jun, 2016 1 commit
  27. 21 Mar, 2016 2 commits
  28. 30 Sep, 2015 1 commit
  29. 09 Jul, 2015 1 commit
    • Evan Hunt's avatar
      [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      			See the ARM for details of these options. [RT #37125]
  30. 06 Jul, 2015 1 commit
  31. 05 Jul, 2015 1 commit
    • Mark Andrews's avatar
      4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are avaliable: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  32. 21 May, 2015 1 commit
  33. 19 May, 2015 1 commit
  34. 03 Dec, 2014 1 commit