GitLab

Check zonefile is untouched if dnssec-policy none

Closes #2603

See merge request !4888

When looking for key files, we could use isdigit rather than checking
if the character is within the range [0-9].

Use (unsigned char) cast to ensure the value is representable in the
unsigned char type (as suggested by the isdigit manpage).

Change " & 0xff" occurrences to the recommended (unsigned char) type
cast.

Just like with dynamic and/or inline-signing zones, check if no two
or more zone configurations set the same filename. In these cases,
the zone files are not read-only and named-checkconf should catch
a configuration where multiple zone statements write to the same file.

Add some bad configuration tests where KASP zones reference the same
zone file.

Update the good-kasp test to allow for two zones configure the same
file name, dnssec-policy none.

Make sure no DNSSEC contents are added to the zonefile if dnssec-policy
is set to "none" (and no .state files exist for the zone).

Resolve "Always set 'rewrite' when compacting a version 1 journal."

Closes #2670

See merge request !4985

version 1 journals may have a mix of type 1 and type 2 transaction
headers so always use the recovery code.

Remove double "insecure" check

See merge request !4997

This was a conflict between dba13d28
and 636ff1e1.

Don't roll keys when the private key file is offline

Closes #2596

See merge request !4885

When we introduced "dnssec-policy insecure" we could have removed the
'strcmp' check for "none", because if it was set to "none", the 'kasp'
variable would have been set to NULL.

Add a test for default.kasp that if we remove the private key file,
no successor key is created for it. We need to update the kasp script
to deal with a missing private key. If this is the case, skip checks
for private key files.

Add a test with a zone for which the private key of the ZSK is missing.

Add a test with a zone for which the private key of the KSK is missing.

BIND 9 is smart about when to sign with what key. If a key is offline,
BIND will delete the old signature anyway if there is another key to
sign the RRset with.

With KASP we don't want to fallback to the KSK if the ZSK is missing,
only for the SOA RRset. If the KSK is missing, but we do have a ZSK,
deleting the signature is fine. Otherwise it depends on if we use KASP
or not. Update the 'delsig_ok' function to reflect that.

When checking the current DNSSEC state against the policy, consider
offline keys. If we didn't found an active key, check if the key is
offline by checking the public key list. If there is a match in the
public key list (the key data is retrieved from the .key and the
.state files), treat the key as offline and don't create a successor
key for it.

The rndc command 'dnssec -status' only considered keys from
'dns_dnssec_findmatchingkeys' which only includes keys with accessible
private keys. Change it so that offline keys are also listed in the
status.

The function 'dns_dnssec_keylistfromrdataset()' creates a keylist from
the DNSKEY RRset. If we attempt to read the private key, we also store
the key state. However, if the private key is offline, the key state
will not be stored. To fix this, first attempt to read the public key
file. If then reading the private key file fails, and we do have a
public key, add that to the keylist, with appropriate state. If we
also failed to read the public key file, add the DNSKEY to the keylist,
as we did before.

The 'dst_key_fromnamedfile()' function did not read and store the
key state from the .state file when reading a public key file.

The kasp lock would stay locked if 'dns_keymgr_run' failed.

Merge branch '2678-named-checkconf-doesn-t-catch-redefinition-of-dnssec-policy-insecure' into 'main'

Resolve "named-checkconf doesn't catch redefinition of dnssec-policy insecure"

Closes #2678

See merge request !4994

Resolve "inline-signing documentation doesn't match reality"

Closes #2536

See merge request !4751

Fix RFC292 -> RFC952 typo

Closes #2675

See merge request !4990

Fix intermittent kasp test failure

Closes #2624

See merge request !4884

The kasp system test performs for each zone a couple of checks to make
sure the zone is signed correctly. To avoid test failures caused by
timing issues, there is first a check to ensure the zone is done
signing, 'wait_for_done_signing'. This function waits with the DNSSEC
checks until a "zone_rekey done" log message is seen for a specific
key.

Unfortunately this is not sufficient to avoid test failures due to
timing issues, because there is a small amount of time in between this
log message and the newly signed zone actually being served.

Therefore, in 'check_apex', retry for three seconds the DNSKEY query
check. After that, additional checks should pass without retries,
because at that point we know for sure the zone has been resigned with
the expected keys.

Also reduce the number of redundant 'check_signatures'

Resolve "Pull request to fix rdnc-addzone doc"

Closes #2621

See merge request !4882

Add support for generating backtraces on Windows

See merge request !4982

This commit adds support for generating backtraces on Windows and
refactors the isc_backtrace API to match the Linux/BSD API (without
the isc_ prefix)

 * isc_backtrace_gettrace() was renamed to isc_backtrace(), the third
   argument was removed and the return type was changed to int
 * isc_backtrace_symbols() was added
 * isc_backtrace_symbols_fd() was added and used as appropriate

Add nanosleep and usleep Windows shims

See merge request !4981

Add trampoline around iocompletionport_createthreads()

See merge request !4980