Fix DNSRPS builds

Closes #3827

See merge request !7450

Commit b69e7831 changed the scope of the
local 'view' variable in load_configuration(), but the code section
guarded by the #ifdef USE_DNSRPS directive was not adjusted accordingly,
causing build errors for DNSRPS-enabled builds.  Fix the latter by
declaring the 'view' variable inside the loop in the DNSRPS-specific
block of code.

Commit 7695c36a added a new parameter,
'options', to the prototype of the 'allrdatasets' function pointer in
struct dns_dbmethods.  Handle this new parameter accordingly in
rpsdb_allrdatasets().

The --enable-dnsrps-dl switch for ./configure enables preparing a
DNSRPS-enabled build of BIND 9 that is not directly linked against a
DNSRPS provider library (dlopen() at runtime is used instead).  Employ
this switch to test DNSRPS-enabled builds in the pairwise testing job in
GitLab CI.

refactor isc_ratelimiter to use loop callbacks

See merge request !7366

the rate limter now uses loop callbacks rather than task events.
the API for isc_ratelimiter_enqueue() has been changed; we now pass
in a loop, a callback function and a callback argument, and
receive back a rate limiter event object (isc_rlevent_t). it
is no longer necessary for the caller to allocate the event.

the callback argument needs to include a pointer to the rlevent
object so that it can be freed using isc_rlevent_free(), or by
dequeueing.

Resolve "fuzz/dns_message_checksig.c fails to call dst_lib_destroy"

Closes #3828

See merge request isc-projects/bind9!7442

This returns BIGNUMs to OpenSSL allowing libcrypto to fully clean up.

Resolve "nsupdate failed to handle primary server address lookup gracefully"

Closes #3830

See merge request !7444

If the address lookup of the primary server fails just abort
the current update request rather than calling exit.  This allows
nsupdate to cleanup gracefully.

Resolve "'named -V' leaks memory when shutting down"

Closes #3829

See merge request !7443

There were unbalanced calls to dns_lib_init and dns_lib_destroy
leading to an OpenSSL memory leak.

Properly name ADB hashmap and named log memory contexts

Closes #3806

See merge request isc-projects/bind9!7449

Ondřej Surý authored Jan 30, 2023 and Ondřej Surý committed Jan 30, 2023

The ADB hashmaps are stored in extra memory contexts, so the hash
tables are excluded from the overmem accounting.  The new memory
context was unnamed, give it a proper name.

Same thing has happened with extra memory context used for named
global log context - give the extra memory context a proper name.

Properly name ADB hashmap memory context

Closes #3806

See merge request isc-projects/bind9!7447

Ondřej Surý authored Jan 30, 2023 and Ondřej Surý committed Jan 30, 2023

The ADB hashmaps are stored in extra memory contexts, so the hash
tables are excluded from the overmem accounting.  The new memory
context was unnamed, give it a proper name.

Same thing has happened with extra memory context used for named
global log context - give the extra memory context a proper name.

Force set DS state after 'rndc dnssec -checkds'

Closes #3822

See merge request isc-projects/bind9!7423

Set the DS state after issuing 'rndc dnssec -checkds'. If the DS
was published, it should go in RUMOURED state, regardless whether it
is already safe to do so according to the state machine.

Leaving it in HIDDEN (or if it was magically already in OMNIPRESENT or
UNRETENTIVE) would allow for easy shoot in the foot situations.

Similar, if the DS was withdrawn, the state should be set to
UNRETENTIVE. Leaving it in OMNIPRESENT (or RUMOURED/HIDDEN)
would also allow for easy shoot in the foot situations.

danger: refine existing rules

See merge request !7428

The following are not also accepted as single-line commits without
generating warnings:
- CHANGES/release note may appear in the beginning of the commit message
- Release note may be capitalized
- Allow commits with "GL #" (e.g. Update documentation for [GL #XXXX])

When updating the -S edition, the CHANGES.SE file is modified. Make sure
danger accepts that.

Rework the Security Incident Handling Checklist

See merge request !6980

Update the release checklist to incorporate some minor tweaks that we
have been applying manually for the past few months as a result of
release process evolution.

Rework the Security Incident Handling Checklist so that it does not only
contain the SWENG-side steps for handling a security incident, but also
all the other steps required by ISC procedures.

Extend artifact lifetime for release-related jobs

See merge request !7432

Artifacts of the "stress" jobs in GitLab CI are used for generating the
QA summary for a given set of releases.  It happened in the past that
these artifacts were purged before the QA summary was prepared,
unnecessarily prolonging the release process.  A complete set of
artifacts from all such jobs for a single pipeline should be less than 1
GB in size, so extend their lifetime from one day to one week as a more
reasonable compromise between availability and disk space usage.  (Note:
these jobs are also run in scheduled pipelines, but that is expected to
be acceptable in the context of artifact lifetime.)

Artifacts of the "release" jobs in GitLab CI are what we eventually
publish on the FTP server.  It happened in the past that these artifacts
were purged before we copied them to their destination, unnecessarily
prolonging the release process, even though we usually press the "Keep"
button for the "release" jobs manually to keep them around indefinitely
(...

Resolve "Teach danger about amend!"

Closes #3824

See merge request isc-projects/bind9!7430

commit --fixup=amend:<hash> produces a subject starting with amend!
by default.  Have danger look for this to ensure that it is squashed
before merging.

Add release tarball comparison script

See merge request !7419

The util/release-tarball-comparison.sh script compares a release-ready
BIND 9 tarball to a temporary BIND 9 tarball created from the same
signed Git tag to ensure that their content does not differ
(significantly).

BIND 9.19.9

Improve OpenSSL RSA key extraction

See merge request !7424

Add check for extracting the public 'n' component on OpenSSL 3.0
path. This is mandatory component, and it's presence is checked
already on the other code path.

Also document the reason why private key component getting errors
are ignored.

Reduce the memory statistics to a bare minimum

Closes #3718

See merge request !7412