- 08 Apr, 2022 2 commits
-
-
Petr Špaček authored
[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_11] See merge request !6108
-
- Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of a zone configured locally.
- Check that extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before).
- v9_11 backport: Revert primary/secondary to master/slave, backport rndc helper, backport ns8 config.
(cherry picked from commit bf3fffff)
-
- 23 Mar, 2022 2 commits
-
-
Ondřej Surý authored
Save parsed tsan files with .txt extension See merge request !6022
-
Ondřej Surý authored
When the parsed tsan files have a text extension, they can be viewed directly in the GitLab web UI without downloading them locally. (cherry picked from commit 80582073)
-
- 16 Mar, 2022 1 commit
-
-
Michał Kępień authored
Merge 9.11.37 release branch See merge request !5992
-
- 07 Mar, 2022 3 commits
-
-
Tinderbox User authored
-
Tinderbox User authored
-
Michał Kępień authored
Prepare documentation for BIND 9.11.37 See merge request isc-private/bind9!394
-
- 04 Mar, 2022 1 commit
-
-
Michał Kępień authored
-
- 03 Mar, 2022 8 commits
-
-
Michał Kępień authored
[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses See merge request isc-private/bind9!381
-
Compound literals are not used in BIND 9.11, in order to ensure backward compatibility with ancient compilers. Rework the relevant parts of the BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals are not used.
-
-
-
When caching glue, we need to ensure that there is no closer source of truth for the name. If the owner name for the glue record would be answered by a locally configured zone, do not cache.
-
When caching additional and glue data *not* from a forwarder, we must check that there is no "forward only" clause covering the owner name that would take precedence. Such names would normally be allowed by bailiwick rules, but a "forward only" zone introduces a new bailiwick scope.
-
If we are using a forwarder, in addition to checking that names to be cached are subdomains of the forwarded namespace, we must also check that there are no subsidiary forwarded namespaces which would take precedence. To be safe, we don't cache any responses if the forwarding configuration has changed since the query was sent.
-
When using a forwarder, check that the owner names of response records are within the bailiwick of the forwarded name space.
-
- 14 Feb, 2022 4 commits
-
-
Michal Nowak authored
[v9_11] Run spatch jobs in parallel See merge request !5834
-
Michal Nowak authored
Also make the script more verbose to identify which patch is being processed and check for failures in spatch standard error output. (cherry picked from commit 48c44fe6)
-
Michal Nowak authored
[v9_11] Update Coverity Scan CI job to 2021.12.1 See merge request !5831
-
Michal Nowak authored
(cherry picked from commit f0edf07f)
-
- 03 Jan, 2022 2 commits
-
-
Michal Nowak authored
[v9_11] Update copyrights to 2022 See merge request !5683
-
Michal Nowak authored
(cherry picked from commit befd654e)
-
- 23 Dec, 2021 3 commits
-
-
Michal Nowak authored
[v9_11] Make bullseye the base image See merge request !5671
-
Michal Nowak authored
This prevents resolver timeouts for the reference (BIND 9.11) servers used in respdiff tests run on Debian 11 "bullseye". --with-randomdev=/dev/urandom is part of the "configure" template. (cherry picked from commit 4d7e3438)
-
Michal Nowak authored
"buster" jobs are now only going to be run in scheduled pipelines.

"--without-gssapi" ./configure option of "bullseye" before it became the base image is dropped from "bullseye"-the-base-image because it reduces gcov coverage by 0.38 % (651 lines) and is used in Debian 9 "stretch".

"--enable-openssl-hash" is on purpose not being tested because it fails linking when either of --with-ecdsa, --with-gost, --with-eddsa, or --with-aes is used as well because it can't find f.e. HMAC_CTX_new() as "-lcrypto" is missing:

    /usr/bin/ld: ../../lib/isc/libisc.a(hmacmd5.o): in function `isc_hmacmd5_init':
    /root/bind9/lib/isc/hmacmd5.c:49: undefined reference to `HMAC_CTX_new'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `EVP_md5'
    /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `HMAC_Init_ex'

BIND 9.11 is in security-fixes-only-mode and configure.ac code should not be fixed to include "-lcrypto" in this corner case; better eliminate a pairwise hint.

(cherry picked from commit 910d595f)
-
- 22 Dec, 2021 2 commits
-
-
Michal Nowak authored
[v9_11] Execute respdiff jobs out-of-order See merge request !5667
-
Michal Nowak authored
Commit 9aa1c580 dropped dependency of "respdiff" and "respdiff-third-party" jobs on "tarball-create" job because these jobs don't need to depend on it (e.g., for its artifacts). This, however, caused that respdiff jobs weren't started out-of-order and artifacts from all the "Build" stage jobs plus "unit:gcc:buster:amd64" job were downloaded to project directory and caused problems with compilation:

Originally, the dependency on "tarball-create" has been added in 45d59c50 to indicate that respdiff "is meant to operate on two different BIND versions". It seems that the intent didn't work out, and we better make it obvious that respdiff jobs don't depend on any other job and should be run out-of-order. (cherry picked from commit 87578efc)
-
- 21 Dec, 2021 4 commits
-
-
Michal Nowak authored
[v9_11] Add respdiff job with third-party recursors See merge request !5663
-
Michal Nowak authored
The order of directories with reference and test BIND 9 are now reversed for respdiff.sh. The data.mdb file has more than 10 GB and makes artifact download take an unnecessarily long time. (cherry picked from commit 2ececf2c)
-
Michal Nowak authored
Suppress OpenSSL 3.0 deprecated declarations warning See merge request !5550
-
Michal Nowak authored
Alpine Linux image has OpenSSL 3.0.0 from the "edge" repository to test OpenSSL 3.0.0 support in the BIND 9 "main" branch. However, this breaks compilation of branches without OpenSSL 3.0.0 support and therefore OpenSSL deprecated declarations need to be suppressed with -DOPENSSL_SUPPRESS_DEPRECATED.
-
- 20 Dec, 2021 2 commits
-
-
Michal Nowak authored
[v9_11] Add FreeBSD 12.3 See merge request !5660
-
Michal Nowak authored
(cherry picked from commit a4d8571f)
-
- 17 Dec, 2021 4 commits
-
-
Michal Nowak authored
[v9_11] Add Fedora 35 See merge request !5658
-
Michal Nowak authored
(cherry picked from commit 668be429)
-
Michal Nowak authored
[v9_11] Drop FreeBSD 11 See merge request !5655
-
Michal Nowak authored
Support for FreeBSD 11.4, the last FreeBSD 11.x release, ended on September 30, 2021. Link: https://www.freebsd.org/security/unsupported/ Also drop $WITH_READLINE_LIBEDIT from clang:freebsd13:amd64, it should not have been added in the first place. (cherry picked from commit 981579f3)
-
- 16 Dec, 2021 2 commits
-
-
Michal Nowak authored
[v9_11] Add Alpine Linux 3.15 See merge request !5652
-
Michal Nowak authored
(cherry picked from commit d43127a3)
-