1. 08 Apr, 2022 2 commits
    • Petr Špaček's avatar
      Merge branch '2950-cache-acceptance-rules-test-v9_11' into 'v9_11' · 5349dbc6
      Petr Špaček authored
      [CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_11]
      See merge request !6108
    • Mark Andrews's avatar
      Add tests for forwarder cache poisoning scenarios · 29f08170
      Mark Andrews authored and Petr Špaček's avatar Petr Špaček committed
      - Check that an NS in an authority section returned from a forwarder
        which is above the name in a configured "forward first" or "forward
        only" zone (i.e., net/NS in a response from a forwarder configured for
        local.net) is not cached.
      - Test that a DNAME for a parent domain will not be cached when sent
        in a response from a forwarder configured to answer for a child.
      - Check that glue is rejected if its name falls below that of zone
        configured locally.
      - Check that an extra out-of-bailiwick data in the answer section is
        not cached (this was already working correctly, but was not explicitly
        tested before).
      - v9_11 backport: Revert primary/secondary to master/slave,
        backport rndc helper, backport ns8 config.
      (cherry picked from commit bf3fffff)
  2. 23 Mar, 2022 2 commits
  3. 16 Mar, 2022 1 commit
  4. 07 Mar, 2022 3 commits
  5. 04 Mar, 2022 1 commit
  6. 03 Mar, 2022 8 commits
  7. 14 Feb, 2022 4 commits
  8. 03 Jan, 2022 2 commits
  9. 23 Dec, 2021 3 commits
    • Michal Nowak's avatar
      Merge branch 'mnowak/make-debian-11-bullseye-base-image-v9_11' into 'v9_11' · 8d96225f
      Michal Nowak authored
      [v9_11] Make bullseye the base image
      See merge request !5671
    • Michal Nowak's avatar
      Use /dev/urandom as BIND 9.11 randomness source · 4b96bed8
      Michal Nowak authored
      This prevents resolver timeouts for the reference (BIND 9.11) servers
      used in respdiff tests run on Debian 11 "bullseye".
      --with-randomdev=/dev/urandom is part of the "configure" template.
      (cherry picked from commit 4d7e3438)
    • Michal Nowak's avatar
      Make bullseye the base image · e984b398
      Michal Nowak authored
      "buster" jobs are now only going to be run in scheduled pipelines.
      "--without-gssapi" ./configure option of "bullseye" before it became the
      base image is dropped from "bullseye"-the-base-image because it reduces
      gcov coverage by 0.38 % (651 lines) and is used in Debian 9 "stretch".
      "--enable-openssl-hash" is on purpose not being tested because it fails
      linking when either of --with-ecdsa, --with-gost, --with-eddsa, or
      --with-aes is used as well because it can't find f.e. HMAC_CTX_new() as
      "-lcrypto" is missing:
          /usr/bin/ld: ../../lib/isc/libisc.a(hmacmd5.o): in function `isc_hmacmd5_init':
          /root/bind9/lib/isc/hmacmd5.c:49: undefined reference to `HMAC_CTX_new'
          /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `EVP_md5'
          /usr/bin/ld: /root/bind9/lib/isc/hmacmd5.c:51: undefined reference to `HMAC_Init_ex'
      BIND 9.11 is in security-fixes-only-mode and configure.ac code should
      not be fixed to include "-lcrypto" in this corner case; better eliminate
      a pairwise hint.
      (cherry picked from commit 910d595f)
  10. 22 Dec, 2021 2 commits
    • Michal Nowak's avatar
      Merge branch 'mnowak/respdiff-job-dependency-fix-v9_11' into 'v9_11' · 1352db11
      Michal Nowak authored
      [v9_11] Execute respdiff jobs out-of-order
      See merge request !5667
    • Michal Nowak's avatar
      Execute respdiff jobs out-of-order · 06fd3662
      Michal Nowak authored
      Commit 9aa1c580 dropped dependency of "respdiff" and
      "respdiff-third-party" jobs on "tarball-create" job because these jobs
      don't need to depend on in (e.g., for its artifacts). This, however,
      caused that respdiff jobs weren't started out-of-order and artifacts
      from all the "Build" stage jobs plus "unit:gcc:buster:amd64" job were
      downloaded to project directory and caused problems with compilation:
      Originally, the dependency on "tarball-create" has been added in
      45d59c50 to indicate that respdiff "is meant to operate on two different
      BIND versions". It seems that the intent didn't work out, and we better
      make it obvious that respdiff jobs don't depend on any other job and
      should be run out-of-order.
      (cherry picked from commit 87578efc)
  11. 21 Dec, 2021 4 commits
  12. 20 Dec, 2021 2 commits
  13. 17 Dec, 2021 4 commits
  14. 16 Dec, 2021 2 commits