GitLab

[v9_11] Update to OpenBSD 6.8

See merge request !4337

(cherry picked from commit 773649f4)

[v9_11] Miscellaneous backtrace fixes

See merge request !4335

The following compiler warning is emitted for the BACKTRACE_X86STACK
part of lib/isc/backtrace.c:

    backtrace.c: In function ‘getrbp’:
    backtrace.c:139:1: warning: no return statement in function returning non-void [-Wreturn-type]

While getrbp() stores the value of the RBP register in the RAX register
and thus does attempt to return a value, this is not enough for an
optimizing compiler to always produce the expected result.  With -O2,
the following machine code may be generated in isc_backtrace_gettrace():

    0x00007ffff7b0ff7a <+10>:	mov    %rbp,%rax
    0x00007ffff7b0ff7d <+13>:	mov    $0x17,%eax
    0x00007ffff7b0ff82 <+18>:	retq

The above is equivalent to:

    sp = (void **)getrbp();
    return (ISC_R_NOTFOUND);

and results in the backtrace never getting printed.

Fix by using an intermediate variable.  With this change in place, the
machine code generated with -O2 becomes something like:

    0x00007ffff7af5638 <+24>:	mov    $0x17,%eax
    0x00007ffff7af563d <+29>:	mov    %rbp,%rdx
    0x00007ffff7af5640 <+32>:	test   %rdx,%rdx
    0x00007ffff7af5643 <+35>:	je     0x7ffff7af56bd <isc_backtrace_gettrace+157>
    ...
    0x00007ffff7af56bd <+157>:	retq

(Note that this method of grabbing a stack trace is finicky anyway
because in order for RBP to be relied upon, -fno-omit-stack-frame must
be present among CFLAGS.)

(cherry picked from commit 923c4433)

Some operating systems (e.g. Linux, FreeBSD) provide the
_Unwind_Backtrace() function in libgcc_s.so, which is automatically
linked into any binary using the functions provided by that library.  On
OpenBSD, though, _Unwind_Backtrace() is provided by libc++abi.so, which
is not automatically linked into binaries produced by the stock system C
compiler.

Meanwhile, lib/isc/backtrace.c assumes that any GNU-compatible toolchain
allows _Unwind_Backtrace() to be used without any extra provisions in
the build system.  This causes build failures on OpenBSD (and possibly
other systems).

Instead of making assumptions, actually check for _Unwind_Backtrace()
support in the toolchain if the backtrace() function is unavailable.

(cherry picked from commit 10d70557)

[v9_11] Fix the "make depend" check in GitLab CI

See merge request !4334

The make/mkdep script does not understand the concept of generated
source files (like lib/dns/dnstap.pb-c.c), which prevents it from
working correctly for out-of-tree builds.  As "make depend" is not
required for building BIND and the "depend" make target was removed
altogether in the development branch, just prevent the "make depend"
check from being performed for out-of-tree builds in GitLab CI instead
of trying to add support for handling generated source files to
make/mkdep.

(cherry picked from commit 1b5a8a91)

"make depend" prints errors to stderr, not to stdout.  This means that
the check for "make depend" errors currently used in the definition of
every build job in GitLab CI could never fail.  Fix that check by
redirecting stderr to stdout.  Also employ tee to prevent the output of
"make depend" from being hidden in the job log.  (While using tee hides
the exit code of "make depend" itself, the next line still checks for
errors anyway.)

(cherry picked from commit 0ab099ca)

Merge branch '2236-resolver-sometimes-treats-signed-insecure-zone-with-broken-dnskey-as-bogus-v9_11' into 'v9_11'

Resolve "Resolver sometimes treats signed, insecure zone with broken DNSKEY as bogus"

See merge request !4333

(cherry picked from commit decf117e)

ans10 simulates a local anycast server which has both signed and
unsigned instances of a zone.  'A' queries get answered from the
signed instance.  Everything else gets answered from the unsigned
instance.  The resulting answer should be insecure.

(cherry picked from commit d7840f4b)

DNS_R_NCACHENXRRSET can be return when zones are in transition state
from being unsigned to signed and signed to unsigned.  The validation
should be resumed and should result in a insecure answer.

(cherry picked from commit 718e597d)

[v9_11] Update to FreeBSD 12.2

See merge request !4330

(cherry picked from commit 11ab0528)

[v9_11] Add Fedora 33

See merge request !4328

(cherry picked from commit 91e28d1f)

fix a typo in rpz test

See merge request !4322

"tcp-only" was not being tested correctly in the RPZ system test
because the option to the "digcmd" function that causes queries to
be sent via TCP was misspelled in one case, and was being interpreted
as a query name.

the "ckresult" function has also been changed to be case sensitive
for consistency with "digcmd".

(cherry picked from commit 78af071c)

address 'make depend' issues

See merge request !4317

(cherry picked from commit 06fa0d7b)

[v9_11] Enable Test Coverage Visualization for merge requests

See merge request !4315

This feature allows GitLab to visualize test coverage information in the
file diff view of merge requests.

This commit makes the gcov CI job depend on the following chain of jobs:

    gcc:buster:amd64 → unit:gcc:buster:amd64 → system:gcc:buster:amd64

The reason for running the last two jobs above sequentially rather than
in parallel is that both of them create *.gcda files (containing
coverage data) in the same locations.  While some way of merging these
files from different job artifact archives could probably be designed
with the help of additional tools, the simplest thing to do is not to
run unit test and system test jobs in parallel, carrying *.gcda files
over between jobs as gcov knows how to append coverage data to existing
*.gcda files.

Also note that test coverage will not be visualized if any of the jobs
in the above dependency chain fails (because the gcov job will not be
run).

(cherry picked from commit 2dabf328)

[v9_11] Add "stress" tests to GitLab CI

See merge request !4308

Run "stress" tests for scheduled pipelines and pipelines created for
tags.  These tests were previously only performed manually (as part of
pre-release testing of each new BIND version).  Their purpose is to
detect memory leaks and potential performance issues.

As the run time of each "stress" test itself is set to 1 hour, set the
GitLab CI job timeout to 2 hours in order to account for the extra time
needed to set the test up and gather its results.

(cherry picked from commit 39305411)
(cherry picked from commit 06f721fd)

[v9_11] Fix system test backtrace generation on OpenBSD

See merge request !4305

On Linux core dump contains absolute path to crashed binary

    Core was generated by `/home/newman/isc/ws/bind9/bin/named/.libs/lt-named -D glue-ns1 -X named.lock -m'.

However, on OpenBSD there's only a basename

    Core was generated by `named'.

This commit adds support for the latter, retains the former.

(cherry picked from commit f0b13873)
(cherry picked from commit 659feff9)

Resolve "stub zone foiled by minimal-responses"

See merge request !4284

After the updates from this branch, BIND now sends glue records for
NS queries even when configured with minimal-responses yes.

This test is very simple, two nameserver instances are created:
    - ns4: master, with 'minimal-responses yes', authoritative
        for example. zone
    - ns5: slave, stub zone

The first thing verified is the transfer of zone data from master
to slave, which should be saved in ns5/example.db.

After that, a query is issued to ns5 asking for target.example.
TXT, a record present in the master database with the "test" string
as content.

If that query works, it means stub zone successfully request
nameserver addresses from master, ns4.example. A/AAAA

The presence of both A/AAAA records for ns4 is also verified in the
stub zone local file, ns5/example.db.

Stub zones don't make use of AXFR/IXFR for the transfering of zone
data, instead, a single query is issued to the master asking for
their nameserver records (NS).

That works fine unless master is configured with 'minimal-responses'
set to yes, in which case glue records are not provided by master
in the answer with nameservers authoritative for the zone, leaving
stub zones with incomplete databases.

This commit fix this problem in a simple way, when the answer with
the authoritative nameservers is received from master (stub_callback),
for each nameserver listed (save_nsrrset), a A and AAAA records for
the name is verified in the additional section, and if not present
a query is created to resolve the corresponsing missing glue.

A struct 'stub_cb_args' was added to keep relevant information for
performing a query, like TSIG key, udp size, dscp value, etc, this
information is borrowed from, and created within function 'ns_query',
where the resolving of nameserver from master starts.

A new field was added to the struct 'dns_stub', an atomic integer,
namely pending_requests, which is used to keep how many queries are
created when resolving nameserver addresses that were missing in
the glue.

When the value of pending_requests is zero we know we can release
resources, adjust zone timers, dump to zone file, etc.

Hold qid->lock when calling deref_portentry() as

See merge request !4303

socket_search() need portentry to be unchanging.

    WARNING: ThreadSanitizer: data race
    Write of size 8 at 0x000000000001 by thread T1 (mutexes: write M1):
    #0 deref_portentry lib/dns/dispatch.c:630
    #1 deactivate_dispsocket lib/dns/dispatch.c:861
    #2 udp_recv lib/dns/dispatch.c:1105
    #3 udp_exrecv lib/dns/dispatch.c:1028
    #4 dispatch lib/isc/task.c:1152
    #5 run lib/isc/task.c:1344
    #6 <null> <null>

    Previous read of size 8 at 0x000000000001 by thread T2 (mutexes: write M1, write M2):
    #0 socket_search lib/dns/dispatch.c:661
    #1 get_dispsocket lib/dns/dispatch.c:744
    #2 dns_dispatch_addresponse lib/dns/dispatch.c:3120
    #3 resquery_send lib/dns/resolver.c:2467
    #4 fctx_query lib/dns/resolver.c:2217
    #5 fctx_try lib/dns/resolver.c:4245
    #6 fctx_timeout lib/dns/resolver.c:4570
    #7 dispatch lib/isc/task.c:1152
    #8 run lib/isc/task.c:1344
    #9 <null> <null>

(cherry picked from commit 5c253c41)

DNS_ZONEFLAG_NOIXFR should be DNS_ZONEFLG_NOIXFR

See merge request !4301

(cherry picked from commit 3a044444)

Test a --disable-atomic build in GitLab CI

See merge request !4280

Extend GitLab CI with build and test jobs utilizing the --disable-atomic
configure switch as it is used to work around broken atomics support in
certain build toolchains.

[v9_11] Ensure use of "echo_i" where possible

See merge request !4291