1. 09 Apr, 2020 5 commits
  2. 08 Apr, 2020 20 commits
    • Tweak release notes for BIND 9.16.2 · 2b79ffb2
      Stephen Morris authored
    • Tweak CHANGES for BIND 9.16.2 · aeb1eb20
      Michał Kępień authored
    • Merge branch 'bug/master/libisc-link-v9_16' into 'v9_16' · 2c0adf7e
      Ondřej Surý authored
      Link all required libraries to libisc
      See merge request !3360
    • Link all required libraries to libisc · ad79e7c0
      Petr Menšík authored
      It would fail to link -lisc without additional libraries, which should
      not be required.
      (cherry picked from commit 4cc7d241)
    • Merge branch 'ondrej/changes-notes-v9_16-v9_16' into 'v9_16' · e11d690a
      Ondřej Surý authored
      Add missing CHANGES notes from v9_16 branch
      See merge request !3358
    • Add missing CHANGES notes from v9_16 branch · cb100ed5
      Ondřej Surý authored
      (cherry picked from commit 2ef11495)
    • Merge branch 'ondrej/missing-changes-v9_11-v9_16' into 'v9_16' · d42318d1
      Ondřej Surý authored
      Add missing CHANGES notes from v9_11 branch
      See merge request !3353
    • Add missing CHANGES notes from v9_11 branch · 9777aab8
      Ondřej Surý authored
      (cherry picked from commit 434929b5)
    • Merge branch '1742-work-around-an-msvc-bug-v9_16' into 'v9_16' · cc19294a
      Michał Kępień authored
      [v9_16] Work around an MSVC bug
      See merge request !3351
    • Work around an MSVC bug · 5b32f736
      Michał Kępień authored
      The assembly code generated by MSVC for at least some signed comparisons
      involving atomic variables incorrectly uses unsigned conditional jumps
      instead of signed ones.  In particular, the checks in isc_log_wouldlog()
      are affected in a way which breaks logging on Windows and thus also all
      system tests involving a named instance.  Work around the issue by
      assigning the values returned by atomic_load_acquire() calls in
      isc_log_wouldlog() to local variables before performing comparisons.
      (cherry picked from commit 4c4f5ccc)
    • Merge branch '1669-kasp-test-fails-on-windows-v9_16' into 'v9_16' · 83dcb741
      Matthijs Mekking authored
      Resolve ""kasp" system test is failing consistently on Windows"
      See merge request !3340
    • Increase migrate.kasp DNSKEY TTL · 0d050323
      Matthijs Mekking authored
      Increase the DNSKEY TTL of the migrate.kasp zone for the following
      reason:  The key states are initialized depending on the timing
      metadata. If a key is present long enough in the zone it will be
      initialized to OMNIPRESENT.  Long enough here is the time when it
      was published (when the setup script was run) plus DNSKEY TTL.
      Otherwise it is set to RUMOURED, or to HIDDEN if no timing metadata
      is set or the time is still in the future.
      Since the TTL is "only" 5 minutes, the DNSKEY state may be
      initialized to OMNIPRESENT if the test is slow, but we expect it
      to be in RUMOURED state.  If we increase the TTL to a couple of
      hours it is very unlikely that it will be initialized to something
      else than RUMOURED.
      (cherry picked from commit 04e67110)
    • Fix ns6 template zonefile · 02a2de8a
      Matthijs Mekking authored
      The template zone file for server ns6 should have the ns6 domain
      name, not ns3.
      (cherry picked from commit 8d3c0156)
    • Remove kasp Windows prereq check · c923532b
      Matthijs Mekking authored
      Now that the timing issue is fixed, we can enable the kasp test
      again on Windows.
      (cherry picked from commit 87c05fa6)
    • Fix kasp timing issue on Windows · 9b57ad68
      Matthijs Mekking authored
      This fixes another intermittent failure in the kasp system test.
      It does not happen often, except for in the Windows platform tests
      where it takes a long time to run the tests.
      In the "kasp" system test, there is an "rndc reconfig" call which
      triggers a new rekey event.  check_next_key_event() verifies the time
      remaining from the moment "rndc reconfig" is called until the next key
      event.  However, the next key event time is calculated from the key
      times provided during key creation (i.e. during test setup).  Given
      this, if "rndc reconfig" is called a significant amount of time after
      the test is started, some check_next_key_event() checks will fail.
      Fix by calculating the time passed since the start of the test and
      when 'rndc reconfig' happens.  Subtract this time from the
      calculated next key event.
      This only needs to be done after an "rndc reconfig" on zones where
      the keymgr needs to wait for a period of time (for example for keys
      to become OMNIPRESENT, or HIDDEN). This is on step 2 and step 5 of
      the algorithm rollover.  In step 2 there is a waiting period before
      the DNSKEY is OMNIPRESENT, in step 5 there is a waiting period
      before the DNSKEY is HIDDEN.
      In step 1 new keys are created, in step 3 and 4 key states just
      entered OMNIPRESENT, and in step 6 we no longer care because the
      key lifetime is unlimited and we default to checking once per hour.
      Regardless of our indifference about the next key event after step 6,
      change some of the key timings in the setup script to better
      reflect reality: DNSKEY is in HIDDEN after step 5, DS times have
      changed when the new DS became active.
      (cherry picked from commit 62a97570)
    • Merge branch... · 81259f8c
      Ondřej Surý authored
      Merge branch '1574-confidential-issue-rebinding-protection-fail-in-forwarding-mode-v9_16' into 'v9_16'
      Resolve "DNS rebinding protection is ineffective when BIND is configured as a forwarding DNS server"
      See merge request !3343
    • Add release notes · 48110357
      Ondřej Surý authored
    • Add CHANGES · d092db34
      Ondřej Surý authored
    • Add test for the proposed fix · 2cba24a6
      Diego dos Santos Fronza authored
      This test asserts that option "deny-answer-aliases" works correctly
      when forwarding requests.
      As a matter of example, the behavior expected for a forwarder BIND
      instance, having an option such as deny-answer-aliases { "domain"; }
      is that when forwarding a request for *.anything-but-domain, it is
      expected that it will return SERVFAIL if any answer received has a CNAME
      for "*.domain".
      (cherry picked from commit 9bdb960a)
    • Fixed rebinding protection bug when using forwarder setups · bba353d5
      Diego dos Santos Fronza authored
      BIND wasn't honoring option "deny-answer-aliases" when configured to
      forward queries.
      Before the fix it was possible for nameservers listed in "forwarders"
      option to return CNAME answers pointing to unrelated domains of the
      original query, which could be used as a vector for rebinding attacks.
      The fix ensures that BIND applies filters even if configured as a forwarder.
      (cherry picked from commit af6a4de3)
  3. 06 Apr, 2020 4 commits
  4. 04 Apr, 2020 1 commit
  5. 03 Apr, 2020 10 commits