BIND issues (https://gitlab.isc.org/isc-projects/bind9/-/issues), 2023-11-02T16:32:29Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/733
Rewrite various logging functions to variadic macros...
Ondřej Surý, 2023-11-02T16:32:29Z

There's a lot of pre-C99 code that defines extra logging functions in different places in the code, like this:
```
static void
manager_log(isc__socketmgr_t *sockmgr,
	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);

static void
manager_log(isc__socketmgr_t *sockmgr,
	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
	    const char *fmt, ...)
{
	char msgbuf[2048];
	va_list ap;

	if (!isc_log_wouldlog(isc_lctx, level))
		return;

	va_start(ap, fmt);
	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
	va_end(ap);
	isc_log_write(isc_lctx, category, module, level,
		      "sockmgr %p: %s", sockmgr, msgbuf);
}
```
With C99, this could be rewritten using variadic macros like this:
```
/* fmt must be a string literal: it is concatenated with the prefix, not
 * stringified; ##__VA_ARGS__ drops the trailing comma if no extra args (GNU/Clang). */
#define manager_log(sockmgr, category, module, level, fmt, ...)            \
	do {                                                               \
		if (isc_log_wouldlog(isc_lctx, level)) {                   \
			isc_log_write(isc_lctx, category, module, level,   \
				      "sockmgr %p: " fmt, sockmgr, ##__VA_ARGS__); \
		}                                                          \
	} while (0)
```
Using variadic macros would lead to having fewer functions.
@joey, could you take care of it please?

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/736
Unify the way we use different __attribute__s
Ondřej Surý, 2023-11-02T16:32:29Z

We use different `__attribute__(())` where available in a different way.
Refactor the usage (and documentation), so there's only one "style".

Milestone: Not planned
Assignee: Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/737
Uniquely number and document emitted log messages
Ondřej Surý, 2018-11-23T15:24:27Z

Cathy Almond @cathya wrote:
> Can we, off the back of this, take a look at the Kea model for uniquely numbering and documenting emitted logged messages and open a feature request for doing something similar in BIND?

Brian Conry wrote:
> I've had it on my personal wish-todo-list to figure out how to generate the catalog files as part of a make operation, ever since I had to troubleshoot a problem with the text start typing instead of out of memory because the OS vendor had pre-installed catalog files that matched their build of BIND.
>
> But eliminating the (almost completely) unused catalog functionality would work too.
>
> Actually, doing the "unique numbering" thing seems to me like it would be a helpful step if we were to try to preserve support for catalog files, so it seems to me to be something that we should do regardless.

Milestone: Long-term

https://gitlab.isc.org/isc-projects/bind9/-/issues/903
Remove obsolete RRtypes
Witold Krecicki, 2023-11-02T16:32:30Z

We support virtually all rrtypes, some of them obsolete since 1988, and maybe it's time to get rid of them; this ticket is to discuss which ones we can get rid of and which we should keep.
| rrtype | id | description | To be removed? |
| -------------- | ---- | -------------- | -------------- |
| md | 3 | OB | Yes |
| mf | 4 | SO | Yes |
| mb | 7 | LE | Yes |
| mg | 8 | T | Yes |
| mr | 9 | E | Yes |
| null | 10 | | |
| wks | 11 | | Yes |
| hinfo | 13 | See RFC 8482 | No |
| minfo | 14 | Obsolete | Yes |
| rp | 17 | | |
| afsdb | 18 | | |
| x25 | 19 | | |
| isdn | 20 | | |
| rt | 21 | | |
| nsap | 22 | | Yes |
| nsap-ptr | 23 | | Yes |
| sig | 24 | | |
| key | 25 | | |
| px | 26 | | |
| gpos | 27 | | |
| loc | 29 | | |
| nxt | 30 | | |
| eid | 31 | | |
| nimloc | 32 | | |
| atma | 34 | | |
| naptr | 35 | | |
| kx | 36 | | |
| cert | 37 | | |
| a6 | 38 | Obsolete | |
| sink | 40 | no RFC, just draft | Yes |
| apl | 42 | used in catz | |
| ipseckey | 45 | | |
| smimea | 53 | | |
| hip | 55 | | |
| ninfo | 56 | | |
| rkey | 57 | | |
| talink | 58 | | |
| cds | 59 | RFC 7344 | No |
| cdnskey | 60 | RFC 7344 | No |
| openpgpkey | 61 | RFC 7929 | No |
| csync | 62 | RFC 7477 | No |
| zonemd | 63 | | |
| spf | 99 | RFC 7208 | No |
| unspec | 103 | | Yes |
| nid | 104 | | |
| l32 | 105 | | |
| l64 | 106 | | |
| lp | 107 | | |
| eui48 | 108 | RFC 7043 | No |
| eui64 | 109 | RFC 7043 | No |
| tkey | 249 | | |
| uri | 256 | RFC 7553 | No |
| caa | 257 | RFC 6844 | No |
| avc | 258 | | |
| doa | 259 | | |
| amtrelay | 260 | | |
| ta | 32768 | | |
| dlv | 32769 | Not yet | No |
| keydata | 65533 | | |

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1558
libuv doesn't support pktinfo - we need to bind to all IPv6 interfaces explicitly
Witold Krecicki, 2023-11-02T16:44:01Z

In 'old' code we only bound to all ipv6 interfaces on Windows - on Unices that supported it we bound to :: and then used pktinfo to determine which destination the packet was sent to. This doesn't work in libuv as there's no portable way - we need to bind to all interfaces.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/2938
CID 339072 (#1 of 1): Unchecked return value (CHECKED_RETURN)
Mark Andrews, 2023-01-09T11:11:24Z

lib/dns/rpz.c:
```
2246
CID 339072 (#1 of 1): Unchecked return value (CHECKED_RETURN)
25. check_return: Calling isc_timer_reset without checking return value (as is done elsewhere 9 out of 10 times).
2247 isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL,
2248 NULL, true);
```

Milestone: Not planned
Assignee: Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3027
Move setting of @SO@ to copy_setports
Mark Andrews, 2022-03-01T09:43:31Z

Setting @SO@ in conf files is currently done by configure. copy_setports should be capable of doing this.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3038
refactor peer.c to reduce copy-and-paste needed for new options.
Mark Andrews, 2021-12-02T02:05:21Z

This should reduce copy-paste-replace errors.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3261
Run cache cleaning as offloaded work
Ondřej Surý, 2024-03-01T10:04:56Z

The cache cleaning is an on-task incremental process which is an ideal candidate for running it as offloaded work.
NOTE for myself or whomever is going to do the job - great care needs to be taken with signaling the end of cleaning - currently this is being serialized by the task, but if we move this into the threadpool the signalling needs to be done by an atomic variable (or something like that).

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3324
clean up fctx_minimize_qname
Mark Andrews, 2022-06-02T11:15:31Z

There are redundant variables and multiple initialisations of the same variable when constructing the next qminname.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3657
Time and related disasters in software (y2k38)
Tony Finch, 2023-03-31T15:51:56Z

There are some opportunities to simplify:
* BIND now targets POSIX, which gives us much more useful guarantees about the behaviour of `time_t`, so we can replace most uses of `isc_stdtime_t`.
* ISO C has adopted `struct timespec` so we can use that instead of `isc_time_t`. It is used for C's timed mutex and thread sleep.
  - This will need some care, though, because `isc_time_t` has unsigned members, whereas `struct timespec` is signed, for instance, `long tv_nsec`.
  - On the other hand, 64 bit nanoseconds since the epoch is much easier to use than `struct timespec` or `isc_time_t`.
* Most uses of time in BIND should probably be changed to use CLOCK_MONOTONIC instead of wall time.

Milestone: Not planned
Assignee: Tony Finch

https://gitlab.isc.org/isc-projects/bind9/-/issues/3729
Drop RHEL/CentOS 7 support after 30. June 2024
Ondřej Surý, 2023-03-14T16:11:32Z

RHEL/CentOS 7 Maintenance Phase 2 ends on 30. June 2024. As BIND 9.20 will be released in Q.I 2024, there's little point in supporting RHEL/CentOS/Oracle/RockyLinux/... 7 in BIND 9.19 now. We should also drop RHEL-and-clones 7 support after 30. June 2024 in BIND 9.18.
- Phase I - drop EL7 support in 9.19+
  - [x] Drop EL7 jobs from GitLab CI for `main` (https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7346)
  - [x] Remove EL7 bind-dev RPM builds from Cloudsmith pipeline (https://gitlab.isc.org/isc-private/rpms/bind/-/merge_requests/19)
  - [x] Remove EL7 buildroot from [isc/bind-dev](https://copr.fedorainfracloud.org/coprs/isc/bind-dev/) COPR
  - [x] Update installation instructions on `isc/bind-dev` COPR so that they do not include EL7-specific bits
  - [ ] [Remove](https://help.cloudsmith.io/docs/delete-a-package#bulk-package-delete) old 9.19 EL7 packages from bind-dev Cloudsmith repo (after a few months)
- Phase II - drop EL7 support in 9.18 (after EOL - 2024-06-30)
  - [ ] Drop EL7 jobs from GitLab CI for `v9_18`
  - [ ] Drop EL7-specific parts from all Packer image recipes
  - [ ] Drop EL7 support from the `packager:rpm` Docker image
  - [ ] Drop EL7-specific parts from BIND RPM build&test scripts
  - [ ] Remove EL7 buildroots from COPR
  - [ ] Update installation instructions on COPR so that they do not include EL7-specific bits
  - [ ] Remove EL7 from CI images build scripts ([Docker](https://gitlab.isc.org/isc-projects/images/-/blob/main/docker/bind9/oraclelinux-template/Dockerfile), [Packer](https://gitlab.isc.org/isc-projects/images/-/tree/main/packer/oraclelinux), ...)
  - [ ] Remove all EL7 packages from Cloudsmith (after a few months); update "Due date"

Assignee: Michał Kępień
Due date: 2024-06-30

https://gitlab.isc.org/isc-projects/bind9/-/issues/3843
Remove options allowing source ports to be specified
Michał Kępień, 2024-01-31T08:53:45Z

With the options allowing source ports to be specified being deprecated
in 9.18 & 9.19/9.20, all the code associated with those options should
subsequently be completely removed in the 9.21/9.22 cycle, as previously
announced on *bind-users*:
https://lists.isc.org/pipermail/bind-users/2023-January/107165.html

The following features are going to be marked as ancient and made
non-functional:
* specifying `port` in the following statements:
  - `query-source`
  - `query-source-v6`
  - `transfer-source`
  - `transfer-source-v6`
  - `notify-source`
  - `notify-source-v6`
  - `parental-source`
  - `parental-source-v6`
* the following statements as a whole:
  - `use-v4-udp-ports`
  - `use-v6-udp-ports`
  - `avoid-v4-udp-ports`
  - `avoid-v6-udp-ports`

See #3781 for the corresponding option deprecation issue.

Milestone: Not planned
Assignee: Michał Kępień
Due date: 2024-03-01

https://gitlab.isc.org/isc-projects/bind9/-/issues/3858
Deprecate (or improve/replace) the fetches-per-zone option
Ondřej Surý, 2023-12-19T09:21:45Z

The `fetches-per-zone` is a measure to prevent abuse of the nameservers.
### How we pick a bucket?
When a fetch (`fctx`) is created, the `fctx->domain` is initialized with a domain name that could be:
#### Argument passed by the caller
`domain` passed by the caller - from `dns_adb`/`fetch_name` when `start_at_name` is set and from `ns_query`/`ns_query_recurse()`
No example here, we can (sort of) ignore this case.
#### In the forward-only mode
The `.` when we are in **forward-only** mode - there's only a single counter!
With QNAME Minimization On and Off
```
increasing counter for '.' in the '0x7fed97e3e000/www.google.com/A' to 1 (allowed 1 spilled 0)
increasing counter for '.' in the '0x7fed97a26800/com/DS' to 2 (allowed 2 spilled 0)
increasing counter for '.' in the '0x7fed97a25400/google.com/DS' to 3 (allowed 3 spilled 0)
decreasing counter for '.' in the '0x7fed97a26800/com/DS' to 2 (allowed 3 spilled 0)
increasing counter for '.' in the '0x7fed97226800/com/DNSKEY' to 3 (allowed 4 spilled 0)
decreasing counter for '.' in the '0x7fed97226800/com/DNSKEY' to 2 (allowed 4 spilled 0)
decreasing counter for '.' in the '0x7fed97a25400/google.com/DS' to 1 (allowed 4 spilled 0)
dropping counter for '.' in the '0x7fed97e3e000/www.google.com/A' to 0 (allowed 4 spilled 0)
```
#### Everything else
Whatever `dns_view_findzonecut()` returns. This includes **forward-first** configurations.
Example with QNAME minimization:
```
increasing counter for '.' in the '0x7f4b9983e000/www.google.com/A' to 1 (allowed 1 spilled 0)
increasing counter for '.' in the '0x7f4b9b81a000/_.com/A' to 2 (allowed 2 spilled 0)
decreasing counter for '.' in the '0x7f4b9b81a000/_.com/A' to 1 (allowed 2 spilled 0)
increasing counter for 'com' in the '0x7f4b9b81a000/_.com/A' to 1 (allowed 1 spilled 0)
dropping counter for 'com' in the '0x7f4b9b81a000/_.com/A' to 0 (allowed 1 spilled 0)
dropping counter for '.' in the '0x7f4b9983e000/www.google.com/A' to 0 (allowed 2 spilled 0)
increasing counter for 'com' in the '0x7f4b9983e000/www.google.com/A' to 1 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7f4b9b81a000/_.google.com/A' to 2 (allowed 2 spilled 0)
decreasing counter for 'com' in the '0x7f4b9b81a000/_.google.com/A' to 1 (allowed 2 spilled 0)
increasing counter for 'google.com' in the '0x7f4b9b81a000/_.google.com/A' to 1 (allowed 1 spilled 0)
dropping counter for 'google.com' in the '0x7f4b9b81a000/_.google.com/A' to 0 (allowed 1 spilled 0)
dropping counter for 'com' in the '0x7f4b9983e000/www.google.com/A' to 0 (allowed 2 spilled 0)
increasing counter for 'google.com' in the '0x7f4b9983e000/www.google.com/A' to 1 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7f4b9b81c800/google.com/DS' to 1 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7f4b99027800/com/DNSKEY' to 2 (allowed 2 spilled 0)
decreasing counter for 'com' in the '0x7f4b99027800/com/DNSKEY' to 1 (allowed 2 spilled 0)
dropping counter for 'com' in the '0x7f4b9b81c800/google.com/DS' to 0 (allowed 2 spilled 0)
dropping counter for 'google.com' in the '0x7f4b9983e000/www.google.com/A' to 0 (allowed 1 spilled 0)
```
Example without QNAME minimization:
```
increasing counter for '.' in the '0x7fc30803e000/www.google.com/A' to 1 (allowed 1 spilled 0)
dropping counter for '.' in the '0x7fc30803e000/www.google.com/A' to 0 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7fc30803e000/www.google.com/A' to 1 (allowed 1 spilled 0)
dropping counter for 'com' in the '0x7fc30803e000/www.google.com/A' to 0 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7fc30803e000/www.google.com/A' to 1 (allowed 1 spilled 0)
dropping counter for 'com' in the '0x7fc30803e000/www.google.com/A' to 0 (allowed 1 spilled 0)
increasing counter for 'google.com' in the '0x7fc30803e000/www.google.com/A' to 1 (allowed 1 spilled 0)
dropping counter for 'google.com' in the '0x7fc30803e000/www.google.com/A' to 0 (allowed 1 spilled 0)
increasing counter for 'google.com' in the '0x7fc30803e000/www.google.com/A' to 1 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7fc307c28c00/google.com/DS' to 1 (allowed 1 spilled 0)
increasing counter for 'com' in the '0x7fc307c27800/com/DNSKEY' to 2 (allowed 2 spilled 0)
decreasing counter for 'com' in the '0x7fc307c27800/com/DNSKEY' to 1 (allowed 2 spilled 0)
dropping counter for 'com' in the '0x7fc307c28c00/google.com/DS' to 0 (allowed 2 spilled 0)
dropping counter for 'google.com' in the '0x7fc30803e000/www.google.com/A' to 0 (allowed 1 spilled 0)
```
NOTE: `fetches-per-server` has a similar effect here, but `fetches-per-server` is more fine-grained.

Milestone: BIND 9.21.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/3948
Remove the artificial limit on max zone keys
Ondřej Surý, 2023-03-15T09:37:28Z

The `struct dns_update_state` contains the following member `dst_key_t *zone_keys[DNS_MAXZONEKEYS];` limiting the number of the zone keys to `32`. This seems enough, but since we already pass a memory context to `lib/dns/zone.c:dns__zone_findkeys()`, `lib/dns/dnssec.c:dns_dnssec_findzonekeys()`, and `lib/dns/update.c:find_zone_keys()` and return the number of found keys in `&nkeys`, we could as well allocate the array in `dns_dnssec_findzonekeys()` by calling `dns_rdataset_count()` first, allocating the array to hold all the possible keys and then shrinking to the actual number of keys.
Alternatively, this could be converted to `ISC_LIST()` instead of a static array.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/4204
Deprecate and remove the "tkey-gssapi-credential" option
Michał Kępień, 2023-07-11T10:49:40Z

The `CHANGES` entry accompanying the introduction of the
`tkey-gssapi-keytab` option ([back from 2010][1]) suggests that this
option is intended to supersede `tkey-gssapi-credential`:
```
2987.	[func]		Improve ease of configuring TKEY/GSS updates by
			adding a "tkey-gssapi-keytab" option. If set,
			updates will be allowed with any key matching
			a principal in the specified keytab file.
			"tkey-gssapi-credential" is no longer required
			and is expected to be deprecated. (Contributed
			by Andrew Tridgell of the Samba project.)
			[RT #22629]
```
Given that the documentation for TKEY-related configuration knobs is
already tricky to plow through for someone not well-versed in GSSAPI
(like yours truly), I guess having multiple ways of configuring that
machinery is a cherry on top.
If I am reading the documentation correctly, I think `tkey-domain` could
perhaps also be ripped out, but the relationship between all the moving
parts is not quite clear to me.
[1]: 71bd858d8ed62672e7c23999dc7c02fd16a55089

Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/4237
Remove "dialup" and "heartbeat-interval"
Evan Hunt, 2024-03-01T04:30:01Z

The "dialup" and "heartbeat-interval" options have been deprecated in 9.20 (see #3700, !8080) and will need to be removed later.
The due date for this issue has been set to an arbitrary date that is presumed to fall within the BIND 9.21 development cycle.

Milestone: Not planned
Assignee: Evan Hunt
Due date: 2024-08-01

https://gitlab.isc.org/isc-projects/bind9/-/issues/4482
Remove the "dnssec-must-be-secure" feature
Michał Kępień, 2023-12-07T10:23:58Z

See #4263 for the deprecation issue.
Full removal is expected to happen in the 9.21/9.22 development cycle
and it should only affect the development branch.

Milestone: BIND 9.21.x
Due date: 2024-12-01