BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2024-03-29T09:53:07Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/4630
CID 487883: Null pointer dereference in lib/dns/qpzone.c
2024-03-29T09:53:07Z
Michal Nowak

Coverity Scan claims null pointer dereference in `lib/dns/qpzone.c`.
```c
/lib/dns/qpzone.c: 4935 in addrdataset()
4929
4930 /*
4931 * Update the zone's secure status. If version is non-NULL
4932 * this is deferred until closeversion() is called.
4933 */
4934 if (result == ISC_R_SUCCESS && version == NULL) {
>>> CID 487883: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "version" to "setsecure", which dereferences it.
4935 setsecure(db, version, qpdb->origin);
4936 }
4937
4938 return (result);
4939 }
4940
```
April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4645
CID 488064: Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it
2024-03-29T09:32:56Z
Michal Nowak

Coverity Scan claims the following issues:
```
/lib/dns/qpzone.c: 1994 in add()
1988 newheader->down = topheader;
1989 topheader->next = newheader;
1990 node->dirty = 1;
1991 if (changed != NULL) {
1992 changed->dirty = true;
1993 }
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
1994 maybe_update_recordsandsize(false, version, header,
1995 nodename->length);
1996 }
1997 } else {
1998 /*
1999 * No non-IGNORED rdatasets of the given type exist at
/lib/dns/qpzone.c: 1972 in add()
1966 if (topheader_prev != NULL) {
1967 topheader_prev->next = newheader;
1968 } else {
1969 node->data = newheader;
1970 }
1971 newheader->next = topheader->next;
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
1972 maybe_update_recordsandsize(false, version, header,
1973 nodename->length);
1974 dns_slabheader_destroy(&header);
1975 } else {
1976 idx = HEADERNODE(newheader)->locknum;
1977 if (RESIGN(newheader)) {
/lib/dns/qpzone.c: 1979 in add()
1973 nodename->length);
1974 dns_slabheader_destroy(&header);
1975 } else {
1976 idx = HEADERNODE(newheader)->locknum;
1977 if (RESIGN(newheader)) {
1978 resigninsert(qpdb, idx, newheader);
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "resigndelete", which dereferences it.
1979 resigndelete(qpdb, version,
1980 header DNS__DB_FLARG_PASS);
1981 }
1982 if (topheader_prev != NULL) {
1983 topheader_prev->next = newheader;
1984 } else {
/lib/dns/qpzone.c: 2061 in add()
2055 newheader->next = node->data;
2056 node->data = newheader;
2057 }
2058 }
2059 }
2060
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
2061 maybe_update_recordsandsize(true, version, newheader, nodename->length);
2062
2063 /*
2064 * Check if the node now contains CNAME and other data.
2065 */
2066 if (version != NULL && cname_and_other(node, version->serial)) {
```
April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4631
CID 487884: Dead code in lib/dns/qpcache.c
2024-03-29T09:25:06Z
Michal Nowak

Coverity Scan claims two instances of dead code in `lib/dns/qpcache.c`:
```c
/lib/dns/qpcache.c: 3459 in add()
3453 }
3454 newheader->next = topheader->next;
3455 newheader->down = topheader;
3456 topheader->next = newheader;
3457 qpnode->dirty = 1;
3458 if (changed != NULL) {
>>> CID 487884: (DEADCODE)
>>> Execution cannot reach this statement: "changed->dirty = true;".
3459 changed->dirty = true;
3460 }
3461 } else {
3462 /*
3463 * No rdatasets of the given type exist at the node.
3464 */
```
```c
/lib/dns/qpcache.c: 3409 in add()
3403 }
3404 newheader->next = topheader->next;
3405 newheader->down = topheader;
3406 topheader->next = newheader;
3407 qpnode->dirty = 1;
3408 if (changed != NULL) {
>>> CID 487884: (DEADCODE)
>>> Execution cannot reach this statement: "changed->dirty = true;".
3409 changed->dirty = true;
3410 }
3411 mark_ancient(header);
3412 if (sigheader != NULL) {
3413 mark_ancient(sigheader);
3414 }
```
April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3141
Remove artificial limit on number of pipelined TCP queries
2024-01-25T10:59:49Z
Ondřej Surý

There's an artificial limit (`23`) on the number of pipelined TCP queries processed at the same time. We need to remove the limit and test the impact.

March 2022 (9.11.37, 9.11.37-S1, 9.16.27, 9.16.27-S1, 9.18.1)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/4405
deprecate/remove resolver-nonbackoff-tries, resolver-retry-interval
2023-12-08T12:18:01Z
Evan Hunt

These options were added to `named` at the same time as serve-stale support. I suspect they were meant to be used for testing, but they weren't documented as test-only options (or, really, as anything else either - see #1687).
They are not, in fact, used in any of the system tests, and I can't think of a reason one would want to modify them in production. I suggest we remove them as of 9.20.

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
Deprecate source port configuration
2023-12-07T13:15:14Z
Evan Hunt

Deprecate the definition of the source ports and rely on the operating system to provide reasonable ephemeral port range for outgoing UDP and TCP connections.
Specifying outgoing ports is a bad practice, it's already discouraged, it's prone to errors (it's not only specifying single port, but specifying not enough ports removes a layer of protection) and is already full of caveats like:
```
.. note:: The address specified in the :any:`query-source` option is used for both
   UDP and TCP queries, but the port applies only to UDP queries. TCP
   queries always use a random unprivileged port.

.. warning:: Specifying a single port is discouraged, as it removes a layer of
   protection against spoofing errors.

.. warning:: The configured :term:`port` must not be the same as the listening port.
```
The deprecation will include:
* specifying **port** in the following statements:
  - `query-source`
  - `query-source-v6`
  - `transfer-source`
  - `transfer-source-v6`
  - `notify-source`
  - `notify-source-v6`
  - `parental-source`
  - `parental-source-v6`
* the following statements as a whole:
  - `use-v4-udp-ports`
  - `use-v6-udp-ports`
  - `avoid-v4-udp-ports`
  - `avoid-v6-udp-ports`

See #3843 for the corresponding option removal issue.

February 2023 (9.16.38, 9.16.38-S1, 9.18.12, 9.18.12-S1, 9.19.10)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4263
Deprecate the "dnssec-must-be-secure" feature
2023-12-07T10:23:40Z
Ondřej Surý

The `dnssec-must-be-secure` feature was added in the early days of BIND 9 and DNSSEC and it makes sense only as a debugging feature. Remove it to simplify the code.
See #4482 for the removal issue.

September 2023 (9.16.44, 9.16.44-S1, 9.18.19, 9.18.19-S1, 9.19.17)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/4251
remove the legacy system test runner
2023-12-06T18:30:10Z
Tom Krizek

Removing the legacy system test runner in favor of the pytest runner will allow us to do a major cleanup in the way system tests are executed. Without having to support two different modes of operation, various issues are easier to resolve. It also enables the rewrite of the various perl scripts which the legacy runner uses into python in a way that is more in-line with the general pytest approach.
pytest runner has the capabilities to run both shell and python system tests and will continue to do so in the foreseeable future.
Related #3810

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)
Tom Krizek

https://gitlab.isc.org/isc-projects/bind9/-/issues/4421
Remove support for AES-based DNS cookies and AES implementation
2023-12-06T18:12:06Z
Eric Sesterhenn

The legacy support for AES-based DNS cookies should go, which will resolve following:
> The functions `isc_aes256_crypt()` and `isc_aes192_crypt()` in `lib/isc/aes.c` have no callers besides test code and should be removed.

as we are going to remove the AES implementation in libisc completely.

December 2023 (9.18.21, 9.18.21-S1, 9.19.19)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4391
Remove lock-file configuration and -X option to named
2023-11-07T11:20:21Z
Ondřej Surý

Both the `lock-file` and `-X` option is solving problem that should be solved by operating system e.g. supervisor (systemd, runit, OpenRC, or whatever BSDs and Solaris has).

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/4406
cleanup 'b' in dnstap-read main
2023-11-07T10:27:34Z
Mark Andrews

'b' is unused.

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/4326
Reduce adb names locking contention
2023-11-07T09:15:39Z
Ondřej Surý

With our new userspace tracing probes, we were able to pinpoint the source of the contention:

| fn | type | count | min | max | sum | avg |
|-------------------------------|--------|---------|-------|---------|-------------|---------|
| dns_adb_createfind | mutex | 1597343 | 5772 | 210015 | 10540878621 | 6599 |
| dns_adb_agesrtt | mutex | 806318 | 5772 | 236964 | 5284236828 | 6553 |
| dns__rbtdb_detachnode | rwlock | 928583 | 4290 | 310557 | 4803076356 | 5172 |
| dns_adb_destroyfind | mutex | 556873 | 5811 | 192972 | 3703797591 | 6651 |
| dns_adb_createfind | rwlock | 556873 | 4329 | 172419 | 2802134985 | 5031 |
| dns__rbtdb_addrdataset | rwlock | 462176 | 4290 | 274560 | 2295845409 | 4967 |
| cache_find | rwlock | 439323 | 4290 | 280293 | 2276739816 | 5182 |
| isc__mempool_destroy | mutex | 271276 | 5811 | 204321 | 1926270294 | 7100 |
| isc__mempool_create | mutex | 271276 | 5850 | 141609 | 1885239369 | 6949 |
| fctx_cancelqueries | mutex | 189589 | 5850 | 144027 | 1301757054 | 6866 |
| dns__rbtdb_nodefullname | rwlock | 229742 | 4368 | 187512 | 1157715000 | 5039 |
| dns_adb_getcookie | mutex | 132632 | 5928 | 139035 | 1137403254 | 8575 |
| find_deepest_zonecut | rwlock | 224027 | 4290 | 156936 | 1105641693 | 4935 |
| dns__rbtdb_findnodeintree | rwlock | 181563 | 4368 | 168246 | 948466155 | 5223 |
| reactivate_node | rwlock | 181581 | 4329 | 163917 | 928872165 | 5115 |
| dns_ntatable_covered | rwlock | 158872 | 4407 | 176280 | 857866503 | 5399 |
| fctx__done.constprop.0 | mutex | 109350 | 5889 | 122031 | 750861813 | 6866 |
| dns_adb_setudpsize | mutex | 68673 | 6318 | 222495 | 682022757 | 9931 |
| dns_adb_adjustsrtt | mutex | 80787 | 5928 | 165360 | 606351837 | 7505 |
| fctx_cancelquery | mutex | 80787 | 6006 | 141921 | 573609972 | 7100 |
| fctx_query | mutex | 80787 | 5967 | 137943 | 552959550 | 6844 |
| rctx_done | mutex | 80778 | 5889 | 118326 | 549924336 | 6807 |
| resquery_destroy | mutex | 80787 | 5850 | 129090 | 541517847 | 6703 |
| activeempty | rwlock | 107788 | 4251 | 139464 | 521984073 | 4842 |
| dns_resolver_destroyfetch | mutex | 54899 | 6006 | 126360 | 447498324 | 8151 |
| validated | mutex | 58506 | 5850 | 127608 | 442221507 | 7558 |
| fctx_start | mutex | 54666 | 5928 | 135954 | 429194220 | 7851 |
| dns_resolver_createfetch | mutex | 53692 | 6006 | 140088 | 390963261 | 7281 |
| resquery_response | mutex | 51786 | 6123 | 155922 | 382768581 | 7391 |
| dns_aclelement_match | rwlock | 62649 | 4329 | 120900 | 371844018 | 5935 |
| get_attached_fctx | mutex | 53692 | 5967 | 120627 | 367318809 | 6841 |
| fetch_callback | mutex | 49034 | 5772 | 142896 | 364519662 | 7434 |
| get_attached_and_locked_entry | mutex | 53556 | 5928 | 117000 | 361141638 | 6743 |
| zone_find | rwlock | 71262 | 4251 | 182871 | 347663121 | 4878 |
| dns__rbtdb_currentversion | rwlock | 69986 | 4368 | 111696 | 346155108 | 4946 |
| cache_findzonecut | rwlock | 64631 | 4329 | 226278 | 335597886 | 5192 |
| clean_namehooks | mutex | 51702 | 5811 | 124995 | 332844369 | 6437 |
| release_fctx | rwlock | 53459 | 4446 | 112476 | 278282199 | 5205 |
| get_attached_and_locked_entry | rwlock | 53556 | 4368 | 98592 | 271329786 | 5066 |
| get_attached_fctx | rwlock | 53692 | 4329 | 709020 | 266725095 | 4967 |
| delete_callback | rwlock | 44974 | 4368 | 49569 | 212821830 | 4732 |
| ns_query_cancel | mutex | 21337 | 6045 | 118404 | 196894893 | 9227 |
| prune_tree | rwlock | 22934 | 4290 | 94029 | 172068039 | 7502 |
| purge_stale_entries | mutex | 21807 | 5928 | 130143 | 147269265 | 6753 |
| mutex_lock | mutex | 11905 | 6006 | 1802736 | 145038075 | 12182 |
| dns_adb_changeflags | mutex | 20232 | 5889 | 110916 | 138579753 | 6849 |
| ns_client_recursing | mutex | 15949 | 6357 | 110526 | 135737472 | 8510 |
| dns_adb_setcookie | mutex | 16890 | 6084 | 139503 | 126144447 | 7468 |
| rdataset_getownercase | rwlock | 23833 | 4329 | 122538 | 125803704 | 5278 |
| cds_wfcq_dequeue_blocking | mutex | 15988 | 6240 | 187980 | 122401383 | 7655 |
| shutdown_names | mutex | 18901 | 5967 | 49569 | 121754802 | 6441 |
| clean_finds_at_name | mutex | 14878 | 5850 | 116922 | 100255584 | 6738 |
| find_coveringnsec | rwlock | 18681 | 4485 | 110487 | 100217130 | 5364 |
| resume_qmin | mutex | 12414 | 6006 | 122928 | 95990232 | 7732 |
| fctx_finddone | mutex | 12404 | 5889 | 100425 | 91508859 | 7377 |
| zone_shutdown | rwlock | 104 | 5382 | 6337149 | 90942969 | 874451 |
| dns_adb_ednsto | mutex | 9616 | 6435 | 74568 | 90021906 | 9361 |
| je_malloc_mutex_lock_slow | mutex | 32 | 18564 | 6550284 | 78068913 | 2439653 |
| dns_zonemgr_releasezone | rwlock | 208 | 4836 | 4666077 | 66756261 | 320943 |
| ns_client_qnamereplace | mutex | 7387 | 6162 | 89661 | 56466618 | 7644 |
| isc_log_doit | mutex | 3463 | 5889 | 87477 | 23883873 | 6896 |
| isc_log_doit | rwlock | 3463 | 4524 | 70863 | 20813169 | 6010 |
| dns_adb_getudpsize | mutex | 2118 | 6786 | 91767 | 20512557 | 9684 |
| destroy | mutex | 106 | 6942 | 1579539 | 16286439 | 153645 |
| zone_maintenance | mutex | 732 | 5928 | 133653 | 13287963 | 18152 |
| rdataset_settrust | rwlock | 1176 | 4446 | 48048 | 6342882 | 5393 |
| zone__settimer | mutex | 317 | 6045 | 394290 | 5682846 | 17926 |
| zone_postload | rwlock | 207 | 4680 | 67431 | 4023786 | 19438 |
| dns_adb_plainresponse | mutex | 380 | 6708 | 53859 | 4017819 | 10573 |
(The table continues with less important stuff...)
If you look closely, the cumulative time we spend in the adb mutexes is huge:
| fn | type | count | min | max | sum | avg |
|-------------------------------|--------|---------|-------|---------|-------------|---------|
| dns_adb_createfind | mutex | 1597343 | 5772 | 210015 | 10540878621 | 6599 |
| dns_adb_agesrtt | mutex | 806318 | 5772 | 236964 | 5284236828 | 6553 |
| dns_adb_destroyfind | mutex | 556873 | 5811 | 192972 | 3703797591 | 6651 |
| dns_adb_getcookie | mutex | 132632 | 5928 | 139035 | 1137403254 | 8575 |
| dns_adb_setudpsize | mutex | 68673 | 6318 | 222495 | 682022757 | 9931 |
| dns_adb_adjustsrtt | mutex | 80787 | 5928 | 165360 | 606351837 | 7505 |
| dns_adb_changeflags | mutex | 20232 | 5889 | 110916 | 138579753 | 6849 |
| dns_adb_setcookie | mutex | 16890 | 6084 | 139503 | 126144447 | 7468 |
| dns_adb_ednsto | mutex | 9616 | 6435 | 74568 | 90021906 | 9361 |
| dns_adb_getudpsize | mutex | 2118 | 6786 | 91767 | 20512557 | 9684 |
| dns_adb_plainresponse | mutex | 380 | 6708 | 53859 | 4017819 | 10573 |
This is something that is definitely worth addressing.

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/2251
bin/rndc/rndc.conf is of questionable use
2023-11-01T07:31:53Z
Michal Nowak

Some files tracked by Git are of questionable use, e.g. `bin/rndc/rndc.conf`.
(Branched off from https://gitlab.isc.org/isc-projects/bind9/-/issues/1913.)

BIND 9.17 Backburner

https://gitlab.isc.org/isc-projects/bind9/-/issues/1702
Make isc_quota and isc_quota_cb opaque
2023-10-31T13:50:45Z
Witold Krecicki

https://gitlab.isc.org/isc-projects/bind9/-/issues/1234
dns_client_destroyrestrans can be called on object in use
2023-10-31T13:24:53Z
Ondřej Surý

The `dns_client_destroyrestrans()` function contains this snippet:
```
/*
 * Wait for the lock in client_resfind to be released before
 * destroying the lock.
 */
LOCK(&rctx->lock);
UNLOCK(&rctx->lock);
```
basically meaning that the object being destroyed might be still in use.
It seems to me that the `dns_clientrestrans_t` (aka `resctx_t`) is missing some basic reference counting.

BIND 9.19.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/4311
Remove support for Unix Domain Sockets in control channel
2023-10-04T13:26:29Z
Ondřej Surý

The support for UDS in control channel (and `rndc`) has been a fatal error since BIND 9.18. Properly clean up the code to remove the remnants of it.
We might want to partially backport the `named-checkconf` changes to BIND 9.18, so it's also a fatal error in BIND 9.18.

November 2023 (9.16.45, 9.16.45-S1, 9.18.20, 9.18.20-S1, 9.19.18)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/3700
consider deprecating "dialup" option
2023-08-04T09:42:20Z
Petr Špaček pspacek@isc.org

It is unclear if [dialup](https://bind9.readthedocs.io/en/v9_19_7/reference.html#namedconf-statement-dialup) statement is useful in practice, and at the same time it adds fair amount of logic to zone refresh/notify handling.
Consider the fun of finding out how following flags interact:
`lib/dns/zone.c`:
```c
void
dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
	REQUIRE(DNS_ZONE_VALID(zone));

	LOCK_ZONE(zone);
	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
				       DNS_ZONEFLG_DIALREFRESH |
				       DNS_ZONEFLG_NOREFRESH);
	switch (dialup) {
	case dns_dialuptype_no:
		break;
	case dns_dialuptype_yes:
		DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
					DNS_ZONEFLG_DIALREFRESH |
					DNS_ZONEFLG_NOREFRESH));
		break;
	case dns_dialuptype_notify:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
		break;
	case dns_dialuptype_notifypassive:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	case dns_dialuptype_refresh:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	case dns_dialuptype_passive:
		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
		break;
	default:
		UNREACHABLE();
	}
	UNLOCK_ZONE(zone);
}
```
August 2023 (9.16.43, 9.16.43-S1, 9.18.18, 9.18.18-S1, 9.19.16)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3672
Remove auto-dnssec feature
2023-07-28T12:11:02Z
Matthijs Mekking matthijs@isc.org

After deprecating `auto-dnssec` (#3667) we can remove the feature from 9.19.
This issue is blocked by #2710

August 2023 (9.16.43, 9.16.43-S1, 9.18.18, 9.18.18-S1, 9.19.16)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/3686
Remove dynamic update DNSSEC management
2023-07-18T13:39:29Z
Matthijs Mekking matthijs@isc.org

In Porto we discussed DNSSEC multi-signer models. One of the issues is that DNSSEC related dynamic updates trigger key management operations because in the multi-signer model we have to deal with DNSKEY records that are not under our control. Therefore, trying to activate them leads to bug corner cases and inappropriate log messages.
We decided those are no longer needed because DNSSEC management needs to be done via `dnssec-policy`. Thus when adding or removing a `DNSKEY` via dynamic update, we do still change the publication, but we no longer walk through the set of keys to mark them active or inactive.
Also deprecate the feature of NSEC3 re-chaining triggered by dynamic update.

December 2022 (9.16.36, 9.16.36-S1, 9.18.10, 9.19.8)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/issues/4098
Compiling options --enable-epoll and --disable-epoll are not working.
2023-06-14T09:28:53Z
Xuesong Bai

I'm working on a project in which I need to run BIND 9 in an environment where `SYS_epoll_create1` call is not supported. But I cannot compile directly in that environment. So I'm compiling BIND 9 on a supported machine.
From the [source code](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/configure.ac#L525), there are two options, `--enable-epoll`, `--disable-epoll`, that I can use to disable epoll.
But when I compiled the software with these options separately and tested them on the target environment, `SYS_epoll_create1` call is still used.
So I wonder if anyone can help me solve this problem. Many thanks!

June 2023 (9.16.42, 9.16.42-S1, 9.18.16, 9.18.16-S1, 9.19.14)