BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2023-12-04T05:39:28Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/4458
dnssec auto fails across multiple views + unable to add/remove DS records from second view + invalid DS records
2023-12-04T05:39:28Z
Tom Shaw
### Summary
- When using multiple views, the affected views fail to manage dnssec properly
- When using dnssec to auto sign zones, across multiple views, all but one of the views will fail to add DS records through nsupdate.
- The view fails to manage and purge old key/state/private files and these start to build up over time
- Unable to get DS records, publish CDS log entries stop appearing for the view
### BIND version used
BIND 9.18.20-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu
### Steps to reproduce
Create a config which has two views, with the same domain in each view. One of the views must only be available to an internal ip range (internal), the other must be available from all (external). Enable dnssec on both domains in both views using separate policies.
### What is the current *bug* behavior?
- keys in the internal view will not be managed correctly and will build up over time
- nsupdate will appear to add/delete the DS records correctly but these are not added or deleted in bind.
### What is the expected *correct* behavior?
- keys in both views should be managed correctly
- nsupdate should be able to manipulate the DS records in the internal view
### Relevant configuration files
I will share my configs privately if possible
Use this yearly internal policy for TDL level domains
```
dnssec-policy "yearly-internal" {
    keys {
        ksk lifetime P365D algorithm ECDSAP384SHA384;
        zsk lifetime P1D algorithm ECDSAP384SHA384;
    };
    //
    dnskey-ttl PT5M;
    publish-safety PT3M;
    retire-safety PT5M;
    purge-keys PT10M;
    // Signature timings
    signatures-refresh PT5M;
    signatures-validity PT10M;
    signatures-validity-dnskey PT10M;
    //
    max-zone-ttl PT5M;
    parent-ds-ttl PT3M;
    parent-propagation-delay PT3M;
    nsec3param iterations 10 optout no salt-length 16;
};
```
Use this aggressive standard internal policy for sub domains
```
dnssec-policy "standard" {
    keys {
        ksk lifetime PT40M algorithm ECDSAP384SHA384;
        zsk lifetime PT20M algorithm ECDSAP384SHA384;
    };
    //
    dnskey-ttl 60;
    publish-safety PT2M;
    retire-safety PT2M;
    purge-keys PT10M;
    // Signature timings
    signatures-refresh PT5M;
    signatures-validity PT10M;
    signatures-validity-dnskey PT10M;
    //
    max-zone-ttl 300;
    parent-ds-ttl 60;
    parent-propagation-delay 60;
    nsec3param iterations 10 optout no salt-length 16;
};
options {
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;
    masterfile-format text;
    listen-on-v6 { none; };
    listen-on port 53 { 127.0.0.1; 165.227.238.11; 10.0.254.1; 10.0.254.2; };
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    querylog yes;
    pid-file "/var/run/named/named.pid";
    include "/etc/bind/named.options.transfer.conf";
    # if running a natted server, set the public ip address here
    # this will not work in a multihomed box (specifically linode fails)
    # notify the NS servers - only on master
    notify yes;
    # some dnssec stuff
    include "/etc/bind/named.options.dnssec.conf";
    max-cache-size 10485760;
};
```
Zone file
```
#ns1.node.flipkick.media
zone "entitywind.dev" {
    key-directory "/var/cache/bind/keys/internals-master";
    file "internals.master.dev.entitywind.db";
    update-policy {
        grant 127.0.0.1 subdomain entitywind.dev;
        grant internal subdomain entitywind.dev;
        grant internal zonesub any;
        grant internal-externaldns subdomain entitywind.dev;
        grant internal-externaldns zonesub any;
        grant internal-rndc-key subdomain entitywind.dev;
        grant internal-rndc-key zonesub any;
    };
    include "/etc/bind/named.zone.internals-master.conf";
    include "/etc/bind/named.zone.dnssec.policy.yearly-internal.conf";
    parental-agents { "externals"; };
};
#ns1.node.flipkick.media
zone "node.entitywind.dev" {
    key-directory "/var/cache/bind/keys/internals-master";
    file "internals.master.dev.entitywind.db";
    update-policy {
        grant 127.0.0.1 subdomain entitywind.dev;
        grant internal subdomain entitywind.dev;
        grant internal zonesub any;
        grant internal-externaldns subdomain entitywind.dev;
        grant internal-externaldns zonesub any;
        grant internal-rndc-key subdomain entitywind.dev;
        grant internal-rndc-key zonesub any;
    };
    include "/etc/bind/named.zone.internals-master.conf";
    include "/etc/bind/named.zone.dnssec.policy.yearly-internal.conf";
    parental-agents { "externals"; };
};
```
### Relevant logs and/or screenshots
```
28-Nov-2023 12:58:02.305 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/25339 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/53449 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/43625 (KSK) is now inactive
28-Nov-2023 12:58:02.309 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/26195 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/33520 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/26171 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/37281 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/7041 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/63692 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/9156 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/29571 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/44364 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/44662 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/40817 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/22890 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/64449 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/39830 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/30931 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/57355 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/23733 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/25059 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/20634 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/2754 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/19617 (KSK) is now inactive
28-Nov-2023 12:58:02.313 dnssec: info: DNSKEY prod.node.flipkick.media/ECDSAP384SHA384/61960 (KSK) is now inactive
```
### Possible fixes
Run two bind servers and attach to differing ips

https://gitlab.isc.org/isc-projects/bind9/-/issues/4453
Switching to a different dnssec-policy broke my zone.
2024-02-24T07:54:16Z
Björn Persson
### Summary
My zone was previously signed with a KSK and a ZSK with unlimited lifetime. I switched the zone over to a dnssec-policy using CSKs and automatic key rotation. After the DS record was updated, most of the RRSIG records were removed, leaving the zone broken to validating resolvers.
### BIND version used
```
# named -V
BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) <id:>
running on Linux x86_64 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.19=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.10 1 Aug 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
I have two zones that both exist in an external and an internal view. Each zone was previously signed with a KSK and a ZSK with unlimited lifetime. To proceed cautiously with the change to `dnssec-policy` I defined one policy that matched the existing keys and another that would use CSKs and automatic key rotation:
```
dnssec-policy "as_it_was" {
keys {
ksk lifetime unlimited algorithm rsasha256 2048;
zsk lifetime unlimited algorithm rsasha256 2048;
};
dnskey-ttl P1D;
purge-keys 0;
};
dnssec-policy "automation" {
keys {
csk lifetime P1M algorithm rsasha256 2048;
};
dnskey-ttl P1D;
max-zone-ttl P1D;
signatures-validity P1W;
signatures-refresh P2D;
};
```
First I switched the zones from "`auto-dnssec maintain;`" to "`dnssec-policy as_it_was;`". Bind continued using the existing keys. Once I had the exchange of CDS and DS records working between my zones and the parent zone, I switched one zone over to "`dnssec-policy automation;`" in both views.
The rollover from the old keys to a CSK seemed to go smoothly, but after a while I discovered that the zone was only partially signed in the external view. Several records lacked RRSIG records. Dynamic updates of the unsigned records caused corresponding RRSIG records to appear.
After that initial problem, the following rollover from one CSK to another worked fine, so I proceeded to switch the second zone over to "`dnssec-policy automation;`". This time I took notes and watched for missing signatures.
2023-11-18 16:05:49 a CSK was generated. DNSKEY, CDS and CDNSKEY were signed with both the old KSK and the CSK. SOA got a new signature by the old ZSK. All other records kept their existing signatures.
2023-11-19 17:10:49 CDS and CDNSKEY records for the CSK were published. DNSKEY, CDS and CDNSKEY got new signatures by the KSK and the CSK. SOA was signed with the ZSK and the CSK.
2023-11-20 17:10:49 Bind noticed that DS had been updated in the parent zone.
2023-11-20 18:15:49 the ZSK and all its signatures were removed. DNSKEY, CDS and CDNSKEY got new signatures by the CSK and the KSK. SOA got a new signature by the CSK. All other records were left without RRSIG records.
This time I fixed the external view with "`rndc sign xn--rombobjrn-67a.se IN external`". All the unsigned records were then signed with the CSK. DNSKEY, CDS, CDNSKEY and SOA had their signatures renewed. I left the internal view alone.
2023-11-21 19:10:50 the KSK was removed. DNSKEY, CDS, CDNSKEY and SOA got new signatures by the CSK. At the same time, many but not all other records in the internal view were finally signed with the CSK, having lacked signatures for 24 hours and 55 minutes. Some more records were signed a few minutes later.
As I'm posting this, one NS and one MX record in the internal view are still unsigned after more than four days.
### What is the current *bug* behavior?
The zone becomes only partially signed. Validating resolvers reject the unsigned records.
### What is the expected *correct* behavior?
All records should be signed with the new key before the old keys and signatures are removed.
### Relevant configuration files
See the policies above. After the changes, all the zone declarations look essentially like this:
```
zone "xn--rombobjrn-67a.se" {
type master;
file "/var/lib/bind/db.xn--rombobjrn-67a.se.external";
dnssec-policy automation;
parental-agents { ::1; };
inline-signing no;
update-policy { [omitted] };
};
```
### Relevant logs and/or screenshots
Excerpts from the system log:
```
2023-11-19T17:10:49.436468+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-19T17:10:49.437286+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-19T17:10:49.488666+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-19T17:10:49.489192+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-19T17:10:49.501444+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-19T17:10:49.502076+01:00 cutie named[443161]: CDS (SHA-256) for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.502515+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.502904+01:00 cutie named[443161]: CDS for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.503279+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.530343+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-19T17:10:49.530897+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-19T17:10:49.534298+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-19T17:10:49.534962+01:00 cutie named[443161]: CDS (SHA-256) for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.535337+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/53584 is now deleted
2023-11-19T17:10:49.535684+01:00 cutie named[443161]: CDS for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.536038+01:00 cutie named[443161]: CDNSKEY for key xn--rombobjrn-67a.se/RSASHA256/17339 is now published
2023-11-19T17:10:49.637732+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 19-Nov-2023 18:10:49.432
2023-11-19T17:10:49.638433+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092737)
2023-11-19T17:10:49.651717+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 19-Nov-2023 18:10:49.432
2023-11-19T17:10:49.673263+01:00 cutie named[443161]: client @0x7efdf9b21368 10.1.0.5#54619 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092736 -> 2023092737)
2023-11-19T17:10:49.674244+01:00 cutie named[443161]: client @0x7efdf9b21368 10.1.0.5#54619 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 23 records, 5465 bytes, 0.004 secs (1366250 bytes/sec) (serial 2023092737)
2023-11-19T17:10:50.192637+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.2.1#57043 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092736 -> 2023092737)
2023-11-19T17:10:50.193661+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.2.1#57043 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 23 records, 5465 bytes, 0.001 secs (5465000 bytes/sec) (serial 2023092737)
```
```
2023-11-20T17:10:49.472806+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T17:10:49.473891+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T17:10:49.525113+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.525655+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.529210+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.530341+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:10:49.466
2023-11-20T17:10:49.557565+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.558183+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.561418+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.562620+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:10:49.466
2023-11-20T17:10:49.617384+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/17339 seen published at Mon Nov 20 17:10:49 2023
2023-11-20T17:10:49.621343+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/53584 seen withdrawn at Mon Nov 20 17:10:49 2023
2023-11-20T17:10:49.624985+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T17:10:49.667546+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:49.668097+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:49.671602+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:49.672714+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:15:49.618
2023-11-20T17:10:50.027333+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/17339 seen published at Mon Nov 20 17:10:50 2023
2023-11-20T17:10:50.031352+01:00 cutie named[443161]: keymgr: checkds DS for key xn--rombobjrn-67a.se/RSASHA256/53584 seen withdrawn at Mon Nov 20 17:10:50 2023
2023-11-20T17:10:50.035151+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T17:10:50.077904+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T17:10:50.078540+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T17:10:50.081828+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T17:10:50.083015+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:15:49.030
```
```
2023-11-20T18:15:49.036472+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-20T18:15:49.076389+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T18:15:49.077010+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T18:15:49.088905+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/13398/RSASHA256 from DNSKEY RRset.
2023-11-20T18:15:49.089406+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK) is now deleted
2023-11-20T18:15:49.089784+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T18:15:49.192756+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 20-Nov-2023 18:20:49.033
2023-11-20T18:15:49.193416+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092738)
2023-11-20T18:15:49.275467+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#41397 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092737 -> 2023092739)
2023-11-20T18:15:49.278365+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#41397 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 3 messages, 128 records, 38648 bytes, 0.004 secs (9662000 bytes/sec) (serial 2023092739)
2023-11-20T18:15:49.622949+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-20T18:15:49.664238+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-20T18:15:49.664712+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-20T18:15:49.667624+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/13398/RSASHA256 from DNSKEY RRset.
2023-11-20T18:15:49.668019+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK) is now deleted
2023-11-20T18:15:49.668373+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-20T18:15:49.764336+01:00 cutie named[443161]: client @0x7efdebdc5168 10.1.2.1#58091 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092737 -> 2023092739)
2023-11-20T18:15:49.767341+01:00 cutie named[443161]: client @0x7efdebdc5168 10.1.2.1#58091 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 3 messages, 128 records, 38648 bytes, 0.004 secs (9662000 bytes/sec) (serial 2023092739)
2023-11-20T18:15:49.779256+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 20-Nov-2023 18:20:49.621
2023-11-20T18:15:54.192437+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092739)
```
```
2023-11-21T13:15:40.402451+01:00 cutie named[443161]: received control channel command 'sign xn--rombobjrn-67a.se IN external'
2023-11-21T13:15:40.405362+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T13:15:40.431241+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T13:15:40.431697+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T13:15:40.433742+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now inactive
2023-11-21T13:15:40.528574+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:10:50.395
2023-11-21T13:15:40.529172+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092740)
2023-11-21T13:15:40.773096+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#33623 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092739 -> 2023092742)
2023-11-21T13:15:40.774513+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#33623 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 46 records, 12419 bytes, 0.004 secs (3104750 bytes/sec) (serial 2023092742)
2023-11-21T13:15:41.172719+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#33203 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092739 -> 2023092745)
2023-11-21T13:15:41.174657+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#33203 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 89 records, 24907 bytes, 0.004 secs (6226750 bytes/sec) (serial 2023092745)
2023-11-21T13:15:45.528370+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092750)
2023-11-21T13:15:45.561710+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#52787 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092742 -> 2023092750)
2023-11-21T13:15:45.564494+01:00 cutie named[443161]: client @0x7efdebdc6d68 10.1.0.5#52787 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 114 records, 31108 bytes, 0.004 secs (7777000 bytes/sec) (serial 2023092750)
2023-11-21T13:15:46.078928+01:00 cutie named[443161]: client @0x7efdfa51bd68 10.1.2.1#60701 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092745 -> 2023092750)
2023-11-21T13:15:46.080874+01:00 cutie named[443161]: client @0x7efdfa51bd68 10.1.2.1#60701 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 2 messages, 71 records, 18769 bytes, 0.001 secs (18769000 bytes/sec) (serial 2023092750)
```
```
2023-11-21T19:10:50.400377+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:10:50.432532+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:10:50.433038+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:10:50.443664+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/53584/RSASHA256 from DNSKEY RRset.
2023-11-21T19:10:50.444123+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now deleted
2023-11-21T19:10:50.511795+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:15:50.396
2023-11-21T19:10:50.512265+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092751)
2023-11-21T19:10:50.576696+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#54307 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092750 -> 2023092752)
2023-11-21T19:10:50.577645+01:00 cutie named[443161]: client @0x7efdfa51af68 10.1.0.5#54307 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 27 records, 5832 bytes, 0.001 secs (5832000 bytes/sec) (serial 2023092752)
2023-11-21T19:10:50.626991+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:10:50.660686+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:10:50.661150+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:10:50.663077+01:00 cutie named[443161]: Removing expired key xn--rombobjrn-67a.se/53584/RSASHA256 from DNSKEY RRset.
2023-11-21T19:10:50.663489+01:00 cutie named[443161]: DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK) is now deleted
2023-11-21T19:10:50.738310+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:15:50.624
2023-11-21T19:10:51.191122+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#43631 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR started (serial 2023092750 -> 2023092752)
2023-11-21T19:10:51.191859+01:00 cutie named[443161]: client @0x7efdf9b20568 10.1.2.1#43631 (xn--rombobjrn-67a.se): view external: transfer of 'xn--rombobjrn-67a.se/IN': IXFR ended: 1 messages, 27 records, 5832 bytes, 0.001 secs (5832000 bytes/sec) (serial 2023092752)
2023-11-21T19:10:55.511787+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: sending notifies (serial 2023092752)
2023-11-21T19:15:50.404325+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:15:50.427941+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:15:50.428397+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:15:50.440377+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:20:49.398
2023-11-21T19:15:50.630905+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:15:50.656580+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:15:50.657098+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:15:50.659929+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:20:49.626
2023-11-21T19:20:49.405293+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:20:49.429191+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:49.429646+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:49.438021+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 19:20:50.399
2023-11-21T19:20:49.630959+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:20:49.656677+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:49.657172+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:49.659897+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 19:20:50.627
2023-11-21T19:20:50.401138+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: reconfiguring zone keys
2023-11-21T19:20:50.427552+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:50.428010+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:50.434902+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/external: next key event: 21-Nov-2023 20:20:50.399
2023-11-21T19:20:50.629148+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: reconfiguring zone keys
2023-11-21T19:20:50.654607+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/13398 (ZSK)
2023-11-21T19:20:50.655054+01:00 cutie named[443161]: keymgr: retire DNSKEY xn--rombobjrn-67a.se/RSASHA256/53584 (KSK)
2023-11-21T19:20:50.657686+01:00 cutie named[443161]: zone xn--rombobjrn-67a.se/IN/internal: next key event: 21-Nov-2023 20:20:50.627
```
Some possibly useful status data from when the zone lacked signatures:
```
# rndc dnssec -status xn--rombobjrn-67a.se IN external
dnssec-policy: automatik
current time: Tue Nov 21 12:57:26 2023
key: 17339 (RSASHA256), CSK
published: yes - since Sat Nov 18 16:05:49 2023
key signing: yes - since Sat Nov 18 16:05:49 2023
zone signing: yes - since Sat Nov 18 16:05:49 2023
Next rollover scheduled on Mon Dec 18 15:00:49 2023
- goal: omnipresent
- dnskey: omnipresent
- ds: rumoured
- zone rrsig: omnipresent
- key rrsig: omnipresent
key: 13398 (RSASHA256), ZSK
published: no
zone signing: no
Key has been removed from the zone
- goal: hidden
- dnskey: hidden
- zone rrsig: unretentive
key: 53584 (RSASHA256), KSK
published: yes - since Sun Nov 3 04:26:07 2019
key signing: yes - since Sun Nov 3 04:26:07 2019
Rollover is due since Sun Nov 19 18:05:49 2023
- goal: hidden
- dnskey: omnipresent
- ds: unretentive
- key rrsig: omnipresent
# rndc zonestatus xn--rombobjrn-67a.se IN external
name: xn--rombobjrn-67a.se
type: primary
files: /var/lib/bind/db.xn--rombobjrn-67a.se.external
serial: 2023092739
nodes: 42
last loaded: Tue, 24 Oct 2023 12:43:57 GMT
secure: no
key maintenance: automatic
next key event: Tue, 21 Nov 2023 18:10:50 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
```
The output of `rndc zonestatus` changed when I ran `rndc sign`:
```
# rndc zonestatus xn--rombobjrn-67a.se IN external
name: xn--rombobjrn-67a.se
type: primary
files: /var/lib/bind/db.xn--rombobjrn-67a.se.external
serial: 2023092750
nodes: 42
last loaded: Tue, 24 Oct 2023 12:43:57 GMT
secure: yes
inline signing: no
key maintenance: automatic
next key event: Tue, 21 Nov 2023 18:10:50 GMT
next resign node: 7c2ecd07f155648431e0f94b89247d713c5786e1e73e953f2fe7eca3._openpgpkey.xn--rombobjrn-67a.se/NSEC
next resign time: Wed, 22 Nov 2023 22:55:09 GMT
dynamic: yes
frozen: no
reconfigurable via modzone: no
```
May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Matthijs Mekking matthijs@isc.org
https://gitlab.isc.org/isc-projects/bind9/-/issues/4268
There is a performance waste in the rpz check
2023-08-22T07:06:22Z
Mr Ben
### Summary
This is not a strict bug, it should belong to performance optimization.
When using rpz, if a domain name contains a cname domain name, the domain name will go through multiple rpz checks.
### BIND version used
```
BIND 9.16.11 (Stable Release) <id:5218cdf>
running on Linux x86_64 3.10.0-1160.45.1.el7.x86_64 #1 SMP Wed Oct 13 17:20:51 UTC 2021
built by make with '--enable-dnstap' '--enable-epoll' '--with-dlz-filesystem' '--with-libjson' '--with-libtool' '--enable-dnsdrps' '--prefix=/data/named/' 'CFLAGS= -O0 -g -DDEBUG' 'PKG_CONFIG_PATH=/usr/local/lib/pkgconfig'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.1.1p 21 Jun 2022
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with libxml2 version: 2.9.1
linked to libxml2 version: 20901
compiled with json-c version: 0.11
linked to json-c version: 0.11
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
compiled with protobuf-c version: 1.3.0
linked to protobuf-c version: 1.3.0
threads support is enabled
default paths:
named configuration: /data/named/etc/named.conf
rndc configuration: /data/named/etc/rndc.conf
DNSSEC root key: /data/named/etc/bind.keys
nsupdate session key: /data/named/var/run/named/session.key
named PID file: /data/named/var/run/named/named.pid
named lock file: /data/named/var/run/named/named.lock
```
### Steps to reproduce
```
options {
    response-policy {
        zone "in-addr.arpa.";
    };
};
zone "in-addr.arpa." {
    type primary;
    file "badlist.zone";
    allow-query {none;};
};
```
### What is the current *bug* behavior?
It is not reflected in the function, but it is reflected in the code logic.
```
eg:
dig @127.0.0.1 www.microsoft.com
;; ANSWER SECTION:
www.microsoft.com. 1496 IN CNAME www.microsoft.com-c-3.edgekey.net.
www.microsoft.com-c-3.edgekey.net. 247 IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net.
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net. 203 IN CNAME e13678.ca2.s.tl88.net.
e13678.ca2.s.tl88.net. 158 IN A 218.58.101.49
```
The rpz module checks the following domain names twice, which is a huge waste of performance:
www.microsoft.com, www.microsoft.com-c-3.edgekey.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
### What is the expected *correct* behavior?
Each domain name is checked only once.
### Relevant configuration files
```
Configure the rpz module normally:
options {
    response-policy {
        zone "in-addr.arpa.";
    };
};
zone "in-addr.arpa." {
    type primary;
    file "badlist.zone";
    allow-query {none;};
};
and the file of badlist.zone is:
$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
```
### Relevant logs and/or screenshots
none.
### Possible fixes
The call of the rpz module should be migrated from query_gotanswer to before query_gotanswer:
```
if (!RECURSING(qctx->client) &&
    !dns_name_equal(qctx->client->query.qname, dns_rootname))
{
    result = query_checkrpz(qctx, result);
    if (result == ISC_R_COMPLETE) {
        return (ns_query_done(qctx));
    }
}
```
After the query resume function is triggered, it will execute to ns_query_start. It is not necessary to call rpz in query_gotanswer after query_resume, but call rpz in ns_query_start, which reduces the number of rpz calls.
Long-term
https://gitlab.isc.org/isc-projects/bind9/-/issues/2530
Bind 9.16.11 segfault on DLZ with mysql
2022-03-01T09:45:37Z
jpsollie
### Summary
When running bind with DLZ against a mysql database, the system aborts with segfault
This database is set up to answer all spam domains
### BIND version used
BIND 9.16.11 (Stable Release) <id:9ff601b>
running on Linux x86_64 5.10.17+ #8 SMP Mon Feb 22 18:54:47 CET 2021
built by make with '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.16.11' '--htmldir=/usr/share/doc/bind-9.16.11/html' '--with-sysroot=/' '--libdir=/usr/lib64' 'AR=/usr/bin/x86_64-pc-linux-gnu-ar' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--with-openssl=/usr' '--without-cmocka' '--enable-linux-caps' '--disable-dnsrps' '--disable-dnstap' '--disable-fixed-rrset' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gssapi' '--without-json-c' '--without-dlz-ldap' '--with-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-libxml2' '--with-zlib' '--without-python' '--with-maxminddb' '--enable-geoip' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=znver1 -O3 -ggdb3 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
compiled by GCC 9.3.0
compiled with OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
linked to OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.0
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP
### Steps to reproduce
1. install BIND 9.16.11 with DLZ support
2. install mariadb 10.5.8
3. install DLZ converted spam domain list (view attachment)
4. install DLZ connector
### What is the current *bug* behavior?
Bind crashes with segfaults; when using file instead of dlz, everything is OK.
### What is the expected *correct* behavior?
Bind loads zones + runs correctly
### Relevant configuration files
DLZ connector:
```
dlz "null_dlz" {
database "mysql
{host=127.0.0.1 port=3306 dbname=dlz_null ssl=false user=named pass=named}
{select '$zone$' AS zone from dns_records where zone = 'null' OR zone = '$zone$' LIMIT 1}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
else data end from dns_records where (zone = 'null' OR zone = '$zone$') and (host = '*' OR host = '$record$') AND NOT (type = 'SOA' or type='NS')}
{select ttl, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum
from dns_records where (zone = 'null' OR zone = '$zone$') AND (type = 'SOA' or type='NS')}
{select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire,
minimum from dns_records where (zone = 'null' OR zone = '$zone$') and NOT (type = 'SOA' or type = 'NS')}
{select '$zone$' AS zone from xfr_table where (zone = 'null' OR zone = '$zone$') and client = '$client$'}
{update data_count set count = count + 1 where (zone ='null' OR zone = '$zone$') AND client = '$client$'}";
search no;
};
include "blacklist.inc.dlz"
```
SQL database dump:
```
Enter password:
-- MariaDB dump 10.18 Distrib 10.5.8-MariaDB, for Linux (x86_64)
--
-- Host: localhost Database: dlz_null
-- ------------------------------------------------------
-- Server version 10.5.8-MariaDB-log
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `data_count`
--
DROP TABLE IF EXISTS `data_count`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `data_count` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`count` bigint(20) unsigned NOT NULL DEFAULT 0,
`zone` varchar(255) DEFAULT 'null',
`client` varchar(255) NOT NULL DEFAULT '',
PRIMARY KEY (`id`),
KEY `zone` (`zone`)
) ENGINE=Aria AUTO_INCREMENT=2 DEFAULT CHARSET=utf8 PAGE_CHECKSUM=1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `data_count`
--
LOCK TABLES `data_count` WRITE;
/*!40000 ALTER TABLE `data_count` DISABLE KEYS */;
INSERT INTO `data_count` VALUES (1,0,'null','');
/*!40000 ALTER TABLE `data_count` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `dns_records`
--
DROP TABLE IF EXISTS `dns_records`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `dns_records` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`zone` varchar(255) NOT NULL,
`host` varchar(255) NOT NULL DEFAULT '@',
`type` varchar(255) NOT NULL,
`data` text DEFAULT NULL,
`ttl` int(11) NOT NULL DEFAULT 86400,
`mx_priority` int(11) DEFAULT NULL,
`refresh` int(11) DEFAULT NULL,
`retry` int(11) DEFAULT NULL,
`expire` int(11) DEFAULT NULL,
`minimum` int(11) DEFAULT NULL,
`serial` bigint(20) DEFAULT NULL,
`resp_person` varchar(255) DEFAULT NULL,
`primary_ns` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `type` (`type`),
KEY `host` (`host`),
KEY `zone` (`zone`),
KEY `zone_host_index` (`zone`(30),`host`(30)),
KEY `type_index` (`type`(8))
) ENGINE=Aria AUTO_INCREMENT=6 DEFAULT CHARSET=utf8 PAGE_CHECKSUM=1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `dns_records`
--
LOCK TABLES `dns_records` WRITE;
/*!40000 ALTER TABLE `dns_records` DISABLE KEYS */;
INSERT INTO `dns_records` VALUES (1,'null','@','SOA',NULL,180,NULL,10800,7200,604800,86400,2011091101,'localhost.','admin.localhost.'),(2,'null','@','NS','localhost',180,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL),(3,'null','@','A','0.0.0.0',180,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL),(4,'null','*','A','0.0.0.0',180,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL),(5,'null','*','AAAA','::',180,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL);
/*!40000 ALTER TABLE `dns_records` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `xfr_table`
--
DROP TABLE IF EXISTS `xfr_table`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `xfr_table` (
`zone` varchar(255) NOT NULL,
`client` varchar(255) NOT NULL,
KEY `zone` (`zone`),
KEY `client` (`client`),
KEY `zone_client_index` (`zone`(30),`client`(30))
) ENGINE=Aria DEFAULT CHARSET=utf8 PAGE_CHECKSUM=1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `xfr_table`
--
LOCK TABLES `xfr_table` WRITE;
/*!40000 ALTER TABLE `xfr_table` DISABLE KEYS */;
INSERT INTO `xfr_table` VALUES ('null','*');
/*!40000 ALTER TABLE `xfr_table` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2021-02-25 10:21:58
```
GDB backtrace:
```
(gdb) setargs -d 1 -u named -n 1 -g -c /etc/named/named2.conf
(gdb) run
... -- truncated
Query String: select 'paczkonnat.app' AS zone from dns_records where zone = 'null' OR zone = 'paczkonnat.app' LIMIT 1
Thread 3 "isc-worker0000" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff6211640 (LWP 20149)]
0x00007ffff7116746 in strlen () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff7116746 in strlen () from /lib64/libc.so.6
#1 0x00005555555ab3bd in sdlzh_build_querystring (mctx=mctx@entry=0x5555555eb090, querylist=0x7fffd6acd210) at ../../contrib/dlz/drivers/sdlz_helper.c:287
#2 0x00005555555ac8ac in mysql_get_resultset (zone=<optimized out>, record=<optimized out>, client=<optimized out>, query=5, dbdata=0x7fffd6adfd68, rs=0x0) at ../../contrib/dlz/drivers/dlz_mysql_driver.c:276
#3 0x00005555555ad5f7 in mysql_findzone (driverarg=<optimized out>, methods=<optimized out>, clientinfo=<optimized out>, name=0x7ffff6210740 "paczkonnat.app", dbdata=0x7fffd6adfd68) at ../../contrib/dlz/drivers/dlz_mysql_driver.c:508
#4 mysql_findzone (driverarg=<optimized out>, dbdata=0x7fffd6adfd68, name=0x7ffff6210740 "paczkonnat.app", methods=<optimized out>, clientinfo=<optimized out>) at ../../contrib/dlz/drivers/dlz_mysql_driver.c:478
#5 0x00007ffff7e70cc6 in dns_sdlzfindzone (driverarg=0x7ffff6b552e0, dbdata=0x7fffd6adfd68, mctx=0x5555555eb090, rdclass=<optimized out>, name=0x7fffde822720, methods=0x0, clientinfo=0x0, dbp=0x7ffff6210bd8) at sdlz.c:1681
#6 0x00007ffff7ed2c84 in zone_load (zone=0x7fffde8225e0, flags=<optimized out>, locked=locked@entry=true) at zone.c:2159
#7 0x00007ffff7ed3141 in zone_asyncload (task=0x7ffff091f220, event=<optimized out>) at zone.c:2303
#8 0x00007ffff7c91150 in dispatch (threadid=<optimized out>, manager=0x7ffff6b60010) at task.c:1152
#9 run (queuep=<optimized out>) at task.c:1344
#10 0x00007ffff7574fde in start_thread () from /lib64/libpthread.so.0
#11 0x00007ffff717973f in clone () from /lib64/libc.so.6
(gdb)
```
[blacklist.inc.dlz](/uploads/ce48ba8e26a6e4e5657c4a5d22e12d98/blacklist.inc.dlz)
Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2186
rndc thaw does not correctly process zone changes
2022-03-01T09:47:44Z
Jean-Christophe Manciot
- Debian bullseye
- bind9 9.17.5
For instance, when changing $TTL from 604800 (1 week) to 3600 in `/etc/bind/db.sdxlive.com`, when no RR (other than SOA) has a defined TTL:
```
# rndc freeze sdxlive.com
in /etc/bind/zone-file:
$TTL 604800 --> $TTL 3600
# rndc thaw sdxlive.com
```
Most RRs keep their original TTL:
```
# bind-get-all-resource-records.sh sdxlive.com|grep " 604800 "
zone sdxlive.com/IN: loaded serial 2020092411 (DNSSEC signed)
OK
sdxlive.com. 604800 IN NS ns1.sdxlive.com.
sdxlive.com. 604800 IN RRSIG NS 13 2 604800 20201011132540 20200911124442 33345 sdxlive.com. WgQwG0FpqPOPiTZKi65qn01Fe4g3qRkQ0OybOLawl7PlWWKc9XdYMTwf 7AP3c/fKnE0l0BujSSir8HKf4IBVjw==
sdxlive.com. 604800 IN A 176.139.106.168
sdxlive.com. 604800 IN RRSIG A 13 2 604800 20201011132540 20200911124442 33345 sdxlive.com. sqeyUzMxZ6JlK+hr6XlLKBJHAZmmVo+ku8oElfuc+6rH8Cr+uKNovK6F Awu76tmcURpR5grYDA0vsC5Cl3B0aQ==
sdxlive.com. 604800 IN MX 1 mail.sdxlive.com.
sdxlive.com. 604800 IN RRSIG MX 13 2 604800 20201011132540 20200911124442 33345 sdxlive.com. xZiYSxYb4gX3e2ZbcC2cmEHT7IKUT/c+wil3ZioViRsW+4RLH/LAJ6Mp eC9+ooWgN7jjArM4EvEQCl6xkuln3Q==
and so on...
```
Same issue if I begin with a `rndc sync -clean sdxlive.com` before the zone freeze.
Am I missing something?
Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2117
BIND sometimes fixates on one server address for a zone
2024-01-17T14:25:21Z
Brian Conry
A customer has reported:
> I noticed I focused on the wrong nameservers before (I sent the nameservers for akamaiedge.net, instead of g.akamaiedge.net), but the issue is the same. The authoritative nameservers to consider are:
> ```
> n0g.akamaiedge.net. 152 IN A 88.221.81.192
> n0g.akamaiedge.net. 152 IN AAAA 2600:1480:e800::c0
> n1g.akamaiedge.net. 152 IN A 2.16.65.53
> n2g.akamaiedge.net. 152 IN A 2.16.65.86
> n3g.akamaiedge.net. 152 IN A 2.16.65.44
> n4g.akamaiedge.net. 152 IN A 2.16.65.68
> n5g.akamaiedge.net. 162 IN A 2.16.65.77
> n6g.akamaiedge.net. 162 IN A 2.21.25.118
> n7g.akamaiedge.net. 181 IN A 2.17.41.132
> ```
> response times are:
> ```
> 88.221.81.192: 147 msec
> 2600:1480:e800::c0: 146 msec
> 2.16.65.53: 1 msec
> 2.16.65.86: 1 msec
> 2.16.65.44: 1 msec
> 2.16.65.68: 1 msec
> 2.16.65.77: 1 msec
> 2.21.25.118: 15 msec
> 2.17.41.132: 13 msec
> ```
They have provided data from `rndc dumpdb -all`.
selected cache data:
```
; glue
g.akamaiedge.net. 865 NS n0g.akamaiedge.net.
865 NS n7g.akamaiedge.net.
865 NS n5g.akamaiedge.net.
865 NS n4g.akamaiedge.net.
865 NS n3g.akamaiedge.net.
865 NS n1g.akamaiedge.net.
865 NS n2g.akamaiedge.net.
865 NS n6g.akamaiedge.net.
; answer
e11550.g.akamaiedge.net. 433 \-TYPE65 ;-$NXRRSET
; g.akamaiedge.net. SOA n0g.akamaiedge.net. hostmaster.akamai.com. 1599033648 1000 1000 1000 1800
; authanswer
n0g.akamaiedge.net. 2246 A 88.221.81.192
; authanswer
2246 AAAA 2600:1480:e800::c0
; authanswer
n1g.akamaiedge.net. 2246 A 2.16.65.53
; authanswer
n2g.akamaiedge.net. 2246 A 2.16.65.86
; authanswer
n3g.akamaiedge.net. 2246 A 2.16.65.44
; authanswer
n4g.akamaiedge.net. 2246 A 2.16.65.68
; authanswer
n5g.akamaiedge.net. 2256 A 2.16.65.77
; authanswer
n6g.akamaiedge.net. 2256 A 2.21.25.118
; authanswer
n7g.akamaiedge.net. 2275 A 2.17.41.132
```
selected ADB entries:
```
; selected ADB data
; n0g.akamaiedge.net [v4 TTL 46] [v6 TTL 46] [v4 success] [v6 success]
; 88.221.81.192 [srtt 121879] [flags 00004000] [edns 63/0/0/0/0] [plain 0/0] [udpsize 512] [ttl -991]
; 2600:1480:e800::c0 [srtt 146019] [flags 00004000] [edns 135/0/0/0/0] [plain 0/0] [udpsize 512] [ttl -991]
; n1g.akamaiedge.net [v4 TTL 46] [v4 success] [v6 unexpected]
; 2.16.65.53 [srtt 6] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n2g.akamaiedge.net [v4 TTL 46] [v4 success] [v6 unexpected]
; 2.16.65.86 [srtt 21] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n3g.akamaiedge.net [v4 TTL 46] [v4 success] [v6 unexpected]
; 2.16.65.44 [srtt 20] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n4g.akamaiedge.net [v4 TTL 46] [v4 success] [v6 unexpected]
; 2.16.65.68 [srtt 29] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n5g.akamaiedge.net [v4 TTL 56] [v4 success] [v6 unexpected]
; 2.16.65.77 [srtt 30] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n6g.akamaiedge.net [v4 TTL 56] [v4 success] [v6 unexpected]
; 2.21.25.118 [srtt 27] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
; n7g.akamaiedge.net [v4 TTL 75] [v4 success] [v6 unexpected]
; 2.17.41.132 [srtt 9] [flags 00000000] [edns 0/0/0/0/0] [plain 0/0] [ttl 810]
```
One thing to note about the ADB entries is that the entries for `n1g` through `n7g` have not been used and appear to have been added, but unused, prior to the `dumpdb` (new entries are initialized to a value between 1 and 32 microseconds).
The core of the cycle appears to be:
1. As long as at least one address is found in the ADB for at least one of the names in the NS rrset, no new data is fetched or moved into the ADB
2. As long as `named` is waiting for a response from an address, that ADB entry is preserved
3. `named` sets how long to wait for a response based on the current SRTT
4. An ADB entry can be used even if it is expired
While theoretically any address could be the one fixated on, by virtue of point 3 above the ones with the higher SRTT are more likely to be selected than the ones with the lower SRTT.
This is also more likely to happen for a frequently-queried zone with many records with low TTLs, such as the zone of a CDN.
This is not the first time I've seen behavior that I've believed linked to this, but it is the first time a customer has noticed it and it's also the clearest documentation yet for it.
I expect that there are multiple possible solutions to this, with the hard part being choosing the one that we believe will be the easiest to implement and have the lowest chances of unintended consequences.
Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2098
Move wire_test to standalone tool with man page and such...
2023-11-02T17:00:02Z
Ondřej Surý
The following discussion from !4006 should be addressed:
- [ ] @each started a [discussion](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4006#note_156160): (+3 comments)
> We did this a while ago, but I had to revert it (see commit e45be9d1349). It's used for fuzz testing as well as system tests. I also use it myself sometimes for converting DNS data to and from wire format, and I know I'm not the only one because someone at infoblox asked me to restore it as part of the regular build instead of the test build.
>
> Rather than moving it to bin/tests/system I wonder if we should consider putting it in bin/tools, like we did with named-journalprint or named-rrchecker or nsec3hash.

Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2094
ns_query_done hooks can cause reference leaks
2023-11-02T17:00:02Z
Michael McNally
Another suggestion from Jinmei, opened via [Support #17009](https://support.isc.org/Ticket/Display.html?id=17009). He writes:
> I've noticed NS_QUERY_DONE_BEGIN and NS_QUERY_DONE_SEND called from ns_query_done can cause reference leaks if they return "NS_HOOK_RETURN". For example, this hook
>
>     static ns_hookresult_t
>     query_done_begin(void *arg, void *cbdata, isc_result_t *resp) {
>         query_ctx_t *qctx = (query_ctx_t *)arg;
>         *resp = ISC_R_SUCCESS;
>         return (NS_HOOK_RETURN);
>     }
>
> will make 'named' hang on shutdown once it handles a query. The following patch to query.c will prevent it, but that's probably not the best way to address this issue as we may not always want to cleanup everything in the 'cleanup' part of ns_query_done. There may also be other places that can cause a similar leak.
>
> So I'm just reporting what I've noticed and would leave to you whether/how to handle it.
And provides this patch:
```
diff --git a/bind-9.16.5/lib/ns/query.c b/bind-9.16.5/lib/ns/query.c
index 70277b9..e531fe2 100644
--- a/bind-9.16.5/lib/ns/query.c
+++ b/bind-9.16.5/lib/ns/query.c
@@ -5142,6 +5142,9 @@ static void
qctx_destroy(query_ctx_t *qctx) {
CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx);
+ qctx_clean(qctx);
+ qctx_freedata(qctx);
+
dns_view_detach(&qctx->view);
}
@@ -10928,6 +10931,8 @@ ns_query_done(query_ctx_t *qctx) {
return (qctx->result);
cleanup:
+ isc_nmhandle_unref(qctx->client->handle);
+ qctx->detach_client = true;
return (result);
}
```
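Review bot: In the qctx_destroy() hunk, qctx_clean() and qctx_freedata() are now called unconditionally, so a caller that already ran them before reaching qctx_destroy() will run them a second time on the same qctx. Please confirm both are safe to call twice, or guard the calls, and add a comment explaining why the destroy path owns this cleanup. The new calls also sit after CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx), so a hook registered at that point still sees the uncleaned context; say whether that ordering is intended.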
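Review bot: At the cleanup: label in ns_query_done(), isc_nmhandle_unref(qctx->client->handle) runs on every path that jumps to cleanup, with no check that the path holds the reference being dropped. If any such path does not hold it, the unref is unbalanced and the handle can be released while still in use. Suggest tying the unref to the specific reference it releases (a flag set where the reference is taken, or a separate label for the hook-return path) and adding a comment on why detach_client is forced to true here.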
but adds that we may wish to give additional consideration to see if there is a better way to handle it.
I'm not sure that this needs to be confidential but I have created it as such initially, until we have a chance to scrutinize whether there is any easy path in a common use scenario that would allow an attacker to cause mischief with this.
Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2088
Listen explicitly on exact addresses without checking their presence
2023-11-02T17:00:02Z
Petr Menšík
### Description
Listen explicitly on exact addresses without checking their presence
### Request
Currently, listening on addresses listed in options are handled in [interfacemgr](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/lib/ns/interfacemgr.c#L992). Because of the way it is used, it requires working enumeration of existing addresses to listen on them.
There are some cases when enumerating would not work, but binding for listening would anyway.
For example, Linux kernel allows listening on address 127.0.0.2 without configuration of anything special. Just have 127.0.0.1/8 network configured on lo interface.
```
options {
    listen-on { 127.0.0.2; };
};
Above configuration would not work. Also, some special quirks useful for testing cannot work, unless they provide also interface enumeration abstraction. This breaks [socket_wrapper](https://cwrap.org/socket_wrapper.html). Similar requirement is also for [deckard](https://gitlab.nic.cz/knot/deckard).
My request is to allow explicit IPv4 and IPv6 address to listen and bind without requirement to find it in interface list. It iterates over interfaces now and applies dns_acl_match to each interface address. It seems it is hard to extract exact address in ACL list in easy way. Either API for examination of ACL networks or additional list for addresses would be required.
I would like listening for UDP queries would try listening on address (no network range, but single unicast address). If it fails, retry on interface scan. But if it succeeds, allow listeners on it.
It is interesting control channel can listen quite nice this way on (alternative) localhost.
```
controls {
    inet 127.0.0.2 port 2953
        allow { 127.0.0.2; } keys { "rndc-key"; };
};
```
```
# test-named.conf
include "/etc/rndc.key";
options {
    listen-on port 2053 { 127.0.0.2; };
};
statistics-channels {
    inet 127.0.0.3 port 8080 allow { localhost; };
};
controls {
    inet 127.0.0.4 port 2953
        allow { localhost; } keys { "rndc-key"; };
};
```
named running this configuration listens only on control and statistics channel.
```
$ ss -lntp | grep named
LISTEN 0 4096 127.0.0.4:2953 0.0.0.0:* users:(("named",pid=1290435,fd=37))
LISTEN 0 4096 127.0.0.3:8080 0.0.0.0:* users:(("named",pid=1290435,fd=36))
```
### Links / references
1. https://cwrap.org/socket_wrapper.html
2. https://gitlab.nic.cz/knot/deckard
Not planned
https://gitlab.isc.org/isc-projects/bind9/-/issues/2072
host: misleading documentation for the -a option
2021-10-05T15:23:19Z
wferi
`host.rst` states:
```
The -a ("all") option is normally equivalent to -v -t ANY. It also affects the behavior of the -l list zone option.
```
However, `-t ANY` uses TCP by default, whereas `-a` uses UDP.
(Aside: it's also unclear how `-a` affects the `-l` option.)
Please fix the documentation or the code as you see fit. Thanks.
https://gitlab.isc.org/isc-projects/bind9/-/issues/2049
Compiler warnings identified by Intel C++ Compiler
2022-03-01T09:43:08Z
Michal Nowak
I successfully built BIND `main` (a14445d472e6287a3bbf7208cb2c7cdba0704be4) with Intel C++ Compiler (`icc (ICC) 19.1.2.254 20200623`), though there were warnings along the way, one unit test failed, and many system tests failed (the root cause in all these crashes seems to be the same, see below).
Also, there are a lot of optimization "remarks" like:
```
CCLD named-rrchecker
remark #11074: Inlining inhibited by limit max-size
```
One such file: [named-rrchecker.optrpt](/uploads/585ef97dfba19a948aa2be1669aa5d01/named-rrchecker.optrpt).
-----------------
**Warnings**
```
CC unix/libisc_la-net.lo
unix/net.c(535): warning #3179: deprecated conversion of string literal to char* (should be const char*)
typestr = (type == IP_TOS) ? "IP_TOS" : "IPV6_TCLASS";
^
--
CC unix/libisc_la-resource.lo
unix/resource.c(132): warning #188: enumerated type mixed with another type
unixresult = setrlimit(unixresource, &rl);
^
unix/resource.c(163): warning #188: enumerated type mixed with another type
unixresult = setrlimit(unixresource, &rl);
^
unix/resource.c(170): warning #188: enumerated type mixed with another type
if (getrlimit(unixresource, &rl) == 0) {
^
unix/resource.c(172): warning #188: enumerated type mixed with another type
unixresult = setrlimit(unixresource, &rl);
^
unix/resource.c(192): warning #188: enumerated type mixed with another type
if (getrlimit(unixresource, &rl) != 0) {
^
unix/resource.c(211): warning #188: enumerated type mixed with another type
if (getrlimit(unixresource, &rl) != 0) {
^
--
CC unix/libisc_la-socket.lo
unix/socket.c(1094): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
^
unix/socket.c(1100): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
^
unix/socket.c(1125): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
^
unix/socket.c(1130): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
^
unix/socket.c(1143): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
^
unix/socket.c(1153): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
^
unix/socket.c(1168): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
^
unix/socket.c(1441): warning #188: enumerated type mixed with another type
ev->attributes = 0;
^
unix/socket.c(3944): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
^
unix/socket.c(3935): warning #589: transfer of control bypasses initialization of:
variable "do_poke" (declared at line 3955)
switch (io_state) {
--
unix/socket.c(4024): warning #188: enumerated type mixed with another type
event->attributes = 0;
^
unix/socket.c(4055): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
^
unix/socket.c(4095): warning #188: enumerated type mixed with another type
dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
^
unix/socket.c(4199): warning #188: enumerated type mixed with another type
event->attributes &= ~ISC_SOCKEVENTATTR_ATTACHED;
^
--
CC libisc_la-task.lo
task.c(1559): warning #188: enumerated type mixed with another type
return (atomic_load(&manager->mode));
^
--
CC libdns_la-dispatch.lo
dispatch.c(749): warning #188: enumerated type mixed with another type
bindoptions = 0;
^
dispatch.c(753): warning #188: enumerated type mixed with another type
bindoptions |= ISC_SOCKET_REUSEADDRESS;
^
dispatch.c(990): warning #188: enumerated type mixed with another type
ev->attributes = 0;
^
dispatch.c(1747): warning #188: enumerated type mixed with another type
result = isc_socket_bind(sock, local, options);
^
--
CC libdns_la-dst_api.lo
dst_api.c(1940): warning #188: enumerated type mixed with another type
dst_key_state_t value = 0;
^
--
CC libdns_la-rbtdb.lo
rbtdb.c(1365): warning #188: enumerated type mixed with another type
version->hash = 0;
^
rbtdb.c(8715): warning #188: enumerated type mixed with another type
rbtdb->current_version->hash = 0;
^
--
from rdata.c(553):
rdata/generic/nsec3_50.c(300): warning #188: enumerated type mixed with another type
nsec3->hash = uint8_consume_fromregion(&region);
^
--
from rdata.c(553):
rdata/generic/nsec3param_51.c(236): warning #188: enumerated type mixed with another type
nsec3param->hash = uint8_consume_fromregion(&region);
^
--
from rdata.c(553):
rdata/generic/amtrelay_260.c(156): warning #3179: deprecated conversion of string literal to char* (should be const char*)
space = (gateway != 0U) ? " " : "";
^
--
CC libdns_la-request.lo
request.c(159): warning #592: variable "sock" is used before its value is set
UNUSED(sock);
^
request.c(440): warning #188: enumerated type mixed with another type
sendevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
^
request.c(443): warning #188: enumerated type mixed with another type
sendevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
^
request.c(564): warning #188: enumerated type mixed with another type
result = isc_socket_bind(sock, &bind_any, 0);
^
request.c(568): warning #188: enumerated type mixed with another type
result = isc_socket_bind(sock, &src, 0);
^
--
CC libdns_la-resolver.lo
resolver.c(1233): warning #188: enumerated type mixed with another type
query->attributes |= RESQUERY_ATTR_CANCELED;
^
resolver.c(2016): warning #188: enumerated type mixed with another type
query->attributes = 0;
^
resolver.c(2098): warning #188: enumerated type mixed with another type
result = isc_socket_bind(query->tcpsocket, &addr, 0);
^
resolver.c(2387): warning #1292: unknown attribute "nonstring"
uint8_t buf[16] ISC_NONSTRING = { 0 };
^
resolver.c(2390): warning #1292: unknown attribute "nonstring"
uint8_t digest[ISC_SIPHASH24_TAG_LENGTH] ISC_NONSTRING = { 0 };
^
resolver.c(2913): warning #188: enumerated type mixed with another type
query->sendevent.attributes &= ~ISC_SOCKEVENTATTR_DSCP;
^
resolver.c(2916): warning #188: enumerated type mixed with another type
query->sendevent.attributes |= ISC_SOCKEVENTATTR_DSCP;
^
resolver.c(9669): warning #3179: deprecated conversion of string literal to char* (should be const char*)
FCTXTRACE4("query canceled in response(); ",
^
--
CC libdns_la-rrl.lo
rrl.c(496): warning #188: enumerated type mixed with another type
ratep = get_rate(rrl, e->key.s.rtype);
^
rrl.c(642): warning #188: enumerated type mixed with another type
ratep = get_rate(rrl, e->key.s.rtype);
^
rrl.c(1116): warning #188: enumerated type mixed with another type
return (ISC_R_SUCCESS);
^
--
CC libdns_la-zone.lo
zone.c(5814): warning #188: enumerated type mixed with another type
return (atomic_load_relaxed(&zone->options));
^
zone.c(20704): warning #188: enumerated type mixed with another type
param.hash = hash;
^
--
CC libdns_la-zoneverify.lo
zoneverify.c(1977): warning #3179: deprecated conversion of string literal to char* (should be const char*)
const char *keydesc = (secroots == NULL ? "self-signed" : "trusted");
^
--
CC libns_la-client.lo
client.c(1076): warning #1292: unknown attribute "nonstring"
unsigned char digest[ISC_MAX_MD_SIZE] ISC_NONSTRING = { 0 };
^
client.c(1089): warning #1292: unknown attribute "nonstring"
unsigned char input[16 + 16] ISC_NONSTRING = { 0 };
^
client.c(1124): warning #1292: unknown attribute "nonstring"
unsigned char input[4 + 4 + 16] ISC_NONSTRING = { 0 };
^
--
CC libns_la-query.lo
query.c(1211): warning #3179: deprecated conversion of string literal to char* (should be const char*)
str_blank = (*str != ' ' && *str != '\0') ? " " : "";
^
query.c(4574): warning #188: enumerated type mixed with another type
hash = 1;
^
--
CC libbind9_la-check.lo
check.c(1596): warning #188: enumerated type mixed with another type
enum { MAS = 1, PRI = 2, SLA = 4, SCN = 8 } values = 0;
^
check.c(1612): warning #188: enumerated type mixed with another type
values |= PRI;
^
check.c(1622): warning #188: enumerated type mixed with another type
values |= MAS;
^
check.c(1632): warning #188: enumerated type mixed with another type
values |= SCN;
^
check.c(1642): warning #188: enumerated type mixed with another type
values |= SLA;
^
--
CC server.o
server.c(3730): warning #188: enumerated type mixed with another type
fstrm_iothr_options_set_queue_model(fopt, i);
^
server.c(11139): warning #3179: deprecated conversion of string literal to char* (should be const char*)
sep = (ptr == NULL) ? "" : ": ";
^
--
CC statschannel.o
statschannel.c(115): warning #188: enumerated type mixed with another type
{ 0, NULL } };
^
--
CC dighost.lo
dighost.c(2831): warning #188: enumerated type mixed with another type
result = isc_socket_bind(query->sock, &bind_any, 0);
^
dighost.c(2934): warning #188: enumerated type mixed with another type
result = isc_socket_bind(query->sock, &bind_any, 0);
^
--
CC named-checkconf.o
named-checkconf.c(201): warning #188: enumerated type mixed with another type
zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
^
named-checkconf.c(299): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
^
named-checkconf.c(300): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
^
named-checkconf.c(302): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
^
named-checkconf.c(303): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
^
named-checkconf.c(305): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
^
named-checkconf.c(306): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
^
named-checkconf.c(312): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
^
named-checkconf.c(313): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
^
named-checkconf.c(319): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMX;
^
named-checkconf.c(320): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
^
named-checkconf.c(322): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMX;
^
named-checkconf.c(323): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
^
named-checkconf.c(325): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKMX;
^
named-checkconf.c(326): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
^
named-checkconf.c(332): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMX;
^
named-checkconf.c(333): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
^
named-checkconf.c(339): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkconf.c(341): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkconf.c(344): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkconf.c(350): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
^
named-checkconf.c(351): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkconf.c(353): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
^
named-checkconf.c(354): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkconf.c(356): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
^
named-checkconf.c(357): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkconf.c(363): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
^
named-checkconf.c(364): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkconf.c(370): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkconf.c(371): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkconf.c(373): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkconf.c(374): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkconf.c(376): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkconf.c(377): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkconf.c(383): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkconf.c(384): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkconf.c(390): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
^
named-checkconf.c(392): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
^
named-checkconf.c(399): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKSPF;
^
named-checkconf.c(401): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
^
named-checkconf.c(407): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKSPF;
^
named-checkconf.c(413): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMES;
^
named-checkconf.c(414): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
^
named-checkconf.c(416): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMES;
^
named-checkconf.c(417): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
^
named-checkconf.c(419): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
^
named-checkconf.c(420): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
^
named-checkconf.c(426): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMES;
^
named-checkconf.c(427): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
^
named-checkconf.c(449): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKTTL;
^
--
CC check-tool.lo
check-tool.c(93): warning #188: enumerated type mixed with another type
dns_zoneopt_t zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_CHECKMX |
^
check-tool.c(760): warning #3179: deprecated conversion of string literal to char* (should be const char*)
flags = (fileformat == dns_masterformat_text) ? "w" : "wb";
^
--
CC named-checkzone.o
named-checkzone.c(155): warning #188: enumerated type mixed with another type
zone_options |= (DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_FATALNS |
^
named-checkzone.c(161): warning #188: enumerated type mixed with another type
zone_options |= (DNS_ZONEOPT_CHECKDUPRR | DNS_ZONEOPT_CHECKSPF);
^
named-checkzone.c(183): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
^
named-checkzone.c(189): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkzone.c(190): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
^
named-checkzone.c(195): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkzone.c(196): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
^
named-checkzone.c(201): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkzone.c(202): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
^
named-checkzone.c(207): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
^
named-checkzone.c(208): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
^
named-checkzone.c(238): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMES;
^
named-checkzone.c(239): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
^
named-checkzone.c(241): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNAMES |
^
named-checkzone.c(244): warning #188: enumerated type mixed with another type
zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
^
named-checkzone.c(265): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKTTL;
^
named-checkzone.c(277): warning #188: enumerated type mixed with another type
zone_options &= ~(DNS_ZONEOPT_CHECKNS |
^
named-checkzone.c(280): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNS;
^
named-checkzone.c(281): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_FATALNS;
^
named-checkzone.c(283): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKNS |
^
named-checkzone.c(294): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMX;
^
named-checkzone.c(295): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
^
named-checkzone.c(297): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKMX |
^
named-checkzone.c(300): warning #188: enumerated type mixed with another type
zone_options &= ~(DNS_ZONEOPT_CHECKMX |
^
named-checkzone.c(319): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
^
named-checkzone.c(320): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
^
named-checkzone.c(322): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKDUPRR |
^
named-checkzone.c(325): warning #188: enumerated type mixed with another type
zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
^
named-checkzone.c(371): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
^
named-checkzone.c(372): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkzone.c(374): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
^
named-checkzone.c(375): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkzone.c(377): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
^
named-checkzone.c(378): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
^
named-checkzone.c(388): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkzone.c(389): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkzone.c(391): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkzone.c(392): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkzone.c(394): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
^
named-checkzone.c(395): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
^
named-checkzone.c(405): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKSPF;
^
named-checkzone.c(407): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
^
named-checkzone.c(417): warning #188: enumerated type mixed with another type
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
^
named-checkzone.c(419): warning #188: enumerated type mixed with another type
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
^
--
CC tsig-keygen.o
tsig-keygen.c(228): warning #3179: deprecated conversion of string literal to char* (should be const char*)
: CONFGEN_DEFAULT);
^
```
Check:
```
CC socket_test.o
socket_test.c(192): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s1, &addr1, 0);
^
socket_test.c(200): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s2, &addr2, 0);
^
socket_test.c(250): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s1, &addr1, 0);
^
socket_test.c(258): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s2, &addr2, 0);
^
socket_test.c(363): warning #188: enumerated type mixed with another type
socketevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
^
socket_test.c(367): warning #188: enumerated type mixed with another type
socketevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
^
socket_test.c(420): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s1, &addr1, 0);
^
socket_test.c(429): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s2, &addr2, 0);
^
socket_test.c(500): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s1, &addr1, 0);
^
socket_test.c(587): warning #188: enumerated type mixed with another type
result = isc_socket_bind(s1, &addr1, 0);
^
--
CC dispatch_test.o
dispatch_test.c(291): warning #188: enumerated type mixed with another type
result = isc_socket_bind(sock, &local, 0);
^
--
CC private_test.o
private_test.c(119): warning #188: enumerated type mixed with another type
params.hash = testcase->hash;
^
CC sigs_test.o
sigs_test.c(329): warning #188: enumerated type mixed with another type
ZONECHANGE_SENTINEL,
^
sigs_test.c(336): warning #188: enumerated type mixed with another type
ZONEDIFF_SENTINEL,
^
sigs_test.c(347): warning #188: enumerated type mixed with another type
ZONECHANGE_SENTINEL,
^
sigs_test.c(354): warning #188: enumerated type mixed with another type
ZONEDIFF_SENTINEL,
^
sigs_test.c(365): warning #188: enumerated type mixed with another type
ZONECHANGE_SENTINEL,
^
sigs_test.c(372): warning #188: enumerated type mixed with another type
ZONEDIFF_SENTINEL,
^
sigs_test.c(382): warning #188: enumerated type mixed with another type
ZONECHANGE_SENTINEL,
^
sigs_test.c(387): warning #188: enumerated type mixed with another type
ZONEDIFF_SENTINEL,
^
sigs_test.c(400): warning #188: enumerated type mixed with another type
ZONECHANGE_SENTINEL,
^
sigs_test.c(410): warning #188: enumerated type mixed with another type
ZONEDIFF_SENTINEL,
^
--
CC dnstap_test-dnstap_test.o
dnstap_test.c(123): warning #188: enumerated type mixed with another type
result = dns_dt_create(dt_mctx, 33, TAPSOCK, &fopt, NULL, &dtenv);
^
--
CC zt_test.o
zt_test.c(201): warning #2332: a value of type "atomic_bool={_Atomic(_Bool)} *" cannot be assigned to an entity of type "void *" (dropping qualifiers)
args.arg2 = &done;
^
zt_test.c(223): warning #2332: a value of type "atomic_bool={_Atomic(_Bool)} *" cannot be assigned to an entity of type "void *" (dropping qualifiers)
args.arg2 = &done;
^
zt_test.c(240): warning #2332: a value of type "atomic_bool={_Atomic(_Bool)} *" cannot be assigned to an entity of type "void *" (dropping qualifiers)
args.arg2 = &done;
^
zt_test.c(316): warning #2332: a value of type "atomic_bool={_Atomic(_Bool)} *" cannot be assigned to an entity of type "void *" (dropping qualifiers)
args.arg2 = &done;
^
--
CC nstest.lo
nstest.c(97): warning #188: enumerated type mixed with another type
client->state = 4;
^
--
```
`ns_listenlist_default_test` and a lot of system tests fail with:
```
[ RUN ] ns_listenlist_default_test
netmgr/netmgr.c:694: REQUIRE(target != ((void*)0) && *target == ((void*)0)) failed, back trace
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(+0x2ec7d) [0x7fc5ec0ffc7d]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(isc_assertion_failed+0x7) [0x7fc5ec0ffd45]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(isc__nmsocket_attach+0x56) [0x7fc5ec0ea61c]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(isc__nm_tcp_stoplistening+0x52) [0x7fc5ec0edb0c]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(isc__nm_tcpdns_stoplistening+0x63) [0x7fc5ec0eea38]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(isc_nm_stoplistening+0x6e) [0x7fc5ec0eb674]
/home/newman/isc/ws/bind9/lib/ns/.libs/libns.so.1703(ns_interface_shutdown+0x33) [0x7fc5ebea5c2d]
/home/newman/isc/ws/bind9/lib/ns/.libs/libns.so.1703(+0x15925) [0x7fc5ebea5925]
/home/newman/isc/ws/bind9/lib/ns/tests/.libs/lt-listenlist_test() [0x403d69]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(+0x49793) [0x7fc5ec11a793]
/home/newman/isc/ws/bind9/lib/isc/.libs/libisc.so.1703(+0x49249) [0x7fc5ec11a249]
/lib64/libpthread.so.0(+0x9432) [0x7fc5eb6b2432]
/lib64/libc.so.6(clone+0x43) [0x7fc5eb5e0913]
./../../unit-test-driver.sh: line 13: 528599 Aborted (core dumped) "${TEST_PROGRAM}"
```
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/2048
Compiler warnings identified by Oracle Developer Studio
2023-11-02T16:26:05Z
Michal Nowak

I compiled BIND `main` (a14445d472e6287a3bbf7208cb2c7cdba0704be4) with [Oracle Developer Studio](https://www.oracle.com/application-development/technologies/developerstudio.html) 12.6 (`Studio 12.6 Sun C 5.15 Linux_i386 2017/05/30`) on Fedora 32 and it produced a bunch of warnings and a few errors.
Compilation commands:
```
autoreconf -fi && CC=/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc CFLAGS="-O1 -g -Wall -Wextra" ./configure --disable-maintainer-mode --with-libtool --disable-static --with-cmocka --with-libxml2 --with-json-c --prefix=$HOME/.local --without-make-clean --with-python=python3 --enable-dnstap --with-libidn2 && make -j12 V=1
```
I disabled the following GCC options for the Studio output to be cleaner, as they produce a lot of warnings:
```
cc: Warning: Option -fno-delete-null-pointer-checks passed to ld, if ld is invoked, ignored otherwise
cc: Warning: Option -fdiagnostics-show-option passed to ld, if ld is invoked, ignored otherwise
"/usr/include/features.h", line 397: #warning: _FORTIFY_SOURCE requires compiling with optimization (-O)
```
```patch
diff --git a/configure.ac b/configure.ac
index a32fb68f18..5d7f93d8f9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -137,7 +137,7 @@ STD_CFLAGS="-Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missi
STD_CFLAGS="$STD_CFLAGS -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes"
# Fortify the sources by default
-STD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
+#STD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
#
# Additional compiler settings.
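Review bot: Commenting out the `STD_CPPFLAGS="-D_FORTIFY_SOURCE=2"` assignment removes source fortification for every compiler, not only for the Studio build that triggered the `features.h` warning. Suggest keeping the assignment and making it conditional on the compiler in use, so that GCC and Clang builds keep `_FORTIFY_SOURCE=2`. The "# Fortify the sources by default" comment is also left describing a line that no longer takes effect.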
@@ -145,10 +145,10 @@ STD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing],
[STD_CFLAGS="$STD_CFLAGS -fno-strict-aliasing"])
# Clang only issues a warning so use -Werror to force a error.
-AX_CHECK_COMPILE_FLAG([-Werror -fno-delete-null-pointer-checks],
- [STD_CFLAGS="$STD_CFLAGS -fno-delete-null-pointer-checks"])
-AX_CHECK_COMPILE_FLAG([-fdiagnostics-show-option],
- [STD_CFLAGS="$STD_CFLAGS -fdiagnostics-show-option"])
+#AX_CHECK_COMPILE_FLAG([-Werror -fno-delete-null-pointer-checks],
+# [STD_CFLAGS="$STD_CFLAGS -fno-delete-null-pointer-checks"])
+#AX_CHECK_COMPILE_FLAG([-fdiagnostics-show-option],
+# [STD_CFLAGS="$STD_CFLAGS -fdiagnostics-show-option"])
#
# Change defaults for developers if not explicity set.
```
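Review bot: In the second hunk, commenting out both `AX_CHECK_COMPILE_FLAG` probes drops `-fno-delete-null-pointer-checks` and `-fdiagnostics-show-option` for all compilers, when the underlying problem is that the probes succeed under a compiler that only warns about the option (see the "passed to ld" warnings quoted above). The existing comment already notes that `-Werror` is needed to turn Clang's warning into a probe failure, and the `-fdiagnostics-show-option` probe has no such guard at all. Suggest making each probe fail when the compiler merely warns, rather than removing it, so that compilers which do support the flags keep them.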
I had to manually undef `HAVE_BUILTIN_EXPECT` via `sed -i -e '/HAVE_BUILTIN_EXPECT/s/.*/#undef HAVE_BUILTIN_EXPECT/' config.h`, otherwise I get a lot of lines like this: `"radix.c", line 78: internal compiler error: __builtin_expect undefined`:
```
checking compiler support for __builtin_unreachable()... no
checking compiler support for __builtin_expect... yes
checking compiler support for __builtin_clz... no
```
Studio's `acomp` binary (a preprocessor) crashes on some input files (this may be fixed in Studio production patches we don't have access to):
```
/bin/sh ../../libtool --tag=CC --mode=compile /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o libdns_la-peer.lo `test -f 'peer.c' || echo './'`peer.c
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c peer.c -KPIC -DPIC -o .libs/libdns_la-peer.o
cc: Fatal error in /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/lib/compilers/bin/acomp : Signal number = 139
```
Full list of warnings and errors detected:
```
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c pk11.c -KPIC -DPIC -o .libs/libisc_la-pk11.o
"pk11.c", line 881: warning: statement not reached
"pk11.c", line 885: warning: statement not reached
"pk11.c", line 909: warning: statement not reached
"pk11.c", line 915: warning: statement not reached
"pk11.c", line 919: warning: statement not reached
"pk11.c", line 984: warning: statement not reached
"pk11.c", line 990: warning: statement not reached
"pk11.c", line 994: warning: statement not reached
"pk11.c", line 1010: warning: statement not reached
"pk11.c", line 1019: warning: statement not reached
"pk11.c", line 1026: warning: statement not reached
"pk11.c", line 1039: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c md.c -KPIC -DPIC -o .libs/libisc_la-md.o
"md.c", line 168: warning: syntax error: empty declaration
"md.c", line 169: warning: syntax error: empty declaration
"md.c", line 170: warning: syntax error: empty declaration
"md.c", line 171: warning: syntax error: empty declaration
"md.c", line 172: warning: syntax error: empty declaration
"md.c", line 173: warning: syntax error: empty declaration
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c unix/socket.c -KPIC -DPIC -o unix/.libs/libisc_la-socket.o
"unix/socket.c", line 4755: warning: statement not reached
"unix/socket.c", line 4756: warning: statement not reached
"unix/socket.c", line 4757: warning: statement not reached
"unix/socket.c", line 4758: warning: statement not reached
"unix/socket.c", line 4759: warning: statement not reached
"unix/socket.c", line 4761: warning: statement not reached
"unix/socket.c", line 4763: warning: statement not reached
"unix/socket.c", line 4764: warning: statement not reached
"unix/socket.c", line 4765: warning: statement not reached
"unix/socket.c", line 4766: warning: statement not reached
"unix/socket.c", line 4767: warning: statement not reached
"unix/socket.c", line 4768: warning: statement not reached
"unix/socket.c", line 4772: warning: statement not reached
"unix/socket.c", line 4900: warning: statement not reached
"unix/socket.c", line 4901: warning: statement not reached
"unix/socket.c", line 4902: warning: statement not reached
"unix/socket.c", line 4903: warning: statement not reached
"unix/socket.c", line 4904: warning: statement not reached
"unix/socket.c", line 4906: warning: statement not reached
"unix/socket.c", line 4908: warning: statement not reached
"unix/socket.c", line 4909: warning: statement not reached
"unix/socket.c", line 4910: warning: statement not reached
"unix/socket.c", line 4911: warning: statement not reached
"unix/socket.c", line 4912: warning: statement not reached
"unix/socket.c", line 4913: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c pthreads/thread.c -KPIC -DPIC -o pthreads/.libs/libisc_la-thread.o
"pthreads/thread.c", line 61: warning: statement not reached
"pthreads/thread.c", line 67: warning: statement not reached
"pthreads/thread.c", line 75: warning: statement not reached
"pthreads/thread.c", line 87: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c dst_api.c -KPIC -DPIC -o .libs/libdns_la-dst_api.o
"dst_api.c", line 1550: warning: statement not reached
"dst_api.c", line 1557: warning: statement not reached
"dst_api.c", line 1573: warning: statement not reached
"dst_api.c", line 1583: warning: statement not reached
"dst_api.c", line 1592: warning: statement not reached
"dst_api.c", line 1600: warning: statement not reached
"dst_api.c", line 1706: warning: statement not reached
"dst_api.c", line 1713: warning: statement not reached
"dst_api.c", line 1725: warning: statement not reached
"dst_api.c", line 1732: warning: statement not reached
"dst_api.c", line 1748: warning: statement not reached
"dst_api.c", line 1758: warning: statement not reached
"dst_api.c", line 1772: warning: statement not reached
"dst_api.c", line 1780: warning: statement not reached
"dst_api.c", line 1794: warning: statement not reached
"dst_api.c", line 1815: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c hmac_link.c -KPIC -DPIC -o .libs/libdns_la-hmac_link.o
"hmac_link.c", line 511: warning: syntax error: empty declaration
"hmac_link.c", line 512: warning: syntax error: empty declaration
"hmac_link.c", line 513: warning: syntax error: empty declaration
"hmac_link.c", line 514: warning: syntax error: empty declaration
"hmac_link.c", line 515: warning: syntax error: empty declaration
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c openssldh_link.c -KPIC -DPIC -o .libs/libdns_la-openssldh_link.o
"openssldh_link.c", line 678: warning: statement not reached
"openssldh_link.c", line 683: warning: statement not reached
"openssldh_link.c", line 693: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../../../../.. -include ../../../../../config.h -I./include -I../../../../../include -I../../../../../lib/isc/unix/include -I../../../../../lib/isc/pthreads/include -I../../../../../lib/isc/include -I../../../../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../../../../lib/dns/include -I../../../../../lib/dns/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c zone.c -KPIC -DPIC -o .libs/zone.o
"zone.c", line 127: warning: end-of-loop code not reached
"zone.c", line 137: warning: end-of-loop code not reached
"zone.c", line 145: warning: end-of-loop code not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../../../../.. -include ../../../../../config.h -I./include -I../../../../../include -I../../../../../lib/isc/unix/include -I../../../../../lib/isc/pthreads/include -I../../../../../lib/isc/include -I../../../../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../../../../lib/dns/include -I../../../../../lib/dns/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c syncptr.c -KPIC -DPIC -o .libs/syncptr.o
"syncptr.c", line 134: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../../../../.. -include ../../../../../config.h -I./include -I../../../../../include -I../../../../../lib/isc/unix/include -I../../../../../lib/isc/pthreads/include -I../../../../../lib/isc/include -I../../../../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../../../../lib/dns/include -I../../../../../lib/dns/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c db.c -KPIC -DPIC -o .libs/db.o
"db.c", line 112: warning: statement not reached
"db.c", line 128: warning: statement not reached
"db.c", line 151: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DRNDC_KEYFILE=\"/home/newman/.local/etc/rndc.key\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o rndc-confgen.o rndc-confgen.c
"rndc-confgen.c", line 174: warning: statement not reached
"rndc-confgen.c", line 200: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DRNDC_KEYFILE=\"/home/newman/.local/etc/rndc.key\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o tsig-keygen.o tsig-keygen.c
"tsig-keygen.c", line 174: warning: statement not reached
"tsig-keygen.c", line 197: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/isccfg/include -I../../lib/irs/include -I../../lib/bind9/include -DSESSION_KEYFILE=\"/home/newman/.local/var/run/named/session.key\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o nsupdate.o nsupdate.c
"nsupdate.c", line 1234: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/bind9/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o mdig-mdig.o `test -f 'mdig.c' || echo './'`mdig.c
"mdig.c", line 1691: warning: statement not reached
"mdig.c", line 1702: warning: statement not reached
"mdig.c", line 1708: warning: statement not reached
"mdig.c", line 1720: warning: statement not reached
"mdig.c", line 1810: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dnssec-signzone.o dnssec-signzone.c
"dnssec-signzone.c", line 463: warning: statement not reached
"dnssec-signzone.c", line 3487: warning: statement not reached
"dnssec-signzone.c", line 3529: warning: statement not reached
"dnssec-signzone.c", line 3541: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -I../../lib/isccfg/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dnssec_keygen-dnssec-keygen.o `test -f 'dnssec-keygen.c' || echo './'`dnssec-keygen.c
"dnssec-keygen.c", line 1017: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dnssec-keyfromlabel.o dnssec-keyfromlabel.c
"dnssec-keyfromlabel.c", line 645: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dnssec-dsfromkey.o dnssec-dsfromkey.c
"dnssec-dsfromkey.c", line 424: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c dnssectool.c -KPIC -DPIC -o .libs/dnssectool.o
"dnssectool.c", line 222: warning: statement not reached
"dnssectool.c", line 240: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -DNAMED_CONFFILE=\"/home/newman/.local/etc/named.conf\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dnssec-cds.o dnssec-cds.c
"dnssec-cds.c", line 1122: warning: statement not reached
"dnssec-cds.c", line 1131: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/isccfg/include -I../../lib/irs/include -I../../lib/bind9/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o host.o host.c
"host.c", line 665: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/isccfg/include -I../../lib/irs/include -I../../lib/bind9/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o dig.o dig.c
"dig.c", line 1889: warning: statement not reached
"dig.c", line 1899: warning: statement not reached
"dig.c", line 1916: warning: statement not reached
"dig.c", line 1936: warning: statement not reached
"dig.c", line 2150: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/isccfg/include -I../../lib/isccc/include/ -I../../lib/bind9/include -DRNDC_CONFFILE=\"/home/newman/.local/etc/rndc.conf\" -DRNDC_KEYFILE=\"/home/newman/.local/etc/rndc.key\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o rndc.o rndc.c
"rndc.c", line 980: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I./unix/include -I../../include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/ns/include -I../../lib/isccc/include/ -I../../lib/isccfg/include -I../../lib/bind9/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -DNAMED_LOCALSTATEDIR=\"/home/newman/.local/var\" -DNAMED_SYSCONFDIR=\"/home/newman/.local/etc\" -DMAXMINDDB_PREFIX=\"/usr\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o unix/os.o unix/os.c
"unix/os.c", line 193: warning: statement not reached
"unix/os.c", line 226: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I./unix/include -I../../include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/ns/include -I../../lib/isccc/include/ -I../../lib/isccfg/include -I../../lib/bind9/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -DNAMED_LOCALSTATEDIR=\"/home/newman/.local/var\" -DNAMED_SYSCONFDIR=\"/home/newman/.local/etc\" -DMAXMINDDB_PREFIX=\"/usr\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o server.o server.c
"server.c", line 830: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I./unix/include -I../../include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/ns/include -I../../lib/isccc/include/ -I../../lib/isccfg/include -I../../lib/bind9/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -DNAMED_LOCALSTATEDIR=\"/home/newman/.local/var\" -DNAMED_SYSCONFDIR=\"/home/newman/.local/etc\" -DMAXMINDDB_PREFIX=\"/usr\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o main.o main.c
"/usr/include/maxminddb.h", line 92: syntax error before or at: mmdb_uint128_t
"/usr/include/maxminddb.h", line 122: syntax error before or at: mmdb_uint128_t
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/irs/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o nsprobe.o nsprobe.c
"nsprobe.c", line 1074: warning: statement not reached
"nsprobe.c", line 1080: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/isccfg/include -I../../lib/ns/include -I../../lib/bind9/include -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c check.c -KPIC -DPIC -o .libs/libbind9_la-check.o
"check.c", line 497: warning: const object should have initializer: zeros
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c opensslrsa_link.c -KPIC -DPIC -o .libs/libdns_la-opensslrsa_link.o
"opensslrsa_link.c", line 595: warning: statement not reached
"opensslrsa_link.c", line 601: warning: statement not reached
"opensslrsa_link.c", line 609: warning: statement not reached
"opensslrsa_link.c", line 892: warning: statement not reached
"opensslrsa_link.c", line 895: warning: statement not reached
"opensslrsa_link.c", line 929: warning: statement not reached
"opensslrsa_link.c", line 933: warning: statement not reached
"opensslrsa_link.c", line 939: warning: statement not reached
"opensslrsa_link.c", line 945: warning: statement not reached
"opensslrsa_link.c", line 948: warning: statement not reached
"opensslrsa_link.c", line 952: warning: statement not reached
"opensslrsa_link.c", line 970: warning: statement not reached
"opensslrsa_link.c", line 975: warning: statement not reached
"opensslrsa_link.c", line 978: warning: statement not reached
"opensslrsa_link.c", line 993: warning: statement not reached
"opensslrsa_link.c", line 1058: warning: statement not reached
"opensslrsa_link.c", line 1061: warning: statement not reached
"opensslrsa_link.c", line 1100: warning: statement not reached
"opensslrsa_link.c", line 1104: warning: statement not reached
"opensslrsa_link.c", line 1111: warning: statement not reached
"opensslrsa_link.c", line 1117: warning: statement not reached
"opensslrsa_link.c", line 1123: warning: statement not reached
"opensslrsa_link.c", line 1126: warning: statement not reached
"opensslrsa_link.c", line 1130: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c openssleddsa_link.c -KPIC -DPIC -o .libs/libdns_la-openssleddsa_link.o
"openssleddsa_link.c", line 182: warning: statement not reached
"openssleddsa_link.c", line 189: warning: statement not reached
"openssleddsa_link.c", line 194: warning: statement not reached
"openssleddsa_link.c", line 247: warning: statement not reached
"openssleddsa_link.c", line 330: warning: statement not reached
"openssleddsa_link.c", line 336: warning: statement not reached
"openssleddsa_link.c", line 523: warning: statement not reached
"openssleddsa_link.c", line 526: warning: statement not reached
"openssleddsa_link.c", line 561: warning: statement not reached
"openssleddsa_link.c", line 563: warning: statement not reached
"openssleddsa_link.c", line 567: warning: statement not reached
"openssleddsa_link.c", line 578: warning: statement not reached
"openssleddsa_link.c", line 631: warning: statement not reached
"openssleddsa_link.c", line 636: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c opensslecdsa_link.c -KPIC -DPIC -o .libs/libdns_la-opensslecdsa_link.o
"opensslecdsa_link.c", line 174: warning: statement not reached
"opensslecdsa_link.c", line 179: warning: statement not reached
"opensslecdsa_link.c", line 185: warning: statement not reached
"opensslecdsa_link.c", line 234: warning: statement not reached
"opensslecdsa_link.c", line 239: warning: statement not reached
"opensslecdsa_link.c", line 288: warning: statement not reached
"opensslecdsa_link.c", line 290: warning: statement not reached
"opensslecdsa_link.c", line 295: warning: statement not reached
"opensslecdsa_link.c", line 302: warning: statement not reached
"opensslecdsa_link.c", line 305: warning: statement not reached
"opensslecdsa_link.c", line 348: warning: statement not reached
"opensslecdsa_link.c", line 353: warning: statement not reached
"opensslecdsa_link.c", line 357: warning: statement not reached
"opensslecdsa_link.c", line 411: warning: statement not reached
"opensslecdsa_link.c", line 415: warning: statement not reached
"opensslecdsa_link.c", line 466: warning: statement not reached
"opensslecdsa_link.c", line 469: warning: statement not reached
"opensslecdsa_link.c", line 474: warning: statement not reached
"opensslecdsa_link.c", line 478: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c client.c -KPIC -DPIC -o .libs/libdns_la-client.o
"client.c", line 2939: warning: argument #2 is incompatible with prototype:
prototype: pointer to void : "../../lib/isc/include/isc/event.h", line 86
argument : pointer to function(pointer to struct dns_client {unsigned int magic, unsigned int attributes, union {..} lock, pointer to struct isc_mem {..} mctx, pointer to struct isc_appctx {..} actx, pointer to struct isc_taskmgr {..} taskmgr, pointer to struct isc_task {..} task, pointer to struct isc_socketmgr {..} socketmgr, pointer to struct isc_timermgr {..} timermgr, pointer to struct dns_dispatchmgr {..} dispatchmgr, pointer to struct dns_dispatch {..} dispatchv4, pointer to struct dns_dispatch {..} dispatchv6, unsigned int update_timeout, unsigned int update_udptimeout, unsigned int update_udpretries, unsigned int find_timeout, unsigned int find_udpretries, atomic unsigned long references, struct {..} viewlist, struct {..} resctxs, struct {..} reqctxs, struct {..} updatectxs}, unsigned short, pointer to const struct dns_name {unsigned int magic, pointer to unsigned char ndata, unsigned int length, unsigned int labels, unsigned int attributes, pointer to unsigned char offsets, pointer to struct isc_buffer {..} buffer, struct {..} link, struct {..} list}, pointer to struct {pointer to struct dns_name {..} head, pointer to struct dns_name {..} tail}, pointer to struct {pointer to struct dns_name {..} head, pointer to struct dns_name {..} tail}, pointer to struct {pointer to struct isc_sockaddr {..} head, pointer to struct isc_sockaddr {..} tail}, pointer to struct dns_tsec {}, unsigned int, pointer to struct isc_task {unsigned int impmagic, unsigned int magic}, pointer to function(..) returning void, pointer to void, pointer to pointer to void) returning unsigned int
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c zone.c -KPIC -DPIC -o .libs/libdns_la-zone.o
"zone.c", line 500: warning: enumerator value overflows INT_MAX (2147483647)
"zone.c", line 5711: internal compiler error: NAME with no symbol table entry
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c sdlz.c -KPIC -DPIC -o .libs/libdns_la-sdlz.o
"sdlz.c", line 739: warning: Function has no return statement : expirenode
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c sdb.c -KPIC -DPIC -o .libs/libdns_la-sdb.o
"sdb.c", line 1072: warning: Function has no return statement : expirenode
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c rpz.c -KPIC -DPIC -o .libs/libdns_la-rpz.o
"rpz.c", line 215: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c rdata.c -KPIC -DPIC -o .libs/libdns_la-rdata.o
"rdata/generic/amtrelay_260.c", line 295: warning: statement not reached
"rdata/generic/amtrelay_260.c", line 300: warning: statement not reached
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c rbtdb.c -KPIC -DPIC -o .libs/libdns_la-rbtdb.o
"rbtdb.c", line 4514: warning: statement not reached
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I./unix/include -I../../include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/ns/include -I../../lib/isccc/include/ -I../../lib/isccfg/include -I../../lib/bind9/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -DNAMED_LOCALSTATEDIR=\"/home/newman/.local/var\" -DNAMED_SYSCONFDIR=\"/home/newman/.local/etc\" -DMAXMINDDB_PREFIX=\"/usr\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o main.o main.c
"/usr/include/maxminddb.h", line 92: syntax error before or at: mmdb_uint128_t
"/usr/include/maxminddb.h", line 122: syntax error before or at: mmdb_uint128_t
cc: acomp failed for main.c
/home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I./unix/include -I../../include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../lib/ns/include -I../../lib/isccc/include/ -I../../lib/isccfg/include -I../../lib/bind9/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -DNAMED_LOCALSTATEDIR=\"/home/newman/.local/var\" -DNAMED_SYSCONFDIR=\"/home/newman/.local/etc\" -DMAXMINDDB_PREFIX=\"/usr\" -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c -o geoip.o geoip.c
"/usr/include/maxminddb.h", line 92: syntax error before or at: mmdb_uint128_t
"/usr/include/maxminddb.h", line 122: syntax error before or at: mmdb_uint128_t
cc: acomp failed for geoip.c
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c geoip2.c -KPIC -DPIC -o .libs/libdns_la-geoip2.o
"/usr/include/maxminddb.h", line 92: syntax error before or at: mmdb_uint128_t
"/usr/include/maxminddb.h", line 122: syntax error before or at: mmdb_uint128_t
"geoip2.c", line 202: improper member use: utf8_string
"geoip2.c", line 207: improper member use: utf8_string
"geoip2.c", line 219: improper member use: uint32
cc: acomp failed for geoip2.c
libtool: compile: /home/newman/Downloads/OracleDeveloperStudio12.6-linux-x86-bin/developerstudio12.6/bin/cc -DHAVE_CONFIG_H -I. -I../.. -include ../../config.h -I./include -I../../include -I../../lib/isc/unix/include -I../../lib/isc/pthreads/include -I../../lib/isc/include -I../../lib/isc/include -I/usr/include/json-c -I/usr/include/libxml2 -I../../lib/dns/include -I../../lib/dns/include -I../../libltdl -I/usr/include/json-c -I/usr/include/libxml2 -Wall -Wextra -Wwrite-strings -Wcast-qual -Wpointer-arith -Wno-missing-field-initializers -Wformat -Wshadow -Werror=implicit-function-declaration -Werror=missing-prototypes -Werror=format-security -Werror=parentheses -Werror=implicit -Werror=strict-prototypes -fno-strict-aliasing -O1 -g -Wall -Wextra -mt -c zone.c -KPIC -DPIC -o .libs/libdns_la-zone.o
"zone.c", line 500: warning: enumerator value overflows INT_MAX (2147483647)
"zone.c", line 5711: internal compiler error: NAME with no symbol table entry
```
If these warnings are believed to be meaningful, we may run Studio on the rest of maintained branches and more often and, eventually, integrate it to the CI.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/2007
QNAME minimization may trigger "premature" priming queries
2023-11-02T17:00:02Z
Michał Kępień

I do not believe this is a serious issue, maybe it can even be closed
with `-EWORKSASDESIGNED`, but perhaps there is room for improvement
here. I mostly wanted to document what is happening because figuring it
out required me to run `rr` for 10 days straight :-)
With QNAME minimization enabled, a `named` resolver might send priming
queries before the last cached `./NS` response expires. The "root
cause" here is that the glue TTL for the `root-servers.net.` zone
differs between the root servers (3600000) and the servers authoritative
for `net.` (172800). This can be demonstrated using the following `dig`
invocations:
```
$ dig @a.root-servers.net root-servers.net. NS +norec
$ dig @a.gtld-servers.net root-servers.net. NS +norec +multi
```
Since the `root-servers.net.` zone is unsigned, the RFC 2181 trust level
of the RRsets found in the ADDITIONAL section of the referrals returned
by `net.` authoritative servers is *higher* than those returned in the
ADDITIONAL section of unsigned authoritative responses generated by the
root servers (which are authoritative for `root-servers.net.`). This
results in the 172800 TTL for `[a-m].root-servers.net/A(AAA)` overriding
the higher one received from the root servers.
To reproduce the issue:
1. Start a `named` resolver with QNAME minimization enabled and
    preferably `max-stale-ttl 0;` set, so that the DB dump from the next
    step is easier to interpret.
2. Do an `rndc dumpdb -cache`, then run:

    ```
    grep -F root-servers.net named_dump.db
    ```

    The result should contain lines like:

    ```
    a.root-servers.net. 518399 A 198.41.0.4
    b.root-servers.net. 518399 A 199.9.14.201
    c.root-servers.net. 518399 A 192.33.4.12
    d.root-servers.net. 518399 A 199.7.91.13
    e.root-servers.net. 518399 A 192.203.230.10
    f.root-servers.net. 518399 A 192.5.5.241
    g.root-servers.net. 518399 A 192.112.36.4
    h.root-servers.net. 518399 A 198.97.190.53
    i.root-servers.net. 518399 A 192.36.148.17
    j.root-servers.net. 518399 A 192.58.128.30
    k.root-servers.net. 518399 A 193.0.14.129
    l.root-servers.net. 518399 A 199.7.83.42
    m.root-servers.net. 518399 A 202.12.27.33
    ```

    These are cache entries created by the resolver priming query sent
    during startup. The TTL is about 1 week, which is consistent with
    `max-cache-ttl`.
3. Query the resolver for `root-servers.net/NS`. This will cause the
    resolver to first ask the root servers about `_.net.`, which will
    allow it to learn about the servers authoritative for
    `root-servers.net.`. These will subsequently be queried for
    `_.root-servers.net.`, triggering a referral with TTL=172800.
4. Repeat step 2. The relevant lines should now turn into something
    like:

    ```
    a.root-servers.net. 172799 A 198.41.0.4
    b.root-servers.net. 172799 A 199.9.14.201
    c.root-servers.net. 172799 A 192.33.4.12
    d.root-servers.net. 172799 A 199.7.91.13
    e.root-servers.net. 172799 A 192.203.230.10
    f.root-servers.net. 172799 A 192.5.5.241
    g.root-servers.net. 172799 A 192.112.36.4
    h.root-servers.net. 172799 A 198.97.190.53
    i.root-servers.net. 172799 A 192.36.148.17
    j.root-servers.net. 172799 A 192.58.128.30
    k.root-servers.net. 172799 A 193.0.14.129
    l.root-servers.net. 172799 A 199.7.83.42
    m.root-servers.net. 172799 A 202.12.27.33
    ```

With the TTL lowered, this resolver will now send the next priming query
in about 2 days instead of 6 days.
This scenario does not happen without QNAME minimization, in which case
the resolver would start processing the `root-servers.net/NS` query by
immediately querying the root servers - and since the root servers are
authoritative for `root-servers.net.`, the servers authoritative for
`net.` would not get a chance to send any TTL=172800 referrals.
I found this purely because I was curious why a `named` resolver whose
cache size limit never gets exceeded would *sometimes* send a priming
query earlier than 6 days after the last priming query. This "problem"
with the interaction of QNAME minimization with root servers is not
nearly as grave as the [other one][1] described in #1896.
I *think* triggering this requires a client query for something in the
`root-servers.net.` zone. The issue manifests itself two days later :-)
[1]: https://gitlab.isc.org/isc-projects/bind9/-/issues/1896#note_141492

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1964
Improve A/AAAA ADB and expiration synchronization for servers with addresses in both families
2024-02-19T07:02:23Z
Brian Conry

[Support ticket #16736](https://support.isc.org/Ticket/Display.html?id=16738)
A customer had sufficient issues with the upstream IPv6 routing that they followed the advice from one of our KB articles and added `server ::/0 { bogus yes; };` to their configuration.
Unexpectedly, this led to an increase in their SERVFAIL rate, impacting their customers.
The customer has done a detailed investigation into this and has identified that in a lot of cases the SERVFAIL is generated when the server is fetching fresh address records and the AAAA response returns before the A response, with the SERVFAIL being generated in the gap between the responses.
It seems that maybe we should wait for responses to both queries before proceeding?
In thinking about this further, I believe the same thing could happen if the A response arrives before the AAAA response and the two responses are processed in different seconds, pushing the expiration of the AAAA records to be later even if they are received with the same TTL.
Could/should we maybe force all of the address records for a name (A and AAAA) to expire at the same time by clamping them to all match the soonest expiration?

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1961
RFC 5011: confusing use of add hold-down timer
2023-11-02T16:58:17Z
Michał Kępień

The add hold-down timer in each trust anchor's `managed-keys.bind`
record is "overloaded" with multiple semantic meanings:
a) it is the point in time in the future when an untrusted key should
become trusted,
b) it is also the point in time in the past since which a given key has
been trusted,
c) it also determines whether a given key is an initializing key or not
(if the add hold-down timer is set to 0, the key is treated as an
initializing one).
This does *not* break RFC 5011, but mixing different semantic meanings
in code causes at least three undesired side effects:
1. **"Doubled refresh cycles" after loading a `managed-keys.bind` file
    created by a previous `named` instance.**

    I think log excerpts best demonstrate this issue:

    ```
    $ cat /etc/named.conf
    options {
        directory "/tmp";
    };
    key rndc_key {
        algorithm hmac-md5;
        secret "1234abcd8765";
    };
    controls {
        inet ::1 port 9953 allow { ::1; } keys { rndc_key; };
    };
    $ named
    $ rndc managed-keys status
    view: _default
    next scheduled event: Tue, 23 Jun 2020 07:12:16 GMT
    name: .
    keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 23 Jun 2020 07:12:16 GMT
    trusted since: Mon, 22 Jun 2020 07:12:16 GMT
    $ rndc stop
    $ named
    $ rndc managed-keys status
    view: _default
    next scheduled event: Tue, 23 Jun 2020 07:12:16 GMT
    name: .
    keyid: 20326
    algorithm: RSASHA256
    flags: SEP
    next refresh: Tue, 23 Jun 2020 07:12:25 GMT
    trusted since: Mon, 22 Jun 2020 07:12:16 GMT
    ```

    During the first `named` run, everything looks as expected.
    During the second run, however, here is what happens:

    1. `load_secroots()` schedules an immediate key refresh.
    2. When the key refresh is started, the `set_refreshkeytimer()`
        [call][1] in `zone_refreshkeys()` schedules the next key event
        to the key refresh time stored in `managed-keys.bind` by the
        previous `named` instance (this is fine).
    3. When the refresh is finished (i.e. a `./DNSKEY` response is
        received), the refresh timer for the key is [updated][2], but
        the timer set in step 2 does *not* get updated because... it is
        (understandably) set to a time earlier than the revised key
        refresh time.

    Effectively, this causes `named` to refresh each key twice per each
    refresh period - once according to the previous instance's cycle,
    once according to the current instance's cycle.

    A keen reader would notice that the above only means that `named`
    will *consider* refreshing a given key twice during each refresh
    period because key timers are examined before sending out a refresh
    query and only the keys really needing a refresh at that point are
    queried for. Well, yes, but this is where we reach the second
    issue.

2. **All trusted keys are refreshed during all key events, regardless
    of their refresh timer.**

    Due to semantic meanings a) and b) being conflated, the `kd.addhd <=
    now` [check][3] which is meant to trigger a key refresh when a given
    (untrusted) key is meant to become trusted always evaluates to
    `true` for all keys which are already trusted (because, by
    definition, their add hold-down timer must be in the past).

    Issues 1 & 2 combined cause `named` to send way more refresh queries
    than actually mandated by RFC 5011 (at least 2x as many as required
    with a single trust anchor).

3. **Confusing log messages.**

    Another issue stemming from semantic meanings a) and b) being
    conflated is that a different `kd.addhd <= now` [check][4] which is
    meant to log a message once a given (untrusted) key becomes trusted
    always evaluates to `true` for keys which are already trusted,
    causing the following message to be logged after *every* refresh of
    each key:

    ```
    managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
    ```

    This message is confusing because it suggests that the key's add
    hold-down timer has only fired just now - but in fact that key has
    likely been trusted before the refresh was even scheduled.

Here is a two-line summary of all three issues:
```
22-Jun-2020 09:43:16.871 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
22-Jun-2020 09:43:26.896 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
```
As an administrator, I find these log messages unexpected at best.
I do not have any verified solutions to propose; one idea I have is to
implement a helper routine that would replace the `keydata.addhd <= now`
checks with something more nuanced that would also check the trust
status of a given key. I believe this could solve issues 2 & 3, which
would make issue 1 more benign.
@each: thoughts?
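
One possible shape for the helper routine suggested above, as an added example that is not part of the original issue and is not BIND code. The `keydata_model` struct, `classify_key()`, `simulate()`, the `last_eval` argument and all timestamps are hypothetical or constructed; only the bare `addhd <= now` comparison and the "add hold-down timer of 0 means initializing key" rule come from the issue text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REFRESH_PERIOD 86400u /* constructed refresh interval (seconds) */

/* Hypothetical model of one managed-keys.bind record, not BIND's struct. */
typedef struct {
	uint32_t refresh; /* time of the next scheduled refresh */
	uint32_t addhd;   /* add hold-down timer; 0 marks an initializing key */
} keydata_model;

/* The meanings a), b) and c) from the issue, kept apart. */
typedef enum {
	KEY_INITIALIZING,   /* c) addhd == 0 */
	KEY_PENDING,        /* a) hold-down still running */
	KEY_NEWLY_TRUSTED,  /* a) hold-down expired since the last look */
	KEY_ALREADY_TRUSTED /* b) hold-down expired before the last look */
} key_state;

typedef struct {
	int queries;      /* refresh queries sent */
	int trusted_logs; /* "is now trusted" messages logged */
} sim_result;

/* The bare comparison quoted in the issue: true for every key whose
 * hold-down lies in the past, however long ago it expired. */
static bool
conflated_check(const keydata_model *kd, uint32_t now) {
	return kd->addhd <= now;
}

/*
 * Assumed helper: last_eval is the time this key was last examined. It is
 * extra state the bare comparison lacks, and it is what separates
 * "became trusted just now" from "has been trusted for a while".
 */
static key_state
classify_key(const keydata_model *kd, uint32_t last_eval, uint32_t now) {
	if (kd->addhd == 0) {
		return KEY_INITIALIZING;
	}
	if (kd->addhd > now) {
		return KEY_PENDING;
	}
	if (kd->addhd > last_eval) {
		return KEY_NEWLY_TRUSTED;
	}
	return KEY_ALREADY_TRUSTED;
}

/* Replay a list of key events and count queries and log lines under
 * either the conflated policy or the state-aware one. */
static sim_result
simulate(keydata_model kd, uint32_t last_eval, const uint32_t *events,
	 size_t n, bool conflated) {
	sim_result r = { 0, 0 };
	for (size_t i = 0; i < n; i++) {
		uint32_t now = events[i];
		bool due = kd.refresh <= now;
		bool query, log_trusted;
		if (conflated) {
			query = due || conflated_check(&kd, now);
			log_trusted = query && conflated_check(&kd, now);
		} else {
			key_state s = classify_key(&kd, last_eval, now);
			query = due || s == KEY_NEWLY_TRUSTED;
			log_trusted = (s == KEY_NEWLY_TRUSTED);
		}
		if (query) {
			r.queries++;
			kd.refresh = now + REFRESH_PERIOD;
		}
		if (log_trusted) {
			r.trusted_logs++;
		}
		last_eval = now;
	}
	return r;
}

/* Constructed key events: two interleaved daily cycles, as in issue 1. */
static const uint32_t EVENTS[] = { 200000, 250000, 286400, 336400 };
#define N_EVENTS (sizeof(EVENTS) / sizeof(EVENTS[0]))

int
main(void) {
	/* Constructed key that became trusted well before the first event. */
	keydata_model trusted = { .refresh = 200000, .addhd = 100000 };
	sim_result a = simulate(trusted, 150000, EVENTS, N_EVENTS, true);
	sim_result b = simulate(trusted, 150000, EVENTS, N_EVENTS, false);
	printf("conflated:   %d queries, %d log lines\n", a.queries,
	       a.trusted_logs);
	printf("state-aware: %d queries, %d log lines\n", b.queries,
	       b.trusted_logs);
	return 0;
}
```
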
[1]: https://gitlab.isc.org/isc-projects/bind9/-/blob/5238433f784935cb1c84a9f5dcb32d28f243fb0c/lib/dns/zone.c#L10737
[2]: https://gitlab.isc.org/isc-projects/bind9/-/blob/5238433f784935cb1c84a9f5dcb32d28f243fb0c/lib/dns/zone.c#L10522
[3]: https://gitlab.isc.org/isc-projects/bind9/-/blob/5238433f784935cb1c84a9f5dcb32d28f243fb0c/lib/dns/zone.c#L10727-10730
[4]: https://gitlab.isc.org/isc-projects/bind9/-/blob/5238433f784935cb1c84a9f5dcb32d28f243fb0c/lib/dns/zone.c#L10447-10457

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1916
Check ECS response in DiG for RFC compliance
2024-03-13T13:11:50Z
Mark Andrews

We have seen servers that return ECS responses that don't meet this requirement.
```
RFC 7871, 7.2.1. Authoritative Nameserver
FAMILY, SOURCE PREFIX-LENGTH, and ADDRESS in the response MUST match
those in the query. Echoing back these values helps to mitigate
certain attack vectors, as described in Section 11.
```
Add a warning when the ECS response fails to meet this requirement.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1896
spurious root queries on timeout
2023-11-02T16:58:16Z
Evan Hunt

Reported by Ke Li <kl3158@columbia.edu> against 9.11.18 and 9.16.1.
```
Dear BIND authors,
We have documented specific cases where BIND9 (9.11.18 and 9.16.1)
generates generate requests to root servers which we think are not very
useful. We would like to know if it is a known behavior or if there is
an underlying design choice for these queries that we do not understand?
Below is a brief overview of what we found.
The behavior we found is that when BIND9 has TLD servers' addresses in
the cache, which authoritative for domains like "com", and BIND9 gets an
A or AAAA type request like "some.example.com" from users, it still
sends requests like "ns1.example.com" to root and root server replies
with addresses of TLD servers again. The pattern looks like this:
user asks BIND9 Query: bidder.criteo.com, Type A =
BIND9 asks TLD servers To: 192.42.93.30 (g.gtld) Query: =
bidder.criteo.com, Type A =
Get a response from TLD servers From: 192.42.93.30 (g.gtld) Query: =
bidder.criteo.com =
=
Response: NS ns23.criteo.com NS =
ns22.criteo.com NS ns25.criteo.com NS =
ns26.criteo.com NS ns27.criteo.com NS =
ns28.criteo.com. All with A-type records in =
"Additional Records". =
BIND9 asks one of the nameservers. No reply To: 74.119.119.1 (ns25.criteo.=
com) Query: =
bidder.criteo.com, Type A =
BIND9 asks another nameserver. To: 182.161.73.4 (ns28.criteo.com) Query: =
bidder.criteo.com Type A =
And at the same time, =
=
BIND9 sends requests to root =
To: 192.58.128.30 (j.root) Query: =
ns22.criteo.com Type AAAA =
To: 192.58.128.30 (j.root) Query: =
ns23.criteo.com Type AAAA =
To: 192.58.128.30 (j.root) Query: =
ns27.criteo.com Type AAAA =
To: 192.58.128.30 (j.root) Query: =
ns25.criteo.com Type AAAA =
To: 192.58.128.30 (j.root) Query: =
ns26.criteo.com Type AAAA =
To: 192.58.128.30 (j.root) Query: =
ns28.criteo.com Type AAAA =
We deployed a BIND9 v9.11.18 instance and a BIND9 v9.16.1 locally and
loaded web captured traffic by Wireshark on port 53. Then we analyzed
the data and found several about these interesting requests to root.
1. they are requesting authoritative nameservers of a subdomain or a
hostname. For "ns23.criteo.com" and "ns22.criteo.com" are authoritative
nameservers for
2. they are requesting records that are not in the last level
nameserver's response. For in the response from the TLD server to
BIND9's request on "bidder.criteo.com", there is no type record (in
"Additional Records") for nameserver "ns23.criteo.com", so BIND9 later
AAAA type request on "ns23.criteo.com" to root.
3. if BIND9 timeouts when it queries one of these nameservers, BIND9
will generate these requests to root. For example, after getting the
response from the TLD server on "bidder.criteo.com", BIND9 goes ahead
and sends a request on "bidder.criteo.com" to "ns25.criteo.com", but
there is no reply. Then BIND9 will send the request to another name
server (randomly chose) "ns28.criteo.com" and also generate requests to
root.
Therefore, we guess this kind of request are generated by timeouts when
BIND9 queries nameservers. We then tried to validate our hypothesis. We
manually created timeouts iptables to ban IPs of some nameservers and
the same behavior happened. A simple test pcap file as an example is
attached, with an explanation. Also, the configuration file of our
deployment is attached. We then validated our hypothesis on a recursive
resolver at an academic institution running BIND9 v9.11.14, found out
that around 80% A and AAAA root servers were in this pattern.
We'd appreciate it if you help us understand this behavior. We mainly
are curious about reason behind it. Is it a necessary design or is it
avoidable? We think maybe some DNS root servers would be saved if BIND9
could avoid this kind of behavior.
Thank you very much!
````

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1879
ARM and named man page incorrect regarding -U and number of listeners
2024-02-14T14:48:26Z
Cathy Almond

As verified in 9.16.3 ARM. From [Support ticket #16280](https://support.isc.org/Ticket/Display.html?id=16280)
The ARM still says (about the options for starting named):
```
-U #listeners
Use #listeners worker threads to listen for incoming UDP packets on each address. If
not specified, named will calculate a default value based on the number of detected CPUs:
1 for 1 CPU, and the number of detected CPUs minus one for machines with more than 1
CPU. This cannot be increased to a value higher than the number of CPUs. If -n has been
set to a higher value than the number of detected CPUs, then -U may be increased as high
as that value, but no higher. On Windows, the number of UDP listeners is hardwired to 1
and this option has no effect.
```
This is in fact untrue - we're using '-n' throughout (apart from Windows), as of 9.12 and up.
E.g. from named starting up:
> ...
> 16-Apr-2020 05:51:48.172 found 24 CPUs, using 24 worker threads
> 16-Apr-2020 05:51:48.172 using 24 UDP listeners per interface
> 16-Apr-2020 05:51:48.201 using up to 21000 sockets
> ...
I expect this changed post-9.11 at some point when we changed how the legacy server sockets code works.
Please fix the ARM and man page appropriately (maybe in the next maintenance releases?)

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1878
Improve mirror zone implementation by using an iterator for the zone validation step
2023-11-02T16:58:15Z
Cathy Almond

Tying loosely into [Support ticket #16268](https://support.isc.org/Ticket/Display.html?id=16268)
We were never able to replicate problems with client resolution during mirror zone refresh (using IXFR), and neither were we able to replicate 'slowness' of updating the zone itself. The suspicion is now that the reported issues were due to `something else` and what we were seeing was symptom not cause.
However, along the way (and in #1802 and #1803) what was re-exposed is that the validation step for mirror zone updates doesn't take place within an iterator, so it's anti-social, in that it doesn't relinquish the CPU/thread it's working on until it's finished. This is documented as a known feature of the mirror zone implementation, and most of the time it really should not matter (it doesn't take long to validate the entire root zone, which is what the mirror zone implementation was designed for).
This issue ticket is a placeholder to note that we considered this something that we'd like to do, although it's not burningly urgent in the bigger picture of Things That Need To Be Done.
(We also uncovered that the validation step takes place against the entire zone, for each increment being applied (increment = bundled set of changes between SOA start and end RRs, not each individual change), so is potentially inefficient when pulling IXFRs rather than AXFRs from the root servers - but this has to be balanced against the rate of flux of the mirror zone (low for the root zone), so it's probably not worth tackling this too.)

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/1831
Feature request: Separate NXDOMAIN cache with its own max-ncache-size
2024-03-01T10:04:57Z
Cathy Almond

This relates to PRSD DDoS attacks, and the effect on participating resolvers when the domain under onslaught is able to keep responding and does not die or rate-limit the resolvers.
The scenario is one in which a very large number of unique names are being queried, the objective being to bypass cached NXDOMAINs in resolvers and to force every name to become a query to the authoritative servers for the domain (or hosting provider) that is being attacked.
Typically, the target servers will either die, or will commence rate-limiting their perceived attackers. In the case of a resolver, this will result in a large number of recursive queries being backlogged while they wait for the server responses that never arrive.
BIND uses fetch-limits to mitigate the non-responding servers scenario.
But in the situation where the servers never die or never rate-limit, the outcome is rather different. Resolvers that can cope with the increase in traffic (which usually isn't actually that much), instead see a rapid increase in memory consumption (and decrease in cache hits!) due to the NXDOMAIN responses that are received and then cached (never to be used again).
One mitigation for resolver operators has been to reduce max-ncache-ttl to silly small values - but the effectiveness of this depends on the structure of the cache nodes and how often opportunistic cache cleaning hits these nodes.
Yes, overmem (LRU-based logic) cache-cleaning will help with this, but for many, it is going to be at the expense of 'positive' cache content, and regular clients will start to suffer with more cache-misses, as well as cache churn increasing as negative and positive cache content keeps being 'swapped'.
Mark suggested keeping negative answers in a separate cache, where they could have their own max-ncache-size and churn all by themselves, without affecting main cache.
This sounds like A Good Idea - but one that we've never yet got around to, as part of ongoing DDoS mitigation work.
(Also tagging this as 'Customer' since I can find many a customer ticket where customers have been bitten by this when one specific and well-known DNS hosting company have been under attack, and their servers never falter in sending back NXDOMAIN responses to their 'attackers').

Not planned