BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2019-07-31T08:39:42Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/1160
Replace the isc_mem_put(mctx, ...)+isc_mem_detach(&mctx) usage with isc_mem_putanddetach(&mctx)
2019-07-31T08:39:42Z
Ondřej Surý

BIND 9.15.x
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/970
Add support for XPF
2019-11-01T10:54:35Z
Ondřej Surý

https://tools.ietf.org/html/draft-bellis-dnsop-xpf-04
Needs ACL and processing on the server side?
Do we also want to add client-side support (for forwarders, etc.)?

BIND 9.15.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/956
`lib/dns/tests/dnstap_test.c` appears to be broken - it crashes on every run
2019-04-26T22:53:12Z
Ondřej Surý

The following discussion from !1744 should be addressed:
- [x] @michal started a [discussion](https://gitlab.isc.org/isc-projects/bind9/merge_requests/1744#note_51378):
> I verified that the changes from this branch compile fine in my environment and do not prevent dnstap from working.
>
> However, `lib/dns/tests/dnstap_test.c` appears to be broken - it crashes on every run. I suspect its cmocka rework is the root cause. Interestingly enough, we do not test `--enable-dnstap` in CI, even though we produce packages with dnstap support.
>
> Since these problems were not introduced by this branch, I am obviously okay with resolving this discussion by opening separate issues.

BIND 9.15.x
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/866
DEPRECATE dnssec-enable option
2019-03-15T06:44:10Z
Ondřej Surý

BIND 9.15.x
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/738
Cleanup unused checks from configure.ac
2020-07-02T06:26:14Z
Ondřej Surý

There's a lot of accumulated cruft in `configure.ac`, it would be great to cross-check macros in generated `config.h` with their actual usage in the rest of the code, and remove the cruft from `configure.ac`, and matching stuff from `win32util/Configure`.

BIND 9.15.x
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/713
Use atomics instead of locks in isc_mem
2019-05-10T21:20:28Z
Ondřej Surý

BIND 9.15.x
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/669
Intermittent TCP test failure
2019-11-28T12:25:32Z
Ondřej Surý

Job [#86348](https://gitlab.isc.org/isc-projects/bind9/-/jobs/86348) failed for 68ca9877921892968c718865363e9115ba5095bf:

BIND 9.15.x
Witold Krecicki

https://gitlab.isc.org/isc-projects/bind9/-/issues/658
$sysconfdir is silently overridden with /etc when "--prefix" is not used
2020-01-14T21:16:05Z
Michał Kępień

@pspacek pointed out to me that when you use `./configure` without `--prefix`, `make install` puts everything under `/usr/local`... except the configuration files. I ran `./configure --help`, which yielded:
```
...
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
...
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
...
...
```
So far so good. Then I checked `configure.ac` and found [this][1]:
```sh
#
# Special processing of paths depending on whether --prefix,
# --sysconfdir or --localstatedir arguments were given. What's
# desired is some compatibility with the way previous versions
# of BIND built; they defaulted to /usr/local for most parts of
# the installation, but named.boot/named.conf was in /etc
# and named.pid was in /var/run.
#
# So ... if none of --prefix, --sysconfdir or --localstatedir are
# specified, set things up that way. If --prefix is given, use
# it for sysconfdir and localstatedir the way configure normally
# would. To change the prefix for everything but leave named.conf
# in /etc or named.pid in /var/run, then do this the usual configure way:
# ./configure --prefix=/somewhere --sysconfdir=/etc
# ./configure --prefix=/somewhere --localstatedir=/var
#
# To put named.conf and named.pid in /usr/local with everything else,
# set the prefix explicitly to /usr/local even though that's the default:
# ./configure --prefix=/usr/local
#
case "$prefix" in
NONE)
case "$sysconfdir" in
'${prefix}/etc')
sysconfdir=/etc
;;
esac
case "$localstatedir" in
'${prefix}/var')
localstatedir=/var
;;
esac
;;
esac
```
`git blame` indicates that this bit was added in 2000. I think that in 2018 this is wrong and confusing, especially given that `./configure --help` claims that the default value for `$sysconfdir` is `PREFIX/etc`. IMHO we should at least address this in *master*.
[1]: https://gitlab.isc.org/isc-projects/bind9/blob/d88efa7e40cbf244ca7886d8ddf0f0361ce8a518/configure.ac#L334-367

BIND 9.15.x
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/622
BIND should accept trust anchors / keys in DS format too, not just DNSKEY
2021-05-11T13:17:24Z
Ray Bellis

per title.
This would simplify use for those registries that would prefer to only receive DS records from their delegated children.
Also, the ICANN root trust anchor is mostly only distributed in DS format.

BIND 9.15.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/605
Add SipHash24 and synchronize the Cookie algorithm with other vendors
2019-07-22T12:15:37Z
Ondřej Surý

BIND 9.15.x
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/472
Intermittent statschannel test failure
2019-11-28T12:25:18Z
Ondřej Surý

Probably timing issue, but it needs to be investigated.
https://gitlab.isc.org/isc-projects/bind9/-/jobs/35045

BIND 9.15.x
Witold Krecicki

https://gitlab.isc.org/isc-projects/bind9/-/issues/225
Ed448 broken with OpenSSL 1.1.1-pre6
2019-05-30T12:39:40Z
Ondřej Surý

```
$ $KEYGEN -a 16 -n zone example
Generating key pair.
dnssec-keygen: warning: dns_dnssec_findmatchingkeys: error reading key file Kexample.+016+32343.private: failure
dnssec-keygen: warning: dns_dnssec_findmatchingkeys: error reading key file Kexample.+016+19532.private: failure
dnssec-keygen: warning: dns_dnssec_findmatchingkeys: error reading key file Kexample.+005+25545.private: file not found
Kexample.+016+30073
```

BIND 9.15.x
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/198
All channels are configured for a specific log facility, however bind9 still logs to daemon.info and daemon.notice
2018-11-13T13:01:02Z
Ghost User

### Summary
All channels are configured for a specific log facility, however bind9 still logs to daemon.info and daemon.notice
### Steps to reproduce
Configure logging and specify default_syslog and default_debug to use local6, rather than file. All documented categories are also defined to use default_syslog only, including the default and unmatched as catchalls.
```
logging {
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog local6;
severity info;
};
// is anything using this by default?
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
syslog local6;
severity dynamic;
};
channel default_stderr {
null;
};
channel null {
// toss anything sent to this channel
null;
};
category client { default_syslog; };
category cname { default_syslog; };
category config { default_syslog; };
category database { default_syslog; };
category delegation-only { default_syslog; };
category dispatch { default_syslog; };
category dnssec { default_syslog; };
category edns-disabled { default_syslog; };
category general { default_syslog; };
category lame-servers { default_syslog; };
category network { default_syslog; };
category notify { default_syslog; };
category queries { default_syslog; };
category query-errors { default_syslog; };
category rate-limit { default_syslog; };
category resolver { default_syslog; };
category rpz { default_syslog; };
category security { default_syslog; };
category spill { default_syslog; };
category update { default_syslog; };
category update-security { default_syslog; };
category xfer-in { default_syslog; };
category xfer-out { default_syslog; };
// why doesn't this work - to redirect everything????
category unmatched { default_syslog; };
category default { default_syslog; };
};
options {
...
```
(How one can reproduce the issue - this is very important.)
### What is the current *bug* behavior?
Some output is correctly directed to local6
```
Apr 11 12:24:26 local6.info: apu named[19291]: 11-Apr-2018 12:24:26.074 network: info: no longer listening on 192.168.201.1#53
Apr 11 12:24:26 local6.info: apu named[19291]: 11-Apr-2018 12:24:26.075 network: info: no longer listening on 192.168.202.1#53
Apr 11 12:24:26 local6.info: apu named[19291]: 11-Apr-2018 12:24:26.075 network: info: no longer listening on 192.168.203.1#53
Apr 11 12:24:26 local6.info: apu named[19291]: 11-Apr-2018 12:24:26.075 network: info: no longer listening on 192.168.204.1#53
Apr 11 12:24:26 local6.notice: apu named[19291]: 11-Apr-2018 12:24:26.105 general: notice: exiting
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.255 general: info: managed-keys-zone: journal file is out of date: removing journal file
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.256 general: info: managed-keys-zone: loaded serial 439
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.258 general: info: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.272 general: info: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.273 general: info: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 11 12:24:26 local6.info: apu named[19307]: 11-Apr-2018 12:24:26.277 rpz: info: (re)loading policy zone 'rpz' changed from 0 to 2 qname, 0 to 0 nsdname, 0 to 0 IP, 0 to 0 NSIP, 0 to 0 CLIENTIP entries
```
But a lot of output is sent to rsyslogd daemon.info and daemon.notice
```
Apr 11 12:22:03 daemon.info: apu systemd[1]: Started BIND Domain Name Server.
Apr 11 12:22:03 daemon.notice: apu named[19291]: starting BIND 9.10.3-P4-Debian <id:ebd72b3> -f -u bind
Apr 11 12:22:03 daemon.notice: apu named[19291]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu' '-
-infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-l
ibtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--w
ith-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libs
ofthsm2.so' '--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-VypbYM/bind9-9.10.3.dfsg.P4=. -fstack-protector-stron
g -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Apr 11 12:22:03 daemon.notice: apu named[19291]: ----------------------------------------------------
Apr 11 12:22:03 daemon.notice: apu named[19291]: BIND 9 is maintained by Internet Systems Consortium,
Apr 11 12:22:03 daemon.notice: apu named[19291]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Apr 11 12:22:03 daemon.notice: apu named[19291]: corporation. Support and training for BIND 9 are
Apr 11 12:22:03 daemon.notice: apu named[19291]: available at https://www.isc.org/support
Apr 11 12:22:03 daemon.notice: apu named[19291]: ----------------------------------------------------
Apr 11 12:22:03 daemon.notice: apu named[19291]: adjusted limit on open files from 4096 to 1048576
Apr 11 12:22:03 daemon.info: apu named[19291]: found 2 CPUs, using 2 worker threads
Apr 11 12:22:03 daemon.info: apu named[19291]: using 2 UDP listeners per interface
Apr 11 12:22:03 daemon.info: apu named[19291]: using up to 4096 sockets
Apr 11 12:22:03 daemon.info: apu named[19291]: loading configuration from '/etc/bind/named.conf'
...
Apr 11 12:22:03 daemon.info: apu named[19291]: automatic empty zone: B.E.F.IP6.ARPA
Apr 11 12:22:03 daemon.info: apu named[19291]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 11 12:22:03 daemon.info: apu named[19291]: automatic empty zone: EMPTY.AS112.ARPA
Apr 11 12:22:03 daemon.info: apu named[19291]: configuring command channel from '/etc/bind/rndc.key'
Apr 11 12:22:03 daemon.notice: apu named[19291]: command channel listening on 127.0.0.1#953
Apr 11 12:22:03 daemon.info: apu named[19291]: configuring command channel from '/etc/bind/rndc.key'
Apr 11 12:22:03 daemon.notice: apu named[19291]: command channel listening on ::1#953
```
### What is the expected *correct* behavior?
I expect only the configured channel (local6) to be used.
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)

BIND 9.15.x
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/84
Crash at shutdown in rpz.c
2020-06-18T11:31:48Z
Tony Finch

After running `rndc stop` shortly after starting the server,
```
2018-02-21.12:58:47.215 general: critical: rpz.c:2202: REQUIRE(rpz != ((void *)0)) failed
2018-02-21.12:58:47.215 general: critical: exiting (due to assertion failure)
```
```
#0 0x00007fc47dcc2067 in __GI_raise (sig=sig@entry=6)
at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fc47dcc3448 in __GI_abort () at abort.c:89
#2 0x000055ad8a459439 in assertion_failed (file=0x55ad8a6e0e8f "rpz.c", line=2202,
type=2325208112, cond=0x55ad8a6e0efa "rpz != ((void *)0)") at ./main.c:248
#3 0x000055ad8a64f9ba in isc_assertion_failed (
file=file@entry=0x55ad8a6e0e8f "rpz.c", line=line@entry=2202,
type=type@entry=isc_assertiontype_require,
cond=cond@entry=0x55ad8a6e0efa "rpz != ((void *)0)") at assertions.c:49
#4 0x000055ad8a5bc932 in dns_rpz_add (rpzs=0x7fc470200500, rpz_num=2 '\002',
src_name=<optimized out>) at rpz.c:2202
#5 0x000055ad8a5bd08b in update_quantum (task=0x5045, event=0x0) at rpz.c:1914
#6 0x000055ad8a676177 in dispatch (manager=0x7fc47f89f010) at task.c:1138
#7 run (uap=0x7fc47f89f010) at task.c:1310
#8 0x00007fc47e3a7064 in start_thread (arg=0x7fc47a72c700) at pthread_create.c:309
#9 0x00007fc47dd7562d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```
I have not investigated this in any detail yet - I'll add more info to this issue if/when I have it.

BIND 9.15.x
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/29
Improve overall (networking) performance
2019-11-07T21:32:34Z
Ondřej Surý

The asynchronous socket code is the next candidate to get replaced by an external library that does things better and is actually maintained. [libuv](http://libuv.org/) is a multi-platform support library with a focus on asynchronous I/O.
Apart from the networking I/O, the library can also do other things in a multiplatform manner:
* File system operations
* Thread pool work scheduling
* DNS utility functions
* Shared library handling
* Threading and synchronization utilities
* Miscellaneous utilities
The library is well maintained, and it would remove a great burden of maintaining our custom code. I asked @muks to look into it.

BIND 9.15.x
Witold Krecicki