BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2021-10-04T12:33:06Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/141
RT 43435 - Upload BIND Python module to pypi, package for BIND users
2021-10-04T12:33:06Z
Vicky Risk vicky@isc.org

RT 43435 - text below is migrated from bugsRT
On Wed, May 3, 2017 at 1:04 PM, Vicky Risk via RT <bind9-bugs@isc.org> wrote:
We discussed uploading a python module for BIND to the pypi repository in our development meeting today. ... The open question we are considering is whether to submit just the RNDC components, or <more>. I think Evan is wondering whether it might cause user confusion having multiple different copies of the python library (assuming they are also running BIND).
.......
I wasn't aware the python library was going to be distributed with BIND... but here are some thoughts on that:
A very common (nearly standard) way of operating with python is to work inside what's referred to as a "python virtual environment," or virtualenv/venv. In this environment, libraries and other python packages required by one's work can be installed without interfering with the system packages.. this is very important, for example, when working on tools that have conflicting package (version) requirements.
The packages inside a venv are typically installed using 'pip'.. the python package manager that uses pypi as its back-end.
Getting something installed into a venv that is not on pypi is irritating at best, and occasionally difficult to do. This is especially true for automated deployments where the virtualenv is used in production operations.
For a real-world example, the ldns python bindings are only shipped with the ldns source code, and not in pypi, and as a result I need to have a very compelling reason to need them over any other DNS library (and over just shelling out to an ldns binary) in order to deal with the complexities of working with them.
To view this from another angle: If BIND's 'make install' places the RNDC python libraries on the system in such a way that they're visible to/registered with pip, then end users aren't going to find anything confusing .. because as far as pip is concerned it doesn't matter where the library came from. If the RNDC python library is not visible to/registered with pip, then BIND shouldn't be installing it that way.. it will cause confusion regardless of whether the library is available on pypi or not.
--------
Adding Matt Pounsett as stakeholder, because he has offered us a package that includes just the python RNDC stuff that is ready to upload.
Matt, I can’t find the email from you about the Python package for the BIND RNDC interface. Did you submit it to bind-bugs@isc.org? If you want to reply to this ticket and attach it, it will be easier for us to find it to work on.
I didn't.. this started as a conversation with Ray, and so I emailed him about it. The work I've done so far is in a private repo on github. Github, because it seemed a reasonable place to work on it, and private so that I don't inadvertently share it with anyone other than ISC prior to ISC applying a license to it.
My email to Ray included an offer to add ISC employees' accounts to access the repository and/or hand over full ownership of the repository. Whichever you like. The repo is at <https://github.com/mpounsett/rndc> but that won't be accessible until we do something with access.
There are still a few small steps to be taken before it's ready for upload: notably decisions I couldn't make on behalf of ISC about licensing, development status indicators, etc.

https://gitlab.isc.org/isc-projects/bind9/-/issues/142
add more checks to precheck CI stage
2018-08-24T20:18:53Z
Evan Hunt

It should also call util/checklibs.sh, to make sure that needed include files are present and .def files are up to date.
It could also check xmllint when documentation is updated, look for $Id$ tags that haven't been removed, etc.

https://gitlab.isc.org/isc-projects/bind9/-/issues/143
rndc command crashes bind-9.10.6-P1 - ev_ratelink.prev on Debian 9
2018-03-10T16:03:47Z
Ghost User

Good evening,
Running fresh install of Debian 9 (x64), named is running in background, but when issuing rndc status (any command really) it crashes with:
task.c:551: REQUIRE(!((void *)((event)->ev_ratelink.prev) != (void *)(-1))) failed, back trace
#0 0x7f2a69b070e4 in ??
#1 0x7f2a69b0704a in ??
#2 0x7f2a69b2c4aa in ??
#3 0x7f2a6a378cd8 in ??
#4 0x7f2a69b2a570 in ??
#5 0x7f2a69247494 in ??
#6 0x7f2a68f89aff in ??
Aborted
Here's the named -V dump:
BIND 9.10.6-P1 <id:f941e36>
running on Linux x86_64 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23)
built by make with '--without-gost' '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--with-libtool' '--mandir=/usr/man' '--enable-shared' '--disable-static' '--with-libxml2=no' '--enable-threads' '--with-openssl' '--enable-developer'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.1.0f 25 May 2017
linked to OpenSSL version: OpenSSL 1.1.0f 25 May 2017
Obtained the core and dropped it through gdb and issued
thread apply all bt full
[gdb_dump.txt](/uploads/b3a791b04155edd8eacff57bccaf46f7/gdb_dump.txt)
I am able to install bind-9.10.6-P1 on a fresh install of Debian 8 (x64) with no problems.
Thank you for reviewing this.
Eric

https://gitlab.isc.org/isc-projects/bind9/-/issues/144
CVE-2016-2776 and CVE-2015-4620
2018-03-13T14:39:26Z
Ghost User

Dear
The bind version we used is 9.10.0-P1. We want to fix the loophole (CVE-2016-2776 and CVE-2015-4620). And I have compared the changes between the problem version and fixed version. I can't ensure the specific modification points of the loopholes. Can you apply the specific modification points of the loopholes (CVE-2016-2776 and CVE-2015-4620)? Please.
best regards!

https://gitlab.isc.org/isc-projects/bind9/-/issues/145
different RRSIG expiry for DNSKEY
2018-08-02T19:33:02Z
Evan Hunt

As reported by @cathya, a customer has a use case in which they keep the KSK offline most of the time, but bring it online periodically so that the zone's DNSKEY RRSIGs can be refreshed. They'd like to have a longer signature validity period for the DNSKEY only. This is similar to what's done by `dnssec-signzone -X`, but done by the automatic signing process in `named`.

BIND-9.13.0

https://gitlab.isc.org/isc-projects/bind9/-/issues/146
Fix existing auth ECS support as much as possible
2018-03-28T16:08:47Z
Ghost User

BIND-9.13.0

https://gitlab.isc.org/isc-projects/bind9/-/issues/147
Add Windows to GitLab CI
2022-11-10T14:18:14Z
Ondřej Surý

October 2019 (9.11.12, 9.14.7, 9.15.5)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/148
Add BSDs to GitLab CI
2019-11-05T11:03:22Z
Ondřej Surý

November 2019 (9.11.13, 9.14.8, 9.15.6)
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/150
Remove workarounds for servers that are not EDNS compliant.
2019-09-04T23:48:20Z
Mark Andrews

BIND-9.13.4
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/151
arpaname segfault on OpenBSD 6.2 i386
2018-03-15T18:55:12Z
Carsten Strotmann

### Summary
the command "arpaname" segfaults and writes a core file when used
OpenBSD 6.2 i386 BIND 9.12.0
### Steps to reproduce
call arpaname with an ipv4 or ipv6 address
### What is the current *bug* behavior?
arpaname segfaults and writes a core dump file
```
# arpaname 2001:db8::1
Segmentation fault (core dumped)
```
### What is the expected *correct* behavior?
arpaname prints the arpaname of the ip address
### Relevant logs and/or screenshots
````
(gdb) bt
#0 malloc (size=65536) at /usr/src/lib/libc/stdlib/malloc.c:1165
#1 0x024efde9 in __smakebuf (fp=0x22453798) at /usr/src/lib/libc/stdio/makebuf.c:62
#2 0x024ef113 in __swsetup (fp=0x22453798) at /usr/src/lib/libc/stdio/wsetup.c:73
#3 0x024dccea in __vfprintf (fp=0x22453798, fmt0=0x358d8000 "%X.%X.", ap=0xcf7c2468 "\001") at /usr/src/lib/libc/stdio/vfprintf.c:461
#4 0x024dfabf in vfprintf (fp=0x22453798, fmt0=0x358d8000 "%X.%X.", ap=0xcf7c2468 "\001") at /usr/src/lib/libc/stdio/vfprintf.c:267
#5 0x024c08e9 in fprintf (fp=0x22453798, fmt=0x358d8000 "%X.%X.") at /usr/src/lib/libc/stdio/fprintf.c:45
#6 0x158d8d1d in main (argc=Cannot access memory at address 0x0
) at arpaname.c:38
````

https://gitlab.isc.org/isc-projects/bind9/-/issues/153
Review the needed libraries to link...
2020-04-28T09:09:42Z
Ondřej Surý

f.e. arpaname links to libisc (and friends) and there's really no reason to (it just uses `inet_pton` and `fprintf`). There might be more.
It's probably easy (with right tools) to review the symbols actually needed in the binary and remove the unnecessary linking.

https://gitlab.isc.org/isc-projects/bind9/-/issues/154
Build failure on OSX with --disable-atomic --enable-developer
2018-03-19T22:14:14Z
Curtis Blackburn

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
BIND9 fails to build on OSX with --disable-atomic and --enable developer
see output at: https://jenkins.isc.org/view/BIND/job/bind9-master-macmini--disable-atomic/513/console
### Steps to reproduce
$ ./configure --disable-atomic --without-zlib --with-atf=/Users/jenkins/opt/atf --with-openssl=/usr/local/opt/openssl/ --with-libxml2=/usr/local/opt/libxml2 --enable-full-report --enable-developer
$ make
### What is the current *bug* behavior?
atomic_test.c:319:16: error: unused parameter 'tp' [-Werror,-Wunused-parameter]
ATF_TP_ADD_TCS(tp) {
^
1 error generated.
make[3]: *** [atomic_test.o] Error 1
### What is the expected *correct* behavior?
a successful build
### Relevant configuration files
none
### Relevant logs and/or screenshots
see https://jenkins.isc.org/view/BIND/job/bind9-master-macmini--disable-atomic/513/console
### Possible fixes
we probably need an UNUSED(tp) on line 320 of atomic_test.c

BIND-9.13.0

https://gitlab.isc.org/isc-projects/bind9/-/issues/156
Test Issue [ISC-support #12616]
2018-03-21T16:02:17Z
Ghost User

### Description
Please ignore this.
### Request
Please ignore this.
### Links / references

https://gitlab.isc.org/isc-projects/bind9/-/issues/157
Windows build fails
2018-03-19T22:15:43Z
Curtis Blackburn

The build fails on windows, because the sln file still references lib/tests, which was removed.
see: https://jenkins.isc.org/view/BIND/job/bind9-master-win2012-x64-systests/1072/console

BIND-9.13.0

https://gitlab.isc.org/isc-projects/bind9/-/issues/158
crash at shutdown in rbtdb.c
2020-05-20T20:49:34Z
Tony Finch

Dunno if this is related to #84 and/or my patch !71
```
2018-03-16.11:33:05.661 general: critical: rbtdb.c:1300: INSIST((((rbtdb->rdatasets[i]).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)) failed
2018-03-16.11:33:05.675 general: critical: exiting (due to assertion failure)
```
```
(gdb) bt
#0 0x00007ff885a46067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ff885a47448 in __GI_abort () at abort.c:89
#2 0x000055cefcca24c9 in assertion_failed (file=0x55cefcf1e8aa "rbtdb.c", line=1300, type=4246502448,
cond=0x55cefcf1c7b0 "(((rbtdb->rdatasets[i]).head == ((void *)0)) ? isc_boolean_true : isc_boolean_false)") at ./main.c:248
#3 0x000055cefce98a7a in isc_assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at assertions.c:49
#4 0x000055cefcd802c1 in free_rbtdb (rbtdb=0x7ff87c98d010, log=(unknown: 16), event=0x0) at rbtdb.c:1300
#5 0x000055cefcd832a6 in maybe_free_rbtdb (rbtdb=0x7ff87c98d010) at rbtdb.c:1416
#6 0x000055cefcd833b5 in detach (dbp=0x7ff87c989090) at rbtdb.c:1431
#7 0x000055cefcd22470 in dns_db_detach (dbp=dbp@entry=0x7ff87c989090) at db.c:164
#8 0x000055cefcd188d7 in cache_free (cache=0x7ff87c989010) at cache.c:385
#9 0x000055cefcd19eac in dns_cache_detach (cachep=<optimized out>) at cache.c:476
#10 0x000055cefce358d2 in destroy (view=0x7ff8781fcbf0) at view.c:413
#11 0x000055cefce36ab2 in dns_view_weakdetach (viewp=viewp@entry=0x7ff8788671e8) at view.c:689
#12 0x000055cefce40639 in zone_free (zone=zone@entry=0x7ff878866890) at zone.c:1144
#13 0x000055cefce5c728 in zone_shutdown (task=<optimized out>, event=<optimized out>) at zone.c:12845
#14 0x000055cefcebf237 in dispatch (manager=0x7ff887623010) at task.c:1138
#15 run (uap=0x7ff887623010) at task.c:1310
#16 0x00007ff88612b064 in start_thread (arg=0x7ff8844b4700) at pthread_create.c:309
#17 0x00007ff885af962d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/159
Improve handling of inline signed zones with missing signing keys
2018-04-25T19:25:27Z
Michał Kępień

[RT #35502](https://bugs.isc.org/Ticket/Display.html?id=35502) points out that `named` treats inline signed zones with no associated signing keys in a somewhat confusing way. It boils down to two issues:
1. Bumped signed serial is logged even when an error occurs while updating signatures later on. To reproduce the problem, configure a zone like this:
```
zone "foo." {
    type master;
    file "foo.db";
    inline-signing yes;
    auto-dnssec maintain;
};
```
Do not create any signing keys, prepare zone file `foo.db` with serial number 1, start `named`. Then update `foo.db` by setting the serial number to 2 and run `rndc reload foo`. Something like this will be logged:
```
16-Mar-2018 23:33:46.839 zone foo/IN (unsigned): loaded serial 2
16-Mar-2018 23:33:46.839 zone foo/IN (signed): serial 2 (unsigned 2)
16-Mar-2018 23:33:46.840 zone foo/IN (signed): could not get zone keys for secure dynamic update
16-Mar-2018 23:33:46.840 zone foo/IN (signed): receive_secure_serial: not found
```
However, `named` will still be serving version 1 of the zone.
1. While configuring an inline signed zone without any signing keys results in an unsigned version of the zone being served, any subsequent updates to the raw zone are not reflected in the secure zone. While not creating signing keys for a zone explicitly designated to be signed may be considered a self-foot-shoot, it would arguably be a more user-friendly approach to keep applying raw zone changes to the secure zone as long as it is safe to do so, i.e. until signing keys become available (at which point applying raw zone changes without the accompanying signature changes would break existing signatures).

BIND-9.13.0
Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/160
Several BIND 9.11.3 system test fail on Solaris 10 (SunOS 5.10)
2018-11-08T19:19:36Z
Ghost User

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
<pre>
### Summary
(Summarize the bug encountered concisely.)
bind 9.11.3 make test failed.
platform:
SunOS pepper 5.10 Generic_142901-10 i86pc i386 i86pc
config line:
./configure --enable-shared --enable-threads --with-libtool --with-openssl=/usr/local/ssl
openssl,gcc and perl version:
OpenSSL 1.0.2n 7 Dec 2017
This is perl 5, version 24, subversion 0 (v5.24.0) built for i86pc-solaris
gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
path etc:
PATH=/usr/local/perl5/bin:/usr/ccs/bin:/usr/local/ssl/bin:/usr/sfw/bin:/usr/sbin:/usr/bin:/usr/local/bin
### Steps to reproduce
(How one can reproduce the issue - this is very important.)
run as root.
cd /usr/local/src/bind/bind-9.11.3
./configure --enable-shared --enable-threads --with-libtool --with-openssl=/usr/local/ssl
make depend && make &&
make test
### What is the current *bug* behavior?
(What actually happens.)
no compile error but reports 3 errors (autosign, runtime and sfcache) in test.
results:
I:System test result summary:
I: 3 FAIL
I: 76 PASS
I: 5 SKIPPED
I: 1 UNTESTED
9.9.12 also reports 5 errors with same configuration.
I:System test result summary:
I: 5 FAIL
I: 58 PASS
I: 1 PKCS11ONLY
I: 4 SKIPPED
I: 1 UNTESTED
in 9.9.11-P1, no compile errors and no error reports in test.
### What is the expected *correct* behavior?
(What you should see instead.)
### Relevant configuration files
(Paste any relevant configuration files - please use code blocks (```)
to format console output. If submitting the contents of your
configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
`named-checkconf -px`.)
### Relevant logs and/or screenshots
(Paste any relevant logs - please use code blocks (```) to format console
output, logs, and code, as it's very hard to read otherwise.)
S:autosign:Thu Mar 15 13:41:14 JST 2018
T:autosign:1:A
A:System test autosign
I:generating keys and preparing zones
I:setting up zone: secure.example
I:setting up zone: secure.nsec3.example
I:setting up zone: nsec3.nsec3.example
I:setting up zone: optout.nsec3.example
I:setting up zone: nsec3.example
I:setting up zone: autonsec3.example
I:setting up zone: secure.optout.example
I:setting up zone: nsec3.optout.example
I:setting up zone: optout.optout.example
I:setting up zone: optout.example
I:setting up zone: rsasha256.example
I:setting up zone: rsasha512.example
I:setting up zone: nsec.example
I:setting up zone: oldsigs.example
I:setting up zone: nsec3-to-nsec.example
I:setting up zone: secure-to-insecure.example
I:setting up zone: secure-to-insecure2.example
I:setting up zone: prepub.example
I:setting up zone: ttl1.example
I:setting up zone: ttl2.example
I:setting up zone: ttl3.example
I:setting up zone: ttl4.example
I:setting up zone: delay.example
I:setting up zone: nozsk.example
I:setting up zone: inaczsk.example
I:setting up zone: reconf.example
I:setting up zone: sync.example
I:setting up zone: inacksk2.example
I:setting up zone: inaczsk2.example
I:setting up zone: inacksk3.example
I:setting up zone: inaczsk3.example
I:waiting for autosign changes to take effect
I:waiting ... (1)
I:waiting ... (2)
I:waiting ... (3)
I:done
I:check that zone with active and inactive KSK and active ZSK is properly
I: resigned after the active KSK is deleted - stage 1: Verify that DNSKEY
I: is initially signed with a KSK and not a ZSK. (1)
dnssec-settime: fatal: Invalid keyfile Kinacksk3.example.+007+%05uu: file not found
I:check that zone with active and inactive ZSK and active KSK is properly
I: resigned after the active ZSK is deleted - stage 1: Verify that zone
I: is initially signed with a ZSK and not a KSK. (2)
dnssec-settime: fatal: Invalid keyfile Kinaczsk3.example.+007+%05uu: file not found
I:checking NSEC->NSEC3 conversion prerequisites (3)
I:checking NSEC3->NSEC conversion prerequisites (4)
I:converting zones from nsec to nsec3
I:preset nsec3param in unsigned zone via nsupdate (5)
I:checking for nsec3param in unsigned zone (5)
I:checking for nsec3param signing record (6)
I:resetting nsec3param via rndc signing (7)
I:signing preset nsec3 zone
I:waiting for changes to take effect
I:converting zone from nsec3 to nsec
I:waiting for change to take effect
I:checking that expired RRSIGs from missing key are not deleted (8)
I:checking that expired RRSIGs from inactive key are not deleted (9)
I:checking that non-replaceable RRSIGs are logged only once (missing private key) (10)
I:checking that non-replaceable RRSIGs are logged only once (inactive private key) (11)
I:dumping zone files
I:checking expired signatures were updated (12)
I:checking NSEC->NSEC3 conversion succeeded (13)
I:checking direct NSEC3 autosigning succeeded (14)
I:checking NSEC->NSEC3 conversion failed with NSEC-only key (15)
I:checking NSEC3->NSEC conversion succeeded (16)
I:checking NSEC3->NSEC conversion with 'rndc signing -nsec3param none' (17)
I:checking TTLs of imported DNSKEYs (no default) (18)
I:checking TTLs of imported DNSKEYs (with default) (19)
I:checking TTLs of imported DNSKEYs (mismatched) (20)
I:checking TTLs of imported DNSKEYs (existing RRset) (21)
I:checking positive validation NSEC (22)
I:checking positive validation NSEC3 (23)
I:checking positive validation OPTOUT (24)
I:checking negative validation NXDOMAIN NSEC (25)
I:checking negative validation NXDOMAIN NSEC3 (26)
I:checking negative validation NXDOMAIN OPTOUT (27)
I:checking negative validation NODATA NSEC (28)
I:checking negative validation NODATA NSEC3 (29)
I:checking negative validation NODATA OPTOUT (30)
I:checking 1-server insecurity proof NSEC (31)
I:checking 1-server negative insecurity proof NSEC (32)
I:checking multi-stage positive validation NSEC/NSEC (33)
I:checking multi-stage positive validation NSEC/NSEC3 (34)
I:checking multi-stage positive validation NSEC/OPTOUT (35)
I:checking multi-stage positive validation NSEC3/NSEC (36)
I:checking multi-stage positive validation NSEC3/NSEC3 (37)
I:checking multi-stage positive validation NSEC3/OPTOUT (38)
I:checking multi-stage positive validation OPTOUT/NSEC (39)
I:checking multi-stage positive validation OPTOUT/NSEC3 (40)
I:checking multi-stage positive validation OPTOUT/OPTOUT (41)
I:checking empty NODATA OPTOUT (42)
I:checking 2-server insecurity proof (43)
I:checking 2-server insecurity proof with a negative answer (44)
I:checking security root query (45)
I:checking positive validation RSASHA256 NSEC (46)
I:checking positive validation RSASHA512 NSEC (47)
I:checking that positive validation in a privately secure zone works (48)
I:checking that negative validation in a privately secure zone works (49)
I:checking privately secure to nxdomain works (50)
I:checking that validation returns insecure due to revoked trusted key (51)
I:checking that revoked key is present (52)
I:checking that revoked key self-signs (53)
I:checking for unpublished key (54)
I:checking for activated but unpublished key (55)
I:checking that standby key does not sign records (56)
I:checking that deactivated key does not sign records (57)
I:checking insertion of public-only key (58)
I:checking key deletion (59)
I:checking secure-to-insecure transition, nsupdate (60)
I:checking secure-to-insecure transition, scheduled (61)
I:checking that serial number and RRSIGs are both updated (rt21045) (62)
I:preparing to test key change corner cases
I:removing a private key file
I:preparing ZSK roll
I:revoking key to duplicated key ID
dnssec-settime: warning: Permissions on the file ns2/Kbar.+005+30676.private have changed from 0644 to 0600 as a result of this operation.
I:waiting for changes to take effect
I:checking former standby key is now active (63)
I:checking former standby key has only signed incrementally (64)
I:checking that signing records have been marked as complete (65)
I:forcing full sign
I:waiting for change to take effect
I:checking former standby key has now signed fully (66)
I:checking SOA serial number has been incremented (67)
I:checking delayed key publication/activation (68)
I:checking scheduled key publication, not activation (69)
I:waiting for changes to take effect
I:checking scheduled key activation (70)
I:waiting for changes to take effect
I:checking former active key was removed (71)
I:checking private key file removal caused no immediate harm (72)
I:checking revoked key with duplicate key ID (failure expected) (73)
I:not yet implemented
I:checking key event timers are always set (74)
I:checking automatic key reloading interval (75)
I:checking for key reloading loops (76)
I:forcing full sign with unreadable keys (77)
I:test turning on auto-dnssec during reconfig (78)
I:ns3 zone 'reconf.example' reconfigured.
I:test CDS and CDNSKEY auto generation (79)
I:setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'
ns3/Ksync.example.+007+13704.key
ns3/Ksync.example.+007+13704.private
I:waiting for deletion to occur
I:checking that the CDS and CDNSKEY are deleted (80)
I:check that dnssec-settime -p Dsync works (81)
I:check that dnssec-settime -p Psync works (82)
I:check that zone with inactive KSK and active ZSK is properly autosigned (83)
I:check that zone with inactive ZSK and active KSK is properly autosigned (84)
I:check that zone with active and inactive KSK and active ZSK is properly
I: resigned after the active KSK is deleted - stage 2: Verify that DNSKEY
I: is now signed with the ZSK. (85)
I:failed
I:check that zone with active and inactive ZSK and active KSK is properly
I: resigned after the active ZSK is deleted - stage 2: Verify that zone
I: is now signed with the KSK. (86)
I:failed
I:exit status: 2
R:FAIL
E:autosign:Thu Mar 15 13:43:40 JST 2018
S:runtime:Thu Mar 15 14:16:31 JST 2018
T:runtime:1:A
A:System test runtime
I:verifying that named started normally (1)
I:verifying that named checks for conflicting listeners (2)
I:verifying that named checks for conflicting named processes (3)
I:verifying that 'lock-file none' disables process check (4)
I: checking that named refuses to reconfigure if managed-keys-directory is set and not writable (5)
I:failed
I: checking that named refuses to reconfigure if managed-keys-directory is unset and working directory is not writable (6)
I:failed
I: checking that named reconfigures if working directory is not writable but managed-keys-directory is (7)
I: shutting down existing named
I: checking that named refuses to start if managed-keys-directory is set and not writable (8)
I:failed
I: checking that named refuses to start if managed-keys-directory is unset and working directory is not writable (9)
I: checking that named starts if managed-keys-directory is writable and working directory is not writable (10)
I:exit status: 3
R:FAIL
E:runtime:Thu Mar 15 14:16:47 JST 2018
S:sfcache:Thu Mar 15 14:16:47 JST 2018
T:sfcache:1:A
A:System test sfcache
I:checking DNSSEC SERVFAIL is cached (0)
I:checking SERVFAIL is returned from cache (1)
I:checking that +cd bypasses cache check (2)
I:disabling server to force non-dnssec SERVFAIL
I:checking SERVFAIL is cached (3)
I:checking SERVFAIL is returned from cache (4)
I:checking with +cd query (5)
I:failed
I:checking with +dnssec query (6)
I:failed
I:exit status: 2
R:FAIL
E:sfcache:Thu Mar 15 14:16:54 JST 2018
### Possible fixes
(If you can, link to the line of code that might be responsible for the
problem.)
</pre>

https://gitlab.isc.org/isc-projects/bind9/-/issues/161
Several time related unit tests fail on Mac OS X
2019-06-19T12:13:29Z
Ondřej Surý

```
===> Failed tests
lib/dns/tests/update_test:future_to_date -> failed: update_test.c:320: serial != 2014040101 [0.058s]
lib/dns/tests/update_test:future_to_unix -> failed: update_test.c:156: serial != old + 1 [0.055s]
lib/dns/tests/update_test:now_to_date -> failed: update_test.c:296: serial != 2014040101 [0.054s]
lib/dns/tests/update_test:now_to_unix -> failed: update_test.c:133: serial != old + 1 [0.053s]
lib/dns/tests/update_test:past_to_date -> failed: update_test.c:273: serial != 2014040100 [0.052s]
lib/dns/tests/update_test:past_to_unix -> failed: update_test.c:110: serial != mystdtime [0.055s]
lib/dns/tests/update_test:undefined_plus1_to_unix -> failed: update_test.c:180: serial != mystdtime [0.056s]
lib/dns/tests/update_test:unixtime_zero -> failed: update_test.c:250: serial != old + 1 [0.054s]
```
Master on latest Mac OS X, compiler:
```
$ clang --version
Apple LLVM version 9.0.0 (clang-900.0.39.2)
Target: x86_64-apple-darwin17.4.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin
```

Michał Kępień

https://gitlab.isc.org/isc-projects/bind9/-/issues/162
Remove idnkit-1.0 from BIND sources
2018-03-17T13:15:03Z
Ondřej Surý

There's a local copy of outdated idnkit-1.0 library in BIND source. Let's just get rid of it (and cleanup relevant documentation).

BIND-9.13.0

https://gitlab.isc.org/isc-projects/bind9/-/issues/163
Add libidn2 info to "Configuration summary"
2018-04-05T10:08:12Z
Ondřej Surý

BIND-9.13.0
Ondřej Surý