BIND merge requests
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests
Updated: 2024-03-28T14:37:12Z

Extract CHANGES checks to a separate GitLab CI job
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8918
Updated: 2024-03-28T14:37:12Z
Author: Michał Kępień

Checking the contents of the CHANGES file currently requires invoking
multiple shell scripts. These invocations are conflated with those for
other test scripts in the "misc" GitLab CI job. Extract the commands
checking the contents of the CHANGES file to a separate GitLab CI job,
"changes", to improve readability. Remove similar checks for the
CHANGES.SE file altogether as they are only relevant for BIND -S and
therefore should not be present in an open source branch.
Since pre-release testing is usually carried out for branches in which
CHANGES entries are intentionally malformed to prevent entry numbering
conflicts down the road, do not run the "changes" GitLab CI job in
pipelines that are triggered by a parent pipeline (which can currently
only be a pre-release testing pipeline) to prevent triggering job
failures that would be meaningless anyway.

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Assignee: Michał Kępień

Improve the reference counting in newref()
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8914
Updated: 2024-03-26T13:58:39Z
Author: Ondřej Surý

In qpcache (and rbtdb), there are some functions that acquire
neither the tree lock nor the node lock when calling newref(). In
theory, this could lead to a new reference to a node that's just going
to be deleted. As the delete_node() is always protected by both the
tree and the node lock write-locked, improve the logic to require either
the tree or the node lock to be at least read locked when incrementing
an unreferenced node (the reference is zero before the increment).

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

[9.18] CI hazard improvements
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8901
Updated: 2024-03-21T17:04:13Z
Author: Petr Špaček <pspacek@isc.org>

Backport of MR !8843

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Assignee: Petr Špaček <pspacek@isc.org>

Bump the LLVM version to 18 and reformat sources
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8827
Updated: 2024-03-14T09:14:20Z
Author: Michal Nowak

Prereq: https://gitlab.isc.org/isc-projects/images/-/merge_requests/300

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Michal Nowak

Draft: Rewrite include-multiplecfg system test to pytest
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8806
Updated: 2024-03-22T15:27:41Z
Author: Michal Nowak

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Michal Nowak

Rewrite names system test to pytest
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8759
Updated: 2024-03-06T09:12:36Z
Author: Michal Nowak

dnspython 2.7.0 or newer is needed because of [`wire()`](https://github.com/rthalley/dnspython/issues/1055).
Hence ~"DO NOT MERGE" before many CI images have it.

Milestone: Not planned

[9.18] Draft: Resolve "Don't count expired / future RRSIGs in verification failure quota"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8749
Updated: 2024-02-24T08:07:47Z
Author: Mark Andrews

Closes #4586

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

Draft: Resolve "warning: checkhints: unable to get root NS rrset from cache: not found"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8745
Updated: 2024-03-27T00:37:48Z
Author: Mark Andrews

Closes #2744

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Evan Hunt

Draft: Resolve "Restore the ability to select individual unit tests and turn on debugging"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8731
Updated: 2024-03-07T00:57:13Z
Author: Mark Andrews

Closes #4579

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

Draft: Resolve "dispatch test needs to ignore unexpected sources"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8694
Updated: 2024-03-07T01:56:26Z
Author: Mark Andrews

Closes #4562

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

Draft: Add signatures-jitter option
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8686
Updated: 2024-03-28T11:23:51Z
Author: Matthijs Mekking <matthijs@isc.org>

Add an option to specify signatures jitter.
Closes #4554

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Matthijs Mekking <matthijs@isc.org>

Draft: Rewrite cipher-suites system test to pytest
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8662
Updated: 2024-03-06T09:12:31Z
Author: Michal Nowak

This started as a serious effort to rewrite the cipher-suites system test to pytest, but because the minimal required dnspython version that has the "verify" argument for [`dns.query.tls()`](https://dnspython.readthedocs.io/en/latest/query.html#dns.query.tls) is [2.5.0rc1](https://dnspython.readthedocs.io/en/latest/whatsnew.html#id1) it ended up as a worthwhile dnspython learning exercise. So, ~"DO NOT MERGE" until most CI images have dnspython 2.5.0+. Locally tested on Fedora 39 (non-FIPS) and OL9 (FIPS) with dnspython 2.5.0rc1.

Milestone: Not planned

Draft: Resolve "Data races in isc_buffer_peekuint8, rdataset_settrust, and memmove"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8645
Updated: 2024-03-28T11:38:53Z
Author: Mark Andrews

Lock access to the trust byte in lib/dns/ncache.c as they were causing TSAN errors.
Closes #4475

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Mark Andrews

Draft: Resolve "dnssec-verify reports errors in NSEC3 chain"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8631
Updated: 2024-03-07T00:58:22Z
Author: Mark Andrews

Closes #4517

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

Draft: clean up files in addzone system test
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8524
Updated: 2024-02-24T08:08:24Z
Author: Evan Hunt

some generated files were not cleaned up after running the test.

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Evan Hunt

Draft: Resolve "IPv4-only mode not respected for zone transfers"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8522
Updated: 2024-03-08T05:48:42Z
Author: Mark Andrews

Closes #3472

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Assignee: Mark Andrews

Rework isccc_ccmsg to support multiple messages per tcp read
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8477
Updated: 2024-03-08T15:24:38Z
Author: Dominik Thalhammer

The current implementation of rndc assumes a tcp read to contain exactly one message.
This can fail in a number of cases:
* A message exceeds the tcp read size and is split into multiple messages
* Multiple messages are part of a single read
Both cases result in some of the messages getting dropped or the connection being closed because of a protocol error.
This commit changes the rndc reader to have a working buffer where the full message is reassembled before invoking the callback.
If there is already a valid message in the buffer when rndc attempts to read a message it is returned from the buffer without ever requesting a tcp read. This ensures low memory usage inside bind and allows for the OS to properly signal the sender to slow down if bind can't keep up.
closes #4416

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Dominik Thalhammer

Draft: Expand the wildcard system test with wider use of hypothesis
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8461
Updated: 2024-03-07T07:23:37Z
Author: Štěpán Balážik

I expanded the test so it now also tests:
- expansion works with multiple labels
- asterisk in qname does not cause expansion
There is also a more general way to generate dnspython's `dns.name.Name` objects for use with property based tests using hypothesis.
`strategies.py` is to be moved out, once some other test will be using `hypothesis` as well.

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Assignee: Štěpán Balážik

Test serve-stale behavior in a shared cache setup
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8384
Updated: 2024-03-06T08:06:25Z
Author: Michał Kępień

Add a test that intends to trigger a very specific order of events that
led to a crash before commit bbd163acf67843c76099921e467dd0ef90f3f670:

1. Two views, view A and view B, are attached to a shared cache.
   Serve-stale is enabled; "stale-answer-client-timeout" is set to a
   positive integer.
2. The following DNS response chain is cached:
       cname.selective. 5 IN CNAME a.selective.
       a.selective. 10 IN A 10.53.0.2
3. cname.selective/CNAME expires from cache. a.selective/A remains
   active.
4. Both view A and view B are queried for cname.selective/A.
5. The resolvers for both views start recursion due to the
   cname.selective/CNAME record being expired.
6. The resolver for view A manages to successfully resolve the query.
   Due to packet loss, the resolver for view B fails to resolve the
   query and continues querying the authoritative servers.
7. "stale-answer-client-timeout" fires for cname.selective/A in view B.
   Since the resolver for view A managed to resolve
   cname.selective/CNAME in the meantime and the a.selective/A record
   has not expired from cache yet, the final answer for the client
   query received by view B is readily available and is therefore sent
   back to the client.
8. The a.selective/A record expires from cache.
9. The resolver for view B manages to resolve cname.selective/CNAME and
   resumes resolution for its target name, i.e. a.selective/A. Since
   the latter expired from cache (in step 8), recursive resolution is
   started for a.selective/A.
10. Due to packet loss, the a.selective/A queries that the resolver for
    view B sends to authoritative servers remain unanswered.
11. "stale-answer-client-timeout" fires for a.selective/A in view B.
    The resolver for view B finds a stale a.selective/A record and
    attempts to send it back to the client. However, the a.selective/A
    record was already added to the response (and sent back to the
    client) in step 7. named crashes due to an assertion failure.

With the right timing, the new test causes affected named versions to
crash with the following assertion failure:

    query.c:8250: INSIST(qctx->rdataset == ((void *)0) || qctx->qtype == ((dns_rdatatype_t)dns_rdatatype_dname))

Closes #4287

Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

Draft: Resolve "Check the size of the structure passed to dns_rdata_*struct methods"
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8303
Updated: 2024-01-03T13:35:11Z
Author: Mark Andrews

Closes #4318

Milestone: Not planned