BIND merge requests
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests
2022-01-11T14:13:55Z

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5626
Stop leaking mutex in nmworker and cond in nm socket
2022-01-11T14:13:55Z
Ondřej Surý

On FreeBSD, the pthread primitives are not solely allocated on stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow and in case of fast lived object it's
possible to run out-of-memory.
Properly destroy the leaking mutex (worker->lock) and
the leaking condition (sock->cond).
(cherry picked from commit 57d0fabaddf0e7ac297a046b084df8fb22d54d51)
Closes #3051

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5625
Add OPENSSL_cleanup to tls_shutdown function (9.16)
2022-01-11T14:28:35Z
Matthijs Mekking matthijs@isc.org

This prevents a direct leak in OPENSSL_init_crypto (called from
OPENSSL_init_ssl).
Add shim version of OPENSSL_cleanup because it is missing in LibreSSL on
OpenBSD.
(cherry picked from commit 89f4f8f0c89a5243ba9fa343d492b15fd97e4df0)

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5623
Call OPENSSL_cleanup() when shutting down
2021-12-08T11:08:47Z
Ondřej Surý

The OPENSSL_cleanup() cleans the OpenSSL allocated resources explicitly
instead of relying on the atexit mechanism to do the cleanup. This is
needed in case that we want to use custom allocator to manage OpenSSL
memory.

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5622
Stop leaking mutex in nmworker and cond in nm socket
2022-01-11T14:13:49Z
Ondřej Surý

On FreeBSD, the pthread primitives are not solely allocated on stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow and in case of fast lived object it's
possible to run out-of-memory.
Properly destroy the leaking mutex (worker->lock) and the leaking condition (sock->cond).
Closes #3051

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5621
remove reject-000 and broken-nsec options (related to synth-from-dnssec feature)
2021-12-23T05:14:55Z
Mark Andrews

Closes #3041

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5620
Fix the isc_hp initialization and memory usage
2022-01-20T10:21:45Z
Ondřej Surý

Previously, the isc_hp_init() could not lower the value of
isc__hp_max_threads, but because of a mistake the isc__hp_max_threads
would be set to HP_MAX_THREADS (e.g. 128 threads) thus it would be
always set to 128. This would result in increased memory usage even
when small number of workers were in use.
Change the default value of isc__hp_max_threads to be -1 (uninitialized)
and require the isc_hp_init() to be called and called only once.
Additionally, enforce the max_hps value in isc_hp_new() to be smaller or
equal to HP_MAX_HPS. The only user is isc_queue which uses just 1
hazard pointer, so it's only theoretical issue.
Closes #3048

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5619
Add FreeBSD 12.3
2021-12-20T15:58:40Z
Michal Nowak

Prereq: isc-projects/images!150
I tested BIND 9.17, 9.16, and 9.11 (build & tests) locally with image built by Packer and hooked to Virt Manager.

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5617
Fix autosign system test, allow expired zone signatures to be replaced with KSK RRSIGs
2022-01-12T10:09:20Z
Matthijs Mekking matthijs@isc.org

BIND can log this warning:
```
zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
missing or inactive and has no replacement: retaining signatures.
```
This log can happen when BIND tries to remove signatures because they
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK files have been removed from disk. When we have
created a new ZSK we can replace the signatures created by the KSK
with signatures from the new ZSK.
It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.
The warning is logged if BIND detects the private ZSK file is missing.
The warning is logged even if we were able to delete the signature.
With the change from this commit it only logs this warning if it is not
okay to delete the signature.
Closes #3035, #3049

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Matthijs Mekking matthijs@isc.org

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5616
prevent a shutdown hang on non-matching TCP responses
2022-01-11T14:15:05Z
Evan Hunt

When a non-matching DNS response is received by the resolver,
it calls dns_dispatch_getnext() to resume reading. This is necessary
for UDP but not for TCP, because TCP connections automatically
resume reading after any response.
This MR adds a 'tcpreading' flag to TCP dispatches, so that
`dispatch_getnext()` can be called multiple times without subsequent
calls having any effect.
Closes #3042

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5615
Added a spare x as a test
2021-12-02T19:15:51Z
Greg Choules

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5610
Drop Debian SoftHSM v2.4 CI jobs
2021-12-14T11:58:54Z
Michal Nowak

The base image is in the process of being upgraded from Debian Buster to
Debian Bullseye, which has SoftHSM v2.6, the same SoftHSM version we
already test PKCS#11 with on Fedora. We don't need to test with two
SoftHSM 2.6 versions, drop CI jobs running on the base image.
Prereq for: isc-projects/images!145

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5606
Drop FreeBSD 11
2021-12-17T11:48:36Z
Michal Nowak

Support for FreeBSD 11.4, the last FreeBSD 11.x release, [ended on
September 30, 2021](https://www.freebsd.org/security/unsupported/) and the image can't be built without a workaround anymore.
The `--with-readline` `./configure` option has been added to `gcc:sid:amd64`
CI job; otherwise, it would be lost with the FreeBSD 11 removal.
This complements isc-projects/images!148.

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5601
Improve error message when directory name is given
2022-01-11T15:08:00Z
Petr Menšík

Surprising error IO error is returned when directory name
is given instead of named.conf file. It can be passed to named-checkconf
or include statement. Make a simple change to return Invalid file
instead. Still not precise, but much better error message is returned.
Fix of rhbz#490837.

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5598
Update auto-dnssec documentation
2022-01-05T11:26:17Z
Matthijs Mekking matthijs@isc.org

Explain that `auto-dnssec` may only be activated at zone level.
Closes #3023

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5595
Add Alpine Linux 3.15
2021-12-16T15:52:20Z
Michal Nowak

Prereq: https://gitlab.isc.org/isc-projects/images/-/merge_requests/146

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5574
Drop cppcheck
2022-01-11T14:25:43Z
Michal Nowak

Remove `cppcheck` CI job and `cppcheck`-related suppressions and
workarounds.
Every `cppcheck` update brings the cost of addressing new false positives
in the BIND 9 source code while not reaping any benefits in case of
identified issues with the code. Coverity Scan seems to provide a better
cost-benefit ratio.
Associated MR: isc-projects/images!143.
Closes #2698, #2886

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5554
Add Fedora 35
2021-12-22T17:53:47Z
Michal Nowak

Prerequisite: https://gitlab.isc.org/isc-projects/images/-/merge_requests/142

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5367
Make bullseye the base image
2021-12-30T07:42:35Z
Michal Nowak

Prerequisite: https://gitlab.isc.org/isc-projects/images/-/merge_requests/132 & https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5330
Changes:
- makes bullseye the default image
- drops `gcc:softhsm2.4` job as bullseye has softhsm 2.6 (as Fedora does already)
Issues:
- ~~`pylint` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2885 (fix: patch dnspython, see https://gitlab.isc.org/isc-projects/images/-/merge_requests/132/diffs?commit_id=e2a7edb59d95867e98490aebf79248916ab26a53)~~
- ~~`cppcheck` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2886 (fix: build cppcheck 2.2 for Bullseye or drop cppcheck altogether)~~
- ~~`tsan` - isc-projects/bind9#3010 (fix: custom libuv for Bullseye or move Clang from Bullseye to Fedora 35)~~
- ~~`respdiff` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2887 (fix: build BIND 9.11 with `randomdev` set, see https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5367/diffs?commit_id=329b1681b38602b09a1175872dc3edc634cda39f)~~
- ~~`gcov` - `gcovr` [reports](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2172727) 0 % coverage~~

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5355
Add respdiff jobs with third-party recursors
2021-12-22T17:53:47Z
Michal Nowak

Prerequisites: https://gitlab.isc.org/isc-private/bind-qa/-/merge_requests/36 & isc-projects/images!130.

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michal Nowak

https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5205
Set version and release variables in conf.py
2021-12-29T09:02:12Z
Michał Kępień

Some Sphinx variables used in the ARM are only set in Makefile.docs.
This works fine when building the ARM using "make", but does not work
with Read the Docs, which only looks at conf.py files.
Since Read the Docs does not run ./configure, renaming conf.py to
conf.py.in and using Autoconf output variables is not a feasible
solution.
Instead, extend doc/arm/conf.py with some Python code which processes
configure.ac using regular expressions and sets the relevant Sphinx
variables accordingly. As this solution also works fine when building
the ARM using "make", drop the relevant -D options from the list of
sphinx-build options used for building the ARM in Makefile.docs.
Note that the man_SPHINXOPTS counterparts of the removed -D switches are
left intact because doc/man/conf.py is a separate Sphinx project which
is only processed using "make" and duplicating the Python code added to
doc/arm/conf.py by this commit would be inelegant.
Closes #2782

January 2022 (9.16.25, 9.16.25-S1, 9.17.22)
Michał Kępień