BIND merge requests
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests
Updated: 2022-01-11T15:13:45Z

----------------------------------------------------------------------
Remove the copyright handling via util/copyrights
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5147
Updated: 2022-01-11T15:13:45Z
Author: Ondřej Surý
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

The copyright handling has long been obsolete; the work is covered as a
whole by the COPYING/LICENSE file even if a specific file doesn't have
a copyright header.

The important thing to remember here is that any work is covered by
copyright law, and by explicitly giving it a license we provide extra
rights to the users of the work.

----------------------------------------------------------------------
Set version and release variables in conf.py
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5205
Updated: 2021-12-29T09:02:12Z
Author: Michał Kępień
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Some Sphinx variables used in the ARM are only set in Makefile.docs.
This works fine when building the ARM using "make", but does not work
with Read the Docs, which only looks at conf.py files.

Since Read the Docs does not run ./configure, renaming conf.py to
conf.py.in and using Autoconf output variables is not a feasible
solution.

Instead, extend doc/arm/conf.py with some Python code which processes
configure.ac using regular expressions and sets the relevant Sphinx
variables accordingly. As this solution also works fine when building
the ARM using "make", drop the relevant -D options from the list of
sphinx-build options used for building the ARM in Makefile.docs.

Note that the man_SPHINXOPTS counterparts of the removed -D switches are
left intact because doc/man/conf.py is a separate Sphinx project which
is only processed using "make" and duplicating the Python code added to
doc/arm/conf.py by this commit would be inelegant.

Closes #2782

----------------------------------------------------------------------
Add respdiff jobs with third-party recursors
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5355
Updated: 2021-12-22T17:53:47Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Prerequisites: https://gitlab.isc.org/isc-private/bind-qa/-/merge_requests/36 & isc-projects/images!130.

----------------------------------------------------------------------
Make bullseye the base image
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5367
Updated: 2021-12-30T07:42:35Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Prerequisite: https://gitlab.isc.org/isc-projects/images/-/merge_requests/132 & https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5330

Changes:
- makes bullseye the default image
- drops `gcc:softhsm2.4` job as bullseye has softhsm 2.6 (as Fedora does already)

Issues:
- ~~`pylint` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2885 (fix: patch dnspython, see https://gitlab.isc.org/isc-projects/images/-/merge_requests/132/diffs?commit_id=e2a7edb59d95867e98490aebf79248916ab26a53)~~
- ~~`cppcheck` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2886 (fix: build cppcheck 2.2 for Bullseye or drop cppcheck altogether)~~
- ~~`tsan` - isc-projects/bind9#3010 (fix: custom libuv for Bullseye or move Clang from Bullseye to Fedora 35)~~
- ~~`respdiff` - https://gitlab.isc.org/isc-projects/bind9/-/issues/2887 (fix: build BIND 9.11 with `randomdev` set, see https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5367/diffs?commit_id=329b1681b38602b09a1175872dc3edc634cda39f)~~
- ~~`gcov` - `gcovr` [reports](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2172727) 0 % coverage~~

----------------------------------------------------------------------
Add Fedora 35
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5554
Updated: 2021-12-22T17:53:47Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Prerequisite: https://gitlab.isc.org/isc-projects/images/-/merge_requests/142

----------------------------------------------------------------------
Drop cppcheck
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5574
Updated: 2022-01-11T14:25:43Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Remove the `cppcheck` CI job and `cppcheck`-related suppressions and
workarounds.

Every `cppcheck` update brings the cost of addressing new false positives
in the BIND 9 source code while not reaping any benefits in the form of
identified issues with the code. Coverity Scan seems to provide a better
cost-benefit ratio.

Associated MR: isc-projects/images!143.

Closes #2698, #2886

----------------------------------------------------------------------
Add Alpine Linux 3.15
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5595
Updated: 2021-12-16T15:52:20Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Prereq: https://gitlab.isc.org/isc-projects/images/-/merge_requests/146

----------------------------------------------------------------------
Update auto-dnssec documentation
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5598
Updated: 2022-01-05T11:26:17Z
Author: Matthijs Mekking <matthijs@isc.org>
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Explain that `auto-dnssec` may only be activated at zone level.

Closes #3023

----------------------------------------------------------------------
Drop FreeBSD 11
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5606
Updated: 2021-12-17T11:48:36Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Support for FreeBSD 11.4, the last FreeBSD 11.x release, [ended on
September 30, 2021](https://www.freebsd.org/security/unsupported/) and the image can't be built without a workaround anymore.

The `--with-readline` `./configure` option has been added to the `gcc:sid:amd64`
CI job; otherwise, it would be lost with the FreeBSD 11 removal.

This complements isc-projects/images!148.

----------------------------------------------------------------------
Drop Debian SoftHSM v2.4 CI jobs
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5610
Updated: 2021-12-14T11:58:54Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

The base image is in the process of being upgraded from Debian Buster to
Debian Bullseye, which has SoftHSM v2.6, the same SoftHSM version we
already test PKCS#11 with on Fedora. We don't need to test with two
SoftHSM 2.6 versions, so drop the CI jobs running on the base image.

Prereq for: isc-projects/images!145

----------------------------------------------------------------------
prevent a shutdown hang on non-matching TCP responses
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5616
Updated: 2022-01-11T14:15:05Z
Author: Evan Hunt
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

When a non-matching DNS response is received by the resolver,
it calls dns_dispatch_getnext() to resume reading. This is necessary
for UDP but not for TCP, because TCP connections automatically
resume reading after any response.

This MR adds a 'tcpreading' flag to TCP dispatches, so that
`dispatch_getnext()` can be called multiple times without subsequent
calls having any effect.

Closes #3042

----------------------------------------------------------------------
Fix autosign system test, allow expired zone signatures to be replaced with KSK RRSIGs
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5617
Updated: 2022-01-12T10:09:20Z
Author: Matthijs Mekking <matthijs@isc.org>
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

BIND can log this warning:

```
zone example.ch/IN (signed): Key example.ch/ECDSAP256SHA256/56340
missing or inactive and has no replacement: retaining signatures.
```

This log can happen when BIND tries to remove signatures because they
are about to expire or to be resigned. These RRsets may be signed with
the KSK if the ZSK file has been removed from disk. When we have
created a new ZSK we can replace the signatures created by the KSK
with signatures from the new ZSK.

It complains about the KSK being missing or inactive, but actually it
takes the key id from the RRSIG.

The warning is logged if BIND detects the private ZSK file is missing.
The warning is logged even if we were able to delete the signature.
With the change from this commit it only logs this warning if it is not
okay to delete the signature.

Closes #3035, #3049

----------------------------------------------------------------------
Add FreeBSD 12.3
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5619
Updated: 2021-12-20T15:58:40Z
Author: Michal Nowak
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Prereq: isc-projects/images!150

I tested BIND 9.17, 9.16, and 9.11 (build & tests) locally with an image built by Packer and hooked to Virt Manager.

----------------------------------------------------------------------
Fix the isc_hp initialization and memory usage
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5620
Updated: 2022-01-20T10:21:45Z
Author: Ondřej Surý
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Previously, the isc_hp_init() could not lower the value of
isc__hp_max_threads, but because of a mistake isc__hp_max_threads
would be set to HP_MAX_THREADS (e.g. 128 threads), thus it would
always be set to 128. This would result in increased memory usage even
when a small number of workers was in use.

Change the default value of isc__hp_max_threads to be -1 (uninitialized)
and require the isc_hp_init() to be called, and called only once.

Additionally, enforce the max_hps value in isc_hp_new() to be smaller than or
equal to HP_MAX_HPS. The only user is isc_queue, which uses just 1
hazard pointer, so it's only a theoretical issue.

Closes #3048

----------------------------------------------------------------------
remove reject-000 and broken-nsec options (related to synth-from-dnssec feature)
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5621
Updated: 2021-12-23T05:14:55Z
Author: Mark Andrews
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Closes #3041

----------------------------------------------------------------------
Stop leaking mutex in nmworker and cond in nm socket
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5622
Updated: 2022-01-11T14:13:49Z
Author: Ondřej Surý
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

On FreeBSD, the pthread primitives are not solely allocated on the stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow, and in the case of short-lived objects it's
possible to run out of memory.

Properly destroy the leaking mutex (worker->lock) and the leaking condition (sock->cond).

Closes #3051

----------------------------------------------------------------------
Add OPENSSL_cleanup to tls_shutdown function (9.16)
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5625
Updated: 2022-01-11T14:28:35Z
Author: Matthijs Mekking <matthijs@isc.org>
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

This prevents a direct leak in OPENSSL_init_crypto (called from
OPENSSL_init_ssl).

Add a shim version of OPENSSL_cleanup because it is missing in LibreSSL on
OpenBSD.

(cherry picked from commit 89f4f8f0c89a5243ba9fa343d492b15fd97e4df0)

----------------------------------------------------------------------
Stop leaking mutex in nmworker and cond in nm socket
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5626
Updated: 2022-01-11T14:13:55Z
Author: Ondřej Surý
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

On FreeBSD, the pthread primitives are not solely allocated on the stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow, and in the case of short-lived objects it's
possible to run out of memory.

Properly destroy the leaking mutex (worker->lock) and
the leaking condition (sock->cond).

(cherry picked from commit 57d0fabaddf0e7ac297a046b084df8fb22d54d51)

Closes #3051

----------------------------------------------------------------------
Use ECDSA P-256 instead of 4096-bit RSA for 'tls ephemeral'
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5627
Updated: 2022-01-20T10:21:45Z
Author: Arаm Sаrgsyаn
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

ECDSA P-256 performs considerably better than the previously used
4096-bit RSA (can be observed using `openssl speed`), and, according
to RFC 6605, provides a security level comparable to 3072-bit RSA.

Closes #2264

----------------------------------------------------------------------
Remove mutex profiling code
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5629
Updated: 2021-12-10T00:01:02Z
Author: Michał Kępień
Milestone: January 2022 (9.16.25, 9.16.25-S1, 9.17.22)

Mutex profiling code (used when the ISC_MUTEX_PROFILE preprocessor macro
is set to 1) has been broken for the past 3 years (since commit
0bed9bfc28a204cde57c6f68170ecc89ebfa6dc8) and nobody complained, which
is a strong indication that this code is not being used these days any
more. External tools for both measuring performance and detecting
locking issues are already wired into various GitLab CI checks. Drop
all code depending on the ISC_MUTEX_PROFILE preprocessor macro being
set.
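The two "Stop leaking mutex in nmworker and cond in nm socket" merge requests above (5622 and its 9.16 cherry-pick 5626) describe a resource leak that only shows up on platforms such as FreeBSD, where part of a pthread mutex or condition variable lives on the heap and is released only by pthread_mutex_destroy()/pthread_cond_destroy(). The following is an added example, not BIND code: it uses a hypothetical worker_t with a lock and a cond (the names worker_init, worker_destroy and worker_churn are assumptions, loosely modelled on the worker->lock and sock->cond mentioned in the merge requests) to show init and destroy kept strictly paired, including the error path where cond init fails after the mutex was already initialized, and a churn loop of the kind that would exhaust memory if destroy were missing.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical object; loosely modelled on the nmworker/socket objects
 * named in the merge requests, not BIND's real structures. */
typedef struct worker {
	pthread_mutex_t lock;
	pthread_cond_t cond;
	bool lock_initialized;
	bool cond_initialized;
	unsigned int pending;
} worker_t;

/* Initialize both primitives. If the second init fails, undo the first so
 * the caller never gets a half-built object whose mutex would be leaked. */
int
worker_init(worker_t *w) {
	int rc;

	w->lock_initialized = false;
	w->cond_initialized = false;
	w->pending = 0;

	rc = pthread_mutex_init(&w->lock, NULL);
	if (rc != 0) {
		return rc;
	}
	w->lock_initialized = true;

	rc = pthread_cond_init(&w->cond, NULL);
	if (rc != 0) {
		(void)pthread_mutex_destroy(&w->lock);
		w->lock_initialized = false;
		return rc;
	}
	w->cond_initialized = true;
	return 0;
}

/* Destroy in reverse order of initialization. The destroy calls are what
 * free the heap part of the primitives on FreeBSD, so every teardown path
 * must reach them. Safe to call twice: the flags make it idempotent. */
int
worker_destroy(worker_t *w) {
	int rc = 0;

	if (w->cond_initialized) {
		int r = pthread_cond_destroy(&w->cond);
		if (r != 0) {
			rc = r;
		}
		w->cond_initialized = false;
	}
	if (w->lock_initialized) {
		int r = pthread_mutex_destroy(&w->lock);
		if (r != 0) {
			rc = r;
		}
		w->lock_initialized = false;
	}
	return rc;
}

/* Create and tear down 'count' short-lived objects. With a missing
 * destroy, the per-object heap allocation would accumulate here on
 * FreeBSD. Returns the number of objects fully initialized and destroyed. */
unsigned long
worker_churn(unsigned long count) {
	unsigned long ok = 0;

	for (unsigned long i = 0; i < count; i++) {
		worker_t w;
		if (worker_init(&w) != 0) {
			break;
		}
		if (worker_destroy(&w) != 0) {
			break;
		}
		ok++;
	}
	return ok;
}

int
main(void) {
	unsigned long n = worker_churn(100000);
	printf("%lu objects initialized and destroyed\n", n);
	return (n == 100000) ? 0 : 1;
}
```

On Linux/glibc the churn loop would not grow the heap even without the destroy calls, which is why the leak was only noticed on FreeBSD; the pairing is still required by POSIX, and running the loop under a leak checker on FreeBSD (or under ASan with its leak detection on a platform where the primitives allocate) is the way to confirm a fix like the one in these merge requests.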