Use 2048 bits as the default ZSK RSA key size in dnssec-keygen

Closes #1097

See merge request !2055

merge security-master

See merge request !2061

Fix lib/dns/tests/update_test spurious errors on macOS

Closes #161

See merge request !2050

The common construct seen in the BIND 9 source is func(isc_mem_t *mctx, ...).
Unfortunately, the dnstest.{h,c} has been using mctx as a global symbol, which
in turn generated a lot of errors when update.c got included in update_test.c.

As a rule of thumb, we should avoid naming global symbols with generic names
(like mctx) and we should prefix them with "namespace" (like dt_mctx).

The CHECK() macro has been defined both in dnstest.h and update.c
files.  This has created a conflict between macro definitions when
including both of the files in update_test.c.  While the CHECK() macro
is convenient for the tests, it has been really used in just two
files, so the MR moves them into those respective .c files.

lib/dns/tests/update_test was failing on macOS on random occasions.  It
turned out this was a linker problem - it preferred isc_stdtime_get()
from libisc instead of the local version in lib/dns/tests/update_test.c.

Fix by including the original .c file in the unit test.  This has two
benefits:

 a) linking order may no longer cause issues as symbols found in the
    same compilation unit are always preferred,

 b) it allows writing tests for static functions in lib/dns/update.c.

Use couple more autoconf convenience macros to cleanup configure.ac

See merge request !2054

Pull and use several autoconf archive convenience macros to simplify
configure.ac.

* AX_CHECK_COMPILE_FLAG(FLAG, ...) - check whether given CFLAG works
* AX_CHECK_LINK_FLAG(FLAG, ...) - check whether given LDFLAG works
* AX_CHECK_PREPROC_FLAG(FLAG, ...) - check whether give CPPFLAG works
* AX_SAVE_FLAGS/AX_RESTORE_FLAGS - save and restore *FLAGS

Always fail a system test if crashes are detected

Closes #1088

See merge request !2041

In certain situations (e.g. a named instance crashing upon shutdown in a
system test which involves shutting down a server and restarting it
afterwards), a system test may succeed despite a named crash being
triggered.  This must never be the case.  Extend run.sh to mark a test
as failed if core dumps or log lines indicating assertion failures are
detected (the latter is only an extra measure aimed at test environments
in which core dumps are not generated; note that some types of crashes,
e.g. segmentation faults, will not be detected using this method alone).

Fix transfer statistics extraction

See merge request !2038

Make the get_named_xfer_stats() helper shell function more precise in
order to prevent it from matching the wrong lines as that may trigger
false positives for the "ixfr" and "xfer" system tests.  As an example,
the regular expression responsible for extracting the number of bytes
transmitted throughout an entire zone transfer could also match a line
containing the following string:

    transfer of '<zone-name>/IN': sending TCP message of <integer> bytes

However, such a line is not one summarizing a zone transfer.

Also simplify both get_dig_xfer_stats() and get_named_xfer_stats() by
eliminating the need for "echo" statements in them.

remove geoip-use-ecs from default config

See merge request !2032

"tkey" system test: fix key ID processing

See merge request !2033

If ns1/setup.sh generates a key with ID 0, the "KEYID" token in
ns1/named.conf.in will be replaced with an empty string, causing the
following broken statement to appear in ns1/named.conf:

    tkey-dhkey "server" ;

Such a statement triggers false positives for the "tkey" system test due
to ns1 being unable to start with a broken configuration file.  Fix by
tweaking the regular expression used for removing leading zeros from the
key ID, so that it removes at most 4 leading zeros.

Resolve "Underflow in Stats Channel RecursClients value?"

Closes #1067

See merge request !2030

We increase recursclients when we attach to recursion quota,
decrease when we detach. In some cases, when we hit soft
quota, we might attach to quota without increasing recursclients
gauge. We then decrease the gauge when we detach from quota,
and it causes the statistics to underflow.
Fix makes sure that we increase recursclients always when we
succesfully attach to recursion quota.

Address compilation warnings for -O3 builds

See merge request !1994

Compiling with -O3 triggers the following warnings with GCC 9.1:

    task.c: In function ‘isc_taskmgr_create’:
    task.c:1384:43: warning: ‘%04u’ directive output may be truncated writing between 4 and 10 bytes into a region of size 6 [-Wformat-truncation=]
     1384 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                           ^~~~
    task.c:1384:32: note: directive argument in the range [0, 4294967294]
     1384 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |                                ^~~~~~~~~~~~~~~~
    task.c:1384:3: note: ‘snprintf’ output between 15 and 21 bytes into a destination of size 16
     1384 |   snprintf(name, sizeof(name), "isc-worker%04u", i);
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    private_test.c: In function ‘private_nsec3_totext_test’:
    private_test.c:110:9: warning: array subscript 4 is outside array bounds of ‘uint32_t[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
      110 |  while (*sp == '\0' && slen > 0) {
          |         ^~~
    private_test.c:103:11: note: while referencing ‘salt’
      103 |  uint32_t salt;
          |           ^~~~

Prevent these warnings from being triggered by increasing the size of
the relevant array (task.c) and reordering conditions (private_test.c).

Compiling with -O3 triggers the following warning with GCC 8.3:

    driver.c: In function ‘dlz_findzonedb’:
    driver.c:191:29: warning: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 0 and 99 [-Wformat-truncation=]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                                 ^~
    driver.c:191:25: note: directive argument in the range [0, 65535]
      snprintf(buffer, size, "%s#%u", addr_buf, port);
                             ^~~~~~~
    driver.c:191:2: note: ‘snprintf’ output between 3 and 106 bytes into a destination of size 100
      snprintf(buffer, size, "%s#%u", addr_buf, port);
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Increase the size of the relevant array to prevent this warning from
being triggered.

Change the compiler optimization level for Debian sid build jobs from
-O2 to -O3 in order to enable triggering compilation warnings which are
not raised when -O2 is used.

Resolve "Use zonemgr unreachable cache more effectively"

Closes #1070

See merge request !2017

write locking.

Unreachable cache in zonemgr is realized as an static LRU list.
When we 'use' an entry we need to update the last-used time, we
can use atomics to do so without the necessity to upgrading
read-lock to write-lock.

allocate memory for symtab keys

Closes #1082

See merge request !2026

this prevents an intermittent failure when conflicts between
static and initializing keys are not detected by named-checkconf.

util/git-replay-merge.sh: make the tool compatible with git worktrees

See merge request !1985

specify title metadata and markdown format when calling pandoc

See merge request !2022

this change silences a warning message and prevents the unwanted
use of smart quotes when using pandoc 2.7.1 to generate human-readable
versions of README and other markdown files.