GitLab

Add a CHANGES placeholder

See merge request isc-projects/bind9!2502

See [GL !2476].

Merge branch '1288-log-dns_r_unchanged-from-sync_secure_journal-at-info-level-in-receive_secure_serial' into 'master'

Resolve "Log DNS_R_UNCHANGED from sync_secure_journal at info level in receive_secure_serial."

Closes #1288

See merge request isc-projects/bind9!2490

Fix hang in `named-compilezone | head`

See merge request isc-projects/bind9!2481

I was truncating zone files for experimental purposes when I found
that `named-compilezone | head` got stuck. The full command line that
exhibited the problem was:

	dig axfr dotat.at |
	named-compilezone -o /dev/stdout dotat.at /dev/stdin |
	head

This requires a large enough zone to exhibit the problem, more than
about 70000 bytes of plain text output from named-compilezone.
I was running the command on Debian Stretch amd64.

This was puzzling since it looked like something was suppressing the
SIGPIPE. I used `strace` to examine what was happening at the hang.
The program was just calling write() a lot to print the zone file, and
the last write() hanged until I sent it a SIGINT.

During some discussion with friends, Ian Jackson guessed that opening
/dev/stdout O_RDRW might be the problem, and after some tests we found
that this does in fact suppress SIGPIPE.

Since `named-compilezone` only needs to write to its output file, the
fix is to omit the stdio "+" update flag.

placeholder.

See merge request isc-projects/bind9!2495

Update the list of supported and unsupported PLATFORMS for BIND 9.15

See merge request !2486

Disable synth-from-dnssec by default

See merge request !2491

It was found that NSEC Aggressive Caching has a significant performance impact
on BIND 9 when used as recursor.  This commit disables the synth-from-dnssec
configuration option by default to provide immediate remedy for people running
BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
will be prepared.

Revamp the release checklist

See merge request !2488

Make the release checklist match the current release process better by
adding missing steps, rearranging existing ones, reassigning
responsibilities, and dividing the list into sections (by due date).

Add CentOS 8 to GitLab CI

See merge request !2489

Ensure BIND can be tested on CentOS 8 in GitLab CI to more quickly catch
build and test errors on that operating system.

"dnskey-sig-validity 0;" was not accepted

Closes #876

See merge request isc-projects/bind9!2484

placeholder

See merge request isc-projects/bind9!2485

Update the coding style to reflect the year 2019 and C99/C11 standard

Closes #5

See merge request isc-projects/bind9!2148

Resolve "dnstap per view configuration"

Closes #1281

See merge request isc-projects/bind9!2477

Address cppcheck 1.89 warnings

See merge request !2472

cppcheck 1.89 emits a false positive for lib/dns/spnego_asn1.c:

    lib/dns/spnego_asn1.c:698:9: error: Uninitialized variable: data [uninitvar]
     memset(data, 0, sizeof(*data));
            ^
    lib/dns/spnego.c:1707:47: note: Calling function 'decode_NegTokenResp', 3rd argument '&resp' value is <Uninit>
     ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
                                                  ^
    lib/dns/spnego_asn1.c:698:9: note: Uninitialized variable: data
     memset(data, 0, sizeof(*data));
            ^

This message started appearing with cppcheck 1.89 [1], but it will be
gone in the next release [2], so just suppress it for the time being.

[1] https://github.com/danmar/cppcheck/commit/af214e8212efa303e664920a468de00ee0b1fe3d

[2] https://github.com/danmar/cppcheck/commit/2595b826349a7ffbe1c958b806498b6e336bea33

cppcheck 1.89 enabled certain value flow analysis mechanisms [1] which
trigger null pointer dereference false positives in lib/dns/rpz.c:

    lib/dns/rpz.c:582:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:582:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:596:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:596:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:610:7: warning: Possible null pointer dereference: tgt_ip [nullPointer]
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^
    lib/dns/rpz.c:1419:44: note: Calling function 'adj_trigger_cnt', 4th argument 'NULL' value is 0
      adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
                                               ^
    lib/dns/rpz.c:610:7: note: Null pointer dereference
      if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
          ^

It seems that cppcheck no longer treats at least some REQUIRE()
assertion failures as fatal, so add extra assertion macro definitions to
lib/isc/include/isc/util.h that are only used when the CPPCHECK
preprocessor macro is defined; these definitions make cppcheck 1.89
behave as expected.

There is an important requirement for these custom definitions to work:
cppcheck must properly treat abort() as a function which does not
return.  In order for that to happen, the __GNUC__ macro must be set to
a high enough number (because system include directories are used and
system headers compile attributes away if __GNUC__ is not high enough).
__GNUC__ is thus set to the major version number of the GCC compiler
used, which is what that latter does itself during compilation.

[1] https://github.com/danmar/cppcheck/commit/aaeec462e6d96bb70c2b1cf030979d09e2d7c959

Remove remnants of the --with-cc-alg option

See merge request isc-projects/bind9!2436

Commit afa81ee4 omitted some spots in
the source tree which are still referencing the removed --with-cc-alg
"configure" option.  Make sure the latter is removed completely.

Limit triggers for OpenBSD system test jobs

See merge request isc-projects/bind9!2468