1. 17 Mar, 2021 4 commits
    • Merge branch '2523-thaw-dnssec-policy-zone' into 'main' · 8d8373c2
      Matthijs Mekking authored
      Resolve "Unable to thaw a frozen dynamic zone when KASP is configured."
      Closes #2523
      See merge request isc-projects/bind9!4777
    • Add test for thaw dynamic kasp zone · 0cae3249
      Matthijs Mekking authored
      Add a test for freezing, manually updating, and then thawing a dynamic
      zone with "dnssec-policy". In the kasp system test we add parameters
      to the "update_is_signed" check to signal the indicated IP addresses
      for the labels "a" and "d". If set to '-', the test is skipped.
      After nsupdating the dynamic.kasp zone, we revert the update (with
      nsupdate) and update the zone again, but now with the freeze/thaw
    • Fully sign a thawed zone · b90846f2
      Matthijs Mekking authored
      When thawing a zone, we don't know what changes have been made. If we
      do DNSSEC maintenance on this zone, schedule a full sign.
    • Fix "unable to thaw dynamic kasp zone" · b518ed9f
      Matthijs Mekking authored
      Dynamic zones with dnssec-policy could not be thawed because KASP
      zones were considered always dynamic. But a dynamic KASP zone should
      also check whether updates are disabled.
  2. 16 Mar, 2021 8 commits
  3. 15 Mar, 2021 4 commits
  4. 11 Mar, 2021 4 commits
    • Merge branch '2565-servestale-fetchlimits-crash' into 'main' · e3912092
      Michal Nowak authored
      Fix servestale fetchlimits crash
      Closes #2565
      See merge request isc-projects/bind9!4797
    • Fix servestale fetchlimits crash · 87591de6
      Matthijs Mekking authored
      When we query the resolver for a domain name that is in the same zone
      for which there are already one or more fetches outstanding, we could
      potentially hit the fetch limits. If so, recursion fails immediately
      for the incoming query and if serve-stale is enabled, we may try to
      return a stale answer.
      If the resolver is also authoritative for the parent zone (for
      example the root zone), first a delegation is found, but we first
      check the cache for a better response.
      Nothing is found in the cache, so we try to recurse to find the
      answer to the query.
      Because of fetch-limits 'dns_resolver_createfetch()' returns an error,
      which 'ns_query_recurse()' propagates to the caller,
      Because serve-stale is enabled, 'query_usestale()' is called,
      setting 'qctx->db' to the cache db, but leaving 'qctx->version'
      untouched. Now 'query_lookup()' is called to search for stale data
      in the cache database with a non-NULL 'qctx->version'
      (which is set to a zone db versio...
    • Merge branch... · 74a0294b
      Ondřej Surý authored
      Merge branch '2568-test_client-c-error-static-declaration-of-yield-follows-non-static-declaration-on-solaris' into 'main'
      Resolve "test_client.c: error: static declaration of 'yield' follows non-static declaration on Solaris"
      Closes #2568
      See merge request isc-projects/bind9!4795
  5. 08 Mar, 2021 15 commits
  6. 05 Mar, 2021 5 commits
    • Merge branch '1641-doh-dig' into 'main' · d6f33fcd
      Artem Boldariev authored
      Resolve "RFC8484, DoH support in DIG (and any other relevant utilities)"
      Closes #2464 and #1641
      See merge request isc-projects/bind9!4672
    • CHANGES, release notes · f3b13c60
      Evan Hunt authored
    • add basic DoH system tests · dbffb212
      Evan Hunt authored
      - rename dot to doth, as it now covers both dot and doh.
      - merge xot into doth as it's closely related.
      - added long-lived key and cert files (expiring 2121).
      - add tests with https-get, https-post, http-plain, alternate
        endpoints, and both static and ephemeral TLS configuration.
      - incidentally fixed a memory leak in dig that occurred if +https
        was specified more than once.
    • Disable Nagle's algorithm for HTTP/2 connections · 7a59fb82
      Artem Boldariev authored
      It is advisable to disable Nagle's algorithm for HTTP/2 connections
      because multiple HTTP/2 streams could be multiplexed over one
      transport connection. Thus, delays when delivering small packets could
      bring down performance for the whole session. HTTP/2 is meant to be
      used this way.
    • Fix deadlock in isc_nm_tlsconnect() · 66d20cf2
      Artem Boldariev authored
      when called from within the context of a network thread,
      isc_nm_tlsconnect() hangs. it is waiting for the socket's
      result code to be updated, but that update is supposed to happen
      asynchronously in the network thread, and if we're already blocking
      in the network thread, it can never occur.
      we can kluge around this by setting the socket result code
      early; this works for most clients (including "dig"), but it causes
      inconsistent behaviors that manifest as test failures in the DoH unit
      so we kluged around it even more by setting the socket result code
      early *only when running in the network thread*. we need a better
      solution for this problem, but this will do for now.