1. 22 Mar, 2021 12 commits
    • Matthijs Mekking's avatar
      Merge branch 'matthijs-test-keymgr2kasp' into 'main' · 052ec16a
      Matthijs Mekking authored
      Test migrating to dnssec-policy
      Closes #2544
      See merge request isc-projects/bind9!4758
    • Matthijs Mekking's avatar
      Retry quiet check keys · d5531df7
      Matthijs Mekking authored
      Change the 'check_keys' function to try three times. Some intermittent
      kasp test failures are because we are inspecting the key files
      before the actual change has happen. The 'retry_quiet' approach allows
      for a bit more time to let the write operation finish.
    • Matthijs Mekking's avatar
      Update copyrights for keymgr2kasp · 923c2a07
      Matthijs Mekking authored
      This MR introduces a new system test 'keymgr2kasp' to test
      migration to 'dnssec-policy'. It moves some existing tests from
      the 'kasp' system test to here.
      Also a common script 'kasp.sh', to be used in kasp specific tests,
      is introduced.
    • Matthijs Mekking's avatar
      Fix keymgr key init bug · 27e7d5f6
      Matthijs Mekking authored
      The 'keymgr_key_init()' function initializes key states if they have
      not been set previously. It looks at the key timing metadata and
      determines using the given times whether a state should be set to
      However, the DNSKEY and ZRRSIG states were mixed up: When looking
      at the Activate timing metadata we should set the ZRRSIG state, and
      when looking at the Published timing metadata we should set the
      DNSKEY state.
    • Matthijs Mekking's avatar
      Test keymgr2kasp state from timing metadata · c40c1ebc
      Matthijs Mekking authored
      Add two test zones that migrate to dnssec-policy. Test if the key
      states are set accordingly given the timing metadata.
      The rumoured.kasp zone has its Publish/Active/SyncPublish times set
      not too long ago so the key states should be set to RUMOURED. The
      omnipresent.kasp zone has its Publish/Active/SyncPublish times set
      long enough to set the key states to OMNIPRESENT.
      Slightly change the init_migration_keys function to set the
      key lifetime to "none" (legacy keys don't have lifetime). Then in the
      test case set the expected key lifetime explicitly.
    • Matthijs Mekking's avatar
      Editorial commit keymgr2kasp test · f6fa2542
      Matthijs Mekking authored
      This commit is somewhat editorial as it does not introduce something
      new nor fixes anything.
      The layout in keymgr2kasp/tests.sh has been changed, with the
      intention to make more clear where a test scenario ends and begins.
      The publication time of some ZSKs has been changed. It makes a more
      clear distinction between publication time and activation time.
    • Matthijs Mekking's avatar
      Introduce kasp.sh · ecb073bd
      Matthijs Mekking authored
      Add a script similar to conf.sh to include common functions and
      variables for testing KASP. Currently used in kasp, keymgr2kasp, and
    • Matthijs Mekking's avatar
      Move kasp migration tests to different directory · 53891721
      Matthijs Mekking authored
      The kasp system test was getting pretty large, and more tests are on
      the way. Time to split up. Move tests that are related to migrating
      to dnssec-policy to a separate directory 'keymgr2kasp'.
    • Michał Kępień's avatar
      Merge branch '1946-man-page-fixes' into 'main' · ea26306e
      Michał Kępień authored
      Man page fixes
      See merge request isc-projects/bind9!4817
    • Michał Kępień's avatar
      Install man page for named-compilezone · 185a1a56
      Michał Kępień authored
      The named-checkzone tool can also be invoked as named-compilezone.  Make
      sure a man page is installed for that alias.  Move and rename the
      "man_named-checkzone" label to prevent a Sphinx duplicate label warning
      from being raised (see commit 84862e96
      for more information).
    • Michał Kępień's avatar
      Install named-nzd2nzf man page conditionally · dcab218a
      Michał Kępień authored
      The named-nzd2nzf utility is only built and installed for LMDB-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      named-nzd2nzf.1 man page is also only built and installed for
      LMDB-enabled builds.
    • Michał Kępień's avatar
      Install dnstap-read man page conditionally · ceedee07
      Michał Kępień authored
      The dnstap-read utility is only built and installed for dnstap-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      dnstap-read.1 man page is also only built and installed for
      dnstap-enabled builds.
  2. 20 Mar, 2021 6 commits
    • Evan Hunt's avatar
      Merge branch 'placeholder' into 'main' · d04aa1d4
      Evan Hunt authored
      placeholder for #2575
      See merge request isc-projects/bind9!4828
    • Evan Hunt's avatar
      placeholder for #2575 · c452c0a0
      Evan Hunt authored
      Issue #2575 was merged to 9.16 only as change 5603, but a placeholder
      was not added to CHANGES in the main branch. This commit adds the
      placeholder and renumbers the two subsequent changes.
    • Evan Hunt's avatar
      Merge branch '2592-dig-clock-realtime' into 'main' · 8e0902b7
      Evan Hunt authored
      Resolve "dig -u is extremely inaccurate, especially on machines with the kernel timer tick set at 100Hz"
      Closes #2592
      See merge request isc-projects/bind9!4826
    • Evan Hunt's avatar
      CHANGES · 1933bcf1
      Evan Hunt authored
    • Patrick McLean's avatar
      dig: Use high resolution clocks when microsecond accuracy is requested · 56cef149
      Patrick McLean authored
      The TIME_NOW macro calls isc_time_now which uses CLOCK_REALTIME_COARSE
      for getting the current time. This is perfectly fine for millisecond,
      however when the user request microsecond resolutiuon, they are going
      to get very inaccurate results. This is especially true on a server
      class machine where the clock ticks may be set to 100HZ.
      This changes dig to use the new TIME_NOW_HIRES macro that uses the
      CLOCK_MONOTONIC_RAW that is more expensive, but gets the *actual*
      current time rather than the at the last kernel time tick.
    • Patrick McLean's avatar
      Add isc_time_now_hires function to get current time with high resolution · ebced74b
      Patrick McLean authored
      The current isc_time_now uses CLOCK_REALTIME_COARSE which only updates
      on a timer tick. This clock is generally fine for millisecond accuracy,
      but on servers with 100hz clocks, this clock is nowhere near accurate
      enough for microsecond accuracy.
      This commit adds a new isc_time_now_hires function that uses
      CLOCK_REALTIME, which gives the current time, though it is somewhat
      expensive to call. When microsecond accuracy is required, it may be
      required to use extra resources for higher accuracy.
  3. 19 Mar, 2021 9 commits
    • Ondřej Surý's avatar
      Merge branch '2416-improve-netmgr-unit-tests-reliability' into 'main' · bee4ee93
      Ondřej Surý authored
      Improve reliability of the netmgr unit tests
      Closes #2455 and #2416
      See merge request isc-projects/bind9!4628
    • Ondřej Surý's avatar
      Require CMocka >= 1.1.3 to run the unit tests · d96c94d7
      Ondřej Surý authored
      In CMocka versions << 1.1.3, the skip() function would cause the whole
      unit test to abort when CMOCKA_TEST_ABORT is set.  As this is problem
      only in Debian 9 Stretch and Ubuntu 16.04 Xenial, we just require the
      CMocka >= 1.1.3 and disable the unit testing on Debian 9 Stretch until
      we can pull the libcmocka-dev from stretch-backports and remove the
      Ubuntu 16.04 Xenial from the CI as it is reaching End of Standard
      Support at the end of April 2021.
    • Ondřej Surý's avatar
      Fix compilation with NETMGR_TRACE(_VERBOSE) enabled on non-Linux · d016ea74
      Ondřej Surý authored
      When NETMGR_TRACE(_VERBOSE) is enabled, the build would fail on some
      non-Linux non-glibc platforms because:
        * Use <stdint.h> print macros because uint_fast32_t is not always
          unsigned long
        * The header <execinfo.h> is not available on non-glibc, thus commit
          adds dummy backtrace() and backtrace_symbols_fd() functions for
          platforms without HAVE_BACKTRACE
    • Ondřej Surý's avatar
      Improve reliability of the netmgr unit tests · 42e4e3b8
      Ondřej Surý authored
      The netmgr unit tests were designed to push the system limits to maximum
      by sending as many queries as possible in the busy loop from multiple
      threads.  This mostly works with UDP, but in the stateful protocol where
      establishing the connection takes more time, it failed quite often in
      the CI.  On FreeBSD, this happened more often, because the socket() call
      would fail spuriosly making the problem even worse.
      This commit does several things to improve reliability:
      * return value of isc_nm_<proto>connect() is always checked and retried
        when scheduling the connection fails
      * The busy while loop has been slowed down with usleep(1000); so the
        netmgr threads could schedule the work and get executed.
      * The isc_thread_yield() was replaced with usleep(1000); also to allow
        the other threads to do any work.
      * Instead of waiting on just one variable, we wait for multiple
        variables to reach the final value
      * We are wrapping the netmgr operations (connects, reads, writes,
        accepts) with reference counting and waiting for all the callbacks to
        be accounted for.
        This has two effects:
        a) the isc_nm_t is always clean of active sockets and handles when
           destroyed, so it will prevent the spurious INSIST(references == 1)
           from isc_nm_destroy()
        b) the unit test now ensures that all the callbacks are always called
           when they should be called, so any stuck test means that there was
           a missing callback call and it is always a real bug
      These changes allows us to remove the workaround that would not run
      certain tests on systems without port load-balancing.
    • Ondřej Surý's avatar
      Merge branch 'ondrej/call-failed_read-from-tls_error' into 'main' · e8cd3d3c
      Ondřej Surý authored
      Call isc__nm_tlsdns_failed_read on tls_error to cleanup the socket
      See merge request isc-projects/bind9!4824
    • Ondřej Surý's avatar
      Call isc__nm_tlsdns_failed_read on tls_error to cleanup the socket · e4e0e9e3
      Ondřej Surý authored
      In tls_error(), we now call isc__nm_tlsdns_failed_read() instead of just
      stopping timer and reading from the socket.  This allows us to properly
      cleanup any pending operation on the socket.
    • Matthijs Mekking's avatar
      Merge branch 'treysis-filter-a' into 'main' · 085c2e32
      Matthijs Mekking authored
      filter-a plugin
      Closes #2585
      See merge request isc-projects/bind9!4816
    • Matthijs Mekking's avatar
      Add changes for filter-a plugin · 9a256347
      Matthijs Mekking authored
    • treysis's avatar
      Add filter-a plugin for IPv6-dominant environments · 6b2ea006
      treysis authored
      (cherry picked from commit 78f6cd57)
  4. 18 Mar, 2021 13 commits
    • Ondřej Surý's avatar
      Merge branch '2581-oldsize-assertion' into 'main' · 6ae0a905
      Ondřej Surý authored
      Fix memory accounting bug in TLSDNS
      Closes #2581
      See merge request isc-projects/bind9!4809
    • Ondřej Surý's avatar
      Call the isc__nm_failed_connect_cb() early when shutting down · e4b07303
      Ondřej Surý authored
      When shutting down, calling the isc__nm_failed_connect_cb() was delayed
      until the connect callback would be called.  It turned out that the
      connect callback might not get called at all when the socket is being
      shut down.  Call the failed_connect_cb() directly in the
      tlsdns_shutdown() instead of waiting for the connect callback to call it.
    • Ondřej Surý's avatar
      Fix typo in processbuffer() - tcpdns vs tlsdns · 73c574e5
      Ondřej Surý authored
      The processbuffer() would call isc__nm_tcpdns_processbuffer() instead of
      isc__nm_tlsdns_processbuffer() for the isc_nm_tlsdnssocket type of
    • Ondřej Surý's avatar
      Fix memory accounting bug in TLSDNS · 1d64d4cd
      Ondřej Surý authored
      After a partial write the tls.senddata buffer would be rearranged to
      contain only the data tha wasn't sent and the len part would be made
      shorter, which would lead to attempt to free only part of a socket's
      tls.senddata buffer.
    • Ondřej Surý's avatar
      Merge branch 'ondrej/fix-dangling-uvreq-in-tlsdns' into 'main' · 15f676f1
      Ondřej Surý authored
      Fix dangling uvreq when data is sent from tlsdns_cycle()
      See merge request isc-projects/bind9!4820
    • Ondřej Surý's avatar
      Fix dangling uvreq when data is sent from tlsdns_cycle() · 5cc406a9
      Ondřej Surý authored
      The tlsdns_cycle() might call uv_write() to write data to the socket,
      when this happens and the socket is shutdown before the callback
      completes, the uvreq structure was not freed because the callback would
      be called with non-zero status code.
    • Ondřej Surý's avatar
      Merge branch '2573-dont-timeout-when-sending-data' into 'main' · 06913d3d
      Ondřej Surý authored
      Resolve "Fix TCPDNS and TLSDNS timers"
      Closes #2583 and #2573
      See merge request isc-projects/bind9!4807
    • Michal Nowak's avatar
      Merge branch 'v9_17_11-release' into 'main' · 2edba877
      Michal Nowak authored
      Merge 9.17.11 release branch
      See merge request isc-projects/bind9!4818
    • Ondřej Surý's avatar
      Add CHANGES and release note for GL #2573 · 98f74954
      Ondřej Surý authored
    • Ondřej Surý's avatar
      Change the isc_nm_(get|set)timeouts() to work with milliseconds · 36ddefac
      Ondřej Surý authored
      The RFC7828 specifies the keepalive interval to be 16-bit, specified in
      units of 100 milliseconds and the configuration options tcp-*-timeouts
      are following the suit.  The units of 100 milliseconds are very
      unintuitive and while we can't change the configuration and presentation
      format, we should not follow this weird unit in the API.
      This commit changes the isc_nm_(get|set)timeouts() functions to work
      with milliseconds and convert the values to milliseconds before passing
      them to the function, not just internally.
    • Ondřej Surý's avatar
      Merge the common parts between udp, tcpdns and tlsdns protocol · 1ef232f9
      Ondřej Surý authored
      The udp, tcpdns and tlsdns contained lot of cut&paste code or code that
      was very similar making the stack harder to maintain as any change to
      one would have to be copied to the the other protocols.
      In this commit, we merge the common parts into the common functions
      under isc__nm_<foo> namespace and just keep the little differences based
      on the socket type.
    • Ondřej Surý's avatar
      Fix TCPDNS and TLSDNS timers · caa5b654
      Ondřej Surý authored
      After the TCPDNS refactoring the initial and idle timers were broken and
      only the tcp-initial-timeout was always applied on the whole TCP
      This broke any TCP connection that took longer than tcp-initial-timeout,
      most often this would affect large zone AXFRs.
      This commit changes the timeout logic in this way:
        * On TCP connection accept the tcp-initial-timeout is applied
          and the timer is started
        * When we are processing and/or sending any DNS message the timer is
        * When we stop processing all DNS messages, the tcp-idle-timeout
          is applied and the timer is started again
    • Ondřej Surý's avatar
      Add TCP timeouts system test · 64cff61c
      Ondřej Surý authored
      The system tests were missing a test that would test tcp-initial-timeout
      and tcp-idle-timeout.
      This commit adds new "timeouts" system test that adds:
        * Test that waits longer than tcp-initial-timeout and then checks
          whether the socket was closed
        * Test that sends and receives DNS message then waits longer than
          tcp-initial-timeout but shorter time than tcp-idle-timeout than
          sends DNS message again than waits longer than tcp-idle-timeout
          and checks whether the socket was closed
        * Similar test, but bursting 25 DNS messages than waiting longer than
          tcp-initial-timeout and shorter than tcp-idle-timeout than do second
          25 DNS message burst
        * Check whether transfer longer than tcp-initial-timeout succeeds