1. 22 Mar, 2021 15 commits
    • Add CHANGES and notes for [#2517] · 841e90c6
      Matthijs Mekking authored
    • Delete CDS/CDNSKEY records when zone is unsigned · 6f31f62d
      Matthijs Mekking authored
      CDS/CDNSKEY DELETE records are only useful if they are signed,
      otherwise the parent cannot verify these RRsets anyway. So once the DS
      has been removed (and signaled to BIND), we can remove the DNSKEY and
      RRSIG records, and at this point we can also remove the CDS/CDNSKEY
    • Allow CDS/CDNSKEY DELETE records in unsigned zone · f211c7c2
      Matthijs Mekking authored
      While not useful, having a CDS/CDNSKEY DELETE record in an unsigned
      zone is not an error and "named-checkzone" should not complain.
    • Merge branch 'matthijs-test-keymgr2kasp' into 'main' · 052ec16a
      Matthijs Mekking authored
      Test migrating to dnssec-policy
      Closes #2544
      See merge request isc-projects/bind9!4758
    • Retry quiet check keys · d5531df7
      Matthijs Mekking authored
      Change the 'check_keys' function to try three times. Some intermittent
      kasp test failures are because we are inspecting the key files
      before the actual change has happened. The 'retry_quiet' approach allows
      for a bit more time to let the write operation finish.
    • Update copyrights for keymgr2kasp · 923c2a07
      Matthijs Mekking authored
      This MR introduces a new system test 'keymgr2kasp' to test
      migration to 'dnssec-policy'. It moves some existing tests from
      the 'kasp' system test to here.
      Also a common script 'kasp.sh', to be used in kasp specific tests,
      is introduced.
    • Fix keymgr key init bug · 27e7d5f6
      Matthijs Mekking authored
      The 'keymgr_key_init()' function initializes key states if they have
      not been set previously. It looks at the key timing metadata and
      determines using the given times whether a state should be set to
      However, the DNSKEY and ZRRSIG states were mixed up: When looking
      at the Activate timing metadata we should set the ZRRSIG state, and
      when looking at the Published timing metadata we should set the
      DNSKEY state.
    • Test keymgr2kasp state from timing metadata · c40c1ebc
      Matthijs Mekking authored
      Add two test zones that migrate to dnssec-policy. Test if the key
      states are set accordingly given the timing metadata.
      The rumoured.kasp zone has its Publish/Active/SyncPublish times set
      not too long ago so the key states should be set to RUMOURED. The
      omnipresent.kasp zone has its Publish/Active/SyncPublish times set
      long enough to set the key states to OMNIPRESENT.
      Slightly change the init_migration_keys function to set the
      key lifetime to "none" (legacy keys don't have lifetime). Then in the
      test case set the expected key lifetime explicitly.
    • Editorial commit keymgr2kasp test · f6fa2542
      Matthijs Mekking authored
      This commit is somewhat editorial as it does not introduce something
      new nor fix anything.
      The layout in keymgr2kasp/tests.sh has been changed, with the
      intention to make more clear where a test scenario ends and begins.
      The publication time of some ZSKs has been changed. It makes a more
      clear distinction between publication time and activation time.
    • Introduce kasp.sh · ecb073bd
      Matthijs Mekking authored
      Add a script similar to conf.sh to include common functions and
      variables for testing KASP. Currently used in kasp, keymgr2kasp, and
    • Move kasp migration tests to different directory · 53891721
      Matthijs Mekking authored
      The kasp system test was getting pretty large, and more tests are on
      the way. Time to split up. Move tests that are related to migrating
      to dnssec-policy to a separate directory 'keymgr2kasp'.
    • Merge branch '1946-man-page-fixes' into 'main' · ea26306e
      Michał Kępień authored
      Man page fixes
      See merge request isc-projects/bind9!4817
    • Install man page for named-compilezone · 185a1a56
      Michał Kępień authored
      The named-checkzone tool can also be invoked as named-compilezone.  Make
      sure a man page is installed for that alias.  Move and rename the
      "man_named-checkzone" label to prevent a Sphinx duplicate label warning
      from being raised (see commit 84862e96
      for more information).
    • Install named-nzd2nzf man page conditionally · dcab218a
      Michał Kępień authored
      The named-nzd2nzf utility is only built and installed for LMDB-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      named-nzd2nzf.1 man page is also only built and installed for
      LMDB-enabled builds.
    • Install dnstap-read man page conditionally · ceedee07
      Michał Kępień authored
      The dnstap-read utility is only built and installed for dnstap-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      dnstap-read.1 man page is also only built and installed for
      dnstap-enabled builds.
  2. 20 Mar, 2021 6 commits
    • Merge branch 'placeholder' into 'main' · d04aa1d4
      Evan Hunt authored
      placeholder for #2575
      See merge request isc-projects/bind9!4828
    • placeholder for #2575 · c452c0a0
      Evan Hunt authored
      Issue #2575 was merged to 9.16 only as change 5603, but a placeholder
      was not added to CHANGES in the main branch. This commit adds the
      placeholder and renumbers the two subsequent changes.
    • Merge branch '2592-dig-clock-realtime' into 'main' · 8e0902b7
      Evan Hunt authored
      Resolve "dig -u is extremely inaccurate, especially on machines with the kernel timer tick set at 100Hz"
      Closes #2592
      See merge request isc-projects/bind9!4826
    • CHANGES · 1933bcf1
      Evan Hunt authored
    • dig: Use high resolution clocks when microsecond accuracy is requested · 56cef149
      Patrick McLean authored
      The TIME_NOW macro calls isc_time_now which uses CLOCK_REALTIME_COARSE
      for getting the current time. This is perfectly fine for millisecond,
      however when the user requests microsecond resolution, they are going
      to get very inaccurate results. This is especially true on a server
      class machine where the clock ticks may be set to 100HZ.
      This changes dig to use the new TIME_NOW_HIRES macro that uses the
      CLOCK_MONOTONIC_RAW that is more expensive, but gets the *actual*
      current time rather than the time at the last kernel time tick.
    • Add isc_time_now_hires function to get current time with high resolution · ebced74b
      Patrick McLean authored
      The current isc_time_now uses CLOCK_REALTIME_COARSE which only updates
      on a timer tick. This clock is generally fine for millisecond accuracy,
      but on servers with 100hz clocks, this clock is nowhere near accurate
      enough for microsecond accuracy.
      This commit adds a new isc_time_now_hires function that uses
      CLOCK_REALTIME, which gives the current time, though it is somewhat
      expensive to call. When microsecond accuracy is required, it may be
      required to use extra resources for higher accuracy.
  3. 19 Mar, 2021 9 commits
    • Merge branch '2416-improve-netmgr-unit-tests-reliability' into 'main' · bee4ee93
      Ondřej Surý authored
      Improve reliability of the netmgr unit tests
      Closes #2455 and #2416
      See merge request isc-projects/bind9!4628
    • Require CMocka >= 1.1.3 to run the unit tests · d96c94d7
      Ondřej Surý authored
      In CMocka versions << 1.1.3, the skip() function would cause the whole
      unit test to abort when CMOCKA_TEST_ABORT is set.  As this is a problem
      only in Debian 9 Stretch and Ubuntu 16.04 Xenial, we just require the
      CMocka >= 1.1.3 and disable the unit testing on Debian 9 Stretch until
      we can pull the libcmocka-dev from stretch-backports and remove the
      Ubuntu 16.04 Xenial from the CI as it is reaching End of Standard
      Support at the end of April 2021.
    • Fix compilation with NETMGR_TRACE(_VERBOSE) enabled on non-Linux · d016ea74
      Ondřej Surý authored
      When NETMGR_TRACE(_VERBOSE) is enabled, the build would fail on some
      non-Linux non-glibc platforms because:
        * Use <stdint.h> print macros because uint_fast32_t is not always
          unsigned long
        * The header <execinfo.h> is not available on non-glibc, thus commit
          adds dummy backtrace() and backtrace_symbols_fd() functions for
          platforms without HAVE_BACKTRACE
    • Improve reliability of the netmgr unit tests · 42e4e3b8
      Ondřej Surý authored
      The netmgr unit tests were designed to push the system limits to maximum
      by sending as many queries as possible in the busy loop from multiple
      threads.  This mostly works with UDP, but in the stateful protocol where
      establishing the connection takes more time, it failed quite often in
      the CI.  On FreeBSD, this happened more often, because the socket() call
      would fail spuriously making the problem even worse.
      This commit does several things to improve reliability:
      * return value of isc_nm_<proto>connect() is always checked and retried
        when scheduling the connection fails
      * The busy while loop has been slowed down with usleep(1000); so the
        netmgr threads could schedule the work and get executed.
      * The isc_thread_yield() was replaced with usleep(1000); also to allow
        the other threads to do any work.
      * Instead of waiting on just one variable, we wait for multiple
        variables to reach the final value
      * We are wrapping the netmgr operations (connects, reads, writes,
        accepts) with reference counting and waiting for all the callbacks to
        be accounted for.
        This has two effects:
        a) the isc_nm_t is always clean of active sockets and handles when
           destroyed, so it will prevent the spurious INSIST(references == 1)
           from isc_nm_destroy()
        b) the unit test now ensures that all the callbacks are always called
           when they should be called, so any stuck test means that there was
           a missing callback call and it is always a real bug
      These changes allow us to remove the workaround that would not run
      certain tests on systems without port load-balancing.
    • Merge branch 'ondrej/call-failed_read-from-tls_error' into 'main' · e8cd3d3c
      Ondřej Surý authored
      Call isc__nm_tlsdns_failed_read on tls_error to cleanup the socket
      See merge request isc-projects/bind9!4824
    • Call isc__nm_tlsdns_failed_read on tls_error to cleanup the socket · e4e0e9e3
      Ondřej Surý authored
      In tls_error(), we now call isc__nm_tlsdns_failed_read() instead of just
      stopping timer and reading from the socket.  This allows us to properly
      cleanup any pending operation on the socket.
    • Merge branch 'treysis-filter-a' into 'main' · 085c2e32
      Matthijs Mekking authored
      filter-a plugin
      Closes #2585
      See merge request isc-projects/bind9!4816
    • Add changes for filter-a plugin · 9a256347
      Matthijs Mekking authored
    • Add filter-a plugin for IPv6-dominant environments · 6b2ea006
      treysis authored
      (cherry picked from commit 78f6cd57e1cc166823415438fe2d19a324cf7a67)
  4. 18 Mar, 2021 10 commits