1. 27 Mar, 2021 1 commit
  2. 26 Mar, 2021 4 commits
  3. 25 Mar, 2021 6 commits
  4. 24 Mar, 2021 2 commits
  5. 22 Mar, 2021 19 commits
    • Merge branch '2488-refresh-keys-after-rndc-rollover' into 'main' · c2c5701d
      Matthijs Mekking authored
      Rekey immediately after rndc checkds/rollover
      Closes #2488
      See merge request !4813
    • Fix some intermittent kasp failures · 82d667e1
      Matthijs Mekking authored
      When calling "rndc dnssec -checkds", it may take some milliseconds
      before the appropriate changes have been written to the state file.
      Add retry_quiet mechanisms to allow the write operation to finish.
      Also retry_quiet the check for the next key event. A "rndc dnssec"
      command may trigger a zone_rekey event and this will write out
      a new "next key event" log line, but it may take a bit longer
      than expected in the tests.
    • Rekey immediately after rndc checkds/rollover · 82f72ae2
      Matthijs Mekking authored
      Call 'dns_zone_rekey' after a 'rndc dnssec -checkds' or 'rndc dnssec
      -rollover' command is received, because such a command may influence
      the next key event. Updating the keys immediately avoids unnecessary
      rollover delays.
      The kasp system test no longer needs to call 'rndc loadkeys' after
      a 'rndc dnssec -checkds' or 'rndc dnssec -rollover' command.
    • Merge branch '2517-cds-dnskey-delete-records-prevent-loading-unsigned-zone' into 'main' · 28923bc6
      Matthijs Mekking authored
      Resolve "CDS and CDNSKEY DELETE records prevent (re-)loading unsigned zone"
      Closes #2517
      See merge request !4810
    • Add CHANGES and notes for [#2517] · 841e90c6
      Matthijs Mekking authored
    • Delete CDS/CDNSKEY records when zone is unsigned · 6f31f62d
      Matthijs Mekking authored
      CDS/CDNSKEY DELETE records are only useful if they are signed,
      otherwise the parent cannot verify these RRsets anyway. So once the DS
      has been removed (and signaled to BIND), we can remove the DNSKEY and
      RRSIG records, and at this point we can also remove the CDS/CDNSKEY
    • Allow CDS/CDNSKEY DELETE records in unsigned zone · f211c7c2
      Matthijs Mekking authored
      While not useful, having a CDS/CDNSKEY DELETE record in an unsigned
      zone is not an error and "named-checkzone" should not complain.
    • Merge branch 'matthijs-test-keymgr2kasp' into 'main' · 052ec16a
      Matthijs Mekking authored
      Test migrating to dnssec-policy
      Closes #2544
      See merge request !4758
    • Retry quiet check keys · d5531df7
      Matthijs Mekking authored
      Change the 'check_keys' function to try three times. Some intermittent
      kasp test failures are because we are inspecting the key files
      before the actual change has happened. The 'retry_quiet' approach allows
      for a bit more time to let the write operation finish.
    • Update copyrights for keymgr2kasp · 923c2a07
      Matthijs Mekking authored
      This MR introduces a new system test 'keymgr2kasp' to test
      migration to 'dnssec-policy'. It moves some existing tests from
      the 'kasp' system test to here.
      Also a common script 'kasp.sh', to be used in kasp specific tests,
      is introduced.
    • Fix keymgr key init bug · 27e7d5f6
      Matthijs Mekking authored
      The 'keymgr_key_init()' function initializes key states if they have
      not been set previously. It looks at the key timing metadata and
      determines using the given times whether a state should be set to
      However, the DNSKEY and ZRRSIG states were mixed up: When looking
      at the Activate timing metadata we should set the ZRRSIG state, and
      when looking at the Published timing metadata we should set the
      DNSKEY state.
    • Test keymgr2kasp state from timing metadata · c40c1ebc
      Matthijs Mekking authored
      Add two test zones that migrate to dnssec-policy. Test if the key
      states are set accordingly given the timing metadata.
      The rumoured.kasp zone has its Publish/Active/SyncPublish times set
      not too long ago so the key states should be set to RUMOURED. The
      omnipresent.kasp zone has its Publish/Active/SyncPublish times set
      long enough to set the key states to OMNIPRESENT.
      Slightly change the init_migration_keys function to set the
      key lifetime to "none" (legacy keys don't have lifetime). Then in the
      test case set the expected key lifetime explicitly.
    • Editorial commit keymgr2kasp test · f6fa2542
      Matthijs Mekking authored
      This commit is somewhat editorial as it does not introduce something
      new nor fix anything.
      The layout in keymgr2kasp/tests.sh has been changed, with the
      intention to make more clear where a test scenario ends and begins.
      The publication time of some ZSKs has been changed. It makes a more
      clear distinction between publication time and activation time.
    • Introduce kasp.sh · ecb073bd
      Matthijs Mekking authored
      Add a script similar to conf.sh to include common functions and
      variables for testing KASP. Currently used in kasp, keymgr2kasp, and
    • Move kasp migration tests to different directory · 53891721
      Matthijs Mekking authored
      The kasp system test was getting pretty large, and more tests are on
      the way. Time to split up. Move tests that are related to migrating
      to dnssec-policy to a separate directory 'keymgr2kasp'.
    • Merge branch '1946-man-page-fixes' into 'main' · ea26306e
      Michał Kępień authored
      Man page fixes
      See merge request !4817
    • Install man page for named-compilezone · 185a1a56
      Michał Kępień authored
      The named-checkzone tool can also be invoked as named-compilezone.  Make
      sure a man page is installed for that alias.  Move and rename the
      "man_named-checkzone" label to prevent a Sphinx duplicate label warning
      from being raised (see commit 84862e96
      for more information).
    • Install named-nzd2nzf man page conditionally · dcab218a
      Michał Kępień authored
      The named-nzd2nzf utility is only built and installed for LMDB-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      named-nzd2nzf.1 man page is also only built and installed for
      LMDB-enabled builds.
    • Install dnstap-read man page conditionally · ceedee07
      Michał Kępień authored
      The dnstap-read utility is only built and installed for dnstap-enabled
      builds.  Adjust the relevant Makefile.am file to make sure the
      dnstap-read.1 man page is also only built and installed for
      dnstap-enabled builds.
  6. 20 Mar, 2021 6 commits
    • Merge branch 'placeholder' into 'main' · d04aa1d4
      Evan Hunt authored
      placeholder for #2575
      See merge request isc-projects/bind9!4828
    • placeholder for #2575 · c452c0a0
      Evan Hunt authored
      Issue #2575 was merged to 9.16 only as change 5603, but a placeholder
      was not added to CHANGES in the main branch. This commit adds the
      placeholder and renumbers the two subsequent changes.
    • Merge branch '2592-dig-clock-realtime' into 'main' · 8e0902b7
      Evan Hunt authored
      Resolve "dig -u is extremely inaccurate, especially on machines with the kernel timer tick set at 100Hz"
      Closes #2592
      See merge request isc-projects/bind9!4826
    • CHANGES · 1933bcf1
      Evan Hunt authored
    • dig: Use high resolution clocks when microsecond accuracy is requested · 56cef149
      Patrick McLean authored
      The TIME_NOW macro calls isc_time_now which uses CLOCK_REALTIME_COARSE
      for getting the current time. This is perfectly fine for millisecond,
      however when the user requests microsecond resolution, they are going
      to get very inaccurate results. This is especially true on a server
      class machine where the clock ticks may be set to 100Hz.
      This changes dig to use the new TIME_NOW_HIRES macro that uses the
      CLOCK_MONOTONIC_RAW that is more expensive, but gets the *actual*
      current time rather than the time at the last kernel time tick.
    • Add isc_time_now_hires function to get current time with high resolution · ebced74b
      Patrick McLean authored
      The current isc_time_now uses CLOCK_REALTIME_COARSE which only updates
      on a timer tick. This clock is generally fine for millisecond accuracy,
      but on servers with 100Hz clocks, this clock is nowhere near accurate
      enough for microsecond accuracy.
      This commit adds a new isc_time_now_hires function that uses
      CLOCK_REALTIME, which gives the current time, though it is somewhat
      expensive to call. When microsecond accuracy is required, it may be
      required to use extra resources for higher accuracy.
  7. 19 Mar, 2021 2 commits