Nicki Křížek [Fri, 24 Oct 2025 14:47:59 +0000 (16:47 +0200)]
Parse DNSKEY into a dnspython type in isctest.kasp.Key.dnskey
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
neccessary parsing is done by dnspython.
Meson boolean options are usually configured with enabled/disabled
instead of on/off. Make things more consistent with other meson options
by renaming -Dnamed-lto=off to -Dnamed-lto=disabled.
Ondřej Surý [Thu, 27 Nov 2025 11:42:09 +0000 (12:42 +0100)]
chg: dev: Use malloc_usable_size()/malloc_size() for memory accounting
Restore usage of malloc_usable_size()/malloc_size(), but this time only
for memory accounting and statistics purposes. This should reduce the
memory footprint in case of compilation without jemalloc as we don't
have to keep track of the allocated memory size ourselves.
Merge branch 'ondrej/use-malloc_usable_size-when-available' into 'main'
Ondřej Surý [Mon, 24 Nov 2025 08:41:31 +0000 (09:41 +0100)]
Use malloc_usable_size()/malloc_size() for memory accounting
Restore usage of malloc_usable_size()/malloc_size(), but this time only
for memory accounting and statistics purposes. This should reduce the
memory footprint in case of compilation without jemalloc as we don't
have to keep track of the allocated memory size ourselves.
Ondřej Surý [Wed, 26 Nov 2025 10:45:03 +0000 (11:45 +0100)]
Enable junk filling via jemalloc option in the CI
Since the filling memory with junk patterns have been removed from ISC
memory context in favor of jemalloc opt.junk option, enable the jemalloc
behaviour by default in the GitLab CI.
As the fetch context reference counting was converted to userspace RCU
reference counting, the ability to debug the reference counting was
lost. Restore the debugging by adding the optional compile-time enabled
debugging output again.
Merge branch 'ondrej/add-tracing-to-fctx-reference-counting' into 'main'
Ondřej Surý [Thu, 23 Oct 2025 11:11:45 +0000 (13:11 +0200)]
Add optional debugging output for fetch context reference counting
As the fetch context reference counting was converted to userspace RCU
reference counting, the ability to debug the reference counting was
lost. Restore the debugging by adding the optional compile-time enabled
debugging output again.
Ondřej Surý [Thu, 27 Nov 2025 09:38:58 +0000 (10:38 +0100)]
chg: nil: Split qctx_destroy() into qctx_deinit() and qctx_destroy()
The qctx_destroy() only needs to be called on allocated memory and
qctx_deinit() needs to be called always. Also remove .allocated member
from the query_ctx_t structure.
Ondřej Surý [Mon, 24 Nov 2025 09:49:18 +0000 (10:49 +0100)]
Split qctx_destroy() into qctx_deinit() and qctx_destroy()
The qctx_destroy() only needs to be called on allocated memory and
qctx_deinit() needs to be called always. Also remove .allocated member
from the query_ctx_t structure.
Ondřej Surý [Thu, 27 Nov 2025 09:37:36 +0000 (10:37 +0100)]
fix: nil: Remove .delegating flag from the qpcache
The .delegating flag was only set, but never used in the dns_qpcache.
Remove it completely together with the code that was locking the node
to set the flag if the added type was DNAME.
Merge branch 'ondrej/remove-delegating-from-qpcache' into 'main'
The .delegating flag was only set, but never used in the dns_qpcache.
Remove it completely together with the code that was locking the node
to set the flag if the added type was DNAME.
Ondřej Surý [Thu, 27 Nov 2025 09:31:57 +0000 (10:31 +0100)]
chg: dev: Use atomics for CMM_{LOAD,STORE}_SHARED with ThreadSanitizer
Upstream has removed the atomics implementation of CMM_LOAD_SHARED and
CMM_STORE_SHARED as these can be used also with non-stdatomics types.
As we only use the CMM api with stdatomics types, we can restore the
previous behaviour to prevent ThreadSanitizer warnings.
Closes #5660
Merge branch '5660-use-atomics-for-CMM-api-with-thread-sanitizer' into 'main'
Ondřej Surý [Wed, 26 Nov 2025 16:10:37 +0000 (17:10 +0100)]
Use atomics for CMM_{LOAD,STORE}_SHARED with ThreadSanitizer
Upstream has removed the atomics implementation of CMM_LOAD_SHARED and
CMM_STORE_SHARED as these can be used also with non-stdatomics types.
As we only use the CMM api with stdatomics types, we can restore the
previous behaviour to prevent ThreadSanitizer warnings.
Andoni Duarte [Wed, 26 Nov 2025 14:06:24 +0000 (14:06 +0000)]
chg: ci: Fix wiki.wireshark.org links in doc/arm
Fix the broken link https://wiki.wireshark.org/TLS#tls-decryption to
simply https://wiki.wireshark.org/TLS. The links in the wireshark
wiki have been updated somewhen after october 2025 as shown by
https://web.archive.org/web/20251008165051/https://wiki.wireshark.org/TLS#tls-decryption and https://wiki.wireshark.org/TLS.
Merge branch 'andoni/fix-wireshark-links-in-doc-arm' into 'main'
Fix the broken link https://wiki.wireshark.org/TLS#tls-decryption.
Since their TOC also has the wrong anchor, we remove it altogether,
i.e. https://wiki.wireshark.org/TLS.
Nicki Křížek [Fri, 21 Nov 2025 14:05:36 +0000 (15:05 +0100)]
Increase the threshold for respdiff-third-party
There are multiple reasons for the increased amount of differences we've
been seeing lately and for the raise of the threshold:
1. Recent hardening against cache poisoning (CVE-2025-40778) have
uncovered a few edge cases where the domain can't be properly
resolved with the new protections in place, but those are issues with
upstream configuration and DNS setup.
2. The same hardening magnified some behaviour differences between 9.21
and older versions. Some misconfigured domains, which can be resolved
with BIND 9.20 and older are no longer resolvable in 9.21+. This can
be again attributed to upstream DNS misconfiguration. See #5649.
3. A change in the respdiff CI job to include timeouts in the
comparison, or rather, increasing the timeouts to resolve the
previously timed out queries, which are typically failures. With the
previous job configuration, those were omitted from comparison,
because they were timeouts. Now, there should be no timeouts, but
there is a slight increase in the amount of differences for the
threshold evaluation.
Nicki Křížek [Fri, 21 Nov 2025 13:35:57 +0000 (14:35 +0100)]
Set stricter respdiff:recent-named threshold
This job is testing the current BIND implementation against the latest
released version. Unless there has been a behaviour change, there should
be no difference.
In practice, there is a small number of differences caused by upstream
discrepencies. Some of those cause "upstream unstable" answers which are
excluded from the results, but statistically, some of those will end up
being detected as differences on the resolver under test.
Currently, there seems to be about 300 upstream unstable answers with
typically around 50-60 differences. Setting the threshold to 0.1 should
be stable enough to pass if there are no changes, yet sensitive enough
to detect even fairly small changes to behaviour.
Matthijs Mekking [Mon, 24 Nov 2025 13:23:21 +0000 (13:23 +0000)]
fix: usr: Fix bug where zone switches from NSEC3 to NSEC after retransfer
When a zone is re-transferred, but the zone journal on an inline-signing secondary is out of sync, the zone could fall back to using NSEC records instead of NSEC3. This has been fixed.
Closes #5527
Merge branch '5527-retransfer-nsec3-bug' into 'main'
When synchronizing the secure database, we skip DNSSEC records that
BIND 9 maintains with inline-signing. We should also skip private
RDATA type records that are used to track the current state of a
zone-signing process.
If the primary has been updated, but the secondary has not been
notified, the journal will go out of date. An 'rndc retransfer' causes
the zone to force an AXFR, removing and rebuilding zone and journal
files.
This test reproduces a bug that in such scenario, an NSEC3 signed zone
falls back to NSEC.
Colin Vidal [Sat, 22 Nov 2025 03:51:30 +0000 (04:51 +0100)]
fix: nil: Do not log no root hints of _bind chaos view
The "no root hints for view X" message must not be shown for the default
_bind/CH view. However, it is shown since 27c4f68dcc1 (part of effective
configuration changes).
The reason is that since 27c4f68dcc1, `configure_views()` now processes
a single list of views, which contains both builtin and user views as
they are both part of the effective configuration. The changes omit the
(now removed, since 6b5f714e53) `need_hints` bool that was disabling the
warning for the builtin view (_bind/CH).
This disable that log again when configuring _bind/CH view.
Merge branch 'colin/nohintswarn-bindchaos' into 'main'
Colin Vidal [Fri, 21 Nov 2025 14:07:54 +0000 (15:07 +0100)]
do not log "no root hints for view '_bind'"
The "no root hints for view X" message must not be shown for the default
_bind/CH view. However, it is shown since 27c4f68dcc1 (part of effective
configuration changes).
The reason is that since 27c4f68dcc1, `configure_views()` now processes
a single list of views, which contains both builtin and user views as
they are both part of the effective configuration. Those changes omitted
the `need_hints` bool that disabled the warning for the builtin view.
This commit silences the log message again.
Evan Hunt [Fri, 21 Nov 2025 21:18:25 +0000 (21:18 +0000)]
chg: dev: add dns_message functions to set EDNS options
The new `dns_message_ednsinit()` and `dns_message_ednsaddopt()` functions
allow EDNS options to be added to a message one at a time; it is no
longer necessary to construct a full array of EDNS options and set
them all at once.
This allows us to simplify EDNS option handling code, and in the
future it wlil allow plugins to add EDNS options to existing
messages.
Merge branch 'each-refactor-message-edns' into 'main'
Evan Hunt [Fri, 21 Nov 2025 07:33:29 +0000 (23:33 -0800)]
remove dns_message_buildopt
now that the EDNS state is stored within dns_message_t, it's no longer
necessary to have a public API call to build an opt rdataset; we can
just have dns_message_setopt() build the opt record internally.
Evan Hunt [Wed, 19 Nov 2025 07:29:12 +0000 (23:29 -0800)]
add dns_message API to add EDNS options
The new dns_message_ednsinit() and dns_message_ednsaddopt() functions
allow EDNS options to be added to a message one at a time; it is no
longer necessary to construct a full array of EDNS options and set
them all at once.
This allows us to simplify EDNS option handling code, and in the
future it wlil allow plugins to add EDNS options to existing
messages.
Nicki Křížek [Thu, 20 Nov 2025 17:09:58 +0000 (18:09 +0100)]
Only render required zones in config for nsec3 tests
When all zones are configured, regardless of whether the test module
actually uses them, it makes debugging the logs needlessly more
complicated, as there is a bunch of stuff going on that is completely
unrelated to the test.
Define a list of tested zones in each test module and only render the
named.conf with those zones defined.
1. A zone that previously failed to load is now fixed. Make sure the
zone is signed correctly with the right NSEC3 parameters.
2. Test case to ensure the salt is the same after a restart, i.e. no
re-salting takes place. Previously we only tested with salt length
0, this commit adds a test case for salt length 8 as well.
This converts the nsec3 system test cases after to reconfiguring the
name server.
Two extra test for nsec3-change.kasp is updated. It depends on the
zone being updated, and a reconfig. This test code is moved to
tests_nsec3_reconfig.py.
Furthermore, an additional 'rndc signing -nsec3param' error test
case has been added.
Change the named.conf templating to make use of jinja template
rendering. The ns2 server is trivial. The ns3 server configuration
structure has changed:
The common configuration is moved out of named-fips.conf.
The main named.conf file is in named.conf.j2. It always includes the
common part, named-common.conf.j2, and the FIPS part,
named-fips.conf.j2.
The named-fips.conf.j2 and named-rsasha1.conf.j2 templates are
rendered differently depending on the reconfiged status. Mainly the
dnssec-policy for zones are different after reconfiguration, but there
are some other changes to, for example some zones change their
inline-signing setting.
Some zones only exist prior or after the configuration.
Finally, this is a bit hackish: If RSASHA1 is supported, named.conf
includes "named-rsasha1.conf", otherwise it includes the deliberately
empty "named-rsasha0.conf".
This converts all the nsec3 system test cases prior to reconfiguring the
name server. There are two main classes, one that tests the zone is
correctly signed with NSEC, the other with NSEC3.
Two extra tests for nsec3-dynamic-update-inline.kasp and
nsec3-change.kasp are also rewritten. For the former, we need to
change the 'nsupdate' definition to be able to set the expected RCODE.
The merging of the user options and defaults into the effective configuration broke the mutual inheritance of the `allow-recursion`, `allow-query`, and `allow-query-cache` ACLs, and of the `allow-recursion-on` and `allow-query-cache-on` ACLs. This has been fixed.
Closes #5647
Merge branch '5647-allow-recursion-inheritance' into 'main'
Evan Hunt [Thu, 20 Nov 2025 06:09:53 +0000 (22:09 -0800)]
fix ACL settings when merging views
when merging view objects into the effective configuration, add
allow-query-cache, allow-recursion, allow-query-cache-on and
allow-recursion-on ACLs as needed to reflect the way those
options inherit from each other.
this means the effective configuration is now correct for each
view. ACLs no longer need to be corrected when applying the
configuration, and the actual effective ACL values will be
displayed in "rndc showconf" and "named-checkconf -pe".
Evan Hunt [Thu, 20 Nov 2025 01:52:39 +0000 (17:52 -0800)]
fix allow-recursion/allow-query-cache inheritance
the merging of options and defaults into the effective configuration
broke the mutual inheritance of the allow-recursion, allow-query, and
allow-query-cache ACLs, and of the allow-recursion-on and
allow-query-cache-on ACLs.
this has been corrected by adding a 'cloned' flag to the cfg_obj
structure to indicate whether it was configured explicitly or
cloned from the defaults during parsing. we can then adjust the
ACLs while configuring a view, favoring user-configured values
when they're available over cloned defaults.
currently the adjustments to the ACLs are done in configure_view();
later they'll be moved into the effective configuration and this
special handling can be removed.
Evan Hunt [Thu, 20 Nov 2025 00:35:31 +0000 (16:35 -0800)]
add a test for allow-recursion/allow-query-cache inheritance
allow-recursion is set to "none" in the options block and to
"any" in the view. allow-query-cache in the view should inherit
the "any", not the "none". (currently this test does not pass.)
Colin Vidal [Thu, 20 Nov 2025 17:52:29 +0000 (18:52 +0100)]
fix: dev: Attach socket before async streamdns_resume_processing
Call to `streamdns_resume_processing` is asynchronous but the socket
passed as argument is not attached when scheduling the call.
While there is no reproducible way (so far) to make the socket reference
number down to 0 before `streamdns_resume_processing` is called, attach
the socket before scheduling the call. This guard against an hypothetic
case where, for some reasons, the socket refcount would reach 0, and be
freed from memory when `streamdns_resume_processing` is called.
Closes #5620
Merge branch '5620-attach-socket-streamdns_resume_processing' into 'main'
Colin Vidal [Tue, 18 Nov 2025 09:31:24 +0000 (10:31 +0100)]
attach socket before async streamdns_resume_processing
Call to `streamdns_resume_processing` is asynchronous but the socket
passed as argument is not attached when scheduling the call.
While there is no reproducible way (so far) to make the socket reference
number down to 0 before `streamdns_resume_processing` is called, attach
the socket before scheduling the call. This guard against an hypothetic
case where, for some reasons, the socket refcount would reach 0, and be
freed from memory when `streamdns_resume_processing` is called.
Ondřej Surý [Thu, 20 Nov 2025 12:32:42 +0000 (13:32 +0100)]
chg: usr: Reduce the number of outgoing queries
Reduces the number of outgoing queries when resolving the nameservers
for delegation points. This helps the DNS resolver with cold cache
resolve client queries with complex delegation chains and redirections.
Merge branch 'ondrej/fctx_getaddresses' into 'main'
Ondřej Surý [Wed, 19 Nov 2025 07:57:09 +0000 (08:57 +0100)]
Refactor fctx_getaddresses() into couple smaller functions
The fctx_getaddresses() was lengthy and little bit confusing with
goto statements. Split the single function into smaller parts:
one for forwarders, one for nameservers and one for alternates.
Ondřej Surý [Thu, 23 Oct 2025 11:11:45 +0000 (13:11 +0200)]
Reduce the number of outgoing queries
The dns_resolver mode of operation is to resolve all the domains as it
iterates the DNS tree to fill up the cache as quickly as possible.
This commit reduces the number of outgoing queries by reducing the
number of remote fetches started for the nameserver addresses resolution
via dns_adb_createfind() to a smaller number per depth of the recursion
since the delegation point (3 2 1 0) - where 0 means only create fetch
on demand if we don't have any addresses yet.
Mark Andrews [Thu, 20 Nov 2025 08:46:10 +0000 (19:46 +1100)]
fix: usr: AMTRELAY type 0 presentation format handling was wrong
RFC 8777 specifies a placeholder value of "." for the gateway field when the
gateway type is 0 (no gateway). This was not being checked for nor emitted
when displaying the record. This has been corrected.
Instances of this record will need the placeholder period added to them when upgrading.
Closes #5639
Merge branch '5639-fix-atmrelay-type-0-support' into 'main'
Colin Vidal [Tue, 18 Nov 2025 11:16:39 +0000 (12:16 +0100)]
chg: dev: Remove exclusive mode when scheduling zone load
Remove exclusive mode when scheduling the zone load, as it is no longer necessary;
data that can be read or written by multiple threads are locked or atomic.
The detection of the post zone DB loading logic has been refactored
to take into account the fact that zone databases may be loaded before the
function scheduling the loads.
Merge branch 'colin/remove-exclusive-zone-load' into 'main'
Colin Vidal [Mon, 10 Nov 2025 14:14:44 +0000 (15:14 +0100)]
refactor detection of zone DB load completion
Because the asynchronous loading logic expected all jobs to be scheduled
then to be run (because it used to be scheduled during the exclusive
mode) and because all jobs are scheduled on various threads, there were
random situations where load_zones() would return after the scheduled
DB zone loading actually ran. In such cases, the zl->refs ref counter
in view_loaded() wouldn't go down to 0 and the remaining task to do
once all zones were loaded was never called. In particular,
server->reload_status kept the NAMED_RELOAD_PENDING state.
This problem is fixed by handling zoneload_t as a ref-counted object,
shared between load_zones() and each instance of scheduled zone DB
loading. Its destructor function is actually the content of
view_loaded() in the case the zt->refs went to 0. This ensures a
correct post-loading routine to be called once the last load is done.
Colin Vidal [Mon, 10 Nov 2025 11:07:18 +0000 (12:07 +0100)]
harden configloading system test
The configloading system script attempts multiple `rndc
{reconfig,reload}` commands without ensuring the system left
exclusive mode; which normally raise an RNDC error as the server is
currently reloading already. This used to work because the request was
enqueued while the server was in exclusive mode, and was processed
after the server `reload_status` was reset to `NAMED_RELOAD_DONE`.
Due to the fact the exclusive mode is not retaken after
`apply_configuration()` by `load_zones()`, the scheduling of
pending tasks is changed and, regularly, the RNDC command sent by the
test is processed before `NAMED_RELOAD_DONE` is set. This is the same
kind of issue the views system tests had, solved by
`4b2dcb3128fbd5af4609a5a73aeeee1f93bde237`
Fix the problem by waiting for a log line matching the end of
the reloading phase.
Colin Vidal [Mon, 10 Nov 2025 12:11:05 +0000 (13:11 +0100)]
set `reload_status` to fail before logging it
The `reload_status` is set to `NAMED_RELOAD_FAILED` after the log line is
printed about this change. Update `reload_status` first, to avoid
(unlikely) case where a test waiting for this log line would attempt a
RNDC reload query but it would be processed by `named` before the status
is updated.
Colin Vidal [Mon, 10 Nov 2025 08:49:06 +0000 (09:49 +0100)]
remove exclusive mode when scheduling zone load
Remove the exclusive mode when scheduling the zone load right after
(re)loading `named` configuration, as there is no reason anymore to
schedule zone loading while the exclusive lock is held. Data which can
be read or written by multiple threads are locked or atomic.
Colin Vidal [Tue, 18 Nov 2025 10:04:49 +0000 (11:04 +0100)]
chg: usr: Enforce bounds of prefetch configuration option
The prefetch configuration option now enforces boundaries. The configuration (including when using `named-checkconf`) now fails if the trigger (first value) is above 10, and if the eligibility (second optional value) isn't at least six seconds greater than the trigger value.
Merge branch 'colin/prefetch-enforcebounds' into 'main'
Colin Vidal [Mon, 17 Nov 2025 11:33:48 +0000 (12:33 +0100)]
enforces bounds of prefetch statement
The prefetch statement now enforces its bounds. The configuration
(including `named-checkconf`) now fails if the trigger (first value) is
above 10, or if the eligibility (second optional value) isn't at least
six seconds more than the trigger value.
Colin Vidal [Tue, 18 Nov 2025 09:08:57 +0000 (10:08 +0100)]
chg: usr: Enforces the fact that catalog-zone can not be used in non IN views
Catalog-zones can't be used in a view which is not from the IN class.
This is now enforced as the server won't load (instead of loading
without the catalog-zone) if such configuration is detected. This
configuration error is now also caught by `named-checkconf`.
Merge branch 'colin/catz-enforce-non-in' into 'main'
Colin Vidal [Mon, 17 Nov 2025 16:00:27 +0000 (17:00 +0100)]
enforces that catalog-zone can't be used in non IN views
Catalog-zones can't be used in view which are not from the IN class.
This is now enforced as the server won't load (instead of loading
without the catalog-zone). This configuration error is now also caught
by `named-checkconf`.
Colin Vidal [Mon, 17 Nov 2025 14:23:58 +0000 (15:23 +0100)]
remove need_hints parameters to configure_view
The `configure_view()` `need_hints` is removed as it this function was
always called with the value `true`.
The `need_hints` wasn't even used in the function. The only thing it was
actually used was to throw a warning which can be done simply in an
`else` condition branch.
Moreoever, in the case of catalog zones and response-policy, it fixes a
possible bug that would affect root zones, as those wouldn't be reverted
back to their previous version in case of the view fails to load
(during a server reconfiguration).
Colin Vidal [Tue, 18 Nov 2025 08:16:57 +0000 (09:16 +0100)]
chg: dev: No effective config as text if allow-new-zones is yes
Do not save the text version of the effective configuration when
`allow-new-zones` is enabled, as in that case the object tree can
be printed on demand, reducing unnecessary memory consumption.
Merge branch 'colin/no-effective-config-as-text-allownewzones' into 'main'
Colin Vidal [Mon, 17 Nov 2025 10:06:34 +0000 (11:06 +0100)]
no effective config as text if allow-new-zones is yes
Do not save the textual version of the effective configuration when
`allow-new-zones` is enabled, as it can be printed on-demand. This
enable to reduce the memory footprint of ~70MB on huge configurations
(1M zones).
Colin Vidal [Thu, 13 Nov 2025 14:33:02 +0000 (15:33 +0100)]
fix: dev: Remove holes in `dns_zoneflg_t` enum
The `dns_zoneflg_t` enum defined multiple possible flags for a zone, but
contains numerous holes (likely from flag removed in the past). This
fixes the holes, and use a bit-shift and decimal notation to make holes
easier to spot.
Merge branch 'colin/remove-zoneflag-holes' into 'main'
Colin Vidal [Fri, 31 Oct 2025 09:32:53 +0000 (10:32 +0100)]
remove holes in `dns_zoneflg_t` enum
`dns_zoneflg_t` enum defined multiple possible flags for a zone, but
contains numerous holes (likely from flag removed in the past). This
fixes the holes, and use a bit-shift and decimal notation to make holes
easier to spot.
Colin Vidal [Wed, 12 Nov 2025 10:40:33 +0000 (11:40 +0100)]
fix: dev: Save configuration as text
A `cfg_obj_t` object tree structure takes up considerably more space than the equivalent canonical text. If `allow-new-zones` is disabled and catalog zones are not in use, then we don't need the object tree. By storing the configuration in text format, we can use less memory, and `rndc showconf` and `rndc showzone` still work.
Evan Hunt [Wed, 12 Nov 2025 02:50:23 +0000 (18:50 -0800)]
save effective configuration as text
the effective configuration tree is now detached if allow-new-zones
or catalog-zones aren't enabled in any views. this reduces memory
consumption while still allowing "rndc showconf -effective" to work.
Evan Hunt [Tue, 11 Nov 2025 23:46:23 +0000 (15:46 -0800)]
save zone configuration as text
as previously mentioned in commit c65b2868ab, a cfg_obj_t
configuration tree structure takes up considerably more space than
the canonical text. since the zone configuration saved in the zone
object using dns_zone_setcfg() is only currently used for "rndc
showzone", it can be saved as text more efficiently than as an
object tree. (and, if a tree were needed, the text could be
re-parsed quickly; zone configuration text is generally small.)
Colin Vidal [Wed, 15 Oct 2025 13:35:59 +0000 (15:35 +0200)]
check-cocci fails in WARNING is found on stderr
As the implicit cast check print "WARNING: ..." on stderr, add a pattern
to make sure that check-cocci would fails if such warning is found on
stderr. This is generic (not specific like the existing "parse error")
so it should be able to support future Coccinelle spatch warnings.
Colin Vidal [Tue, 14 Oct 2025 11:31:44 +0000 (13:31 +0200)]
mdig: fix implicit bool to int cast
The `display_rrcomments` is a tri-state (-1, 0, 1) which is (in some
cases) initialized with `state`, a boolean, through an implicit cast.
This was spot by Coccinelle. Remove the implcit cast by explicitly
assigning 0 or 1 to `display_rrcomments` based on `state` value.
Nicki Křížek [Mon, 10 Nov 2025 15:21:52 +0000 (16:21 +0100)]
new: test: Add isctest.check.ede() helper for pytest
Add a utility function to check for EDE codes present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Merge branch 'nicki/isctest-check-ede-helper' into 'main'
Nicki Křížek [Thu, 30 Oct 2025 17:12:25 +0000 (18:12 +0100)]
Use new EDE helper in existing system tests
Previously, hasattr("extended_errors") was used as a check to detect a
mimumum required dnspython version in order to only perform the EDE
check if a new-enough dnspython was present. This is now abstracted into
isctest.check.ede().
In order to support dnspython<2.2.0, use isctest.compat.EDECode rather
than using dns.edns.EDECode directly.
Nicki Křížek [Thu, 30 Oct 2025 17:08:01 +0000 (18:08 +0100)]
Add isctest.check.ede() helper for pytest
Add a utility function to check for EDE options present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Rather than using the convenience .extended_errors() method
introduced in dnspython 2.7.0, iterate over the options and find
EDEOption types, which is supported from 2.2.0 onwards.
To work around the issue of using dns.edns.EDECode to specify EDE codes
in our tests, create an isctest.compat.EDECode wrapper. This can be used
even with dnspython versions prior to 2.2.0 and will simply result in
no-op, since EDE isn't supported in the older dnspython anyway.
Colin Vidal [Fri, 7 Nov 2025 14:46:15 +0000 (15:46 +0100)]
fix: test: Rewrite views/addzone in loop system test
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
Closes #5617
Merge branch '5617-rewrite-reload-view-test' into 'main'
Colin Vidal [Fri, 7 Nov 2025 09:45:09 +0000 (10:45 +0100)]
rewrite views/addzone in loop system test
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
projects / thirdparty / bind9.git / log
