Evan Hunt [Fri, 14 Mar 2025 02:57:24 +0000 (19:57 -0700)]
Remove -n option from dnssec-keygen/keyfromlabel
The -n (nametype) option for keys defaults to ZONE for DNSKEY
type keys, and HOST for KEY type keys. There is currently no
practical reason to use any other name type; we can simplify
things by removing the option.
Evan Hunt [Thu, 13 Mar 2025 19:20:55 +0000 (12:20 -0700)]
Remove -t option from dnssec-keygen/keyfromlabel
The key type flag (indicating whether a key is valid for
authentication, confidentiality, or both) is essentially
unused. By default, all DNSKEY and KEY records are valid
for both uses. Non-authenticating DNSKEY records are undefined
and meaningless, and validity checks for flags in KEY records
are sporadic at best.
We can simplify the parameters to dnssec-keygen by removing
the -t option completely.
Michal Nowak [Tue, 25 Mar 2025 15:52:47 +0000 (15:52 +0000)]
fix: test: Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:
I:Check HTTP/1.1 keep-alive with truncated stream (21)
curl: option --header: error encountered when reading a file
curl: try 'curl --help' or 'curl --manual' for more information
Also, see https://github.com/curl/curl/pull/16572.
Closes #5249
Merge branch '5249-statschannel-limit-http-header-size' into 'main'
Michal Nowak [Tue, 25 Mar 2025 13:14:52 +0000 (14:14 +0100)]
Limit X-Bloat header size to 100KB
Otherwise curl 8.13 rejects the line with:
I:Check HTTP/1.1 keep-alive with truncated stream (21)
curl: option --header: error encountered when reading a file
curl: try 'curl --help' or 'curl --manual' for more information
Also, see https://github.com/curl/curl/pull/16572.
Ondřej Surý [Tue, 25 Mar 2025 09:58:09 +0000 (09:58 +0000)]
rem: dev: Remove lock upgrading from the hot path in the QP cache
In QPcache, there were two places that tried to upgrade the lock. In `clean_stale_header()`, the code would try to upgrade the lock and clean up the header, and in `qpzonode_release()`, the tree lock would be optionally upgraded, so we can clean up the node directly if empty. These
optimizations are not needed and they have no effect on the performance.
Merge branch 'ondrej/no-lock-upgrade-in-check_stale_headers' into 'main'
Ondřej Surý [Fri, 21 Mar 2025 02:06:16 +0000 (03:06 +0100)]
Remove lock upgrading from the hot path in the cache
In QPcache, there were two places that tried to upgrade the lock. In
clean_stale_header(), the code would try to upgrade the lock and cleanup
the header, and in qpzonode_release(), the tree lock would be optionally
upgraded, so we can cleanup the node directly if empty. These
optimizations are not needed and they have no effect on the performance.
Evan Hunt [Tue, 25 Mar 2025 06:39:07 +0000 (06:39 +0000)]
fix: usr: Don't enforce NOAUTH/NOCONF flags in DNSKEYs
All DNSKEY keys are able to authenticate. The `DNS_KEYTYPE_NOAUTH` (and `DNS_KEYTYPE_NOCONF`) flags were defined for the KEY rdata type, and are not applicable to DNSKEY. Previously, however, because the DNSKEY implementation was built on top of KEY, the `_NOAUTH` flag prevented authentication in DNSKEYs as well. This has been corrected.
Closes #5240
Merge branch '5240-ignore-noauth-flag' into 'main'
Evan Hunt [Fri, 14 Mar 2025 00:44:49 +0000 (17:44 -0700)]
Don't check DNS_KEYFLAG_NOAUTH
All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH
(and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY.
Previously, because the DNSKEY implementation was built on top of
KEY, the NOAUTH flag prevented authentication in DNSKEYs as well.
This has been corrected.
Evan Hunt [Thu, 13 Mar 2025 19:20:40 +0000 (12:20 -0700)]
Tidy up keyvalue.h definitions
Use enums for DNS_KEYFLAG_, DNS_KEYTYPE_, DNS_KEYOWNER_, DNS_KEYALG_,
and DNS_KEYPROTO_ values.
Remove values that are never used.
Eliminate the obsolete DNS_KEYFLAG_SIGNATORYMASK. Instead, add three
more RESERVED bits for the key flag values that it covered but which
were never used.
Michał Kępień [Tue, 25 Mar 2025 04:06:01 +0000 (04:06 +0000)]
chg: test: Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module. The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
Closes #5012
Merge branch '5012-upforwd-asyncserver' into 'main'
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Use isctest.asyncserver in the "upforwd" test
Replace the custom DNS server used in the "upforwd" system test with new
code based on the isctest.asyncserver module. The ans4 server currently
used in that test is a copy of bin/tests/system/ans.pl modified to
receive queries over UDP and TCP without ever responding to any of them.
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Add a response handler for ignoring all queries
Dropping all incoming queries is a typical use case for a custom server
used in BIND 9 system tests. Add a response handler implementing that
behavior so that it can be reused.
Michał Kępień [Tue, 25 Mar 2025 04:01:34 +0000 (05:01 +0100)]
Make response handlers global by default
Instead of requiring each class inheriting from ResponseHandler to
define its match() method, make the latter non-abstract and default to
returning True for all queries. This will reduce the amount of
boilerplate code in custom servers.
Evan Hunt [Tue, 25 Mar 2025 01:11:07 +0000 (01:11 +0000)]
chg: usr: When forwarding, query with CD=0 first
Previously, when queries were forwarded to a remote resolver, the CD (checking disabled) bit was used, which could lead to bogus data being retrieved that might have been corrected if validation had been permitted. The CD bit is now only used as a fallback if an initial query without CD fails. See #5132.
Evan Hunt [Sat, 25 Jan 2025 02:00:14 +0000 (18:00 -0800)]
when forwarding, try with CD=0 first
when sending a query to a forwarder for a name within a secure domain,
the first query is now sent with CD=0. when the forwarder itself
is validating, this will give it a chance to detect bogus data and
replace it with valid data before answering. this reduces our chances
of being stuck with data that can't be validated.
if the forwarder returns SERVFAIL to the initial query, the query
will be repeated with CD=1, to allow for the possibility that the
forwarder's validator is faulty or that the bogus answer is covered
by an NTA.
note: previously, CD=1 was only sent when the query name was in a
secure domain. today, validating servers have a trust anchor at the
root by default, so virtually all queries are in a secure domain.
therefore, the code has been simplified. as long as validation is
enabled, any forward query that receives a SERVFAIL response will be
retried with CD=1.
Mark Andrews [Mon, 24 Mar 2025 23:09:39 +0000 (23:09 +0000)]
new: usr: Add support for EDNS ZONEVERSION option
`dig` and `named` can now make requests with an EDNS `ZONEVERSION` option present.
Two new `named.conf` options have been added: `request-zoneversion` and
`provide-zoneversion`. `request-zoneversion` is `off` by default. `provide-zoneversion`
is `on` by default.
Closes #4767
Merge branch '4767-implement-zoneversion' into 'main'
Mark Andrews [Fri, 14 Jun 2024 01:23:53 +0000 (11:23 +1000)]
Add option request-zoneversion
This can be set at the option, view and server levels and causes
named to add an EDNS ZONEVERSION option to requests. Replies are
logged to the 'zoneversion' category.
Mark Andrews [Wed, 12 Jun 2024 22:36:32 +0000 (08:36 +1000)]
Return EDNS ZONEVERSION if requested
If there was an EDNS ZONEVERSION option in the DNS request and the
answer was from a zone, return the zone's serial and number of
labels excluding the root label with the type set to 0 (ZONE-SERIAL).
Michal Nowak [Mon, 24 Mar 2025 14:11:03 +0000 (14:11 +0000)]
fix: ci: Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Merge branch 'mnowak/more-lenient-respdiff-limits' into 'main'
Michal Nowak [Wed, 19 Mar 2025 13:02:32 +0000 (14:02 +0100)]
Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Evan Hunt [Thu, 20 Mar 2025 18:25:05 +0000 (18:25 +0000)]
fix: dev: Optimize key ID check when searching for matching keys
When searching through a DNSKEY or KEY rrset for the key matching a particular algorithm and ID, it's a waste of time to convert every key into a `dst_key` object; it's faster to compute the key ID from the rdata, then do the full key conversion after determining that we've found the right key. This optimization was already used in the validator, but it's been refactored for code clarity, and is now also used in query.c and message.c.
Merge branch 'each-refactor-key-search' into 'main'
Evan Hunt [Fri, 14 Mar 2025 23:41:47 +0000 (16:41 -0700)]
optimize key ID check when searching for matching keys
when searching a DNSKEY or KEY rrset for the key that matches
a particular algorithm and ID, it's a waste of time to convert
every key into a dst_key object; it's faster to compute the key
ID by checksumming the region, and then only do the full key
conversion once we know we've found the correct key.
this optimization was already in use in the validator, but it's
been refactored for code clarity, and is now also used in query.c
and message.c.
Evan Hunt [Thu, 13 Mar 2025 20:01:47 +0000 (13:01 -0700)]
move dns_zonekey_iszonekey() to dns_dnssec module
dns_zonekey_iszonekey() was the only function defined in the
dns_zonekey module, and was only called from one place. it
makes more sense to group this with dns_dnssec functions.
Alessio Podda [Thu, 20 Mar 2025 13:00:12 +0000 (13:00 +0000)]
chg: dev: Switch symtab to use fxhash hashing
This merge request resolves some performance regressions introduced
with the change from isc_symtab_t to isc_hashmap_t.
The key improvements are:
1. Using a faster hash function than both isc_hashmap_t and
isc_symtab_t. The previous implementation used SipHash, but the
hashflood resistance properties of SipHash are unneeded for config
parsing.
2. Shrinking the initial size of the isc_hashmap_t used inside
isc_symtab_t. Symtab is mainly used for config parsing, and the
when used that way it will have between 1 and 50 keys, but the
previous implementation initialized a map with 128 slots.
By initializing a smaller map, we speed up mallocs and optimize for
the typical case of few config keys.
3. Slight optimization of the string matching in the hashmap, so that
the tail is handled in a single load + comparison, instead of byte
by byte.
Of the three improvements, this is the least important.
alessio [Thu, 27 Feb 2025 06:37:04 +0000 (07:37 +0100)]
Switch symtab to use fxhash hashing
This merge request resolves some performance regressions introduced
with the change from isc_symtab_t to isc_hashmap_t.
The key improvements are:
1. Using a faster hash function than both isc_hashmap_t and
isc_symtab_t. The previous implementation used SipHash, but the
hashflood resistance properties of SipHash are unneeded for config
parsing.
2. Shrinking the initial size of the isc_hashmap_t used inside
isc_symtab_t. Symtab is mainly used for config parsing, and the
when used that way it will have between 1 and ~50 keys, but the
previous implementation initialized a map with 128 slots.
By initializing a smaller map, we speed up mallocs and optimize for
the typical case of few config keys.
3. Slight optimization of the string matching in the hashmap, so that
the tail is handled in a single load + comparison, instead of byte
by byte.
Of the three improvements, this is the least important.
Matthijs Mekking [Thu, 20 Mar 2025 10:13:22 +0000 (10:13 +0000)]
fix: usr: Fix several small DNSSEC timing issues
The following small issues related to `dnssec-policy` have been fixed:
- In some cases the key manager inside BIND 9 could run every hour, while it could have run less often.
- While `CDS` and `CDNSKEY` records will be removed correctly from the zone when the corresponding `DS` record needs to be updated, the expected timing metadata when this will happen was never set.
- There were a couple of cases where the safety intervals are added inappropriately, delaying key rollovers longer than necessary.
- If you have identical `keys` in your `dnssec-policy`, they may be retired inappropriately. Note that having keys with identical properties is discouraged in all cases.
Closes #5242
Merge branch '5242-several-keymgr-issues' into 'main'
Matthijs Mekking [Mon, 24 Feb 2025 10:36:53 +0000 (11:36 +0100)]
Fix a key generation issue in the tests
The dnssec-keygen command for the ZSK generation for the zone
multisigner-model2.kasp was wrong (no ZSK was generated in the setup
script, but when 'named' is started, the missing ZSK was created
anyway by 'dnssec-policy'.
Only set the next time the keymgr should run if the value is non zero.
Otherwise we default back to one hour. This may happen if there is one
or more key with an unlimited lifetime.
keymgr: also set DeleteCDS when setting PublishCDS
The keymgr never set the expected timing metadata when CDS/CDNSKEY
records for the corresponding key will be removed from the zone. This
is not troublesome, as key states dictate when this happens, but with
the new pytest we use the timing metadata to determine if the CDS and/or
CDNSKEY for the given key needs to be published.
There are a couple of cases where the safety intervals are added
inappropriately:
1. When setting the PublishCDS/SyncPublish timing metadata, we don't
need to add the publish-safety value if we are calculating the time
when the zone is completely signed for the first time. This value
is for when the DNSKEY has been published and we add a safety
interval before considering the DNSKEY omnipresent.
2. The retire-safety value should only be added to ZSK rollovers if
there is an actual rollover happening, similar to adding the sign
delay.
3. The retire-safety value should only be added to KSK rollovers if
there is an actual rollover happening. We consider the new DS
omnipresent a bit later, so that we are forced to keep the old DS
a bit longer.
Matthijs Mekking [Tue, 25 Feb 2025 07:40:33 +0000 (08:40 +0100)]
Fix a small keymgr bug
While converting the kasp system test to pytest, I encountered a small
bug in the keymgr code. We retire keys when there is more than one
key matching a 'keys' line from the dnssec-policy. But if there are
multiple identical 'keys' lines, as is the case for the test zone
'checkds-doubleksk.kasp', we retire one of the two keys that have the
same properties.
Fix this by checking if there are double matches. This is not fool proof
because there may be many keys for a few identical 'keys' lines, but it
is good enough for now. In practice it makes no sense to have a policy
that dictates multiple keys with identical properties.
Mark Andrews [Thu, 20 Mar 2025 01:30:11 +0000 (01:30 +0000)]
fix: usr: Fix write after free in validator code
Raw integer pointers were being used for the validator's nvalidations
and nfails values but the memory holding them could be freed before
they ceased to be used. Use reference counted counters instead.
Closes #5239
Merge branch '5239-use-counter-for-nvalidations-and-nfailss' into 'main'
Mark Andrews [Fri, 14 Mar 2025 04:23:43 +0000 (15:23 +1100)]
Use reference counted counters for nfail and nvalidations
The fetch context that held these values could be freed while there
were still active pointers to the memory. Using a reference counted
pointer avoids this.
Michal Nowak [Wed, 19 Mar 2025 08:00:42 +0000 (08:00 +0000)]
fix: test: Fix the log-report-channel zones check
The check looks for logs that are not present, fails to make the
possible failure visible, and fails to bump the check enumerator:
I:checking that log-report-channel zones fail if '*._er/TXT' is missing (129)
grep: test.out4.129: No such file or directory
grep: test.out4.129: No such file or directory
I:checking that raw zone with bad class is handled (129)
The issue appeared in #3659.
Merge branch 'mnowak/checkzone-test-fix' into 'main'
Michal Nowak [Tue, 18 Mar 2025 15:10:49 +0000 (16:10 +0100)]
Fix the log-report-channel zones check
The check looks for logs that are not present, fails to make the
possible failure visible, and fails to bump the check enumerator:
I:checking that log-report-channel zones fail if '*._er/TXT' is missing (129)
grep: test.out4.129: No such file or directory
grep: test.out4.129: No such file or directory
I:checking that raw zone with bad class is handled (129)
Mark Andrews [Wed, 19 Mar 2025 00:04:39 +0000 (00:04 +0000)]
fix: test: Fix failing grep invocation on OpenBSD
Lines starting with A or NSEC are expected but not matched with the
OpenBSD grep. Extended regular expressions with direct use of
parentheses and the pipe symbol is more appropriate.
I:checking RRSIG query from cache (154)
I:failed
The issue appeared in #4805.
Merge branch 'mnowak/openbsd-grep-fix' into 'main'
Michal Nowak [Tue, 18 Mar 2025 15:00:53 +0000 (16:00 +0100)]
Fix failing grep invocation on OpenBSD
Lines starting with A or NSEC are expected but not matched with the
OpenBSD grep. Extended regular expressions with direct use of
parentheses and the pipe symbol is more appropriate.
Arаm Sаrgsyаn [Tue, 18 Mar 2025 17:05:23 +0000 (17:05 +0000)]
fix: usr: Fix resolver statistics counters for timed out responses
When query responses timed out, the resolver could incorrectly increase the regular responses counters, even if no response was received. This has been fixed.
Closes #5193
Merge branch '5193-resolver-statistics-counters-fix' into 'main'
Aram Sargsyan [Thu, 6 Mar 2025 14:28:48 +0000 (14:28 +0000)]
Fix the resolvers RTT-ranged responses statistics counters
When a response times out the fctx_cancelquery() function
incorrectly calculates it in the 'dns_resstatscounter_queryrtt5'
counter (i.e. >=1600 ms). To avoid this, the rctx_timedout()
function should make sure that 'rctx->finish' is NULL. And in order
to adjust the RTT values for the timed out server, 'rctx->no_response'
should be true. Update the rctx_timedout() function to make those
changes.
Aram Sargsyan [Thu, 6 Mar 2025 14:26:23 +0000 (14:26 +0000)]
Fix resolver responses statistics counter
The resquery_response() function increases the response counter without
checking if the response was successful. Increase the counter only when
the result indicates success.
Michał Kępień [Tue, 18 Mar 2025 15:30:35 +0000 (15:30 +0000)]
chg: test: asyncserver.py: TCP improvements
This branch started off as `michal/upforwd-asyncserver`. It quickly
turned out that the critical `asyncserver.py` change that was needed for
the `upforwd` system test was for the server to be able to read multiple
TCP queries on a single connection. As currently present in `main`,
`asyncserver.py` closes every client connection after servicing a single
query. Retaining that behavior would cause the `upforwd` system test to
fail and, in general, capturing all data sent by a client seems more
useful in tests than just closing connections quickly. `asyncserver.py`
can always be extended in the future (e.g. by adding a new
`ResponseAction` that the networking code would react to) to reinstate
the original behavior, if it turns out to be necessary.
While working on changing that particular `asyncserver.py` behavior, I
noticed a couple of other deficiencies in the TCP connection handling
code, so I started addressing them. One thing led to another and before
I noticed, enough changes were applied to be worth doing a separate
merge request, particularly given that the actual rewrite of
`upforwd/ans4/ans.pl` using `asyncserver.py` is trivial once the
required changes to `asyncserver.py` itself are applied.
Merge branch 'michal/asyncserver-tcp-improvements' into 'main'
Michał Kępień [Tue, 18 Mar 2025 15:28:18 +0000 (16:28 +0100)]
Handle queries indefinitely on each TCP connection
Instead of closing every incoming TCP connection after handling a single
query, continue receiving queries on each TCP connection until the
client disconnects itself. When coupled with response dropping, this
enables silently receiving all incoming data, simulating an unresponsive
server.
Michał Kępień [Tue, 18 Mar 2025 15:28:18 +0000 (16:28 +0100)]
Enable receiving chunked TCP DNS messages
A TCP DNS client may send its queries in chunks, causing
StreamReader.read() to return less data than previously declared by the
client as the DNS message length; even the two-octet DNS message length
itself may be split up into two single-octet transmissions. Sending
data in chunks is valid client behavior that should not be treated as an
error. Add a new helper method for reading TCP data in a loop, properly
distinguishing between chunked queries and client disconnections. Use
the new method for reading all TCP data from clients.
Michał Kępień [Tue, 18 Mar 2025 15:28:18 +0000 (16:28 +0100)]
Handle connection resets during reading
A TCP peer may reset the connection at any point, but asyncserver.py
currently only handles connection resets when it is sending data to the
client. Handle connection resets during reading in the same way.
Michał Kępień [Tue, 18 Mar 2025 15:28:18 +0000 (16:28 +0100)]
Simplify peer address formatting
Add a helper class, Peer, which holds the <host, port> tuple of a
connection endpoint and gets pretty-printed when formatted as a string.
This enables passing instances of this new class directly to logging
functions, eliminating the need for the AsyncDnsServer._format_peer()
helper method.
Nicki Křížek [Tue, 18 Mar 2025 09:29:10 +0000 (09:29 +0000)]
chg: ci: Allow re-run of the shotgun jobs to reduce false positives
The false positive rate is about 10-20 % when evaluating shotgun results
from a single run. Attempt to reduce the false positive rate by allowing
a re-run of failed jobs.
Merge branch 'nicki/ci-shotgun-reduce-false-positives' into 'main'
Nicki Křížek [Wed, 12 Mar 2025 16:24:05 +0000 (17:24 +0100)]
Allow re-run of the shotgun jobs to reduce false positive
The false positive rate is about 10-20 % when evaluating shotgun results
from a single run. Attempt to reduce the false positive rate by allowing
a re-run of failed jobs.
While there is a slight risk that barely noticable decreases in
performance might slip by more easily in MRs, they'd still likely pop up
during nightly or pre-release testing.
Also increase the tolerance threshold for DoH latency comparisons, as
those tests often experience increased jitter in the tail end latencies.
Michał Kępień [Tue, 18 Mar 2025 05:55:17 +0000 (05:55 +0000)]
chg: test: Use isctest.asyncserver in the "qmin" test
Replace custom DNS servers used in the "qmin" system test with new code
based on the isctest.asyncserver module. The revised code employs zone
files and a limited amount of custom logic, which massively improves
test readability and maintainability, extends logging, and fixes
non-compliant replies sent by some of the custom servers in response to
certain queries (e.g. AA=0 in authoritative empty non-terminal
responses, non-glue address records in ADDITIONAL section).
Merge branch 'michal/qmin-asyncserver' into 'main'
Michał Kępień [Tue, 18 Mar 2025 05:19:01 +0000 (06:19 +0100)]
Broaden vulture exclude glob for ans.py servers
The vulture tool seems to be unable to follow how the parent classes
defined in bin/tests/system/qmin/qmin_ans.py use mandatory properties
specified by child classes in bin/tests/system/qmin/ans*/ans.py. Make
the tool ignore not just ans.py servers, but also *_ans.py utility
modules above the ansX/ subdirectories to prevent false positives about
unused code from causing CI pipeline failures.
Michał Kępień [Tue, 18 Mar 2025 05:19:01 +0000 (06:19 +0100)]
Ignore .hypothesis files created by system tests
Some versions of the Hypothesis Python library - notably the one
included in stock OS repositories for Ubuntu 20.04 Focal Fossa - cause a
.hypothesis file to be created in a Python script's working directory
when the hypothesis module is present in its import chain. Ignore such
files by adding them to the list of expected test artifacts to prevent
pytest teardown checks from failing due to these files appearing in the
file system after running system tests.
Michał Kępień [Tue, 18 Mar 2025 05:19:01 +0000 (06:19 +0100)]
Fix PYTHONPATH set for ans.py servers by start.pl
Commit 6c010a5644324947c8c13b5600cd8d988ae7684f caused the PYTHONPATH
environment variable to be set for ans.py servers started using
start.pl. However, no system test has actually used the new
isctest.asyncserver module since that change was applied, so it has not
been noticed until now that including the source directory in PYTHONPATH
is only sufficient for in-tree builds. Include the build directory
instead of the source directory in the PYTHONPATH environment variable
set for ans.py servers started by start.pl so that they work correctly
for both in-tree and out-of-tree builds.
Michał Kępień [Tue, 18 Mar 2025 05:19:01 +0000 (06:19 +0100)]
Use isctest.asyncserver in the "qmin" test
Replace custom DNS servers used in the "qmin" system test with new code
based on the isctest.asyncserver module. The revised code employs zone
files and a limited amount of custom logic, which massively improves
test readability and maintainability, extends logging, and fixes
non-compliant replies sent by some of the custom servers in response to
certain queries (e.g. AA=0 in authoritative empty non-terminal
responses, non-glue address records in ADDITIONAL section).
Ondřej Surý [Mon, 17 Mar 2025 14:27:38 +0000 (15:27 +0100)]
Remove the kludges for records in the bad sections
There were kludges to help process responses from authoritative servers
giving RRs in wrong sections (mentioning BIND 8). These should just go
away and such responses should not be processed.
Evan Hunt [Sat, 15 Mar 2025 01:26:35 +0000 (01:26 +0000)]
fix: nil: Add new convenience functions to classify rdata types
- `dns_rdatatype_ismulti()` returns true if a given type can have
multiple answers: ANY, RRSIG, or SIG.
- `dns_rdatatype_issig()` returns true for a signature: RRSIG or SIG.
- `dns_rdatatype_isaddr()` returns true for an address: A or AAAA.
- `dns_rdatatype_isalias()` returns true for an alias: CNAME or DNAME.
Code has been modified to use these functions where applicable.
These and all similar functions (e.g., `dns_rdatatype_ismeta()`, `dns_rdatatype_issingleton()`, etc) are now `static inline` functions defined in `rdata.h`.
Merge branch 'each-rdatatype-functions' into 'main'
Evan Hunt [Tue, 4 Mar 2025 23:51:49 +0000 (15:51 -0800)]
add new functions to classify rdata types
- dns_rdatatype_ismulti() returns true if a given type can have
multiple answers: ANY, RRSIG, or SIG.
- dns_rdatatype_issig() returns true for a signature: RRSIG or SIG.
- dns_rdatatype_isaddr() returns true for an address: A or AAAA.
- dns_rdatatype_isalias() returns true for an alias: CNAME or DNAME.
Evan Hunt [Fri, 14 Mar 2025 23:19:36 +0000 (23:19 +0000)]
fix: dev: step() could ignore rollbacks
The `step()` function (used for stepping to the prececessor or successor of a database node) could overlook a node if there was an rdataset that was marked IGNORE because it had been rolled back, covering an active rdataset under it.
Closes #5170
Merge branch '5170-step-ignores-rollback' into 'main'
Evan Hunt [Sat, 15 Feb 2025 05:42:34 +0000 (21:42 -0800)]
qpzone.c:step() could ignore rollbacks
the step() function (used for stepping to the prececessor or
successor of a database node) could overlook a node because
there was an rdataset marked IGNORE because it had been rolled
back, covering an active rdataset under it.
Evan Hunt [Fri, 14 Mar 2025 22:26:36 +0000 (22:26 +0000)]
fix: dev: Fix handling of revoked keys
When a key is revoked, its key ID changes due to the inclusion of the "revoked" flag. A collision between this changed key ID
and an unrelated public-only key could cause a crash in `dnssec-signzone`.
Closes #5231
Merge branch '5231-fix-keyid-collision' into 'main'
projects / thirdparty / bind9.git / log
