Colin Vidal [Mon, 17 Nov 2025 14:23:58 +0000 (15:23 +0100)]
remove need_hints parameters to configure_view
The `configure_view()` `need_hints` is removed as it this function was
always called with the value `true`.
The `need_hints` wasn't even used in the function. The only thing it was
actually used was to throw a warning which can be done simply in an
`else` condition branch.
Moreoever, in the case of catalog zones and response-policy, it fixes a
possible bug that would affect root zones, as those wouldn't be reverted
back to their previous version in case of the view fails to load
(during a server reconfiguration).
Colin Vidal [Tue, 18 Nov 2025 08:16:57 +0000 (09:16 +0100)]
chg: dev: No effective config as text if allow-new-zones is yes
Do not save the text version of the effective configuration when
`allow-new-zones` is enabled, as in that case the object tree can
be printed on demand, reducing unnecessary memory consumption.
Merge branch 'colin/no-effective-config-as-text-allownewzones' into 'main'
Colin Vidal [Mon, 17 Nov 2025 10:06:34 +0000 (11:06 +0100)]
no effective config as text if allow-new-zones is yes
Do not save the textual version of the effective configuration when
`allow-new-zones` is enabled, as it can be printed on-demand. This
enable to reduce the memory footprint of ~70MB on huge configurations
(1M zones).
Colin Vidal [Thu, 13 Nov 2025 14:33:02 +0000 (15:33 +0100)]
fix: dev: Remove holes in `dns_zoneflg_t` enum
The `dns_zoneflg_t` enum defined multiple possible flags for a zone, but
contains numerous holes (likely from flag removed in the past). This
fixes the holes, and use a bit-shift and decimal notation to make holes
easier to spot.
Merge branch 'colin/remove-zoneflag-holes' into 'main'
Colin Vidal [Fri, 31 Oct 2025 09:32:53 +0000 (10:32 +0100)]
remove holes in `dns_zoneflg_t` enum
`dns_zoneflg_t` enum defined multiple possible flags for a zone, but
contains numerous holes (likely from flag removed in the past). This
fixes the holes, and use a bit-shift and decimal notation to make holes
easier to spot.
Colin Vidal [Wed, 12 Nov 2025 10:40:33 +0000 (11:40 +0100)]
fix: dev: Save configuration as text
A `cfg_obj_t` object tree structure takes up considerably more space than the equivalent canonical text. If `allow-new-zones` is disabled and catalog zones are not in use, then we don't need the object tree. By storing the configuration in text format, we can use less memory, and `rndc showconf` and `rndc showzone` still work.
Evan Hunt [Wed, 12 Nov 2025 02:50:23 +0000 (18:50 -0800)]
save effective configuration as text
the effective configuration tree is now detached if allow-new-zones
or catalog-zones aren't enabled in any views. this reduces memory
consumption while still allowing "rndc showconf -effective" to work.
Evan Hunt [Tue, 11 Nov 2025 23:46:23 +0000 (15:46 -0800)]
save zone configuration as text
as previously mentioned in commit c65b2868ab, a cfg_obj_t
configuration tree structure takes up considerably more space than
the canonical text. since the zone configuration saved in the zone
object using dns_zone_setcfg() is only currently used for "rndc
showzone", it can be saved as text more efficiently than as an
object tree. (and, if a tree were needed, the text could be
re-parsed quickly; zone configuration text is generally small.)
Colin Vidal [Wed, 15 Oct 2025 13:35:59 +0000 (15:35 +0200)]
check-cocci fails in WARNING is found on stderr
As the implicit cast check print "WARNING: ..." on stderr, add a pattern
to make sure that check-cocci would fails if such warning is found on
stderr. This is generic (not specific like the existing "parse error")
so it should be able to support future Coccinelle spatch warnings.
Colin Vidal [Tue, 14 Oct 2025 11:31:44 +0000 (13:31 +0200)]
mdig: fix implicit bool to int cast
The `display_rrcomments` is a tri-state (-1, 0, 1) which is (in some
cases) initialized with `state`, a boolean, through an implicit cast.
This was spot by Coccinelle. Remove the implcit cast by explicitly
assigning 0 or 1 to `display_rrcomments` based on `state` value.
Nicki Křížek [Mon, 10 Nov 2025 15:21:52 +0000 (16:21 +0100)]
new: test: Add isctest.check.ede() helper for pytest
Add a utility function to check for EDE codes present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Merge branch 'nicki/isctest-check-ede-helper' into 'main'
Nicki Křížek [Thu, 30 Oct 2025 17:12:25 +0000 (18:12 +0100)]
Use new EDE helper in existing system tests
Previously, hasattr("extended_errors") was used as a check to detect a
mimumum required dnspython version in order to only perform the EDE
check if a new-enough dnspython was present. This is now abstracted into
isctest.check.ede().
In order to support dnspython<2.2.0, use isctest.compat.EDECode rather
than using dns.edns.EDECode directly.
Nicki Křížek [Thu, 30 Oct 2025 17:08:01 +0000 (18:08 +0100)]
Add isctest.check.ede() helper for pytest
Add a utility function to check for EDE options present in the DNS
message. The primary benefit of this helper function is that it
handles the compatibility issues with different dnspython versions
and the actual test code doesn't have to deal with that any more.
Rather than using the convenience .extended_errors() method
introduced in dnspython 2.7.0, iterate over the options and find
EDEOption types, which is supported from 2.2.0 onwards.
To work around the issue of using dns.edns.EDECode to specify EDE codes
in our tests, create an isctest.compat.EDECode wrapper. This can be used
even with dnspython versions prior to 2.2.0 and will simply result in
no-op, since EDE isn't supported in the older dnspython anyway.
Colin Vidal [Fri, 7 Nov 2025 14:46:15 +0000 (15:46 +0100)]
fix: test: Rewrite views/addzone in loop system test
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
Closes #5617
Merge branch '5617-rewrite-reload-view-test' into 'main'
Colin Vidal [Fri, 7 Nov 2025 09:45:09 +0000 (10:45 +0100)]
rewrite views/addzone in loop system test
A part of the `views` system test attempts to add multiples zones in a
loop, and after each zone being added, reconfig the server.
However, the test didn't take into account the fact that the server
might take a bit more time to reload than the script to move to the next
iteration, and in some case the test was re-requesting the server reload
when it was still reloading.
Since `b49f83a3`, `named` explicitly fails to reload when a load/reload
is pending, which is (unless proved otherwise) the reason of the test
was now randomly failing.
That part of the test is now waiting for the server log message saying
the server has added the new zone and is running. Also, that part of the
test has been rewrote in Python.
Colin Vidal [Thu, 6 Nov 2025 15:13:29 +0000 (16:13 +0100)]
fix: test: Harden EDE 24 system tests
Harden `ede24` system test in order to avoid random failures, likely caused by timing issues. Also remove expiration-related dead-code (which should have been done in the original ede24 changes) as well as printing the query ID, as this should be useful to debug further flaky system test issues. (In particular, this one, if the changes made here are not enough).
Colin Vidal [Thu, 6 Nov 2025 13:35:33 +0000 (14:35 +0100)]
split ede24 system test into separate modules
Because ede24 system tests require stopping/restarting server, there is
always the risk that the test ends (with a failure) with server in an
wrong and impredictible state. This would make the other tests to fail
in a strange way as well.
To avoid this problem, split the test into different modules, so if a
module fails, the other module is not impacted as it uses separate
server instances.
Colin Vidal [Wed, 5 Nov 2025 14:08:51 +0000 (15:08 +0100)]
harden ede24 system test
There was a random failure of ede24 system test. While this is still a
bit speculative, the two reasons were:
- in the case of `test_ede24_noloaded` the test might attempt to early
(before the zone actually transfered on the secondary server) to query
ns2.
- still in the case of `test_ede24_noloaded`, even after waiting for
transfer succeed logs, if the CI machine is slow, the zone could be
expired before the request checking the secondary zone works because
the expiration time of the zone was very short (1s). Moving this
expiration time to 3 seconds should be enough (while not making the
test execution too much longer when waiting for the zone expiration).
- in the case of `test_ede24_expired`, the zone expired flag is flipped
and the log message is printed immediately after. However, it is
possible that because the flag is set using a relaxed atomic
operation, another thread process the query and gets the previous
(non-expired) value of the flag. In order to workaround this, the
test now also expects another log written after the zone expiration
(stop timers) on the next UV tick.
There is code duplication between `keyfetch` and `nsfetch`, refactor to allow common code paths to differentiate between them. This is in preparation for support of generalized DNS notifications, that will require fetching DSYNC records.
Merge branch 'matthijs-refactor-zone-fetch' into 'main'
Scheduling and rescheduling a zonefetch is also similar. Refactor into
zonefetch functions. This also increments and decrements the zone's
internal reference counter in the same module, which may be less
confusing when reading the code.
Ondřej Surý [Wed, 5 Nov 2025 11:39:43 +0000 (12:39 +0100)]
Fix parser test (missing string termination)
Parser test could crash because the `dumpb2` buffer hasn't explicit C
NULL string termination after dumping the configuration tree in it.
`cfg_printx` does not doing this by default.
Fix the test by comparing only the strings written with strncmp.
Ondřej Surý [Tue, 4 Nov 2025 19:30:08 +0000 (20:30 +0100)]
fix: usr: Skip unsupported algorithms when looking for signing key
A mix of supported and unsupported DNSSEC algorithms in the same zone could have caused validation failures. Ignore the DNSSEC keys with unsupported algorithm when looking for the signing keys.
Closes #5622
Merge branch '5622-dont-fail-on-unsupported-algorithms' into 'main'
Ondřej Surý [Tue, 4 Nov 2025 01:09:38 +0000 (02:09 +0100)]
Skip unsupported algorithms when looking for signing key
When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search. Instead, skip
such keys and continue searching for the right key.
Co-Authored-By: Aram Sargsyan <aram@isc.org> Co-Authored-By: Petr Menšík <pemensik@redhat.com>
Ondřej Surý [Tue, 4 Nov 2025 18:53:09 +0000 (19:53 +0100)]
fix: dev: Only unlink from SIEVE LRU if it is still linked
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Closes #5606
Merge branch '5606-fix-assertion-failure-in-overmem-cleaning' into 'main'
Ondřej Surý [Wed, 29 Oct 2025 06:18:55 +0000 (07:18 +0100)]
Only unlink from SIEVE LRU if it is still linked
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path. This could lead to double-unlink
which causes assertion failure. Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
Štěpán Balážik [Tue, 4 Nov 2025 17:14:35 +0000 (17:14 +0000)]
fix: test: Require dnspython>2.0.0 in system tests using asyncserver
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
Full removal of pre-2.0.0 `dnspython` support is planned for after 9.18
goes EoL.
Merge branch 'stepan/require-dnspython-2-for-asyncserver' into 'main'
Štěpán Balážik [Fri, 31 Oct 2025 11:04:39 +0000 (12:04 +0100)]
Require dnspython>2.0.0 in system tests using asyncserver
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.
Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
Štěpán Balážik [Tue, 4 Nov 2025 12:40:26 +0000 (13:40 +0100)]
Don't use pytest.importorskip in isctest.name
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.
Remove pytest.importskip from top scope in isctest.name, only run the
check when ZoneAnalyzer is used.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Add a job preparing post-disclosure notifications
Add a new GitLab CI job that automatically generates post-disclosure
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Add a job preparing packager notifications
Add a new GitLab CI job that automatically generates T-1 packager
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Add a job preparing security pre-announcements
Add a new GitLab CI job that automatically generates public T-5
pre-announcements for BIND 9 security releases based on the metadata for
the current release cycle.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Enable overriding the list of security releases
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of security releases in a given release cycle in case
autodetection fails for any reason.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Enable overriding the list of fixed CVE IDs
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of CVE IDs fixed in a given release cycle in case
autodetection fails for any reason.
Michał Kępień [Tue, 4 Nov 2025 11:51:35 +0000 (12:51 +0100)]
Deduplicate definitions of release-related jobs
Extract common YAML keys used by release-related job definitions into
reusable anchors to ensure consistency and limit repetition across
multiple similar jobs.
Aram Sargsyan [Fri, 31 Oct 2025 16:34:47 +0000 (16:34 +0000)]
Test dig with a IPv4 source address and a IPv4+IPv6 server
Check that dig doesn't exit with an assertion failure when a IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
JINMEI Tatuya [Thu, 30 Oct 2025 04:58:18 +0000 (21:58 -0700)]
avoid retrying a server if its address is unusable
Previously, if there's no more server to try in force_next,
it attempted to retry the current server similar to a query
timeout case. But, force_next() is called only when the
current server's address is unusable and the query was not
even sent, so recvcount was not incremented, causing an
assertion failure.
We might be able to fix it so the retry doesn't cause a crash,
but it doesn't make sense to retry the server when its address
is known to be unusable. So, simply avoiding the retry would be
the easiest and safest way to prevent the crash.
JINMEI Tatuya [Thu, 30 Oct 2025 00:51:59 +0000 (17:51 -0700)]
make sure current_query is detached before trying next server
Without this, start_udp or start_tcp would trigger an assertion
failure. Detaching it at this point is also consistent with
other failure handling cases, such as in recv_done.
Colin Vidal [Mon, 3 Nov 2025 17:25:38 +0000 (18:25 +0100)]
new: usr: Add support for Extended DNS Error 24 (Invalid Data)
Extended DNS Error 24 (Invalid Data) is returned when the server cannot answer data for a zone it is configured for. This occurs typically when an authoritative server does not have loaded the DB of a configured zone, or a secondary server zone is expired.
Colin Vidal [Mon, 3 Nov 2025 16:31:26 +0000 (17:31 +0100)]
log that a zone is expired after setting the flag
When a (secondary) zone is expired, the log message `<zone> expired` is
printed and the flag `DNS_ZONEFLG_EXPIRED` is set. Change the order by
setting the expired flag first, then printing the log.
This should fixes (rare but persistent) timing-related CI error when the
EDE 24 tests expect the zone to be expired (from the log) and
immediately after request and expect an EDE 24 error. (In some rare
cases, the server was still answering the response).
Colin Vidal [Wed, 29 Oct 2025 16:32:29 +0000 (17:32 +0100)]
add tests for EDE 24 support
Add system test covering EDE 24 being added in the response in both
common cases: when the server has not loaded the DB of a zone and when
the zone has expired (secondary).
Colin Vidal [Fri, 31 Oct 2025 11:16:54 +0000 (12:16 +0100)]
support EDE 24 (Invalid Data)
Extended DNS Error 24 (Invalid Data) is returned when the server cannot
answer data for a zone it is configured for. This occurs typically when
an authoritative server does not have loaded the DB of a configured
zone, or a secondary server zone is expired.
Colin Vidal [Fri, 31 Oct 2025 11:15:00 +0000 (12:15 +0100)]
query_getzonedb can returns DNS_R_EXPIRED
If `query_getzonedb()` finds a zone but the zone is expired it
immediately returns `DNS_R_EXPIRED` and doesn't attempt to get the zone
DB (which would be NULL in this case).
This enable caller to have a more precise reason of why getting the DB
has failed.
CID 638286: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->notifyctx.notify_acl" without holding
the lock "dns_zone.lock". Elsewhere, reading this data does have the
lock, so it makes sense that in the getter function this must also be
so. However, the function is unused so we can just remove it.
CID 638287: Concurrent data access violations (MISSING_LOCK). This
complains about accessing "zone->locked" without holding the lock
"dns_zone.lock". I think this is a false positive as "dns__zone_lock()"
and "dns__zone_unlock() are wrappers around "LOCK_ZONE()" and
"UNLOCK_ZONE()" and where these macros were used they were only
replaced with the internal zone functions. Moreover, "zone->locked"
is only accessed in these macros (and "TRYLOCK_ZONE()" and
"LOCKED_ZONE()").
Colin Vidal [Fri, 31 Oct 2025 14:50:56 +0000 (15:50 +0100)]
fix: dev: restore reuseport to yes by default on supported platforms
Changes introduced by 72862c2a moved the
default configuration from within `bin/named` to a central place
`bin/includes`.
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Merge branch 'colin/fix-reuseport-default' into 'main'
The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.
As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
Matthijs Mekking [Fri, 24 Oct 2025 12:21:25 +0000 (14:21 +0200)]
Move notify functions to notify source files
Move dns_notify_destroy, dns_notify_log, dns_notify_cancel,
dns_notify_queue, dns_notify_isqueued, dns_notify_find_address, and
notify related static functions over to the notify source files.
Matthijs Mekking [Thu, 16 Oct 2025 15:01:57 +0000 (17:01 +0200)]
Introduce notify source code files
Part of refactoring zone.c is to move the notify code into its own
source files. This commit initiates this work by creating notify.[c,h]
and move notify_create() and the notify state and context there.
The function notify_create() cannot fail, so it can return void instead
of isc_result_t.
Alessio Podda [Fri, 31 Oct 2025 12:16:03 +0000 (12:16 +0000)]
fix: usr: Skip buffer allocations if not logging
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
Alessio Podda [Thu, 30 Oct 2025 10:45:09 +0000 (11:45 +0100)]
Skip buffer allocations if not logging
Currently, during IXFR we allocate a 2KB buffer for IXFR change logging
regardless of the log level. This commit introduces an early check
on the log level in dns_diff_print to avoid this.
Results in a speedup from 28% in the test case from issue #5442.
Colin Vidal [Fri, 31 Oct 2025 08:25:36 +0000 (09:25 +0100)]
chg: dev: Don't retain the default configuration tree
The built-in configuration is actually used in two cases: first, when the server is loaded (or reloaded), and second when `rndc showconf -builtin` is called.
Considering the parsing of the builtin configuration is quick and does not occur during exclusive mode, but the configuration tree takes considerable memory space, the built-in configuration is no longer kept in memory once it has been used; instead it is re-parsed on demand.
Merge branch 'colin/not-persist-builtin-config' into 'main'
Colin Vidal [Thu, 30 Oct 2025 22:18:54 +0000 (23:18 +0100)]
don't retain the default configuration
The built-in configuration is actually used in two cases: first, when
the server is loaded (or reloaded), and second when
'rndc showconf -builtin' is called.
Considering the parsing of the builtin configuration is quick and does
not occur during exclusive mode, but the configuration tree takes
considerable memory space, the built-in configuration is no longer kept
in memory once it has been used; instead it is re-parsed on demand.
Evan Hunt [Thu, 30 Oct 2025 23:31:50 +0000 (23:31 +0000)]
fix: dev: Save userconfig as text instead of a cfg_obj tree
Once the user configuration has been merged into the effective configuration, it no longer needs to be accessed as a configuration tree, but we still want to be able to show it with `rndc showconf -user`.
Because the recursive strucure of `cfg_obj` objects is fairly large, the canonical text form is a fraction of the size of the configuration tree, so we now save it in that form instead.
Evan Hunt [Thu, 30 Oct 2025 20:01:44 +0000 (13:01 -0700)]
save userconfig as text instead of a cfg_obj tree
once the user configuration has been merged into the effective
configuration, it no longer needs to be accessed as a configuration
tree, but we still want to be able to show it with 'rndc showconf -user'.
because the recursive strucure of cfg_obj objects is fairly large, the
canonical text form is a fraction of the size of the configuration
tree, so we now save it in that form instead.
Evan Hunt [Thu, 30 Oct 2025 22:54:49 +0000 (22:54 +0000)]
fix: dev: Reduce the size of cfg_obj_t
Instead of having `isc_sockaddr`, `isc_netaddr`, and `isccfg_duration` members in the `cfg_obj->value`
union, we now just keep pointers to them, and allocate memory when parsing these types. This reduces the
size of `cfg_obj_t` from 112 bytes to 72.
Evan Hunt [Thu, 30 Oct 2025 20:40:10 +0000 (13:40 -0700)]
reduce the size of cfg_obj by using pointers for addresses
instead of having sockaddr and netaddr members in the cfg_obj->value
union, we now just keep pointers, and allocate memory when parsing
these types. this reduces the size of cfg_obj_t from 112 to 80 bytes.
Colin Vidal [Wed, 29 Oct 2025 22:49:58 +0000 (23:49 +0100)]
new: usr: New "rndc showconf" command
The new `rndc showconf` command prints the running server configuration. There are three options:
- `rndc showconf -user` displays the user configuration (i.e., the contents of `named.conf`).
- `rndc showconf -builtin` displays the default settings, similar to `named -H`.
- `rndc showconf -effective` displays the effective configuration. This is the merged combination of the `-user` and `-builtin` configurations.
Closes #1075
Merge branch 'colin/effective-config-rndc' into 'main'
Colin Vidal [Tue, 21 Oct 2025 10:10:34 +0000 (12:10 +0200)]
add system test for rndc showconf
Add system tests covering the rndc showconf command. It doesn't
attempt to check the whole effective configuration (as any change to the
builtin configuration would break it) but instead ensures that some parts
of the user config are present, as well as some parts of the builtin
config as well.
It also checks that the effective config (in this context of running
named instance) is about static configuration: a newly added zone is not
visible in the effective configuration.
Evan Hunt [Fri, 24 Oct 2025 07:42:33 +0000 (00:42 -0700)]
implement "rndc showconf"
add a new rndc command to dump server configuration info:
- "rndc showconf -user" dumps the contents of named.conf
- "rndc showconf -builtin" dumps named_g_defaltconfig
- "rndc showconf -effective" dumps the effective configuration,
i.e., the merger of the builtin and the user configurations.
Evan Hunt [Thu, 23 Oct 2025 20:44:56 +0000 (13:44 -0700)]
refactor newzones configuration
instead of using an opaque ns_cfgctx pointer to store the configuration
data to be used by addzone and modzone, there are now fields in the
dns_view object to store the view configuration and LMDB database
environment. the global configuration is now stored in the named_server
object, along with the ACL context.
Colin Vidal [Wed, 29 Oct 2025 22:49:37 +0000 (23:49 +0100)]
new: usr: named-checkconf -e prints the effective configuration
The new `named-checkconf -e` option prints the effective server configuration, including all the default settings, that would result from loading the specified configuration file into `named`.
Closes #2798
Merge branch 'colin/effective-config-checkconf' into 'main'
Colin Vidal [Tue, 21 Oct 2025 09:53:56 +0000 (11:53 +0200)]
add system test for named-checkconf -e
Add a system test checking the command line switch -e of
named-checkconf. The test doesn't care about the whole output of the
effective configuration (in particular to avoid breaking the test for
each default statement that would change) but instead just ensure the
effective configuration is actually returned by checking the presence of
the _bind chaos builtin view as well a user provided view and option
change.
projects / thirdparty / bind9.git / log
