Michał Kępień [Wed, 29 Jan 2020 13:50:26 +0000 (14:50 +0100)]
List atypical failures in system test summary
Each system test can be marked as failed not only due to some tested
component(s) not behaving as expected, but also because of core dumps,
assertion failures, and/or ThreadSanitizer reports being found among its
artifacts. Make the system test summary list the tests which exhibit
such atypical symptoms to more clearly present the nature of problems
found.
Tinderbox User [Thu, 16 Jan 2020 15:01:08 +0000 (15:01 +0000)]
prep 9.14.10
Update the API files.
- lib/dns:
- struct resolver has added elements, this is an interface change
and thus LIBINTERFACE is incremented, and LIBREVISION is reset.
- Since this also means an interface change since the last public
release, also reset LIBAGE.
- lib/isccfg:
- The library source code changed, so increment LIBREVISION.
- lib/ns:
- The library source code changed, so increment LIBREVISION.
Update other files:
- No changes needed to the README, this is a small bugfix release.
Tony Finch [Thu, 16 Jan 2020 15:46:04 +0000 (15:46 +0000)]
Send NOFITY messages after deleting private-type records.
The `rndc signing -clear` command cleans up the private-type records
that keep track of zone signing activity, but before this change it
did not tell the secondary servers that the zone has changed.
Diego Fronza [Wed, 15 Jan 2020 18:22:06 +0000 (15:22 -0300)]
Added test for the proposed fix
Added test to ensure that NXDOMAIN is returned when BIND is queried for a
non existing domain in CH class (if a view of CHAOS class is configured)
and that it also doesn't crash anymore in those cases.
Diego Fronza [Wed, 15 Jan 2020 17:39:38 +0000 (14:39 -0300)]
Fixed crash when querying for non existing domain in chaos class
Function dns_view_findzonecut in view.c wasn't correctly handling
classes other than IN (chaos, hesiod, etc) whenever the name being
looked up wasn't in cache or in any of the configured zone views' database.
That resulted in a NULL fname being used in resolver.c:4900, which
in turn was triggering abort.
Mark Andrews [Tue, 21 Jan 2020 23:04:16 +0000 (23:04 +0000)]
dnssec: do not publish CDS records when -Psync is in the future
This is a bug I encountered when trying to schedule an algorithm
rollover. My plan, for a zone whose maximum TTL is 48h, was to sign
with the new algorithm and schedule a change of CDS records for more
than 48 hours in the future, roughly like this:
$ dnssec-keygen -a 13 -fk -Psync now+50h $zone
$ dnssec-keygen -a 13 $zone
$ dnssec-settime -Dsync now+50h $zone_ksk_old
However the algorithm 13 CDS was published immediately, which could
have made the zone bogus.
To reveal the bug using the `smartsign` test, this change just adds a
KSK with all its times in the future, so it should not affect the
existing checks at all. But the final check (that there are no CDS or
CDSNSKEY records after -Dsync) fails with the old `syncpublish()`
logic, because the future key's sync records appear early. With the
new `syncpublish()` logic the future key does not affect the test, as
expected, and it now passes.
Mark Andrews [Wed, 4 Dec 2019 10:41:04 +0000 (21:41 +1100)]
Testing node->down requires the tree lock to be held.
In decrement_reference only test node->down if the tree lock
is held. As node->down is not always tested in
decrement_reference we need to test that it is non NULL in
cleanup_dead_nodes prior to removing the node from the rbt
tree. Additionally it is not always possible to aquire the
node lock and reactivate a node when adding parent nodes.
Reactivate such nodes in cleanup_dead_nodes if required.
Tony Finch [Mon, 13 Jan 2020 05:48:09 +0000 (05:48 +0000)]
Fix line spacing in `rndc secroots`
Before this change, there was a missing blank line between the
negative trust anchors for one view, and the heading line for the next
view. This is because dns_ntatable_totext() omits the last newline.
There is an example of the incorrect output below; the fixed output
has a blank line before "Start view auth".
Michal Nowak [Mon, 13 Jan 2020 16:27:21 +0000 (16:27 +0000)]
Add openSUSE Tumbleweed image to the CI
Ensure BIND is continuously tested on Tumbleweed, a pure rolling release
version of openSUSE. This will allow BIND incompatibilities with latest
upstream versions of its dependencies to be caught more quickly.
Michał Kępień [Mon, 13 Jan 2020 13:32:19 +0000 (14:32 +0100)]
Add CHANGES entry
5339. [bug] With some libmaxminddb versions, named could erroneously
match an IP address not belonging to any subnet defined
in a given GeoIP2 database to one of the existing
entries in that database. [GL #1552]
Michał Kępień [Mon, 13 Jan 2020 13:32:19 +0000 (14:32 +0100)]
Properly detect MMDB lookup failures
Only comparing the value of the integer passed as the last argument to
MMDB_lookup_sockaddr() against MMDB_SUCCESS is not enough to ensure that
an MMDB lookup was successful - the 'found_entry' field of the
MMDB_lookup_result_s structure returned by that function also needs to
be true or else the remaining contents of that structure should be
ignored as the lookup failed. Extend the relevant logical condition in
get_entry_for() to ensure the latter does not return incorrect MMDB
entries for IP addresses which do not belong to any subnet defined in a
given GeoIP2 database.
Ondřej Surý [Thu, 5 Dec 2019 17:09:21 +0000 (18:09 +0100)]
Bail-out early if dig fails to finish successfully or takes too long
Before, the zero system test could get stuck almost infinitely, because
the first test sends > 300 queries with 5 seconds timeout on each in
each pass. If named crashed early, it would took the test more than 4
hours to properly timeout.
This commit introduces a "watchdog" on the dig commands running in the
background and failing the test on timeout, failing any test if any dig
command fails to return successfully, and making the tests.sh script
shellcheck clean.
Ondřej Surý [Wed, 4 Dec 2019 23:02:43 +0000 (00:02 +0100)]
Test for the hard fetchlimit instead of soft fetchlimit
Previously, the fetchlimit tested the recursive-clients soft limit
that's defined as 90% of the hard limit (the actual configured value).
This worked previously because the reaping of the oldest recursive
client was put on the same event queue as the current TCP client, thus
the cleaning has happened before the new TCP client established a new
connection.
With the change in BIND 9.14 that added a multiple event queues the
cleaning of the oldests clients is no longer synchronous and could
happen stochastically making the soft limit testing fail often. The
situation became even worse with the new networking manager, thus we
change the system test to fail only if the hard limit bound is not
honored.
Changing the accounting of the already reaped TCP clients so the soft
limit testing is possible again is out of the scope for this change.
projects / thirdparty / bind9.git / log
