Colin Vidal [Tue, 24 Jun 2025 08:52:11 +0000 (10:52 +0200)]
chg: dev: parse user configuration before exclusive mode
Previously, `named.conf` was parsed while the server was in exclusive (i.e., single-threaded) mode and unable to answer queries. This could cause an unnecessary delay in query processing when the file was large. We now delay entry into exclusive mode until after the configuration has been parsed, but before it is applied.
Merge branch 'colin/configparse-before-exclusive' into 'main'
Colin Vidal [Mon, 23 Jun 2025 19:54:43 +0000 (21:54 +0200)]
wait for reload completed in emptyzones system test
The emptyzones system test ran two consecutive "rndc reload" commands
without waiting for the first one to complete. It used to work because
the commands were serialized, but now an rndc reconfig/reload command is
ignored if another one is already running, so the emptyzones test is
more likely to fail.
Fix this problem by waiting for the log message indicating that all the
zones are loaded before attempting the next reload.
Colin Vidal [Thu, 5 Jun 2025 16:28:22 +0000 (18:28 +0200)]
log-based test for load/apply config
Add a new system test which checks named output when starting,
reconfiguring and reloading the server. It checks that the steps where
configuration is loaded, when named enters exclusive mode, and when the
configuration is applied are all logged, and that they occur in the
correct order. This adds a guard/warning to keep the parsing of the
named.conf outside of the exclusive mode.
Colin Vidal [Tue, 22 Apr 2025 11:46:47 +0000 (13:46 +0200)]
parse user configuration before exclusive mode
The configuration file was parsed when named was in exclusive
(i.e. single-threaded) mode and unable to answer queries. Because
the parsing is a self-contained operation, it is now done before
named enters exclusive mode.
This reduces the amount of time named can't answer queries when
reloading the configuration when the configuration file is large.
Note that exclusive mode is still used for applying the
configuration changes to the server.
Also, simplify the configuration logic by parsing the built-in
configuration only once at server start time.
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110376-c54da3-rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\n")
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110387-883f2f-dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\n")
See https://github.com/coccinelle/coccinelle/issues/398.
Merge branch 'mnowak/coccinelle-fix-impossible-warning' into 'main'
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110376-c54da3-rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\n")
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110387-883f2f-dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\n")
See https://github.com/coccinelle/coccinelle/issues/398.
Petr Špaček [Mon, 23 Jun 2025 11:22:52 +0000 (13:22 +0200)]
Restore DNSSEC validation by default
Meson generated 'dnssec-validation yes' into the built-in config, but
this config without an explicit trust anchor does not enable validation.
Change default to 'dnssec-validation auto' to use built-in key, as in
the autotools days.
Aydın Mercan [Mon, 23 Jun 2025 11:23:53 +0000 (14:23 +0300)]
fix: dev: Fix RTD builds and minor documentation issues
Fix some leftover artifacts and information while transitioning BIND to Meson.
Add CI job to verify that pre-generated config grammar files are up-to-date with code.
Aydın Mercan [Fri, 13 Jun 2025 15:30:34 +0000 (18:30 +0300)]
Remove build requirements from building arm
The meson build switched to generating the file grammars and using meson
to build the manpages/ARM. This is because meson doesn't work well when
writing files outside the build directory.
However, this has been suboptimal when someone only wants to build the
documentation (like RTD). Sphinx can now be used outside meson like it
was with autoconf.
Grammars are now updated by the developer with CI checking if one is
needed or not, like clang-format.
Michał Kępień [Mon, 23 Jun 2025 08:28:26 +0000 (10:28 +0200)]
fix: nil: Use links() for checking if -latomic is necessary
Use the links() method instead of compiles() for checking whether
-latomic needs to be added to linker invocations as compiles() does not
perform the linking step and is therefore not appropriate for carrying
out this kind of checks.
See #5379
Merge branch '5379-use-links-for-checking-if-latomic-is-necessary' into 'main'
Michał Kępień [Mon, 23 Jun 2025 08:23:17 +0000 (10:23 +0200)]
Retain Meson >= 0.61 version requirement
The add_project_dependencies() method was only added in Meson 0.63.
Replace its only use in meson.build with a corresponding call to the
add_project_link_arguments() method to avoid bumping the minimum
required Meson version beyond the one available in stock Ubuntu 22.04
LTS repositories.
Michał Kępień [Mon, 23 Jun 2025 08:23:17 +0000 (10:23 +0200)]
Use links() for checking if -latomic is necessary
Use the links() method instead of compiles() for checking whether
-latomic needs to be added to linker invocations as compiles() does not
perform the linking step and is therefore not appropriate for carrying
out this kind of checks.
Michał Kępień [Sat, 21 Jun 2025 04:47:19 +0000 (04:47 +0000)]
chg: ci: move "stress" test generation script to QA repo
Move the util/generate-stress-test-configs.py script from the BIND 9
source repository to the BIND 9 QA repository. This simplifies the
maintenance of that script by eliminating the need to backport every
change applied to it to multiple branches.
Merge branch 'michal/move-stress-test-generation-script-to-qa-repo' into 'main'
Michał Kępień [Sat, 21 Jun 2025 04:43:36 +0000 (06:43 +0200)]
Move "stress" test generation script to QA repo
Move the util/generate-stress-test-configs.py script from the BIND 9
source repository to the BIND 9 QA repository. This simplifies the
maintenance of that script by eliminating the need to backport every
change applied to it to multiple branches.
Michał Kępień [Sat, 21 Jun 2025 04:06:45 +0000 (04:06 +0000)]
fix: nil: Install named-compilezone
named-compilezone is an alias for named-checkzone: the two tools are
built from the same set of source files, but they behave differently
depending on which executable gets invoked. With Automake,
named-compilezone was installed as a hard link to named-checkzone using
a custom installation hook; try to keep things simple with Meson by
using the install_symlink() method, which makes named-compilezone a
symbolic link to named-checkzone and is the same thing that is already
used for ddns-confgen/tsig-keygen.
See #5379
Merge branch '5379-install-named-compilezone' into 'main'
Michał Kępień [Sat, 21 Jun 2025 03:59:51 +0000 (05:59 +0200)]
Install named-compilezone
named-compilezone is an alias for named-checkzone: the two tools are
built from the same set of source files, but they behave differently
depending on which executable gets invoked. With Automake,
named-compilezone was installed as a hard link to named-checkzone using
a custom installation hook; try to keep things simple with Meson by
using the install_symlink() method, which makes named-compilezone a
symbolic link to named-checkzone and is the same thing that is already
used for ddns-confgen/tsig-keygen.
Nicki Křížek [Thu, 19 Jun 2025 13:49:52 +0000 (13:49 +0000)]
fix: test: Ignore softhsm2 errors when deleting token in keyfromlabel test
In some rare cases, the softhsm2 utility reports failure to delete the
token directory, despite the token being found. Subsequent attempts to
delete the token again indicate that the token was deleted.
Ignore this cleanup error, as it doesn't prevent our tests from working
properly. There is also an attempt to delete the token before the test
starts which ensures a clean state before the test is executed, in case
there's actually a leftover token.
Closes #5244
Merge branch '5244-ignore-softhsm2util-delete-token-error' into 'main'
Nicki Křížek [Thu, 19 Jun 2025 13:09:39 +0000 (15:09 +0200)]
Ignore softhsm2 errors when deleting token in keyfromlabel test
In some rare cases, the softhsm2 utility reports failure to delete the
token directory, despite the token being found. Subsequent attempts to
delete the token again indicate that the token was deleted.
Ignore this cleanup error, as it doesn't prevent our tests from working
properly. There is also an attempt to delete the token before the test
starts which ensures a clean state before the test is executed, in case
there's actually a leftover token.
Nicki Křížek [Thu, 19 Jun 2025 13:05:56 +0000 (13:05 +0000)]
chg: test: Improve logging from isctest.run.retry_with_timeout
Allow use of exception (and by extension, assert statements) in the
called function in order to extract essential debug information about
the type of failure that was encountered.
In case the called function fails to succeed on the last retry and
raised an exception, log it as error and set it as the assert message to
propagate it through the pytest framework.
Closes #5324
Merge branch '5324-pytest-isctest-run-logging' into 'main'
Nicki Křížek [Thu, 19 Jun 2025 12:09:57 +0000 (14:09 +0200)]
Use time.monotonic() for time measumeremts in pytest
For duration measurements, i.e. deadlines and timeouts, it's more
suitable to use monotonic time as it's guaranteed to only go forward,
unlike time.time() which can be affected by local clock settings.
Nicki Křížek [Fri, 6 Jun 2025 13:11:44 +0000 (15:11 +0200)]
Improve logging from isctest.run.retry_with_timeout
Allow use of exception (and by extension, assert statements) in the
called function in order to extract essential debug information about
the type of failure that was encountered.
In case the called function fails to succeed on the last retry and
raised an exception, log it as error and set it as the assert message to
propagate it through the pytest framework.
Matthijs Mekking [Thu, 22 May 2025 09:23:48 +0000 (11:23 +0200)]
Fix spurious missing key files log messages
This happens because old key is purged by one zone view, then the other
is freaking out about it.
Keys that are unused or being purged should not be taken into account
when verifying key files are available.
The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.
The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing" log errors.
We should not check the purge variable at this point, but the
current time and purge-keys duration.
Create a test scenario where a signed zone is in multiple views and
then a key may be purged. This is a bug case where the key files are
removed by one view and then the other view starts complaining.
Mark Andrews [Thu, 19 Jun 2025 01:01:12 +0000 (01:01 +0000)]
new: usr: "Add code paths to fully support PRIVATEDNS and PRIVATEOID keys"
Added support for PRIVATEDNS and PRIVATEOID key usage. Added PRIVATEOID
test algorithms using the assigned OIDs for RSASHA256 and RSASHA512.
Added code to support proposed DS digest types that encode the PRIVATEDNS
and PRIVATEOID identifiers at the start of the digest field of the DS record.
This code is disabled by default.
Closes #3240
Merge branch '3240-add-privatedns-and-privateoid-support' into 'main'
Mark Andrews [Wed, 28 May 2025 10:02:48 +0000 (20:02 +1000)]
Test extended DS digest type support
Add a zone using DS records that embed the private algorithm
identifier in the digest field. There are 2 DS record for an
unsupported DNSSEC algorithm one of which that doesn't have a
matching DNSKEY. This zone should validate as insecure as the
validator can establish that both DS records are for unsupported
DNSSEC algorithms.
Mark Andrews [Fri, 16 May 2025 05:50:53 +0000 (15:50 +1000)]
Add tests using PRIVATEOID algorithms
There are 4 tests:
1) a zone using a known private OID. Validations should succeed
and return AD=1.
2) a zone using an unknown private OID. Validation should succeed
and return AD=0 as the DS to DNSKEY has provably unsupported
algorithm.
3) a zone using a known private OID and an extra DS record. Validation
should succeed as there is DS to DNSKEY with a known algorithm
linkage.
4) a zone using an unknown private OID and an extra DS record.
Validation should fail as only one of the DS records can be matched
to a provable unknown algorithm. The algorithm of the second DS
is indeterminate.
Mark Andrews [Mon, 31 Mar 2025 13:12:52 +0000 (00:12 +1100)]
Add PRIVATEOIDs for RSASHA256 and RSASHA512
Use the existing RSASHA256 and RSASHA512 implementation to provide
working PRIVATEOID example implementations. We are using the OID
values normally associated with RSASHA256 (1.2.840.113549.1.1.11)
and RSASHA512 (1.2.840.113549.1.1.13).
Mark Andrews [Wed, 21 May 2025 00:13:04 +0000 (10:13 +1000)]
Future: DS private algorithm support
Add support for proposed DS digest types that encode the private
algorithm identifier at the start of the DS digest as is done for
DNSKEY and RRSIG. This allows a DS record to identify the specific
DNSSEC algorithm, rather than a set of algorithms, when the algorithm
field is set to PRIVATEDNS or PRIVATEOID.
Mark Andrews [Tue, 8 Apr 2025 18:26:55 +0000 (13:26 -0500)]
Support PRIVATEOID/PRIVATEDNS in zone.c
- dns_zone_cdscheck() has been extended to extract the key algorithms
from DNSKEY data when the CDS algorithm is PRIVATEOID or PRIVATEDNS.
- dns_zone_signwithkey() has been extended to support signing with
PRIVATEDNS and PRIVATEOID algorithms. The signing record (type 65534)
added at the zone apex to indicate the current state of automatic zone
signing can now contain an additional two-byte field for the DST
algorithm value, when the DNS secalg value isn't enough information.
Mark Andrews [Wed, 16 Apr 2025 01:31:41 +0000 (11:31 +1000)]
Support PRIVATEOID/PRIVATEDNS in the resolver
dns_resolver_algorithm_supported() has been extended so in addition to
an algorithm number, it can also take a pointer to an RRSIG signature
field in which key information is encoded.
Mark Andrews [Mon, 31 Mar 2025 13:12:52 +0000 (00:12 +1100)]
Use DST algorithm values instead of dns_secalg where needed
DST algorithm and DNSSEC algorithm values are not necessarily the same
anymore: if the DNSSEC algorithm value is PRIVATEOID or PRIVATEDNS, then
the DST algorithm will be mapped to something else. The conversion is
now done correctly where necessary.
Mark Andrews [Wed, 16 Apr 2025 01:31:41 +0000 (11:31 +1000)]
Support for DST_ALG_PRIVATEDNS and DST_ALG_PRIVATEOID
The algorithm values PRIVATEDNS and PRIVATEOID are placeholders,
signifying that the actual algorithm identifier is encoded into the
key data. Keys using this mechanism are now supported.
- The algorithm values PRIVATEDNS and PRIVATEOID cannot be used to
build a key file name; dst_key_buildfilename() will assert if
they are used.
- The DST key values for private algorithms are higher than 255.
Since DST_ALG_MAXALG now exceeds 256, algorithm arrays that were
previously hardcoded to size 256 have been resized.
- New mnemonic/text conversion functions have been added.
dst_algorithm_{fromtext,totext,format} can handle algorithm
identifiers encoded in PRIVATEDNS and PRIVATEOID keys, as well
as the traditional algorithm identifiers. (Note: The existing
dns_secalg_{fromtext,totext,format} functions are similar, but
do *not* support PRIVATEDNS and PRIVATEOID. In most cases, the
new functions have taken the place of the old ones, but in a few
cases the old version is still appropriate.)
- dns_private{oid,dns}_{fromtext,totext,format} converts between
DST algorithm values and the mnemonic strings for algorithms
implemented using PRIVATEDNS or PRIVATEOID. (E.g., "RSASHA256OID").
- dst_algorithm_tosecalg() returns the DNSSEC algorithm identifier
that applies for a given DST algorithm. For PRIVATEDNS- or
PRIVATEOID- based algorithms, the result will be PRIVATEDNS or
PRIVATEOID, respectively.
- dst_algorithm_fromprivatedns() and dst_algorithm_fromprivateoid()
return the DST algorithm identifier for an encoded algorithm in
wire format, represented as in DNS name or an object identifier,
respectively.
- dst_algorithm_fromdata() is a front-end for the above; it extracts
the private algorithm identifier encoded at the begining of a
block of key or signature data, and returns the matching DST
algorithm number.
- dst_key_fromdns() and dst_key_frombuffer() now work with keys
that have PRIVATEDNS and PRIVATEOID algorithm identifiers at the
beginning.
Mark Andrews [Wed, 23 Apr 2025 04:52:23 +0000 (14:52 +1000)]
Make system test changes needed for PRIVATEOID/PRIVATEDNS
- When the algorithm value for a DNSSEC key is set to PRIVATEOID
or PRIVATEDNS, that's a placeholder value indicating that the
real algorithm identifier is encoded into the key or signature
data. That means the DNSKEY algorithm value and the DST algorithm
value may not be identical, so we must now add environment variables
DEFAULT_ALGORITHM_DST_NUMBER, ALTERNATIVE_ALGORITHM_DST_NUMBER
and DISABLED_ALGORITHM_DST_NUMBER to the test suite, with support
for mapping from DST algorithm value to PRIVATEDNS or PRIVATEOID.
- Some test cases use RRSIGs that have been modified to force
validation to fail. When making those modifications, we now
preserve the first part of the signature, so that PRIVATEDNS and
PRIVATEOID algorithm identifier values will still work. (This
assumes that the identifiers are short and fit into the first
base64 block.)
Matthijs Mekking [Wed, 19 Mar 2025 13:37:28 +0000 (14:37 +0100)]
Convert going insecure kasp test to pytest
When going insecure, we publish CDS and CDNSKEY DELETE records. Update
the check_apex function to test this.
Also, skip some tests in the 'check_rollover_step()' function. If
we change the DNSSEC Policy, keys that no longer match the policy will
be retired. When this exactly happens is hard to determine, as it
happens on the reconfigure. So for these tests, we skip the key timing
metadata checks.
Also, the zone becomes unsigned, so don't call 'check_zone_is_signed'
in those cases.
Matthijs Mekking [Wed, 19 Mar 2025 10:35:18 +0000 (11:35 +0100)]
Convert policy changes tests to pytest
These test cases involve a reconfiguration. The first one is a zone
that changes from dynamic to inline-signing. The others are tests that
key lifetimes are updated correctly after changing them.
Evan Hunt [Thu, 6 Feb 2025 07:08:27 +0000 (23:08 -0800)]
load the journal file if it already exists
apply the existing journal file, if any, to the old version of the
database before diffing it against the new version. then, append
the diff to the end of the journal. this allows easy creation of
a journal file with multiple deltas, by running named-makejournal
successively.
Evan Hunt [Thu, 6 Feb 2025 04:28:31 +0000 (20:28 -0800)]
improvements to named-makejournal
- write the journal to a default location (file1.jnl) if it was not
specified on the commandline.
- exit with a clear error message if file2's SOA serial number is
not changed from file1.
Evan Hunt [Thu, 6 Feb 2025 01:15:09 +0000 (17:15 -0800)]
move makejournal to bin/tools
move the "makejournal" tool from bin/tests/system to bin/tools
and rename it to "named-makejournal". add a man page. update
tests to use the new file location.
Evan Hunt [Fri, 13 Jun 2025 03:12:18 +0000 (03:12 +0000)]
fix: usr: Use IPv6 queries in delv +ns
`delv +ns` invokes the same code to perform name resolution as `named`,
but it neglected to set up an IPv6 dispatch object first. Consequently,
it was behaving more like `named -4`. It now sets up dispatch objects
for both address families, and performs resolver queries to both v4 and v6
addresses, except when one of the address families has been suppressed
by using `delv -4` or `delv -6`.
Evan Hunt [Thu, 5 Jun 2025 21:10:21 +0000 (14:10 -0700)]
add tests for 'delv +ns -4' and '-6'
check that `delv +ns` sends iterative queries over both address
families when -4 and -6 are not used, and suppresses queries
appropriately when they are.
Evan Hunt [Thu, 5 Jun 2025 18:41:17 +0000 (11:41 -0700)]
Use ipv6 queries in delv +ns
`delv +ns` invokes the same code to perform name resolution as `named`,
but it neglected to set up an IPv6 dispatch object first. Consequently,
it was behaving more like `named -4`.
It now sets up dispatch objects for both address families, and performs
resolver queries to both v4 and v6 addresses, except when one of the
address families has been suppressed by using `delv -4` or `delv -6`.
Evan Hunt [Fri, 13 Jun 2025 02:43:30 +0000 (02:43 +0000)]
fix: dev: Remove zone keyopts field
The "keyopts" field of the dns_zone object was added to support
"auto-dnssec"; at that time the "options" field already had most of
its 32 bits in use by other flags, so it made sense to add a new
field.
Since then, "options" has been widened to 64 bits, and "auto-dnssec"
has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no
longer needed. The one that still seems useful (_FULLSIGN) has been
moved into DNS_ZONEOPT and the rest have been removed, along with
"keyopts" and its setter/getter functions.
Merge branch 'each-cleanup-zonekey-opts' into 'main'
Evan Hunt [Sat, 7 Jun 2025 21:57:54 +0000 (14:57 -0700)]
Remove zone keyopts field
The "keyopts" field of the dns_zone object was added to support
"auto-dnssec"; at that time the "options" field already had most of
its 32 bits in use by other flags, so it made sense to add a new
field.
Since then, "options" has been widened to 64 bits, and "auto-dnssec"
has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no
longer needed. The one that still seems useful (_FULLSIGN) has been
moved into DNS_ZONEOPT and the rest have been removed, along with
"keyopts" and its setter/getter functions.
Evan Hunt [Fri, 13 Jun 2025 01:28:42 +0000 (01:28 +0000)]
fix: dev: Clean up CFG_ZONE_DELEGATION
`type delegation-only` has been obsolete for some time
(see #3953) but the zone type flag for it was still defined
in libisccfg. It has now been removed.
Merge branch 'each-cleanup-delegation' into 'main'
Evan Hunt [Thu, 5 Jun 2025 00:06:25 +0000 (17:06 -0700)]
Clean up CFG_ZONE_DELEGATION
"type delegation-only" has been obsolete for some time
(see #3953) but the zone type flag for it was still defined
in libisccfg. It has now been removed.
Aydın Mercan [Wed, 11 Jun 2025 08:01:15 +0000 (08:01 +0000)]
new: dev: replace the build system with meson
This MR replaces the build system with meson.
Speed: Meson is noticeably faster to setup and build than automake/autoconf.
The improvements will likely add up in CI and development over time.
Readability: Readability is a subjective criteria but meson is generally regarded as easier to read compared to CMake and automake/autoconf.
Developer Ergonomics: Meson produces a compilation database, doesn't require libtool wrapping of executables/debuggers and offers JSON based build introspection.
WrapDB and downloading dependencies is a non-issue for us since it requires writing wrap files explicitly and has been disabled by default via the `wrap_mode=nofallback` project option as a measure.
Aydın Mercan [Tue, 16 Apr 2024 12:13:53 +0000 (15:13 +0300)]
replace the build system with meson
Meson is a modern build system that has seen a rise in adoption and some
version of it is available in almost every platform supported.
Compared to automake, meson has the following advantages:
* Meson provides a significant boost to the build and configuration time
by better exploiting parallelism.
* Meson is subjectively considered to be better in readability.
These merits alone justify experimenting with meson as a way of
improving development time and ergonomics. However, there are some
compromises to ensure the transition goes relatively smooth:
* The system tests currently rely on various files within the source
directory. Changing this requirement is a non-trivial task that can't
be currently justified. Currently the last compiled build directory
writes into the source tree which is in turn used by pytest.
* The minimum version supported has been fixed at 0.61. Increasing this
value will require choosing a baseline of distributions that can
package with meson. On the contrary, there will likely be an attempt
to decrease this value to ensure almost universal support for building
BIND 9 with meson.
Ondřej Surý [Wed, 4 Jun 2025 10:48:18 +0000 (10:48 +0000)]
fix: dev: Try to skip lock on fully lower names
If the name is fully lowercase, we don't need to access the case bitmap in order to set the case. Therefore, we can check for the FULLYLOWERCASE flag using only atomic operations, and skip a lock in the hot path, provided we clear the FULLYLOWERCASE flag before changing the case bitmap.
Merge branch 'alessio/skip-lock-on-fully-lower-names' into 'main'
Alessio Podda [Wed, 28 May 2025 12:33:04 +0000 (14:33 +0200)]
Try to skip lock on fully lower names
If the name is fully lowercase, we don't need to access the case bitmap
in order to set the case. Therefore, we can check for the FULLYLOWERCASE
flag using only atomic operations, and skip a lock in the hot path,
provided we clear the FULLYLOWERCASE flag before changing the case
bitmap.
Arаm Sаrgsyаn [Wed, 4 Jun 2025 10:22:38 +0000 (10:22 +0000)]
new: usr: Redesign the unreachable primaries cache
Previously, the cache for the unreachable primary servers was limited
to 10 entries (LRU) and a fixed 10 minutes delay for each entry, unless
removed forcibly by a new entry. The cache is now redesigned to remove the
10 entry limitation and to introduce delay values with exponential
backoff time - initially an unreachable primary server is cached as
being unreachable for 10 seconds, but each time the cache entry is expired
and the same server is added again during the eligibility period of the next
120 seconds, the delay time is doubled up until to the maximum of 640
seconds.
Closes #3992
Merge branch '3992-unreachable-cache-redesign' into 'main'
Aram Sargsyan [Tue, 18 Feb 2025 08:34:41 +0000 (08:34 +0000)]
Redesign the unreachable primaries cache
The cache for unreachable primaries was added to BIND 9 in 2006 via 1372e172d0e0b08996376b782a9041d1e3542489. It features a 10-slot LRU
array with 600 seconds (10 minutes) fixed delay. During this time, any
primary with a hiccup would be blocked for the whole block duration
(unless overwritten by a different entry).
As this design is not very flexible (i.e. the fixed delay and the fixed
amount of the slots), redesign it based on the badcache.c module, which
was implemented earlier for a similar mechanism.
The differences between the new code and the badcache module were large
enough to create a new module instead of trying to make the badcache
module universal, which could complicate the implementation.
The new design implements an exponential backoff for entries which are
added again soon after expiring, i.e. the next expiration happens in
double the amount of time of the previous expiration, but in no more
time than the defined maximum value.
The initial and the maximum expiration values are hard-coded, but, if
required, it should be trivial to implement configurable knobs.
A dns_view_t has a queryonacl property, which is supposed to hold the
ACL matching the configuration "allow-query-on". However the code
parsing this configuration ACL was missing (or removed by mistake?),
hence this property was always NULL. The ACL was still built but
individually for each zone (which checks if the property exists in the
zone definition, view definition, and finally options definition).
We now create the ACL instance at the view level, enabling zones to
share the same (identical) ACL instead of having their own copies.
Merge branch 'colin/view-allowqueryon' into 'main'
Colin Vidal [Tue, 3 Jun 2025 14:12:59 +0000 (16:12 +0200)]
initialize queryonacl dns_view_t property
A dns_view_t has a queryonacl property, which is supposed to hold the
ACL matching the configuration "allow-query-on". However the code
parsing this configuration ACL was missing (or removed by mistake?),
hence this property was always NULL. The ACL was still built but
individually for each zone (which checks if the property exists in the
zone definition, view definition, and finally options definition).
It now create the ACL instance at the view level, enabling zones to
share the same (identical) ACL instead of having their own copies.
Evan Hunt [Tue, 3 Jun 2025 19:45:06 +0000 (19:45 +0000)]
new: usr: Add support for zone templates
To simplify the configuration of multiple similar zones, BIND now supports a zone template mechanism. `template` blocks containing zone options can be defined at the top level of the configuration file; they can then be referenced in `zone` statements. A zone referencing a template will use the options in the specified `template` block as defaults. (Options locally defined in the `zone` statement override the template.)
The filename for a zone can now be generated parametrically from a format specified in the `file` option. The first occurrences of `$name`, `$type` and `$view` in `file` are replaced with the zone origin, the zone type (i.e., primary, secondary, etc), and the view name, respectively.
Primary zones can now take an `initial-file` option, specifying the path to a generic zone file that will be copied into the zone's `file` path when the zone is first loaded, if the `file` does not already exist.
For example, the following template can be used for primary zones:
```
template primary {
type primary;
file "$name.db";
initial-file "generic.db";
};
```
With this template in place, a new primary zone could be added using a single `rndc addzone` command:
projects / thirdparty / bind9.git / log
