Colin Vidal [Wed, 3 Dec 2025 15:26:22 +0000 (16:26 +0100)]
chg: dev: Add RRSIG if required as soon as they are found
When EDNS DO flag (`dig +dnssec`) flag is set, an rdataset is allocated
to hold the RRSIG of an RR, if present in DB. However, this allocation
is not done if the zone DB is not considered as secure
(`dns_db_issecure() == false`). Changes this behaviour by allocating the
rdataset anyway, so the RRSIG can be associated in the answer section of
the response as soon it is found from the DB.
The fact we attach the rrsig potentially more often (though it probably
occurs in edge cases) doesn't seems to affect performance in any ways:
Merge branch 'colin/rrsig-nonsecure-db' into 'main'
Colin Vidal [Tue, 2 Dec 2025 18:00:55 +0000 (19:00 +0100)]
test for RRSIG provided as soon as they are found
Add a system test which checks that a server authoritative on zone which
is not fully signed (here, it is missing the DNSKEY records as well as the
RRSIG on the RR `b`) still return the RRSIG associated with an RR if
provided in the zone.
Colin Vidal [Tue, 2 Dec 2025 15:53:40 +0000 (16:53 +0100)]
add RRSIG if required as soon as they are found
When EDNS DO flag (`dig +dnssec`) flag is set, an rdataset is allocated
to hold the RRSIG of an RR, if present in DB. However, this allocation
is not done if the zone DB is not considered as secure
(`dns_db_issecure() == false`). Changes this behaviour by allocating the
rdataset anyway, so the RRSIG can be associated in the answer section of
the response as soon it is found from the DB.
Arаm Sаrgsyаn [Wed, 3 Dec 2025 10:16:08 +0000 (10:16 +0000)]
fix: test: Fix an issue with unreachable cache's unit test
The isc_stdtime_now() function used by dns_unreachcache_find() to
check if the entry needs to be expired has a one-second resolution,
and the test sleeps for 1 second and then for the amount of the
expiration interval, which in a worst-case scenario can cause the
test to fail, because the entry was expected to be expired but it
wasn't. Sleep for 2 seconds instead of 1 to avoid the timing
resolution issue.
Closes #5601
Merge branch '5601-unreachable-cache-expire-test-fix' into 'main'
Aram Sargsyan [Thu, 6 Nov 2025 11:33:41 +0000 (11:33 +0000)]
Fix an issue with unreachable cache's unit test
The isc_stdtime_now() function used by dns_unreachcache_find() to
check if the entry needs to be expired has a one-second resolution,
and the test sleeps for 1 second and then for the amount of the
expiration interval, which in a worst-case scenario can cause the
test to fail, because the entry was expected to be expired but it
wasn't. Sleep for 2 seconds instead of 1 to avoid the timing
resolution issue.
Matthijs Mekking [Thu, 20 Nov 2025 13:10:45 +0000 (14:10 +0100)]
Wait for log zone_needdump is more reliable
In some cases we wait for the log message "sending notifies" before
proceeding with the test case. Notifies are rate limited. They are not
sent on every change to the zone. The "zone_needdump" messages happen on
every change.
Evan Hunt [Fri, 28 Nov 2025 19:07:48 +0000 (19:07 +0000)]
fix: dev: Pass isc_buffer_t pointers when applicable
In commit aea251f3bce7, `isc_buffer_reserve()` was changed to
take a simple `isc_buffer_t *` instead of `isc_buffer_t **`.
A number of functions calling it have now been similarly
modified.
Evan Hunt [Wed, 26 Nov 2025 07:23:19 +0000 (23:23 -0800)]
pass isc_buffer_t pointers when applicable
In commit aea251f3bce7, `isc_buffer_reserve()` was changed to
take a simple `isc_buffer_t *` instead of `isc_buffer_t **`.
A number of functions calling it have now been similarly
modified.
Matthijs Mekking [Fri, 28 Nov 2025 15:15:39 +0000 (15:15 +0000)]
chg: usr: Improve output of 'rndc dnssec -status'
Add a new parameter ``-v`` to the ``rndc dnssec -status`` command for more verbose output. Previously, key states were printed, and keys that can be purged were listed. This made the output hard to read. This information is now only shown in the verbose output.
Add more meaningful messages to the status output, making it clearer what the state of a rollover is.
This makes the output more condense, improving its readability.
Closes #3938
Merge branch '3938-improve-rndc-dnssec-status-output' into 'main'
Matthijs Mekking [Wed, 15 Oct 2025 14:04:28 +0000 (16:04 +0200)]
Change output of rndc dnssec -status
Wrap 'dns_keymgr_status()' in 'dns_zone_dnssecstatus()' so we can easily
retrieve the zone string name and refresh key time value.
In addition to the current time, output when the next key event is
expected.
Don't log keys that are completely hidden unless verbose is set.
Don't log key state values unless verbose is set, or they are in a
weird state.
For expected key states, log a more useful message of the stage of
the rollover. If we are in the middle of a key rollover, don't log
when the next key rollover is scheduled.
Matthijs Mekking [Wed, 26 Nov 2025 07:31:45 +0000 (08:31 +0100)]
Update misleading comments in multisigner test
We are not actually retrieving these records from the other provider,
they are available as key files to us and we are using those files
to send a dynamic update to the server.
Matthijs Mekking [Sun, 12 Oct 2025 09:49:00 +0000 (11:49 +0200)]
Convert model2.secondary test to pytest
This test is similar to model2.multisigner, but now the two providers
are both secondary, both using the same hidden primary. The DNSKEY,
CDNSKEY, and CDS records need to be published at the hidden primary,
ns5, the zone is transferred to both secondaries, ns3 and ns4.
To avoid intermittent test failures, we wait for the line
"zone {zone}/IN (signed): serial {serial2} (unsigned {serial1})" in
the secondary server logs. This is a signal that the unsigned zone
with serial <serial1> has a signed version ready with serial <serial2>.
Matthijs Mekking [Fri, 10 Oct 2025 16:02:58 +0000 (18:02 +0200)]
Update multisigner system test to set primary
When testing multi-signer as bump-in-the-wire (upcoming test), we want
to be able to do dynamically updates to a hidden primary. Update the
test functions such that we can set a specific primary server.
Matthijs Mekking [Fri, 10 Oct 2025 08:57:50 +0000 (10:57 +0200)]
Convert model2.multisigner test to pytest
This converts the model2.multisigner tests from the multisigner system
test to pytest based code. Crappy shell test functions such as
'zsks_are_published', 'records_published' and others are replaced with
the standard test code from isctest.kasp and by setting 'private=False'
and 'legacy=True' on the keys from the other providers so we don't do
any key file testing.
Ondřej Surý [Mon, 24 Nov 2025 09:06:51 +0000 (10:06 +0100)]
Provide more information when the memory allocation fails
Instead of just crashing when memory allocation fails, also print a
message saying "Out of memory!", the size of the allocation that failed,
total allocated memory from all memory contexts and value of errno.
Ondřej Surý [Fri, 28 Nov 2025 13:34:04 +0000 (14:34 +0100)]
fix: nil: Fix missing field 'merge' initializer for the new cfg_clausedef_t
In !11121, a .merge member was added to cfg_clausedef_t. This caused
a build failure with -Werror,-Wmissing-field-initializers enabled.
Add the missing initializer and set them all to NULL to match the
intent.
Merge branch 'ondrej/fix-compilation-on-macos' into 'main'
Ondřej Surý [Fri, 28 Nov 2025 10:38:41 +0000 (11:38 +0100)]
Fix missing field 'merge' initializer for the new cfg_clausedef_t
In !11121, a .merge member was added to cfg_clausedef_t. This caused
a build failure with -Werror,-Wmissing-field-initializers enabled.
Add the missing initializer and set them all to NULL to match the
intent.
Colin Vidal [Fri, 28 Nov 2025 12:45:06 +0000 (13:45 +0100)]
fix: dev: Fix uninitialized pointer check on getipandkeylist
Function `named_config_getipandkeylist` could, in case of error in the early code attempting to get the `port` or `tls-port`, make a pointer check on a non-initialized value. This is now fixed.
Merge branch 'colin/getipandkeylist-uinitstate' into 'main'
Colin Vidal [Fri, 28 Nov 2025 10:55:32 +0000 (11:55 +0100)]
fix unitiailized pointer check on getipandkeylist
Function `named_config_getipandkeylist` could, in case of error in the
early code attempting to get the `port` or `tls-port`, make a pointer
check on a non-initialized value. This is now fixed.
Ondřej Surý [Fri, 28 Nov 2025 09:51:38 +0000 (10:51 +0100)]
fix: usr: Fix caching RRSIG covering cache NODATA record
When a RRSIG for type that we already have cached NODATA record was cached due to mismatch of the records on the upstream nameservers, an assertion failure could trigger. This has been fixed.
Closes #5633
Merge branch '5633-evict-related-rrsig-when-adding-negative-header' into 'main'
Ondřej Surý [Sat, 8 Nov 2025 11:10:51 +0000 (12:10 +0100)]
Fix not caching RRSIG covering cache NODATA record
During refactoring, a condition that prevented caching RRSIGs for
records that we already have cached NODATA records was changed in an
invalid way. This was caught later when a cached NODATA(type) +
RRSIG(type) was found in the cache and caused an assertion failure.
Fix and simplify condition that prevents adding such RRSIGs.
Ondřej Surý [Sat, 8 Nov 2025 11:06:20 +0000 (12:06 +0100)]
Evict the RRSIG when adding negative header
Formerly, we've evicted the RRSIG(type) only when we were changing
existing header from positive to negative. Move the eviction routine
for the RRSIG to a common path, so the RRSIG also gets evicted when we
are adding new negative header for a specific type.
Colin Vidal [Tue, 25 Nov 2025 14:45:22 +0000 (15:45 +0100)]
check validity of key and tls in a server-list
If a `key` or `tls` is associated to an IP address inside a server-list,
only the `tls` existence in the configuration was checked. Also, if
`key` or `tls` is associated to a named server-list inside a
server-list, there was no check at all.
Add the check for making sure a `key` is defined in the configuration,
as well as the check for `key` and `tls` when used on a named
server-list.
Colin Vidal [Tue, 25 Nov 2025 14:34:26 +0000 (15:34 +0100)]
check remote-servers list correctness
`check.c` only checks if `remote-servers`, `primaries`, etc. are not
duplicated inside the configuration file, but does not check the
correctness of its definition. This commit fixes this by calling
`validate_remotes()` for each `remote-servers` (and other aliases),
which validates the correctness of the definition itself (this is the
same call done to validate other cases like `also-notify`, etc.).
Colin Vidal [Tue, 25 Nov 2025 12:56:37 +0000 (13:56 +0100)]
refactoring of `named_config_getipandkeylist`
Function `named_config_getipandkeylist()` processes the nested lists by
overriding the current local variable of the function, jumping back to
the beginning of the list processing. Of course, in order to go back to
the previous state and process the remaining items of the current list,
a "stack" array is used in order to put and get back the next list
element and associated values.
This makes the logic quite complex and error prone. Instead, this commit
changes the logic by recursing into the nested list (while sharing a
state between all the invocations). The processing is fundamentally
identical, but instead of "manually" handling the stack to go back to
the previous state (and process remaining elements of the current list),
takes advantage of recursion.
did not work: the `fookey` was silently ignored. No matter how `bar` was
used, the server `10.53.0.5` wouldn't be contacted using the TSIG key
`fookey`. The problem is the same the for `tls` property.
The reason of the problem was that when `named_config_getipandkeylist()`
reached a named server-list (here, `foo`), it modified the current
context in order to immediately process what is inside `foo`, but forgot
to look at the fields `key` and `tls`, to associate those with `foo`
addresses.
Fix the problem by wrapping the `key` and `tls` from the "caller" list
inside the existing `lists` struct which is used to figure out if a
list is already processed or not. That way, the `key` and `tls` values
can be read when adding the addresses of the nested list.
Colin Vidal [Fri, 21 Nov 2025 16:05:15 +0000 (17:05 +0100)]
test named remote-servers `key` usage
Even though `remote-servers` now allows using named server-list with `key`
(or `tls`), the `key` or `tls` is not used, in the context of a named
server-list, when configuring the server.
Colin Vidal [Wed, 19 Nov 2025 16:34:16 +0000 (17:34 +0100)]
allow named remote-servers list with key or tls
The remote-servers clause enables the following pattern:
remote-servers a { 1.2.3.4; ... };
remote-servers b { a key foo; };
However, `check.c` was explicitly throwing an error if a `key` or `tls`
was provided after a named server-list. Remove this check, as this is a
valid use case.
Arаm Sаrgsyаn [Thu, 27 Nov 2025 17:41:17 +0000 (17:41 +0000)]
fix: usr: Fix TLS contexts cache object usage bug in the resolver
:iscman:`named` could terminate unexpectedly when reconfiguring or
reloading, and if client-side TLS transport was in use (for example,
when forwarding queries to a DoT server). This has been fixed.
Closes #5653
Merge branch '5653-tlsctx_cache-reference-bug-fix' into 'main'
Aram Sargsyan [Thu, 27 Nov 2025 15:00:26 +0000 (15:00 +0000)]
Fix a bug where tlsctx_cache could be destroyed while still in use
When named is being reconfigured, it detaches from the old
'isc_tlsctx_cache_t' TLS context cache object and creates a
new one. This can cause an assertion failure within the
resolver when the object is destroyed while still in use,
because the resolver is using the object without getting
attached to it.
Add an attach/detach so that the 'isc_tlsctx_cache_t' doesn't
get destroyed while still being in use.
Ondřej Surý [Thu, 27 Nov 2025 16:34:42 +0000 (17:34 +0100)]
fix: usr: Fix the spurious timeouts while resolving names
Sometimes the loops in the resolving (e.g. to resolve or validate ns1.example.com we need to resolve ns1.example.com) were not properly detected leading to spurious 10 seconds delay. This has been fixed and such loops are properly detected.
Closes #3033, #5578
Merge branch '5578-tracker-parent-fetch' into 'main'
Ondřej Surý [Wed, 22 Oct 2025 17:25:55 +0000 (19:25 +0200)]
Detect resolution loops between fetches
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.
Ondřej Surý [Thu, 27 Nov 2025 16:34:07 +0000 (17:34 +0100)]
chg: usr: Change the QNAME minimization algorithm to follow the standard
In !9155, the QNAME minimization was changed to not leak the query type
to the parent name server. This violates RFC 9156 Section 3, step (3)
and it is not necessary. It also breaks some (weird) authoritative DNS
setups, especially when CNAMEs are involved. Also there is really no
privacy leak with query type.
Closes #5661
Merge branch '5661-dont-minimize-when-QNAME-matches-original-QNAME' into 'main'
Ondřej Surý [Thu, 27 Nov 2025 13:07:35 +0000 (14:07 +0100)]
Change the QNAME minimization algorithm to follow the standard
In !9155, the QNAME minimization was changed to not leak the query type
to the parent name server. This violates RFC 9156 Section 3, step (3)
and it is not necessary. It also breaks some (weird) authoritative DNS
setups, especially when CNAMEs are involved. Also there is really no
privacy leak with query type.
Nicki Křížek [Thu, 27 Nov 2025 13:49:01 +0000 (14:49 +0100)]
new: test: Create trust anchors from isctest.kasp.Key
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Merge branch 'nicki/pytest-add-trust-anchor-template' into 'main'
Nicki Křížek [Mon, 3 Nov 2025 13:59:00 +0000 (14:59 +0100)]
Add a template for TA and generate it from isctest.kasp.Key
Add isctest.kasp.Key.into_ta() method which convert the key into DS /
DNSKEY trust anchor for BIND config. Add a shared template
trusted.conf.j2 which can be linked to in tests to create the trust
anchor configuration from trust anchor data returned from bootstrap()
function.
This is basically a python replacement for the keyfile_to_static_ds (and
friends) from the conf.sh shell framework.
Nicki Křížek [Fri, 24 Oct 2025 14:47:59 +0000 (16:47 +0200)]
Parse DNSKEY into a dnspython type in isctest.kasp.Key.dnskey
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.
Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
neccessary parsing is done by dnspython.
Meson boolean options are usually configured with enabled/disabled
instead of on/off. Make things more consistent with other meson options
by renaming -Dnamed-lto=off to -Dnamed-lto=disabled.
Ondřej Surý [Thu, 27 Nov 2025 11:42:09 +0000 (12:42 +0100)]
chg: dev: Use malloc_usable_size()/malloc_size() for memory accounting
Restore usage of malloc_usable_size()/malloc_size(), but this time only
for memory accounting and statistics purposes. This should reduce the
memory footprint in case of compilation without jemalloc as we don't
have to keep track of the allocated memory size ourselves.
Merge branch 'ondrej/use-malloc_usable_size-when-available' into 'main'
Ondřej Surý [Mon, 24 Nov 2025 08:41:31 +0000 (09:41 +0100)]
Use malloc_usable_size()/malloc_size() for memory accounting
Restore usage of malloc_usable_size()/malloc_size(), but this time only
for memory accounting and statistics purposes. This should reduce the
memory footprint in case of compilation without jemalloc as we don't
have to keep track of the allocated memory size ourselves.
Ondřej Surý [Wed, 26 Nov 2025 10:45:03 +0000 (11:45 +0100)]
Enable junk filling via jemalloc option in the CI
Since the filling memory with junk patterns have been removed from ISC
memory context in favor of jemalloc opt.junk option, enable the jemalloc
behaviour by default in the GitLab CI.
As the fetch context reference counting was converted to userspace RCU
reference counting, the ability to debug the reference counting was
lost. Restore the debugging by adding the optional compile-time enabled
debugging output again.
Merge branch 'ondrej/add-tracing-to-fctx-reference-counting' into 'main'
Ondřej Surý [Thu, 23 Oct 2025 11:11:45 +0000 (13:11 +0200)]
Add optional debugging output for fetch context reference counting
As the fetch context reference counting was converted to userspace RCU
reference counting, the ability to debug the reference counting was
lost. Restore the debugging by adding the optional compile-time enabled
debugging output again.
Ondřej Surý [Thu, 27 Nov 2025 09:38:58 +0000 (10:38 +0100)]
chg: nil: Split qctx_destroy() into qctx_deinit() and qctx_destroy()
The qctx_destroy() only needs to be called on allocated memory and
qctx_deinit() needs to be called always. Also remove .allocated member
from the query_ctx_t structure.
Ondřej Surý [Mon, 24 Nov 2025 09:49:18 +0000 (10:49 +0100)]
Split qctx_destroy() into qctx_deinit() and qctx_destroy()
The qctx_destroy() only needs to be called on allocated memory and
qctx_deinit() needs to be called always. Also remove .allocated member
from the query_ctx_t structure.
Ondřej Surý [Thu, 27 Nov 2025 09:37:36 +0000 (10:37 +0100)]
fix: nil: Remove .delegating flag from the qpcache
The .delegating flag was only set, but never used in the dns_qpcache.
Remove it completely together with the code that was locking the node
to set the flag if the added type was DNAME.
Merge branch 'ondrej/remove-delegating-from-qpcache' into 'main'
The .delegating flag was only set, but never used in the dns_qpcache.
Remove it completely together with the code that was locking the node
to set the flag if the added type was DNAME.
Ondřej Surý [Thu, 27 Nov 2025 09:31:57 +0000 (10:31 +0100)]
chg: dev: Use atomics for CMM_{LOAD,STORE}_SHARED with ThreadSanitizer
Upstream has removed the atomics implementation of CMM_LOAD_SHARED and
CMM_STORE_SHARED as these can be used also with non-stdatomics types.
As we only use the CMM api with stdatomics types, we can restore the
previous behaviour to prevent ThreadSanitizer warnings.
Closes #5660
Merge branch '5660-use-atomics-for-CMM-api-with-thread-sanitizer' into 'main'
Ondřej Surý [Wed, 26 Nov 2025 16:10:37 +0000 (17:10 +0100)]
Use atomics for CMM_{LOAD,STORE}_SHARED with ThreadSanitizer
Upstream has removed the atomics implementation of CMM_LOAD_SHARED and
CMM_STORE_SHARED as these can be used also with non-stdatomics types.
As we only use the CMM api with stdatomics types, we can restore the
previous behaviour to prevent ThreadSanitizer warnings.
Andoni Duarte [Wed, 26 Nov 2025 14:06:24 +0000 (14:06 +0000)]
chg: ci: Fix wiki.wireshark.org links in doc/arm
Fix the broken link https://wiki.wireshark.org/TLS#tls-decryption to
simply https://wiki.wireshark.org/TLS. The links in the wireshark
wiki have been updated somewhen after october 2025 as shown by
https://web.archive.org/web/20251008165051/https://wiki.wireshark.org/TLS#tls-decryption and https://wiki.wireshark.org/TLS.
Merge branch 'andoni/fix-wireshark-links-in-doc-arm' into 'main'
Fix the broken link https://wiki.wireshark.org/TLS#tls-decryption.
Since their TOC also has the wrong anchor, we remove it altogether,
i.e. https://wiki.wireshark.org/TLS.
Nicki Křížek [Fri, 21 Nov 2025 14:05:36 +0000 (15:05 +0100)]
Increase the threshold for respdiff-third-party
There are multiple reasons for the increased amount of differences we've
been seeing lately and for the raise of the threshold:
1. Recent hardening against cache poisoning (CVE-2025-40778) have
uncovered a few edge cases where the domain can't be properly
resolved with the new protections in place, but those are issues with
upstream configuration and DNS setup.
2. The same hardening magnified some behaviour differences between 9.21
and older versions. Some misconfigured domains, which can be resolved
with BIND 9.20 and older are no longer resolvable in 9.21+. This can
be again attributed to upstream DNS misconfiguration. See #5649.
3. A change in the respdiff CI job to include timeouts in the
comparison, or rather, increasing the timeouts to resolve the
previously timed out queries, which are typically failures. With the
previous job configuration, those were omitted from comparison,
because they were timeouts. Now, there should be no timeouts, but
there is a slight increase in the amount of differences for the
threshold evaluation.
Nicki Křížek [Fri, 21 Nov 2025 13:35:57 +0000 (14:35 +0100)]
Set stricter respdiff:recent-named threshold
This job is testing the current BIND implementation against the latest
released version. Unless there has been a behaviour change, there should
be no difference.
In practice, there is a small number of differences caused by upstream
discrepencies. Some of those cause "upstream unstable" answers which are
excluded from the results, but statistically, some of those will end up
being detected as differences on the resolver under test.
Currently, there seems to be about 300 upstream unstable answers with
typically around 50-60 differences. Setting the threshold to 0.1 should
be stable enough to pass if there are no changes, yet sensitive enough
to detect even fairly small changes to behaviour.
Matthijs Mekking [Mon, 24 Nov 2025 13:23:21 +0000 (13:23 +0000)]
fix: usr: Fix bug where zone switches from NSEC3 to NSEC after retransfer
When a zone is re-transferred, but the zone journal on an inline-signing secondary is out of sync, the zone could fall back to using NSEC records instead of NSEC3. This has been fixed.
Closes #5527
Merge branch '5527-retransfer-nsec3-bug' into 'main'
When synchronizing the secure database, we skip DNSSEC records that
BIND 9 maintains with inline-signing. We should also skip private
RDATA type records that are used to track the current state of a
zone-signing process.
If the primary has been updated, but the secondary has not been
notified, the journal will go out of date. An 'rndc retransfer' causes
the zone to force an AXFR, removing and rebuilding zone and journal
files.
This test reproduces a bug that in such scenario, an NSEC3 signed zone
falls back to NSEC.
Colin Vidal [Sat, 22 Nov 2025 03:51:30 +0000 (04:51 +0100)]
fix: nil: Do not log no root hints of _bind chaos view
The "no root hints for view X" message must not be shown for the default
_bind/CH view. However, it is shown since 27c4f68dcc1 (part of effective
configuration changes).
The reason is that since 27c4f68dcc1, `configure_views()` now processes
a single list of views, which contains both builtin and user views as
they are both part of the effective configuration. The changes omit the
(now removed, since 6b5f714e53) `need_hints` bool that was disabling the
warning for the builtin view (_bind/CH).
This disable that log again when configuring _bind/CH view.
Merge branch 'colin/nohintswarn-bindchaos' into 'main'
projects / thirdparty / bind9.git / log
