git.ipfire.org Git - thirdparty/bind9.git/commit

author	Nicki Křížek <nicki@isc.org>
	Fri, 21 Nov 2025 14:05:36 +0000 (15:05 +0100)
committer	Nicki Křížek <nicki@isc.org>
	Tue, 25 Nov 2025 15:01:47 +0000 (16:01 +0100)
commit	d9aeef89e9a5b409aa3c93e22d7a143f38ff8698
tree	5bf1778f21a4f3e9d3a95cc2e5b8082278e17979	tree \| snapshot
parent	dd614497470c6ae9cd8a963e5a0f1cc177ee7b86	commit \| diff

Increase the threshold for respdiff-third-party

There are multiple reasons for the increased amount of differences we've
been seeing lately and for the raise of the threshold:

1. Recent hardening against cache poisoning (CVE-2025-40778) have
   uncovered a few edge cases where the domain can't be properly
   resolved with the new protections in place, but those are issues with
   upstream configuration and DNS setup.
2. The same hardening magnified some behaviour differences between 9.21
   and older versions. Some misconfigured domains, which can be resolved
   with BIND 9.20 and older are no longer resolvable in 9.21+. This can
   be again attributed to upstream DNS misconfiguration. See #5649.
3. A change in the respdiff CI job to include timeouts in the
   comparison, or rather, increasing the timeouts to resolve the
   previously timed out queries, which are typically failures. With the
   previous job configuration, those were omitted from comparison,
   because they were timeouts. Now, there should be no timeouts, but
   there is a slight increase in the amount of differences for the
   threshold evaluation.

(cherry picked from commit bcc4369b0bf243433ca5334cdce3982a15ce4027)