Nicki Křížek [Fri, 10 Oct 2025 11:07:31 +0000 (13:07 +0200)]
[9.18] fix: test: Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Backport of MR !11066
Merge branch 'backport-5554-disable-keyfromlabel-collision-avoidance-in-tests-9.18' into 'bind-9.18'
Nicki Křížek [Wed, 8 Oct 2025 09:35:24 +0000 (11:35 +0200)]
Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Backport of MR !11056
Merge branch 'backport-nicki/reuse-remove-m4-annotations-9.18' into 'bind-9.18'
Nicki Křížek [Mon, 6 Oct 2025 15:45:07 +0000 (17:45 +0200)]
Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Michał Kępień [Wed, 1 Oct 2025 18:55:37 +0000 (20:55 +0200)]
[9.18] new: ci: Prepare release announcement MR
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
Backport of MR !11039
Merge branch 'backport-andoni/release-announcement-preparation-9.18' into 'bind-9.18'
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
The nsX are utility fixtures which can be used instead of the servers
fixture, which requires longer syntax (i.e. servers["nsX"]).
---
This MR is basically backporting pytest utility fixtures which were introduced to newer branches in !10717. This is a minimal change which only aims to facilitate easier test backports to ~"v9.18" in the future, without changing any of the existing tests.
Merge branch 'nicki/pytest-nsX-fixtures-9.18' into 'bind-9.18'
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
Backport of MR !11005
Merge branch 'backport-nicki/ci-temporarily-disable-shotgun-jobs-9.18' into 'bind-9.18'
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
[9.18] chg: ci: Only run relevant CI jobs based on the changes
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
Backport of MR !10987
Merge branch 'backport-nicki/ci-restrict-rules-changes-9.18' into 'bind-9.18'
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
[9.18] fix: test: Increase wait_for_log timeout in kasp shell test
When running with TSAN in CI, the test occasionally fails on:
exceeded time limit waiting for literal 'keymgr: purgekeys.kasp done' in ns4/named.run
The line is actually present in the logs, but it takes slightly longer
than 3 seconds to appear. Increase the wait_for_log timeout of the kasp test to 10
seconds to avoid such issues.
---
Example of failure: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6176192
Merge branch 'nicki/kasp-shell-test-increase-log-timeout' into 'bind-9.18'
When running with TSAN in CI, the test occasionally fails on:
'exceeded time limit waiting for literal 'keymgr: purgekeys.kasp done'
in ns4/named.run'
The line is actually present in the logs, but it takes slightly longer
than 3 seconds to appear. Increase the wait_for_log timeout of the kasp
test to 10 seconds to avoid such issues.
Petr Špaček [Thu, 11 Sep 2025 09:06:21 +0000 (11:06 +0200)]
Prevent Sphinx from messing up syntax with "smartquotes" feature
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
Mark Andrews [Wed, 10 Sep 2025 06:18:41 +0000 (16:18 +1000)]
Fix missing RRSIGs for "glue" lookups with CD=1
The code to test whether to store the RRSIGs on DNS_R_UNCHANGED
with CD=1 was failing because the comparison methods of the two
rdataset instances were not compatible. Move the testing into
dns_db_addrdataset(), and request it by setting the DNS_ADD_EQUALOK
option. If the option is set and the old and new rrsets compare
as equal, dns_db_addrdataset() returns ISC_R_SUCCESS instead of
DNS_R_UNCHANGED.
Mark Andrews [Wed, 3 Sep 2025 00:21:09 +0000 (10:21 +1000)]
[9.18] fix: usr: RPZ canonical warning displays zone entry incorrectly
When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes #5491
Backport of MR !10890
Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.18' into 'bind-9.18'
Michał Kępień [Mon, 1 Sep 2025 20:29:29 +0000 (22:29 +0200)]
rem: usr: Deprecate the "tkey-domain" statement
Mark the :any:`tkey-domain` statement as deprecated since it is only
used by code implementing TKEY Mode 2 (Diffie-Hellman), which was
removed from newer BIND 9 branches.
See #4204
Merge branch '4204-deprecate-tkey-domain' into 'bind-9.18'
Michał Kępień [Mon, 1 Sep 2025 20:04:28 +0000 (22:04 +0200)]
Deprecate the "tkey-domain" statement
Mark the "tkey-domain" statement as deprecated since it is only used by
code implementing TKEY Mode 2 (Diffie-Hellman), which was removed from
newer BIND 9 branches.
Michał Kępień [Mon, 1 Sep 2025 20:01:07 +0000 (22:01 +0200)]
[9.18] rem: usr: Deprecate the "tkey-gssapi-credential" statement
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Backport of MR !10782
Merge branch 'backport-4204-deprecate-tkey-gssapi-credential-9.18' into 'bind-9.18'
Michał Kępień [Mon, 1 Sep 2025 19:23:30 +0000 (21:23 +0200)]
Deprecate the "tkey-gssapi-credential" statement
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
Ondřej Surý [Thu, 28 Aug 2025 15:02:56 +0000 (17:02 +0200)]
[9.18] fix: dev: Add and use __attribute__((nonnull)) in dnssec-signzone.c
Clang 20 was spuriously warning about the possibility of passing a NULL file pointer
to `fprintf()`, which uses the 'nonnull' attribute. To silence the warning, the functions
calling `fprintf()` have been marked with the same attribute to assure that NULL can't be
passed to them in the first place.
Close #5487
Backport of MR !10888
Merge branch 'backport-5487-mark-passed-file-pointer-as-nonnull-in-dnssec-signzone-9.18' into 'bind-9.18'
Ondřej Surý [Thu, 21 Aug 2025 21:51:38 +0000 (23:51 +0200)]
Add and use __attribute__((nonnull)) in dnssec-signzone.c
Clang 20 is complaining about passing NULL to an argument with 'nonnull'
attribute. Mark these two functions with the same attribute to assure
that these two functions also don't accept NULL as an argument.
Ondřej Surý [Tue, 26 Aug 2025 16:18:12 +0000 (18:18 +0200)]
Don't preserve cache entries if new TTL is smaller than existing
Under certain circumstances, cache entries with equivalent rdataset
might not get replaced. Previously such an entry would get preserved
regardless of the new TTL and expire time on the existing header would
get updated when the expire time was less than the expire time on the
existing header. Change the logic to preserve the existing header only
if the new expire time is larger than the existing one and replace the
existing cache entry when the new expire time is less than the existing
one.
Ondřej Surý [Tue, 19 Aug 2025 06:48:06 +0000 (08:48 +0200)]
[9.18] chg: dev: Update clang-format style with options added in newer versions
Add and apply InsertBraces statement to add missing curly braces around one-line statements and use ControlStatementsExceptControlMacros for SpaceBeforeParens to remove space between foreach macro and the brace, e.g. `FOREACH (x) {` becomes `FOREACH(x) {`.
Backport of MR !10863
Merge branch 'backport-ondrej/update-clang-format-9.18' into 'bind-9.18'
Ondřej Surý [Tue, 19 Aug 2025 05:14:45 +0000 (07:14 +0200)]
Use ControlStatementsExceptControlMacros for SpaceBeforeParens
> Put a space before opening parentheses only after control statement
> keywords (for/if/while...) except this option doesn’t apply to ForEach
> and If macros. This is useful in projects where ForEach/If macros are
> treated as function calls instead of control statements.
Ondřej Surý [Tue, 19 Aug 2025 05:11:16 +0000 (07:11 +0200)]
Add and apply InsertBraces statement
> Insert braces after control statements (if, else, for, do, and while)
> in C++ unless the control statements are inside macro definitions or
> the braces would enclose preprocessor directives.
Nicki Křížek [Thu, 14 Aug 2025 21:30:28 +0000 (23:30 +0200)]
[9.18] fix: ci: Update DNS Shotgun parameters for an updated dataset
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Backport of MR !10841
Merge branch 'backport-nicki/ci-shotgun-load-new-dataset-9.18' into 'bind-9.18'
Nicki Křížek [Mon, 11 Aug 2025 13:04:50 +0000 (15:04 +0200)]
Update DNS Shotgun parameters for an updated dataset
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Michal Nowak [Thu, 14 Aug 2025 14:14:33 +0000 (16:14 +0200)]
[9.18] fix: ci: Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Michal Nowak [Wed, 19 Mar 2025 13:02:32 +0000 (14:02 +0100)]
Set more lenient respdiff limits
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
Mark Andrews [Thu, 14 Aug 2025 13:19:09 +0000 (23:19 +1000)]
[9.18] fix: dev: Use DNS_RDATACOMMON_INIT to hide branch differences
Initialization of the common members of rdata type structures varies across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` macro for all types, so that new types are more likely to use it, and hence backport more cleanly.
Closes #5467
Merge branch '5467-use-dns_rdatacommon_init-to-hide-branch-differences-9.18' into 'bind-9.18'
Mark Andrews [Wed, 6 Aug 2025 07:57:13 +0000 (17:57 +1000)]
Use DNS_RDATACOMMON_INIT to hide branch differences
Initialization of the common members of rdata type structures varies
across branches. Standardize it by using the DNS_RDATACOMMON_INIT
macro for all types, so that new types are more likely to use it,
and hence backport more cleanly.
Petr Špaček [Tue, 5 Aug 2025 12:56:36 +0000 (12:56 +0000)]
[9.18] fix: test: Require explicit import of isctest.name in system tests
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
Merge branch 'nicki/fix-isctest-name-import-9.18' into 'bind-9.18'
Nicki Křížek [Tue, 5 Aug 2025 09:10:24 +0000 (11:10 +0200)]
Require explicit import of isctest.name in system tests
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
Ondřej Surý [Mon, 4 Aug 2025 09:24:44 +0000 (11:24 +0200)]
fix: usr: Rescan the interfaces again when reconfiguring the server
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Merge branch 'ondrej/rescan-the-interface-on-time-0' into 'bind-9.18'
Rescan the interfaces again when reconfiguring the server
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Mark Andrews [Wed, 17 Nov 2021 02:09:03 +0000 (13:09 +1100)]
validator.c:check_signer now clones val->event->sigrdataset
Spurious validation failures were traced back to check_signer looping
over val->event->sigrdataset directly. Cloning val->event->sigrdataset
prevents check_signer from interacting with callers that are also
looping over val->event->sigrdataset.
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsset in a section
- isctest.check.same_data() - checks that two messages have the
same rcode and data
- isctest.check.same_answer() - checks that two messages have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Backport of MR !10760
Merge branch 'backport-each-isctest-helpers-9.18' into 'bind-9.18'
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
Evan Hunt [Thu, 26 Jun 2025 22:19:45 +0000 (15:19 -0700)]
add helper functions to isctest
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two messages have the
same rcode and data
- isctest.check.same_answer() - check that two messages have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)