git.ipfire.org Git - thirdparty/bind9.git/log
7 years ago remove '..\\bin\\tests\\system\\dlz\\prereq.sh' from win32util/Configure
Mark Andrews [Tue, 5 Mar 2019 03:09:49 +0000 (14:09 +1100)] 
remove '..\\bin\\tests\\system\\dlz\\prereq.sh' from win32util/Configure

7 years ago add util/check-win32util-configure to precheck
Mark Andrews [Tue, 5 Mar 2019 02:46:29 +0000 (13:46 +1100)] 
add util/check-win32util-configure to precheck

7 years ago Merge branch 'matthijs/more-clean.sh-related-cleanups' into 'master'
Matthijs Mekking [Mon, 4 Mar 2019 15:54:16 +0000 (10:54 -0500)] 
Merge branch 'matthijs/more-clean.sh-related-cleanups' into 'master'

More clean.sh-related cleanups

See merge request isc-projects/bind9!1579

7 years ago Ensure all system tests run clean.sh from setup.sh
Matthijs Mekking [Wed, 27 Feb 2019 15:24:03 +0000 (16:24 +0100)] 
Ensure all system tests run clean.sh from setup.sh

For consistency between all system tests, add missing setup.sh scripts
for tests which do not have one yet and ensure every setup.sh script
calls its respective clean.sh script.

7 years ago Only perform test cleanups in clean.sh scripts
Matthijs Mekking [Wed, 27 Feb 2019 14:21:04 +0000 (15:21 +0100)] 
Only perform test cleanups in clean.sh scripts

Temporary files created by a given system test should be removed by its
clean.sh script, not its setup.sh script.  Remove redundant "rm"
invocations from setup.sh scripts.  Move required "rm" invocations from
setup.sh scripts to their corresponding clean.sh scripts.

7 years ago Merge branch 'feature/featuretest-dlz' into 'master'
Mark Andrews [Mon, 4 Mar 2019 03:04:37 +0000 (22:04 -0500)] 
Merge branch 'feature/featuretest-dlz' into 'master'

Test dlz support in feature-test

See merge request isc-projects/bind9!1587

7 years ago add CHANGES
Mark Andrews [Mon, 4 Mar 2019 03:03:23 +0000 (14:03 +1100)] 
add CHANGES

7 years ago run autoheader and autoconf
Mark Andrews [Sun, 3 Mar 2019 22:37:42 +0000 (09:37 +1100)] 
run autoheader and autoconf

7 years ago Support DLZ filesystem detection in feature-test
Petr Menšík [Wed, 30 Jan 2019 14:12:54 +0000 (15:12 +0100)] 
Support DLZ filesystem detection in feature-test

Do not use variable from configure to detect the feature.

7 years ago Merge branch 'michal/fix-ip-regex-used-in-the-resolver-system-test' into 'master'
Michał Kępień [Fri, 1 Mar 2019 06:55:42 +0000 (01:55 -0500)] 
Merge branch 'michal/fix-ip-regex-used-in-the-resolver-system-test' into 'master'

Fix IP regex used in the "resolver" system test

See merge request isc-projects/bind9!1568

7 years ago Fix IP regex used in the "resolver" system test
Michał Kępień [Tue, 26 Feb 2019 11:33:19 +0000 (12:33 +0100)] 
Fix IP regex used in the "resolver" system test

If dots are not escaped in the "1.2.3.4" regular expressions used for
checking whether IP address 1.2.3.4 is present in the tested resolver's
answers, a COOKIE that matches such a regular expression will trigger a
false positive for the "resolver" system test.  Properly escape dots in
the aforementioned regular expressions to prevent that from happening.

7 years ago Merge branch '901-empty-any' into 'master'
Evan Hunt [Fri, 1 Mar 2019 00:05:44 +0000 (19:05 -0500)] 
Merge branch '901-empty-any' into 'master'

handle empty ANY query responses

Closes #901

See merge request isc-projects/bind9!1580

7 years ago CHANGES, release notes
Evan Hunt [Thu, 28 Feb 2019 22:06:23 +0000 (14:06 -0800)] 
CHANGES, release notes

7 years ago test correct occlusion of DNSSEC records
Evan Hunt [Thu, 28 Feb 2019 22:28:26 +0000 (14:28 -0800)] 
test correct occlusion of DNSSEC records

7 years ago fix crash in query_respond_any() from all records being hidden
Evan Hunt [Mon, 25 Feb 2019 20:55:27 +0000 (12:55 -0800)] 
fix crash in query_respond_any() from all records being hidden

in query_respond_any(), the assumption had previously been made that it
was impossible to get past iterating the node with a return value of
ISC_R_NOMORE but not have found any records, unless we were searching
for RRSIG or SIG. however, it is possible for other types to exist but
be hidden, such as when the zone is transitioning from insecure to
secure and DNSSEC types are encountered, and this situation could
trigger an assertion.  removed the assertion and reorganized the code.

7 years ago Merge branch 'michal/do-not-include-conf.sh-from-ttl-clean.sh' into 'master'
Michał Kępień [Thu, 28 Feb 2019 12:42:42 +0000 (07:42 -0500)] 
Merge branch 'michal/do-not-include-conf.sh-from-ttl-clean.sh' into 'master'

Do not include conf.sh from ttl/clean.sh

See merge request isc-projects/bind9!1564

7 years ago Do not include conf.sh from ttl/clean.sh
Michał Kępień [Thu, 28 Feb 2019 12:15:13 +0000 (13:15 +0100)] 
Do not include conf.sh from ttl/clean.sh

Including $SYSTEMTESTTOP/conf.sh from a system test's clean.sh script is
not needed for anything while it causes an error message to be printed
out when "./configure" is run, as "make clean" is invoked at the end.
Remove the offending line to prevent the error from occurring.

7 years ago Merge branch 'michal/call-clean.sh-from-all-relevant-setup.sh-scripts' into 'master'
Michał Kępień [Thu, 28 Feb 2019 12:11:00 +0000 (07:11 -0500)] 
Merge branch 'michal/call-clean.sh-from-all-relevant-setup.sh-scripts' into 'master'

Call clean.sh from all relevant setup.sh scripts

See merge request isc-projects/bind9!1565

7 years ago Call clean.sh from all relevant setup.sh scripts
Michał Kępień [Thu, 28 Feb 2019 11:33:07 +0000 (12:33 +0100)] 
Call clean.sh from all relevant setup.sh scripts

For all system tests utilizing named instances, call clean.sh from each
test's setup.sh script in a consistent way to make sure running the same
system test multiple times using run.sh does not trigger false positives
caused by stale files created by previous runs.

Ideally we would just call clean.sh from run.sh, but that would break
some quirky system tests like "rpz" or "rpzrecurse" and being consistent
for the time being does not hurt.

7 years ago Merge branch '813-matthijs-failure-loading-rpz' into 'master' 1570/head
Matthijs Mekking [Fri, 22 Feb 2019 14:05:46 +0000 (09:05 -0500)] 
Merge branch '813-matthijs-failure-loading-rpz' into 'master'

Resolve "Problems after failure of loading rpz [ISC-support #14002]"

Closes #813

See merge request isc-projects/bind9!1507

7 years ago Update CHANGES
Matthijs Mekking [Mon, 11 Feb 2019 16:30:04 +0000 (17:30 +0100)] 
Update CHANGES

7 years ago Unregister RPZ CATZ db cbs when zone load fails
Matthijs Mekking [Mon, 11 Feb 2019 16:25:34 +0000 (17:25 +0100)] 
Unregister RPZ CATZ db cbs when zone load fails

In case when a zone fails to load because the file does not exist
or is malformed, we should not run the callback that updates the
zone database when the load is done.  This is achieved by
unregistering the callbacks at zone load end if the result
indicates something else than success.

7 years ago Update copyrights
Matthijs Mekking [Mon, 11 Feb 2019 09:55:50 +0000 (10:55 +0100)] 
Update copyrights

7 years ago Add test for rpz zone load fail
Matthijs Mekking [Fri, 8 Feb 2019 16:13:52 +0000 (17:13 +0100)] 
Add test for rpz zone load fail

7 years ago Remove rpz->db_registered
Matthijs Mekking [Fri, 8 Feb 2019 15:20:47 +0000 (16:20 +0100)] 
Remove rpz->db_registered

As pointed out in !813 db_registered is sort of redundant.  It is
set to `true` only in `dns_zone_rpz_enable_db()` right before the
`dns_rpz_dbupdate_callback()` callback is registered.  It is only
required in that callback and it is the only place that the callback
is registered.  Therefore there is no path that that `REQUIRE` can
fail.

The `db_registered` variable is only set to `false` in
`dns_rpz_new_zone`, so it is not like the variable is unset again
later.

The only other place where `db_registered` is checked is in
`rpz_detach()`.  If `true`, it will call
`dns_db_updatenotify_unregister()`.  However if that happens, the
`db_registered` is not set back to `false` thus this implies that
this may happen multiple times.  If called a second time, most
likely the unregister function will return `ISC_R_NOTFOUND`, but
the return value is not checked anyway.  So it can do without the
`db_registered` check.

7 years ago Add curly brackets on if statements
Matthijs Mekking [Fri, 8 Feb 2019 14:28:49 +0000 (15:28 +0100)] 
Add curly brackets on if statements

7 years ago named crashes on shutdown after load rpz failed
Matthijs Mekking [Thu, 7 Feb 2019 14:25:28 +0000 (15:25 +0100)] 
named crashes on shutdown after load rpz failed

This may happen when loading an RPZ failed and the code path skips
calling dns_db_endload().  The dns_rpz_zone_t object is still kept
marked as having registered db.  So when this object is finally
destroyed in rpz_detach(), this code will incorrectly call
`dns_db_updatenotify_unregister()`:

   if (rpz->db_registered)
     dns_db_updatenotify_unregister(rpz->db,
                                    dns_rpz_dbupdate_callback, rpz);

and trigger this assertion failure:

   REQUIRE(db != NULL);

To fix this, only call `dns_db_updatenotify_unregister()` when
`rpz->db` is not NULL.

7 years ago Make RPZ tests more readable
Matthijs Mekking [Wed, 6 Feb 2019 14:40:06 +0000 (15:40 +0100)] 
Make RPZ tests more readable

7 years ago Add README to RPZ tests
Matthijs Mekking [Wed, 6 Feb 2019 14:36:21 +0000 (15:36 +0100)] 
Add README to RPZ tests

7 years ago Merge branch '892-fix-redirect-name' into 'master'
Mark Andrews [Fri, 22 Feb 2019 05:42:34 +0000 (00:42 -0500)] 
Merge branch '892-fix-redirect-name' into 'master'

use qname in redirect2

Closes #892

See merge request isc-projects/bind9!1561

7 years ago add CHANGES
Mark Andrews [Fri, 22 Feb 2019 05:25:34 +0000 (16:25 +1100)] 
add CHANGES

7 years ago use client->query.qname
Mark Andrews [Thu, 21 Feb 2019 07:24:30 +0000 (18:24 +1100)] 
use client->query.qname

7 years ago Merge branch 'prep-915' into 'master'
Evan Hunt [Fri, 22 Feb 2019 02:03:19 +0000 (21:03 -0500)] 
Merge branch 'prep-915' into 'master'

documentation changes setting up 9.15 development branch

See merge request isc-projects/bind9!1560

7 years ago documentation changes setting up 9.15 development branch
Evan Hunt [Fri, 22 Feb 2019 00:04:33 +0000 (16:04 -0800)] 
documentation changes setting up 9.15 development branch

7 years ago Merge branch 'fix-changes' into security-master
Evan Hunt [Thu, 21 Feb 2019 02:04:53 +0000 (18:04 -0800)] 
Merge branch 'fix-changes' into security-master

7 years ago remove "released" line (retained in v9_14) so check-changes won't complain
Evan Hunt [Thu, 21 Feb 2019 02:03:53 +0000 (18:03 -0800)] 
remove "released" line (retained in v9_14) so check-changes won't complain

7 years ago Merge branch 'security-dlz-axfr-deny-broken' into security-master
Evan Hunt [Wed, 6 Feb 2019 19:36:54 +0000 (11:36 -0800)] 
Merge branch 'security-dlz-axfr-deny-broken' into security-master

denied axfr requests were not effective for writable DLZ zones

See merge request isc-private/bind9!57

7 years ago add CHANGES and release notes entries
Mark Andrews [Wed, 6 Feb 2019 19:36:20 +0000 (11:36 -0800)] 
add CHANGES and release notes entries

7 years ago denied axfr requests were not effective for writable DLZ zones
Mark Andrews [Wed, 6 Feb 2019 19:35:21 +0000 (11:35 -0800)] 
denied axfr requests were not effective for writable DLZ zones

7 years ago Merge 'keytag-memleak' into security-master
Evan Hunt [Wed, 6 Feb 2019 19:32:47 +0000 (11:32 -0800)] 
Merge 'keytag-memleak' into security-master

7 years ago fix test error
Evan Hunt [Thu, 3 Jan 2019 00:47:06 +0000 (16:47 -0800)] 
fix test error

7 years ago add CHANGES and release note entries
Mark Andrews [Sun, 9 Dec 2018 22:13:05 +0000 (09:13 +1100)] 
add CHANGES and release note entries

7 years ago check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory
Mark Andrews [Mon, 10 Dec 2018 02:33:54 +0000 (13:33 +1100)] 
check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory

7 years ago silently ignore additional keytag options
Mark Andrews [Sun, 9 Dec 2018 21:41:26 +0000 (08:41 +1100)] 
silently ignore additional keytag options

7 years ago Merge 'managed-key-assert' into security-master
Evan Hunt [Tue, 15 Jan 2019 20:11:26 +0000 (12:11 -0800)] 
Merge 'managed-key-assert' into security-master

7 years ago Merge 'managed-key-assert' into security-master
Evan Hunt [Wed, 6 Feb 2019 19:32:17 +0000 (11:32 -0800)] 
Merge 'managed-key-assert' into security-master

7 years ago use algorithm 255 for both unsupported keys
Evan Hunt [Fri, 21 Dec 2018 23:55:44 +0000 (15:55 -0800)] 
use algorithm 255 for both unsupported keys

7 years ago CHANGES, notes
Matthijs Mekking [Thu, 20 Dec 2018 09:22:02 +0000 (10:22 +0100)] 
CHANGES, notes

7 years ago Update keyfetch_done compute_tag check
Matthijs Mekking [Wed, 19 Dec 2018 17:47:43 +0000 (18:47 +0100)] 
Update keyfetch_done compute_tag check

If in keyfetch_done the compute_tag fails (because for example the
algorithm is not supported), don't crash, but instead ignore the
key.

7 years ago Add tests for mkeys with unsupported algorithm
Matthijs Mekking [Wed, 19 Dec 2018 17:45:43 +0000 (18:45 +0100)] 
Add tests for mkeys with unsupported algorithm

These tests check if a key with an unsupported algorithm in
managed-keys is ignored and when seeing an algorithm rollover to
an unsupported algorithm, the new key will be ignored too.

7 years ago Don't free key in compute_tag in case of failure
Matthijs Mekking [Wed, 12 Dec 2018 13:06:10 +0000 (14:06 +0100)] 
Don't free key in compute_tag in case of failure

If `dns_dnssec_keyfromrdata` failed we don't need to call
`dst_key_free` because no `dstkey` was created.  Doing so
nevertheless will result in an assertion failure.

This can happen if the key uses an unsupported algorithm.

7 years ago Merge branch 'placeholder' into 'master'
Evan Hunt [Thu, 21 Feb 2019 02:41:58 +0000 (21:41 -0500)] 
Merge branch 'placeholder' into 'master'

placeholder

See merge request isc-projects/bind9!1551

7 years ago placeholder
Evan Hunt [Thu, 21 Feb 2019 02:41:26 +0000 (18:41 -0800)] 
placeholder

7 years ago Merge branch 'start-915' into 'master'
Evan Hunt [Thu, 21 Feb 2019 02:23:51 +0000 (21:23 -0500)] 
Merge branch 'start-915' into 'master'

9.15.0-dev

See merge request isc-projects/bind9!1550

7 years ago 9.15.0-dev
Evan Hunt [Thu, 21 Feb 2019 02:22:54 +0000 (18:22 -0800)] 
9.15.0-dev

7 years ago Merge branch '428-remove-contrib-sdb' into 'master'
Evan Hunt [Wed, 20 Feb 2019 01:47:55 +0000 (20:47 -0500)] 
Merge branch '428-remove-contrib-sdb' into 'master'

remove contrib/sdb

Closes #428

See merge request isc-projects/bind9!1501

7 years ago CHANGES
Evan Hunt [Thu, 14 Feb 2019 21:19:51 +0000 (13:19 -0800)] 
CHANGES

7 years ago remove contrib/sdb
Evan Hunt [Sat, 9 Feb 2019 00:47:46 +0000 (16:47 -0800)] 
remove contrib/sdb

removed the SDB databases in contrib/sdb as they hadn't been
maintained in some time, and were no longer able to link to named
without modification.  also:

- cleaned up contrib/README, which still referred to contrib
  subdirectories that were removed already, and linked to an obsolete URL.
- removed references to sdb in doc/misc/roadmap and doc/misc/sdb.

7 years ago Merge branch '884-patches-to-review' into 'master'
Mark Andrews [Tue, 19 Feb 2019 23:11:42 +0000 (18:11 -0500)] 
Merge branch '884-patches-to-review' into 'master'

Correct errno to result translation

Closes #884

See merge request isc-projects/bind9!1519

7 years ago add CHANGES
Mark Andrews [Tue, 19 Feb 2019 22:44:56 +0000 (09:44 +1100)] 
add CHANGES

7 years ago correct errno to result translation
Mark Andrews [Mon, 18 Feb 2019 01:26:38 +0000 (12:26 +1100)] 
correct errno to result translation

7 years ago Merge branch '836-building-fails-in-build-subdirectory-when-dnstap-is-enabled' into...
Mark Andrews [Tue, 19 Feb 2019 22:40:59 +0000 (17:40 -0500)] 
Merge branch '836-building-fails-in-build-subdirectory-when-dnstap-is-enabled' into 'master'

Resolve "Building fails in build subdirectory when dnstap is enabled"

Closes #836

See merge request isc-projects/bind9!1510

7 years ago add CHANGES
Mark Andrews [Tue, 19 Feb 2019 22:29:07 +0000 (09:29 +1100)] 
add CHANGES

7 years ago teach proto_c to look in the source directory for out of tree builds
Mark Andrews [Tue, 12 Feb 2019 04:27:57 +0000 (15:27 +1100)] 
teach proto_c to look in the source directory for out of tree builds

7 years ago Merge branch '877-clang-scan-build-redundant-assignments-detected' into 'master'
Mark Andrews [Mon, 18 Feb 2019 23:01:56 +0000 (18:01 -0500)] 
Merge branch '877-clang-scan-build-redundant-assignments-detected' into 'master'

Remove redundant assignments

Closes #877

See merge request isc-projects/bind9!1513

7 years ago remove redundant assignment
Mark Andrews [Wed, 13 Feb 2019 05:22:01 +0000 (16:22 +1100)] 
remove redundant assignment

7 years ago silence clang
Mark Andrews [Wed, 13 Feb 2019 05:19:07 +0000 (16:19 +1100)] 
silence clang

7 years ago declarations before assertions
Mark Andrews [Wed, 13 Feb 2019 05:13:16 +0000 (16:13 +1100)] 
declarations before assertions

7 years ago don't overwrite result
Mark Andrews [Wed, 13 Feb 2019 05:11:08 +0000 (16:11 +1100)] 
don't overwrite result

7 years ago remove seen_dname
Mark Andrews [Wed, 13 Feb 2019 04:57:03 +0000 (15:57 +1100)] 
remove seen_dname

7 years ago Merge branch '877-clang-scan-build-redundant-assignments-detected-3' into 'master'
Mark Andrews [Mon, 18 Feb 2019 22:39:38 +0000 (17:39 -0500)] 
Merge branch '877-clang-scan-build-redundant-assignments-detected-3' into 'master'

Uninitialised reads in dns_tsig_sign after change 5148.

See merge request isc-projects/bind9!1528

7 years ago record when querytsig is valid
Mark Andrews [Wed, 13 Feb 2019 06:21:16 +0000 (17:21 +1100)] 
record when querytsig is valid

7 years ago Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'
Mark Andrews [Mon, 18 Feb 2019 22:34:50 +0000 (17:34 -0500)] 
Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'

decode_NegTokenInit failed to cleanup allocated memory on error.

See merge request isc-projects/bind9!1527

7 years ago fix memory leak
Mark Andrews [Thu, 14 Feb 2019 21:52:16 +0000 (08:52 +1100)] 
fix memory leak

7 years ago Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'
Mark Andrews [Mon, 18 Feb 2019 21:14:56 +0000 (16:14 -0500)] 
Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'

Cleanup no longer necessary assignments post refactoring in socket.c

See merge request isc-projects/bind9!1526

7 years ago remove dead assignments
Mark Andrews [Wed, 13 Feb 2019 05:02:30 +0000 (16:02 +1100)] 
remove dead assignments

7 years ago Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'
Mark Andrews [Mon, 18 Feb 2019 20:57:46 +0000 (15:57 -0500)] 
Merge branch '877-clang-scan-build-redundant-assignments-detected-2' into 'master'

Add missing asserts to socket_test.c and dnstest.c

See merge request isc-projects/bind9!1523

7 years ago assert result is ISC_R_SUCCESS
Mark Andrews [Wed, 13 Feb 2019 04:53:41 +0000 (15:53 +1100)] 
assert result is ISC_R_SUCCESS

7 years ago Merge branch '513-matthijs-update-xfr-logs' into 'master'
Matthijs Mekking [Mon, 18 Feb 2019 11:33:15 +0000 (06:33 -0500)] 
Merge branch '513-matthijs-update-xfr-logs' into 'master'

Update to !1427:  Make primary's transfer log more detailed

See merge request isc-projects/bind9!1511

7 years ago Update to !1427: Make primary's transfer log more detailed
Matthijs Mekking [Mon, 18 Feb 2019 11:33:15 +0000 (06:33 -0500)] 
Update to !1427:  Make primary's transfer log more detailed

7 years ago Merge branch 'u/fanf2/dnssec-keymgr-man' into 'master'
Mark Andrews [Mon, 18 Feb 2019 04:43:26 +0000 (23:43 -0500)] 
Merge branch 'u/fanf2/dnssec-keymgr-man' into 'master'

Improve dnssec-keymgr manual

See merge request isc-projects/bind9!1518

7 years ago Improve dnssec-keymgr manual
Tony Finch [Fri, 15 Feb 2019 19:12:10 +0000 (19:12 +0000)] 
Improve dnssec-keymgr manual

Illustrate the syntax for the policy options, with semicolons.

Explicitly mention the "default" policy.

Fix a few typos and remove some redundant wording.

7 years ago Merge branch '879-dnssec-checkds-help' into 'master'
Evan Hunt [Thu, 14 Feb 2019 20:51:39 +0000 (15:51 -0500)] 
Merge branch '879-dnssec-checkds-help' into 'master'

Correct path in dnssec-checkds help

Closes #879

See merge request isc-projects/bind9!1515

7 years ago Correct path in dnssec-checkds help
Petr Menšík [Thu, 14 Feb 2019 14:23:26 +0000 (15:23 +0100)] 
Correct path in dnssec-checkds help

7 years ago Merge branch '873-do-not-check-sep-bit-for-mirror-zone-trust-anchors' into 'master'
Michał Kępień [Thu, 14 Feb 2019 10:21:46 +0000 (05:21 -0500)] 
Merge branch '873-do-not-check-sep-bit-for-mirror-zone-trust-anchors' into 'master'

Do not check SEP bit for mirror zone trust anchors

Closes #873

See merge request isc-projects/bind9!1506

7 years ago Add CHANGES entry
Michał Kępień [Thu, 14 Feb 2019 10:03:35 +0000 (11:03 +0100)] 
Add CHANGES entry

5161. [bug] Do not require the SEP bit to be set for mirror zone
trust anchors. [GL #873]

7 years ago Do not check SEP bit for mirror zone trust anchors
Michał Kępień [Thu, 14 Feb 2019 10:03:35 +0000 (11:03 +0100)] 
Do not check SEP bit for mirror zone trust anchors

When a mirror zone is verified, the 'ignore_kskflag' argument passed to
dns_zoneverify_dnssec() is set to false.  This means that in order for
its verification to succeed, a mirror zone needs to have at least one
key with the SEP bit set configured as a trust anchor.  This brings no
security benefit and prevents zones signed only using keys without the
SEP bit set from being mirrored, so change the value of the
'ignore_kskflag' argument passed to dns_zoneverify_dnssec() to true.

7 years ago Merge branch 'michal/improve-stability-of-mirror-zone-tests' into 'master'
Michał Kępień [Thu, 14 Feb 2019 09:59:14 +0000 (04:59 -0500)] 
Merge branch 'michal/improve-stability-of-mirror-zone-tests' into 'master'

Improve stability of mirror zone system tests

See merge request isc-projects/bind9!1505

7 years ago Prevent races when waiting for log messages
Michał Kępień [Thu, 14 Feb 2019 09:41:56 +0000 (10:41 +0100)] 
Prevent races when waiting for log messages

The "mirror" system test checks whether log messages announcing a mirror
zone coming into effect are emitted properly.  However, the helper
functions responsible for waiting for zone transfers and zone loading to
complete do not wait for these exact log messages, but rather for other
ones preceding them, which introduces a possibility of false positives.

This problem cannot be addressed by just changing the log message to
look for because the test still needs to discern between transferring a
zone and loading a zone.

Add two new log messages at debug level 99 (which is what named
instances used in system tests are configured with) that are to be
emitted after the log messages announcing a mirror zone coming into
effect.  Tweak the aforementioned helper functions to only return once
the log messages they originally looked for are followed by the newly
added log messages.  This reliably prevents races when looking for
"mirror zone is now in use" log messages and also enables a workaround
previously put into place in the "mirror" system test to be reverted.

7 years ago Improve reliability of zone verification checks
Michał Kępień [Thu, 14 Feb 2019 09:41:56 +0000 (10:41 +0100)] 
Improve reliability of zone verification checks

In the "mirror" system test, ns3 periodically sends trust anchor
telemetry queries to ns1 and ns2.  It may thus happen that for some
non-recursive queries for names inside mirror zones which are not yet
loaded, ns3 will be able to synthesize a negative answer from the cached
records it obtained from trust anchor telemetry responses.  In such
cases, NXDOMAIN responses will be sent with the root zone SOA in the
AUTHORITY section.  Since the root zone used in the "mirror" system test
has the same serial number as ns2/verify.db.in and zone verification
checks look for the specified serial numbers anywhere in the answer, the
test could be broken if different zone names were used.

The +noauth dig option could be used to address this weakness, but that
would prevent entire responses from being stored for later inspection,
which in turn would hamper troubleshooting test failures.  Instead, use
a different serial number for ns2/verify.db.in than for any other zone
used in the "mirror" system test and check the number of records in the
ANSWER section of each response.

7 years ago Fix serial number used in zone verification checks
Michał Kępień [Thu, 14 Feb 2019 09:41:56 +0000 (10:41 +0100)] 
Fix serial number used in zone verification checks

Due to the way the "mirror" system test is set up, it is impossible for
the "verify-unsigned" and "verify-untrusted" zones to contain any serial
number other than the original one present in ns2/verify.db.in.  Thus,
using presence of a different serial number in the SOA records of these
zones as an indicator of problems with mirror zone verification is
wrong.  Look for the original zone serial number instead as that is the
one that will be returned by ns3 if one of the aforementioned zones is
successfully verified.

7 years ago Merge branch '871-add-a-ci-check-for-missing-prereq.sh-scripts' into 'master'
Mark Andrews [Mon, 11 Feb 2019 21:48:12 +0000 (16:48 -0500)] 
Merge branch '871-add-a-ci-check-for-missing-prereq.sh-scripts' into 'master'

Add a CI check for missing prereq.sh scripts

Closes #871

See merge request isc-projects/bind9!1494

7 years ago add util/check-ans-prereq to precheck
Mark Andrews [Fri, 8 Feb 2019 01:21:59 +0000 (12:21 +1100)] 
add util/check-ans-prereq to precheck

7 years ago add check-ans-prereq
Mark Andrews [Fri, 8 Feb 2019 01:19:39 +0000 (12:19 +1100)] 
add check-ans-prereq

7 years ago Merge branch '872-dlz-ldap-dname' into 'master'
Evan Hunt [Sun, 10 Feb 2019 20:07:38 +0000 (15:07 -0500)] 
Merge branch '872-dlz-ldap-dname' into 'master'

added DNAME support to DLZ LDAP schema, and fixed a DLZ compile error

Closes #872

See merge request isc-projects/bind9!1502

7 years ago added DNAME support to DLZ LDAP schema, and fixed a DLZ compile error
Evan Hunt [Sun, 10 Feb 2019 19:49:01 +0000 (11:49 -0800)] 
added DNAME support to DLZ LDAP schema, and fixed a DLZ compile error

Thanks to Roland Gruber for the schema contribution.

7 years ago Merge branch 'u/fanf2/zonemd' into 'master'
Evan Hunt [Fri, 8 Feb 2019 21:16:29 +0000 (16:16 -0500)] 
Merge branch 'u/fanf2/zonemd' into 'master'

Correct ZONEMD expansion in ARM

See merge request isc-projects/bind9!1497

7 years ago Correct ZONEMD expansion in ARM
Tony Finch [Fri, 8 Feb 2019 17:11:30 +0000 (17:11 +0000)] 
Correct ZONEMD expansion in ARM

7 years ago Merge branch '869-prereq-sh-needed-in-forward-test' into 'master'
Michał Kępień [Fri, 8 Feb 2019 14:05:02 +0000 (09:05 -0500)] 
Merge branch '869-prereq-sh-needed-in-forward-test' into 'master'

Resolve "prereq.sh needed in forward test"

Closes #869

See merge request isc-projects/bind9!1479

7 years ago added prereq.sh to forward test to detect perl Net::DNS
Curtis Blackburn [Thu, 7 Feb 2019 19:46:58 +0000 (11:46 -0800)] 
added prereq.sh to forward test to detect perl Net::DNS