git.ipfire.org Git - thirdparty/bind9.git/log
7 years ago Merge branch '399-do-not-use-net-dns-nameserver-in-the-serve-stale-system-test' into...
Michał Kępień [Tue, 10 Jul 2018 13:14:26 +0000 (09:14 -0400)] 
Merge branch '399-do-not-use-net-dns-nameserver-in-the-serve-stale-system-test' into 'master'

Do not use Net::DNS::Nameserver in the "serve-stale" system test

Closes #399

See merge request isc-projects/bind9!486

7 years ago Do not use Net::DNS::Nameserver in the "serve-stale" system test
Michał Kępień [Mon, 9 Jul 2018 12:35:12 +0000 (14:35 +0200)] 
Do not use Net::DNS::Nameserver in the "serve-stale" system test

Net::DNS versions older than 0.67 respond to queries sent to a
Net::DNS::Nameserver even if its ReplyHandler returns undef.  This makes
the "serve-stale" system test fail as it takes advantage of the newer
behavior.  Since the latest Net::DNS version available with stock
RHEL/CentOS 6 packages is 0.65 and we officially support that operating
system, bin/tests/system/serve-stale/ans2/ans.pl should behave
consistently for various Net::DNS versions.  Ensure that by reworking it
so that it does not use Net::DNS::Nameserver.

7 years ago Merge branch '393-fix-a-net-dns-version-quirk-in-the-resolver-system-test' into ...
Michał Kępień [Tue, 10 Jul 2018 13:01:53 +0000 (09:01 -0400)] 
Merge branch '393-fix-a-net-dns-version-quirk-in-the-resolver-system-test' into 'master'

Fix a Net::DNS version quirk in the "resolver" system test

Closes #393

See merge request isc-projects/bind9!485

7 years ago Fix a Net::DNS version quirk in the "resolver" system test
Michał Kępień [Mon, 9 Jul 2018 10:57:23 +0000 (12:57 +0200)] 
Fix a Net::DNS version quirk in the "resolver" system test

Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty.  Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions.  Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.

7 years ago Merge branch '384-rework-idn-support-in-dig' into 'master'
Michał Kępień [Tue, 10 Jul 2018 12:49:22 +0000 (08:49 -0400)] 
Merge branch '384-rework-idn-support-in-dig' into 'master'

Rework IDN support in dig

Closes #384

See merge request isc-projects/bind9!478

7 years ago Add CHANGES entry
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Add CHANGES entry

4989. [cleanup] IDN support in dig has been reworked.  IDNA2003
fallbacks were removed in the process. [GL #384]

7 years ago Do not set IDN2_NFC_INPUT explicitly
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Do not set IDN2_NFC_INPUT explicitly

IDN2_NFC_INPUT is always set implicitly by idn2_to_ascii_lz(), so there
is no need to set it explicitly.

7 years ago Improve error handling in idn_ace_to_locale()
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Improve error handling in idn_ace_to_locale()

While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.

The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed.  The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding.  In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.

Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.

Update the "idna" system test accordingly.  Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name.  Fix invalid subtest description.

7 years ago Remove redundant dns_name_totextfilter_t argument
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Remove redundant dns_name_totextfilter_t argument

Since idn_output_filter() no longer uses its 'absolute' argument and no
other callback is used with dns_name_settotextfilter(), remove the
'absolute' argument from the dns_name_totextfilter_t prototype.

7 years ago Simplify and rename output_filter()
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Simplify and rename output_filter()

output_filter() does not need to dot-terminate its input name because
libidn2 properly handles both dot-terminated and non-dot-terminated
names.  libidn2 also does not implicitly dot-terminate names passed to
it, so parts of output_filter() handling dot termination can simply be
removed.

Fix a logical condition to make sure 'src' can fit the terminating NULL
byte.  Replace the MAXDLEN macro with the MXNAME macro used in the rest
of dig source code.  Tweak comments and variable names.

Rename output_filter() to idn_output_filter() so that it can be easily
associated with IDN and other idn_*() functions.

7 years ago Simplify idn_ace_to_locale()
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Simplify idn_ace_to_locale()

idn_ace_to_locale() may return a string longer than MAXDLEN because it
is using the current locale's character encoding.  Rather than imposing
an arbitrary limit on the length of the string that function can return,
make it pass the string prepared by libidn2 back to the caller verbatim,
making the latter responsible for freeing that string.  In conjunction
with the fact that libidn2 errors are considered fatal, this makes
returning an isc_result_t from idn_ace_to_locale() unnecessary.

Do not process success cases in conditional branches for improved
consistency with the rest of BIND source code.  Add a comment explaining
the purpose of idn_ace_to_locale().  Rename that function's parameters
to match common BIND naming pattern.

7 years ago Simplify idn_locale_to_ace()
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Simplify idn_locale_to_ace()

idn_locale_to_ace() is a static function which is always used with a
buffer of size MXNAME, i.e. one that can fit any valid domain name.
Since libidn2 detects invalid domain names and libidn2 errors are
considered fatal, remove size checks from idn_locale_to_ace().  This
makes returning an isc_result_t from it unnecessary.

Do not process success cases in conditional branches for improved
consistency with the rest of BIND source code.  Add a comment explaining
the purpose of idn_locale_to_ace().  Rename that function's parameters
to match common BIND naming pattern.

7 years ago Remove IDNA2003 fallback from dig
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Remove IDNA2003 fallback from dig

Certain characters, like symbols, are allowed by IDNA2003, but not by
IDNA2008.  Make dig reject such symbols when IDN input processing is
enabled to ensure BIND only supports IDNA2008.  Update the "idna" system
test so that it uses one of such symbols rather than one which is
disallowed by both IDNA2003 and IDNA2008.

7 years ago Remove redundant dns_name_settotextfilter() call
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Remove redundant dns_name_settotextfilter() call

There is no need to call dns_name_settotextfilter() in setup_system()
because setup_lookup() determines whether IDN output processing should
be enabled for a specific lookup (taking the global setting into
consideration) and calls dns_name_settotextfilter() anyway if it is.
Remove the dns_name_settotextfilter() call from setup_system().

7 years ago Remove empty idn_initialize() function
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Remove empty idn_initialize() function

7 years ago Rework libidn2 detection
Michał Kępień [Tue, 10 Jul 2018 12:34:35 +0000 (14:34 +0200)] 
Rework libidn2 detection

Clean up the parts of configure.in responsible for handling libidn2
detection and adjust other pieces of the build system to match these
cleanups:

  - use pkg-config when --with-libidn2 is used without an explicit path,

  - look for idn2_to_ascii_lz() rather than idn2_to_ascii_8z() as the
    former is used in BIND while the latter is not,

  - do not look for idn2_to_unicode_8zlz() as it is present in all
    libidn2 versions which have idn2_to_ascii_lz(),

  - check whether the <idn2.h> header is usable,

  - set LDFLAGS in the Makefile for dig so that, if specified, the
    requested libidn2 path is used when linking with libidn2,

  - override CPPFLAGS when looking for libidn2 components so that the
    configure script does not produce warnings when libidn2 is not
    installed system-wide,

  - merge the AS_CASE() call into the AS_IF() call below it to simplify
    code,

  - indicate the default value of --with-libidn2 in "./configure --help"
    output,

  - use $with_libidn2 rather than $use_libidn2 to better match the name
    of the configure script argument,

  - stop differentiating between IDN "in" and "out" support, i.e. make
    dig either support libidn2 or not; remove WITH_* Autoconf macros and
    use a new one, HAVE_LIBIDN2, to determine whether libidn2 support
    should be enabled.

7 years ago Merge branch 'fix-synth-from-dnssec-dname-handling' into 'master'
Witold Krecicki [Tue, 10 Jul 2018 07:28:26 +0000 (03:28 -0400)] 
Merge branch 'fix-synth-from-dnssec-dname-handling' into 'master'

Don't synthesize NXDOMAIN from NSEC for records under a DNAME.

Closes #386

See merge request isc-projects/bind9!481

7 years ago the presence of a DNAME record proves that the name does not exist in the zone but...
Mark Andrews [Fri, 6 Jul 2018 05:07:59 +0000 (15:07 +1000)] 
the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata

7 years ago Don't synthesize NXDOMAIN from NSEC for records under a DNAME
Witold Kręcicki [Thu, 5 Jul 2018 10:58:49 +0000 (12:58 +0200)] 
Don't synthesize NXDOMAIN from NSEC for records under a DNAME

7 years ago Merge branch '402-memory-leak-found-in-file-fuzz-c-in-bind-9-12-1-p2' into 'master'
Mark Andrews [Tue, 10 Jul 2018 04:32:32 +0000 (00:32 -0400)] 
Merge branch '402-memory-leak-found-in-file-fuzz-c-in-bind-9-12-1-p2' into 'master'

Resolve "Memory Leak found in file 'fuzz.c' in BIND-9.12.1-P2"

Closes #402

See merge request isc-projects/bind9!488

7 years ago free rbuf
Mark Andrews [Tue, 10 Jul 2018 04:24:06 +0000 (14:24 +1000)] 
free rbuf

8 years ago Merge branch 'prep-release-v9_13_2' into 'master' v9.13.2
Evan Hunt [Tue, 3 Jul 2018 07:51:40 +0000 (03:51 -0400)] 
Merge branch 'prep-release-v9_13_2' into 'master'

prep 9.13.2

See merge request isc-projects/bind9!473

8 years ago prep 9.13.2
Tinderbox User [Tue, 3 Jul 2018 07:31:31 +0000 (07:31 +0000)] 
prep 9.13.2

8 years ago Merge branch 'clarify-mirror' into 'master'
Michał Kępień [Tue, 3 Jul 2018 07:23:50 +0000 (03:23 -0400)] 
Merge branch 'clarify-mirror' into 'master'

clarify documentation of the 'mirror' option

See merge request isc-projects/bind9!469

8 years ago clarify documentation of the 'mirror' option
Evan Hunt [Tue, 3 Jul 2018 06:07:38 +0000 (23:07 -0700)] 
clarify documentation of the 'mirror' option

8 years ago Merge branch '371-remove-dns_rdataslab_tordataset' into 'master'
Michał Kępień [Tue, 3 Jul 2018 06:53:53 +0000 (02:53 -0400)] 
Merge branch '371-remove-dns_rdataslab_tordataset' into 'master'

Remove dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks

Closes #371

See merge request isc-projects/bind9!456

8 years ago Add CHANGES entry
Michał Kępień [Tue, 3 Jul 2018 06:44:05 +0000 (08:44 +0200)] 
Add CHANGES entry

4987. [cleanup] dns_rdataslab_tordataset() and its related
dns_rdatasetmethods_t callbacks were removed as they
were not being used by anything in BIND. [GL #371]

8 years ago Remove dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks
Michał Kępień [Tue, 3 Jul 2018 06:44:05 +0000 (08:44 +0200)] 
Remove dns_rdataslab_tordataset() and its related dns_rdatasetmethods_t callbacks

Since BIND libraries are no longer considered public and
dns_rdataslab_tordataset() is not used anywhere in the tree, remove the
latter and its associated dns_rdatasetmethods_t callbacks from
lib/dns/rdataslab.c.

8 years ago Merge branch 'fix-doc' into 'master'
Evan Hunt [Tue, 3 Jul 2018 02:11:33 +0000 (22:11 -0400)] 
Merge branch 'fix-doc' into 'master'

fix doc issues

See merge request isc-projects/bind9!466

8 years ago update new features list; also fix the "mirror" release note
Evan Hunt [Tue, 3 Jul 2018 02:09:32 +0000 (19:09 -0700)] 
update new features list; also fix the "mirror" release note

8 years ago Merge branch '321-improve-documentation-on-libcap-change' into 'master'
Evan Hunt [Mon, 2 Jul 2018 16:35:05 +0000 (12:35 -0400)] 
Merge branch '321-improve-documentation-on-libcap-change' into 'master'

Improve documentation on libcap change in 9.13+

See merge request isc-projects/bind9!461

8 years ago Use m4_normalize to reformat the long lines in the configure output
Ondřej Surý [Mon, 2 Jul 2018 06:53:13 +0000 (08:53 +0200)] 
Use m4_normalize to reformat the long lines in the configure output

8 years ago Improve documentation and error messages when libcap is not available
Ondřej Surý [Mon, 2 Jul 2018 06:47:32 +0000 (08:47 +0200)] 
Improve documentation and error messages when libcap is not available

8 years ago Merge branch '321-remove-linux-capability-support-without-libcap' into 'master'
Ondřej Surý [Sat, 30 Jun 2018 14:59:49 +0000 (10:59 -0400)] 
Merge branch '321-remove-linux-capability-support-without-libcap' into 'master'

Remove ability to build without libcap when Linux capabilities are enabled

Closes #321

See merge request isc-projects/bind9!421

8 years ago Add CHANGES entry for GL #321.
Ondřej Surý [Tue, 26 Jun 2018 13:52:37 +0000 (15:52 +0200)] 
Add CHANGES entry for GL #321.

8 years ago libcap ships with <sys/capability.h>, so use an #ifdef associated with that header...
Michał Kępień [Thu, 28 Jun 2018 19:54:22 +0000 (21:54 +0200)] 
libcap ships with <sys/capability.h>, so use an #ifdef associated with that header to determine whether to enable capabilities support

8 years ago Revert parts of 3dd314590e introducing WANT_LINUX_CAPABILITY
Michał Kępień [Thu, 28 Jun 2018 19:48:08 +0000 (21:48 +0200)] 
Revert parts of 3dd314590e introducing WANT_LINUX_CAPABILITY

8 years ago Make libcap mandatory when Linux capabilities are enabled
Ondřej Surý [Tue, 26 Jun 2018 12:52:11 +0000 (14:52 +0200)] 
Make libcap mandatory when Linux capabilities are enabled

8 years ago Merge branch 'fix-win32' into 'master'
Evan Hunt [Thu, 28 Jun 2018 15:46:51 +0000 (11:46 -0400)] 
Merge branch 'fix-win32' into 'master'

add missing symbols for windows build

See merge request isc-projects/bind9!454

8 years ago add missing symbols
Evan Hunt [Thu, 28 Jun 2018 15:38:22 +0000 (08:38 -0700)] 
add missing symbols

8 years ago Merge branch '33-implement-mirror-zones' into 'master'
Michał Kępień [Thu, 28 Jun 2018 11:53:10 +0000 (07:53 -0400)] 
Merge branch '33-implement-mirror-zones' into 'master'

Implement mirror zones

Closes #33

See merge request isc-projects/bind9!329

8 years ago Add CHANGES entry
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add CHANGES entry

4985. [func] Add a new slave zone option, "mirror", to enable
serving a non-authoritative copy of a zone that
is subject to DNSSEC validation before being
used.  For now, this option is only meant to
facilitate deployment of an RFC 7706-style local
copy of the root zone. [GL #33]

8 years ago Add a release note
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add a release note

8 years ago Add documentation for mirror zones
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add documentation for mirror zones

Update the ARM and various option lists with information about the
"mirror" option for slave zones.

8 years ago Make "rndc zonestatus" output for mirror zones different than for regular slave zones
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Make "rndc zonestatus" output for mirror zones different than for regular slave zones

Replace "type: slave" with "type: mirror" in "rndc zonestatus" output
for mirror zones in order to enable the user to tell a regular slave
zone and a mirror zone apart.

8 years ago Disable notifies for mirror zones unless also-notify is used
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Disable notifies for mirror zones unless also-notify is used

Since the mirror zone feature is expected to mostly be used for the root
zone, prevent slaves from sending NOTIFY messages for mirror zones by
default.  Retain the possibility to use "also-notify" as it might be
useful in certain cases.

8 years ago Disable outgoing mirror zone transfers by default
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Disable outgoing mirror zone transfers by default

As mirror zone data should be treated the way validated, cached DNS
responses are, outgoing mirror zone transfers should be disabled unless
they are explicitly enabled by zone configuration.

8 years ago Treat mirror zone data as cache data for access control purposes
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Treat mirror zone data as cache data for access control purposes

As mirror zone data should be treated the way validated, cached DNS
responses are, it should not be used when responding to clients who are
not allowed cache access.  Reuse code responsible for determining cache
database access for evaluating mirror zone access.

8 years ago Rework query_checkcacheaccess()
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Rework query_checkcacheaccess()

Modify query_checkcacheaccess() so that it only contains a single return
statement rather than three and so that the "check_acl" variable is no
longer needed.  Tweak and expand comments.  Fix coding style issues.

8 years ago Simplify query_getcachedb()
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Simplify query_getcachedb()

Modify query_getcachedb() so that it uses a common return path for both
success and failure.  Remove a redundant NULL check since 'db' will
never be NULL after being passed as a target pointer to dns_db_attach().
Fix coding style issues.

8 years ago Extract cache access checks in query_getcachedb() to a separate function
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Extract cache access checks in query_getcachedb() to a separate function

Extract the parts of query_getcachedb() responsible for checking whether
the client is allowed to access the cache to a separate function, so
that it can be reused for determining mirror zone access.

8 years ago Fall back to normal recursion when mirror zone data is unavailable
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Fall back to normal recursion when mirror zone data is unavailable

If transferring or loading a mirror zone fails, resolution should still
succeed by means of falling back to regular recursive queries.
Currently, though, if a slave zone is present in the zone table and not
loaded, a SERVFAIL response is generated.  Thus, mirror zones need
special handling in this regard.

Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
domain name is looked up rather than a zone itself.  Handle that flag in
dns_zt_find() in such a way that a mirror zone which is expired or not
yet loaded is ignored when looking up domain names, but still possible
to find when the caller wants to know whether the zone is configured.
This causes a fallback to recursion when mirror zone data is unavailable
without making unloaded mirror zones invisible to code checking a zone's
existence.

8 years ago Ensure responses sourced from mirror zones have the AD bit set
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Ensure responses sourced from mirror zones have the AD bit set

Zone RRsets are assigned trust level "ultimate" upon load, which causes
the AD bit to not be set in responses coming from slave zones, including
mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
verified RRsets to "secure" so that the AD bit is set in such responses.
No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
case of any DNSSEC failure, which causes the mirror zone version being
verified to be discarded.

8 years ago Do not treat mirror zone data as authoritative
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Do not treat mirror zone data as authoritative

Section 4 of RFC 7706 suggests that responses sourced from a local copy
of a zone should not have the AA bit set.  Follow that recommendation by
setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
coming from a mirror zone.

8 years ago Ensure delegations inside mirror zones are properly handled for non-recursive queries
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Ensure delegations inside mirror zones are properly handled for non-recursive queries

When a resolver is a regular slave (i.e. not a mirror) for some zone,
non-recursive queries for names below that slaved zone will return a
delegation sourced from it.  This behavior is suboptimal for mirror
zones as their contents should rather be treated as validated, cached
DNS responses.  Modify query_delegation() and query_zone_delegation() to
permit clients allowed cache access to check its contents for a better
answer when responding to non-recursive queries.

8 years ago Perform basic resolution checks with a mirror zone in use
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Perform basic resolution checks with a mirror zone in use

Make ns3 mirror the "root" zone from ns1 and query the former for a
properly signed record below the root.  Ensure ns1 is not queried during
resolution and that the AD bit is set in the response.

8 years ago Verify mirror zone journals
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Verify mirror zone journals

As mirror zone files are verified when they are loaded from disk, verify
journal files as well to ensure invalid data is not used.  Reuse the
journals generated during IXFR tests to test this.

8 years ago Verify mirror zone files loaded from disk
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Verify mirror zone files loaded from disk

Verify data read from mirror zone files before it is used in order to
prevent loading corrupt mirror zones from disk.

8 years ago Verify mirror zone IXFRs
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Verify mirror zone IXFRs

Update ixfr_commit() so that all incoming versions of a mirror zone
transferred using IXFR are verified before being used.

8 years ago Verify mirror zone AXFRs
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Verify mirror zone AXFRs

Update axfr_commit() so that all incoming versions of a mirror zone
transferred using AXFR are verified before being used.  If zone
verification fails, discard the received version of the zone, wait until
the next refresh and retry.

8 years ago Add dns_zone_verifydb()
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add dns_zone_verifydb()

Add a function for determining whether the supplied version of a mirror
zone passes DNSSEC validation and is signed using a trusted key.  Define
a new libdns result signifying a zone verification failure.

8 years ago Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor

Extend check_dnskey_sigs() so that, if requested, it checks whether the
DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
trust anchor table is passed as an argument to dns_zoneverify_dnssec()
and passed around in the verification context structure.  Neither
dnssec-signzone nor dnssec-verify are yet modified to make use of that
feature, though.

8 years ago Add a system test for mirror zones
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add a system test for mirror zones

Create the basic files comprising a system test and define a few helper
functions which will be useful when testing mirror zones.

8 years ago Implement a "read-only" version of nextpart()
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Implement a "read-only" version of nextpart()

The system test helper function nextpart() always updates the "lines
read so far" marker ("<file>.prev") when it is called, which somewhat
limits its flexibility.  Add two new helper functions, nextpartpeek()
and nextpartreset(), so that certain parts of log files can be easily
examined more than once.  Add some documentation to help understand the
purpose of each function in the nextpart*() family.

8 years ago Add new "mirror" slave zone option
Michał Kępień [Thu, 28 Jun 2018 11:38:39 +0000 (13:38 +0200)] 
Add new "mirror" slave zone option

Add a new slave-only boolean configuration option, "mirror", along with
its corresponding dns_zoneopt_t enum and a helper function for checking
whether that option was set for a given zone.  This commit does not
introduce any behavior changes yet.

8 years ago Merge branch '339-issues-with-large-journal-entries' into 'master'
Evan Hunt [Thu, 28 Jun 2018 01:24:29 +0000 (21:24 -0400)] 
Merge branch '339-issues-with-large-journal-entries' into 'master'

Fix handling of large journal entries.

Closes #339

See merge request isc-projects/bind9!432

8 years ago CHANGES, release note
Evan Hunt [Thu, 28 Jun 2018 00:34:51 +0000 (17:34 -0700)] 
CHANGES, release note

8 years ago Fall back to normal procedure if creation of ixfr-from-differences fails
Witold Kręcicki [Wed, 27 Jun 2018 12:10:04 +0000 (14:10 +0200)] 
Fall back to normal procedure if creation of ixfr-from-differences fails

8 years ago Fix some issues with large journal entries
Witold Kręcicki [Tue, 26 Jun 2018 19:06:55 +0000 (21:06 +0200)] 
Fix some issues with large journal entries

8 years ago Merge branch '367-dnssec-system-test-failing' into 'master'
Ondřej Surý [Wed, 27 Jun 2018 11:35:32 +0000 (07:35 -0400)] 
Merge branch '367-dnssec-system-test-failing' into 'master'

Resolve "dnssec system test failing"

Closes #367

See merge request isc-projects/bind9!438

8 years ago remove re-signing race when testing dnskey-sig-validity
Mark Andrews [Wed, 27 Jun 2018 04:04:16 +0000 (14:04 +1000)] 
remove re-signing race when testing dnskey-sig-validity

8 years ago improve forensics
Mark Andrews [Wed, 27 Jun 2018 03:32:31 +0000 (13:32 +1000)] 
improve forensics

8 years ago Merge branch '366-missing-dereference-in-require-statement' into 'master'
Mark Andrews [Wed, 27 Jun 2018 07:33:12 +0000 (03:33 -0400)] 
Merge branch '366-missing-dereference-in-require-statement' into 'master'

Resolve "Missing dereference in REQUIRE statement?"

Closes #366

See merge request isc-projects/bind9!437

8 years ago cfg_parse_boolean's REQUIRE test for ret was incomplete.
Mark Andrews [Wed, 27 Jun 2018 01:10:59 +0000 (11:10 +1000)] 
cfg_parse_boolean's REQUIRE test for ret was incomplete.

8 years ago Merge branch '275-add-permanent-option-to-disable-server-side-cookies' into 'master'
Evan Hunt [Tue, 26 Jun 2018 22:20:37 +0000 (18:20 -0400)] 
Merge branch '275-add-permanent-option-to-disable-server-side-cookies' into 'master'

Resolve "Provide a mechanism (build or runtime) to turn off server-side support for RFC7873"

Closes #275

See merge request isc-projects/bind9!413

8 years ago Update CHANGES and doc to reflect changes in master
Ondřej Surý [Tue, 26 Jun 2018 09:56:20 +0000 (11:56 +0200)] 
Update CHANGES and doc to reflect changes in master

8 years ago add CHANGES and release notes
Mark Andrews [Fri, 8 Jun 2018 06:17:27 +0000 (16:17 +1000)] 
add CHANGES and release notes

(cherry picked from commit 5f7a6232d632119e4eb3e5e0e6d2b2c665820b3e)

8 years ago Update ARM documentation
Mukund Sivaraman [Tue, 20 Mar 2018 16:19:16 +0000 (21:49 +0530)] 
Update ARM documentation

(cherry picked from commit b5265a8cfa8ed1818f2ea1ccbe2d2c66bbe0e431)

8 years ago Add system test
Mukund Sivaraman [Tue, 20 Mar 2018 16:06:01 +0000 (21:36 +0530)] 
Add system test

(cherry picked from commit a5933fa2bb6270f900515fb466cfaded2430b4ba)

8 years ago Add an answer-cookie named config option
Mukund Sivaraman [Mon, 19 Mar 2018 12:39:05 +0000 (18:09 +0530)] 
Add an answer-cookie named config option

(cherry picked from commit 29305073575459a66f0a93b9becc4863fd1c0c6b)

8 years ago Merge branch '260-queries-with-empty-question-section-return-noerror' into 'master'
Evan Hunt [Tue, 26 Jun 2018 21:20:08 +0000 (17:20 -0400)] 
Merge branch '260-queries-with-empty-question-section-return-noerror' into 'master'

Resolve "Queries with empty question section (and otherwise query message of undetermined RDCLASS) return NOERROR instead of FORMERR"

Closes #260

See merge request isc-projects/bind9!283

8 years ago CHANGES
Evan Hunt [Tue, 26 Jun 2018 20:52:47 +0000 (13:52 -0700)] 
CHANGES

8 years ago return FORMERR when question section is empty if COOKIE is not present
Mukund Sivaraman [Tue, 15 May 2018 18:37:17 +0000 (00:07 +0530)] 
return FORMERR when question section is empty if COOKIE is not present

8 years ago Merge branch 'temp-disable-qmin-on-rpz' into 'master'
Ondřej Surý [Tue, 26 Jun 2018 19:47:52 +0000 (15:47 -0400)] 
Merge branch 'temp-disable-qmin-on-rpz' into 'master'

Temporarily disable qname minimization in RPZ tests

See merge request isc-projects/bind9!433

8 years ago Temporarily disable qname minimization in RPZ test
Witold Kręcicki [Tue, 26 Jun 2018 19:28:24 +0000 (21:28 +0200)] 
Temporarily disable qname minimization in RPZ test

8 years ago Merge branch 'git-replay-merge-explicit-push' into 'master'
Ondřej Surý [Tue, 26 Jun 2018 16:58:33 +0000 (12:58 -0400)] 
Merge branch 'git-replay-merge-explicit-push' into 'master'

Explicitly push into the same named branch at the remote

See merge request isc-projects/bind9!424

8 years ago Explicitly push into same named branch at the remote instead of relying on whatever...
Ondřej Surý [Tue, 26 Jun 2018 16:49:40 +0000 (18:49 +0200)] 
Explicitly push into same named branch at the remote instead of relying on whatever branch settings the git config might have

8 years ago Merge branch 'fix-changes' into 'master'
Evan Hunt [Tue, 26 Jun 2018 16:02:34 +0000 (12:02 -0400)] 
Merge branch 'fix-changes' into 'master'

fix CHANGES

See merge request isc-projects/bind9!422

8 years ago add missing placeholder and fix CHANGES numbers
Evan Hunt [Tue, 26 Jun 2018 16:01:39 +0000 (09:01 -0700)] 
add missing placeholder and fix CHANGES numbers

8 years ago Merge branch '180-fix-cmsgbuf-usage' into 'master'
Witold Krecicki [Tue, 26 Jun 2018 15:55:14 +0000 (11:55 -0400)] 
Merge branch '180-fix-cmsgbuf-usage' into 'master'

Resolve "Intermittent recursive resolver issues [socket.c:2135]"

Closes #180

See merge request isc-projects/bind9!409

8 years ago Use completely static-sized buffers
Witold Kręcicki [Tue, 26 Jun 2018 13:11:28 +0000 (15:11 +0200)] 
Use completely static-sized buffers

8 years ago Fix socket cmsg buffer usage
Witold Kręcicki [Tue, 26 Jun 2018 09:18:43 +0000 (11:18 +0200)] 
Fix socket cmsg buffer usage

8 years ago Merge branch '288-named-checkconf-does-not-recognize-errors-related-to-in-view-zones...
Evan Hunt [Tue, 26 Jun 2018 15:33:32 +0000 (11:33 -0400)] 
Merge branch '288-named-checkconf-does-not-recognize-errors-related-to-in-view-zones' into 'master'

Resolve "named-checkconf does not recognize errors related to in-view zones"

Closes #288

See merge request isc-projects/bind9!319

8 years ago CHANGES, copyright
Mark Andrews [Fri, 25 May 2018 06:29:04 +0000 (16:29 +1000)] 
CHANGES, copyright

8 years ago construct a symtab of valid in-view targets then check that the target exists
Mark Andrews [Fri, 25 May 2018 03:15:00 +0000 (13:15 +1000)] 
construct a symtab of valid in-view targets then check that the target exists

8 years ago Merge branch '312-fix-rpz-system-test' into 'master'
Michał Kępień [Tue, 26 Jun 2018 10:52:03 +0000 (06:52 -0400)] 
Merge branch '312-fix-rpz-system-test' into 'master'

Fix rpz system test

Closes #312

See merge request isc-projects/bind9!340

8 years ago Add CHANGES entry
Michał Kępień [Tue, 26 Jun 2018 10:19:41 +0000 (12:19 +0200)] 
Add CHANGES entry

4978. [test] Fix error handling and resolver configuration in the
"rpz" system test. [GL #312]

8 years ago Do not use IANA DNSSEC keys in the "rpz" system test
Michał Kępień [Tue, 26 Jun 2018 10:19:41 +0000 (12:19 +0200)] 
Do not use IANA DNSSEC keys in the "rpz" system test

With "dnssec-validation" now defaulting to "auto", it needs to be
explicitly set to "yes" (the previous default value) for all validating
resolvers used in system tests.  Ensure that requirement is satisfied by
the resolvers used in the "rpz" system test.

8 years ago Determine "rpz" system test mode based on $mode rather than $DNSRPS_TEST_MODE
Michał Kępień [Tue, 26 Jun 2018 10:19:41 +0000 (12:19 +0200)] 
Determine "rpz" system test mode based on $mode rather than $DNSRPS_TEST_MODE

Change 4897 modified the way the $DNSRPS_TEST_MODE variable is used in
bin/tests/system/rpz/tests.sh without updating all references to it,
which i.a. causes the $native and $dnsrps variables to not be set in the
default testing mode, effectively preventing failed checks from being
propagated to the final result of the test.  Use $mode instead of
$DNSRPS_TEST_MODE where appropriate to fix error handling in the "rpz"
system test.

8 years ago Merge branch 'git-replay-merge+x' into 'master'
Ondřej Surý [Tue, 26 Jun 2018 09:47:45 +0000 (05:47 -0400)] 
Merge branch 'git-replay-merge+x' into 'master'

Make util/git-replay-merge.sh executable

See merge request isc-projects/bind9!411