JINMEI Tatuya [Thu, 29 Aug 2024 07:24:48 +0000 (16:24 +0900)]
emit more helpful log for exceeding max-records-per-type
The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log includes
the owner name and type, corresponding zone name, and the limit value.
It will be emitted on loading a zone file, inbound zone transfer
(both AXFR and IXFR), handling a DDNS update, or updating a cache DB.
It's especially helpful in the case of zone transfer, since the
secondary side doesn't have direct access to the offending zone data.
It could also be used for max-types-per-name, but this change
doesn't implement it yet as it's much less likely to happen
in practice.
Mark Andrews [Tue, 26 Nov 2024 03:40:57 +0000 (03:40 +0000)]
fix: usr: '{&dns}' is as valid as '{?dns}' in a SVCB's dohpath
`dig` fails to parse a valid (as far as I can tell, and accepted by `kdig` and `Wireshark`) `SVCB` record with a `dohpath` URI template containing a `{&dns}`, like `dohpath=/some/path?key=value{&dns}"`. If the URI template contains a `{?dns}` instead `dig` is happy, but my understanding of rfc9461 and section 1.2. "Levels and Expression Types" of rfc6570 is that `{&dns}` is valid.
See for example section 1.2. "Levels and Expression Types" of rfc6570.
Note that Peter van Dijk suggested that `{dns}` and `{dns,someothervar}` might be valid forms as well, so my patch might be too restrictive, although it's anyone's guess how DoH clients would handle complex templates.
Mark Andrews [Mon, 9 Sep 2024 05:59:30 +0000 (15:59 +1000)]
Parse the URI template and check for a dns variable
The 'dns' variable in dohpath can be in various forms ({?dns},
{dns}, {&dns} etc.). To check for a valid dohpath it ends up
being simpler to just parse the URI template rather than looking
for all the various forms if substring.
Nicki Křížek [Mon, 25 Nov 2024 14:35:17 +0000 (14:35 +0000)]
fix: test: Allow re-run of mkeys system test
On some slow systems, the test might intermittently fail due to inherent
timing issues. In our CI, this most often happens in the
system:gcc:8fips:amd64 jobs.
Closes #3098
Merge branch '3098-allow-re-run-of-mkeys-test' into 'main'
Nicki Křížek [Thu, 7 Nov 2024 15:15:54 +0000 (16:15 +0100)]
Allow re-run of mkeys system test
On some slow systems, the test might intermittently fail due to inherent
timing issues. In our CI, this most often happens in the
system:gcc:8fips:amd64 jobs.
Michal Nowak [Mon, 25 Nov 2024 12:11:02 +0000 (12:11 +0000)]
fix: ci: Fix paths to binaries in cross-version-config-tests job
The cross-version-config-tests job has never functioned in CI because
the testing framework changed after the testing was completed. To run
the new "named" binary using the old configurations, paths in the test
framework must be updated to point to the location of the new binaries.
Closes #4977
Merge branch '4977-fix-cross-version-config-tests' into 'main'
Michal Nowak [Wed, 30 Oct 2024 20:15:44 +0000 (21:15 +0100)]
Fix paths to binaries in cross-version-config-tests job
The cross-version-config-tests job has never functioned in CI because
the testing framework changed after the testing was completed. To run
the new "named" binary using the old configurations, paths in the test
framework must be updated to point to the location of the new binaries.
Aydın Mercan [Mon, 25 Nov 2024 10:09:26 +0000 (10:09 +0000)]
new: usr: add separate query counters for new protocols
Add query counters for DoT, DoH, unencrypted DoH and their proxied
counterparts. The new protocols do not update their respective TCP/UDP
transport counter and is now for TCP/UDP over plain 53 only.
Closes #598
Merge branch '598-wishlist-statistics-for-dns-over-tcp-and-tls' into 'main'
Aydın Mercan [Fri, 4 Oct 2024 10:14:52 +0000 (13:14 +0300)]
add separate query counters for new protocols
Add query counters for DoT, DoH, unencrypted DoH and their proxied
counterparts. The protocols don't increment TCP/UDP counters anymore
since they aren't the same as plain DNS-over-53.
Colin Vidal [Fri, 22 Nov 2024 18:34:51 +0000 (18:34 +0000)]
rem: dev: Remove namedconf port/tls deprecated check on *-source[-v6] options
The usage of port and tls arguments in *-source and *-source-v6 named configuration options has been previously removed. Remove various configuration check deprecating usage of those arguments.
Merge branch 'colin/querysource-check-cleanup' into 'main'
Colin Vidal [Tue, 12 Nov 2024 09:10:12 +0000 (10:10 +0100)]
Remove namedconf port/tls deprecated check on *-source[-v6] options
The usage of port and tls arguments in *-source and *-source-v6 named
configuration options has been previously removed. Remove
configuration check deprecating usage of those arguments.
Alessio Podda [Fri, 22 Nov 2024 17:35:48 +0000 (17:35 +0000)]
chg: dev: Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.
alessio [Sun, 3 Nov 2024 20:25:15 +0000 (21:25 +0100)]
Incrementally apply AXFR transfer
Reintroduce logic to apply diffs when the number of pending tuples is
above 128. The previous strategy of accumulating all the tuples and
pushing them at the end leads to excessive memory consumption during
transfer.
alessio [Fri, 22 Nov 2024 07:32:19 +0000 (08:32 +0100)]
Fix alpine build by removing LargestIntegralType in time_test
Avoids using functions that require LargestIntegralType arguments in
time_test to resolve import issues on Alpine Linux. Using size_t instead
wasn't an option due to compatibility issues with 32-bit architectures.
Mark Andrews [Thu, 21 Nov 2024 05:22:51 +0000 (16:22 +1100)]
Delv now supports selecting FIPS mode at runtime
To enable FIPS mode at runtime use 'delv -F'. The operating system
must have FIPS support available for this to succeed. This is on
by default when built with --enable-fips-mode.
Mark Andrews [Wed, 20 Nov 2024 22:46:24 +0000 (09:46 +1100)]
Dig now supports selecting FIPS mode at runtime
To enable FIPS mode at runtime use 'dig -F'. The operating system
must have FIPS support available for this to succeed. This is on
by default when built with --enable-fips-mode.
Petr Menšík [Wed, 20 Nov 2024 12:08:54 +0000 (13:08 +0100)]
Fix build of unit test on 32b architecture
Fixes unittest build failure on i686 platform.
In file included from tests/isc/time_test.c:24:
tests/isc/time_test.c: In function ‘run_test_isc_time_formatISO8601TZms_test’:
tests/isc/time_test.c:284:32: error: passing argument 2 of ‘_assert_in_set’ from incompatible pointer type [-Wincompatible-pointer-types]
284 | assert_in_set(buf[23], plus_minus, sizeof(plus_minus));
| ^~~~~~~~~~
| |
| size_t * {aka unsigned int *}
/usr/include/cmocka.h:2369:64: note: expected ‘const long long unsigned int *’ but argument is of type ‘size_t *’ {aka ‘unsigned int *’}
2369 | const LargestIntegralType value, const LargestIntegralType values[],
Nicki Křížek [Thu, 7 Nov 2024 14:01:40 +0000 (15:01 +0100)]
Move Known Issues to BIND9 wiki
Keeping the Known Issues as part of the rendered docs has the issue that
the list can't be updated on the official docs website until the next
release. This is unpractical is a high-priority issue is discovered
shortly after a release. Keep the Known Issues in wiki and simply link
to the list from the rendered docs. The wiki article can be updated at
any time as needed.
Ondřej Surý [Wed, 13 Nov 2024 07:49:05 +0000 (07:49 +0000)]
fix: usr: Fix race condition when canceling ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock. During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.
This has been fixed.
Closes #5024
Merge branch '5024-fix-crash-in-dns_adb_cancelfind' into 'main'
Ondřej Surý [Tue, 5 Nov 2024 13:59:16 +0000 (14:59 +0100)]
Revalidate the adbname when canceling the ADB find
When canceling the ADB find, the lock on the find gets released for
a brief period of time to be locked again inside adbname lock. During
the brief period that the ADB find is unlocked, it can get canceled by
other means removing it from the adbname list which in turn causes
assertion failure due to a double removal from the adbname list.
Recheck if the find->adbname is still valid after acquiring the lock
again and if not just skip the double removal. Additionally, attach to
the adbname as in the worst case, the adbname might also cease to exist
if the scheduler would block this particular thread for a longer period
of time invalidating the lock we are going to acquire and release.
Nicki Křížek [Tue, 12 Nov 2024 09:07:02 +0000 (10:07 +0100)]
Ensure pytest runner get proper outcome from flaky reruns
When a test is re-run by the flaky plugin, the TestReport outcomes
collected in the pytest_runtest_makereport() hook should be overriden.
Each of the setup/call/teardown phases is reported again and since we
care about the overall outcome, their respective results should be
overriden so that only the outcome from the final test (re)run gets
reported.
Prior to this change, it lead to a situation where an extra_artifact
generated during the test might be ignored. This was caused because the
check was skipped, since the test was incorrectly considered as "failed"
in the case where the test would fail on the first run, but pass on a
subsequent flaky rerun.
Ondřej Surý [Tue, 12 Nov 2024 08:26:28 +0000 (08:26 +0000)]
rem: usr: Remove RBTDB implementation
Remove the RBTDB database implementation, and only leave the QPDB
based implementations of zone and cache databases. This means
it's no longer possible to choose the RBTDB to be default at the
compilation time and it's not possible to configure RBTDB as the
database backend in the configuration file.
Closes #5027
Merge branch '5027-remove-rbtdb-implementation' into 'main'
Ondřej Surý [Sun, 3 Nov 2024 09:22:29 +0000 (10:22 +0100)]
Remove RBTDB implementation
QPDB is now a default implementation for both cache and zone. Remove
the venerable RBTDB database implementation, so we can fast-track the
changes to the database without having to implement the design changes
to both QPDB and RBTDB and this allows us to be more aggressive when
refactoring the database design.
Nicki Křížek [Fri, 8 Nov 2024 11:36:16 +0000 (11:36 +0000)]
chg: dev: Use lists of expected artifacts in system tests
``clean.sh`` scripts have been replaced by lists of expected artifacts for each system test module. The list is defined using the custom ``pytest.mark.extra_artifacts`` mark, which can use both filenames and globs.
Closes #4261
Merge branch '4261-add-pytest-fixture-checking-test-artifacts' into 'main'
Michał Kępień [Mon, 19 Aug 2024 16:49:08 +0000 (18:49 +0200)]
Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.
With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.
Arаm Sаrgsyаn [Thu, 7 Nov 2024 09:58:47 +0000 (09:58 +0000)]
fix: dev: Fix a data race between dns_zone_getxfr() and dns_xfrin_create()
There is a data race between the statistics channel, which uses
`dns_zone_getxfr()` to get a reference to `zone->xfr`, and the creation
of `zone->xfr`, because the latter happens outside of a zone lock.
Split the `dns_xfrin_create()` function into two parts to separate the
zone transfer starting part from the zone transfer object creation part.
This allows us to attach the new object to a local variable first, then
attach it to `zone->xfr` under a lock, and only then start the transfer.
Closes #5011
Merge branch '5011-dns_zone_getxfr-race-fix' into 'main'
Aram Sargsyan [Tue, 5 Nov 2024 10:28:37 +0000 (10:28 +0000)]
Fix a data race between dns_zone_getxfr() and dns_xfrin_create()
There is a data race between the statistics channel, which uses
`dns_zone_getxfr()` to get a reference to `zone->xfr`, and the creation
of `zone->xfr`, because the latter happens outside of a zone lock.
Split the `dns_xfrin_create()` function into two parts to separate the
zone tranfer startring part from the zone transfer object creation part.
This allows us to attach the new object to a local variable first, then
attach it to `zone->xfr` under a lock, and only then start the transfer.
Ondřej Surý [Thu, 7 Nov 2024 07:23:02 +0000 (07:23 +0000)]
chg: dev: Enforce type checking for dns_dbversion_t
Originally, the dns_dbversion_t was typedef'ed to void type. This
allowed some flexibility, but using (void *) just removes any
type-checking that C might have. Instead of using:
typedef void dns_dbversion_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbversion dns_dbversion_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbversion_t type.
Merge branch 'ondrej/non-void-dns_dbversion_t' into 'main'
Ondřej Surý [Tue, 5 Nov 2024 17:50:15 +0000 (18:50 +0100)]
Enforce type checking for dns_dbversiont_t
Originally, the dns_dbversion_t was typedef'ed to void type. This
allowed some flexibility, but using (void *) just removes any
type-checking that C might have. Instead of using:
typedef void dns_dbversion_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbversion dns_dbversion_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbversion_t type.
Ondřej Surý [Wed, 6 Nov 2024 17:05:03 +0000 (17:05 +0000)]
fix: dev: Enforce type checking for dns_dbnode_t
Originally, the dns_dbnode_t was typedef'ed to void type. This allowed
some flexibility, but using (void *) just removes any type-checking that
C might have. Instead of using:
typedef void dns_dbnode_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbnode dns_dbnode_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbnode_t type.
Merge branch 'ondrej/non-void-dns_dbnode_t' into 'main'
Ondřej Surý [Tue, 5 Nov 2024 15:13:10 +0000 (16:13 +0100)]
Enforce type checking for dns_dbnode_t
Originally, the dns_dbnode_t was typedef'ed to void type. This allowed
some flexibility, but using (void *) just removes any type-checking that
C might have. Instead of using:
typedef void dns_dbnode_t;
use a trick to define the type to non-existing structure:
typedef struct dns_dbnode dns_dbnode_t;
This allows the C compilers to employ the type-checking while the
structure itself doesn't have to be ever defined because the actual
'storage' is never accessed using dns_dbnode_t type.
Alessio Podda [Tue, 5 Nov 2024 09:36:19 +0000 (09:36 +0000)]
chg: dev: Unify parsing of query-source and other X-source options
The query-source option currently allows the address to be specified in two ways, either as every other X-source option, or as an
"address" key-value pair.
This merge request extends the `parse_sockaddrsub` config parsing function so that it can parse the query-source option. It also removes the separate config parsing function for `query-source`.
Closes #4961
Merge branch '4961-query-source-parsing-refactor' into 'main'
The query-source option has the slight quirk of allowing the address to
be specified in two ways, either as every other source option, or as an
"address" key-value pair.
For this reason, it had a separate parsing function from other X-source
options, but it is possible to extend the parsing of other X-sources to
be generic and also handle query-source.
This commit just does that.
Ondřej Surý [Mon, 4 Nov 2024 23:36:09 +0000 (23:36 +0000)]
fix: nil: Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am. Adjust the required automake files
as needed.
Merge branch 'ondrej/add-missing-OPENSSL_CFLAGS' into 'main'
Ondřej Surý [Mon, 4 Nov 2024 15:13:45 +0000 (15:13 +0000)]
Add OpenSSL includes as needed
The isc/crypto.h now directly includes the OpenSSL headers (evp.h) and
any application that includes that header also needs to have
OPENSSL_CFLAGS in the Makefile.am. Adjust the required automake files
as needed.
The tool 'dnssec-ksr' now allows for KSK generation, as well as planned KSK rollovers. When signing a bundle from a Key Signing Request (KSR), only the key that is active in that time frame is being used for signing. Also, the CDS and CDNSKEY records are now added and removed at the correct time.
Closes #4697
Closes #4705
Merge branch '4705-dnssec-ksr-only-sign-with-active-ksks' into 'main'
dnssec-ksr can now sign KSR files with multiple KSKs. A planned KSK
rollover is supported, meaning the KSR will first be signed with
one KSK and later with another. The timing metadata for CDS and
CDNSKEY records are also taken into account, so these records are
only published when the time is between "SyncPublish" and "SyncDelete".
Add a test case for Offline KSK where during the lifespan of the Signed
Key Response a KSK rollover happens. Ensure that the correct DNSKEY,
CDNSKEY, and CDS records are published at the right times.
When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.
For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.
Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.
chg: test: Match algorithms when checking signatures
In the ksr system test, the 'test_ksr_twotone' case may fail if there are two keys with the same keytag (but different algorithms), because one key is expected to be signing and the other is not.
Switch to regular expression matching and include the algorithm in the search string.
Closes #5017
Merge branch '5017-unexpected-match-ksr-twotone-again' into 'main'
Matthijs Mekking [Thu, 31 Oct 2024 10:25:23 +0000 (11:25 +0100)]
Match algorithms when checking signatures
In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.
Switch to regular expression matching and include the algorithm in the
search string.
Michal Nowak [Thu, 31 Oct 2024 16:46:11 +0000 (16:46 +0000)]
fix: doc: Remove the CHANGES file
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.
Closes #5000
Merge branch '5000-provide-correct-changelog-on-ftp' into 'main'
Michal Nowak [Thu, 24 Oct 2024 15:01:57 +0000 (17:01 +0200)]
Remove the CHANGES file
With the introduction of the generated changelog, the CHANGES file
became a symlink to doc/arm/changelog.rst. After the changes made in
!9549, the changelog file transitioned from being a wholly generated
file to one that includes versioned changelog files, which are
themselves generated. However, while implementing !9549, we overlooked
that the CHANGES file is copied to a release directory on an FTP server
and contains just "include" directives, not the changelog itself.
Therefore, in the same fashion as the "RELEASE-NOTES*.html" file, create
a "CHANGELOG*.html" file that redirects to the Changelog appendix of the
ARM.
Nicki Křížek [Thu, 31 Oct 2024 09:40:02 +0000 (09:40 +0000)]
new: dev: Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.
Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.
New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.
Closes #4938
Merge branch '4938-use-jinja2-templates-in-system-tests' into 'main'
Nicki Křížek [Tue, 1 Oct 2024 12:45:36 +0000 (14:45 +0200)]
Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.
Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.
New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.
Evan Hunt [Tue, 29 Oct 2024 20:05:52 +0000 (20:05 +0000)]
chg: usr: Add missing EDNS option mnemonics
The `Report-Channel` and `ZONEVERSION` EDNS options can now be sent using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for short), and `dig +ednsopt=zoneversion`.
Several other EDNS option names, including `DAU`, `DHU`, `N3U`, and `CHAIN`, are now displayed correctly in text and YAML formats. Also, an inconsistency has been corrected: the `TCP-KEEPALIVE` option is now spelled with a hyphen in both text and YAML formats; previously, text format used a space.
Merge branch 'each-add-missing-edns-opts' into 'main'
Evan Hunt [Thu, 24 Oct 2024 23:55:31 +0000 (16:55 -0700)]
refactor, add missing EDNS options, and fix option names
some EDNS option names, including DAU, DHU, N3U, and CHAIN,
were not printed in dns_message_pseudosectiontotext() or
_psuedosectiontoyaml(); they were displayed as unknown options.
this has been corrected.
that code was also refactored to use switch instead of if/else,
and to look up the option code names in a table to prevent
inconsistencies between the two formats. one such inconsistency
was corrected: the "TCP-KEEPALIVE" option is now always printed
with a hyphen, instead of being "TCP KEEPALIVE" when not using
YAML. the keepalive system test has been updated to expect this.
EDNS options that print DNS names (i.e., CHAIN and Report-Channel)
now enclose them in quotation marks to ensure YAML correctness.
the auth system test has been updated to expect this when grepping
for Report-Channel options.
Evan Hunt [Thu, 24 Oct 2024 21:51:58 +0000 (14:51 -0700)]
add missing EDNS option mnemonics to dig
Report-Channel and ZONEVERSION EDNS options can now be sent
using `dig +ednsopt=report-channel` (or `dig +ednsopt=rc` for
short), and `dig +ednsopt=zoneversion`.
Nicki Křížek [Mon, 14 Oct 2024 17:32:39 +0000 (19:32 +0200)]
Make changelog audience mandatory
Use a stricter hazard check which ensures the audience tag is present in
the MR title and is one of the known values. This prevents siuations
where incorrect audience is accidentally used, resulting in a missing
changelog entry or a release note.
Matthijs Mekking [Fri, 25 Oct 2024 11:20:03 +0000 (11:20 +0000)]
fix: test: Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().
This popped up because previously we set 'retired' to 0 in case of unlimited lifetime, but we changed it to None.
It is actually a false positive, because if lifetime is unlimited there will be only one key in 'keys'.
However, the code would be better if we always initialized 'active' and if it is not the first key and retired is set, set the successor key's active time to the retire time of the predecessor key.
Closes #5004
Merge branch '5004-cid-510858-ksr-check-keys' into 'main'
Matthijs Mekking [Thu, 24 Oct 2024 12:03:58 +0000 (14:03 +0200)]
Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There
is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().
This popped up because previously we set 'retired' to 0 in case of
unlimited lifetime, but we changed it to None.
It is actually a false positive, because if lifetime is unlimited
there will be only one key in 'keys'.
However, the code would be better if we always initialized 'active'
and if it is not the first key and retired is set, set the successor
key's active time to the retire time of the predecessor key.
Matthijs Mekking [Thu, 24 Oct 2024 12:30:51 +0000 (14:30 +0200)]
Fix intermittent ksr test failure
The test_ksr_twotwone may fail if the key id is shorter than 5 digits.
Add a leading space to the expected strings which start with the key
tag to avoid the issue.
Nicki Křížek [Mon, 27 May 2024 14:10:04 +0000 (16:10 +0200)]
Make system tests compatible with pytest 8.0.0+
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.
Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).
Related https://github.com/pytest-dev/pytest/issues/7777
Mark Andrews [Thu, 24 Oct 2024 03:10:38 +0000 (03:10 +0000)]
fix: usr: Use TLS for notifies if configured to do so
Notifies configured to use TLS will now be sent over TLS, instead of plaintext UDP or TCP.
Also, failing to load the TLS configuration for notify now also results in an error.
Mark Andrews [Tue, 15 Oct 2024 05:09:48 +0000 (16:09 +1100)]
Fix TCP dispatches and transport
Dispatch needs to know the transport that is being used over the
TCP connection to correctly allow for it to be reused. Add a
transport parameter to dns_dispatch_createtcp and dns_dispatch_gettcp
and use it when selecting a TCP socket for reuse.
projects / thirdparty / bind9.git / log
