From fed34e531e9e810cc74ff0ec7d8a513a3f8972ce Mon Sep 17 00:00:00 2001 
From: christos Date: Mon, 26 Jun 2023 21:45:59 +0000 Subject: [PATCH] Import 9.16.42 (last was 9.16.37) --- 9.16.42 released --- 6192. [security] A query that prioritizes stale data over lookup triggers a fetch to refresh the stale data in cache. If the fetch is aborted for exceeding the recursion quota, it was possible for 'named' to enter an infinite callback loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911) [GL #4089] 6190. [security] Improve the overmem cleaning process to prevent the cache going over the configured limit. (CVE-2023-2828) [GL #4055] 6183. [bug] Fix a serve-stale bug where a delegation from cache could be returned to the client. [GL #3950] 6173. [bug] Properly process extra "nameserver" lines in resolv.conf otherwise the next line is not properly processed. [GL #4066] 6169. [bug] named could crash when deleting inline-signing zones with "rndc delzone". [GL #4054] --- 9.16.41 released --- 6157. [bug] When removing delegations in an OPTOUT range empty-non-terminal NSEC3 records generated by those delegations were not removed. [GL #4027] --- 9.16.40 released --- 6142. [bug] Reduce the number of dns_dnssec_verify calls made determining if revoked keys needs to be removed from the trust anchors. [GL #3981] 6138. [doc] Fix the DF-flag documentation on the outgoing UDP packets. [GL #3710] 6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967] 6129. [cleanup] Value stored to 'source' during its initialization is never read. [GL #3965] 6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to an NSEC3 incapable DNSSEC algorithm using KASP the zone could sometimes be incompletely signed. [GL #3937] 5741. [bug] Log files with "timestamp" suffixes could be left in place after rolling, even if the number of preserved log files exceeded the configured "versions" limit. [GL #828] [GL #3959] --- 9.16.39 released --- 6119. 
[bug] Make sure to revert the reconfigured zones to the previous version of the view, when the new view reconfiguration fails during the configuration of one of the configured zones. [GL #3911] 6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones() function. [GL #3900] 6115. [bug] Unregister db update notify callback before detaching from the previous db inside the catz update notify callback. [GL #3777] 6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in configure_rpz() and configure_catz(), respectively, just after attaching it to the new view. [GL #3880] 6098. [test] Don't test HMAC-MD5 when not supported by libcrypto. [GL #3871] 6095. [test] Test various 'islands of trust' configurations when using managed keys. [GL #3662] 6094. [bug] Building against (or running with) libuv versions 1.35.0 and 1.36.0 is now a fatal error. The rules for mixing and matching compile-time and run-time libuv versions have been tightened for libuv versions between 1.35.0 and 1.40.0. [GL #3840] --- 9.16.38 released --- 6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently broken by change 6042. [GL #3827] 6081. [bug] Handle primary server address lookup failures in nsupdate more gracefully. [GL #3830] 6080. [bug] 'named -V' leaked memory. [GL #3829] 6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds' command. [GL #3822] 6075. [bug] Add missing node lock when setting node->wild in add_wildcard_magic. [GL #3799] 6072. [bug] Avoid the OpenSSL lock contention when initializing Message Digest Contexts by using explicit algorithm fetching, initializing static contexts for every supported algorithms, and initializing the new context by copying the static copy. [GL #3795] 6069. [bug] Detach from the view in zone_shutdown() to release the memory held by the dead view early. 
[GL #3801] --- external/mpl/bind/dist/CHANGES | 115 ++++ external/mpl/bind/dist/CONTRIBUTING | 8 +- external/mpl/bind/dist/CONTRIBUTING.md | 8 +- .../bind/dist/bin/python/isc/coverage.py.in | 1 + .../mpl/bind/dist/bin/python/isc/dnskey.py.in | 1 + .../mpl/bind/dist/bin/python/isc/keymgr.py.in | 1 + .../bind/dist/bin/python/isc/keyzone.py.in | 1 + external/mpl/bind/dist/bin/rndc/rndc.rst | 8 +- .../bind/dist/bin/tests/system/acl/tests.sh | 2 +- .../dist/bin/tests/system/autosign/clean.sh | 3 +- .../bin/tests/system/autosign/ns2/keygen.sh | 8 + .../tests/system/autosign/ns2/named.conf.in | 9 + .../system/autosign/ns2/optout-with-ent.db.in | 22 + .../dist/bin/tests/system/autosign/tests.sh | 45 +- .../bind/dist/bin/tests/system/catz/clean.sh | 1 + .../bin/tests/system/catz/ns2/named1.conf.in | 11 +- .../system/catz/ns4/catalog.example.db.in | 14 + .../bin/tests/system/catz/ns4/named.conf.in | 55 ++ .../bind/dist/bin/tests/system/catz/setup.sh | 2 + .../bind/dist/bin/tests/system/catz/tests.sh | 53 ++ .../dist/bin/tests/system/chain/ans4/ans.py | 2 +- .../system/checkconf/kasp-bad-keylen.conf | 2 +- .../dist/bin/tests/system/cookie/ans9/ans.py | 2 + .../dist/bin/tests/system/dnssec/ans10/ans.py | 1 + .../dist/bin/tests/system/dnstap/tests.sh | 1 + .../dist/bin/tests/system/dupsigs/tests.sh | 35 +- .../bin/tests/system/forward/ans11/ans.py | 1 + .../dist/bin/tests/system/get_algorithms.py | 10 +- .../system/inline/tests_signed_zone_files.py | 1 - .../bind/dist/bin/tests/system/kasp/tests.sh | 16 +- .../dist/bin/tests/system/legacy/tests.sh | 2 +- .../bin/tests/system/logfileconfig/clean.sh | 5 +- .../tests/system/logfileconfig/named1.args | 1 + .../tests/system/logfileconfig/named2.args | 1 + .../system/logfileconfig/ns1/named.dirconf.in | 43 ++ .../logfileconfig/ns1/named.iso8601-utc.in | 43 ++ .../system/logfileconfig/ns1/named.iso8601.in | 43 ++ .../logfileconfig/ns1/named.pipeconf.in | 43 ++ .../system/logfileconfig/ns1/named.plain.in | 50 ++ 
.../logfileconfig/ns1/named.plainconf.in | 34 ++ .../system/logfileconfig/ns1/named.symconf.in | 43 ++ .../system/logfileconfig/ns1/named.tsconf.in | 52 ++ .../logfileconfig/ns1/named.unlimited.in | 52 ++ .../logfileconfig/ns1/named.versconf.in | 52 ++ .../bin/tests/system/logfileconfig/setup.sh | 4 +- .../bin/tests/system/logfileconfig/tests.sh | 513 ++++++------------ .../bind/dist/bin/tests/system/mkeys/clean.sh | 9 +- .../bin/tests/system/mkeys/ns1/named1.conf.in | 10 + .../bin/tests/system/mkeys/ns1/named2.conf.in | 10 + .../bin/tests/system/mkeys/ns1/named3.conf.in | 10 + .../dist/bin/tests/system/mkeys/ns1/root.db | 3 + .../dist/bin/tests/system/mkeys/ns1/sign.sh | 18 + .../bin/tests/system/mkeys/ns1/sub.tld.db | 21 + .../dist/bin/tests/system/mkeys/ns1/tld.db | 23 + .../bin/tests/system/mkeys/ns4/named.conf.in | 5 + .../dist/bin/tests/system/mkeys/ns4/sign.sh | 25 + .../bin/tests/system/mkeys/ns4/sub.foo.db | 21 + .../dist/bin/tests/system/mkeys/ns5/foo.db | 23 + .../bin/tests/system/mkeys/ns5/named.conf.in | 8 + .../bind/dist/bin/tests/system/mkeys/setup.sh | 1 + .../bind/dist/bin/tests/system/mkeys/tests.sh | 132 +++-- .../bind/dist/bin/tests/system/nsec3/tests.sh | 1 - .../dist/bin/tests/system/nsupdate/setup.sh | 6 +- .../dist/bin/tests/system/nsupdate/tests.sh | 38 +- .../bin/tests/system/pytest_custom_markers.py | 4 +- .../bind/dist/bin/tests/system/rndc/setup.sh | 2 +- .../bind/dist/bin/tests/system/rndc/tests.sh | 24 +- .../bin/tests/system/rpz/ns3/named.conf.in | 10 + .../bind/dist/bin/tests/system/rpz/tests.sh | 10 + .../mpl/bind/dist/bin/tests/system/run.sh | 23 +- .../dist/bin/tests/system/runtime/tests.sh | 10 +- .../bin/tests/system/serve-stale/ans2/ans.pl | 54 ++ .../bin/tests/system/serve-stale/ns1/root.db | 2 + .../system/serve-stale/ns3/named2.conf.in | 7 +- .../bin/tests/system/serve-stale/tests.sh | 79 ++- .../tests/system/shutdown/tests_shutdown.py | 78 +-- .../bin/tests/system/statschannel/generic.py | 4 - 
.../system/statschannel/generic_dnspython.py | 3 - .../tests/system/statschannel/tests_json.py | 3 - .../tests/system/statschannel/tests_xml.py | 2 - .../dist/bin/tests/system/tcp/tests_tcp.py | 2 - .../bind/dist/bin/tests/system/testcrypto.sh | 12 +- .../bin/tests/system/tsig/ns1/named.conf.in | 10 +- .../bind/dist/bin/tests/system/tsig/setup.sh | 16 + .../bind/dist/bin/tests/system/tsig/tests.sh | 65 ++- .../bind/dist/bin/tests/system/ttl/clean.sh | 6 +- .../bind/dist/bin/tests/system/ttl/prereq.sh | 31 ++ .../bind/dist/bin/tests/system/ttl/setup.sh | 1 - .../bin/tests/system/ttl/tests_cache_ttl.py | 32 ++ external/mpl/bind/dist/configure.ac | 26 +- external/mpl/bind/dist/dangerfile.py | 33 +- external/mpl/bind/dist/doc/Makefile.in | 2 +- external/mpl/bind/dist/doc/arm/build.rst | 10 +- external/mpl/bind/dist/doc/arm/notes.rst | 5 + external/mpl/bind/dist/doc/arm/platforms.rst | 10 +- external/mpl/bind/dist/doc/arm/reference.rst | 36 +- .../bind/dist/doc/dnssec-guide/validation.rst | 2 - .../mpl/bind/dist/doc/man/ddns-confgen.8in | 8 +- external/mpl/bind/dist/doc/man/delv.1in | 26 +- external/mpl/bind/dist/doc/man/dig.1in | 12 +- .../bind/dist/doc/man/dnssec-dsfromkey.8in | 2 +- .../bind/dist/doc/man/dnssec-importkey.8in | 2 +- .../mpl/bind/dist/doc/man/dnssec-keygen.8in | 2 +- .../mpl/bind/dist/doc/man/dnssec-keymgr.8in | 14 +- .../mpl/bind/dist/doc/man/dnssec-signzone.8in | 10 +- .../mpl/bind/dist/doc/man/filter-aaaa.8in | 4 +- external/mpl/bind/dist/doc/man/host.1in | 6 +- external/mpl/bind/dist/doc/man/mdig.1in | 20 +- .../mpl/bind/dist/doc/man/named-checkconf.8in | 2 +- .../mpl/bind/dist/doc/man/named-checkzone.8in | 4 +- .../bind/dist/doc/man/named-compilezone.8in | 4 +- external/mpl/bind/dist/doc/man/nsec3hash.8in | 2 +- external/mpl/bind/dist/doc/man/rndc.8in | 26 +- external/mpl/bind/dist/doc/man/rndc.conf.5in | 14 +- .../mpl/bind/dist/doc/man/tsig-keygen.8in | 2 +- .../mpl/bind/dist/doc/notes/notes-9.16.38.rst | 33 ++ 
.../mpl/bind/dist/doc/notes/notes-9.16.39.rst | 60 ++ .../mpl/bind/dist/doc/notes/notes-9.16.40.rst | 32 ++ .../mpl/bind/dist/doc/notes/notes-9.16.41.rst | 27 + .../mpl/bind/dist/doc/notes/notes-9.16.42.rst | 45 ++ .../mpl/bind/dist/lib/dns/win32/libdns.def.in | 1 + .../mpl/bind/dist/lib/isc/win32/libisc.def.in | 4 +- .../mpl/bind/dist/sonar-project.properties | 2 + external/mpl/bind/dist/srcid | 2 +- external/mpl/bind/dist/version | 2 +- 125 files changed, 2058 insertions(+), 708 deletions(-) create mode 100644 external/mpl/bind/dist/bin/tests/system/autosign/ns2/optout-with-ent.db.in create mode 100644 external/mpl/bind/dist/bin/tests/system/catz/ns4/catalog.example.db.in create mode 100644 external/mpl/bind/dist/bin/tests/system/catz/ns4/named.conf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/named1.args create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/named2.args create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.dirconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.pipeconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plain.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plainconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.symconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.tsconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited.in create mode 100644 external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf.in create mode 100644 external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sub.tld.db create mode 100644 
external/mpl/bind/dist/bin/tests/system/mkeys/ns1/tld.db create mode 100644 external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sign.sh create mode 100644 external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sub.foo.db create mode 100644 external/mpl/bind/dist/bin/tests/system/mkeys/ns5/foo.db create mode 100644 external/mpl/bind/dist/bin/tests/system/ttl/prereq.sh create mode 100644 external/mpl/bind/dist/bin/tests/system/ttl/tests_cache_ttl.py create mode 100644 external/mpl/bind/dist/doc/notes/notes-9.16.38.rst create mode 100644 external/mpl/bind/dist/doc/notes/notes-9.16.39.rst create mode 100644 external/mpl/bind/dist/doc/notes/notes-9.16.40.rst create mode 100644 external/mpl/bind/dist/doc/notes/notes-9.16.41.rst create mode 100644 external/mpl/bind/dist/doc/notes/notes-9.16.42.rst create mode 100644 external/mpl/bind/dist/sonar-project.properties diff --git a/external/mpl/bind/dist/CHANGES b/external/mpl/bind/dist/CHANGES index 0d8baed833a9..e04878f59622 100644 --- a/external/mpl/bind/dist/CHANGES +++ b/external/mpl/bind/dist/CHANGES 
@@ -1,3 +1,111 @@ + --- 9.16.42 released --- + +6192. [security] A query that prioritizes stale data over lookup + triggers a fetch to refresh the stale data in cache. + If the fetch is aborted for exceeding the recursion + quota, it was possible for 'named' to enter an infinite + callback loop and crash due to stack overflow. This has + been fixed. (CVE-2023-2911) [GL #4089] + +6190. [security] Improve the overmem cleaning process to prevent the + cache going over the configured limit. (CVE-2023-2828) + [GL #4055] + +6183. [bug] Fix a serve-stale bug where a delegation from cache + could be returned to the client. [GL #3950] + +6173. [bug] Properly process extra "nameserver" lines in + resolv.conf otherwise the next line is not properly + processed. [GL #4066] + +6169. [bug] named could crash when deleting inline-signing zones + with "rndc delzone". [GL #4054] + + --- 9.16.41 released --- + +6157. [bug] When removing delegations in an OPTOUT range + empty-non-terminal NSEC3 records generated by + those delegations were not removed. [GL #4027] + + --- 9.16.40 released --- + +6142. [bug] Reduce the number of dns_dnssec_verify calls made + determining if revoked keys needs to be removed from + the trust anchors. [GL #3981] + +6138. [doc] Fix the DF-flag documentation on the outgoing + UDP packets. [GL #3710] + +6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967] + +6129. [cleanup] Value stored to 'source' during its initialization is + never read. [GL #3965] + +6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to + an NSEC3 incapable DNSSEC algorithm using KASP the zone + could sometimes be incompletely signed. [GL #3937] + +5741. [bug] Log files with "timestamp" suffixes could be left in + place after rolling, even if the number of preserved + log files exceeded the configured "versions" limit. + [GL #828] [GL #3959] + + --- 9.16.39 released --- + +6119. 
[bug] Make sure to revert the reconfigured zones to the + previous version of the view, when the new view + reconfiguration fails during the configuration of + one of the configured zones. [GL #3911] + +6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones() + function. [GL #3900] + +6115. [bug] Unregister db update notify callback before detaching + from the previous db inside the catz update notify + callback. [GL #3777] + +6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in + configure_rpz() and configure_catz(), respectively, + just after attaching it to the new view. [GL #3880] + +6098. [test] Don't test HMAC-MD5 when not supported by libcrypto. + [GL #3871] + +6095. [test] Test various 'islands of trust' configurations when + using managed keys. [GL #3662] + +6094. [bug] Building against (or running with) libuv versions + 1.35.0 and 1.36.0 is now a fatal error. The rules for + mixing and matching compile-time and run-time libuv + versions have been tightened for libuv versions between + 1.35.0 and 1.40.0. [GL #3840] + + --- 9.16.38 released --- + +6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently + broken by change 6042. [GL #3827] + +6081. [bug] Handle primary server address lookup failures in + nsupdate more gracefully. [GL #3830] + +6080. [bug] 'named -V' leaked memory. [GL #3829] + +6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds' + command. [GL #3822] + +6075. [bug] Add missing node lock when setting node->wild in + add_wildcard_magic. [GL #3799] + +6072. [bug] Avoid the OpenSSL lock contention when initializing + Message Digest Contexts by using explicit algorithm + fetching, initializing static contexts for every + supported algorithms, and initializing the new context + by copying the static copy. [GL #3795] + +6069. [bug] Detach from the view in zone_shutdown() to + release the memory held by the dead view + early. [GL #3801] + --- 9.16.37 released --- 6067. 
[security] Fix serve-stale crash when recursive clients soft quota @@ -48,6 +156,13 @@ 6044. [bug] There was an "RSASHA236" typo in a log message. [GL !7206] +5845. [bug] Refactor the timer to keep track of posted events + as to use isc_task_purgeevent() instead of using + isc_task_purgerange(). The isc_task_purgeevent() + has been refactored to purge a single event instead + of walking through the list of posted events. + [GL #3252] + --- 9.16.36 released --- 6043. [bug] The key file IO locks objects would never get diff --git a/external/mpl/bind/dist/CONTRIBUTING b/external/mpl/bind/dist/CONTRIBUTING index 4875c0ea0139..928ee67a6d93 100644 --- a/external/mpl/bind/dist/CONTRIBUTING +++ b/external/mpl/bind/dist/CONTRIBUTING @@ -57,14 +57,14 @@ To clone the repository, use: $ git clone https://gitlab.isc.org/isc-projects/bind9.git -Release branch names are of the form v9_X, where X represents the second -number in the BIND 9 version number. So, to check out the BIND 9.12 +Release branch names are of the form bind-9.X, where X represents the +second number in the BIND 9 version number. So, to check out the BIND 9.18 branch, use: - $ git checkout v9_12 + $ git checkout bind-9.18 Whenever a branch is ready for publication, a tag is placed of the form -v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0. +v9.X.Y. The 9.18.0 release, for instance, is tagged as v9.18.0. The branch in which the next major release is being developed is called main. diff --git a/external/mpl/bind/dist/CONTRIBUTING.md b/external/mpl/bind/dist/CONTRIBUTING.md index 0b7661b6717f..4b3db8938114 100644 --- a/external/mpl/bind/dist/CONTRIBUTING.md +++ b/external/mpl/bind/dist/CONTRIBUTING.md 
@@ -71,14 +71,14 @@ To clone the repository, use: > $ git clone https://gitlab.isc.org/isc-projects/bind9.git -Release branch names are of the form `v9_X`, where X represents the second -number in the BIND 9 version number. So, to check out the BIND 9.12 +Release branch names are of the form `bind-9.X`, where X represents the second +number in the BIND 9 version number. So, to check out the BIND 9.18 branch, use: -> $ git checkout v9_12 +> $ git checkout bind-9.18 Whenever a branch is ready for publication, a tag is placed of the -form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`. +form `v9.X.Y`. The 9.18.0 release, for instance, is tagged as `v9.18.0`. The branch in which the next major release is being developed is called `main`. diff --git a/external/mpl/bind/dist/bin/python/isc/coverage.py.in b/external/mpl/bind/dist/bin/python/isc/coverage.py.in index 1b2839614f67..e9be265a6f92 100644 --- a/external/mpl/bind/dist/bin/python/isc/coverage.py.in +++ b/external/mpl/bind/dist/bin/python/isc/coverage.py.in @@ -24,6 +24,7 @@ prog = "dnssec-coverage" from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils + ############################################################################ # print a fatal error and exit ############################################################################ diff --git a/external/mpl/bind/dist/bin/python/isc/dnskey.py.in b/external/mpl/bind/dist/bin/python/isc/dnskey.py.in index 3165a8ba4aea..c4cdc57d1554 100644 --- a/external/mpl/bind/dist/bin/python/isc/dnskey.py.in +++ b/external/mpl/bind/dist/bin/python/isc/dnskey.py.in @@ -14,6 +14,7 @@ import time import calendar from subprocess import Popen, PIPE + ######################################################################## # Class dnskey ######################################################################## 
diff --git a/external/mpl/bind/dist/bin/python/isc/keymgr.py.in b/external/mpl/bind/dist/bin/python/isc/keymgr.py.in index c847b65caa81..67fe4c77bef4 100644 --- a/external/mpl/bind/dist/bin/python/isc/keymgr.py.in +++ b/external/mpl/bind/dist/bin/python/isc/keymgr.py.in @@ -17,6 +17,7 @@ prog = "dnssec-keymgr" from isc import dnskey, keydict, keyseries, policy, parsetab, utils + ############################################################################ # print a fatal error and exit ############################################################################ diff --git a/external/mpl/bind/dist/bin/python/isc/keyzone.py.in b/external/mpl/bind/dist/bin/python/isc/keyzone.py.in index f5f1c3dc2c69..c0c7043ceec8 100644 --- a/external/mpl/bind/dist/bin/python/isc/keyzone.py.in +++ b/external/mpl/bind/dist/bin/python/isc/keyzone.py.in @@ -14,6 +14,7 @@ import sys import re from subprocess import Popen, PIPE + ######################################################################## # Exceptions ######################################################################## diff --git a/external/mpl/bind/dist/bin/rndc/rndc.rst b/external/mpl/bind/dist/bin/rndc/rndc.rst index 888640252015..b2ec0e8a021c 100644 --- a/external/mpl/bind/dist/bin/rndc/rndc.rst +++ b/external/mpl/bind/dist/bin/rndc/rndc.rst 
@@ -173,9 +173,13 @@ Currently supported commands are: notation. ``dnstap`` ( **-reopen** | **-roll** [*number*] ) - This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows + This command closes and re-opens DNSTAP output files. + + ``rndc dnstap -reopen`` allows the output file to be renamed externally, so that ``named`` can - truncate and re-open it. ``rndc dnstap -roll`` causes the output file + truncate and re-open it. + + ``rndc dnstap -roll`` causes the output file to be rolled automatically, similar to log files. The most recent output file has ".0" appended to its name; the previous most recent output file is moved to ".1", and so on. If ``number`` is specified, then diff --git a/external/mpl/bind/dist/bin/tests/system/acl/tests.sh b/external/mpl/bind/dist/bin/tests/system/acl/tests.sh index e30569e0ec1b..19e5c8f6f8d9 100644 --- a/external/mpl/bind/dist/bin/tests/system/acl/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/acl/tests.sh @@ -99,7 +99,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two diff --git a/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh b/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh index a8118dd2f4d1..ef676772d76a 100644 --- a/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh +++ b/external/mpl/bind/dist/bin/tests/system/autosign/clean.sh 
@@ -23,14 +23,13 @@ rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* rm -f digcomp.out.test* -rm -f digcomp.out.test* rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f nopriv.key vanishing.key del1.key del2.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock -rm -f ns*/named.lock rm -f ns1/root.db rm -f ns2/example.db +rm -f ns2/optout-with-ent.db rm -f ns2/private.secure.example.db ns2/bar.db rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf diff --git a/external/mpl/bind/dist/bin/tests/system/autosign/ns2/keygen.sh b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/keygen.sh index 839995ced4bc..087d39747082 100644 --- a/external/mpl/bind/dist/bin/tests/system/autosign/ns2/keygen.sh +++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/keygen.sh @@ -56,3 +56,11 @@ do done $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null $DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP + +# a zone with empty non-terminals. +zone=optout-with-ent +zonefile=optout-with-ent.db +infile=optout-with-ent.db.in +cat $infile > $zonefile +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null diff --git a/external/mpl/bind/dist/bin/tests/system/autosign/ns2/named.conf.in b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/named.conf.in index 2a769f5e86d3..d70306ad8cfe 100644 --- a/external/mpl/bind/dist/bin/tests/system/autosign/ns2/named.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/named.conf.in @@ -96,4 +96,13 @@ zone "child.optout.example" { auto-dnssec maintain; }; +zone "optout-with-ent" { + type primary; + file "optout-with-ent.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + include "trusted.conf"; 
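Review bot: `kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone)` captures the KSK name but nothing in the hunk reads it, so as written the assignment is dead and the line could match the ZSK line below it, `$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone > /dev/null`. The rest of keygen.sh is outside this hunk, and the visible context for `bar` feeds a hard-coded key file to `$DSFROMKEY` rather than a variable, so confirm no later step (a dsset for optout-with-ent, for instance) was meant to use `$kskname` before dropping it. If such a step was intended and forgotten, that is the more useful thing to add here.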
diff --git a/external/mpl/bind/dist/bin/tests/system/autosign/ns2/optout-with-ent.db.in b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/optout-with-ent.db.in new file mode 100644 index 000000000000..5a3e207f2cc4 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/autosign/ns2/optout-with-ent.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns2.example. . ( + 2010042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +sub1.ent NS . +sub2.ent NS . diff --git a/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh b/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh index 309e938f2778..ac96507b4f28 100755 --- a/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/autosign/tests.sh @@ -153,7 +153,7 @@ do $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 done - for z in bar. example. private.secure.example. + for z in bar. example. private.secure.example. optout-with-ent. do $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 
@@ -173,6 +173,9 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "done"; fi status=$((status + ret)) +echo_i "Convert optout-with-ent from nsec to nsec3" +($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 + echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" for z in . do 
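Review bot: The `|| ret=1` on the `$RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent` line sets `ret` after the preceding `status=$((status + ret))` and with no accounting of its own, so a failed NSEC to NSEC3 conversion is only counted if the following "Initial counts" block happens to carry `ret` forward; whether that block resets `ret=0` is outside the hunk. If a failed conversion should fail the run, give the step the usual shape: `ret=0` before the rndc line and `if [ $ret != 0 ]; then echo_i "failed"; fi` plus `status=$((status + ret))` after it. The ENT-removal test added at line 1744 depends on this zone actually being NSEC3, so a silently failed conversion here would surface only as a confusing failure there.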
@@ -1741,5 +1744,45 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)" +ret=0 +zone=optout-with-ent +hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL +# check that NSEC3 for ENT is present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +# remove first delegation of two delegations, NSEC3 for ENT should remain. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub1.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is still present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +# remove second delegation of two delegations, NSEC3 for ENT should be deleted. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub2.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is gone present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." dig.out.axfr.ns2.test$n > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 
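Review bot: After the first `$NSUPDATE` the line `$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n` is repeated just before the `mid` query, which overwrites the pre-update capture with post-update data and leaves nothing to diagnose from if the first three greps had failed; it reads as a copy-paste leftover and should be removed. Neither `) | $NSUPDATE` checks the update's exit status, so a rejected update is reported only indirectly by the later greps; `) | $NSUPDATE || ret=1` on both would localise the failure. The comment `# check that NSEC3 for ENT is gone present` looks like a leftover as well and should say `# check that NSEC3 for ENT is gone`. `hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL` is presumably the NSEC3 owner for `ent.optout-with-ent` under the `1 1 1 -` parameters set earlier in this file; a comment naming that dependency (`# NSEC3 hash of ent.${zone} for nsec3param 1 1 1 -`) would spare the next person recomputing it when the parameters change.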
diff --git a/external/mpl/bind/dist/bin/tests/system/catz/clean.sh b/external/mpl/bind/dist/bin/tests/system/catz/clean.sh index fd8e9e4c3fbc..b021f3baac24 100644 --- a/external/mpl/bind/dist/bin/tests/system/catz/clean.sh +++ b/external/mpl/bind/dist/bin/tests/system/catz/clean.sh @@ -23,6 +23,7 @@ rm -f ns1/*dom*example.db rm -f ns2/__catz__*db rm -f ns2/named.conf.tmp rm -f ns3/dom13.example.db ns3/dom14.example.db +rm -f ns4/catalog-self.example.db rm -f nsupdate.out.* rm -f ns[123]/catalog[1234].example.db rm -rf ns2/zonedir diff --git a/external/mpl/bind/dist/bin/tests/system/catz/ns2/named1.conf.in b/external/mpl/bind/dist/bin/tests/system/catz/ns2/named1.conf.in index 14cb8e01462b..38381eb2e7e0 100644 --- a/external/mpl/bind/dist/bin/tests/system/catz/ns2/named1.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/catz/ns2/named1.conf.in @@ -47,7 +47,7 @@ options { }; # A faulty dlz configuration to check if named and catz survive a certain class -# of failed configuration attempts (see GL#3060). +# of failed configuration attempts (see GL #3060). # We use "dlz" because the dlz processing code is located in an ideal place in # the view configuration function for the test to cover the view reverting code. #T3dlz "bad-dlz" { @@ -78,6 +78,15 @@ zone "catalog4.example" { primaries { 10.53.0.1; }; }; +# When the following zone configuration is enabled, "dom3.example" should +# already exist as a member of "catalog1.example", and named should be able +# to deal with that situation (see GL #3911). Make sure that this duplicate +# zone comes after the the "catalog1.example" zone in the configuration file. +#T4zone "dom3.example" { +#T4 type secondary; +#T4 file "dom2.example.db"; +#T4}; + key tsig_key. { secret "LSAnCU+Z"; algorithm @DEFAULT_HMAC@; diff --git a/external/mpl/bind/dist/bin/tests/system/catz/ns4/catalog.example.db.in b/external/mpl/bind/dist/bin/tests/system/catz/ns4/catalog.example.db.in new file mode 100644 index 000000000000..a0bab0dfe284 
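Review bot: The comment added above the `#T4` block in ns2/named1.conf.in has a doubled word, `comes after the the "catalog1.example" zone`, and should read `comes after the "catalog1.example" zone`. The commented-out `dom3.example` zone is given `file "dom2.example.db"`; if reusing dom2's file is deliberate, presumably so the duplicate never writes the member zone's own file, a clause in the comment saying so would help, otherwise it looks like a copy-paste slip. The `#T4` lines are presumably enabled by a later test step, which is outside this hunk.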
--- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/catz/ns4/catalog.example.db.in @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" diff --git a/external/mpl/bind/dist/bin/tests/system/catz/ns4/named.conf.in b/external/mpl/bind/dist/bin/tests/system/catz/ns4/named.conf.in new file mode 100644 index 000000000000..5f9930807f91 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/catz/ns4/named.conf.in 
@@ -0,0 +1,55 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { fd92:7065:b8e:ffff::4; }; + notify no; + notify-delay 0; + recursion no; + serial-query-rate 100; + ixfr-from-differences yes; // GL #3777 + + catalog-zones { + zone "catalog-self.example" + min-update-interval 1s + default-masters { 10.53.0.4; }; + }; +}; + +zone "catalog-self.example" { + type primary; + file "catalog-self.example.db"; + notify explicit; +}; + +key tsig_key. { + secret "LSAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; + +key next_key. { + secret "LaAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/catz/setup.sh b/external/mpl/bind/dist/bin/tests/system/catz/setup.sh index ec3580b597d9..d8ea17777746 100644 --- a/external/mpl/bind/dist/bin/tests/system/catz/setup.sh +++ b/external/mpl/bind/dist/bin/tests/system/catz/setup.sh 
@@ -19,10 +19,12 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named1.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf cp -f ns1/catalog.example.db.in ns1/catalog1.example.db cp -f ns3/catalog.example.db.in ns3/catalog2.example.db cp -f ns1/catalog.example.db.in ns1/catalog3.example.db cp -f ns1/catalog.example.db.in ns1/catalog4.example.db +cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db mkdir -p ns2/zonedir diff --git a/external/mpl/bind/dist/bin/tests/system/catz/tests.sh b/external/mpl/bind/dist/bin/tests/system/catz/tests.sh index d85dfbbda77e..69b3a5772fd4 100644 --- a/external/mpl/bind/dist/bin/tests/system/catz/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/catz/tests.sh @@ -373,6 +373,9 @@ wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# GL #3060 n=$((n+1)) echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 
@@ -397,6 +400,38 @@ rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# GL #3911 +n=$((n+1)) +echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" +ret=0 +sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# catalog zone update can be deferred +sleep 2 + +n=$((n+1)) +echo_i "checking again that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "removing all records from catalog1 zone ($n)" ret=0 
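Review bot: The GL #3911 step only asserts that `$RNDC ... reconfig` exits non-zero; it never checks that named rejected the configuration for the expected reason, so an rndc transport error would also pass. Since `nextpart ns2/named.run >/dev/null` already marks the log position just before the step, add `wait_for_log 5 "reloading configuration failed" ns2/named.run || ret=1` after the rndc line (the helper is used elsewhere in this commit). The bare `$RNDC -c ../common/rndc.conf ...` invocation also departs from the `rndccmd` helper used on the neighbouring lines; a one-line comment saying why the helper is bypassed here (presumably because it aborts on failure) would help. The fixed `sleep 2` looks redundant given that `wait_for_soa` already retries, but I cannot confirm that from here.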
@@ -1858,5 +1893,23 @@ wait_for_message ns2/named.run "transfer of 'dom19.example/IN' from 10.53.0.1#${ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## +# GL #3777 +nextpart ns4/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" +ret=0 +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +rndccmd 10.53.0.4 reload || ret=1 + +n=$((n+1)) +echo_i "Issuing another rndc reload command after 1 second ($n)" +sleep 1 +rndccmd 10.53.0.4 reload || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/external/mpl/bind/dist/bin/tests/system/chain/ans4/ans.py b/external/mpl/bind/dist/bin/tests/system/chain/ans4/ans.py index 4d17705ef135..839067faa5e6 100755 --- a/external/mpl/bind/dist/bin/tests/system/chain/ans4/ans.py +++ b/external/mpl/bind/dist/bin/tests/system/chain/ans4/ans.py @@ -265,7 +265,7 @@ def create_response(msg): if wantsigs: r.answer.append(sigs[-1]) else: - for (i, sig) in rrs: + for i, sig in rrs: if sig and not wantsigs: continue elif sig: diff --git a/external/mpl/bind/dist/bin/tests/system/checkconf/kasp-bad-keylen.conf b/external/mpl/bind/dist/bin/tests/system/checkconf/kasp-bad-keylen.conf index 0fb8e16e7ee5..7e3465f9634b 100644 --- a/external/mpl/bind/dist/bin/tests/system/checkconf/kasp-bad-keylen.conf +++ b/external/mpl/bind/dist/bin/tests/system/checkconf/kasp-bad-keylen.conf @@ -20,5 +20,5 @@ dnssec-policy "bad-keylen" { zone "example.net" { type master; file "example.db"; - dnssec-policy "badkeylen"; + dnssec-policy "bad-keylen"; }; 
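Review bot: In the GL #3777 block, `nextpart ns4/named.run >/dev/null` records a log position that nothing reads afterwards, so the test passes as long as both `rndccmd 10.53.0.4 reload` calls succeed and never confirms that named processed the unchanged-serial update. Either drop the `nextpart` or follow the second reload with a `wait_for_log` on the catalog-zone update message that the fix is meant to produce. The `sleep 1` is also silently coupled to `min-update-interval 1s` in ns4/named.conf.in; a comment such as `# must exceed min-update-interval (1s) in ns4/named.conf.in` would keep the two in step.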
diff --git a/external/mpl/bind/dist/bin/tests/system/cookie/ans9/ans.py b/external/mpl/bind/dist/bin/tests/system/cookie/ans9/ans.py index 550909466a88..1266b7e99785 100644 --- a/external/mpl/bind/dist/bin/tests/system/cookie/ans9/ans.py +++ b/external/mpl/bind/dist/bin/tests/system/cookie/ans9/ans.py @@ -35,6 +35,7 @@ from dns.rdataclass import * from dns.rdatatype import * from dns.tsig import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: @@ -54,6 +55,7 @@ except: dopass2 = False + ############################################################################ # # This server will serve valid and spoofed answers. A spoofed answer will diff --git a/external/mpl/bind/dist/bin/tests/system/dnssec/ans10/ans.py b/external/mpl/bind/dist/bin/tests/system/dnssec/ans10/ans.py index c2f60e68e536..dbe49e5e5ab4 100644 --- a/external/mpl/bind/dist/bin/tests/system/dnssec/ans10/ans.py +++ b/external/mpl/bind/dist/bin/tests/system/dnssec/ans10/ans.py @@ -25,6 +25,7 @@ from dns.rdataclass import * from dns.rcode import * from dns.name import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: diff --git a/external/mpl/bind/dist/bin/tests/system/dnstap/tests.sh b/external/mpl/bind/dist/bin/tests/system/dnstap/tests.sh index a630c3b6ba61..0724a492874a 100644 --- a/external/mpl/bind/dist/bin/tests/system/dnstap/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/dnstap/tests.sh @@ -670,6 +670,7 @@ EOF $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ -w dnstap.out > fstrm_capture.out 2>&1 & fstrm_capture_pid=$! + sleep 1 $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i $DIG $DIGOPTS @10.53.0.4 a.example > dig.out diff --git a/external/mpl/bind/dist/bin/tests/system/dupsigs/tests.sh b/external/mpl/bind/dist/bin/tests/system/dupsigs/tests.sh index c9599b223494..dfc88ce80c23 100644 --- a/external/mpl/bind/dist/bin/tests/system/dupsigs/tests.sh 
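Review bot: In dnstap/tests.sh the new `sleep 1` after backgrounding `$FSTRM_CAPTURE` is an uncommented fixed delay that papers over the race between the capture process creating its socket and `rndc dnstap -reopen`; on a loaded CI host one second may still be too short. Waiting for the socket itself is both faster and deterministic, e.g. `retry_quiet 10 test -S ns4/dnstap.out || echo_i "fstrm_capture socket not ready"` in place of the sleep (`retry_quiet` is already used by other tests in this commit). If the sleep stays, give it a why-comment: `# give fstrm_capture time to create ns4/dnstap.out before -reopen`.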
+++ b/external/mpl/bind/dist/bin/tests/system/dupsigs/tests.sh 
@@ -20,29 +20,42 @@ status=0 # # We expect the zone to have the following: # -# - 5 signatures for signing.test. +# - 6 signatures for signing.test. # - 3 signatures for ns.signing.test. # - 2 x 500 signatures for a{0000-0499}.signing.test. # -# for a total of 1008. +# for a total of 1009. fully_signed () { - $DIG axfr signing.test -p ${PORT} @10.53.0.1 | - awk 'BEGIN { lines = 0 } - $4 == "RRSIG" {lines++} - END { if (lines != 1008) exit(1) }' + $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } + $4 == "RRSIG" {lines++} + END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr" } -retry_quiet 30 fully_signed || ret=1 + +# Wait for the last NSEC record in the zone to be signed. This is a lightweight +# alternative to avoid many AXFR requests while waiting for the zone to be +# fully signed. +_wait_for_last_nsec_signed() { + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 + return 0 +} + +echo_i "wait for the zone to be fully signed" +retry_quiet 60 _wait_for_last_nsec_signed +retry_quiet 10 fully_signed || status=1 +if [ $status != 0 ]; then echo_i "failed"; fi start=`date +%s` now=$start end=$((start + 140)) -while [ $now -lt $end ]; do +while [ $now -lt $end ] && [ $status -eq 0 ]; do et=$((now - start)) - echo "=============== $et ============" - $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl + echo_i "............... $et ............" + $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et - awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` if [ ${et} -ne 0 -a ${lines} -ne 1009 ] then 
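Review bot: The exit status of `retry_quiet 60 _wait_for_last_nsec_signed` is ignored, so when the wait times out the only diagnostic is the later generic "failed" from `fully_signed`, which makes a slow-signing failure indistinguishable from a wrong signature count. Report the timeout explicitly: `retry_quiet 60 _wait_for_last_nsec_signed || echo_i "timed out waiting for a0499.signing.test NSEC to be signed"`. Separately, `_wait_for_last_nsec_signed` greps a broad pattern (`signing.test\..*IN.*RRSIG.*signing.test`) on a `+dnssec` response; anchoring it to the NSEC type (`RRSIG.*NSEC`) would avoid matching the RRSIG over the answer's A record instead of the NSEC, assuming the response carries both. The `start=\`date +%s\`` backtick form on the unchanged lines is the legacy style; new lines in the same hunk already use `$(...)`.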
diff --git a/external/mpl/bind/dist/bin/tests/system/forward/ans11/ans.py b/external/mpl/bind/dist/bin/tests/system/forward/ans11/ans.py index c04355861390..e8f11952092c 100644 --- a/external/mpl/bind/dist/bin/tests/system/forward/ans11/ans.py +++ b/external/mpl/bind/dist/bin/tests/system/forward/ans11/ans.py @@ -25,6 +25,7 @@ from dns.rdataclass import * from dns.rcode import * from dns.name import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: diff --git a/external/mpl/bind/dist/bin/tests/system/get_algorithms.py b/external/mpl/bind/dist/bin/tests/system/get_algorithms.py index f1b020bffca1..529487a8aca4 100755 --- a/external/mpl/bind/dist/bin/tests/system/get_algorithms.py +++ b/external/mpl/bind/dist/bin/tests/system/get_algorithms.py @@ -111,7 +111,10 @@ def is_supported(alg: Algorithm) -> bool: f"{TESTCRYPTO} -q {alg.name}", shell=True, check=True, - env={"KEYGEN": KEYGEN}, + env={ + "KEYGEN": KEYGEN, + "TMPDIR": os.getenv("TMPDIR", "/tmp"), + }, stdout=subprocess.DEVNULL, ) except subprocess.CalledProcessError as exc: @@ -232,9 +235,8 @@ def main(): # later by run.sh print("export ALGORITHM_SET=error") raise - else: - for name, value in algs_env.items(): - print(f"export {name}={value}") + for name, value in algs_env.items(): + print(f"export {name}={value}") if __name__ == "__main__": diff --git a/external/mpl/bind/dist/bin/tests/system/inline/tests_signed_zone_files.py b/external/mpl/bind/dist/bin/tests/system/inline/tests_signed_zone_files.py index 06806eeb7dc8..596b756933ee 100755 --- a/external/mpl/bind/dist/bin/tests/system/inline/tests_signed_zone_files.py +++ b/external/mpl/bind/dist/bin/tests/system/inline/tests_signed_zone_files.py @@ -35,7 +35,6 @@ class RawFormatHeader(dict): def test_unsigned_serial_number(): - """ Check whether all signed zone files in the "ns8" subdirectory contain the serial number of the unsigned version of the zone in the raw-format header. 
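Review bot: The new `"TMPDIR": os.getenv("TMPDIR", "/tmp")` entry in get_algorithms.py has no comment explaining why it is needed; because `env=` replaces the child's whole environment, only these two variables reach the `-q` helper, which is presumably why TMPDIR had to be forwarded by hand. Suggest `# env= replaces the whole environment; forward TMPDIR so the helper's temp files land where the caller expects`. `os.getenv` also requires `import os` at module level, which is outside this hunk, so confirm it is already imported. The enclosing `is_supported` begins before the hunk.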
diff --git a/external/mpl/bind/dist/bin/tests/system/kasp/tests.sh b/external/mpl/bind/dist/bin/tests/system/kasp/tests.sh index 33db173936dd..c2bf7e95e621 100644 --- a/external/mpl/bind/dist/bin/tests/system/kasp/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/kasp/tests.sh @@ -551,15 +551,23 @@ _wait_for_metadata() { n=$((n+1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" -rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" -retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +# DS State should be forced into RUMOURED. +set_keystate "KEY1" "STATE_DS" "rumoured" +check_keys test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" -rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" -retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +# DS State should be forced into UNRETENTIVE. +set_keystate "KEY1" "STATE_DS" "unretentive" +check_keys test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) diff --git a/external/mpl/bind/dist/bin/tests/system/legacy/tests.sh b/external/mpl/bind/dist/bin/tests/system/legacy/tests.sh index 13e7b97f27f2..5e1622b25261 100755 --- a/external/mpl/bind/dist/bin/tests/system/legacy/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/legacy/tests.sh 
@@ -33,7 +33,7 @@ resolution_succeeds() { resolution_fails() { _servfail=0 _timeout=0 - $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n + $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n grep "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1 grep "connection timed out" dig.out.test$n > /dev/null && _timeout=1 if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/clean.sh b/external/mpl/bind/dist/bin/tests/system/logfileconfig/clean.sh index e19db68015db..18aa5de2dd60 100644 --- a/external/mpl/bind/dist/bin/tests/system/logfileconfig/clean.sh +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/clean.sh @@ -14,10 +14,9 @@ # # Clean up after log file tests # -rm -f ns1/rndc.conf -rm -f ns1/controls.conf rm -f ns1/named.conf -rm -f ns1/named.pid ns1/named.run +rm -f ns1/named.args +rm -f ns1/named.pid ns1/named.run ns1/named.run.prev rm -f ns1/named.memstats ns1/dig.out rm -f ns1/named_log ns1/named_pipe ns1/named_sym rm -rf ns1/named_dir diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/named1.args b/external/mpl/bind/dist/bin/tests/system/logfileconfig/named1.args new file mode 100644 index 000000000000..764d4c969eb5 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/named1.args @@ -0,0 +1 @@ +-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/named2.args b/external/mpl/bind/dist/bin/tests/system/logfileconfig/named2.args new file mode 100644 index 000000000000..fb9fe5737113 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/named2.args @@ -0,0 +1 @@ +-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog 
diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.dirconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.dirconf.in new file mode 100644 index 000000000000..12b3e962574b --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.dirconf.in @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "/tmp"; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in new file mode 100644 index 000000000000..2b4b1819d04c --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in 
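Review bot: The new named.dirconf.in fixture points the logging channel at `file "/tmp";`, a host-wide path, whereas the removed tests.sh code created a test-local directory (`$DIRFILE`, i.e. `named_dir`) for this "directory as log file" case and clean.sh still removes `ns1/named_dir`. Unless the rewritten tests.sh (which continues past this chunk) now creates that directory itself, the fixture should use `file "named_dir";` with the `mkdir -p` kept in the test, so the check does not depend on `/tmp` existing or being a directory on the build host. The other new ns1/named.*.in fixtures all use relative file names, so this one stands out.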
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "named_iso8601_utc"; + print-time iso8601-utc; + severity debug 9; + }; + category default { default_log; default_debug; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601.in new file mode 100644 index 000000000000..1eb1aa8c5af6 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.iso8601.in 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "named_iso8601"; + print-time iso8601; + severity debug 9; + }; + category default { default_log; default_debug; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.pipeconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.pipeconf.in new file mode 100644 index 000000000000..5497b62f10b3 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.pipeconf.in 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "named_pipe"; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plain.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plain.in new file mode 100644 index 000000000000..53a1946374f8 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plain.in 
@@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "named_log"; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; + + channel query_log { + file "query_log"; + print-time yes; + buffered yes; + }; + category queries { query_log; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plainconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plainconf.in new file mode 100644 index 000000000000..8a70ca061c77 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.plainconf.in 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.symconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.symconf.in new file mode 100644 index 000000000000..5b30e5797aad --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.symconf.in 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "named_sym"; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.tsconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.tsconf.in new file mode 100644 index 000000000000..4b0f8af55f3c --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.tsconf.in 
@@ -0,0 +1,52 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + buffered no; + file "named_ts" versions 3 size 1000 suffix timestamp; # small size + severity debug 100; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; + + channel query_log { + file "query_log"; + print-time yes; + buffered yes; + }; + category queries { query_log; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited.in new file mode 100644 index 000000000000..506b49b3c649 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited.in 
@@ -0,0 +1,52 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + buffered no; + file "named_unlimited" versions unlimited size 1000; + severity debug 100; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; + + channel query_log { + file "query_log"; + print-time yes; + buffered yes; + }; + category queries { query_log; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf.in b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf.in new file mode 100644 index 000000000000..3860ae8c31db --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf.in 
@@ -0,0 +1,52 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + buffered no; + file "named_vers" versions 5 size 1000; // really small size + severity debug 100; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; + + channel query_log { + file "query_log"; + print-time yes; + buffered yes; + }; + category queries { query_log; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/setup.sh b/external/mpl/bind/dist/bin/tests/system/logfileconfig/setup.sh index 8a9b1398efc9..0e0cc89858ae 100644 --- a/external/mpl/bind/dist/bin/tests/system/logfileconfig/setup.sh +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/setup.sh @@ -16,6 +16,4 @@ SYSTEMTESTTOP=.. $SHELL clean.sh -copy_setports ns1/named.plain ns1/named.conf -copy_setports ns1/rndc.conf.in ns1/rndc.conf -copy_setports ns1/controls.conf.in ns1/controls.conf +copy_setports ns1/named.plain.in ns1/named.conf diff --git a/external/mpl/bind/dist/bin/tests/system/logfileconfig/tests.sh b/external/mpl/bind/dist/bin/tests/system/logfileconfig/tests.sh index c36fca946d9c..2cfb558316e0 100644 
--- a/external/mpl/bind/dist/bin/tests/system/logfileconfig/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/logfileconfig/tests.sh @@ -16,30 +16,6 @@ SYSTEMTESTTOP=.. THISDIR=`pwd` CONFDIR="ns1" -PLAINCONF="${THISDIR}/${CONFDIR}/named.plainconf" -PLAINFILE="named_log" -DIRCONF="${THISDIR}/${CONFDIR}/named.dirconf" -DIRFILE="named_dir" -PIPECONF="${THISDIR}/${CONFDIR}/named.pipeconf" -PIPEFILE="named_pipe" -SYMCONF="${THISDIR}/${CONFDIR}/named.symconf" -SYMFILE="named_sym" -VERSCONF="${THISDIR}/${CONFDIR}/named.versconf" -VERSFILE="named_vers" -TSCONF="${THISDIR}/${CONFDIR}/named.tsconf" -TSFILE="named_ts" -UNLIMITEDCONF="${THISDIR}/${CONFDIR}/named.unlimited" -UNLIMITEDFILE="named_unlimited" -ISOCONF="${THISDIR}/${CONFDIR}/named.iso8601" -ISOFILE="named_iso8601" -ISOCONFUTC="${THISDIR}/${CONFDIR}/named.iso8601-utc" -ISOUTCFILE="named_iso8601_utc" -DLFILE="named_deflog" - -PIDFILE="${THISDIR}/${CONFDIR}/named.pid" -myRNDC="$RNDC -c ${THISDIR}/${CONFDIR}/rndc.conf" -myNAMED="$NAMED -c ${THISDIR}/${CONFDIR}/named.conf -m record,size,mctx -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4" - # Test given condition. If true, test again after a second. Used for testing # filesystem-dependent conditions in order to prevent false negatives caused by # directory contents not being synchronized immediately after rename() returns. 
@@ -53,367 +29,216 @@ test_with_retry() { return 1 } -waitforpidfile() { - for _w in 1 2 3 4 5 6 7 8 9 10 - do - test -f $PIDFILE && break - sleep 1 - done -} - status=0 n=0 -cd $CONFDIR -export SYSTEMTESTTOP=../.. - echo_i "testing log file validity (named -g + only plain files allowed)" -n=`expr $n + 1` -echo_i "testing plain file (named -g) ($n)" # First run with a known good config. -echo > $PLAINFILE -copy_setports $PLAINCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -grep "reloading configuration failed" named.run > /dev/null 2>&1 -if [ $? -ne 0 ] -then - echo_i "testing plain file succeeded" -else - echo_i "testing plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 -fi +n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try directory, expect failure -n=`expr $n + 1` -echo_i "testing directory as log file (named -g) ($n)" -echo > named.run -rm -rf $DIRFILE -mkdir -p $DIRFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $DIRCONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing directory as file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing directory as log file failed (expected)" - fi -else - echo_i "skipping directory test (unable to create directory)" -fi - -# Now try pipe file, expect failure -n=`expr $n + 1` -echo_i "testing pipe file as log file (named -g) ($n)" -echo > named.run -rm -f $PIPEFILE -mkfifo $PIPEFILE >/dev/null 2>&1 -if [ $? 
-eq 0 ] -then - copy_setports $PIPECONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing pipe file as log file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing pipe file as log file failed (expected)" - fi -else - echo_i "skipping pipe test (unable to create pipe)" -fi - -# Now try symlink file to plain file, expect success -n=`expr $n + 1` -echo_i "testing symlink to plain file as log file (named -g) ($n)" -# Assume success -echo > named.run -echo > $PLAINFILE -rm -f $SYMFILE $SYMFILE -ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $SYMCONF named.conf - $myRNDC reconfig > rndc.out.test$n 2>&1 - echo > named.run - grep "reloading configuration failed" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing symlink to plain file succeeded" - else - echo_i "testing symlink to plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 - fi -else - echo_i "skipping symlink test (unable to create symlink)" -fi -# Stop the server and run through a series of tests with various config -# files while controlling the stop/start of the server. -# Have to stop the stock server because it uses "-g" -# -stop_server ns1 - -$myNAMED > /dev/null 2>&1 - -if [ $? -ne 0 ] -then - echo_i "failed to start $myNAMED" - echo_i "exit status: $status" - exit $status -fi - -status=0 - -echo_i "testing log file validity (only plain files allowed)" - -n=`expr $n + 1` -echo_i "testing plain file (named -g) ($n)" -# First run with a known good config. -echo > $PLAINFILE -copy_setports $PLAINCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -grep "reloading configuration failed" named.run > /dev/null 2>&1 -if [ $? 
-ne 0 ] -then - echo_i "testing plain file succeeded" -else - echo_i "testing plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 -fi - -# Now try directory, expect failure -n=`expr $n + 1` +n=$((n+1)) echo_i "testing directory as log file ($n)" -echo > named.run -rm -rf $DIRFILE -mkdir -p $DIRFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $DIRCONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "configuring logging: invalid file" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing directory as file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing directory as log file failed (expected)" - fi -else - echo_i "skipping directory test (unable to create directory)" -fi +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try pipe file, expect failure -n=`expr $n + 1` +n=$((n+1)) echo_i "testing pipe file as log file ($n)" -echo > named.run -rm -f $PIPEFILE -mkfifo $PIPEFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $PIPECONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "configuring logging: invalid file" named.run > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - echo_i "testing pipe file as log file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing pipe file as log file failed (expected)" - fi +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=`expr $n + 1` +n=$((n+1)) echo_i "testing symlink to plain file as log file ($n)" -# Assume success -status=0 -echo > named.run -echo > $PLAINFILE -rm -f $SYMFILE -ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $SYMCONF named.conf - $myRNDC reconfig > rndc.out.test$n 2>&1 - echo > named.run - grep "reloading configuration failed" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing symlink to plain file succeeded" - else - echo_i "testing symlink to plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 - fi +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else echo_i "skipping symlink test (unable to create symlink)" fi -n=`expr $n + 1` -echo_i "testing default logfile using named -L file ($n)" -# Now stop the server again and test the -L option -rm -f $DLFILE -stop_server --use-rndc --port ${CONTROLPORT} ns1 -if ! 
test -f $PIDFILE; then - copy_setports $PLAINCONF named.conf - $myNAMED -L $DLFILE > /dev/null 2>&1 - if [ $? -ne 0 ]; then - echo_i "failed to start $myNAMED" - echo_i "exit status: $status" - exit $status - fi +echo_i "repeat previous tests without named -g" +copy_setports ns1/named.plain.in ns1/named.conf +$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} logfileconfig ns1 +cp named1.args ns1/named.args +start_server --noclean --restart --port ${PORT} ns1 - waitforpidfile +n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) - sleep 1 - if [ -f "$DLFILE" ]; then - echo_i "testing default logfile using named -L succeeded" - else - echo_i "testing default logfile using named -L failed" - echo_i "exit status: 1" - exit 1 - fi +# Now try directory, expect failure +n=$((n+1)) +echo_i "testing directory as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# Now try pipe file, expect failure +n=$((n+1)) +echo_i "testing pipe file as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else - echo_i "failed to cleanly stop $myNAMED" - 
echo_i "exit status: 1" - exit 1 + echo_i "skipping pipe test (unable to create pipe)" +fi + +# Now try symlink file to plain file, expect success +n=$((n+1)) +echo_i "testing symlink to plain file as log file ($n)" +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping symlink test (unable to create symlink)" fi echo_i "testing logging functionality" - -n=`expr $n + 1` +n=$((n+1)) +ret=0 echo_i "testing iso8601 timestamp ($n)" -copy_setports $ISOCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -if grep '^....-..-..T..:..:..\.... ' $ISOFILE > /dev/null; then - echo_i "testing iso8601 timestamp succeeded" -else - echo_i "testing iso8601 timestamp failed" - status=`expr $status + 1` -fi +copy_setports ns1/named.iso8601.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\.... 
' ns1/named_iso8601 > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing iso8601-utc timestamp ($n)" -copy_setports $ISOCONFUTC named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -if grep '^....-..-..T..:..:..\....Z' $ISOUTCFILE > /dev/null; then - echo_i "testing iso8601-utc timestamp succeeded" -else - echo_i "testing iso8601-utc timestamp failed" - status=`expr $status + 1` -fi +ret=0 +copy_setports ns1/named.iso8601-utc.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing explicit versions ($n)" -copy_setports $VERSCONF named.conf +ret=0 +copy_setports ns1/named.versconf.in ns1/named.conf # a seconds since epoch version number -touch $VERSFILE.1480039317 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 +touch ns1/named_vers.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing explicit versions failed: cleanup of old entries took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing explicit versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry -f $VERSFILE.1480039317 -then - echo_i "testing explicit versions failed: $VERSFILE.1480039317 not removed" - status=`expr $status + 1` -fi -if test_with_retry -f $VERSFILE.5 -then - echo_i "testing explicit versions failed: $VERSFILE.5 exists" - status=`expr $status + 1` -fi -if test_with_retry ! 
-f $VERSFILE.4 -then - echo_i "testing explicit versions failed: $VERSFILE.4 does not exist" - status=`expr $status + 1` -fi +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +# we are configured to retain five logfiles (a current file +# and 4 backups). so files with version number 5 or higher +# should be removed. +test_with_retry -f ns1/named_vers.1480039317 && ret=1 +test_with_retry -f ns1/named_vers.5 && ret=1 +test_with_retry -f ns1/named_vers.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing timestamped versions ($n)" -copy_setports $TSCONF named.conf +ret=0 +copy_setports ns1/named.tsconf.in ns1/named.conf # a seconds since epoch version number -touch $TSFILE.2015010112000012 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing timestamped versions failed: cleanup of old entries took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing timestamped versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry -f $TSFILE.1480039317 -then - echo_i "testing timestamped versions failed: $TSFILE.1480039317 not removed" - status=`expr $status + 1` -fi +touch ns1/named_ts.1480039317 +# a timestamp version number +touch ns1/named_ts.20150101120000120 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +_found2() ( + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n + grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -n=`expr $n + 1` + # we are configured to keep three versions, so the oldest + # timestamped versions should be gone, and there should + # be two or three backup ones. 
+ [ -f ns1/named_ts.1480039317 ] && return 1 + [ -f ns1/named_ts.20150101120000120 ] && return 1 + set -- ns1/named_ts.* + [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 +) +retry_quiet 5 _found2 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) echo_i "testing unlimited versions ($n)" -copy_setports $UNLIMITEDCONF named.conf +ret=0 +copy_setports ns1/named.unlimited.in ns1/named.conf # a seconds since epoch version number -touch $UNLIMITEDFILE.1480039317 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 +touch ns1/named_unlimited.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing unlimited versions failed: took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing unlimited versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry ! -f $UNLIMITEDFILE.1480039317 -then - echo_i "testing unlimited versions failed: $UNLIMITEDFILE.1480039317 removed" - status=`expr $status + 1` -fi -if test_with_retry ! 
-f $UNLIMITEDFILE.4 -then - echo_i "testing unlimited versions failed: $UNLIMITEDFILE.4 does not exist" - status=`expr $status + 1` -fi +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +test_with_retry -f ns1/named_unlimited.1480039317 || ret=1 +test_with_retry -f ns1/named_unlimited.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing default logfile using named -L file ($n)" +ret=0 +$PERL ../stop.pl logfileconfig ns1 +cp named2.args ns1/named.args +test -f ns1/named.pid && ret=1 +rm -f ns1/named_deflog +copy_setports ns1/named.plainconf.in ns1/named.conf +start_server --noclean --restart --port ${PORT} ns1 +[ -f "ns1/named_deflog" ] || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/clean.sh b/external/mpl/bind/dist/bin/tests/system/mkeys/clean.sh index 102cb3710f79..3f297a22a2f5 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/clean.sh +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/clean.sh @@ -12,17 +12,22 @@ # information regarding copyright ownership. rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk +rm -f */island.conf +rm -f */private.conf rm -f */managed*.conf ns1/managed.key ns1/managed.key.id rm -f */managed-keys.bind* */named.secroots rm -f */named.conf -rm -f ns3/broken.conf rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dsset-. ns1/dsset-. -rm -f ns1/zone.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock +rm -f ns1/dsset-sub.tld. +rm -f ns1/dsset-tld. rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp +rm -f ns1/zone.key +rm -f ns3/broken.conf +rm -f ns4/dsset-sub.foo. rm -f ns5/named.args rm -f ns7/view1.mkeys ns7/view2.mkeys rm -rf ns4/nope 
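Review bot: In the new `_found2()` the line `grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1` assigns `ret` inside the function's subshell body (`_found2() ( ... )`), so the assignment is discarded and a failed DiG lookup in the timestamped-versions test is never reported; the other checks in that function use `return 1` and this one should too: `grep "status: NOERROR" dig.out.test$n > /dev/null || return 1`. The test `[ "$#" -eq 2 -o "$#" -eq 3 ]` uses the obsolescent `-o`; `[ "$#" -eq 2 ] || [ "$#" -eq 3 ]` is the portable form. In the `named -L` test, `[ -f "ns1/named_deflog" ] || ret=1` runs straight after `start_server`, where the removed code waited a second first; whether `start_server` blocks until the log file exists is not visible in this hunk. The hunk opens inside `test_with_retry()`, whose start lies outside it.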
diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named1.conf.in b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named1.conf.in
index 1912ee184eca..6ca16e153b80 100644
--- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -47,3 +47,13 @@ zone "." {
 allow-update { any; };
 auto-dnssec maintain;
 };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named2.conf.in b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named2.conf.in
index 99ec781b52cd..4bfb4367f057 100644
--- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named2.conf.in
+++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named2.conf.in
@@ -45,3 +45,13 @@ zone "." {
 type primary;
 file "root.db.signed";
 };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named3.conf.in b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named3.conf.in
index e05965dc14c3..aa8709b628d0 100644
--- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named3.conf.in
+++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/named3.conf.in
@@ -39,3 +39,13 @@ zone "." {
 type primary;
 file "root.db.signed";
 };
+
+zone "tld" {
+ type primary;
+ file "tld.db.signed";
+};
+
+zone "sub.tld" {
+ type primary;
+ file "sub.tld.db.signed";
+};
diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/root.db b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/root.db
index ae5c1251c4ca..bc837886721f 100644
--- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/root.db
+++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/root.db
@@ -23,3 +23,6 @@ a.root-servers.nil. A 10.53.0.1 ; no delegation example. TXT "This is a test." + +tld. NS ns.tld. +ns.tld. A 10.53.0.1 diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sign.sh b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sign.sh index 908429f7acad..fa57307e7081 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sign.sh +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sign.sh @@ -14,6 +14,24 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +zone=sub.tld +zonefile=sub.tld.db + +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) +zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) + +$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +keyfile_to_initial_ds $keyname > island.conf +cp island.conf ../ns5/island.conf + +zone=tld +zonefile=tld.db + +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) +zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) + +$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null + zone=. zonefile=root.db diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sub.tld.db b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sub.tld.db new file mode 100644 index 000000000000..35d436112da6 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/sub.tld.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +sub.tld. IN SOA marka.isc.org. ns.sub.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 
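Review bot: `$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null` in the new sub.tld and tld sections of ns1/sign.sh throws away the signer's diagnostics, so when signing fails (missing key files, a bad zone file) nothing in the test output explains why `tld.db.signed`, `sub.tld.db.signed` or `island.conf` is absent; keep stderr, `$SIGNER -Sg -o $zone $zonefile > /dev/null`. The new ns4/sign.sh hunk further down repeats the same redirection for sub.foo and the note applies there too. `zskkeyname` is assigned for both zones but never read within the hunk; the key generation itself still matters because `-S` appears to pick the keys up from the directory, so `$KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone > /dev/null` would make that explicit instead of leaving a dead variable. Whether ns1/sign.sh runs under `sh -e` as ns4/sign.sh does is outside this hunk.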
diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/tld.db b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/tld.db new file mode 100644 index 000000000000..5c54e0e9db1a --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns1/tld.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +tld. IN SOA marka.isc.org. ns.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +tld. NS ns.tld. +ns.tld. A 10.53.0.1 +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/named.conf.in b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/named.conf.in index 6bbc6b7b94d2..f72c081fc5eb 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/named.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/named.conf.in @@ -41,3 +41,8 @@ zone "." { type hint; file "../../common/root.hint"; }; + +zone "sub.foo" { + type primary; + file "sub.foo.db.signed"; +}; diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sign.sh b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sign.sh new file mode 100644 index 000000000000..13d7640064d6 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sign.sh 
@@ -0,0 +1,25 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=../.. +. $SYSTEMTESTTOP/conf.sh + +zone=sub.foo +zonefile=sub.foo.db + +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) +zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) + +$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +keyfile_to_initial_ds $keyname > private.conf +cp private.conf ../ns5/private.conf diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sub.foo.db b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sub.foo.db new file mode 100644 index 000000000000..7bc31047b646 --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns4/sub.foo.db @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +sub.foo. IN SOA marka.isc.org. ns.foo. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +sub.foo. NS ns.sub.foo. +ns.sub.foo. A 10.53.0.4 diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/foo.db b/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/foo.db new file mode 100644 index 000000000000..092a1c3b0eee --- /dev/null +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/foo.db 
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +foo. IN SOA marka.isc.org. ns.foo. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +foo. NS ns.foo. +ns.foo. A 10.53.0.5 +sub.foo. NS ns.sub.foo. +ns.sub.foo. A 10.53.0.4 diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/named.conf.in b/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/named.conf.in index aec778f243bc..8af1a46c1b4a 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/named.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/ns5/named.conf.in @@ -41,3 +41,11 @@ zone "." { type hint; file "../../common/root.hint"; }; + +zone "foo" { + type primary; + file "foo.db"; +}; + +include "island.conf"; +include "private.conf"; diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/setup.sh b/external/mpl/bind/dist/bin/tests/system/mkeys/setup.sh index 6b361de8c7e2..b110094d8667 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/setup.sh +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/setup.sh @@ -33,6 +33,7 @@ copy_setports ns7/named.conf.in ns7/named.conf cp ns5/named1.args ns5/named.args ( cd ns1 && $SHELL sign.sh ) +( cd ns4 && $SHELL sign.sh ) ( cd ns6 && $SHELL setup.sh ) cp ns2/managed.conf ns2/managed1.conf diff --git a/external/mpl/bind/dist/bin/tests/system/mkeys/tests.sh b/external/mpl/bind/dist/bin/tests/system/mkeys/tests.sh index 330b37d54c22..b11ded3bd9e9 100644 --- a/external/mpl/bind/dist/bin/tests/system/mkeys/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/mkeys/tests.sh 
@@ -568,44 +568,46 @@ grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) -n=$((n+1)) -echo_i "reset the root server with no keys, check for minimal update ($n)" -ret=0 -# Refresh keys first to prevent previous checks from influencing this one. -# Note that we might still get occasional false negatives on some really slow -# machines, when $t1 equals $t2 due to the time elapsed between "rndc -# managed-keys status" calls being equal to the normal active refresh period -# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as -# set using -T mkeytimers). -mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 -t1=$(grep 'next refresh:' rndc.out.1.$n) || true -stop_server --use-rndc --port "${CONTROLPORT}" ns1 -rm -f ns1/root.db.signed.jnl -cp ns1/root.db ns1/root.db.signed -nextpart ns1/named.run > /dev/null -start_server --noclean --restart --port "${PORT}" ns1 -wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 -# one key listed -count=$(grep -c "keyid: " rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -# it's the original key id -count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -# not revoked -count=$(grep -c "REVOKE" rndc.out.2.$n) || true -[ "$count" -eq 0 ] || ret=1 -# trust is still current -count=$(grep -c "trust" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -count=$(grep -c "trusted since" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -t2=$(grep 'next refresh:' rndc.out.2.$n) || true -[ "$t1" = "$t2" ] && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if [ ! "$CYGWIN" ]; then + n=$((n+1)) + echo_i "reset the root server with no keys, check for minimal update ($n)" + ret=0 + # Refresh keys first to prevent previous checks from influencing this one. 
+ # Note that we might still get occasional false negatives on some really slow + # machines, when $t1 equals $t2 due to the time elapsed between "rndc + # managed-keys status" calls being equal to the normal active refresh period + # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as + # set using -T mkeytimers). + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 + t1=$(grep 'next refresh:' rndc.out.1.$n) || true + stop_server --use-rndc --port "${CONTROLPORT}" ns1 + rm -f ns1/root.db.signed.jnl + cp ns1/root.db ns1/root.db.signed + nextpart ns1/named.run > /dev/null + start_server --noclean --restart --port "${PORT}" ns1 + wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 + # one key listed + count=$(grep -c "keyid: " rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # it's the original key id + count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # not revoked + count=$(grep -c "REVOKE" rndc.out.2.$n) || true + [ "$count" -eq 0 ] || ret=1 + # trust is still current + count=$(grep -c "trust" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + count=$(grep -c "trusted since" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + t2=$(grep 'next refresh:' rndc.out.2.$n) || true + [ "$t1" = "$t2" ] && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +fi n=$((n+1)) echo_i "reset the root server with no signatures, check for minimal update ($n)" 
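Review bot: The new `if [ ! "$CYGWIN" ]; then` guard skips the whole root-reset test on Cygwin without saying why and without announcing the skip, so a Cygwin run silently loses this coverage and the test numbering hides it; add a comment above the guard such as `# Skipped on Cygwin: <reason placeholder>` and an `else` branch, `echo_i "skipping root server reset test on Cygwin"`. `[ -z "$CYGWIN" ]` states the intent more plainly than the negated string test. The body of the block is the previous test re-indented, so the hunk is a move rather than a behaviour change.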
@@ -680,8 +682,12 @@ rndccmd 10.53.0.2 managed-keys destroy | sed 's/^/ns2 /' | cat_i mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 mkeys_reconfig_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 -grep "name: \." rndc.out.2.$n > /dev/null || ret=1 +check_root_trust_anchor_is_present_in_status() { + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1 + grep "name: \." rndc.out.2.$n > /dev/null || return 1 + return 0 +} +retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -719,7 +725,9 @@ ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5 -wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 # ns5/named.run will contain logs from both the old instance and the new # instance. In order for the test to pass, both must attempt a fetch. count=$(grep -c "Creating key fetch" ns5/named.run) || true 
@@ -727,6 +735,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + n=$((n+1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0 @@ -738,7 +763,9 @@ rm -f ns5/managed-keys.bind* cp ns5/named2.args ns5/named.args nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5 -wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible 
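Review bot: The new `mkeys_sync_on 5` call does not record a failure, unlike the `mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1` line that follows it and the `mkeys_refresh_on ... || ret=1` and `mkeys_reconfig_on ... || ret=1` calls elsewhere in this file; if the sync is refused, the status output examined next may be stale and the test can pass or fail for the wrong reason. Use `mkeys_sync_on 5 || ret=1`. The `@@ -832,5 +861,22 @@` hunk below has the same unchecked call in its `islands of trust now that root is reachable` block.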
@@ -751,7 +778,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf rm -f ns1/root.db.signed.jnl nextpart ns5/named.run > /dev/null mkeys_reconfig_on 1 || ret=1 -wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; managed' ns5/named.secroots > /dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be @@ -832,5 +861,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# theee lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/external/mpl/bind/dist/bin/tests/system/nsec3/tests.sh b/external/mpl/bind/dist/bin/tests/system/nsec3/tests.sh index 6b3eb7adeab7..0141103d7c6a 100644 --- a/external/mpl/bind/dist/bin/tests/system/nsec3/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/nsec3/tests.sh 
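Review bot: Two comments added in the `@@ -832` hunk need wording fixes: `# theee lines indicating trust status` should read `# three lines indicating trust status`, and `# three indicates current trust` reads better as `# all three keys should now be trusted`. Since this check mirrors the earlier 'root unreachable' check line for line, matching its comment wording makes the two blocks easy to compare by eye.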
@@ -231,7 +231,6 @@ dnssec_verify # This is a secondary zone, where the primary is signed with NSEC3 but # the dnssec-policy dictates NSEC. set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600 -set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec diff --git a/external/mpl/bind/dist/bin/tests/system/nsupdate/setup.sh b/external/mpl/bind/dist/bin/tests/system/nsupdate/setup.sh index c9a756e75dc5..fac39d4fbabd 100644 --- a/external/mpl/bind/dist/bin/tests/system/nsupdate/setup.sh +++ b/external/mpl/bind/dist/bin/tests/system/nsupdate/setup.sh @@ -73,7 +73,11 @@ EOF $DDNSCONFGEN -q -z example.nil > ns1/ddns.key -$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +if $FEATURETEST --md5; then + $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +else + echo -n > ns1/md5.key +fi $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff --git a/external/mpl/bind/dist/bin/tests/system/nsupdate/tests.sh b/external/mpl/bind/dist/bin/tests/system/nsupdate/tests.sh index 67ffc27c1b4d..2cf23ac71fe2 100755 --- a/external/mpl/bind/dist/bin/tests/system/nsupdate/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/nsupdate/tests.sh @@ -852,7 +852,14 @@ fi n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" +else + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" +fi +for alg in $ALGS; do $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 
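Review bot: `echo -n > ns1/md5.key` in the new else-branch of nsupdate/setup.sh is not portable: a POSIX `echo` may treat `-n` as text and write a literal `-n` line, so the "no md5" case would produce a key file containing garbage rather than an empty one. `: > ns1/md5.key` truncates the file with no output and behaves the same in every `sh`. A one-line comment such as `# md5 disabled: leave an empty key file so later steps that expect ns1/md5.key still find it` would also record why an empty file is created rather than none, assuming that is the intent.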
@@ -860,7 +867,7 @@ send END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then @@ -1302,19 +1309,22 @@ END grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } -n=$((n + 1)) -ret=0 -echo_i "check that update is rejected if quota is exceeded ($n)" -for loop in 1 2 3 4 5 6 7 8 9 10; do -{ - $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 < /dev/null 2>&1 <> ns4/named.conf } -make_key 1 ${EXTRAPORT1} hmac-md5 +$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 make_key 2 ${EXTRAPORT2} hmac-sha1 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff --git a/external/mpl/bind/dist/bin/tests/system/rndc/tests.sh b/external/mpl/bind/dist/bin/tests/system/rndc/tests.sh index 43e89d308d1e..4c400621252e 100644 --- a/external/mpl/bind/dist/bin/tests/system/rndc/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/rndc/tests.sh 
@@ -350,16 +350,20 @@ done if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "testing rndc with hmac-md5 ($n)" -ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -for i in 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +if $FEATURETEST --md5; then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping rndc with hmac-md5 ($n)" +fi n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff --git a/external/mpl/bind/dist/bin/tests/system/rpz/ns3/named.conf.in b/external/mpl/bind/dist/bin/tests/system/rpz/ns3/named.conf.in index 30f08c804c8e..dc069d8164df 100644 --- a/external/mpl/bind/dist/bin/tests/system/rpz/ns3/named.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/rpz/ns3/named.conf.in @@ -148,3 +148,13 @@ zone "static-stub-nomatch." { type static-stub; server-addresses { 10.53.0.10; }; }; + +# A faulty dlz configuration to check if named with response policy zones +# survives a certain class of failed configuration attempts (see GL #3880). +# "dlz" is used because the dlz processing code is located in an ideal place in +# the view configuration function for the test to cover the view reverting code. +# The "BAD" comments below are necessary, because they will be removed using +# 'sed' by tests.sh in order to activate the faulty configuration. +#BAD dlz "bad-dlz" { +#BAD database "dlopen bad-dlz.so example.org"; +#BAD }; 
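Review bot: The rewritten hmac-md5 block in rndc/tests.sh switches to `n=$((n+1))` and `status=$((status+ret))` while the rest of the file, including the unchanged `status=\`expr $status + $ret\`` and `n=\`expr $n + 1\`` lines immediately around it, keeps the `expr` form. Both compute the same value, but mixing the two styles inside one script means a later grep-and-replace cleanup will miss lines; either keep the file's `expr` form in this block or convert the whole file in a separate change. The skip branch is otherwise fine, since `status` is left untouched there.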
diff --git a/external/mpl/bind/dist/bin/tests/system/rpz/tests.sh b/external/mpl/bind/dist/bin/tests/system/rpz/tests.sh index 6505082b2c44..760ef13fed27 100644 --- a/external/mpl/bind/dist/bin/tests/system/rpz/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/rpz/tests.sh @@ -846,6 +846,16 @@ EOF stop_server --use-rndc --port ${CONTROLPORT} ns3 restart 3 "rebuild-bl-rpz" + t=`expr $t + 1` + echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" + sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp + copy_setports ns3/named.conf.tmp ns3/named.conf + rm ns3/named.conf.tmp + $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed" + sleep 1 + copy_setports ns3/named.conf.in ns3/named.conf + $RNDCCMD $ns3 reconfig || setret "failed" + # reload a RPZ zone that is now deliberately broken. t=`expr $t + 1` echo_i "checking rpz failed update will keep previous rpz rules (${t})" diff --git a/external/mpl/bind/dist/bin/tests/system/run.sh b/external/mpl/bind/dist/bin/tests/system/run.sh index 650ae7f97429..3384397d8275 100644 --- a/external/mpl/bind/dist/bin/tests/system/run.sh +++ b/external/mpl/bind/dist/bin/tests/system/run.sh @@ -276,11 +276,8 @@ get_core_dumps() { } core_dumps=$(get_core_dumps | tr '\n' ' ') -assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l) -sanitizer_summaries=$(find "$systest/" -name 'tsan.*' | wc -l) if [ -n "$core_dumps" ]; then echoinfo "I:$systest:Core dump(s) found: $core_dumps" - echofail "R:$systest:FAIL" get_core_dumps | while read -r coredump; do SYSTESTDIR="$systest" echoinfo "D:$systest:backtrace from $coredump:" 
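Review bot: The new "rpz survives a failed reconfiguration" check can pass vacuously: `$RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed"` only asserts that rndc returned non-zero, so a reconfig that failed for an unrelated reason, or an rndc that could not connect at all, satisfies it just as well as the intended bad-dlz failure, and the fixed `sleep 1` is the only thing separating it from the restoring reconfig. Keeping the output (`> rndc.out.$t 2>&1`) and grepping it, or calling `nextpart ns3/named.run` before the first reconfig and grepping the log for the dlz load failure afterwards, would tie the assertion to the scenario the comment in ns3/named.conf.in describes; the exact log text is not visible here and needs checking against named's output. Waiting on that log line with `retry_quiet` instead of `sleep 1` would also remove the timing dependency.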
@@ -308,17 +305,23 @@ if [ -n "$core_dumps" ]; then gzip -1 "${coredump}" done status=$((status+1)) -elif [ "$assertion_failures" -ne 0 ]; then +fi + +assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l) +if [ "$assertion_failures" -ne 0 ]; then SYSTESTDIR="$systest" echoinfo "I:$systest:$assertion_failures assertion failure(s) found" + status=$((status+1)) +fi + +tsan_failures=$(find "$systest/" -name 'tsan.*' | wc -l) +if [ "$tsan_failures" -ne 0 ]; then + echoinfo "I:$systest:$tsan_failures sanitizer report(s) found" find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d - echofail "R:$systest:FAIL" status=$((status+1)) -elif [ "$sanitizer_summaries" -ne 0 ]; then - echoinfo "I:$systest:$sanitizer_summaries sanitizer report(s) found" - echofail "R:$systest:FAIL" - status=$((status+1)) -elif [ "$status" -ne 0 ]; then +fi + +if [ "$status" -ne 0 ]; then echofail "R:$systest:FAIL" else echopass "R:$systest:PASS" diff --git a/external/mpl/bind/dist/bin/tests/system/runtime/tests.sh b/external/mpl/bind/dist/bin/tests/system/runtime/tests.sh index 81184099b81c..d5e4277f2e22 100644 --- a/external/mpl/bind/dist/bin/tests/system/runtime/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/runtime/tests.sh @@ -96,7 +96,7 @@ echo_i "verifying that 'lock-file none' disables process check ($n)" ret=0 testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3) test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep "another named process" ns2/named$n.run > /dev/null && ret=1 kill_named ns2/named-alt3.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 
@@ -188,7 +188,7 @@ ret=0 INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 @@ -201,7 +201,7 @@ ret=0 INSTANCE_NAME="runtime-ns2-extra-8-$;" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 @@ -215,7 +215,7 @@ LONG_CMD_LINE=$(cat long-cmd-line) # shellcheck disable=SC2086 testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 
@@ -235,7 +235,7 @@ if [ "$(id -u)" -eq 0 ] && [ -z "$CYGWIN" ]; then chmod 0700 "${TEMP_NAMED_DIR}" testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) test -n "$testpid" || ret=1 - retry_quiet 10 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 + retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1 grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1 kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1 diff --git a/external/mpl/bind/dist/bin/tests/system/serve-stale/ans2/ans.pl b/external/mpl/bind/dist/bin/tests/system/serve-stale/ans2/ans.pl index f14ae67fe8f7..3fdc1fc9aac5 100644 --- a/external/mpl/bind/dist/bin/tests/system/serve-stale/ans2/ans.pl +++ b/external/mpl/bind/dist/bin/tests/system/serve-stale/ans2/ans.pl @@ -49,6 +49,16 @@ my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr", my $SOA = "example 300 IN SOA . . 0 0 0 0 300"; my $NS = "example 300 IN NS ns.example"; my $A = "ns.example 300 IN A $localaddr"; + +# +# Slow delegation +# +my $slowSOA = "slow 300 IN SOA . . 0 0 0 0 300"; +my $slowNS = "slow 300 IN NS ns.slow"; +my $slowA = "ns.slow 300 IN A $localaddr"; +my $slowTXT = "data.slow 2 IN TXT \"A slow text record with a 2 second ttl\""; +my $slownegSOA = "slow 2 IN SOA . . 0 0 0 0 300"; + # # Records to be TTL stretched # @@ -100,6 +110,12 @@ sub reply_handler { # If we are not responding to queries we are done. return if (!$send_response); + if (index($qname, "latency") == 0) { + # simulate network latency before answering + print " Sleeping 50 milliseconds\n"; + select(undef, undef, undef, 0.05); + } + # Construct the response and send it. if ($qname eq "ns.example" ) { if ($qtype eq "A") { 
@@ -212,6 +228,44 @@ sub reply_handler { push @auth, $rr; } $rcode = "NOERROR"; + } elsif ($qname eq "ns.slow" ) { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($slowA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "slow") { + if ($qtype eq "NS") { + my $rr = new Net::DNS::RR($slowNS); + push @auth, $rr; + $rr = new Net::DNS::RR($slowA); + push @add, $rr; + } elsif ($qtype eq "SOA") { + my $rr = new Net::DNS::RR($slowSOA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "data.slow") { + if ($slow_response) { + print " Sleeping 3 seconds\n"; + sleep(3); + # only one time + $slow_response = 0; + } + if ($qtype eq "TXT") { + my $rr = new Net::DNS::RR($slowTXT); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slownegSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; } else { my $rr = new Net::DNS::RR($SOA); push @auth, $rr; diff --git a/external/mpl/bind/dist/bin/tests/system/serve-stale/ns1/root.db b/external/mpl/bind/dist/bin/tests/system/serve-stale/ns1/root.db index b6b73675fdfd..aef8e31c7aa7 100644 --- a/external/mpl/bind/dist/bin/tests/system/serve-stale/ns1/root.db +++ b/external/mpl/bind/dist/bin/tests/system/serve-stale/ns1/root.db @@ -14,3 +14,5 @@ ns.nil. 300 A 10.53.0.1 example. 300 NS ns.example. ns.example. 300 A 10.53.0.2 +slow. 300 NS ns.slow. +ns.slow. 300 A 10.53.0.2 diff --git a/external/mpl/bind/dist/bin/tests/system/serve-stale/ns3/named2.conf.in b/external/mpl/bind/dist/bin/tests/system/serve-stale/ns3/named2.conf.in index e25bc28d9022..a2b1d5ace57a 100644 --- a/external/mpl/bind/dist/bin/tests/system/serve-stale/ns3/named2.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/serve-stale/ns3/named2.conf.in 
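Review bot: `$slow_response` is read and reset in the new `data.slow` branch but is not declared in any of the ans.pl hunks shown; if it is a file-scope `my` variable introduced elsewhere in the file (which `use strict` would require), its initial value and what arms it should be stated next to the branch, since tests.sh appears to arm it through the `slowdown` query added in the same patch. A comment such as `# $slow_response is armed by the "slowdown" query; the 3 s delay fires once, then disarms itself` would make the one-shot behaviour readable without tracing the whole script. It is also worth saying that `sleep(3)` blocks this single-threaded responder, so every other query arriving in that window is delayed too — presumably intended, but not obvious from the branch.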
@@ -39,12 +39,13 @@ options { stale-answer-ttl 3; stale-refresh-time 0; stale-answer-client-timeout 1800; + recursive-clients 10; # CVE-2022-3924 max-stale-ttl 3600; resolver-query-timeout 10; + qname-minimization disabled; }; zone "." { - type secondary; - primaries { 10.53.0.1; }; - file "root.bk"; + type hint; + file "root.db"; }; diff --git a/external/mpl/bind/dist/bin/tests/system/serve-stale/tests.sh b/external/mpl/bind/dist/bin/tests/system/serve-stale/tests.sh index 29faa30b00e2..104ae051adf7 100755 --- a/external/mpl/bind/dist/bin/tests/system/serve-stale/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/serve-stale/tests.sh @@ -1638,6 +1638,24 @@ grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "delay responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + n=$((n+1)) echo_i "disable responses from authoritative server ($n)" ret=0 
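Review bot: `qname-minimization disabled;` is added to ns3/named2.conf.in without the kind of pointer that `recursive-clients 10; # CVE-2022-3924` carries, and the change of zone "." from a secondary of 10.53.0.1 to `type hint` reading `root.db` is likewise unexplained; both alter how ns3 resolves for every test that uses this config, not just the new quota test. A short comment on each — for example `# keep the latency*.data.example queries on a single direct fetch path for the recursive-clients test`, if that is the reason (it is not visible here), and one saying why hints replace the secondary copy — would save the next reader from re-deriving it. Only ns1/root.db is touched in this patch, so it is worth confirming that a `root.db` for ns3 exists or is generated by setup.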
@@ -1652,10 +1670,11 @@ sleep 2 nextpart ns3/named.run > /dev/null -echo_i "sending queries for tests $((n+1))-$((n+2))..." +echo_i "sending queries for tests $((n+1))-$((n+3))..." t1=`$PERL -e 'print time()'` $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2)) +$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) & wait t2=`$PERL -e 'print time()'` 
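Review bot: The new `data.slow` query is backgrounded, but the `nodata.example` dig on the line before it is not, so the third query is only issued after the second one has returned; if the three queries are meant to run concurrently (the `t1`/`t2` timestamps around the block suggest the elapsed time is checked later), the `nodata.example` line needs a trailing `&` as well, i.e. `... nodata.example TXT > dig.out.test$((n+2)) &`. This sequencing already existed for the second query before this change, but adding a third query behind it widens the gap the later timing check has to tolerate.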
@@ -1677,21 +1696,32 @@ status=$((status+ret)) n=$((n+1)) echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" +ret=0 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + # Now query for RRset not in cache. The first query should time out, but once # we enable the authoritative server, the second query should be able to get a # response. nextpart ns3/named.run > /dev/null -echo_i "sending queries for tests $((n+2))-$((n+3))..." +echo_i "sending queries for tests $((n+2))-$((n+4))..." $DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) & $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) & # Enable the authoritative name server after stale-answer-client-timeout. n=$((n+1)) 
@@ -1730,6 +1760,37 @@ retry_quiet 8 check_results dig.out.test$n || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)" +ret=0 +check_results() { + [ -s "$1" ] || return 1 + grep "connection timed out" "$1" > /dev/null || return 1 + return 0 +} +retry_quiet 8 check_results dig.out.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# CVE-2022-3924, GL #3619 +n=$((n+1)) +echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)" +ret=0 +num=0 +# Make sure to exceed the configured value of 'recursive-clients 10;' by running +# 20 parallel queries with simulated network latency. +while [ $num -lt 20 ]; do + $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 & + num=$((num+1)) +done; +_dig_data() { + $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 +} +retry_quiet 5 _dig_data || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + ############################################# # Test for stale-answer-client-timeout off. # ############################################# @@ -1930,8 +1991,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) wait_for_rrset_refresh() { - nextpart ns3/named.run | grep 'data.example.*2.*TXT.*"A text record with a 2 second ttl"' > /dev/null && return 0 - return 1 + $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1 } # This test ensures that after we get stale data due to 
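Review bot: The twenty background `latency${num}.data.example` digs started for the recursive-clients quota check are never reaped: there is no `wait` after `retry_quiet 5 _dig_data`, so with `+tries=1` and dig's default timeout they can still be in flight, holding recursive-client slots on ns3, when the following "stale-answer-client-timeout off" section begins. Adding `wait` after the `retry_quiet` line and before `if [ $ret != 0 ]` confines the load to this test; their exit status is irrelevant since the output goes to /dev/null. The trailing `;` in `done;` is harmless but unusual for this file.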
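Review bot: `wait_for_rrset_refresh()` now issues a query and writes `dig.out.test$n`, so its result depends on the caller's `$n` and it overwrites that test's output file on every retry, whereas the previous version only inspected the log. Both call sites (the `@@ -1941` and `@@ -2124` hunks) set `n` before calling it, so this works, but a comment on the function such as `# queries data.example until a fresh (TTL 1-2) answer is returned; writes dig.out.test$n for the current test` would make the hidden dependency on `$n` visible. The carried-over `.*[12].*` TTL pattern still matches any TTL containing a 1 or 2 digit; if the output is tab-separated, anchoring the field (e.g. `\t[12]\t`) would be tighter.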
@@ -1941,10 +2004,6 @@ n=$((n+1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -2124,10 +2183,6 @@ n=$((n+1)) ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) diff --git a/external/mpl/bind/dist/bin/tests/system/shutdown/tests_shutdown.py b/external/mpl/bind/dist/bin/tests/system/shutdown/tests_shutdown.py index 2c8c446971dd..b6083b77a25b 100755 --- a/external/mpl/bind/dist/bin/tests/system/shutdown/tests_shutdown.py +++ b/external/mpl/bind/dist/bin/tests/system/shutdown/tests_shutdown.py @@ -70,7 +70,6 @@ def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries): # We're going to execute queries in parallel by means of a thread pool. # dnspython functions block, so we need to circunvent that. with ThreadPoolExecutor(n_workers + 1) as executor: - # Helper dict, where keys=Future objects and values are tags used # to process results later. futures = {} 
@@ -132,6 +131,31 @@ def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries): assert ret_code == 0 +def wait_for_named_loaded(resolver, retries=10): + for _ in range(retries): + try: + resolver.query("version.bind", "TXT", "CH") + return True + except (dns.resolver.NoNameservers, dns.exception.Timeout): + time.sleep(1) + return False + + +def wait_for_proc_termination(proc, max_timeout=10): + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + proc.send_signal(signal.SIGABRT) + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + return False + + def test_named_shutdown(named_port, control_port): # pylint: disable-msg=too-many-locals cfg_dir = os.path.join(os.getcwd(), "resolver") 
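Review bot: Neither `wait_for_named_loaded` nor `wait_for_proc_termination` has a docstring, and the second one's contract is easy to misread: it returns True both when the process exited on its own and when it only exited because the helper sent SIGABRT after `max_timeout` seconds, so a True return does not mean a clean shutdown and callers must still inspect `proc.returncode`. Its docstring should say that it waits up to `max_timeout` seconds, then sends SIGABRT and waits up to `max_timeout` seconds more, and returns False only if the process is still alive after both phases. For `wait_for_named_loaded`, the docstring should note that readiness is probed with a `version.bind` CH TXT query, that only `NoNameservers` and `Timeout` are retried (anything else propagates), and that each retry adds a one-second sleep on top of the resolver's own timeout.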
@@ -168,40 +192,18 @@ def test_named_shutdown(named_port, control_port): for kill_method in ("rndc", "sigterm"): named_cmdline = [named, "-c", cfg_file, "-f"] with subprocess.Popen(named_cmdline, cwd=cfg_dir) as named_proc: - # Ensure named is running - assert named_proc.poll() is None - # wait for named to finish loading - for _ in range(10): - try: - resolver.query("version.bind", "TXT", "CH") - break - except (dns.resolver.NoNameservers, dns.exception.Timeout): - time.sleep(1) - - do_work( - named_proc, resolver, rndc_cmd, kill_method, n_workers=12, n_queries=16 - ) - - # Wait named to exit for a maximum of MAX_TIMEOUT seconds. - MAX_TIMEOUT = 10 - is_dead = False - for _ in range(MAX_TIMEOUT): - if named_proc.poll() is not None: - is_dead = True - break - time.sleep(1) - - if not is_dead: - named_proc.send_signal(signal.SIGABRT) - for _ in range(MAX_TIMEOUT): - if named_proc.poll() is not None: - is_dead = True - break - time.sleep(1) - if not is_dead: - named_proc.kill() - - assert is_dead - # Ensures that named exited gracefully. - # If it crashed (abort()) exitcode will be non zero. - assert named_proc.returncode == 0 + try: + assert named_proc.poll() is None, "named isn't running" + assert wait_for_named_loaded(resolver) + do_work( + named_proc, + resolver, + rndc_cmd, + kill_method, + n_workers=12, + n_queries=16, + ) + assert wait_for_proc_termination(named_proc) + assert named_proc.returncode == 0, "named crashed" + finally: # Ensure named is terminated in case of an exception + named_proc.kill() diff --git a/external/mpl/bind/dist/bin/tests/system/statschannel/generic.py b/external/mpl/bind/dist/bin/tests/system/statschannel/generic.py index 6688ff6db0a8..5ff09e257049 100644 --- a/external/mpl/bind/dist/bin/tests/system/statschannel/generic.py +++ b/external/mpl/bind/dist/bin/tests/system/statschannel/generic.py 
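Review bot: `assert named_proc.returncode == 0, "named crashed"` also fires when named merely hung on shutdown and `wait_for_proc_termination` had to send SIGABRT, in which case the return code is `-SIGABRT` and the message points at the wrong cause; since the helper returns True in both cases, the caller cannot tell them apart from the boolean alone. A message that distinguishes the two, e.g. `assert named_proc.returncode == 0, "named exited with {} (-{} means shutdown hung and was aborted)".format(named_proc.returncode, int(signal.SIGABRT))`, keeps the test's diagnosis honest. The comment on the `finally:` line itself would conventionally go on its own line above `named_proc.kill()`, matching the comment style used elsewhere in this function.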
@@ -58,7 +58,6 @@ def check_manykeys(name, zone=None): def zone_mtime(zonedir, name): - try: si = os.stat(os.path.join(zonedir, "{}.db".format(name))) except FileNotFoundError: @@ -70,7 +69,6 @@ def zone_mtime(zonedir, name): def test_zone_timers_primary(fetch_zones, load_timers, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] @@ -84,7 +82,6 @@ def test_zone_timers_primary(fetch_zones, load_timers, **kwargs): def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] @@ -98,7 +95,6 @@ def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] diff --git a/external/mpl/bind/dist/bin/tests/system/statschannel/generic_dnspython.py b/external/mpl/bind/dist/bin/tests/system/statschannel/generic_dnspython.py index 37e6e89f14bf..34a0398108ae 100644 --- a/external/mpl/bind/dist/bin/tests/system/statschannel/generic_dnspython.py +++ b/external/mpl/bind/dist/bin/tests/system/statschannel/generic_dnspython.py @@ -28,7 +28,6 @@ def create_msg(qname, qtype): def udp_query(ip, port, msg): - ans = dns.query.udp(msg, ip, TIMEOUT, port=port) assert ans.rcode() == dns.rcode.NOERROR @@ -36,7 +35,6 @@ def udp_query(ip, port, msg): def tcp_query(ip, port, msg): - ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) assert ans.rcode() == dns.rcode.NOERROR @@ -90,7 +88,6 @@ def check_traffic(data, expected): def test_traffic(fetch_traffic, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] port = kwargs["port"] diff --git a/external/mpl/bind/dist/bin/tests/system/statschannel/tests_json.py b/external/mpl/bind/dist/bin/tests/system/statschannel/tests_json.py index 312c6830a6bd..c4599258ea43 100755 --- a/external/mpl/bind/dist/bin/tests/system/statschannel/tests_json.py 
+++ b/external/mpl/bind/dist/bin/tests/system/statschannel/tests_json.py @@ -24,7 +24,6 @@ requests = pytest.importorskip("requests") # JSON helper functions def fetch_zones_json(statsip, statsport): - r = requests.get( "http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600 ) @@ -35,7 +34,6 @@ def fetch_zones_json(statsip, statsport): def fetch_traffic_json(statsip, statsport): - r = requests.get( "http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600 ) @@ -47,7 +45,6 @@ def fetch_traffic_json(statsip, statsport): def load_timers_json(zone, primary=True): - name = zone["name"] # Check if the primary zone timer exists diff --git a/external/mpl/bind/dist/bin/tests/system/statschannel/tests_xml.py b/external/mpl/bind/dist/bin/tests/system/statschannel/tests_xml.py index 5b187b0f49f8..7f0b37e84636 100755 --- a/external/mpl/bind/dist/bin/tests/system/statschannel/tests_xml.py +++ b/external/mpl/bind/dist/bin/tests/system/statschannel/tests_xml.py @@ -25,7 +25,6 @@ requests = pytest.importorskip("requests") # XML helper functions def fetch_zones_xml(statsip, statsport): - r = requests.get( "http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600 ) @@ -75,7 +74,6 @@ def fetch_traffic_xml(statsip, statsport): def load_timers_xml(zone, primary=True): - name = zone.attrib["name"] loaded_el = zone.find("loaded") diff --git a/external/mpl/bind/dist/bin/tests/system/tcp/tests_tcp.py b/external/mpl/bind/dist/bin/tests/system/tcp/tests_tcp.py index 95553336ccdc..3a0a7ae9c388 100644 --- a/external/mpl/bind/dist/bin/tests/system/tcp/tests_tcp.py +++ b/external/mpl/bind/dist/bin/tests/system/tcp/tests_tcp.py @@ -43,7 +43,6 @@ def create_socket(host, port): # Regression test for CVE-2022-0396 def test_close_wait(named_port): with create_socket("10.53.0.7", named_port) as sock: - msg = create_msg("a.example.", "A") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) (response, rtime) = dns.query.receive_tcp(sock, timeout()) 
@@ -66,7 +65,6 @@ def test_close_wait(named_port): # request. If it gets stuck in CLOSE_WAIT state, there is no connection # available for the query below and it will time out. with create_socket("10.53.0.7", named_port) as sock: - msg = create_msg("a.example.", "A") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) (response, rtime) = dns.query.receive_tcp(sock, timeout()) diff --git a/external/mpl/bind/dist/bin/tests/system/testcrypto.sh b/external/mpl/bind/dist/bin/tests/system/testcrypto.sh index dd1d583527dd..020aa9ab72e2 100644 --- a/external/mpl/bind/dist/bin/tests/system/testcrypto.sh +++ b/external/mpl/bind/dist/bin/tests/system/testcrypto.sh @@ -15,6 +15,7 @@ SYSTEMTESTTOP=${SYSTEMTESTTOP:=..} prog=$0 args="" quiet=0 +dir="" msg="cryptography" if test -z "$KEYGEN"; then @@ -75,9 +76,18 @@ if test -z "$alg"; then exit 1 fi +if test -n "$TMPDIR"; then + dir=$(mktemp -d "$TMPDIR/XXXXXX") + args="$args -K $dir" +fi + if $KEYGEN $args $alg foo > /dev/null 2>&1 then - rm -f Kfoo* + if test -z "$dir"; then + rm -f Kfoo* + else + rm -rf "$dir" + fi else if test $quiet -eq 0; then echo_i "This test requires support for $msg" >&2 diff --git a/external/mpl/bind/dist/bin/tests/system/tsig/ns1/named.conf.in b/external/mpl/bind/dist/bin/tests/system/tsig/ns1/named.conf.in index 76cf970397d8..22637af90163 100644 --- a/external/mpl/bind/dist/bin/tests/system/tsig/ns1/named.conf.in +++ b/external/mpl/bind/dist/bin/tests/system/tsig/ns1/named.conf.in @@ -23,10 +23,7 @@ options { notify no; }; -key "md5" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5; -}; +# md5 key appended by setup.sh at the end key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; @@ -53,10 +50,7 @@ key "sha512" { algorithm hmac-sha512; }; -key "md5-trunc" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5-80; -}; +# md5-trunc key appended by setup.sh at the end key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; 
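Review bot: In testcrypto.sh the temporary key directory is spliced into `args="$args -K $dir"` and later expanded unquoted through `$KEYGEN $args $alg foo`, so a `$TMPDIR` containing whitespace splits the path into several arguments and the key lands somewhere other than `$dir`; `rm -rf "$dir"` then removes the wrong (empty) directory and the `Kfoo*` files leak into the cwd, which is what the change is trying to avoid. A failed `mktemp` is also unhandled: `dir` stays empty while `-K ` is still appended to `args`, so `-K` swallows `$alg` as its argument. `if dir=$(mktemp -d "$TMPDIR/XXXXXX"); then args="$args -K $dir"; fi` falls back to the cwd behaviour on failure, and passing `-K "$dir"` directly on the `$KEYGEN` line rather than through `$args` removes the word-splitting problem.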
diff --git a/external/mpl/bind/dist/bin/tests/system/tsig/setup.sh b/external/mpl/bind/dist/bin/tests/system/tsig/setup.sh index 6020947c4aa8..420e513e0087 100644 --- a/external/mpl/bind/dist/bin/tests/system/tsig/setup.sh +++ b/external/mpl/bind/dist/bin/tests/system/tsig/setup.sh @@ -17,3 +17,19 @@ SYSTEMTESTTOP=.. $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf + +if $FEATURETEST --md5 +then + cat >> ns1/named.conf << EOF +# Conditionally included when support for MD5 is available +key "md5" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5; +}; + +key "md5-trunc" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5-80; +}; +EOF +fi diff --git a/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh b/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh index 02199e6bd50a..affc6d093549 100644 --- a/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh +++ b/external/mpl/bind/dist/bin/tests/system/tsig/tests.sh 
@@ -28,20 +28,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
 status=0
-echo_i "fetching using hmac-md5 (old form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
-fi
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (old form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
-echo_i "fetching using hmac-md5 (new form)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+ echo_i "fetching using hmac-md5 (new form)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5"
 fi
 echo_i "fetching using hmac-sha1"
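Review bot: `$FEATURETEST --md5` is now spawned three times in this script to answer the same question — here and again in the truncated-TSIG and BADTRUNC hunks that follow; evaluating it once near the top, `if $FEATURETEST --md5; then have_md5=1; else have_md5=0; fi`, and testing `if [ $have_md5 -eq 1 ]` at each site keeps the three guarded blocks in step and avoids the repeated process. The `else` branches that log "skipping using hmac-md5" are a good addition: a skipped check is visible in the test log instead of silently disappearing when the build lacks MD5.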
@@ -89,12 +94,17 @@ fi
 # Truncated TSIG
 #
 #
-echo_i "fetching using hmac-md5 (trunc)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5 (trunc)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5 (trunc)"
 fi
 echo_i "fetching using hmac-sha1 (trunc)"
@@ -143,12 +153,17 @@ fi
 # Check for bad truncation.
 #
 #
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
-ret=0
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
-if [ $ret -eq 1 ] ; then
- echo_i "failed"; status=1
+if $FEATURETEST --md5
+then
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
+ ret=0
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
+ if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+ fi
+else
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
 fi
 echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
diff --git a/external/mpl/bind/dist/bin/tests/system/ttl/clean.sh b/external/mpl/bind/dist/bin/tests/system/ttl/clean.sh
index 17b09d77d42d..3bb41d9247f1 100644
--- a/external/mpl/bind/dist/bin/tests/system/ttl/clean.sh
+++ b/external/mpl/bind/dist/bin/tests/system/ttl/clean.sh
@@ -11,11 +11,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-rm -f ./dig.out.*
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run
-rm -f ./ns*/named.lock
-rm -f ./ns*/_default.nzf
-rm -f ./ns*/_default.nzd*
-rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*
+rm -f ./ns*/managed-keys.bind*
diff --git a/external/mpl/bind/dist/bin/tests/system/ttl/prereq.sh b/external/mpl/bind/dist/bin/tests/system/ttl/prereq.sh
new file mode 100644
index 000000000000..aa97ae244840
--- /dev/null
+++ b/external/mpl/bind/dist/bin/tests/system/ttl/prereq.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+if test -n "$PYTHON"
+then
+ if $PYTHON -c "import dns" 2> /dev/null
+ then
+ :
+ else
+ echo_i "This test requires the dnspython module." >&2
+ exit 1
+ fi
+else
+ echo_i "This test requires Python and the dnspython module." >&2
+ exit 1
+fi
+
+exit 0
diff --git a/external/mpl/bind/dist/bin/tests/system/ttl/setup.sh b/external/mpl/bind/dist/bin/tests/system/ttl/setup.sh
index a8e9d5f3738e..87c524fb1320 100644
--- a/external/mpl/bind/dist/bin/tests/system/ttl/setup.sh
+++ b/external/mpl/bind/dist/bin/tests/system/ttl/setup.sh
@@ -13,6 +13,5 @@
 . $SYSTEMTESTTOP/conf.sh
-$SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
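Review bot: The inner `if $PYTHON -c "import dns" 2> /dev/null; then :; else ...; fi` in the new prereq.sh is an inverted test with an empty success branch; `if ! $PYTHON -c "import dns" 2> /dev/null` followed directly by the error message and `exit 1` reads more plainly, and `!` is POSIX sh. The clean.sh hunk on this line also narrows `rm -f ./ns*/managed-keys.bind* ns*/*.mkeys*` to the first pattern only, which is fine if this test no longer produces `.mkeys` files — worth confirming, since leftover state between runs is the usual cause of flaky system tests.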
diff --git a/external/mpl/bind/dist/bin/tests/system/ttl/tests_cache_ttl.py b/external/mpl/bind/dist/bin/tests/system/ttl/tests_cache_ttl.py
new file mode 100644
index 000000000000..9025283bd2ef
--- /dev/null
+++ b/external/mpl/bind/dist/bin/tests/system/ttl/tests_cache_ttl.py
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.query
+
+
+@pytest.mark.parametrize(
+ "qname,rdtype,expected_ttl",
+ [
+ ("min-example.", "SOA", 60),
+ ("min-example.", "MX", 30),
+ ("max-example.", "SOA", 120),
+ ("max-example.", "MX", 60),
+ ],
+)
+def test_cache_ttl(qname, rdtype, expected_ttl, named_port):
+ msg = dns.message.make_query(qname, rdtype)
+ response = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port)
+ for rr in response.answer + response.authority:
+ assert rr.ttl == expected_ttl
diff --git a/external/mpl/bind/dist/configure.ac b/external/mpl/bind/dist/configure.ac
index eaad0097eceb..fb6f172eaef9 100644
--- a/external/mpl/bind/dist/configure.ac
+++ b/external/mpl/bind/dist/configure.ac
@@ -707,9 +707,9 @@ AC_CHECK_FUNCS([pthread_setname_np pthread_set_name_np])
 AC_CHECK_HEADERS([pthread_np.h], [], [], [#include ])
 # libuv
-AC_MSG_CHECKING(for libuv)
-PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [],
- [AC_MSG_ERROR([libuv not found])])
+PKG_CHECK_MODULES([LIBUV], [libuv >= 1.37.0], [],
+ [PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0 libuv < 1.35.0], [],
+ [AC_MSG_ERROR([libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found])])])
 AX_SAVE_FLAGS([libuv])
 CFLAGS="$CFLAGS $LIBUV_CFLAGS"
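Review bot: `test_cache_ttl` passes vacuously when the reply carries no answer and no authority RRsets, because the `for rr in response.answer + response.authority` loop then never executes and nothing else is asserted; a SERVFAIL, REFUSED or empty response would be reported as success. Adding `assert response.answer or response.authority` before the loop closes that gap, and checking the response code as well (`assert response.rcode() == 0`, dnspython's NOERROR) makes the failure mode explicit when it does trip. The `pytest.importorskip("dns")` guard ahead of the `dns.*` imports is consistent with the dnspython prerequisite that prereq.sh enforces for this test directory.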
@@ -939,7 +939,12 @@ PKCS11_MANS= # # was --enable-native-pkcs11 specified? # -# [pairwise: --enable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --without-dlopen] +# DNSRPS builds are included in pairwise testing here and not later because both +# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the +# ordering of the set of ./configure arguments generated during pairwise testing +# is random. +# +# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen] AC_ARG_ENABLE(native-pkcs11, AS_HELP_STRING([--enable-native-pkcs11], [use native PKCS11 for public-key crypto [default=no]]), @@ -2153,6 +2158,14 @@ AC_PATH_PROG([XELATEX], [xelatex], [:]) AC_PATH_PROG([LATEXMK], [latexmk], [:]) AM_CONDITIONAL([HAVE_XELATEX], [test "$XELATEX" != ":" && test "$LATEXMK" != ":"]) +# +# Build the man pages only if we have prebuilt manpages or we can build them from RST sources +# +BUILD_MANPAGES= +AS_IF([test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":"], + [BUILD_MANPAGES=man]) +AC_SUBST([BUILD_MANPAGES]) + # # Pull release date from CHANGES file last modification date # for reproducible builds @@ -2583,8 +2596,9 @@ AC_COMPILE_IFELSE( AC_MSG_RESULT([no]) ]) -# DNSRPS is not included in pairwise testing as the librpz library is not -# present in the relevant Docker image. +# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11 +# tests above as both of these features require --with-dlopen (see also the +# relevant comment there). # # [pairwise: skip] AC_ARG_ENABLE([dnsrps-dl], diff --git a/external/mpl/bind/dist/dangerfile.py b/external/mpl/bind/dist/dangerfile.py index 4652df2ee596..d6a32e51123c 100644 --- a/external/mpl/bind/dist/dangerfile.py 
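Review bot: The new `BUILD_MANPAGES` check tests `doc/man/named.conf.5in` relative to the directory configure runs in, so in an out-of-tree build (doc/Makefile.in sets `VPATH = @srcdir@`, which suggests those are supported) the prebuilt man page in the source tree is not found and man pages are silently dropped from `SUBDIRS` unless Sphinx is installed; `AS_IF([test -e "$srcdir/doc/man/named.conf.5in" || test "$SPHINX_BUILD" != ":"],` looks in the right place. Separately, the rewritten `# [pairwise: ...]` annotation in the native-pkcs11 hunk lists `--disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen` twice, which looks like a copy-paste slip; one of the two was presumably meant to be a different combination, and as written the pairwise job exercises one combination fewer than intended.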
+++ b/external/mpl/bind/dist/dangerfile.py
@@ -60,7 +60,7 @@ mr = proj.mergerequests.get(os.environ["CI_MERGE_REQUEST_IID"])
 #
 # - FAIL if any of the following is true for any commit on the MR branch:
 #
-# * The subject line starts with "fixup!" or "Apply suggestion".
+# * The subject line starts with "fixup!", "amend!" or "Apply suggestion".
 #
 # * The subject line starts with a prohibited word indicating a work in
 # progress commit (e.g. "WIP").
@@ -98,7 +98,9 @@ for commit in danger.git.commits:
 message_lines = commit.message.splitlines()
 subject = message_lines[0]
 if not fixup_error_logged and (
- subject.startswith("fixup!") or subject.startswith("Apply suggestion")
+ subject.startswith("fixup!")
+ or subject.startswith("amend!")
+ or subject.startswith("Apply suggestion")
 ):
 fail(
 "Fixup commits are still present in this merge request. "
@@ -123,8 +125,9 @@ for commit in danger.git.commits:
 if (
 len(message_lines) < 3
 and "fixup! " not in subject
- and " CHANGES " not in subject
- and " release note" not in subject
+ and "CHANGES " not in subject
+ and "release note" not in subject.lower()
+ and "GL #" not in subject
 ):
 warn(f"Please write a log message for commit {commit.sha}.")
 for line in message_lines[2:]:
@@ -284,7 +287,7 @@ elif not approved:
 # * The merge request adds a new CHANGES entry that is not a placeholder and
 # does not contain any GitLab/RT issue/MR identifiers.
-changes_modified = "CHANGES" in modified_files
+changes_modified = "CHANGES" in modified_files or "CHANGES.SE" in modified_files
 no_changes_label_set = "No CHANGES" in mr_labels
 if not changes_modified and not no_changes_label_set:
 fail(
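Review bot: The three `subject.startswith(...)` calls joined with `or` in the `fixup_error_logged` condition can be a single call, since `str.startswith` accepts a tuple: `subject.startswith(("fixup!", "amend!", "Apply suggestion"))`. The file-name pair `"CHANGES"` / `"CHANGES.SE"` introduced in the `changes_modified` hunk is repeated verbatim in the `changes_added_lines` hunk on the next line (`@@ -297,7 +300,7 @@`); a module-level `CHANGES_FILES = ("CHANGES", "CHANGES.SE")` consumed by both keeps the two checks from drifting apart when another changelog file is added. The `for commit in danger.git.commits:` loop that the first two code hunks belong to starts outside the hunks.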
@@ -297,7 +300,7 @@ if changes_modified and no_changes_label_set:
 "Revert `CHANGES` modifications or unset the *No Changes* label."
 )
-changes_added_lines = added_lines(target_branch, ["CHANGES"])
+changes_added_lines = added_lines(target_branch, ["CHANGES", "CHANGES.SE"])
 placeholders_added = lines_containing(changes_added_lines, "[placeholder]")
 identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines)
 if changes_added_lines:
@@ -393,11 +396,19 @@ switches_added = lines_containing(
 configure_added_lines, "AC_ARG_ENABLE"
 ) + lines_containing(configure_added_lines, "AC_ARG_WITH")
 annotations_added = lines_containing(configure_added_lines, "# [pairwise: ")
-if len(switches_added) > len(annotations_added):
- fail(
- "This merge request adds at least one new `./configure` switch that "
- "is not annotated for pairwise testing purposes."
- )
+if switches_added:
+ if len(switches_added) > len(annotations_added):
+ fail(
+ "This merge request adds at least one new `./configure` switch that "
+ "is not annotated for pairwise testing purposes."
+ )
+ else:
+ message(
+ "**Before merging**, please start a full CI pipeline for this "
+ "branch with the `PAIRWISE_TESTING` variable set to any "
+ "non-empty value (e.g. `1`). This will cause the `pairwise` "
+ "job to exercise the new `./configure` switches."
+ )
 ###############################################################################
 # USER-VISIBLE LOG LEVELS
diff --git a/external/mpl/bind/dist/doc/Makefile.in b/external/mpl/bind/dist/doc/Makefile.in
index eef3f3eef153..91e9e17dc2a7 100644
--- a/external/mpl/bind/dist/doc/Makefile.in
+++ b/external/mpl/bind/dist/doc/Makefile.in
@@ -17,7 +17,7 @@ srcdir = @srcdir@
 VPATH = @srcdir@
 top_srcdir = @top_srcdir@
-SUBDIRS = man arm misc doxygen
+SUBDIRS = @BUILD_MANPAGES@ arm misc doxygen
 TARGETS =
 @BIND9_MAKE_RULES@
diff --git a/external/mpl/bind/dist/doc/arm/build.rst b/external/mpl/bind/dist/doc/arm/build.rst
index b98033b30df5..7c266c9675f7 100644
--- a/external/mpl/bind/dist/doc/arm/build.rst +++ b/external/mpl/bind/dist/doc/arm/build.rst @@ -83,10 +83,12 @@ To build BIND 9, the following packages must be installed: - ``perl`` - ``pkg-config`` / ``pkgconfig`` / ``pkgconf`` -BIND 9.16 requires ``libuv`` 1.x or higher. On older systems, an updated -``libuv`` package needs to be installed from sources such as EPEL, PPA, -or other native sources. The other option is to build and install -``libuv`` from source. +BIND 9.16 requires ``libuv`` 1.0.0 or higher, using ``libuv`` >= 1.40.0 +is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is +not supported, as this could lead to an assertion failure in the UDP +receive code. On older systems, an updated ``libuv`` package needs to be +installed from sources such as EPEL, PPA, or other native sources. The +other option is to build and install ``libuv`` from source. OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed in a nonstandard location, specify the prefix using diff --git a/external/mpl/bind/dist/doc/arm/notes.rst b/external/mpl/bind/dist/doc/arm/notes.rst index e944d1caf4a6..4eb912229ad9 100644 --- a/external/mpl/bind/dist/doc/arm/notes.rst +++ b/external/mpl/bind/dist/doc/arm/notes.rst @@ -46,6 +46,11 @@ for Microsoft Windows operating systems. .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.16.42.rst +.. include:: ../notes/notes-9.16.41.rst +.. include:: ../notes/notes-9.16.40.rst +.. include:: ../notes/notes-9.16.39.rst +.. include:: ../notes/notes-9.16.38.rst .. include:: ../notes/notes-9.16.37.rst .. include:: ../notes/notes-9.16.36.rst .. include:: ../notes/notes-9.16.35.rst diff --git a/external/mpl/bind/dist/doc/arm/platforms.rst b/external/mpl/bind/dist/doc/arm/platforms.rst index a78f400b956a..da9f68a0e747 100644 --- a/external/mpl/bind/dist/doc/arm/platforms.rst +++ b/external/mpl/bind/dist/doc/arm/platforms.rst 
@@ -42,16 +42,16 @@ able to offer support on a “best effort” basis for some. Regularly tested platforms ~~~~~~~~~~~~~~~~~~~~~~~~~~ -As of August 2022, BIND 9.16 is fully supported and regularly tested on the +Current versions of BIND 9 are fully supported and regularly tested on the following systems: - Debian 10, 11 - Ubuntu LTS 18.04, 20.04, 22.04 -- Fedora 37 +- Fedora 38 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9 -- FreeBSD 12.3, 13.1 -- OpenBSD 7.2 -- Alpine Linux 3.16 +- FreeBSD 12.4, 13.2 +- OpenBSD 7.3 +- Alpine Linux 3.18 The amd64, i386, armhf and arm64 CPU architectures are all fully supported. diff --git a/external/mpl/bind/dist/doc/arm/reference.rst b/external/mpl/bind/dist/doc/arm/reference.rst index 703663d0ba6a..55af7b8b423f 100644 --- a/external/mpl/bind/dist/doc/arm/reference.rst +++ b/external/mpl/bind/dist/doc/arm/reference.rst @@ -416,12 +416,11 @@ To disable the command channel, use an empty ``controls`` statement: ``include`` Statement Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The ``include`` statement inserts the specified file (or files if a valid glob -expression is detected) at the point where the ``include`` statement is -encountered. The ``include`` statement facilitates the administration of -configuration files by permitting the reading or writing of some things but not -others. For example, the statement could include private keys that are readable -only by the name server. +The ``include`` statement inserts the specified file at the point where the +``include`` statement is encountered. The ``include`` statement facilitates +the administration of configuration files by permitting the reading or +writing of some things but not others. For example, the statement could +include private keys that are readable only by the name server. .. _key_grammar: 
@@ -1160,14 +1159,20 @@ default is used. effective user ID of the ``named`` process. ``qname-minimization`` - This option controls QNAME minimization behavior in the BIND - resolver. When set to ``strict``, BIND follows the QNAME + When this is set to ``strict``, BIND follows the QNAME minimization algorithm to the letter, as specified in :rfc:`7816`. + Setting this option to ``relaxed`` causes BIND to fall back to normal (non-minimized) query mode when it receives either NXDOMAIN or other unexpected responses (e.g., SERVFAIL, improper zone cut, - REFUSED) to a minimized query. ``disabled`` disables QNAME - minimization completely. The current default is ``relaxed``, but it + REFUSED) to a minimized query. A resolver can use a leading + underscore, like ``_.example.com``, in an attempt to improve + interoperability. (See :rfc:`7816` section 3.) + + ``disabled`` disables QNAME minimization completely. + ``off`` is a synonym for ``disabled``. + + The current default is ``relaxed``, but it may be changed to ``strict`` in a future release. ``tkey-gssapi-keytab`` @@ -3090,6 +3095,11 @@ system. default value of that option (90% of physical memory for each individual cache) may lead to memory exhaustion over time. + .. note:: + + ``max-cache-size`` does not work reliably for the maximum + amount of memory of 100 MB or lower. + Upon startup and reconfiguration, caches with a limited size preallocate a small amount of memory (less than 1% of ``max-cache-size`` for a given view). This preallocation serves as an 
@@ -3560,9 +3570,8 @@ Tuning to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.) - The ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. - According to the measurements done by multiple parties this should not be - causing any operational problems as most of the Internet "core" is able to + According to the measurements done by multiple parties the default value + should not be causing the fragmentation as most of the Internet "core" is able to cope with IP message sizes between 1400-1500 bytes, the 1232 size was picked as a conservative minimal number that could be changed by the DNS operator to a estimated path MTU minus the estimated header space. In practice, the @@ -6542,6 +6551,7 @@ This example generates A and AAAA records using modifiers; the AAAA is equivalent to: :: + HOST-0000.EXAMPLE. A 1.2.3.1 HOST-0001.EXAMPLE. A 1.2.3.2 HOST-0002.EXAMPLE. A 1.2.3.3 diff --git a/external/mpl/bind/dist/doc/dnssec-guide/validation.rst b/external/mpl/bind/dist/doc/dnssec-guide/validation.rst index 1abfd48c16f8..2830b98ebe4d 100644 --- a/external/mpl/bind/dist/doc/dnssec-guide/validation.rst +++ b/external/mpl/bind/dist/doc/dnssec-guide/validation.rst @@ -112,8 +112,6 @@ confirm that it is in fact validating DNS responses. - `Internet.nl `__ -- `DNSSEC Resolver Test (uni-due.de) `__ - - `DNSSEC or Not (VeriSign) `__ .. _using_dig_to_verify: diff --git a/external/mpl/bind/dist/doc/man/ddns-confgen.8in b/external/mpl/bind/dist/doc/man/ddns-confgen.8in index 1f12ae957887..97e1cf8cbf02 100644 --- a/external/mpl/bind/dist/doc/man/ddns-confgen.8in +++ b/external/mpl/bind/dist/doc/man/ddns-confgen.8in 
@@ -58,7 +58,7 @@ be used from a remote system. This option specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and hmac\-sha512. The default is hmac\-sha256. Options are -case\-insensitive, and the "hmac\-" prefix may be omitted. +case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted. .TP .B \fB\-h\fP This option prints a short summary of options and arguments. @@ -79,15 +79,15 @@ explanatory text or usage examples. This is essentially identical to .B \fB\-s name\fP This option generates a configuration example to allow dynamic updates of a single hostname. The example \fBnamed.conf\fP text shows how to set -an update policy for the specified name using the "name" nametype. The -default key name is \fBddns\-key.name\fP\&. Note that the "self" nametype +an update policy for the specified name using the \(dqname\(dq nametype. The +default key name is \fBddns\-key.name\fP\&. Note that the \(dqself\(dq nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the \fB\-z\fP option. .TP .B \fB\-z zone\fP This option generates a configuration example to allow dynamic updates of a zone. The example \fBnamed.conf\fP text shows how -to set an update policy for the specified zone using the "zonesub" +to set an update policy for the specified zone using the \(dqzonesub\(dq nametype, allowing updates to all subdomain names within that zone. This option cannot be used with the \fB\-s\fP option. .UNINDENT diff --git a/external/mpl/bind/dist/doc/man/delv.1in b/external/mpl/bind/dist/doc/man/delv.1in index 836499b71937..9a2b186900fd 100644 --- a/external/mpl/bind/dist/doc/man/delv.1in +++ b/external/mpl/bind/dist/doc/man/delv.1in 
@@ -53,7 +53,7 @@ simulates the behavior of a name server configured for DNSSEC validating and forwarding. .sp By default, responses are validated using the built\-in DNSSEC trust anchor -for the root zone ("."). Records returned by \fBdelv\fP are either fully +for the root zone (\(dq.\(dq). Records returned by \fBdelv\fP are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because \fBdelv\fP does not rely on an external server to carry @@ -66,7 +66,7 @@ addresses are found, \fBdelv\fP sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6). .sp When no command\-line arguments or options are given, \fBdelv\fP -performs an NS query for "." (the root zone). +performs an NS query for \(dq.\(dq (the root zone). .SH SIMPLE USAGE .sp A typical invocation of \fBdelv\fP looks like: @@ -114,7 +114,7 @@ supplied, \fBdelv\fP performs a lookup for an A record. .B \fB\-a anchor\-file\fP This option specifies a file from which to read DNSSEC trust anchors. The default is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one -or more trust anchors for the root zone ("."). +or more trust anchors for the root zone (\(dq.\(dq). .sp Keys that do not match the root zone name are ignored. An alternate key name can be specified using the \fB+root=NAME\fP options. @@ -135,7 +135,7 @@ or \fB::\fP\&. An optional source port may be specified by appending .TP .B \fB\-c class\fP This option sets the query class for the requested data. Currently, only class -"IN" is supported in \fBdelv\fP and any other value is ignored. +\(dqIN\(dq is supported in \fBdelv\fP and any other value is ignored. .TP .B \fB\-d level\fP This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is 
@@ -168,8 +168,8 @@ non\-standard port number. This option sets the query name to \fBname\fP\&. While the query name can be specified without using the \fB\-q\fP option, it is sometimes necessary to disambiguate names from types or classes (for example, when looking -up the name "ns", which could be misinterpreted as the type NS, or -"ch", which could be misinterpreted as class CH). +up the name \(dqns\(dq, which could be misinterpreted as the type NS, or +\(dqch\(dq, which could be misinterpreted as class CH). .TP .B \fB\-t type\fP This option sets the query type to \fBtype\fP, which can be any valid query type @@ -178,8 +178,8 @@ with \fB\-q\fP, this is useful to distinguish query\-name types or classes when they are ambiguous. It is sometimes necessary to disambiguate names from types. .sp -The default query type is "A", unless the \fB\-x\fP option is supplied -to indicate a reverse lookup, in which case it is "PTR". +The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied +to indicate a reverse lookup, in which case it is \(dqPTR\(dq. .TP .B \fB\-v\fP This option prints the \fBdelv\fP version and exits. @@ -235,7 +235,7 @@ and validation process, including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation. .sp -This is equivalent to setting the debug level to 1 in the "resolver" +This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq logging category. Setting the systemwide debug level to 1 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. 
@@ -245,8 +245,8 @@ This option toggles message logging. This produces a detailed dump of the responses received by \fBdelv\fP in the process of carrying out the resolution and validation process. .sp -This is equivalent to setting the debug level to 10 for the "packets" -module of the "resolver" logging category. Setting the systemwide +This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq +module of the \(dqresolver\(dq logging category. Setting the systemwide debug level to 10 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. .TP @@ -256,7 +256,7 @@ validator as it determines whether an answer is validly signed, unsigned, or invalid. .sp This is equivalent to setting the debug level to 3 for the -"validator" module of the "dnssec" logging category. Setting the +\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the systemwide debug level to 3 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. .TP @@ -313,7 +313,7 @@ always occurs unless suppressed by the use of \fB\-i\fP or .B \fB+[no]root[=ROOT]\fP This option indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a -trust anchor of "." (the root zone), for which there is a built\-in key. If +trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then \fB\-a\fP must be used to specify a file containing the key. .TP diff --git a/external/mpl/bind/dist/doc/man/dig.1in b/external/mpl/bind/dist/doc/man/dig.1in index 245a9c6574ba..fd6d6f802392 100644 --- a/external/mpl/bind/dist/doc/man/dig.1in +++ b/external/mpl/bind/dist/doc/man/dig.1in 
@@ -58,7 +58,7 @@ of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server addresses are found, \fBdig\fP sends the query to the local host. .sp When no command\-line arguments or options are given, \fBdig\fP -performs an NS query for "." (the root). +performs an NS query for \(dq.\(dq (the root). .sp It is possible to set per\-user defaults for \fBdig\fP via \fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied @@ -67,8 +67,8 @@ feature, for scripts that need predictable behavior. .sp The IN and CH class names overlap with the IN and CH top\-level domain names. Either use the \fB\-t\fP and \fB\-c\fP options to specify the type and -class, use the \fB\-q\fP to specify the domain name, or use "IN." and -"CH." when looking up these top\-level domains. +class, use the \fB\-q\fP to specify the domain name, or use \(dqIN.\(dq and +\(dqCH.\(dq when looking up these top\-level domains. .SH SIMPLE USAGE .sp A typical invocation of \fBdig\fP looks like: @@ -120,8 +120,8 @@ This option indicates that only IPv6 should be used. .TP .B \fB\-b address[#port]\fP This option sets the source IP address of the query. The \fBaddress\fP must be a -valid address on one of the host\(aqs network interfaces, or "0.0.0.0" -or "::". An optional port may be specified by appending \fB#port\fP\&. +valid address on one of the host\(aqs network interfaces, or \(dq0.0.0.0\(dq +or \(dq::\(dq. An optional port may be specified by appending \fB#port\fP\&. .TP .B \fB\-c class\fP This option sets the query class. The default \fBclass\fP is IN; other classes are @@ -575,7 +575,7 @@ presentation format. .B \fB+[no]vc\fP This option uses [or does not use] TCP when querying name servers. This alternate syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The -\fBvc\fP stands for "virtual circuit." +\fBvc\fP stands for \(dqvirtual circuit.\(dq .TP .B \fB+[no]yaml\fP When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the 
diff --git a/external/mpl/bind/dist/doc/man/dnssec-dsfromkey.8in b/external/mpl/bind/dist/doc/man/dnssec-dsfromkey.8in index b22ba567ef97..83f6a7aade2f 100644 --- a/external/mpl/bind/dist/doc/man/dnssec-dsfromkey.8in +++ b/external/mpl/bind/dist/doc/man/dnssec-dsfromkey.8in @@ -139,7 +139,7 @@ The keyset file name is built from the \fBdirectory\fP, the string \fBkeyset\-\fP, and the \fBdnsname\fP\&. .SH CAVEAT .sp -A keyfile error may return "file not found," even if the file exists. +A keyfile error may return \(dqfile not found,\(dq even if the file exists. .SH SEE ALSO .sp \fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, diff --git a/external/mpl/bind/dist/doc/man/dnssec-importkey.8in b/external/mpl/bind/dist/doc/man/dnssec-importkey.8in index fcca54c3c543..8a50888fc66e 100644 --- a/external/mpl/bind/dist/doc/man/dnssec-importkey.8in +++ b/external/mpl/bind/dist/doc/man/dnssec-importkey.8in @@ -57,7 +57,7 @@ DNS domain name of a zone master file, which can be read from \fBfilename\fP\&. If the domain name is the same as \fBfilename\fP, then it may be omitted. .sp -If \fBfilename\fP is set to \fB"\-"\fP, then the zone data is read from the +If \fBfilename\fP is set to \fB\(dq\-\(dq\fP, then the zone data is read from the standard input. .TP .B \fB\-K directory\fP diff --git a/external/mpl/bind/dist/doc/man/dnssec-keygen.8in b/external/mpl/bind/dist/doc/man/dnssec-keygen.8in index f3ceeca2f09a..84d4d68f4093 100644 --- a/external/mpl/bind/dist/doc/man/dnssec-keygen.8in +++ b/external/mpl/bind/dist/doc/man/dnssec-keygen.8in 
@@ -139,7 +139,7 @@ This option sets the directory in which the key files are to be written. .B \fB\-k policy\fP This option creates keys for a specific \fBdnssec\-policy\fP\&. If a policy uses multiple keys, \fBdnssec\-keygen\fP generates multiple keys. This also -creates a ".state" file to keep track of the key state. +creates a \(dq.state\(dq file to keep track of the key state. .sp This option creates keys according to the \fBdnssec\-policy\fP configuration, hence it cannot be used at the same time as many of the other options that diff --git a/external/mpl/bind/dist/doc/man/dnssec-keymgr.8in b/external/mpl/bind/dist/doc/man/dnssec-keymgr.8in index 23c8beac2e81..ae163dba1013 100644 --- a/external/mpl/bind/dist/doc/man/dnssec-keymgr.8in +++ b/external/mpl/bind/dist/doc/man/dnssec-keymgr.8in @@ -44,7 +44,7 @@ DNSSEC policy can be read from a configuration file (default /etc/dnssec\-policy.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC -policies on a per\-zone basis, or to set a "default" policy used for all +policies on a per\-zone basis, or to set a \(dqdefault\(dq policy used for all zones. .sp When \fBdnssec\-keymgr\fP runs, it examines the DNSSEC keys for one or more @@ -181,7 +181,7 @@ sizes would then be used for any key of type RSASHA256. single zone by name. A zone policy can inherit a policy class by including a \fBpolicy\fP option. Zone names beginning with digits (i.e., 0\-9) must be quoted. If a zone does not have its own policy -then the "default" policy applies. +then the \(dqdefault\(dq policy applies. .UNINDENT .UNINDENT .sp 
@@ -200,7 +200,7 @@ The key algorithm. If no policy is defined, the default is RSASHA256. The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. This can be represented as a number of seconds, or as a duration -using human\-readable units (examples: "1y" or "6 months"). A default +using human\-readable units (examples: \(dq1y\(dq or \(dq6 months\(dq). A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months. @@ -218,7 +218,7 @@ Specifies the directory in which keys should be stored. .INDENT 0.0 .INDENT 3.5 Specifies the number of bits to use in creating keys. The keytype is -either "zsk" or "ksk". A default value for this option can be set in +either \(dqzsk\(dq or \(dqksk\(dq. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 2048 bits for RSA keys. .UNINDENT @@ -236,7 +236,7 @@ The key TTL. If no policy is defined, the default is one hour. .INDENT 3.5 How long after inactivation a key should be deleted from the zone. Note: If \fBroll\-period\fP is not set, this value is ignored. The -keytype is either "zsk" or "ksk". A default duration for this option +keytype is either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. .UNINDENT 
@@ -247,7 +247,7 @@ policies. The default is one month.
 .INDENT 3.5
 How long before activation a key should be published. Note: If \fBroll\-period\fP is not set, this value is ignored. The keytype is
-either "zsk" or "ksk". A default duration for this option can be set
+either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set
 in algorithm policies as well as in policy classes or zone policies. The default is one month.
 .UNINDENT
@@ -257,7 +257,7 @@ The default is one month.
 .INDENT 0.0
 .INDENT 3.5
 How frequently keys should be rolled over. The keytype is either
-"zsk" or "ksk". A default duration for this option can be set in
+\(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in
 algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is one year for ZSKs. KSKs do not roll over by default.
diff --git a/external/mpl/bind/dist/doc/man/dnssec-signzone.8in b/external/mpl/bind/dist/doc/man/dnssec-signzone.8in
index 4ae4e1e86d32..d9599a488cf7 100644
--- a/external/mpl/bind/dist/doc/man/dnssec-signzone.8in
+++ b/external/mpl/bind/dist/doc/man/dnssec-signzone.8in
@@ -182,8 +182,8 @@ less congestion than if all validators need to refetch at around the same time.
 .TP
 .B \fB\-L serial\fP
-When writing a signed zone to "raw" or "map" format, this option sets the "source
-serial" value in the header to the specified \fBserial\fP number. (This is
+When writing a signed zone to \(dqraw\(dq or \(dqmap\(dq format, this option sets the \(dqsource
+serial\(dq value in the header to the specified \fBserial\fP number. (This is
 expected to be used primarily for testing purposes.)
 .TP
 .B \fB\-n ncpus\fP
@@ -248,7 +248,7 @@ period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The \fB\-Q\fP option forces \fBdnssec\-signzone\fP to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in
-\fI\%RFC 4641#4.2.1.1\fP ("Pre\-Publish Key Rollover").
+\fI\%RFC 4641#4.2.1.1\fP (\(dqPre\-Publish Key Rollover\(dq).
 .TP
 .B \fB\-q\fP
 This option enables quiet mode, which suppresses unnecessary output. Without this option, when
@@ -263,8 +263,8 @@ This option removes signatures from keys that are no longer published. This option is similar to \fB\-Q\fP, except it forces \fBdnssec\-signzone\fP to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in
-\fI\%RFC 4641#4.2.1.2\fP ("Double Signature Zone Signing Key
-Rollover").
+\fI\%RFC 4641#4.2.1.2\fP (\(dqDouble Signature Zone Signing Key
+Rollover\(dq).
 .TP
 .B \fB\-S\fP
 This option enables smart signing, which instructs \fBdnssec\-signzone\fP to search the key
diff --git a/external/mpl/bind/dist/doc/man/filter-aaaa.8in b/external/mpl/bind/dist/doc/man/filter-aaaa.8in
index 2061fdbd8d31..b4ef9462e061 100644
--- a/external/mpl/bind/dist/doc/man/filter-aaaa.8in
+++ b/external/mpl/bind/dist/doc/man/filter-aaaa.8in
@@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 filter-aaaa \- filter AAAA in DNS responses when A is present
 .SH SYNOPSIS
 .sp
-\fBplugin query\fP "filter\-aaaa.so" [{ parameters }];
+\fBplugin query\fP \(dqfilter\-aaaa.so\(dq [{ parameters }];
 .SH DESCRIPTION
 .sp
 \fBfilter\-aaaa.so\fP is a query plugin module for \fBnamed\fP, enabling
@@ -48,7 +48,7 @@ enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and
 .sp
 .nf
 .ft C
-plugin query "/usr/local/lib/filter\-aaaa.so" {
+plugin query \(dq/usr/local/lib/filter\-aaaa.so\(dq {
 filter\-aaaa\-on\-v4 yes; filter\-aaaa\-on\-v6 yes; filter\-aaaa { 192.0.2.1; 2001:db8:2::1; };
diff --git a/external/mpl/bind/dist/doc/man/host.1in b/external/mpl/bind/dist/doc/man/host.1in
index 4f90de3ebcab..0747ded82982 100644
--- a/external/mpl/bind/dist/doc/man/host.1in
+++ b/external/mpl/bind/dist/doc/man/host.1in
@@ -56,11 +56,11 @@ This option specifies that only IPv4 should be used for query transport. See als
 This option specifies that only IPv6 should be used for query transport. See also the \fB\-4\fP option.
 .TP
 .B \fB\-a\fP
-The \fB\-a\fP ("all") option is normally equivalent to \fB\-v \-t ANY\fP\&. It
+The \fB\-a\fP (\(dqall\(dq) option is normally equivalent to \fB\-v \-t ANY\fP\&. It
 also affects the behavior of the \fB\-l\fP list zone option.
 .TP
 .B \fB\-A\fP
-The \fB\-A\fP ("almost all") option is equivalent to \fB\-a\fP, except that RRSIG,
+The \fB\-A\fP (\(dqalmost all\(dq) option is equivalent to \fB\-a\fP, except that RRSIG,
 NSEC, and NSEC3 records are omitted from the output.
 .TP
 .B \fB\-c class\fP
@@ -146,7 +146,7 @@ can also be enabled by setting the \fBdebug\fP option in This option prints the version number and exits.
 .TP
 .B \fB\-w\fP
-This option sets "wait forever": the query timeout is set to the maximum possible. See
+This option sets \(dqwait forever\(dq: the query timeout is set to the maximum possible. See
 also the \fB\-W\fP option.
 .TP
 .B \fB\-W wait\fP
diff --git a/external/mpl/bind/dist/doc/man/mdig.1in b/external/mpl/bind/dist/doc/man/mdig.1in
index 1191da58e338..8ad1858ef056 100644
--- a/external/mpl/bind/dist/doc/man/mdig.1in
+++ b/external/mpl/bind/dist/doc/man/mdig.1in
@@ -45,9 +45,9 @@ all queries. Responses are displayed in the order in which they are received, not in the order the corresponding queries were sent.
 .sp
 \fBmdig\fP options are a subset of the \fBdig\fP options, and are divided
-into "anywhere options," which can occur anywhere, "global options," which
+into \(dqanywhere options,\(dq which can occur anywhere, \(dqglobal options,\(dq which
 must occur before the query name (or they are ignored with a warning),
-and "local options," which apply to the next query on the command line.
+and \(dqlocal options,\(dq which apply to the next query on the command line.
 .sp
 The \fB@server\fP option is a mandatory global option. It is the name or IP address of the name server to query. (Unlike \fBdig\fP, this value is not
@@ -96,8 +96,8 @@ This option forces \fBmdig\fP to only use IPv6 query transport.
 .B \fB\-b address\fP
 This option sets the source IP address of the query to \fBaddress\fP\&. This must be a valid address on one of the host\(aqs network
-interfaces or "0.0.0.0" or "::". An optional port may be specified by
-appending "#"
+interfaces or \(dq0.0.0.0\(dq or \(dq::\(dq. An optional port may be specified by
+appending \(dq#\(dq
 .TP
 .B \fB\-m\fP
 This option enables memory usage debugging.
@@ -150,7 +150,7 @@ This option toggles the display of cryptographic fields in DNSSEC records. The contents of these fields are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted,
-they are replaced by the string "[omitted]"; in the DNSKEY case, the
+they are replaced by the string \(dq[omitted]\(dq; in the DNSKEY case, the
 key ID is displayed as the replacement, e.g., \fB[ key id = value ]\fP\&.
 .TP
 .B \fB+dscp[=value]\fP
@@ -193,13 +193,13 @@ This option displays [or does not display] the TTL when printing the record.
 .TP
 .B \fB+[no]ttlunits\fP
 This option displays [or does not display] the TTL in friendly human\-readable time
-units of "s", "m", "h", "d", and "w", representing seconds, minutes,
+units of \(dqs\(dq, \(dqm\(dq, \(dqh\(dq, \(dqd\(dq, and \(dqw\(dq, representing seconds, minutes,
 hours, days, and weeks. This implies +ttlid.
 .TP
 .B \fB+[no]vc\fP
 This option uses [or does not use] TCP when querying name servers. This alternate syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
-\fBvc\fP stands for "virtual circuit".
+\fBvc\fP stands for \(dqvirtual circuit\(dq.
 .UNINDENT
 .SH LOCAL OPTIONS
 .INDENT 0.0
@@ -207,13 +207,13 @@ syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The
 .B \fB\-c class\fP
 This option sets the query class to \fBclass\fP\&. It can be any valid query class which is supported in BIND 9. The default query class is
-"IN".
+\(dqIN\(dq.
 .TP
 .B \fB\-t type\fP
 This option sets the query type to \fBtype\fP\&. It can be any valid
-query type which is supported in BIND 9. The default query type is "A",
+query type which is supported in BIND 9. The default query type is \(dqA\(dq,
 unless the \fB\-x\fP option is supplied to indicate a reverse lookup with
-the "PTR" query type.
+the \(dqPTR\(dq query type.
 .TP
 .B \fB\-x addr\fP
 Reverse lookups \- mapping addresses to names \- are simplified by
diff --git a/external/mpl/bind/dist/doc/man/named-checkconf.8in b/external/mpl/bind/dist/doc/man/named-checkconf.8in
index e8899ffc23b7..a54628eee29e 100644
--- a/external/mpl/bind/dist/doc/man/named-checkconf.8in
+++ b/external/mpl/bind/dist/doc/man/named-checkconf.8in
@@ -59,7 +59,7 @@ This option lists all the configured zones. Each line of output contains the zon name, class (e.g. IN), view, and type (e.g. primary or secondary).
 .TP
 .B \fB\-c\fP
-This option specifies that only the "core" configuration should be checked. This suppresses the loading of
+This option specifies that only the \(dqcore\(dq configuration should be checked. This suppresses the loading of
 plugin modules, and causes all parameters to \fBplugin\fP statements to be ignored.
 .TP
diff --git a/external/mpl/bind/dist/doc/man/named-checkzone.8in b/external/mpl/bind/dist/doc/man/named-checkzone.8in
index 0f39c75b0d30..3eff3d8aed63 100644
--- a/external/mpl/bind/dist/doc/man/named-checkzone.8in
+++ b/external/mpl/bind/dist/doc/man/named-checkzone.8in
@@ -119,8 +119,8 @@ TTL higher than this value causes the zone to be rejected. This is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
 .TP
 .B \fB\-L serial\fP
-When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the "source
-serial" value in the header to the specified serial number. This is
+When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource
+serial\(dq value in the header to the specified serial number. This is
 expected to be used primarily for testing purposes.
 .TP
 .B \fB\-m mode\fP
diff --git a/external/mpl/bind/dist/doc/man/named-compilezone.8in b/external/mpl/bind/dist/doc/man/named-compilezone.8in
index 76cac706b3f4..493223e7c24b 100644
--- a/external/mpl/bind/dist/doc/man/named-compilezone.8in
+++ b/external/mpl/bind/dist/doc/man/named-compilezone.8in
@@ -121,8 +121,8 @@ TTL higher than this value causes the zone to be rejected. This is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&.
 .TP
 .B \fB\-L serial\fP
-When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the "source
-serial" value in the header to the specified serial number. This is
+When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource
+serial\(dq value in the header to the specified serial number. This is
 expected to be used primarily for testing purposes.
 .TP
 .B \fB\-m mode\fP
diff --git a/external/mpl/bind/dist/doc/man/nsec3hash.8in b/external/mpl/bind/dist/doc/man/nsec3hash.8in
index d73b66ec7f03..32d85d1057d6 100644
--- a/external/mpl/bind/dist/doc/man/nsec3hash.8in
+++ b/external/mpl/bind/dist/doc/man/nsec3hash.8in
@@ -55,7 +55,7 @@ This is the salt provided to the hash algorithm.
 .B \fBalgorithm\fP
 This is a number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number
-1; consequently "1" is the only useful value for this argument.
+1; consequently \(dq1\(dq is the only useful value for this argument.
 .TP
 .B \fBflags\fP
 This is provided for compatibility with NSEC3 record presentation format, but
diff --git a/external/mpl/bind/dist/doc/man/rndc.8in b/external/mpl/bind/dist/doc/man/rndc.8in
index 71636fb0dcc0..dba9922fb2d4 100644
--- a/external/mpl/bind/dist/doc/man/rndc.8in
+++ b/external/mpl/bind/dist/doc/man/rndc.8in
@@ -136,7 +136,7 @@ after a restart. This sample \fBaddzone\fP command adds the zone \fBexample.com\fP to the default view:
 .sp
-\fBrndc addzone example.com \(aq{ type master; file "example.com.db"; };\(aq\fP
+\fBrndc addzone example.com \(aq{ type master; file \(dqexample.com.db\(dq; };\(aq\fP
 .sp
 (Note the brackets around and semi\-colon after the zone configuration text.)
@@ -162,7 +162,7 @@ recreated. To remove it permanently, it must also be removed from See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
 .TP
 \fBdnssec\fP ( \fB\-status\fP | \fB\-rollover\fP \fB\-key\fP id [\fB\-alg\fP \fIalgorithm\fP] [\fB\-when\fP \fItime\fP] | \fB\-checkds\fP [\fB\-key\fP \fIid\fP [\fB\-alg\fP \fIalgorithm\fP]] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]]
-This command allows you to interact with the "dnssec\-policy" of a given
+This command allows you to interact with the \(dqdnssec\-policy\(dq of a given
 zone.
 .sp
 \fBrndc dnssec \-status\fP show the DNSSEC signing state for the specified
@@ -183,12 +183,16 @@ argument \fB\-when time\fP, where \fBtime\fP is expressed in YYYYMMDDHHMMSS notation.
 .TP
 \fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] )
-This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows
+This command closes and re\-opens DNSTAP output files.
+.sp
+\fBrndc dnstap \-reopen\fP allows
 the output file to be renamed externally, so that \fBnamed\fP can
-truncate and re\-open it. \fBrndc dnstap \-roll\fP causes the output file
+truncate and re\-open it.
+.sp
+\fBrndc dnstap \-roll\fP causes the output file
 to be rolled automatically, similar to log files. The most recent
-output file has ".0" appended to its name; the previous most recent
-output file is moved to ".1", and so on. If \fBnumber\fP is specified, then
+output file has \(dq.0\(dq appended to its name; the previous most recent
+output file is moved to \(dq.1\(dq, and so on. If \fBnumber\fP is specified, then
 the number of backup log files is limited to that number.
 .TP
 \fBdumpdb\fP [\fB\-all\fP | \fB\-cache\fP | \fB\-zones\fP | \fB\-adb\fP | \fB\-bad\fP | \fB\-expired\fP | \fB\-fail\fP] [\fIview ...\fP]
@@ -237,11 +241,11 @@ incrementally re\-sign over time.
 .sp
 This command requires that the zone be configured with a \fBdnssec\-policy\fP, or that the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the
-zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in
+zone to be configured to allow dynamic DNS. (See \(dqDynamic Update Policies\(dq in
 the Administrator Reference Manual for more details.)
 .TP
 .B \fBmanaged\-keys\fP (\fIstatus\fP | \fIrefresh\fP | \fIsync\fP | \fIdestroy\fP) [\fIclass\fP [\fIview\fP]]
-This command inspects and controls the "managed\-keys" database which handles
+This command inspects and controls the \(dqmanaged\-keys\(dq database which handles
 \fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these commands are applied to that view; otherwise, they are applied to all views.
@@ -461,7 +465,7 @@ zone is automatically re\-signed with the new key set. This command requires that the zone be configured with a \fBdnssec\-policy\fP, or that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP, and also requires the zone to be configured to allow dynamic DNS. (See
-"Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more
+\(dqDynamic Update Policies\(dq in the BIND 9 Administrator Reference Manual for more
 details.)
 .sp
 See also \fBrndc loadkeys\fP\&.
@@ -538,7 +542,7 @@ See also \fBrndc halt\fP\&.
 .TP
 \fBsync\fP \fB\-clean\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
 This command syncs changes in the journal file for a dynamic zone to the master
-file. If the "\-clean" option is specified, the journal file is also
+file. If the \(dq\-clean\(dq option is specified, the journal file is also
 removed. If no zone is specified, then all zones are synced.
 .TP
 .B \fBtcp\-timeouts\fP [\fIinitial\fP \fIidle\fP \fIkeepalive\fP \fIadvertised\fP]
@@ -603,7 +607,7 @@ of type \fBredirect\fP\&. Redirect zones are always called \fB\&.\fP, and can be confused with zones of type \fBhint\fP or with secondary copies of the root zone. To specify a redirect zone, use the special zone name \fB\-redirect\fP, without a trailing period. (With a trailing period, this
-would specify a zone called "\-redirect".)
+would specify a zone called \(dq\-redirect\(dq.)
 .SH LIMITATIONS
 .sp
 There is currently no way to provide the shared secret for a \fBkey_id\fP
diff --git a/external/mpl/bind/dist/doc/man/rndc.conf.5in b/external/mpl/bind/dist/doc/man/rndc.conf.5in
index 059abf060f16..54a0847930d0 100644
--- a/external/mpl/bind/dist/doc/man/rndc.conf.5in
+++ b/external/mpl/bind/dist/doc/man/rndc.conf.5in
@@ -136,7 +136,7 @@ server testserver {
 .ft C
 key samplekey {
 algorithm hmac\-sha256;
- secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+ secret \(dq6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz\(dq;
 };
 .ft P
 .fi
@@ -149,7 +149,7 @@ key samplekey {
 .ft C
 key testkey {
 algorithm hmac\-sha256;
- secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
+ secret \(dqR3HI8P6BKw9ZwXwN3VZKuQ==\(dq;
 };
 .ft P
 .fi
@@ -157,15 +157,15 @@ key testkey {
 .UNINDENT
 .sp
 In the above example, \fBrndc\fP by default uses the server at
-localhost (127.0.0.1) and the key called "samplekey". Commands to the
-localhost server use the "samplekey" key, which must also be defined
+localhost (127.0.0.1) and the key called \(dqsamplekey\(dq. Commands to the
+localhost server use the \(dqsamplekey\(dq key, which must also be defined
 in the server\(aqs configuration file with the same name and secret. The
-key statement indicates that "samplekey" uses the HMAC\-SHA256 algorithm
+key statement indicates that \(dqsamplekey\(dq uses the HMAC\-SHA256 algorithm
 and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes.
 .sp
 If \fBrndc \-s testserver\fP is used, then \fBrndc\fP connects to the server
-on localhost port 5353 using the key "testkey".
+on localhost port 5353 using the key \(dqtestkey\(dq.
 .sp
 To generate a random secret with \fBrndc\-confgen\fP:
 .sp
@@ -177,7 +177,7 @@ is written to the standard output. Commented\-out \fBkey\fP and
 .sp
 To generate a base\-64 secret with \fBmmencode\fP:
 .sp
-\fBecho "known plaintext for a secret" | mmencode\fP
+\fBecho \(dqknown plaintext for a secret\(dq | mmencode\fP
 .SH NAME SERVER CONFIGURATION
 .sp
 The name server must be configured to accept rndc connections and to
diff --git a/external/mpl/bind/dist/doc/man/tsig-keygen.8in b/external/mpl/bind/dist/doc/man/tsig-keygen.8in
index bd45eb4faa66..e0949026baf2 100644
--- a/external/mpl/bind/dist/doc/man/tsig-keygen.8in
+++ b/external/mpl/bind/dist/doc/man/tsig-keygen.8in
@@ -48,7 +48,7 @@ of the generated key. If no name is specified, the default is \fBtsig\-key\fP\&. This option specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and hmac\-sha512. The default is hmac\-sha256. Options are
-case\-insensitive, and the "hmac\-" prefix may be omitted.
+case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted.
 .TP
 .B \fB\-h\fP
 This option prints a short summary of options and arguments.
diff --git a/external/mpl/bind/dist/doc/notes/notes-9.16.38.rst b/external/mpl/bind/dist/doc/notes/notes-9.16.38.rst
new file mode 100644
index 000000000000..8d20794dcfc6
--- /dev/null
+++ b/external/mpl/bind/dist/doc/notes/notes-9.16.38.rst
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.38
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+ reconfig`` could cause increased memory consumption due to delayed
+ cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+ NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+ ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/external/mpl/bind/dist/doc/notes/notes-9.16.39.rst b/external/mpl/bind/dist/doc/notes/notes-9.16.39.rst
new file mode 100644
index 000000000000..4e88a9dbdbd7
--- /dev/null
+++ b/external/mpl/bind/dist/doc/notes/notes-9.16.39.rst
@@ -0,0 +1,60 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.39
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- libuv support for receiving multiple UDP messages in a single
+ ``recvmmsg()`` system call has been tweaked several times between
+ libuv versions 1.35.0 and 1.40.0; the current recommended libuv
+ version is 1.40.0 or higher. New rules are now in effect for running
+ with a different version of libuv than the one used at compilation
+ time. These rules may trigger a fatal error at startup:
+
+ - Building against or running with libuv versions 1.35.0 and 1.36.0 is
+ now a fatal error.
+
+ - Running with libuv version higher than 1.34.2 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.34.2 or lower.
+
+ - Running with libuv version higher than 1.39.0 is now a fatal error
+ when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
+ 1.38.1, or 1.39.0.
+
+ This prevents the use of libuv versions that may trigger an assertion
+ failure when receiving multiple UDP messages in a single system call.
+ :gl:`#3840`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash with an assertion failure when adding a
+ new zone into the configuration file for a name which was already
+ configured as a member zone for a catalog zone. This has been fixed.
+ :gl:`#3911`
+
+- When :iscman:`named` starts up, it sends a query for the DNSSEC key
+ for each configured trust anchor to determine whether the key has
+ changed.
In some unusual cases, the query might depend on a zone for
+ which the server is itself authoritative, and would have failed if it
+ were sent before the zone was fully loaded. This has now been fixed by
+ delaying the key queries until all zones have finished loading.
+ :gl:`#3673`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/external/mpl/bind/dist/doc/notes/notes-9.16.40.rst b/external/mpl/bind/dist/doc/notes/notes-9.16.40.rst
new file mode 100644
index 000000000000..caa2e61a05af
--- /dev/null
+++ b/external/mpl/bind/dist/doc/notes/notes-9.16.40.rst
@@ -0,0 +1,32 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.40
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Logfiles using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by ``versions``.
+ This has been fixed for configurations which do not explicitly specify
+ a directory path as part of the ``file`` argument in the ``channel``
+ specification. :gl:`#3959` :gl:`#3991`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records
+ has been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/external/mpl/bind/dist/doc/notes/notes-9.16.41.rst b/external/mpl/bind/dist/doc/notes/notes-9.16.41.rst
new file mode 100644
index 000000000000..24f2cb82671c
--- /dev/null
+++ b/external/mpl/bind/dist/doc/notes/notes-9.16.41.rst
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.41
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When removing delegations from an opt-out range, empty-non-terminal
+ NSEC3 records generated by those delegations were not cleaned up. This
+ has been fixed. :gl:`#4027`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/external/mpl/bind/dist/doc/notes/notes-9.16.42.rst b/external/mpl/bind/dist/doc/notes/notes-9.16.42.rst
new file mode 100644
index 000000000000..85b0edeabd28
--- /dev/null
+++ b/external/mpl/bind/dist/doc/notes/notes-9.16.42.rst
@@ -0,0 +1,45 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.42
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache
+ from significantly exceeding the configured ``max-cache-size`` limit.
+ (CVE-2023-2828)
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to
+ refresh the stale data in cache. If the fetch is aborted for exceeding
+ the recursion quota, it was possible for :iscman:`named` to enter an
+ infinite callback loop and crash due to stack overflow. This has been
+ fixed. (CVE-2023-2911) :gl:`#4089`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, it was possible for a delegation from cache to be returned
+ to the client after the ``stale-answer-client-timeout`` duration.
+ This has been fixed. :gl:`#3950`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff --git a/external/mpl/bind/dist/lib/dns/win32/libdns.def.in b/external/mpl/bind/dist/lib/dns/win32/libdns.def.in
index 6db74498e3d2..5c0ba7c45101 100644
--- a/external/mpl/bind/dist/lib/dns/win32/libdns.def.in
+++ b/external/mpl/bind/dist/lib/dns/win32/libdns.def.in
@@ -1139,6 +1139,7 @@ dns_view_initsecroots
 dns_view_iscacheshared
 dns_view_isdelegationonly
 dns_view_issecuredomain
+dns_view_istrusted
 dns_view_load
 dns_view_loadnta
 dns_view_ntacovers
diff --git a/external/mpl/bind/dist/lib/isc/win32/libisc.def.in b/external/mpl/bind/dist/lib/isc/win32/libisc.def.in
index a98ae707c673..0ee055d0a24d 100644
--- a/external/mpl/bind/dist/lib/isc/win32/libisc.def.in
+++ b/external/mpl/bind/dist/lib/isc/win32/libisc.def.in
@@ -647,6 +647,7 @@ isc_task_sendto
 isc_task_sendtoanddetach
 isc_task_setname
 isc_task_setprivilege
+isc_task_setquantum
 isc_task_shutdown
 isc_task_unpause
 isc_task_unsend
@@ -699,9 +700,8 @@ isc_time_seconds
 isc_time_set
 isc_time_settoepoch
 isc_time_subtract
-isc_timer_attach
 isc_timer_create
-isc_timer_detach
+isc_timer_destroy
 isc_timer_gettype
 isc_timer_reset
 isc_timer_touch
diff --git a/external/mpl/bind/dist/sonar-project.properties b/external/mpl/bind/dist/sonar-project.properties
new file mode 100644
index 000000000000..e88ed296d36a
--- /dev/null
+++ b/external/mpl/bind/dist/sonar-project.properties
@@ -0,0 +1,2 @@
+sonar.projectKey=isc-projects_bind9
+sonar.organization=isc-projects
diff --git a/external/mpl/bind/dist/srcid b/external/mpl/bind/dist/srcid
index 948e68dc8a32..fd25ca35a6d6 100644
--- a/external/mpl/bind/dist/srcid
+++ b/external/mpl/bind/dist/srcid
@@ -1 +1 @@
-SRCID=2b2afb2
+SRCID=a62d1bd
diff --git a/external/mpl/bind/dist/version b/external/mpl/bind/dist/version
index 8b47c66ab26a..c8234484c213 100644
--- a/external/mpl/bind/dist/version
+++ b/external/mpl/bind/dist/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Extended Support Version)"
 MAJORVER=9
 MINORVER=16
-PATCHVER=37
+PATCHVER=42
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=