Merge branch 'master' of ssh://repo.isc.org/proj/git/prod/bind9

CHANGES

@@ -1,3 +1,14 @@
+3408.	[bug]		Some DNSSEC-related options (update-check-ksk,
+			dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
+			are now legal in slave zones as long as
+			inline-signing is in use. [RT #31078]
+
+3407.	[placeholder]
+
+3406.	[bug]		mem.c: Fix compilation errors when building with
+			ISC_MEM_TRACKLINES or ISC_MEMPOOL_NAMES disabled.
+                        Also, ISC_MEM_DEBUG is no longer optional. [RT #31559]
+
 3405.	[bug]		Handle time going backwards in acache. [RT #31253]
 
 3404.	[bug]		dnssec-signzone: When re-signing a zone, remove

bin/tests/system/checkconf/bad-dnssec.conf

@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+zone not-inline {
+        type slave;
+        masters { 127.0.0.1; };
+        inline-signing no;
+        dnssec-dnskey-kskonly yes;
+        update-check-ksk yes;
+        dnssec-loadkeys-interval 10;
+
+};
+
+zone inline {
+        type slave;
+        masters { 127.0.0.1; };
+        inline-signing yes;
+        dnssec-dnskey-kskonly yes;
+        update-check-ksk yes;
+        dnssec-loadkeys-interval 10;
+};

bin/tests/system/checkconf/tests.sh

@@ -93,5 +93,16 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I: checking options allowed in inline-signing slaves"
+ret=0
+n=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-dnskey-kskonly.*requires inline" | wc -l`
+[ $n -eq 1 ] || ret=1
+n=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "dnssec-loadkeys-interval.*requires inline" | wc -l`
+[ $n -eq 1 ] || ret=1
+n=`$CHECKCONF bad-dnssec.conf 2>&1 | grep "update-check-ksk.*requires inline" | wc -l`
+[ $n -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

doc/arm/Bv9ARM-book.xml

@@ -9874,6 +9874,20 @@ bzone.domain.com        CNAME   garden.example.com.
 ns.domain.com.rpz-nsdname   CNAME   .
 48.zz.2.2001.rpz-nsip       CNAME   .
 </programlisting>
+	  <para>
+            Note: RPZ may impact server performance.  Each configured
+            response policy zone requires the server to perform one to four
+            additional database lookups before a query can be answered.
+            For example, a DNS server with four policy zones, each with all
+            four kinds of response triggers &mdash; QNAME, IP, NSIP, and
+            NSDNAME &mdash; requires a total of 17 times as many database
+            lookups as a similar DNS server with no response policy zones.
+            A <acronym>BIND9</acronym> server with adequate memory and one
+            response policy zone with QNAME and IP triggers might achieve a
+            maximum queries-per-second rate about 20% lower.  A server with
+            four response policy zones with QNAME and IP triggers might
+            have a maximum QPS rate about 50% lower.
+	  </para>
         </sect3>
       </sect2>
 
@@ -10487,6 +10501,9 @@ view "external" {
     <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
     <optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
                   <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
@@ -10539,8 +10556,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
-    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
+    <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
     <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
@@ -10581,11 +10598,18 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
+    <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
+    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
     <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
     <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
+    <optional> key-directory <replaceable>path_name</replaceable>; </optional>
+    <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
+    <optional> inline-signing <replaceable>yes_or_no</replaceable>; </optional>
     <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
 };

lib/bind9/check.c

@@ -1459,9 +1459,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE |
 	  REDIRECTZONE },
-	{ "update-check-ksk", MASTERZONE },
-	{ "dnssec-dnskey-kskonly", MASTERZONE },
-	{ "dnssec-loadkeys-interval", MASTERZONE },
+	{ "update-check-ksk", MASTERZONE | SLAVEZONE },
+	{ "dnssec-dnskey-kskonly", MASTERZONE | SLAVEZONE },
+	{ "dnssec-loadkeys-interval", MASTERZONE | SLAVEZONE },
 	{ "auto-dnssec", MASTERZONE | SLAVEZONE },
 	{ "try-tcp-refresh", SLAVEZONE | STREDIRECTZONE },
 	{ "server-addresses", STATICSTUBZONE },
@@ -1475,7 +1475,6 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "passive", SLAVEZONE | STUBZONE | STREDIRECTZONE },
 	};
 
-
 	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 
 	zoptions = cfg_tuple_get(zconfig, "options");
@@ -1714,6 +1713,33 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 					    0xff00U, 0xffffU);
 			result = ISC_R_FAILURE;
 		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-dnskey-kskonly: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-loadkeys-interval: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == SLAVEZONE && !signing) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "update-check-ksk: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
 	}
 
 	/*

lib/isc/include/isc/mem.h

@@ -39,15 +39,6 @@ typedef void (*isc_mem_water_t)(void *, int);
 typedef void * (*isc_memalloc_t)(void *, size_t);
 typedef void (*isc_memfree_t)(void *, void *);
 
-/*%
- * Define ISC_MEM_DEBUG=1 to make all functions that free memory
- * set the pointer being freed to NULL after being freed.
- * This is the default; set ISC_MEM_DEBUG=0 to disable it.
- */
-#ifndef ISC_MEM_DEBUG
-#define ISC_MEM_DEBUG 1
-#endif
-
 /*%
  * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
  * allocation and freeing by file and line number.
@@ -276,7 +267,6 @@ struct isc_mempool {
 #define ISCAPI_MPOOL_VALID(mp)	((mp) != NULL && \
 				 (mp)->magic == ISCAPI_MPOOL_MAGIC)
 
-#if ISC_MEM_DEBUG
 #define isc_mem_put(c, p, s) \
 	do { \
 		ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE);	\
@@ -297,13 +287,6 @@ struct isc_mempool {
 		ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE);	\
 		(p) = NULL; \
 	} while (0)
-#else
-#define isc_mem_put(c, p, s)	ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_putanddetach(c, p, s) \
-	ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_free(c, p)	ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_put(c, p)	ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE)
-#endif
 
 /*@{*/
 isc_result_t

lib/isc/include/isc/namespace.h

@@ -73,6 +73,7 @@
 #define isc_mem_isovermem isc__mem_isovermem
 #define isc_mem_setname isc__mem_setname
 #define isc_mem_setwater isc__mem_setwater
+#define isc_mem_printactive isc__mem_printactive
 #define isc_mem_printallactive isc__mem_printallactive
 #define isc_mem_waterack isc__mem_waterack
 #define isc_mempool_create isc__mempool_create

lib/isc/mem.c

@@ -202,6 +202,7 @@ struct isc__mempool {
 #if ! ISC_MEM_TRACKLINES
 #define ADD_TRACE(a, b, c, d, e)
 #define DELETE_TRACE(a, b, c, d, e)
+#define ISC_MEMFUNC_SCOPE
 #else
 #define ADD_TRACE(a, b, c, d, e) \
 	do { \
@@ -325,6 +326,7 @@ isc__mem_checkdestroyed(FILE *file);
 ISC_MEMFUNC_SCOPE unsigned int
 isc__mem_references(isc_mem_t *ctx0);
 #endif
+#endif /* ISC_MEM_TRACKLINES */
 
 static struct isc__memmethods {
 	isc_memmethods_t methods;
@@ -395,6 +397,7 @@ static struct isc__mempoolmethods {
 #endif
 };
 
+#if ISC_MEM_TRACKLINES
 /*!
  * mctx must be locked.
  */
@@ -1484,7 +1487,12 @@ isc__mem_stats(isc_mem_t *ctx0, FILE *out) {
 	}
 	while (pool != NULL) {
 		fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
-			pool->name, (unsigned long) pool->size, pool->maxalloc,
+#if ISC_MEMPOOL_NAMES
+			pool->name,
+#else
+			"(not tracked)",
+#endif
+			(unsigned long) pool->size, pool->maxalloc,
 			pool->allocated, pool->freecount, pool->freemax,
 			pool->fillcount, pool->gets,
 			(pool->lock == NULL ? "N" : "Y"));
@@ -2296,16 +2304,16 @@ isc__mem_register() {
 #ifdef BIND9
 ISC_MEMFUNC_SCOPE void
 isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
+#if ISC_MEM_TRACKLINES
 	isc__mem_t *ctx = (isc__mem_t *)ctx0;
 
 	REQUIRE(VALID_CONTEXT(ctx));
 	REQUIRE(file != NULL);
 
-#if !ISC_MEM_TRACKLINES
-	UNUSED(ctx);
-	UNUSED(file);
-#else
 	print_active(ctx, file);
+#else
+	UNUSED(ctx0);
+	UNUSED(file);
 #endif
 }
 
@@ -2331,6 +2339,9 @@ isc__mem_printallactive(FILE *file) {
 
 ISC_MEMFUNC_SCOPE void
 isc__mem_checkdestroyed(FILE *file) {
+#if !ISC_MEM_TRACKLINES
+	UNUSED(file);
+#endif
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
 

util/copyrights

@@ -655,6 +655,7 @@
 ./bin/tests/system/cacheclean/ns2/named.conf	CONF-C	2001,2004,2005,2007,2011
 ./bin/tests/system/cacheclean/tests.sh		SH	2001,2004,2007,2011,2012
 ./bin/tests/system/checkconf/bad-also-notify.conf	CONF-C	2012
+./bin/tests/system/checkconf/bad-dnssec.conf	CONF-C	2012
 ./bin/tests/system/checkconf/bad-many.conf	CONF-C	2005,2012
 ./bin/tests/system/checkconf/bad-tsig.conf	CONF-C	2012
 ./bin/tests/system/checkconf/clean.sh		SH	2011,2012