mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00

43778 Commits

Author SHA1 Message Date
Evan Hunt
a37afc3bb1 fix: usr: Use IPv6 queries in delv +ns
`delv +ns` invokes the same code to perform name resolution as `named`,
but it neglected to set up an IPv6 dispatch object first. Consequently,
it was behaving more like `named -4`. It now sets up dispatch objects
for both address families, and performs resolver queries to both v4 and v6
addresses, except when one of the address families has been suppressed
by using `delv -4` or `delv -6`.

Closes #5352

Merge branch '5352-delv-ipv6' into 'main'

See merge request isc-projects/bind9!10563
2025-06-13 03:12:18 +00:00
Evan Hunt
d29f1d1710 add tests for 'delv +ns -4' and '-6'
check that `delv +ns` sends iterative queries over both address
families when -4 and -6 are not used, and suppresses queries
appropriately when they are.
2025-06-12 19:44:21 -07:00
Evan Hunt
70ce3136bd Use ipv6 queries in delv +ns
`delv +ns` invokes the same code to perform name resolution as `named`,
but it neglected to set up an IPv6 dispatch object first. Consequently,
it was behaving more like `named -4`.

It now sets up dispatch objects for both address families, and performs
resolver queries to both v4 and v6 addresses, except when one of the
address families has been suppressed by using `delv -4` or `delv -6`.
2025-06-12 19:44:21 -07:00
Evan Hunt
9e34528393 fix: dev: Remove zone keyopts field
The "keyopts" field of the dns_zone object was added to support
"auto-dnssec"; at that time the "options" field already had most of
its 32 bits in use by other flags, so it made sense to add a new
field.

Since then, "options" has been widened to 64 bits, and "auto-dnssec"
has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no
longer needed. The one that still seems useful (_FULLSIGN) has been
moved into DNS_ZONEOPT and the rest have been removed, along with
"keyopts" and its setter/getter functions.

Merge branch 'each-cleanup-zonekey-opts' into 'main'

See merge request isc-projects/bind9!10564
2025-06-13 02:43:30 +00:00
Evan Hunt
d586c29069 Remove zone keyopts field
The "keyopts" field of the dns_zone object was added to support
"auto-dnssec"; at that time the "options" field already had most of
its 32 bits in use by other flags, so it made sense to add a new
field.

Since then, "options" has been widened to 64 bits, and "auto-dnssec"
has been obsoleted and removed. Most of the DNS_ZONEKEY flags are no
longer needed. The one that still seems useful (_FULLSIGN) has been
moved into DNS_ZONEOPT and the rest have been removed, along with
"keyopts" and its setter/getter functions.
2025-06-12 18:29:29 -07:00
Evan Hunt
b1a8938d1a fix: dev: Clean up CFG_ZONE_DELEGATION
`type delegation-only` has been obsolete for some time
(see #3953) but the zone type flag for it was still defined
in libisccfg. It has now been removed.

Merge branch 'each-cleanup-delegation' into 'main'

See merge request isc-projects/bind9!10558
2025-06-13 01:28:42 +00:00
Evan Hunt
1a24dfcddf Clean up CFG_ZONE_DELEGATION
"type delegation-only" has been obsolete for some time
(see #3953) but the zone type flag for it was still defined
in libisccfg. It has now been removed.
2025-06-12 17:46:14 -07:00
Aydın Mercan
0c7a54095f new: dev: replace the build system with meson
This MR replaces the build system with meson.

Speed: Meson is noticeably faster to set up and build than automake/autoconf.
The improvements will likely add up in CI and development over time.

Readability: Readability is a subjective criterion but meson is generally regarded as easier to read compared to CMake and automake/autoconf.

Developer Ergonomics: Meson produces a compilation database, doesn't require libtool wrapping of executables/debuggers and offers JSON based build introspection.

WrapDB and downloading dependencies is a non-issue for us since it requires writing wrap files explicitly and has been disabled by default via the `wrap_mode=nofallback` project option as a measure.

Merge branch 'aydin/meson-experiment' into 'main'

See merge request isc-projects/bind9!8989
2025-06-11 08:01:15 +00:00
Aydın Mercan
5cd6c173ff replace the build system with meson
Meson is a modern build system that has seen a rise in adoption and some
version of it is available in almost every platform supported.

Compared to automake, meson has the following advantages:

* Meson provides a significant boost to the build and configuration time
  by better exploiting parallelism.

* Meson is subjectively considered to be better in readability.

These merits alone justify experimenting with meson as a way of
improving development time and ergonomics. However, there are some
compromises to ensure the transition goes relatively smoothly:

* The system tests currently rely on various files within the source
  directory. Changing this requirement is a non-trivial task that can't
  be currently justified. Currently the last compiled build directory
  writes into the source tree which is in turn used by pytest.

* The minimum version supported has been fixed at 0.61. Increasing this
  value will require choosing a baseline of distributions that can
  package with meson. On the contrary, there will likely be an attempt
  to decrease this value to ensure almost universal support for building
  BIND 9 with meson.
2025-06-11 10:30:12 +03:00
Michal Nowak
24026bae48 chg: doc: Set up version for BIND 9.21.10
Merge branch 'mnowak/set-up-version-for-bind-9.21.10' into 'main'

See merge request isc-projects/bind9!10567
2025-06-11 07:23:17 +00:00
Michal Nowak
50cc787d06 Update BIND version to 9.21.10-dev 2025-06-11 09:05:07 +02:00
Michal Nowak
514753e09f Update BIND version for release v9.21.9 2025-06-06 10:57:23 +02:00
Michal Nowak
467dfd6fad new: doc: Prepare documentation for BIND 9.21.9
Merge branch 'mnowak/prepare-documentation-for-bind-9.21.9' into 'v9.21.9-release'

See merge request isc-private/bind9!805
2025-06-06 08:53:23 +00:00
Michal Nowak
62d04402c9 Tweak and reword release notes 2025-06-06 10:38:08 +02:00
Michal Nowak
c5840384cb Prepare release notes for BIND 9.21.9 2025-06-05 12:01:37 +02:00
Michal Nowak
26f3f74c6c Generate changelog for BIND 9.21.9 2025-06-05 11:58:49 +02:00
Ondřej Surý
59585e2294 fix: dev: Try to skip lock on fully lower names
If the name is fully lowercase, we don't need to access the case bitmap in order to set the case. Therefore, we can check for the FULLYLOWERCASE flag using only atomic operations, and skip a lock in the hot path, provided we clear the FULLYLOWERCASE flag before changing the case bitmap.

Merge branch 'alessio/skip-lock-on-fully-lower-names' into 'main'

See merge request isc-projects/bind9!10497
2025-06-04 10:48:18 +00:00
Alessio Podda
4a6d7eb4f3 Try to skip lock on fully lower names
If the name is fully lowercase, we don't need to access the case bitmap
in order to set the case. Therefore, we can check for the FULLYLOWERCASE
flag using only atomic operations, and skip a lock in the hot path,
provided we clear the FULLYLOWERCASE flag before changing the case
bitmap.
2025-06-04 10:48:08 +00:00
Arаm Sаrgsyаn
b814434836 new: usr: Redesign the unreachable primaries cache
Previously, the cache for the unreachable primary servers was limited
to 10 entries (LRU) and a fixed 10 minutes delay for each entry, unless
removed forcibly by a new entry. The cache is now redesigned to remove the
10 entry limitation and to introduce delay values with exponential
backoff time - initially an unreachable primary server is cached as
being unreachable for 10 seconds, but each time the cache entry is expired
and the same server is added again during the eligibility period of the next
120 seconds, the delay time is doubled, up to the maximum of 640
seconds.

Closes #3992

Merge branch '3992-unreachable-cache-redesign' into 'main'

See merge request isc-projects/bind9!10393
2025-06-04 10:22:38 +00:00
Aram Sargsyan
0f2fba46ad Document the new unreachable cache behavior
Update the documentation to include information about how the cache's
exponential backoff works, and how to clear the cache.
2025-06-04 09:16:35 +00:00
Aram Sargsyan
14915b0241 Redesign the unreachable primaries cache
The cache for unreachable primaries was added to BIND 9 in 2006 via
1372e172d0e0b08996376b782a9041d1e3542489. It features a 10-slot LRU
array with 600 seconds (10 minutes) fixed delay. During this time, any
primary with a hiccup would be blocked for the whole block duration
(unless overwritten by a different entry).

As this design is not very flexible (i.e. the fixed delay and the fixed
amount of the slots), redesign it based on the badcache.c module, which
was implemented earlier for a similar mechanism.

The differences between the new code and the badcache module were large
enough to create a new module instead of trying to make the badcache
module universal, which could complicate the implementation.

The new design implements an exponential backoff for entries which are
added again soon after expiring, i.e. the next expiration happens in
double the amount of time of the previous expiration, but in no more
time than the defined maximum value.

The initial and the maximum expiration values are hard-coded, but, if
required, it should be trivial to implement configurable knobs.
2025-06-04 09:16:35 +00:00
Colin Vidal
bb1458460b fix: dev: initialize queryonacl dns_view_t property
A dns_view_t has a queryonacl property, which is supposed to hold the
ACL matching the configuration "allow-query-on". However the code
parsing this configuration ACL was missing (or removed by mistake?),
hence this property was always NULL. The ACL was still built but
individually for each zone (which checks if the property exists in the
zone definition, view definition, and finally options definition).

We now create the ACL instance at the view level, enabling zones to
share the same (identical) ACL instead of having their own copies.

Merge branch 'colin/view-allowqueryon' into 'main'

See merge request isc-projects/bind9!10551
2025-06-04 08:24:18 +00:00
Colin Vidal
48dc763949 initialize queryonacl dns_view_t property
A dns_view_t has a queryonacl property, which is supposed to hold the
ACL matching the configuration "allow-query-on". However the code
parsing this configuration ACL was missing (or removed by mistake?),
hence this property was always NULL. The ACL was still built but
individually for each zone (which checks if the property exists in the
zone definition, view definition, and finally options definition).

It now creates the ACL instance at the view level, enabling zones to
share the same (identical) ACL instead of having their own copies.
2025-06-04 08:55:23 +02:00
Evan Hunt
93c44ba551 new: usr: Add support for zone templates
To simplify the configuration of multiple similar zones, BIND now supports a zone template mechanism. `template` blocks containing zone options can be defined at the top level of the configuration file; they can then be referenced in `zone` statements. A zone referencing a template will use the options in the specified `template` block as defaults. (Options locally defined in the `zone` statement override the template.)

The filename for a zone can now be generated parametrically from a format specified in the `file` option. The first occurrences of `$name`, `$type` and `$view` in `file` are replaced with the zone origin, the zone type (i.e., primary, secondary, etc), and the view name, respectively.

Primary zones can now take an `initial-file` option, specifying the path to a generic zone file that will be copied into the zone's `file` path when the zone is first loaded, if the `file` does not already exist.

For example, the following template can be used for primary zones:
```
        template primary {
                type primary;
                file "$name.db";
                initial-file "generic.db";
        };
```

With this template in place, a new primary zone could be added using a single `rndc addzone` command:

```
        $ rndc addzone example.com '{ template primary; };'
```

The zone would be created using the filename `example.com.db`, which would be copied into place from `generic.db`.

Closes #2964

Merge branch '2964-zone-templates' into 'main'

See merge request isc-projects/bind9!10407
2025-06-03 19:45:06 +00:00
Evan Hunt
b8f325ae01 Add support for zone templates
A "template" statement can contain the same configuration clauses
as a "zone" statement.  A "zone" statement can now reference a
template, and all the clauses in that template will be used as
default values for the zone. For example:

    template primary {
        type primary;
        file "$name.db";
        initial-file "primary.db";
    };

    zone example.com {
        template primary;
        file "different-name.db"; // overrides the template
    };
2025-06-03 12:03:07 -07:00
Evan Hunt
598ae3f63c Allow zone names to be generated parametrically
Special tokens can now be specified in a zone "file" option
in order to generate the filename parametrically. The first
instance of "$name" in the "file" option is replaced with the
zone origin, the first instance of "$type" is replaced with the
zone type (i.e., primary, secondary, etc), and the first instance
of "$view" is replaced with the view name.

This simplifies the creation of zones using initial-file templates.
For example:

   $ rndc addzone <zonename> \
     { type primary; file "$name.db"; initial-file "template.db"
2025-06-03 12:03:07 -07:00
Evan Hunt
60b129da25 Add zone "initial-file" option
When loading a primary zone for the first time, if the zonefile
does not exist but an "initial-file" option has been set, then a
new file will be copied into place from the path specified by
"initial-file".

This can be used to simplify the process of adding new zones. For
instance, a template zonefile could be used by running:

    $ rndc addzone example.com \
        '{ type primary; file "example.db"; initial-file "template.db"; };'
2025-06-03 12:03:07 -07:00
Evan Hunt
2ad9516a72 fix: dev: Call zone syntax checks when running rndc addzone/modzone
The function that checks zone syntax in libisccfg was previously
only called when loading `named.conf`, not when parsing an
`rndc addzone` or `rndc modzone` command. This has been corrected.

Closes #5338

Merge branch '5338-check-zoneconf' into 'main'

See merge request isc-projects/bind9!10520
2025-06-03 19:01:19 +00:00
Evan Hunt
0b8f943a6a normalize syntax checks between named and libisccfg
there were some duplicated syntax checks in named_zone_configure()
that are no longer needed, now that we perform those same checks
using isccfg_check_zoneconf().

there were also some syntax checks that were *only* in
named_zone_configure(), which have now been moved to
isccfg_check_zoneconf(). test cases for them have been
added to the checkconf system test.
2025-06-03 11:15:54 -07:00
Evan Hunt
2d57c1e737 call zone syntax checks when running rndc addzone/modzone
the function that checks zone syntax in libisccfg was previously
only called when loading named.conf, not when parsing an
"rndc addzone" or "rndc modzone" command. this has been corrected.

note that some checks are still skipped: those that check for
duplication of filenames, key directories, etc.  to fix this, we'd need
to export the symbol tables that are set up when loading named.conf and
preserve them so they could be reused later.
2025-06-03 11:15:40 -07:00
Ondřej Surý
bf6caadd67 fix: dev: Fix builds for the OSS-Fuzz project
Add the `size` argument to the fuzzing version of the `chunk_get_raw()` function.

Merge branch '5353-fix-ossfuzz-build' into 'main'

See merge request isc-projects/bind9!10553
2025-06-03 18:03:51 +00:00
Miltos Allamanis
c04b840260 Fix builds for the OSS-Fuzz project
Since 70b1777d8aef75da1b184fe8155dc818ce66628a was committed the OSS-Fuzz
build was broken because the `chunk_get_raw()` was not updated in the
`FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`-enabled area.  Add the `size`
argument to the fuzzing version of the `chunk_get_raw()` function.
2025-06-03 18:41:45 +02:00
Evan Hunt
7d1cf8f055 fix: test: Prevent .hypothesis artifacts in system test directories
Merge branch 'each-hypothesis-artifacts' into 'main'

See merge request isc-projects/bind9!10518
2025-06-03 07:35:38 +00:00
Evan Hunt
c08e78ef73 Prevent .hypothesis artifacts in system test directories
The "run.sh" script, used by "make test", changes the working
directory to the system test directory before executing pytest.
If the test drops hypothesis artifacts while running, this
can cause spurious test failures due to an apparent mismatch
between the contents of the system test directory and the
temporary pytest directory. This has been addressed by having
"run.sh" call pytest from the parent directory instead.
2025-06-03 07:35:18 +00:00
Mark Andrews
4d5aa1b907 fix: nil: Extend named-rrchecker multi-line parsing support
named-rrchecker now parses the braces which support multi-line input 
from the beginning of the input rather than only when reading the 
data fields of the record.

Closes #5336

Merge branch '5336-extend-named-rrchecker-multiline-support' into 'main'

See merge request isc-projects/bind9!10521
2025-06-03 02:27:03 +00:00
Mark Andrews
5f882f95fe Add various multi-line inputs to named-rrchecker 2025-06-03 00:27:03 +00:00
Mark Andrews
2e1f933d65 Extend named-rrchecker multi-line parsing support
named-rrchecker now parses the braces which support multi-line input
from the beginning of the input rather than only when reading the
data fields of the record.
2025-06-03 00:27:03 +00:00
Mark Andrews
029e17844b fix: nil: Silence potential divide by zero warning in qpmulti.c
Coverity flagged a potential divide by zero error in collect in
qpmulti.c when the elapsed time is zero but that is only called
once the elapsed time is greater than or equal to RUNTIME (1/4
second) so INSIST this is the case.

Closes #5329

Merge branch '5329-potential-divide-by-zero-in-qpmulti-c' into 'main'

See merge request isc-projects/bind9!10519
2025-06-02 23:40:43 +00:00
Mark Andrews
081dbb1108 Silence potential divide by zero warning in qpmulti.c
Coverity flagged a potential divide by zero error in collect in
qpmulti.c when the elapsed time is zero but that is only called
once the elapsed time is greater than or equal to RUNTIME (1/4
second) so INSIST this is the case.
2025-06-02 23:07:31 +00:00
Petr Špaček
9ee1f50de0 chg: ci: Revert Run CI danger job even if user canceled it while it was running
Unexpectedly this broke CI job generator which parses gitlab-ci.yaml
and cannot handle `!reference` YAML tags.

This reverts merge request !10490

Merge branch 'revert-0a1a599f' into 'main'

See merge request isc-projects/bind9!10540
2025-06-02 16:11:51 +00:00
Petr Špaček
304638b0b2 Revert "chg: ci: Run CI danger job even if user canceled it while it was running"
This reverts merge request !10490
2025-06-02 15:58:52 +00:00
Petr Špaček
9c0cfa357b fix: doc: named-rrchecker doc improvements
Merge branch 'pspacek/named-rrchecker-docs' into 'main'

See merge request isc-projects/bind9!10516
2025-06-02 14:20:43 +00:00
Petr Špaček
43c5b9aeb4 Fix link to TXT RRtype specification
The odd-looking "\ " escape is required to italicize <character-string>
without italicizing the final "s". See reStructuredText Markup
Specification, sections "Inline markup recognition rules" and "Escaping
Mechanism". Most importantly:

Escaped whitespace characters are removed from the output document
together with the escaping backslash. This allows for character-level
inline markup.
2025-06-02 14:19:59 +00:00
Petr Špaček
46173778ce Add exhaustive examples for named-rrchecker 2025-06-02 14:19:59 +00:00
Petr Špaček
c986d37f24 Clarify named-rrchecker return codes 2025-06-02 14:19:59 +00:00
Petr Špaček
c440c418db Clarify named-rrchecker command line parameters 2025-06-02 14:19:59 +00:00
Petr Špaček
5c370d9e6b Clarify named-rrchecker input format 2025-06-02 14:19:59 +00:00
Petr Špaček
0a1a599fb5 chg: ci: Run CI danger job even if user canceled it while it was running
Merge branch 'pspacek/always-hazard' into 'main'

See merge request isc-projects/bind9!10490
2025-06-02 11:52:35 +00:00
Petr Špaček
33bc2628b7 Run CI danger job even if user canceled it while it was running
Limitation: The after_script is not executed if the job did not start at
all, i.e. if the user canceled the job before it got onto a runner.
See https://gitlab.com/groups/gitlab-org/-/epics/10158
2025-06-02 11:40:46 +00:00
Michal Nowak
f5585b9e8c chg: test: Use "digit" class instead of character range in rndc_dumpdb()
The tr range did not work on Solaris 11.4. Let's use a class that is
defined in POSIX.

Closes #5326

Merge branch '5326-make-rndc_dumpdb-work-on-solaris' into 'main'

See merge request isc-projects/bind9!10530
2025-06-02 11:03:17 +00:00