2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

41735 Commits

Author SHA1 Message Date
Petr Špaček
73b950dc29 Remove milestone check from dangerfile
Milestone is automatically set by 'merged-metadata' CI job to 'Not
released yet' so it does not matter what the original value was.
2024-08-23 07:38:27 +00:00
Petr Špaček
146743d5a3 Remove 'Release notes' label check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.
2024-08-23 07:38:27 +00:00
Petr Špaček
edf0e6415a Remove 'No CHANGES' check from dangerfile
This label is now handled automatically by 'merged-metadata' CI job.
2024-08-23 07:38:27 +00:00
Petr Špaček
d1c64d588b Automatically adjust MR metadata after merge
1. Set milestone to 'Not released yet' after merge
   We will set milestone to actual version number when we actually tag a
   particular version. This will get rid of mass MR reassignment when we
   do last minute changes to a release plan etc.

2. Adjust No CHANGES and Release Notes MR labels to match gitchangelog
   workflow.
2024-08-23 07:38:27 +00:00
Petr Špaček
3165261ecd Mark backports CI job as non-interruptible
Previously CI job for the autobackport bot inherited "interruptible:
true" global configuration. This caused premature termination of the job
when another merge was finished before the autobackport job ran to
completion.
2024-08-23 07:38:27 +00:00
Evan Hunt
a133a33b65 rem: usr: Remove the 'dialup' and 'heartbeat-interval' options
The `dialup` and `heartbeat-interval` options have been removed, along with all code implementing them. Using these options is now a fatal error.

Closes #4237

Merge branch '4237-remove-dialup' into 'main'

Closes #4237

See merge request isc-projects/bind9!8160
2024-08-22 19:43:49 +00:00
Evan Hunt
642a1b985d remove the "dialup" and "heartbeat-interval" options
mark "dialup" and "heartbeat-interval" options as ancient and
remove the documentation and the code implementing them.
2024-08-22 11:11:10 -07:00
Arаm Sаrgsyаn
99b18bab7e new: usr: implement the 'request-ixfr-max-diffs' configuration option
The new 'request-ixfr-max-diffs' configuration option sets the
maximum number of incoming incremental zone transfer (IXFR) differences,
exceeding which triggers a full zone transfer (AXFR).

Closes #4389

Merge branch '4389-request-ixfr-max-diffs' into 'main'

Closes #4389

See merge request isc-projects/bind9!9094
2024-08-22 15:33:17 +00:00
Aram Sargsyan
397e007a8e Document the 'request-ixfr-max-diffs' configuration option
Document the new configuration option and its default value.
2024-08-22 13:42:27 +00:00
Aram Sargsyan
49505cb93d Test the 'request-ixfr-max-diffs' configuration option
Configure a maximum of 3 allowed differences and add 5 new records.
Check that named detected that the differences exceed the allowed
limit and successfully retries with AXFR.
2024-08-22 13:42:27 +00:00
Aram Sargsyan
c05a823e8b Implement the 'request-ixfr-max-diffs' configuration option
This limits the maximum number of received incremental zone
transfer differences for a secondary server. Upon reaching the
confgiured limit, the secondary aborts IXFR and initiates a full
zone transfer (AXFR).
2024-08-22 13:42:27 +00:00
Mark Andrews
d40b722d46 new: usr: Support restricted key tag range when generating new keys
It is useful when multiple signers are being used
to sign a zone to able to specify a restricted
range of range of key tags that will be used by an
operator to sign the zone.  This adds controls to
named (dnssec-policy), dnssec-signzone, dnssec-keyfromlabel and
dnssec-ksr (dnssec-policy) to specify such ranges.

Closes #4830

Merge branch '4830-support-restricted-key-tag-range-when-generating-new-keys' into 'main'

Closes #4830

See merge request isc-projects/bind9!9258
2024-08-22 12:55:46 +00:00
Mark Andrews
bb653d37e0 Add bad dnssec-policy range variants test examples 2024-08-22 12:12:02 +00:00
Mark Andrews
62469afe71 Add a multi-signer where the key tag range changes 2024-08-22 12:12:02 +00:00
Mark Andrews
266530d473 Use key tag ranges when generating multisigner keys 2024-08-22 12:12:02 +00:00
Mark Andrews
d165466125 Check that dnssec-keygen honours key tag ranges 2024-08-22 12:12:02 +00:00
Mark Andrews
c088772191 Document dnssec-policy keys range directive
Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
2024-08-22 12:12:02 +00:00
Mark Andrews
e7decd7a65 Add good dnssec-policy tag-range variants test examples 2024-08-22 12:12:02 +00:00
Mark Andrews
035289be71 Check key tag range when matching dnssec keys to kasp keys 2024-08-22 12:12:02 +00:00
Mark Andrews
c5bc0a1805 Add optional range directive to keys in dnssec-policy 2024-08-22 12:12:02 +00:00
Mark Andrews
25bf77fac6 Add the concept of allowed key tag ranges to kasp 2024-08-22 12:12:02 +00:00
Mark Andrews
0c347fb321 Document -M tag_min:tag_max
A new argument has been added to dnssec-keygen and dnssec-keyfromlabel
to restrict the tag value of key generated / imported to a particular
range.  This is intended to be used by multi-signers.

Co-authored-by: Suzanne Goldlust <sgoldlust@isc.org>
2024-08-22 12:12:02 +00:00
Mark Andrews
329e5eee9b Add restrict key tag range support
to dnssec-keygen and dnssec-keyfromlabel.
2024-08-22 12:12:02 +00:00
Michal Nowak
479c7d5a61 chg: ci: Revert "Workaround temporary cross-version-config-tests limitation"
With the release of BIND 9.19.25 this workaround is not needed anymore.

This reverts commit c58dd6e78f9c69667f0abb71d4c162a479a87029.

Merge branch 'mnowak/revert-workaround-temporary-cross-version-config-tests-limitation' into 'main'

See merge request isc-projects/bind9!9065
2024-08-22 10:20:04 +00:00
Michal Nowak
125059caef Revert "Workaround temporary cross-version-config-tests limitation"
With the release of BIND 9.19.25 this workaround is not needed anymore.

This reverts commit c58dd6e78f9c69667f0abb71d4c162a479a87029.
2024-08-22 10:19:52 +00:00
Matthijs Mekking
8dbd57116b fix: usr: Fix algoritm rollover bug when there are two keys with the same keytag
If there is an algorithm rollover and two keys of different algorithm share the same keytags, then there is a possibility that if we check that a key matches a specific state, we are checking against the wrong key. This has been fixed by not only checking for matching key tag but also key algorithm.

Closes #4878

Merge branch '4878-fix-algorithm-rollover-keytag-conflict-bug' into 'main'

Closes #4878

See merge request isc-projects/bind9!9381
2024-08-22 10:11:29 +00:00
Matthijs Mekking
f37eb33f29 Fix algorithm rollover bug wrt keytag conflicts
If there is an algorithm rollover and two keys of different algorithm
share the same keytags, then there is a possibility that if we check
that a key matches a specific state, we are checking against the wrong
key.

Fix this by not only checking for matching key id but also key
algorithm.
2024-08-22 11:29:43 +02:00
Matthijs Mekking
7bb6d82505 Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.
2024-08-22 11:29:43 +02:00
Michal Nowak
b9bb0528f6 chg: ci: Update Clang to version 19
These Clang 19-identified issues need to be addressed first:
- [x] isc-projects/bind9!9313
- [x] isc-projects/bind9!9317
- [x] isc-projects/bind9!9316
- [x] isc-projects/bind9!9315

Validation pipelines for backports:
- [x] ~"v9.21" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191211
- [x] ~"v9.20" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191512
- [x] ~"v9.18" - https://gitlab.isc.org/isc-projects/bind9/-/pipelines/191904

Prereq: isc-projects/images!328

Merge branch 'mnowak/llvm-19' into 'main'

See merge request isc-projects/bind9!9296
2024-08-22 08:06:56 +00:00
Ondřej Surý
7b756350f5
Use clang-format-19 to update formatting
This is purely result of running:

    git-clang-format-19 --binary clang-format-19 origin/main
2024-08-22 09:21:55 +02:00
Michal Nowak
ec62fc1399
Update Clang to version 19 2024-08-22 09:21:55 +02:00
Matthijs Mekking
bfa206beec new: usr: Support for Offline KSK implemented
Add a new configuration option `offline-ksk` to enable Offline KSK key management. Signed Key Response (SKR) files created with `dnssec-ksr` (or other program) can now be imported into `named` with the new `rndc skr -import` command. Rather than creating new DNSKEY, CDS and CDNSKEY records and generating signatures covering these types, these records are loaded from the currently active bundle from the imported SKR. 

The implementation is loosely based on: https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

Closes #1128

Merge branch '1128-offline-ksk-rndc-import-skr' into 'main'

Closes #1128

See merge request isc-projects/bind9!9119
2024-08-22 07:15:00 +00:00
Matthijs Mekking
d504f4f20b Add a section for Offline KSK to the DNSSEC Guide
This will describe in more detail the operational practices of
Offline KSK.
2024-08-22 08:21:53 +02:00
Matthijs Mekking
1ce163795e Add skr unit test
Add a test file for testing the skr related code.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
2e3068ed60 Disable some behavior in offline-ksk mode
Some things we no longer want to do when we are in offline-ksk mode.

1. Don't check for inactive and private keys if the key is a KSK.
2. Don't update the TTL of DNSKEY, CDS and CDNSKEY RRset, these come
   from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
61cf599fbf Retrieve RRSIG from SKR
When it is time to generate a new signature (dns_dnssec_sign), rather
than create a new one, retrieve it from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
30d20b110e Don't read private key files for offline KSKs
When we are appending contents of a DNSKEY rdataset to a keylist,
don't attempt to read the private key file of a KSK when we are in
offline-ksk mode.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
2190aa904f Update key states in offline-ksk mode
With offline-ksk enabled, we don't run the keymgr because the key
timings are determined by the SKR. We do update the key states but
we derive them from the timing metadata.

Then, we can skip a other tasks in offline-ksk mode, like DS checking
at the parent and CDS synchronization, because the CDS and CDNSKEY
RRsets also come from the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
63e058c29e Apply SKR bundle on rekey
When a zone has a skr structure, lookup the currently active bundle
that contains the right key and signature material.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
037382c4a5 Implement SKR import
When 'rndc skr import' is called, read the file contents and store the
data in the zone's skr structure.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
445722d2bf Add code to store SKR
This added source code stores SKR data. It is loosely based on:
https://www.iana.org/dnssec/archive/files/draft-icann-dnssec-keymgmt-01.txt

A SKR contains a list of signed DNSKEY RRsets. Each change in data
should be stored in a separate bundle. So if the RRSIG is refreshed that
means it is stored in the next bundle. Likewise, if there is a new ZSK
pre-published, it is in the next bundle.

In addition (not mentioned in the draft), each bundle may contain
signed CDS and CDNSKEY RRsets.

Each bundle has an inception time. These will determine when we need
to re-sign or re-key the zone.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
afe093258c Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once
loaded the correct bundle should be used. Alsoe test cases where the
bundle is not the first bundle in the SKR.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
ecd2b79106 Add option to kasp.sh check_keys to retain found keys
This will come in handy when we are testing offline-ksk where first
we check for ZSKs and then the KSK.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
edbb219fda Implement dummy 'rndc skr -import' command
Add the code and documentation required to provide KSR import using
rndc.  This is just the command, and the feature is at this point in
time still not implemented.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
748d98e387 Add a common setup script for ksr
The previous setup.sh has been moved to ns1/setup.sh, we need a common
setup script to invoke ns1/setup.sh.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
367154c1de Update ksr system test to include server
Prepare the system test for tests that require a server to import
created SKR files. This means the test script needs adjustments to
take into account the directory test files are located.

In addition, the check_keys function is renamed to ksr_check_keys
because the name clashes with check_keys from kasp.sh. It also has an
extra parameter added, offset, that can be used to check ksr files that
are created in the past or future.
2024-08-22 08:21:52 +02:00
Matthijs Mekking
0598381236 Add offline-ksk option
Add a new configuration option to enable Offline KSK key management.

Offline KSK cannot work with CSK because it splits how keys with the
KSK and ZSK role operate. Therefore, one key cannot have both roles.
Add a configuration check to ensure this.
2024-08-22 08:21:52 +02:00
Mark Andrews
2299aba5c2 chg: dev: Restore the ability to select individual unit tests
This add the command line arguments: `-d` (debug), `-l` (list tests) and `-t test` (run this test) to the unit tests.

Closes #4579

Merge branch '4579-restore-the-ability-to-select-individual-unit-tests' into 'main'

Closes #4579

See merge request isc-projects/bind9!9384
2024-08-22 00:54:13 +00:00
Mark Andrews
d8a6ff5c3e Extend ISC_TEST_MAIN for debugging
ISC_TEST_MAIN now supports turning on/off debugging and
running individual tests.
2024-08-22 09:54:39 +10:00
Michal Nowak
8d6b0bcc6b chg: ci: Add FreeBSD 14.1
Prereq: https://gitlab.isc.org/isc-projects/images/-/merge_requests/323

Merge branch 'mnowak/freebsd-14.1' into 'main'

See merge request isc-projects/bind9!9116
2024-08-21 16:28:48 +00:00