> Put a space before opening parentheses only after control statement
> keywords (for/if/while...) except this option doesn’t apply to ForEach
> and If macros. This is useful in projects where ForEach/If macros are
> treated as function calls instead of control statements.
(cherry picked from commit 42496f3f4a)
> Insert braces after control statements (if, else, for, do, and while)
> in C++ unless the control statements are inside macro definitions or
> the braces would enclose preprocessor directives.
(cherry picked from commit d051e1e8f8)
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
Backport of MR !10841
Merge branch 'backport-nicki/ci-shotgun-load-new-dataset-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10857
We've switched to an updated dataset for shotgun jobs. The change in
underlying traffic caused the more sensitive doh-get (and partially dot)
jobs to overload the resolver, making the jobs unstable and unreliable,
due to an increased number of timeouts.
Readjust the load parameters slightly to avoid exceeding ~2 % of
timeouts in the cold cache scenario to stabilize the job results.
(cherry picked from commit 338389b3eb)
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Backport of MR !10293
Merge branch 'backport-mnowak/more-lenient-respdiff-limits-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10848
After !9950, respdiff's maximal disagreement percentage needs to be
adjusted as target disagreements between the tested version of the
"main" branch and the reference one jumped for the respdiff,
respdiff:asan, and respdiff:tsan jobs from on average 0.07% to 0.16% and
from 0.12% to 0.17% for the respdiff-third-party job.
In !9950, we concluded setting MAX_DISAGREEMENTS_PERCENTAGE to double
the average disagreement percentage works fine in the CI.
(cherry picked from commit 9acc0c8543)
Initialization of the common members of rdata type structures varies across branches. Standardize it by using the `DNS_RDATACOMMON_INIT` macro for all types, so that new types are more likely to use it, and hence backport more cleanly.
Closes#5467
Merge branch '5467-use-dns_rdatacommon_init-to-hide-branch-differences-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10833
Initialization of the common members of rdata type structures varies
across branches. Standardize it by using the DNS_RDATACOMMON_INIT
macro for all types, so that new types are more likely to use it,
and hence backport more cleanly.
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
Closes#5424
Backport of MR !10825
Merge branch 'backport-5424-hypothesis-artifacts-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10829
Previously the location of the .hypothesis directory would depend on the
current working directory when running pytest.
Set the HYPOTHESIS_STORAGE_DIRECTORY explicitly.
(cherry picked from commit a4e74ab8cd)
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
Merge branch 'nicki/fix-isctest-name-import-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10822
Since the isctest.name module uses `pytest.importorskip()` to check for
dnspython version, it can't be imported automatically on `import
isctest`, because that is used in conftest.py, causing an error during
test setup.
Note that this behavior only manifested on AlmaLinux 8, so perhaps newer
pytest versions are able to handle this edge case more gracefully.
This doesn't affect 9.20+, as this issue was introduced as an erroneous
conflict resolution during a 9.18 backport.
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Merge branch 'ondrej/rescan-the-interface-on-time-0' into 'bind-9.18'
See merge request isc-projects/bind9!10758
On FreeBSD, the server would not listen on the configured 'localhost'
interfaces immediately, but only after the 'interface-interval' period
has passed. After the fix for default interface-interval was merged in
!10281, this means the server would listen on the localhost after 60
minutes.
Rescan the interfaces immediately after configuring the
interface-interval value to start listening on the 'localhost' interface
immediately.
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.
References #3014
Backport of MR !5578
Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10816
Spurious validation failures were traced back to check_signer looping
over val->event->sigrdataset directly. Cloning val->event->sigrdataset
prevents check_signer from interacting with callers that are also
looping over val->event->sigrdataset.
(cherry picked from commit 8aa130f253)
This reverts commit b4a2674d98.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
Closes#5456
Backport of MR !10808
Merge branch 'backport-5456-coverity-scan-drop-fs-capture-search-option-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10811
This reverts commit e1a463e98d.
The --fs-capture-search option is no more. The ability to analyse Python
scripts in Coverity turned out to be questionable anyways.
(cherry picked from commit 310884c259)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsset in a section
- isctest.check.same_data() - checks that two message have the
same rcode and data
- isctest.check.same_answer() - checks that two message have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Backport of MR !10760
Merge branch 'backport-each-isctest-helpers-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10794
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
(cherry picked from commit 64143ea077)
Make the query helper function more universal and reusable across our
system tests -- default to using EDNS and sending AD=1.
(cherry picked from commit 989e64b9b0)
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
(cherry picked from commit efd60348b9)
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two message have the
same rcode and data
- isctest.check.same_answer() - check that two message have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)
(cherry picked from commit b69097f139)
Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
(cherry picked from commit adb931f700)
This should prevent the case where are are unlucky enough that static
values hash 'just right' for the test to pass, but only accidentally.
(cherry picked from commit 46781845ea)
Currently this test is limited only to auth because currently BIND
resolver does not send DS proof of nonexistence for RD=0 queries.
(cherry picked from commit 548632b18a)
Simplistic test. Ignores the possibility of DNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit 73e4201331)
Simplistic test. Ignores the possibility of CNAME chain going through
multiple zones and/or wildcard expansions.
(cherry picked from commit d0e413dd57)
The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.
(cherry picked from commit ac58b58002)
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
By definition, the type bitmap describes state of the unhashed name
but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses zone boundary, parent zone has insecure
delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross
zone boundary.
(cherry picked from commit cfaf5c997f)
