Until we have a system test that would directly test the engine_pkcs11
integration, we need to disable the system tests that enabled native
PKCS#11 in the CI because it's currently broken.
The native PKCS#11 support has been removed in favour of better
maintained, more performance and easier to use OpenSSL PKCS#11 engine
from the OpenSC project.
when "checking lame server clients are dropped below the hard limit",
periodically a query is sent for a name for which the server is
authoritative, to verify that legitimate queries can still be
processed while the server is dealing with a flood of lame delegation
queries. those queries used the same dig options as elsewhere in the
fetchlimit test, including "+tries=1 +timeout=1". on slow systems, a
1-second timeout may be insufficient to get an answer even if the server
is behaving well. this commit increases the timeout for the check
queries to 2 seconds in hopes that will be enough to eliminate test
failures in CI.
Document that the interval on new RRSIG records is randomally
chosen between the limits specified by sig-validity-interval.
document the operatations when this occurs.
- fixed a size comparison using "signed int" that failed if the file
size was more than 2GB, since that was treated as a negative number.
- incidentally renamed deserialize32() to just deserialize(). we no
longer have separate 32 and 64 bit rbtdb implementations.
Dependencies regression: Re-enable some common TLS-related options for non-DoH builds, making DoT usable in them
See merge request isc-projects/bind9!5377
This commit fixes a regression introduced at
ea80bcc41c. Some options, which are
common to both DoH and DoT were mistakenly disabled for non-DoH
builds. That is a mistake, because DoH does not imply DoT and vice
versa. Not fixing this would make DoT functionality not accessible
without DoH.
This commit modifies the MTU of the loopback interface on
Linux systems to 1500, so that oversized UDP packets can
trigger EMSGSIZE errors, and tests that named handles
such errors correctly.
Note that the loopback MTU size has not yet been modified
for other platforms.
This commit ensures that DoH (and DoT) functionality works well via
IPv6 as well.
The changes were made because it turned out that dig could not make
DoH queries against an IPv6 IP address. These tests ensure that such a
bug will not remain unnoticed.
The commit also increases the servers' startup timeout to 25 seconds
because the initial timeout of 14 seconds was too short to generate
(!) eight 4096 bit ephemeral RSA certificates on a heavily loaded CI
runner in some pipeline runs.
This commit replaces ad-hoc code for DoH connect URI construction with
isc_nm_http_makeuri(), making it handle IPv6 adresses properly (among
other things).
This commit adds new function isc_nm_http_makeuri() which is supposed
to unify DoH URI construction throughout the codebase.
It handles IPv6 addresses, hostnames, and IPv6 addresses given as
hostnames properly, and replaces similar ad-hoc code in the codebase.
- removed unused functions
- changed some public functions to static that are never called
from outside client.c
- removed unused types and function prototypes
- renamed dns_client_destroy() to dns_client_detach()
The previous versions of BIND 9 exported its internal libraries so that
they can be used by third-party applications more easily. Certain
library functions were altered from specific BIND-only behavior to more
generic behavior when used by other applications.
This commit removes the function isc_lib_register() that was used by
external applications to enable the functionality.
bump the map zonefile version number to avoid an assertion
failure when loading map files from versions of BIND prior to
the most recent change to the in-memory structure of zone
databases.
test server now has tcp-idle-timeout set to 5 seconds and
tcp-keepalive-timeout set to 7, so queries that follow a 6-second sleep
should either succeed or fail depending on whether the keepalive option
was sent.
