Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package bind for openSUSE:Factory checked in
at 2021-12-28 12:26:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
and /work/SRC/openSUSE:Factory/.bind.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind"
Tue Dec 28 12:26:09 2021 rev:175 rq:942722 version:9.16.24
Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-12-06
23:59:38.616508934 +0100
+++ /work/SRC/openSUSE:Factory/.bind.new.2520/bind.changes 2021-12-28
12:26:21.804472419 +0100
@@ -1,0 +2,19 @@
+Wed Dec 15 14:37:47 UTC 2021 - Josef M??llers <josef.moell...@suse.com>
+
+- Upgrade to release 9.16.24
+ This upgrade fixes the following bugs:
+ * mdig now honors the operating system's preferred ephemeral port
+ range.
+ * Fix a "named" crash related to removing and restoring a
+ `catalog-zone` entry in the configuration file and running
+ `rndc reconfig`.
+ * dns_sdlz_putrr failed to process some valid resource records.
+ * dnssec-dsfromkey failed to omit revoked keys.
+ Functional change:
+ * Change the message when accepting TCP connection has failed to
+ say "Accepting TCP connection failed" and change the log level
+ for ISC_R_NOTCONNECTED, ISC_R_QUOTA and ISC_R_SOFTQUOTA results
+ codes from ERROR to INFO.
+ [bind-9.16.24.tar.xz]
+
+-------------------------------------------------------------------
Old:
----
bind-9.16.23.tar.xz
bind-9.16.23.tar.xz.sha512.asc
New:
----
bind-9.16.24.tar.xz
bind-9.16.24.tar.xz.sha512.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.AXQ4aN/_old 2021-12-28 12:26:22.412472879 +0100
+++ /var/tmp/diff_new_pack.AXQ4aN/_new 2021-12-28 12:26:22.420472885 +0100
@@ -46,7 +46,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
-Version: 9.16.23
+Version: 9.16.24
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
++++++ bind-9.16.23.tar.xz -> bind-9.16.24.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/.dir-locals.el
new/bind-9.16.24/.dir-locals.el
--- old/bind-9.16.23/.dir-locals.el 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/.dir-locals.el 2021-12-07 13:24:49.000000000 +0100
@@ -77,6 +77,9 @@
(expand-file-name
(concat directory-of-current-dir-locals-file
"bin/rndc/include"))
+ (expand-file-name "/usr/include/libxml2")
+ (expand-file-name "/usr/include/json-c")
+
(expand-file-name "/usr/local/opt/openssl@1.1/include")
(expand-file-name "/usr/local/opt/libxml2/include/libxml2")
(expand-file-name "/usr/local/opt/json-c/include/json-c/")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/.gitlab-ci.yml
new/bind-9.16.24/.gitlab-ci.yml
--- old/bind-9.16.23/.gitlab-ci.yml 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/.gitlab-ci.yml 2021-12-07 13:24:49.000000000 +0100
@@ -40,6 +40,13 @@
BIND_STRESS_TEST_OS: linux
BIND_STRESS_TEST_ARCH: amd64
+# Allow all running CI jobs to be automatically canceled when a new
+# version of a branch is pushed.
+#
+# See:
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
+default:
+ interruptible: true
+
stages:
- precheck
- build
@@ -505,7 +512,9 @@
artifacts: true
script:
- *configure
- - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE
'(ans\.py|dangerfile\.py)')
+ - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE
'(ans\.py|dangerfile\.py|^bin/tests/system/)')
+ # Ignore Flake8 E402 error (module level import not at top of file) in
system test to enable use of pytest.importorskip
+ - flake8 --max-line-length=80 --extend-ignore=E402 $(git ls-files
'bin/tests/system/*.py' | grep -vE 'ans\.py')
pylint:
<<: *default_triggering_rules
@@ -516,8 +525,10 @@
artifacts: true
script:
- *configure
- - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
- - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep
-vE '(ans\.py|dangerfile\.py)')
+ - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python"
+ - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep
-vE '(ans\.py|dangerfile\.py|^bin/tests/system/)')
+ # Ignore Pylint wrong-import-position error in system test to enable use
of pytest.importorskip
+ - pylint --rcfile $CI_PROJECT_DIR/.pylintrc
--disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep
-vE 'ans\.py')
tarball-create:
stage: precheck
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/CHANGES new/bind-9.16.24/CHANGES
--- old/bind-9.16.23/CHANGES 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/CHANGES 2021-12-07 13:24:49.000000000 +0100
@@ -1,3 +1,27 @@
+ --- 9.16.24 released ---
+
+5773. [func] Change the message when accepting TCP connection has
+ failed to say "Accepting TCP connection failed" and
+ change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA
+ and ISC_R_SOFTQUOTA results codes from ERROR to INFO.
+ [GL #2700]
+
+5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853]
+
+5764. [bug] dns_sdlz_putrr failed to process some valid resource
+ records. [GL #3021]
+
+5762. [bug] Fix a "named" crash related to removing and restoring a
+ `catalog-zone` entry in the configuration file and
+ running `rndc reconfig`. [GL #1608]
+
+5758. [bug] mdig now honors the operating system's preferred
+ ephemeral port range. [GL #2374]
+
+5757. [test] Replace sed in nsupdate system test with awk to
+ construct the nsupdate command. The sed expression
+ was not reliably changing the ttl. [GL #3003]
+
--- 9.16.23 released ---
5752. [bug] Fix an assertion failure caused by missing member zones
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c
new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c
--- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c 2021-12-07
13:24:49.000000000 +0100
@@ -262,6 +262,10 @@
fatal("can't convert DNSKEY");
}
+ if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) {
+ return;
+ }
+
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
return;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst
new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst
--- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst 2021-12-07
13:24:49.000000000 +0100
@@ -43,6 +43,10 @@
The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource
records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.
+By default, only KSKs are converted (keys with flags = 257). The
+``-A`` option includes ZSKs (flags = 256). Revoked keys are never
+included.
+
The input keys can be specified in a number of ways:
By default, ``dnssec-dsfromkey`` reads a key file named in the format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/named/config.c
new/bind-9.16.24/bin/named/config.c
--- old/bind-9.16.23/bin/named/config.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/named/config.c 2021-12-07 13:24:49.000000000 +0100
@@ -281,14 +281,14 @@
"#\n\
# Default trusted key(s), used if \n\
# \"dnssec-validation auto;\" is set and\n\
-# sysconfdir/bind.keys doesn't exist).\n\
+# " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\
#\n\
-# BEGIN DNSSEC KEYS\n"
+# BEGIN TRUST ANCHORS\n"
/* Imported from bind.keys.h: */
TRUST_ANCHORS
- "# END MANAGED KEYS\n\
+ "# END TRUST ANCHORS\n\
\n\
primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\
2001:500:200::b; # b.root-servers.net\n\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/named/server.c
new/bind-9.16.24/bin/named/server.c
--- old/bind-9.16.23/bin/named/server.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/named/server.c 2021-12-07 13:24:49.000000000 +0100
@@ -6523,6 +6523,8 @@
if (zone_is_catz) {
dns_zone_catz_enable(zone, view->catzs);
+ } else if (dns_zone_catz_is_enabled(zone)) {
+ dns_zone_catz_disable(zone);
}
/*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/rndc/rndc.rst
new/bind-9.16.24/bin/rndc/rndc.rst
--- old/bind-9.16.23/bin/rndc/rndc.rst 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/rndc/rndc.rst 2021-12-07 13:24:49.000000000 +0100
@@ -370,11 +370,24 @@
avoids the need to examine the modification times of the zone files.
``recursing``
- This command dumps the list of queries ``named`` is currently recursing on,
and the
- list of domains to which iterative queries are currently being sent.
- The second list includes the number of fetches currently active for
- the given domain, and how many have been passed or dropped because of
- the ``fetches-per-zone`` option.
+ This command dumps the list of queries ``named`` is currently
+ recursing on, and the list of domains to which iterative queries
+ are currently being sent.
+
+ The first list includes all unique clients that are waiting for
+ recursion to complete, including the query that is awaiting a
+ response and the timestamp (seconds since the Unix epoch) of
+ when named started processing this client query.
+
+ The second list comprises of domains for which there are active
+ (or recently active) fetches in progress. It reports the number
+ of active fetches for each domain and the number of queries that
+ have been passed (allowed) or dropped (spilled) as a result of
+ the ``fetches-per-zone`` limit. (Note: these counters are not
+ cumulative over time; whenever the number of active fetches for
+ a domain drops to zero, the counter for that domain is deleted,
+ and the next time a fetch is sent to that domain, it is recreated
+ with the counters set to zero).
``refresh`` *zone* [*class* [*view*]]
This command schedules zone maintenance for the given zone.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in
new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in 1970-01-01
01:00:00.000000000 +0100
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "../../common/rndc.key";
-
-controls {
- inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { fd92:7065:b8e:ffff::2; };
- notify no;
- recursion no;
- serial-query-rate 100;
- catalog-zones {
- zone "catalog1.example"
- default-masters { 10.53.0.1; }
- in-memory no
- zone-directory "zonedir";
- zone "catalog2.example"
- default-masters { 10.53.0.1 port @EXTRAPORT1@; }
- in-memory yes;
- zone "catalog3.example"
- default-masters { 10.53.0.1; }
- zone-directory "nonexistent";
-#T1 zone "catalog4.example"
-#T1 default-masters { 10.53.0.1; };
-#T2 zone "catalog5.example"
-#T2 default-masters { 10.53.0.1; };
- };
-};
-
-zone "catalog1.example" {
- type secondary;
- file "catalog1.example.db";
- primaries { 10.53.0.1; };
-};
-
-zone "catalog2.example" {
- type secondary;
- file "catalog2.example.db";
- primaries { 10.53.0.3; };
-};
-
-zone "catalog3.example" {
- type secondary;
- file "catalog3.example.db";
- primaries { 10.53.0.1; };
-};
-
-zone "catalog4.example" {
- type secondary;
- file "catalog4.example.db";
- primaries { 10.53.0.1; };
-};
-
-key tsig_key. {
- secret "LSAnCU+Z";
- algorithm hmac-md5;
-};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in
new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in 1970-01-01
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in 2021-12-07
13:24:49.000000000 +0100
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ catalog-zones {
+ zone "catalog1.example"
+ default-masters { 10.53.0.1; }
+ in-memory no
+ zone-directory "zonedir";
+ zone "catalog2.example"
+ default-masters { 10.53.0.1 port @EXTRAPORT1@; }
+ in-memory yes;
+ zone "catalog3.example"
+ default-masters { 10.53.0.1; }
+ zone-directory "nonexistent";
+#T1 zone "catalog4.example"
+#T1 default-masters { 10.53.0.1; };
+#T2 zone "catalog5.example"
+#T2 default-masters { 10.53.0.1; };
+ };
+};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm hmac-md5;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in
new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in
--- old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in 1970-01-01
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in 2021-12-07
13:24:49.000000000 +0100
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ # removed catalog-zone option, otherwise this is
+ # identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm hmac-md5;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/setup.sh
new/bind-9.16.24/bin/tests/system/catz/setup.sh
--- old/bind-9.16.23/bin/tests/system/catz/setup.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/setup.sh 2021-12-07
13:24:49.000000000 +0100
@@ -15,7 +15,7 @@
$SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
cp -f ns1/catalog.example.db.in ns1/catalog1.example.db
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/tests.sh
new/bind-9.16.24/bin/tests/system/catz/tests.sh
--- old/bind-9.16.23/bin/tests/system/catz/tests.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/tests.sh 2021-12-07
13:24:49.000000000 +0100
@@ -1179,7 +1179,7 @@
n=$((n+1))
echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)"
ret=0
-sed -e "s/^#T1//g" < ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1210,7 +1210,7 @@
n=$((n+1))
echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding
non-existent catalog5 catalog zone ($n)"
ret=0
-sed -e "s/^#T2//" < ns2/named.conf.in > ns2/named.conf.tmp
+sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp
copy_setports ns2/named.conf.tmp ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 &&
ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
@@ -1219,7 +1219,7 @@
n=$((n+1))
echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone
($n)"
ret=0
-copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns2/named1.conf.in ns2/named.conf
rndccmd 10.53.0.2 reconfig || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
@@ -1730,5 +1730,15 @@
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+n=$((n+1))
+echo_i "checking that reconfig can delete and restore catalog zone
configuration ($n)"
+ret=0
+copy_setports ns2/named2.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+copy_setports ns2/named1.conf.in ns2/named.conf
+rndccmd 10.53.0.2 reconfig || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/checkds/clean.sh
new/bind-9.16.24/bin/tests/system/checkds/clean.sh
--- old/bind-9.16.23/bin/tests/system/checkds/clean.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/checkds/clean.sh 2021-12-07
13:24:49.000000000 +0100
@@ -21,5 +21,4 @@
rm -f ns*/managed-keys.bind*
rm -f ns*/*.mkeys
rm -f ns*/zones
-rm -f tests-checkds.py.status
rm -f *.checkds.out
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c
new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c
--- old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c 2021-12-07
13:24:49.000000000 +0100
@@ -238,10 +238,9 @@
struct dlz_example_data *state;
const char *helper_name;
va_list ap;
- char soa_data[1024];
- const char *extra;
+ char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")];
isc_result_t result;
- int n;
+ size_t n;
UNUSED(dlzname);
@@ -275,19 +274,19 @@
sprintf(state->zone_name, "%s.", argv[1]);
}
+ /*
+ * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+ */
if (strcmp(state->zone_name, ".") == 0) {
- extra = ".root";
+ n = strlcpy(soa_data,
+ "@ hostmaster.root 123 900 600 86400 3600",
+ sizeof(soa_data));
} else {
- extra = ".";
+ n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600",
+ sizeof(soa_data));
}
- n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600",
- state->zone_name, extra, state->zone_name);
-
- if (n < 0) {
- CHECK(ISC_R_FAILURE);
- }
- if ((unsigned)n >= sizeof(soa_data)) {
+ if (n >= sizeof(soa_data)) {
CHECK(ISC_R_NOSPACE);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
--- old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
2021-12-07 13:24:49.000000000 +0100
@@ -21,6 +21,11 @@
database "dlopen ../driver.@SO@ example.org";
};
+dlz "example four" {
+ // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr.
+ database "dlopen ../driver.@SO@
123456789.123456789.123456789.123456789.123456789.example.foo";
+};
+
dlz "unsearched1" {
database "dlopen ../driver.@SO@ other.nil";
search no;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dnssec/tests.sh
new/bind-9.16.24/bin/tests/system/dnssec/tests.sh
--- old/bind-9.16.23/bin/tests/system/dnssec/tests.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/dnssec/tests.sh 2021-12-07
13:24:49.000000000 +0100
@@ -2881,6 +2881,18 @@
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
+echo_i "check dnssec-dsfromkey with revoked key ($n)"
+ret=0
+dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK
+grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK
+grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK
+test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 ||
ret=1
+$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n ||
ret=1
+test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+
echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)"
ret=0
dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG >
dig.out.ns3.test$n 2>&1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh
new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh
--- old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh 2021-12-07
13:24:49.000000000 +0100
@@ -63,4 +63,5 @@
rm -f nsupdate.out*
rm -f typelist.out.*
rm -f update.out.*
+rm -f update.in.*
rm -f verylarge
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh
new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh
--- old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh 2021-12-07
13:24:49.000000000 +0100
@@ -751,9 +751,10 @@
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects
($n)"
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 dnskey | \
- sed -n 's/\(.*\)10.IN/update add \1600 IN/p' |
- (echo server 10.53.0.3 ${PORT}; cat - ; echo send ) |
-$NSUPDATE
+ awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; }
+ $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update
add", $0 }
+ END { print "send" }' > update.in.$n
+$NSUPDATE update.in.$n
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \
@10.53.0.3 any > dig.out.ns3.$n
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/run.sh
new/bind-9.16.24/bin/tests/system/run.sh
--- old/bind-9.16.23/bin/tests/system/run.sh 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/bin/tests/system/run.sh 2021-12-07 13:24:49.000000000
+0100
@@ -228,6 +228,7 @@
if [ -n "$PYTEST" ]; then
run=$((run+1))
for test in $(cd "${systest}" && find . -name "tests*.py"); do
+ rm -f "$systest/$test.status"
if start_servers; then
rm -f "$systest/$test.status"
test_status=0
@@ -243,6 +244,7 @@
break
fi
done
+ rm -f "$systest/$test.status"
else
echoinfo "I:$systest:pytest not installed, skipping python tests"
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/shutdown/clean.sh
new/bind-9.16.24/bin/tests/system/shutdown/clean.sh
--- old/bind-9.16.23/bin/tests/system/shutdown/clean.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/shutdown/clean.sh 2021-12-07
13:24:49.000000000 +0100
@@ -14,4 +14,3 @@
rm -f */named.conf
rm -f */named.run
rm -rf __pycache__
-rm -f *.status
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/conftest.py
new/bind-9.16.24/bin/tests/system/wildcard/conftest.py
--- old/bind-9.16.23/bin/tests/system/wildcard/conftest.py 1970-01-01
01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/conftest.py 2021-12-07
13:24:49.000000000 +0100
@@ -0,0 +1,18 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+
+
+@pytest.fixture(scope='module')
+def named_port():
+ return int(os.environ.get("PORT", default=5300))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in
new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in
1970-01-01 01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in
2021-12-07 13:24:49.000000000 +0100
@@ -0,0 +1,4 @@
+$ORIGIN allwild.test.
+allwild.test. 3600 IN SOA . . 0 0 0 0 0
+allwild.test. 3600 NS ns.example.test.
+*.allwild.test. 3600 A 192.0.2.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in
new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in
2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in
2021-12-07 13:24:49.000000000 +0100
@@ -27,6 +27,7 @@
/*
* RFC 4592 example zone.
*/
+zone "allwild.test" { type primary; file "allwild.db"; };
zone "example" { type primary; file "example.db"; };
zone "nsec" { type primary; file "nsec.db.signed"; };
zone "private.nsec" { type primary; file "private.nsec.db.signed"; };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh
new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh
--- old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh 2021-12-07
13:24:49.000000000 +0100
@@ -17,6 +17,7 @@
dssets=
# RFC 4592 example zone.
+cp allwild.db.in allwild.db
cp example.db.in example.db
zone=nsec
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py
new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py
--- old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py
1970-01-01 01:00:00.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py
2021-12-07 13:24:49.000000000 +0100
@@ -0,0 +1,103 @@
+#!/usr/bin/python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+"""
+Example property-based test for wildcard synthesis.
+Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1
+produces synthesized answers for <random_label>.test. A, and returns NODATA for
+<random_label>.test. when rdtype is not A.
+
+Limitations - untested properties:
+ - expansion works with multiple labels
+ - asterisk in qname does not cause expansion
+ - empty non-terminals prevent expansion
+ - or more generally any existing node prevents expansion
+ - DNSSEC record inclusion
+ - possibly others, see RFC 4592 and company
+ - content of authority & additional sections
+ - flags beyond RCODE
+ - special behavior of rdtypes like CNAME
+"""
+import pytest
+
+pytest.importorskip("dns")
+import dns.message
+import dns.name
+import dns.query
+import dns.rcode
+import dns.rdatatype
+
+pytest.importorskip("hypothesis")
+from hypothesis import given
+from hypothesis.strategies import binary, integers
+
+
+# labels of a zone with * A 192.0.2.1 wildcard
+WILDCARD_ZONE = ('allwild', 'test', '')
+WILDCARD_RDTYPE = dns.rdatatype.A
+WILDCARD_RDATA = '192.0.2.1'
+IPADDR = '10.53.0.1'
+TIMEOUT = 5 # seconds, just a sanity check
+
+
+# Helpers
+def is_nonexpanding_rdtype(rdtype):
+ """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895"""
+ return not(rdtype == WILDCARD_RDTYPE
+ or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ...
+ or 128 <= rdtype <= 255) # unknown meta types
+
+
+def tcp_query(where, port, qname, qtype):
+ querymsg = dns.message.make_query(qname, qtype)
+ assert len(querymsg.question) == 1
+ return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT)
+
+
+def query(where, port, label, rdtype):
+ labels = (label, ) + WILDCARD_ZONE
+ qname = dns.name.Name(labels)
+ return tcp_query(where, port, qname, rdtype)
+
+
+# Tests
+@given(label=binary(min_size=1, max_size=63),
+ rdtype=integers(min_value=0, max_value=65535).filter(
+ is_nonexpanding_rdtype))
+def test_wildcard_rdtype_mismatch(label, rdtype, named_port):
+ """any label non-matching rdtype must result in to NODATA"""
+ check_answer_nodata(*query(IPADDR, named_port, label, rdtype))
+
+
+def check_answer_nodata(querymsg, answer):
+ assert querymsg.is_response(answer), str(answer)
+ assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+ assert answer.answer == [], str(answer)
+
+
+@given(label=binary(min_size=1, max_size=63))
+def test_wildcard_match(label, named_port):
+ """any label with maching rdtype must result in wildcard data in answer"""
+ check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE))
+
+
+def check_answer_noerror(querymsg, answer):
+ assert querymsg.is_response(answer), str(answer)
+ assert answer.rcode() == dns.rcode.NOERROR, str(answer)
+ assert len(querymsg.question) == 1, str(answer)
+ expected_answer = [dns.rrset.from_text(
+ querymsg.question[0].name,
+ 300, # TTL, ignored by dnspython comparison
+ dns.rdataclass.IN,
+ WILDCARD_RDTYPE,
+ WILDCARD_RDATA)]
+ assert answer.answer == expected_answer, str(answer)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/bin/tools/mdig.c
new/bind-9.16.24/bin/tools/mdig.c
--- old/bind-9.16.23/bin/tools/mdig.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tools/mdig.c 2021-12-07 13:24:49.000000000 +0100
@@ -25,6 +25,7 @@
#include <isc/net.h>
#include <isc/nonce.h>
#include <isc/parseint.h>
+#include <isc/portset.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/sockaddr.h>
@@ -2057,6 +2058,47 @@
}
}
+/*
+ * Try honoring the operating system's preferred ephemeral port range.
+ */
+static void
+set_source_ports(dns_dispatchmgr_t *manager) {
+ isc_portset_t *v4portset = NULL, *v6portset = NULL;
+ in_port_t udpport_low, udpport_high;
+ isc_result_t result;
+
+ result = isc_portset_create(mctx, &v4portset);
+ if (result != ISC_R_SUCCESS) {
+ fatal("isc_portset_create (v4) failed");
+ }
+
+ result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ fatal("isc_net_getudpportrange (v4) failed");
+ }
+
+ isc_portset_addrange(v4portset, udpport_low, udpport_high);
+
+ result = isc_portset_create(mctx, &v6portset);
+ if (result != ISC_R_SUCCESS) {
+ fatal("isc_portset_create (v6) failed");
+ }
+ result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ fatal("isc_net_getudpportrange (v6) failed");
+ }
+
+ isc_portset_addrange(v6portset, udpport_low, udpport_high);
+
+ result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);
+ if (result != ISC_R_SUCCESS) {
+ fatal("dns_dispatchmgr_setavailports failed");
+ }
+
+ isc_portset_destroy(mctx, &v4portset);
+ isc_portset_destroy(mctx, &v6portset);
+}
+
/*% Main processing routine for mdig */
int
main(int argc, char *argv[]) {
@@ -2126,12 +2168,14 @@
RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr));
RUNCHECK(isc_task_create(taskmgr, 0, &task));
-
RUNCHECK(isc_timermgr_create(mctx, &timermgr));
RUNCHECK(isc_socketmgr_create(mctx, &socketmgr));
RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr));
+ set_source_ports(dispatchmgr);
+
attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY;
+
if (have_ipv4) {
isc_sockaddr_any(&bind_any);
attrs |= DNS_DISPATCHATTR_IPV4;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/configure new/bind-9.16.24/configure
--- old/bind-9.16.23/configure 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/configure 2021-12-07 13:24:49.000000000 +0100
@@ -16849,6 +16849,14 @@
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0. Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/configure.ac
new/bind-9.16.24/configure.ac
--- old/bind-9.16.23/configure.ac 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/configure.ac 2021-12-07 13:24:49.000000000 +0100
@@ -806,6 +806,14 @@
AX_SAVE_FLAGS([openssl])
+#
+# This maintenance branch of BIND 9 does not support new OpenSSL APIs
+# introduced in version 3.0.0. Suppress compiler warnings about using
+# functions deprecated in newer OpenSSL versions as they will not be
+# addressed in BIND 9.16.
+#
+OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED"
+
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/doc/arm/notes.rst
new/bind-9.16.24/doc/arm/notes.rst
--- old/bind-9.16.23/doc/arm/notes.rst 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/arm/notes.rst 2021-12-07 13:24:49.000000000 +0100
@@ -59,6 +59,7 @@
information about each release, source code, and pre-compiled versions
for Microsoft Windows operating systems.
+.. include:: ../notes/notes-9.16.24.rst
.. include:: ../notes/notes-9.16.23.rst
.. include:: ../notes/notes-9.16.22.rst
.. include:: ../notes/notes-9.16.21.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/doc/arm/reference.rst
new/bind-9.16.24/doc/arm/reference.rst
--- old/bind-9.16.23/doc/arm/reference.rst 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/doc/arm/reference.rst 2021-12-07 13:24:49.000000000
+0100
@@ -1909,8 +1909,8 @@
``cookie-algorithm``
This sets the algorithm to be used when generating the server cookie; the
options are
- "aes", "sha1", or "sha256". The default is "aes" if supported by
- the cryptographic library; otherwise, "sha256".
+ "aes" or "siphash24". The default is "siphash24". The "aes" option remains
for legacy
+ purposes.
``cookie-secret``
If set, this is a shared secret used for generating and verifying
@@ -2961,12 +2961,13 @@
The current list of active fetches can be dumped by running
``rndc recursing``. The list includes the number of active fetches
- for each domain and the number of queries that have been passed or
- dropped as a result of the ``fetches-per-zone`` limit. (Note: these
- counters are not cumulative over time; whenever the number of active
- fetches for a domain drops to zero, the counter for that domain is
- deleted, and the next time a fetch is sent to that domain, it is
- recreated with the counters set to zero.)
+ for each domain and the number of queries that have been passed
+ (allowed) or dropped (spilled) as a result of the ``fetches-per-zone``
+ limit. (Note: these counters are not cumulative over time;
+ whenever the number of active fetches for a domain drops to zero,
+ the counter for that domain is deleted, and the next time a fetch
+ is sent to that domain, it is recreated with the counters set
+ to zero.)
``fetches-per-server``
This sets the maximum number of simultaneous iterative queries that the
server
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in
new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in
--- old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in 2021-12-07
13:24:49.000000000 +0100
@@ -44,6 +44,10 @@
The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource
records
(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
.sp
+By default, only KSKs are converted (keys with flags = 257). The
+\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never
+included.
+.sp
The input keys can be specified in a number of ways:
.sp
By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/doc/man/rndc.8in
new/bind-9.16.24/doc/man/rndc.8in
--- old/bind-9.16.23/doc/man/rndc.8in 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/doc/man/rndc.8in 2021-12-07 13:24:49.000000000 +0100
@@ -372,11 +372,24 @@
avoids the need to examine the modification times of the zone files.
.TP
.B \fBrecursing\fP
-This command dumps the list of queries \fBnamed\fP is currently recursing on,
and the
-list of domains to which iterative queries are currently being sent.
-The second list includes the number of fetches currently active for
-the given domain, and how many have been passed or dropped because of
-the \fBfetches\-per\-zone\fP option.
+This command dumps the list of queries \fBnamed\fP is currently
+recursing on, and the list of domains to which iterative queries
+are currently being sent.
+.sp
+The first list includes all unique clients that are waiting for
+recursion to complete, including the query that is awaiting a
+response and the timestamp (seconds since the Unix epoch) of
+when named started processing this client query.
+.sp
+The second list comprises of domains for which there are active
+(or recently active) fetches in progress. It reports the number
+of active fetches for each domain and the number of queries that
+have been passed (allowed) or dropped (spilled) as a result of
+the \fBfetches\-per\-zone\fP limit. (Note: these counters are not
+cumulative over time; whenever the number of active fetches for
+a domain drops to zero, the counter for that domain is deleted,
+and the next time a fetch is sent to that domain, it is recreated
+with the counters set to zero).
.TP
.B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
This command schedules zone maintenance for the given zone.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/doc/notes/notes-9.16.24.rst
new/bind-9.16.24/doc/notes/notes-9.16.24.rst
--- old/bind-9.16.23/doc/notes/notes-9.16.24.rst 1970-01-01
01:00:00.000000000 +0100
+++ new/bind-9.16.24/doc/notes/notes-9.16.24.rst 2021-12-07
13:24:49.000000000 +0100
@@ -0,0 +1,35 @@
+..
+ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+ See the COPYRIGHT file distributed with this work for additional
+ information regarding copyright ownership.
+
+Notes for BIND 9.16.24
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Previously, when an incoming TCP connection could not be accepted
+ because the client closed the connection early, an error message of
+ ``TCP connection failed: socket is not connected`` was logged. This
+ message has been changed to ``Accepting TCP connection failed: socket
+ is not connected``. The severity level at which this type of message
+ is logged has also been changed from ``error`` to ``info`` for the
+ following triggering events: ``socket is not connected``, ``quota
+ reached``, and ``soft quota reached``. :gl:`#2700`
+
+- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys.
+ :gl:`#853`
+
+Bug Fixes
+~~~~~~~~~
+
+- Removing a configured ``catalog-zone`` clause from the configuration,
+ running ``rndc reconfig``, then bringing back the removed
+ ``catalog-zone`` clause and running ``rndc reconfig`` again caused
+ ``named`` to crash. This has been fixed. :gl:`#1608`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/include/dns/zone.h
new/bind-9.16.24/lib/dns/include/dns/zone.h
--- old/bind-9.16.23/lib/dns/include/dns/zone.h 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/lib/dns/include/dns/zone.h 2021-12-07 13:24:49.000000000
+0100
@@ -2606,6 +2606,26 @@
*/
void
+dns_zone_catz_disable(dns_zone_t *zone);
+/*%<
+ * Disable zone as catalog zone, if it is one.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone);
+/*%<
+ * Return a boolean indicating whether the zone is enabled as catalog zone.
+ *
+ * Requires:
+ *
+ * \li 'zone' is a valid zone object
+ */
+
+void
dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
/*%<
* If 'zone' is a catalog zone, then set up a notify-on-update trigger
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c
new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c
--- old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c 2021-12-07
13:24:49.000000000 +0100
@@ -260,7 +260,7 @@
RETERR(alpn_fromtxt(region, target));
break;
case sbpr_port:
- if (!isdigit(*region->base)) {
+ if (!isdigit((unsigned char)*region->base)) {
return (DNS_R_SYNTAX);
}
ul = strtoul(region->base, &e, 10);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/sdlz.c
new/bind-9.16.24/lib/dns/sdlz.c
--- old/bind-9.16.23/lib/dns/sdlz.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/sdlz.c 2021-12-07 13:24:49.000000000 +0100
@@ -1875,7 +1875,6 @@
mctx, rdatabuf, &lookup->callbacks);
if (result != ISC_R_SUCCESS) {
isc_buffer_free(&rdatabuf);
- result = DNS_R_SERVFAIL;
}
if (size >= 65535) {
break;
@@ -1887,6 +1886,7 @@
} while (result == ISC_R_NOSPACE);
if (result != ISC_R_SUCCESS) {
+ result = DNS_R_SERVFAIL;
goto failure;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/win32/libdns.def.in
new/bind-9.16.24/lib/dns/win32/libdns.def.in
--- old/bind-9.16.23/lib/dns/win32/libdns.def.in 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/win32/libdns.def.in 2021-12-07
13:24:49.000000000 +0100
@@ -1173,8 +1173,10 @@
dns_zone_addnsec3chain
dns_zone_asyncload
dns_zone_attach
+dns_zone_catz_disable
dns_zone_catz_enable
dns_zone_catz_enable_db
+dns_zone_catz_is_enabled
dns_zone_cdscheck
dns_zone_checknames
dns_zone_clearforwardacl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/dns/zone.c
new/bind-9.16.24/lib/dns/zone.c
--- old/bind-9.16.23/lib/dns/zone.c 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/dns/zone.c 2021-12-07 13:24:49.000000000 +0100
@@ -1942,6 +1942,24 @@
UNLOCK_ZONE(zone);
}
+void
+dns_zone_catz_disable(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->catzs != NULL) {
+ dns_catz_catzs_detach(&zone->catzs);
+ }
+ UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_catz_is_enabled(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->catzs != NULL);
+}
+
/*
* If a zone is a catalog zone, attach it to update notification in database.
*/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h
new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h
--- old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h 2021-11-05
10:03:26.000000000 +0100
+++ new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h 2021-12-07
13:24:49.000000000 +0100
@@ -1576,4 +1576,7 @@
void
isc__nmsocket_connecttimeout_cb(uv_timer_t *timer);
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota);
+
#define STREAM_CLIENTS_PER_CONN 23
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr.c
new/bind-9.16.24/lib/isc/netmgr/netmgr.c
--- old/bind-9.16.23/lib/isc/netmgr/netmgr.c 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/netmgr.c 2021-12-07 13:24:49.000000000
+0100
@@ -1967,6 +1967,33 @@
}
}
+void
+isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) {
+ int level;
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOCONN:
+ return;
+ case ISC_R_QUOTA:
+ case ISC_R_SOFTQUOTA:
+ if (!can_log_quota) {
+ return;
+ }
+ level = ISC_LOG_INFO;
+ break;
+ case ISC_R_NOTCONNECTED:
+ level = ISC_LOG_INFO;
+ break;
+ default:
+ level = ISC_LOG_ERROR;
+ }
+
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
+ level, "Accepting TCP connection failed: %s",
+ isc_result_totext(result));
+}
+
static void
isc__nmsocket_readtimeout_cb(uv_timer_t *timer) {
isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcp.c
new/bind-9.16.24/lib/isc/netmgr/tcp.c
--- old/bind-9.16.23/lib/isc/netmgr/tcp.c 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/tcp.c 2021-12-07 13:24:49.000000000
+0100
@@ -631,15 +631,7 @@
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
void
@@ -934,15 +926,7 @@
REQUIRE(sock->tid == isc_nm_tid());
result = accept_connection(sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcp_quota()) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcp_quota());
}
static isc_result_t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcpdns.c
new/bind-9.16.24/lib/isc/netmgr/tcpdns.c
--- old/bind-9.16.23/lib/isc/netmgr/tcpdns.c 2021-11-05 10:03:26.000000000
+0100
+++ new/bind-9.16.24/lib/isc/netmgr/tcpdns.c 2021-12-07 13:24:49.000000000
+0100
@@ -600,16 +600,7 @@
result = accept_connection(ssock, quota);
done:
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
void
@@ -905,16 +896,7 @@
REQUIRE(ievent->sock->tid == isc_nm_tid());
result = accept_connection(ievent->sock, ievent->quota);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) {
- if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) ||
- can_log_tcpdns_quota())
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR,
- "TCP connection failed: %s",
- isc_result_totext(result));
- }
- }
+ isc__nm_accept_connection_log(result, can_log_tcpdns_quota());
}
static isc_result_t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/srcid new/bind-9.16.24/srcid
--- old/bind-9.16.23/srcid 2021-11-05 10:07:16.000000000 +0100
+++ new/bind-9.16.24/srcid 2021-12-07 13:27:02.000000000 +0100
@@ -1 +1 @@
-SRCID=fde3b1f
+SRCID=93e3098
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/bind-9.16.23/version new/bind-9.16.24/version
--- old/bind-9.16.23/version 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/version 2021-12-07 13:24:49.000000000 +0100
@@ -5,7 +5,7 @@
DESCRIPTION="(Extended Support Version)"
MAJORVER=9
MINORVER=16
-PATCHVER=23
+PATCHVER=24
RELEASETYPE=
RELEASEVER=
EXTENSIONS=
