Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2021-12-28 12:26:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind" Tue Dec 28 12:26:09 2021 rev:175 rq:942722 version:9.16.24 Changes: -------- --- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-12-06 23:59:38.616508934 +0100 +++ /work/SRC/openSUSE:Factory/.bind.new.2520/bind.changes 2021-12-28 12:26:21.804472419 +0100 @@ -1,0 +2,19 @@ +Wed Dec 15 14:37:47 UTC 2021 - Josef M??llers <josef.moell...@suse.com> + +- Upgrade to release 9.16.24 + This upgrade fixes the following bugs: + * mdig now honors the operating system's preferred ephemeral port + range. + * Fix a "named" crash related to removing and restoring a + `catalog-zone` entry in the configuration file and running + `rndc reconfig`. + * dns_sdlz_putrr failed to process some valid resource records. + * dnssec-dsfromkey failed to omit revoked keys. + Functional change: + * Change the message when accepting TCP connection has failed to + say "Accepting TCP connection failed" and change the log level + for ISC_R_NOTCONNECTED, ISC_R_QUOTA and ISC_R_SOFTQUOTA results + codes from ERROR to INFO. + [bind-9.16.24.tar.xz] + +------------------------------------------------------------------- Old: ---- bind-9.16.23.tar.xz bind-9.16.23.tar.xz.sha512.asc New: ---- bind-9.16.24.tar.xz bind-9.16.24.tar.xz.sha512.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.AXQ4aN/_old 2021-12-28 12:26:22.412472879 +0100 +++ /var/tmp/diff_new_pack.AXQ4aN/_new 2021-12-28 12:26:22.420472885 +0100 
@@ -46,7 +46,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.23 +Version: 9.16.24 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 ++++++ bind-9.16.23.tar.xz -> bind-9.16.24.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/.dir-locals.el new/bind-9.16.24/.dir-locals.el --- old/bind-9.16.23/.dir-locals.el 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/.dir-locals.el 2021-12-07 13:24:49.000000000 +0100 @@ -77,6 +77,9 @@ (expand-file-name (concat directory-of-current-dir-locals-file "bin/rndc/include")) + (expand-file-name "/usr/include/libxml2") + (expand-file-name "/usr/include/json-c") + (expand-file-name "/usr/local/opt/openssl@1.1/include") (expand-file-name "/usr/local/opt/libxml2/include/libxml2") (expand-file-name "/usr/local/opt/json-c/include/json-c/") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/.gitlab-ci.yml new/bind-9.16.24/.gitlab-ci.yml --- old/bind-9.16.23/.gitlab-ci.yml 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/.gitlab-ci.yml 2021-12-07 13:24:49.000000000 +0100 @@ -40,6 +40,13 @@ BIND_STRESS_TEST_OS: linux BIND_STRESS_TEST_ARCH: amd64 +# Allow all running CI jobs to be automatically canceled when a new +# version of a branch is pushed. +# +# See: https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines +default: + interruptible: true + stages: - precheck - build 
@@ -505,7 +512,9 @@ artifacts: true script: - *configure - - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)') + - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') + # Ignore Flake8 E402 error (module level import not at top of file) in system test to enable use of pytest.importorskip + - flake8 --max-line-length=80 --extend-ignore=E402 $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') pylint: <<: *default_triggering_rules @@ -516,8 +525,10 @@ artifacts: true script: - *configure - - PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python" - - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py)') + - export PYTHONPATH="$PYTHONPATH:$CI_PROJECT_DIR/bin/python" + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') + # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip + - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') tarball-create: stage: precheck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/CHANGES new/bind-9.16.24/CHANGES --- old/bind-9.16.23/CHANGES 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/CHANGES 2021-12-07 13:24:49.000000000 +0100 
@@ -1,3 +1,27 @@ + --- 9.16.24 released --- + +5773. [func] Change the message when accepting TCP connection has + failed to say "Accepting TCP connection failed" and + change the log level for ISC_R_NOTCONNECTED, ISC_R_QUOTA + and ISC_R_SOFTQUOTA results codes from ERROR to INFO. + [GL #2700] + +5768. [bug] dnssec-dsfromkey failed to omit revoked keys. [GL #853] + +5764. [bug] dns_sdlz_putrr failed to process some valid resource + records. [GL #3021] + +5762. [bug] Fix a "named" crash related to removing and restoring a + `catalog-zone` entry in the configuration file and + running `rndc reconfig`. [GL #1608] + +5758. [bug] mdig now honors the operating system's preferred + ephemeral port range. [GL #2374] + +5757. [test] Replace sed in nsupdate system test with awk to + construct the nsupdate command. The sed expression + was not reliably changing the ttl. [GL #3003] + --- 9.16.23 released --- 5752. [bug] Fix an assertion failure caused by missing member zones diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c --- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.c 2021-12-07 13:24:49.000000000 +0100 @@ -262,6 +262,10 @@ fatal("can't convert DNSKEY"); } + if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { + return; + } + if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) { return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst --- old/bind-9.16.23/bin/dnssec/dnssec-dsfromkey.rst 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/dnssec/dnssec-dsfromkey.rst 2021-12-07 13:24:49.000000000 +0100 
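Review bot: In the dnssec-dsfromkey.c hunk the new `if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { return; }` skips a revoked key without a comment or any diagnostic, so a run whose only input key is revoked ends with empty output and no stated reason. A comment above the check would record the intent, for example `/* A key with the REVOKE bit set must never be published as a DS/CDS. */`. If this file has a verbose-output helper (none is visible in the hunk), a one-line message naming the skipped key before the `return` would make the omission auditable. The enclosing function begins and ends outside the hunk.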
@@ -43,6 +43,10 @@ The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the ``-C`` option. +By default, only KSKs are converted (keys with flags = 257). The +``-A`` option includes ZSKs (flags = 256). Revoked keys are never +included. + The input keys can be specified in a number of ways: By default, ``dnssec-dsfromkey`` reads a key file named in the format diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/named/config.c new/bind-9.16.24/bin/named/config.c --- old/bind-9.16.23/bin/named/config.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/named/config.c 2021-12-07 13:24:49.000000000 +0100 @@ -281,14 +281,14 @@ "#\n\ # Default trusted key(s), used if \n\ # \"dnssec-validation auto;\" is set and\n\ -# sysconfdir/bind.keys doesn't exist).\n\ +# " NAMED_SYSCONFDIR "/bind.keys doesn't exist).\n\ #\n\ -# BEGIN DNSSEC KEYS\n" +# BEGIN TRUST ANCHORS\n" /* Imported from bind.keys.h: */ TRUST_ANCHORS - "# END MANAGED KEYS\n\ + "# END TRUST ANCHORS\n\ \n\ primaries " DEFAULT_IANA_ROOT_ZONE_PRIMARIES " {\n\ 2001:500:200::b; # b.root-servers.net\n\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/named/server.c new/bind-9.16.24/bin/named/server.c --- old/bind-9.16.23/bin/named/server.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/named/server.c 2021-12-07 13:24:49.000000000 +0100 @@ -6523,6 +6523,8 @@ if (zone_is_catz) { dns_zone_catz_enable(zone, view->catzs); + } else if (dns_zone_catz_is_enabled(zone)) { + dns_zone_catz_disable(zone); } /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/rndc/rndc.rst new/bind-9.16.24/bin/rndc/rndc.rst --- old/bind-9.16.23/bin/rndc/rndc.rst 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/rndc/rndc.rst 2021-12-07 13:24:49.000000000 +0100 
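Review bot: In the server.c hunk the added `else if (dns_zone_catz_is_enabled(zone)) { dns_zone_catz_disable(zone); }` has no comment explaining why a zone that is no longer listed under `catalog-zones` has to be switched off at this point. Going by CHANGES entry 5762 this is the fix for the `rndc reconfig` crash, so the reason is presumably that the zone object is reused across reconfigurations and would otherwise keep its catalog-zone state from the old configuration. I would add `/* Zone was a catalog zone before this reconfig but is not any more: drop the stale catz association. */` above the branch. The surrounding function is not fully visible here.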
@@ -370,11 +370,24 @@ avoids the need to examine the modification times of the zone files. ``recursing`` - This command dumps the list of queries ``named`` is currently recursing on, and the - list of domains to which iterative queries are currently being sent. - The second list includes the number of fetches currently active for - the given domain, and how many have been passed or dropped because of - the ``fetches-per-zone`` option. + This command dumps the list of queries ``named`` is currently + recursing on, and the list of domains to which iterative queries + are currently being sent. + + The first list includes all unique clients that are waiting for + recursion to complete, including the query that is awaiting a + response and the timestamp (seconds since the Unix epoch) of + when named started processing this client query. + + The second list comprises of domains for which there are active + (or recently active) fetches in progress. It reports the number + of active fetches for each domain and the number of queries that + have been passed (allowed) or dropped (spilled) as a result of + the ``fetches-per-zone`` limit. (Note: these counters are not + cumulative over time; whenever the number of active fetches for + a domain drops to zero, the counter for that domain is deleted, + and the next time a fetch is sent to that domain, it is recreated + with the counters set to zero). ``refresh`` *zone* [*class* [*view*]] This command schedules zone maintenance for the given zone. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in --- old/bind-9.16.23/bin/tests/system/catz/ns2/named.conf.in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/catz/ns2/named.conf.in 1970-01-01 01:00:00.000000000 +0100 
@@ -1,74 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -include "../../common/rndc.key"; - -controls { - inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { fd92:7065:b8e:ffff::2; }; - notify no; - recursion no; - serial-query-rate 100; - catalog-zones { - zone "catalog1.example" - default-masters { 10.53.0.1; } - in-memory no - zone-directory "zonedir"; - zone "catalog2.example" - default-masters { 10.53.0.1 port @EXTRAPORT1@; } - in-memory yes; - zone "catalog3.example" - default-masters { 10.53.0.1; } - zone-directory "nonexistent"; -#T1 zone "catalog4.example" -#T1 default-masters { 10.53.0.1; }; -#T2 zone "catalog5.example" -#T2 default-masters { 10.53.0.1; }; - }; -}; - -zone "catalog1.example" { - type secondary; - file "catalog1.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog2.example" { - type secondary; - file "catalog2.example.db"; - primaries { 10.53.0.3; }; -}; - -zone "catalog3.example" { - type secondary; - file "catalog3.example.db"; - primaries { 10.53.0.1; }; -}; - -zone "catalog4.example" { - type secondary; - file "catalog4.example.db"; - primaries { 10.53.0.1; }; -}; - -key tsig_key. 
{ - secret "LSAnCU+Z"; - algorithm hmac-md5; -}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in --- old/bind-9.16.23/bin/tests/system/catz/ns2/named1.conf.in 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/catz/ns2/named1.conf.in 2021-12-07 13:24:49.000000000 +0100 
@@ -0,0 +1,74 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { fd92:7065:b8e:ffff::2; }; + notify no; + recursion no; + serial-query-rate 100; + catalog-zones { + zone "catalog1.example" + default-masters { 10.53.0.1; } + in-memory no + zone-directory "zonedir"; + zone "catalog2.example" + default-masters { 10.53.0.1 port @EXTRAPORT1@; } + in-memory yes; + zone "catalog3.example" + default-masters { 10.53.0.1; } + zone-directory "nonexistent"; +#T1 zone "catalog4.example" +#T1 default-masters { 10.53.0.1; }; +#T2 zone "catalog5.example" +#T2 default-masters { 10.53.0.1; }; + }; +}; + +zone "catalog1.example" { + type secondary; + file "catalog1.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog2.example" { + type secondary; + file "catalog2.example.db"; + primaries { 10.53.0.3; }; +}; + +zone "catalog3.example" { + type secondary; + file "catalog3.example.db"; + primaries { 10.53.0.1; }; +}; + +zone "catalog4.example" { + type secondary; + file "catalog4.example.db"; + primaries { 10.53.0.1; }; +}; + +key tsig_key. 
{ + secret "LSAnCU+Z"; + algorithm hmac-md5; +}; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in --- old/bind-9.16.23/bin/tests/system/catz/ns2/named2.conf.in 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/catz/ns2/named2.conf.in 2021-12-07 13:24:49.000000000 +0100 
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../common/rndc.key";
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ notify no;
+ recursion no;
+ serial-query-rate 100;
+ # removed catalog-zone option, otherwise this is
+ # identical to named1.conf.in
+};
+
+zone "catalog1.example" {
+ type secondary;
+ file "catalog1.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog2.example" {
+ type secondary;
+ file "catalog2.example.db";
+ primaries { 10.53.0.3; };
+};
+
+zone "catalog3.example" {
+ type secondary;
+ file "catalog3.example.db";
+ primaries { 10.53.0.1; };
+};
+
+zone "catalog4.example" {
+ type secondary;
+ file "catalog4.example.db";
+ primaries { 10.53.0.1; };
+};
+
+key tsig_key. {
+ secret "LSAnCU+Z";
+ algorithm hmac-md5;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/setup.sh new/bind-9.16.24/bin/tests/system/catz/setup.sh
--- old/bind-9.16.23/bin/tests/system/catz/setup.sh 2021-11-05 10:03:26.000000000 +0100
+++ new/bind-9.16.24/bin/tests/system/catz/setup.sh 2021-12-07 13:24:49.000000000 +0100
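Review bot: The `key tsig_key.` block at the end of the new named2.conf.in repeats `algorithm hmac-md5` with an inline secret, and nothing visible in this file refers to that key. If the stripped-down configuration does not need the key, leave it out; if it does, `algorithm hmac-sha256;` avoids carrying an HMAC that is no longer recommended for TSIG into a new fixture. A comment such as `# test-only key, valid only on the system-test addresses` would stop the secret being flagged or copied as a real credential. The control channel line `allow { any; }` deserves the same remark, since it is acceptable only because it listens on the test address 10.53.0.2. named1.conf.in carries the same two blocks, there as a rename of the old named.conf.in.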
@@ -15,7 +15,7 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf -copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns2/named1.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf cp -f ns1/catalog.example.db.in ns1/catalog1.example.db diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/catz/tests.sh new/bind-9.16.24/bin/tests/system/catz/tests.sh --- old/bind-9.16.23/bin/tests/system/catz/tests.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/catz/tests.sh 2021-12-07 13:24:49.000000000 +0100 @@ -1179,7 +1179,7 @@ n=$((n+1)) echo_i "reconfiguring secondary - adding catalog4 catalog zone ($n)" ret=0 -sed -e "s/^#T1//g" < ns2/named.conf.in > ns2/named.conf.tmp +sed -e "s/^#T1//g" < ns2/named1.conf.in > ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -1210,7 +1210,7 @@ n=$((n+1)) echo_i "reconfiguring secondary - removing catalog4 catalog zone, adding non-existent catalog5 catalog zone ($n)" ret=0 -sed -e "s/^#T2//" < ns2/named.conf.in > ns2/named.conf.tmp +sed -e "s/^#T2//" < ns2/named1.conf.in > ns2/named.conf.tmp copy_setports ns2/named.conf.tmp ns2/named.conf $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reconfig > /dev/null 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi @@ -1219,7 +1219,7 @@ n=$((n+1)) echo_i "reconfiguring secondary - removing non-existent catalog5 catalog zone ($n)" ret=0 -copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns2/named1.conf.in ns2/named.conf rndccmd 10.53.0.2 reconfig || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
@@ -1730,5 +1730,15 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "checking that reconfig can delete and restore catalog zone configuration ($n)" +ret=0 +copy_setports ns2/named2.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/checkds/clean.sh new/bind-9.16.24/bin/tests/system/checkds/clean.sh --- old/bind-9.16.23/bin/tests/system/checkds/clean.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/checkds/clean.sh 2021-12-07 13:24:49.000000000 +0100 @@ -21,5 +21,4 @@ rm -f ns*/managed-keys.bind* rm -f ns*/*.mkeys rm -f ns*/zones -rm -f tests-checkds.py.status rm -f *.checkds.out diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c --- old/bind-9.16.23/bin/tests/system/dlzexternal/driver.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/dlzexternal/driver.c 2021-12-07 13:24:49.000000000 +0100 @@ -238,10 +238,9 @@ struct dlz_example_data *state; const char *helper_name; va_list ap; - char soa_data[1024]; - const char *extra; + char soa_data[sizeof("@ hostmaster.root 123 900 600 86400 3600")]; isc_result_t result; - int n; + size_t n; UNUSED(dlzname); 
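Review bot: The new catz test at the end of tests.sh only checks the exit status of the two `rndccmd 10.53.0.2 reconfig` calls, while the defect it guards against (CHANGES 5762) is a crash of named. If the crash happens after rndc has already returned, `ret` stays 0 and the test passes. After the second reconfig I would add a step that proves ns2 is still answering and has its catalog zones back, for example a query to 10.53.0.2 for one of the `catalogN.example` zones followed by `|| ret=1`. It would also help to stop after a failed first reconfig rather than run the second one against a server that may already be gone.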
@@ -275,19 +274,19 @@ sprintf(state->zone_name, "%s.", argv[1]); } + /* + * Use relative names to trigger ISC_R_NOSPACE in dns_sdlz_putrr. + */ if (strcmp(state->zone_name, ".") == 0) { - extra = ".root"; + n = strlcpy(soa_data, + "@ hostmaster.root 123 900 600 86400 3600", + sizeof(soa_data)); } else { - extra = "."; + n = strlcpy(soa_data, "@ hostmaster 123 900 600 86400 3600", + sizeof(soa_data)); } - n = sprintf(soa_data, "%s hostmaster%s%s 123 900 600 86400 3600", - state->zone_name, extra, state->zone_name); - - if (n < 0) { - CHECK(ISC_R_FAILURE); - } - if ((unsigned)n >= sizeof(soa_data)) { + if (n >= sizeof(soa_data)) { CHECK(ISC_R_NOSPACE); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in --- old/bind-9.16.23/bin/tests/system/dlzexternal/ns1/dlzs.conf.in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/dlzexternal/ns1/dlzs.conf.in 2021-12-07 13:24:49.000000000 +0100 @@ -21,6 +21,11 @@ database "dlopen ../driver.@SO@ example.org"; }; +dlz "example four" { + // Long zone name to trigger ISC_R_NOSPACE in dns_sdlz_putrr. + database "dlopen ../driver.@SO@ 123456789.123456789.123456789.123456789.123456789.example.foo"; +}; + dlz "unsearched1" { database "dlopen ../driver.@SO@ other.nil"; search no; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/dnssec/tests.sh new/bind-9.16.24/bin/tests/system/dnssec/tests.sh --- old/bind-9.16.23/bin/tests/system/dnssec/tests.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/dnssec/tests.sh 2021-12-07 13:24:49.000000000 +0100 
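Review bot: In driver.c the SOA literal `"@ hostmaster.root 123 900 600 86400 3600"` now appears twice, once inside `sizeof(...)` in the `soa_data` declaration (hunk @@ -238) and once in the `strlcpy` call here, and the two copies must be kept identical by hand. With the buffer sized from the longer literal, `n >= sizeof(soa_data)` can only fire after somebody edits one copy and not the other, so that check is the sole guard against such an edit. Naming the string once, e.g. `static const char soa_root[] = "@ hostmaster.root 123 900 600 86400 3600";` and declaring `char soa_data[sizeof(soa_root)];`, removes the coupling. The function continues outside both hunks, so where `strlcpy` is declared for platforms that lack it cannot be checked from here.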
@@ -2881,6 +2881,18 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_i "check dnssec-dsfromkey with revoked key ($n)" +ret=0 +dig_with_opts revkey.example dnskey @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "DNSKEY.256 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # ZSK +grep "DNSKEY.385 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # revoked KSK +grep "DNSKEY.257 3 13" dig.out.ns4.test$n > /dev/null || ret=1 # KSK +test $(awk '$4 == "DNSKEY" { print }' dig.out.ns4.test$n | wc -l) -eq 3 || ret=1 +$DSFROMKEY -f dig.out.ns4.test$n revkey.example. > dsfromkey.out.test$n || ret=1 +test $(wc -l < dsfromkey.out.test$n) -eq 1 || ret=1 +n=$((n+1)) +test "$ret" -eq 0 || echo_i "failed" + echo_i "testing soon-to-expire RRSIGs without a replacement private key ($n)" ret=0 dig_with_answeropts +nottlid expiring.example ns @10.53.0.3 | grep RRSIG > dig.out.ns3.test$n 2>&1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh --- old/bind-9.16.23/bin/tests/system/nsupdate/clean.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/nsupdate/clean.sh 2021-12-07 13:24:49.000000000 +0100 @@ -63,4 +63,5 @@ rm -f nsupdate.out* rm -f typelist.out.* rm -f update.out.* +rm -f update.in.* rm -f verylarge diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh --- old/bind-9.16.23/bin/tests/system/nsupdate/tests.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/nsupdate/tests.sh 2021-12-07 13:24:49.000000000 +0100 
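Review bot: The new "check dnssec-dsfromkey with revoked key" block never adds its result to the overall status: it ends with `test "$ret" -eq 0 || echo_i "failed"` and the next test starts straight after, without the `status=$((status+ret))` line that the preceding test has. A regression in the revoked-key handling would print "failed" but leave the script's exit status unchanged, so the security-relevant check would not fail the run. Add `status=$((status+ret))` after the `echo_i "failed"` line.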
@@ -751,9 +751,10 @@ echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)" $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ @10.53.0.3 dnskey | \ - sed -n 's/\(.*\)10.IN/update add \1600 IN/p' | - (echo server 10.53.0.3 ${PORT}; cat - ; echo send ) | -$NSUPDATE + awk -v port="${PORT}" 'BEGIN { print "server 10.53.0.3", port; } + $2 == 10 && $3 == "IN" && $4 == "DNSKEY" { $2 = 600; print "update add", $0 } + END { print "send" }' > update.in.$n +$NSUPDATE update.in.$n $DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd dnskey.test. \ @10.53.0.3 any > dig.out.ns3.$n diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/run.sh new/bind-9.16.24/bin/tests/system/run.sh --- old/bind-9.16.23/bin/tests/system/run.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/run.sh 2021-12-07 13:24:49.000000000 +0100 @@ -228,6 +228,7 @@ if [ -n "$PYTEST" ]; then run=$((run+1)) for test in $(cd "${systest}" && find . -name "tests*.py"); do + rm -f "$systest/$test.status" if start_servers; then rm -f "$systest/$test.status" test_status=0 @@ -243,6 +244,7 @@ break fi done + rm -f "$systest/$test.status" else echoinfo "I:$systest:pytest not installed, skipping python tests" fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/shutdown/clean.sh new/bind-9.16.24/bin/tests/system/shutdown/clean.sh --- old/bind-9.16.23/bin/tests/system/shutdown/clean.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/shutdown/clean.sh 2021-12-07 13:24:49.000000000 +0100 
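Review bot: In the nsupdate/tests.sh hunk nothing checks that the awk filter produced any `update add` line, nor that `$NSUPDATE update.in.$n` succeeded. CHANGES 5757 says the old sed expression "was not reliably changing the ttl", and the awk version can fail in the same quiet way: if no DNSKEY line has `$2 == 10`, update.in.$n holds only the `server` and `send` lines and the run looks fine. A guard such as `grep "^update add" update.in.$n > /dev/null || ret=1` before the nsupdate call would turn that into a test failure. How this test records failure is outside the hunk, so the variable name may need adjusting.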
@@ -14,4 +14,3 @@ rm -f */named.conf rm -f */named.run rm -rf __pycache__ -rm -f *.status diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/conftest.py new/bind-9.16.24/bin/tests/system/wildcard/conftest.py --- old/bind-9.16.23/bin/tests/system/wildcard/conftest.py 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/wildcard/conftest.py 2021-12-07 13:24:49.000000000 +0100 @@ -0,0 +1,18 @@ +############################################################################ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. +############################################################################ + +import os +import pytest + + +@pytest.fixture(scope='module') +def named_port(): + return int(os.environ.get("PORT", default=5300)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in --- old/bind-9.16.23/bin/tests/system/wildcard/ns1/allwild.db.in 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/allwild.db.in 2021-12-07 13:24:49.000000000 +0100 
@@ -0,0 +1,4 @@ +$ORIGIN allwild.test. +allwild.test. 3600 IN SOA . . 0 0 0 0 0 +allwild.test. 3600 NS ns.example.test. +*.allwild.test. 3600 A 192.0.2.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in --- old/bind-9.16.23/bin/tests/system/wildcard/ns1/named.conf.in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/named.conf.in 2021-12-07 13:24:49.000000000 +0100 @@ -27,6 +27,7 @@ /* * RFC 4592 example zone. */ +zone "allwild.test" { type primary; file "allwild.db"; }; zone "example" { type primary; file "example.db"; }; zone "nsec" { type primary; file "nsec.db.signed"; }; zone "private.nsec" { type primary; file "private.nsec.db.signed"; }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh --- old/bind-9.16.23/bin/tests/system/wildcard/ns1/sign.sh 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/wildcard/ns1/sign.sh 2021-12-07 13:24:49.000000000 +0100 @@ -17,6 +17,7 @@ dssets= # RFC 4592 example zone. +cp allwild.db.in allwild.db cp example.db.in example.db zone=nsec diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py --- old/bind-9.16.23/bin/tests/system/wildcard/tests-wildcard.py 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/bin/tests/system/wildcard/tests-wildcard.py 2021-12-07 13:24:49.000000000 +0100 
@@ -0,0 +1,103 @@ +#!/usr/bin/python3 +############################################################################ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. +############################################################################ + +""" +Example property-based test for wildcard synthesis. +Verifies that otherwise-empty zone with single wildcard record * A 192.0.2.1 +produces synthesized answers for <random_label>.test. A, and returns NODATA for +<random_label>.test. when rdtype is not A. + +Limitations - untested properties: + - expansion works with multiple labels + - asterisk in qname does not cause expansion + - empty non-terminals prevent expansion + - or more generally any existing node prevents expansion + - DNSSEC record inclusion + - possibly others, see RFC 4592 and company + - content of authority & additional sections + - flags beyond RCODE + - special behavior of rdtypes like CNAME +""" +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdatatype + +pytest.importorskip("hypothesis") +from hypothesis import given +from hypothesis.strategies import binary, integers + + +# labels of a zone with * A 192.0.2.1 wildcard +WILDCARD_ZONE = ('allwild', 'test', '') +WILDCARD_RDTYPE = dns.rdatatype.A +WILDCARD_RDATA = '192.0.2.1' +IPADDR = '10.53.0.1' +TIMEOUT = 5 # seconds, just a sanity check + + +# Helpers +def is_nonexpanding_rdtype(rdtype): + """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895""" + return not(rdtype == WILDCARD_RDTYPE + or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ... 
+ or 128 <= rdtype <= 255) # unknown meta types + + +def tcp_query(where, port, qname, qtype): + querymsg = dns.message.make_query(qname, qtype) + assert len(querymsg.question) == 1 + return querymsg, dns.query.tcp(querymsg, where, port=port, timeout=TIMEOUT) + + +def query(where, port, label, rdtype): + labels = (label, ) + WILDCARD_ZONE + qname = dns.name.Name(labels) + return tcp_query(where, port, qname, rdtype) + + +# Tests +@given(label=binary(min_size=1, max_size=63), + rdtype=integers(min_value=0, max_value=65535).filter( + is_nonexpanding_rdtype)) +def test_wildcard_rdtype_mismatch(label, rdtype, named_port): + """any label non-matching rdtype must result in to NODATA""" + check_answer_nodata(*query(IPADDR, named_port, label, rdtype)) + + +def check_answer_nodata(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert answer.answer == [], str(answer) + + +@given(label=binary(min_size=1, max_size=63)) +def test_wildcard_match(label, named_port): + """any label with maching rdtype must result in wildcard data in answer""" + check_answer_noerror(*query(IPADDR, named_port, label, WILDCARD_RDTYPE)) + + +def check_answer_noerror(querymsg, answer): + assert querymsg.is_response(answer), str(answer) + assert answer.rcode() == dns.rcode.NOERROR, str(answer) + assert len(querymsg.question) == 1, str(answer) + expected_answer = [dns.rrset.from_text( + querymsg.question[0].name, + 300, # TTL, ignored by dnspython comparison + dns.rdataclass.IN, + WILDCARD_RDTYPE, + WILDCARD_RDATA)] + assert answer.answer == expected_answer, str(answer) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/bin/tools/mdig.c new/bind-9.16.24/bin/tools/mdig.c --- old/bind-9.16.23/bin/tools/mdig.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/bin/tools/mdig.c 2021-12-07 13:24:49.000000000 +0100 
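Review bot: `check_answer_noerror` calls `dns.rrset.from_text` and reads `dns.rdataclass.IN`, but the import block only lists `dns.message`, `dns.name`, `dns.query`, `dns.rcode` and `dns.rdatatype`. The test works only as long as dnspython happens to load those two submodules as a side effect of the others. Add `import dns.rdataclass` and `import dns.rrset` next to the existing imports. `tcp_query`, `query` and the two `check_answer_*` helpers also have no docstrings; one line each stating what is returned or asserted would match `is_nonexpanding_rdtype`.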
@@ -25,6 +25,7 @@ #include <isc/net.h> #include <isc/nonce.h> #include <isc/parseint.h> +#include <isc/portset.h> #include <isc/print.h> #include <isc/random.h> #include <isc/sockaddr.h> @@ -2057,6 +2058,47 @@ } } +/* + * Try honoring the operating system's preferred ephemeral port range. + */ +static void +set_source_ports(dns_dispatchmgr_t *manager) { + isc_portset_t *v4portset = NULL, *v6portset = NULL; + in_port_t udpport_low, udpport_high; + isc_result_t result; + + result = isc_portset_create(mctx, &v4portset); + if (result != ISC_R_SUCCESS) { + fatal("isc_portset_create (v4) failed"); + } + + result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high); + if (result != ISC_R_SUCCESS) { + fatal("isc_net_getudpportrange (v4) failed"); + } + + isc_portset_addrange(v4portset, udpport_low, udpport_high); + + result = isc_portset_create(mctx, &v6portset); + if (result != ISC_R_SUCCESS) { + fatal("isc_portset_create (v6) failed"); + } + result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high); + if (result != ISC_R_SUCCESS) { + fatal("isc_net_getudpportrange (v6) failed"); + } + + isc_portset_addrange(v6portset, udpport_low, udpport_high); + + result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset); + if (result != ISC_R_SUCCESS) { + fatal("dns_dispatchmgr_setavailports failed"); + } + + isc_portset_destroy(mctx, &v4portset); + isc_portset_destroy(mctx, &v6portset); +} + /*% Main processing routine for mdig */ int main(int argc, char *argv[]) { 
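Review bot: The header comment on `set_source_ports` says "Try honoring", which reads as best effort, but every failing call in the function ends in `fatal(...)`, so mdig exits if, for example, `isc_net_getudpportrange` fails for AF_INET6. Either the comment should state that, e.g. `/* Restrict UDP source ports to the operating system's ephemeral port range; any failure is fatal. */`, or the function should warn and leave the dispatch manager's default ports in place. The fatal messages also discard `result`; if `fatal()` takes a printf-style format (its definition is outside this hunk), `fatal("isc_portset_create (v4) failed: %s", isc_result_totext(result));` would make a failure diagnosable.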
@@ -2126,12 +2168,14 @@ RUNCHECK(isc_managers_create(mctx, 1, 0, &netmgr, &taskmgr)); RUNCHECK(isc_task_create(taskmgr, 0, &task)); - RUNCHECK(isc_timermgr_create(mctx, &timermgr)); RUNCHECK(isc_socketmgr_create(mctx, &socketmgr)); RUNCHECK(dns_dispatchmgr_create(mctx, &dispatchmgr)); + set_source_ports(dispatchmgr); + attrs = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_MAKEQUERY; + if (have_ipv4) { isc_sockaddr_any(&bind_any); attrs |= DNS_DISPATCHATTR_IPV4; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/configure new/bind-9.16.24/configure --- old/bind-9.16.23/configure 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/configure 2021-12-07 13:24:49.000000000 +0100 @@ -16849,6 +16849,14 @@ +# +# This maintenance branch of BIND 9 does not support new OpenSSL APIs +# introduced in version 3.0.0. Suppress compiler warnings about using +# functions deprecated in newer OpenSSL versions as they will not be +# addressed in BIND 9.16. +# +OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED" + CFLAGS="$CFLAGS $OPENSSL_CFLAGS" LIBS="$LIBS $OPENSSL_LIBS" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/configure.ac new/bind-9.16.24/configure.ac --- old/bind-9.16.23/configure.ac 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/configure.ac 2021-12-07 13:24:49.000000000 +0100 
@@ -806,6 +806,14 @@ AX_SAVE_FLAGS([openssl]) +# +# This maintenance branch of BIND 9 does not support new OpenSSL APIs +# introduced in version 3.0.0. Suppress compiler warnings about using +# functions deprecated in newer OpenSSL versions as they will not be +# addressed in BIND 9.16. +# +OPENSSL_CFLAGS="$OPENSSL_CFLAGS -DOPENSSL_SUPPRESS_DEPRECATED" + CFLAGS="$CFLAGS $OPENSSL_CFLAGS" LIBS="$LIBS $OPENSSL_LIBS" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/doc/arm/notes.rst new/bind-9.16.24/doc/arm/notes.rst --- old/bind-9.16.23/doc/arm/notes.rst 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/doc/arm/notes.rst 2021-12-07 13:24:49.000000000 +0100 @@ -59,6 +59,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-9.16.24.rst .. include:: ../notes/notes-9.16.23.rst .. include:: ../notes/notes-9.16.22.rst .. include:: ../notes/notes-9.16.21.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/doc/arm/reference.rst new/bind-9.16.24/doc/arm/reference.rst --- old/bind-9.16.23/doc/arm/reference.rst 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/doc/arm/reference.rst 2021-12-07 13:24:49.000000000 +0100 @@ -1909,8 +1909,8 @@ ``cookie-algorithm`` This sets the algorithm to be used when generating the server cookie; the options are - "aes", "sha1", or "sha256". The default is "aes" if supported by - the cryptographic library; otherwise, "sha256". + "aes" or "siphash24". The default is "siphash24". The "aes" option remains for legacy + purposes. ``cookie-secret`` If set, this is a shared secret used for generating and verifying 
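Review bot: `-DOPENSSL_SUPPRESS_DEPRECATED` is appended unconditionally and silences every OpenSSL deprecation warning for the whole build, not only the ones from the 3.0.0 API transition that the comment describes. The comment should say so, because a later deprecation made for security reasons would also go unreported on this branch; for example add `# Note: this hides all OpenSSL deprecation warnings, including future ones.` If a narrower setting is wanted, declaring the API level the code targets with `OPENSSL_API_COMPAT` may be an option, though I have not checked it against the OpenSSL versions this branch supports. The same lines appear in the generated `configure` hunk.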
@@ -2961,12 +2961,13 @@ The current list of active fetches can be dumped by running ``rndc recursing``. The list includes the number of active fetches - for each domain and the number of queries that have been passed or - dropped as a result of the ``fetches-per-zone`` limit. (Note: these - counters are not cumulative over time; whenever the number of active - fetches for a domain drops to zero, the counter for that domain is - deleted, and the next time a fetch is sent to that domain, it is - recreated with the counters set to zero.) + for each domain and the number of queries that have been passed + (allowed) or dropped (spilled) as a result of the ``fetches-per-zone`` + limit. (Note: these counters are not cumulative over time; + whenever the number of active fetches for a domain drops to zero, + the counter for that domain is deleted, and the next time a fetch + is sent to that domain, it is recreated with the counters set + to zero.) ``fetches-per-server`` This sets the maximum number of simultaneous iterative queries that the server diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in --- old/bind-9.16.23/doc/man/dnssec-dsfromkey.8in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/doc/man/dnssec-dsfromkey.8in 2021-12-07 13:24:49.000000000 +0100 
@@ -44,6 +44,10 @@ The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records (RRs), or CDS (Child DS) RRs with the \fB\-C\fP option. .sp +By default, only KSKs are converted (keys with flags = 257). The +\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never +included. +.sp The input keys can be specified in a number of ways: .sp By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/doc/man/rndc.8in new/bind-9.16.24/doc/man/rndc.8in --- old/bind-9.16.23/doc/man/rndc.8in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/doc/man/rndc.8in 2021-12-07 13:24:49.000000000 +0100 
@@ -372,11 +372,24 @@ avoids the need to examine the modification times of the zone files. .TP .B \fBrecursing\fP -This command dumps the list of queries \fBnamed\fP is currently recursing on, and the -list of domains to which iterative queries are currently being sent. -The second list includes the number of fetches currently active for -the given domain, and how many have been passed or dropped because of -the \fBfetches\-per\-zone\fP option. +This command dumps the list of queries \fBnamed\fP is currently +recursing on, and the list of domains to which iterative queries +are currently being sent. +.sp +The first list includes all unique clients that are waiting for +recursion to complete, including the query that is awaiting a +response and the timestamp (seconds since the Unix epoch) of +when named started processing this client query. +.sp +The second list comprises of domains for which there are active +(or recently active) fetches in progress. It reports the number +of active fetches for each domain and the number of queries that +have been passed (allowed) or dropped (spilled) as a result of +the \fBfetches\-per\-zone\fP limit. (Note: these counters are not +cumulative over time; whenever the number of active fetches for +a domain drops to zero, the counter for that domain is deleted, +and the next time a fetch is sent to that domain, it is recreated +with the counters set to zero). .TP .B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] This command schedules zone maintenance for the given zone. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/doc/notes/notes-9.16.24.rst new/bind-9.16.24/doc/notes/notes-9.16.24.rst --- old/bind-9.16.23/doc/notes/notes-9.16.24.rst 1970-01-01 01:00:00.000000000 +0100 +++ new/bind-9.16.24/doc/notes/notes-9.16.24.rst 2021-12-07 13:24:49.000000000 +0100 
@@ -0,0 +1,35 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.16.24 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- Previously, when an incoming TCP connection could not be accepted + because the client closed the connection early, an error message of + ``TCP connection failed: socket is not connected`` was logged. This + message has been changed to ``Accepting TCP connection failed: socket + is not connected``. The severity level at which this type of message + is logged has also been changed from ``error`` to ``info`` for the + following triggering events: ``socket is not connected``, ``quota + reached``, and ``soft quota reached``. :gl:`#2700` + +- ``dnssec-dsfromkey`` no longer generates DS records from revoked keys. + :gl:`#853` + +Bug Fixes +~~~~~~~~~ + +- Removing a configured ``catalog-zone`` clause from the configuration, + running ``rndc reconfig``, then bringing back the removed + ``catalog-zone`` clause and running ``rndc reconfig`` again caused + ``named`` to crash. This has been fixed. :gl:`#1608` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/dns/include/dns/zone.h new/bind-9.16.24/lib/dns/include/dns/zone.h --- old/bind-9.16.23/lib/dns/include/dns/zone.h 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/dns/include/dns/zone.h 2021-12-07 13:24:49.000000000 +0100 
@@ -2606,6 +2606,26 @@ */ void +dns_zone_catz_disable(dns_zone_t *zone); +/*%< + * Disable zone as catalog zone, if it is one. + * + * Requires: + * + * \li 'zone' is a valid zone object + */ + +bool +dns_zone_catz_is_enabled(dns_zone_t *zone); +/*%< + * Return a boolean indicating whether the zone is enabled as catalog zone. + * + * Requires: + * + * \li 'zone' is a valid zone object + */ + +void dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db); /*%< * If 'zone' is a catalog zone, then set up a notify-on-update trigger diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c --- old/bind-9.16.23/lib/dns/rdata/in_1/svcb_64.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/dns/rdata/in_1/svcb_64.c 2021-12-07 13:24:49.000000000 +0100 @@ -260,7 +260,7 @@ RETERR(alpn_fromtxt(region, target)); break; case sbpr_port: - if (!isdigit(*region->base)) { + if (!isdigit((unsigned char)*region->base)) { return (DNS_R_SYNTAX); } ul = strtoul(region->base, &e, 10); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/dns/sdlz.c new/bind-9.16.24/lib/dns/sdlz.c --- old/bind-9.16.23/lib/dns/sdlz.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/dns/sdlz.c 2021-12-07 13:24:49.000000000 +0100 @@ -1875,7 +1875,6 @@ mctx, rdatabuf, &lookup->callbacks); if (result != ISC_R_SUCCESS) { isc_buffer_free(&rdatabuf); - result = DNS_R_SERVFAIL; } if (size >= 65535) { break; 
@@ -1887,6 +1886,7 @@ } while (result == ISC_R_NOSPACE); if (result != ISC_R_SUCCESS) { + result = DNS_R_SERVFAIL; goto failure; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/dns/win32/libdns.def.in new/bind-9.16.24/lib/dns/win32/libdns.def.in --- old/bind-9.16.23/lib/dns/win32/libdns.def.in 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/dns/win32/libdns.def.in 2021-12-07 13:24:49.000000000 +0100 @@ -1173,8 +1173,10 @@ dns_zone_addnsec3chain dns_zone_asyncload dns_zone_attach +dns_zone_catz_disable dns_zone_catz_enable dns_zone_catz_enable_db +dns_zone_catz_is_enabled dns_zone_cdscheck dns_zone_checknames dns_zone_clearforwardacl diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/dns/zone.c new/bind-9.16.24/lib/dns/zone.c --- old/bind-9.16.23/lib/dns/zone.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/dns/zone.c 2021-12-07 13:24:49.000000000 +0100 @@ -1942,6 +1942,24 @@ UNLOCK_ZONE(zone); } +void +dns_zone_catz_disable(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + if (zone->catzs != NULL) { + dns_catz_catzs_detach(&zone->catzs); + } + UNLOCK_ZONE(zone); +} + +bool +dns_zone_catz_is_enabled(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + + return (zone->catzs != NULL); +} + /* * If a zone is a catalog zone, attach it to update notification in database. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h --- old/bind-9.16.23/lib/isc/netmgr/netmgr-int.h 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/isc/netmgr/netmgr-int.h 2021-12-07 13:24:49.000000000 +0100 
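Review bot: Nothing in the new code records why `result = DNS_R_SERVFAIL;` has to sit after the loop rather than in the failure branch inside it, and the reason is easy to undo by accident. The loop ends in `while (result == ISC_R_NOSPACE);`, so overwriting `result` inside the body stops the retry. I would add a comment above the moved assignment, such as `/* Map to SERVFAIL only after the loop; the loop condition needs the raw ISC_R_NOSPACE to retry. */`. The enclosing function starts outside both sdlz.c hunks.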
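Review bot: `dns_zone_catz_is_enabled` reads `zone->catzs` without taking the zone lock, while `dns_zone_catz_disable` directly above clears the same pointer under `LOCK_ZONE`. Unless every caller is guaranteed to run while no other thread can reconfigure the zone (not visible from this hunk), that is an unsynchronised read of a field another thread may be writing. Taking the lock around the read keeps the two new functions consistent. The description in zone.h should then also say that the returned value is only a snapshot.

```c
bool
dns_zone_catz_is_enabled(dns_zone_t *zone) {
	bool enabled;

	REQUIRE(DNS_ZONE_VALID(zone));

	LOCK_ZONE(zone);
	enabled = (zone->catzs != NULL);
	UNLOCK_ZONE(zone);

	return (enabled);
}
```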
@@ -1576,4 +1576,7 @@ void isc__nmsocket_connecttimeout_cb(uv_timer_t *timer); +void +isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota); + #define STREAM_CLIENTS_PER_CONN 23 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/netmgr.c new/bind-9.16.24/lib/isc/netmgr/netmgr.c --- old/bind-9.16.23/lib/isc/netmgr/netmgr.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/isc/netmgr/netmgr.c 2021-12-07 13:24:49.000000000 +0100 @@ -1967,6 +1967,33 @@ } } +void +isc__nm_accept_connection_log(isc_result_t result, bool can_log_quota) { + int level; + + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_NOCONN: + return; + case ISC_R_QUOTA: + case ISC_R_SOFTQUOTA: + if (!can_log_quota) { + return; + } + level = ISC_LOG_INFO; + break; + case ISC_R_NOTCONNECTED: + level = ISC_LOG_INFO; + break; + default: + level = ISC_LOG_ERROR; + } + + isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, + level, "Accepting TCP connection failed: %s", + isc_result_totext(result)); +} + static void isc__nmsocket_readtimeout_cb(uv_timer_t *timer) { isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcp.c new/bind-9.16.24/lib/isc/netmgr/tcp.c --- old/bind-9.16.23/lib/isc/netmgr/tcp.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/isc/netmgr/tcp.c 2021-12-07 13:24:49.000000000 +0100 @@ -631,15 +631,7 @@ result = accept_connection(ssock, quota); done: - if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { - if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || - can_log_tcp_quota()) { - isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, - ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, - "TCP connection failed: %s", - isc_result_totext(result)); - } - } + isc__nm_accept_connection_log(result, can_log_tcp_quota()); } void 
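Review bot: `isc__nm_accept_connection_log` has no comment, either on the definition or on the prototype added to netmgr-int.h, and its contract cannot be guessed from the name. ISC_R_SUCCESS and ISC_R_NOCONN are silent, ISC_R_QUOTA and ISC_R_SOFTQUOTA are logged at INFO only when `can_log_quota` is true, ISC_R_NOTCONNECTED is always INFO, and anything else is ERROR. I would add a block comment above the function stating exactly that, and end the `default:` arm with `break;` to match the other arms. Because quota exhaustion now logs at INFO with a new message text, alerting that matched ERROR-level `TCP connection failed` lines will no longer see quota pressure, so the comment is also a good place to record why these results were downgraded.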
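Review bot: `can_log_tcp_quota()` is now evaluated on every call, including successful accepts, because it is passed as an argument; the removed code reached it only when `result` was ISC_R_QUOTA or ISC_R_SOFTQUOTA. Its body is outside this diff, but if it updates rate-limit state when called (for example a last-logged timestamp), ordinary accepts would now consume the window and quota messages could be suppressed exactly when the server is busiest. Keeping the short-circuit at the call site avoids that: `isc__nm_accept_connection_log(result, (result == ISC_R_QUOTA || result == ISC_R_SOFTQUOTA) && can_log_tcp_quota());`. The same applies to the second tcp.c hunk and to both tcpdns.c hunks with `can_log_tcpdns_quota()`. The enclosing functions start outside the hunks.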
@@ -934,15 +926,7 @@ REQUIRE(sock->tid == isc_nm_tid()); result = accept_connection(sock, ievent->quota); - if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { - if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || - can_log_tcp_quota()) { - isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, - ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, - "TCP connection failed: %s", - isc_result_totext(result)); - } - } + isc__nm_accept_connection_log(result, can_log_tcp_quota()); } static isc_result_t diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/lib/isc/netmgr/tcpdns.c new/bind-9.16.24/lib/isc/netmgr/tcpdns.c --- old/bind-9.16.23/lib/isc/netmgr/tcpdns.c 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/lib/isc/netmgr/tcpdns.c 2021-12-07 13:24:49.000000000 +0100 @@ -600,16 +600,7 @@ result = accept_connection(ssock, quota); done: - if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { - if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || - can_log_tcpdns_quota()) - { - isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, - ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, - "TCP connection failed: %s", - isc_result_totext(result)); - } - } + isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); } void 
@@ -905,16 +896,7 @@ REQUIRE(ievent->sock->tid == isc_nm_tid()); result = accept_connection(ievent->sock, ievent->quota); - if (result != ISC_R_SUCCESS && result != ISC_R_NOCONN) { - if ((result != ISC_R_QUOTA && result != ISC_R_SOFTQUOTA) || - can_log_tcpdns_quota()) - { - isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, - ISC_LOGMODULE_NETMGR, ISC_LOG_ERROR, - "TCP connection failed: %s", - isc_result_totext(result)); - } - } + isc__nm_accept_connection_log(result, can_log_tcpdns_quota()); } static isc_result_t diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/srcid new/bind-9.16.24/srcid --- old/bind-9.16.23/srcid 2021-11-05 10:07:16.000000000 +0100 +++ new/bind-9.16.24/srcid 2021-12-07 13:27:02.000000000 +0100 @@ -1 +1 @@ -SRCID=fde3b1f +SRCID=93e3098 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/bind-9.16.23/version new/bind-9.16.24/version --- old/bind-9.16.23/version 2021-11-05 10:03:26.000000000 +0100 +++ new/bind-9.16.24/version 2021-12-07 13:24:49.000000000 +0100 @@ -5,7 +5,7 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=16 -PATCHVER=23 +PATCHVER=24 RELEASETYPE= RELEASEVER= EXTENSIONS=