Hello community,

here is the log from the commit of package bind for openSUSE:Factory checked in 
at 2024-05-20 18:09:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
 and      /work/SRC/openSUSE:Factory/.bind.new.1880 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "bind"

Mon May 20 18:09:44 2024 rev:208 rq:1174925 version:9.18.27

Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes        2024-04-24 
15:13:21.706979770 +0200
+++ /work/SRC/openSUSE:Factory/.bind.new.1880/bind.changes      2024-05-20 
18:09:59.190757906 +0200
@@ -1,0 +2,14 @@
+Fri May 17 16:05:37 UTC 2024 - Jorik Cronenberg <jorik.cronenb...@suse.com>
+
+- Update to release 9.18.27
+  New Features:
+  * A new option signatures-jitter has been added to dnssec-policy
+    to allow signature expirations to be spread out over a period
+    of time.
+
+  Feature Changes:
+  * DNSSEC signatures that are not valid because the current time
+    falls outside the signature inception and expiration dates are
+    skipped instead of causing an immediate validation failure.
+
+-------------------------------------------------------------------

Old:
----
  bind-9.18.26.tar.xz
  bind-9.18.26.tar.xz.asc

New:
----
  bind-9.18.27.tar.xz
  bind-9.18.27.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.1EVwod/_old  2024-05-20 18:10:00.098790966 +0200
+++ /var/tmp/diff_new_pack.1EVwod/_new  2024-05-20 18:10:00.098790966 +0200
@@ -56,7 +56,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           bind
-Version:        9.18.26
+Version:        9.18.27
 Release:        0
 Summary:        Domain Name System (DNS) Server (named)
 License:        MPL-2.0

++++++ bind-9.18.26.tar.xz -> bind-9.18.27.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/CHANGES new/bind-9.18.27/CHANGES
--- old/bind-9.18.26/CHANGES    2024-04-03 11:39:01.419981403 +0200
+++ new/bind-9.18.27/CHANGES    2024-05-03 09:33:47.634937443 +0200
@@ -1,3 +1,10 @@
+       --- 9.18.27 released ---
+
+6374.  [bug]           Skip to next RRSIG if signature has expired or is in
+                       the future rather than failing immediately. [GL #4586]
+
+6372.  [func]          Implement signature jitter for dnssec-policy. [GL #4554]
+
        --- 9.18.26 released ---
 
 6364.  [protocol]      Add RESOLVER.ARPA to the built in empty zones.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/ChangeLog new/bind-9.18.27/ChangeLog
--- old/bind-9.18.26/ChangeLog  2024-04-03 11:39:01.419981403 +0200
+++ new/bind-9.18.27/ChangeLog  2024-05-03 09:33:47.634937443 +0200
@@ -1,3 +1,10 @@
+       --- 9.18.27 released ---
+
+6374.  [bug]           Skip to next RRSIG if signature has expired or is in
+                       the future rather than failing immediately. [GL #4586]
+
+6372.  [func]          Implement signature jitter for dnssec-policy. [GL #4554]
+
        --- 9.18.26 released ---
 
 6364.  [protocol]      Add RESOLVER.ARPA to the built in empty zones.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/NEWS new/bind-9.18.27/NEWS
--- old/bind-9.18.26/NEWS       2024-04-03 11:39:01.419981403 +0200
+++ new/bind-9.18.27/NEWS       2024-05-03 09:33:47.634937443 +0200
@@ -1,3 +1,10 @@
+       --- 9.18.27 released ---
+
+6374.  [bug]           Skip to next RRSIG if signature has expired or is in
+                       the future rather than failing immediately. [GL #4586]
+
+6372.  [func]          Implement signature jitter for dnssec-policy. [GL #4554]
+
        --- 9.18.26 released ---
 
 6364.  [protocol]      Add RESOLVER.ARPA to the built in empty zones.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/named/config.c 
new/bind-9.18.27/bin/named/config.c
--- old/bind-9.18.26/bin/named/config.c 2024-04-03 11:39:01.431981624 +0200
+++ new/bind-9.18.27/bin/named/config.c 2024-05-03 09:33:47.642937559 +0200
@@ -309,6 +309,7 @@
        publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
        retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
        purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+       signatures-jitter " DNS_KASP_SIG_JITTER "; \n\
        signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
        signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
        signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/named/named.rst 
new/bind-9.18.27/bin/named/named.rst
--- old/bind-9.18.26/bin/named/named.rst        2024-04-03 11:39:01.435981698 
+0200
+++ new/bind-9.18.27/bin/named/named.rst        2024-05-03 09:33:47.646937618 
+0200
@@ -171,16 +171,22 @@
       most systems; the way ``chroot`` is defined allows a process
       with root privileges to escape a chroot jail.
 
-.. option:: -U #listeners
+.. option:: -U #dispatches
 
-   This option tells :program:`named` the number of ``#listeners`` worker 
threads to listen on, for incoming UDP packets on
-   each address. If not specified, :program:`named` calculates a default
-   value based on the number of detected CPUs: 1 for 1 CPU, and the
-   number of detected CPUs minus one for machines with more than 1 CPU.
-   This cannot be increased to a value higher than the number of CPUs.
-   If :option:`-n` has been set to a higher value than the number of detected
-   CPUs, then :option:`-U` may be increased as high as that value, but no
-   higher.
+   This option specifies the number of per-interface UDP ``#dispatches`` that 
:program:`named` should use to handle the outgoing (recursive) UDP connection,
+   to reduce contention between the resolver threads.
+
+   If not specified, :program:`named` calculates a default value based on the
+   number of detected CPUs: 1 for a single CPU, and the number of detected 
CPUs minus
+   one for machines with more than 1 CPU.
+
+   This cannot be increased to a value higher than the number of CPUs
+   (see :option:`-n` on how to override the value).
+
+.. warning::
+
+      This option should be unnecessary for the vast majority of users,
+      and will be removed in the next version of BIND 9.
 
 .. option:: -u user
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/named/server.c 
new/bind-9.18.27/bin/named/server.c
--- old/bind-9.18.26/bin/named/server.c 2024-04-03 11:39:01.435981698 +0200
+++ new/bind-9.18.27/bin/named/server.c 2024-05-03 09:33:47.650937675 +0200
@@ -148,11 +148,11 @@
 #endif /* HAVE_LMDB */
 
 #ifndef SIZE_MAX
-#define SIZE_MAX ((size_t)-1)
+#define SIZE_MAX ((size_t) - 1)
 #endif /* ifndef SIZE_MAX */
 
 #ifndef SIZE_AS_PERCENT
-#define SIZE_AS_PERCENT ((size_t)-2)
+#define SIZE_AS_PERCENT ((size_t) - 2)
 #endif /* ifndef SIZE_AS_PERCENT */
 
 #ifdef TUNE_LARGE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.18.26/bin/tests/system/checkconf/bad-kasp-jitter.conf 
new/bind-9.18.27/bin/tests/system/checkconf/bad-kasp-jitter.conf
--- old/bind-9.18.26/bin/tests/system/checkconf/bad-kasp-jitter.conf    
1970-01-01 01:00:00.000000000 +0100
+++ new/bind-9.18.27/bin/tests/system/checkconf/bad-kasp-jitter.conf    
2024-05-03 09:33:47.682938141 +0200
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy jitter is more than signatures-validity,
+ * which is not allowed.
+ */
+dnssec-policy high-jitter {
+       signatures-jitter P8DT1S;
+       signatures-validity P8D;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+       dnssec-policy high-jitter;
+};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.18.26/bin/tests/system/checkconf/good-kasp.conf 
new/bind-9.18.27/bin/tests/system/checkconf/good-kasp.conf
--- old/bind-9.18.26/bin/tests/system/checkconf/good-kasp.conf  2024-04-03 
11:39:01.483982586 +0200
+++ new/bind-9.18.27/bin/tests/system/checkconf/good-kasp.conf  2024-05-03 
09:33:47.698938373 +0200
@@ -29,6 +29,7 @@
        parent-propagation-delay PT1H;
        publish-safety PT3600S;
        retire-safety PT3600S;
+       signatures-jitter PT12H;
        signatures-refresh P3D;
        signatures-validity P2W;
        signatures-validity-dnskey P14D;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/tests/system/checkconf/good.conf 
new/bind-9.18.27/bin/tests/system/checkconf/good.conf
--- old/bind-9.18.26/bin/tests/system/checkconf/good.conf       2024-04-03 
11:39:01.487982659 +0200
+++ new/bind-9.18.27/bin/tests/system/checkconf/good.conf       2024-05-03 
09:33:47.698938373 +0200
@@ -30,6 +30,7 @@
        publish-safety PT3600S;
        purge-keys P90D;
        retire-safety PT3600S;
+       signatures-jitter PT12H;
        signatures-refresh P3D;
        signatures-validity P2W;
        signatures-validity-dnskey P14D;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/tests/system/custom-test-driver 
new/bind-9.18.27/bin/tests/system/custom-test-driver
--- old/bind-9.18.26/bin/tests/system/custom-test-driver        2024-04-03 
11:39:01.503982955 +0200
+++ new/bind-9.18.27/bin/tests/system/custom-test-driver        2024-05-03 
09:33:47.714938606 +0200
@@ -6,7 +6,7 @@
 
 # Copyright (C) 2011-2020 Free Software Foundation, Inc.
 #
-# SPDX-License-Identifier: GPL-2.0-or-later WITH 
LicenseRef-Automake-exception-2.0
+# SPDX-License-Identifier: GPL-2.0-or-later WITH Autoconf-exception-generic
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/bind-9.18.26/bin/tests/system/notify/ns1/named.conf.in 
new/bind-9.18.27/bin/tests/system/notify/ns1/named.conf.in
--- old/bind-9.18.26/bin/tests/system/notify/ns1/named.conf.in  2024-04-03 
11:39:01.587984507 +0200
+++ new/bind-9.18.27/bin/tests/system/notify/ns1/named.conf.in  2024-05-03 
09:33:47.798939826 +0200
@@ -14,6 +14,8 @@
 options {
        query-source address 10.53.0.1;
        notify-source 10.53.0.1;
+       # invalid notify-source-v6 address
+       notify-source-v6 fd92:7065:b8e:fffe::a35:5;
        transfer-source 10.53.0.1;
        port @PORT@;
        pid-file "named.pid";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/tests/system/notify/ns1/root.db 
new/bind-9.18.27/bin/tests/system/notify/ns1/root.db
--- old/bind-9.18.26/bin/tests/system/notify/ns1/root.db        2024-04-03 
11:39:01.587984507 +0200
+++ new/bind-9.18.27/bin/tests/system/notify/ns1/root.db        2024-05-03 
09:33:47.798939826 +0200
@@ -19,6 +19,9 @@
                                )
 .                      NS      a.root-servers.nil.
 a.root-servers.nil.    A       10.53.0.1
+; sends NOTIFY using invalid notify-source-v6 address
+.                      NS      other.root-servers.nil.
+other.root-servers.nil.        AAAA    fd92:7065:b8e:fffe::a35:4
 
 example.               NS      ns2.example.
 ns2.example.           A       10.53.0.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/bin/tests/system/notify/tests.sh 
new/bind-9.18.27/bin/tests/system/notify/tests.sh
--- old/bind-9.18.26/bin/tests/system/notify/tests.sh   2024-04-03 
11:39:01.591984582 +0200
+++ new/bind-9.18.27/bin/tests/system/notify/tests.sh   2024-05-03 
09:33:47.798939826 +0200
@@ -98,6 +98,12 @@
 }' ns2/named.run >awk.out.ns2.test$n || ret=1
 test_end
 
+# See [GL#4689]
+test_start "checking server behaviour with invalid notify-source-v6 address"
+grep "zone ./IN: sending notify to fd92:7065:b8e:fffe::a35:4#" ns1/named.run 
>/dev/null || ret=1
+grep "dns_request_create: failed address not available" ns1/named.run 
>/dev/null || ret=1
+test_end
+
 nextpart ns3/named.run >/dev/null
 
 sleep 1 # make sure filesystem time stamp is newer for reload.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/configure new/bind-9.18.27/configure
--- old/bind-9.18.26/configure  2024-04-03 11:39:57.877030814 +0200
+++ new/bind-9.18.27/configure  2024-05-03 09:34:54.068282704 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for BIND 9.18.26.
+# Generated by GNU Autoconf 2.71 for BIND 9.18.27.
 #
 # Report bugs to 
<https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug>.
 #
@@ -622,8 +622,8 @@
 # Identity of this package.
 PACKAGE_NAME='BIND'
 PACKAGE_TARNAME='bind'
-PACKAGE_VERSION='9.18.26'
-PACKAGE_STRING='BIND 9.18.26'
+PACKAGE_VERSION='9.18.27'
+PACKAGE_STRING='BIND 9.18.27'
 
PACKAGE_BUGREPORT='https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug'
 PACKAGE_URL='https://www.isc.org/downloads/'
 
@@ -1546,7 +1546,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures BIND 9.18.26 to adapt to many kinds of systems.
+\`configure' configures BIND 9.18.27 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1618,7 +1618,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of BIND 9.18.26:";;
+     short | recursive ) echo "Configuration of BIND 9.18.27:";;
    esac
   cat <<\_ACEOF
 
@@ -1844,7 +1844,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-BIND configure 9.18.26
+BIND configure 9.18.27
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2252,7 +2252,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by BIND $as_me 9.18.26, which was
+It was created by BIND $as_me 9.18.27, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3018,7 +3018,7 @@
 printf "%s\n" "#define PACKAGE_VERSION_MINOR \"18\"" >>confdefs.h
 
 
-printf "%s\n" "#define PACKAGE_VERSION_PATCH \"26\"" >>confdefs.h
+printf "%s\n" "#define PACKAGE_VERSION_PATCH \"27\"" >>confdefs.h
 
 
 printf "%s\n" "#define PACKAGE_VERSION_EXTRA \"\"" >>confdefs.h
@@ -3027,7 +3027,7 @@
 printf "%s\n" "#define PACKAGE_DESCRIPTION \" (Extended Support Version)\"" 
>>confdefs.h
 
 
-printf "%s\n" "#define PACKAGE_SRCID \"936d80b\"" >>confdefs.h
+printf "%s\n" "#define PACKAGE_SRCID \"663e6d9\"" >>confdefs.h
 
 
 bind_CONFIGARGS="${ac_configure_args:-default}"
@@ -3673,7 +3673,7 @@
 
 # Define the identity of the package.
  PACKAGE='bind'
- VERSION='9.18.26'
+ VERSION='9.18.27'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -28457,7 +28457,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by BIND $as_me 9.18.26, which was
+This file was extended by BIND $as_me 9.18.27, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28526,7 +28526,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-BIND config.status 9.18.26
+BIND config.status 9.18.27
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/configure.ac 
new/bind-9.18.27/configure.ac
--- old/bind-9.18.26/configure.ac       2024-04-03 11:39:01.683986282 +0200
+++ new/bind-9.18.27/configure.ac       2024-05-03 09:33:47.890941163 +0200
@@ -16,7 +16,7 @@
 #
 m4_define([bind_VERSION_MAJOR], 9)dnl
 m4_define([bind_VERSION_MINOR], 18)dnl
-m4_define([bind_VERSION_PATCH], 26)dnl
+m4_define([bind_VERSION_PATCH], 27)dnl
 m4_define([bind_VERSION_EXTRA], )dnl
 m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl
 m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut 
-b1-7])])dnl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/arm/notes.rst 
new/bind-9.18.27/doc/arm/notes.rst
--- old/bind-9.18.26/doc/arm/notes.rst  2024-04-03 11:39:01.695986504 +0200
+++ new/bind-9.18.27/doc/arm/notes.rst  2024-05-03 09:33:47.906941396 +0200
@@ -35,6 +35,7 @@
 
 .. include:: ../notes/notes-known-issues.rst
 
+.. include:: ../notes/notes-9.18.27.rst
 .. include:: ../notes/notes-9.18.26.rst
 .. include:: ../notes/notes-9.18.25.rst
 .. include:: ../notes/notes-9.18.24.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/arm/platforms.inc.rst 
new/bind-9.18.27/doc/arm/platforms.inc.rst
--- old/bind-9.18.26/doc/arm/platforms.inc.rst  2024-04-03 11:39:01.695986504 
+0200
+++ new/bind-9.18.27/doc/arm/platforms.inc.rst  2024-05-03 09:33:47.906941396 
+0200
@@ -45,7 +45,7 @@
 Current versions of BIND 9 are fully supported and regularly tested on the
 following systems:
 
--  Debian 10, 11, 12
+-  Debian 11, 12
 -  Ubuntu LTS 20.04, 22.04
 -  Fedora 39
 -  Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9
@@ -91,7 +91,7 @@
 
    -  Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported)
    -  CentOS 6
-   -  Debian 8 Jessie, 9 Stretch
+   -  Debian 8 Jessie, 9 Stretch, 10 Buster
    -  FreeBSD 10.x, 11.x
 
 -  Less common CPU architectures (i386, i686, mips, mipsel, sparc, ppc, and 
others)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/arm/reference.rst 
new/bind-9.18.27/doc/arm/reference.rst
--- old/bind-9.18.26/doc/arm/reference.rst      2024-04-03 11:39:01.699986578 
+0200
+++ new/bind-9.18.27/doc/arm/reference.rst      2024-05-03 09:33:47.906941396 
+0200
@@ -6509,6 +6509,18 @@
     unforeseen events.  This increases the time a key remains published
     after it is no longer active.  The default is ``PT1H`` (1 hour).
 
+.. namedconf:statement:: signatures-jitter
+   :tags: dnssec
+   :short: Specifies a range for signatures expirations.
+
+    To prevent all signatures from expiring at the same moment, BIND 9 may
+    vary the validity interval of individual signatures. The validity of a
+    newly generated signatures is in range between :any:`signatures-validity`
+    (maximum) and :any:`signatures-validity` minus :any:`signatures-jitter`
+    (minimum). The default jitter is 12 hours and the configured value must
+    be lower than :any:`signatures-validity` and
+    :any:`signatures-validity-dnskey`.
+
 .. namedconf:statement:: signatures-refresh
    :tags: dnssec
    :short: Specifies how frequently an RRSIG record is refreshed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/arm/requirements.txt 
new/bind-9.18.27/doc/arm/requirements.txt
--- old/bind-9.18.26/doc/arm/requirements.txt   2024-04-03 11:39:01.699986578 
+0200
+++ new/bind-9.18.27/doc/arm/requirements.txt   2024-05-03 09:33:47.906941396 
+0200
@@ -1,5 +1,3 @@
-# Make Read the Docs use the exact same package versions as in
-# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bookworm-amd64
-Sphinx==7.2.6
+Sphinx==7.3.6
 docutils==0.20.1
 sphinx_rtd_theme==2.0.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/man/named.8in 
new/bind-9.18.27/doc/man/named.8in
--- old/bind-9.18.26/doc/man/named.8in  2024-04-03 11:40:51.850041319 +0200
+++ new/bind-9.18.27/doc/man/named.8in  2024-05-03 09:35:54.209462463 +0200
@@ -207,15 +207,24 @@
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-U #listeners
-This option tells \fBnamed\fP the number of \fB#listeners\fP worker threads to 
listen on, for incoming UDP packets on
-each address. If not specified, \fBnamed\fP calculates a default
-value based on the number of detected CPUs: 1 for 1 CPU, and the
-number of detected CPUs minus one for machines with more than 1 CPU.
-This cannot be increased to a value higher than the number of CPUs.
-If \fI\%\-n\fP has been set to a higher value than the number of detected
-CPUs, then \fI\%\-U\fP may be increased as high as that value, but no
-higher.
+.B \-U #dispatches
+This option specifies the number of per\-interface UDP \fB#dispatches\fP that 
\fBnamed\fP should use to handle the outgoing (recursive) UDP connection,
+to reduce contention between the resolver threads.
+.sp
+If not specified, \fBnamed\fP calculates a default value based on the
+number of detected CPUs: 1 for a single CPU, and the number of detected CPUs 
minus
+one for machines with more than 1 CPU.
+.sp
+This cannot be increased to a value higher than the number of CPUs
+(see \fI\%\-n\fP on how to override the value).
+.UNINDENT
+.sp
+\fBWARNING:\fP
+.INDENT 0.0
+.INDENT 3.5
+This option should be unnecessary for the vast majority of users,
+and will be removed in the next version of BIND 9.
+.UNINDENT
 .UNINDENT
 .INDENT 0.0
 .TP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/man/named.conf.5in 
new/bind-9.18.27/doc/man/named.conf.5in
--- old/bind-9.18.26/doc/man/named.conf.5in     2024-04-03 11:40:51.842041170 
+0200
+++ new/bind-9.18.27/doc/man/named.conf.5in     2024-05-03 09:35:54.201462304 
+0200
@@ -78,6 +78,7 @@
        publish\-safety <duration>;
        purge\-keys <duration>;
        retire\-safety <duration>;
+       signatures\-jitter <duration>;
        signatures\-refresh <duration>;
        signatures\-validity <duration>;
        signatures\-validity\-dnskey <duration>;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/misc/options 
new/bind-9.18.27/doc/misc/options
--- old/bind-9.18.26/doc/misc/options   2024-04-03 11:40:45.569924419 +0200
+++ new/bind-9.18.27/doc/misc/options   2024-05-03 09:35:41.349209562 +0200
@@ -21,6 +21,7 @@
        publish-safety <duration>;
        purge-keys <duration>;
        retire-safety <duration>;
+       signatures-jitter <duration>;
        signatures-refresh <duration>;
        signatures-validity <duration>;
        signatures-validity-dnskey <duration>;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/doc/notes/notes-9.18.27.rst 
new/bind-9.18.27/doc/notes/notes-9.18.27.rst
--- old/bind-9.18.26/doc/notes/notes-9.18.27.rst        1970-01-01 
01:00:00.000000000 +0100
+++ new/bind-9.18.27/doc/notes/notes-9.18.27.rst        2024-05-03 
09:33:47.930941744 +0200
@@ -0,0 +1,34 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.27
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- A new option :any:`signatures-jitter` has been added to :any:`dnssec-policy`
+  to allow signature expirations to be spread out over a period of time.
+  :gl:`#4554`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- DNSSEC signatures that are not valid because the current time falls outside
+  the signature inception and expiration dates are skipped instead of causing
+  an immediate validation failure. :gl:`#4586`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/include/dns/kasp.h 
new/bind-9.18.27/lib/dns/include/dns/kasp.h
--- old/bind-9.18.26/lib/dns/include/dns/kasp.h 2024-04-03 11:39:01.767987835 
+0200
+++ new/bind-9.18.27/lib/dns/include/dns/kasp.h 2024-05-03 09:33:47.974942384 
+0200
@@ -75,6 +75,7 @@
        ISC_LINK(struct dns_kasp) link;
 
        /* Configuration: signatures */
+       uint32_t signatures_jitter;
        uint32_t signatures_refresh;
        uint32_t signatures_validity;
        uint32_t signatures_validity_dnskey;
@@ -105,6 +106,8 @@
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)
 
 /* Defaults */
+#define DEFAULT_JITTER              (12 * 3600)
+#define DNS_KASP_SIG_JITTER         "PT12H"
 #define DNS_KASP_SIG_REFRESH        "P5D"
 #define DNS_KASP_SIG_VALIDITY       "P14D"
 #define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
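Review bot: `DEFAULT_JITTER` is the only unprefixed macro in this public header; every neighbour is `DNS_KASP_*`, and an unprefixed name in an installed header can collide with whatever includes it. It is also a numeric twin of `DNS_KASP_SIG_JITTER "PT12H"` that has to be kept in sync by hand, with nothing tying the two together. At minimum tie them with a comment, e.g. `#define DEFAULT_JITTER (12 * 3600) /* seconds; must agree with DNS_KASP_SIG_JITTER */`, and consider a `DNS_KASP_` prefix if callers can be adjusted.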
@@ -234,6 +237,30 @@
  */
 
 uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp);
+/*%<
+ * Get signature jitter value.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature jitter value.
+ */
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set signature jitter value.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
+uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp);
 /*%<
  * Get signature refresh interval.
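Review bot: The `dns_kasp_setsigjitter` contract only says the kasp must be thawed; it does not state that the value must not exceed the policy's signatures-validity, which is exactly what the consumer in `lib/dns/update.c` asserts with `INSIST(jitter <= sigvalidity)`. A caller reading this header has no way to know that an out-of-range value becomes a fatal assertion rather than a clamped setting. Suggest adding to the Requires list: `*\li 'value' must not exceed the policy's signatures-validity; callers assume the configuration parser has enforced this.`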
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/include/dns/librpz.h 
new/bind-9.18.27/lib/dns/include/dns/librpz.h
--- old/bind-9.18.26/lib/dns/include/dns/librpz.h       2024-04-03 
11:39:01.767987835 +0200
+++ new/bind-9.18.27/lib/dns/include/dns/librpz.h       2024-05-03 
09:33:47.974942384 +0200
@@ -156,7 +156,7 @@
 typedef uint32_t librpz_idx_t;
 #define LIBRPZ_IDX_NULL 0
 #define LIBRPZ_IDX_MIN 1
-#define LIBRPZ_IDX_BAD ((librpz_idx_t)-1)
+#define LIBRPZ_IDX_BAD ((librpz_idx_t) - 1)
 /**
  * Partial decoded results of a set of RPZ queries for a single DNS response
  * or iteration through the mapped file.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/include/dns/rpz.h 
new/bind-9.18.27/lib/dns/include/dns/rpz.h
--- old/bind-9.18.26/lib/dns/include/dns/rpz.h  2024-04-03 11:39:01.771987908 
+0200
+++ new/bind-9.18.27/lib/dns/include/dns/rpz.h  2024-05-03 09:33:47.978942442 
+0200
@@ -89,7 +89,7 @@
  */
 typedef uint64_t dns_rpz_zbits_t;
 
-#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1)
+#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t) - 1)
 
 #define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/kasp.c 
new/bind-9.18.27/lib/dns/kasp.c
--- old/bind-9.18.26/lib/dns/kasp.c     2024-04-03 11:39:01.775987982 +0200
+++ new/bind-9.18.27/lib/dns/kasp.c     2024-05-03 09:33:47.982942500 +0200
@@ -128,6 +128,22 @@
 }
 
 uint32_t
+dns_kasp_sigjitter(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+
+       return (kasp->signatures_jitter);
+}
+
+void
+dns_kasp_setsigjitter(dns_kasp_t *kasp, uint32_t value) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(!kasp->frozen);
+
+       kasp->signatures_jitter = value;
+}
+
+uint32_t
 dns_kasp_sigrefresh(dns_kasp_t *kasp) {
        REQUIRE(DNS_KASP_VALID(kasp));
        REQUIRE(kasp->frozen);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/rrl.c 
new/bind-9.18.27/lib/dns/rrl.c
--- old/bind-9.18.26/lib/dns/rrl.c      2024-04-03 11:39:01.803988500 +0200
+++ new/bind-9.18.27/lib/dns/rrl.c      2024-05-03 09:33:48.006942849 +0200
@@ -53,30 +53,8 @@
 static int
 hash_divisor(unsigned int initial) {
        static uint16_t primes[] = {
-               3,
-               5,
-               7,
-               11,
-               13,
-               17,
-               19,
-               23,
-               29,
-               31,
-               37,
-               41,
-               43,
-               47,
-               53,
-               59,
-               61,
-               67,
-               71,
-               73,
-               79,
-               83,
-               89,
-               97,
+               3,  5,  7,  11, 13, 17, 19, 23, 29, 31, 37, 41,
+               43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97,
 #if 0
                101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157,
                163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/update.c 
new/bind-9.18.27/lib/dns/update.c
--- old/bind-9.18.26/lib/dns/update.c   2024-04-03 11:39:01.803988500 +0200
+++ new/bind-9.18.27/lib/dns/update.c   2024-05-03 09:33:48.010942907 +0200
@@ -1492,23 +1492,37 @@
 };
 
 static uint32_t
-dns__jitter_expire(dns_zone_t *zone, uint32_t sigvalidityinterval) {
+dns__jitter_expire(dns_zone_t *zone) {
        /* Spread out signatures over time */
-       if (sigvalidityinterval >= 3600U) {
-               uint32_t expiryinterval =
-                       dns_zone_getsigresigninginterval(zone);
-
-               if (sigvalidityinterval < 7200U) {
-                       expiryinterval = 1200;
-               } else if (expiryinterval > sigvalidityinterval) {
-                       expiryinterval = sigvalidityinterval;
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       dns_kasp_t *kasp = dns_zone_getkasp(zone);
+
+       if (kasp != NULL) {
+               jitter = dns_kasp_sigjitter(kasp);
+               sigvalidity = dns_kasp_sigvalidity(kasp);
+               INSIST(jitter <= sigvalidity);
+       } else {
+               jitter = dns_zone_getsigresigninginterval(zone);
+               if (jitter > sigvalidity) {
+                       jitter = sigvalidity;
                } else {
-                       expiryinterval = sigvalidityinterval - expiryinterval;
+                       jitter = sigvalidity - jitter;
                }
-               uint32_t jitter = isc_random_uniform(expiryinterval);
-               sigvalidityinterval -= jitter;
        }
-       return (sigvalidityinterval);
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
+       }
+
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       sigvalidity -= isc_random_uniform(jitter);
+               } else {
+                       sigvalidity -= isc_random_uniform(1200);
+               }
+       }
+       return (sigvalidity);
 }
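Review bot: The `INSIST(jitter <= sigvalidity)` in the kasp branch is redundant with the `if (jitter > sigvalidity) jitter = sigvalidity;` clamp a few lines below, so its only effect is to turn any gap in the checkconf-time validation (or any future caller of `dns_kasp_setsigjitter`) into an abort of named; dropping that line and relying on the clamp is the safer choice for a daemon. The boundary also shifted: the old code used the computed range when `sigvalidityinterval == 7200`, while the new `sigvalidity > 7200U` sends that case to the fixed 1200-second window, which looks unintended. Finally, a policy with `signatures-jitter 0` ends up calling `isc_random_uniform(0)`; if that helper does not special-case a zero upper bound, `jitter` needs a guard before the call, e.g. `if (jitter > 1) sigvalidity -= isc_random_uniform(jitter);`.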
 
 isc_result_t
@@ -1561,8 +1575,7 @@
                isc_stdtime_get(&state->now);
                state->inception = state->now - 3600; /* Allow for some clock
                                                         skew. */
-               state->expire = state->now +
-                               dns__jitter_expire(zone, sigvalidityinterval);
+               state->expire = state->now + dns__jitter_expire(zone);
                state->soaexpire = state->now + sigvalidityinterval;
                state->keyexpire = dns_zone_getkeyvalidityinterval(zone);
                if (state->keyexpire == 0) {
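Review bot: `state->expire` is now derived from dns__jitter_expire(zone), which under a kasp takes its interval from dns_kasp_sigvalidity(), while `state->soaexpire` on the next line still uses the local `sigvalidityinterval`; if that local comes from dns_zone_getsigvalidityinterval() (assigned outside the hunk) and differs from the policy's signatures-validity, expire can now land after soaexpire, whereas previously both came from the same interval. Either derive soaexpire from the same source or, if the two are known to agree, make that explicit with `INSIST(state->expire <= state->soaexpire);`. The enclosing function starts and ends outside the hunk.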
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/validator.c 
new/bind-9.18.27/lib/dns/validator.c
--- old/bind-9.18.26/lib/dns/validator.c        2024-04-03 11:39:01.803988500 
+0200
+++ new/bind-9.18.27/lib/dns/validator.c        2024-05-03 09:33:48.010942907 
+0200
@@ -1590,6 +1590,10 @@
                }
 
                vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
+               if (vresult == DNS_R_SIGEXPIRED || vresult == DNS_R_SIGFUTURE) {
+                       resume = false;
+                       continue;
+               }
                if (vresult != ISC_R_SUCCESS) {
                        val->failed = true;
                        validator_log(val, ISC_LOG_DEBUG(3),
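Review bot: Signatures rejected with DNS_R_SIGEXPIRED or DNS_R_SIGFUTURE are now skipped silently, while every other verify() failure is logged at debug level on the following lines, so an operator diagnosing a zone whose signatures have all lapsed (or a resolver with a skewed clock) loses the only trace of why no usable RRSIG was found. Logging before the `continue`, e.g. `validator_log(val, ISC_LOG_DEBUG(3), "skipping RRSIG with keyid %u: %s", val->siginfo->keyid, isc_result_totext(vresult));`, keeps the new tolerant behaviour observable. `resume = false` presumably restarts key selection for the next signature; the loop and what happens when no signature verifies are outside the hunk, so confirm that outcome is still a validation failure rather than an insecure answer.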
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/dns/zone.c 
new/bind-9.18.27/lib/dns/zone.c
--- old/bind-9.18.26/lib/dns/zone.c     2024-04-03 11:39:01.807988573 +0200
+++ new/bind-9.18.27/lib/dns/zone.c     2024-05-03 09:33:48.014942965 +0200
@@ -1022,7 +1022,7 @@
        do {                                                                 \
                isc_interval_t _i;                                           \
                uint32_t _j;                                                 \
-               _j = (b)-isc_random_uniform((b) / 4);                        \
+               _j = (b) - isc_random_uniform((b) / 4);                      \
                isc_interval_set(&_i, _j, 0);                                \
                if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) {          \
                        dns_zone_log(zone, ISC_LOG_WARNING,                  \
@@ -7185,6 +7185,60 @@
 }
 
 static void
+calculate_rrsig_validity(dns_zone_t *zone, isc_stdtime_t now,
+                        isc_stdtime_t *inception, isc_stdtime_t *soaexpire,
+                        isc_stdtime_t *expire, isc_stdtime_t *fullexpire) {
+       REQUIRE(inception != NULL);
+       REQUIRE(soaexpire != NULL);
+       /* expire and fullexpire are optional */
+
+       isc_stdtime_t jitter = DEFAULT_JITTER;
+       isc_stdtime_t sigvalidity = dns_zone_getsigvalidityinterval(zone);
+       isc_stdtime_t shortjitter = 0, fulljitter = 0;
+
+       if (zone->kasp != NULL) {
+               jitter = dns_kasp_sigjitter(zone->kasp);
+               sigvalidity = dns_kasp_sigvalidity(zone->kasp);
+               INSIST(jitter <= sigvalidity);
+       } else {
+               jitter = dns_zone_getsigresigninginterval(zone);
+               if (jitter > sigvalidity) {
+                       jitter = sigvalidity;
+               } else {
+                       jitter = sigvalidity - jitter;
+               }
+       }
+
+       if (jitter > sigvalidity) {
+               jitter = sigvalidity;
+       }
+
+       *inception = now - 3600; /* Allow for clock skew. */
+       *soaexpire = now + sigvalidity;
+
+       /*
+        * Spread out signatures over time if they happen to be
+        * clumped.  We don't do this for each add_sigs() call as
+        * we still want some clustering to occur.  In normal operations
+        * the records should be re-signed as they fall due and they should
+        * already be spread out.  However if the server is off for a
+        * period we need to ensure that the clusters don't become
+        * synchronised by using the full jitter range.
+        */
+       if (sigvalidity >= 3600U) {
+               if (sigvalidity > 7200U) {
+                       shortjitter = isc_random_uniform(3600);
+                       fulljitter = isc_random_uniform(jitter);
+               } else {
+                       shortjitter = fulljitter = isc_random_uniform(1200);
+               }
+       }
+
+       SET_IF_NOT_NULL(expire, *soaexpire - shortjitter - 1);
+       SET_IF_NOT_NULL(fullexpire, *soaexpire - fulljitter - 1);
+}
+
+static void
 zone_resigninc(dns_zone_t *zone) {
        const char *me = "zone_resigninc";
        dns_db_t *db = NULL;
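Review bot: calculate_rrsig_validity duplicates the jitter derivation of dns__jitter_expire in update.c (same kasp/else arithmetic, the same unreachable `if (jitter > sigvalidity)` clamp and a DEFAULT_JITTER initialiser that is always overwritten), and the two already differ in detail — update.c subtracts the jitter from the interval, this one subtracts `fulljitter + 1` — so a shared helper returning the jitter bound would keep them from drifting further. The function has no header comment; something like `/* Compute RRSIG timing for 'zone' at 'now': inception allows for clock skew, soaexpire is now + validity, and the optional expire/fullexpire are soaexpire reduced by a short/full random jitter. */` would document the out-parameters. With a kasp the `INSIST(jitter <= sigvalidity)` is a hard assertion on the signing path; kaspconf.c rejects such policies at load time, so this relies on every other path that sets the policy's jitter respecting the same bound.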
@@ -7199,7 +7253,6 @@
        bool check_ksk, keyset_kskonly = false;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire, fullexpire, stop;
-       uint32_t sigvalidityinterval, expiryinterval;
        unsigned int i;
        unsigned int nkeys = 0;
        unsigned int resign;
@@ -7250,38 +7303,9 @@
                goto failure;
        }
 
-       sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
-       inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + sigvalidityinterval;
-       expiryinterval = dns_zone_getsigresigninginterval(zone);
-       if (expiryinterval > sigvalidityinterval) {
-               expiryinterval = sigvalidityinterval;
-       } else {
-               expiryinterval = sigvalidityinterval - expiryinterval;
-       }
+       calculate_rrsig_validity(zone, now, &inception, &soaexpire, &expire,
+                                &fullexpire);
 
-       /*
-        * Spread out signatures over time if they happen to be
-        * clumped.  We don't do this for each add_sigs() call as
-        * we still want some clustering to occur.  In normal operations
-        * the records should be re-signed as they fall due and they should
-        * already be spread out.  However if the server is off for a
-        * period we need to ensure that the clusters don't become
-        * synchronised by using the full jitter range.
-        */
-       if (sigvalidityinterval >= 3600U) {
-               uint32_t normaljitter, fulljitter;
-               if (sigvalidityinterval > 7200U) {
-                       normaljitter = isc_random_uniform(3600);
-                       fulljitter = isc_random_uniform(expiryinterval);
-               } else {
-                       normaljitter = fulljitter = isc_random_uniform(1200);
-               }
-               expire = soaexpire - normaljitter - 1;
-               fullexpire = soaexpire - fulljitter - 1;
-       } else {
-               expire = fullexpire = soaexpire - 1;
-       }
        stop = now + 5;
 
        check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@@ -8376,7 +8400,6 @@
        bool first;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire;
-       uint32_t jitter, sigvalidityinterval, expiryinterval;
        unsigned int i;
        unsigned int nkeys = 0;
        uint32_t nodes;
@@ -8445,31 +8468,8 @@
                goto failure;
        }
 
-       sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
-       inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + sigvalidityinterval;
-       expiryinterval = dns_zone_getsigresigninginterval(zone);
-       if (expiryinterval > sigvalidityinterval) {
-               expiryinterval = sigvalidityinterval;
-       } else {
-               expiryinterval = sigvalidityinterval - expiryinterval;
-       }
-
-       /*
-        * Spread out signatures over time if they happen to be
-        * clumped.  We don't do this for each add_sigs() call as
-        * we still want some clustering to occur.
-        */
-       if (sigvalidityinterval >= 3600U) {
-               if (sigvalidityinterval > 7200U) {
-                       jitter = isc_random_uniform(expiryinterval);
-               } else {
-                       jitter = isc_random_uniform(1200);
-               }
-               expire = soaexpire - jitter - 1;
-       } else {
-               expire = soaexpire - 1;
-       }
+       calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
+                                &expire);
 
        check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
        keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
@@ -9482,7 +9482,6 @@
        bool first;
        isc_result_t result;
        isc_stdtime_t now, inception, soaexpire, expire;
-       uint32_t jitter, sigvalidityinterval, expiryinterval;
        unsigned int i, j;
        unsigned int nkeys = 0;
        uint32_t nodes;
@@ -9534,32 +9533,8 @@
                goto cleanup;
        }
 
-       kasp = dns_zone_getkasp(zone);
-       sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
-       inception = now - 3600; /* Allow for clock skew. */
-       soaexpire = now + sigvalidityinterval;
-       expiryinterval = dns_zone_getsigresigninginterval(zone);
-       if (expiryinterval > sigvalidityinterval) {
-               expiryinterval = sigvalidityinterval;
-       } else {
-               expiryinterval = sigvalidityinterval - expiryinterval;
-       }
-
-       /*
-        * Spread out signatures over time if they happen to be
-        * clumped.  We don't do this for each add_sigs() call as
-        * we still want some clustering to occur.
-        */
-       if (sigvalidityinterval >= 3600U) {
-               if (sigvalidityinterval > 7200U) {
-                       jitter = isc_random_uniform(expiryinterval);
-               } else {
-                       jitter = isc_random_uniform(1200);
-               }
-               expire = soaexpire - jitter - 1;
-       } else {
-               expire = soaexpire - 1;
-       }
+       calculate_rrsig_validity(zone, now, &inception, &soaexpire, NULL,
+                                &expire);
 
        /*
         * We keep pulling nodes off each iterator in turn until
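Review bot: The unconditional `kasp = dns_zone_getkasp(zone);` is removed here and `kasp = zone->kasp;` is assigned only inside the `use_kasp` branch of the following hunk; if the declaration of `kasp` (outside the hunk) does not initialise it to NULL and it is read on the non-kasp path or at the cleanup label, it is now uninitialised. Worth confirming the declaration initialises it, or keeping the unconditional assignment where it was. The enclosing function starts and ends outside the hunk.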
@@ -9575,6 +9550,7 @@
                check_ksk = false;
                keyset_kskonly = true;
                use_kasp = true;
+               kasp = zone->kasp;
        } else {
                check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
                keyset_kskonly = DNS_ZONE_OPTION(zone,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/isc/include/isc/util.h 
new/bind-9.18.27/lib/isc/include/isc/util.h
--- old/bind-9.18.26/lib/isc/include/isc/util.h 2024-04-03 11:39:01.823988870 
+0200
+++ new/bind-9.18.27/lib/isc/include/isc/util.h 2024-05-03 09:33:48.026943140 
+0200
@@ -356,9 +356,9 @@
  * Alignment
  */
 #ifdef __GNUC__
-#define ISC_ALIGN(x, a) (((x) + (a)-1) & ~((typeof(x))(a)-1))
+#define ISC_ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a) - 1))
 #else /* ifdef __GNUC__ */
-#define ISC_ALIGN(x, a) (((x) + (a)-1) & ~((uintmax_t)(a)-1))
+#define ISC_ALIGN(x, a) (((x) + (a) - 1) & ~((uintmax_t)(a) - 1))
 #endif /* ifdef __GNUC__ */
 
 /*%
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/isc/picohttpparser.c 
new/bind-9.18.27/lib/isc/picohttpparser.c
--- old/bind-9.18.26/lib/isc/picohttpparser.c   2024-04-03 11:39:01.827988943 
+0200
+++ new/bind-9.18.27/lib/isc/picohttpparser.c   2024-05-03 09:33:48.030943198 
+0200
@@ -52,7 +52,7 @@
 #define ALIGNED(n) __attribute__((aligned(n)))
 #endif
 
-#define IS_PRINTABLE_ASCII(c) ((unsigned char)(c)-040u < 0137u)
+#define IS_PRINTABLE_ASCII(c) ((unsigned char)(c) - 040u < 0137u)
 
 #define CHECK_EOF()           \
        if (buf == buf_end) { \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/isccfg/kaspconf.c 
new/bind-9.18.27/lib/isccfg/kaspconf.c
--- old/bind-9.18.26/lib/isccfg/kaspconf.c      2024-04-03 11:39:01.835989091 
+0200
+++ new/bind-9.18.27/lib/isccfg/kaspconf.c      2024-05-03 09:33:48.038943314 
+0200
@@ -312,7 +312,7 @@
        const char *kaspname = NULL;
        dns_kasp_t *kasp = NULL;
        size_t i = 0;
-       uint32_t sigrefresh = 0, sigvalidity = 0;
+       uint32_t sigjitter = 0, sigrefresh = 0, sigvalidity = 0;
        uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
        uint32_t publishsafety = 0, retiresafety = 0;
        uint32_t zonepropdelay = 0, parentpropdelay = 0;
@@ -360,6 +360,10 @@
        maps[i] = NULL;
 
        /* Configuration: Signatures */
+       sigjitter = get_duration(maps, "signatures-jitter",
+                                DNS_KASP_SIG_JITTER);
+       dns_kasp_setsigjitter(kasp, sigjitter);
+
        sigrefresh = get_duration(maps, "signatures-refresh",
                                  DNS_KASP_SIG_REFRESH);
        dns_kasp_setsigrefresh(kasp, sigrefresh);
@@ -376,6 +380,15 @@
        }
        dns_kasp_setsigvalidity_dnskey(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity-dnskey",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        sigvalidity = get_duration(maps, "signatures-validity",
                                   DNS_KASP_SIG_VALIDITY);
        if (sigrefresh >= (sigvalidity * 0.9)) {
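Review bot: The new check only rejects `sigjitter > sigvalidity`, so a jitter equal to the validity is accepted and the signing code then draws `isc_random_uniform(jitter)` from that full range; together with the refresh rule on the line after this block (refresh must stay below 0.9 × validity), a large jitter can push an RRSIG's expiration ahead of the point at which refresh would re-sign it, leaving a window of already-expired signatures. Consider whether the intended bound is `sigjitter > sigvalidity - sigrefresh` (here for the dnskey validity and again for the second check in the next hunk) and state the relation in the error message. The two checks are identical apart from the message text; a small static helper taking the option name would avoid the duplication.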
@@ -388,6 +401,15 @@
        }
        dns_kasp_setsigvalidity(kasp, sigvalidity);
 
+       if (sigjitter > sigvalidity) {
+               cfg_obj_log(
+                       config, logctx, ISC_LOG_ERROR,
+                       "dnssec-policy: policy '%s' signatures-jitter cannot "
+                       "be larger than signatures-validity",
+                       kaspname);
+               result = ISC_R_FAILURE;
+       }
+
        if (result != ISC_R_SUCCESS) {
                goto cleanup;
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/lib/isccfg/namedconf.c 
new/bind-9.18.27/lib/isccfg/namedconf.c
--- old/bind-9.18.26/lib/isccfg/namedconf.c     2024-04-03 11:39:01.835989091 
+0200
+++ new/bind-9.18.27/lib/isccfg/namedconf.c     2024-05-03 09:33:48.038943314 
+0200
@@ -2211,6 +2211,7 @@
        { "publish-safety", &cfg_type_duration, 0 },
        { "purge-keys", &cfg_type_duration, 0 },
        { "retire-safety", &cfg_type_duration, 0 },
+       { "signatures-jitter", &cfg_type_duration, 0 },
        { "signatures-refresh", &cfg_type_duration, 0 },
        { "signatures-validity", &cfg_type_duration, 0 },
        { "signatures-validity-dnskey", &cfg_type_duration, 0 },
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/srcid new/bind-9.18.27/srcid
--- old/bind-9.18.26/srcid      2024-04-03 11:41:09.866376764 +0200
+++ new/bind-9.18.27/srcid      2024-05-03 09:36:12.073814363 +0200
@@ -1 +1 @@
-936d80b
+663e6d9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/tests/dns/name_test.c 
new/bind-9.18.27/tests/dns/name_test.c
--- old/bind-9.18.26/tests/dns/name_test.c      2024-04-03 11:39:01.847989313 
+0200
+++ new/bind-9.18.27/tests/dns/name_test.c      2024-05-03 09:33:48.050943488 
+0200
@@ -271,6 +271,70 @@
        dns_compress_invalidate(&cctx);
 }
 
+ISC_RUN_TEST_IMPL(fromregion) {
+       dns_name_t name;
+       isc_buffer_t b;
+       isc_region_t r;
+       /*
+        * target and source need to be bigger than DNS_NAME_MAXWIRE to
+        * exercise 'len > DNS_NAME_MAXWIRE' test in dns_name_fromwire
+        */
+       unsigned char target[DNS_NAME_MAXWIRE + 10];
+       unsigned char source[DNS_NAME_MAXWIRE + 10] = { '\007', 'e', 'x', 'a',
+                                                       'm',    'p', 'l', 'e' };
+       /*
+        * Extract the fully qualified name at the beginning of 'source'
+        * into 'name' where 'name.ndata' points to the buffer 'target'.
+        */
+       isc_buffer_init(&b, target, sizeof(target));
+       dns_name_init(&name, NULL);
+       dns_name_setbuffer(&name, &b);
+       r.base = source;
+       r.length = sizeof(source);
+       dns_name_fromregion(&name, &r);
+       assert_int_equal(9, name.length);
+       assert_ptr_equal(target, name.ndata);
+       assert_true(dns_name_isabsolute(&name));
+
+       /*
+        * Extract the fully qualified name at the beginning of 'source'
+        * into 'name' where 'name.ndata' points to the source.
+        */
+       isc_buffer_init(&b, target, sizeof(target));
+       dns_name_init(&name, NULL);
+       r.base = source;
+       r.length = sizeof(source);
+       dns_name_fromregion(&name, &r);
+       assert_int_equal(9, name.length);
+       assert_ptr_equal(source, name.ndata);
+       assert_true(dns_name_isabsolute(&name));
+
+       /*
+        * Extract the partially qualified name in 'source' into 'name'
+        * where 'name.ndata' points to the source.
+        */
+       isc_buffer_init(&b, target, sizeof(target));
+       dns_name_init(&name, NULL);
+       r.base = source;
+       r.length = 8;
+       dns_name_fromregion(&name, &r);
+       assert_int_equal(8, name.length);
+       assert_ptr_equal(source, name.ndata);
+       assert_false(dns_name_isabsolute(&name));
+
+       /*
+        * Extract empty name in 'source' into 'name'.
+        */
+       isc_buffer_init(&b, target, sizeof(target));
+       dns_name_init(&name, NULL);
+       r.base = source;
+       r.length = 0;
+       dns_name_fromregion(&name, &r);
+       assert_int_equal(0, name.length);
+       assert_ptr_equal(source, name.ndata);
+       assert_false(dns_name_isabsolute(&name));
+}
+
 /* is trust-anchor-telemetry test */
 ISC_RUN_TEST_IMPL(istat) {
        dns_fixedname_t fixed;
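Review bot: In the last three cases of the new fromregion test `isc_buffer_init(&b, target, sizeof(target))` is called but `b` is never attached with dns_name_setbuffer, so those three inits are dead and the `assert_ptr_equal(source, name.ndata)` checks hold only because no buffer is set; dropping the inits (or adding a comment that the absence of a target buffer is the point being tested) would make that explicit. The header comment says the oversized buffers exercise `len > DNS_NAME_MAXWIRE` in dns_name_fromwire, while the test calls dns_name_fromregion; if that path reaches dns_name_fromwire the comment should say so, otherwise it is misleading.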
@@ -713,6 +777,7 @@
 ISC_TEST_LIST_START
 ISC_TEST_ENTRY(fullcompare)
 ISC_TEST_ENTRY(compression)
+ISC_TEST_ENTRY(fromregion)
 ISC_TEST_ENTRY(istat)
 ISC_TEST_ENTRY(init)
 ISC_TEST_ENTRY(invalidate)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/bind-9.18.26/tests/isc/netmgr_test.c 
new/bind-9.18.27/tests/isc/netmgr_test.c
--- old/bind-9.18.26/tests/isc/netmgr_test.c    2024-04-03 11:39:01.859989535 
+0200
+++ new/bind-9.18.27/tests/isc/netmgr_test.c    2024-05-03 09:33:48.062943663 
+0200
@@ -2401,6 +2401,7 @@
        atomic_assert_int_eq(ssends, 0);
 }
 
+#ifdef HAVE_LIBNGHTTP2
 static void
 tlsdns_many_listen_read_cb(isc_nmhandle_t *handle, isc_result_t eresult,
                           isc_region_t *region, void *cbarg) {
@@ -2570,6 +2571,7 @@
        atomic_assert_int_eq(sreads, 1);
        atomic_assert_int_eq(ssends, 1);
 }
+#endif /* HAVE_LIBNGHTTP2 */
 
 ISC_RUN_TEST_IMPL(tlsdns_recv_two) {
        isc_result_t result = ISC_R_SUCCESS;
@@ -3049,8 +3051,6 @@
 
 /* TLSDNS */
 ISC_TEST_ENTRY_CUSTOM(tlsdns_recv_one, setup_test, teardown_test)
-ISC_TEST_ENTRY_CUSTOM(tlsdns_server_send_many_recv_one, setup_test,
-                     teardown_test)
 ISC_TEST_ENTRY_CUSTOM(tlsdns_recv_two, setup_test, teardown_test)
 ISC_TEST_ENTRY_CUSTOM(tlsdns_noop, setup_test, teardown_test)
 ISC_TEST_ENTRY_CUSTOM(tlsdns_noresponse, setup_test, teardown_test)
@@ -3062,6 +3062,8 @@
 ISC_TEST_ENTRY_CUSTOM(tlsdns_connect_noalpn, setup_test, teardown_test)
 #ifdef HAVE_LIBNGHTTP2
 ISC_TEST_ENTRY_CUSTOM(tlsdns_listen_noalpn, setup_test, teardown_test)
+ISC_TEST_ENTRY_CUSTOM(tlsdns_server_send_many_recv_one, setup_test,
+                     teardown_test)
 #endif
 
 ISC_TEST_LIST_END
