The default values are currently set to 30 seconds, use nsupdate
default (or overriden using the -t option) timeout value instead.
(cherry picked from commit 98c8135692)
The 'nsupdate' tool, when sending SOA queries, uses a hard-coded value
3 UDP retries and of 5 seconds of timeout for UDP queries, and 100
seconds of timeout for TCP queries.
Use the timeout and retry values which can be configured using the
-t, -u, -r command line options, and which are already used for
sending the update query.
(cherry picked from commit 3ef2a30c75)
The req_response() function is using 'udpcount' variable to resend
the request 'udpcount' times on timeout even for TCP requests,
which does not make sense, as it would use the same connection.
Add a condition to use the resend logic only for UDP requests.
(cherry picked from commit edcdb881da)
The dns_request_createraw() function, unlike dns_request_create(), when
calculating the UDP timeout value, doesn't check that 'udpretries' is
not zero, and that is the more logical behavior, because the calculation
formula uses division to 'udpretries + 1', where '1' is the first try.
Change the dns_request_create() function to remove the 'udpretries != 0'
condition.
Add a 'REQUIRE(udpretries != UINT_MAX)' check to protect from a division
by zero.
Make the 'request->udpcount' field to represent the number of tries,
instead of the number of retries.
(cherry picked from commit 643abfbba7)
The manual page of nsupdate's '-u udptimeout' option states that, quote:
> If zero, the interval is computed from the timeout interval and number
> of UDP retries.
However, nsupdate sets the UDP timeout value to UINT_MAX when it is 0,
thus, not behaving as documented.
Let dns_request_create() calculate the UDP timeout, if it was set to 0.
(cherry picked from commit 0ef11c0ccb)
* nsupdate should take 12 seconds (one try and three retries with
3 second timeout for each), UDP mode
* nsupdate -u 4 -r 1 should take 8 seconds (one try and one retry with
4 second timeout for each), UDP mode
* nsupdate -u 0 -t 8 -r 1 should also take 8 seconds, UDP mode
* nsupdate -u 4 -t 30 -r 1 should also take 8 seconds, as -u takes
precedence over -t, UDP mode
* nsupdate -t 8 -v should also take 8 seconds, TCP mode
(cherry picked from commit 5ce2ed0688)
dns_rdata_fromstruct in dns_keytable_deletekey can potentially
fail with ISC_R_NOSPACE. Handle the error condition.
(cherry picked from commit b5df9b8591)
In selfsigned_dnskey only call dns_dnssec_verify if the signature's
key id matches a revoked key, the trust is pending and the key
matches a trust anchor. Previously named was calling dns_dnssec_verify
unconditionally resulted in busy work.
(cherry picked from commit e68fecbdaa)
Facilitate faster system test failure identification and debugging by
checking any dig outputs for errors, which are typically indicative of
CI runner network / load issues.
(cherry picked from commit 940e160c06)
Remove the reference to setting the DF-flag as we don't do that right
now. Rephrase the paragraph that the default value should not be
causing fragmentation.
(cherry picked from commit 61f276d5a4)
The CI doesn't provide useful forensics when a system test locks
up. Fork the process and kill it with ABRT if it is still running
after 20 minutes. Pass the exit status to the caller.
(cherry picked from commit 3d5c7cd46c)
The isc_fsaccess API was created to hide the implementation details
between POSIX and Windows APIs. As we are not supporting the Windows
APIs anymore, it's better to drop this API used in the DST part.
Moreover, the isc_fsaccess was setting the permissions in an insecure
manner - it operated on the filename, and not on the file descriptor
which can lead to all kind of attacks if unpriviledged user has read (or
even worse write) access to key directory.
Replace the code that operates on the private keys with code that uses
mkstemp(), fchmod() and atomic rename() at the end, so at no time the
private key files have insecure permissions.
(cherry picked from commit 263d232c79)
As it's impossible to get the current umask without modifying it at the
same time, initialize the current umask at the program start and keep
the loaded value internally. Add isc_os_umask() function to access the
starttime umask.
(cherry picked from commit aca7dd3961)
This commit contains the backport of the behaviour for handling TLS
connect callbacks when wrapping up.
The current behaviour have not caused any problems to us, yet, but we
are changing it to remain on the safer side.
The doc file doc/dnssec-guide/validation.rst points to a resolver test
site that is now down. Remove the dead link.
(cherry picked from commit 8e78f8fc0f)
The isc_nm_httpconnect() would succeed even if the netmgr would be
already shuttingdown. This has been fixed and the unit test has been
updated to cope with fact that the handle would be NULL when
isc_nm_httpconnect() returns with an error.
(cherry picked from commit 665f8bb78d)
"Unstable" Debian "bullseye" unit and system jobs differ from unit and
system jobs on the Debian "bullseye" image by running a few more tests
enabled by the CI_ENABLE_ALL_TESTS environmental variable. These tests
are no less stable than the rest, and thus to have distinct jobs for
them wastes resources.
Run "unstable" unit and system tests as part of stock Debian "bullseye"
jobs.
(cherry picked from commit 2b9111b435)
amd64cross32 jobs run a cross-compiled 32-bit BIND 9 on the 64-bit
platform. This approach brings no build issues, and it is a good way to
catch 32-bit issues in BIND 9 code-base and ensure cross-compilation
keeps working.
Unfortunately, running unit and system tests is a problem:
- #3269 - doth-ns1 frequently failed to start
- #3316 - quota_test sometimes fails to create new thread
- #3956 - tcp-ns1 sometimes fails to allocate memory
There's little value in running unit and system tests on the
amd64cross32 platform, and it only means the effort spent by QA by
looking into what turns out to be 32-bit limitations.
(cherry picked from commit f86d4f3bd8)
With a newline before the :suppress_grammar: directive, it wasn't
actually interpreted as a directive, but rather as node content.
Therefore, the directive was ignored and the grammar was incorrectly
printed out.
(cherry picked from commit 36a5c098bd)
