After f10f5572ac spatch started reporting
the following warnings:
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110376-c54da3-rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\n")
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110387-883f2f-dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\n")
See https://github.com/coccinelle/coccinelle/issues/398.
Merge branch 'mnowak/coccinelle-fix-impossible-warning' into 'main'
See merge request isc-projects/bind9!10557
After f10f5572ac spatch started reporting
the following warnings:
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110376-c54da3-rdatasetiter.h\", line 109, column 32, charpos = 3103\n around = '(',\n whole content = #define DNS_RDATASETITER_FOREACH(rds) \\\n")
Impossible: How can diff be null and have not Correct in compare_c? Tag1 ("diff token: ( VS (\nFile \"./lib/dns/include/dns/dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\nFile \"/tmp/cocci-output-110387-883f2f-dbiterator.h\", line 114, column 30, charpos = 3413\n around = '(',\n whole content = #define DNS_DBITERATOR_FOREACH(rds) \\\n")
See https://github.com/coccinelle/coccinelle/issues/398.
Meson generated 'dnssec-validation yes' into the built-in config, but
this config without an explicit trust anchor does not enable validation.
Change default to 'dnssec-validation auto' to use built-in key, as in
the autotools days.
Fix some leftover artifacts and information while transitioning BIND to Meson.
Add CI job to verify that pre-generated config grammar files are up-to-date with code.
Merge branch 'aydin/meson-doc-fix' into 'main'
See merge request isc-projects/bind9!10584
The meson build switched to generating the file grammars and using meson
to build the manpages/ARM. This is because meson doesn't work well when
writing files outside the build directory.
However, this has been suboptimal when someone only wants to build the
documentation (like RTD). Sphinx can now be used outside meson like it
was with autoconf.
Grammars are now updated by the developer with CI checking if one is
needed or not, like clang-format.
Use the links() method instead of compiles() for checking whether
-latomic needs to be added to linker invocations as compiles() does not
perform the linking step and is therefore not appropriate for carrying
out this kind of checks.
See #5379
Merge branch '5379-use-links-for-checking-if-latomic-is-necessary' into 'main'
See merge request isc-projects/bind9!10592
The add_project_dependencies() method was only added in Meson 0.63.
Replace its only use in meson.build with a corresponding call to the
add_project_link_arguments() method to avoid bumping the minimum
required Meson version beyond the one available in stock Ubuntu 22.04
LTS repositories.
Use the links() method instead of compiles() for checking whether
-latomic needs to be added to linker invocations as compiles() does not
perform the linking step and is therefore not appropriate for carrying
out this kind of checks.
Move the util/generate-stress-test-configs.py script from the BIND 9
source repository to the BIND 9 QA repository. This simplifies the
maintenance of that script by eliminating the need to backport every
change applied to it to multiple branches.
Merge branch 'michal/move-stress-test-generation-script-to-qa-repo' into 'main'
See merge request isc-projects/bind9!10585
Move the util/generate-stress-test-configs.py script from the BIND 9
source repository to the BIND 9 QA repository. This simplifies the
maintenance of that script by eliminating the need to backport every
change applied to it to multiple branches.
named-compilezone is an alias for named-checkzone: the two tools are
built from the same set of source files, but they behave differently
depending on which executable gets invoked. With Automake,
named-compilezone was installed as a hard link to named-checkzone using
a custom installation hook; try to keep things simple with Meson by
using the install_symlink() method, which makes named-compilezone a
symbolic link to named-checkzone and is the same thing that is already
used for ddns-confgen/tsig-keygen.
See #5379
Merge branch '5379-install-named-compilezone' into 'main'
See merge request isc-projects/bind9!10595
named-compilezone is an alias for named-checkzone: the two tools are
built from the same set of source files, but they behave differently
depending on which executable gets invoked. With Automake,
named-compilezone was installed as a hard link to named-checkzone using
a custom installation hook; try to keep things simple with Meson by
using the install_symlink() method, which makes named-compilezone a
symbolic link to named-checkzone and is the same thing that is already
used for ddns-confgen/tsig-keygen.
Add a 1 second wait before updating verify-axfr.db so that the
modification time of the file changes.
Closes#5376
Merge branch '5376-verify-axfr-db-gets-updated-too-fast-in-mirror-test' into 'main'
See merge request isc-projects/bind9!10586
In some rare cases, the softhsm2 utility reports failure to delete the
token directory, despite the token being found. Subsequent attempts to
delete the token again indicate that the token was deleted.
Ignore this cleanup error, as it doesn't prevent our tests from working
properly. There is also an attempt to delete the token before the test
starts which ensures a clean state before the test is executed, in case
there's actually a leftover token.
Closes#5244
Merge branch '5244-ignore-softhsm2util-delete-token-error' into 'main'
See merge request isc-projects/bind9!10607
In some rare cases, the softhsm2 utility reports failure to delete the
token directory, despite the token being found. Subsequent attempts to
delete the token again indicate that the token was deleted.
Ignore this cleanup error, as it doesn't prevent our tests from working
properly. There is also an attempt to delete the token before the test
starts which ensures a clean state before the test is executed, in case
there's actually a leftover token.
Update Sphinx to its current version pulled in by "pip install
sphinx-rtd-theme" run in a fresh Debian "bookworm" container.
Merge branch 'mnowak/update-sphinx-to-8.2.3' into 'main'
See merge request isc-projects/bind9!10603
Allow use of exception (and by extension, assert statements) in the
called function in order to extract essential debug information about
the type of failure that was encountered.
In case the called function fails to succeed on the last retry and
raised an exception, log it as error and set it as the assert message to
propagate it through the pytest framework.
Closes#5324
Merge branch '5324-pytest-isctest-run-logging' into 'main'
See merge request isc-projects/bind9!10580
For duration measurements, i.e. deadlines and timeouts, it's more
suitable to use monotonic time as it's guaranteed to only go forward,
unlike time.time() which can be affected by local clock settings.
Allow use of exception (and by extension, assert statements) in the
called function in order to extract essential debug information about
the type of failure that was encountered.
In case the called function fails to succeed on the last retry and
raised an exception, log it as error and set it as the assert message to
propagate it through the pytest framework.
Previously, when a DNSSEC key was purged by one zone view, other zone views would return an error about missing key files. This has been fixed.
Closes#5315
Merge branch '5315-fix-spurious-some-key-files-are-missing' into 'main'
See merge request isc-projects/bind9!10550
This happens because old key is purged by one zone view, then the other
is freaking out about it.
Keys that are unused or being purged should not be taken into account
when verifying key files are available.
The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.
The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing" log errors.
We should not check the purge variable at this point, but the
current time and purge-keys duration.
This commit fixes this erroneous logic.
Create a test scenario where a signed zone is in multiple views and
then a key may be purged. This is a bug case where the key files are
removed by one view and then the other view starts complaining.
Added support for PRIVATEDNS and PRIVATEOID key usage. Added PRIVATEOID
test algorithms using the assigned OIDs for RSASHA256 and RSASHA512.
Added code to support proposed DS digest types that encode the PRIVATEDNS
and PRIVATEOID identifiers at the start of the digest field of the DS record.
This code is disabled by default.
Closes#3240
Merge branch '3240-add-privatedns-and-privateoid-support' into 'main'
See merge request isc-projects/bind9!10341
Add a zone using DS records that embed the private algorithm
identifier in the digest field. There are 2 DS record for an
unsupported DNSSEC algorithm one of which that doesn't have a
matching DNSKEY. This zone should validate as insecure as the
validator can establish that both DS records are for unsupported
DNSSEC algorithms.
There are 4 tests:
1) a zone using a known private OID. Validations should succeed
and return AD=1.
2) a zone using an unknown private OID. Validation should succeed
and return AD=0 as the DS to DNSKEY has provably unsupported
algorithm.
3) a zone using a known private OID and an extra DS record. Validation
should succeed as there is DS to DNSKEY with a known algorithm
linkage.
4) a zone using an unknown private OID and an extra DS record.
Validation should fail as only one of the DS records can be matched
to a provable unknown algorithm. The algorithm of the second DS
is indeterminate.
Use the existing RSASHA256 and RSASHA512 implementation to provide
working PRIVATEOID example implementations. We are using the OID
values normally associated with RSASHA256 (1.2.840.113549.1.1.11)
and RSASHA512 (1.2.840.113549.1.1.13).
Add support for proposed DS digest types that encode the private
algorithm identifier at the start of the DS digest as is done for
DNSKEY and RRSIG. This allows a DS record to identify the specific
DNSSEC algorithm, rather than a set of algorithms, when the algorithm
field is set to PRIVATEDNS or PRIVATEOID.
- dns_zone_cdscheck() has been extended to extract the key algorithms
from DNSKEY data when the CDS algorithm is PRIVATEOID or PRIVATEDNS.
- dns_zone_signwithkey() has been extended to support signing with
PRIVATEDNS and PRIVATEOID algorithms. The signing record (type 65534)
added at the zone apex to indicate the current state of automatic zone
signing can now contain an additional two-byte field for the DST
algorithm value, when the DNS secalg value isn't enough information.
dns_resolver_algorithm_supported() has been extended so in addition to
an algorithm number, it can also take a pointer to an RRSIG signature
field in which key information is encoded.
DST algorithm and DNSSEC algorithm values are not necessarily the same
anymore: if the DNSSEC algorithm value is PRIVATEOID or PRIVATEDNS, then
the DST algorithm will be mapped to something else. The conversion is
now done correctly where necessary.
The algorithm values PRIVATEDNS and PRIVATEOID are placeholders,
signifying that the actual algorithm identifier is encoded into the
key data. Keys using this mechanism are now supported.
- The algorithm values PRIVATEDNS and PRIVATEOID cannot be used to
build a key file name; dst_key_buildfilename() will assert if
they are used.
- The DST key values for private algorithms are higher than 255.
Since DST_ALG_MAXALG now exceeds 256, algorithm arrays that were
previously hardcoded to size 256 have been resized.
- New mnemonic/text conversion functions have been added.
dst_algorithm_{fromtext,totext,format} can handle algorithm
identifiers encoded in PRIVATEDNS and PRIVATEOID keys, as well
as the traditional algorithm identifiers. (Note: The existing
dns_secalg_{fromtext,totext,format} functions are similar, but
do *not* support PRIVATEDNS and PRIVATEOID. In most cases, the
new functions have taken the place of the old ones, but in a few
cases the old version is still appropriate.)
- dns_private{oid,dns}_{fromtext,totext,format} converts between
DST algorithm values and the mnemonic strings for algorithms
implemented using PRIVATEDNS or PRIVATEOID. (E.g., "RSASHA256OID").
- dst_algorithm_tosecalg() returns the DNSSEC algorithm identifier
that applies for a given DST algorithm. For PRIVATEDNS- or
PRIVATEOID- based algorithms, the result will be PRIVATEDNS or
PRIVATEOID, respectively.
- dst_algorithm_fromprivatedns() and dst_algorithm_fromprivateoid()
return the DST algorithm identifier for an encoded algorithm in
wire format, represented as in DNS name or an object identifier,
respectively.
- dst_algorithm_fromdata() is a front-end for the above; it extracts
the private algorithm identifier encoded at the begining of a
block of key or signature data, and returns the matching DST
algorithm number.
- dst_key_fromdns() and dst_key_frombuffer() now work with keys
that have PRIVATEDNS and PRIVATEOID algorithm identifiers at the
beginning.
- When the algorithm value for a DNSSEC key is set to PRIVATEOID
or PRIVATEDNS, that's a placeholder value indicating that the
real algorithm identifier is encoded into the key or signature
data. That means the DNSKEY algorithm value and the DST algorithm
value may not be identical, so we must now add environment variables
DEFAULT_ALGORITHM_DST_NUMBER, ALTERNATIVE_ALGORITHM_DST_NUMBER
and DISABLED_ALGORITHM_DST_NUMBER to the test suite, with support
for mapping from DST algorithm value to PRIVATEDNS or PRIVATEOID.
- Some test cases use RRSIGs that have been modified to force
validation to fail. When making those modifications, we now
preserve the first part of the signature, so that PRIVATEDNS and
PRIVATEOID algorithm identifier values will still work. (This
assumes that the identifiers are short and fit into the first
base64 block.)
These test cases involve a reconfig, dnssec policy changes.
Merge branch 'matthijs-pytest-rewrite-kasp-system-test-6' into 'main'
See merge request isc-projects/bind9!10295
