To be consistent with the replacing of Oracle Linux QCOW2 images with
AlmaLinux AWS AMIs, also replace Docker images.
(cherry picked from commit 63947a2062)
Focal-specific ./configure options were moved to Jammy.
Backport of MR !9899
Merge branch 'backport-mnowak/drop-ubuntu-focal-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10457
There's a mismatch between the atomic and non-atomic types that could
potentially lead to a rwlock deadlock (after two billion 2^32) writes.
Use int_fast32_t when loading the atomic_int_fast32_t types in the
isc_rwlock unit.
Closes #5280
Backport of MR !10390
Merge branch 'backport-5280-match-the-types-in-isc_rwlock-9.18-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10391
There's a mismatch between the atomic and non-atomic types that could
potentially lead to a rwlock deadlock (after two billion 2^32) writes.
Use int_fast32_t when loading the atomic_int_fast32_t types in the
isc_rwlock unit.
(cherry picked from commit 86673ee67a)
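The effect of that kind of type mismatch can be reproduced with a simplified ticket-style lock. This is an added illustration, not BIND's isc_rwlock code: the counter layout and the names `model_lock_t`, `writer_proceeds`, `fast32_is_wider` and `PAST_INT32` are assumptions made for the example. On platforms where `int_fast32_t` is wider than `int32_t`, a ticket narrowed to 32 bits stops matching the full-width counter once the count passes 2^31, so the waiting writer never sees its turn.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified ticket lock (illustrative model, not BIND's isc_rwlock):
 * a writer takes a ticket from write_requests and may proceed once
 * write_completions equals that ticket. */
typedef struct {
	atomic_int_fast32_t write_requests;
	atomic_int_fast32_t write_completions;
} model_lock_t;

/* First counter value that no longer fits in 32 bits, when the platform's
 * int_fast32_t is wider than int32_t (e.g. 64-bit glibc). */
#if INT_FAST32_MAX > INT32_MAX
#define PAST_INT32 ((int_fast32_t)INT32_MAX + 1)
#else
#define PAST_INT32 ((int_fast32_t)INT32_MAX)
#endif

bool fast32_is_wider(void) { return sizeof(int_fast32_t) > sizeof(int32_t); }

/* Uncontended lock with both counters at 'start': does the next writer
 * see that its turn has arrived? */
bool writer_proceeds(int_fast32_t start, bool matched_types) {
	model_lock_t l;
	atomic_init(&l.write_requests, start);
	atomic_init(&l.write_completions, start);
	if (matched_types) {
		int_fast32_t ticket = atomic_fetch_add(&l.write_requests, 1);
		return atomic_load(&l.write_completions) == ticket;
	}
	/* Mismatch: the ticket is narrowed to 32 bits, while the comparison
	 * below is still done at the full width of int_fast32_t. */
	int32_t ticket = (int32_t)atomic_fetch_add(&l.write_requests, 1);
	return atomic_load(&l.write_completions) == ticket;
}

int main(void) {
	printf("sizeof(int_fast32_t)=%zu sizeof(int32_t)=%zu\n",
	       sizeof(int_fast32_t), sizeof(int32_t));
	printf("matched, past 2^31:    %d\n", writer_proceeds(PAST_INT32, true));
	printf("mismatched, past 2^31: %d\n", writer_proceeds(PAST_INT32, false));
	return 0;
}
```

For small counts both variants behave identically, which is why a mismatch like this survives ordinary testing and only appears on long-running, write-heavy servers.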
For pipelines in the private repository, add an optional manual job,
which allows the current branch to be pushed into the specified
customer's git repository. This can be useful to provide patch previews
for early testing.
For tags created in a private repository, add a manual job which pushes
the created tag to all entitled customers.
Backport of MR !10323
Merge branch 'backport-nicki/ci-customer-git-automation-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10358
For pipelines in the private repository, add an optional manual job,
which allows the current branch to be pushed into the specified
customer's git repository. This can be useful to provide patch previews
for early testing.
For tags created in a private repository, add a manual job which pushes
the created tag to all entitled customers.
(cherry picked from commit 378b412e94)
Clang 18 is no longer in the base image with a recent image update and clang-format and scan-build fail.
Merge branch 'mnowak/missing-clang-18' into 'bind-9.16'
See merge request isc-projects/bind9!10269
When `-T cookiealwaysvalid` is passed to `named`, DNS cookie checks for
the incoming queries always pass, given they are structurally correct.
Backport of MR !10232
Merge branch 'backport-aram/new-named-minus-T-option-of-cookiealwaysvalid-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10266
When -T cookiealwaysvalid is passed to named, DNS cookie checks for
the incoming queries always pass, given they are structurally correct.
(cherry picked from commit 807ef8545d)
Both FreeBSD and OpenBSD in the CI are tested on outdated images.
Current FreeBSD images can't even be rebuilt because in the maintained
branches they were ported from QCOW2 to the AWS autoscaler (also a
future of the OpenBSD image). This is something we don't want to
backport to EoL branches.
Merge branch 'mnowak/drop-bsd-images-from-ci' into 'bind-9.16'
See merge request isc-projects/bind9!10229
Both FreeBSD and OpenBSD in the CI are tested on outdated images.
Current FreeBSD images can't even be rebuilt because in the maintained
branches they were ported from QCOW2 to the AWS autoscaler (also a
future of the OpenBSD image). This is something we don't want to
backport to EoL branches.
Backport of MR !10029
Backport of MR !10042
Merge branch 'backport-pspacek/no-cross-project-after-merge-jobs-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10045
We need to avoid double-triggering of post-merge jobs in the following
scenario:
1. A private MR gets merged into the private BIND 9 repository.
2. This merge operation triggers a "push" pipeline in the private
repository, which correctly runs post-merge jobs, e.g. to set MR
metadata in the private project.
3. When a release is published, a script is run to change the
automatically assigned milestone value ("Not released yet") to
something else.
4. Shortly afterwards, the result of the merge from step 1 is merged
back into a maintenance branch in the public repository.
5. The push operation triggers another "push" pipeline, this time in
the public project.
At this point there are two problems:
- If the script is dumb (like it currently is), it will extract the
merge request ID from the merge commit description and change the
milestone for a merge request in the wrong project namespace.
- Even if the script was fixed to extract and use the correct GitLab
project reference, it would reset the milestone for the merge
request in the private repository back to "Not released yet" - while
the milestone set in step 3 should be retained.
An alternative would be to change the order of operations so that
post-release milestoning happens at a later stage, while also fixing the
script to correctly follow cross-project references, but that approach
seems more fragile than simply failing on all cross-project pushes. The
rule to enforce is: each project should only take care of its own
post-merge tasks.
(cherry picked from commit 6014060774)
With shallow fetching working reliably in pygit2 1.17.0+, there is no
longer any need for GitLab CI runners to clone the BIND 9 repository
with a fixed depth of 1000 during every "danger" CI job as Hazard is now
able to fetch remote refs with an arbitrary depth, controlled by the
HAZARD_FETCH_DEPTH environment variable. The latter can be defined via
GitLab project's CI settings and adjusted as needed over time, without
the need to update .gitlab-ci.yml every time its value needs to be
changed.
Backport of MR !9946
Merge branch 'backport-michal/use-default-cloning-depth-for-the-danger-ci-job-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!10039
With shallow fetching working reliably in pygit2 1.17.0+, there is no
longer any need for GitLab CI runners to clone the BIND 9 repository
with a fixed depth of 1000 during every "danger" CI job as Hazard is now
able to fetch remote refs with an arbitrary depth, controlled by the
HAZARD_FETCH_DEPTH environment variable. The latter can be defined via
GitLab project's CI settings and adjusted as needed over time, without
the need to update .gitlab-ci.yml every time its value needs to be
changed.
(cherry picked from commit e39e7afc16)
After isc-projects/bind9-qa!9 merged, BIND 9 releases without DoH/DoT
support are not supported.
Merge branch 'mnowak/drop-stress-tests' into 'bind-9.16'
See merge request isc-projects/bind9!10005
When answering queries, don't add data to the additional section if the answer has more than 13 names in the RDATA. This limits the number of lookups into the database(s) during a single client query, reducing query processing load.
Backport of MR !750
See isc-projects/bind9#5034
Merge branch '5034-security-limit-additional-9.16' into 'bind-9.16-release'
See merge request isc-private/bind9!760
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
(cherry picked from commit a1982cf1bb)
Instead of running the whole resolver/ns4 server with -T noaa flag,
use it only for the part where it is actually needed. The -T noaa
could interfere with other parts of the test because the answers don't
have the authoritative-answer bit set, and we could have false
positives (or false negatives) in the test because the authoritative
server doesn't follow the DNS protocol for all the tests in the resolver
system test.
(cherry picked from commit e51d4d3b88)
When isc_rwlock_trylock() fails to get a read lock because another
writer was faster, it should wake up other waiting writers in case
there are no other readers, but the current code forgets about
the currently active writer when evaluating 'cntflag'.
Unset the WRITER_ACTIVE bit in 'cntflag' before checking to see if
there are other readers, otherwise the waiting writers, if they exist,
might not wake up.
Closes #5121
Backport of MR !9937
Merge branch 'backport-aram/isc_rwlock_trylock-bugfix-9.18-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9938
When isc_rwlock_trylock() fails to get a read lock because another
writer was faster, it should wake up other waiting writers in case
there are no other readers, but the current code forgets about
the currently active writer when evaluating 'cntflag'.
Unset the WRITER_ACTIVE bit in 'cntflag' before checking to see if
there are other readers, otherwise the waiting writers, if they exist,
might not wake up.
(cherry picked from commit 73b6d9e9e5)
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely makes us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.
(cherry picked from commit f7319a38cf277c2140f0ed7ab46fd616b9322587)
Backport of MR !9626
Merge branch 'backport-nicki/pylint-disable-too-few-too-many-checks-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9806
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely makes us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.
(cherry picked from commit 7639c58c48)
Add an 'initial-ds' entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Closes #4896
Backport of MR !9422
Merge branch 'backport-4896-update-bind-keys-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9748
Add an 'initial-ds' entry to bind.keys for the new root key, ID
38696, scheduled for publication in January 2025.
(cherry picked from commit 609bf35075)
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.
(cherry picked from commit 0d90b13646)
When the TCP test is run on the busy server, the server might take a
while to wind the server down because it might still be processing all
those 300k invalid XFR requests.
Increase the rndc wait time to 120 seconds, the SIGTERM time to 300
seconds, and reduce the time to wait for ans servers from 1200 seconds
to just 120 seconds.
(cherry picked from commit d971472321)
Backport of MR !6847
Merge branch 'backport-ondrej-increase-the-time-to-wait-for-servers-to-gracefully-shutdown-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9468
When the TCP test is run on the busy server, the server might take a
while to wind the server down because it might still be processing all
those 300k invalid XFR requests.
Increase the rndc wait time to 120 seconds, the SIGTERM time to 300
seconds, and reduce the time to wait for ans servers from 1200 seconds
to just 120 seconds.
(cherry picked from commit d971472321)
Backport of MR !9424
Merge branch 'backport-mnowak/avoid-some-artifacts-in-stress-tests-9.16' into 'bind-9.16'
See merge request isc-projects/bind9!9430
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.
Closes #4897
Merge branch '4897-resolver-ns1-bump-max-recursion-queries-to-100' into 'bind-9.16'
See merge request isc-projects/bind9!9421