The rrset-order random doesn't offer uniform distribution of all
permutations and it isn't superior to cyclic order in any way. Make the
random ordering an alias to the cyclic ordering.
Closes: #5513
Merge branch 'ondrej/remove-rrset-order-random' into 'main'
See merge request isc-projects/bind9!10912
Mimic the Unbound behaviour where the cyclic offset is taken from query
ID, and remove recording of the current state. As the incoming query ID
should have random distribution, the cyclic ordering should also have
uniform distribution of the starting record.
With random ordering removed, the cyclic ordering can be rewritten in a
way that it uses thread_local static array to keep the cyclic order.
This could be further improved by keeping the current position inside
the slabheader and adding a function to start directly there instead of at
dns_rdataset_first().
The rrset-order random doesn't offer uniform distribution of all
permutations and it isn't superior to cyclic order in any way. Make the
random ordering an alias to the cyclic ordering.
Extend the `$name`, `$view` and `$type` tokens (expanding into the zone
name, zone's view name and type); the new following tokens are now also
accepted:
- `$name` or `%s` is replaced with the zone name in lower case;
- `$type` or `%t` is replaced with the zone type (i.e., primary,
secondary, etc.);
- `$view` or `%v` is replaced with the view name;
- `$char1` or `%1` is replaced with the first character of the zone name;
- `$char2` or `%2` is replaced with the second character of the zone name
(or a dot if there is no second character);
- `$char3` or `%3` is replaced with the third character of the zone name (or
a dot if there is no third character);
- `$label1` or `%z` is replaced with the toplevel domain of the zone (or a
dot if it is the root zone);
- `$label2` or `%y` is replaced with the next label under the toplevel
domain (or a dot if there is no next label);
- `$label3` or `%x` is replaced with the next-next label under the toplevel
domain (or a dot if there is no next-next label).
Closes #85
Merge branch '85-file-template' into 'main'
See merge request isc-projects/bind9!10779
Extend the `$name`, `$view` and `$type` tokens (expanding into the zone
name, zone's view name and type); the new following tokens are now also
accepted:
- $name or %s is replaced with the zone name in lower case;
- $type or %t is replaced with the zone type (i.e., primary,
secondary, etc.);
- $view or %v is replaced with the view name;
- $char1 or %1 is replaced with the first character of the zone name;
- $char2 or %2 is replaced with the second character of the zone name
(or a dot if there is no second character);
- $char3 or %3 is replaced with the third character of the zone name (or
a dot if there is no third character);
- $label1 or %z is replaced with the toplevel domain of the zone (or a
dot if it is the root zone);
- $label2 or %y is replaced with the next label under the toplevel
domain (or a dot if there is no next label);
- $label3 or %x is replaced with the next-next label under the toplevel
domain (or a dot if there is no next-next label).
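
The token list above, worked through as an added example (this is not BIND's code). The function names are hypothetical, and the sketch assumes the zone name is handled without its trailing dot, that the root zone is written as `.`, and that labels contain no escaped dots:

```python
import re

# Short-form aliases from the commit message, mapped to the long token names.
ALIASES = {"s": "name", "t": "type", "v": "view",
           "1": "char1", "2": "char2", "3": "char3",
           "z": "label1", "y": "label2", "x": "label3"}

# Matches either a long token ($name, $char2, ...) or a short one (%s, %2, ...).
TOKEN_RE = re.compile(r"\$(name|type|view|char[123]|label[123])|%([stv123zyx])")


def zone_fields(zone, zone_type, view):
    """Compute every substitution value for one zone (assumed semantics)."""
    name = zone.lower()
    if name != ".":
        name = name.rstrip(".")  # assumption: trailing dot is not part of the name
    # Labels are counted from the top-level domain downwards; the root has none.
    labels = [] if name == "." else name.split(".")[::-1]
    fields = {"name": name, "type": zone_type, "view": view}
    for i in range(3):
        # A missing character or label is replaced with a dot, as the list states.
        fields[f"char{i + 1}"] = name[i] if i < len(name) else "."
        fields[f"label{i + 1}"] = labels[i] if i < len(labels) else "."
    return fields


def expand_template(template, zone, zone_type, view):
    """Expand long and short tokens in a zone file name template."""
    fields = zone_fields(zone, zone_type, view)

    def repl(match):
        key = match.group(1) or ALIASES[match.group(2)]
        return fields[key]

    return TOKEN_RE.sub(repl, template)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the BIND test suite.
    print(expand_template("$view/$label1/$label2/$name.db",
                          "Example.COM", "primary", "internal"))
    print(expand_template("%t/%1%2%3/%s.zone", "io", "secondary", "default"))
```

Running the expansion over an existing zone list before changing a `file` template shows which zones would end up sharing a directory or colliding on a file name.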
Update to REUSE Specification 3.2+ that uses REUSE.toml instead of DEP5
based specification.
Merge branch 'ondrej/cover-reuse-dep5-to-toml' into 'main'
See merge request isc-projects/bind9!10945
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
Merge branch 'aram/rpz-servfail-until-ready-tunings' into 'main'
See merge request isc-projects/bind9!10904
Since the log level has been raised, busy servers can "explode" from
the amount of log messages. Use the usual practice of logging "every
once in a while".
The "RPZ not ready yet" message is logged at debug 3 level. Use the
info level instead for better visibility.
After raising the log level, the rpz_log_fail_helper() function starts
appending " failed: " to the message. Change the log message so it
makes more sense.
In order to not pollute the SERVFAIL cache with the configured
SERVFAIL answers while RPZ is loading, set the NS_CLIENTATTR_NOSETFC
attribute for the client.
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
Closes #5485
Merge branch 'ondrej/clarify-rrset-order-random' into 'main'
See merge request isc-projects/bind9!10909
When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes #5491
Merge branch '5491-rpz-canonical-warning-displays-zone-entry-incorrectly' into 'main'
See merge request isc-projects/bind9!10890
Both qname and qtype arguments to dns_adb_createfind() were unused.
Remove both these arguments from the function prototype.
Merge branch 'ondrej/minor-dns_adb-cleanup' into 'main'
See merge request isc-projects/bind9!10918
Waiting for "keymgr: done" logs caused some manual-mode tests to fail intermittently. Waiting for "rekey done" logs should be more reliable.
Closes #5493
Merge branch '5493-algoroll-csk-step3-manual-unstable-test' into 'main'
See merge request isc-projects/bind9!10923
The counter in ns_client_t is used to track the maximum number of
recursions in the resolver, but it is created unconditionally when
starting the client and deallocated when resetting it.
This commit defers the allocation of the counter till recursion needs to
actually happen, speeding up authoritative workloads in perflab by
1.5~2%.
Merge branch 'alessio/lazy-fetch-counter-alloc' into 'main'
See merge request isc-projects/bind9!10917
The counter in ns_client_t is used to track the maximum number of
recursions in the resolver, but it is created unconditionally when
starting the client and deallocated when resetting it.
This commit defers the allocation of the counter till recursion needs to
actually happen, speeding up authoritative workloads in perflab by
1.5~2%.
Add a test to check serve-stale with the 'stale-answer-client-timeout 0'
configuration option and with a delegation which is a CNAME to an auth
zone.
Closes #5372
Merge branch '5372-serve-stale-crash-on-insist-unreachable-test' into 'main'
See merge request isc-projects/bind9!10920
Mark the ``tkey-domain`` statement as obsolete, since it has not had any
effect on server behavior since support for TKEY Mode 2 (Diffie-Hellman)
was removed (in BIND 9.20.0).
See #4204
Merge branch '4204-obsolete-tkey-domain' into 'main'
See merge request isc-projects/bind9!10798
The "tkey-domain" statement has effectively been a no-op since commit
bd4576b3ce, which removed the only bit of
code using it: the logic implementing TKEY Mode 2 (Diffie-Hellman).
A subsequent cleanup commit, 885c132f4a,
also missed the opportunity to remove the "tkey-domain" statement
altogether.
Mark the "tkey-domain" statement as obsolete and remove all code and
documentation related to it.
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Merge branch '4204-deprecate-tkey-gssapi-credential' into 'main'
See merge request isc-projects/bind9!10782
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
- Remove double non-NULL guard around bindrdataset()
- Add DNS_SLABTOP_FOREACH macros
- Made add() function in qpcache a single pass
Merge branch 'ondrej/add-DNS_SLABTOP_FOREACH' into 'main'
See merge request isc-projects/bind9!10879
The existing logic would always scan the headers if:
- adding negative cache entry that's NXDOMAIN or negative RRSIG
- adding positive cache entry
- the type doesn't exist in the node
As the rest is relatively minor - we only delete rrset from resolver
on broken chain and most negative entries don't exist in the case
anyway, it feels like the extra logic to decide whether we should do
full scan or not is just complicating things.
Remove the extra logic and always scan all the slabtop/slabheaders in
the node when adding new entry into the cache.
There were several consecutive foreach loops when adding new entry into
the cache. Merge the multiple foreach loops into a single pass loop
with some effort and a lot of comments.
The bindrdataset() already has a logic to skip the rest of the function
if the passed rdataset is NULL. Remove the external guarding for
'addedrdataset' to simplify the code flow both from the zone and cache
databases.