Commit graph

44114 commits

Author SHA1 Message Date
Colin Vidal
a72b8a1a60 remove global named defaults parser
Remove the global named defaults parser. Instead, a parser is created
during the execution time of named_config_parsedefaults(). This
simplifies the API (no parser to pass around) and the life-cycle of the
default configuration tree (it doesn't depend on a parser instance).
2025-10-23 13:00:02 -07:00
Colin Vidal
7706f5acec remove parser context field from cfg_obj_t
cfg_obj_t doesn't store a pointer to its parser context anymore,
and does not depend on the parser's lifecycle. Instead, it stores a
reference to its own memory context (and in principle, each node
could have different memory context). This also slightly simplifies
the _destroy API as there is no need to pass a context through it
anymore.
2025-10-23 12:59:58 -07:00
Colin Vidal
0d8c4044ab cfg_obj_t file is now a refcounted string
In order to reduce the lifecycle dependency of a `cfg_obj_t` on its
parser, the `file` field needs its own reference count, so it isn't
deleted when the parser is.  It is now stored as a subsidiary
`cfg_obj_t` object of type string.
2025-10-23 10:57:45 -07:00
Štěpán Balážik
09ad0ded75 chg: test: Use isctest.asyncserver in the "nsupdate" test
Reimplement the custom server written in Perl in Python using the AsyncDnsServer class.

Merge branch 'stepan/nsupdate-asyncserver' into 'main'

See merge request isc-projects/bind9!10915
2025-10-23 12:25:56 +00:00
Štěpán Balážik
99b0cf2dd7 Use isctest.asyncserver in the "nsupdate" test
Reimplement the custom server written in Perl in Python using the
AsyncDnsServer class.
2025-10-23 11:44:20 +00:00
Štěpán Balážik
4042b805ff Enable ignoring TCP connections
Add a TCP connection handler, IgnoreAllConnections that allows
establishing TCP connection but not reading anything from it.

This re-uses the horrible hack from ConnectionReset handler and might
break at any point in the future.

See the comments and e407888507 for more
details.
2025-10-23 11:44:20 +00:00
Michał Kępień
c2a672bbae Merge tag 'v9.21.14' 2025-10-22 18:13:34 +02:00
Michal Nowak
dedc17d1a4 chg: ci: Fail when spatch can't process source code
Sometimes spatch fails to process the source code:

    EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c

Closes #5567

Merge branch '5567-spatch-detect-more-error-conditions' into 'main'

See merge request isc-projects/bind9!11115
2025-10-22 13:27:45 +02:00
Michal Nowak
9279806b9e Use DNS_SIGTYPEPAIR instead of DNS_SIGTYPE
After 74fe3db37c, there's no such thing as
DNS_SIGTYPE.
2025-10-22 12:50:55 +02:00
Michal Nowak
d91e8ed575 Use SET_IF_NOT_NULL in isc__nm_base64* 2025-10-22 12:50:55 +02:00
Michal Nowak
6db5b9ee14 Spawn coccinelle CI job when util/check-cocci.sh was touched 2025-10-22 12:50:55 +02:00
Michal Nowak
44d1a97870 Fail when spatch can't process source code
Sometimes spatch fails to process the source code:

    EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
2025-10-22 12:50:55 +02:00
Colin Vidal
a27275d246 new: dev: run individual spatch from check-cocci.sh
Add util/check-cocci.sh support for a command-line argument which is a
path to a spatch file. Running `util/check-cocci.sh` runs all the spatch
in `cocci` folder. Running `util/check-cocci.sh cocci/foo.spatch` only
runs the spatch `cocci/foo.spatch`.

Any command line parameters after `--` are forwarded to `spatch`
command, for instance:

`util/check-cocci.sh -- --debug`
`util/check-cocci.sh cocci/foo.spatch -- --debug`

Will (1) run all spatch files in cocci/ with --debug spatch option and
(2) run only `cocci/foo.spatch` with --debug options.

Merge branch 'colin/check-cocci-individual-check' into 'main'

See merge request isc-projects/bind9!11096
2025-10-22 09:16:52 +02:00
Colin Vidal
085bf46a09 run individual spatch from check-cocci.sh
Add util/check-cocci.sh support for a command-line argument which is a
path to a spatch file. Running `util/check-cocci.sh` runs all the spatch
in `cocci` folder. Running `util/check-cocci.sh cocci/foo.spatch` only
runs the spatch `cocci/foo.spatch`.

Any command line parameters after `--` are forwarded to `spatch`
command, for instance:

`util/check-cocci.sh -- --debug`
`util/check-cocci.sh cocci/foo.spatch -- --debug`

Will (1) run all spatch files in cocci/ with --debug spatch option and
(2) run only `cocci/foo.spatch` with --debug options.
2025-10-22 08:41:26 +02:00
Mark Andrews
9e8fd9f4d7 fix: test: Fix typo in tools test's shell path
Merge branch 'pspacek/fix-test-typo' into 'main'

See merge request isc-projects/bind9!10939
2025-10-22 16:06:12 +11:00
Petr Špaček
0e770685d6 Fix typo in tools test's shell path 2025-10-22 13:50:08 +11:00
Mark Andrews
5bb4874057 fix: usr: dnssec-verify now uses exit code 1 when failing due to illegal options
Previously, dnssec-verify exited with code 0 if the options could not be parsed. This has been fixed.

Closes #5574

Merge branch '5574-dnssec-verify-uses-exit-code-0-when-failing-due-to-illegal-option' into 'main'

See merge request isc-projects/bind9!11106
2025-10-22 13:21:52 +11:00
Mark Andrews
ac3fba068e dnssec-verify now returns failure on bad arguments 2025-10-22 12:45:03 +11:00
Mark Andrews
8c2285fca6 fix: usr: Fix dnssec-keygen key collision checking for KEY rrtype keys
The :iscman:`dnssec-keygen` utility program failed to detect
possible Key ID collisions with the existing keys generated
using the non-default ``-T KEY`` option (e.g. for ``SIG(0)``).
This has been fixed.

Closes #5506

Merge branch '5506-dnssec-keygen-sig0-keys-collision-fix' into 'main'

See merge request isc-projects/bind9!11047
2025-10-22 12:44:26 +11:00
Mark Andrews
4c5d48926a Don't log spurious error "bad key type" in findmatchingkeys 2025-10-22 09:42:44 +11:00
Aram Sargsyan
49b7ce9a54 Fix dnssec-keygen key collision checking for KEY rrtype keys
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells which type of keys the caller is
currently interested in.
2025-10-22 09:42:43 +11:00
Nicki Křížek
aabe258774 new: test: Add module-specific python setup to system tests
During the system test execution, allow use of module-specific setup()
function in addition to the setup.sh script which this function should
ultimately replace.

The purpose of setup() is two-fold. First, it can execute any commands
needed to create the initial conditions for the test, such as creating
key materials, manipulating files etc. Second, it should return any
test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.

Merge branch 'nicki/pytest-add-python-setup-func' into 'main'

See merge request isc-projects/bind9!10983
2025-10-21 16:04:30 +02:00
Nicki Křížek
377724c26d Use common name for post-startup server functions
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
2025-10-21 15:07:49 +02:00
Nicki Křížek
fb4345afd4 Use bootstrap() in pytest where applicable
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.

In the tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
2025-10-21 15:07:49 +02:00
Nicki Křížek
7474d38295 Add module-specific python setup to system tests
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.

The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
2025-10-21 15:07:49 +02:00
Petr Špaček
98bddb0fe0 rem: doc: Remove stub chapter about load balancing from ARM
Related: !6610

Merge branch 'pspacek/doc-remove-load-balancing' into 'main'

See merge request isc-projects/bind9!11117
2025-10-21 09:42:12 +00:00
Petr Špaček
485e04aa7e Remove stub chapter about load balancing from ARM
Clearly Support wants this in Knowledge base, so let's comply.

Related: !6610
2025-10-21 09:41:54 +00:00
Michal Nowak
3a55bc1e5f new: ci: Update Clang to version 21
Merge branch 'mnowak/llvm-21' into 'main'

See merge request isc-projects/bind9!10877
2025-10-21 11:10:03 +02:00
Michal Nowak
c56785659e Use clang-format-21 to update formatting 2025-10-21 09:34:29 +02:00
Michal Nowak
6770f3d608 Update Clang to version 21 2025-10-21 09:34:29 +02:00
Evan Hunt
fc1b343357 fix: nil: simplify dns_dumpctx API
the functions dns_dumpctx_db() and dns_dumpctx_version() are used in
only one place, to get the serial number of the version being dumped.
it's simpler to expose the serial number through its own call,
dns_dumpctx_serial(), and remove the others.

Merge branch 'each-cleanup-dumpctx' into 'main'

See merge request isc-projects/bind9!10937
2025-10-21 04:58:27 +00:00
Evan Hunt
34314915e2 simplify dns_dumpctx API
the functions dns_dumpctx_db() and dns_dumpctx_version() are used in
only one place, to get the serial number of the version being dumped.
it's simpler to expose the serial number through its own call,
dns_dumpctx_serial(), and remove the others.
2025-10-20 17:48:18 -07:00
Mark Andrews
2ffb16c436 fix: nil: Fix parse_dnskey in bin/dnssec/dnssec-ksr.c was failing to reset comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.

Closes #5581

Merge branch '5581-parse_dnskey-in-lib-dns-skr-c-was-failing-to-reset-comments' into 'main'

See merge request isc-projects/bind9!11109
2025-10-20 11:31:22 +11:00
Mark Andrews
a949184eb7 Fix parse_dnskey in bin/dnssec/dnssec-ksr.c was failing to reset comments
If dns_name_fromtext failed or the subsequent dns_name_compare
failed the lexer's comments state wasn't cleaned up.
2025-10-20 10:54:32 +11:00
Štěpán Balážik
9e3ab1b538 fix: ci: Delete tarball after unpacking in CI jobs
This was overlooked in Meson migration.

Merge branch 'stepan/delete-tarball-after-unpacking' into 'main'

See merge request isc-projects/bind9!11111
2025-10-19 19:46:56 +00:00
Štěpán Balážik
23d8d7788e Delete tarball after unpacking in CI jobs
This was overlooked in Meson migration.
2025-10-19 19:46:40 +00:00
Colin Vidal
54d7198a1a chg: dev: mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program asserts there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.

However, if memory trace/record debug is enabled, the dump of
outstanding allocation won't be printed as it is done after the
no remaining allocation assertion check.

This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.

Merge branch 'colin/mem-checkfree-check-after-debuglist' into 'main'

See merge request isc-projects/bind9!11110
2025-10-19 10:38:18 +02:00
Colin Vidal
c50ace654d check memory context validity before mem_destory
Add a magic number check to ensure the memory context validity before
destroying it.

This check is needed now as it was done before implicitly when
isc_mem_inuse was called, but isc_mem_inuse is now called later (to be
able to dump the outstanding allocations).
2025-10-19 09:05:09 +02:00
Colin Vidal
9f4ff7dec4 mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program asserts there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.

However, if memory trace/record debug is enabled, the dump of
outstanding allocation won't be printed as it is done after the
no remaining allocation assertion check.

This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.
2025-10-19 09:05:09 +02:00
Michał Kępień
537824f32e Update BIND version for release 2025-10-18 11:48:52 +02:00
Michał Kępień
4c4dae53b8 new: doc: Prepare documentation for BIND 9.21.14
Merge branch 'michal/prepare-documentation-for-bind-9.21.14' into 'v9.21.14-release'

See merge request isc-private/bind9!867
2025-10-18 11:46:04 +02:00
Nicki Křížek
363416443b Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.

(cherry picked from commit e77f349240)
2025-10-18 09:47:28 +02:00
Michał Kępień
3ecab35af6 Prepare release notes for BIND 9.21.14 2025-10-18 09:47:28 +02:00
Michał Kępień
a63db9857c Prepare changelog for BIND 9.21.14 2025-10-18 09:47:28 +02:00
Michał Kępień
a78f847fc8 fix: usr: Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.

Closes isc-projects/bind9#5343

Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling' into 'v9.21.14-release'

See merge request isc-private/bind9!865
2025-10-18 09:39:35 +02:00
Evan Hunt
0caba8e9ce fix: usr: Report when a zone reload is already in progress
If a zone reload was already in progress when `rndc reload <zone>` was
run, the message returned was "zone reload queued", which was technically
correct, but it was identical to the message returned when a reload
was not in progress. Consequently, a user could issue two reload commands
without realizing that only one reload had actually taken place. This has
been addressed by changing the message returned to "zone reload was already queued".

Closes #5140

Merge branch '5140-report-reload-in-progress' into 'main'

See merge request isc-projects/bind9!10849
2025-10-17 20:36:32 +00:00
Evan Hunt
43f53b5010 report when zone reload already in progress
if a zone reload is already in progress when 'rndc reload <zone>' is
run, currently the message returned is "zone reload queued", which
is correct, but it's identical to the message returned when a reload
was *not* in progress, so the user can't easily tell what happened.
a user could reload a zone twice and not realize that only one
reload actually took place.

this has been addressed by changing the message returned to
"zone reload was already queued".

a new result code ISC_R_LOADING has been added to signal this
condition, taking the place of ISC_R_RELOAD, which was obsolete
and has been removed.
2025-10-17 20:36:18 +00:00
Colin Vidal
82a150adca fix: test: fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an expected name based on some randomly generated IPv6 (using Hypothesis). Turns out the test function generating the name didn't handle the case where the label which encodes the IPv6 could have a leading or trailing '-' character. (The plugin needs to add a leading or trailing 0 so as not to break IDN compatibility.)

Merge branch 'colin/fix-synthrecord-v6test' into 'main'

See merge request isc-projects/bind9!11073
2025-10-17 22:08:54 +02:00
Colin Vidal
2b4825dbad fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an
expected name based on some randomly generated IPv6 (using Hypothesis).
Turns out the test function generating the name didn't handle the case
where the label which encodes the IPv6 could have a leading or trailing
'-' character. (The plugin needs to add a leading or trailing 0 so as
not to break IDN compatibility.)
2025-10-17 12:28:04 -07:00
Ondřej Surý
7b26176c46 Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
2025-10-17 14:39:43 +02:00