Version in base suite: 9.16.33-1~deb11u1 Base version: bind9_9.16.33-1~deb11u1 Target version: bind9_9.16.37-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bind9/bind9_9.16.33-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bind9/bind9_9.16.37-1~deb11u1.dsc .gitlab-ci.yml | 185 + CHANGES | 146 + COPYRIGHT | 2 bin/check/check-tool.c | 11 bin/check/named-checkconf.c | 11 bin/check/named-checkzone.c | 3 bin/confgen/ddns-confgen.c | 3 bin/delv/delv.c | 27 bin/dig/dig.c | 26 bin/dig/dig.rst | 8 bin/dig/dighost.c | 39 bin/dig/host.c | 21 bin/dnssec/dnssec-cds.c | 15 bin/dnssec/dnssec-keyfromlabel.c | 6 bin/dnssec/dnssec-keygen.c | 15 bin/dnssec/dnssec-revoke.c | 3 bin/dnssec/dnssec-settime.c | 6 bin/dnssec/dnssec-signzone.c | 90 bin/dnssec/dnssectool.c | 3 bin/named/bind9.xsl | 4 bin/named/bind9.xsl.h | 6 bin/named/builtin.c | 3 bin/named/config.c | 13 bin/named/controlconf.c | 12 bin/named/main.c | 148 + bin/named/named.conf.rst | 13 bin/named/named.rst | 16 bin/named/server.c | 277 +- bin/named/statschannel.c | 50 bin/named/tsigconf.c | 3 bin/named/unix/os.c | 6 bin/named/zoneconf.c | 9 bin/nsupdate/nsupdate.c | 18 bin/nsupdate/nsupdate.rst | 2 bin/pkcs11/pkcs11-keygen.c | 6 bin/plugins/filter-aaaa.c | 3 bin/rndc/rndc.c | 21 bin/tests/cfg_test.c | 6 bin/tests/optional/byaddr_test.c | 6 bin/tests/optional/db_test.c | 13 bin/tests/optional/name_test.c | 9 bin/tests/optional/nsecify.c | 2 bin/tests/optional/rbt_test.c | 3 bin/tests/optional/zone_test.c | 3 bin/tests/system/addzone/tests.sh | 22 bin/tests/system/auth/clean.sh | 2 bin/tests/system/autosign/clean.sh | 2 bin/tests/system/autosign/ns1/keygen.sh | 20 bin/tests/system/autosign/ns2/Xbar.+005+30676.key | 5 bin/tests/system/autosign/ns2/Xbar.+005+30676.private | 13 bin/tests/system/autosign/ns2/Xbar.+005+30804.key | 5 bin/tests/system/autosign/ns2/Xbar.+005+30804.private | 13 bin/tests/system/autosign/ns2/Xbar.+013+59973.key | 5 bin/tests/system/autosign/ns2/Xbar.+013+59973.private | 6 bin/tests/system/autosign/ns2/Xbar.+013+60101.key | 5 bin/tests/system/autosign/ns2/Xbar.+013+60101.private | 6 bin/tests/system/autosign/ns2/keygen.sh | 18 bin/tests/system/autosign/ns3/keygen.sh | 103 - bin/tests/system/autosign/ns3/named.conf.in | 4 bin/tests/system/autosign/ns3/nsec-only.example.db.in | 26 bin/tests/system/autosign/ns3/nsec.example.db.in | 26 bin/tests/system/autosign/tests.sh | 582 +++--- bin/tests/system/builtin/tests.sh | 14 bin/tests/system/cacheclean/tests.sh | 6 bin/tests/system/case/setup.sh | 2 bin/tests/system/catz/clean.sh | 2 bin/tests/system/catz/ns1/named.conf.in | 7 bin/tests/system/catz/ns2/named1.conf.in | 7 bin/tests/system/catz/ns2/named2.conf.in | 2 bin/tests/system/catz/ns3/catalog.example.db.in | 14 bin/tests/system/catz/setup.sh | 2 bin/tests/system/catz/tests.sh | 94 bin/tests/system/cds/setup.sh | 26 bin/tests/system/cds/tests.sh | 2 bin/tests/system/chain/ns2/sign.sh | 20 bin/tests/system/chain/tests.sh | 2 bin/tests/system/checkconf/bad-kasp-keydir1.conf | 50 bin/tests/system/checkconf/bad-kasp-keydir1.conf.in | 50 bin/tests/system/checkconf/bad-kasp-keydir2.conf | 48 bin/tests/system/checkconf/bad-kasp-keydir2.conf.in | 48 bin/tests/system/checkconf/bad-kasp-keydir3.conf | 55 bin/tests/system/checkconf/bad-kasp-keydir3.conf.in | 55 bin/tests/system/checkconf/bad-kasp-keydir4.conf | 52 bin/tests/system/checkconf/bad-kasp-keydir4.conf.in | 52 bin/tests/system/checkconf/bad-kasp-keydir5.conf | 52 bin/tests/system/checkconf/bad-kasp-keydir5.conf.in | 52 bin/tests/system/checkconf/check-wildcard-no.conf | 18 bin/tests/system/checkconf/check-wildcard.conf | 18 bin/tests/system/checkconf/check-wildcard.db | 23 bin/tests/system/checkconf/clean.sh | 12 bin/tests/system/checkconf/deprecated.conf | 5 bin/tests/system/checkconf/dnssec.4 | 18 bin/tests/system/checkconf/good.conf | 1 bin/tests/system/checkconf/tests.sh | 142 - bin/tests/system/checkds/ns9/setup.sh | 6 bin/tests/system/checkds/tests-checkds.py | 443 ---- bin/tests/system/checkds/tests_checkds.py | 445 ++++ bin/tests/system/checknames/setup.sh | 2 bin/tests/system/checkzone/clean.sh | 3 bin/tests/system/checkzone/setup.sh | 4 bin/tests/system/checkzone/tests.sh | 2 bin/tests/system/checkzone/zones/bad-tsig.db | 17 bin/tests/system/checkzone/zones/bad-tsig.db.in | 17 bin/tests/system/checkzone/zones/good-svcb.db | 1 bin/tests/system/ckdnsrps.sh | 2 bin/tests/system/common/controls.conf | 22 bin/tests/system/conf.sh.common | 154 - bin/tests/system/conf.sh.in | 183 - bin/tests/system/conf.sh.win32 | 156 - bin/tests/system/cookie/clean.sh | 2 bin/tests/system/coverage/setup.sh | 74 bin/tests/system/delzone/clean.sh | 25 bin/tests/system/delzone/ns1/inlinesec.db | 26 bin/tests/system/delzone/ns1/named.conf | 34 bin/tests/system/delzone/ns2/added.db | 26 bin/tests/system/delzone/ns2/named.args | 1 bin/tests/system/delzone/ns2/named.conf | 35 bin/tests/system/delzone/ns2/normal.db | 26 bin/tests/system/delzone/setup.sh | 17 bin/tests/system/delzone/tests.sh | 65 bin/tests/system/dialup/clean.sh | 2 bin/tests/system/dialup/ns1/named.conf | 40 bin/tests/system/dialup/ns1/named.conf.in | 40 bin/tests/system/dialup/ns2/named.conf | 40 bin/tests/system/dialup/ns2/named.conf.in | 40 bin/tests/system/dialup/ns3/named.conf | 40 bin/tests/system/dialup/ns3/named.conf.in | 40 bin/tests/system/dialup/setup.sh | 19 bin/tests/system/dialup/tests.sh | 2 bin/tests/system/digdelv/yamlget.py | 1 bin/tests/system/dlzexternal/driver.c | 6 bin/tests/system/dlzexternal/tests.sh | 2 bin/tests/system/dns64/ns1/sign.sh | 4 bin/tests/system/dnssec/clean.sh | 3 bin/tests/system/dnssec/ns4/managed-keys.bind.in | 21 bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.key | 1 bin/tests/system/dnssec/signer/general/Kexample.com.+005+07065.private | 10 bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.key | 1 bin/tests/system/dnssec/signer/general/Kexample.com.+005+23362.private | 10 bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.key | 5 bin/tests/system/dnssec/signer/general/Kexample.com.+010+18240.private | 13 bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.key | 5 bin/tests/system/dnssec/signer/general/Kexample.com.+010+28633.private | 13 bin/tests/system/dnssec/signer/general/bogus-ksk.key | 4 bin/tests/system/dnssec/signer/general/bogus-zsk.key | 4 bin/tests/system/dnssec/signer/general/test1.zone | 4 bin/tests/system/dnssec/signer/general/test2.zone | 2 bin/tests/system/dnssec/signer/general/test3.zone | 2 bin/tests/system/dnssec/signer/general/test4.zone | 4 bin/tests/system/dnssec/signer/general/test5.zone | 4 bin/tests/system/dnssec/signer/general/test6.zone | 4 bin/tests/system/dnssec/signer/general/test8.zone | 2 bin/tests/system/dnssec/tests.sh | 105 - bin/tests/system/dnstap/prereq.sh | 20 bin/tests/system/dnstap/tests.sh | 4 bin/tests/system/dscp/clean.sh | 2 bin/tests/system/dscp/tests.sh | 2 bin/tests/system/dsdigest/ns1/sign.sh | 4 bin/tests/system/dsdigest/ns2/sign.sh | 8 bin/tests/system/dupsigs/clean.sh | 3 bin/tests/system/dupsigs/ns1/named.conf.in | 2 bin/tests/system/dupsigs/ns1/reset_keys.sh | 13 bin/tests/system/dupsigs/ns1/signing.test.db.in | 2 bin/tests/system/dupsigs/setup.sh | 2 bin/tests/system/dupsigs/tests.sh | 36 bin/tests/system/dyndb/driver/db.c | 13 bin/tests/system/emptyzones/clean.sh | 2 bin/tests/system/emptyzones/setup.sh | 2 bin/tests/system/feature-test.c | 18 bin/tests/system/formerr/clean.sh | 2 bin/tests/system/forward/clean.sh | 2 bin/tests/system/forward/tests.sh | 6 bin/tests/system/get_algorithms.py | 241 ++ bin/tests/system/idna/tests.sh | 2 bin/tests/system/inline/clean.sh | 2 bin/tests/system/inline/ns1/sign.sh | 4 bin/tests/system/inline/ns3/sign.sh | 78 bin/tests/system/inline/ns7/sign.sh | 6 bin/tests/system/inline/ns8/sign.sh | 8 bin/tests/system/inline/setup.sh | 2 bin/tests/system/inline/tests.sh | 461 ++-- bin/tests/system/ixfr/tests.sh | 4 bin/tests/system/journal/clean.sh | 2 bin/tests/system/kasp.sh | 8 bin/tests/system/kasp/clean.sh | 3 bin/tests/system/kasp/kasp.conf | 4 bin/tests/system/kasp/ns3/named-fips.conf.in | 508 +++++ bin/tests/system/kasp/ns3/named.conf.in | 494 ----- bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in | 118 + bin/tests/system/kasp/ns3/policies/kasp.conf.in | 106 - bin/tests/system/kasp/ns3/setup.sh | 155 + bin/tests/system/kasp/ns4/named.conf.in | 6 bin/tests/system/kasp/ns6/named.conf.in | 10 bin/tests/system/kasp/ns6/named2.conf.in | 9 bin/tests/system/kasp/ns6/policies/csk1.conf.in | 2 bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in | 63 bin/tests/system/kasp/ns6/policies/kasp.conf.in | 28 bin/tests/system/kasp/ns6/setup.sh | 96 - bin/tests/system/kasp/setup.sh | 18 bin/tests/system/kasp/tests.sh | 245 +- bin/tests/system/keepalive/clean.sh | 2 bin/tests/system/keymgr/18-nonstd-prepub/policy.conf | 20 bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in | 20 bin/tests/system/keymgr/19-old-keys/policy.conf | 20 bin/tests/system/keymgr/19-old-keys/policy.conf.in | 20 bin/tests/system/keymgr/clean.sh | 3 bin/tests/system/keymgr/policy.conf | 23 bin/tests/system/keymgr/policy.conf.in | 23 bin/tests/system/keymgr/setup.sh | 98 - bin/tests/system/keymgr2kasp/clean.sh | 1 bin/tests/system/keymgr2kasp/ns3/kasp.conf.in | 8 bin/tests/system/keymgr2kasp/ns3/setup.sh | 14 bin/tests/system/keymgr2kasp/ns4/named.conf.in | 4 bin/tests/system/keymgr2kasp/ns4/named2.conf.in | 6 bin/tests/system/keymgr2kasp/ns4/setup.sh | 2 bin/tests/system/keymgr2kasp/tests.sh | 28 bin/tests/system/legacy/clean.sh | 2 bin/tests/system/legacy/tests.sh | 4 bin/tests/system/logfileconfig/tests.sh | 4 bin/tests/system/masterformat/tests.sh | 6 bin/tests/system/metadata/setup.sh | 22 bin/tests/system/metadata/tests.sh | 110 - bin/tests/system/mirror/clean.sh | 2 bin/tests/system/mirror/ns1/sign.sh | 4 bin/tests/system/mirror/ns2/sign.sh | 16 bin/tests/system/mirror/tests.sh | 146 - bin/tests/system/mkeys/clean.sh | 1 bin/tests/system/mkeys/ns1/sign.sh | 37 bin/tests/system/mkeys/ns3/named.conf.in | 5 bin/tests/system/mkeys/ns6/setup.sh | 8 bin/tests/system/mkeys/setup.sh | 8 bin/tests/system/mkeys/tests.sh | 45 bin/tests/system/names/setup.sh | 2 bin/tests/system/notify/tests.sh | 4 bin/tests/system/nsec3/clean.sh | 2 bin/tests/system/nsec3/ns2/named.conf.in | 46 bin/tests/system/nsec3/ns2/setup.sh | 22 bin/tests/system/nsec3/ns2/template.db.in | 28 bin/tests/system/nsec3/ns3/named.conf.in | 32 bin/tests/system/nsec3/ns3/named2.conf.in | 17 bin/tests/system/nsec3/ns3/setup.sh | 4 bin/tests/system/nsec3/setup.sh | 6 bin/tests/system/nsec3/tests.sh | 54 bin/tests/system/nslookup/clean.sh | 2 bin/tests/system/nsupdate/krb/setup.sh | 2 bin/tests/system/nsupdate/ns1/named.conf.in | 2 bin/tests/system/nsupdate/ns3/sign.sh | 12 bin/tests/system/nsupdate/tests.sh | 246 +- bin/tests/system/nzd2nzf/prereq.sh | 2 bin/tests/system/nzd2nzf/tests.sh | 9 bin/tests/system/padding/clean.sh | 2 bin/tests/system/pending/ns1/sign.sh | 4 bin/tests/system/pending/ns2/sign.sh | 4 bin/tests/system/pytest_custom_markers.py | 21 bin/tests/system/qmin/ans3/ans.py | 1 bin/tests/system/redirect/ns1/sign.sh | 8 bin/tests/system/redirect/ns3/sign.sh | 8 bin/tests/system/redirect/ns5/sign.sh | 8 bin/tests/system/resolve.c | 9 bin/tests/system/resolver/ans2/ans.pl | 9 bin/tests/system/resolver/ans3/ans.pl | 71 bin/tests/system/resolver/ns1/named.conf.in | 13 bin/tests/system/resolver/ns4/named.conf.in | 5 bin/tests/system/resolver/ns4/tld1.db | 3 bin/tests/system/resolver/ns4/tld2.db | 7 bin/tests/system/resolver/ns4/v4only.net.db | 22 bin/tests/system/resolver/ns6/keygen.sh | 11 bin/tests/system/resolver/ns6/named.conf.in | 12 bin/tests/system/resolver/ns6/redirect.com.db | 27 bin/tests/system/resolver/ns6/root.db | 3 bin/tests/system/resolver/ns6/tld1.db | 17 bin/tests/system/resolver/ns7/named1.conf.in | 12 bin/tests/system/resolver/ns7/named2.conf.in | 12 bin/tests/system/resolver/ns7/sub.tld1.db | 17 bin/tests/system/resolver/ns7/tld2.db | 18 bin/tests/system/resolver/ns9/named.args | 2 bin/tests/system/resolver/ns9/named.conf.in | 39 bin/tests/system/resolver/ns9/root.hint | 15 bin/tests/system/resolver/setup.sh | 1 bin/tests/system/resolver/tests.sh | 665 +++---- bin/tests/system/rndc/ns7/named.conf.in | 4 bin/tests/system/rndc/setup.sh | 2 bin/tests/system/rndc/tests.sh | 18 bin/tests/system/rootkeysentinel/ns1/sign.sh | 4 bin/tests/system/rootkeysentinel/ns2/sign.sh | 14 bin/tests/system/rpz/clean.sh | 4 bin/tests/system/rpz/dnsrps.c | 3 bin/tests/system/rpz/ns2/base-tld2s.db | 1 bin/tests/system/rpz/ns2/tld2.db | 3 bin/tests/system/rpz/ns6/bl.tld2s.db.in | 20 bin/tests/system/rpz/ns6/named.conf.in | 6 bin/tests/system/rpz/qperf.sh | 2 bin/tests/system/rpz/setup.sh | 13 bin/tests/system/rpz/tests.sh | 38 bin/tests/system/rpzrecurse/clean.sh | 2 bin/tests/system/rpzrecurse/tests.sh | 10 bin/tests/system/rrchecker/clean.sh | 2 bin/tests/system/rrl/broken.conf | 46 bin/tests/system/rrl/broken.conf.in | 46 bin/tests/system/rrl/clean.sh | 3 bin/tests/system/rrl/setup.sh | 1 bin/tests/system/rrl/tests.sh | 14 bin/tests/system/rrsetorder/tests.sh | 4 bin/tests/system/rsabigexponent/README.md | 8 bin/tests/system/rsabigexponent/bigkey.c | 4 bin/tests/system/rsabigexponent/ns1/sign.sh | 2 bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key | 2 bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private | 10 bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key | 2 bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private | 10 bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.key | 5 bin/tests/system/rsabigexponent/ns2/Xexample.+008+51650.private | 13 bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.key | 2 bin/tests/system/rsabigexponent/ns2/Xexample.+008+52810.private | 10 bin/tests/system/rsabigexponent/ns2/dsset-example.in | 3 bin/tests/system/rsabigexponent/ns2/example.db.bad | 226 +- bin/tests/system/rsabigexponent/ns2/sign.sh | 6 bin/tests/system/run.sh | 2 bin/tests/system/serve-stale/ans2/ans.pl | 24 bin/tests/system/serve-stale/clean.sh | 2 bin/tests/system/serve-stale/ns1/named3.conf.in | 5 bin/tests/system/serve-stale/ns1/stale.test.db | 19 bin/tests/system/serve-stale/ns3/named6.conf.in | 4 bin/tests/system/serve-stale/tests.sh | 379 ++-- bin/tests/system/shutdown/clean.sh | 2 bin/tests/system/shutdown/setup.sh | 2 bin/tests/system/shutdown/tests-shutdown.py | 207 -- bin/tests/system/shutdown/tests_shutdown.py | 207 ++ bin/tests/system/smartsign/tests.sh | 76 bin/tests/system/sortlist/tests.sh | 8 bin/tests/system/spf/clean.sh | 2 bin/tests/system/start.pl | 40 bin/tests/system/staticstub/ns3/sign.sh | 8 bin/tests/system/staticstub/ns4/sign.sh | 4 bin/tests/system/statschannel/tests-json.py | 111 - bin/tests/system/statschannel/tests-xml.py | 140 - bin/tests/system/statschannel/tests.sh | 51 bin/tests/system/statschannel/tests_json.py | 108 + bin/tests/system/statschannel/tests_xml.py | 137 + bin/tests/system/stop.pl | 4 bin/tests/system/stress/clean.sh | 3 bin/tests/system/stress/ns1/named.conf | 32 bin/tests/system/stress/ns1/named.conf.in | 32 bin/tests/system/stress/ns2/named.conf | 34 bin/tests/system/stress/ns2/named.conf.in | 34 bin/tests/system/stress/ns3/named.conf | 50 bin/tests/system/stress/ns3/named.conf.in | 50 bin/tests/system/stress/ns4/named.conf | 35 bin/tests/system/stress/ns4/named.conf.in | 35 bin/tests/system/stress/setup.sh | 5 bin/tests/system/stress/tests.sh | 8 bin/tests/system/stub/tests.sh | 4 bin/tests/system/synthfromdnssec/ns1/sign.sh | 4 bin/tests/system/synthfromdnssec/ns4/named.conf.in | 1 bin/tests/system/system-test-driver.sh | 5 bin/tests/system/tcp/tests-tcp.py | 72 bin/tests/system/tcp/tests_tcp.py | 72 bin/tests/system/testcrypto.sh | 100 - bin/tests/system/timeouts/tests-tcp.py | 283 -- bin/tests/system/timeouts/tests_tcp_timeouts.py | 283 ++ bin/tests/system/tsiggss/tests.sh | 2 bin/tests/system/unknown/ns3/sign.sh | 4 bin/tests/system/unknown/setup.sh | 2 bin/tests/system/unknown/tests.sh | 8 bin/tests/system/upforwd/clean.sh | 2 bin/tests/system/upforwd/ns3/named.conf.in | 56 bin/tests/system/upforwd/ns3/named1.conf.in | 63 bin/tests/system/upforwd/ns3/named2.conf.in | 41 bin/tests/system/upforwd/setup.sh | 4 bin/tests/system/upforwd/tests.sh | 39 bin/tests/system/verify/clean.sh | 2 bin/tests/system/verify/tests.sh | 2 bin/tests/system/verify/zones/genzones.sh | 109 - bin/tests/system/views/setup.sh | 12 bin/tests/system/wildcard/ns1/sign.sh | 20 bin/tests/system/wildcard/tests-wildcard.py | 112 - bin/tests/system/wildcard/tests.sh | 2 bin/tests/system/wildcard/tests_wildcard.py | 112 + bin/tests/system/xfer/tests.sh | 4 bin/tests/system/zero/clean.sh | 2 bin/tests/system/zero/setup.sh | 2 bin/tests/system/zonechecks/setup.sh | 4 bin/tests/wire_test.c | 3 bin/tools/mdig.c | 12 config.h.in | 3 configure | 2 configure.ac | 2 contrib/dlz/bin/dlzbdb/dlzbdb.c | 9 contrib/dlz/drivers/dlz_bdb_driver.c | 3 contrib/dlz/drivers/dlz_bdbhpt_driver.c | 3 contrib/dlz/drivers/dlz_filesystem_driver.c | 18 contrib/dlz/drivers/dlz_odbc_driver.c | 9 contrib/dlz/drivers/dlz_postgres_driver.c | 3 contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c | 6 contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c | 18 contrib/dlz/modules/include/dlz_list.h | 14 contrib/dlz/modules/ldap/dlz_ldap_dynamic.c | 3 contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c | 9 contrib/dlz/modules/perl/Makefile | 4 contrib/dlz/modules/perl/dlz_perl_driver.c | 35 contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c | 16 contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c | 19 dangerfile.py | 124 + debian/changelog | 15 debian/patches/0003-Disable-sphinx-build-strict-mode.patch | 8 doc/arm/conf.py | 4 doc/arm/dnssec.inc.rst | 9 doc/arm/notes.rst | 6 doc/arm/platforms.rst | 6 doc/arm/reference.rst | 55 doc/arm/requirements.txt | 2 doc/dnssec-guide/introduction.rst | 2 doc/dnssec-guide/recipes.rst | 4 doc/dnssec-guide/signing.rst | 19 doc/man/Makefile.in | 3 doc/man/arpaname.1in | 2 doc/man/conf.py | 1 doc/man/ddns-confgen.8in | 2 doc/man/delv.1in | 2 doc/man/dig.1in | 10 doc/man/dnssec-cds.8in | 2 doc/man/dnssec-checkds.8in | 2 doc/man/dnssec-coverage.8in | 2 doc/man/dnssec-dsfromkey.8in | 2 doc/man/dnssec-importkey.8in | 2 doc/man/dnssec-keyfromlabel.8in | 2 doc/man/dnssec-keygen.8in | 2 doc/man/dnssec-keymgr.8in | 2 doc/man/dnssec-revoke.8in | 2 doc/man/dnssec-settime.8in | 2 doc/man/dnssec-signzone.8in | 2 doc/man/dnssec-verify.8in | 2 doc/man/dnstap-read.1in | 2 doc/man/filter-aaaa.8in | 2 doc/man/host.1in | 2 doc/man/mdig.1in | 2 doc/man/named-checkconf.8in | 2 doc/man/named-checkzone.8in | 2 doc/man/named-compilezone.8in | 2 doc/man/named-journalprint.8in | 2 doc/man/named-nzd2nzf.8in | 2 doc/man/named-rrchecker.1in | 2 doc/man/named.8in | 18 doc/man/named.conf.5in | 15 doc/man/nsec3hash.8in | 2 doc/man/nslookup.1in | 2 doc/man/nsupdate.1in | 9 doc/man/pkcs11-destroy.8in | 2 doc/man/pkcs11-keygen.8in | 2 doc/man/pkcs11-list.8in | 2 doc/man/pkcs11-tokens.8in | 2 doc/man/rndc-confgen.8in | 2 doc/man/rndc.8in | 2 doc/man/rndc.conf.5in | 2 doc/man/tsig-keygen.8in | 2 doc/misc/master.zoneopt | 4 doc/misc/master.zoneopt.rst | 4 doc/misc/options | 15 doc/misc/options.active | 15 doc/misc/options.grammar.rst | 3 doc/misc/slave.zoneopt | 2 doc/misc/slave.zoneopt.rst | 2 doc/notes/notes-9.16.0.rst | 6 doc/notes/notes-9.16.1.rst | 3 doc/notes/notes-9.16.10.rst | 7 doc/notes/notes-9.16.11.rst | 7 doc/notes/notes-9.16.12.rst | 7 doc/notes/notes-9.16.13.rst | 7 doc/notes/notes-9.16.15.rst | 7 doc/notes/notes-9.16.16.rst | 7 doc/notes/notes-9.16.17.rst | 7 doc/notes/notes-9.16.18.rst | 7 doc/notes/notes-9.16.19.rst | 7 doc/notes/notes-9.16.2.rst | 5 doc/notes/notes-9.16.20.rst | 7 doc/notes/notes-9.16.21.rst | 7 doc/notes/notes-9.16.22.rst | 7 doc/notes/notes-9.16.23.rst | 7 doc/notes/notes-9.16.24.rst | 7 doc/notes/notes-9.16.25.rst | 7 doc/notes/notes-9.16.26.rst | 7 doc/notes/notes-9.16.27.rst | 7 doc/notes/notes-9.16.28.rst | 7 doc/notes/notes-9.16.29.rst | 7 doc/notes/notes-9.16.3.rst | 3 doc/notes/notes-9.16.30.rst | 7 doc/notes/notes-9.16.31.rst | 7 doc/notes/notes-9.16.32.rst | 7 doc/notes/notes-9.16.33.rst | 7 doc/notes/notes-9.16.34.rst | 46 doc/notes/notes-9.16.35.rst | 56 doc/notes/notes-9.16.36.rst | 49 doc/notes/notes-9.16.37.rst | 80 doc/notes/notes-9.16.4.rst | 13 doc/notes/notes-9.16.5.rst | 7 doc/notes/notes-9.16.6.rst | 7 doc/notes/notes-9.16.7.rst | 7 doc/notes/notes-9.16.8.rst | 7 doc/notes/notes-9.16.9.rst | 7 doc/notes/notes-known-issues.rst | 46 lib/bind9/check.c | 128 - lib/bind9/getaddresses.c | 3 lib/dns/adb.c | 21 lib/dns/badcache.c | 3 lib/dns/byaddr.c | 3 lib/dns/cache.c | 3 lib/dns/catz.c | 60 lib/dns/client.c | 8 lib/dns/compress.c | 12 lib/dns/db.c | 21 lib/dns/diff.c | 27 lib/dns/dispatch.c | 12 lib/dns/dnsrps.c | 6 lib/dns/dnssec.c | 57 lib/dns/dst_api.c | 6 lib/dns/dst_parse.c | 3 lib/dns/ecdb.c | 4 lib/dns/ecs.c | 3 lib/dns/forward.c | 32 lib/dns/gen.c | 4 lib/dns/hmac_link.c | 3 lib/dns/include/dns/db.h | 18 lib/dns/include/dns/rdataset.h | 5 lib/dns/include/dns/rdatasetiter.h | 1 lib/dns/include/dns/zone.h | 3 lib/dns/include/dns/zt.h | 2 lib/dns/journal.c | 32 lib/dns/key.c | 6 lib/dns/keymgr.c | 45 lib/dns/master.c | 48 lib/dns/masterdump.c | 35 lib/dns/message.c | 56 lib/dns/name.c | 9 lib/dns/ncache.c | 6 lib/dns/nsec.c | 8 lib/dns/nsec3.c | 25 lib/dns/openssl_link.c | 3 lib/dns/openssldh_link.c | 6 lib/dns/opensslecdsa_link.c | 3 lib/dns/openssleddsa_link.c | 6 lib/dns/opensslrsa_link.c | 32 lib/dns/order.c | 3 lib/dns/peer.c | 6 lib/dns/pkcs11rsa_link.c | 21 lib/dns/private.c | 15 lib/dns/rbt.c | 46 lib/dns/rbtdb.c | 339 ++- lib/dns/rcode.c | 3 lib/dns/rdata.c | 24 lib/dns/rdata/any_255/tsig_250.c | 3 lib/dns/rdata/generic/amtrelay_260.c | 3 lib/dns/rdata/generic/caa_257.c | 3 lib/dns/rdata/generic/isdn_20.c | 3 lib/dns/rdata/generic/key_25.c | 3 lib/dns/rdata/generic/loc_29.c | 15 lib/dns/rdata/generic/tkey_249.c | 3 lib/dns/rdata/generic/txt_16.c | 3 lib/dns/rdata/in_1/a_1.c | 3 lib/dns/rdata/in_1/aaaa_28.c | 3 lib/dns/rdata/in_1/svcb_64.c | 67 lib/dns/rdatalist.c | 18 lib/dns/rdataslab.c | 3 lib/dns/request.c | 3 lib/dns/resolver.c | 249 +- lib/dns/rootns.c | 8 lib/dns/rpz.c | 26 lib/dns/rriterator.c | 4 lib/dns/rrl.c | 18 lib/dns/sdb.c | 13 lib/dns/sdlz.c | 19 lib/dns/ssu.c | 36 lib/dns/stats.c | 15 lib/dns/tests/Krsa.+005+29235.key | 5 lib/dns/tests/Krsa.+008+29238.key | 5 lib/dns/tests/dbversion_test.c | 4 lib/dns/tests/dnstest.c | 3 lib/dns/tests/rdata_test.c | 40 lib/dns/tests/rsa_test.c | 37 lib/dns/tests/zt_test.c | 4 lib/dns/tkey.c | 3 lib/dns/tsig.c | 21 lib/dns/update.c | 22 lib/dns/validator.c | 45 lib/dns/view.c | 33 lib/dns/xfrin.c | 21 lib/dns/zone.c | 945 +++++----- lib/dns/zonekey.c | 3 lib/dns/zoneverify.c | 29 lib/dns/zt.c | 34 lib/irs/getaddrinfo.c | 18 lib/irs/getnameinfo.c | 9 lib/irs/win32/resconf.c | 3 lib/isc/app.c | 3 lib/isc/buffer.c | 120 - lib/isc/heap.c | 3 lib/isc/ht.c | 9 lib/isc/httpd.c | 9 lib/isc/include/isc/buffer.h | 124 - lib/isc/include/isc/list.h | 33 lib/isc/include/isc/string.h | 5 lib/isc/lex.c | 54 lib/isc/log.c | 27 lib/isc/mem.c | 27 lib/isc/netaddr.c | 3 lib/isc/netmgr/netmgr.c | 3 lib/isc/netmgr/tcp.c | 21 lib/isc/netmgr/tcpdns.c | 15 lib/isc/netmgr/udp.c | 15 lib/isc/pk11.c | 9 lib/isc/radix.c | 6 lib/isc/rwlock.c | 12 lib/isc/siphash.c | 10 lib/isc/string.c | 30 lib/isc/task.c | 12 lib/isc/tests/random_test.c | 3 lib/isc/tests/socket_test.c | 3 lib/isc/tests/task_test.c | 6 lib/isc/timer.c | 3 lib/isc/unix/file.c | 3 lib/isc/unix/socket.c | 51 lib/isc/url.c | 3 lib/isc/utf8.c | 3 lib/isc/win32/dir.c | 3 lib/isc/win32/file.c | 9 lib/isc/win32/fsaccess.c | 6 lib/isc/win32/include/isc/net.h | 6 lib/isc/win32/interfaceiter.c | 3 lib/isc/win32/libisc.def.in | 1 lib/isc/win32/net.c | 9 lib/isc/win32/ntgroups.c | 6 lib/isc/win32/socket.c | 21 lib/isccc/alist.c | 3 lib/isccc/cc.c | 6 lib/isccc/symtab.c | 12 lib/isccfg/aclconf.c | 15 lib/isccfg/include/isccfg/grammar.h | 2 lib/isccfg/namedconf.c | 41 lib/isccfg/parser.c | 122 - lib/isccfg/tests/duration_test.c | 109 - lib/ns/client.c | 19 lib/ns/hooks.c | 3 lib/ns/include/ns/client.h | 10 lib/ns/include/ns/server.h | 1 lib/ns/include/ns/stats.h | 4 lib/ns/interfacemgr.c | 19 lib/ns/query.c | 233 +- lib/ns/server.c | 2 lib/ns/sortlist.c | 6 lib/ns/tests/nstest.c | 3 lib/ns/update.c | 458 ++-- lib/ns/win32/libns.def | 1 lib/ns/xfrout.c | 6 srcid | 2 version | 2 654 files changed, 12218 insertions(+), 7993 deletions(-) diff -Nru bind9-9.16.33/.gitlab-ci.yml bind9-9.16.37/.gitlab-ci.yml --- bind9-9.16.33/.gitlab-ci.yml 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/.gitlab-ci.yml 2023-01-12 22:45:02.000000000 +0000 @@ -16,7 +16,7 @@ TEST_PARALLEL_JOBS: 6 CONFIGURE: ./configure - CLANG_VERSION: 14 + CLANG_VERSION: 15 CLANG: "clang-${CLANG_VERSION}" SCAN_BUILD: "scan-build-${CLANG_VERSION}" ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" @@ -27,6 +27,7 @@ # Pass run-time flags to AddressSanitizer to get core dumps on error. ASAN_OPTIONS: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1 TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan" + UBSAN_OPTIONS: "halt_on_error=1:abort_on_error=1:disable_coredump=0" TARBALL_COMPRESSOR: xz TARBALL_EXTENSION: xz @@ -114,6 +115,10 @@ image: "$CI_REGISTRY_IMAGE:oraclelinux-8-amd64" <<: *linux_amd64 +.oraclelinux-9-amd64: &oraclelinux_9_amd64_image + image: "$CI_REGISTRY_IMAGE:oraclelinux-9-amd64" + <<: *linux_amd64 + # Debian .debian-buster-amd64: &debian_buster_amd64_image @@ -140,12 +145,12 @@ # Fedora -.fedora-35-amd64: &fedora_35_amd64_image - image: "$CI_REGISTRY_IMAGE:fedora-35-amd64" +.fedora-37-amd64: &fedora_37_amd64_image + image: "$CI_REGISTRY_IMAGE:fedora-37-amd64" <<: *linux_amd64 -.fedora-35-arm64: &fedora_35_arm64_image - image: "$CI_REGISTRY_IMAGE:fedora-35-arm64" +.fedora-37-arm64: &fedora_37_arm64_image + image: "$CI_REGISTRY_IMAGE:fedora-37-arm64" <<: *linux_stress_arm64 # Ubuntu @@ -185,7 +190,7 @@ <<: *libvirt_amd64 .openbsd-amd64: &openbsd_amd64_image - image: "openbsd-7.1-x86_64" + image: "openbsd-7.2-x86_64" <<: *libvirt_amd64 ### Job Templates @@ -244,6 +249,9 @@ $EXTRA_CONFIGURE || (test -s config.log && cat config.log; exit 1) +.parse_tsan: &parse_tsan + - find -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; + .build: &build_job <<: *default_triggering_rules stage: build @@ -255,7 +263,9 @@ - test -n "${SKIP_MAKE_DEPEND}" || make -j${BUILD_PARALLEL_JOBS:-1} depend 2>&1 | tee make-depend.log - test -n "${SKIP_MAKE_DEPEND}" || ( ! grep -F "error:" make-depend.log ) - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 + - test -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}"; done - test -z "${RUN_MAKE_INSTALL}" || make DESTDIR="${INSTALL_PATH}" install + - test -z "${RUN_MAKE_INSTALL}" -o -z "${BUILD_CONTRIB}" || for DIR in contrib/dlz/modules/*; do test -f "${DIR}/Makefile" && make -C "${DIR}" DESTDIR="${INSTALL_PATH}" install; done - test -z "${RUN_MAKE_INSTALL}" || DESTDIR="${INSTALL_PATH}" sh util/check-make-install - if [[ "${CFLAGS}" == *"-fsanitize=address"* ]]; then ( ! grep -F AddressSanitizer config.log ); fi - test -z "${CROSS_COMPILATION}" || grep -F -A 1 "checking whether we are cross compiling" config.log | grep -q "result.*yes" @@ -315,6 +325,7 @@ - ( cd bin/tests/system && make -j${TEST_PARALLEL_JOBS:-1} -k test V=1 ) - test -s bin/tests/system/systests.output - if git rev-parse > /dev/null 2>&1; then ( ! grep "^I:.*:file.*not removed$" bin/tests/system/systests.output ); fi + - '( ! grep -F "grep: warning:" bin/tests/system/systests.output )' .system_test: &system_test_job <<: *system_test_common @@ -333,7 +344,7 @@ .system_test_tsan: &system_test_tsan_job <<: *system_test_common after_script: - - find bin -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; + - *parse_tsan artifacts: expire_in: "1 day" untracked: true @@ -392,16 +403,10 @@ <<: *unit_test_common after_script: - *kyua_report_html - - for f in tsan.* ; do test -f "$f" && python3 util/parse_tsan.py "$f" ; done - - find lib -name 'tsan.*' -exec python3 util/parse_tsan.py {} \; + - *parse_tsan artifacts: + untracked: true expire_in: "1 day" - paths: - - lib/*/tests/tsan.* - - tsan/ - - kyua.log - - kyua.results - - kyua_html/ when: on_failure .respdiff: &respdiff_job @@ -522,6 +527,12 @@ # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') +checkbashisms: + <<: *precheck_job + needs: [] + script: + - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print | sed -e '/^\.\/install-sh$/d') + tarball-create: stage: precheck <<: *base_image @@ -566,6 +577,7 @@ - doc/arm/ - doc/man/ - doc/misc/ + when: always # Jobs for regular GCC builds on Alpine Linux 3.16 (amd64) @@ -595,7 +607,8 @@ gcc:oraclelinux7:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON}" + # -Wno-address suppresses isc_buffer macro warnings + CFLAGS: "${CFLAGS_COMMON} -Wno-address" EXTRA_CONFIGURE: "--with-libidn2" <<: *oraclelinux_7_amd64_image <<: *build_job @@ -638,6 +651,30 @@ - job: gcc:oraclelinux8:amd64 artifacts: true +# Jobs for regular GCC builds on Oracle Linux 9 (amd64) + +gcc:oraclelinux9:amd64: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + <<: *oraclelinux_9_amd64_image + <<: *build_job + +system:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image + <<: *system_test_job + needs: + - job: gcc:oraclelinux9:amd64 + artifacts: true + +unit:gcc:oraclelinux9:amd64: + <<: *oraclelinux_9_amd64_image + <<: *unit_test_job + needs: + - job: gcc:oraclelinux9:amd64 + artifacts: true + # Jobs for regular GCC builds on Debian 10 "buster" (amd64) gcc:buster:amd64: @@ -670,10 +707,12 @@ gcc:bullseye:amd64: variables: + BUILD_CONTRIB: 1 CC: gcc CFLAGS: "${CFLAGS_COMMON} --coverage -O0" EXTRA_CONFIGURE: "--with-libidn2" LDFLAGS: "--coverage" + RUN_MAKE_INSTALL: 1 <<: *debian_bullseye_amd64_image <<: *build_job @@ -946,7 +985,7 @@ - job: gcc:jammy:amd64 artifacts: true -# Jobs for ASAN builds on Fedora 35 (amd64) +# Jobs for ASAN builds on Fedora 37 (amd64) gcc:asan: variables: @@ -954,18 +993,18 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=address,undefined" EXTRA_CONFIGURE: "--with-libidn2" - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *build_job system:gcc:asan: - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *system_test_job needs: - job: gcc:asan artifacts: true unit:gcc:asan: - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *unit_test_job needs: - job: gcc:asan @@ -994,7 +1033,7 @@ - job: clang:asan artifacts: true -# Jobs for TSAN builds on Fedora 35 (amd64) +# Jobs for TSAN builds on Fedora 37 (amd64) gcc:tsan: variables: @@ -1002,13 +1041,13 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *build_job system:gcc:tsan: variables: TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *system_test_tsan_job needs: - job: gcc:tsan @@ -1017,7 +1056,7 @@ unit:gcc:tsan: variables: TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" - <<: *fedora_35_amd64_image + <<: *fedora_37_amd64_image <<: *unit_test_tsan_job needs: - job: gcc:tsan @@ -1051,12 +1090,16 @@ artifacts: true # Jobs for Clang builds on Debian 11 "bullseye" (amd64) +# The -Wno-compound-token-split-by-macro option prevents warning when compiling +# Perl DLZ module with Clang against Perl older than version 5.35.2. clang:bullseye:amd64: variables: + BUILD_CONTRIB: 1 CC: ${CLANG} - CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion" + CFLAGS: "${CFLAGS_COMMON} -Wenum-conversion -Wno-compound-token-split-by-macro" EXTRA_CONFIGURE: "--with-python=python3" + RUN_MAKE_INSTALL: 1 <<: *debian_bullseye_amd64_image <<: *build_job @@ -1085,6 +1128,8 @@ <<: *build_job system:gcc:softhsm2.6: + variables: + DISABLE_ALGORITHM_SUPPORT_CHECKING: 1 <<: *debian_bullseye_amd64_image <<: *system_test_job needs: @@ -1343,6 +1388,34 @@ script: - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" +respdiff-short:asan: + <<: *respdiff_job + <<: *default_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=address,undefined" + MAX_DISAGREEMENTS_PERCENTAGE: "0.1" + script: + - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + allow_failure: true + +respdiff-short:tsan: + <<: *respdiff_job + <<: *default_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=thread" + EXTRA_CONFIGURE: "--enable-pthread-rwlock" + MAX_DISAGREEMENTS_PERCENTAGE: "0.1" + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" + script: + - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + after_script: + - *parse_tsan + allow_failure: true + respdiff-long: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules @@ -1353,6 +1426,34 @@ script: - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" +respdiff-long:asan: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=address,undefined" + MAX_DISAGREEMENTS_PERCENTAGE: "0.1" + script: + - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + allow_failure: true + +respdiff-long:tsan: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" + LDFLAGS: "-fsanitize=thread" + EXTRA_CONFIGURE: "--enable-pthread-rwlock" + MAX_DISAGREEMENTS_PERCENTAGE: "0.1" + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" + script: + - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + after_script: + - *parse_tsan + allow_failure: true + respdiff-long-third-party: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules @@ -1385,8 +1486,8 @@ when: always timeout: 2h -stress:authoritative:fedora:35:amd64: - <<: *fedora_35_amd64_image +stress:authoritative:fedora:37:amd64: + <<: *fedora_37_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: @@ -1399,8 +1500,8 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:recursive:fedora:35:amd64: - <<: *fedora_35_amd64_image +stress:recursive:fedora:37:amd64: + <<: *fedora_37_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: @@ -1413,8 +1514,8 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:rpz:fedora:35:amd64: - <<: *fedora_35_amd64_image +stress:rpz:fedora:37:amd64: + <<: *fedora_37_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: @@ -1427,8 +1528,8 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:authoritative:fedora:35:arm64: - <<: *fedora_35_arm64_image +stress:authoritative:fedora:37:arm64: + <<: *fedora_37_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: @@ -1441,8 +1542,8 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:recursive:fedora:35:arm64: - <<: *fedora_35_arm64_image +stress:recursive:fedora:37:arm64: + <<: *fedora_37_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: @@ -1455,8 +1556,8 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:rpz:fedora:35:arm64: - <<: *fedora_35_arm64_image +stress:rpz:fedora:37:arm64: + <<: *fedora_37_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: @@ -1528,13 +1629,15 @@ - find lib/dns/rdata/* -name "*.c" -execdir cp -f "{}" ../../ \; # These drivers are built into bin/named/named in a way which trips up # gcovr. Copy them to where gcovr expects them. - - cp contrib/dlz/drivers/dlz_drivers.c contrib/dlz/drivers/dlz_filesystem_driver.c contrib/dlz/drivers/sdlz_helper.c bin/named/ + - cp contrib/dlz/drivers/{dlz_drivers,dlz_filesystem_driver,sdlz_helper}.c bin/named/ + # Help gcovr find dlz_dbi.c file + - for DST in ldap mysql mysqldyn sqlite3 wildcard; do cp contrib/dlz/modules/common/dlz_dbi.c "contrib/dlz/modules/${DST}"; done # Generate XML file in the Cobertura XML format suitable for use by GitLab # for the purpose of displaying code coverage information in the diff view # of a given merge request. - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --xml -o coverage.xml - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --html-details -o coverage.html - - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' -o coverage.txt + - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --xml -o coverage.xml + - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' --html-details -o coverage.html + - gcovr --root . --exclude-directories bin/tests --exclude-directories doc --exclude-directories fuzz --exclude-directories libltdl --exclude-directories lib/samples --exclude 'lib/.*/tests/.*' -o coverage.txt - tail -n 3 coverage.txt artifacts: paths: diff -Nru bind9-9.16.33/CHANGES bind9-9.16.37/CHANGES --- bind9-9.16.33/CHANGES 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/CHANGES 2023-01-12 22:45:02.000000000 +0000 @@ -1,3 +1,149 @@ + --- 9.16.37 released --- + +6067. [security] Fix serve-stale crash when recursive clients soft quota + is reached. (CVE-2022-3924) [GL #3619] + +6066. [security] Handle RRSIG lookups when serve-stale is active. + (CVE-2022-3736) [GL #3622] + +6064. [security] An UPDATE message flood could cause named to exhaust all + available memory. This flaw was addressed by adding a + new "update-quota" statement that controls the number of + simultaneous UPDATE messages that can be processed or + forwarded. The default is 100. A stats counter has been + added to record events when the update quota is + exceeded, and the XML and JSON statistics version + numbers have been updated. (CVE-2022-3094) [GL #3523] + +6062. [func] The DSCP implementation, which has only been + partly operational since 9.16.0, is now marked as + deprecated. Configuring DSCP values in named.conf + will cause a warning will be logged. [GL #3773] + +6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() + by detaching from the zone manager outside of the write + lock. [GL #3768] + +6059. [bug] In some serve stale scenarios, like when following an + expired CNAME record, named could return SERVFAIL if the + previous request wasn't successful. Consider non-stale + data when in serve-stale mode. [GL #3678] + +6058. [bug] Prevent named from crashing when "rndc delzone" + attempts to delete a zone added by a catalog zone. + [GL #3745] + +6050. [bug] Changes to the RPZ response-policy min-update-interval + and add-soa options now take effect as expected when + named is reconfigured. [GL #3740] + +6048. [bug] Fix a log message error in dns_catz_update_from_db(), + where serials with values of 2^31 or larger were logged + incorrectly as negative numbers. [GL #3742] + +6045. [cleanup] The list of supported DNSSEC algorithms changed log + level from "warning" to "notice" to match named's other + startup messages. [GL !7217] + +6044. [bug] There was an "RSASHA236" typo in a log message. + [GL !7206] + + --- 9.16.36 released --- + +6043. [bug] The key file IO locks objects would never get + deleted from the hashtable due to off-by-one error. + [GL #3727] + +6042. [bug] ANY responses could sometimes have the wrong TTL. + [GL #3613] + +6040. [bug] Speed up the named shutdown time by explicitly + canceling all recursing ns_client objects for + each ns_clientmgr. [GL #3183] + +6039. [bug] Removing a catalog zone from catalog-zones without + also removing the referenced zone could leave a + dangling pointer. [GL #3683] + +6031. [bug] Move the "final reference detached" log message + from dns_zone unit to the DEBUG(1) log level. + [GL #3707] + +6024. [func] Deprecate 'auto-dnssec'. [GL #3667] + +6021. [bug] Use the current domain name when checking answers from + a dual-stack-server. [GL #3607] + +6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard + option when loading a zone. [GL #1905] + +6017. [bug] The view's zone table was not locked when it should + have been leading to race conditions when external + extensions that manipulate the zone table where in + use. [GL #3468] + + --- 9.16.35 released --- + +6013. [bug] Fix a crash that could happen when you change + a dnssec-policy zone with NSEC3 to start using + inline-signing. [GL #3591] + +6009. [bug] Don't trust a placeholder KEYDATA from the managed-keys + zone by adding it into secroots. [GL #2895] + +6008. [bug] Fixed a race condition that could cause a crash + in dns_zone_synckeyzone(). [GL #3617] + +6002. [bug] Fix a resolver prefetch bug when the record's TTL value + is equal to the configured prefetch eligibility value, + but the record was erroneously not treated as eligible + for prefetching. [GL #3603] + +6001. [bug] Always call dns_adb_endudpfetch() after calling + dns_adb_beginudpfetch() for UDP queries in resolver.c, + in order to adjust back the quota. [GL #3598] + +6000. [bug] Fix a startup issue on Solaris systems with many + (reportedly > 510) CPUs. Thanks to Stacey Marshall from + Oracle for deep investigation of the problem. [GL #3563] + +5999. [bug] rpz-ip rules could be ineffective in some scenarios + with CD=1 queries. [GL #3247] + +5998. [bug] The RecursClients statistics counter could overflow + in certain resolution scenarios. [GL #3584] + +5996. [bug] Fix a couple of bugs in cfg_print_duration(), which + could result in generating incomplete duration values + when printing the configuration using named-checkconf. + [GL !6880] + + --- 9.16.34 released --- + +5991. [protocol] Add support for parsing and validating "dohpath" to + SVCB. [GL #3544] + +5988. [bug] Some out of memory conditions in opensslrsa_link.c + could lead to memory leaks. [GL #3551] + +5984. [func] 'named -V' now reports the list of supported + DNSSEC/DS/HMAC algorithms and the supported TKEY modes. + [GL #3541] + +5983. [bug] Changing just the TSIG key names for primaries in + catalog zones' member zones was not effective. + [GL #3557] + +5973. [bug] Fixed a possible invalid detach in UPDATE + processing. [GL #3522] + +5963. [bug] Ensure struct named_server is properly initialized. + [GL #6531] + +5921. [test] Convert system tests to use a default DNSKEY algorithm + where the test is not DNSKEY algorithm specific. + [GL #3440] + --- 9.16.33 released --- 5962. [security] Fix memory leak in EdDSA verify processing. diff -Nru bind9-9.16.33/COPYRIGHT bind9-9.16.37/COPYRIGHT --- bind9-9.16.33/COPYRIGHT 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/COPYRIGHT 2023-01-12 22:45:02.000000000 +0000 @@ -1,4 +1,4 @@ -Copyright (C) 1996-2022 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2023 Internet Systems Consortium, Inc. ("ISC") This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this diff -Nru bind9-9.16.33/bin/check/check-tool.c bind9-9.16.37/bin/check/check-tool.c --- bind9-9.16.33/bin/check/check-tool.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/check/check-tool.c 2023-01-12 22:45:02.000000000 +0000 @@ -209,7 +209,8 @@ */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && @@ -411,7 +412,8 @@ */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && @@ -497,7 +499,8 @@ */ cur = ai; while (cur != NULL && cur->ai_canonname == NULL && - cur->ai_next != NULL) { + cur->ai_next != NULL) + { cur = cur->ai_next; } if (cur != NULL && cur->ai_canonname != NULL && @@ -607,7 +610,7 @@ } CHECK(result); - CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsiter)); + CHECK(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter)); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) diff -Nru bind9-9.16.33/bin/check/named-checkconf.c bind9-9.16.37/bin/check/named-checkconf.c --- bind9-9.16.33/bin/check/named-checkconf.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/check/named-checkconf.c 2023-01-12 22:45:02.000000000 +0000 @@ -404,6 +404,17 @@ } obj = NULL; + if (get_maps(maps, "check-wildcard", &obj)) { + if (cfg_obj_asboolean(obj)) { + zone_options |= DNS_ZONEOPT_CHECKWILDCARD; + } else { + zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD; + } + } else { + zone_options |= DNS_ZONEOPT_CHECKWILDCARD; + } + + obj = NULL; if (get_checknames(maps, &obj)) { if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) { zone_options |= DNS_ZONEOPT_CHECKNAMES; diff -Nru bind9-9.16.33/bin/check/named-checkzone.c bind9-9.16.37/bin/check/named-checkzone.c --- bind9-9.16.33/bin/check/named-checkzone.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/check/named-checkzone.c 2023-01-12 22:45:02.000000000 +0000 @@ -473,7 +473,8 @@ outputformat = dns_masterformat_raw; rawversion = strtol(outputformatstr + 4, &end, 10); if (end == outputformatstr + 4 || *end != '\0' || - rawversion > 1U) { + rawversion > 1U) + { fprintf(stderr, "unknown raw format version\n"); exit(1); } diff -Nru bind9-9.16.33/bin/confgen/ddns-confgen.c bind9-9.16.37/bin/confgen/ddns-confgen.c --- bind9-9.16.33/bin/confgen/ddns-confgen.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/confgen/ddns-confgen.c 2023-01-12 22:45:02.000000000 +0000 @@ -137,7 +137,8 @@ isc_commandline_errprint = false; while ((ch = isc_commandline_parse(argc, argv, "a:hk:Mmr:qs:y:z:")) != - -1) { + -1) + { switch (ch) { case 'a': algname = isc_commandline_argument; diff -Nru bind9-9.16.33/bin/delv/delv.c bind9-9.16.37/bin/delv/delv.c --- bind9-9.16.33/bin/delv/delv.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/delv/delv.c 2023-01-12 22:45:02.000000000 +0000 @@ -458,7 +458,8 @@ result = dns_rdataset_next(rdataset)) { if ((rdataset->attributes & - DNS_RDATASETATTR_NEGATIVE) != 0) { + DNS_RDATASETATTR_NEGATIVE) != 0) + { continue; } @@ -482,7 +483,8 @@ } else { dns_indent_t indent = { " ", 2 }; if (!yaml && (rdataset->attributes & - DNS_RDATASETATTR_NEGATIVE) != 0) { + DNS_RDATASETATTR_NEGATIVE) != 0) + { isc_buffer_putstr(&target, "; "); } result = dns_master_rdatasettotext( @@ -784,7 +786,8 @@ keylist = cfg_listelt_value(elt); for (elt2 = cfg_list_first(keylist); elt2 != NULL; - elt2 = cfg_list_next(elt2)) { + elt2 = cfg_list_next(elt2)) + { key = cfg_listelt_value(elt2); CHECK(key_fromconfig(key, client)); } @@ -950,7 +953,8 @@ result = ISC_R_SUCCESS; for (cur = res; cur != NULL; cur = cur->ai_next) { if (cur->ai_family != AF_INET && - cur->ai_family != AF_INET6) { + cur->ai_family != AF_INET6) + { continue; } sa = isc_mem_get(mctx, sizeof(*sa)); @@ -1450,7 +1454,8 @@ warn("extra query type"); } if (rdtype == dns_rdatatype_ixfr || - rdtype == dns_rdatatype_axfr) { + rdtype == dns_rdatatype_axfr) + { fatal("Transfer not supported"); } qtype = rdtype; @@ -1529,7 +1534,8 @@ /* Look for dash value option. */ if (strpbrk(option, dash_opts) != &option[0] || - strlen(option) > 1U) { + strlen(option) > 1U) + { /* Error or value in option. */ continue; } @@ -1567,13 +1573,15 @@ } else if (argv[0][0] == '-') { if (argc <= 1) { if (dash_option(&argv[0][1], NULL, - &open_type_class)) { + &open_type_class)) + { argc--; argv++; } } else { if (dash_option(&argv[0][1], argv[1], - &open_type_class)) { + &open_type_class)) + { argc--; argv++; } @@ -1592,7 +1600,8 @@ warn("extra query type"); } if (rdtype == dns_rdatatype_ixfr || - rdtype == dns_rdatatype_axfr) { + rdtype == dns_rdatatype_axfr) + { fatal("Transfer not supported"); } qtype = rdtype; diff -Nru bind9-9.16.33/bin/dig/dig.c bind9-9.16.37/bin/dig/dig.c --- bind9-9.16.33/bin/dig/dig.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dig/dig.c 2023-01-12 22:45:02.000000000 +0000 @@ -514,7 +514,7 @@ static bool isdotlocal(dns_message_t *msg) { isc_result_t result; - static unsigned char local_ndata[] = { "\005local\0" }; + static unsigned char local_ndata[] = { "\005local" }; static unsigned char local_offsets[] = { 0, 6 }; static dns_name_t local = DNS_NAME_INITABSOLUTE(local_ndata, local_offsets); @@ -622,7 +622,8 @@ flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS; } if (query->lookup->onesoa && - query->lookup->rdtype == dns_rdatatype_axfr) { + query->lookup->rdtype == dns_rdatatype_axfr) + { flags |= (query->msg_count == 0) ? DNS_MESSAGETEXTFLAG_ONESOA : DNS_MESSAGETEXTFLAG_OMITSOA; } @@ -1459,7 +1460,8 @@ } for (num = 0; num < sizeof(opcodetext) / sizeof(opcodetext[0]); - num++) { + num++) + { if (strcasecmp(opcodetext[num], value) == 0) { break; } @@ -2034,7 +2036,8 @@ result = dns_rdatatype_fromtext( &rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) { + rdtype == dns_rdatatype_ixfr) + { result = DNS_R_UNKNOWN; } } @@ -2107,7 +2110,8 @@ } *need_clone = true; if (get_reverse(textname, sizeof(textname), value, false) == - ISC_R_SUCCESS) { + ISC_R_SUCCESS) + { strlcpy((*lookup)->textname, textname, sizeof((*lookup)->textname)); debug("looking up %s", (*lookup)->textname); @@ -2289,7 +2293,8 @@ } if (batchfp != NULL) { while (fgets(batchline, sizeof(batchline), batchfp) != - 0) { + 0) + { debug("config line %s", batchline); bargc = split_batchline(batchline, bargv, 62, ".digrc argv"); @@ -2380,7 +2385,8 @@ &rdtype, (isc_textregion_t *)&tr); if (result == ISC_R_SUCCESS && - rdtype == dns_rdatatype_ixfr) { + rdtype == dns_rdatatype_ixfr) + { fprintf(stderr, ";; Warning, " "ixfr requires " "a " @@ -2420,7 +2426,8 @@ lookup->rdtype = rdtype; lookup->rdtypeset = true; if (rdtype == - dns_rdatatype_axfr) { + dns_rdatatype_axfr) + { lookup->section_question = plusquest; lookup->comments = @@ -2428,7 +2435,8 @@ } if (rdtype == dns_rdatatype_any && - !lookup->tcp_mode_set) { + !lookup->tcp_mode_set) + { lookup->tcp_mode = true; } lookup->ixfr_serial = false; diff -Nru bind9-9.16.33/bin/dig/dig.rst bind9-9.16.37/bin/dig/dig.rst --- bind9-9.16.33/bin/dig/dig.rst 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dig/dig.rst 2023-01-12 22:45:02.000000000 +0000 @@ -495,9 +495,11 @@ ``+notcflag``. This bit is ignored by the server for QUERY. ``+[no]tcp`` - This option uses [or does not use] TCP when querying name servers. The default behavior - is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested, - in which case the default is TCP. AXFR queries always use TCP. + This option uses [or does not use] TCP when querying name servers. + The default behavior is to use UDP unless a type ``any`` or + ``ixfr=N`` query is requested, in which case the default is TCP. + AXFR queries always use TCP. To prevent retry over TCP when TC=1 + is returned from a UDP query, use ``+ignore``. ``+timeout=T`` This option sets the timeout for a query to ``T`` seconds. The default timeout is diff -Nru bind9-9.16.33/bin/dig/dighost.c bind9-9.16.37/bin/dig/dighost.c --- bind9-9.16.33/bin/dig/dighost.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dig/dighost.c 2023-01-12 22:45:02.000000000 +0000 @@ -516,7 +516,8 @@ debug("get_server_list()"); servers = irs_resconf_getnameservers(resconf); for (sa = ISC_LIST_HEAD(*servers); sa != NULL; - sa = ISC_LIST_NEXT(sa, link)) { + sa = ISC_LIST_NEXT(sa, link)) + { int pf = isc_sockaddr_pf(sa); isc_netaddr_t na; isc_result_t result; @@ -1561,7 +1562,8 @@ debug("check_if_done()"); debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full"); if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL && - sendcount == 0) { + sendcount == 0) + { INSIST(sockcount == 0); INSIST(recvcount == 0); debug("shutting down"); @@ -1844,7 +1846,8 @@ dns_rdata_ns_t ns; if (query->lookup->trace_root && - query->lookup->nsfound >= MXSERV) { + query->lookup->nsfound >= MXSERV) + { break; } @@ -1865,7 +1868,8 @@ cancel_lookup(query->lookup); lookup->doing_xfr = false; if (!lookup->trace_root && - section == DNS_SECTION_ANSWER) { + section == DNS_SECTION_ANSWER) + { lookup->trace = false; } else { lookup->trace = query->lookup->trace; @@ -2621,7 +2625,8 @@ l = query->lookup; if (l == current_lookup && l->ns_search_only && !l->trace_root && - !l->tcp_mode) { + !l->tcp_mode) + { debug("sending next, since searching"); next = query->pending_free ? query->saved_next : ISC_LIST_NEXT(query, link); @@ -3327,7 +3332,8 @@ isc_event_free(&event); l = query->lookup; if ((l->current_query != NULL) && - (ISC_LINK_LINKED(l->current_query, link))) { + (ISC_LINK_LINKED(l->current_query, link))) + { next = ISC_LIST_NEXT(l->current_query, link); } else { next = NULL; @@ -3414,13 +3420,15 @@ * it's an SOA */ if ((!query->first_soa_rcvd) && - (rdata.type != dns_rdatatype_soa)) { + (rdata.type != dns_rdatatype_soa)) + { puts("; Transfer failed. " "Didn't start with SOA answer."); return (true); } if ((!query->second_rr_rcvd) && - (rdata.type != dns_rdatatype_soa)) { + (rdata.type != dns_rdatatype_soa)) + { query->second_rr_rcvd = true; query->second_rr_serial = 0; debug("got the second rr as nonsoa"); @@ -3920,7 +3928,8 @@ return; } if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 && !l->ignore && - !l->tcp_mode) { + !l->tcp_mode) + { if (l->cookie == NULL && l->sendcookie && msg->opt != NULL) { process_opt(l, msg); } @@ -3985,7 +3994,8 @@ * through to print the message. */ if ((ISC_LIST_HEAD(l->q) != query) || - (ISC_LIST_NEXT(query, link) != NULL)) { + (ISC_LIST_NEXT(query, link) != NULL)) + { dighost_comments(l, "Got %s from %s, trying next " "server", @@ -4068,7 +4078,8 @@ } if (!l->doing_xfr || l->xfr_q == query) { if (msg->rcode == dns_rcode_nxdomain && - (l->origin != NULL || l->need_search)) { + (l->origin != NULL || l->need_search)) + { if (!next_origin(query->lookup) || showsearch) { dighost_printmessage(query, &b, msg, true); dighost_received(isc_buffer_usedlength(&b), @@ -4153,7 +4164,8 @@ query->lookup->pending = false; } if (!query->lookup->ns_search_only || - query->lookup->trace_root || docancel) { + query->lookup->trace_root || docancel) + { dns_message_detach(&msg); cancel_lookup(l); } @@ -4305,7 +4317,8 @@ } } for (q = ISC_LIST_HEAD(current_lookup->connecting); q != NULL; - q = nq) { + q = nq) + { nq = ISC_LIST_NEXT(q, clink); debug("canceling connecting query %p, belonging to %p", q, current_lookup); diff -Nru bind9-9.16.33/bin/dig/host.c bind9-9.16.37/bin/dig/host.c --- bind9-9.16.33/bin/dig/host.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dig/host.c 2023-01-12 22:45:02.000000000 +0000 @@ -530,7 +530,8 @@ } if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) && - !short_form) { + !short_form) + { printf("\n"); result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY", true, query); @@ -539,7 +540,8 @@ } } if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) && - !short_form) { + !short_form) + { printf("\n"); result = printsection(msg, DNS_SECTION_ADDITIONAL, "ADDITIONAL", true, query); @@ -593,10 +595,12 @@ { isc_mem_debugging |= ISC_MEM_DEBUGTRACE; } else if (strcasecmp("record", - isc_commandline_argument) == 0) { + isc_commandline_argument) == 0) + { isc_mem_debugging |= ISC_MEM_DEBUGRECORD; } else if (strcasecmp("usage", - isc_commandline_argument) == 0) { + isc_commandline_argument) == 0) + { isc_mem_debugging |= ISC_MEM_DEBUGUSAGE; } break; @@ -707,7 +711,8 @@ break; case 't': if (strncasecmp(isc_commandline_argument, "ixfr=", 5) == - 0) { + 0) + { rdtype = dns_rdatatype_ixfr; /* XXXMPA add error checking */ serial = strtoul(isc_commandline_argument + 5, @@ -726,7 +731,8 @@ isc_commandline_argument); } if (!lookup->rdtypeset || - lookup->rdtype != dns_rdatatype_axfr) { + lookup->rdtype != dns_rdatatype_axfr) + { lookup->rdtype = rdtype; } lookup->rdtypeset = true; @@ -770,7 +776,8 @@ FALLTHROUGH; case 'a': if (!lookup->rdtypeset || - lookup->rdtype != dns_rdatatype_axfr) { + lookup->rdtype != dns_rdatatype_axfr) + { lookup->rdtype = dns_rdatatype_any; } list_type = dns_rdatatype_any; diff -Nru bind9-9.16.33/bin/dnssec/dnssec-cds.c bind9-9.16.37/bin/dnssec/dnssec-cds.c --- bind9-9.16.33/bin/dnssec/dnssec-cds.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-cds.c 2023-01-12 22:45:02.000000000 +0000 @@ -637,7 +637,8 @@ NULL); if (result != ISC_R_SUCCESS && - result != DNS_R_FROMWILDCARD) { + result != DNS_R_FROMWILDCARD) + { vbprintf(1, "skip RRSIG by key %d:" " verification failed: %s\n", @@ -1097,7 +1098,8 @@ * so that it works just like sed(1). */ if (isc_commandline_argument == - argv[isc_commandline_index - 1]) { + argv[isc_commandline_index - 1]) + { isc_commandline_index--; inplace = ""; } else { @@ -1189,7 +1191,8 @@ fatal("missing RRSIG CDNSKEY records for %s", namestr); } if (dns_rdataset_isassociated(&cds_set) && - !dns_rdataset_isassociated(&cds_sig)) { + !dns_rdataset_isassociated(&cds_sig)) + { fatal("missing RRSIG CDS records for %s", namestr); } @@ -1211,7 +1214,8 @@ if (dns_rdataset_isassociated(&cdnskey_set)) { vbprintf(1, "verify CDNSKEY signature(s)\n"); if (!signed_loose(matching_sigs(old_key_tbl, &cdnskey_set, - &cdnskey_sig))) { + &cdnskey_sig))) + { fatal("could not validate child CDNSKEY RRset for %s", namestr); } @@ -1219,7 +1223,8 @@ if (dns_rdataset_isassociated(&cds_set)) { vbprintf(1, "verify CDS signature(s)\n"); if (!signed_loose( - matching_sigs(old_key_tbl, &cds_set, &cds_sig))) { + matching_sigs(old_key_tbl, &cds_set, &cds_sig))) + { fatal("could not validate child CDS RRset for %s", namestr); } diff -Nru bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.c bind9-9.16.37/bin/dnssec/dnssec-keyfromlabel.c --- bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-keyfromlabel.c 2023-01-12 22:45:02.000000000 +0000 @@ -576,7 +576,8 @@ flags |= DNS_KEYOWNER_ZONE; } else if ((options & DST_TYPE_KEY) != 0) { /* KEY */ if (strcasecmp(nametype, "host") == 0 || - strcasecmp(nametype, "entity") == 0) { + strcasecmp(nametype, "entity") == 0) + { flags |= DNS_KEYOWNER_ENTITY; } else if (strcasecmp(nametype, "user") == 0) { flags |= DNS_KEYOWNER_USER; @@ -603,7 +604,8 @@ if (protocol == -1) { protocol = DNS_KEYPROTO_DNSSEC; } else if ((options & DST_TYPE_KEY) == 0 && - protocol != DNS_KEYPROTO_DNSSEC) { + protocol != DNS_KEYPROTO_DNSSEC) + { fatal("invalid DNSKEY protocol: %d", protocol); } diff -Nru bind9-9.16.33/bin/dnssec/dnssec-keygen.c bind9-9.16.37/bin/dnssec/dnssec-keygen.c --- bind9-9.16.33/bin/dnssec/dnssec-keygen.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-keygen.c 2023-01-12 22:45:02.000000000 +0000 @@ -266,7 +266,8 @@ cfg_obj_t *kconfig = cfg_listelt_value(element); kasp = NULL; if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")), - name) != 0) { + name) != 0) + { continue; } @@ -403,7 +404,8 @@ if (!ctx->oldstyle && ctx->prepub > 0) { if (ctx->setpub && ctx->setact && - (ctx->activate - ctx->prepub) < ctx->publish) { + (ctx->activate - ctx->prepub) < ctx->publish) + { fatal("Activation and publication dates " "are closer together than the\n\t" "prepublication interval."); @@ -739,7 +741,8 @@ if (ctx->setdel) { if (ctx->setinact && - ctx->deltime < ctx->inactive) { + ctx->deltime < ctx->inactive) + { fprintf(stderr, "%s: warning: Key is " "scheduled to be deleted " @@ -1004,7 +1007,8 @@ ctx.protocol = strtol(isc_commandline_argument, &endp, 10); if (*endp != '\0' || ctx.protocol < 0 || - ctx.protocol > 255) { + ctx.protocol > 255) + { fatal("-p must be followed by a number " "[0..255]"); } @@ -1020,7 +1024,8 @@ ctx.signatory = strtol(isc_commandline_argument, &endp, 10); if (*endp != '\0' || ctx.signatory < 0 || - ctx.signatory > 15) { + ctx.signatory > 15) + { fatal("-s must be followed by a number " "[0..15]"); } diff -Nru bind9-9.16.33/bin/dnssec/dnssec-revoke.c bind9-9.16.37/bin/dnssec/dnssec-revoke.c --- bind9-9.16.33/bin/dnssec/dnssec-revoke.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-revoke.c 2023-01-12 22:45:02.000000000 +0000 @@ -151,7 +151,8 @@ } if (argc < isc_commandline_index + 1 || - argv[isc_commandline_index] == NULL) { + argv[isc_commandline_index] == NULL) + { fatal("The key file name was not specified"); } if (argc > isc_commandline_index + 1) { diff -Nru bind9-9.16.33/bin/dnssec/dnssec-settime.c bind9-9.16.37/bin/dnssec/dnssec-settime.c --- bind9-9.16.33/bin/dnssec/dnssec-settime.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-settime.c 2023-01-12 22:45:02.000000000 +0000 @@ -562,7 +562,8 @@ } if (argc < isc_commandline_index + 1 || - argv[isc_commandline_index] == NULL) { + argv[isc_commandline_index] == NULL) + { fatal("The key file name was not specified"); } if (argc > isc_commandline_index + 1) { @@ -570,7 +571,8 @@ } if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) && - !write_state) { + !write_state) + { fatal("Options -g, -d, -k, -r and -z require -s to be set"); } diff -Nru bind9-9.16.33/bin/dnssec/dnssec-signzone.c bind9-9.16.37/bin/dnssec/dnssec-signzone.c --- bind9-9.16.33/bin/dnssec/dnssec-signzone.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssec-signzone.c 2023-01-12 22:45:02.000000000 +0000 @@ -227,7 +227,7 @@ return; } - result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &iter); check_result(result, "dns_db_allrdatasets"); dns_rdataset_init(&rds); @@ -364,7 +364,8 @@ dns_dnsseckey_t *key; for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (rrsig->keyid == dst_key_id(key->key) && rrsig->algorithm == dst_key_alg(key->key) && dns_name_equal(&rrsig->signer, dst_key_name(key->key))) @@ -564,7 +565,8 @@ "invalid validity period\n", sigstr); } else if (key == NULL && !future && - expecttofindkey(&rrsig.signer)) { + expecttofindkey(&rrsig.signer)) + { /* rrsig is dropped and not replaced */ vbprintf(2, "\trrsig by %s dropped - " @@ -575,7 +577,8 @@ vbprintf(2, "\trrsig by %s %s - dnskey not found\n", keep ? "retained" : "dropped", sigstr); } else if (!dns_dnssec_keyactive(key->key, now) && - remove_inactkeysigs) { + remove_inactkeysigs) + { keep = false; vbprintf(2, "\trrsig by %s dropped - key inactive\n", sigstr); @@ -676,7 +679,8 @@ } for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (nowsignedby[key->index]) { continue; } @@ -698,7 +702,8 @@ curr = ISC_LIST_NEXT(curr, link)) { if (dst_key_alg(key->key) != - dst_key_alg(curr->key)) { + dst_key_alg(curr->key)) + { continue; } if (REVOKE(curr->key)) { @@ -709,7 +714,8 @@ } } if (isksk(key) || !have_ksk || - (iszsk(key) && !keyset_kskonly)) { + (iszsk(key) && !keyset_kskonly)) + { signwithkey(name, set, key->key, ttl, add, "signing with dnskey"); } @@ -750,7 +756,8 @@ DST_NUM_SUCCESSOR, &suc); if (ret != ISC_R_SUCCESS || - dst_key_id(key->key) != suc) { + dst_key_id(key->key) != suc) + { continue; } @@ -1185,7 +1192,7 @@ dns_diff_init(mctx, &del); dns_diff_init(mctx, &add); rdsiter = NULL; - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { @@ -1203,7 +1210,8 @@ */ if (isdelegation) { if (rdataset.type != nsec_datatype && - rdataset.type != dns_rdatatype_ds) { + rdataset.type != dns_rdatatype_ds) + { goto skip; } } else if (rdataset.type == dns_rdatatype_ds) { @@ -1258,7 +1266,7 @@ bool found; dns_rdataset_init(&rdataset); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { @@ -1304,7 +1312,8 @@ /* * Delete RRSIGs for types that no longer exist. */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter2); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -1352,7 +1361,8 @@ check_result(result, "dns_db_deleterdataset(" "rrsig)"); } else if (result != ISC_R_NOMORE && - result != ISC_R_SUCCESS) { + result != ISC_R_SUCCESS) + { fatal("rdataset iteration failed: %s", isc_result_totext(result)); } @@ -1433,7 +1443,8 @@ old_serial = dns_soa_getserial(&rdata); if (method == dns_updatemethod_date || - method == dns_updatemethod_unixtime) { + method == dns_updatemethod_unixtime) + { new_serial = dns_update_soaserial(old_serial, method, &used); } else if (serial != 0 || method == dns_updatemethod_none) { /* Set SOA serial to the value provided. */ @@ -1504,7 +1515,7 @@ } dns_rdataset_init(&set); - result = dns_db_allrdatasets(db, node, dbversion, 0, &rdsiter); + result = dns_db_allrdatasets(db, node, dbversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets"); result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { @@ -1648,10 +1659,12 @@ !dns_name_issubdomain(name, zonecut))) { if (is_delegation(gdb, gversion, gorigin, name, - node, NULL)) { + node, NULL)) + { zonecut = savezonecut(&fzonecut, name); if (!OPTOUT(nsec3flags) || - secure(name, node)) { + secure(name, node)) + { found = true; } } else if (has_dname(gdb, gversion, node)) { @@ -1802,7 +1815,7 @@ /* * Delete any records of the given type at the apex. */ - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) @@ -1813,12 +1826,14 @@ dns_rdataset_disassociate(&rdataset); if (type == which || covers == which) { if (which == dns_rdatatype_nsec && checknsec && - !update_chain) { + !update_chain) + { fatal("Zone contains NSEC records. Use -u " "to update to NSEC3."); } if (which == dns_rdatatype_nsec3param && checknsec && - !update_chain) { + !update_chain) + { fatal("Zone contains NSEC3 chains. Use -u " "to update to NSEC."); } @@ -1843,7 +1858,7 @@ dns_rdataset_t rdataset; dns_rdataset_init(&rdataset); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; result = dns_rdatasetiter_next(rdsiter)) @@ -1907,7 +1922,8 @@ { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -2265,7 +2281,8 @@ count2++; dns_rdataset_current(&tmprdataset, &rdata2); if (count1 < count2 && - dns_rdata_casecompare(&rdata1, &rdata2) == 0) { + dns_rdata_casecompare(&rdata1, &rdata2) == 0) + { vbprintf(2, "removing duplicate at %s/%s\n", namestr, typestr); result = dns_difftuple_create( @@ -2320,7 +2337,8 @@ { result = dns_dbiterator_current(dbiter, &node, name); check_dns_dbiterator_current(result); - result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + result = dns_db_allrdatasets(gdb, node, gversion, 0, 0, + &rdsiter); check_result(result, "dns_db_allrdatasets()"); for (result = dns_rdatasetiter_first(rdsiter); result == ISC_R_SUCCESS; @@ -2432,14 +2450,16 @@ continue; } if (is_delegation(gdb, gversion, gorigin, nextname, - nextnode, &nsttl)) { + nextnode, &nsttl)) + { zonecut = savezonecut(&fzonecut, nextname); remove_sigs(nextnode, true, 0); if (generateds) { add_ds(nextname, nextnode, nsttl); } if (OPTOUT(nsec3flags) && - !secure(nextname, nextnode)) { + !secure(nextname, nextnode)) + { dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2573,10 +2593,12 @@ continue; } if (is_delegation(gdb, gversion, gorigin, nextname, - nextnode, NULL)) { + nextnode, NULL)) + { zonecut = savezonecut(&fzonecut, nextname); if (OPTOUT(nsec3flags) && - !secure(nextname, nextnode)) { + !secure(nextname, nextnode)) + { dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; @@ -2754,7 +2776,8 @@ /* Skip any duplicates */ for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (dst_key_id(key->key) == dst_key_id(newkey) && dst_key_alg(key->key) == dst_key_alg(newkey)) { @@ -3095,7 +3118,8 @@ name = gorigin; for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { if (REVOKE(key->key)) { continue; } @@ -3794,7 +3818,8 @@ outputformat = dns_masterformat_raw; rawversion = strtol(outputformatstr + 4, &end, 10); if (end == outputformatstr + 4 || *end != '\0' || - rawversion > 1U) { + rawversion > 1U) + { fprintf(stderr, "unknown raw format version\n"); exit(1); } @@ -3900,7 +3925,8 @@ /* Now enumerate the key list */ for (key = ISC_LIST_HEAD(keylist); key != NULL; - key = ISC_LIST_NEXT(key, link)) { + key = ISC_LIST_NEXT(key, link)) + { key->index = keycount++; } diff -Nru bind9-9.16.33/bin/dnssec/dnssectool.c bind9-9.16.37/bin/dnssec/dnssectool.c --- bind9-9.16.33/bin/dnssec/dnssectool.c 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/dnssec/dnssectool.c 2023-01-12 22:45:02.000000000 +0000 @@ -313,7 +313,8 @@ */ n = strspn(str, "0123456789"); if ((n == 8u || n == 14u) && - (str[n] == '\0' || str[n] == '-' || str[n] == '+')) { + (str[n] == '\0' || str[n] == '-' || str[n] == '+')) + { char timestr[15]; strlcpy(timestr, str, sizeof(timestr)); diff -Nru bind9-9.16.33/bin/named/bind9.xsl bind9-9.16.37/bin/named/bind9.xsl --- bind9-9.16.33/bin/named/bind9.xsl 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/named/bind9.xsl 2023-01-12 22:45:02.000000000 +0000 @@ -2,7 +2,9 @@ - + + + diff -Nru bind9-9.16.33/bin/named/bind9.xsl.h bind9-9.16.37/bin/named/bind9.xsl.h --- bind9-9.16.33/bin/named/bind9.xsl.h 2022-09-08 13:01:23.000000000 +0000 +++ bind9-9.16.37/bin/named/bind9.xsl.h 2023-01-12 22:45:02.000000000 +0000 @@ -8,7 +8,11 @@ "\n" " \n" - " \n" + " \n" + " \n" + " \n" " \n" " \n" "