Version in base suite: 9.16.37-1~deb11u1 Base version: bind9_9.16.37-1~deb11u1 Target version: bind9_9.16.42-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bind9/bind9_9.16.37-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bind9/bind9_9.16.42-1~deb11u1.dsc .github/workflows/codeql.yml | 55 + .github/workflows/sonarcloud.yml | 50 + .gitlab-ci.yml | 261 +++-- .reuse/dep5 | 3 .tsan-suppress | 2 CHANGES | 115 ++ CONTRIBUTING | 8 CONTRIBUTING.md | 8 bin/dig/dighost.c | 6 bin/named/controlconf.c | 10 bin/named/logconf.c | 6 bin/named/main.c | 8 bin/named/server.c | 56 - bin/named/zoneconf.c | 168 +-- bin/nsupdate/nsupdate.c | 11 bin/python/isc/coverage.py.in | 1 bin/python/isc/dnskey.py.in | 1 bin/python/isc/keymgr.py.in | 1 bin/python/isc/keyzone.py.in | 1 bin/rndc/rndc.c | 2 bin/rndc/rndc.rst | 8 bin/tests/optional/ratelimiter_test.c | 2 bin/tests/optional/rbt_test.c | 4 bin/tests/optional/shutdown_test.c | 6 bin/tests/optional/sock_test.c | 2 bin/tests/optional/task_test.c | 4 bin/tests/optional/timer_test.c | 6 bin/tests/system/acl/tests.sh | 2 bin/tests/system/autosign/clean.sh | 3 bin/tests/system/autosign/ns2/keygen.sh | 8 bin/tests/system/autosign/ns2/named.conf.in | 9 bin/tests/system/autosign/ns2/optout-with-ent.db.in | 22 bin/tests/system/autosign/tests.sh | 45 bin/tests/system/catz/clean.sh | 1 bin/tests/system/catz/ns2/named1.conf.in | 11 bin/tests/system/catz/ns4/catalog.example.db.in | 14 bin/tests/system/catz/ns4/named.conf.in | 55 + bin/tests/system/catz/setup.sh | 2 bin/tests/system/catz/tests.sh | 53 + bin/tests/system/chain/ans4/ans.py | 2 bin/tests/system/checkconf/kasp-bad-keylen.conf | 2 bin/tests/system/cookie/ans9/ans.py | 2 bin/tests/system/dnssec/ans10/ans.py | 1 bin/tests/system/dnstap/tests.sh | 1 bin/tests/system/dupsigs/tests.sh | 35 bin/tests/system/feature-test.c | 16 bin/tests/system/forward/ans11/ans.py | 1 bin/tests/system/get_algorithms.py | 10 
bin/tests/system/inline/tests_signed_zone_files.py | 1 bin/tests/system/kasp/tests.sh | 16 bin/tests/system/legacy/tests.sh | 2 bin/tests/system/logfileconfig/clean.sh | 5 bin/tests/system/logfileconfig/named1.args | 1 bin/tests/system/logfileconfig/named2.args | 1 bin/tests/system/logfileconfig/ns1/controls.conf.in | 18 bin/tests/system/logfileconfig/ns1/named.dirconf | 45 bin/tests/system/logfileconfig/ns1/named.dirconf.in | 43 bin/tests/system/logfileconfig/ns1/named.iso8601 | 45 bin/tests/system/logfileconfig/ns1/named.iso8601-utc | 45 bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in | 43 bin/tests/system/logfileconfig/ns1/named.iso8601.in | 43 bin/tests/system/logfileconfig/ns1/named.pipeconf | 45 bin/tests/system/logfileconfig/ns1/named.pipeconf.in | 43 bin/tests/system/logfileconfig/ns1/named.plain | 53 - bin/tests/system/logfileconfig/ns1/named.plain.in | 50 + bin/tests/system/logfileconfig/ns1/named.plainconf | 36 bin/tests/system/logfileconfig/ns1/named.plainconf.in | 34 bin/tests/system/logfileconfig/ns1/named.symconf | 45 bin/tests/system/logfileconfig/ns1/named.symconf.in | 43 bin/tests/system/logfileconfig/ns1/named.tsconf | 55 - bin/tests/system/logfileconfig/ns1/named.tsconf.in | 52 + bin/tests/system/logfileconfig/ns1/named.unlimited | 55 - bin/tests/system/logfileconfig/ns1/named.unlimited.in | 52 + bin/tests/system/logfileconfig/ns1/named.versconf | 55 - bin/tests/system/logfileconfig/ns1/named.versconf.in | 52 + bin/tests/system/logfileconfig/ns1/rndc.conf.in | 26 bin/tests/system/logfileconfig/ns1/root.db | 27 bin/tests/system/logfileconfig/setup.sh | 4 bin/tests/system/logfileconfig/tests.sh | 499 +++------- bin/tests/system/mkeys/clean.sh | 9 bin/tests/system/mkeys/ns1/named1.conf.in | 10 bin/tests/system/mkeys/ns1/named2.conf.in | 10 bin/tests/system/mkeys/ns1/named3.conf.in | 10 bin/tests/system/mkeys/ns1/root.db | 3 bin/tests/system/mkeys/ns1/sign.sh | 18 bin/tests/system/mkeys/ns1/sub.tld.db | 21 bin/tests/system/mkeys/ns1/tld.db | 
23 bin/tests/system/mkeys/ns4/named.conf.in | 5 bin/tests/system/mkeys/ns4/sign.sh | 25 bin/tests/system/mkeys/ns4/sub.foo.db | 21 bin/tests/system/mkeys/ns5/foo.db | 23 bin/tests/system/mkeys/ns5/named.conf.in | 8 bin/tests/system/mkeys/setup.sh | 1 bin/tests/system/mkeys/tests.sh | 132 +- bin/tests/system/nsec3/tests.sh | 1 bin/tests/system/nsupdate/setup.sh | 6 bin/tests/system/nsupdate/tests.sh | 38 bin/tests/system/pytest_custom_markers.py | 4 bin/tests/system/rndc/setup.sh | 2 bin/tests/system/rndc/tests.sh | 24 bin/tests/system/rpz/ns3/named.conf.in | 10 bin/tests/system/rpz/tests.sh | 10 bin/tests/system/run.sh | 23 bin/tests/system/runtime/tests.sh | 10 bin/tests/system/serve-stale/ans2/ans.pl | 54 + bin/tests/system/serve-stale/ns1/root.db | 2 bin/tests/system/serve-stale/ns3/named2.conf.in | 7 bin/tests/system/serve-stale/tests.sh | 79 + bin/tests/system/shutdown/tests_shutdown.py | 78 - bin/tests/system/statschannel/generic.py | 4 bin/tests/system/statschannel/generic_dnspython.py | 3 bin/tests/system/statschannel/tests_json.py | 3 bin/tests/system/statschannel/tests_xml.py | 2 bin/tests/system/tcp/tests_tcp.py | 2 bin/tests/system/testcrypto.sh | 12 bin/tests/system/tsig/ns1/named.conf.in | 10 bin/tests/system/tsig/setup.sh | 16 bin/tests/system/tsig/tests.sh | 67 - bin/tests/system/ttl/clean.sh | 6 bin/tests/system/ttl/prereq.sh | 31 bin/tests/system/ttl/setup.sh | 1 bin/tests/system/ttl/tests.sh | 46 bin/tests/system/ttl/tests_cache_ttl.py | 32 configure | 205 +++- configure.ac | 26 dangerfile.py | 33 debian/changelog | 15 debian/upstream/signing-key.asc | 743 +++------------- doc/Makefile.in | 2 doc/arm/build.rst | 10 doc/arm/notes.rst | 5 doc/arm/platforms.rst | 10 doc/arm/reference.rst | 36 doc/dnssec-guide/validation.rst | 2 doc/man/ddns-confgen.8in | 8 doc/man/delv.1in | 26 doc/man/dig.1in | 12 doc/man/dnssec-dsfromkey.8in | 2 doc/man/dnssec-importkey.8in | 2 doc/man/dnssec-keygen.8in | 2 doc/man/dnssec-keymgr.8in | 14 
doc/man/dnssec-signzone.8in | 10 doc/man/filter-aaaa.8in | 4 doc/man/host.1in | 6 doc/man/mdig.1in | 20 doc/man/named-checkconf.8in | 2 doc/man/named-checkzone.8in | 4 doc/man/named-compilezone.1in | 206 ---- doc/man/named-compilezone.8in | 4 doc/man/nsec3hash.8in | 2 doc/man/rndc.8in | 26 doc/man/rndc.conf.5in | 14 doc/man/tsig-keygen.8in | 2 doc/notes/notes-9.16.38.rst | 33 doc/notes/notes-9.16.39.rst | 60 + doc/notes/notes-9.16.40.rst | 32 doc/notes/notes-9.16.41.rst | 27 doc/notes/notes-9.16.42.rst | 45 fuzz/fuzz.h | 12 lib/dns/catz.c | 18 lib/dns/dnsrps.c | 4 lib/dns/hmac_link.c | 1 lib/dns/include/dns/view.h | 15 lib/dns/include/dns/zt.h | 1 lib/dns/keymgr.c | 10 lib/dns/keytable.c | 11 lib/dns/master.c | 2 lib/dns/nsec3.c | 5 lib/dns/nta.c | 7 lib/dns/rbt.c | 10 lib/dns/rbtdb.c | 129 +- lib/dns/request.c | 23 lib/dns/resolver.c | 10 lib/dns/rpz.c | 2 lib/dns/validator.c | 46 lib/dns/view.c | 100 +- lib/dns/win32/libdns.def.in | 1 lib/dns/xfrin.c | 4 lib/dns/zone.c | 89 + lib/irs/getaddrinfo.c | 3 lib/irs/resconf.c | 8 lib/isc/include/isc/task.h | 25 lib/isc/include/isc/timer.h | 36 lib/isc/iterated_hash.c | 58 - lib/isc/lib.c | 1 lib/isc/log.c | 19 lib/isc/mem.c | 7 lib/isc/netmgr/netmgr.c | 22 lib/isc/ratelimiter.c | 7 lib/isc/task.c | 36 lib/isc/tests/task_test.c | 20 lib/isc/tests/timer_test.c | 22 lib/isc/timer.c | 133 +- lib/isc/win32/libisc.def.in | 4 lib/ns/query.c | 67 + sonar-project.properties | 2 srcid | 2 tsan-suppressions.txt | 2 version | 2 199 files changed, 3441 insertions(+), 2721 deletions(-) diff -Nru bind9-9.16.37/.github/workflows/codeql.yml bind9-9.16.42/.github/workflows/codeql.yml --- bind9-9.16.37/.github/workflows/codeql.yml 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/.github/workflows/codeql.yml 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,55 @@ +name: "CodeQL" + +on: + push: + branches: [ "bind-9.16", "bind-9.18", "main" ] + schedule: + - cron: '39 8 * * 3' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'cpp' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Install build dependencies + uses: awalsh128/cache-apt-pkgs-action@latest + with: + packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply + version: 1.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff -Nru bind9-9.16.37/.github/workflows/sonarcloud.yml bind9-9.16.42/.github/workflows/sonarcloud.yml --- bind9-9.16.37/.github/workflows/sonarcloud.yml 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/.github/workflows/sonarcloud.yml 2023-06-09 14:35:17.000000000 +0000 
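Review bot: The `Install build dependencies` step in the new codeql.yml references `awalsh128/cache-apt-pkgs-action@latest`, a third-party action on a mutable ref, in a job that holds `security-events: write`. Whatever that ref resolves to at run time executes on the runner, so an upstream change reaches this pipeline without any review on this side. I would pin it to a full commit SHA, e.g. `uses: awalsh128/cache-apt-pkgs-action@<full-commit-sha>  # <release tag>`, and consider the same for `actions/checkout@v3` and the `github/codeql-action/*@v2` steps. The identical step appears in the sonarcloud.yml hunk that follows, where a later step of the same job is handed `SONAR_TOKEN`.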
@@ -0,0 +1,50 @@
+name: SonarCloud
+
+on:
+ push:
+ branches: [ "bind-9.16", "bind-9.18", "main" ]
+ schedule:
+ - cron: '39 8 * * 3'
+
+jobs:
+ build:
+ name: Build and analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ env:
+ BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Install build dependencies
+ uses: awalsh128/cache-apt-pkgs-action@latest
+ with:
+ packages: libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+ version: 1.0
+
+ - name: Install sonar-scanner and build-wrapper
+ uses: SonarSource/sonarcloud-github-c-cpp@v1
+
+ - name: Run build-wrapper
+ run: |
+ autoreconf -fi
+ ./configure
+ build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
+
+ - name: Run sonar-scanner
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ run: |
+ sonar-scanner --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
diff -Nru bind9-9.16.37/.gitlab-ci.yml bind9-9.16.42/.gitlab-ci.yml
--- bind9-9.16.37/.gitlab-ci.yml 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/.gitlab-ci.yml 2023-06-09 14:35:17.000000000 +0000
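Review bot: The `permissions` block of the `build` job in sonarcloud.yml grants `security-events: write` and `actions: read`, which looks carried over from the CodeQL workflow. None of the visible steps uploads results to GitHub code scanning; `sonar-scanner` appears to report to SonarCloud using `SONAR_TOKEN`. If that reading is right, the block can be reduced to `contents: read` alone. A minimal `GITHUB_TOKEN` matters here because the same job runs `autoreconf -fi`, `./configure` and `make` from the checked-out tree before the token is passed to the scanner step.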
@@ -12,13 +12,17 @@ KYUA_RESULT: "$CI_PROJECT_DIR/kyua.results" GIT_DEPTH: 1 + GIT_CLEAN_FLAGS: -ffdxq + + # The following values may be overwritten in GitLab's CI/CD Variables Settings. BUILD_PARALLEL_JOBS: 6 - TEST_PARALLEL_JOBS: 6 + TEST_PARALLEL_JOBS: 4 CONFIGURE: ./configure - CLANG_VERSION: 15 + CLANG_VERSION: 16 CLANG: "clang-${CLANG_VERSION}" SCAN_BUILD: "scan-build-${CLANG_VERSION}" + LLVM_SYMBOLIZER: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" CLANG_FORMAT: "clang-format-${CLANG_VERSION}" @@ -26,7 +30,12 @@ # Pass run-time flags to AddressSanitizer to get core dumps on error. ASAN_OPTIONS: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1 - TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan" + + TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 atexit_sleep_ms=1000 history_size=7 log_exe_name=true log_path=tsan" + TSAN_SUPPRESSIONS: "suppressions=${CI_PROJECT_DIR}/.tsan-suppress" + TSAN_OPTIONS_DEBIAN: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=${LLVM_SYMBOLIZER}" + TSAN_OPTIONS_FEDORA: "${TSAN_OPTIONS_COMMON} ${TSAN_SUPPRESSIONS} external_symbolizer_path=/usr/bin/llvm-symbolizer" + UBSAN_OPTIONS: "halt_on_error=1:abort_on_error=1:disable_coredump=0" TARBALL_COMPRESSOR: xz @@ -42,11 +51,11 @@ BIND_STRESS_TEST_OS: linux BIND_STRESS_TEST_ARCH: amd64 -# Allow all running CI jobs to be automatically canceled when a new -# version of a branch is pushed. -# -# See: https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines default: + # Allow all running CI jobs to be automatically canceled when a new + # version of a branch is pushed. + # + # See: https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines interruptible: true stages: 
@@ -66,11 +75,25 @@ - libvirt - amd64 +# Jobs with these tags do not run on AWS but on permanent OVH systems. + +.linux-respdiff-amd64: &linux_respdiff_amd64 + tags: + - linux + - ovh + - amd64 + +# Autoscaling GitLab Runner on AWS EC2 + .linux-amd64: &linux_amd64 tags: - linux + - aws + - runner-manager - amd64 +# Stress-testing runners + .linux-stress-amd64: &linux_stress_amd64 tags: - amd64 @@ -101,8 +124,8 @@ # Alpine Linux -.alpine-3.16-amd64: &alpine_3_16_amd64_image - image: "$CI_REGISTRY_IMAGE:alpine-3.16-amd64" +.alpine-3.18-amd64: &alpine_3_18_amd64_image + image: "$CI_REGISTRY_IMAGE:alpine-3.18-amd64" <<: *linux_amd64 # Oracle Linux @@ -125,10 +148,18 @@ image: "$CI_REGISTRY_IMAGE:debian-buster-amd64" <<: *linux_amd64 +.respdiff-debian-bullseye-amd64: &respdiff_debian_bullseye_amd64_image + image: "$CI_REGISTRY_IMAGE:debian-bullseye-amd64" + <<: *linux_respdiff_amd64 + .debian-bullseye-amd64: &debian_bullseye_amd64_image image: "$CI_REGISTRY_IMAGE:debian-bullseye-amd64" <<: *linux_amd64 +.tsan-debian-bullseye-amd64: &tsan_debian_bullseye_amd64_image + image: "$CI_REGISTRY_IMAGE:tsan-debian-bullseye-amd64" + <<: *linux_amd64 + .debian-bullseye-amd64cross32: &debian_bullseye_amd64cross32_image image: "$CI_REGISTRY_IMAGE:debian-bullseye-amd64cross32" <<: *linux_amd64 @@ -145,12 +176,16 @@ # Fedora -.fedora-37-amd64: &fedora_37_amd64_image - image: "$CI_REGISTRY_IMAGE:fedora-37-amd64" +.tsan-fedora-38-amd64: &tsan_fedora_38_amd64_image + image: "$CI_REGISTRY_IMAGE:tsan-fedora-38-amd64" + <<: *linux_amd64 + +.fedora-38-amd64: &fedora_38_amd64_image + image: "$CI_REGISTRY_IMAGE:fedora-38-amd64" <<: *linux_amd64 -.fedora-37-arm64: &fedora_37_arm64_image - image: "$CI_REGISTRY_IMAGE:fedora-37-arm64" +.fedora-38-arm64: &fedora_38_arm64_image + image: "$CI_REGISTRY_IMAGE:fedora-38-arm64" <<: *linux_stress_arm64 # Ubuntu 
@@ -182,15 +217,15 @@ ### QCOW2 Image Templates .freebsd-12-amd64: &freebsd_12_amd64_image - image: "freebsd-12.3-x86_64" + image: "freebsd-12.4-x86_64" <<: *libvirt_amd64 .freebsd-13-amd64: &freebsd_13_amd64_image - image: "freebsd-13.1-x86_64" + image: "freebsd-13.2-x86_64" <<: *libvirt_amd64 .openbsd-amd64: &openbsd_amd64_image - image: "openbsd-7.2-x86_64" + image: "openbsd-7.3-x86_64" <<: *libvirt_amd64 ### Job Templates @@ -232,7 +267,6 @@ - autoreconf -fi artifacts: untracked: true - expire_in: "1 day" .configure: &configure - ${CONFIGURE} @@ -276,7 +310,6 @@ artifacts: true artifacts: untracked: true - expire_in: "1 day" when: always .windows_build: &windows_build_job @@ -302,7 +335,6 @@ needs: [] artifacts: untracked: true - expire_in: "1 day" .setup_interfaces: &setup_interfaces - if [ "$(id -u)" -eq "0" ]; then @@ -331,14 +363,12 @@ <<: *system_test_common artifacts: untracked: true - expire_in: "1 day" when: on_failure .system_test_gcov: &system_test_gcov_job <<: *system_test_common artifacts: untracked: true - expire_in: "1 day" when: always .system_test_tsan: &system_test_tsan_job @@ -346,7 +376,6 @@ after_script: - *parse_tsan artifacts: - expire_in: "1 day" untracked: true when: on_failure @@ -358,7 +387,6 @@ --output kyua_html > /dev/null .windows_system_test: &windows_system_test_job - <<: *api_schedules_tags_triggers_web_triggering_rules stage: system script: - 'Push-Location bin/tests/system' @@ -372,7 +400,6 @@ - 'If (Test-Path C:/CrashDumps/*) { dir C:/CrashDumps; Throw }' artifacts: untracked: true - expire_in: "1 day" when: on_failure .unit_test_common: &unit_test_common @@ -389,14 +416,12 @@ <<: *unit_test_common artifacts: untracked: true - expire_in: "1 day" when: on_failure .unit_test_gcov: &unit_test_gcov_job <<: *unit_test_common artifacts: untracked: true - expire_in: "1 day" when: always .unit_test_tsan: &unit_test_tsan_job 
@@ -406,11 +431,9 @@ - *parse_tsan artifacts: untracked: true - expire_in: "1 day" when: on_failure .respdiff: &respdiff_job - <<: *base_image stage: system before_script: - *configure @@ -425,7 +448,6 @@ exclude: - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. untracked: true - expire_in: "1 day" when: always ### Job Definitions @@ -457,7 +479,6 @@ artifacts: paths: - checklibs.out - expire_in: "1 day" when: on_failure black: @@ -539,11 +560,16 @@ <<: *default_triggering_rules script: - source version - - export BIND_DIRECTORY="bind-${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}" + - export BIND9_VERSION="${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}${EXTENSIONS}" + - export BIND_DIRECTORY="bind-${BIND9_VERSION}" - git archive --prefix="${BIND_DIRECTORY}/" --output="${BIND_DIRECTORY}.tar" HEAD - mkdir "${BIND_DIRECTORY}" - echo "SRCID=$(git rev-list --max-count=1 HEAD | cut -b1-7)" > "${BIND_DIRECTORY}/srcid" - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/srcid" + - sphinx-build -b man -d "${BIND_DIRECTORY}/tmp/.doctrees/" -W -a -v -c doc/man/ -D version="@BIND9_VERSION@" -D today="@RELEASE_DATE@" -D release="@BIND9_VERSIONSTRING@" doc/man "${BIND_DIRECTORY}/doc/man" + - rm -rf "${BIND_DIRECTORY}/tmp/.doctrees/" + - for man in "${BIND_DIRECTORY}/doc/man/"*; do mv "$man" "$man"in; done + - tar --append --file="${BIND_DIRECTORY}.tar" "${BIND_DIRECTORY}/doc/man/"*in - ${TARBALL_COMPRESSOR} "${BIND_DIRECTORY}.tar" artifacts: paths: @@ -571,7 +597,6 @@ needs: - job: autoreconf artifacts: true - allow_failure: false artifacts: paths: - doc/arm/ 
@@ -579,27 +604,27 @@ - doc/misc/ when: always -# Jobs for regular GCC builds on Alpine Linux 3.16 (amd64) +# Jobs for regular GCC builds on Alpine Linux 3.18 (amd64) -gcc:alpine3.16:amd64: +gcc:alpine3.18:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - <<: *alpine_3_16_amd64_image + <<: *alpine_3_18_amd64_image <<: *build_job -system:gcc:alpine3.16:amd64: - <<: *alpine_3_16_amd64_image +system:gcc:alpine3.18:amd64: + <<: *alpine_3_18_amd64_image <<: *system_test_job needs: - - job: gcc:alpine3.16:amd64 + - job: gcc:alpine3.18:amd64 artifacts: true -unit:gcc:alpine3.16:amd64: - <<: *alpine_3_16_amd64_image +unit:gcc:alpine3.18:amd64: + <<: *alpine_3_18_amd64_image <<: *unit_test_job needs: - - job: gcc:alpine3.16:amd64 + - job: gcc:alpine3.18:amd64 artifacts: true # Jobs for regular GCC builds on Oracle Linux 7 (amd64) @@ -675,6 +700,23 @@ - job: gcc:oraclelinux9:amd64 artifacts: true +gcc:tarball:nosphinx: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2 --disable-developer" + RUN_MAKE_INSTALL: 1 + <<: *oraclelinux_9_amd64_image + <<: *build_job + before_script: + - (! command -v sphinx-build >/dev/null) + - tar --extract --file bind-*.tar.${TARBALL_EXTENSION} + - rm -f bind-*.tar.${TARBALL_EXTENSION} + - cd bind-* + needs: + - job: tarball-create + artifacts: true + # Jobs for regular GCC builds on Debian 10 "buster" (amd64) gcc:buster:amd64: @@ -703,7 +745,6 @@ artifacts: true # Jobs for regular GCC builds on Debian 11 "bullseye" (amd64) -# (The second unit test job also executes unstable unit tests.) gcc:bullseye:amd64: variables: 
@@ -719,39 +760,23 @@ system:gcc:bullseye:amd64: <<: *debian_bullseye_amd64_image <<: *system_test_gcov_job - needs: - - job: unit:gcc:bullseye:amd64 - artifacts: true - -system:gcc:bullseye:unstable:amd64: - <<: *debian_bullseye_amd64_image - <<: *system_test_job - <<: *api_schedules_triggers_web_triggering_rules variables: CI_ENABLE_ALL_TESTS: 1 needs: - - job: gcc:bullseye:amd64 + - job: unit:gcc:bullseye:amd64 artifacts: true unit:gcc:bullseye:amd64: <<: *debian_bullseye_amd64_image <<: *unit_test_gcov_job - needs: - - job: gcc:bullseye:amd64 - artifacts: true - -unit:gcc:bullseye:unstable:amd64: - <<: *debian_bullseye_amd64_image - <<: *unit_test_job - <<: *api_schedules_triggers_web_triggering_rules variables: CI_ENABLE_ALL_TESTS: 1 needs: - job: gcc:bullseye:amd64 artifacts: true -# Jobs for cross-compiled GCC builds on Debian 11 "bullseye" (amd64) with -# 32-bit libraries +# Build job for cross-compiled GCC builds on 64-bit Debian 11 "bullseye" +# (amd64) with 32-bit BIND 9. gcc:bullseye:amd64cross32: variables: @@ -763,20 +788,6 @@ <<: *debian_bullseye_amd64cross32_image <<: *build_job -system:gcc:bullseye:amd64cross32: - <<: *debian_bullseye_amd64cross32_image - <<: *system_test_job - needs: - - job: gcc:bullseye:amd64cross32 - artifacts: true - -unit:gcc:bullseye:amd64cross32: - <<: *debian_bullseye_amd64cross32_image - <<: *unit_test_job - needs: - - job: gcc:bullseye:amd64cross32 - artifacts: true - # Jobs for scan-build builds on Debian 11 "bullseye" (amd64) .scan_build: &scan_build @@ -804,7 +815,6 @@ artifacts: paths: - scan-build.reports/ - expire_in: "1 day" when: on_failure # Jobs for regular GCC builds on Debian "sid" (amd64) @@ -985,7 +995,7 @@ - job: gcc:jammy:amd64 artifacts: true -# Jobs for ASAN builds on Fedora 37 (amd64) +# Jobs for ASAN builds on Fedora 38 (amd64) gcc:asan: variables: 
@@ -993,18 +1003,18 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=address,undefined" EXTRA_CONFIGURE: "--with-libidn2" - <<: *fedora_37_amd64_image + <<: *fedora_38_amd64_image <<: *build_job system:gcc:asan: - <<: *fedora_37_amd64_image + <<: *fedora_38_amd64_image <<: *system_test_job needs: - job: gcc:asan artifacts: true unit:gcc:asan: - <<: *fedora_37_amd64_image + <<: *fedora_38_amd64_image <<: *unit_test_job needs: - job: gcc:asan @@ -1033,7 +1043,7 @@ - job: clang:asan artifacts: true -# Jobs for TSAN builds on Fedora 37 (amd64) +# Jobs for TSAN builds on Fedora 38 (amd64) gcc:tsan: variables: @@ -1041,13 +1051,13 @@ CFLAGS: "${CFLAGS_COMMON} -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--with-libidn2 --enable-pthread-rwlock" - <<: *fedora_37_amd64_image + <<: *tsan_fedora_38_amd64_image <<: *build_job system:gcc:tsan: variables: - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" - <<: *fedora_37_amd64_image + TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_38_amd64_image <<: *system_test_tsan_job needs: - job: gcc:tsan @@ -1055,15 +1065,15 @@ unit:gcc:tsan: variables: - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" - <<: *fedora_37_amd64_image + TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}" + <<: *tsan_fedora_38_amd64_image <<: *unit_test_tsan_job needs: - job: gcc:tsan artifacts: true clang:tsan: - <<: *base_image + <<: *tsan_debian_bullseye_amd64_image <<: *build_job variables: CC: "${CLANG}" @@ -1073,8 +1083,8 @@ system:clang:tsan: variables: - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bullseye_amd64_image <<: *system_test_tsan_job needs: - job: clang:tsan 
@@ -1082,8 +1092,8 @@ unit:clang:tsan: variables: - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt" - <<: *base_image + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + <<: *tsan_debian_bullseye_amd64_image <<: *unit_test_tsan_job needs: - job: clang:tsan @@ -1158,7 +1168,6 @@ <<: *system_test_job variables: USER: gitlab-runner - TEST_PARALLEL_JOBS: 4 needs: - job: clang:freebsd12:amd64 artifacts: true @@ -1185,7 +1194,6 @@ <<: *system_test_job variables: USER: gitlab-runner - TEST_PARALLEL_JOBS: 4 needs: - job: clang:freebsd13:amd64 artifacts: true @@ -1216,6 +1224,7 @@ needs: - job: clang:openbsd:amd64 artifacts: true + allow_failure: true # Jobs with libtool disabled @@ -1253,6 +1262,7 @@ system:msvc:windows:amd64: <<: *windows_server_2016_amd64_image <<: *windows_system_test_job + <<: *default_triggering_rules variables: VSCONF: Release needs: @@ -1269,6 +1279,7 @@ system:msvc-debug:windows:amd64: <<: *windows_server_2016_amd64_image <<: *windows_system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules variables: VSCONF: Debug needs: @@ -1321,7 +1332,7 @@ artifacts: paths: - "*.tar.gz" - expire_in: "1 day" + expire_in: never # Coverity Scan analysis upload 
@@ -1335,10 +1346,10 @@ --form token=$COVERITY_SCAN_TOKEN - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp - - test -d /tmp/cov-analysis-linux64-2022.6.0 + - test -d /tmp/cov-analysis-linux64-* .coverity_build: &coverity_build - - /tmp/cov-analysis-linux64-2022.6.0/bin/cov-build --dir /tmp/cov-int --fs-capture-search . sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' + - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int --fs-capture-search . sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN @@ -1381,6 +1392,7 @@ respdiff-short: <<: *respdiff_job <<: *default_triggering_rules + <<: *debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" @@ -1391,6 +1403,7 @@ respdiff-short:asan: <<: *respdiff_job <<: *default_triggering_rules + <<: *debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" 
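Review bot: The new `test -d /tmp/cov-analysis-linux64-*` and `/tmp/cov-analysis-linux64-*/bin/cov-build` lines in the Coverity anchors only work when the glob matches exactly one directory. If `/tmp` on a runner still holds an earlier extraction, `test -d` receives several arguments and fails, and in the build line the first match is executed with the remaining paths passed as arguments, so an older tool could be the one that runs. Adding `- rm -rf /tmp/cov-analysis-linux64-*` before the `tar --extract` line would keep the match unique. With the `2022.6.0` pin dropped, the job now runs whichever tool version the download returns, and the only visible integrity check is the `md5sum` comparison in the context line, which guards against corruption rather than substitution. Both anchors begin outside this hunk, so where the `.md5` file comes from is not visible here.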
@@ -1398,27 +1411,28 @@ MAX_DISAGREEMENTS_PERCENTAGE: "0.1" script: - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" - allow_failure: true respdiff-short:tsan: <<: *respdiff_job <<: *default_triggering_rules + <<: *tsan_debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--enable-pthread-rwlock" MAX_DISAGREEMENTS_PERCENTAGE: "0.1" - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + RESPDIFF_JOBS: 32 script: - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" after_script: - *parse_tsan - allow_failure: true respdiff-long: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *respdiff_debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" @@ -1429,6 +1443,7 @@ respdiff-long:asan: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=address,undefined -DISC_MEM_USE_INTERNAL_MALLOC=0" 
@@ -1436,27 +1451,28 @@ MAX_DISAGREEMENTS_PERCENTAGE: "0.1" script: - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" - allow_failure: true respdiff-long:tsan: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *tsan_debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og -fsanitize=thread -DISC_MEM_USE_INTERNAL_MALLOC=0" LDFLAGS: "-fsanitize=thread" EXTRA_CONFIGURE: "--enable-pthread-rwlock" MAX_DISAGREEMENTS_PERCENTAGE: "0.1" - TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" + TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}" + RESPDIFF_JOBS: 32 script: - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" after_script: - *parse_tsan - allow_failure: true respdiff-long-third-party: <<: *respdiff_job <<: *api_schedules_tags_triggers_web_triggering_rules + <<: *debian_bullseye_amd64_image variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" @@ -1466,13 +1482,17 @@ # "Stress" tests +# Parallel build in the "make" step is avoided since multiple jobs can be +# executed concurrently on the same runner. This may present problems when one +# job runs a performance-sensitive task of replying to queries while another +# takes all cores to build BIND. .stress: &stress_job stage: performance script: - *configure - *setup_interfaces - *setup_softhsm - - make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1 + - make -k all V=1 - make DESTDIR="${INSTALL_PATH}" install - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - cd bind-qa/bind9/stress 
@@ -1482,16 +1502,17 @@ artifacts: true artifacts: untracked: true - expire_in: "1 day" + expire_in: "1 week" when: always timeout: 2h -stress:authoritative:fedora:37:amd64: - <<: *fedora_37_amd64_image +stress:authoritative:fedora:38:amd64: + <<: *fedora_38_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: authoritative RATE: 10000 @@ -1500,12 +1521,13 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:recursive:fedora:37:amd64: - <<: *fedora_37_amd64_image +stress:recursive:fedora:38:amd64: + <<: *fedora_38_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: recursive RATE: 10000 @@ -1514,12 +1536,13 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:rpz:fedora:37:amd64: - <<: *fedora_37_amd64_image +stress:rpz:fedora:38:amd64: + <<: *fedora_38_amd64_image <<: *linux_stress_amd64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: rpz RATE: 1500 @@ -1528,12 +1551,13 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) -stress:authoritative:fedora:37:arm64: - <<: *fedora_37_arm64_image +stress:authoritative:fedora:38:arm64: + <<: *fedora_38_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: authoritative RATE: 10000 
@@ -1542,12 +1566,13 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /authoritative/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:recursive:fedora:37:arm64: - <<: *fedora_37_arm64_image +stress:recursive:fedora:38:arm64: + <<: *fedora_38_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: recursive RATE: 10000 @@ -1556,12 +1581,13 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) -stress:rpz:fedora:37:arm64: - <<: *fedora_37_arm64_image +stress:rpz:fedora:38:arm64: + <<: *fedora_38_arm64_image <<: *linux_stress_arm64 <<: *stress_job variables: CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/bin/flame MODE: rpz RATE: 1500 @@ -1576,6 +1602,7 @@ <<: *stress_job variables: CC: clang + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/local/bin/flame MODE: authoritative RATE: 10000 @@ -1590,6 +1617,7 @@ <<: *stress_job variables: CC: clang + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/local/bin/flame MODE: recursive RATE: 10000 @@ -1604,6 +1632,7 @@ <<: *stress_job variables: CC: clang + CFLAGS: "${CFLAGS_COMMON} -Og" FLAME: /usr/local/bin/flame MODE: rpz RATE: 1500 diff -Nru bind9-9.16.37/.reuse/dep5 bind9-9.16.42/.reuse/dep5 --- bind9-9.16.37/.reuse/dep5 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/.reuse/dep5 2023-06-09 14:35:17.000000000 +0000 @@ -161,6 +161,7 @@ .gitlab-ci.yml .lgtm.yml .pylintrc + .tsan-suppress .uncrustify.cfg config.guess config.h.in 
@@ -175,9 +176,9 @@ install-sh lib/dns/mapapi mkinstalldirs - tsan-suppressions.txt util/suppressions.txt version + sonar-project.properties Copyright: Internet Systems Consortium, Inc. ("ISC") License: CC0-1.0 diff -Nru bind9-9.16.37/.tsan-suppress bind9-9.16.42/.tsan-suppress --- bind9-9.16.37/.tsan-suppress 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/.tsan-suppress 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,2 @@ +# Uninstrumented library. +called_from_lib:libfstrm.so diff -Nru bind9-9.16.37/CHANGES bind9-9.16.42/CHANGES --- bind9-9.16.37/CHANGES 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/CHANGES 2023-06-09 14:35:17.000000000 +0000 
@@ -1,3 +1,111 @@ + --- 9.16.42 released --- + +6192. [security] A query that prioritizes stale data over lookup + triggers a fetch to refresh the stale data in cache. + If the fetch is aborted for exceeding the recursion + quota, it was possible for 'named' to enter an infinite + callback loop and crash due to stack overflow. This has + been fixed. (CVE-2023-2911) [GL #4089] + +6190. [security] Improve the overmem cleaning process to prevent the + cache going over the configured limit. (CVE-2023-2828) + [GL #4055] + +6183. [bug] Fix a serve-stale bug where a delegation from cache + could be returned to the client. [GL #3950] + +6173. [bug] Properly process extra "nameserver" lines in + resolv.conf otherwise the next line is not properly + processed. [GL #4066] + +6169. [bug] named could crash when deleting inline-signing zones + with "rndc delzone". [GL #4054] + + --- 9.16.41 released --- + +6157. [bug] When removing delegations in an OPTOUT range + empty-non-terminal NSEC3 records generated by + those delegations were not removed. [GL #4027] + + --- 9.16.40 released --- + +6142. [bug] Reduce the number of dns_dnssec_verify calls made + determining if revoked keys needs to be removed from + the trust anchors. [GL #3981] + +6138. [doc] Fix the DF-flag documentation on the outgoing + UDP packets. [GL #3710] + +6132. [doc] Remove a dead link in the DNSSEC guide. [GL #3967] + +6129. [cleanup] Value stored to 'source' during its initialization is + never read. [GL #3965] + +6124. [bug] When changing from a NSEC3 capable DNSSEC algorithm to + an NSEC3 incapable DNSSEC algorithm using KASP the zone + could sometimes be incompletely signed. [GL #3937] + +5741. [bug] Log files with "timestamp" suffixes could be left in + place after rolling, even if the number of preserved + log files exceeded the configured "versions" limit. + [GL #828] [GL #3959] + + --- 9.16.39 released --- + +6119. 
[bug] Make sure to revert the reconfigured zones to the + previous version of the view, when the new view + reconfiguration fails during the configuration of + one of the configured zones. [GL #3911] + +6116. [bug] Fix error path cleanup issue in the dns_catz_new_zones() + function. [GL #3900] + +6115. [bug] Unregister db update notify callback before detaching + from the previous db inside the catz update notify + callback. [GL #3777] + +6105. [bug] Detach 'rpzs' and 'catzs' from the previous view in + configure_rpz() and configure_catz(), respectively, + just after attaching it to the new view. [GL #3880] + +6098. [test] Don't test HMAC-MD5 when not supported by libcrypto. + [GL #3871] + +6095. [test] Test various 'islands of trust' configurations when + using managed keys. [GL #3662] + +6094. [bug] Building against (or running with) libuv versions + 1.35.0 and 1.36.0 is now a fatal error. The rules for + mixing and matching compile-time and run-time libuv + versions have been tightened for libuv versions between + 1.35.0 and 1.40.0. [GL #3840] + + --- 9.16.38 released --- + +6083. [bug] Fix DNSRPS-enabled builds as they were inadvertently + broken by change 6042. [GL #3827] + +6081. [bug] Handle primary server address lookup failures in + nsupdate more gracefully. [GL #3830] + +6080. [bug] 'named -V' leaked memory. [GL #3829] + +6079. [bug] Force set the DS state after a 'rdnc dnssec -checkds' + command. [GL #3822] + +6075. [bug] Add missing node lock when setting node->wild in + add_wildcard_magic. [GL #3799] + +6072. [bug] Avoid the OpenSSL lock contention when initializing + Message Digest Contexts by using explicit algorithm + fetching, initializing static contexts for every + supported algorithms, and initializing the new context + by copying the static copy. [GL #3795] + +6069. [bug] Detach from the view in zone_shutdown() to + release the memory held by the dead view + early. [GL #3801] + --- 9.16.37 released --- 6067. 
[security] Fix serve-stale crash when recursive clients soft quota @@ -48,6 +156,13 @@ 6044. [bug] There was an "RSASHA236" typo in a log message. [GL !7206] +5845. [bug] Refactor the timer to keep track of posted events + as to use isc_task_purgeevent() instead of using + isc_task_purgerange(). The isc_task_purgeevent() + has been refactored to purge a single event instead + of walking through the list of posted events. + [GL #3252] + --- 9.16.36 released --- 6043. [bug] The key file IO locks objects would never get diff -Nru bind9-9.16.37/CONTRIBUTING bind9-9.16.42/CONTRIBUTING --- bind9-9.16.37/CONTRIBUTING 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/CONTRIBUTING 2023-06-09 14:35:17.000000000 +0000 @@ -57,14 +57,14 @@ $ git clone https://gitlab.isc.org/isc-projects/bind9.git -Release branch names are of the form v9_X, where X represents the second -number in the BIND 9 version number. So, to check out the BIND 9.12 +Release branch names are of the form bind-9.X, where X represents the +second number in the BIND 9 version number. So, to check out the BIND 9.18 branch, use: - $ git checkout v9_12 + $ git checkout bind-9.18 Whenever a branch is ready for publication, a tag is placed of the form -v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0. +v9.X.Y. The 9.18.0 release, for instance, is tagged as v9.18.0. The branch in which the next major release is being developed is called main. diff -Nru bind9-9.16.37/CONTRIBUTING.md bind9-9.16.42/CONTRIBUTING.md --- bind9-9.16.37/CONTRIBUTING.md 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/CONTRIBUTING.md 2023-06-09 14:35:17.000000000 +0000 
@@ -71,14 +71,14 @@ > $ git clone https://gitlab.isc.org/isc-projects/bind9.git -Release branch names are of the form `v9_X`, where X represents the second -number in the BIND 9 version number. So, to check out the BIND 9.12 +Release branch names are of the form `bind-9.X`, where X represents the second +number in the BIND 9 version number. So, to check out the BIND 9.18 branch, use: -> $ git checkout v9_12 +> $ git checkout bind-9.18 Whenever a branch is ready for publication, a tag is placed of the -form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`. +form `v9.X.Y`. The 9.18.0 release, for instance, is tagged as `v9.18.0`. The branch in which the next major release is being developed is called `main`. diff -Nru bind9-9.16.37/bin/dig/dighost.c bind9-9.16.42/bin/dig/dighost.c --- bind9-9.16.37/bin/dig/dighost.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/dig/dighost.c 2023-06-09 14:35:17.000000000 +0000 @@ -1584,7 +1584,7 @@ debug("clear_query(%p)", query); if (query->timer != NULL) { - isc_timer_detach(&query->timer); + isc_timer_destroy(&query->timer); } lookup = query->lookup; @@ -2700,7 +2700,7 @@ debug("have local timeout of %d", local_timeout); isc_interval_set(&l->interval, local_timeout, 0); if (query->timer != NULL) { - isc_timer_detach(&query->timer); + isc_timer_destroy(&query->timer); } result = isc_timer_create(timermgr, isc_timertype_once, NULL, &l->interval, global_task, connect_timeout, @@ -2724,7 +2724,7 @@ * ourselves due to the duplicate events. */ if (query->timer != NULL) { - isc_timer_detach(&query->timer); + isc_timer_destroy(&query->timer); } } diff -Nru bind9-9.16.37/bin/named/controlconf.c bind9-9.16.42/bin/named/controlconf.c --- bind9-9.16.37/bin/named/controlconf.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/named/controlconf.c 2023-06-09 14:35:17.000000000 +0000 
@@ -177,7 +177,7 @@ } if (conn->timer != NULL) { - isc_timer_detach(&conn->timer); + isc_timer_destroy(&conn->timer); } if (conn->ccmsg_valid) { @@ -570,10 +570,10 @@ UNUSED(task); - isc_timer_detach(&conn->timer); - maybe_free_connection(conn); - isc_event_free(&event); + + isc_timer_destroy(&conn->timer); + maybe_free_connection(conn); } static isc_result_t @@ -621,7 +621,7 @@ } isccc_ccmsg_invalidate(&conn->ccmsg); if (conn->timer != NULL) { - isc_timer_detach(&conn->timer); + isc_timer_destroy(&conn->timer); } isc_mem_put(listener->mctx, conn, sizeof(*conn)); #ifdef ENABLE_AFL diff -Nru bind9-9.16.37/bin/named/logconf.c bind9-9.16.42/bin/named/logconf.c --- bind9-9.16.37/bin/named/logconf.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/named/logconf.c 2023-06-09 14:35:17.000000000 +0000 @@ -300,10 +300,6 @@ dest.file.name, isc_result_totext(result)); } - fprintf(stderr, - "isc_stdio_open '%s' failed: %s\n", - dest.file.name, - isc_result_totext(result)); } else { (void)isc_stdio_close(fp); } @@ -313,8 +309,6 @@ syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s", dest.file.name, isc_result_totext(result)); } - fprintf(stderr, "isc_file_isplainfile '%s' failed: %s\n", - dest.file.name, isc_result_totext(result)); } done: diff -Nru bind9-9.16.37/bin/named/main.c bind9-9.16.42/bin/named/main.c --- bind9-9.16.37/bin/named/main.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/named/main.c 2023-06-09 14:35:17.000000000 +0000 @@ -703,6 +703,7 @@ isc_buffer_init(&b, buf, sizeof(buf)); format_supported_algorithms(printit); printf("\n"); + dst_lib_destroy(); } else { printf("DST initialization failure: %s\n", isc_result_totext(result)); 
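Review bot: In the @@ -570 hunk of bin/named/controlconf.c the event is now freed before `isc_timer_destroy(&conn->timer)` and `maybe_free_connection(conn)`, but nothing in the code says that this order is required. If the reason is that the timer now keeps track of its posted events (CHANGES entry 5845 on this page describes that refactoring), a short comment such as `/* Free the event before destroying the timer that posted it. */` would stop a later cleanup from swapping the lines back. The @@ -245 hunk of bin/tests/optional/sock_test.c further down still destroys the timer first and frees the event afterwards, so it is worth confirming which of the two orders is the safe one. The enclosing function starts outside the hunk.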
@@ -1278,6 +1279,13 @@ "linked to OpenSSL version: %s", SSLeay_version(SSLEAY_VERSION)); #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "compiled with libuv version: %d.%d.%d", UV_VERSION_MAJOR, + UV_VERSION_MINOR, UV_VERSION_PATCH); + isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, + NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, + "linked to libuv version: %s", uv_version_string()); #ifdef HAVE_LIBXML2 isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, diff -Nru bind9-9.16.37/bin/named/server.c bind9-9.16.42/bin/named/server.c --- bind9-9.16.37/bin/named/server.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/named/server.c 2023-06-09 14:35:17.000000000 +0000 @@ -2671,6 +2671,7 @@ if (*old_rpz_okp) { dns_rpz_detach_rpzs(&view->rpzs); dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs); + dns_rpz_detach_rpzs(&pview->rpzs); } else if (old != NULL && pview != NULL) { ++pview->rpzs->rpz_ver; view->rpzs->rpz_ver = pview->rpzs->rpz_ver; @@ -3173,6 +3174,7 @@ if (old != NULL) { dns_catz_catzs_detach(&view->catzs); dns_catz_catzs_attach(pview->catzs, &view->catzs); + dns_catz_catzs_detach(&pview->catzs); dns_catz_prereconfig(view->catzs); } @@ -3977,7 +3979,8 @@ const cfg_obj_t *dyndb_list, *plugin_list; const cfg_obj_t *disabled; const cfg_obj_t *obj, *obj2; - const cfg_listelt_t *element; + const cfg_listelt_t *element = NULL; + const cfg_listelt_t *zone_element_latest = NULL; in_port_t port; dns_cache_t *cache = NULL; isc_result_t result; @@ -3994,7 +3997,6 @@ dns_dispatch_t *dispatch6 = NULL; bool rpz_configured = false; bool catz_configured = false; - bool zones_configured = false; bool reused_cache = false; bool shared_cache = false; int i = 0, j = 0, k = 0; 
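Review bot: The `dns_rpz_detach_rpzs(&pview->rpzs);` added right after the attach in the @@ -2671 hunk of bin/named/server.c turns the pair into a hand-over of the reference from the previous view to the new one, and that intent is not written down next to the code. A one-line comment, for example `/* Move the reference: pview must not keep rpzs once view holds it. */`, would make the three calls readable as a unit; the same applies to `dns_catz_catzs_detach(&pview->catzs);` in the @@ -3173 hunk. Both functions continue outside the hunks, so any later read of `pview->rpzs` or `pview->catzs` on these paths should be checked, since the visible `else if` branch dereferences `pview->rpzs` and is safe only because it is the branch that did not detach.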
@@ -4098,8 +4100,8 @@ CHECK(configure_zone(config, zconfig, vconfig, mctx, view, viewlist, kasplist, actx, false, old_rpz_ok, false)); + zone_element_latest = element; } - zones_configured = true; /* * Check that a master or slave zone was found for each @@ -5878,9 +5880,6 @@ named_config_get(maps, "catalog-zones", &obj) == ISC_R_SUCCESS) { - if (pview->catzs != NULL) { - dns_catz_catzs_detach(&pview->catzs); - } /* * We are swapping the places of the `view` and * `pview` in the function's parameters list @@ -5908,7 +5907,7 @@ dns_view_detach(&pview); } - if (zones_configured) { + if (zone_element_latest != NULL) { for (element = cfg_list_first(zonelist); element != NULL; element = cfg_list_next(element)) { @@ -5916,6 +5915,13 @@ cfg_listelt_value(element); configure_zone_setviewcommit(result, zconfig, view); + if (element == zone_element_latest) { + /* + * This was the latest element that was + * successfully configured earlier. + */ + break; + } } } } @@ -6770,6 +6776,7 @@ dns_zone_attach(pview->managed_keys, &view->managed_keys); dns_zone_setview(pview->managed_keys, view); + dns_zone_setviewcommit(pview->managed_keys); dns_view_detach(&pview); dns_zone_synckeyzone(view->managed_keys); return (ISC_R_SUCCESS); @@ -9285,8 +9292,8 @@ logobj = NULL; (void)cfg_map_get(config, "logging", &logobj); if (logobj != NULL) { - CHECKM(named_logconfig(logc, logobj), "configuring " - "logging"); + CHECKM(named_logconfig(logc, logobj), + "configuring logging"); } else { named_log_setdefaultchannels(logc); CHECKM(named_log_setunmatchedcategory(logc), @@ -9657,6 +9664,7 @@ if (isc_refcount_decrement(&zl->refs) == 1) { named_server_t *server = zl->server; bool reconfig = zl->reconfig; + dns_view_t *view = NULL; isc_refcount_destroy(&zl->refs); isc_mem_put(server->mctx, zl, sizeof(*zl)); 
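Review bot: `zone_element_latest` is assigned only after `configure_zone()` has succeeded (@@ -4098 hunk), so the loop in the @@ -5916 hunk stops one element before the zone whose configuration failed. Whether that zone also needs `configure_zone_setviewcommit()` depends on whether `configure_zone()` can change the zone's view before it returns an error, which is not visible here; the comment above the `break` should state that the failed zone is left out on purpose. The name would read more clearly as `last_configured_zone`, because "latest" suggests time rather than position in `zonelist`. The function starts and ends outside these hunks.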
@@ -9677,6 +9685,28 @@ "all zones loaded"); } + for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; + view = ISC_LIST_NEXT(view, link)) + { + if (view->managed_keys != NULL) { + result = dns_zone_synckeyzone( + view->managed_keys); + if (result != ISC_R_SUCCESS) { + isc_log_write( + named_g_lctx, + DNS_LOGCATEGORY_DNSSEC, + DNS_LOGMODULE_DNSSEC, + ISC_LOG_ERROR, + "failed to initialize " + "managed-keys for view %s " + "(%s): DNSSEC validation is " + "at risk", + view->name, + isc_result_totext(result)); + } + } + } + CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr), "forcing zone maintenance"); @@ -9925,10 +9955,10 @@ isc_mem_put(server->mctx, nsc, sizeof(*nsc)); } - isc_timer_detach(&server->interface_timer); - isc_timer_detach(&server->heartbeat_timer); - isc_timer_detach(&server->pps_timer); - isc_timer_detach(&server->tat_timer); + isc_timer_destroy(&server->interface_timer); + isc_timer_destroy(&server->heartbeat_timer); + isc_timer_destroy(&server->pps_timer); + isc_timer_destroy(&server->tat_timer); ns_interfacemgr_detach(&server->interfacemgr); diff -Nru bind9-9.16.37/bin/named/zoneconf.c bind9-9.16.42/bin/named/zoneconf.c --- bind9-9.16.37/bin/named/zoneconf.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/named/zoneconf.c 2023-06-09 14:35:17.000000000 +0000 @@ -925,8 +925,8 @@ maps[i] = NULL; if (vconfig != NULL) { - RETERR(named_config_getclass(cfg_tuple_get(vconfig, "class"), - dns_rdataclass_in, &vclass)); + CHECK(named_config_getclass(cfg_tuple_get(vconfig, "class"), + dns_rdataclass_in, &vclass)); } else { vclass = dns_rdataclass_in; } @@ -937,8 +937,8 @@ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); - RETERR(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, - &zclass)); + CHECK(named_config_getclass(cfg_tuple_get(zconfig, "class"), vclass, + &zclass)); dns_zone_setclass(zone, zclass); if (raw != NULL) { dns_zone_setclass(raw, zclass); 
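Review bot: A failure of `dns_zone_synckeyzone()` in the loop added by the @@ -9677 hunk is only logged, and the function then goes on to `dns_zonemgr_forcemaint()` with that view's managed-keys zone not synchronised. If carrying on is deliberate, say so above the loop, for example `/* Not fatal: keep serving; the failure is reported per view below. */`, because the call that follows uses CHECKFATAL and a reader will ask why this one does not. The text "DNSSEC validation is at risk" is then the only signal an operator receives, so it is worth naming in the operator documentation as a message to alert on. `result` is declared outside the hunk.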
@@ -958,7 +958,7 @@ cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj)); } if (cpval == NULL) { - return (ISC_R_NOMEMORY); + CHECK(ISC_R_NOMEMORY); } obj = NULL; @@ -973,7 +973,7 @@ "zone '%s': both 'database' and 'dlz' " "specified", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } len = strlen(dlzname) + 5; @@ -984,7 +984,7 @@ result = strtoargv(mctx, cpval, &dbargc, &dbargv); if (result != ISC_R_SUCCESS && cpval != default_dbtype) { isc_mem_free(mctx, cpval); - return (result); + CHECK(result); } /* @@ -1014,7 +1014,7 @@ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, "zone '%s': 'file' not specified", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { @@ -1052,7 +1052,7 @@ "can only be used with " "'masterfile-format text'", zname); - return (ISC_R_FAILURE); + CHECK(ISC_R_FAILURE); } if (strcasecmp(masterstylestr, "full") == 0) { 
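Review bot: The `cleanup:` label that this change adds at the end of the function (@@ -2050 hunk of bin/named/zoneconf.c) releases only `kasp`, so the early exits converted from `return` and RETERR() to CHECK() still leave other resources behind. In the @@ -973 hunk `CHECK(ISC_R_FAILURE)` exits without freeing `cpval`, which the @@ -958 hunk shows coming from `isc_mem_strdup()` and which the @@ -984 hunk frees by hand before its own CHECK; in the @@ -1174 hunk a failure of `dns_rdatatypestats_create()` or `dns_dnssecsignstats_create()` exits while `zoneqrystats` is still held. With a single exit point now in place, those releases could move under `cleanup:`, guarded by `cpval != default_dbtype` and by NULL checks, with the pointers cleared wherever the normal path already releases them. Only part of the function is visible, so releases outside the hunks may already cover some of this.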
@@ -1077,47 +1077,45 @@ size_t signedlen = strlen(filename) + sizeof(SIGNED); char *signedname; - RETERR(dns_zone_setfile(raw, filename, masterformat, - masterstyle)); + CHECK(dns_zone_setfile(raw, filename, masterformat, + masterstyle)); signedname = isc_mem_get(mctx, signedlen); (void)snprintf(signedname, signedlen, "%s" SIGNED, filename); result = dns_zone_setfile(zone, signedname, dns_masterformat_raw, NULL); isc_mem_put(mctx, signedname, signedlen); - if (result != ISC_R_SUCCESS) { - return (result); - } + CHECK(result); } else { - RETERR(dns_zone_setfile(zone, filename, masterformat, - masterstyle)); + CHECK(dns_zone_setfile(zone, filename, masterformat, + masterstyle)); } obj = NULL; result = cfg_map_get(zoptions, "journal", &obj); if (result == ISC_R_SUCCESS) { - RETERR(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); + CHECK(dns_zone_setjournal(mayberaw, cfg_obj_asstring(obj))); } /* * Notify messages are processed by the raw zone if it exists. */ if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { - RETERR(configure_zone_acl( - zconfig, vconfig, config, allow_notify, ac, mayberaw, - dns_zone_setnotifyacl, dns_zone_clearnotifyacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_notify, + ac, mayberaw, dns_zone_setnotifyacl, + dns_zone_clearnotifyacl)); } /* * XXXAG This probably does not make sense for stubs. */ - RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, - zone, dns_zone_setqueryacl, - dns_zone_clearqueryacl)); - - RETERR(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, - zone, dns_zone_setqueryonacl, - dns_zone_clearqueryonacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query, ac, + zone, dns_zone_setqueryacl, + dns_zone_clearqueryacl)); + + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_query_on, ac, + zone, dns_zone_setqueryonacl, + dns_zone_clearqueryonacl)); obj = NULL; result = named_config_get(maps, "dialup", &obj); 
@@ -1174,10 +1172,10 @@ rcvquerystats = NULL; dnssecsignstats = NULL; if (statlevel == dns_zonestat_full) { - RETERR(isc_stats_create(mctx, &zoneqrystats, - ns_statscounter_max)); - RETERR(dns_rdatatypestats_create(mctx, &rcvquerystats)); - RETERR(dns_dnssecsignstats_create(mctx, &dnssecsignstats)); + CHECK(isc_stats_create(mctx, &zoneqrystats, + ns_statscounter_max)); + CHECK(dns_rdatatypestats_create(mctx, &rcvquerystats)); + CHECK(dns_dnssecsignstats_create(mctx, &dnssecsignstats)); } dns_zone_setrequeststats(zone, zoneqrystats); dns_zone_setrcvquerystats(zone, rcvquerystats); @@ -1216,7 +1214,7 @@ ISC_LOG_ERROR, "dnssec-policy '%s' not found ", kaspname); - RETERR(result); + CHECK(result); } dns_zone_setkasp(zone, kasp); use_kasp = true; 
@@ -1265,62 +1263,62 @@ dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); - RETERR(named_config_getipandkeylist(config, "primaries", - obj, mctx, &ipkl)); + CHECK(named_config_getipandkeylist(config, "primaries", + obj, mctx, &ipkl)); result = dns_zone_setalsonotifydscpkeys( zone, ipkl.addrs, ipkl.dscps, ipkl.keys, ipkl.count); dns_ipkeylist_clear(mctx, &ipkl); - RETERR(result); + CHECK(result); } else { - RETERR(dns_zone_setalsonotify(zone, NULL, 0)); + CHECK(dns_zone_setalsonotify(zone, NULL, 0)); } obj = NULL; result = named_config_get(maps, "parental-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setparentalsrc4dscp(zone, dscp)); + CHECK(dns_zone_setparentalsrc4dscp(zone, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); obj = NULL; result = named_config_get(maps, "parental-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setparentalsrc6dscp(zone, dscp)); + CHECK(dns_zone_setparentalsrc6dscp(zone, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); obj = NULL; result = named_config_get(maps, "notify-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setnotifysrc4dscp(zone, dscp)); + CHECK(dns_zone_setnotifysrc4dscp(zone, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); obj = NULL; result 
= named_config_get(maps, "notify-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setnotifysrc6dscp(zone, dscp)); + CHECK(dns_zone_setnotifysrc6dscp(zone, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); @@ -1332,7 +1330,7 @@ dns_zone_setisself(zone, isself, named_g_server->interfacemgr); - RETERR(configure_zone_acl( + CHECK(configure_zone_acl( zconfig, vconfig, config, allow_transfer, ac, zone, dns_zone_setxfracl, dns_zone_clearxfracl)); @@ -1370,7 +1368,7 @@ "%" PRId64 "' " "is too large", value); - RETERR(ISC_R_RANGE); + CHECK(ISC_R_RANGE); } journal_size = (uint32_t)value; } @@ -1510,7 +1508,7 @@ "%" PRId64 "' " "is too large", value); - RETERR(ISC_R_RANGE); + CHECK(ISC_R_RANGE); } journal_size = (uint32_t)value; } @@ -1540,9 +1538,9 @@ if (ztype == dns_zone_primary) { dns_acl_t *updateacl; - RETERR(configure_zone_acl( - zconfig, vconfig, config, allow_update, ac, mayberaw, - dns_zone_setupdateacl, dns_zone_clearupdateacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, allow_update, + ac, mayberaw, dns_zone_setupdateacl, + dns_zone_clearupdateacl)); updateacl = dns_zone_getupdateacl(mayberaw); if (updateacl != NULL && dns_acl_isinsecure(updateacl)) { @@ -1553,7 +1551,7 @@ zname); } - RETERR(configure_zone_ssutable(zoptions, mayberaw, zname)); + CHECK(configure_zone_ssutable(zoptions, mayberaw, zname)); } /* @@ -1630,7 +1628,7 @@ result = named_config_get(maps, "key-directory", &obj); if (result == ISC_R_SUCCESS) { filename = cfg_obj_asstring(obj); - RETERR(dns_zone_setkeydirectory(zone, filename)); + CHECK(dns_zone_setkeydirectory(zone, filename)); } obj = NULL; 
@@ -1672,8 +1670,8 @@ result = named_config_get(maps, "dnssec-loadkeys-interval", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setrefreshkeyinterval(zone, - cfg_obj_asuint32(obj))); + CHECK(dns_zone_setrefreshkeyinterval(zone, + cfg_obj_asuint32(obj))); obj = NULL; result = cfg_map_get(zoptions, "auto-dnssec", &obj); @@ -1701,10 +1699,10 @@ } if (ztype == dns_zone_secondary || ztype == dns_zone_mirror) { - RETERR(configure_zone_acl(zconfig, vconfig, config, - allow_update_forwarding, ac, mayberaw, - dns_zone_setforwardacl, - dns_zone_clearforwardacl)); + CHECK(configure_zone_acl(zconfig, vconfig, config, + allow_update_forwarding, ac, mayberaw, + dns_zone_setforwardacl, + dns_zone_clearforwardacl)); } /*% @@ -1716,14 +1714,14 @@ if (obj != NULL) { dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); - RETERR(named_config_getipandkeylist( + CHECK(named_config_getipandkeylist( config, "parental-agents", obj, mctx, &ipkl)); result = dns_zone_setparentals(zone, ipkl.addrs, ipkl.keys, ipkl.count); dns_ipkeylist_clear(mctx, &ipkl); - RETERR(result); + CHECK(result); } else { - RETERR(dns_zone_setparentals(zone, NULL, NULL, 0)); + CHECK(dns_zone_setparentals(zone, NULL, NULL, 0)); } } @@ -1894,7 +1892,7 @@ (void)cfg_map_get(zoptions, "allow-transfer", &obj); if (obj == NULL) { dns_acl_t *none; - RETERR(dns_acl_none(mctx, &none)); + CHECK(dns_acl_none(mctx, &none)); dns_zone_setxfracl(zone, none); dns_acl_detach(&none); } 
@@ -1919,23 +1917,23 @@ result = named_config_getremotesdef( named_g_config, "primaries", DEFAULT_IANA_ROOT_ZONE_PRIMARIES, &obj); - RETERR(result); + CHECK(result); } if (obj != NULL) { dns_ipkeylist_t ipkl; dns_ipkeylist_init(&ipkl); - RETERR(named_config_getipandkeylist(config, "primaries", - obj, mctx, &ipkl)); + CHECK(named_config_getipandkeylist(config, "primaries", + obj, mctx, &ipkl)); result = dns_zone_setprimarieswithkeys( mayberaw, ipkl.addrs, ipkl.keys, ipkl.count); count = ipkl.count; dns_ipkeylist_clear(mctx, &ipkl); - RETERR(result); + CHECK(result); } else { result = dns_zone_setprimaries(mayberaw, NULL, 0); } - RETERR(result); + CHECK(result); multi = false; if (count > 1) { 
@@ -1979,50 +1977,50 @@ obj = NULL; result = named_config_get(maps, "transfer-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setxfrsource4(mayberaw, - cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setxfrsource4(mayberaw, + cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setxfrsource4dscp(mayberaw, dscp)); + CHECK(dns_zone_setxfrsource4dscp(mayberaw, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); obj = NULL; result = named_config_get(maps, "transfer-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setxfrsource6(mayberaw, - cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setxfrsource6(mayberaw, + cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setxfrsource6dscp(mayberaw, dscp)); + CHECK(dns_zone_setxfrsource6dscp(mayberaw, dscp)); named_add_reserved_dispatch(named_g_server, cfg_obj_assockaddr(obj)); obj = NULL; result = named_config_get(maps, "alt-transfer-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setaltxfrsource4(mayberaw, - cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setaltxfrsource4(mayberaw, + cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setaltxfrsource4dscp(mayberaw, dscp)); + CHECK(dns_zone_setaltxfrsource4dscp(mayberaw, dscp)); obj = NULL; result = named_config_get(maps, "alt-transfer-source-v6", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); - RETERR(dns_zone_setaltxfrsource6(mayberaw, - cfg_obj_assockaddr(obj))); + CHECK(dns_zone_setaltxfrsource6(mayberaw, + cfg_obj_assockaddr(obj))); dscp = cfg_obj_getdscp(obj); if (dscp == -1) { dscp = named_g_dscp; } - RETERR(dns_zone_setaltxfrsource6dscp(mayberaw, dscp)); + CHECK(dns_zone_setaltxfrsource6dscp(mayberaw, dscp)); obj = NULL; (void)named_config_get(maps, 
"use-alt-transfer-source", &obj); @@ -2050,15 +2048,21 @@ break; case dns_zone_staticstub: - RETERR(configure_staticstub(zoptions, zone, zname, - default_dbtype)); + CHECK(configure_staticstub(zoptions, zone, zname, + default_dbtype)); break; default: break; } - return (ISC_R_SUCCESS); + result = ISC_R_SUCCESS; + +cleanup: + if (kasp != NULL) { + dns_kasp_detach(&kasp); + } + return (result); } /* diff -Nru bind9-9.16.37/bin/nsupdate/nsupdate.c bind9-9.16.42/bin/nsupdate/nsupdate.c --- bind9-9.16.37/bin/nsupdate/nsupdate.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/nsupdate/nsupdate.c 2023-06-09 14:35:17.000000000 +0000 @@ -2707,8 +2707,8 @@ dns_request_destroy(&request); dns_message_detach(&soaquery); ddebug("Out of recvsoa"); - done_update(); seenerror = true; + done_update(); return; } @@ -2815,7 +2815,14 @@ master_total = get_addresses(serverstr, dnsport, master_servers, master_alloc); if (master_total == 0) { - exit(1); + seenerror = true; + dns_rdata_freestruct(&soa); + dns_message_detach(&soaquery); + dns_request_destroy(&request); + dns_message_detach(&rcvmsg); + ddebug("Out of recvsoa"); + done_update(); + return; } master_inuse = 0; } else { diff -Nru bind9-9.16.37/bin/python/isc/coverage.py.in bind9-9.16.42/bin/python/isc/coverage.py.in --- bind9-9.16.37/bin/python/isc/coverage.py.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/python/isc/coverage.py.in 2023-06-09 14:35:17.000000000 +0000 @@ -24,6 +24,7 @@ from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils + ############################################################################ # print a fatal error and exit ############################################################################ diff -Nru bind9-9.16.37/bin/python/isc/dnskey.py.in bind9-9.16.42/bin/python/isc/dnskey.py.in --- bind9-9.16.37/bin/python/isc/dnskey.py.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/python/isc/dnskey.py.in 2023-06-09 14:35:17.000000000 +0000 
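Review bot: The error path that replaces `exit(1)` in the @@ -2815 hunk of bin/nsupdate/nsupdate.c writes out its own teardown list (`dns_rdata_freestruct`, two `dns_message_detach` calls, `dns_request_destroy`, `done_update`), while the @@ -2707 hunk shows another exit from the same function with a similar list in a different order. A shared exit label, or at least a comment listing what each path owns at that point, would make it easier to see that nothing is released twice or missed. Both hunks also set `seenerror = true` before `done_update()`, presumably because `done_update()` acts on it; a comment such as `/* seenerror must be set before done_update() is called. */` would record that. The function starts and ends outside the hunks.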
@@ -14,6 +14,7 @@ import calendar from subprocess import Popen, PIPE + ######################################################################## # Class dnskey ######################################################################## diff -Nru bind9-9.16.37/bin/python/isc/keymgr.py.in bind9-9.16.42/bin/python/isc/keymgr.py.in --- bind9-9.16.37/bin/python/isc/keymgr.py.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/python/isc/keymgr.py.in 2023-06-09 14:35:17.000000000 +0000 @@ -17,6 +17,7 @@ from isc import dnskey, keydict, keyseries, policy, parsetab, utils + ############################################################################ # print a fatal error and exit ############################################################################ diff -Nru bind9-9.16.37/bin/python/isc/keyzone.py.in bind9-9.16.42/bin/python/isc/keyzone.py.in --- bind9-9.16.37/bin/python/isc/keyzone.py.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/python/isc/keyzone.py.in 2023-06-09 14:35:17.000000000 +0000 @@ -14,6 +14,7 @@ import re from subprocess import Popen, PIPE + ######################################################################## # Exceptions ######################################################################## diff -Nru bind9-9.16.37/bin/rndc/rndc.c bind9-9.16.42/bin/rndc/rndc.c --- bind9-9.16.37/bin/rndc/rndc.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/rndc/rndc.c 2023-06-09 14:35:17.000000000 +0000 
@@ -121,7 +121,7 @@ Requires the zone to have a dnssec-policy.\n\ dnstap -reopen\n\ Close, truncate and re-open the DNSTAP output file.\n\ - dnstap -roll count\n\ + dnstap -roll [count]\n\ Close, rename and re-open the DNSTAP output file(s).\n\ dumpdb [-all|-cache|-zones|-adb|-bad|-expired|-fail] [view ...]\n\ Dump cache(s) to the dump file (named_dump.db).\n\ diff -Nru bind9-9.16.37/bin/rndc/rndc.rst bind9-9.16.42/bin/rndc/rndc.rst --- bind9-9.16.37/bin/rndc/rndc.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/rndc/rndc.rst 2023-06-09 14:35:17.000000000 +0000 @@ -173,9 +173,13 @@ notation. ``dnstap`` ( **-reopen** | **-roll** [*number*] ) - This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows + This command closes and re-opens DNSTAP output files. + + ``rndc dnstap -reopen`` allows the output file to be renamed externally, so that ``named`` can - truncate and re-open it. ``rndc dnstap -roll`` causes the output file + truncate and re-open it. + + ``rndc dnstap -roll`` causes the output file to be rolled automatically, similar to log files. The most recent output file has ".0" appended to its name; the previous most recent output file is moved to ".1", and so on. If ``number`` is specified, then diff -Nru bind9-9.16.37/bin/tests/optional/ratelimiter_test.c bind9-9.16.42/bin/tests/optional/ratelimiter_test.c --- bind9-9.16.37/bin/tests/optional/ratelimiter_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/ratelimiter_test.c 2023-06-09 14:35:17.000000000 +0000 
@@ -86,7 +86,7 @@ UNUSED(event); printf("shutdown all\n"); for (i = 0; i < NEVENTS; i++) { - isc_timer_detach(&timers[i]); + isc_timer_destroy(&timers[i]); } isc_app_shutdown(); diff -Nru bind9-9.16.37/bin/tests/optional/rbt_test.c bind9-9.16.42/bin/tests/optional/rbt_test.c --- bind9-9.16.37/bin/tests/optional/rbt_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/rbt_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -184,8 +184,8 @@ dns_rbtnodechain_t chain; dns_fixedname_t fixedorigin; isc_result_t result; - isc_result_t (*move)(dns_rbtnodechain_t * chain, dns_name_t * name, - dns_name_t * origin); + isc_result_t (*move)(dns_rbtnodechain_t *chain, dns_name_t *name, + dns_name_t *origin); dns_rbtnodechain_init(&chain); diff -Nru bind9-9.16.37/bin/tests/optional/shutdown_test.c bind9-9.16.42/bin/tests/optional/shutdown_test.c --- bind9-9.16.37/bin/tests/optional/shutdown_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/shutdown_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -73,7 +73,7 @@ printf("task %s (%p) shutdown\n", info->name, task); if (strcmp(info->name, "0") == 0) { - isc_timer_detach(&info->timer); + isc_timer_destroy(&info->timer); nevent = isc_event_allocate(info->mctx, info, T2_SHUTDOWNOK, t2_shutdown, &tasks[1], sizeof(*event)); @@ -104,7 +104,7 @@ if (info->ticks == 10) { isc_app_shutdown(); } else if (info->ticks >= 15 && info->exiting) { - isc_timer_detach(&info->timer); + isc_timer_destroy(&info->timer); isc_task_detach(&info->task); nevent = isc_event_allocate( info->mctx, info, T2_SHUTDOWNDONE, t1_shutdown, 
@@ -114,7 +114,7 @@ isc_task_detach(&info->peer); } } else if (strcmp(info->name, "foo") == 0) { - isc_timer_detach(&info->timer); + isc_timer_destroy(&info->timer); nevent = isc_event_allocate(info->mctx, info, FOO_EVENT, foo_event, task, sizeof(*event)); RUNTIME_CHECK(nevent != NULL); diff -Nru bind9-9.16.37/bin/tests/optional/sock_test.c bind9-9.16.42/bin/tests/optional/sock_test.c --- bind9-9.16.37/bin/tests/optional/sock_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/sock_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -245,7 +245,7 @@ printf("Timeout, canceling IO on socket %p (task %p)\n", sock, task); isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_ALL); - isc_timer_detach((isc_timer_t **)&event->ev_sender); + isc_timer_destroy((isc_timer_t **)&event->ev_sender); isc_event_free(&event); } diff -Nru bind9-9.16.37/bin/tests/optional/task_test.c bind9-9.16.42/bin/tests/optional/task_test.c --- bind9-9.16.37/bin/tests/optional/task_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/task_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -194,8 +194,8 @@ Sleep(10000); #endif /* ifndef WIN32 */ printf("destroy\n"); - isc_timer_detach(&ti1); - isc_timer_detach(&ti2); + isc_timer_destroy(&ti1); + isc_timer_destroy(&ti2); isc_timermgr_destroy(&timgr); isc_managers_destroy(&netmgr, &taskmgr); printf("destroyed\n"); diff -Nru bind9-9.16.37/bin/tests/optional/timer_test.c bind9-9.16.42/bin/tests/optional/timer_test.c --- bind9-9.16.37/bin/tests/optional/timer_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/optional/timer_test.c 2023-06-09 14:35:17.000000000 +0000 
@@ -164,9 +164,9 @@ Sleep(15000); #endif /* ifndef WIN32 */ printf("destroy\n"); - isc_timer_detach(&ti1); - isc_timer_detach(&ti2); - isc_timer_detach(&ti3); + isc_timer_destroy(&ti1); + isc_timer_destroy(&ti2); + isc_timer_destroy(&ti3); #ifndef WIN32 sleep(2); #else /* ifndef WIN32 */ diff -Nru bind9-9.16.37/bin/tests/system/acl/tests.sh bind9-9.16.42/bin/tests/system/acl/tests.sh --- bind9-9.16.37/bin/tests/system/acl/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/acl/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -99,7 +99,7 @@ # and other values? right out t=`expr $t + 1` $DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} + @10.53.0.2 -b 127.0.0.1 axfr -y "${DEFAULT_HMAC}:three:1234abcd8765" > dig.out.${t} grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two diff -Nru bind9-9.16.37/bin/tests/system/autosign/clean.sh bind9-9.16.42/bin/tests/system/autosign/clean.sh --- bind9-9.16.37/bin/tests/system/autosign/clean.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/autosign/clean.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -23,14 +23,13 @@ rm -f delayksk.key delayzsk.key autoksk.key autozsk.key rm -f dig.out.* rm -f digcomp.out.test* -rm -f digcomp.out.test* rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key rm -f nopriv.key vanishing.key del1.key del2.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock -rm -f ns*/named.lock rm -f ns1/root.db rm -f ns2/example.db +rm -f ns2/optout-with-ent.db rm -f ns2/private.secure.example.db ns2/bar.db rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf diff -Nru bind9-9.16.37/bin/tests/system/autosign/ns2/keygen.sh bind9-9.16.42/bin/tests/system/autosign/ns2/keygen.sh --- bind9-9.16.37/bin/tests/system/autosign/ns2/keygen.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/autosign/ns2/keygen.sh 2023-06-09 14:35:17.000000000 +0000 @@ -56,3 +56,11 @@ done $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null $DSFROMKEY Kbar.+013+60101.key > dsset-bar$TP + +# a zone with empty non-terminals. +zone=optout-with-ent +zonefile=optout-with-ent.db +infile=optout-with-ent.db.in +cat $infile > $zonefile +kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) +$KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null diff -Nru bind9-9.16.37/bin/tests/system/autosign/ns2/named.conf.in bind9-9.16.42/bin/tests/system/autosign/ns2/named.conf.in --- bind9-9.16.37/bin/tests/system/autosign/ns2/named.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/autosign/ns2/named.conf.in 2023-06-09 14:35:17.000000000 +0000 
@@ -96,4 +96,13 @@ auto-dnssec maintain; }; +zone "optout-with-ent" { + type primary; + file "optout-with-ent.db"; + allow-query { any; }; + allow-transfer { any; }; + allow-update { any; }; + auto-dnssec maintain; +}; + include "trusted.conf"; diff -Nru bind9-9.16.37/bin/tests/system/autosign/ns2/optout-with-ent.db.in bind9-9.16.42/bin/tests/system/autosign/ns2/optout-with-ent.db.in --- bind9-9.16.37/bin/tests/system/autosign/ns2/optout-with-ent.db.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/autosign/ns2/optout-with-ent.db.in 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns2.example. . ( + 2010042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2.example. +sub1.ent NS . +sub2.ent NS . diff -Nru bind9-9.16.37/bin/tests/system/autosign/tests.sh bind9-9.16.42/bin/tests/system/autosign/tests.sh --- bind9-9.16.37/bin/tests/system/autosign/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/autosign/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -153,7 +153,7 @@ $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 done - for z in bar. example. private.secure.example. + for z in bar. example. private.secure.example. optout-with-ent. do $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 
@@ -173,6 +173,9 @@ if [ $ret != 0 ]; then echo_i "done"; fi status=$((status + ret)) +echo_i "Convert optout-with-ent from nsec to nsec3" +($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 + echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" for z in . do 
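Review bot: The `|| ret=1` on the added `signing -nsec3param` line tests the exit status of the last pipeline stage (`cat_i`), not of `$RNDCCMD`, so a rejected rndc command goes unnoticed unless the script enables `pipefail`, which is not visible in this hunk. The line also sits after `status=$((status + ret))`, so even a recorded failure is only counted if a later block does not reset `ret` first. Capturing the output keeps the check meaningful: `$RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent > rndc.out.nsec3param 2>&1 || ret=1` followed by `sed 's/^/ns2 /' rndc.out.nsec3param | cat_i` (the file name is illustrative).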
@@ -1741,5 +1744,45 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)" +ret=0 +zone=optout-with-ent +hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL +# check that NSEC3 for ENT is present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +# remove first delegation of two delegations, NSEC3 for ENT should remain. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub1.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is still present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n +grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +# remove second delegation of two delegations, NSEC3 for ENT should be deleted. +( +echo zone $zone +echo server 10.53.0.2 "$PORT" +echo update del sub2.ent.$zone NS +echo send +) | $NSUPDATE +# check that NSEC3 for ENT is gone present +$DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n +grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 +grep "^${hash}.${zone}." dig.out.post.ns2.test$n > /dev/null && ret=1 +$DIG $DIGOPTS @10.53.0.2 axfr "${zone}" > dig.out.axfr.ns2.test$n +grep "^${hash}.${zone}." 
dig.out.axfr.ns2.test$n > /dev/null && ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.37/bin/tests/system/catz/clean.sh bind9-9.16.42/bin/tests/system/catz/clean.sh --- bind9-9.16.37/bin/tests/system/catz/clean.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/clean.sh 2023-06-09 14:35:17.000000000 +0000 @@ -23,6 +23,7 @@ rm -f ns2/__catz__*db rm -f ns2/named.conf.tmp rm -f ns3/dom13.example.db ns3/dom14.example.db +rm -f ns4/catalog-self.example.db rm -f nsupdate.out.* rm -f ns[123]/catalog[1234].example.db rm -rf ns2/zonedir diff -Nru bind9-9.16.37/bin/tests/system/catz/ns2/named1.conf.in bind9-9.16.42/bin/tests/system/catz/ns2/named1.conf.in --- bind9-9.16.37/bin/tests/system/catz/ns2/named1.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/ns2/named1.conf.in 2023-06-09 14:35:17.000000000 +0000 @@ -47,7 +47,7 @@ }; # A faulty dlz configuration to check if named and catz survive a certain class -# of failed configuration attempts (see GL#3060). +# of failed configuration attempts (see GL #3060). # We use "dlz" because the dlz processing code is located in an ideal place in # the view configuration function for the test to cover the view reverting code. #T3dlz "bad-dlz" { 
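Review bot: In the middle stage of the new ENT test, the first `$DIG` call after the `sub1.ent` delete writes to `dig.out.pre.ns2.test$n` again, overwriting the pre-update capture that the earlier greps used. Only the next line, which writes `dig.out.mid.ns2.test$n`, is checked, so the duplicate can be dropped. None of the `$DIG` or `$NSUPDATE` invocations in the block records its own failure with `|| ret=1`, so a refused update shows up only indirectly through the later greps. The comment `# check that NSEC3 for ENT is gone present` should read `# check that NSEC3 for ENT is gone`.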
@@ -78,6 +78,15 @@ primaries { 10.53.0.1; }; }; +# When the following zone configuration is enabled, "dom3.example" should +# already exist as a member of "catalog1.example", and named should be able +# to deal with that situation (see GL #3911). Make sure that this duplicate +# zone comes after the the "catalog1.example" zone in the configuration file. +#T4zone "dom3.example" { +#T4 type secondary; +#T4 file "dom2.example.db"; +#T4}; + key tsig_key. { secret "LSAnCU+Z"; algorithm @DEFAULT_HMAC@; diff -Nru bind9-9.16.37/bin/tests/system/catz/ns4/catalog.example.db.in bind9-9.16.42/bin/tests/system/catz/ns4/catalog.example.db.in --- bind9-9.16.37/bin/tests/system/catz/ns4/catalog.example.db.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/ns4/catalog.example.db.in 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "1" diff -Nru bind9-9.16.37/bin/tests/system/catz/ns4/named.conf.in bind9-9.16.42/bin/tests/system/catz/ns4/named.conf.in --- bind9-9.16.37/bin/tests/system/catz/ns4/named.conf.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/ns4/named.conf.in 2023-06-09 14:35:17.000000000 +0000 
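Review bot: The added `#T4` block declares zone `dom3.example` but points it at `file "dom2.example.db";`. If the mismatched file name is part of the deliberately conflicting configuration, the comment above the block should say so; otherwise it reads as a copy-paste slip for `dom3.example.db`. The same comment has a doubled word in `after the the "catalog1.example" zone`.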
@@ -0,0 +1,55 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "../../common/rndc.key"; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { fd92:7065:b8e:ffff::4; }; + notify no; + notify-delay 0; + recursion no; + serial-query-rate 100; + ixfr-from-differences yes; // GL #3777 + + catalog-zones { + zone "catalog-self.example" + min-update-interval 1s + default-masters { 10.53.0.4; }; + }; +}; + +zone "catalog-self.example" { + type primary; + file "catalog-self.example.db"; + notify explicit; +}; + +key tsig_key. { + secret "LSAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; + +key next_key. { + secret "LaAnCU+Z"; + algorithm @DEFAULT_HMAC@; +}; diff -Nru bind9-9.16.37/bin/tests/system/catz/setup.sh bind9-9.16.42/bin/tests/system/catz/setup.sh --- bind9-9.16.37/bin/tests/system/catz/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/setup.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -19,10 +19,12 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named1.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf cp -f ns1/catalog.example.db.in ns1/catalog1.example.db cp -f ns3/catalog.example.db.in ns3/catalog2.example.db cp -f ns1/catalog.example.db.in ns1/catalog3.example.db cp -f ns1/catalog.example.db.in ns1/catalog4.example.db +cp -f ns4/catalog.example.db.in ns4/catalog-self.example.db mkdir -p ns2/zonedir diff -Nru bind9-9.16.37/bin/tests/system/catz/tests.sh bind9-9.16.42/bin/tests/system/catz/tests.sh --- bind9-9.16.37/bin/tests/system/catz/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/catz/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -373,6 +373,9 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# GL #3060 n=$((n+1)) echo_i "reconfiguring secondary - checking if catz survives a certain class of failed reconfiguration attempts ($n)" ret=0 
@@ -397,6 +400,38 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +nextpart ns2/named.run >/dev/null + +# GL #3911 +n=$((n+1)) +echo_i "reconfiguring secondary - checking if catz survives another type of failed reconfiguration attempts ($n)" +ret=0 +sed -e "s/^#T4//" < ns2/named1.conf.in > ns2/named.conf.tmp +copy_setports ns2/named.conf.tmp ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p "${CONTROLPORT}" reconfig > /dev/null 2>&1 && ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# catalog zone update can be deferred +sleep 2 + +n=$((n+1)) +echo_i "checking again that dom3.example. is served by secondary ($n)" +ret=0 +wait_for_soa @10.53.0.2 dom3.example. dig.out.test$n || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "reconfiguring secondary - reverting the bad configuration ($n)" +ret=0 +copy_setports ns2/named1.conf.in ns2/named.conf +rndccmd 10.53.0.2 reconfig || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +nextpart ns2/named.run >/dev/null + n=$((n+1)) echo_i "removing all records from catalog1 zone ($n)" ret=0 
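Review bot: The GL #3911 step passes on any non-zero exit from `$RNDC ... reconfig > /dev/null 2>&1 && ret=1`, which includes rndc failing to connect or authenticate, so the step can succeed without named ever having processed the duplicate-zone configuration. Keeping rndc's output in a file and grepping it for the expected rejection would tie the result to the intended failure. The `ns2/named.run` tail obtained with `nextpart` could be checked instead, whereas the hunk currently discards it with `nextpart ns2/named.run >/dev/null`.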
@@ -1858,5 +1893,23 @@ if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) +########################################################################## +# GL #3777 +nextpart ns4/named.run >/dev/null + +n=$((n+1)) +echo_i "Adding domain self.example. to catalog-self zone without updating the serial ($n)" +ret=0 +echo "self.zones.catalog-self.example. 3600 IN PTR self.example." >> ns4/catalog-self.example.db +rndccmd 10.53.0.4 reload || ret=1 + +n=$((n+1)) +echo_i "Issuing another rndc reload command after 1 second ($n)" +sleep 1 +rndccmd 10.53.0.4 reload || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +########################################################################## echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.37/bin/tests/system/chain/ans4/ans.py bind9-9.16.42/bin/tests/system/chain/ans4/ans.py --- bind9-9.16.37/bin/tests/system/chain/ans4/ans.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/chain/ans4/ans.py 2023-06-09 14:35:17.000000000 +0000 @@ -265,7 +265,7 @@ if wantsigs: r.answer.append(sigs[-1]) else: - for (i, sig) in rrs: + for i, sig in rrs: if sig and not wantsigs: continue elif sig: diff -Nru bind9-9.16.37/bin/tests/system/checkconf/kasp-bad-keylen.conf bind9-9.16.42/bin/tests/system/checkconf/kasp-bad-keylen.conf --- bind9-9.16.37/bin/tests/system/checkconf/kasp-bad-keylen.conf 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/checkconf/kasp-bad-keylen.conf 2023-06-09 14:35:17.000000000 +0000 @@ -20,5 +20,5 @@ zone "example.net" { type master; file "example.db"; - dnssec-policy "badkeylen"; + dnssec-policy "bad-keylen"; }; diff -Nru bind9-9.16.37/bin/tests/system/cookie/ans9/ans.py bind9-9.16.42/bin/tests/system/cookie/ans9/ans.py --- bind9-9.16.37/bin/tests/system/cookie/ans9/ans.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/cookie/ans9/ans.py 2023-06-09 14:35:17.000000000 +0000 
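Review bot: The first GL #3777 step sets `ret=0` and runs `rndccmd 10.53.0.4 reload || ret=1`, but `n` is incremented for the second step before `ret` is reported or added to `status`, and the second step does not reset `ret`. A failure of the first reload is therefore reported under the second step's number. Adding `if [ $ret -ne 0 ]; then echo_i "failed"; fi` and `status=$((status+ret))` after the first reload, and `ret=0` at the start of the second step, would match the pattern the other steps in this diff use. The block only asserts that both reloads return success; if the regression being guarded is a crash or hang on the second reload, a one-line comment saying so would help.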
@@ -35,6 +35,7 @@ from dns.rdatatype import * from dns.tsig import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: @@ -54,6 +55,7 @@ dopass2 = False + ############################################################################ # # This server will serve valid and spoofed answers. A spoofed answer will diff -Nru bind9-9.16.37/bin/tests/system/dnssec/ans10/ans.py bind9-9.16.42/bin/tests/system/dnssec/ans10/ans.py --- bind9-9.16.37/bin/tests/system/dnssec/ans10/ans.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/dnssec/ans10/ans.py 2023-06-09 14:35:17.000000000 +0000 @@ -25,6 +25,7 @@ from dns.rcode import * from dns.name import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: diff -Nru bind9-9.16.37/bin/tests/system/dnstap/tests.sh bind9-9.16.42/bin/tests/system/dnstap/tests.sh --- bind9-9.16.37/bin/tests/system/dnstap/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/dnstap/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -670,6 +670,7 @@ $FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \ -w dnstap.out > fstrm_capture.out 2>&1 & fstrm_capture_pid=$! + sleep 1 $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i $DIG $DIGOPTS @10.53.0.4 a.example > dig.out diff -Nru bind9-9.16.37/bin/tests/system/dupsigs/tests.sh bind9-9.16.42/bin/tests/system/dupsigs/tests.sh --- bind9-9.16.37/bin/tests/system/dupsigs/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/dupsigs/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -20,29 +20,42 @@ # # We expect the zone to have the following: # -# - 5 signatures for signing.test. +# - 6 signatures for signing.test. # - 3 signatures for ns.signing.test. # - 2 x 500 signatures for a{0000-0499}.signing.test. # -# for a total of 1008. +# for a total of 1009. fully_signed () { - $DIG axfr signing.test -p ${PORT} @10.53.0.1 | - awk 'BEGIN { lines = 0 } - $4 == "RRSIG" {lines++} - END { if (lines != 1008) exit(1) }' + $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr" + awk 'BEGIN { lines = 0 } + $4 == "RRSIG" {lines++} + END { if (lines != 1009) exit(1) }' < "dig.out.ns1.axfr" } -retry_quiet 30 fully_signed || ret=1 + +# Wait for the last NSEC record in the zone to be signed. This is a lightweight +# alternative to avoid many AXFR requests while waiting for the zone to be +# fully signed. +_wait_for_last_nsec_signed() { + $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1 + grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1 + return 0 +} + +echo_i "wait for the zone to be fully signed" +retry_quiet 60 _wait_for_last_nsec_signed +retry_quiet 10 fully_signed || status=1 +if [ $status != 0 ]; then echo_i "failed"; fi start=`date +%s` now=$start end=$((start + 140)) -while [ $now -lt $end ]; do +while [ $now -lt $end ] && [ $status -eq 0 ]; do et=$((now - start)) - echo "=============== $et ============" - $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl + echo_i "............... $et ............" 
+ $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et - awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c + awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` if [ ${et} -ne 0 -a ${lines} -ne 1009 ] then diff -Nru bind9-9.16.37/bin/tests/system/feature-test.c bind9-9.16.42/bin/tests/system/feature-test.c --- bind9-9.16.37/bin/tests/system/feature-test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/feature-test.c 2023-06-09 14:35:17.000000000 +0000 @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -45,6 +46,7 @@ fprintf(stderr, "\t--have-json-c\n"); fprintf(stderr, "\t--have-libxml2\n"); fprintf(stderr, "\t--ipv6only=no\n"); + fprintf(stderr, "\t--md5\n"); fprintf(stderr, "\t--tsan\n"); fprintf(stderr, "\t--with-dlz-filesystem\n"); fprintf(stderr, "\t--with-idn\n"); @@ -174,6 +176,20 @@ #endif /* ifdef WIN32 */ } + if (strcmp(argv[1], "--md5") == 0) { + unsigned char digest[ISC_MAX_MD_SIZE]; + const unsigned char test[] = "test"; + unsigned int size = sizeof(digest); + + if (isc_md(ISC_MD_MD5, test, sizeof(test), digest, &size) == + ISC_R_SUCCESS) + { + return (0); + } else { + return (1); + } + } + if (strcmp(argv[1], "--tsan") == 0) { #if defined(__has_feature) #if __has_feature(thread_sanitizer) diff -Nru bind9-9.16.37/bin/tests/system/forward/ans11/ans.py bind9-9.16.42/bin/tests/system/forward/ans11/ans.py --- bind9-9.16.37/bin/tests/system/forward/ans11/ans.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/forward/ans11/ans.py 2023-06-09 14:35:17.000000000 +0000 
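Review bot: In the rewritten `fully_signed`, the exit status of `$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"` is ignored, while the new `_wait_for_last_nsec_signed` helper guards its query with `|| return 1`. Adding the same guard to the AXFR line keeps the two helpers consistent. The result of `retry_quiet 60 _wait_for_last_nsec_signed` is also discarded; this is harmless because `retry_quiet 10 fully_signed || status=1` follows, but a comment such as `# best-effort wait; fully_signed below is the real check` would make the intent explicit. The polling loop this hunk modifies continues past its last line.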
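Review bot: The new `--md5` branch has no comment saying what it probes, and `sizeof(test)` hashes five bytes because it includes the string's terminating NUL. For an availability check the digest value is irrelevant, so this is harmless, but `sizeof(test) - 1` states the intent. A comment above the `strcmp`, such as `/* Returns 0 if the crypto backend can compute an MD5 digest, 1 otherwise. */`, would document the exit-code contract for the scripts that call this helper. The enclosing function starts and ends outside the hunk.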
@@ -25,6 +25,7 @@ from dns.rcode import * from dns.name import * + # Log query to file def logquery(type, qname): with open("qlog", "a") as f: diff -Nru bind9-9.16.37/bin/tests/system/get_algorithms.py bind9-9.16.42/bin/tests/system/get_algorithms.py --- bind9-9.16.37/bin/tests/system/get_algorithms.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/get_algorithms.py 2023-06-09 14:35:17.000000000 +0000 @@ -111,7 +111,10 @@ f"{TESTCRYPTO} -q {alg.name}", shell=True, check=True, - env={"KEYGEN": KEYGEN}, + env={ + "KEYGEN": KEYGEN, + "TMPDIR": os.getenv("TMPDIR", "/tmp"), + }, stdout=subprocess.DEVNULL, ) except subprocess.CalledProcessError as exc: @@ -232,9 +235,8 @@ # later by run.sh print("export ALGORITHM_SET=error") raise - else: - for name, value in algs_env.items(): - print(f"export {name}={value}") + for name, value in algs_env.items(): + print(f"export {name}={value}") if __name__ == "__main__": diff -Nru bind9-9.16.37/bin/tests/system/inline/tests_signed_zone_files.py bind9-9.16.42/bin/tests/system/inline/tests_signed_zone_files.py --- bind9-9.16.37/bin/tests/system/inline/tests_signed_zone_files.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/inline/tests_signed_zone_files.py 2023-06-09 14:35:17.000000000 +0000 @@ -35,7 +35,6 @@ def test_unsigned_serial_number(): - """ Check whether all signed zone files in the "ns8" subdirectory contain the serial number of the unsigned version of the zone in the raw-format header. diff -Nru bind9-9.16.37/bin/tests/system/kasp/tests.sh bind9-9.16.42/bin/tests/system/kasp/tests.sh --- bind9-9.16.37/bin/tests/system/kasp/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/kasp/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -551,15 +551,23 @@ n=$((n+1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" -rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" -retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" +# DS State should be forced into RUMOURED. +set_keystate "KEY1" "STATE_DS" "rumoured" +check_keys test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) n=$((n+1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" -rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" -retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +now=$(date +%Y%m%d%H%M%S) +rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" +retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" +# DS State should be forced into UNRETENTIVE. +set_keystate "KEY1" "STATE_DS" "unretentive" +check_keys test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) diff -Nru bind9-9.16.37/bin/tests/system/legacy/tests.sh bind9-9.16.42/bin/tests/system/legacy/tests.sh --- bind9-9.16.37/bin/tests/system/legacy/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/legacy/tests.sh 2023-06-09 14:35:17.000000000 +0000 
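Review bot: `now=$(date +%Y%m%d%H%M%S)` yields local time, but the value is passed to `rndc_checkds` as the DS publication or withdrawal time and then matched against the `DSPublish:` and `DSRemoved:` metadata. If named interprets these timestamps as UTC (not visible in this hunk), a runner whose zone is ahead of UTC would submit a time in the future. That could affect the `rumoured` and `unretentive` states that the added `set_keystate` and `check_keys` lines expect. Using `now=$(date -u +%Y%m%d%H%M%S)` at both assignments would remove the dependency on the runner's time zone.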
@@ -33,7 +33,7 @@ resolution_fails() { _servfail=0 _timeout=0 - $DIG $DIGOPTS +tcp +tries=3 +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n + $DIG $DIGOPTS +tcp +time=5 @10.53.0.1 ${1} SOA > dig.out.test$n grep "status: SERVFAIL" dig.out.test$n > /dev/null && _servfail=1 grep "connection timed out" dig.out.test$n > /dev/null && _timeout=1 if [ $_servfail -eq 1 ] || [ $_timeout -eq 1 ]; then diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/clean.sh bind9-9.16.42/bin/tests/system/logfileconfig/clean.sh --- bind9-9.16.37/bin/tests/system/logfileconfig/clean.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/clean.sh 2023-06-09 14:35:17.000000000 +0000 @@ -14,10 +14,9 @@ # # Clean up after log file tests # -rm -f ns1/rndc.conf -rm -f ns1/controls.conf rm -f ns1/named.conf -rm -f ns1/named.pid ns1/named.run +rm -f ns1/named.args +rm -f ns1/named.pid ns1/named.run ns1/named.run.prev rm -f ns1/named.memstats ns1/dig.out rm -f ns1/named_log ns1/named_pipe ns1/named_sym rm -rf ns1/named_dir diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/named1.args bind9-9.16.42/bin/tests/system/logfileconfig/named1.args --- bind9-9.16.37/bin/tests/system/logfileconfig/named1.args 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/named1.args 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1 @@ +-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/named2.args bind9-9.16.42/bin/tests/system/logfileconfig/named2.args --- bind9-9.16.37/bin/tests/system/logfileconfig/named2.args 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/named2.args 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1 @@ +-c named.conf -m record -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4 -L named_deflog diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/controls.conf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/controls.conf.in --- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/controls.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/controls.conf.in 1970-01-01 00:00:00.000000000 +0000 @@ -1,18 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -controls { - inet 127.0.0.1 port @CONTROLPORT@ - allow { 127.0.0.1/32; ::1/128; } - keys { "rndc-key"; }; -}; diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.dirconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.dirconf --- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.dirconf 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.dirconf 1970-01-01 00:00:00.000000000 +0000 
@@ -1,45 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.1; - notify-source 10.53.0.1; - transfer-source 10.53.0.1; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.1; }; - listen-on-v6 { none; }; - recursion no; - notify yes; -}; - -logging { - channel default_log { - file "named_dir"; - print-time yes; - }; - category default { default_log; default_debug; }; - category lame-servers { null; }; -}; - -include "controls.conf"; - -key "rndc-key" { - algorithm hmac-sha256; - secret "Am9vCg=="; -}; - -zone "." { - type primary; - file "root.db"; -}; diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.dirconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.dirconf.in --- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.dirconf.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.dirconf.in 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + dnssec-validation no; + recursion no; + notify yes; +}; + +logging { + channel default_log { + file "/tmp"; + print-time yes; + }; + category default { default_log; default_debug; }; + category lame-servers { null; }; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; }; +}; + +key rndc-key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601 bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601 --- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601 1970-01-01 00:00:00.000000000 +0000 
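Review bot: The `default_log` channel in this new template uses `file "/tmp";`, an absolute path outside the test directory, where the removed `named.dirconf` used the relative name `named_dir`. Judging by the file name, the path is meant to be a directory so that opening the log channel fails, but nothing in the file says so. A comment such as `// deliberately a directory: named is expected to fail to open this channel` would keep it from being "corrected" later. A directory created inside the test's own working directory would give the same condition without depending on the host's `/tmp`.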
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- file "named_iso8601";
- print-time iso8601;
- severity debug 9;
- };
- category default { default_log; default_debug; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601-utc bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601-utc
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601-utc 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601-utc 1970-01-01 00:00:00.000000000 +0000
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- file "named_iso8601_utc";
- print-time iso8601-utc;
- severity debug 9;
- };
- category default { default_log; default_debug; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601-utc.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_iso8601_utc";
+ print-time iso8601-utc;
+ severity debug 9;
+ };
+ category default { default_log; default_debug; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.iso8601.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.iso8601.in 2023-06-09 14:35:17.000000000 +0000
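Review bot: Nothing in this fixture marks the control channel as test-only: `allow { any; }` admits any source address and the key is the inline literal `secret "1234abcd8765";`. The same two stanzas are repeated in named.dirconf.in, named.iso8601.in, named.pipeconf.in, named.plain.in, named.plainconf.in, named.symconf.in, named.tsconf.in, named.unlimited.in and named.versconf.in. That is reasonable for a listener bound to 10.53.0.1 in the system tests, but the files ship in the source package, so a comment above the key such as `/* fixed key for the system tests only; never reuse in a real configuration */` would make the intent explicit. The removed files took the listener from `include "controls.conf"`, so keeping one included file instead of ten copies may also be worth considering, so that a later key or ACL change cannot miss one of them.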
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_iso8601";
+ print-time iso8601;
+ severity debug 9;
+ };
+ category default { default_log; default_debug; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.pipeconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.pipeconf
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.pipeconf 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.pipeconf 1970-01-01 00:00:00.000000000 +0000
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- file "named_pipe";
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.pipeconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.pipeconf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.pipeconf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.pipeconf.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_pipe";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plain bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plain
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plain 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plain 1970-01-01 00:00:00.000000000 +0000
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- file "named_log";
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-
- channel query_log {
- file "query_log";
- print-time yes;
- buffered yes;
- };
- category queries { query_log; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plain.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plain.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plain.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plain.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_log";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plainconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plainconf
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plainconf 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plainconf 1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plainconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plainconf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.plainconf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.plainconf.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.symconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.symconf
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.symconf 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.symconf 1970-01-01 00:00:00.000000000 +0000
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- file "named_sym";
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.symconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.symconf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.symconf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.symconf.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ file "named_sym";
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.tsconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.tsconf
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.tsconf 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.tsconf 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- buffered no;
- file "named_ts" versions 10 size 1000 suffix timestamp; # small size
- severity debug 100;
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-
- channel query_log {
- file "query_log";
- print-time yes;
- buffered yes;
- };
- category queries { query_log; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.tsconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.tsconf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.tsconf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.tsconf.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_ts" versions 3 size 1000 suffix timestamp; # small size
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.unlimited bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.unlimited
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.unlimited 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.unlimited 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- buffered no;
- file "named_unlimited" versions unlimited size 1000;
- severity debug 100;
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-
- channel query_log {
- file "query_log";
- print-time yes;
- buffered yes;
- };
- category queries { query_log; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.unlimited.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.unlimited.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.unlimited.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.unlimited.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_unlimited" versions unlimited size 1000;
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.versconf bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.versconf
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.versconf 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.versconf 1970-01-01 00:00:00.000000000 +0000
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.1;
- notify-source 10.53.0.1;
- transfer-source 10.53.0.1;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
-};
-
-logging {
- channel default_log {
- buffered no;
- file "named_vers" versions 5 size 1000; // really small size
- severity debug 100;
- print-time yes;
- };
- category default { default_log; default_debug; };
- category lame-servers { null; };
-
- channel query_log {
- file "query_log";
- print-time yes;
- buffered yes;
- };
- category queries { query_log; };
-};
-
-include "controls.conf";
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
-
-
-zone "." {
- type primary;
- file "root.db";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.versconf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.versconf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/named.versconf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/named.versconf.in 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ recursion no;
+ notify yes;
+};
+
+logging {
+ channel default_log {
+ buffered no;
+ file "named_vers" versions 5 size 1000; // really small size
+ severity debug 100;
+ print-time yes;
+ };
+ category default { default_log; default_debug; };
+ category lame-servers { null; };
+
+ channel query_log {
+ file "query_log";
+ print-time yes;
+ buffered yes;
+ };
+ category queries { query_log; };
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { "rndc-key"; };
+};
+
+key rndc-key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/rndc.conf.in bind9-9.16.42/bin/tests/system/logfileconfig/ns1/rndc.conf.in
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/rndc.conf.in 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/rndc.conf.in 1970-01-01 00:00:00.000000000 +0000
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- default-server 127.0.0.1;
-};
-
-server 127.0.0.1 {
- key "rndc-key";
- addresses { 127.0.0.1 port @CONTROLPORT@; };
-};
-
-key "rndc-key" {
- algorithm hmac-sha256;
- secret "Am9vCg==";
-};
diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/ns1/root.db bind9-9.16.42/bin/tests/system/logfileconfig/ns1/root.db
--- bind9-9.16.37/bin/tests/system/logfileconfig/ns1/root.db 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/logfileconfig/ns1/root.db 1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -. IN SOA gson.nominum.com. a.root.servers.nil. ( - 2000042100 ; serial - 600 ; refresh - 600 ; retry - 1200 ; expire - 600 ; minimum - ) -. NS a.root-servers.nil. -a.root-servers.nil. A 10.53.0.1 - -example. NS ns2.example. -ns2.example. A 10.53.0.2 - -tsigzone. NS ns2.tsigzone. -ns2.tsigzone. A 10.53.0.2 diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/setup.sh bind9-9.16.42/bin/tests/system/logfileconfig/setup.sh --- bind9-9.16.37/bin/tests/system/logfileconfig/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/setup.sh 2023-06-09 14:35:17.000000000 +0000 @@ -16,6 +16,4 @@ $SHELL clean.sh -copy_setports ns1/named.plain ns1/named.conf -copy_setports ns1/rndc.conf.in ns1/rndc.conf -copy_setports ns1/controls.conf.in ns1/controls.conf +copy_setports ns1/named.plain.in ns1/named.conf diff -Nru bind9-9.16.37/bin/tests/system/logfileconfig/tests.sh bind9-9.16.42/bin/tests/system/logfileconfig/tests.sh --- bind9-9.16.37/bin/tests/system/logfileconfig/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/logfileconfig/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -16,30 +16,6 @@ THISDIR=`pwd` CONFDIR="ns1" -PLAINCONF="${THISDIR}/${CONFDIR}/named.plainconf" -PLAINFILE="named_log" -DIRCONF="${THISDIR}/${CONFDIR}/named.dirconf" -DIRFILE="named_dir" -PIPECONF="${THISDIR}/${CONFDIR}/named.pipeconf" -PIPEFILE="named_pipe" -SYMCONF="${THISDIR}/${CONFDIR}/named.symconf" -SYMFILE="named_sym" -VERSCONF="${THISDIR}/${CONFDIR}/named.versconf" -VERSFILE="named_vers" -TSCONF="${THISDIR}/${CONFDIR}/named.tsconf" -TSFILE="named_ts" -UNLIMITEDCONF="${THISDIR}/${CONFDIR}/named.unlimited" -UNLIMITEDFILE="named_unlimited" -ISOCONF="${THISDIR}/${CONFDIR}/named.iso8601" -ISOFILE="named_iso8601" -ISOCONFUTC="${THISDIR}/${CONFDIR}/named.iso8601-utc" -ISOUTCFILE="named_iso8601_utc" -DLFILE="named_deflog" - -PIDFILE="${THISDIR}/${CONFDIR}/named.pid" -myRNDC="$RNDC -c ${THISDIR}/${CONFDIR}/rndc.conf" -myNAMED="$NAMED -c ${THISDIR}/${CONFDIR}/named.conf -m record,size,mctx -T nosyslog -d 99 -D logfileconfig-ns1 -X named.lock -U 4" - # Test given condition. If true, test again after a second. Used for testing # filesystem-dependent conditions in order to prevent false negatives caused by # directory contents not being synchronized immediately after rename() returns. 
@@ -53,367 +29,216 @@ return 1 } -waitforpidfile() { - for _w in 1 2 3 4 5 6 7 8 9 10 - do - test -f $PIDFILE && break - sleep 1 - done -} - status=0 n=0 -cd $CONFDIR -export SYSTEMTESTTOP=../.. - echo_i "testing log file validity (named -g + only plain files allowed)" -n=`expr $n + 1` -echo_i "testing plain file (named -g) ($n)" # First run with a known good config. -echo > $PLAINFILE -copy_setports $PLAINCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -grep "reloading configuration failed" named.run > /dev/null 2>&1 -if [ $? -ne 0 ] -then - echo_i "testing plain file succeeded" -else - echo_i "testing plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 -fi +n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try directory, expect failure -n=`expr $n + 1` -echo_i "testing directory as log file (named -g) ($n)" -echo > named.run -rm -rf $DIRFILE -mkdir -p $DIRFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $DIRCONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - echo_i "testing directory as file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing directory as log file failed (expected)" - fi -else - echo_i "skipping directory test (unable to create directory)" -fi +n=$((n+1)) +echo_i "testing directory as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try pipe file, expect failure -n=`expr $n + 1` -echo_i "testing pipe file as log file (named -g) ($n)" -echo > named.run -rm -f $PIPEFILE -mkfifo $PIPEFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $PIPECONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "checking logging configuration failed: invalid file" named.run > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - echo_i "testing pipe file as log file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing pipe file as log file failed (expected)" - fi +n=$((n+1)) +echo_i "testing pipe file as log file ($n)" +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=`expr $n + 1` -echo_i "testing symlink to plain file as log file (named -g) ($n)" -# Assume success -echo > named.run -echo > $PLAINFILE -rm -f $SYMFILE $SYMFILE -ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $SYMCONF named.conf - $myRNDC reconfig > rndc.out.test$n 2>&1 - echo > named.run - grep "reloading configuration failed" named.run > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - echo_i "testing symlink to plain file succeeded" - else - echo_i "testing symlink to plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 - fi +n=$((n+1)) +echo_i "testing symlink to plain file as log file ($n)" +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else echo_i "skipping symlink test (unable to create symlink)" fi -# Stop the server and run through a series of tests with various config -# files while controlling the stop/start of the server. -# Have to stop the stock server because it uses "-g" -# -stop_server ns1 - -$myNAMED > /dev/null 2>&1 - -if [ $? -ne 0 ] -then - echo_i "failed to start $myNAMED" - echo_i "exit status: $status" - exit $status -fi - -status=0 -echo_i "testing log file validity (only plain files allowed)" - -n=`expr $n + 1` -echo_i "testing plain file (named -g) ($n)" -# First run with a known good config. -echo > $PLAINFILE -copy_setports $PLAINCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -grep "reloading configuration failed" named.run > /dev/null 2>&1 -if [ $? 
-ne 0 ] -then - echo_i "testing plain file succeeded" -else - echo_i "testing plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 -fi +echo_i "repeat previous tests without named -g" +copy_setports ns1/named.plain.in ns1/named.conf +$PERL ../stop.pl --use-rndc --port ${CONTROLPORT} logfileconfig ns1 +cp named1.args ns1/named.args +start_server --noclean --restart --port ${PORT} ns1 + +n=$((n+1)) +echo_i "testing log file validity (only plain files allowed) ($n)" +ret=0 +cat /dev/null > ns1/named_log +copy_setports ns1/named.plainconf.in ns1/named.conf +nextpart ns1/named.run > /dev/null +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try directory, expect failure -n=`expr $n + 1` +n=$((n+1)) echo_i "testing directory as log file ($n)" -echo > named.run -rm -rf $DIRFILE -mkdir -p $DIRFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $DIRCONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "configuring logging: invalid file" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing directory as file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing directory as log file failed (expected)" - fi -else - echo_i "skipping directory test (unable to create directory)" -fi +ret=0 +nextpart ns1/named.run > /dev/null +copy_setports ns1/named.dirconf.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) # Now try pipe file, expect failure -n=`expr $n + 1` +n=$((n+1)) echo_i "testing pipe file as log file ($n)" -echo > named.run -rm -f $PIPEFILE -mkfifo $PIPEFILE >/dev/null 2>&1 -if [ $? 
-eq 0 ] -then - copy_setports $PIPECONF named.conf - echo > named.run - $myRNDC reconfig > rndc.out.test$n 2>&1 - grep "configuring logging: invalid file" named.run > /dev/null 2>&1 - if [ $? -ne 0 ] - then - echo_i "testing pipe file as log file succeeded (UNEXPECTED)" - echo_i "exit status: 1" - exit 1 - else - echo_i "testing pipe file as log file failed (expected)" - fi +ret=0 +nextpart ns1/named.run > /dev/null +rm -f ns1/named_pipe +if mkfifo ns1/named_pipe >/dev/null 2>&1; then + copy_setports ns1/named.pipeconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration failed: invalid file" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else - echo_i "skipping pipe test (unable to create pipe)" + echo_i "skipping pipe test (unable to create pipe)" fi # Now try symlink file to plain file, expect success -n=`expr $n + 1` +n=$((n+1)) echo_i "testing symlink to plain file as log file ($n)" -# Assume success -status=0 -echo > named.run -echo > $PLAINFILE -rm -f $SYMFILE -ln -s $PLAINFILE $SYMFILE >/dev/null 2>&1 -if [ $? -eq 0 ] -then - copy_setports $SYMCONF named.conf - $myRNDC reconfig > rndc.out.test$n 2>&1 - echo > named.run - grep "reloading configuration failed" named.run > /dev/null 2>&1 - if [ $? 
-ne 0 ] - then - echo_i "testing symlink to plain file succeeded" - else - echo_i "testing symlink to plain file failed (unexpected)" - echo_i "exit status: 1" - exit 1 - fi +ret=0 +rm -f ns1/named_log ns1/named_sym +touch ns1/named_log +if ln -s $(pwd)/ns1/named_log $(pwd)/ns1/named_sym >/dev/null 2>&1; then + nextpart ns1/named.run > /dev/null + copy_setports ns1/named.symconf.in ns1/named.conf + rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n + wait_for_log 5 "reloading configuration succeeded" ns1/named.run || ret=1 + if [ "$ret" -ne 0 ]; then echo_i "failed"; fi + status=$((status+ret)) else echo_i "skipping symlink test (unable to create symlink)" fi -n=`expr $n + 1` -echo_i "testing default logfile using named -L file ($n)" -# Now stop the server again and test the -L option -rm -f $DLFILE -stop_server --use-rndc --port ${CONTROLPORT} ns1 -if ! test -f $PIDFILE; then - copy_setports $PLAINCONF named.conf - $myNAMED -L $DLFILE > /dev/null 2>&1 - if [ $? -ne 0 ]; then - echo_i "failed to start $myNAMED" - echo_i "exit status: $status" - exit $status - fi - - waitforpidfile - - sleep 1 - if [ -f "$DLFILE" ]; then - echo_i "testing default logfile using named -L succeeded" - else - echo_i "testing default logfile using named -L failed" - echo_i "exit status: 1" - exit 1 - fi -else - echo_i "failed to cleanly stop $myNAMED" - echo_i "exit status: 1" - exit 1 -fi - echo_i "testing logging functionality" - -n=`expr $n + 1` +n=$((n+1)) +ret=0 echo_i "testing iso8601 timestamp ($n)" -copy_setports $ISOCONF named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -if grep '^....-..-..T..:..:..\.... ' $ISOFILE > /dev/null; then - echo_i "testing iso8601 timestamp succeeded" -else - echo_i "testing iso8601 timestamp failed" - status=`expr $status + 1` -fi +copy_setports ns1/named.iso8601.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\.... 
' ns1/named_iso8601 > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing iso8601-utc timestamp ($n)" -copy_setports $ISOCONFUTC named.conf -$myRNDC reconfig > rndc.out.test$n 2>&1 -if grep '^....-..-..T..:..:..\....Z' $ISOUTCFILE > /dev/null; then - echo_i "testing iso8601-utc timestamp succeeded" -else - echo_i "testing iso8601-utc timestamp failed" - status=`expr $status + 1` -fi +ret=0 +copy_setports ns1/named.iso8601-utc.in ns1/named.conf +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +grep '^....-..-..T..:..:..\....Z' ns1/named_iso8601_utc > /dev/null || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing explicit versions ($n)" -copy_setports $VERSCONF named.conf +ret=0 +copy_setports ns1/named.versconf.in ns1/named.conf # a seconds since epoch version number -touch $VERSFILE.1480039317 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 +touch ns1/named_vers.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing explicit versions failed: cleanup of old entries took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing explicit versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry -f $VERSFILE.1480039317 -then - echo_i "testing explicit versions failed: $VERSFILE.1480039317 not removed" - status=`expr $status + 1` -fi -if test_with_retry -f $VERSFILE.5 -then - echo_i "testing explicit versions failed: $VERSFILE.5 exists" - status=`expr $status + 1` -fi -if test_with_retry ! 
-f $VERSFILE.4 -then - echo_i "testing explicit versions failed: $VERSFILE.4 does not exist" - status=`expr $status + 1` -fi +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +# we are configured to retain five logfiles (a current file +# and 4 backups). so files with version number 5 or higher +# should be removed. +test_with_retry -f ns1/named_vers.1480039317 && ret=1 +test_with_retry -f ns1/named_vers.5 && ret=1 +test_with_retry -f ns1/named_vers.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing timestamped versions ($n)" -copy_setports $TSCONF named.conf +ret=0 +copy_setports ns1/named.tsconf.in ns1/named.conf # a seconds since epoch version number -touch $TSFILE.2015010112000012 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 -$DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing timestamped versions failed: cleanup of old entries took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing timestamped versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry -f $TSFILE.1480039317 -then - echo_i "testing timestamped versions failed: $TSFILE.1480039317 not removed" - status=`expr $status + 1` -fi +touch ns1/named_ts.1480039317 +# a timestamp version number +touch ns1/named_ts.20150101120000120 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n +_found2() ( + $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n + grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 + + # we are configured to keep three versions, so the oldest + # timestamped versions should be gone, and there should + # be two or three backup ones. 
+ [ -f ns1/named_ts.1480039317 ] && return 1 + [ -f ns1/named_ts.20150101120000120 ] && return 1 + set -- ns1/named_ts.* + [ "$#" -eq 2 -o "$#" -eq 3 ] || return 1 +) +retry_quiet 5 _found2 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) -n=`expr $n + 1` +n=$((n+1)) echo_i "testing unlimited versions ($n)" -copy_setports $UNLIMITEDCONF named.conf +ret=0 +copy_setports ns1/named.unlimited.in ns1/named.conf # a seconds since epoch version number -touch $UNLIMITEDFILE.1480039317 -t1=`$PERL -e 'print time()."\n";'` -$myRNDC reconfig > rndc.out.test$n 2>&1 +touch ns1/named_unlimited.1480039317 +rndc_reconfig ns1 10.53.0.1 > rndc.out.test$n $DIG version.bind txt ch @10.53.0.1 -p ${PORT} > dig.out.test$n -t2=`$PERL -e 'print time()."\n";'` -t=`expr ${t2:-0} - ${t1:-0}` -if test ${t:-1000} -gt 5 -then - echo_i "testing unlimited versions failed: took too long ($t secs)" - status=`expr $status + 1` -fi -if ! grep "status: NOERROR" dig.out.test$n > /dev/null -then - echo_i "testing unlimited versions failed: DiG lookup failed" - status=`expr $status + 1` -fi -if test_with_retry ! -f $UNLIMITEDFILE.1480039317 -then - echo_i "testing unlimited versions failed: $UNLIMITEDFILE.1480039317 removed" - status=`expr $status + 1` -fi -if test_with_retry ! 
-f $UNLIMITEDFILE.4 -then - echo_i "testing unlimited versions failed: $UNLIMITEDFILE.4 does not exist" - status=`expr $status + 1` -fi +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +test_with_retry -f ns1/named_unlimited.1480039317 || ret=1 +test_with_retry -f ns1/named_unlimited.4 || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "testing default logfile using named -L file ($n)" +ret=0 +$PERL ../stop.pl logfileconfig ns1 +cp named2.args ns1/named.args +test -f ns1/named.pid && ret=1 +rm -f ns1/named_deflog +copy_setports ns1/named.plainconf.in ns1/named.conf +start_server --noclean --restart --port ${PORT} ns1 +[ -f "ns1/named_deflog" ] || ret=1 +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.37/bin/tests/system/mkeys/clean.sh bind9-9.16.42/bin/tests/system/mkeys/clean.sh --- bind9-9.16.37/bin/tests/system/mkeys/clean.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/clean.sh 2023-06-09 14:35:17.000000000 +0000 
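Review bot: In the "testing timestamped versions" block of logfileconfig/tests.sh, `_found2` is defined with a parenthesised body, so it runs in a subshell and the `|| ret=1` after `grep "status: NOERROR"` never reaches the caller's `ret`. A failed DiG lookup is therefore ignored as long as the file checks pass. Returning from the function keeps the check effective and lets `retry_quiet` retry it: `grep "status: NOERROR" dig.out.test$n > /dev/null || return 1`. The same function's `[ "$#" -eq 2 -o "$#" -eq 3 ]` uses the obsolescent `-o` operator; `[ "$#" -eq 2 ] || [ "$#" -eq 3 ] || return 1` is the portable spelling.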
@@ -12,17 +12,22 @@ # information regarding copyright ownership. rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk +rm -f */island.conf +rm -f */private.conf rm -f */managed*.conf ns1/managed.key ns1/managed.key.id rm -f */managed-keys.bind* */named.secroots rm -f */named.conf -rm -f ns3/broken.conf rm -f */named.memstats */named.run */named.run.prev rm -f dig.out* delv.out* rndc.out* signer.out* rm -f dsset-. ns1/dsset-. -rm -f ns1/zone.key rm -f ns*/managed-keys.bind* rm -f ns*/named.lock +rm -f ns1/dsset-sub.tld. +rm -f ns1/dsset-tld. rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp +rm -f ns1/zone.key +rm -f ns3/broken.conf +rm -f ns4/dsset-sub.foo. rm -f ns5/named.args rm -f ns7/view1.mkeys ns7/view2.mkeys rm -rf ns4/nope diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/named1.conf.in bind9-9.16.42/bin/tests/system/mkeys/ns1/named1.conf.in --- bind9-9.16.37/bin/tests/system/mkeys/ns1/named1.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/named1.conf.in 2023-06-09 14:35:17.000000000 +0000 @@ -47,3 +47,13 @@ allow-update { any; }; auto-dnssec maintain; }; + +zone "tld" { + type primary; + file "tld.db.signed"; +}; + +zone "sub.tld" { + type primary; + file "sub.tld.db.signed"; +}; diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/named2.conf.in bind9-9.16.42/bin/tests/system/mkeys/ns1/named2.conf.in --- bind9-9.16.37/bin/tests/system/mkeys/ns1/named2.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/named2.conf.in 2023-06-09 14:35:17.000000000 +0000 
@@ -45,3 +45,13 @@ type primary; file "root.db.signed"; }; + +zone "tld" { + type primary; + file "tld.db.signed"; +}; + +zone "sub.tld" { + type primary; + file "sub.tld.db.signed"; +}; diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/named3.conf.in bind9-9.16.42/bin/tests/system/mkeys/ns1/named3.conf.in --- bind9-9.16.37/bin/tests/system/mkeys/ns1/named3.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/named3.conf.in 2023-06-09 14:35:17.000000000 +0000 @@ -39,3 +39,13 @@ type primary; file "root.db.signed"; }; + +zone "tld" { + type primary; + file "tld.db.signed"; +}; + +zone "sub.tld" { + type primary; + file "sub.tld.db.signed"; +}; diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/root.db bind9-9.16.42/bin/tests/system/mkeys/ns1/root.db --- bind9-9.16.37/bin/tests/system/mkeys/ns1/root.db 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/root.db 2023-06-09 14:35:17.000000000 +0000 @@ -23,3 +23,6 @@ ; no delegation example. TXT "This is a test." + +tld. NS ns.tld. +ns.tld. A 10.53.0.1 diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/sign.sh bind9-9.16.42/bin/tests/system/mkeys/ns1/sign.sh --- bind9-9.16.37/bin/tests/system/mkeys/ns1/sign.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/sign.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -14,6 +14,24 @@ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh +zone=sub.tld +zonefile=sub.tld.db + +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) +zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) + +$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null +keyfile_to_initial_ds $keyname > island.conf +cp island.conf ../ns5/island.conf + +zone=tld +zonefile=tld.db + +keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone) +zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone) + +$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null + zone=. zonefile=root.db diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/sub.tld.db bind9-9.16.42/bin/tests/system/mkeys/ns1/sub.tld.db --- bind9-9.16.37/bin/tests/system/mkeys/ns1/sub.tld.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/sub.tld.db 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +sub.tld. IN SOA marka.isc.org. ns.sub.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns1/tld.db bind9-9.16.42/bin/tests/system/mkeys/ns1/tld.db --- bind9-9.16.37/bin/tests/system/mkeys/ns1/tld.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns1/tld.db 2023-06-09 14:35:17.000000000 +0000 
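Review bot: Both new `$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null` calls in ns1/sign.sh discard stderr, so a failure to sign `sub.tld` or `tld` leaves no diagnostic at the point where it happens. Dropping the second redirection (`$SIGNER -Sg -o $zone $zonefile > /dev/null`) keeps the signer's messages in the test output. The new ns4/sign.sh has the same line and runs under `#!/bin/sh -e`, where a signer failure would abort the script with no message at all. `zskkeyname` is assigned in each stanza but not used in the lines shown; the rest of ns1/sign.sh is outside the hunk, so confirm it is unused before dropping the assignment.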
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 20 +tld. IN SOA marka.isc.org. ns.tld. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 2 ; minimum + ) +tld. NS ns.tld. +ns.tld. A 10.53.0.1 +sub.tld. NS ns.sub.tld. +ns.sub.tld. A 10.53.0.1 diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns4/named.conf.in bind9-9.16.42/bin/tests/system/mkeys/ns4/named.conf.in --- bind9-9.16.37/bin/tests/system/mkeys/ns4/named.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns4/named.conf.in 2023-06-09 14:35:17.000000000 +0000 @@ -41,3 +41,8 @@ type hint; file "../../common/root.hint"; }; + +zone "sub.foo" { + type primary; + file "sub.foo.db.signed"; +}; diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns4/sign.sh bind9-9.16.42/bin/tests/system/mkeys/ns4/sign.sh --- bind9-9.16.37/bin/tests/system/mkeys/ns4/sign.sh 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/ns4/sign.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf
diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns4/sub.foo.db bind9-9.16.42/bin/tests/system/mkeys/ns4/sub.foo.db
--- bind9-9.16.37/bin/tests/system/mkeys/ns4/sub.foo.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/mkeys/ns4/sub.foo.db 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns5/foo.db bind9-9.16.42/bin/tests/system/mkeys/ns5/foo.db
--- bind9-9.16.37/bin/tests/system/mkeys/ns5/foo.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/mkeys/ns5/foo.db 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo. IN SOA marka.isc.org. ns.foo. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+foo. NS ns.foo.
+ns.foo. A 10.53.0.5
+sub.foo. NS ns.sub.foo.
+ns.sub.foo. A 10.53.0.4
diff -Nru bind9-9.16.37/bin/tests/system/mkeys/ns5/named.conf.in bind9-9.16.42/bin/tests/system/mkeys/ns5/named.conf.in
--- bind9-9.16.37/bin/tests/system/mkeys/ns5/named.conf.in 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/bin/tests/system/mkeys/ns5/named.conf.in 2023-06-09 14:35:17.000000000 +0000
@@ -41,3 +41,11 @@ type hint; file "../../common/root.hint"; }; + +zone "foo" { + type primary; + file "foo.db"; +}; + +include "island.conf"; +include "private.conf"; diff -Nru bind9-9.16.37/bin/tests/system/mkeys/setup.sh bind9-9.16.42/bin/tests/system/mkeys/setup.sh --- bind9-9.16.37/bin/tests/system/mkeys/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/setup.sh 2023-06-09 14:35:17.000000000 +0000 @@ -33,6 +33,7 @@ cp ns5/named1.args ns5/named.args ( cd ns1 && $SHELL sign.sh ) +( cd ns4 && $SHELL sign.sh ) ( cd ns6 && $SHELL setup.sh ) cp ns2/managed.conf ns2/managed1.conf diff -Nru bind9-9.16.37/bin/tests/system/mkeys/tests.sh bind9-9.16.42/bin/tests/system/mkeys/tests.sh --- bind9-9.16.37/bin/tests/system/mkeys/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/mkeys/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -568,44 +568,46 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) -n=$((n+1)) -echo_i "reset the root server with no keys, check for minimal update ($n)" -ret=0 -# Refresh keys first to prevent previous checks from influencing this one. -# Note that we might still get occasional false negatives on some really slow -# machines, when $t1 equals $t2 due to the time elapsed between "rndc -# managed-keys status" calls being equal to the normal active refresh period -# (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as -# set using -T mkeytimers). -mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 -t1=$(grep 'next refresh:' rndc.out.1.$n) || true -stop_server --use-rndc --port "${CONTROLPORT}" ns1 -rm -f ns1/root.db.signed.jnl -cp ns1/root.db ns1/root.db.signed -nextpart ns1/named.run > /dev/null -start_server --noclean --restart --port "${PORT}" ns1 -wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 -mkeys_refresh_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 -# one key listed -count=$(grep -c "keyid: " rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -# it's the original key id -count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -# not revoked -count=$(grep -c "REVOKE" rndc.out.2.$n) || true -[ "$count" -eq 0 ] || ret=1 -# trust is still current -count=$(grep -c "trust" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -count=$(grep -c "trusted since" rndc.out.2.$n) || true -[ "$count" -eq 1 ] || ret=1 -t2=$(grep 'next refresh:' rndc.out.2.$n) || true -[ "$t1" = "$t2" ] && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status+ret)) +if [ ! "$CYGWIN" ]; then + n=$((n+1)) + echo_i "reset the root server with no keys, check for minimal update ($n)" + ret=0 + # Refresh keys first to prevent previous checks from influencing this one. 
+ # Note that we might still get occasional false negatives on some really slow + # machines, when $t1 equals $t2 due to the time elapsed between "rndc + # managed-keys status" calls being equal to the normal active refresh period + # (as calculated per rules listed in RFC 5011 section 2.3) minus an "hour" (as + # set using -T mkeytimers). + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 + t1=$(grep 'next refresh:' rndc.out.1.$n) || true + stop_server --use-rndc --port "${CONTROLPORT}" ns1 + rm -f ns1/root.db.signed.jnl + cp ns1/root.db ns1/root.db.signed + nextpart ns1/named.run > /dev/null + start_server --noclean --restart --port "${PORT}" ns1 + wait_for_log 20 "all zones loaded" ns1/named.run || ret=1 + mkeys_refresh_on 2 || ret=1 + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 + # one key listed + count=$(grep -c "keyid: " rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # it's the original key id + count=$(grep -c "keyid: $originalid" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + # not revoked + count=$(grep -c "REVOKE" rndc.out.2.$n) || true + [ "$count" -eq 0 ] || ret=1 + # trust is still current + count=$(grep -c "trust" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + count=$(grep -c "trusted since" rndc.out.2.$n) || true + [ "$count" -eq 1 ] || ret=1 + t2=$(grep 'next refresh:' rndc.out.2.$n) || true + [ "$t1" = "$t2" ] && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +fi n=$((n+1)) echo_i "reset the root server with no signatures, check for minimal update ($n)" 
@@ -680,8 +682,12 @@ mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1 grep "no views with managed keys" rndc.out.1.$n > /dev/null || ret=1 mkeys_reconfig_on 2 || ret=1 -mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1 -grep "name: \." rndc.out.2.$n > /dev/null || ret=1 +check_root_trust_anchor_is_present_in_status() { + mkeys_status_on 2 > rndc.out.2.$n 2>&1 || return 1 + grep "name: \." rndc.out.2.$n > /dev/null || return 1 + return 0 +} +retry_quiet 5 check_root_trust_anchor_is_present_in_status || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -719,7 +725,9 @@ stop_server --use-rndc --port "${CONTROLPORT}" ns5 nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5 -wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1 # ns5/named.run will contain logs from both the old instance and the new # instance. In order for the test to pass, both must attempt a fetch. count=$(grep -c "Creating key fetch" ns5/named.run) || true 
@@ -728,6 +736,23 @@ status=$((status+ret)) n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# one indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) echo_i "check key refreshes are resumed after root servers become available ($n)" ret=0 stop_server --use-rndc --port "${CONTROLPORT}" ns5 @@ -738,7 +763,9 @@ cp ns5/named2.args ns5/named.args nextpart ns5/named.run > /dev/null start_server --noclean --restart --port "${PORT}" ns5 -wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1 # ns1 should still REFUSE queries from ns5, so resolving should be impossible 
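Review bot: In the new "islands of trust root unreachable" test (`@@ -728,6 +736,23 @@`), `mkeys_sync_on 5` is called without `|| ret=1`, while the other `mkeys_*_on` calls visible in this diff all check their status. If the helper reports failure through its exit status (its definition is not in this diff), a failed sync would go unnoticed before the `grep -c` counts are taken; `mkeys_sync_on 5 || ret=1` would match the neighbouring calls. The second copy of the test in the `@@ -832,5 +861,22 @@` hunk has the same unchecked call. Its comments `# theee lines indicating trust status` and `# three indicates current trust` should read `# three lines indicating trust status` and `# all three indicate current trust`.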
@@ -751,7 +778,9 @@ rm -f ns1/root.db.signed.jnl nextpart ns5/named.run > /dev/null mkeys_reconfig_on 1 || ret=1 -wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1 +wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1 mkeys_secroots_on 5 || ret=1 grep '; managed' ns5/named.secroots > /dev/null || ret=1 # ns1 should not longer REFUSE queries from ns5, so managed keys should be @@ -832,5 +861,22 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)" +ret=0 +mkeys_sync_on 5 +mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1 +# there should be three keys listed now +count=$(grep -c "keyid: " rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# theee lines indicating trust status +count=$(grep -c "trust" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +# three indicates current trust +count=$(grep -c "trusted since" rndc.out.$n) || true +[ "$count" -eq 3 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.37/bin/tests/system/nsec3/tests.sh bind9-9.16.42/bin/tests/system/nsec3/tests.sh --- bind9-9.16.37/bin/tests/system/nsec3/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/nsec3/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -231,7 +231,6 @@ # This is a secondary zone, where the primary is signed with NSEC3 but # the dnssec-policy dictates NSEC. set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600 -set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec diff -Nru bind9-9.16.37/bin/tests/system/nsupdate/setup.sh bind9-9.16.42/bin/tests/system/nsupdate/setup.sh --- bind9-9.16.37/bin/tests/system/nsupdate/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/nsupdate/setup.sh 2023-06-09 14:35:17.000000000 +0000 @@ -73,7 +73,11 @@ $DDNSCONFGEN -q -z example.nil > ns1/ddns.key -$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +if $FEATURETEST --md5; then + $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key +else + echo -n > ns1/md5.key +fi $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key diff -Nru bind9-9.16.37/bin/tests/system/nsupdate/tests.sh bind9-9.16.42/bin/tests/system/nsupdate/tests.sh --- bind9-9.16.37/bin/tests/system/nsupdate/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/nsupdate/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -852,7 +852,14 @@ n=$((n + 1)) ret=0 echo_i "check TSIG key algorithms (nsupdate -k) ($n)" -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +if $FEATURETEST --md5 +then + ALGS="md5 sha1 sha224 sha256 sha384 sha512" +else + ALGS="sha1 sha224 sha256 sha384 sha512" + echo_i "skipping disabled md5 algorithm" +fi +for alg in $ALGS; do $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 server 10.53.0.1 ${PORT} update add ${alg}.keytests.nil. 600 A 10.10.10.3 
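Review bot: In the `else` branch added to nsupdate/setup.sh, `echo -n > ns1/md5.key` relies on `echo -n`, whose behaviour is implementation-defined in POSIX sh; a shell that does not treat `-n` as an option writes the literal text `-n` into the key file. If ns1/md5.key is later included from named.conf (not visible in this hunk), that would turn a skipped MD5 key into a configuration parse error. `: > ns1/md5.key` creates the empty file without depending on echo.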
@@ -860,7 +867,7 @@ END done sleep 2 -for alg in md5 sha1 sha224 sha256 sha384 sha512; do +for alg in $ALGS; do $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 done if [ $ret -ne 0 ]; then @@ -1302,19 +1309,22 @@ grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } -n=$((n + 1)) -ret=0 -echo_i "check that update is rejected if quota is exceeded ($n)" -for loop in 1 2 3 4 5 6 7 8 9 10; do -{ - $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 < /dev/null 2>&1 <> ns4/named.conf } -make_key 1 ${EXTRAPORT1} hmac-md5 +$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 make_key 2 ${EXTRAPORT2} hmac-sha1 make_key 3 ${EXTRAPORT3} hmac-sha224 make_key 4 ${EXTRAPORT4} hmac-sha256 diff -Nru bind9-9.16.37/bin/tests/system/rndc/tests.sh bind9-9.16.42/bin/tests/system/rndc/tests.sh --- bind9-9.16.37/bin/tests/system/rndc/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/rndc/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -350,16 +350,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "testing rndc with hmac-md5 ($n)" -ret=0 -$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -for i in 2 3 4 5 6 -do - $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -done -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +n=$((n+1)) +if $FEATURETEST --md5; then + echo_i "testing rndc with hmac-md5 ($n)" + ret=0 + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 + for i in 2 3 4 5 6 + do + $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +else + echo_i "skipping rndc with hmac-md5 ($n)" +fi n=`expr $n + 1` echo_i "testing rndc with hmac-sha1 ($n)" diff -Nru bind9-9.16.37/bin/tests/system/rpz/ns3/named.conf.in bind9-9.16.42/bin/tests/system/rpz/ns3/named.conf.in --- bind9-9.16.37/bin/tests/system/rpz/ns3/named.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/rpz/ns3/named.conf.in 2023-06-09 14:35:17.000000000 +0000 
@@ -148,3 +148,13 @@ type static-stub; server-addresses { 10.53.0.10; }; }; + +# A faulty dlz configuration to check if named with response policy zones +# survives a certain class of failed configuration attempts (see GL #3880). +# "dlz" is used because the dlz processing code is located in an ideal place in +# the view configuration function for the test to cover the view reverting code. +# The "BAD" comments below are necessary, because they will be removed using +# 'sed' by tests.sh in order to activate the faulty configuration. +#BAD dlz "bad-dlz" { +#BAD database "dlopen bad-dlz.so example.org"; +#BAD }; diff -Nru bind9-9.16.37/bin/tests/system/rpz/tests.sh bind9-9.16.42/bin/tests/system/rpz/tests.sh --- bind9-9.16.37/bin/tests/system/rpz/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/rpz/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -846,6 +846,16 @@ stop_server --use-rndc --port ${CONTROLPORT} ns3 restart 3 "rebuild-bl-rpz" + t=`expr $t + 1` + echo_i "checking if rpz survives a certain class of failed reconfiguration attempts (${t})" + sed -e "s/^#BAD//" < ns3/named.conf.in > ns3/named.conf.tmp + copy_setports ns3/named.conf.tmp ns3/named.conf + rm ns3/named.conf.tmp + $RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed" + sleep 1 + copy_setports ns3/named.conf.in ns3/named.conf + $RNDCCMD $ns3 reconfig || setret "failed" + # reload a RPZ zone that is now deliberately broken. t=`expr $t + 1` echo_i "checking rpz failed update will keep previous rpz rules (${t})" diff -Nru bind9-9.16.37/bin/tests/system/run.sh bind9-9.16.42/bin/tests/system/run.sh --- bind9-9.16.37/bin/tests/system/run.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/run.sh 2023-06-09 14:35:17.000000000 +0000 
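Review bot: In rpz/tests.sh the expected-failure step `$RNDCCMD $ns3 reconfig > /dev/null 2>&1 && setret "failed"` accepts any non-zero exit, so the check also passes when rndc fails for an unrelated reason (for example it cannot reach ns3) and the faulty dlz block was never processed. Since this guards the view-reverting path from GL #3880, I would keep the output (e.g. `> rndc.out.$t 2>&1`) and confirm the rejection in ns3/named.run before restoring the configuration. Waiting for that log line would also replace the fixed `sleep 1`, which is timing-dependent. These lines appear to sit inside a larger block that starts and ends outside the hunk.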
@@ -276,11 +276,8 @@ } core_dumps=$(get_core_dumps | tr '\n' ' ') -assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l) -sanitizer_summaries=$(find "$systest/" -name 'tsan.*' | wc -l) if [ -n "$core_dumps" ]; then echoinfo "I:$systest:Core dump(s) found: $core_dumps" - echofail "R:$systest:FAIL" get_core_dumps | while read -r coredump; do SYSTESTDIR="$systest" echoinfo "D:$systest:backtrace from $coredump:" @@ -308,17 +305,23 @@ gzip -1 "${coredump}" done status=$((status+1)) -elif [ "$assertion_failures" -ne 0 ]; then +fi + +assertion_failures=$(find "$systest/" -name named.run -exec grep "assertion failure" {} + | wc -l) +if [ "$assertion_failures" -ne 0 ]; then SYSTESTDIR="$systest" echoinfo "I:$systest:$assertion_failures assertion failure(s) found" - find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d - echofail "R:$systest:FAIL" status=$((status+1)) -elif [ "$sanitizer_summaries" -ne 0 ]; then - echoinfo "I:$systest:$sanitizer_summaries sanitizer report(s) found" - echofail "R:$systest:FAIL" +fi + +tsan_failures=$(find "$systest/" -name 'tsan.*' | wc -l) +if [ "$tsan_failures" -ne 0 ]; then + echoinfo "I:$systest:$tsan_failures sanitizer report(s) found" + find "$systest/" -name 'tsan.*' -exec grep "SUMMARY: " {} + | sort -u | cat_d status=$((status+1)) -elif [ "$status" -ne 0 ]; then +fi + +if [ "$status" -ne 0 ]; then echofail "R:$systest:FAIL" else echopass "R:$systest:PASS" diff -Nru bind9-9.16.37/bin/tests/system/runtime/tests.sh bind9-9.16.42/bin/tests/system/runtime/tests.sh --- bind9-9.16.37/bin/tests/system/runtime/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/runtime/tests.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -96,7 +96,7 @@ ret=0 testpid=$(run_named ns2 named$n.run -c named-alt3.conf -D runtime-ns2-extra-3) test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep "another named process" ns2/named$n.run > /dev/null && ret=1 kill_named ns2/named-alt3.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 @@ -188,7 +188,7 @@ INSTANCE_NAME="runtime-ns2-extra-7-$(cat ctrl-chars)" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep 'running as.*\\177\\033' ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 @@ -201,7 +201,7 @@ INSTANCE_NAME="runtime-ns2-extra-8-$;" testpid=$(run_named ns2 named$n.run -c named-alt7.conf -D "${INSTANCE_NAME}") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep 'running as.*\\$\\;' ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 @@ -215,7 +215,7 @@ # shellcheck disable=SC2086 testpid=$(run_named ns2 named$n.run $LONG_CMD_LINE -c "named-alt7.conf") test -n "$testpid" || ret=1 -retry_quiet 10 check_named_log "running$" ns2/named$n.run || ret=1 +retry_quiet 60 check_named_log "running$" ns2/named$n.run || ret=1 grep "running as.*\.\.\.$" ns2/named$n.run > /dev/null || ret=1 kill_named ns2/named.pid || ret=1 test -n "$testpid" && retry_quiet 10 check_pid $testpid || ret=1 
@@ -235,7 +235,7 @@ chmod 0700 "${TEMP_NAMED_DIR}" testpid=$(run_named "${TEMP_NAMED_DIR}" "${TEMP_NAMED_DIR}/named$n.run" -u nobody -c named-alt9.conf) test -n "$testpid" || ret=1 - retry_quiet 10 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 + retry_quiet 60 check_named_log "running$" "${TEMP_NAMED_DIR}/named$n.run" || ret=1 [ -s "${TEMP_NAMED_DIR}/named9.pid" ] || ret=1 grep "loading configuration: permission denied" "${TEMP_NAMED_DIR}/named$n.run" > /dev/null && ret=1 kill_named "${TEMP_NAMED_DIR}/named9.pid" || ret=1 diff -Nru bind9-9.16.37/bin/tests/system/serve-stale/ans2/ans.pl bind9-9.16.42/bin/tests/system/serve-stale/ans2/ans.pl --- bind9-9.16.37/bin/tests/system/serve-stale/ans2/ans.pl 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/serve-stale/ans2/ans.pl 2023-06-09 14:35:17.000000000 +0000 @@ -49,6 +49,16 @@ my $SOA = "example 300 IN SOA . . 0 0 0 0 300"; my $NS = "example 300 IN NS ns.example"; my $A = "ns.example 300 IN A $localaddr"; + +# +# Slow delegation +# +my $slowSOA = "slow 300 IN SOA . . 0 0 0 0 300"; +my $slowNS = "slow 300 IN NS ns.slow"; +my $slowA = "ns.slow 300 IN A $localaddr"; +my $slowTXT = "data.slow 2 IN TXT \"A slow text record with a 2 second ttl\""; +my $slownegSOA = "slow 2 IN SOA . . 0 0 0 0 300"; + # # Records to be TTL stretched # @@ -100,6 +110,12 @@ # If we are not responding to queries we are done. return if (!$send_response); + if (index($qname, "latency") == 0) { + # simulate network latency before answering + print " Sleeping 50 milliseconds\n"; + select(undef, undef, undef, 0.05); + } + # Construct the response and send it. if ($qname eq "ns.example" ) { if ($qtype eq "A") { 
@@ -212,6 +228,44 @@ push @auth, $rr; } $rcode = "NOERROR"; + } elsif ($qname eq "ns.slow" ) { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($slowA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "slow") { + if ($qtype eq "NS") { + my $rr = new Net::DNS::RR($slowNS); + push @auth, $rr; + $rr = new Net::DNS::RR($slowA); + push @add, $rr; + } elsif ($qtype eq "SOA") { + my $rr = new Net::DNS::RR($slowSOA); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slowSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; + } elsif ($qname eq "data.slow") { + if ($slow_response) { + print " Sleeping 3 seconds\n"; + sleep(3); + # only one time + $slow_response = 0; + } + if ($qtype eq "TXT") { + my $rr = new Net::DNS::RR($slowTXT); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($slownegSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; } else { my $rr = new Net::DNS::RR($SOA); push @auth, $rr; diff -Nru bind9-9.16.37/bin/tests/system/serve-stale/ns1/root.db bind9-9.16.42/bin/tests/system/serve-stale/ns1/root.db --- bind9-9.16.37/bin/tests/system/serve-stale/ns1/root.db 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/serve-stale/ns1/root.db 2023-06-09 14:35:17.000000000 +0000 @@ -14,3 +14,5 @@ ns.nil. 300 A 10.53.0.1 example. 300 NS ns.example. ns.example. 300 A 10.53.0.2 +slow. 300 NS ns.slow. +ns.slow. 300 A 10.53.0.2 diff -Nru bind9-9.16.37/bin/tests/system/serve-stale/ns3/named2.conf.in bind9-9.16.42/bin/tests/system/serve-stale/ns3/named2.conf.in --- bind9-9.16.37/bin/tests/system/serve-stale/ns3/named2.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/serve-stale/ns3/named2.conf.in 2023-06-09 14:35:17.000000000 +0000 
@@ -39,12 +39,13 @@ stale-answer-ttl 3; stale-refresh-time 0; stale-answer-client-timeout 1800; + recursive-clients 10; # CVE-2022-3924 max-stale-ttl 3600; resolver-query-timeout 10; + qname-minimization disabled; }; zone "." { - type secondary; - primaries { 10.53.0.1; }; - file "root.bk"; + type hint; + file "root.db"; }; diff -Nru bind9-9.16.37/bin/tests/system/serve-stale/tests.sh bind9-9.16.42/bin/tests/system/serve-stale/tests.sh --- bind9-9.16.37/bin/tests/system/serve-stale/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/serve-stale/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -1639,6 +1639,24 @@ status=$((status+ret)) n=$((n+1)) +echo_i "delay responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt slowdown > dig.out.test$n +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "prime cache data.slow TXT (stale-answer-client-timeout) ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.3 data.slow TXT > dig.out.test$n +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) echo_i "disable responses from authoritative server ($n)" ret=0 $DIG -p ${PORT} @10.53.0.2 txt disable > dig.out.test$n @@ -1652,10 +1670,11 @@ nextpart ns3/named.run > /dev/null -echo_i "sending queries for tests $((n+1))-$((n+2))..." +echo_i "sending queries for tests $((n+1))-$((n+3))..." t1=`$PERL -e 'print time()'` $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.example TXT > dig.out.test$((n+1)) & $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 nodata.example TXT > dig.out.test$((n+2)) +$DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 data.slow TXT > dig.out.test$((n+3)) & wait t2=`$PERL -e 'print time()'` 
@@ -1677,21 +1696,32 @@ n=$((n+1)) echo_i "check stale nodata.example TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" +ret=0 grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1 grep "example\..*3.*IN.*SOA" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check stale data.slow TXT comes from cache (stale-answer-client-timeout 1.8) ($n)" +ret=0 +grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 +grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 +grep "data\.slow\..*3.*IN.*TXT.*A slow text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + # Now query for RRset not in cache. The first query should time out, but once # we enable the authoritative server, the second query should be able to get a # response. nextpart ns3/named.run > /dev/null -echo_i "sending queries for tests $((n+2))-$((n+3))..." +echo_i "sending queries for tests $((n+2))-$((n+4))..." $DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example TXT > dig.out.test$((n+2)) & $DIG -p ${PORT} +tries=1 +timeout=10 @10.53.0.3 longttl.example TXT > dig.out.test$((n+3)) & +$DIG -p ${PORT} +tries=1 +timeout=3 @10.53.0.3 longttl.example RRSIG > dig.out.test$((n+4)) & # Enable the authoritative name server after stale-answer-client-timeout. n=$((n+1)) 
@@ -1730,6 +1760,37 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +n=$((n+1)) +echo_i "check not in cache longttl.example RRSIG times out (stale-answer-client-timeout 1.8) ($n)" +ret=0 +check_results() { + [ -s "$1" ] || return 1 + grep "connection timed out" "$1" > /dev/null || return 1 + return 0 +} +retry_quiet 8 check_results dig.out.test$n || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# CVE-2022-3924, GL #3619 +n=$((n+1)) +echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)" +ret=0 +num=0 +# Make sure to exceed the configured value of 'recursive-clients 10;' by running +# 20 parallel queries with simulated network latency. +while [ $num -lt 20 ]; do + $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 & + num=$((num+1)) +done; +_dig_data() { + $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1 + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 +} +retry_quiet 5 _dig_data || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + ############################################# # Test for stale-answer-client-timeout off. # ############################################# @@ -1930,8 +1991,10 @@ status=$((status+ret)) wait_for_rrset_refresh() { - nextpart ns3/named.run | grep 'data.example.*2.*TXT.*"A text record with a 2 second ttl"' > /dev/null && return 0 - return 1 + $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n + grep "status: NOERROR" dig.out.test$n > /dev/null || return 1 + grep "ANSWER: 1," dig.out.test$n > /dev/null || return 1 + grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || return 1 } # This test ensures that after we get stale data due to 
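Review bot: The CVE-2022-3924 check in serve-stale/tests.sh starts 20 `$DIG ... &` jobs but never calls `wait`, so those queries can still be in flight when the next section ("stale-answer-client-timeout off") begins; adding `wait` after `retry_quiet 5 _dig_data || ret=1` keeps them from leaking into later tests. The test also only asserts that a later query returns NOERROR; it does not show that the `recursive-clients 10;` quota was actually reached, so it could pass without exercising the path it is meant to cover. A grep of ns3/named.run for the quota-exceeded log message (exact wording to be taken from named's source) would close that gap. `done;` carries a stray semicolon.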
@@ -1941,10 +2004,6 @@ ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) @@ -2124,10 +2183,6 @@ ret=0 echo_i "check stale data.example TXT was refreshed (stale-answer-client-timeout 0 stale-refresh-time 4) ($n)" retry_quiet 10 wait_for_rrset_refresh || ret=1 -$DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$n -grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1 -grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1 -grep "data\.example\..*[12].*IN.*TXT.*A text record with a 2 second ttl" dig.out.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) diff -Nru bind9-9.16.37/bin/tests/system/shutdown/tests_shutdown.py bind9-9.16.42/bin/tests/system/shutdown/tests_shutdown.py --- bind9-9.16.37/bin/tests/system/shutdown/tests_shutdown.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/shutdown/tests_shutdown.py 2023-06-09 14:35:17.000000000 +0000 @@ -70,7 +70,6 @@ # We're going to execute queries in parallel by means of a thread pool. # dnspython functions block, so we need to circunvent that. with ThreadPoolExecutor(n_workers + 1) as executor: - # Helper dict, where keys=Future objects and values are tags used # to process results later. futures = {} 
@@ -132,6 +131,31 @@ assert ret_code == 0 +def wait_for_named_loaded(resolver, retries=10): + for _ in range(retries): + try: + resolver.query("version.bind", "TXT", "CH") + return True + except (dns.resolver.NoNameservers, dns.exception.Timeout): + time.sleep(1) + return False + + +def wait_for_proc_termination(proc, max_timeout=10): + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + proc.send_signal(signal.SIGABRT) + for _ in range(max_timeout): + if proc.poll() is not None: + return True + time.sleep(1) + + return False + + def test_named_shutdown(named_port, control_port): # pylint: disable-msg=too-many-locals cfg_dir = os.path.join(os.getcwd(), "resolver") 
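Review bot: Both new helpers in tests_shutdown.py lack docstrings, and `wait_for_proc_termination` has a side effect its name does not suggest: after `max_timeout` one-second polls it sends `SIGABRT` and polls again, so a `True` return can mean either a clean exit or an abort forced by the test. I would add `"""Poll proc for up to max_timeout seconds; on timeout send SIGABRT and poll again. Return True once the process has exited."""` and, for `wait_for_named_loaded`, `"""Retry a version.bind CH TXT query once per second; return True on the first answer, False after retries failures."""`. The docstring should also say that only `NoNameservers` and `Timeout` are treated as "not ready yet"; any other exception propagates to the caller.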
@@ -168,40 +192,18 @@ for kill_method in ("rndc", "sigterm"): named_cmdline = [named, "-c", cfg_file, "-f"] with subprocess.Popen(named_cmdline, cwd=cfg_dir) as named_proc: - # Ensure named is running - assert named_proc.poll() is None - # wait for named to finish loading - for _ in range(10): - try: - resolver.query("version.bind", "TXT", "CH") - break - except (dns.resolver.NoNameservers, dns.exception.Timeout): - time.sleep(1) - - do_work( - named_proc, resolver, rndc_cmd, kill_method, n_workers=12, n_queries=16 - ) - - # Wait named to exit for a maximum of MAX_TIMEOUT seconds. - MAX_TIMEOUT = 10 - is_dead = False - for _ in range(MAX_TIMEOUT): - if named_proc.poll() is not None: - is_dead = True - break - time.sleep(1) - - if not is_dead: - named_proc.send_signal(signal.SIGABRT) - for _ in range(MAX_TIMEOUT): - if named_proc.poll() is not None: - is_dead = True - break - time.sleep(1) - if not is_dead: - named_proc.kill() - - assert is_dead - # Ensures that named exited gracefully. - # If it crashed (abort()) exitcode will be non zero. - assert named_proc.returncode == 0 + try: + assert named_proc.poll() is None, "named isn't running" + assert wait_for_named_loaded(resolver) + do_work( + named_proc, + resolver, + rndc_cmd, + kill_method, + n_workers=12, + n_queries=16, + ) + assert wait_for_proc_termination(named_proc) + assert named_proc.returncode == 0, "named crashed" + finally: # Ensure named is terminated in case of an exception + named_proc.kill() diff -Nru bind9-9.16.37/bin/tests/system/statschannel/generic.py bind9-9.16.42/bin/tests/system/statschannel/generic.py --- bind9-9.16.37/bin/tests/system/statschannel/generic.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/statschannel/generic.py 2023-06-09 14:35:17.000000000 +0000 @@ -58,7 +58,6 @@ def zone_mtime(zonedir, name): - try: si = os.stat(os.path.join(zonedir, "{}.db".format(name))) except FileNotFoundError: 
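Review bot: In `test_named_shutdown`, `assert named_proc.returncode == 0, "named crashed"` also fires when `wait_for_proc_termination` had to send SIGABRT because named hung at shutdown, so a hang and a crash are reported with the same message. The two middle asserts carry no message at all. I would write `assert wait_for_named_loaded(resolver), "named did not finish loading"` and `assert wait_for_proc_termination(named_proc), "named did not exit even after SIGABRT"`, and change the last message to `"named exited with a non-zero code (crash or forced abort)"`. The function body starts outside the hunk.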
@@ -70,7 +69,6 @@ def test_zone_timers_primary(fetch_zones, load_timers, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] @@ -84,7 +82,6 @@ def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] zonedir = kwargs["zonedir"] @@ -98,7 +95,6 @@ def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] diff -Nru bind9-9.16.37/bin/tests/system/statschannel/generic_dnspython.py bind9-9.16.42/bin/tests/system/statschannel/generic_dnspython.py --- bind9-9.16.37/bin/tests/system/statschannel/generic_dnspython.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/statschannel/generic_dnspython.py 2023-06-09 14:35:17.000000000 +0000 @@ -28,7 +28,6 @@ def udp_query(ip, port, msg): - ans = dns.query.udp(msg, ip, TIMEOUT, port=port) assert ans.rcode() == dns.rcode.NOERROR @@ -36,7 +35,6 @@ def tcp_query(ip, port, msg): - ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) assert ans.rcode() == dns.rcode.NOERROR @@ -90,7 +88,6 @@ def test_traffic(fetch_traffic, **kwargs): - statsip = kwargs["statsip"] statsport = kwargs["statsport"] port = kwargs["port"] diff -Nru bind9-9.16.37/bin/tests/system/statschannel/tests_json.py bind9-9.16.42/bin/tests/system/statschannel/tests_json.py --- bind9-9.16.37/bin/tests/system/statschannel/tests_json.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/statschannel/tests_json.py 2023-06-09 14:35:17.000000000 +0000 @@ -24,7 +24,6 @@ # JSON helper functions def fetch_zones_json(statsip, statsport): - r = requests.get( "http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600 ) @@ -35,7 +34,6 @@ def fetch_traffic_json(statsip, statsport): - r = requests.get( "http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600 ) 
@@ -47,7 +45,6 @@ def load_timers_json(zone, primary=True): - name = zone["name"] # Check if the primary zone timer exists diff -Nru bind9-9.16.37/bin/tests/system/statschannel/tests_xml.py bind9-9.16.42/bin/tests/system/statschannel/tests_xml.py --- bind9-9.16.37/bin/tests/system/statschannel/tests_xml.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/statschannel/tests_xml.py 2023-06-09 14:35:17.000000000 +0000 @@ -25,7 +25,6 @@ # XML helper functions def fetch_zones_xml(statsip, statsport): - r = requests.get( "http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600 ) @@ -75,7 +74,6 @@ def load_timers_xml(zone, primary=True): - name = zone.attrib["name"] loaded_el = zone.find("loaded") diff -Nru bind9-9.16.37/bin/tests/system/tcp/tests_tcp.py bind9-9.16.42/bin/tests/system/tcp/tests_tcp.py --- bind9-9.16.37/bin/tests/system/tcp/tests_tcp.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/tcp/tests_tcp.py 2023-06-09 14:35:17.000000000 +0000 @@ -43,7 +43,6 @@ # Regression test for CVE-2022-0396 def test_close_wait(named_port): with create_socket("10.53.0.7", named_port) as sock: - msg = create_msg("a.example.", "A") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) (response, rtime) = dns.query.receive_tcp(sock, timeout()) @@ -66,7 +65,6 @@ # request. If it gets stuck in CLOSE_WAIT state, there is no connection # available for the query below and it will time out. with create_socket("10.53.0.7", named_port) as sock: - msg = create_msg("a.example.", "A") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) (response, rtime) = dns.query.receive_tcp(sock, timeout()) diff -Nru bind9-9.16.37/bin/tests/system/testcrypto.sh bind9-9.16.42/bin/tests/system/testcrypto.sh --- bind9-9.16.37/bin/tests/system/testcrypto.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/testcrypto.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -15,6 +15,7 @@ prog=$0 args="" quiet=0 +dir="" msg="cryptography" if test -z "$KEYGEN"; then @@ -75,9 +76,18 @@ exit 1 fi +if test -n "$TMPDIR"; then + dir=$(mktemp -d "$TMPDIR/XXXXXX") + args="$args -K $dir" +fi + if $KEYGEN $args $alg foo > /dev/null 2>&1 then - rm -f Kfoo* + if test -z "$dir"; then + rm -f Kfoo* + else + rm -rf "$dir" + fi else if test $quiet -eq 0; then echo_i "This test requires support for $msg" >&2 diff -Nru bind9-9.16.37/bin/tests/system/tsig/ns1/named.conf.in bind9-9.16.42/bin/tests/system/tsig/ns1/named.conf.in --- bind9-9.16.37/bin/tests/system/tsig/ns1/named.conf.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/tsig/ns1/named.conf.in 2023-06-09 14:35:17.000000000 +0000 @@ -23,10 +23,7 @@ notify no; }; -key "md5" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5; -}; +# md5 key appended by setup.sh at the end key "sha1" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; @@ -53,10 +50,7 @@ algorithm hmac-sha512; }; -key "md5-trunc" { - secret "97rnFx24Tfna4mHPfgnerA=="; - algorithm hmac-md5-80; -}; +# md5-trunc key appended by setup.sh at the end key "sha1-trunc" { secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; diff -Nru bind9-9.16.37/bin/tests/system/tsig/setup.sh bind9-9.16.42/bin/tests/system/tsig/setup.sh --- bind9-9.16.37/bin/tests/system/tsig/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/tsig/setup.sh 2023-06-09 14:35:17.000000000 +0000 
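Review bot: In testcrypto.sh the result of `dir=$(mktemp -d "$TMPDIR/XXXXXX")` is not checked, so if mktemp fails `dir` is empty, `args="$args -K $dir"` passes `-K` without a directory, and the failing `$KEYGEN` run is then reported as missing crypto support for the wrong reason. A guard such as `dir=$(mktemp -d "$TMPDIR/XXXXXX") || exit 1` avoids that. The temporary directory is removed only on the success path shown here; the `else` branch continues outside the hunk, so confirm it also runs `rm -rf "$dir"` (or install a `trap`) so generated key files are not left behind in `$TMPDIR`. `$dir` is also expanded unquoted through `$args`, so a `TMPDIR` containing spaces would be split.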
@@ -17,3 +17,19 @@ $SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf + +if $FEATURETEST --md5 +then + cat >> ns1/named.conf << EOF +# Conditionally included when support for MD5 is available +key "md5" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5; +}; + +key "md5-trunc" { + secret "97rnFx24Tfna4mHPfgnerA=="; + algorithm hmac-md5-80; +}; +EOF +fi diff -Nru bind9-9.16.37/bin/tests/system/tsig/tests.sh bind9-9.16.42/bin/tests/system/tsig/tests.sh --- bind9-9.16.37/bin/tests/system/tsig/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/tsig/tests.sh 2023-06-09 14:35:17.000000000 +0000 @@ -28,20 +28,25 @@ status=0 -echo_i "fetching using hmac-md5 (old form)" -ret=0 -$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 -fi - -echo_i "fetching using hmac-md5 (new form)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (old form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi + + echo_i "fetching using hmac-md5 (new form)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 + grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5" fi echo_i "fetching using hmac-sha1" 
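Review bot: In tsig/tests.sh, `$FEATURETEST --md5` is run separately for each guarded section (here, and again in the truncation and BADTRUNC hunks that follow), which forks the helper three times and repeats the skip logic. Probing once near the top, e.g. `if $FEATURETEST --md5; then have_md5=1; else have_md5=0; fi`, and testing `[ "$have_md5" -eq 1 ]` in each place keeps the three sections in step. The skip messages would read more clearly as `skipping hmac-md5 (MD5 not available)`.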
@@ -89,12 +94,17 @@ # Truncated TSIG # # -echo_i "fetching using hmac-md5 (trunc)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5 (trunc)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 + grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5 (trunc)" fi echo_i "fetching using hmac-sha1 (trunc)" @@ -143,12 +153,17 @@ # Check for bad truncation. # # -echo_i "fetching using hmac-md5-80 (BADTRUNC)" -ret=0 -$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -if [ $ret -eq 1 ] ; then - echo_i "failed"; status=1 +if $FEATURETEST --md5 +then + echo_i "fetching using hmac-md5-80 (BADTRUNC)" + ret=0 + $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 + grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 + if [ $ret -eq 1 ] ; then + echo_i "failed"; status=1 + fi +else + echo_i "skipping using hmac-md5-80 (BADTRUNC)" fi echo_i "fetching using hmac-sha1-80 (BADTRUNC)" diff -Nru bind9-9.16.37/bin/tests/system/ttl/clean.sh bind9-9.16.42/bin/tests/system/ttl/clean.sh --- bind9-9.16.37/bin/tests/system/ttl/clean.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/ttl/clean.sh 2023-06-09 14:35:17.000000000 +0000 
@@ -11,11 +11,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f ./dig.out.* rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run -rm -f ./ns*/named.lock -rm -f ./ns*/_default.nzf -rm -f ./ns*/_default.nzd* -rm -f ./ns*/managed-keys.bind* ns*/*.mkeys* +rm -f ./ns*/managed-keys.bind* diff -Nru bind9-9.16.37/bin/tests/system/ttl/prereq.sh bind9-9.16.42/bin/tests/system/ttl/prereq.sh --- bind9-9.16.37/bin/tests/system/ttl/prereq.sh 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/ttl/prereq.sh 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,31 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "import dns" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +exit 0 diff -Nru bind9-9.16.37/bin/tests/system/ttl/setup.sh bind9-9.16.42/bin/tests/system/ttl/setup.sh --- bind9-9.16.37/bin/tests/system/ttl/setup.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/ttl/setup.sh 2023-06-09 14:35:17.000000000 +0000 
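Review bot: In the new prereq.sh the inner `if … then : else … fi` uses a no-op branch only to negate the import probe, and `$PYTHON` is expanded unquoted in command position. `if ! "$PYTHON" -c "import dns" 2> /dev/null` with the message and `exit 1` in the `then` branch reads more directly and survives an interpreter path containing spaces. This assumes conf.sh sets PYTHON to a bare path rather than a command with arguments, which is not visible here.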
@@ -13,6 +13,5 @@ . $SYSTEMTESTTOP/conf.sh -$SHELL clean.sh copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf diff -Nru bind9-9.16.37/bin/tests/system/ttl/tests.sh bind9-9.16.42/bin/tests/system/ttl/tests.sh --- bind9-9.16.37/bin/tests/system/ttl/tests.sh 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/ttl/tests.sh 1970-01-01 00:00:00.000000000 +0000 
@@ -1,46 +0,0 @@ -#!/bin/sh - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -. $SYSTEMTESTTOP/conf.sh - -dig_with_options() { "$DIG" +noadd +nosea +nostat +noquest +nocomm +nocmd -p "${PORT}" "$@"; } - -status=0 -t=0 - -echo_i "testing min-cache-ttl" -t=$((t+1)) -dig_with_options IN SOA min-example. @10.53.0.2 > dig.out.${t} -TTL=$(< dig.out.${t} awk '{ print $2; }') -[ "$TTL" -eq 60 ] || status=$((status+1)) - -echo_i "testing min-ncache-ttl" -t=$((t+1)) -dig_with_options IN MX min-example. @10.53.0.2 > dig.out.${t} -TTL=$(< dig.out.${t} awk '{ print $2; }') -[ "$TTL" -eq 30 ] || status=$((status+1)) - -echo_i "testing max-cache-ttl" -t=$((t+1)) -dig_with_options IN SOA max-example. @10.53.0.2 > dig.out.${t} -TTL=$(< dig.out.${t} awk '{ print $2; }') -[ "$TTL" -eq 120 ] || status=$((status+1)) - -echo_i "testing max-ncache-ttl" -t=$((t+1)) -dig_with_options IN MX max-example. @10.53.0.2 > dig.out.${t} -TTL=$(< dig.out.${t} awk '{ print $2; }') -[ "$TTL" -eq 60 ] || status=$((status+1)) - -echo_i "exit status: $status" -[ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.37/bin/tests/system/ttl/tests_cache_ttl.py bind9-9.16.42/bin/tests/system/ttl/tests_cache_ttl.py --- bind9-9.16.37/bin/tests/system/ttl/tests_cache_ttl.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/bin/tests/system/ttl/tests_cache_ttl.py 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,32 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import pytest + +pytest.importorskip("dns") +import dns.message +import dns.query + + +@pytest.mark.parametrize( + "qname,rdtype,expected_ttl", + [ + ("min-example.", "SOA", 60), + ("min-example.", "MX", 30), + ("max-example.", "SOA", 120), + ("max-example.", "MX", 60), + ], +) +def test_cache_ttl(qname, rdtype, expected_ttl, named_port): + msg = dns.message.make_query(qname, rdtype) + response = dns.query.udp(msg, "10.53.0.2", timeout=10, port=named_port) + for rr in response.answer + response.authority: + assert rr.ttl == expected_ttl diff -Nru bind9-9.16.37/configure bind9-9.16.42/configure --- bind9-9.16.37/configure 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/configure 2023-06-09 14:35:17.000000000 +0000 @@ -686,6 +686,7 @@ HTMLTARGET PDFLATEX RELEASE_DATE +BUILD_MANPAGES HAVE_XELATEX_FALSE HAVE_XELATEX_TRUE LATEXMK 
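Review bot: The loop at the end of `test_cache_ttl` asserts nothing when both `response.answer` and `response.authority` are empty, so a SERVFAIL or otherwise empty reply from 10.53.0.2 lets all four parametrized cases pass. The removed tests.sh compared a parsed value with `[ "$TTL" -eq 60 ]`, which fails on empty output, so the port is less strict than the script it replaces. Collect the sections first and require content, `rrsets = response.answer + response.authority` followed by `assert rrsets`, and consider `assert response.rcode() == dns.rcode.NOERROR` (which needs `import dns.rcode`) before checking the TTLs.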
@@ -16140,23 +16141,21 @@ # libuv -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libuv" >&5 -$as_echo_n "checking for libuv... " >&6; } pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.0.0" >&5 -$as_echo_n "checking for libuv >= 1.0.0... " >&6; } +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.37.0" >&5 +printf %s "checking for libuv >= 1.37.0... " >&6; } if test -n "$LIBUV_CFLAGS"; then pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0") 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.37.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.37.0") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.0.0" 2>/dev/null` + pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.37.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes 
@@ -16168,12 +16167,12 @@ pkg_cv_LIBUV_LIBS="$LIBUV_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0") 2>&5 + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.37.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.37.0") 2>&5 ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.0.0" 2>/dev/null` + pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.37.0" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes 
@@ -16185,8 +16184,67 @@ if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.37.0" 2>&1` + else + LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.37.0" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBUV_PKG_ERRORS" >&5 + + +pkg_failed=no +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.0.0 libuv < 1.35.0" >&5 +printf %s "checking for libuv >= 1.0.0 libuv < 1.35.0... " >&6; } + +if test -n "$LIBUV_CFLAGS"; then + pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$LIBUV_LIBS"; then + pkg_cv_LIBUV_LIBS="$LIBUV_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then _pkg_short_errors_supported=yes 
@@ -16194,23 +16252,104 @@ _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.0.0" 2>&1` + LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1` else - LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.0.0" 2>&1` + LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$LIBUV_PKG_ERRORS" >&5 - as_fn_error $? "libuv not found" "$LINENO" 5 + as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5 elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - as_fn_error $? "libuv not found" "$LINENO" 5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5 else LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS LIBUV_LIBS=$pkg_cv_LIBUV_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + +fi +elif test $pkg_failed = untried; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +pkg_failed=no +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libuv >= 1.0.0 libuv < 1.35.0" >&5 +printf %s "checking for libuv >= 1.0.0 libuv < 1.35.0... 
" >&6; } + +if test -n "$LIBUV_CFLAGS"; then + pkg_cv_LIBUV_CFLAGS="$LIBUV_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBUV_CFLAGS=`$PKG_CONFIG --cflags "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$LIBUV_LIBS"; then + pkg_cv_LIBUV_LIBS="$LIBUV_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libuv >= 1.0.0 libuv < 1.35.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libuv >= 1.0.0 libuv < 1.35.0") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBUV_LIBS=`$PKG_CONFIG --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBUV_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1` + else + LIBUV_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libuv >= 1.0.0 libuv < 1.35.0" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBUV_PKG_ERRORS" >&5 + + as_fn_error $? 
"libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5 +elif test $pkg_failed = untried; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + as_fn_error $? "libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found" "$LINENO" 5 +else + LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS + LIBUV_LIBS=$pkg_cv_LIBUV_LIBS + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + +fi +else + LIBUV_CFLAGS=$pkg_cv_LIBUV_CFLAGS + LIBUV_LIBS=$pkg_cv_LIBUV_LIBS + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } fi @@ -17511,7 +17650,12 @@ # # was --enable-native-pkcs11 specified? # -# [pairwise: --enable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --without-dlopen] +# DNSRPS builds are included in pairwise testing here and not later because both +# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the +# ordering of the set of ./configure arguments generated during pairwise testing +# is random. +# +# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen] # Check whether --enable-native-pkcs11 was given. if test "${enable_native_pkcs11+set}" = set; then : enableval=$enable_native_pkcs11; : @@ -21462,6 +21606,16 @@ # +# Build the man pages only if we have prebuilt manpages or we can build them from RST sources +# +BUILD_MANPAGES= +if test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":" +then : + BUILD_MANPAGES=man +fi + + +# # Pull release date from CHANGES file last modification date # for reproducible builds # 
@@ -22935,8 +23089,9 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -# DNSRPS is not included in pairwise testing as the librpz library is not -# present in the relevant Docker image. +# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11 +# tests above as both of these features require --with-dlopen (see also the +# relevant comment there). # # [pairwise: skip] # Check whether --enable-dnsrps-dl was given. diff -Nru bind9-9.16.37/configure.ac bind9-9.16.42/configure.ac --- bind9-9.16.37/configure.ac 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/configure.ac 2023-06-09 14:35:17.000000000 +0000 @@ -707,9 +707,9 @@ AC_CHECK_HEADERS([pthread_np.h], [], [], [#include ]) # libuv -AC_MSG_CHECKING(for libuv) -PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [], - [AC_MSG_ERROR([libuv not found])]) +PKG_CHECK_MODULES([LIBUV], [libuv >= 1.37.0], [], + [PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0 libuv < 1.35.0], [], + [AC_MSG_ERROR([libuv >= 1.0.0 (except 1.35.0 and 1.36.0) not found])])]) AX_SAVE_FLAGS([libuv]) CFLAGS="$CFLAGS $LIBUV_CFLAGS" @@ -939,7 +939,12 @@ # # was --enable-native-pkcs11 specified? # -# [pairwise: --enable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --with-dlopen, --disable-native-pkcs11 --without-dlopen] +# DNSRPS builds are included in pairwise testing here and not later because both +# --enable-native-pkcs11 and --enable-dnsrps-dl require --with-dlopen and the +# ordering of the set of ./configure arguments generated during pairwise testing +# is random. +# +# [pairwise: --enable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen, --disable-native-pkcs11 --disable-dnsrps --without-dlopen] AC_ARG_ENABLE(native-pkcs11, AS_HELP_STRING([--enable-native-pkcs11], [use native PKCS11 for public-key crypto [default=no]]), 
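Review bot: The nested `PKG_CHECK_MODULES` calls in the libuv hunk exclude 1.35.0 and 1.36.0, but nothing in configure.ac records why those two releases are rejected; the only trace is the error string. A comment above the check, along the lines of `# libuv 1.35.0 and 1.36.0 are rejected because <reason>; see CHANGES`, would keep a later cleanup from collapsing the two checks back into `libuv >= 1.0.0`. The check also constrains only the library pkg-config finds at build time. Whether the libuv version loaded at run time is verified elsewhere is not visible in this hunk.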
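Review bot: In the new `[pairwise: …]` annotation above `AC_ARG_ENABLE(native-pkcs11, …)` the second and third alternatives are the same string, `--disable-native-pkcs11 --enable-dnsrps --enable-dnsrps-dl --with-dlopen`, so the list holds three distinct argument sets rather than four. If a fourth combination was intended (for instance native PKCS#11 enabled with DNSRPS disabled), it is missing and that pairing is never built; otherwise the duplicate should be dropped. The same annotation is copied into the generated configure script, so the fix belongs here in configure.ac.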
@@ -2154,6 +2159,14 @@ AM_CONDITIONAL([HAVE_XELATEX], [test "$XELATEX" != ":" && test "$LATEXMK" != ":"]) # +# Build the man pages only if we have prebuilt manpages or we can build them from RST sources +# +BUILD_MANPAGES= +AS_IF([test -e doc/man/named.conf.5in || test "$SPHINX_BUILD" != ":"], + [BUILD_MANPAGES=man]) +AC_SUBST([BUILD_MANPAGES]) + +# # Pull release date from CHANGES file last modification date # for reproducible builds # @@ -2583,8 +2596,9 @@ AC_MSG_RESULT([no]) ]) -# DNSRPS is not included in pairwise testing as the librpz library is not -# present in the relevant Docker image. +# DNSRPS builds are included in pairwise testing along --enable-native-pkcs11 +# tests above as both of these features require --with-dlopen (see also the +# relevant comment there). # # [pairwise: skip] AC_ARG_ENABLE([dnsrps-dl], diff -Nru bind9-9.16.37/dangerfile.py bind9-9.16.42/dangerfile.py --- bind9-9.16.37/dangerfile.py 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/dangerfile.py 2023-06-09 14:35:17.000000000 +0000 @@ -60,7 +60,7 @@ # # - FAIL if any of the following is true for any commit on the MR branch: # -# * The subject line starts with "fixup!" or "Apply suggestion". +# * The subject line starts with "fixup!", "amend!" or "Apply suggestion". # # * The subject line starts with a prohibited word indicating a work in # progress commit (e.g. "WIP"). @@ -98,7 +98,9 @@ message_lines = commit.message.splitlines() subject = message_lines[0] if not fixup_error_logged and ( - subject.startswith("fixup!") or subject.startswith("Apply suggestion") + subject.startswith("fixup!") + or subject.startswith("amend!") + or subject.startswith("Apply suggestion") ): fail( "Fixup commits are still present in this merge request. " 
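Review bot: `test -e doc/man/named.conf.5in` is resolved against the directory configure is run from, not the source tree. A build from a separate directory without sphinx-build would therefore leave `BUILD_MANPAGES` empty even when the prebuilt pages ship in the tarball. Anchoring the path, `AS_IF([test -e "$srcdir/doc/man/named.conf.5in" || test "$SPHINX_BUILD" != ":"],`, avoids that; whether this branch supports out-of-tree builds is not visible here. The man pages are also dropped silently in that case, so an `AC_MSG_NOTICE` in the not-found case would make the outcome visible in the configure output.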
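Review bot: The prefix check in the dangerfile.py hunk at -98,7 now covers `fixup!` and `amend!` but still not `squash!`, the third subject prefix that `git rebase --autosquash` acts on, so a leftover `git commit --squash` commit passes this gate. `str.startswith` accepts a tuple, so the three calls can become one: `subject.startswith(("fixup!", "amend!", "squash!", "Apply suggestion"))`. The rule description edited in the hunk at -60,7 should list the same prefixes. The enclosing loop over commits starts and ends outside the hunk.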
@@ -123,8 +125,9 @@ if ( len(message_lines) < 3 and "fixup! " not in subject - and " CHANGES " not in subject - and " release note" not in subject + and "CHANGES " not in subject + and "release note" not in subject.lower() + and "GL #" not in subject ): warn(f"Please write a log message for commit {commit.sha}.") for line in message_lines[2:]: @@ -284,7 +287,7 @@ # * The merge request adds a new CHANGES entry that is not a placeholder and # does not contain any GitLab/RT issue/MR identifiers. -changes_modified = "CHANGES" in modified_files +changes_modified = "CHANGES" in modified_files or "CHANGES.SE" in modified_files no_changes_label_set = "No CHANGES" in mr_labels if not changes_modified and not no_changes_label_set: fail( @@ -297,7 +300,7 @@ "Revert `CHANGES` modifications or unset the *No Changes* label." ) -changes_added_lines = added_lines(target_branch, ["CHANGES"]) +changes_added_lines = added_lines(target_branch, ["CHANGES", "CHANGES.SE"]) placeholders_added = lines_containing(changes_added_lines, "[placeholder]") identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines) if changes_added_lines: 
@@ -393,11 +396,19 @@ configure_added_lines, "AC_ARG_ENABLE" ) + lines_containing(configure_added_lines, "AC_ARG_WITH") annotations_added = lines_containing(configure_added_lines, "# [pairwise: ") -if len(switches_added) > len(annotations_added): - fail( - "This merge request adds at least one new `./configure` switch that " - "is not annotated for pairwise testing purposes." - ) +if switches_added: + if len(switches_added) > len(annotations_added): + fail( + "This merge request adds at least one new `./configure` switch that " + "is not annotated for pairwise testing purposes." + ) + else: + message( + "**Before merging**, please start a full CI pipeline for this " + "branch with the `PAIRWISE_TESTING` variable set to any " + "non-empty value (e.g. `1`). This will cause the `pairwise` " + "job to exercise the new `./configure` switches." + ) ############################################################################### # USER-VISIBLE LOG LEVELS diff -Nru bind9-9.16.37/debian/changelog bind9-9.16.42/debian/changelog --- bind9-9.16.37/debian/changelog 2023-01-25 15:22:22.000000000 +0000 +++ bind9-9.16.42/debian/changelog 2023-06-21 18:31:51.000000000 +0000 
@@ -1,3 +1,18 @@ +bind9 (1:9.16.42-1~deb11u1) bullseye-security; urgency=high + + * Update the upstream signing keys + * New upstream version 9.16.42 + - CVE-2023-2828: The overmem cleaning process has been improved, + to prevent the cache from significantly exceeding the configured + max-cache-size limit. + - CVE-2023-2911: A query that prioritizes stale data over lookup + triggers a fetch to refresh the stale data in cache. If the fetch + is aborted for exceeding the recursion quota, it was possible for + named to enter an infinite callback loop and crash due to stack + overflow. This has been fixed. + + -- Ondřej SurÃŊ Wed, 21 Jun 2023 20:31:51 +0200 + bind9 (1:9.16.37-1~deb11u1) bullseye-security; urgency=high * New upstream version 9.16.37 diff -Nru bind9-9.16.37/debian/upstream/signing-key.asc bind9-9.16.42/debian/upstream/signing-key.asc --- bind9-9.16.37/debian/upstream/signing-key.asc 2023-01-25 15:22:22.000000000 +0000 +++ bind9-9.16.42/debian/upstream/signing-key.asc 2023-06-21 18:31:51.000000000 +0000 
@@ -1,598 +1,151 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFf1aL4BEADaw6pPFCoWEtbcGEbfFRsCxEK2PDjzG7+PWTDUpdJgzMvHKvWU -BkKKpxxkWk6+irY4fZnaRkXKR6ggkTDRXucpssayXt95ZXdniOWGOuEGvGmIcif9 -klfvDLxK3dq1WrsRGs35FE4puxldS0RAS8dcRlq0bqMpnaSPxay8bdvQF8v5syIF -vW2ySfT21e1YgaMdSCu92kmg7lzrPccKFNuX3xkosGIglnoVcjpXqsZEIZjj6YAw -cZiEGB1Lxc88WjWbhrct0S1Z4zITapRAFdY65i1POmHmcyqEDlhYvbPIfk99PUvB -o6SbvE5IGChc+O5cqwp9i8sTw/ABewUkv2rcRfjaehQzIm6HHq3lX+ukqinic1fc -+FsZnQNQXUoh9z3InKPzWkxOcc1DiXkMcXUdxSi7C0zghR/tFKTLHeTOxj8j6oaX -DfWpdhBfFch2ogVQXZMyPaQxuObtG9aVffbpQsTHzAitz5/M7lXj2044DE8p9gcq -ORMZnqAE/uVuYvGzdQZJEx8pDma4Aegx/Nn0Wpv19U2zw2dfGon3Ckrdi8G77K10 -5++BB0ZFDia93kkEodcyJtdLMhFSxXV2XMMN8frO4jhHq86lnG71kbb5Y2ZdrkXz -BCGo6sVMVqWWEXUp4COfgEboeDneLUTlVLFQbgqpgWCCFZKz/k0hQpZbOQARAQAB -tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 -LCAyMDE3LTIwMTgpIDxjb2Rlc2lnbkBpc2Mub3JnPokCPwQTAQgAKQUCV/VovgIb -AwUJBF9JgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPGxG/Bc8C5XwvEP -/jRPx7GaTG4PqXiNptV36r1q+Eg92oRozUqNcuhN/l09gThyClfQylsEhZBcTT3I -VAjqqqAott5XNqw8pyPjERMFnqal0zBMZTln9RLkLnvoWQrHnEzG3CJ9Ndkk7niM -DOpRI71h8+nMl7YbkXOy87qamvoZ2BQZcdL+a8R5p733JaPMDUy5leZKNiywThQQ -iEtpWuz5u+zoALP5EKedPKCr0+xfGTUS5qptR2nHnRXnZouPfbQWKyEWtC3Qbiu+ -0ir9e2/4pp725g+os8TDCyzfRDLgD1cbxPrObwDAiw1B8KrL5l9WD70vfYpyMuvj -aUVkNbL5kFEuKKOrQSxyehyR8pgUyUnYUejmSdXDg/BmOpXr6gscnRDpq7Th6yew -85Dy5ntYHVAO2Qq6Iafnsun0/i1g0Wlv+OEbN+YIXTMbweCt5qddC1ak6I0WomiP -Frh8a2EeFrpRGEsKR9aFxUb+HdobclBMV4T2siewcW12W+MWnvRzVcMxFs/Yf1Wi -4DTb0sAztpftYk3vOVFkhIlTtgp0u9GPkSgCwIeW1ZCVMnxaWMfzDvzjt0cp09MQ -a6MBwIoKPLIRwVOzoyIhS9PrI26e/hdcQPaJo6ESYbJGT64lTbkVoaWkKKbJbJrG -gTnIzoxDL7l9rlYGOy3G1M6jZvT8uFanMM9vl22QfT5niQEcBBABCAAGBQJYPPzW -AAoJEG+m68mRGkwCqeMH/3sYTCls7frQzPDsNxc6sUowMvIHmU99ybUNzcIBEG4v -uBTCTKQm4ubC0vQN1YSGgQwkRAaVLLATA6hXvq0Rif0LHm2U3gNOTl3I4khgy2pp -gE0NNaXJ5WZUFITN2vY41z6RqUccW2vVSa4EfsQF53AshsRC81wjKHx09UX04dtz -AczeqBBoNAQ9IOm4hagiD7uZm9GFg8h0p+f2QgEIz68LOV/EOebyVDCoaU1DV2u2 
-PYDcIwJHHSVBwvmzDDOKqUkqicsOzpMqE96/oZ6vtzTAmQMavQJ5PH4iAlLc5kYs -Cg1fRhSkfw5FKh7I+1OGaNcqqWHRqMXHa/XqgF/IUmyJARwEEAEIAAYFAlg8/UYA -CgkQlumWUDlMmawx6wf+LrvfHO4STQygjoAVpLPL/XwB5DohSrLNygoTJX2D9jol -jgek57VXfJHY2wRWZgCUJ4lN9yUjPnIN5Z2LcmAY4CX4F2QOyWPIplnsggG1mn9z -ERqSNXIdJmNkP8A3/wfmcxgIHUUgM947HpQWC20uNls/27UXGyWZpRsfsE1qza67 -BDCwRwmkJ3Du34tLUH3eup321DX8edmBcVd8zcBhxg4I85mexO6ypq+/u89GSHrC -HZntHaowd42s+Ej2ApcING01WkxgIhvjc/BI7MLQcJ9YGCJWo16nbwrk+7crfP1O -t6yaXPuGWzaCTyEzVdxAl3ONVk+TUfS7nOaakofzRrkCDQRX9Wi+ARAA7jZa8vD6 -sow7Jf6JaeW1HN2Pe4yshwGDYIYNFa8MKCrWhhonll2lex7VLJZrZlJY+y/A8s7w -bzpZimcBpwBAOlCUhxGPlW2M48Smj80x7ViaWbX7JGZMgkHmMu8gocZOdNJIVPMD -T+fs3ZBVPnfeY5Y9ENuikv2S5yv9MGaEsxkTVdvgnk5T87T7s6LXKWOXoP+19A/4 -nvFhOwTitgaMTVh75qZh43gKFuWrAZSeh8nezjdLWz/Ponh23AMWqZK/SBK9dvv0 -T4ZrqwMEU9Vt1zSj26h4RDJmp6Y7/UBWZ84brD7pnm0vRd0tyHUjx52WbArqVeVX -u3es6r23W9H/5xP+7Ufu4xBTXuPdZCVJ810ze6yn4yZCFZMZWA5Ax/Ctq+5DWwpH -bNrETfsPP7/ERCZAN9RRoX9qDupoFfjWtzaWLUjfLUtsfaAuXDLXhJb5wcaA3xNG -FB0r+TcubBo41v/kR6qtVcaigR2G25UKX0dTrBLFs0VieEeRfErpvJPV30QHak9O -IBPQ5ZhrIOGTZ+HdUfkr12qIyEYczqxbtrYRL0CadXGDIzPQkiFPqt9NtRPpYhA+ -84OXeQ9fZdolQJiZF3yrBXb+Jh0tTjPyA4LbtL4O4OKkUQeKBkEZUpdvPBJabsKP -5jtS18MqpOqB96WQfhbu2saNcTeRD72GaxcAEQEAAYkCJQQYAQgADwUCV/VovgIb -DAUJBF9JgAAKCRDxsRvwXPAuV8rPEACvmX/uXTjRHgI3Ofqk+AcSqwfR9XMxnV9i -II7AazAwh2QhUX71ITBvdOW9YmztescIBMP1a18CULo1kinOLix7ihfUjXcKf6AV -KcpbR5tGVFSc6Z0KS7jaMGHNoSlC0UkSo1EZAcOZ9ICvjprwgNrkRxEQXVKJCZla -2o0yFbWDrqszL0VGIDm6NRAItCy8JaAiA2Ze8v1ngCTP+LHL30UT72dswpp+0JCm -cWntZ1ikQokrmXVVfRNObDgtHNj+BAPqaml8hy5Gdv1zhy9HlXpLO85e6qeMgVmm -X5lP4d0gT78YZNCEK/j2dDZM6voKldGs4ejsumuUs9ToSbcXWsfYfVsDtSnAUWui -AvFDrWxh7h2tExire/92Plud82YMidayvUGyTFUpzcxXGlqbCnsCZNIjUjC0qZax -FD2jXRlCxn8RtR8dY0QmnU1rG6h0baZDPn0mgH3TCpTxCJc3oA/plyli6Gfg+Vsh -YKDcZ1FdUlmIfx/tZygCABPRbKiB2DNr5S4Vd5VYZFGUR/hAvrVoE0f/X5bcRavu -daZUIbaHdYuWZP1gIqFp5muOSuDp73ddrIdEbEIeS1JfDcy+jPCFfl2w6TuORSah -UE6h7ewfx3MRCAoHVkyEgUA1XR+7Ic5N4mdoq/9lBVk5oJm58uJtAWbgEs5p5ky5 -twX4/LLOqg== 
-=KES6 ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m -r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk -pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI -yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG -ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0 -/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh -qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF -UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv -SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D -o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt -LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB -tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 -LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln -EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB -Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA -1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj -tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+ -5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn -Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF -JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI -hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa -xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd -gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX -pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP -vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf -6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr -gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF -FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki -33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I 
-LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X -gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa -7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A -5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu -8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN -bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo -p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus -HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF -CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW -f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi -wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I -u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY -0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87 -RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP -NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD -6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL -llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0 -85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x -zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF -1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0 -wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH -/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo -dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON -LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA -Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj -cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE -tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak -a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX -THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4 -EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n 
-ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ -A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY -BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf -5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv -29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx -Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh -nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS -odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87 -y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk -Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr -FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk -7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv -O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k -IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V -Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/ -2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o -NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT -+pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7 -xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym -JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn -uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD -jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06 -3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ -ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb -VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF -SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6 -bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa -C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc -VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek -IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN 
-z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2 -jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg -dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr -2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB -jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB -CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr -mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy -4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu -f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk -vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO -JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi -8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S -XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY -TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY -3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4 -uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM -x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr -0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J -W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD -4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm -Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0 -p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW -QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId -GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ -4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo -VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM -wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr -iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1 -H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB -UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w 
-/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI -/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101 -x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys -uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM -npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr -9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M -hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA -DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA -C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929 -y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln -EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB -CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA -hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS -BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0 -xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV -qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4 -W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U -9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn -uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se -mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I -xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/ -WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV -cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3 -E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU -vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2 -LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4 -wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz -nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq -SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z -zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj 
-pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf -7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/ -08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz -QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ -ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz -iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs -1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ -z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB -Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q -fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg -EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33 -AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ -AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc -bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x -sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua -TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO -vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC -qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0 -TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu -8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z -IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq -x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw -t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO -/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu -Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon -UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q -KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ -SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN -cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn -BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+ 
-XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71 -e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6 -A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz -Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR -63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1 -oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN -J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima -chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9 -mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU -rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv -EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9 -5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE -sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot -s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2 -lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf -vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu -MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ -BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa -3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx -W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C -GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x -8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo -Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y -chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh -DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx -l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0 -JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1 -P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi -1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ -snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo 
-Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN -iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws -VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC -m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa -4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J -Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS -H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+ -g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD -9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW -TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o -uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY -QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS -Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ== -=fX+D ------END PGP PUBLIC KEY BLOCK----- ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS -ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW -AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/ -41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka -4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z -XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u -/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5 -0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa -9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM -uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ -hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB -tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5 -LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA -MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB -Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+ -ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID 
-4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ -JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J -QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV -3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1 -8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/ -/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8 -LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk -QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH -sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9 -BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL -3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj -IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE -U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC -6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G -LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h -BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2 -HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ -kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d -f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8 -4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b -8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF -CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln -xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/ -LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh -KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b -mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya -8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn -vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn -IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7 -VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw 
-IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2 -YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C -L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s -1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl -qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj -nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x -UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73 -qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc -IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb -s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6 -nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl -8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7 -0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6 -ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf -7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS -PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc -GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh -nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX -vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7 -7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo -bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl -ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j -hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH -Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn -0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY -AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP -PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ -xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN -ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+ -oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp 
-aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m -/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY -ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52 -BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB -ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4 -GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW -0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp -69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA -qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N -+tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w -uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql -yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc -TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv -XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f -yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7 -zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf -dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V -XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d -iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK -W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY -UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit -BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV -M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I -EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr -6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo -Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb -HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX -ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT -+iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1 -iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs 
-gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ -AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP -/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH -6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA -5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA -ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC -89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc -493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb -jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g -DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh -nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m -5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld -72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ -RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc -lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS -qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV -FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH -eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ -+gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh -uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN -5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D -IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag -CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL -ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR -2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k -IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n -D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/ -X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm -mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v -zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv 
-YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a -88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id -pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2 -Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu -MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88 -h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa -YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL -XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4 -MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7 -eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz -rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy -5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid -CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/ -zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6 -Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU -a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2 -ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+ -GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14 -MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL -hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe -16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2 -isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7 -Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW -NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc -qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M -bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt -zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX -DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk -XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu -ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4 
-zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY -JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi -qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ -zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS -y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh -qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx -QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww -QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH -X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn -vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi -AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ -aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY -VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+ -flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p -NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ -Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w -lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q -se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc -RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy -MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE -RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71 -PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3 -K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT -Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP -dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+ -qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe -MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc -wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ -7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC -PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj 
-rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4 -b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g -dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5 -Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS -CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+ -96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/ -ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy -a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT -YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs -KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp -bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ -la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u -Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3 -Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ -BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA -CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7 -AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu -9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK -dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH -fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II -XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK -yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz -HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv -SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN -eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp -jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv -DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR -Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p -hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0 -rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV 
-Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt -ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ -i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb -rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637 -CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD -LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l -Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp -dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF -+6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs -gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ -8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf -nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C -r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf -eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD -VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT -zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh -Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU -JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6 -IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE -fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB -dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF -W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d -O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK -jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ -TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF -M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39 -oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp -AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi -sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI -ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8 
-M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3 -Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A -0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8 -x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv -6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw -QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi -gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o -c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb -1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF -8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8 -Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr -rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt -MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV -grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l -QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR -f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu -O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb -SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT -VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg -J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di -ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8 -+SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH -SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5 -8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76 -uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE -JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4 -ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ -Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c -eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E -dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0 
-9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3 -d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526 -tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4 -lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT -KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz -iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR -bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL -d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r -aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6 -X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5 -vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV -4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC -7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5 -UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa -8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588 -7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90 -l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ -4xcYgqlVpv15O7VrD+I= -=Uugw +mQINBGNjen4BEADDHiUVNbkFtiKPaMWjKxbKmF1nmv7XKjDhwSww6WFiGPbQyxNM +r8EHlEJx5kMT67rx0IYMhTLiXm/9C4dGYyUfFWc35CGetuzstzCNkwJs7vZAhEyk ++06CX4GFiHPOmWIupGCxFkNz1Qopz3ZePMlZRslVCHzW4dbg5NKLI0ojXlNaTDU5 +mgUXpsPi/6l6QE6q3ouvmWPF4u71cZ1+W4UkIRAXOlbVsDzGaMaoHjJd8cOM8DrZ +gKHACNPjzqOvEujXDC2vyKw6XpxR+pHz0QcrRtlKnVhPNiKcDfw2mJJ5zxi9uSDc +dh5FomMn9sS4gy2Tub2urELnPf9xnURftRGG3VO6nZc81ufQB4s1BNT2ny0Uhx5V +mXUJwefMypMBfAvWCWBCeyWYtBeo7LT3NmtLq3oVGPfl7+a0ToFAYeghspK8/nOX +6/fqF1MEtzvWjXljz6K7FSDYSY9AoaESLHGwCo6dtff5S7f1+l6PCUNo6aM/B5Ke +SIAN9Lm6z2iVuy9Lukw+5IRoRKHHV4rJauPtDeYoWnNiSd7Q4vFtotUIjRpDARpm +xWS711Q2T+knHFLEiU8QzxjLhOnTzh4n9dDLHCkOY5WM5krldVeL5EuTyPKinuSn +oE01A7I4IGJp753CshibxjNYDiEOVeK93R38Y543edlIrYxnfyMVsiqPkwARAQAB +tDRNaWNoYcWCIEvEmXBpZcWEIChDb2RlLVNpZ25pbmcgS2V5KSA8bWljaGFsQGlz 
+Yy5vcmc+iQJOBBMBCgA4FiEEcGtsKGIOdvkdEfffUQpkKgbFLOwFAmNjen4CGwMF +CwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQUQpkKgbFLOwiLxAAjYuI4JQ8mPq7 +YrV9m4tu+jOKvoKfpjct2Rh02n/X3ChOgrdcXU898eH56tRk8Mv/E+cBTPN9zQn6 +rLprbYR2t2R+zgvuUZWA8In7aewoPIJw8OdlG0gTK9m3VHJIOhIX07qcFttSZw4m +4rEU5mdxi9FatBWBzqnVm4Pn577aqRXK908j+6TvgWbZ6Cq0tw3syVT4kGj+93+P +uIQQQkTYN8UDQPsAKzfzkbQC9I5YXBKUoB9CfhXig8V9N75R0gsWkJ8Vy/8wsPXT +9/EPIIzhnhSuUIjvvBPbLGrzDgbhrfUQ/QVuXDVN8xl3rAWM/tiNGOnmzoYORyM5 +ftrnCDIaO4aVKR6rtEzfdQa5Kid1StfhFien/U8jYErxkEn2HRt2gVEX5nYq31T+ +0jgVode2Dzkm4+HKHmfOYsQeC07Mu6wZw9raNYqFjTcfh0ajFpLIT3j2YqOJE2jy +KbcveJcy2NiOiUl13exIZuBkZm0wEVbvgVX1PlgL3GJqnbU/Q+maRTb8FBoQVsOd +GIm7U/phU91qR+00SkOcp2LgHCCNKrmHXgiBNYBbInNIp6ze3bFvfKTRFn8WdY9v +Z7vNfKar8rt90mpjYG9qMhmvh4E9icfp3wRUtOwyi7VVtVTTUq0iFTe2C0m0v6KW +XcDwwwaTbl79BOqOH3Gp1flS2ECBsyiZAg0EY2N8xQEQAMWcyZbpxEyefX4JTszG +ocpz8C8yqvZJQUfoDK5AecQWR7OegPkIqwJcHEH5cz+MduklXNQdra/snn6pxGig +At3xCwfzRTH/aYXdjcjnma1elzZSTgk6Maw4zR/W9wea2DcUtMCcsys0gviN/VUe +Aqt+5pmhy2PlEWfJG+Mzyrqgz3Q8hRyAJAKONAwNhs1A4ZqQX/6iuCkJbH1CBeoW ++c+5qJHYEXsx25qR1yiKOFo5b90QOcwaebUq+xKQRlnESn75FTgDjDfDm9BqrHcn +Tv79kOuIN5vhz4BCsuo5QbNu4RGrs/1VSTPvMf5AN7xs9pYNMAEde7pSF1Ps3B5p +CE6iUw9L53ytV4iJQKXpzG29LofUu65YQjIXPgK7NbBO7FUHA41YbSfoWiOAjfMh +iE025YM2+RPQh/Nrc3PqBj4h21ycT+d8eEXKfc/okbVFFE9dKS1hUwKgSrs7baOG +CBZdpiB+t3jWrr8UrteALab7v0rndco3QKOe9U3f+Gm3MdgLK1TGiRgpdyiIXEel +J7zhsdoYEvaKMgUOjhf+COdlf8b9ITg93mDKe8h0OcpirCXw4O2ma3sklabzZKZf +CPhhja6Ro5gmO5pxaLau+esQWNrjEikynNIs+GRphtcFsVVH+ww26mR0nI65Llgv +kb4+DrbDGSPP6R/C2q/LMLM1ABEBAAG0ME1pY2hhbCBOb3dhayAoQ29kZS1TaWdu +aW5nIEtleSkgPG1ub3dha0Bpc2Mub3JnPokCTgQTAQoAOBYhBNmczq+Hl0cBTwON +YxguI1eUYu+qBQJjY3zFAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBgu +I1eUYu+q9IAP/j/GGneuvjwbXdATiQAmkiFlOxjs+SsO/hgA/mmWcm+Kpg4cAlbP +C2xEDa6biJyZ8TmLZEqPNrRm/umiisC8JnIJpIbInn42n4aDCRDW35lrYGdnP1Ft +fexnEOWAJBDRVvh9OnfRfvf+HLFfLFl40b/15YzkTYGIfrMR9y8zalkzXxsVNsyr +9Eq2pmYR7BT2z8d/9SAVuh8D3qgUylIgcFcCFJodsrI4zJSpIMfMntwVsZxDlis8 
+JVFN8/pfhuBBe6vjqX/cGJnj6OL3T12jvvniv13W3rar2Ocm6XA9j1t5TZNhKqAy +azAKu52NtdJjh25B6C/H+haXAX1eduCCE74uSarqS3F1wf6JI3p8fnWzk4hZNzxp +nZjIk3vrHNjE4jXTZosXCf5DoVRfMpNbxj3YEnXV+kNZQRYPPatUPgFYbxz91hbN +tHyCiy0GmTyf0QId8LTc0y9mPtP9QureJJ6rL8lt7pvXyrYglqhxDgRhJIGKMKdw +0bQtTEF4tyNzC4/sg4/omAGH66clhXlqMmuUjHSUiQyA4LL1mJl63Q+bwqXX4B8t +898tSUmb4Jmg3jLZ3Z9Hl7H8Sp3yYPOLzb2YUF6w3xFsUrNNzVxHFo8tAtEhtEfX +D+ypkowZq8g41WqMlOBrrzQFuExUSXckH2Cn97lV6lkBoueqxP+Zv0bbmQINBGNj +qIkBEADDw/CKszyuFKpVp4Z26rKJ3ooOlp8p9a+fmfuknPtMjJMSX8xK8pOlK739 +K83yvDRUidT4+R9IAUKM7TqGA0hoPZmZQLiK0YLlAAXufKxO9IsDZI/7DuF2d8fu +usKQfS4oJC/IbzOAVwgwodnvKhttLWutT09GxiHrnfVPu6Uf4A+GWtrcTIWhXuxE +m7+16ToxBOTLtQ3hh79/RndUuM0ldKRRzJUzASGIPmdQJDLCKgSSeaGjZAdq6gkl +qT/K/R8eoLWSOaBRq8lBE1k7Tq4nSwthMHtCQq4+vxFWH3VF9hwy6ixccROPqt9s +fNfJK3KF4KGhfejMuVn/Lxp1v+Ne2DsdnVofFakAbBMpMyauzAyXPncYSfFhzLBD +kkn7THkfRznmHD8ux89kV534EyqYLjAy8AAD6zNc3tSYgfC0UUw7yz05Sl/eV9Xc +pbezu2ipONlXko8jpCQiiHck599cy+StrjjYPwcHF5m8uUlNnzHoUj8qsoK5SA8u +RnTW2I4DFbL0+x8eL7gmNQYFdMaA4azogtaTFWgPL2jPJ3B+/bUfHDZflvR0FB5+ +OD/QHsDv4SB6uX8TOhGbFsHpt7E0scb2U9B8gQeQQJZ3jmcIRp+K18mjYh/ErDFW +23ixBe7h3tn2MGUTOhv1ibOYDE3GYBuGLQiom6yhCs8zrneuAQARAQABtDFXbG9k +ZWsgV2VuY2VsIChDb2RlLVNpZ25pbmcgS2V5KSA8d2xvZGVrQGlzYy5vcmc+iQJO +BBMBCgA4FiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmNjqIkCGwMFCwkIBwMFFQoJ +CAsFFgIDAQACHgECF4AACgkQel4ITKylGIRk9g//XrvOYy9zQkpo4Dkol8yLxr99 +Dq9Ur2v8F5Ba4za4QdUxeYrlq8J827mkUqMtnlyb/+3zSMy2I6HAI8QxlDZL5K0g +Gm7iLrwVTM8nAQiNU5vAe4D6PeO5ATBEvRdAUTQGz4xeaTrUXbmNUSC1dZEPvH1z +Fa/Z1WZoy9GLeuWDXix6OXTP8FlQWUTL4/ILLtfJDsWCCX7efkyfnvad8Ye2NfU9 +tBjRX5QQ0Dpvgpr8/7El44XcmaHxPWEiq8X2p/d6j3nU/7LspUXRu3ptu5Q2RqMM +iRDZme2c8zieHETpC7m5sshzGxRtT5jWEtZ6V37On5DNTObvXCiaGV95qgiHi5VG +s3MFD3QSo1jJI951k68UM8V+OnzbJGN7TezZ3fTn5Pwdd4C4035QMl0E5NXCcXc8 +9d+3DeFmewRRGCaOKPuO/jFPLWcwMlQqp5tkNx8LpqEZfD7/t6FrSvDUsUDU8Rn0 +TQILnUZioO68HmeuJbhKaUCMuZGjBIbBqviiufFRiJuEFOVKADQ1u/P5ct/0T/gE +JAho3aubzdYMH5DLsaw03W5KfOjeTLW10zSmSK65wnR6fdwlo5l/Sg6Z63QXD+/H 
+/OIFgzviJkyoh6MkH55z2K8BDWbhOmaUBjNAcQEXV1KyHeLDkQ+TJfLjctv4KIpv +D7i6kNIp1b6OSdDS9W+ZAg0EY2OzdwEQAMRWPO237ohaXNpKO+dw1qkfOYYisiTQ +yfkT7BG0Xvu8jxeOdRuvUzzplgOfwWhOQkyEEXd205/PpwReeeRwhiu0BDSrzYGM +KZdw9Bw4enoaOinf5WTqM76mc5WUYfvDJIiHies+ANxj4EqTzvSif9hxvvzrbKYV +lHdaGtLm40D6yZSzDEe3X49DmEABM4g/Bs7NfVJcJ3LtLo6qbLy2tKEgNPW+VN/s +harufucxnH5HM6BUUOGZx8L04UCNJu+jvZ0zjLc5DqubNO1526kZclAo94DfTkb+ +ir9nxKn7RkdcseibeYPdeIh3le6aU6M0KhTJs3RCxaQF9At08Vrrkh+wkK2Jr5QW +bs8cHpEJ+Q7BwDuAQetFi94eq7Sswh4mjhJ6ZnFCx8v9EbQnvL76afMbhZOezpaQ +aAwXVuIio2fsJpHfxWnXb93H1QKiOQdBZZLQGowcFQCqAWg7h2FwWWbKMV1smGHr +/28tLZtk/4aSCd9cZ9+nofFPPemPLbYwnBECIZN21QKZ2oBXKxb3hchy4EBTKWtC +G/fbTsjSfTCUpMNZ57HO3rGXchjSdIf+tTGJpAqWkTcXuhWXBMWPK6/2REk/DKis +XHugHg9R9hqGs2DaMpGh5NrOLly9+0dsjU15iTQucXbCS9895bRtmDjIN8dLSo9H +6DDw4yO7SHTlABEBAAG0NE1hcmNpbiBHb2R6aW5hIChDb2RlLVNpZ25pbmcgS2V5 +KSA8bWdvZHppbmFAaXNjLm9yZz6JAk4EEwEKADgWIQQJCioHkj+SW1dngDpC5d94 +yDJx2wUCY2OzdwIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRBC5d94yDJx +29U0D/41C8WaGEphQW1N5lT/1284qiPuz3w3iSciAAoAe8iHUGBcSNpAWQmWvWXI +buKb92Gtt8JtSOHwQj8qiHjqRsUu02t/tEgQMQUq6p2jqbxODJfHR8oMFMMB0i0I +RgKtEQeq5wRJpVtH+zIFSl9PorsJtHHfhVbqxvE/axcNKa+WaqZdHuKMqADupQEw +6rD7yYVX6YPiHxMhba2AAAoHT/3VpHC0JidZ5BWGwkfnGbV1/7O91GHfJx6KN/AK +DKb5hFl4TrieDLJzphBWg0y4FJ4K7WSIKvcT2cLel9f9pHV6ysqSZWkCbkjkaVIi +LyoA0o7l263WU0D5oG2ihW6Pa2YrWHDDjfTem+kOEFsMjN+Gw74I4KWUBtldfnHK +A8TyeviKkVok1lwDAoJ3LJi/bcyCLgBZLInOU31mQ7mIXq1ENCOIvQvaG0Lwdt59 +sBI8sknHkt+54t/VCaKbWSBOzgGur6EDf9WtPHWvHNCKEleDiHCELdhRYYtENO7T +vTv6Fq6Lh26dor26LnARLPvGLAKwONJ0vlTEG8IyoD5AHz9MwdXYgzh8wIvc/HtD +/0FlQGLd0WYVI6UjZfPxHOZAzARJKXLJMqiSn8hnO8v6JZaUcOF0yRKTKtzqsjzU +v9TubCGdQAaCSCaD2fmA0BEs/FpOnZ8P1fXMpcHGEtMV0qc0wZkCDQRjY7/GARAA +ubCCHkdiMblMA9ZlcOVN1Wep7TuYxQouATTb+73iHDQRNIU7DvluHoSq5zJe1Qst +zjTmtlkr2dyI5JnBexUEKrw2X7gPXfLaXY01gLLB/Jn8tU9VxPqBybxmjmEdP58B +I7BwmCyMYNqDuvPSfTMlogH/pF35Al+c8UbOfDEQqxSO2nKPNa4T5ZoVxvMxV4gn +hEJPv8Xte/wiE+CxxbmO2we6rwJjWe7O3T0mNmqvpO8iIsLlQnwTFD5L1huywPc0 
+UDHK0nl8k2lkue2buaOiancLatXt/i+L1DIimCgZwOt3DlVLURH5lz5ALXE/fn+5 +wKkp+XVyNTAEFhSGifgBDYFw3nZeRTU7unMsRssL8SjuwPWoCcRI/3VE08xCuXc+ +h6NpGfeJjLRgUSSBF+958djY320TcXaRLrqRhjcJ34dBsDYsRSC15nnq2JU6Vj5t +rJL9qOdwVAFwKeAfROUULcy/LHZ3QgKLN5jOfdqYzE2KHk1+VANttRPTG34i6uq6 +yzCFFYadwST22+QWvxh2ohYj2INvvrzRf3lVxssWyb4USB0JPajgnGeNY/hSYfDa +KArqOr9S+3q7h0v4RgoPxDRFIC8v/10W4wPC7R3wj0m/1WHkSm951Wtzq3V84uCF +LLhx2ByNpnJFRFqklonAH3WHUIeYcdXAsTeunrGU/XsAEQEAAbQuR3JlZyBDaG91 +bGVzIChDb2RlLVNpZ25pbmcgS2V5KSA8Z3JlZ0Bpc2Mub3JnPokCTgQTAQoAOBYh +BJWA1r8syA8eO7ESUt6rkdVLE8m4BQJjY7/GAhsDBQsJCAcDBRUKCQgLBRYCAwEA +Ah4BAheAAAoJEN6rkdVLE8m42PwP/RFmUzgsoM23Z/NQ2AacCFTmHweEllkmf+25 +3hP80BuSHKsdzlmllFux+xbKZEpQK0nL3fqW8yyv69WmsoKZPpZJxmQ6bwUbtXC7 +rHkt5gfOXiTaxDBmgO2dcnDsKLb+bEQ7C5hay1P8rOvf13a4UZeTP37gRGmMr38+ +LvADIspIxBdSvFa7Hb4HKG4VVDai8jaPCF0q8daEWMJxyKSfOQBtSVVAzjLcGrYR +bCPDAI1DEASyQOru52WREe4vJCwSaq9dZyGhaWcnyTVQO8bsSLxu7cUVxA3SOheQ +izYKkYNbaBDmWlZxLYFsTUf5izEYdW5BwHaowmw22hSspFod+c37BoY/ePfkR5iQ +YuEff/unyqvdHMDqIXWZqpAi5o5hW3jdCd7ZL5T0WWjz4CQ8eko1ZYYnYzZlDrge +F0veW8+lzHBLx3Ad8HyVGwtRe+VV1V0AZ0lpWMtxo02ZDRtqNDqPqVfLT5P87ZPv +r5GhKtedgrjwY2clgmCT0xgAKNxi2SC+c/vI5PRkIoqwbTiryLIYq8tl6T1k6AMY +eN1ZNQR7eNEXpIvYRD/BZw7IWKkCRaKwfDVhUHCm0ikylwdLXIfEEEA5mu2LJeZh +vCddhks0S8+lRyWR/3okurF6rlloNtM1pslceh2AMDwfs3fORhYJxFsV7O7fyRnD +NS93fq56mQINBGNj8P4BEADXK//p0lWEUNUYirsm6BUyUXqPlPrpVTdPB1tJPj1o +zgeMKFOpYRPU1IZF1G6pbKD09gL6y19LehQYx1a57PF7kCx2ZvvcFN24EHto1H1p +Ti48dZ7KyyEO1rBeLY5Zjgz6YvQZcSH3cd6cTrAo7hPIAjtgSTWp04FjtYJqf+tT +gf+9ZWY+i4nQ6/Q5Z5NUd8jsOcOoFDsmY6Fds+lzn0aZSg2yfd8fnX5QFOIwDv66 +aM25q2kvkrX0wtvSQbulC8x5g6fIB3xEL6MWbXcEBYkBMW5Cnw/Kmyj7lJwVwvEO +FFhKaOH/d2LG3rM66gl048aJYLhEJyFSyooBynXs8S/NLDgca94Bvb54FPX8LC3p +lqJRLxhdkha5NLcUYiHOq/L7LWdThh5rRAy87Ggog8TVza118K3oiYujlyVEzLhB +NVMT8x5kl15YknVgOKJAv9j28bSZihHrS7aga1BtYFD8yA9MuuDaHARV6YmThkdg +OEz/PNECjsxCLcT5Bbthzg6Jg1qo3Unyeup0UbyX4zxSphCVmerDmMYddLjJ/ydc +1uxyn4IPINBSx2sAPuUIymhVC29MB6N+SnB37/poTvSsIH15Vg264OVdaervIpuC 
+W3eUANr7zrdO85nc1CTWGhugFwccXv9nyxAt8zUF/ci17p1/mLpy9K3LqlStVI9j +MwARAQABtDBDYXRoeSBBbG1vbmQgKENvZGUtU2lnbmluZyBLZXkpIDxjYXRoeWFA +aXNjLm9yZz6JAk4EEwEKADgWIQT8h0w+P+hncHCscb617/asfhrd+AUCY2Pw/gIb +AwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRC17/asfhrd+HM6D/9KD/n245Fq +jVzew92lJtufAxAFkTA5WO6fXweMlUeqMOub4vpVMLPLoFe5TzWbJMtF0m/P5+aU +YbcvZBWFHsrnwTgA55c1VrhggLOxpw4EU0TvBdwrO7PFOYc2WznaMG+mJdqw+uNM +yK+G44aIaC6rvi3ILSo5HPnbgQWHs39QIRLLcUjtqvavQQeyYAl0zrvNI9Xrs/Nf +eE6PS4hIXg90A9VJRhay18w9hA+STb+xmK+3oSwP1ayLqqQ43OnV/pExSHBsjBQk +4p1nIPlRFL30lGp/o2MoBsRvQM1tELpgBTk1LaTHzuKEpOskrWU37xu0QgEtj7YE +r0X+GGBxgJuUzqSyLsaDgH1sEDqE+AthFfv2dxDadcXM2cdch9y3OyuSMo89aWGc +mEVyesjYoV40tDCG73qLtfehhV/iARDMCfnZGyGYIZdDBL+tZTNeLKVDIUi/R3x9 +OmpEl8ZuCuYltyEsJnCF/rQBVMgcTOmsMu6CMx+qT3kC8iGtHqkUT2ufpKISahTn +e329FQjClEWwBHkr0T4K80Z0REjSo6UBtio73IOCxXe0RqO37L/qgo8xKZbLxy86 +857PRWJhgbw169FJ2kR5p+M5d/g/MUeYnigvWlORW5LyrFg6RnZ1ZbULZI80QhHN +aSFf/w020HBsLCkzWA/XM6MO2ifJTSn8Ng== +=C1ed -----END PGP PUBLIC KEY BLOCK----- diff -Nru bind9-9.16.37/doc/Makefile.in bind9-9.16.42/doc/Makefile.in --- bind9-9.16.37/doc/Makefile.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/Makefile.in 2023-06-09 14:35:17.000000000 +0000 @@ -17,7 +17,7 @@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = man arm misc doxygen +SUBDIRS = @BUILD_MANPAGES@ arm misc doxygen TARGETS = @BIND9_MAKE_RULES@ diff -Nru bind9-9.16.37/doc/arm/build.rst bind9-9.16.42/doc/arm/build.rst --- bind9-9.16.37/doc/arm/build.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/arm/build.rst 2023-06-09 14:35:17.000000000 +0000 
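Review bot: The new `SUBDIRS = @BUILD_MANPAGES@ arm misc doxygen` line in doc/Makefile.in depends on a configure substitution whose origin and possible values are not documented in this hunk. It takes the place of the literal `man` entry, so it presumably expands to `man` or to nothing, but the configure side is not visible here. If the substitution were ever missing, the unexpanded token would be handed to make as a subdirectory name. Assuming that reading is confirmed against configure, I would add a comment above the assignment, for example `# BUILD_MANPAGES is set by configure; an empty value skips the man subdirectory`.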
@@ -83,10 +83,12 @@ - ``perl`` - ``pkg-config`` / ``pkgconfig`` / ``pkgconf`` -BIND 9.16 requires ``libuv`` 1.x or higher. On older systems, an updated -``libuv`` package needs to be installed from sources such as EPEL, PPA, -or other native sources. The other option is to build and install -``libuv`` from source. +BIND 9.16 requires ``libuv`` 1.0.0 or higher, using ``libuv`` >= 1.40.0 +is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is +not supported, as this could lead to an assertion failure in the UDP +receive code. On older systems, an updated ``libuv`` package needs to be +installed from sources such as EPEL, PPA, or other native sources. The +other option is to build and install ``libuv`` from source. OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed in a nonstandard location, specify the prefix using diff -Nru bind9-9.16.37/doc/arm/notes.rst bind9-9.16.42/doc/arm/notes.rst --- bind9-9.16.37/doc/arm/notes.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/arm/notes.rst 2023-06-09 14:35:17.000000000 +0000 @@ -46,6 +46,11 @@ .. include:: ../notes/notes-known-issues.rst +.. include:: ../notes/notes-9.16.42.rst +.. include:: ../notes/notes-9.16.41.rst +.. include:: ../notes/notes-9.16.40.rst +.. include:: ../notes/notes-9.16.39.rst +.. include:: ../notes/notes-9.16.38.rst .. include:: ../notes/notes-9.16.37.rst .. include:: ../notes/notes-9.16.36.rst .. include:: ../notes/notes-9.16.35.rst diff -Nru bind9-9.16.37/doc/arm/platforms.rst bind9-9.16.42/doc/arm/platforms.rst --- bind9-9.16.37/doc/arm/platforms.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/arm/platforms.rst 2023-06-09 14:35:17.000000000 +0000 
@@ -42,16 +42,16 @@ Regularly tested platforms ~~~~~~~~~~~~~~~~~~~~~~~~~~ -As of August 2022, BIND 9.16 is fully supported and regularly tested on the +Current versions of BIND 9 are fully supported and regularly tested on the following systems: - Debian 10, 11 - Ubuntu LTS 18.04, 20.04, 22.04 -- Fedora 37 +- Fedora 38 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8, 9 -- FreeBSD 12.3, 13.1 -- OpenBSD 7.2 -- Alpine Linux 3.16 +- FreeBSD 12.4, 13.2 +- OpenBSD 7.3 +- Alpine Linux 3.18 The amd64, i386, armhf and arm64 CPU architectures are all fully supported. diff -Nru bind9-9.16.37/doc/arm/reference.rst bind9-9.16.42/doc/arm/reference.rst --- bind9-9.16.37/doc/arm/reference.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/arm/reference.rst 2023-06-09 14:35:17.000000000 +0000 @@ -416,12 +416,11 @@ ``include`` Statement Definition and Usage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The ``include`` statement inserts the specified file (or files if a valid glob -expression is detected) at the point where the ``include`` statement is -encountered. The ``include`` statement facilitates the administration of -configuration files by permitting the reading or writing of some things but not -others. For example, the statement could include private keys that are readable -only by the name server. +The ``include`` statement inserts the specified file at the point where the +``include`` statement is encountered. The ``include`` statement facilitates +the administration of configuration files by permitting the reading or +writing of some things but not others. For example, the statement could +include private keys that are readable only by the name server. .. _key_grammar: 
@@ -1160,14 +1159,20 @@ effective user ID of the ``named`` process. ``qname-minimization`` - This option controls QNAME minimization behavior in the BIND - resolver. When set to ``strict``, BIND follows the QNAME + When this is set to ``strict``, BIND follows the QNAME minimization algorithm to the letter, as specified in :rfc:`7816`. + Setting this option to ``relaxed`` causes BIND to fall back to normal (non-minimized) query mode when it receives either NXDOMAIN or other unexpected responses (e.g., SERVFAIL, improper zone cut, - REFUSED) to a minimized query. ``disabled`` disables QNAME - minimization completely. The current default is ``relaxed``, but it + REFUSED) to a minimized query. A resolver can use a leading + underscore, like ``_.example.com``, in an attempt to improve + interoperability. (See :rfc:`7816` section 3.) + + ``disabled`` disables QNAME minimization completely. + ``off`` is a synonym for ``disabled``. + + The current default is ``relaxed``, but it may be changed to ``strict`` in a future release. ``tkey-gssapi-keytab`` @@ -3090,6 +3095,11 @@ default value of that option (90% of physical memory for each individual cache) may lead to memory exhaustion over time. + .. note:: + + ``max-cache-size`` does not work reliably for the maximum + amount of memory of 100 MB or lower. + Upon startup and reconfiguration, caches with a limited size preallocate a small amount of memory (less than 1% of ``max-cache-size`` for a given view). This preallocation serves as an 
@@ -3560,9 +3570,8 @@ to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.) - The ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. - According to the measurements done by multiple parties this should not be - causing any operational problems as most of the Internet "core" is able to + According to the measurements done by multiple parties the default value + should not be causing the fragmentation as most of the Internet "core" is able to cope with IP message sizes between 1400-1500 bytes, the 1232 size was picked as a conservative minimal number that could be changed by the DNS operator to a estimated path MTU minus the estimated header space. In practice, the @@ -6542,6 +6551,7 @@ is equivalent to: :: + HOST-0000.EXAMPLE. A 1.2.3.1 HOST-0001.EXAMPLE. A 1.2.3.2 HOST-0002.EXAMPLE. A 1.2.3.3 diff -Nru bind9-9.16.37/doc/dnssec-guide/validation.rst bind9-9.16.42/doc/dnssec-guide/validation.rst --- bind9-9.16.37/doc/dnssec-guide/validation.rst 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/dnssec-guide/validation.rst 2023-06-09 14:35:17.000000000 +0000 @@ -112,8 +112,6 @@ - `Internet.nl `__ -- `DNSSEC Resolver Test (uni-due.de) `__ - - `DNSSEC or Not (VeriSign) `__ .. _using_dig_to_verify: diff -Nru bind9-9.16.37/doc/man/ddns-confgen.8in bind9-9.16.42/doc/man/ddns-confgen.8in --- bind9-9.16.37/doc/man/ddns-confgen.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/ddns-confgen.8in 2023-06-09 14:45:37.000000000 +0000 @@ -58,7 +58,7 @@ This option specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and hmac\-sha512. The default is hmac\-sha256. Options are -case\-insensitive, and the "hmac\-" prefix may be omitted. +case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted. .TP .B \fB\-h\fP This option prints a short summary of options and arguments. 
@@ -79,15 +79,15 @@ .B \fB\-s name\fP This option generates a configuration example to allow dynamic updates of a single hostname. The example \fBnamed.conf\fP text shows how to set -an update policy for the specified name using the "name" nametype. The -default key name is \fBddns\-key.name\fP\&. Note that the "self" nametype +an update policy for the specified name using the \(dqname\(dq nametype. The +default key name is \fBddns\-key.name\fP\&. Note that the \(dqself\(dq nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the \fB\-z\fP option. .TP .B \fB\-z zone\fP This option generates a configuration example to allow dynamic updates of a zone. The example \fBnamed.conf\fP text shows how -to set an update policy for the specified zone using the "zonesub" +to set an update policy for the specified zone using the \(dqzonesub\(dq nametype, allowing updates to all subdomain names within that zone. This option cannot be used with the \fB\-s\fP option. .UNINDENT diff -Nru bind9-9.16.37/doc/man/delv.1in bind9-9.16.42/doc/man/delv.1in --- bind9-9.16.37/doc/man/delv.1in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/delv.1in 2023-06-09 14:45:37.000000000 +0000 @@ -53,7 +53,7 @@ and forwarding. .sp By default, responses are validated using the built\-in DNSSEC trust anchor -for the root zone ("."). Records returned by \fBdelv\fP are either fully +for the root zone (\(dq.\(dq). Records returned by \fBdelv\fP are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because \fBdelv\fP does not rely on an external server to carry 
@@ -66,7 +66,7 @@ addresses (127.0.0.1 for IPv4, ::1 for IPv6). .sp When no command\-line arguments or options are given, \fBdelv\fP -performs an NS query for "." (the root zone). +performs an NS query for \(dq.\(dq (the root zone). .SH SIMPLE USAGE .sp A typical invocation of \fBdelv\fP looks like: @@ -114,7 +114,7 @@ .B \fB\-a anchor\-file\fP This option specifies a file from which to read DNSSEC trust anchors. The default is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one -or more trust anchors for the root zone ("."). +or more trust anchors for the root zone (\(dq.\(dq). .sp Keys that do not match the root zone name are ignored. An alternate key name can be specified using the \fB+root=NAME\fP options. @@ -135,7 +135,7 @@ .TP .B \fB\-c class\fP This option sets the query class for the requested data. Currently, only class -"IN" is supported in \fBdelv\fP and any other value is ignored. +\(dqIN\(dq is supported in \fBdelv\fP and any other value is ignored. .TP .B \fB\-d level\fP This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is @@ -168,8 +168,8 @@ This option sets the query name to \fBname\fP\&. While the query name can be specified without using the \fB\-q\fP option, it is sometimes necessary to disambiguate names from types or classes (for example, when looking -up the name "ns", which could be misinterpreted as the type NS, or -"ch", which could be misinterpreted as class CH). +up the name \(dqns\(dq, which could be misinterpreted as the type NS, or +\(dqch\(dq, which could be misinterpreted as class CH). .TP .B \fB\-t type\fP This option sets the query type to \fBtype\fP, which can be any valid query type 
@@ -178,8 +178,8 @@ when they are ambiguous. It is sometimes necessary to disambiguate names from types. .sp -The default query type is "A", unless the \fB\-x\fP option is supplied -to indicate a reverse lookup, in which case it is "PTR". +The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied +to indicate a reverse lookup, in which case it is \(dqPTR\(dq. .TP .B \fB\-v\fP This option prints the \fBdelv\fP version and exits. @@ -235,7 +235,7 @@ and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation. .sp -This is equivalent to setting the debug level to 1 in the "resolver" +This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq logging category. Setting the systemwide debug level to 1 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. @@ -245,8 +245,8 @@ responses received by \fBdelv\fP in the process of carrying out the resolution and validation process. .sp -This is equivalent to setting the debug level to 10 for the "packets" -module of the "resolver" logging category. Setting the systemwide +This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq +module of the \(dqresolver\(dq logging category. Setting the systemwide debug level to 10 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. .TP @@ -256,7 +256,7 @@ unsigned, or invalid. .sp This is equivalent to setting the debug level to 3 for the -"validator" module of the "dnssec" logging category. Setting the +\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the systemwide debug level to 3 using the \fB\-d\fP option produces the same output, but affects other logging categories as well. .TP 
@@ -313,7 +313,7 @@ .B \fB+[no]root[=ROOT]\fP This option indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor. The default is to validate using a -trust anchor of "." (the root zone), for which there is a built\-in key. If +trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If specifying a different trust anchor, then \fB\-a\fP must be used to specify a file containing the key. .TP diff -Nru bind9-9.16.37/doc/man/dig.1in bind9-9.16.42/doc/man/dig.1in --- bind9-9.16.37/doc/man/dig.1in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dig.1in 2023-06-09 14:45:37.000000000 +0000 @@ -58,7 +58,7 @@ addresses are found, \fBdig\fP sends the query to the local host. .sp When no command\-line arguments or options are given, \fBdig\fP -performs an NS query for "." (the root). +performs an NS query for \(dq.\(dq (the root). .sp It is possible to set per\-user defaults for \fBdig\fP via \fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied @@ -67,8 +67,8 @@ .sp The IN and CH class names overlap with the IN and CH top\-level domain names. Either use the \fB\-t\fP and \fB\-c\fP options to specify the type and -class, use the \fB\-q\fP to specify the domain name, or use "IN." and -"CH." when looking up these top\-level domains. +class, use the \fB\-q\fP to specify the domain name, or use \(dqIN.\(dq and +\(dqCH.\(dq when looking up these top\-level domains. .SH SIMPLE USAGE .sp A typical invocation of \fBdig\fP looks like: 
@@ -120,8 +120,8 @@ .TP .B \fB\-b address[#port]\fP This option sets the source IP address of the query. The \fBaddress\fP must be a -valid address on one of the host\(aqs network interfaces, or "0.0.0.0" -or "::". An optional port may be specified by appending \fB#port\fP\&. +valid address on one of the host\(aqs network interfaces, or \(dq0.0.0.0\(dq +or \(dq::\(dq. An optional port may be specified by appending \fB#port\fP\&. .TP .B \fB\-c class\fP This option sets the query class. The default \fBclass\fP is IN; other classes are @@ -575,7 +575,7 @@ .B \fB+[no]vc\fP This option uses [or does not use] TCP when querying name servers. This alternate syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The -\fBvc\fP stands for "virtual circuit." +\fBvc\fP stands for \(dqvirtual circuit.\(dq .TP .B \fB+[no]yaml\fP When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the diff -Nru bind9-9.16.37/doc/man/dnssec-dsfromkey.8in bind9-9.16.42/doc/man/dnssec-dsfromkey.8in --- bind9-9.16.37/doc/man/dnssec-dsfromkey.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dnssec-dsfromkey.8in 2023-06-09 14:45:37.000000000 +0000 @@ -139,7 +139,7 @@ \fBkeyset\-\fP, and the \fBdnsname\fP\&. .SH CAVEAT .sp -A keyfile error may return "file not found," even if the file exists. +A keyfile error may return \(dqfile not found,\(dq even if the file exists. .SH SEE ALSO .sp \fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, diff -Nru bind9-9.16.37/doc/man/dnssec-importkey.8in bind9-9.16.42/doc/man/dnssec-importkey.8in --- bind9-9.16.37/doc/man/dnssec-importkey.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dnssec-importkey.8in 2023-06-09 14:45:37.000000000 +0000 
@@ -57,7 +57,7 @@ \fBfilename\fP\&. If the domain name is the same as \fBfilename\fP, then it may be omitted. .sp -If \fBfilename\fP is set to \fB"\-"\fP, then the zone data is read from the +If \fBfilename\fP is set to \fB\(dq\-\(dq\fP, then the zone data is read from the standard input. .TP .B \fB\-K directory\fP diff -Nru bind9-9.16.37/doc/man/dnssec-keygen.8in bind9-9.16.42/doc/man/dnssec-keygen.8in --- bind9-9.16.37/doc/man/dnssec-keygen.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dnssec-keygen.8in 2023-06-09 14:45:37.000000000 +0000 @@ -139,7 +139,7 @@ .B \fB\-k policy\fP This option creates keys for a specific \fBdnssec\-policy\fP\&. If a policy uses multiple keys, \fBdnssec\-keygen\fP generates multiple keys. This also -creates a ".state" file to keep track of the key state. +creates a \(dq.state\(dq file to keep track of the key state. .sp This option creates keys according to the \fBdnssec\-policy\fP configuration, hence it cannot be used at the same time as many of the other options that diff -Nru bind9-9.16.37/doc/man/dnssec-keymgr.8in bind9-9.16.42/doc/man/dnssec-keymgr.8in --- bind9-9.16.37/doc/man/dnssec-keymgr.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dnssec-keymgr.8in 2023-06-09 14:45:37.000000000 +0000 @@ -44,7 +44,7 @@ /etc/dnssec\-policy.conf), from which the key parameters, publication and rollover schedule, and desired coverage duration for any given zone can be determined. This file may be used to define individual DNSSEC -policies on a per\-zone basis, or to set a "default" policy used for all +policies on a per\-zone basis, or to set a \(dqdefault\(dq policy used for all zones. .sp When \fBdnssec\-keymgr\fP runs, it examines the DNSSEC keys for one or more 
@@ -181,7 +181,7 @@ single zone by name. A zone policy can inherit a policy class by including a \fBpolicy\fP option. Zone names beginning with digits (i.e., 0\-9) must be quoted. If a zone does not have its own policy -then the "default" policy applies. +then the \(dqdefault\(dq policy applies. .UNINDENT .UNINDENT .sp @@ -200,7 +200,7 @@ The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time. This can be represented as a number of seconds, or as a duration -using human\-readable units (examples: "1y" or "6 months"). A default +using human\-readable units (examples: \(dq1y\(dq or \(dq6 months\(dq). A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is six months. @@ -218,7 +218,7 @@ .INDENT 0.0 .INDENT 3.5 Specifies the number of bits to use in creating keys. The keytype is -either "zsk" or "ksk". A default value for this option can be set in +either \(dqzsk\(dq or \(dqksk\(dq. A default value for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is 2048 bits for RSA keys. .UNINDENT @@ -236,7 +236,7 @@ .INDENT 3.5 How long after inactivation a key should be deleted from the zone. Note: If \fBroll\-period\fP is not set, this value is ignored. The -keytype is either "zsk" or "ksk". A default duration for this option +keytype is either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. .UNINDENT 
@@ -247,7 +247,7 @@ .INDENT 3.5 How long before activation a key should be published. Note: If \fBroll\-period\fP is not set, this value is ignored. The keytype is -either "zsk" or "ksk". A default duration for this option can be set +either \(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. The default is one month. .UNINDENT @@ -257,7 +257,7 @@ .INDENT 0.0 .INDENT 3.5 How frequently keys should be rolled over. The keytype is either -"zsk" or "ksk". A default duration for this option can be set in +\(dqzsk\(dq or \(dqksk\(dq. A default duration for this option can be set in algorithm policies as well as in policy classes or zone policies. If no policy is configured, the default is one year for ZSKs. KSKs do not roll over by default. diff -Nru bind9-9.16.37/doc/man/dnssec-signzone.8in bind9-9.16.42/doc/man/dnssec-signzone.8in --- bind9-9.16.37/doc/man/dnssec-signzone.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/dnssec-signzone.8in 2023-06-09 14:45:37.000000000 +0000 @@ -182,8 +182,8 @@ same time. .TP .B \fB\-L serial\fP -When writing a signed zone to "raw" or "map" format, this option sets the "source -serial" value in the header to the specified \fBserial\fP number. (This is +When writing a signed zone to \(dqraw\(dq or \(dqmap\(dq format, this option sets the \(dqsource +serial\(dq value in the header to the specified \fBserial\fP number. (This is expected to be used primarily for testing purposes.) .TP .B \fB\-n ncpus\fP 
@@ -248,7 +248,7 @@ with cached copies of the old DNSKEY RRset. The \fB\-Q\fP option forces \fBdnssec\-signzone\fP to remove signatures from keys that are no longer active. This enables ZSK rollover using the procedure described in -\fI\%RFC 4641#4.2.1.1\fP ("Pre\-Publish Key Rollover"). +\fI\%RFC 4641#4.2.1.1\fP (\(dqPre\-Publish Key Rollover\(dq). .TP .B \fB\-q\fP This option enables quiet mode, which suppresses unnecessary output. Without this option, when @@ -263,8 +263,8 @@ This option is similar to \fB\-Q\fP, except it forces \fBdnssec\-signzone\fP to remove signatures from keys that are no longer published. This enables ZSK rollover using the procedure described in -\fI\%RFC 4641#4.2.1.2\fP ("Double Signature Zone Signing Key -Rollover"). +\fI\%RFC 4641#4.2.1.2\fP (\(dqDouble Signature Zone Signing Key +Rollover\(dq). .TP .B \fB\-S\fP This option enables smart signing, which instructs \fBdnssec\-signzone\fP to search the key diff -Nru bind9-9.16.37/doc/man/filter-aaaa.8in bind9-9.16.42/doc/man/filter-aaaa.8in --- bind9-9.16.37/doc/man/filter-aaaa.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/filter-aaaa.8in 2023-06-09 14:45:37.000000000 +0000 @@ -32,7 +32,7 @@ filter-aaaa \- filter AAAA in DNS responses when A is present .SH SYNOPSIS .sp -\fBplugin query\fP "filter\-aaaa.so" [{ parameters }]; +\fBplugin query\fP \(dqfilter\-aaaa.so\(dq [{ parameters }]; .SH DESCRIPTION .sp \fBfilter\-aaaa.so\fP is a query plugin module for \fBnamed\fP, enabling @@ -48,7 +48,7 @@ .sp .nf .ft C -plugin query "/usr/local/lib/filter\-aaaa.so" { +plugin query \(dq/usr/local/lib/filter\-aaaa.so\(dq { filter\-aaaa\-on\-v4 yes; filter\-aaaa\-on\-v6 yes; filter\-aaaa { 192.0.2.1; 2001:db8:2::1; }; diff -Nru bind9-9.16.37/doc/man/host.1in bind9-9.16.42/doc/man/host.1in --- bind9-9.16.37/doc/man/host.1in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/host.1in 2023-06-09 14:45:37.000000000 +0000 
@@ -56,11 +56,11 @@ This option specifies that only IPv6 should be used for query transport. See also the \fB\-4\fP option. .TP .B \fB\-a\fP -The \fB\-a\fP ("all") option is normally equivalent to \fB\-v \-t ANY\fP\&. It +The \fB\-a\fP (\(dqall\(dq) option is normally equivalent to \fB\-v \-t ANY\fP\&. It also affects the behavior of the \fB\-l\fP list zone option. .TP .B \fB\-A\fP -The \fB\-A\fP ("almost all") option is equivalent to \fB\-a\fP, except that RRSIG, +The \fB\-A\fP (\(dqalmost all\(dq) option is equivalent to \fB\-a\fP, except that RRSIG, NSEC, and NSEC3 records are omitted from the output. .TP .B \fB\-c class\fP @@ -146,7 +146,7 @@ This option prints the version number and exits. .TP .B \fB\-w\fP -This option sets "wait forever": the query timeout is set to the maximum possible. See +This option sets \(dqwait forever\(dq: the query timeout is set to the maximum possible. See also the \fB\-W\fP option. .TP .B \fB\-W wait\fP diff -Nru bind9-9.16.37/doc/man/mdig.1in bind9-9.16.42/doc/man/mdig.1in --- bind9-9.16.37/doc/man/mdig.1in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/mdig.1in 2023-06-09 14:45:37.000000000 +0000 @@ -45,9 +45,9 @@ received, not in the order the corresponding queries were sent. .sp \fBmdig\fP options are a subset of the \fBdig\fP options, and are divided -into "anywhere options," which can occur anywhere, "global options," which +into \(dqanywhere options,\(dq which can occur anywhere, \(dqglobal options,\(dq which must occur before the query name (or they are ignored with a warning), -and "local options," which apply to the next query on the command line. +and \(dqlocal options,\(dq which apply to the next query on the command line. .sp The \fB@server\fP option is a mandatory global option. It is the name or IP address of the name server to query. (Unlike \fBdig\fP, this value is not 
@@ -96,8 +96,8 @@ .B \fB\-b address\fP This option sets the source IP address of the query to \fBaddress\fP\&. This must be a valid address on one of the host\(aqs network -interfaces or "0.0.0.0" or "::". An optional port may be specified by -appending "#" +interfaces or \(dq0.0.0.0\(dq or \(dq::\(dq. An optional port may be specified by +appending \(dq#\(dq .TP .B \fB\-m\fP This option enables memory usage debugging. @@ -150,7 +150,7 @@ contents of these fields are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures. The default is to display the fields. When omitted, -they are replaced by the string "[omitted]"; in the DNSKEY case, the +they are replaced by the string \(dq[omitted]\(dq; in the DNSKEY case, the key ID is displayed as the replacement, e.g., \fB[ key id = value ]\fP\&. .TP .B \fB+dscp[=value]\fP @@ -193,13 +193,13 @@ .TP .B \fB+[no]ttlunits\fP This option displays [or does not display] the TTL in friendly human\-readable time -units of "s", "m", "h", "d", and "w", representing seconds, minutes, +units of \(dqs\(dq, \(dqm\(dq, \(dqh\(dq, \(dqd\(dq, and \(dqw\(dq, representing seconds, minutes, hours, days, and weeks. This implies +ttlid. .TP .B \fB+[no]vc\fP This option uses [or does not use] TCP when querying name servers. This alternate syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The -\fBvc\fP stands for "virtual circuit". +\fBvc\fP stands for \(dqvirtual circuit\(dq. .UNINDENT .SH LOCAL OPTIONS .INDENT 0.0 
@@ -207,13 +207,13 @@ .B \fB\-c class\fP This option sets the query class to \fBclass\fP\&. It can be any valid query class which is supported in BIND 9. The default query class is -"IN". +\(dqIN\(dq. .TP .B \fB\-t type\fP This option sets the query type to \fBtype\fP\&. It can be any valid -query type which is supported in BIND 9. The default query type is "A", +query type which is supported in BIND 9. The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied to indicate a reverse lookup with -the "PTR" query type. +the \(dqPTR\(dq query type. .TP .B \fB\-x addr\fP Reverse lookups \- mapping addresses to names \- are simplified by diff -Nru bind9-9.16.37/doc/man/named-checkconf.8in bind9-9.16.42/doc/man/named-checkconf.8in --- bind9-9.16.37/doc/man/named-checkconf.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/named-checkconf.8in 2023-06-09 14:45:37.000000000 +0000 @@ -59,7 +59,7 @@ name, class (e.g. IN), view, and type (e.g. primary or secondary). .TP .B \fB\-c\fP -This option specifies that only the "core" configuration should be checked. This suppresses the loading of +This option specifies that only the \(dqcore\(dq configuration should be checked. This suppresses the loading of plugin modules, and causes all parameters to \fBplugin\fP statements to be ignored. .TP diff -Nru bind9-9.16.37/doc/man/named-checkzone.8in bind9-9.16.42/doc/man/named-checkzone.8in --- bind9-9.16.37/doc/man/named-checkzone.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/named-checkzone.8in 2023-06-09 14:45:37.000000000 +0000 
@@ -119,8 +119,8 @@ is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&. .TP .B \fB\-L serial\fP -When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the "source -serial" value in the header to the specified serial number. This is +When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource +serial\(dq value in the header to the specified serial number. This is expected to be used primarily for testing purposes. .TP .B \fB\-m mode\fP diff -Nru bind9-9.16.37/doc/man/named-compilezone.1in bind9-9.16.42/doc/man/named-compilezone.1in --- bind9-9.16.37/doc/man/named-compilezone.1in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/named-compilezone.1in 1970-01-01 00:00:00.000000000 +0000 
@@ -1,206 +0,0 @@ -.\" Man page generated from reStructuredText. -. -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.TH "NAMED-COMPILEZONE" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" -.SH NAME -named-compilezone \- zone file validity checking or converting tool -.SH SYNOPSIS -.sp -\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} {filename} -.SH DESCRIPTION -.sp -\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file, -and dumps the zone contents to a specified file in a specified format. -It applies strict check levels by default, since the -dump output is used as an actual zone file loaded by \fBnamed\fP\&. -When manually specified otherwise, the check levels must at least be as -strict as those specified in the \fBnamed\fP configuration file. -.SH OPTIONS -.INDENT 0.0 -.TP -.B \fB\-d\fP -This option enables debugging. -.TP -.B \fB\-h\fP -This option prints the usage summary and exits. 
-.TP -.B \fB\-q\fP -This option sets quiet mode, which only sets an exit code to indicate -successful or failed completion. -.TP -.B \fB\-v\fP -This option prints the version of the \fBnamed\-checkzone\fP program and exits. -.TP -.B \fB\-j\fP -When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal -file name is assumed to be the zone file name with the -string \fB\&.jnl\fP appended. -.TP -.B \fB\-J filename\fP -When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if -it exists. This implies \fB\-j\fP\&. -.TP -.B \fB\-c class\fP -This option specifies the class of the zone. If not specified, \fBIN\fP is assumed. -.TP -.B \fB\-i mode\fP -This option performs post\-load zone integrity checks. Possible modes are -\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP, -\fBlocal\-sibling\fP, and \fBnone\fP\&. -.sp -Mode \fBfull\fP checks that MX records refer to A or AAAA records -(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only -checks MX records which refer to in\-zone hostnames. -.sp -Mode \fBfull\fP checks that SRV records refer to A or AAAA records -(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only -checks SRV records which refer to in\-zone hostnames. -.sp -Mode \fBfull\fP checks that delegation NS records refer to A or AAAA -records (both in\-zone and out\-of\-zone hostnames). It also checks that -glue address records in the zone match those advertised by the child. -Mode \fBlocal\fP only checks NS records which refer to in\-zone -hostnames or verifies that some required glue exists, i.e., when the -name server is in a child zone. -.sp -Modes \fBfull\-sibling\fP and \fBlocal\-sibling\fP disable sibling glue -checks, but are otherwise the same as \fBfull\fP and \fBlocal\fP, -respectively. -.sp -Mode \fBnone\fP disables the checks. -.TP -.B \fB\-f format\fP -This option specifies the format of the zone file. 
Possible formats are -\fBtext\fP (the default), and \fBraw\fP\&. -.TP -.B \fB\-F format\fP -This option specifies the format of the output file specified. For -\fBnamed\-checkzone\fP, this does not have any effect unless it dumps -the zone contents. -.sp -Possible formats are \fBtext\fP (the default), which is the standard -textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which -store the zone in a binary format for rapid loading by \fBnamed\fP\&. -\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is -0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the -file can only be read by release 9.9.0 or higher. The default is 1. -.TP -.B \fB\-k mode\fP -This option performs \fBcheck\-names\fP checks with the specified failure mode. -Possible modes are \fBfail\fP (the default), \fBwarn\fP, and \fBignore\fP\&. -.TP -.B \fB\-l ttl\fP -This option sets a maximum permissible TTL for the input file. Any record with a -TTL higher than this value causes the zone to be rejected. This -is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&. -.TP -.B \fB\-L serial\fP -When compiling a zone to \fBraw\fP format, this option sets the "source -serial" value in the header to the specified serial number. This is -expected to be used primarily for testing purposes. -.TP -.B \fB\-m mode\fP -This option specifies whether MX records should be checked to see if they are -addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and -\fBignore\fP\&. -.TP -.B \fB\-M mode\fP -This option checks whether a MX record refers to a CNAME. Possible modes are -\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. -.TP -.B \fB\-n mode\fP -This option specifies whether NS records should be checked to see if they are -addresses. Possible modes are \fBfail\fP (the default), \fBwarn\fP, and -\fBignore\fP\&. -.TP -.B \fB\-o filename\fP -This option writes the zone output to \fBfilename\fP\&. 
If \fBfilename\fP is \fB\-\fP, then -the zone output is written to standard output. This is mandatory for \fBnamed\-compilezone\fP\&. -.TP -.B \fB\-r mode\fP -This option checks for records that are treated as different by DNSSEC but are -semantically equal in plain DNS. Possible modes are \fBfail\fP, -\fBwarn\fP (the default), and \fBignore\fP\&. -.TP -.B \fB\-s style\fP -This option specifies the style of the dumped zone file. Possible styles are -\fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most -suitable for processing automatically by a separate script. -The relative format is more human\-readable and is thus -suitable for editing by hand. -.TP -.B \fB\-S mode\fP -This option checks whether an SRV record refers to a CNAME. Possible modes are -\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. -.TP -.B \fB\-t directory\fP -This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the -configuration file are processed as if run by a similarly chrooted -\fBnamed\fP\&. -.TP -.B \fB\-T mode\fP -This option checks whether Sender Policy Framework (SPF) records exist and issues a -warning if an SPF\-formatted TXT record is not also present. Possible -modes are \fBwarn\fP (the default) and \fBignore\fP\&. -.TP -.B \fB\-w directory\fP -This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file -\fB$INCLUDE\fP directives work. This is similar to the directory clause in -\fBnamed.conf\fP\&. -.TP -.B \fB\-D\fP -This option dumps the zone file in canonical format. This is always enabled for -\fBnamed\-compilezone\fP\&. -.TP -.B \fB\-W mode\fP -This option specifies whether to check for non\-terminal wildcards. Non\-terminal -wildcards are almost always the result of a failure to understand the -wildcard matching algorithm (\fI\%RFC 4592\fP). Possible modes are \fBwarn\fP -(the default) and \fBignore\fP\&. 
-.TP -.B \fBzonename\fP -This indicates the domain name of the zone being checked. -.TP -.B \fBfilename\fP -This is the name of the zone file. -.UNINDENT -.SH RETURN VALUES -.sp -\fBnamed\-compilezone\fP returns an exit status of 1 if errors were detected -and 0 otherwise. -.SH SEE ALSO -.sp -\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, -\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual. -.SH AUTHOR -Internet Systems Consortium -.SH COPYRIGHT -2022, Internet Systems Consortium -.\" Generated by docutils manpage writer. -. diff -Nru bind9-9.16.37/doc/man/named-compilezone.8in bind9-9.16.42/doc/man/named-compilezone.8in --- bind9-9.16.37/doc/man/named-compilezone.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/named-compilezone.8in 2023-06-09 14:45:37.000000000 +0000 @@ -121,8 +121,8 @@ is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&. .TP .B \fB\-L serial\fP -When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the "source -serial" value in the header to the specified serial number. This is +When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the \(dqsource +serial\(dq value in the header to the specified serial number. This is expected to be used primarily for testing purposes. .TP .B \fB\-m mode\fP diff -Nru bind9-9.16.37/doc/man/nsec3hash.8in bind9-9.16.42/doc/man/nsec3hash.8in --- bind9-9.16.37/doc/man/nsec3hash.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/nsec3hash.8in 2023-06-09 14:45:37.000000000 +0000 
@@ -55,7 +55,7 @@ .B \fBalgorithm\fP This is a number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number -1; consequently "1" is the only useful value for this argument. +1; consequently \(dq1\(dq is the only useful value for this argument. .TP .B \fBflags\fP This is provided for compatibility with NSEC3 record presentation format, but diff -Nru bind9-9.16.37/doc/man/rndc.8in bind9-9.16.42/doc/man/rndc.8in --- bind9-9.16.37/doc/man/rndc.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/rndc.8in 2023-06-09 14:45:37.000000000 +0000 @@ -136,7 +136,7 @@ This sample \fBaddzone\fP command adds the zone \fBexample.com\fP to the default view: .sp -\fBrndc addzone example.com \(aq{ type master; file "example.com.db"; };\(aq\fP +\fBrndc addzone example.com \(aq{ type master; file \(dqexample.com.db\(dq; };\(aq\fP .sp (Note the brackets around and semi\-colon after the zone configuration text.) @@ -162,7 +162,7 @@ See also \fBrndc addzone\fP and \fBrndc modzone\fP\&. .TP \fBdnssec\fP ( \fB\-status\fP | \fB\-rollover\fP \fB\-key\fP id [\fB\-alg\fP \fIalgorithm\fP] [\fB\-when\fP \fItime\fP] | \fB\-checkds\fP [\fB\-key\fP \fIid\fP [\fB\-alg\fP \fIalgorithm\fP]] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]] -This command allows you to interact with the "dnssec\-policy" of a given +This command allows you to interact with the \(dqdnssec\-policy\(dq of a given zone. .sp \fBrndc dnssec \-status\fP show the DNSSEC signing state for the specified 
@@ -183,12 +183,16 @@ notation. .TP \fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] ) -This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows +This command closes and re\-opens DNSTAP output files. +.sp +\fBrndc dnstap \-reopen\fP allows the output file to be renamed externally, so that \fBnamed\fP can -truncate and re\-open it. \fBrndc dnstap \-roll\fP causes the output file +truncate and re\-open it. +.sp +\fBrndc dnstap \-roll\fP causes the output file to be rolled automatically, similar to log files. The most recent -output file has ".0" appended to its name; the previous most recent -output file is moved to ".1", and so on. If \fBnumber\fP is specified, then +output file has \(dq.0\(dq appended to its name; the previous most recent +output file is moved to \(dq.1\(dq, and so on. If \fBnumber\fP is specified, then the number of backup log files is limited to that number. .TP \fBdumpdb\fP [\fB\-all\fP | \fB\-cache\fP | \fB\-zones\fP | \fB\-adb\fP | \fB\-bad\fP | \fB\-expired\fP | \fB\-fail\fP] [\fIview ...\fP] @@ -237,11 +241,11 @@ .sp This command requires that the zone be configured with a \fBdnssec\-policy\fP, or that the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the -zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in +zone to be configured to allow dynamic DNS. (See \(dqDynamic Update Policies\(dq in the Administrator Reference Manual for more details.) .TP .B \fBmanaged\-keys\fP (\fIstatus\fP | \fIrefresh\fP | \fIsync\fP | \fIdestroy\fP) [\fIclass\fP [\fIview\fP]] -This command inspects and controls the "managed\-keys" database which handles +This command inspects and controls the \(dqmanaged\-keys\(dq database which handles \fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these commands are applied to that view; otherwise, they are applied to all views. 
@@ -461,7 +465,7 @@ This command requires that the zone be configured with a \fBdnssec\-policy\fP, or that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP, and also requires the zone to be configured to allow dynamic DNS. (See -"Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more +\(dqDynamic Update Policies\(dq in the BIND 9 Administrator Reference Manual for more details.) .sp See also \fBrndc loadkeys\fP\&. @@ -538,7 +542,7 @@ .TP \fBsync\fP \fB\-clean\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]] This command syncs changes in the journal file for a dynamic zone to the master -file. If the "\-clean" option is specified, the journal file is also +file. If the \(dq\-clean\(dq option is specified, the journal file is also removed. If no zone is specified, then all zones are synced. .TP .B \fBtcp\-timeouts\fP [\fIinitial\fP \fIidle\fP \fIkeepalive\fP \fIadvertised\fP] @@ -603,7 +607,7 @@ confused with zones of type \fBhint\fP or with secondary copies of the root zone. To specify a redirect zone, use the special zone name \fB\-redirect\fP, without a trailing period. (With a trailing period, this -would specify a zone called "\-redirect".) +would specify a zone called \(dq\-redirect\(dq.) .SH LIMITATIONS .sp There is currently no way to provide the shared secret for a \fBkey_id\fP diff -Nru bind9-9.16.37/doc/man/rndc.conf.5in bind9-9.16.42/doc/man/rndc.conf.5in --- bind9-9.16.37/doc/man/rndc.conf.5in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/rndc.conf.5in 2023-06-09 14:45:37.000000000 +0000 @@ -136,7 +136,7 @@ .ft C key samplekey { algorithm hmac\-sha256; - secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; + secret \(dq6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz\(dq; }; .ft P .fi @@ -149,7 +149,7 @@ .ft C key testkey { algorithm hmac\-sha256; - secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; + secret \(dqR3HI8P6BKw9ZwXwN3VZKuQ==\(dq; }; .ft P .fi 
@@ -157,15 +157,15 @@ .UNINDENT .sp In the above example, \fBrndc\fP by default uses the server at -localhost (127.0.0.1) and the key called "samplekey". Commands to the -localhost server use the "samplekey" key, which must also be defined +localhost (127.0.0.1) and the key called \(dqsamplekey\(dq. Commands to the +localhost server use the \(dqsamplekey\(dq key, which must also be defined in the server\(aqs configuration file with the same name and secret. The -key statement indicates that "samplekey" uses the HMAC\-SHA256 algorithm +key statement indicates that \(dqsamplekey\(dq uses the HMAC\-SHA256 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes. .sp If \fBrndc \-s testserver\fP is used, then \fBrndc\fP connects to the server -on localhost port 5353 using the key "testkey". +on localhost port 5353 using the key \(dqtestkey\(dq. .sp To generate a random secret with \fBrndc\-confgen\fP: .sp @@ -177,7 +177,7 @@ .sp To generate a base\-64 secret with \fBmmencode\fP: .sp -\fBecho "known plaintext for a secret" | mmencode\fP +\fBecho \(dqknown plaintext for a secret\(dq | mmencode\fP .SH NAME SERVER CONFIGURATION .sp The name server must be configured to accept rndc connections and to diff -Nru bind9-9.16.37/doc/man/tsig-keygen.8in bind9-9.16.42/doc/man/tsig-keygen.8in --- bind9-9.16.37/doc/man/tsig-keygen.8in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/doc/man/tsig-keygen.8in 2023-06-09 14:45:37.000000000 +0000 
@@ -48,7 +48,7 @@ This option specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and hmac\-sha512. The default is hmac\-sha256. Options are -case\-insensitive, and the "hmac\-" prefix may be omitted. +case\-insensitive, and the \(dqhmac\-\(dq prefix may be omitted. .TP .B \fB\-h\fP This option prints a short summary of options and arguments. diff -Nru bind9-9.16.37/doc/notes/notes-9.16.38.rst bind9-9.16.42/doc/notes/notes-9.16.38.rst --- bind9-9.16.37/doc/notes/notes-9.16.38.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/doc/notes/notes-9.16.38.rst 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.38
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+ reconfig`` could cause increased memory consumption due to delayed
+ cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+ NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+ ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff -Nru bind9-9.16.37/doc/notes/notes-9.16.39.rst bind9-9.16.42/doc/notes/notes-9.16.39.rst
--- bind9-9.16.37/doc/notes/notes-9.16.39.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/doc/notes/notes-9.16.39.rst 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,60 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.39 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- libuv support for receiving multiple UDP messages in a single + ``recvmmsg()`` system call has been tweaked several times between + libuv versions 1.35.0 and 1.40.0; the current recommended libuv + version is 1.40.0 or higher. New rules are now in effect for running + with a different version of libuv than the one used at compilation + time. These rules may trigger a fatal error at startup: + + - Building against or running with libuv versions 1.35.0 and 1.36.0 is + now a fatal error. + + - Running with libuv version higher than 1.34.2 is now a fatal error + when :iscman:`named` is built against libuv version 1.34.2 or lower. + + - Running with libuv version higher than 1.39.0 is now a fatal error + when :iscman:`named` is built against libuv version 1.37.0, 1.38.0, + 1.38.1, or 1.39.0. + + This prevents the use of libuv versions that may trigger an assertion + failure when receiving multiple UDP messages in a single system call. + :gl:`#3840` + +Bug Fixes +~~~~~~~~~ + +- :iscman:`named` could crash with an assertion failure when adding a + new zone into the configuration file for a name which was already + configured as a member zone for a catalog zone. This has been fixed. + :gl:`#3911` + +- When :iscman:`named` starts up, it sends a query for the DNSSEC key + for each configured trust anchor to determine whether the key has + changed. 
In some unusual cases, the query might depend on a zone for + which the server is itself authoritative, and would have failed if it + were sent before the zone was fully loaded. This has now been fixed by + delaying the key queries until all zones have finished loading. + :gl:`#3673` + +Known Issues +~~~~~~~~~~~~ + +- There are no new known issues with this release. See :ref:`above + ` for a list of all known issues affecting this + BIND 9 branch. diff -Nru bind9-9.16.37/doc/notes/notes-9.16.40.rst bind9-9.16.42/doc/notes/notes-9.16.40.rst --- bind9-9.16.37/doc/notes/notes-9.16.40.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/doc/notes/notes-9.16.40.rst 2023-06-09 14:35:17.000000000 +0000 
@@ -0,0 +1,32 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.40
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Logfiles using ``timestamp``-style suffixes were not always correctly
+ removed when the number of files exceeded the limit set by ``versions``.
+ This has been fixed for configurations which do not explicitly specify
+ a directory path as part of the ``file`` argument in the ``channel``
+ specification. :gl:`#3959` :gl:`#3991`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records
+ has been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff -Nru bind9-9.16.37/doc/notes/notes-9.16.41.rst bind9-9.16.42/doc/notes/notes-9.16.41.rst
--- bind9-9.16.37/doc/notes/notes-9.16.41.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/doc/notes/notes-9.16.41.rst 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,27 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.41
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- When removing delegations from an opt-out range, empty-non-terminal
+ NSEC3 records generated by those delegations were not cleaned up. This
+ has been fixed. :gl:`#4027`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff -Nru bind9-9.16.37/doc/notes/notes-9.16.42.rst bind9-9.16.42/doc/notes/notes-9.16.42.rst
--- bind9-9.16.37/doc/notes/notes-9.16.42.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.42/doc/notes/notes-9.16.42.rst 2023-06-09 14:35:17.000000000 +0000
@@ -0,0 +1,45 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.42
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache
+ from significantly exceeding the configured ``max-cache-size`` limit.
+ (CVE-2023-2828)
+
+ ISC would like to thank Shoham Danino from Reichman University, Anat
+ Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv
+ University, and Yuval Shavitt from Tel-Aviv University for bringing
+ this vulnerability to our attention. :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to
+ refresh the stale data in cache. If the fetch is aborted for exceeding
+ the recursion quota, it was possible for :iscman:`named` to enter an
+ infinite callback loop and crash due to stack overflow. This has been
+ fixed. (CVE-2023-2911) :gl:`#4089`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, it was possible for a delegation from cache to be returned
+ to the client after the ``stale-answer-client-timeout`` duration.
+ This has been fixed. :gl:`#3950`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+ ` for a list of all known issues affecting this
+ BIND 9 branch.
diff -Nru bind9-9.16.37/fuzz/fuzz.h bind9-9.16.42/fuzz/fuzz.h
--- bind9-9.16.37/fuzz/fuzz.h 2023-01-12 22:45:02.000000000 +0000
+++ bind9-9.16.42/fuzz/fuzz.h 2023-06-09 14:35:17.000000000 +0000
@@ -30,16 +30,4 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); -static isc_mem_t *mctx = NULL; - -static void __attribute__((constructor)) init(void) { - isc_mem_create(&mctx); - RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS); -} - -static void __attribute__((destructor)) deinit(void) { - dst_lib_destroy(); - isc_mem_destroy(&mctx); -} - ISC_LANG_ENDDECLS diff -Nru bind9-9.16.37/lib/dns/catz.c bind9-9.16.42/lib/dns/catz.c --- bind9-9.16.37/lib/dns/catz.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/catz.c 2023-06-09 14:35:17.000000000 +0000 @@ -630,7 +630,7 @@ isc_ht_destroy(&new_zones->zones); isc_refcount_destroy(&new_zones->refs); isc_mutex_destroy(&new_zones->lock); - isc_mem_put(mctx, new_zones, sizeof(*new_zones)); + isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones)); return (result); } @@ -752,8 +752,10 @@ REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC)); + LOCK(&catzs->lock); result = isc_ht_find(catzs->zones, name->ndata, name->length, (void **)&found); + UNLOCK(&catzs->lock); if (result != ISC_R_SUCCESS) { return (NULL); } @@ -808,7 +810,7 @@ isc_ht_destroy(&zone->entries); } zone->magic = 0; - isc_timer_detach(&zone->updatetimer); + isc_timer_destroy(&zone->updatetimer); if (zone->db_registered) { dns_db_updatenotify_unregister( zone->db, dns_catz_dbupdate_callback, @@ -1761,6 +1763,8 @@ if (zone->dbversion != NULL) { dns_db_closeversion(zone->db, &zone->dbversion, false); } + dns_db_updatenotify_unregister( + zone->db, dns_catz_dbupdate_callback, zone->catzs); dns_db_detach(&zone->db); /* * We're not registering db update callback, it will be 
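Review bot: The lock added in the catz.c hunk at -752 is held only across `isc_ht_find()`, and `found` is then used after `UNLOCK(&catzs->lock)` with no reference taken in the visible lines. If another thread can remove and free that zone once the lock is dropped, the caller is left with a dangling pointer; whether the callers hold something else that pins the zone is not visible here, because the function starts and ends outside the hunk. At minimum the lifetime rule should be written down next to the lookup, for example `/* The returned zone is not referenced; the caller must ensure catzs outlives its use of it. */`, or the function should attach to the zone before unlocking if that is not guaranteed.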
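Review bot: The `dns_db_updatenotify_unregister()` call added in the catz.c hunk at -1761 is unconditional and its result is discarded, whereas the teardown path in the hunk at -808 makes the same call only under `if (zone->db_registered)`. If this code can run for a zone whose callback was never registered, or was already unregistered, the two paths now disagree, and the hunk does not show `zone->db_registered` being cleared afterwards. I would guard it the same way, `if (zone->db_registered) {`, and reset the flag inside the block, or add a comment saying why the unguarded call is safe here. The enclosing function continues outside the hunk.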
@@ -1858,6 +1862,14 @@ return; } + if (!oldzone->active) { + /* This can happen during a reconfiguration. */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_MASTER, ISC_LOG_INFO, + "catz: zone '%s' is no longer active", bname); + return; + } + isc_buffer_init(&ibname, bname, DNS_NAME_FORMATSIZE); result = dns_name_totext(&db->origin, true, &ibname); INSIST(result == ISC_R_SUCCESS); @@ -2026,6 +2038,7 @@ REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); + LOCK(&catzs->lock); isc_ht_iter_create(catzs->zones, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS; result = isc_ht_iter_next(iter)) @@ -2034,6 +2047,7 @@ isc_ht_iter_current(iter, (void **)&zone); zone->active = false; } + UNLOCK(&catzs->lock); INSIST(result == ISC_R_NOMORE); isc_ht_iter_destroy(&iter); } diff -Nru bind9-9.16.37/lib/dns/dnsrps.c bind9-9.16.42/lib/dns/dnsrps.c --- bind9-9.16.37/lib/dns/dnsrps.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/dnsrps.c 2023-06-09 14:35:17.000000000 +0000 @@ -621,7 +621,8 @@ static isc_result_t rpsdb_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - isc_stdtime_t now, dns_rdatasetiter_t **iteratorp) { + unsigned int options, isc_stdtime_t now, + dns_rdatasetiter_t **iteratorp) { rpsdb_t *rpsdb = (rpsdb_t *)db; rpsdb_rdatasetiter_t *rpsdb_iter; @@ -637,6 +638,7 @@ rpsdb_iter->common.magic = DNS_RDATASETITER_MAGIC; rpsdb_iter->common.methods = &rpsdb_rdatasetiter_methods; rpsdb_iter->common.db = db; + rpsdb_iter->common.options = options; rpsdb_attachnode(db, node, &rpsdb_iter->common.node); *iteratorp = &rpsdb_iter->common; diff -Nru bind9-9.16.37/lib/dns/hmac_link.c bind9-9.16.42/lib/dns/hmac_link.c --- bind9-9.16.37/lib/dns/hmac_link.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/hmac_link.c 2023-06-09 14:35:17.000000000 +0000 
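Review bot: The new `!oldzone->active` branch in the hunk at -1858 logs `bname`, but in the visible lines `bname` is only filled in afterwards, by `isc_buffer_init(&ibname, bname, ...)` and `dns_name_totext()`. Unless the buffer is formatted earlier in the function (not visible in this hunk), the `%s` reads an uninitialised stack array, which can print garbage into the log or read past the array if no NUL byte is present. Either move the new check below the name formatting, or format the name before logging with `dns_name_format(&db->origin, bname, DNS_NAME_FORMATSIZE);`. The error branch just above the hunk may need the same check, but its log call is outside the visible lines.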
@@ -170,6 +170,7 @@ result = isc_hmac_init(ctx, hkey->key, isc_md_type_get_block_size(type), type); if (result != ISC_R_SUCCESS) { + isc_hmac_free(ctx); return (DST_R_UNSUPPORTEDALG); } diff -Nru bind9-9.16.37/lib/dns/include/dns/view.h bind9-9.16.42/lib/dns/include/dns/view.h --- bind9-9.16.37/lib/dns/include/dns/view.h 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/include/dns/view.h 2023-06-09 14:35:17.000000000 +0000 @@ -1197,7 +1197,7 @@ void dns_view_untrust(dns_view_t *view, const dns_name_t *keyname, - dns_rdata_dnskey_t *dnskey); + const dns_rdata_dnskey_t *dnskey); /*%< * Remove keys that match 'keyname' and 'dnskey' from the views trust * anchors. @@ -1210,6 +1210,19 @@ * * Requires: * \li 'view' is valid. + * \li 'keyname' is valid. + * \li 'dnskey' is valid. + */ + +bool +dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname, + const dns_rdata_dnskey_t *dnskey); +/*%< + * Determine if the key defined by 'keyname' and 'dnskey' is + * trusted by 'view'. + * + * Requires: + * \li 'view' is valid. * \li 'keyname' is valid. * \li 'dnskey' is valid. */ diff -Nru bind9-9.16.37/lib/dns/include/dns/zt.h bind9-9.16.42/lib/dns/include/dns/zt.h --- bind9-9.16.37/lib/dns/include/dns/zt.h 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/include/dns/zt.h 2023-06-09 14:35:17.000000000 +0000 @@ -19,6 +19,7 @@ #include #include +#include #include diff -Nru bind9-9.16.37/lib/dns/keymgr.c bind9-9.16.42/lib/dns/keymgr.c --- bind9-9.16.37/lib/dns/keymgr.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/keymgr.c 2023-06-09 14:35:17.000000000 +0000 
@@ -2276,9 +2276,19 @@ } if (dspublish) { + dst_key_state_t s; dst_key_settime(ksk_key->key, DST_TIME_DSPUBLISH, when); + result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s); + if (result != ISC_R_SUCCESS || s != RUMOURED) { + dst_key_setstate(ksk_key->key, DST_KEY_DS, RUMOURED); + } } else { + dst_key_state_t s; dst_key_settime(ksk_key->key, DST_TIME_DSDELETE, when); + result = dst_key_getstate(ksk_key->key, DST_KEY_DS, &s); + if (result != ISC_R_SUCCESS || s != UNRETENTIVE) { + dst_key_setstate(ksk_key->key, DST_KEY_DS, UNRETENTIVE); + } } if (isc_log_wouldlog(dns_lctx, ISC_LOG_NOTICE)) { diff -Nru bind9-9.16.37/lib/dns/keytable.c bind9-9.16.42/lib/dns/keytable.c --- bind9-9.16.37/lib/dns/keytable.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/keytable.c 2023-06-09 14:35:17.000000000 +0000 @@ -459,10 +459,6 @@ REQUIRE(VALID_KEYTABLE(keytable)); REQUIRE(dnskey != NULL); - isc_buffer_init(&b, data, sizeof(data)); - dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, - dns_rdatatype_dnskey, dnskey, &b); - RWLOCK(&keytable->rwlock, isc_rwlocktype_write); result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL, DNS_RBTFIND_NOOPTIONS, NULL, NULL); @@ -489,6 +485,13 @@ } RWUNLOCK(&knode->rwlock, isc_rwlocktype_read); + isc_buffer_init(&b, data, sizeof(data)); + result = dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, + dns_rdatatype_dnskey, dnskey, &b); + if (result != ISC_R_SUCCESS) { + goto finish; + } + result = dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest, &ds); if (result != ISC_R_SUCCESS) { diff -Nru bind9-9.16.37/lib/dns/master.c bind9-9.16.42/lib/dns/master.c --- bind9-9.16.37/lib/dns/master.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/master.c 2023-06-09 14:35:17.000000000 +0000 
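Review bot: Both branches of `if (dspublish)` in the keymgr.c hunk now repeat the same declare/get/compare/set sequence, differing only in the timing constant and the target state, and nothing says why the DS state is forced here. Selecting the pair once (for example a local `dst_key_state_t want = dspublish ? RUMOURED : UNRETENTIVE;`) and running a single `dst_key_getstate()`/`dst_key_setstate()` sequence would keep the two paths from drifting apart. Note also that `result` now holds the `dst_key_getstate()` return, so a key with no DS state yet leaves a non-success value in it; whether it is reassigned before the function returns is outside the hunk. A one-line comment such as `/* Keep the DS state in step with the timing metadata set above. */` would document the intent.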
@@ -1101,7 +1101,7 @@ char *lhs = NULL; char *gtype = NULL; char *rhs = NULL; - const char *source = ""; + const char *source; unsigned long line = 0; bool explicit_ttl; char classname1[DNS_RDATACLASS_FORMATSIZE]; diff -Nru bind9-9.16.37/lib/dns/nsec3.c bind9-9.16.42/lib/dns/nsec3.c --- bind9-9.16.37/lib/dns/nsec3.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/nsec3.c 2023-06-09 14:35:17.000000000 +0000 @@ -1443,7 +1443,7 @@ result = dns_dbiterator_seek(dbit, hashname); if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) { - goto success; + goto cleanup_orphaned_ents; } if (result != ISC_R_SUCCESS) { goto failure; @@ -1455,7 +1455,7 @@ (isc_stdtime_t)0, &rdataset, NULL); dns_db_detachnode(db, &node); if (result == ISC_R_NOTFOUND) { - goto success; + goto cleanup_orphaned_ents; } if (result != ISC_R_SUCCESS) { goto failure; @@ -1540,6 +1540,7 @@ /* * Delete NSEC3 records for now non active nodes. */ +cleanup_orphaned_ents: dns_name_init(&empty, NULL); dns_name_clone(name, &empty); do { diff -Nru bind9-9.16.37/lib/dns/nta.c bind9-9.16.42/lib/dns/nta.c --- bind9-9.16.37/lib/dns/nta.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/nta.c 2023-06-09 14:35:17.000000000 +0000 @@ -77,7 +77,7 @@ (void)isc_timer_reset(nta->timer, isc_timertype_inactive, NULL, NULL, true); - isc_timer_detach(&nta->timer); + isc_timer_destroy(&nta->timer); } if (dns_rdataset_isassociated(&nta->rdataset)) { dns_rdataset_disassociate(&nta->rdataset); @@ -293,6 +293,9 @@ result = isc_timer_create(ntatable->timermgr, isc_timertype_ticker, NULL, &interval, ntatable->task, checkbogus, nta, &nta->timer); + if (result != ISC_R_SUCCESS) { + isc_timer_destroy(&nta->timer); + } return (result); } 
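Review bot: The new error path after `isc_timer_create()` in the nta.c hunk `@@ -293,6 +293,9 @@` calls `isc_timer_destroy(&nta->timer)` without checking that a timer was stored, unlike the guarded `if (request->timer != NULL)` and `if (xfr->timer != NULL)` call sites elsewhere in this diff. If `isc_timer_create()` leaves `*timerp` untouched on failure (its body is not shown here), the destroy is handed a NULL timer on exactly the path meant to clean up. Guarding it as `if (result != ISC_R_SUCCESS && nta->timer != NULL) {` keeps the cleanup without depending on that detail. The enclosing function starts outside the hunk.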
@@ -479,7 +482,7 @@ (void)isc_timer_reset(nta->timer, isc_timertype_inactive, NULL, NULL, true); - isc_timer_detach(&nta->timer); + isc_timer_destroy(&nta->timer); } result = deletenode(ntatable, foundname); diff -Nru bind9-9.16.37/lib/dns/rbt.c bind9-9.16.42/lib/dns/rbt.c --- bind9-9.16.37/lib/dns/rbt.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/rbt.c 2023-06-09 14:35:17.000000000 +0000 @@ -35,6 +35,7 @@ * efficient macro calls instead of functions for a few operations. */ #define DNS_NAME_USEINLINE 1 +#define ALIGNMENT_SIZE 8U /* see lib/isc/mem.c */ #include @@ -798,8 +799,12 @@ return (ISC_R_SUCCESS); } +#define CHECK_ALIGNMENT(n) \ + (((uintptr_t)n & ~((uintptr_t)ALIGNMENT_SIZE - 1)) == (uintptr_t)n) + CONFIRM((void *)n >= base); CONFIRM((size_t)((char *)n - (char *)base) <= nodemax); + CONFIRM(CHECK_ALIGNMENT(n)); CONFIRM(DNS_RBTNODE_VALID(n)); dns_name_init(&nodename, NULL); @@ -820,6 +825,7 @@ CONFIRM(n->left <= (dns_rbtnode_t *)nodemax); n->left = getleft(n, rbt->mmap_location); n->left_is_relative = 0; + CONFIRM(CHECK_ALIGNMENT(n->left)); CONFIRM(DNS_RBTNODE_VALID(n->left)); } else { CONFIRM(n->left == NULL); @@ -829,6 +835,7 @@ CONFIRM(n->right <= (dns_rbtnode_t *)nodemax); n->right = getright(n, rbt->mmap_location); n->right_is_relative = 0; + CONFIRM(CHECK_ALIGNMENT(n->right)); CONFIRM(DNS_RBTNODE_VALID(n->right)); } else { CONFIRM(n->right == NULL); @@ -839,6 +846,7 @@ n->down = getdown(n, rbt->mmap_location); n->down_is_relative = 0; CONFIRM(n->down > (dns_rbtnode_t *)n); + CONFIRM(CHECK_ALIGNMENT(n->down)); CONFIRM(DNS_RBTNODE_VALID(n->down)); } else { CONFIRM(n->down == NULL); @@ -849,6 +857,7 @@ n->parent = getparent(n, rbt->mmap_location); n->parent_is_relative = 0; CONFIRM(n->parent < (dns_rbtnode_t *)n); + CONFIRM(CHECK_ALIGNMENT(n->parent)); CONFIRM(DNS_RBTNODE_VALID(n->parent)); } else { CONFIRM(n->parent == NULL); 
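Review bot: `CHECK_ALIGNMENT` in the rbt.c hunk `@@ -798,8 +799,12 @@` uses its argument unparenthesized and is defined in the middle of a function body, with no `#undef` in view. It is correct for the `n`, `n->left` and `n->data` arguments in the following hunks only because `->` binds tighter than the cast; an argument such as `p + 1` would be cast first and then checked wrongly. These CONFIRM checks validate node pointers rebuilt from `rbt->mmap_location`, so I would write it as `#define CHECK_ALIGNMENT(p) (((uintptr_t)(p) & ((uintptr_t)ALIGNMENT_SIZE - 1)) == 0)` next to the `ALIGNMENT_SIZE` define at the top of the file. That define is a hand-kept copy of the value in lib/isc/mem.c, so a shared header would be less fragile than the two cross-referencing comments.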
@@ -859,6 +868,7 @@ n->data = getdata(n, rbt->mmap_location); n->data_is_relative = 0; CONFIRM(n->data > (void *)n); + CONFIRM(CHECK_ALIGNMENT(n->data)); } else { CONFIRM(n->data == NULL); } diff -Nru bind9-9.16.37/lib/dns/rbtdb.c bind9-9.16.42/lib/dns/rbtdb.c --- bind9-9.16.37/lib/dns/rbtdb.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/rbtdb.c 2023-06-09 14:35:17.000000000 +0000 @@ -605,7 +605,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked, expire_t reason); static void -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now, +overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, bool tree_locked); static void resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader); @@ -2785,7 +2785,7 @@ * tree_lock(write) must be held. */ static isc_result_t -add_wildcard_magic(dns_rbtdb_t *rbtdb, const dns_name_t *name) { +add_wildcard_magic(dns_rbtdb_t *rbtdb, const dns_name_t *name, bool lock) { isc_result_t result; dns_name_t foundname; dns_offsets_t offsets; @@ -2805,7 +2805,15 @@ node->nsec = DNS_RBT_NSEC_NORMAL; } node->find_callback = 1; + if (lock) { + NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, + isc_rwlocktype_write); + } node->wild = 1; + if (lock) { + NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock, + isc_rwlocktype_write); + } return (ISC_R_SUCCESS); } @@ -2813,7 +2821,7 @@ * tree_lock(write) must be held. */ static isc_result_t -add_empty_wildcards(dns_rbtdb_t *rbtdb, const dns_name_t *name) { +add_empty_wildcards(dns_rbtdb_t *rbtdb, const dns_name_t *name, bool lock) { isc_result_t result; dns_name_t foundname; dns_offsets_t offsets; 
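Review bot: The header comment above `add_wildcard_magic()` still says only `tree_lock(write) must be held.` and does not describe the new `lock` parameter added in `@@ -2785,7 +2785,7 @@` and used in `@@ -2805,7 +2805,15 @@`; the same applies to `add_empty_wildcards()` in `@@ -2813,7 +2821,7 @@`. Callers now need to know that `lock == true` makes the function take the node write lock around `node->wild = 1`, and that with `false` the write happens without the function taking it. I would extend the comment to `* tree_lock(write) must be held. If 'lock' is true the node lock is taken (write) while 'wild' is set; pass false only when the caller already serialises access to the node.` The last clause is my reading of the intent and should be checked against the callers that pass `false`.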
@@ -2827,7 +2835,7 @@ dns_rbtnode_t *node = NULL; /* dummy */ dns_name_getlabelsequence(name, n - i, i, &foundname); if (dns_name_iswildcard(&foundname)) { - result = add_wildcard_magic(rbtdb, &foundname); + result = add_wildcard_magic(rbtdb, &foundname, lock); if (result != ISC_R_SUCCESS) { return (result); } @@ -2879,11 +2887,11 @@ dns_rbt_namefromnode(node, &nodename); node->locknum = node->hashval % rbtdb->node_lock_count; if (tree == rbtdb->tree) { - add_empty_wildcards(rbtdb, name); + add_empty_wildcards(rbtdb, name, true); if (dns_name_iswildcard(name)) { - result = add_wildcard_magic(rbtdb, - name); + result = add_wildcard_magic(rbtdb, name, + true); if (result != ISC_R_SUCCESS) { RWUNLOCK(&rbtdb->tree_lock, locktype); @@ -6815,6 +6823,16 @@ static dns_dbmethods_t zone_methods; +static size_t +rdataset_size(rdatasetheader_t *header) { + if (!NONEXISTENT(header)) { + return (dns_rdataslab_size((unsigned char *)header, + sizeof(*header))); + } + + return (sizeof(*header)); +} + static isc_result_t addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, @@ -6979,7 +6997,8 @@ } if (cache_is_overmem) { - overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); + overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), + tree_locked); } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, @@ -6998,10 +7017,18 @@ } header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); - if (header != NULL && header->rdh_ttl + rbtdb->serve_stale_ttl < - now - RBTDB_VIRTUAL) - { - expire_header(rbtdb, header, tree_locked, expire_ttl); + if (header != NULL) { + dns_ttl_t rdh_ttl = header->rdh_ttl; + + /* Only account for stale TTL if cache is not overmem */ + if (!cache_is_overmem) { + rdh_ttl += rbtdb->serve_stale_ttl; + } + + if (rdh_ttl < now - RBTDB_VIRTUAL) { + expire_header(rbtdb, header, tree_locked, + expire_ttl); + } } /* 
@@ -7449,7 +7476,7 @@ if (rdataset->type != dns_rdatatype_nsec3 && rdataset->covers != dns_rdatatype_nsec3) { - add_empty_wildcards(rbtdb, name); + add_empty_wildcards(rbtdb, name, false); } if (dns_name_iswildcard(name)) { @@ -7465,7 +7492,7 @@ if (rdataset->type == dns_rdatatype_nsec3) { return (DNS_R_INVALIDNSEC3); } - result = add_wildcard_magic(rbtdb, name); + result = add_wildcard_magic(rbtdb, name, false); if (result != ISC_R_SUCCESS) { return (result); } 
@@ -10539,52 +10566,58 @@ ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); } +static size_t +expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, + bool tree_locked) { + rdatasetheader_t *header, *header_prev; + size_t purged = 0; + + for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); + header != NULL && purged <= purgesize; header = header_prev) + { + header_prev = ISC_LIST_PREV(header, link); + /* + * Unlink the entry at this point to avoid checking it + * again even if it's currently used someone else and + * cannot be purged at this moment. This entry won't be + * referenced any more (so unlinking is safe) since the + * TTL was reset to 0. + */ + ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); + size_t header_size = rdataset_size(header); + expire_header(rbtdb, header, tree_locked, expire_lru); + purged += header_size; + } + + return (purged); +} + /*% - * Purge some expired and/or stale (i.e. unused for some period) cache entries - * under an overmem condition. To recover from this condition quickly, up to - * 2 entries will be purged. This process is triggered while adding a new - * entry, and we specifically avoid purging entries in the same LRU bucket as - * the one to which the new entry will belong. Otherwise, we might purge - * entries of the same name of different RR types while adding RRsets from a - * single response (consider the case where we're adding A and AAAA glue records - * of the same NS name). + * Purge some stale (i.e. unused for some period - LRU based cleaning) cache + * entries under the overmem condition. To recover from this condition quickly, + * we cleanup entries up to the size of newly added rdata (passed as purgesize). + * + * This process is triggered while adding a new entry, and we specifically avoid + * purging entries in the same LRU bucket as the one to which the new entry will + * belong. 
Otherwise, we might purge entries of the same name of different RR + * types while adding RRsets from a single response (consider the case where + * we're adding A and AAAA glue records of the same NS name). */ static void -overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now, +overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, bool tree_locked) { - rdatasetheader_t *header, *header_prev; unsigned int locknum; - int purgecount = 2; + size_t purged = 0; for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; - locknum != locknum_start && purgecount > 0; + locknum != locknum_start && purged <= purgesize; locknum = (locknum + 1) % rbtdb->node_lock_count) { NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); - header = isc_heap_element(rbtdb->heaps[locknum], 1); - if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { - expire_header(rbtdb, header, tree_locked, expire_ttl); - purgecount--; - } - - for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); - header != NULL && purgecount > 0; header = header_prev) - { - header_prev = ISC_LIST_PREV(header, link); - /* - * Unlink the entry at this point to avoid checking it - * again even if it's currently used someone else and - * cannot be purged at this moment. This entry won't be - * referenced any more (so unlinking is safe) since the - * TTL was reset to 0. - */ - ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, - link); - expire_header(rbtdb, header, tree_locked, expire_lru); - purgecount--; - } + purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, + tree_locked); NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write); diff -Nru bind9-9.16.37/lib/dns/request.c bind9-9.16.42/lib/dns/request.c --- bind9-9.16.37/lib/dns/request.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/request.c 2023-06-09 14:35:17.000000000 +0000 
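Review bot: In `expire_lru_headers()`, `purged += header_size` runs for every header unlinked from the LRU list, while the comment directly above it says an entry may be in use by someone else and "cannot be purged at this moment". If `expire_header()` can defer the free in that case (its body is not visible here), `purged` reaches `purgesize` before that much memory has been released, and `overmem_purge()` stops scanning early while the cache is still over its limit. Either count only what was freed, or state the approximation at the accumulation, e.g. `/* Counts every unlinked header, including ones expire_header() could not free yet. */`. A short comment that `header_size` is read before `expire_header()` because the header may be gone afterwards would also help. `overmem_purge()` continues outside the hunk.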
@@ -1298,6 +1298,9 @@ req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request); + result = sevent->result; + isc_event_free(&event); + LOCK(&request->requestmgr->locks[request->hash]); request->flags &= ~DNS_REQUEST_F_CONNECTING; @@ -1312,7 +1315,6 @@ } } else { dns_dispatch_starttcp(request->dispatch); - result = sevent->result; if (result == ISC_R_SUCCESS) { result = req_send(request, task, NULL); } @@ -1323,13 +1325,13 @@ } } UNLOCK(&request->requestmgr->locks[request->hash]); - isc_event_free(&event); } static void req_senddone(isc_task_t *task, isc_event_t *event) { isc_socketevent_t *sevent = (isc_socketevent_t *)event; dns_request_t *request = event->ev_arg; + isc_result_t result = sevent->result; REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE); REQUIRE(VALID_REQUEST(request)); @@ -1339,6 +1341,8 @@ UNUSED(task); + isc_event_free(&event); + LOCK(&request->requestmgr->locks[request->hash]); request->flags &= ~DNS_REQUEST_F_SENDING; @@ -1351,13 +1355,11 @@ } else { send_if_done(request, ISC_R_CANCELED); } - } else if (sevent->result != ISC_R_SUCCESS) { + } else if (result != ISC_R_SUCCESS) { req_cancel(request); send_if_done(request, ISC_R_CANCELED); } UNLOCK(&request->requestmgr->locks[request->hash]); - - isc_event_free(&event); } static void @@ -1407,14 +1409,18 @@ req_timeout(isc_task_t *task, isc_event_t *event) { dns_request_t *request = event->ev_arg; isc_result_t result; + isc_eventtype_t ev_type = event->ev_type; REQUIRE(VALID_REQUEST(request)); req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request); UNUSED(task); + + isc_event_free(&event); + LOCK(&request->requestmgr->locks[request->hash]); - if (event->ev_type == ISC_TIMEREVENT_TICK && request->udpcount-- != 0) { + if (ev_type == ISC_TIMEREVENT_TICK && request->udpcount-- != 0) { if (!DNS_REQUEST_SENDING(request)) { result = req_send(request, task, &request->destaddr); if (result != ISC_R_SUCCESS) { 
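Review bot: After the early `isc_event_free(&event)` in `req_connected()` (`@@ -1298,6 +1298,9 @@`) and `req_senddone()` (`@@ -1339,6 +1341,8 @@`), the local `sevent` still points at the freed event. The hunks replace the reads visible here with the saved `result`, but both function bodies continue outside the hunks, so a later `sevent->...` would compile cleanly and be a use-after-free. A comment at the free, such as `/* 'event' and 'sevent' are invalid from here on; use 'result'. */`, would help, and the same applies to the saved `ev_type` in `req_timeout()` (`@@ -1407,14 +1409,18 @@`). It would also be worth stating there why the free has to precede `LOCK()`, since the hunks do not say.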
@@ -1428,7 +1434,6 @@ send_if_done(request, ISC_R_TIMEDOUT); } UNLOCK(&request->requestmgr->locks[request->hash]); - isc_event_free(&event); } static void @@ -1471,7 +1476,7 @@ dns_dispatch_detach(&request->dispatch); } if (request->timer != NULL) { - isc_timer_detach(&request->timer); + isc_timer_destroy(&request->timer); } if (request->tsig != NULL) { isc_buffer_free(&request->tsig); @@ -1503,7 +1508,7 @@ request->flags |= DNS_REQUEST_F_CANCELED; if (request->timer != NULL) { - isc_timer_detach(&request->timer); + isc_timer_destroy(&request->timer); } dispattr = dns_dispatch_getattributes(request->dispatch); sock = NULL; diff -Nru bind9-9.16.37/lib/dns/resolver.c bind9-9.16.42/lib/dns/resolver.c --- bind9-9.16.37/lib/dns/resolver.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/resolver.c 2023-06-09 14:35:17.000000000 +0000 @@ -4706,9 +4706,9 @@ isc_counter_detach(&fctx->qc); fcount_decr(fctx); - isc_timer_detach(&fctx->timer); + isc_timer_destroy(&fctx->timer); if (fctx->timer_try_stale != NULL) { - isc_timer_detach(&fctx->timer_try_stale); + isc_timer_destroy(&fctx->timer_try_stale); } dns_message_detach(&fctx->qmessage); if (dns_name_countlabels(&fctx->domain) > 0) { @@ -5483,8 +5483,8 @@ isc_mem_detach(&fctx->mctx); dns_adb_detach(&fctx->adb); dns_db_detach(&fctx->cache); - isc_timer_detach(&fctx->timer); - isc_timer_detach(&fctx->timer_try_stale); + isc_timer_destroy(&fctx->timer); + isc_timer_destroy(&fctx->timer_try_stale); cleanup_qmessage: dns_message_detach(&fctx->qmessage); @@ -10486,7 +10486,7 @@ #if USE_MBSLOCK isc_rwlock_destroy(&res->mbslock); #endif /* if USE_MBSLOCK */ - isc_timer_detach(&res->spillattimer); + isc_timer_destroy(&res->spillattimer); res->magic = 0; isc_mem_put(res->mctx, res, sizeof(*res)); } diff -Nru bind9-9.16.37/lib/dns/rpz.c bind9-9.16.42/lib/dns/rpz.c --- bind9-9.16.37/lib/dns/rpz.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/rpz.c 2023-06-09 14:35:17.000000000 +0000 
@@ -2230,7 +2230,7 @@ isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL, NULL, true); - isc_timer_detach(&rpz->updatetimer); + isc_timer_destroy(&rpz->updatetimer); isc_ht_destroy(&rpz->nodes); diff -Nru bind9-9.16.37/lib/dns/validator.c bind9-9.16.42/lib/dns/validator.c --- bind9-9.16.37/lib/dns/validator.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/validator.c 2023-06-09 14:35:17.000000000 +0000 
@@ -1397,26 +1397,50 @@ continue; } - result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, - &dstkey); - if (result != ISC_R_SUCCESS) { + /* + * If the REVOKE bit is not set we have a + * theoretically self signed DNSKEY RRset. + * This will be verified later. + */ + if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) { + answer = true; continue; } - result = dns_dnssec_verify(name, rdataset, dstkey, true, - val->view->maxbits, mctx, - &sigrdata, NULL); - dst_key_free(&dstkey); + result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx, + &dstkey); if (result != ISC_R_SUCCESS) { continue; } - if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) { - answer = true; - continue; + /* + * If this RRset is pending and it is trusted, + * see if it was self signed by this DNSKEY. + */ + if (DNS_TRUST_PENDING(rdataset->trust) && + dns_view_istrusted(val->view, name, &key)) + { + result = dns_dnssec_verify( + name, rdataset, dstkey, true, + val->view->maxbits, mctx, &sigrdata, + NULL); + if (result == ISC_R_SUCCESS) { + /* + * The key with the REVOKE flag has + * self signed the RRset so it is no + * good. + */ + dns_view_untrust(val->view, name, &key); + } + } else if (rdataset->trust >= dns_trust_secure) { + /* + * We trust this RRset so if the key is + * marked revoked remove it. + */ + dns_view_untrust(val->view, name, &key); } - dns_view_untrust(val->view, name, &key); + dst_key_free(&dstkey); } } diff -Nru bind9-9.16.37/lib/dns/view.c bind9-9.16.42/lib/dns/view.c --- bind9-9.16.37/lib/dns/view.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/view.c 2023-06-09 14:35:17.000000000 +0000 
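Review bot: The `continue` taken when `dns_dnssec_keyfromrdata()` fails now also skips the `rdataset->trust >= dns_trust_secure` branch, although that branch never uses `dstkey`. A key carrying the REVOKE flag that cannot be converted therefore stays in the trust anchors even when the RRset is already trusted. If that is intended, say so at the `continue`, e.g. `/* Keys we cannot parse are ignored, never untrusted. */`; otherwise create `dstkey` only inside the `DNS_TRUST_PENDING` branch, where `dns_dnssec_verify()` needs it, and free it there. The loop starts outside the hunk.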
@@ -1992,26 +1992,28 @@ void dns_view_untrust(dns_view_t *view, const dns_name_t *keyname, - dns_rdata_dnskey_t *dnskey) { + const dns_rdata_dnskey_t *dnskey) { isc_result_t result; dns_keytable_t *sr = NULL; + dns_rdata_dnskey_t tmpkey; REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(keyname != NULL); REQUIRE(dnskey != NULL); - /* - * Clear the revoke bit, if set, so that the key will match what's - * in secroots now. - */ - dnskey->flags &= ~DNS_KEYFLAG_REVOKE; - result = dns_view_getsecroots(view, &sr); if (result != ISC_R_SUCCESS) { return; } - result = dns_keytable_deletekey(sr, keyname, dnskey); + /* + * Clear the revoke bit, if set, so that the key will match what's + * in secroots now. + */ + tmpkey = *dnskey; + tmpkey.flags &= ~DNS_KEYFLAG_REVOKE; + + result = dns_keytable_deletekey(sr, keyname, &tmpkey); if (result == ISC_R_SUCCESS) { /* * If key was found in secroots, then it was a 
@@ -2026,6 +2028,88 @@ dns_keytable_detach(&sr); } +bool +dns_view_istrusted(dns_view_t *view, const dns_name_t *keyname, + const dns_rdata_dnskey_t *dnskey) { + isc_result_t result; + dns_keytable_t *sr = NULL; + dns_keynode_t *knode = NULL; + bool answer = false; + dns_rdataset_t dsset; + + REQUIRE(DNS_VIEW_VALID(view)); + REQUIRE(keyname != NULL); + REQUIRE(dnskey != NULL); + + result = dns_view_getsecroots(view, &sr); + if (result != ISC_R_SUCCESS) { + return (false); + } + + dns_rdataset_init(&dsset); + result = dns_keytable_find(sr, keyname, &knode); + if (result == ISC_R_SUCCESS) { + if (dns_keynode_dsset(knode, &dsset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + unsigned char data[4096], digest[DNS_DS_BUFFERSIZE]; + dns_rdata_dnskey_t tmpkey = *dnskey; + dns_rdata_ds_t ds; + isc_buffer_t b; + dns_rdataclass_t rdclass = tmpkey.common.rdclass; + + /* + * Clear the revoke bit, if set, so that the key + * will match what's in secroots now. + */ + tmpkey.flags &= ~DNS_KEYFLAG_REVOKE; + + isc_buffer_init(&b, data, sizeof(data)); + result = dns_rdata_fromstruct(&rdata, rdclass, + dns_rdatatype_dnskey, + &tmpkey, &b); + if (result != ISC_R_SUCCESS) { + goto finish; + } + + result = dns_ds_fromkeyrdata(keyname, &rdata, + DNS_DSDIGEST_SHA256, + digest, &ds); + if (result != ISC_R_SUCCESS) { + goto finish; + } + + dns_rdata_reset(&rdata); + isc_buffer_init(&b, data, sizeof(data)); + result = dns_rdata_fromstruct( + &rdata, rdclass, dns_rdatatype_ds, &ds, &b); + if (result != ISC_R_SUCCESS) { + goto finish; + } + + result = dns_rdataset_first(&dsset); + while (result == ISC_R_SUCCESS) { + dns_rdata_t this = DNS_RDATA_INIT; + dns_rdataset_current(&dsset, &this); + if (dns_rdata_compare(&rdata, &this) == 0) { + answer = true; + break; + } + result = dns_rdataset_next(&dsset); + } + } + } + +finish: + if (dns_rdataset_isassociated(&dsset)) { + dns_rdataset_disassociate(&dsset); + } + if (knode != NULL) { + dns_keytable_detachkeynode(sr, &knode); + } + 
dns_keytable_detach(&sr); + return (answer); +} + /* * Create path to a directory and a filename constructed from viewname. * This is a front-end to isc_file_sanitize(), allowing backward diff -Nru bind9-9.16.37/lib/dns/win32/libdns.def.in bind9-9.16.42/lib/dns/win32/libdns.def.in --- bind9-9.16.37/lib/dns/win32/libdns.def.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/win32/libdns.def.in 2023-06-09 14:35:17.000000000 +0000 @@ -1139,6 +1139,7 @@ dns_view_iscacheshared dns_view_isdelegationonly dns_view_issecuredomain +dns_view_istrusted dns_view_load dns_view_loadnta dns_view_ntacovers diff -Nru bind9-9.16.37/lib/dns/xfrin.c bind9-9.16.42/lib/dns/xfrin.c --- bind9-9.16.37/lib/dns/xfrin.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/xfrin.c 2023-06-09 14:35:17.000000000 +0000 @@ -950,7 +950,7 @@ failure: if (xfr->timer != NULL) { - isc_timer_detach(&xfr->timer); + isc_timer_destroy(&xfr->timer); } if (dns_name_dynamic(&xfr->name)) { dns_name_free(&xfr->name, xfr->mctx); @@ -1580,7 +1580,7 @@ } if (xfr->timer != NULL) { - isc_timer_detach(&xfr->timer); + isc_timer_destroy(&xfr->timer); } if (xfr->task != NULL) { diff -Nru bind9-9.16.37/lib/dns/zone.c bind9-9.16.42/lib/dns/zone.c --- bind9-9.16.37/lib/dns/zone.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/dns/zone.c 2023-06-09 14:35:17.000000000 +0000 @@ -1246,6 +1246,8 @@ INSIST(zone->readio == NULL); INSIST(zone->statelist == NULL); INSIST(zone->writeio == NULL); + INSIST(zone->view == NULL); + INSIST(zone->prev_view == NULL); if (zone->task != NULL) { isc_task_detach(&zone->task); @@ -1253,12 +1255,6 @@ if (zone->loadtask != NULL) { isc_task_detach(&zone->loadtask); } - if (zone->view != NULL) { - dns_view_weakdetach(&zone->view); - } - if (zone->prev_view != NULL) { - dns_view_weakdetach(&zone->prev_view); - } /* Unmanaged objects */ while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) { 
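Review bot: `dns_view_istrusted()` builds only a SHA-256 DS (`DNS_DSDIGEST_SHA256`) from the key and compares the whole rdata with `dns_rdata_compare()`, so an anchor held in the key node's DS set with any other digest type can never match. If such anchors can exist (the keytable contents are not visible here), a revoked, self-signed key for them is reported as not trusted, and the pending-RRset branch in validator.c skips `dns_view_untrust()`. Either document the assumption in the view.h comment, e.g. `* Only trust anchors stored as SHA-256 DS records are matched.`, or derive the digest type from each DS record inside the loop. The DNSKEY-to-DS conversion also repeats what the keytable.c hunk does on the delete path, so a shared helper would keep the two from drifting apart.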
@@ -2408,6 +2404,9 @@ (asl->loaded)(asl->loaded_arg, zone, task); } + /* Reduce the quantum */ + isc_task_setquantum(zone->loadtask, 1); + isc_mem_put(zone->mctx, asl, sizeof(*asl)); dns_zone_idetach(&zone); } @@ -4731,8 +4730,7 @@ } failure: - if (result != ISC_R_SUCCESS && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) - { + if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "unable to synchronize managed keys: %s", dns_result_totext(result)); @@ -5197,10 +5195,7 @@ break; case dns_zone_key: - result = sync_keyzone(zone, db); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + /* Nothing needs to be done now */ break; default: @@ -5358,13 +5353,6 @@ goto done; cleanup: - if (zone->type == dns_zone_key && result != ISC_R_SUCCESS) { - dnssec_log(zone, ISC_LOG_ERROR, - "failed to initialize managed-keys (%s): " - "DNSSEC validation is at risk", - isc_result_totext(result)); - } - if (result != ISC_R_SUCCESS) { dns_zone_rpz_disable_db(zone, db); dns_zone_catz_disable_db(zone, db); @@ -5853,11 +5841,11 @@ LOCK_ZONE(zone); if (zone->kasp != NULL) { - dns_kasp_t *oldkasp = zone->kasp; - zone->kasp = NULL; - dns_kasp_detach(&oldkasp); + dns_kasp_detach(&zone->kasp); + } + if (kasp != NULL) { + dns_kasp_attach(kasp, &zone->kasp); } - zone->kasp = kasp; UNLOCK_ZONE(zone); } @@ -7348,8 +7336,14 @@ } ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read); - dns_db_attach(zone->db, &db); + if (zone->db != NULL) { + dns_db_attach(zone->db, &db); + } ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read); + if (db == NULL) { + result = ISC_R_FAILURE; + goto failure; + } result = dns_db_newversion(db, &version); if (result != ISC_R_SUCCESS) { 
@@ -9611,14 +9605,14 @@ use_kasp ? "yes" : "no"); /* Determine which type of chain to build */ - if (use_kasp) { - build_nsec3 = dns_kasp_nsec3(kasp); - build_nsec = !build_nsec3; - } else { - CHECK(dns_private_chains(db, version, zone->privatetype, - &build_nsec, &build_nsec3)); - /* If neither chain is found, default to NSEC */ - if (!build_nsec && !build_nsec3) { + CHECK(dns_private_chains(db, version, zone->privatetype, &build_nsec, + &build_nsec3)); + if (!build_nsec && !build_nsec3) { + if (use_kasp) { + build_nsec3 = dns_kasp_nsec3(kasp); + build_nsec = !build_nsec3; + } else { + /* If neither chain is found, default to NSEC */ build_nsec = true; } } @@ -11051,6 +11045,11 @@ isc_time_t timenow, timethen; dns_zone_t *zone = kfetch->zone; bool free_needed; + char namebuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(kname, namebuf, sizeof(namebuf)); + dnssec_log(zone, ISC_LOG_WARNING, + "Failed to create fetch for %s DNSKEY update", namebuf); /* * Error during a key fetch; cancel and retry in an hour. @@ -11062,8 +11061,6 @@ dns_rdataset_disassociate(&kfetch->keydataset); dns_name_free(kname, zone->mctx); isc_mem_putanddetach(&kfetch->mctx, kfetch, sizeof(*kfetch)); - dnssec_log(zone, ISC_LOG_WARNING, - "Failed to create fetch for DNSKEY update"); if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) { /* Don't really retry if we are exiting */ @@ -14926,6 +14923,7 @@ dns_zone_t *zone = (dns_zone_t *)event->ev_arg; bool free_needed, linked = false; dns_zone_t *raw = NULL, *secure = NULL; + dns_view_t *view = NULL, *prev_view = NULL; UNUSED(task); REQUIRE(DNS_ZONE_VALID(zone)); 
@@ -14971,6 +14969,17 @@ LOCK_ZONE(zone); INSIST(zone != zone->raw); + + /* + * Detach the views early, we don't need them anymore. However, we need + * to detach them outside of the zone lock to break the lock loop + * between view, adb and zone locks. + */ + view = zone->view; + zone->view = NULL; + prev_view = zone->prev_view; + zone->prev_view = NULL; + if (linked) { isc_refcount_decrement(&zone->irefs); } @@ -15005,7 +15014,7 @@ forward_cancel(zone); if (zone->timer != NULL) { - isc_timer_detach(&zone->timer); + isc_timer_destroy(&zone->timer); isc_refcount_decrement(&zone->irefs); } @@ -15031,6 +15040,14 @@ zone->secure = NULL; } UNLOCK_ZONE(zone); + + if (view != NULL) { + dns_view_weakdetach(&view); + } + if (prev_view != NULL) { + dns_view_weakdetach(&prev_view); + } + if (raw != NULL) { dns_zone_detach(&raw); } @@ -19062,7 +19079,7 @@ pool = NULL; if (zmgr->loadtasks == NULL) { result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx, ntasks, - 2, true, &pool); + UINT_MAX, true, &pool); } else { result = isc_taskpool_expand(&zmgr->loadtasks, ntasks, true, &pool); diff -Nru bind9-9.16.37/lib/irs/getaddrinfo.c bind9-9.16.42/lib/irs/getaddrinfo.c --- bind9-9.16.37/lib/irs/getaddrinfo.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/irs/getaddrinfo.c 2023-06-09 14:35:17.000000000 +0000 @@ -1356,7 +1356,8 @@ for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL; ai_tmp = ai_tmp->ai_next) - {} + { + } ai_tmp->ai_next = ai2; diff -Nru bind9-9.16.37/lib/irs/resconf.c bind9-9.16.42/lib/irs/resconf.c --- bind9-9.16.37/lib/irs/resconf.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/irs/resconf.c 2023-06-09 14:35:17.000000000 +0000 @@ -288,10 +288,6 @@ int cp; isc_result_t result; - if (conf->numns == RESCONFMAXNAMESERVERS) { - return (ISC_R_SUCCESS); - } - cp = getword(fp, word, sizeof(word)); if (strlen(word) == 0U) { return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */ 
@@ -303,6 +299,10 @@ return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */ } + if (conf->numns == RESCONFMAXNAMESERVERS) { + return (ISC_R_SUCCESS); + } + result = add_server(conf->mctx, word, &conf->nameservers); if (result != ISC_R_SUCCESS) { return (result); diff -Nru bind9-9.16.37/lib/isc/include/isc/task.h bind9-9.16.42/lib/isc/include/isc/task.h --- bind9-9.16.37/lib/isc/include/isc/task.h 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/include/isc/task.h 2023-06-09 14:35:17.000000000 +0000 @@ -373,27 +373,27 @@ * * Notes: * - *\li This function is equivalent to + *\li This function is equivalent to * *\code - * isc_task_unsendrange(task, sender, type, type, tag, events); + * isc_task_unsendrange(task, sender, type, type, tag, events); *\endcode * * Requires: * - *\li 'task' is a valid task. + *\li 'task' is a valid task. * - *\li *events is a valid list. + *\li *events is a valid list. * * Ensures: * - *\li Events in the event queue of 'task' whose sender is 'sender', whose - * type is 'type', and whose tag is 'tag' will be dequeued and appended - * to *events. + *\li Events in the event queue of 'task' whose sender is 'sender', whose + * type is 'type', and whose tag is 'tag' will be dequeued and appended + * to *events. * * Returns: * - *\li The number of events unsent. + *\li The number of events unsent. */ isc_result_t 
@@ -528,6 +528,15 @@ *\li 'task' is a valid task. */ +void +isc_task_setquantum(isc_task_t *task, unsigned int quantum); +/*%< + * Set future 'task' quantum to 'quantum'. The current 'task' quantum will be + * kept for the current isc_task_run() loop, and will be changed for the next + * run. Therefore, the function is safe to use from the event callback as it + * will not affect the current event loop processing. + */ + isc_result_t isc_task_beginexclusive(isc_task_t *task); /*%< diff -Nru bind9-9.16.37/lib/isc/include/isc/timer.h bind9-9.16.42/lib/isc/include/isc/timer.h --- bind9-9.16.37/lib/isc/include/isc/timer.h 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/include/isc/timer.h 2023-06-09 14:35:17.000000000 +0000 @@ -88,10 +88,13 @@ isc_timertype_inactive = 3 /*%< Inactive */ } isc_timertype_t; -typedef struct isc_timerevent { +typedef struct isc_timerevent isc_timerevent_t; + +struct isc_timerevent { struct isc_event common; isc_time_t due; -} isc_timerevent_t; + ISC_LINK(isc_timerevent_t) ev_timerlink; +}; #define ISC_TIMEREVENT_FIRSTEVENT (ISC_EVENTCLASS_TIMER + 0) #define ISC_TIMEREVENT_TICK (ISC_EVENTCLASS_TIMER + 1) @@ -223,25 +226,9 @@ */ void -isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp); -/*%< - * Attach *timerp to timer. - * - * Requires: - * - *\li 'timer' is a valid timer. - * - *\li 'timerp' points to a NULL timer. - * - * Ensures: - * - *\li *timerp is attached to timer. - */ - -void -isc_timer_detach(isc_timer_t **timerp); +isc_timer_destroy(isc_timer_t **timerp); /*%< - * Detach *timerp from its timer. + * Destroy *timerp. * * Requires: * @@ -251,9 +238,6 @@ * *\li *timerp is NULL. * - *\li If '*timerp' is the last reference to the timer, - * then: - * *\code * The timer will be shutdown * 
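Review bot: The new `isc_task_setquantum()` comment has no `Requires:` section, unlike the neighbouring declarations in this header (the context line above it reads `\li 'task' is a valid task.`). It also does not say which values of `quantum` are accepted or what 0 means, while the zone.c hunks in this diff call it with `1` and create the load task pool with `UINT_MAX`. I would add a `Requires:` block with `\li 'task' is a valid task.` and one sentence on the accepted range of `quantum`.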
@@ -262,9 +246,13 @@ * All resources used by the timer have been freed * * Any events already posted by the timer will be purged. - * Therefore, if isc_timer_detach() is called in the context + * Therefore, if isc_timer_destroy() is called in the context * of the timer's task, it is guaranteed that no more * timer event callbacks will run after the call. + * + * If this function is called from the timer event callback + * the event itself must be destroyed before the timer + * itself. *\endcode */ diff -Nru bind9-9.16.37/lib/isc/iterated_hash.c bind9-9.16.42/lib/isc/iterated_hash.c --- bind9-9.16.37/lib/isc/iterated_hash.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/iterated_hash.c 2023-06-09 14:35:17.000000000 +0000 @@ -13,8 +13,11 @@ #include +#include +#include + #include -#include +#include #include int 
@@ -22,55 +25,40 @@ const int iterations, const unsigned char *salt, const int saltlength, const unsigned char *in, const int inlength) { - isc_md_t *md; - isc_result_t result; + REQUIRE(out != NULL); + int n = 0; - unsigned int outlength = 0; size_t len; const unsigned char *buf; - - REQUIRE(out != NULL); + SHA_CTX ctx; if (hashalg != 1) { return (0); } - if ((md = isc_md_new()) == NULL) { - return (0); - } - - len = inlength; buf = in; + len = inlength; + do { - result = isc_md_init(md, ISC_MD_SHA1); - if (result != ISC_R_SUCCESS) { - goto md_fail; + if (SHA1_Init(&ctx) != 1) { + return (0); } - result = isc_md_update(md, buf, len); - if (result != ISC_R_SUCCESS) { - goto md_fail; - } - result = isc_md_update(md, salt, saltlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (SHA1_Update(&ctx, buf, len) != 1) { + return (0); } - result = isc_md_final(md, out, &outlength); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (SHA1_Update(&ctx, salt, saltlength) != 1) { + return (0); } - result = isc_md_reset(md); - if (result != ISC_R_SUCCESS) { - goto md_fail; + + if (SHA1_Final(out, &ctx) != 1) { + return (0); } + buf = out; - len = outlength; + len = SHA_DIGEST_LENGTH; } while (n++ < iterations); - isc_md_free(md); - - return (outlength); -md_fail: - isc_md_free(md); - return (0); + return (SHA_DIGEST_LENGTH); } -#undef RETERR diff -Nru bind9-9.16.37/lib/isc/lib.c bind9-9.16.42/lib/isc/lib.c --- bind9-9.16.37/lib/isc/lib.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/lib.c 2023-06-09 14:35:17.000000000 +0000 @@ -14,6 +14,7 @@ /*! \file */ #include +#include #include #include #include diff -Nru bind9-9.16.37/lib/isc/log.c bind9-9.16.42/lib/isc/log.c --- bind9-9.16.37/lib/isc/log.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/log.c 2023-06-09 14:35:17.000000000 +0000 
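Review bot: `saltlength` and `inlength` are `int` and reach `SHA1_Update()`, whose length parameter is `size_t`, so a negative value from a caller becomes a huge length and an out-of-bounds read (`len = inlength` makes the same conversion). The hunk already adds `REQUIRE(out != NULL);`, and I would put `REQUIRE(inlength >= 0 && saltlength >= 0);` beside it. `out` must also hold at least `SHA_DIGEST_LENGTH` bytes, since `SHA1_Final()` writes it and it is fed back as the next round's input; that belongs in the function's header comment. The low-level `SHA1_*` calls are deprecated as of OpenSSL 3.0, so expect deprecation warnings on newer toolchains. The function's signature starts outside the hunk.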
@@ -1103,7 +1103,7 @@ } static void -insert_sort(int64_t to_keep[], int64_t versions, int version) { +insert_sort(int64_t to_keep[], int64_t versions, int64_t version) { int i = 0; while (i < versions && version < to_keep[i]) { i++; @@ -1120,12 +1120,13 @@ static int64_t last_to_keep(int64_t versions, isc_dir_t *dirp, char *bname, size_t bnamelen) { + int64_t to_keep[ISC_LOG_MAX_VERSIONS] = { 0 }; + int64_t version = 0; + if (versions <= 0) { - return INT64_MAX; + return (INT64_MAX); } - int64_t to_keep[ISC_LOG_MAX_VERSIONS] = { 0 }; - int64_t version = 0; if (versions > ISC_LOG_MAX_VERSIONS) { versions = ISC_LOG_MAX_VERSIONS; } @@ -1134,6 +1135,9 @@ */ memset(to_keep, 0, sizeof(to_keep)); while (isc_dir_read(dirp) == ISC_R_SUCCESS) { + char *digit_end = NULL; + char *ename = NULL; + if (dirp->entry.length <= bnamelen || strncmp(dirp->entry.name, bname, bnamelen) != 0 || dirp->entry.name[bnamelen] != '.') @@ -1141,8 +1145,7 @@ continue; } - char *digit_end; - char *ename = &dirp->entry.name[bnamelen + 1]; + ename = &dirp->entry.name[bnamelen + 1]; version = strtoull(ename, &digit_end, 10); if (*digit_end == '\0') { insert_sort(to_keep, versions, version); @@ -1160,8 +1163,8 @@ static isc_result_t remove_old_tsversions(isc_logfile_t *file, int versions) { isc_result_t result; - char *bname, *digit_end; - const char *dirname; + char *bname = NULL, *digit_end = NULL; + const char *dirname = NULL; int64_t version, last = INT64_MAX; size_t bnamelen; isc_dir_t dir; diff -Nru bind9-9.16.37/lib/isc/mem.c bind9-9.16.42/lib/isc/mem.c --- bind9-9.16.37/lib/isc/mem.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/mem.c 2023-06-09 14:35:17.000000000 +0000 
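Review bot: In `last_to_keep()` (lib/isc/log.c, hunk `@@ -1141,8 +1145,7 @@`) the test `if (*digit_end == '\0')` also accepts an empty suffix. The guard above it only rejects `entry.length <= bnamelen`, so an entry named like the base name followed by a bare `.` reaches `strtoull()` with an empty string, which yields 0 with `digit_end == ename`, and version 0 is inserted into `to_keep`. Requiring at least one digit avoids that: `if (digit_end != ename && *digit_end == '\0') {`. The `strtoull()` result is also stored in an `int64_t` with no range or `errno` check, so an oversized numeric suffix is silently converted. The loop body continues outside this hunk.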
@@ -58,9 +58,10 @@ * Constants. */ -#define DEF_MAX_SIZE 1100 -#define DEF_MEM_TARGET 4096 -#define ALIGNMENT_SIZE 8U /*%< must be a power of 2 */ +#define DEF_MAX_SIZE 1100 +#define DEF_MEM_TARGET 4096 +#define ALIGNMENT_SIZE \ + 8U /*%< must be a power of 2, also update lib/dns/rbt.c */ #define NUM_BASIC_BLOCKS 64 /*%< must be > 1 */ #define TABLE_INCREMENT 1024 #define DEBUG_TABLE_COUNT 512U diff -Nru bind9-9.16.37/lib/isc/netmgr/netmgr.c bind9-9.16.42/lib/isc/netmgr/netmgr.c --- bind9-9.16.37/lib/isc/netmgr/netmgr.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/netmgr/netmgr.c 2023-06-09 14:35:17.000000000 +0000 @@ -241,15 +241,15 @@ } } -#if HAVE_DECL_UV_UDP_LINUX_RECVERR -#define MINIMAL_UV_VERSION UV_VERSION(1, 42, 0) -#elif HAVE_DECL_UV_UDP_MMSG_FREE +#if HAVE_DECL_UV_UDP_MMSG_FREE #define MINIMAL_UV_VERSION UV_VERSION(1, 40, 0) #elif HAVE_DECL_UV_UDP_RECVMMSG +#define MAXIMAL_UV_VERSION UV_VERSION(1, 39, 99) #define MINIMAL_UV_VERSION UV_VERSION(1, 37, 0) -#elif HAVE_DECL_UV_UDP_MMSG_CHUNK -#define MINIMAL_UV_VERSION UV_VERSION(1, 35, 0) +#elif _WIN32 +#define MINIMAL_UV_VERSION UV_VERSION(1, 0, 0) #else +#define MAXIMAL_UV_VERSION UV_VERSION(1, 34, 99) #define MINIMAL_UV_VERSION UV_VERSION(1, 0, 0) #endif 
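Review bot: The `ALIGNMENT_SIZE` comment in lib/isc/mem.c now asks maintainers to keep a second copy of the value in lib/dns/rbt.c in sync by hand, and nothing in the build fails if the two drift apart. rbt.c is not part of the visible hunks, so the exact coupling is inferred from the comment. Either a single definition in a header both files include, or a compile-time assertion in rbt.c comparing its value against this one, would turn a silent alignment mismatch into a build error. The macro is also split across two lines with a backslash only to fit the comment; putting the comment on the line above keeps the `#define` on one line.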
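Review bot: The new `MAXIMAL_UV_VERSION` limits in lib/isc/netmgr/netmgr.c (`UV_VERSION(1, 39, 99)` and `UV_VERSION(1, 34, 99)`) are unexplained, and the fatal message in the following hunk no longer gives a reason either, since "because of unknown flags" was dropped from it. A short comment above the `#if` chain should say which libuv feature each build-time branch depends on and why a newer runtime library is rejected for that branch. That is what an operator needs when the process refuses to start after a libuv package upgrade without a rebuild. Separately, `#elif _WIN32` tests the macro's value rather than its presence; `#elif defined(_WIN32)` is the conventional form and stays quiet under `-Wundef`.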
@@ -260,11 +260,21 @@ REQUIRE(workers > 0); +#ifdef MAXIMAL_UV_VERSION + if (uv_version() > MAXIMAL_UV_VERSION) { + isc_error_fatal(__FILE__, __LINE__, + "libuv version too new: running with libuv %s " + "when compiled with libuv %s will lead to " + "libuv failures", + uv_version_string(), UV_VERSION_STRING); + } +#endif /* MAXIMAL_UV_VERSION */ + if (uv_version() < MINIMAL_UV_VERSION) { isc_error_fatal(__FILE__, __LINE__, "libuv version too old: running with libuv %s " "when compiled with libuv %s will lead to " - "libuv failures because of unknown flags", + "libuv failures", uv_version_string(), UV_VERSION_STRING); } diff -Nru bind9-9.16.37/lib/isc/ratelimiter.c bind9-9.16.42/lib/isc/ratelimiter.c --- bind9-9.16.37/lib/isc/ratelimiter.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/ratelimiter.c 2023-06-09 14:35:17.000000000 +0000 @@ -242,6 +242,7 @@ isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) { isc_event_t *ev; isc_task_t *task; + isc_result_t result; REQUIRE(rl != NULL); @@ -257,7 +258,11 @@ } task = NULL; isc_task_attach(rl->task, &task); - isc_timer_detach(&rl->timer); + + result = isc_timer_reset(rl->timer, isc_timertype_inactive, NULL, NULL, + false); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_timer_destroy(&rl->timer); /* * Send an event to our task. The delivery of this event diff -Nru bind9-9.16.37/lib/isc/task.c bind9-9.16.42/lib/isc/task.c --- bind9-9.16.37/lib/isc/task.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/task.c 2023-06-09 14:35:17.000000000 +0000 @@ -620,12 +620,10 @@ bool isc_task_purgeevent(isc_task_t *task, isc_event_t *event) { - isc_event_t *curr_event, *next_event; + bool found = false; /* * Purge 'event' from a task's event queue. - * - * XXXRTH: WARNING: This method may be removed before beta. */ REQUIRE(VALID_TASK(task)); 
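Review bot: In `isc_ratelimiter_shutdown()` (lib/isc/ratelimiter.c) nothing explains why the timer is reset to `isc_timertype_inactive` with `purge` set to `false` immediately before `isc_timer_destroy(&rl->timer)`. `isc_timer_destroy()` as added in lib/isc/timer.c in this same diff already calls `timer_purge()` and `deschedule()`. If the reset is required, a one-line comment stating what it guarantees would stop it from being removed later as redundant. If it is not required, dropping it also removes a `RUNTIME_CHECK` that can abort the process on the shutdown path. The function body starts and ends outside this hunk.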
@@ -641,23 +639,18 @@ */ LOCK(&task->lock); - for (curr_event = HEAD(task->events); curr_event != NULL; - curr_event = next_event) - { - next_event = NEXT(curr_event, ev_link); - if (curr_event == event && PURGE_OK(event)) { - DEQUEUE(task->events, curr_event, ev_link); - task->nevents--; - break; - } + if (ISC_LINK_LINKED(event, ev_link)) { + DEQUEUE(task->events, event, ev_link); + task->nevents--; + found = true; } UNLOCK(&task->lock); - if (curr_event == NULL) { + if (!found) { return (false); } - isc_event_free(&curr_event); + isc_event_free(&event); return (true); } @@ -807,6 +800,16 @@ return (task->manager->netmgr); } +void +isc_task_setquantum(isc_task_t *task, unsigned int quantum) { + REQUIRE(VALID_TASK(task)); + + LOCK(&task->lock); + task->quantum = (quantum > 0) ? quantum + : task->manager->default_quantum; + UNLOCK(&task->lock); +} + /*** *** Task Manager. ***/ @@ -817,10 +820,13 @@ bool finished = false; isc_event_t *event = NULL; isc_result_t result = ISC_R_SUCCESS; + uint32_t quantum; REQUIRE(VALID_TASK(task)); LOCK(&task->lock); + quantum = task->quantum; + /* * It is possible because that we have a paused task in the queue - it * might have been paused in the meantime and we never hold both queue @@ -912,7 +918,7 @@ XTRACE("pausing"); task->state = task_state_paused; break; - } else if (dispatch_count >= task->quantum) { + } else if (dispatch_count >= quantum) { /* * Our quantum has expired, but there is more work to be * done. We'll requeue it to the ready queue later. diff -Nru bind9-9.16.37/lib/isc/tests/task_test.c bind9-9.16.42/lib/isc/tests/task_test.c --- bind9-9.16.37/lib/isc/tests/task_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/tests/task_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -631,8 +631,8 @@ #else /* ifndef WIN32 */ Sleep(10000); #endif /* ifndef WIN32 */ - isc_timer_detach(&ti1); - isc_timer_detach(&ti2); + isc_timer_destroy(&ti1); + isc_timer_destroy(&ti2); } /* 
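Review bot: `isc_task_purgeevent()` now tests only `ISC_LINK_LINKED(event, ev_link)` before `DEQUEUE(task->events, event, ev_link)`, so it relies on the caller passing a valid event that, if linked, is linked on this task's queue. The old loop established both by walking `task->events`. An event linked on another list through `ev_link` would be unlinked from the wrong queue and `task->nevents` decremented for the wrong task. The `PURGE_OK` check is gone too, which the removal of the `purgeevent_notpurge` test suggests is intentional. The function's comment, which begins in the previous hunk, should state the new contract, for example `'event' must be valid and either unlinked or queued on 'task'; its purgeable attribute is not consulted.`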
@@ -1519,20 +1519,6 @@ try_purgeevent(true); } -/* - * Purge event not purgeable test: - * When the event is not marked as purgable, a call to - * isc_task_purgeevent(task, event) does not purge the event - * 'event' from the task's queue and returns false. - */ - -static void -purgeevent_notpurge(void **state) { - UNUSED(state); - - try_purgeevent(false); -} - int main(int argc, char **argv) { const struct CMUnitTest tests[] = { @@ -1550,8 +1536,6 @@ _teardown), cmocka_unit_test_setup_teardown(purge, _setup2, _teardown), cmocka_unit_test_setup_teardown(purgeevent, _setup2, _teardown), - cmocka_unit_test_setup_teardown(purgeevent_notpurge, _setup, - _teardown), cmocka_unit_test_setup_teardown(purgerange, _setup, _teardown), cmocka_unit_test_setup_teardown(task_shutdown, _setup4, _teardown), diff -Nru bind9-9.16.37/lib/isc/tests/timer_test.c bind9-9.16.42/lib/isc/tests/timer_test.c --- bind9-9.16.37/lib/isc/tests/timer_test.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/tests/timer_test.c 2023-06-09 14:35:17.000000000 +0000 @@ -244,14 +244,14 @@ isc_mutex_unlock(&lasttime_mx); subthread_assert_result_equal(result, ISC_R_SUCCESS); + isc_event_free(&event); + if (atomic_load(&eventcnt) == nevents) { result = isc_time_now(&endtime); subthread_assert_result_equal(result, ISC_R_SUCCESS); - isc_timer_detach(&timer); + isc_timer_destroy(&timer); isc_task_shutdown(task); } - - isc_event_free(&event); } /* @@ -339,9 +339,10 @@ subthread_assert_int_equal(event->ev_type, ISC_TIMEREVENT_IDLE); - isc_timer_detach(&timer); - isc_task_shutdown(task); isc_event_free(&event); + + isc_timer_destroy(&timer); + isc_task_shutdown(task); } /* timer type once idles out */ 
@@ -426,14 +427,15 @@ &expires, &interval, false); subthread_assert_result_equal(result, ISC_R_SUCCESS); } + + isc_event_free(&event); } else { subthread_assert_int_equal(event->ev_type, ISC_TIMEREVENT_LIFE); - isc_timer_detach(&timer); + isc_event_free(&event); + isc_timer_destroy(&timer); isc_task_shutdown(task); } - - isc_event_free(&event); } static void @@ -591,8 +593,8 @@ assert_int_equal(atomic_load(&eventcnt), 1); - isc_timer_detach(&tickertimer); - isc_timer_detach(&oncetimer); + isc_timer_destroy(&tickertimer); + isc_timer_destroy(&oncetimer); isc_task_destroy(&task1); isc_task_destroy(&task2); } diff -Nru bind9-9.16.37/lib/isc/timer.c bind9-9.16.42/lib/isc/timer.c --- bind9-9.16.37/lib/isc/timer.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/timer.c 2023-06-09 14:35:17.000000000 +0000 @@ -62,9 +62,9 @@ unsigned int magic; isc_timermgr_t *manager; isc_mutex_t lock; - isc_refcount_t references; /*! Locked by timer lock. */ isc_time_t idle; + ISC_LIST(isc_timerevent_t) active; /*! Locked by manager lock. */ isc_timertype_t type; isc_time_t expires; 
@@ -208,26 +208,36 @@ } static void -destroy(isc_timer_t *timer) { - isc_timermgr_t *manager = timer->manager; +timerevent_unlink(isc_timer_t *timer, isc_timerevent_t *event) { + REQUIRE(ISC_LINK_LINKED(event, ev_timerlink)); + ISC_LIST_UNLINK(timer->active, event, ev_timerlink); +} - /* - * The caller must ensure it is safe to destroy the timer. - */ +static void +timerevent_destroy(isc_event_t *event0) { + isc_timer_t *timer = event0->ev_destroy_arg; + isc_timerevent_t *event = (isc_timerevent_t *)event0; - LOCK(&manager->lock); + LOCK(&timer->lock); + if (ISC_LINK_LINKED(event, ev_timerlink)) { + /* The event was unlinked via timer_purge() */ + timerevent_unlink(timer, event); + } + UNLOCK(&timer->lock); - (void)isc_task_purgerange(timer->task, timer, ISC_TIMEREVENT_FIRSTEVENT, - ISC_TIMEREVENT_LASTEVENT, NULL); - deschedule(timer); - UNLINK(manager->timers, timer, link); + isc_mem_put(timer->manager->mctx, event, event0->ev_size); +} - UNLOCK(&manager->lock); +static void +timer_purge(isc_timer_t *timer) { + isc_timerevent_t *event = NULL; - isc_task_detach(&timer->task); - isc_mutex_destroy(&timer->lock); - timer->magic = 0; - isc_mem_put(manager->mctx, timer, sizeof(*timer)); + while ((event = ISC_LIST_HEAD(timer->active)) != NULL) { + timerevent_unlink(timer, event); + UNLOCK(&timer->lock); + (void)isc_task_purgeevent(timer->task, (isc_event_t *)event); + LOCK(&timer->lock); + } } isc_result_t @@ -279,7 +289,6 @@ timer = isc_mem_get(manager->mctx, sizeof(*timer)); timer->manager = manager; - isc_refcount_init(&timer->references, 1); if (type == isc_timertype_once && !isc_interval_iszero(interval)) { result = isc_time_add(&now, interval, &timer->idle); @@ -311,6 +320,9 @@ timer->index = 0; isc_mutex_init(&timer->lock); ISC_LINK_INIT(timer, link); + + ISC_LIST_INIT(timer->active); + timer->magic = TIMER_MAGIC; LOCK(&manager->lock); 
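Review bot: `timerevent_destroy()` reaches the timer through `event0->ev_destroy_arg` (`LOCK(&timer->lock)`, then `timer->manager->mctx`), but with `references` removed an event no longer keeps its timer alive, so freeing an event after `isc_timer_destroy()` has released the timer is a use-after-free. `timer_purge()` frees only events that `isc_task_purgeevent()` still finds queued; an event presumably already handed to its callback is merely unlinked from `timer->active`. The header comment documents the required order for the callback case and the updated tests follow it, but nothing enforces it, so the ordering requirement should be repeated on `timerevent_destroy()` and on `isc_timer_destroy()` in the later hunk. The inline comment `/* The event was unlinked via timer_purge() */` also reads backwards, because that branch runs when the event is still linked; `/* Not already unlinked by timer_purge() */` matches the code.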
@@ -390,9 +402,7 @@ LOCK(&timer->lock); if (purge) { - (void)isc_task_purgerange(timer->task, timer, - ISC_TIMEREVENT_FIRSTEVENT, - ISC_TIMEREVENT_LASTEVENT, NULL); + timer_purge(timer); } timer->type = type; timer->expires = *expires; 
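Review bot: In `isc_timer_reset()` the call `timer_purge(timer)` is made with `timer->lock` held, but `timer_purge()` (added in the earlier timer.c hunk) releases and re-takes that lock around every `isc_task_purgeevent()` call. The purge and the assignments that follow (`timer->type = type; timer->expires = *expires;`) are therefore not one critical section on the timer lock. Whether another lock taken outside this hunk still serialises them cannot be seen from here. A comment on `timer_purge()` such as `/* Called with timer->lock held; the lock is dropped while each event is purged. */` would make that visible at every call site. The function body starts and ends outside this hunk.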
@@ -463,41 +473,60 @@ } void -isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) { - /* - * Attach *timerp to timer. - */ +isc_timer_destroy(isc_timer_t **timerp) { + isc_timer_t *timer = NULL; + isc_timermgr_t *manager = NULL; - REQUIRE(VALID_TIMER(timer)); - REQUIRE(timerp != NULL && *timerp == NULL); - isc_refcount_increment(&timer->references); + REQUIRE(timerp != NULL && VALID_TIMER(*timerp)); + + timer = *timerp; + *timerp = NULL; - *timerp = timer; + manager = timer->manager; + + LOCK(&manager->lock); + + LOCK(&timer->lock); + timer_purge(timer); + deschedule(timer); + UNLOCK(&timer->lock); + + UNLINK(manager->timers, timer, link); + + UNLOCK(&manager->lock); + + isc_task_detach(&timer->task); + isc_mutex_destroy(&timer->lock); + timer->magic = 0; + isc_mem_put(manager->mctx, timer, sizeof(*timer)); } -void -isc_timer_detach(isc_timer_t **timerp) { - isc_timer_t *timer; +static void +timer_post_event(isc_timermgr_t *manager, isc_timer_t *timer, + isc_eventtype_t type) { + isc_timerevent_t *event; + XTRACEID("posting", timer); - /* - * Detach *timerp from its timer. - */ + event = (isc_timerevent_t *)isc_event_allocate( + manager->mctx, timer, type, timer->action, timer->arg, + sizeof(*event)); - REQUIRE(timerp != NULL); - timer = *timerp; - REQUIRE(VALID_TIMER(timer)); + ISC_LINK_INIT(event, ev_timerlink); + ((isc_event_t *)event)->ev_destroy = timerevent_destroy; + ((isc_event_t *)event)->ev_destroy_arg = timer; - if (isc_refcount_decrement(&timer->references) == 1) { - destroy(timer); - } + event->due = timer->due; - *timerp = NULL; + LOCK(&timer->lock); + ISC_LIST_APPEND(timer->active, event, ev_timerlink); + UNLOCK(&timer->lock); + + isc_task_send(timer->task, ISC_EVENT_PTR(&event)); } static void dispatch(isc_timermgr_t *manager, isc_time_t *now) { bool done = false, post_event, need_schedule; - isc_timerevent_t *event; isc_eventtype_t type = 0; isc_timer_t *timer; isc_result_t result; 
@@ -559,25 +588,7 @@ } if (post_event) { - XTRACEID("posting", timer); - /* - * XXX We could preallocate this event. - */ - event = (isc_timerevent_t *)isc_event_allocate( - manager->mctx, timer, type, - timer->action, timer->arg, - sizeof(*event)); - - if (event != NULL) { - event->due = timer->due; - isc_task_send(timer->task, - ISC_EVENT_PTR(&event)); - } else { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "%s", - "couldn't allocate " - "event"); - } + timer_post_event(manager, timer, type); } timer->index = 0; diff -Nru bind9-9.16.37/lib/isc/win32/libisc.def.in bind9-9.16.42/lib/isc/win32/libisc.def.in --- bind9-9.16.37/lib/isc/win32/libisc.def.in 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/isc/win32/libisc.def.in 2023-06-09 14:35:17.000000000 +0000 @@ -647,6 +647,7 @@ isc_task_sendtoanddetach isc_task_setname isc_task_setprivilege +isc_task_setquantum isc_task_shutdown isc_task_unpause isc_task_unsend @@ -699,9 +700,8 @@ isc_time_set isc_time_settoepoch isc_time_subtract -isc_timer_attach isc_timer_create -isc_timer_detach +isc_timer_destroy isc_timer_gettype isc_timer_reset isc_timer_touch diff -Nru bind9-9.16.37/lib/ns/query.c bind9-9.16.42/lib/ns/query.c --- bind9-9.16.37/lib/ns/query.c 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/lib/ns/query.c 2023-06-09 14:35:17.000000000 +0000 @@ -5719,6 +5719,7 @@ qctx.client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | DNS_DBFIND_STALEOK | DNS_DBFIND_STALEENABLED); + qctx.client->nodetach = false; /* * We'll need some resources... 
@@ -5745,6 +5746,27 @@ } /*% + * Depending on the db lookup result, we can respond to the + * client this stale answer. + */ +static bool +stale_client_answer(isc_result_t result) { + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_EMPTYNAME: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case DNS_R_CNAME: + case DNS_R_DNAME: + return (true); + default: + return (false); + } + + UNREACHABLE(); +} + +/*% * Perform a local database lookup, in either an authoritative or * cache database. If unable to answer, call ns_query_done(); otherwise * hand off processing to query_gotanswer(). @@ -5873,7 +5895,6 @@ { /* Found non-stale usable rdataset. */ answer_found = true; - goto gotanswer; } if (dbfind_stale || stale_refresh_window || stale_timeout) { @@ -5899,7 +5920,7 @@ NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s resolver failure, stale answer %s", namebuf, stale_found ? "used" : "unavailable"); - if (!stale_found) { + if (!stale_found && !answer_found) { /* * Resolver failure, no stale data, nothing more we * can do, return SERVFAIL. @@ -5918,7 +5939,7 @@ "answer %s", namebuf, stale_found ? "used" : "unavailable"); - if (!stale_found) { + if (!stale_found && !answer_found) { /* * During the stale refresh window explicitly do not try * to refresh the data, because a recent lookup failed. @@ -5928,7 +5949,7 @@ } } else if (stale_timeout) { if ((qctx->options & DNS_GETDB_STALEFIRST) != 0) { - if (!stale_found) { + if (!stale_found && !answer_found) { /* * We have nothing useful in cache to return * immediately. @@ -5945,7 +5966,7 @@ &qctx->client->query.fetch); } return (query_lookup(qctx)); - } else { + } else if (stale_client_answer(result)) { /* * Immediately return the stale answer, start a * resolver fetch to refresh the data in cache. 
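Review bot: The comment on the new `stale_client_answer()` in lib/ns/query.c is hard to parse ("we can respond to the client this stale answer") and does not say what the return value means. Suggested wording: `Return true if 'result' from the database lookup is one for which the stale answer may be sent to the client.` The function is now the gate on both stale-answer paths further down, so the comment should also name the accepted result codes, or say why any other result must fall through to `return (result)`.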
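Review bot: The recursion-loop path in hunk `@@ -6301,7 +6332,7 @@` now returns `ISC_R_ALREADYRUNNING` instead of `ISC_R_FAILURE`, and the only consumer updated in this diff is the serve-stale check in hunk `@@ -7265,10 +7296,21 @@`. Other callers of this function are outside the visible hunks, so it is worth confirming that none of them compares the result with `ISC_R_FAILURE` specifically or logs it in a way that changes meaning. The new value should also be added to the function's documented return codes, with a note that it means "recursion loop detected", since the name alone does not suggest that. The enclosing function starts and ends outside this hunk.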
@@ -5956,7 +5977,14 @@ "%s stale answer used, an attempt to " "refresh the RRset will still be made", namebuf); + qctx->refresh_rrset = STALE(qctx->rdataset); + + /* + * If we are refreshing the RRSet, we must not + * detach from the client in query_send(). + */ + qctx->client->nodetach = qctx->refresh_rrset; } } else { /* @@ -5969,7 +5997,11 @@ "%s client timeout, stale answer %s", namebuf, stale_found ? "used" : "unavailable"); - if (!stale_found) { + if (!stale_found && !answer_found) { + return (result); + } + + if (!stale_client_answer(result)) { return (result); } @@ -5982,7 +6014,6 @@ } } -gotanswer: if (stale_timeout && (answer_found || stale_found)) { /* * Mark RRsets that we are adding to the client message on a @@ -6301,7 +6332,7 @@ if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "recursion loop detected"); - return (ISC_R_FAILURE); + return (ISC_R_ALREADYRUNNING); } recparam_update(&client->query.recparam, qtype, qname, qdomain); @@ -7265,10 +7296,21 @@ return (false); } - if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { + if (qctx->refresh_rrset) { + /* + * This is a refreshing query, we have already prioritized + * stale data, so don't enable serve-stale again. + */ + return (false); + } + + if (result == DNS_R_DUPLICATE || result == DNS_R_DROP || + result == ISC_R_ALREADYRUNNING) + { /* * Don't enable serve-stale if the result signals a duplicate - * query or query that is being dropped. + * query or a query that is being dropped or can't proceed + * because of a recursion loop. */ return (false); } 
@@ -11531,12 +11573,7 @@ /* * Client may have been detached after query_send(), so * we test and store the flag state here, for safety. - * If we are refreshing the RRSet, we must not detach from the client - * in the query_send(), so we need to override the flag. */ - if (qctx->refresh_rrset) { - qctx->client->nodetach = true; - } nodetach = qctx->client->nodetach; query_send(qctx->client); diff -Nru bind9-9.16.37/sonar-project.properties bind9-9.16.42/sonar-project.properties --- bind9-9.16.37/sonar-project.properties 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.42/sonar-project.properties 2023-06-09 14:35:17.000000000 +0000 @@ -0,0 +1,2 @@ +sonar.projectKey=isc-projects_bind9 +sonar.organization=isc-projects diff -Nru bind9-9.16.37/srcid bind9-9.16.42/srcid --- bind9-9.16.37/srcid 2023-01-12 23:03:38.000000000 +0000 +++ bind9-9.16.42/srcid 2023-06-09 14:45:26.000000000 +0000 @@ -1 +1 @@ -SRCID=2b2afb2 +SRCID=a62d1bd diff -Nru bind9-9.16.37/tsan-suppressions.txt bind9-9.16.42/tsan-suppressions.txt --- bind9-9.16.37/tsan-suppressions.txt 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/tsan-suppressions.txt 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -# Uninstrumented library. -called_from_lib:libfstrm.so diff -Nru bind9-9.16.37/version bind9-9.16.42/version --- bind9-9.16.37/version 2023-01-12 22:45:02.000000000 +0000 +++ bind9-9.16.42/version 2023-06-09 14:35:17.000000000 +0000 @@ -5,7 +5,7 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=16 -PATCHVER=37 +PATCHVER=42 RELEASETYPE= RELEASEVER= EXTENSIONS=