Version in base suite: 9.16.27-1~deb11u1 Base version: bind9_9.16.27-1~deb11u1 Target version: bind9_9.16.33-1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bind9/bind9_9.16.27-1~deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bind9/bind9_9.16.33-1~deb11u1.dsc /srv/release.debian.org/tmp/GG6_iXBfdC/bind9-9.16.33/fuzz/dns_master_load.in/generate-counter-overflow.db |binary bind9-9.16.33/.gitlab-ci.yml | 401 +++--- bind9-9.16.33/.reuse/dep5 | 18 bind9-9.16.33/CHANGES | 192 +++ bind9-9.16.33/bin/check/named-checkconf.c | 23 bind9-9.16.33/bin/check/named-checkzone.c | 5 bind9-9.16.33/bin/check/named-checkzone.rst | 54 bind9-9.16.33/bin/check/named-compilezone.rst | 195 +++ bind9-9.16.33/bin/confgen/ddns-confgen.c | 3 bind9-9.16.33/bin/confgen/ddns-confgen.rst | 67 - bind9-9.16.33/bin/confgen/tsig-keygen.rst | 50 bind9-9.16.33/bin/delv/delv.c | 8 bind9-9.16.33/bin/dig/dig.c | 12 bind9-9.16.33/bin/dig/dighost.c | 50 bind9-9.16.33/bin/dig/host.c | 12 bind9-9.16.33/bin/dig/include/dig/dig.h | 33 bind9-9.16.33/bin/dnssec/dnssec-cds.c | 2 bind9-9.16.33/bin/dnssec/dnssec-dsfromkey.c | 6 bind9-9.16.33/bin/dnssec/dnssec-importkey.c | 2 bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.c | 8 bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.rst | 12 bind9-9.16.33/bin/dnssec/dnssec-keygen.c | 6 bind9-9.16.33/bin/dnssec/dnssec-keygen.rst | 2 bind9-9.16.33/bin/dnssec/dnssec-revoke.c | 2 bind9-9.16.33/bin/dnssec/dnssec-settime.c | 2 bind9-9.16.33/bin/dnssec/dnssec-signzone.c | 22 bind9-9.16.33/bin/dnssec/dnssec-signzone.rst | 9 bind9-9.16.33/bin/dnssec/dnssec-verify.c | 4 bind9-9.16.33/bin/dnssec/dnssectool.c | 6 bind9-9.16.33/bin/named/config.c | 22 bind9-9.16.33/bin/named/control.c | 2 bind9-9.16.33/bin/named/controlconf.c | 2 bind9-9.16.33/bin/named/include/named/config.h | 3 bind9-9.16.33/bin/named/include/named/main.h | 2 bind9-9.16.33/bin/named/include/named/server.h | 14 bind9-9.16.33/bin/named/include/named/zoneconf.h | 10 
bind9-9.16.33/bin/named/logconf.c | 3 bind9-9.16.33/bin/named/main.c | 29 bind9-9.16.33/bin/named/named.conf.rst | 1 bind9-9.16.33/bin/named/named.rst | 34 bind9-9.16.33/bin/named/server.c | 105 - bind9-9.16.33/bin/named/statschannel.c | 2 bind9-9.16.33/bin/named/zoneconf.c | 168 -- bind9-9.16.33/bin/nsupdate/nsupdate.c | 5 bind9-9.16.33/bin/pkcs11/pkcs11-destroy.c | 3 bind9-9.16.33/bin/pkcs11/pkcs11-list.c | 3 bind9-9.16.33/bin/plugins/filter-aaaa.c | 4 bind9-9.16.33/bin/python/dnssec-checkds.py.in | 14 bind9-9.16.33/bin/python/dnssec-coverage.py.in | 14 bind9-9.16.33/bin/python/dnssec-keymgr.py.in | 14 bind9-9.16.33/bin/python/isc/__init__.py.in | 18 bind9-9.16.33/bin/python/isc/checkds.py.in | 140 +- bind9-9.16.33/bin/python/isc/coverage.py.in | 180 +- bind9-9.16.33/bin/python/isc/dnskey.py.in | 254 ++-- bind9-9.16.33/bin/python/isc/eventlist.py.in | 58 bind9-9.16.33/bin/python/isc/keydict.py.in | 34 bind9-9.16.33/bin/python/isc/keyevent.py.in | 24 bind9-9.16.33/bin/python/isc/keymgr.py.in | 157 +- bind9-9.16.33/bin/python/isc/keyseries.py.in | 74 - bind9-9.16.33/bin/python/isc/keyzone.py.in | 13 bind9-9.16.33/bin/python/isc/policy.py.in | 609 +++++----- bind9-9.16.33/bin/python/isc/rndc.py.in | 95 - bind9-9.16.33/bin/python/isc/tests/dnskey_test.py.in | 22 bind9-9.16.33/bin/python/isc/tests/policy_test.py.in | 91 - bind9-9.16.33/bin/python/isc/utils.py.in | 18 bind9-9.16.33/bin/python/setup.py | 27 bind9-9.16.33/bin/rndc/rndc.c | 8 bind9-9.16.33/bin/rndc/rndc.rst | 32 bind9-9.16.33/bin/tests/optional/adb_test.c | 4 bind9-9.16.33/bin/tests/optional/db_test.c | 2 bind9-9.16.33/bin/tests/optional/nsecify.c | 10 bind9-9.16.33/bin/tests/pkcs11/benchmarks/create.c | 3 bind9-9.16.33/bin/tests/pkcs11/benchmarks/login.c | 3 bind9-9.16.33/bin/tests/pkcs11/benchmarks/privrsa.c | 3 bind9-9.16.33/bin/tests/pkcs11/benchmarks/pubrsa.c | 3 bind9-9.16.33/bin/tests/pkcs11/benchmarks/session.c | 3 bind9-9.16.33/bin/tests/system/addzone/tests_rndc_deadlock.py | 46 
bind9-9.16.33/bin/tests/system/autosign/clean.sh | 2 bind9-9.16.33/bin/tests/system/autosign/ns1/keygen.sh | 2 bind9-9.16.33/bin/tests/system/autosign/ns2/keygen.sh | 5 bind9-9.16.33/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in | 28 bind9-9.16.33/bin/tests/system/autosign/ns3/cds-delete.example.db.in | 28 bind9-9.16.33/bin/tests/system/autosign/ns3/keygen.sh | 25 bind9-9.16.33/bin/tests/system/autosign/ns3/named.conf.in | 14 bind9-9.16.33/bin/tests/system/autosign/tests.sh | 104 + bind9-9.16.33/bin/tests/system/cds/checktime.pl | 2 bind9-9.16.33/bin/tests/system/cds/tests.sh | 8 bind9-9.16.33/bin/tests/system/chain/ans4/ans.py | 203 +-- bind9-9.16.33/bin/tests/system/checkconf/bad-ksk-without-zsk.conf | 24 bind9-9.16.33/bin/tests/system/checkconf/bad-unpaired-keys.conf | 27 bind9-9.16.33/bin/tests/system/checkconf/bad-zsk-without-ksk.conf | 24 bind9-9.16.33/bin/tests/system/checkconf/good-kasp.conf | 5 bind9-9.16.33/bin/tests/system/checkconf/good-key-directory.conf | 3 bind9-9.16.33/bin/tests/system/checkconf/good.conf | 13 bind9-9.16.33/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf | 1 bind9-9.16.33/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf | 1 bind9-9.16.33/bin/tests/system/checkconf/kasp-ignore-keylen.conf | 1 bind9-9.16.33/bin/tests/system/checkconf/tests.sh | 10 bind9-9.16.33/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf | 27 bind9-9.16.33/bin/tests/system/checkds/conftest.py | 71 - bind9-9.16.33/bin/tests/system/checkds/ns9/named.conf.in | 13 bind9-9.16.33/bin/tests/system/checkds/prereq.sh | 2 bind9-9.16.33/bin/tests/system/checkds/tests-checkds.py | 270 ++-- bind9-9.16.33/bin/tests/system/checkzone/tests.sh | 64 - bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-garbage.db | 17 bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db | 17 bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-range.db | 18 bind9-9.16.33/bin/tests/system/checkzone/zones/generate-overflow.db 
| 17 bind9-9.16.33/bin/tests/system/checkzone/zones/good-generate-modifier.db | 20 bind9-9.16.33/bin/tests/system/conf.sh.common | 4 bind9-9.16.33/bin/tests/system/conftest.py | 31 bind9-9.16.33/bin/tests/system/cookie/ans9/ans.py | 127 +- bind9-9.16.33/bin/tests/system/dnssec/ans10/ans.py | 42 bind9-9.16.33/bin/tests/system/dnssec/ns2/example.db.in | 4 bind9-9.16.33/bin/tests/system/dnssec/ns3/insecure2.example.db | 27 bind9-9.16.33/bin/tests/system/dnssec/ns3/named.conf.in | 6 bind9-9.16.33/bin/tests/system/dnssec/ns3/sign.sh | 6 bind9-9.16.33/bin/tests/system/dnssec/tests.sh | 28 bind9-9.16.33/bin/tests/system/dnstap/tests.sh | 6 bind9-9.16.33/bin/tests/system/dnstap/ydump.py | 2 bind9-9.16.33/bin/tests/system/ednscompliance/tests.sh | 2 bind9-9.16.33/bin/tests/system/feature-test.c | 13 bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named1.conf.in | 4 bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named2.conf.in | 4 bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named3.conf.in | 4 bind9-9.16.33/bin/tests/system/fetchlimit/tests.sh | 41 bind9-9.16.33/bin/tests/system/forward/ans11/ans.py | 142 ++ bind9-9.16.33/bin/tests/system/forward/clean.sh | 2 bind9-9.16.33/bin/tests/system/forward/ns1/diditwork.net.db | 22 bind9-9.16.33/bin/tests/system/forward/ns1/named.conf.in | 20 bind9-9.16.33/bin/tests/system/forward/ns1/net.example.lll | 15 bind9-9.16.33/bin/tests/system/forward/ns1/spoofed.net.db | 22 bind9-9.16.33/bin/tests/system/forward/ns1/sub.local.net.db | 22 bind9-9.16.33/bin/tests/system/forward/ns10/fakenet.zone | 17 bind9-9.16.33/bin/tests/system/forward/ns10/fakenet2.zone | 15 bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocalnet.zone | 15 bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocaltld.zone | 15 bind9-9.16.33/bin/tests/system/forward/ns10/named.conf.in | 53 bind9-9.16.33/bin/tests/system/forward/ns10/net.example.lll | 15 bind9-9.16.33/bin/tests/system/forward/ns10/spoofednet.zone | 16 bind9-9.16.33/bin/tests/system/forward/ns2/tld.db | 6 
bind9-9.16.33/bin/tests/system/forward/ns4/named.conf.in | 5 bind9-9.16.33/bin/tests/system/forward/ns4/sibling.tld.db | 22 bind9-9.16.33/bin/tests/system/forward/ns8/named.conf.in | 5 bind9-9.16.33/bin/tests/system/forward/ns8/sub.local.tld.db | 15 bind9-9.16.33/bin/tests/system/forward/ns9/local.net.db | 16 bind9-9.16.33/bin/tests/system/forward/ns9/local.tld.db | 15 bind9-9.16.33/bin/tests/system/forward/ns9/named1.conf.in | 67 + bind9-9.16.33/bin/tests/system/forward/ns9/named2.conf.in | 70 + bind9-9.16.33/bin/tests/system/forward/ns9/named3.conf.in | 50 bind9-9.16.33/bin/tests/system/forward/ns9/named4.conf.in | 47 bind9-9.16.33/bin/tests/system/forward/ns9/root.db | 13 bind9-9.16.33/bin/tests/system/forward/prereq.sh | 14 bind9-9.16.33/bin/tests/system/forward/setup.sh | 2 bind9-9.16.33/bin/tests/system/forward/tests.sh | 122 ++ bind9-9.16.33/bin/tests/system/idna/tests.sh | 8 bind9-9.16.33/bin/tests/system/ifconfig.sh | 401 +++--- bind9-9.16.33/bin/tests/system/inline/tests.sh | 18 bind9-9.16.33/bin/tests/system/inline/tests_signed_zone_files.py | 32 bind9-9.16.33/bin/tests/system/kasp.sh | 92 + bind9-9.16.33/bin/tests/system/kasp/clean.sh | 2 bind9-9.16.33/bin/tests/system/kasp/ns2/named.conf.in | 3 bind9-9.16.33/bin/tests/system/kasp/ns3/ed25519.conf | 1 bind9-9.16.33/bin/tests/system/kasp/ns3/ed448.conf | 1 bind9-9.16.33/bin/tests/system/kasp/ns3/named.conf.in | 68 + bind9-9.16.33/bin/tests/system/kasp/ns3/policies/kasp.conf.in | 4 bind9-9.16.33/bin/tests/system/kasp/ns3/setup.sh | 30 bind9-9.16.33/bin/tests/system/kasp/ns4/named.conf.in | 20 bind9-9.16.33/bin/tests/system/kasp/ns5/named.conf.in | 16 bind9-9.16.33/bin/tests/system/kasp/ns6/named.conf.in | 7 bind9-9.16.33/bin/tests/system/kasp/ns6/named2.conf.in | 17 bind9-9.16.33/bin/tests/system/kasp/tests.sh | 118 + bind9-9.16.33/bin/tests/system/keymgr/testpolicy.py | 22 bind9-9.16.33/bin/tests/system/keymgr2kasp/ns4/named2.conf.in | 2 bind9-9.16.33/bin/tests/system/nsec3/ns3/named.conf.in | 7 
bind9-9.16.33/bin/tests/system/nsec3/ns3/named2.conf.in | 7 bind9-9.16.33/bin/tests/system/nsupdate/tests.sh | 26 bind9-9.16.33/bin/tests/system/org.isc.bind.system | 15 bind9-9.16.33/bin/tests/system/pipelined/ans5/ans.py | 74 - bind9-9.16.33/bin/tests/system/pytest_custom_markers.py | 21 bind9-9.16.33/bin/tests/system/qmin/ans2/ans.py | 198 ++- bind9-9.16.33/bin/tests/system/qmin/ans3/ans.py | 92 + bind9-9.16.33/bin/tests/system/qmin/ans4/ans.py | 128 +- bind9-9.16.33/bin/tests/system/rndc/tests.sh | 10 bind9-9.16.33/bin/tests/system/rpz/dnsrps.c | 6 bind9-9.16.33/bin/tests/system/rpz/ns10/hints | 13 bind9-9.16.33/bin/tests/system/rpz/ns10/named.conf.in | 42 bind9-9.16.33/bin/tests/system/rpz/ns10/stub.db | 21 bind9-9.16.33/bin/tests/system/rpz/ns2/named.conf.in | 4 bind9-9.16.33/bin/tests/system/rpz/ns2/stub.db | 20 bind9-9.16.33/bin/tests/system/rpz/ns3/named.conf.in | 20 bind9-9.16.33/bin/tests/system/rpz/setup.sh | 1 bind9-9.16.33/bin/tests/system/rpz/tests.sh | 37 bind9-9.16.33/bin/tests/system/rrl/tests.sh | 13 bind9-9.16.33/bin/tests/system/rrsetorder/tests.sh | 217 +-- bind9-9.16.33/bin/tests/system/run.sh | 10 bind9-9.16.33/bin/tests/system/shutdown/conftest.py | 58 bind9-9.16.33/bin/tests/system/shutdown/tests-shutdown.py | 87 - bind9-9.16.33/bin/tests/system/statschannel/conftest.py | 84 - bind9-9.16.33/bin/tests/system/statschannel/generic.py | 129 +- bind9-9.16.33/bin/tests/system/statschannel/generic_dnspython.py | 131 ++ bind9-9.16.33/bin/tests/system/statschannel/helper.py | 146 -- bind9-9.16.33/bin/tests/system/statschannel/tests-json.py | 88 - bind9-9.16.33/bin/tests/system/statschannel/tests-xml.py | 95 - bind9-9.16.33/bin/tests/system/tcp/ans6/ans.py | 49 bind9-9.16.33/bin/tests/system/tcp/clean.sh | 8 bind9-9.16.33/bin/tests/system/tcp/ns7/named.conf.in | 41 bind9-9.16.33/bin/tests/system/tcp/ns7/named.dropedns | 1 bind9-9.16.33/bin/tests/system/tcp/ns7/root.db | 24 bind9-9.16.33/bin/tests/system/tcp/setup.sh | 1 
bind9-9.16.33/bin/tests/system/tcp/tests-tcp.py | 72 + bind9-9.16.33/bin/tests/system/timeouts/conftest.py | 69 - bind9-9.16.33/bin/tests/system/timeouts/prereq.sh | 2 bind9-9.16.33/bin/tests/system/timeouts/tests-tcp.py | 160 +- bind9-9.16.33/bin/tests/system/wildcard/conftest.py | 18 bind9-9.16.33/bin/tests/system/wildcard/tests-wildcard.py | 40 bind9-9.16.33/bin/tests/wire_test.c | 3 bind9-9.16.33/bin/tools/dnstap-read.c | 4 bind9-9.16.33/bin/tools/mdig.c | 10 bind9-9.16.33/cocci/unreachable.spatch | 19 bind9-9.16.33/config.h.in | 3 bind9-9.16.33/configure | 186 ++- bind9-9.16.33/configure.ac | 49 bind9-9.16.33/contrib/dlz/drivers/dlz_ldap_driver.c | 3 bind9-9.16.33/contrib/dlz/drivers/dlz_mysql_driver.c | 6 bind9-9.16.33/contrib/dlz/drivers/dlz_postgres_driver.c | 3 bind9-9.16.33/contrib/dlz/drivers/include/dlz/sdlz_helper.h | 4 bind9-9.16.33/contrib/dlz/example/dlz_example.c | 3 bind9-9.16.33/contrib/dlz/modules/include/dlz_dbi.h | 2 bind9-9.16.33/contrib/dlz/modules/include/dlz_minimal.h | 31 bind9-9.16.33/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c | 10 bind9-9.16.33/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c | 9 bind9-9.16.33/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c | 6 bind9-9.16.33/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c | 7 bind9-9.16.33/contrib/kasp/kasp2policy.py | 96 - bind9-9.16.33/dangerfile.py | 220 ++- bind9-9.16.33/debian/changelog | 17 bind9-9.16.33/debian/control | 23 bind9-9.16.33/debian/patches/0002-python-fix-for-dist-packages.patch | 54 bind9-9.16.33/debian/patches/0003-Disable-sphinx-build-strict-mode.patch | 33 bind9-9.16.33/debian/patches/series | 1 bind9-9.16.33/doc/arm/_static/custom.css | 25 bind9-9.16.33/doc/arm/advanced.rst | 210 --- bind9-9.16.33/doc/arm/conf.py | 118 + bind9-9.16.33/doc/arm/configuration.rst | 42 bind9-9.16.33/doc/arm/dnssec.inc.rst | 516 ++++++++ bind9-9.16.33/doc/arm/dnssec.rst | 290 ---- bind9-9.16.33/doc/arm/index.rst | 1 bind9-9.16.33/doc/arm/manpages.rst | 2 
bind9-9.16.33/doc/arm/notes.rst | 6 bind9-9.16.33/doc/arm/platforms.rst | 14 bind9-9.16.33/doc/arm/reference.rst | 280 +++- bind9-9.16.33/doc/arm/requirements.txt | 7 bind9-9.16.33/doc/dnssec-guide/advanced-discussions.rst | 246 ++-- bind9-9.16.33/doc/dnssec-guide/commonly-asked-questions.rst | 91 - bind9-9.16.33/doc/dnssec-guide/getting-started.rst | 148 -- bind9-9.16.33/doc/dnssec-guide/introduction.rst | 4 bind9-9.16.33/doc/dnssec-guide/recipes.rst | 189 +-- bind9-9.16.33/doc/dnssec-guide/signing.rst | 111 + bind9-9.16.33/doc/dnssec-guide/troubleshooting.rst | 2 bind9-9.16.33/doc/dnssec-guide/validation.rst | 8 bind9-9.16.33/doc/man/Makefile.in | 12 bind9-9.16.33/doc/man/conf.py | 205 ++- bind9-9.16.33/doc/man/ddns-confgen.8in | 63 - bind9-9.16.33/doc/man/ddns-confgen.rst | 2 bind9-9.16.33/doc/man/dnssec-keyfromlabel.8in | 12 bind9-9.16.33/doc/man/dnssec-keygen.8in | 2 bind9-9.16.33/doc/man/dnssec-signzone.8in | 21 bind9-9.16.33/doc/man/named-checkzone.8in | 48 bind9-9.16.33/doc/man/named-compilezone.1in | 206 +++ bind9-9.16.33/doc/man/named-compilezone.8in | 206 +++ bind9-9.16.33/doc/man/named-compilezone.rst | 14 bind9-9.16.33/doc/man/named.8in | 50 bind9-9.16.33/doc/man/named.conf.5in | 1 bind9-9.16.33/doc/man/rndc.8in | 38 bind9-9.16.33/doc/man/tsig-keygen.8in | 64 + bind9-9.16.33/doc/man/tsig-keygen.rst | 14 bind9-9.16.33/doc/misc/options | 1 bind9-9.16.33/doc/misc/options.active | 1 bind9-9.16.33/doc/misc/options.grammar.rst | 16 bind9-9.16.33/doc/notes/notes-9.16.28.rst | 33 bind9-9.16.33/doc/notes/notes-9.16.29.rst | 20 bind9-9.16.33/doc/notes/notes-9.16.30.rst | 30 bind9-9.16.33/doc/notes/notes-9.16.31.rst | 24 bind9-9.16.33/doc/notes/notes-9.16.32.rst | 49 bind9-9.16.33/doc/notes/notes-9.16.33.rst | 61 + bind9-9.16.33/lib/bind9/check.c | 84 - bind9-9.16.33/lib/bind9/getaddresses.c | 2 bind9-9.16.33/lib/dns/acl.c | 6 bind9-9.16.33/lib/dns/adb.c | 128 +- bind9-9.16.33/lib/dns/byaddr.c | 2 bind9-9.16.33/lib/dns/cache.c | 2 bind9-9.16.33/lib/dns/catz.c | 
106 - bind9-9.16.33/lib/dns/client.c | 5 bind9-9.16.33/lib/dns/compress.c | 2 bind9-9.16.33/lib/dns/db.c | 2 bind9-9.16.33/lib/dns/dbtable.c | 2 bind9-9.16.33/lib/dns/diff.c | 3 bind9-9.16.33/lib/dns/dispatch.c | 22 bind9-9.16.33/lib/dns/dlz.c | 2 bind9-9.16.33/lib/dns/dnsrps.c | 3 bind9-9.16.33/lib/dns/dnssec.c | 48 bind9-9.16.33/lib/dns/dnstap.c | 26 bind9-9.16.33/lib/dns/ds.c | 3 bind9-9.16.33/lib/dns/dst_api.c | 45 bind9-9.16.33/lib/dns/dst_internal.h | 1 bind9-9.16.33/lib/dns/ecs.c | 3 bind9-9.16.33/lib/dns/gssapi_link.c | 9 bind9-9.16.33/lib/dns/gssapictx.c | 2 bind9-9.16.33/lib/dns/hmac_link.c | 43 bind9-9.16.33/lib/dns/include/dns/acl.h | 6 bind9-9.16.33/lib/dns/include/dns/adb.h | 2 bind9-9.16.33/lib/dns/include/dns/callbacks.h | 2 bind9-9.16.33/lib/dns/include/dns/catz.h | 13 bind9-9.16.33/lib/dns/include/dns/clientinfo.h | 6 bind9-9.16.33/lib/dns/include/dns/db.h | 34 bind9-9.16.33/lib/dns/include/dns/dbiterator.h | 2 bind9-9.16.33/lib/dns/include/dns/diff.h | 4 bind9-9.16.33/lib/dns/include/dns/dispatch.h | 6 bind9-9.16.33/lib/dns/include/dns/dlz.h | 30 bind9-9.16.33/lib/dns/include/dns/dlz_dlopen.h | 2 bind9-9.16.33/lib/dns/include/dns/dnsrps.h | 4 bind9-9.16.33/lib/dns/include/dns/dnssec.h | 9 bind9-9.16.33/lib/dns/include/dns/dyndb.h | 10 bind9-9.16.33/lib/dns/include/dns/geoip.h | 4 bind9-9.16.33/lib/dns/include/dns/ipkeylist.h | 6 bind9-9.16.33/lib/dns/include/dns/iptable.h | 2 bind9-9.16.33/lib/dns/include/dns/kasp.h | 4 bind9-9.16.33/lib/dns/include/dns/librpz.h | 100 - bind9-9.16.33/lib/dns/include/dns/log.h | 2 bind9-9.16.33/lib/dns/include/dns/lookup.h | 4 bind9-9.16.33/lib/dns/include/dns/masterdump.h | 10 bind9-9.16.33/lib/dns/include/dns/message.h | 12 bind9-9.16.33/lib/dns/include/dns/nsec3.h | 6 bind9-9.16.33/lib/dns/include/dns/nta.h | 4 bind9-9.16.33/lib/dns/include/dns/peer.h | 10 bind9-9.16.33/lib/dns/include/dns/rbt.h | 6 bind9-9.16.33/lib/dns/include/dns/rdata.h | 2 bind9-9.16.33/lib/dns/include/dns/rdatalist.h | 2 
bind9-9.16.33/lib/dns/include/dns/rdataset.h | 20 bind9-9.16.33/lib/dns/include/dns/rdatasetiter.h | 8 bind9-9.16.33/lib/dns/include/dns/resolver.h | 16 bind9-9.16.33/lib/dns/include/dns/rpz.h | 36 bind9-9.16.33/lib/dns/include/dns/rriterator.h | 8 bind9-9.16.33/lib/dns/include/dns/rrl.h | 4 bind9-9.16.33/lib/dns/include/dns/sdb.h | 8 bind9-9.16.33/lib/dns/include/dns/sdlz.h | 8 bind9-9.16.33/lib/dns/include/dns/tcpmsg.h | 8 bind9-9.16.33/lib/dns/include/dns/tkey.h | 8 bind9-9.16.33/lib/dns/include/dns/tsig.h | 10 bind9-9.16.33/lib/dns/include/dns/types.h | 2 bind9-9.16.33/lib/dns/include/dns/validator.h | 22 bind9-9.16.33/lib/dns/include/dns/view.h | 70 - bind9-9.16.33/lib/dns/include/dst/dst.h | 20 bind9-9.16.33/lib/dns/journal.c | 10 bind9-9.16.33/lib/dns/kasp.c | 2 bind9-9.16.33/lib/dns/keymgr.c | 20 bind9-9.16.33/lib/dns/lookup.c | 2 bind9-9.16.33/lib/dns/master.c | 54 bind9-9.16.33/lib/dns/masterdump.c | 8 bind9-9.16.33/lib/dns/message.c | 46 bind9-9.16.33/lib/dns/name.c | 32 bind9-9.16.33/lib/dns/ncache.c | 3 bind9-9.16.33/lib/dns/nsec3.c | 1 bind9-9.16.33/lib/dns/opensslecdsa_link.c | 5 bind9-9.16.33/lib/dns/openssleddsa_link.c | 13 bind9-9.16.33/lib/dns/opensslrsa_link.c | 202 +++ bind9-9.16.33/lib/dns/order.c | 2 bind9-9.16.33/lib/dns/peer.c | 3 bind9-9.16.33/lib/dns/pkcs11ecdsa_link.c | 30 bind9-9.16.33/lib/dns/pkcs11eddsa_link.c | 27 bind9-9.16.33/lib/dns/pkcs11rsa_link.c | 40 bind9-9.16.33/lib/dns/private.c | 3 bind9-9.16.33/lib/dns/rbt.c | 38 bind9-9.16.33/lib/dns/rbtdb.c | 244 +--- bind9-9.16.33/lib/dns/rdata.c | 28 bind9-9.16.33/lib/dns/rdata/any_255/tsig_250.c | 26 bind9-9.16.33/lib/dns/rdata/ch_3/a_1.c | 26 bind9-9.16.33/lib/dns/rdata/generic/afsdb_18.c | 26 bind9-9.16.33/lib/dns/rdata/generic/amtrelay_260.c | 32 bind9-9.16.33/lib/dns/rdata/generic/avc_258.c | 26 bind9-9.16.33/lib/dns/rdata/generic/caa_257.c | 26 bind9-9.16.33/lib/dns/rdata/generic/cdnskey_60.c | 26 bind9-9.16.33/lib/dns/rdata/generic/cds_59.c | 26 
bind9-9.16.33/lib/dns/rdata/generic/cert_37.c | 26 bind9-9.16.33/lib/dns/rdata/generic/cname_5.c | 26 bind9-9.16.33/lib/dns/rdata/generic/csync_62.c | 26 bind9-9.16.33/lib/dns/rdata/generic/dlv_32769.c | 26 bind9-9.16.33/lib/dns/rdata/generic/dname_39.c | 26 bind9-9.16.33/lib/dns/rdata/generic/dnskey_48.c | 26 bind9-9.16.33/lib/dns/rdata/generic/doa_259.c | 26 bind9-9.16.33/lib/dns/rdata/generic/ds_43.c | 36 bind9-9.16.33/lib/dns/rdata/generic/eui48_108.c | 26 bind9-9.16.33/lib/dns/rdata/generic/eui64_109.c | 26 bind9-9.16.33/lib/dns/rdata/generic/gpos_27.c | 29 bind9-9.16.33/lib/dns/rdata/generic/hinfo_13.c | 26 bind9-9.16.33/lib/dns/rdata/generic/hip_55.c | 30 bind9-9.16.33/lib/dns/rdata/generic/ipseckey_45.c | 26 bind9-9.16.33/lib/dns/rdata/generic/isdn_20.c | 26 bind9-9.16.33/lib/dns/rdata/generic/key_25.c | 40 bind9-9.16.33/lib/dns/rdata/generic/keydata_65533.c | 26 bind9-9.16.33/lib/dns/rdata/generic/l32_105.c | 26 bind9-9.16.33/lib/dns/rdata/generic/l64_106.c | 26 bind9-9.16.33/lib/dns/rdata/generic/loc_29.c | 46 bind9-9.16.33/lib/dns/rdata/generic/lp_107.c | 26 bind9-9.16.33/lib/dns/rdata/generic/mb_7.c | 26 bind9-9.16.33/lib/dns/rdata/generic/md_3.c | 26 bind9-9.16.33/lib/dns/rdata/generic/mf_4.c | 26 bind9-9.16.33/lib/dns/rdata/generic/mg_8.c | 26 bind9-9.16.33/lib/dns/rdata/generic/minfo_14.c | 26 bind9-9.16.33/lib/dns/rdata/generic/mr_9.c | 26 bind9-9.16.33/lib/dns/rdata/generic/mx_15.c | 26 bind9-9.16.33/lib/dns/rdata/generic/naptr_35.c | 28 bind9-9.16.33/lib/dns/rdata/generic/nid_104.c | 26 bind9-9.16.33/lib/dns/rdata/generic/ninfo_56.c | 26 bind9-9.16.33/lib/dns/rdata/generic/ns_2.c | 26 bind9-9.16.33/lib/dns/rdata/generic/nsec3_50.c | 26 bind9-9.16.33/lib/dns/rdata/generic/nsec3param_51.c | 26 bind9-9.16.33/lib/dns/rdata/generic/nsec_47.c | 26 bind9-9.16.33/lib/dns/rdata/generic/null_10.c | 26 bind9-9.16.33/lib/dns/rdata/generic/nxt_30.c | 26 bind9-9.16.33/lib/dns/rdata/generic/openpgpkey_61.c | 26 bind9-9.16.33/lib/dns/rdata/generic/opt_41.c | 28 
bind9-9.16.33/lib/dns/rdata/generic/proforma.c | 26 bind9-9.16.33/lib/dns/rdata/generic/ptr_12.c | 26 bind9-9.16.33/lib/dns/rdata/generic/rkey_57.c | 26 bind9-9.16.33/lib/dns/rdata/generic/rp_17.c | 26 bind9-9.16.33/lib/dns/rdata/generic/rrsig_46.c | 28 bind9-9.16.33/lib/dns/rdata/generic/rt_21.c | 26 bind9-9.16.33/lib/dns/rdata/generic/sig_24.c | 28 bind9-9.16.33/lib/dns/rdata/generic/sink_40.c | 26 bind9-9.16.33/lib/dns/rdata/generic/smimea_53.c | 26 bind9-9.16.33/lib/dns/rdata/generic/soa_6.c | 26 bind9-9.16.33/lib/dns/rdata/generic/spf_99.c | 26 bind9-9.16.33/lib/dns/rdata/generic/sshfp_44.c | 26 bind9-9.16.33/lib/dns/rdata/generic/ta_32768.c | 26 bind9-9.16.33/lib/dns/rdata/generic/talink_58.c | 26 bind9-9.16.33/lib/dns/rdata/generic/tkey_249.c | 26 bind9-9.16.33/lib/dns/rdata/generic/tlsa_52.c | 38 bind9-9.16.33/lib/dns/rdata/generic/txt_16.c | 38 bind9-9.16.33/lib/dns/rdata/generic/uri_256.c | 26 bind9-9.16.33/lib/dns/rdata/generic/x25_19.c | 26 bind9-9.16.33/lib/dns/rdata/generic/zonemd_63.c | 26 bind9-9.16.33/lib/dns/rdata/hs_4/a_1.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/a6_38.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/a_1.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/aaaa_28.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/apl_42.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/atma_34.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/dhcid_49.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/eid_31.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/https_65.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/kx_36.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/nimloc_32.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/nsap-ptr_23.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/nsap_22.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/px_26.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/srv_33.c | 26 bind9-9.16.33/lib/dns/rdata/in_1/svcb_64.c | 50 bind9-9.16.33/lib/dns/rdata/in_1/wks_11.c | 26 bind9-9.16.33/lib/dns/rdataset.c | 2 bind9-9.16.33/lib/dns/rdataslab.c | 4 bind9-9.16.33/lib/dns/request.c | 2 bind9-9.16.33/lib/dns/resolver.c | 270 +--- 
bind9-9.16.33/lib/dns/rootns.c | 2 bind9-9.16.33/lib/dns/rpz.c | 59 bind9-9.16.33/lib/dns/rrl.c | 103 - bind9-9.16.33/lib/dns/sdb.c | 5 bind9-9.16.33/lib/dns/sdlz.c | 5 bind9-9.16.33/lib/dns/soa.c | 4 bind9-9.16.33/lib/dns/ssu.c | 10 bind9-9.16.33/lib/dns/stats.c | 4 bind9-9.16.33/lib/dns/tests/dispatch_test.c | 2 bind9-9.16.33/lib/dns/tests/dnstest.c | 1 bind9-9.16.33/lib/dns/tests/geoip_test.c | 3 bind9-9.16.33/lib/dns/tests/private_test.c | 12 bind9-9.16.33/lib/dns/tkey.c | 15 bind9-9.16.33/lib/dns/tsec.c | 9 bind9-9.16.33/lib/dns/tsig.c | 12 bind9-9.16.33/lib/dns/update.c | 29 bind9-9.16.33/lib/dns/validator.c | 19 bind9-9.16.33/lib/dns/view.c | 2 bind9-9.16.33/lib/dns/win32/libdns.def.in | 2 bind9-9.16.33/lib/dns/xfrin.c | 8 bind9-9.16.33/lib/dns/zone.c | 152 +- bind9-9.16.33/lib/dns/zoneverify.c | 61 - bind9-9.16.33/lib/irs/getnameinfo.c | 3 bind9-9.16.33/lib/irs/win32/include/irs/netdb.h | 2 bind9-9.16.33/lib/isc/Makefile.in | 9 bind9-9.16.33/lib/isc/app.c | 5 bind9-9.16.33/lib/isc/assertions.c | 1 bind9-9.16.33/lib/isc/base32.c | 6 bind9-9.16.33/lib/isc/base64.c | 6 bind9-9.16.33/lib/isc/heap.c | 16 bind9-9.16.33/lib/isc/hex.c | 6 bind9-9.16.33/lib/isc/hp.c | 207 --- bind9-9.16.33/lib/isc/ht.c | 7 bind9-9.16.33/lib/isc/httpd.c | 8 bind9-9.16.33/lib/isc/include/isc/Makefile.in | 6 bind9-9.16.33/lib/isc/include/isc/assertions.h | 5 bind9-9.16.33/lib/isc/include/isc/atomic.h | 4 bind9-9.16.33/lib/isc/include/isc/backtrace.h | 2 bind9-9.16.33/lib/isc/include/isc/buffer.h | 4 bind9-9.16.33/lib/isc/include/isc/heap.h | 8 bind9-9.16.33/lib/isc/include/isc/hp.h | 140 -- bind9-9.16.33/lib/isc/include/isc/ht.h | 13 bind9-9.16.33/lib/isc/include/isc/httpd.h | 6 bind9-9.16.33/lib/isc/include/isc/lex.h | 2 bind9-9.16.33/lib/isc/include/isc/lfsr.h | 2 bind9-9.16.33/lib/isc/include/isc/list.h | 17 bind9-9.16.33/lib/isc/include/isc/log.h | 4 bind9-9.16.33/lib/isc/include/isc/mem.h | 16 bind9-9.16.33/lib/isc/include/isc/mutexatomic.h | 254 ---- 
bind9-9.16.33/lib/isc/include/isc/netmgr.h | 22 bind9-9.16.33/lib/isc/include/isc/queue.h | 56 bind9-9.16.33/lib/isc/include/isc/quota.h | 2 bind9-9.16.33/lib/isc/include/isc/radix.h | 14 bind9-9.16.33/lib/isc/include/isc/region.h | 2 bind9-9.16.33/lib/isc/include/isc/socket.h | 2 bind9-9.16.33/lib/isc/include/isc/symtab.h | 2 bind9-9.16.33/lib/isc/include/isc/types.h | 8 bind9-9.16.33/lib/isc/include/isc/util.h | 44 bind9-9.16.33/lib/isc/include/pk11/pk11.h | 4 bind9-9.16.33/lib/isc/include/pkcs11/pkcs11.h | 38 bind9-9.16.33/lib/isc/lex.c | 8 bind9-9.16.33/lib/isc/lfsr.c | 4 bind9-9.16.33/lib/isc/log.c | 5 bind9-9.16.33/lib/isc/managers.c | 7 bind9-9.16.33/lib/isc/mem.c | 45 bind9-9.16.33/lib/isc/netaddr.c | 3 bind9-9.16.33/lib/isc/netmgr/netmgr-int.h | 65 - bind9-9.16.33/lib/isc/netmgr/netmgr.c | 412 +++--- bind9-9.16.33/lib/isc/netmgr/tcp.c | 168 +- bind9-9.16.33/lib/isc/netmgr/tcpdns.c | 159 +- bind9-9.16.33/lib/isc/netmgr/udp.c | 110 - bind9-9.16.33/lib/isc/netmgr/uv-compat.h | 17 bind9-9.16.33/lib/isc/portset.c | 6 bind9-9.16.33/lib/isc/pthreads/include/isc/thread.h | 4 bind9-9.16.33/lib/isc/queue.c | 234 --- bind9-9.16.33/lib/isc/ratelimiter.c | 2 bind9-9.16.33/lib/isc/rwlock.c | 8 bind9-9.16.33/lib/isc/siphash.c | 26 bind9-9.16.33/lib/isc/sockaddr.c | 6 bind9-9.16.33/lib/isc/symtab.c | 2 bind9-9.16.33/lib/isc/task.c | 10 bind9-9.16.33/lib/isc/tests/heap_test.c | 5 bind9-9.16.33/lib/isc/tests/ht_test.c | 9 bind9-9.16.33/lib/isc/tests/netmgr_test.c | 39 bind9-9.16.33/lib/isc/tests/quota_test.c | 4 bind9-9.16.33/lib/isc/tests/timer_test.c | 5 bind9-9.16.33/lib/isc/tests/uv_wrap.h | 36 bind9-9.16.33/lib/isc/timer.c | 21 bind9-9.16.33/lib/isc/tls.c | 4 bind9-9.16.33/lib/isc/tm.c | 4 bind9-9.16.33/lib/isc/trampoline.c | 93 - bind9-9.16.33/lib/isc/unix/include/isc/dir.h | 2 bind9-9.16.33/lib/isc/unix/include/isc/stdatomic.h | 2 bind9-9.16.33/lib/isc/unix/interfaceiter.c | 3 bind9-9.16.33/lib/isc/unix/net.c | 7 bind9-9.16.33/lib/isc/unix/os.c | 2 
bind9-9.16.33/lib/isc/unix/socket.c | 33 bind9-9.16.33/lib/isc/unix/time.c | 2 bind9-9.16.33/lib/isc/url.c | 13 bind9-9.16.33/lib/isc/win32/dir.c | 2 bind9-9.16.33/lib/isc/win32/include/isc/platform.h.in | 2 bind9-9.16.33/lib/isc/win32/include/isc/stdatomic.h | 23 bind9-9.16.33/lib/isc/win32/interfaceiter.c | 6 bind9-9.16.33/lib/isc/win32/libisc.def.in | 22 bind9-9.16.33/lib/isc/win32/libisc.vcxproj.filters.in | 12 bind9-9.16.33/lib/isc/win32/libisc.vcxproj.in | 4 bind9-9.16.33/lib/isc/win32/socket.c | 5 bind9-9.16.33/lib/isc/xoshiro128starstar.c | 4 bind9-9.16.33/lib/isccc/include/isccc/ccmsg.h | 8 bind9-9.16.33/lib/isccc/include/isccc/sexpr.h | 2 bind9-9.16.33/lib/isccc/include/isccc/symtab.h | 6 bind9-9.16.33/lib/isccc/include/isccc/util.h | 2 bind9-9.16.33/lib/isccc/sexpr.c | 3 bind9-9.16.33/lib/isccc/symtab.c | 4 bind9-9.16.33/lib/isccfg/aclconf.c | 7 bind9-9.16.33/lib/isccfg/include/isccfg/cfg.h | 8 bind9-9.16.33/lib/isccfg/include/isccfg/grammar.h | 22 bind9-9.16.33/lib/isccfg/kaspconf.c | 35 bind9-9.16.33/lib/isccfg/namedconf.c | 13 bind9-9.16.33/lib/isccfg/parser.c | 12 bind9-9.16.33/lib/ns/client.c | 69 - bind9-9.16.33/lib/ns/include/ns/client.h | 22 bind9-9.16.33/lib/ns/include/ns/hooks.h | 4 bind9-9.16.33/lib/ns/include/ns/interfacemgr.h | 2 bind9-9.16.33/lib/ns/include/ns/log.h | 2 bind9-9.16.33/lib/ns/include/ns/query.h | 45 bind9-9.16.33/lib/ns/include/ns/server.h | 8 bind9-9.16.33/lib/ns/include/ns/sortlist.h | 4 bind9-9.16.33/lib/ns/interfacemgr.c | 18 bind9-9.16.33/lib/ns/query.c | 355 +++-- bind9-9.16.33/lib/ns/tests/nstest.c | 5 bind9-9.16.33/lib/ns/tests/query_test.c | 3 bind9-9.16.33/lib/ns/update.c | 13 bind9-9.16.33/lib/ns/xfrout.c | 11 bind9-9.16.33/srcid | 2 bind9-9.16.33/version | 2 600 files changed, 12446 insertions(+), 9189 deletions(-) diff -Nru bind9-9.16.27/.gitlab-ci.yml bind9-9.16.33/.gitlab-ci.yml --- bind9-9.16.27/.gitlab-ci.yml 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/.gitlab-ci.yml 2022-09-08 13:01:23.000000000 
+0000 @@ -16,16 +16,17 @@ TEST_PARALLEL_JOBS: 6 CONFIGURE: ./configure - CLANG: clang-13 - SCAN_BUILD: scan-build-13 - ASAN_SYMBOLIZER_PATH: /usr/lib/llvm-13/bin/llvm-symbolizer - CLANG_FORMAT: clang-format-13 + CLANG_VERSION: 14 + CLANG: "clang-${CLANG_VERSION}" + SCAN_BUILD: "scan-build-${CLANG_VERSION}" + ASAN_SYMBOLIZER_PATH: "/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" + CLANG_FORMAT: "clang-format-${CLANG_VERSION}" - CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra + CFLAGS_COMMON: -fno-omit-frame-pointer -fno-optimize-sibling-calls -O1 -g -Wall -Wextra # Pass run-time flags to AddressSanitizer to get core dumps on error. ASAN_OPTIONS: abort_on_error=1:disable_coredump=0:unmap_shadow_on_exit=1 - TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan external_symbolizer_path=/usr/lib/llvm-12/bin/llvm-symbolizer" + TSAN_OPTIONS_COMMON: "disable_coredump=0 second_deadlock_stack=1 history_size=7 log_exe_name=true log_path=tsan" TARBALL_COMPRESSOR: xz TARBALL_EXTENSION: xz @@ -54,7 +55,6 @@ - system - performance - docs - - push - postcheck - release @@ -100,8 +100,8 @@ # Alpine Linux -.alpine-3.15-amd64: &alpine_3_15_amd64_image - image: "$CI_REGISTRY_IMAGE:alpine-3.15-amd64" +.alpine-3.16-amd64: &alpine_3_16_amd64_image + image: "$CI_REGISTRY_IMAGE:alpine-3.16-amd64" <<: *linux_amd64 # Oracle Linux @@ -116,10 +116,6 @@ # Debian -.debian-stretch-amd64: &debian_stretch_amd64_image - image: "$CI_REGISTRY_IMAGE:debian-stretch-amd64" - <<: *linux_amd64 - .debian-buster-amd64: &debian_buster_amd64_image image: "$CI_REGISTRY_IMAGE:debian-buster-amd64" <<: *linux_amd64 @@ -162,6 +158,10 @@ image: "$CI_REGISTRY_IMAGE:ubuntu-focal-amd64" <<: *linux_amd64 +.ubuntu-jammy-amd64: &ubuntu_jammy_amd64_image + image: "$CI_REGISTRY_IMAGE:ubuntu-jammy-amd64" + <<: *linux_amd64 + # Windows .windows-server-2016-amd64: &windows_server_2016_amd64_image 
@@ -181,38 +181,34 @@ <<: *libvirt_amd64 .freebsd-13-amd64: &freebsd_13_amd64_image - image: "freebsd-13.0-x86_64" + image: "freebsd-13.1-x86_64" <<: *libvirt_amd64 .openbsd-amd64: &openbsd_amd64_image - image: "openbsd-7.0-x86_64" + image: "openbsd-7.1-x86_64" <<: *libvirt_amd64 ### Job Templates -.default-triggering-rules: &default_triggering_rules +.api-schedules-tags-triggers-web-triggering-rules: &api_schedules_tags_triggers_web_triggering_rules only: - api - - merge_requests + - schedules - tags - triggers - web - - schedules -.release-branch-triggering-rules: &release_branch_triggering_rules +.api-schedules-triggers-web-triggering-rules: &api_schedules_triggers_web_triggering_rules only: - api - - merge_requests - - tags + - schedules - triggers - web - - schedules - - main@isc-projects/bind9 - - /^v9_[1-9][0-9]$/@isc-projects/bind9 -.schedules-tags-web-triggering-rules: &schedules_tags_web_triggering_rules +.default-triggering-rules: &default_triggering_rules only: - api + - merge_requests - schedules - tags - triggers @@ -224,7 +220,7 @@ stage: precheck .autoconf: &autoconf_job - <<: *release_branch_triggering_rules + <<: *default_triggering_rules <<: *base_image stage: precheck script: @@ -351,7 +347,7 @@ --output kyua_html > /dev/null .windows_system_test: &windows_system_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules stage: system script: - 'Push-Location bin/tests/system' 
@@ -408,6 +404,25 @@ - kyua_html/ when: on_failure +.respdiff: &respdiff_job + <<: *base_image + stage: system + before_script: + - *configure + - make -j${BUILD_PARALLEL_JOBS:-1} V=1 + - *setup_interfaces + - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git + - cd bind-qa/bind9/respdiff + needs: [] + artifacts: + paths: + - bind-qa/bind9/respdiff + exclude: + - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. + untracked: true + expire_in: "1 day" + when: always + ### Job Definitions # Jobs in the precheck stage @@ -440,6 +455,19 @@ expire_in: "1 day" when: on_failure +black: + <<: *precheck_job + needs: [] + script: + - black $(git ls-files '*.py' '*.py.in') + - git diff > black.patch + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + artifacts: + paths: + - black.patch + expire_in: "1 week" + when: on_failure + clang-format: <<: *precheck_job needs: [] @@ -480,19 +508,6 @@ variables: - $DANGER_GITLAB_API_TOKEN -flake8: - <<: *default_triggering_rules - <<: *base_image - stage: postcheck - needs: - - job: autoreconf - artifacts: true - script: - - *configure - - flake8 --max-line-length=80 $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/)') - # Ignore Flake8 E402 error (module level import not at top of file) in system test to enable use of pytest.importorskip - - flake8 --max-line-length=80 --extend-ignore=E402 $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py') - pylint: <<: *default_triggering_rules <<: *base_image @@ -526,7 +541,7 @@ # Jobs for doc builds on Debian 11 "bullseye" (amd64) docs: - <<: *release_branch_triggering_rules + <<: *default_triggering_rules <<: *base_image stage: docs before_script: 
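Review bot: In the `.respdiff` template's `before_script`, the clone URL carries `${CI_JOB_TOKEN}`, and git stores that URL in `bind-qa/.git/config`; the same template then uploads artifacts with `untracked: true` and `when: always`. Whether the runner's untracked-file collection descends into the nested `bind-qa/.git` directory is not visible from this hunk, so it is worth confirming that the token-bearing config never lands in an artifact. Resetting the remote right after the clone removes the question: `- git -C bind-qa remote set-url origin https://gitlab.isc.org/isc-private/bind-qa.git`. The listed artifact path also publishes part of a repository under `isc-private`, and the later `respdiff-short` job applies this template with the merge-request trigger rules, so that content is uploaded on more pipelines than before.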
@@ -551,41 +566,28 @@ - doc/arm/ - doc/man/ - doc/misc/ - expire_in: "1 month" -push:docs: - <<: *base_image - stage: push - needs: - - job: docs - artifacts: false - script: - - curl -X POST -F token=$GITLAB_PAGES_DOCS_TRIGGER_TOKEN -F ref=main $GITLAB_PAGES_DOCS_TRIGGER_URL - only: - - main@isc-projects/bind9 - - /^v9_[1-9][0-9]$/@isc-projects/bind9 +# Jobs for regular GCC builds on Alpine Linux 3.16 (amd64) -# Jobs for regular GCC builds on Alpine Linux 3.15 (amd64) - -gcc:alpine3.15:amd64: +gcc:alpine3.16:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" - <<: *alpine_3_15_amd64_image + <<: *alpine_3_16_amd64_image <<: *build_job -system:gcc:alpine3.15:amd64: - <<: *alpine_3_15_amd64_image +system:gcc:alpine3.16:amd64: + <<: *alpine_3_16_amd64_image <<: *system_test_job needs: - - job: gcc:alpine3.15:amd64 + - job: gcc:alpine3.16:amd64 artifacts: true -unit:gcc:alpine3.15:amd64: - <<: *alpine_3_15_amd64_image +unit:gcc:alpine3.16:amd64: + <<: *alpine_3_16_amd64_image <<: *unit_test_job needs: - - job: gcc:alpine3.15:amd64 + - job: gcc:alpine3.16:amd64 artifacts: true # Jobs for regular GCC builds on Oracle Linux 7 (amd64) @@ -636,33 +638,6 @@ - job: gcc:oraclelinux8:amd64 artifacts: true -# Jobs for regular GCC builds on Debian 9 "stretch" (amd64) - -gcc:stretch:amd64: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--without-gssapi" - <<: *debian_stretch_amd64_image - <<: *build_job - <<: *schedules_tags_web_triggering_rules - -system:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image - <<: *system_test_job - <<: *schedules_tags_web_triggering_rules - needs: - - job: gcc:stretch:amd64 - artifacts: true - -unit:gcc:stretch:amd64: - <<: *debian_stretch_amd64_image - <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules - needs: - - job: gcc:stretch:amd64 - artifacts: true - # Jobs for regular GCC builds on Debian 10 "buster" (amd64) gcc:buster:amd64: 
@@ -672,12 +647,12 @@ EXTRA_CONFIGURE: "--with-libidn2" <<: *debian_buster_amd64_image <<: *build_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules system:gcc:buster:amd64: <<: *debian_buster_amd64_image <<: *system_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - job: gcc:buster:amd64 artifacts: true @@ -685,7 +660,7 @@ unit:gcc:buster:amd64: <<: *debian_buster_amd64_image <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - job: gcc:buster:amd64 artifacts: true @@ -709,6 +684,16 @@ - job: unit:gcc:bullseye:amd64 artifacts: true +system:gcc:bullseye:unstable:amd64: + <<: *debian_bullseye_amd64_image + <<: *system_test_job + <<: *api_schedules_triggers_web_triggering_rules + variables: + CI_ENABLE_ALL_TESTS: 1 + needs: + - job: gcc:bullseye:amd64 + artifacts: true + unit:gcc:bullseye:amd64: <<: *debian_bullseye_amd64_image <<: *unit_test_gcov_job @@ -719,16 +704,12 @@ unit:gcc:bullseye:unstable:amd64: <<: *debian_bullseye_amd64_image <<: *unit_test_job + <<: *api_schedules_triggers_web_triggering_rules variables: CI_ENABLE_ALL_TESTS: 1 needs: - job: gcc:bullseye:amd64 artifacts: true - only: - - api - - schedules - - triggers - - web # Jobs for cross-compiled GCC builds on Debian 11 "bullseye" (amd64) with # 32-bit libraries @@ -848,7 +829,7 @@ system:gcc:tarball: <<: *base_image <<: *system_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* - *setup_interfaces @@ -859,7 +840,7 @@ unit:gcc:tarball: <<: *base_image <<: *unit_test_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules before_script: - cd bind-* needs: 
@@ -896,13 +877,15 @@ variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O2" - EXTRA_CONFIGURE: "--disable-dnstap --disable-geoip --with-gssapi" + EXTRA_CONFIGURE: "--disable-dnstap --with-gssapi" <<: *ubuntu_bionic_amd64_image <<: *build_job + <<: *api_schedules_tags_triggers_web_triggering_rules system:gcc:bionic:amd64: <<: *ubuntu_bionic_amd64_image <<: *system_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - job: gcc:bionic:amd64 artifacts: true @@ -910,6 +893,7 @@ unit:gcc:bionic:amd64: <<: *ubuntu_bionic_amd64_image <<: *unit_test_job + <<: *api_schedules_tags_triggers_web_triggering_rules needs: - job: gcc:bionic:amd64 artifacts: true @@ -920,7 +904,7 @@ variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" - EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr" + EXTRA_CONFIGURE: "--with-libidn2 --with-gssapi=/usr --disable-geoip" <<: *ubuntu_focal_amd64_image <<: *build_job @@ -938,6 +922,30 @@ - job: gcc:focal:amd64 artifacts: true +# Jobs for regular GCC builds on Ubuntu 22.04 Jammy Jellyfish (amd64) + +gcc:jammy:amd64: + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "--with-libidn2" + <<: *ubuntu_jammy_amd64_image + <<: *build_job + +system:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image + <<: *system_test_job + needs: + - job: gcc:jammy:amd64 + artifacts: true + +unit:gcc:jammy:amd64: + <<: *ubuntu_jammy_amd64_image + <<: *unit_test_job + needs: + - job: gcc:jammy:amd64 + artifacts: true + # Jobs for ASAN builds on Fedora 35 (amd64) gcc:asan: @@ -999,7 +1007,7 @@ system:gcc:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" <<: *fedora_35_amd64_image <<: *system_test_tsan_job needs: @@ -1008,7 +1016,7 @@ unit:gcc:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/bin/llvm-symbolizer" <<: *fedora_35_amd64_image <<: *unit_test_tsan_job needs: 
@@ -1026,7 +1034,7 @@ system:clang:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer" <<: *base_image <<: *system_test_tsan_job needs: @@ -1035,37 +1043,13 @@ unit:clang:tsan: variables: - TSAN_OPTIONS: ${TSAN_OPTIONS_COMMON} suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt + TSAN_OPTIONS: "${TSAN_OPTIONS_COMMON} external_symbolizer_path=/usr/lib/llvm-${CLANG_VERSION}/bin/llvm-symbolizer suppressions=$CI_PROJECT_DIR/tsan-suppressions.txt" <<: *base_image <<: *unit_test_tsan_job needs: - job: clang:tsan artifacts: true -# Jobs for builds with mutex-based atomics on Debian 11 "bullseye" (amd64) - -gcc:mutexatomics: - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -DISC_MEM_USE_INTERNAL_MALLOC=0" - EXTRA_CONFIGURE: "--with-libidn2 --enable-mutex-atomics" - <<: *base_image - <<: *build_job - -system:gcc:mutexatomics: - <<: *base_image - <<: *system_test_job - needs: - - job: gcc:mutexatomics - artifacts: true - -unit:gcc:mutexatomics: - <<: *base_image - <<: *unit_test_job - needs: - - job: gcc:mutexatomics - artifacts: true - # Jobs for Clang builds on Debian 11 "bullseye" (amd64) clang:bullseye:amd64: 
@@ -1090,25 +1074,25 @@ - job: clang:bullseye:amd64 artifacts: true -# Jobs for PKCS#11-enabled GCC builds on Fedora 35 (amd64) +# Jobs for PKCS#11-enabled GCC builds on Debian 11 "bullseye" (amd64) gcc:softhsm2.6: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O1" - EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so" - <<: *fedora_35_amd64_image + EXTRA_CONFIGURE: "--with-libidn2 --enable-native-pkcs11 --with-pkcs11=/usr/lib/softhsm/libsofthsm2.so" + <<: *debian_bullseye_amd64_image <<: *build_job system:gcc:softhsm2.6: - <<: *fedora_35_amd64_image + <<: *debian_bullseye_amd64_image <<: *system_test_job needs: - job: gcc:softhsm2.6 artifacts: true unit:gcc:softhsm2.6: - <<: *fedora_35_amd64_image + <<: *debian_bullseye_amd64_image <<: *unit_test_job needs: - job: gcc:softhsm2.6 @@ -1181,16 +1165,12 @@ system:clang:openbsd:amd64: <<: *openbsd_amd64_image <<: *system_test_job + <<: *api_schedules_triggers_web_triggering_rules variables: USER: gitlab-runner needs: - job: clang:openbsd:amd64 artifacts: true - only: - - api - - schedules - - triggers - - web # Jobs with libtool disabled @@ -1237,7 +1217,7 @@ msvc-debug:windows:amd64: <<: *windows_server_2016_amd64_image <<: *windows_build_job - <<: *schedules_tags_web_triggering_rules + <<: *api_schedules_tags_triggers_web_triggering_rules variables: VSCONF: Debug 
@@ -1300,27 +1280,25 @@ # Coverity Scan analysis upload -.coverity_cache_prep: &coverity_cache_prep - - test -f cov-analysis-linux64.md5 && test -f cov-analysis-linux64.tgz || ( - curl --output cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 +.coverity_prep: &coverity_prep + - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN - --form md5=1; - curl --output cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 + --form md5=1 + - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 --form project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN; - ) - - test "$(md5sum cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat cov-analysis-linux64.md5)" - - tar --extract --gzip --file=cov-analysis-linux64.tgz - - test -d cov-analysis-linux64-2021.12.1 + --form token=$COVERITY_SCAN_TOKEN + - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" + - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp + - test -d /tmp/cov-analysis-linux64-2022.6.0 .coverity_build: &coverity_build - - cov-analysis-linux64-2021.12.1/bin/cov-build --dir cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' - - tar --create --gzip --file=cov-int.tar.gz cov-int/ + - /tmp/cov-analysis-linux64-2022.6.0/bin/cov-build --dir /tmp/cov-int --fs-capture-search . 
sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' + - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN --form email=bind-changes@isc.org - --form file=@cov-int.tar.gz + --form file=@/tmp/cov-int.tar.gz --form version="$(git rev-parse --short HEAD)" --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 | tee curl-response.txt @@ -1334,9 +1312,11 @@ CFLAGS: "${CFLAGS_COMMON} -Og" EXTRA_CONFIGURE: "--with-libidn2" script: - - *coverity_cache_prep + - *coverity_prep - *configure - *coverity_build + after_script: + - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ needs: - job: autoreconf artifacts: true 
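Review bot: The integrity check in `.coverity_prep` compares the tarball against an MD5 that is downloaded from the same `scan.coverity.com` endpoint in the preceding step, so it detects a truncated transfer but not a substituted archive, and the archive's `cov-build` is then run in a job that holds `$COVERITY_SCAN_TOKEN`. With the `cache:` block removed later in this diff, the download and this check run on every pipeline. Consider pinning a digest held in the project's CI settings, e.g. `- echo "${COVERITY_TOOL_SHA256}  /tmp/cov-analysis-linux64.tgz" | sha256sum --check` (`COVERITY_TOOL_SHA256` is a placeholder variable name), and adding `--fail` to both `curl --output` calls so an HTTP error body is never written to disk as the tool.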
@@ -1350,69 +1330,38 @@ variables: - $COVERITY_SCAN_PROJECT_NAME - $COVERITY_SCAN_TOKEN - cache: - key: cov-analysis-linux64-2021.12.1 - paths: - - cov-analysis-linux64.md5 - - cov-analysis-linux64.tgz # Respdiff tests -respdiff: - <<: *base_image - <<: *schedules_tags_web_triggering_rules - stage: system +respdiff-short: + <<: *respdiff_job + <<: *default_triggering_rules variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" - BIND_BASELINE_VERSION: v9_11_24 MAX_DISAGREEMENTS_PERCENTAGE: "0.1" script: - - *configure - - make -j${BUILD_PARALLEL_JOBS:-1} V=1 - - *setup_interfaces - - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git refserver - - cd refserver/ - - ./configure --without-make-clean --with-randomdev=/dev/urandom - - make -j${BUILD_PARALLEL_JOBS:-1} V=1 - - cd ../bind-qa/bind9/respdiff - - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "${CI_PROJECT_DIR}/refserver" - needs: [] - artifacts: - paths: - - refserver - - bind-qa/bind9/respdiff - exclude: - - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. 
- untracked: true - expire_in: "1 day" - when: always + - bash respdiff.sh -s named -q "${PWD}/10k_a.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" -respdiff-third-party: - <<: *base_image - <<: *schedules_tags_web_triggering_rules - stage: system +respdiff-long: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" + MAX_DISAGREEMENTS_PERCENTAGE: "0.1" + script: + - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named" + +respdiff-long-third-party: + <<: *respdiff_job + <<: *api_schedules_tags_triggers_web_triggering_rules variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -Og" MAX_DISAGREEMENTS_PERCENTAGE: "0.1" script: - - *configure - - make -j${BUILD_PARALLEL_JOBS:-1} V=1 - - *setup_interfaces - - git clone --depth 1 https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.isc.org/isc-private/bind-qa.git - - cd bind-qa/bind9/respdiff - bash respdiff.sh -s third_party -q "${PWD}/100k_mixed.txt" -c 1 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" - needs: [] - artifacts: - paths: - - bind-qa/bind9/respdiff - exclude: - - bind-qa/bind9/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file. - untracked: true - expire_in: "1 day" - when: always # "Stress" tests @@ -1464,6 +1413,20 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) +stress:rpz:fedora:35:amd64: + <<: *fedora_35_amd64_image + <<: *linux_stress_amd64 + <<: *stress_job + variables: + CC: gcc + FLAME: /usr/bin/flame + MODE: rpz + RATE: 1500 + RUN_TIME: 1 + only: + variables: + - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) + stress:authoritative:fedora:35:arm64: <<: *fedora_35_arm64_image <<: *linux_stress_arm64 
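Review bot: The reference server for `respdiff-short` and `respdiff-long` is now the prebuilt `/usr/local/respdiff-reference-bind/sbin/named` from the CI image, and the removed `BIND_BASELINE_VERSION: v9_11_24` was the only place this file recorded which release the responses are compared against. Nothing in the job now states or checks the baseline, so an image rebuild can change the comparison target without any change here. A comment on each job would restore that, for example `# reference named is baked into the image; baseline release: <BASELINE_VERSION>`, and a first script step such as `- /usr/local/respdiff-reference-bind/sbin/named -V` would put the actual version in the job log.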
@@ -1492,6 +1455,20 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) +stress:rpz:fedora:35:arm64: + <<: *fedora_35_arm64_image + <<: *linux_stress_arm64 + <<: *stress_job + variables: + CC: gcc + FLAME: /usr/bin/flame + MODE: rpz + RATE: 1500 + RUN_TIME: 1 + only: + variables: + - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /linux/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /arm64/i) + stress:authoritative:freebsd12:amd64: <<: *freebsd_12_amd64_image <<: *freebsd_stress_amd64 @@ -1520,6 +1497,20 @@ variables: - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /recursive/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) +stress:rpz:freebsd12:amd64: + <<: *freebsd_12_amd64_image + <<: *freebsd_stress_amd64 + <<: *stress_job + variables: + CC: clang + FLAME: /usr/local/bin/flame + MODE: rpz + RATE: 1500 + RUN_TIME: 1 + only: + variables: + - $CI_COMMIT_TAG || ($BIND_STRESS_TEST_OS =~ /freebsd/i && $BIND_STRESS_TEST_MODE =~ /rpz/i && $BIND_STRESS_TEST_ARCH =~ /amd64/i) + gcov: <<: *base_image <<: *default_triggering_rules @@ -1551,7 +1542,9 @@ - coverage.txt - coverage.xml reports: - cobertura: coverage.xml + coverage_report: + coverage_format: cobertura + path: coverage.xml # Pairwise testing of ./configure options diff -Nru bind9-9.16.27/.reuse/dep5 bind9-9.16.33/.reuse/dep5 --- bind9-9.16.27/.reuse/dep5 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/.reuse/dep5 2022-09-08 13:01:23.000000000 +0000 
@@ -55,16 +55,8 @@ bin/tests/system/journal/ns2/managed-keys.bind.in bin/tests/system/journal/ns2/managed-keys.bind.jnl.in bin/tests/system/keepalive/expected - bin/tests/system/legacy/ns10/named.ednsrefused - bin/tests/system/legacy/ns2/named.dropedns - bin/tests/system/legacy/ns3/named.dropedns - bin/tests/system/legacy/ns3/named.notcp - bin/tests/system/legacy/ns5/named.notcp bin/tests/system/legacy/ns6/edns512.db.signed bin/tests/system/legacy/ns7/edns512-notcp.db.signed - bin/tests/system/legacy/ns7/named.notcp - bin/tests/system/legacy/ns8/named.ednsformerr - bin/tests/system/legacy/ns9/named.ednsnotimp bin/tests/system/notify/ns4/named.port.in bin/tests/system/nsupdate/commandlist bin/tests/system/nsupdate/verylarge.in @@ -150,6 +142,16 @@ **/.gitattributes **/.gitignore **/named*.args + **/named.dropedns + **/named.ednsformerr + **/named.ednsnotimp + **/named.ednsrefused + **/named.maxudp1460 + **/named.maxudp512 + **/named.noaa + **/named.noedns + **/named.nosoa + **/named.notcp **/startme .clang-format .clang-format.headers diff -Nru bind9-9.16.27/CHANGES bind9-9.16.33/CHANGES --- bind9-9.16.27/CHANGES 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/CHANGES 2022-09-08 13:01:23.000000000 +0000 
@@ -1,3 +1,195 @@ + --- 9.16.33 released --- + +5962. [security] Fix memory leak in EdDSA verify processing. + (CVE-2022-38178) [GL #3487] + +5961. [security] Fix memory leak in ECDSA verify processing. + (CVE-2022-38177) [GL #3487] + +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] + +5957. [security] Prevent excessive resource use while processing large + delegations. (CVE-2022-2795) [GL #3394] + +5956. [func] Make RRL code treat all QNAMEs that are subject to + wildcard processing within a given zone as the same + name. [GL #3459] + +5955. [port] The libxml2 library has deprecated the usage of + xmlInitThreads() and xmlCleanupThreads() functions. Use + xmlInitParser() and xmlCleanupParser() instead. + [GL #3518] + +5954. [func] Fallback to IDNA2003 processing in dig when IDNA2008 + conversion fails. [GL #3485] + +5953. [bug] Fix a crash on shutdown in delete_trace_entry(). Add + mctx attach/detach pair to make sure that the memory + context used by a memory pool is not destroyed before + the memory pool itself. [GL #3515] + +5952. [bug] Use quotes around address strings in YAML output. + [GL #3511] + +5951. [bug] In some cases, the dnstap query_message field was + erroneously set when logging response messages. + [GL #3501] + +5948. [bug] Fix nsec3.c:dns_nsec3_activex() function, add a missing + dns_db_detachnode() call. [GL #3500] + +5945. [bug] If parsing /etc/bind.key failed, delv could assert + when trying to parse the built in trust anchors as + the parser hadn't been reset. [GL !6468] + +5942. [bug] Fix tkey.c:buildquery() function's error handling by + adding the missing cleanup code. [GL #3492] + +5941. [func] Zones with dnssec-policy now require dynamic DNS or + inline-siging to be configured explicitly. [GL #3381] + +5936. 
[bug] Don't enable serve-stale for lookups that error because
+ it is a duplicate query or a query that would be
+ dropped. [GL #2982]
+
+ --- 9.16.32 released ---
+
+5934. [func] Improve fetches-per-zone fetch limit logging to log
+ the final allowed and spilled values of the fetch
+ counters before the counter object gets destroyed.
+ [GL #3461]
+
+5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
+ named on Fedorda 33, Oracle Linux 9 and RHEL9 when
+ they are disabled by the security policy. [GL #3469]
+
+5932. [bug] Fix rndc dumpdb -expired and always include expired
+ RRsets, not just for RBTDB_VIRTUAL time window.
+ [GL #3462]
+
+5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
+ not fully effective; it was used for timing key
+ rollovers but did not actually place an upper limit
+ on TTLs when loading a zone. This has been
+ corrected, and the documentation has been clarified
+ to indicate that the old "max-zone-ttl" zone option
+ is now ignored when "dnssec-policy" is in use.
+ [GL #2918]
+
+5924. [func] When it's necessary to use AXFR to respond to an
+ IXFR request, a message explaining the reason
+ is now logged at level info. [GL #2683]
+
+5923. [bug] Fix inheritance for dnssec-policy when checking for
+ inline-signing. [GL #3438]
+
+5922. [bug] Forwarding of UPDATE message could fail with the
+ introduction of netmgr. This has been fixed. [GL #3389]
+
+ --- 9.16.31 released ---
+
+5917. [bug] Update ifconfig.sh script as is miscomputed interface
+ identifiers when destroying interfaces. [GL #3061]
+
+5915. [bug] Detect missing closing brace (}) and computational
+ overflows in $GENERATE directives. [GL #3429]
+
+5913. [bug] Fix a race between resolver query timeout and
+ validation in resolver.c:validated(). Remove
+ resolver.c:maybe_destroy() as it is no loger needed.
+ [GL #3398]
+
+5909. [bug] The server-side destination port was missing from dnstap
+ captures of client traffic. [GL #3309]
+
+5905.
[bug] When the TCP connection would be closed/reset between
+ the connect/accept and the read, the uv_read_start()
+ return value would be unexpected and cause an assertion
+ failure. [GL #3400]
+
+5903. [bug] When named checks that the OPCODE in a response matches
+ that of the request, if there is a mismatch named logs
+ an error. Some of those error messages incorrectly
+ used RCODE instead of OPCODE to lookup the nemonic.
+ This has been corrected. [GL !6420]
+
+ --- 9.16.30 released ---
+
+5899. [func] Don't try to process DNSSEC-related and ZONEMD records
+ in catz. [GL #3380]
+
+5890. [bug] When the fetches-per-server quota was adjusted
+ because of an authoritative server timing out more
+ or less frequently, it was incorrectly set to 1
+ rather than the intended value. This has been
+ fixed. [GL #3327]
+
+5888. [bug] Only write key files if the dnssec-policy keymgr has
+ changed the metadata. [GL #3302]
+
+5823. [func] Replace hazard pointers based lock-free list with
+ locked-list based queue that's simpler and has no or
+ little performance impact. [GL #3180]
+
+ --- 9.16.29 released ---
+
+5885. [bug] RPZ NSIP and NSDNAME rule processing didn't handle stub
+ and static-stub zones at or above the query name. This
+ has now been addressed. [GL #3232]
+
+5881. [bug] dig +nssearch could hang in rare cases when recv_done()
+ callback was being called earlier than send_done().
+ [GL #3278]
+
+5880. [func] Add new named command-line option -C to print built-in
+ defaults. [GL #1326]
+
+5879. [contrib] dlz: Add FALLTHROUGH and UNREACHABLE macros. [GL #3306]
+
+5874. [bug] keymgr didn't work with python 3.11. [GL !6157]
+
+5866. [bug] Work around a jemalloc quirk which could trigger an
+ out-of-memory condition in named over time. [GL #3287]
+
+5863. [bug] If there was a pending negative cache DS entry,
+ validations depending upon it could fail. [GL #3279]
+
+5858. [bug] Don't remove CDS/CDNSKEY DELETE records on zone sign
+ when using 'auto-dnssec maintain;'.
[GL #2931] + + --- 9.16.28 released --- + +5856. [bug] The "starting maxtime timer" message related to outgoing + zone transfers was incorrectly logged at the ERROR level + instead of DEBUG(1). [GL #3208] + +5852. [func] Add new "reuseport" option to enable/disable load + balancing of sockets. [GL #3249] + +5843. [bug] When an UPDATE targets a zone that is not configured, + the requested zone name is now logged in the "not + authoritative" error message, so that it is easier to + track down problematic update clients. [GL #3209] + +5836. [bug] Quote the dns64 prefix in error messages that complain + about problems with it, to avoid confusion with the + following dns64 ACLs. [GL #3210] + +5834. [cleanup] C99 variable-length arrays are difficult to use safely, + so avoid them except in test code. [GL #3201] + +5828. [bug] Replace single TCP write timer with per-TCP write + timers. [GL #3200] + +5824. [bug] Invalid dnssec-policy definitions were being accepted + where the defined keys did not cover both KSK and ZSK + roles for a given algorithm. This is now checked for + and the dnssec-policy is rejected if both roles are + not present for all algorithms in use. [GL #3142] + --- 9.16.27 released --- 5818. [security] A synchronous call to closehandle_cb() caused diff -Nru bind9-9.16.27/bin/check/named-checkconf.c bind9-9.16.33/bin/check/named-checkconf.c --- bind9-9.16.27/bin/check/named-checkconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/check/named-checkconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -306,8 +306,7 @@ zone_options &= ~DNS_ZONEOPT_CHECKDUPRR; zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKDUPRR; @@ -326,8 +325,7 @@ zone_options &= ~DNS_ZONEOPT_CHECKMX; zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKMX; 
@@ -357,8 +355,7 @@ zone_options |= DNS_ZONEOPT_WARNMXCNAME; zone_options |= DNS_ZONEOPT_IGNOREMXCNAME; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_WARNMXCNAME; @@ -377,8 +374,7 @@ zone_options |= DNS_ZONEOPT_WARNSRVCNAME; zone_options |= DNS_ZONEOPT_IGNORESRVCNAME; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_WARNSRVCNAME; @@ -401,8 +397,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { zone_options &= ~DNS_ZONEOPT_CHECKSPF; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKSPF; @@ -420,8 +415,7 @@ zone_options &= ~DNS_ZONEOPT_CHECKNAMES; zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { zone_options |= DNS_ZONEOPT_CHECKNAMES; @@ -439,8 +433,7 @@ } else if (strcasecmp(masterformatstr, "map") == 0) { masterformat = dns_masterformat_map; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -685,7 +678,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': usage(); diff -Nru bind9-9.16.27/bin/check/named-checkzone.c bind9-9.16.33/bin/check/named-checkzone.c --- bind9-9.16.27/bin/check/named-checkzone.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/check/named-checkzone.c 2022-09-08 13:01:23.000000000 +0000 @@ -146,8 +146,7 @@ } else if (PROGCMP("named-compilezone")) { progmode = progmode_compile; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* Compilation specific defaults */ 
@@ -425,7 +424,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", prog_name, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': usage(); diff -Nru bind9-9.16.27/bin/check/named-checkzone.rst bind9-9.16.33/bin/check/named-checkzone.rst --- bind9-9.16.27/bin/check/named-checkzone.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/check/named-checkzone.rst 2022-09-08 13:01:23.000000000 +0000 @@ -11,18 +11,18 @@ .. highlight: console +.. BEWARE: Do not forget to edit also named-compilezone.rst! + .. _man_named-checkzone: -named-checkzone, named-compilezone - zone file validity checking or converting tool ------------------------------------------------------------------------------------ +named-checkzone - zone file validation tool +------------------------------------------- Synopsis ~~~~~~~~ :program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename} -:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename} - Description ~~~~~~~~~~~ 
@@ -31,13 +31,6 @@ makes ``named-checkzone`` useful for checking zone files before configuring them into a name server. -``named-compilezone`` is similar to ``named-checkzone``, but it always -dumps the zone contents to a specified file in a specified format. -It also applies stricter check levels by default, since the -dump output is used as an actual zone file loaded by ``named``. -When manually specified otherwise, the check levels must at least be as -strict as those specified in the ``named`` configuration file. - Options ~~~~~~~ @@ -93,8 +86,8 @@ Mode ``none`` disables the checks. ``-f format`` - This option specifies the format of the zone file. Possible formats are ``text`` - (the default), ``raw``, and ``map``. + This option specifies the format of the zone file. Possible formats are + ``text`` (the default), ``raw``, and ``map``. ``-F format`` This option specifies the format of the output file specified. For 
@@ -102,17 +95,15 @@ the zone contents. Possible formats are ``text`` (the default), which is the standard - textual representation of the zone, and ``map``, ``raw``, and - ``raw=N``, which store the zone in a binary format for rapid - loading by ``named``. ``raw=N`` specifies the format version of the - raw zone file: if ``N`` is 0, the raw file can be read by any version of - ``named``; if N is 1, the file can only be read by release 9.9.0 or - higher. The default is 1. + textual representation of the zone, and ``map``, ``raw``, and ``raw=N``, which + store the zone in a binary format for rapid loading by ``named``. + ``raw=N`` specifies the format version of the raw zone file: if ``N`` is + 0, the raw file can be read by any version of ``named``; if N is 1, the + file can only be read by release 9.9.0 or higher. The default is 1. ``-k mode`` This option performs ``check-names`` checks with the specified failure mode. - Possible modes are ``fail`` (the default for ``named-compilezone``), - ``warn`` (the default for ``named-checkzone``), and ``ignore``. + Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. ``-l ttl`` This option sets a maximum permissible TTL for the input file. Any record with a @@ -135,13 +126,11 @@ ``-n mode`` This option specifies whether NS records should be checked to see if they are - addresses. Possible modes are ``fail`` (the default for - ``named-compilezone``), ``warn`` (the default for ``named-checkzone``), - and ``ignore``. + addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. ``-o filename`` This option writes the zone output to ``filename``. If ``filename`` is ``-``, then - the zone output is written to standard output. This is mandatory for ``named-compilezone``. + the zone output is written to standard output. ``-r mode`` This option checks for records that are treated as different by DNSSEC but are 
@@ -153,9 +142,9 @@ ``full`` (the default) and ``relative``. The ``full`` format is most suitable for processing automatically by a separate script. The relative format is more human-readable and is thus - suitable for editing by hand. For ``named-checkzone``, this does not - have any effect unless it dumps the zone contents. It also does not - have any meaning if the output format is not text. + suitable for editing by hand. This does not have any effect unless it dumps + the zone contents. It also does not have any meaning if the output format + is not text. ``-S mode`` This option checks whether an SRV record refers to a CNAME. Possible modes are @@ -177,13 +166,12 @@ ``named.conf``. ``-D`` - This option dumps the zone file in canonical format. This is always enabled for - ``named-compilezone``. + This option dumps the zone file in canonical format. ``-W mode`` This option specifies whether to check for non-terminal wildcards. Non-terminal wildcards are almost always the result of a failure to understand the - wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn`` + wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn`` (the default) and ``ignore``. ``zonename`` @@ -201,5 +189,5 @@ See Also ~~~~~~~~ -:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference -Manual. +:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`named-compilezone(8)`, +:rfc:`1035`, BIND 9 Administrator Reference Manual. diff -Nru bind9-9.16.27/bin/check/named-compilezone.rst bind9-9.16.33/bin/check/named-compilezone.rst --- bind9-9.16.27/bin/check/named-compilezone.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/check/named-compilezone.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,195 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. BEWARE: Do not forget to edit also named-checkzone.rst! + +.. _man_named-compilezone: + +named-compilezone - zone file converting tool +--------------------------------------------- + +Synopsis +~~~~~~~~ + +:program:`named-compilezone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename} + +Description +~~~~~~~~~~~ + +``named-compilezone`` checks the syntax and integrity of a zone file, +and dumps the zone contents to a specified file in a specified format. +It applies strict check levels by default, since the +dump output is used as an actual zone file loaded by ``named``. +When manually specified otherwise, the check levels must at least be as +strict as those specified in the ``named`` configuration file. + +Options +~~~~~~~ + +``-d`` + This option enables debugging. + +``-h`` + This option prints the usage summary and exits. + +``-q`` + This option sets quiet mode, which only sets an exit code to indicate + successful or failed completion. + +``-v`` + This option prints the version of the ``named-checkzone`` program and exits. + +``-j`` + When loading a zone file, this option tells ``named`` to read the journal if it exists. 
The journal + file name is assumed to be the zone file name with the + string ``.jnl`` appended. + +``-J filename`` + When loading the zone file, this option tells ``named`` to read the journal from the given file, if + it exists. This implies ``-j``. + +``-c class`` + This option specifies the class of the zone. If not specified, ``IN`` is assumed. + +``-i mode`` + This option performs post-load zone integrity checks. Possible modes are + ``full`` (the default), ``full-sibling``, ``local``, + ``local-sibling``, and ``none``. + + Mode ``full`` checks that MX records refer to A or AAAA records + (both in-zone and out-of-zone hostnames). Mode ``local`` only + checks MX records which refer to in-zone hostnames. + + Mode ``full`` checks that SRV records refer to A or AAAA records + (both in-zone and out-of-zone hostnames). Mode ``local`` only + checks SRV records which refer to in-zone hostnames. + + Mode ``full`` checks that delegation NS records refer to A or AAAA + records (both in-zone and out-of-zone hostnames). It also checks that + glue address records in the zone match those advertised by the child. + Mode ``local`` only checks NS records which refer to in-zone + hostnames or verifies that some required glue exists, i.e., when the + name server is in a child zone. + + Modes ``full-sibling`` and ``local-sibling`` disable sibling glue + checks, but are otherwise the same as ``full`` and ``local``, + respectively. + + Mode ``none`` disables the checks. + +``-f format`` + This option specifies the format of the zone file. Possible formats are + ``text`` (the default), ``raw``, and ``map``. + +``-F format`` + This option specifies the format of the output file specified. For + ``named-checkzone``, this does not have any effect unless it dumps + the zone contents. 
+ + Possible formats are ``text`` (the default), which is the standard + textual representation of the zone, and ``map``, ``raw``, and ``raw=N``, which + store the zone in a binary format for rapid loading by ``named``. + ``raw=N`` specifies the format version of the raw zone file: if ``N`` is + 0, the raw file can be read by any version of ``named``; if N is 1, the + file can only be read by release 9.9.0 or higher. The default is 1. + +``-k mode`` + This option performs ``check-names`` checks with the specified failure mode. + Possible modes are ``fail`` (the default), ``warn``, and ``ignore``. + +``-l ttl`` + This option sets a maximum permissible TTL for the input file. Any record with a + TTL higher than this value causes the zone to be rejected. This + is similar to using the ``max-zone-ttl`` option in ``named.conf``. + +``-L serial`` + When compiling a zone to ``raw`` or ``map`` format, this option sets the "source + serial" value in the header to the specified serial number. This is + expected to be used primarily for testing purposes. + +``-m mode`` + This option specifies whether MX records should be checked to see if they are + addresses. Possible modes are ``fail``, ``warn`` (the default), and + ``ignore``. + +``-M mode`` + This option checks whether a MX record refers to a CNAME. Possible modes are + ``fail``, ``warn`` (the default), and ``ignore``. + +``-n mode`` + This option specifies whether NS records should be checked to see if they are + addresses. Possible modes are ``fail`` (the default), ``warn``, and + ``ignore``. + +``-o filename`` + This option writes the zone output to ``filename``. If ``filename`` is ``-``, then + the zone output is written to standard output. This is mandatory for ``named-compilezone``. + +``-r mode`` + This option checks for records that are treated as different by DNSSEC but are + semantically equal in plain DNS. Possible modes are ``fail``, + ``warn`` (the default), and ``ignore``. 
+ +``-s style`` + This option specifies the style of the dumped zone file. Possible styles are + ``full`` (the default) and ``relative``. The ``full`` format is most + suitable for processing automatically by a separate script. + The relative format is more human-readable and is thus + suitable for editing by hand. + +``-S mode`` + This option checks whether an SRV record refers to a CNAME. Possible modes are + ``fail``, ``warn`` (the default), and ``ignore``. + +``-t directory`` + This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the + configuration file are processed as if run by a similarly chrooted + ``named``. + +``-T mode`` + This option checks whether Sender Policy Framework (SPF) records exist and issues a + warning if an SPF-formatted TXT record is not also present. Possible + modes are ``warn`` (the default) and ``ignore``. + +``-w directory`` + This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file + ``$INCLUDE`` directives work. This is similar to the directory clause in + ``named.conf``. + +``-D`` + This option dumps the zone file in canonical format. This is always enabled for + ``named-compilezone``. + +``-W mode`` + This option specifies whether to check for non-terminal wildcards. Non-terminal + wildcards are almost always the result of a failure to understand the + wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn`` + (the default) and ``ignore``. + +``zonename`` + This indicates the domain name of the zone being checked. + +``filename`` + This is the name of the zone file. + +Return Values +~~~~~~~~~~~~~ + +``named-compilezone`` returns an exit status of 1 if errors were detected +and 0 otherwise. + +See Also +~~~~~~~~ + +:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`named-checkzone(8)`, +:rfc:`1035`, BIND 9 Administrator Reference Manual. 
diff -Nru bind9-9.16.27/bin/confgen/ddns-confgen.c bind9-9.16.33/bin/confgen/ddns-confgen.c --- bind9-9.16.27/bin/confgen/ddns-confgen.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/confgen/ddns-confgen.c 2022-09-08 13:01:23.000000000 +0000 @@ -131,8 +131,7 @@ } else if (PROGCMP("ddns-confgen")) { progmode = progmode_confgen; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_commandline_errprint = false; diff -Nru bind9-9.16.27/bin/confgen/ddns-confgen.rst bind9-9.16.33/bin/confgen/ddns-confgen.rst --- bind9-9.16.27/bin/confgen/ddns-confgen.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/confgen/ddns-confgen.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -11,34 +11,30 @@ .. highlight: console +.. BEWARE: Do not forget to edit also tsig-keygen.rst! + .. _man_ddns-confgen: -ddns-confgen - ddns key generation tool +ddns-confgen - TSIG key generation tool --------------------------------------- Synopsis ~~~~~~~~ -:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name] - -:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone] +:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone] Description ~~~~~~~~~~~ -``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a -utility that generates keys for use in TSIG signing. The resulting keys -can be used, for example, to secure dynamic DNS updates to a zone or for -the ``rndc`` command channel. - -When run as ``tsig-keygen``, a domain name can be specified on the -command line to be used as the name of the generated key. If no -name is specified, the default is ``tsig-key``. - -When run as ``ddns-confgen``, the generated key is accompanied by -configuration text and instructions that can be used with ``nsupdate`` -and ``named`` when setting up dynamic DNS, including an example -``update-policy`` statement. (This usage is similar to the ``rndc-confgen`` -command for setting up command-channel security.) +``ddns-confgen`` is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the ``rndc`` command channel. + +The key name can specified using ``-k`` parameter and defaults to ``ddns-key``. +The generated key is accompanied by configuration text and instructions that +can be used with ``nsupdate`` and ``named`` when setting up dynamic DNS, +including an example ``update-policy`` statement. +(This usage is similar to the ``rndc-confgen`` command for setting up +command-channel security.) 
Note that ``named`` itself can configure a local DDNS key for use with ``nsupdate -l``; it does this when a zone is configured with 
@@ -50,37 +46,36 @@ ~~~~~~~ ``-a algorithm`` - This option specifies the algorithm to use for the TSIG key. Available choices - are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and - hmac-sha512. The default is hmac-sha256. Options are + This option specifies the algorithm to use for the TSIG key. Available + choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, + and hmac-sha512. The default is hmac-sha256. Options are case-insensitive, and the "hmac-" prefix may be omitted. ``-h`` This option prints a short summary of options and arguments. ``-k keyname`` - This option specifies the key name of the DDNS authentication key. The default is - ``ddns-key`` when neither the ``-s`` nor ``-z`` option is specified; - otherwise, the default is ``ddns-key`` as a separate label followed - by the argument of the option, e.g., ``ddns-key.example.com.`` The - key name must have the format of a valid domain name, consisting of + This option specifies the key name of the DDNS authentication key. The + default is ``ddns-key`` when neither the ``-s`` nor ``-z`` option is + specified; otherwise, the default is ``ddns-key`` as a separate label + followed by the argument of the option, e.g., ``ddns-key.example.com.`` + The key name must have the format of a valid domain name, consisting of letters, digits, hyphens, and periods. -``-q`` (``ddns-confgen`` only) +``-q`` This option enables quiet mode, which prints only the key, with no explanatory text or usage examples. This is essentially identical to ``tsig-keygen``. -``-s name`` (``ddns-confgen`` only) - This option generates a configuration example to allow - dynamic updates of a single hostname. The example ``named.conf`` text - shows how to set an update policy for the specified name using the - "name" nametype. The default key name is ``ddns-key.name``. Note that the - "self" nametype cannot be used, since the name to be updated may - differ from the key name. 
This option cannot be used with the ``-z`` - option. +``-s name`` + This option generates a configuration example to allow dynamic updates + of a single hostname. The example ``named.conf`` text shows how to set + an update policy for the specified name using the "name" nametype. The + default key name is ``ddns-key.name``. Note that the "self" nametype + cannot be used, since the name to be updated may differ from the key + name. This option cannot be used with the ``-z`` option. -``-z zone`` (``ddns-confgen`` only) +``-z zone`` This option generates a configuration example to allow dynamic updates of a zone. The example ``named.conf`` text shows how to set an update policy for the specified zone using the "zonesub" diff -Nru bind9-9.16.27/bin/confgen/tsig-keygen.rst bind9-9.16.33/bin/confgen/tsig-keygen.rst --- bind9-9.16.27/bin/confgen/tsig-keygen.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/confgen/tsig-keygen.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,50 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. BEWARE: Do not forget to edit also ddns-confgen.rst! + +.. _man_tsig-keygen: + +tsig-keygen - TSIG key generation tool +-------------------------------------- + +Synopsis +~~~~~~~~ +:program:`tsig-keygen` [**-a** algorithm] [**-h**] [name] + +Description +~~~~~~~~~~~ + +``tsig-keygen`` is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the ``rndc`` command channel. + +A domain name can be specified on the command line to be used as the name +of the generated key. If no name is specified, the default is ``tsig-key``. + +Options +~~~~~~~ + +``-a algorithm`` + This option specifies the algorithm to use for the TSIG key. Available + choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, + and hmac-sha512. The default is hmac-sha256. Options are + case-insensitive, and the "hmac-" prefix may be omitted. + +``-h`` + This option prints a short summary of options and arguments. + +See Also +~~~~~~~~ + +:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual. diff -Nru bind9-9.16.27/bin/delv/delv.c bind9-9.16.33/bin/delv/delv.c --- bind9-9.16.27/bin/delv/delv.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/delv/delv.c 2022-09-08 13:01:23.000000000 +0000 
@@ -852,6 +852,7 @@ isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1); isc_buffer_add(&b, sizeof(anchortext) - 1); + cfg_parser_reset(parser); result = cfg_parse_buffer(parser, &b, NULL, 0, &cfg_type_bindkeys, 0, &bindkeys); if (result != ISC_R_SUCCESS) { @@ -1332,7 +1333,6 @@ case 'h': usage(); exit(0); - /* NOTREACHED */ case 'i': no_sigs = true; root_validation = false; @@ -1343,10 +1343,8 @@ case 'v': fputs("delv " VERSION "\n", stderr); exit(0); - /* NOTREACHED */ default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (strlen(option) > 1U) { option = &option[1]; @@ -1484,7 +1482,7 @@ fprintf(stderr, "Invalid option: -%s\n", option); usage(); } - /* NOTREACHED */ + UNREACHABLE(); return (false); } diff -Nru bind9-9.16.27/bin/dig/dig.c bind9-9.16.33/bin/dig/dig.c --- bind9-9.16.27/bin/dig/dig.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dig/dig.c 2022-09-08 13:01:23.000000000 +0000 @@ -58,7 +58,7 @@ dig_lookup_t *default_lookup = NULL; -static atomic_uintptr_t batchname = ATOMIC_VAR_INIT(0); +static atomic_uintptr_t batchname = 0; static FILE *batchfp = NULL; static char *argv0; static int addresscount = 0; @@ -712,7 +712,7 @@ strlcat(sockstr, "0", sizeof(sockstr)); } - printf(" response_address: %s\n", sockstr); + printf(" response_address: \"%s\"\n", sockstr); printf(" response_port: %u\n", sport); } @@ -730,7 +730,7 @@ strlcat(sockstr, "0", sizeof(sockstr)); } - printf(" query_address: %s\n", sockstr); + printf(" query_address: \"%s\"\n", sockstr); printf(" query_port: %u\n", sport); } @@ -1874,7 +1874,7 @@ have_ipv6 = false; } else { fatal("can't find IPv4 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; @@ -1884,7 +1884,7 @@ have_ipv4 = false; } else { fatal("can't find IPv6 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; 
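Review bot: The `cfg_parser_reset(parser);` call added in delv.c ahead of `cfg_parse_buffer()` has no comment saying why the parser must be reset before `anchortext` is parsed. Presumably the same parser object has already been used for an earlier parse and still carries state from it, but that code is outside the hunk, so the reason should be recorded at the call, for example `/* parser may hold state from an earlier parse; reset it before parsing anchortext */`. The enclosing function starts and ends outside the hunk.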
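Review bot: In the delv.c hunk ending the option parser, the new `UNREACHABLE();` after `usage();` is immediately followed by the old `return (false);`, so the function both asserts the point cannot be reached and returns a value from it. The same pairing is added after `fatal()` and `usage()` in dig.c (`return (false);`), in dnssec-keyfromlabel.c (`exit(-1);`) and in dnssec-signzone.c (`return (false); /* removes a warning */`). What `UNREACHABLE()` expands to is not visible here; if it can reduce to a compiler unreachable hint, a `usage()` or `fatal()` that ever returned would become undefined behaviour instead of a defined error return. Either drop the dead statement after the macro or, preferably, declare `usage()` and `fatal()` as non-returning so neither the macro nor the dummy return is needed.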
@@ -2135,7 +2135,7 @@ fprintf(stderr, "Invalid option: -%s\n", option); usage(); } - /* NOTREACHED */ + UNREACHABLE(); return (false); } diff -Nru bind9-9.16.27/bin/dig/dighost.c bind9-9.16.33/bin/dig/dighost.c --- bind9-9.16.27/bin/dig/dighost.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dig/dighost.c 2022-09-08 13:01:23.000000000 +0000 @@ -765,7 +765,7 @@ clone_lookup(dig_lookup_t *lookold, bool servers) { dig_lookup_t *looknew; - debug("clone_lookup()"); + debug("clone_lookup(%p)", lookold); INSIST(!free_now); @@ -877,7 +877,7 @@ requeue_lookup(dig_lookup_t *lookold, bool servers) { dig_lookup_t *looknew; - debug("requeue_lookup()"); + debug("requeue_lookup(%p)", lookold); lookup_counter++; if (lookup_counter > LOOKUP_LIMIT) { @@ -1591,6 +1591,7 @@ } if (ISC_LINK_LINKED(query, link)) { + query->saved_next = ISC_LIST_NEXT(query, link); ISC_LIST_UNLINK(lookup->q, query, link); } if (ISC_LINK_LINKED(query, clink)) { @@ -1609,6 +1610,7 @@ isc_buffer_invalidate(&query->lengthbuf); if (query->waiting_senddone) { + debug("waiting senddone, delay freeing query"); query->pending_free = true; } else { query->magic = 0; @@ -1951,7 +1953,7 @@ INSIST(!free_now); - debug("next_origin()"); + debug("next_origin(%p)", oldlookup); debug("following up %s", oldlookup->textname); if (!usesearch) { @@ -2009,7 +2011,7 @@ dns_rdataset_t *rdataset = NULL; dns_name_t *soaname = NULL; - debug("insert_soa()"); + debug("insert_soa(%p)", lookup); soa.mctx = mctx; soa.serial = lookup->ixfr_serial; soa.refresh = 0; @@ -2428,8 +2430,7 @@ memmove(addr, &sin6->sin6_addr, addrl); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_init(&b, ecsbuf, sizeof(ecsbuf)); @@ -2584,6 +2585,7 @@ ISC_LINK_INIT(query, clink); ISC_LINK_INIT(query, link); + query->saved_next = NULL; query->magic = DIG_QUERY_MAGIC; 
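Review bot: The new `debug("clone_lookup(%p)", lookold);` passes a `dig_lookup_t *` for `%p`, which is specified for `void *` only; if `debug()` forwards to a printf-family function the argument should be cast, `debug("clone_lookup(%p)", (void *)lookold);`. The same applies to the `%p` arguments added in requeue_lookup, next_origin, insert_soa, cancel_lookup, bringup_timer, force_timeout, launch_next_query, check_for_more_data and do_lookup; the calls that pass `event->ev_arg` are presumably already `void *`. Each of these functions continues outside its hunk.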
@@ -2608,7 +2610,7 @@ LOCK_LOOKUP; - debug("send_done()"); + debug("send_done(%p)", event->ev_arg); sendcount--; debug("sendcount=%d", sendcount); INSIST(sendcount >= 0); @@ -2618,10 +2620,11 @@ query->waiting_senddone = false; l = query->lookup; - if (!query->pending_free && l->ns_search_only && !l->trace_root && + if (l == current_lookup && l->ns_search_only && !l->trace_root && !l->tcp_mode) { debug("sending next, since searching"); - next = ISC_LIST_NEXT(query, link); + next = query->pending_free ? query->saved_next + : ISC_LIST_NEXT(query, link); if (next != NULL) { send_udp(next); } @@ -2647,7 +2650,7 @@ cancel_lookup(dig_lookup_t *lookup) { dig_query_t *query, *next; - debug("cancel_lookup()"); + debug("cancel_lookup(%p)", lookup); query = ISC_LIST_HEAD(lookup->q); while (query != NULL) { REQUIRE(DIG_VALID_QUERY(query)); @@ -2672,7 +2675,7 @@ isc_result_t result; REQUIRE(DIG_VALID_QUERY(query)); - debug("bringup_timer()"); + debug("bringup_timer(%p)", query); /* * If the timer already exists, that means we're calling this * a second time (for a retry). Don't need to recreate it, @@ -2704,7 +2707,7 @@ force_timeout(dig_query_t *query) { isc_event_t *event; - debug("force_timeout ()"); + debug("force_timeout(%p)", query); event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE, connect_timeout, query, sizeof(isc_event_t)); isc_task_send(global_task, &event); @@ -2996,7 +2999,7 @@ UNUSED(task); REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE); - debug("connect_timeout()"); + debug("connect_timeout(%p)", event->ev_arg); LOCK_LOOKUP; query = event->ev_arg; @@ -3106,7 +3109,7 @@ UNUSED(task); - debug("tcp_length_done()"); + debug("tcp_length_done(%p)", event->ev_arg); LOCK_LOOKUP; sevent = (isc_socketevent_t *)event; @@ -3189,7 +3192,7 @@ INSIST(!free_now); - debug("launch_next_query()"); + debug("launch_next_query(%p)", query); if (!query->lookup->pending) { debug("ignoring launch_next_query because !pending"); 
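Review bot: In send_done, `next = query->pending_free ? query->saved_next : ISC_LIST_NEXT(query, link);` relies on a pointer captured when the query was unlinked in the earlier dighost.c hunk (`query->saved_next = ISC_LIST_NEXT(query, link);`), and nothing visible guarantees that the saved neighbour is still alive when the send completes. The `l == current_lookup` test narrows the window, but if the next query of the same lookup can be cleared before this event runs, `send_udp(next)` is handed freed memory. Document the invariant beside the field in dig.h, e.g. `dig_query_t *saved_next; /* next query at unlink time; only valid while the owning lookup is current */`, and consider resetting any `saved_next` that refers to a query when that query is destroyed. send_done and the function that unlinks the query both extend beyond their hunks.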
@@ -3268,7 +3271,7 @@ REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT); INSIST(!free_now); - debug("connect_done()"); + debug("connect_done(%p)", event->ev_arg); LOCK_LOOKUP; sevent = (isc_socketevent_t *)event; @@ -3373,7 +3376,7 @@ axfr = query->ixfr_axfr; } - debug("check_for_more_data()"); + debug("check_for_more_data(%p)", query); /* * By the time we're in this routine, we know we're doing @@ -3615,7 +3618,7 @@ UNUSED(task); INSIST(!free_now); - debug("recv_done()"); + debug("recv_done(%p)", event->ev_arg); LOCK_LOOKUP; recvcount--; @@ -4246,7 +4249,7 @@ REQUIRE(lookup != NULL); - debug("do_lookup()"); + debug("do_lookup(%p)", lookup); lookup->pending = true; query = ISC_LIST_HEAD(lookup->q); if (query != NULL) { @@ -4477,6 +4480,9 @@ * valid domain name. */ res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL); + if (res == IDN2_DISALLOWED) { + res = idn2_to_ascii_lz(src, &ascii_src, IDN2_TRANSITIONAL); + } if (res != IDN2_OK) { fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin", src, idn2_strerror(res)); @@ -4538,9 +4544,13 @@ } /* - * Then, check whether decoded 'src' is a valid IDNA2008 name. + * Then, check whether decoded 'src' is a valid IDNA2008 name + * and if disallowed character is found, fallback to IDNA2003. */ res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL); + if (res == IDN2_DISALLOWED) { + res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_TRANSITIONAL); + } if (res != IDN2_OK) { fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout", src, idn2_strerror(res)); diff -Nru bind9-9.16.27/bin/dig/host.c bind9-9.16.33/bin/dig/host.c --- bind9-9.16.27/bin/dig/host.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dig/host.c 2022-09-08 13:01:23.000000000 +0000 
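Review bot: The retry with `IDN2_TRANSITIONAL` after `IDN2_DISALLOWED` is silent, so a name that IDNA2008 rejects is converted under the older rules with no indication to the user, and the ASCII name actually queried may not be the one the user expects from what was typed. A debug line when the fallback is taken would make that visible, e.g. `debug("'%s' is disallowed by IDNA2008, retrying with transitional processing", src);` inside the new `if` in both hunks. The comment in the output-side hunk was updated to mention the fallback but the input-side hunk (`idn2_to_ascii_lz`) was not, and the `fatal()` text still describes the failure only as "not a legal IDNA2008 name". Both functions start and end outside their hunks.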
@@ -208,15 +208,9 @@ isc_result_t result, loopresult; isc_region_t r; dns_name_t empty_name; - char tbuf[4096]; + char tbuf[4096] = { 0 }; bool first; - bool no_rdata; - - if (sectionid == DNS_SECTION_QUESTION) { - no_rdata = true; - } else { - no_rdata = false; - } + bool no_rdata = (sectionid == DNS_SECTION_QUESTION); if (headers) { printf(";; %s SECTION:\n", section_name); @@ -773,7 +767,7 @@ break; case 'A': list_almost_all = true; - /* FALL THROUGH */ + FALLTHROUGH; case 'a': if (!lookup->rdtypeset || lookup->rdtype != dns_rdatatype_axfr) { diff -Nru bind9-9.16.27/bin/dig/include/dig/dig.h bind9-9.16.33/bin/dig/include/dig/dig.h --- bind9-9.16.27/bin/dig/include/dig/dig.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dig/include/dig/dig.h 2022-09-08 13:01:23.000000000 +0000 @@ -129,18 +129,18 @@ isc_buffer_t namebuf; isc_buffer_t onamebuf; isc_buffer_t renderbuf; - char *sendspace; - dns_name_t *name; + char *sendspace; + dns_name_t *name; isc_interval_t interval; - dns_message_t *sendmsg; - dns_name_t *oname; + dns_message_t *sendmsg; + dns_name_t *oname; ISC_LINK(dig_lookup_t) link; ISC_LIST(dig_query_t) q; ISC_LIST(dig_query_t) connecting; - dig_query_t *current_query; + dig_query_t *current_query; dig_serverlist_t my_server_list; dig_searchlist_t *origin; - dig_query_t *xfr_q; + dig_query_t *xfr_q; uint32_t retries; int nsfound; int16_t udpsize; @@ -149,13 +149,13 @@ uint32_t ixfr_serial; isc_buffer_t rdatabuf; char rdatastore[MXNAME]; - dst_context_t *tsigctx; - isc_buffer_t *querysig; + dst_context_t *tsigctx; + isc_buffer_t *querysig; uint32_t msgcounter; dns_fixedname_t fdomain; - isc_sockaddr_t *ecs_addr; - char *cookie; - dns_ednsopt_t *ednsopts; + isc_sockaddr_t *ecs_addr; + char *cookie; + dns_ednsopt_t *ednsopts; unsigned int ednsoptscnt; isc_dscp_t dscp; unsigned int ednsflags; 
@@ -183,6 +183,7 @@ isc_socket_t *sock; ISC_LINK(dig_query_t) link; ISC_LINK(dig_query_t) clink; + dig_query_t *saved_next; isc_sockaddr_t sockaddr; isc_time_t time_sent; isc_time_t time_recv; @@ -217,7 +218,7 @@ showsearch, yaml; extern in_port_t port; extern unsigned int timeout; -extern isc_mem_t *mctx; +extern isc_mem_t *mctx; extern int sendcount; extern int ndots; extern int lookup_counter; @@ -228,10 +229,10 @@ extern char keysecret[MXNAME]; extern const dns_name_t *hmacname; extern unsigned int digestbits; -extern dns_tsigkey_t *tsigkey; +extern dns_tsigkey_t *tsigkey; extern bool validated; -extern isc_taskmgr_t *taskmgr; -extern isc_task_t *global_task; +extern isc_taskmgr_t *taskmgr; +extern isc_task_t *global_task; extern bool free_now; extern bool debugging, debugtiming, memdebugging; extern bool keep_open; @@ -339,7 +340,7 @@ * Routines to be defined in dig.c, host.c, and nslookup.c. and * then assigned to the appropriate function pointer */ -extern isc_result_t (*dighost_printmessage)(dig_query_t *query, +extern isc_result_t (*dighost_printmessage)(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg, bool headers); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-cds.c bind9-9.16.33/bin/dnssec/dnssec-cds.c --- bind9-9.16.27/bin/dnssec/dnssec-cds.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-cds.c 2022-09-08 13:01:23.000000000 +0000 @@ -853,7 +853,7 @@ } } -static inline int +static int rdata_cmp(const void *rdata1, const void *rdata2) { return (dns_rdata_compare((const dns_rdata_t *)rdata1, (const dns_rdata_t *)rdata2)); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-dsfromkey.c bind9-9.16.33/bin/dnssec/dnssec-dsfromkey.c --- bind9-9.16.27/bin/dnssec/dnssec-dsfromkey.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-dsfromkey.c 2022-09-08 13:01:23.000000000 +0000 
@@ -441,14 +441,14 @@ } break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-importkey.c bind9-9.16.33/bin/dnssec/dnssec-importkey.c --- bind9-9.16.27/bin/dnssec/dnssec-importkey.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-importkey.c 2022-09-08 13:01:23.000000000 +0000 @@ -393,7 +393,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-keyfromlabel.c bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.c --- bind9-9.16.27/bin/dnssec/dnssec-keyfromlabel.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.c 2022-09-08 13:01:23.000000000 +0000 @@ -332,14 +332,14 @@ prepub = strtottl(isc_commandline_argument); break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); @@ -638,7 +638,7 @@ dns_secalg_format(alg, algstr, sizeof(algstr)); fatal("failed to get key %s/%s: %s", namestr, algstr, isc_result_totext(ret)); - /* NOTREACHED */ + UNREACHABLE(); exit(-1); } diff -Nru bind9-9.16.27/bin/dnssec/dnssec-keyfromlabel.rst bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.rst --- bind9-9.16.27/bin/dnssec/dnssec-keyfromlabel.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-keyfromlabel.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -42,20 +42,16 @@ be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. - If no algorithm is specified, RSASHA1 is used by default - unless the ``-3`` option is specified, in which case NSEC3RSASHA1 - is used instead. (If ``-3`` is used and an algorithm is - specified, that algorithm is checked for compatibility with - NSEC3.) - These values are case-insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the ``-3`` option, then NSEC3RSASHA1 is used instead. - Since BIND 9.12.0, this option is mandatory except when using the + This option is mandatory except when using the ``-S`` option, which copies the algorithm from the predecessory key. - Previously, the default for newly generated keys was RSASHA1. + + .. versionchanged:: 9.12.0 + The default value RSASHA1 for newly generated keys was removed. ``-3`` This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this diff -Nru bind9-9.16.27/bin/dnssec/dnssec-keygen.c bind9-9.16.33/bin/dnssec/dnssec-keygen.c --- bind9-9.16.27/bin/dnssec/dnssec-keygen.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-keygen.c 2022-09-08 13:01:23.000000000 +0000 @@ -1131,14 +1131,14 @@ ctx.prepub = strtottl(isc_commandline_argument); break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-keygen.rst bind9-9.16.33/bin/dnssec/dnssec-keygen.rst --- bind9-9.16.27/bin/dnssec/dnssec-keygen.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-keygen.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -46,7 +46,7 @@ This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version is selected; for example, - ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. + ``dnssec-keygen -3 -a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. ``-a algorithm`` This option selects the cryptographic algorithm. For DNSSEC keys, the value of diff -Nru bind9-9.16.27/bin/dnssec/dnssec-revoke.c bind9-9.16.33/bin/dnssec/dnssec-revoke.c --- bind9-9.16.27/bin/dnssec/dnssec-revoke.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-revoke.c 2022-09-08 13:01:23.000000000 +0000 @@ -134,7 +134,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-settime.c bind9-9.16.33/bin/dnssec/dnssec-settime.c --- bind9-9.16.27/bin/dnssec/dnssec-settime.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-settime.c 2022-09-08 13:01:23.000000000 +0000 @@ -360,7 +360,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-signzone.c bind9-9.16.33/bin/dnssec/dnssec-signzone.c --- bind9-9.16.27/bin/dnssec/dnssec-signzone.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-signzone.c 2022-09-08 13:01:23.000000000 +0000 
@@ -327,28 +327,28 @@ dns_diff_append(add, &tuple); } -static inline bool +static bool issigningkey(dns_dnsseckey_t *key) { return (key->force_sign || key->hint_sign); } -static inline bool +static bool ispublishedkey(dns_dnsseckey_t *key) { return ((key->force_publish || key->hint_publish) && !key->hint_remove); } -static inline bool +static bool iszonekey(dns_dnsseckey_t *key) { return (dns_name_equal(dst_key_name(key->key), gorigin) && dst_key_iszonekey(key->key)); } -static inline bool +static bool isksk(dns_dnsseckey_t *key) { return (key->ksk); } -static inline bool +static bool iszsk(dns_dnsseckey_t *key) { return (ignore_kskflag || !key->ksk); } @@ -463,11 +463,11 @@ dns_name_format(name, namestr, sizeof(namestr)); fatal("failure looking for '%s DNSKEY' in database: %s", namestr, isc_result_totext(result)); - /* NOTREACHED */ + UNREACHABLE(); return (false); /* removes a warning */ } -static inline bool +static bool setverifies(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key, dns_rdata_t *rrsig) { isc_result_t result; @@ -1246,7 +1246,7 @@ * See if the node contains any non RRSIG/NSEC records and report to * caller. Clean out extraneous RRSIG records for node. */ -static inline bool +static bool active_node(dns_dbnode_t *node) { dns_rdatasetiter_t *rdsiter = NULL; dns_rdatasetiter_t *rdsiter2 = NULL; @@ -3662,14 +3662,14 @@ break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': if (isc_commandline_option != '?') { fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ usage(); diff -Nru bind9-9.16.27/bin/dnssec/dnssec-signzone.rst bind9-9.16.33/bin/dnssec/dnssec-signzone.rst --- bind9-9.16.27/bin/dnssec/dnssec-signzone.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-signzone.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -328,14 +328,23 @@ (-) can be used to indicate that no salt is to be used when generating the NSEC3 chain. + .. note:: + ``-3 -`` is the recommended configuration. Adding salt provides no practical benefits. + ``-H iterations`` This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default is 10. + .. warning:: + Values greater than 0 cause interoperability issues and also increase the risk of CPU-exhausting DoS attacks. The default value has not been changed because the best practices has changed only after BIND 9.16 reached Extended Support Version status. + ``-A`` This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3 records and should not generate NSEC3 records for insecure delegations. + .. warning:: + Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to ``com.``) with sparse secure delegations. + Using this option twice (i.e., ``-AA``) turns the OPTOUT flag off for all records. This is useful when using the ``-u`` option to modify an NSEC3 chain which previously had OPTOUT set. diff -Nru bind9-9.16.27/bin/dnssec/dnssec-verify.c bind9-9.16.33/bin/dnssec/dnssec-verify.c --- bind9-9.16.27/bin/dnssec/dnssec-verify.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssec-verify.c 2022-09-08 13:01:23.000000000 +0000 @@ -135,7 +135,7 @@ "use -o to specify a different zone origin", origin, file); } - /* FALLTHROUGH */ + FALLTHROUGH; default: fatal("failed loading zone from '%s': %s", file, isc_result_totext(result)); 
@@ -279,7 +279,7 @@ fprintf(stderr, "%s: invalid argument -%c\n", program, isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': /* Does not return. */ diff -Nru bind9-9.16.27/bin/dnssec/dnssectool.c bind9-9.16.33/bin/dnssec/dnssectool.c --- bind9-9.16.27/bin/dnssec/dnssectool.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/dnssec/dnssectool.c 2022-09-08 13:01:23.000000000 +0000 @@ -220,7 +220,7 @@ default: fatal("time value %s is invalid", str); } - /* NOTREACHED */ + UNREACHABLE(); break; case 'W': case 'w': @@ -238,11 +238,11 @@ default: fatal("time value %s is invalid", str); } - /* NOTREACHED */ + UNREACHABLE(); return (0); /* silence compiler warning */ } -static inline bool +static bool isnone(const char *str) { return ((strcasecmp(str, "none") == 0) || (strcasecmp(str, "never") == 0)); diff -Nru bind9-9.16.27/bin/named/config.c bind9-9.16.33/bin/named/config.c --- bind9-9.16.27/bin/named/config.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/config.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -87,7 +88,15 @@ nta-lifetime 3600;\n\ nta-recheck 300;\n\ # pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\ - port 53;\n\ + port 53;\n" +#if HAVE_SO_REUSEPORT_LB + "\ + reuseport yes;\n" +#else + "\ + reuseport no;\n" +#endif + "\ prefetch 2 9;\n\ recursing-file \"named.recursing\";\n\ recursive-clients 1000;\n\ @@ -320,6 +329,11 @@ CFG_PCTX_NODEPRECATED, conf)); } +const char * +named_config_getdefault(void) { + return (defaultconf); +} + isc_result_t named_config_get(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj) { @@ -449,8 +463,7 @@ } else if (strcasecmp(str, "redirect") == 0) { ztype = dns_zone_redirect; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ztype); } 
@@ -1059,8 +1072,7 @@ *name = dns_tsig_hmacsha512_name; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } if (typep != NULL) { diff -Nru bind9-9.16.27/bin/named/control.c bind9-9.16.33/bin/named/control.c --- bind9-9.16.27/bin/named/control.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/control.c 2022-09-08 13:01:23.000000000 +0000 @@ -61,7 +61,7 @@ return (ISC_R_SUCCESS); } -static inline bool +static bool command_compare(const char *str, const char *command) { return (strcasecmp(str, command) == 0); } diff -Nru bind9-9.16.27/bin/named/controlconf.c bind9-9.16.33/bin/named/controlconf.c --- bind9-9.16.27/bin/named/controlconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/controlconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -320,7 +320,7 @@ } } -static inline void +static void log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) { char socktext[ISC_SOCKADDR_FORMATSIZE]; isc_sockaddr_t peeraddr; diff -Nru bind9-9.16.27/bin/named/include/named/config.h bind9-9.16.33/bin/named/include/named/config.h --- bind9-9.16.27/bin/named/include/named/config.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/include/named/config.h 2022-09-08 13:01:23.000000000 +0000 @@ -28,6 +28,9 @@ isc_result_t named_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf); +const char * +named_config_getdefault(void); + isc_result_t named_config_get(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj); diff -Nru bind9-9.16.27/bin/named/include/named/main.h bind9-9.16.33/bin/named/include/named/main.h --- bind9-9.16.27/bin/named/include/named/main.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/include/named/main.h 2022-09-08 13:01:23.000000000 +0000 
@@ -23,7 +23,7 @@ /* * Commandline arguments for named; also referenced in win32/ntservice.c */ -#define NAMED_MAIN_ARGS "46A:c:d:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:" +#define NAMED_MAIN_ARGS "46A:c:Cd:D:E:fFgL:M:m:n:N:p:sS:t:T:U:u:vVx:X:" ISC_PLATFORM_NORETURN_PRE void named_main_earlyfatal(const char *format, ...) diff -Nru bind9-9.16.27/bin/named/include/named/server.h bind9-9.16.33/bin/named/include/named/server.h --- bind9-9.16.27/bin/named/include/named/server.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/include/named/server.h 2022-09-08 13:01:23.000000000 +0000 @@ -48,7 +48,7 @@ */ struct named_server { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; ns_server_t *sctx; @@ -69,12 +69,12 @@ * */ /* Server data structures. */ - dns_loadmgr_t *loadmgr; - dns_zonemgr_t *zonemgr; + dns_loadmgr_t *loadmgr; + dns_zonemgr_t *zonemgr; dns_viewlist_t viewlist; dns_kasplist_t kasplist; ns_interfacemgr_t *interfacemgr; - dns_db_t *in_roothints; + dns_db_t *in_roothints; isc_timer_t *interface_timer; isc_timer_t *heartbeat_timer; @@ -96,15 +96,15 @@ isc_stats_t *resolverstats; /*% Resolver stats */ isc_stats_t *sockstats; /*%< Socket stats */ - named_controls_t *controls; /*%< Control channels */ + named_controls_t *controls; /*%< Control channels */ unsigned int dispatchgen; named_dispatchlist_t dispatches; named_statschannellist_t statschannels; dns_tsigkey_t *sessionkey; - char *session_keyfile; - dns_name_t *session_keyname; + char *session_keyfile; + dns_name_t *session_keyname; unsigned int session_keyalg; uint16_t session_keybits; bool interface_auto; diff -Nru bind9-9.16.27/bin/named/include/named/zoneconf.h bind9-9.16.33/bin/named/include/named/zoneconf.h --- bind9-9.16.27/bin/named/include/named/zoneconf.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/include/named/zoneconf.h 2022-09-08 13:01:23.000000000 +0000 
@@ -45,9 +45,7 @@ */ bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx); +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); /*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return true. If the configuration data is so @@ -56,12 +54,10 @@ */ bool -named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx); +named_zone_inlinesigning(const cfg_obj_t *zconfig); /*%< * Determine if zone uses inline-signing. This is true if inline-signing - * is set to yes, or if there is a dnssec-policy on a non-dynamic zone. + * is set to yes. */ isc_result_t diff -Nru bind9-9.16.27/bin/named/logconf.c bind9-9.16.33/bin/named/logconf.c --- bind9-9.16.27/bin/named/logconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/logconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -161,8 +161,7 @@ maxoffset = 0x7fffffffffffffffULL; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } type = ISC_LOG_TOFILE; diff -Nru bind9-9.16.27/bin/named/main.c bind9-9.16.33/bin/named/main.c --- bind9-9.16.27/bin/named/main.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/main.c 2022-09-08 13:01:23.000000000 +0000 @@ -34,7 +34,6 @@ #include #include #include -#include #include #include #include @@ -351,8 +350,8 @@ "username] [-U listeners]\n" " [-X lockfile] [-m " "{usage|trace|record|size|mctx}]\n" - " [-M fill|nofill]\n" - "usage: named [-v|-V]\n"); + " [-M external|internal|fill|nofill]\n" + "usage: named [-v|-V|-C]\n"); } static void 
@@ -774,6 +773,11 @@ named_g_conffile = isc_commandline_argument; named_g_conffileset = true; break; + case 'C': + printf("# Built-in default values. " + "This is NOT the run-time configuration!\n"); + printf("%s", named_config_getdefault()); + exit(0); case 'd': named_g_debuglevel = parse_int(isc_commandline_argument, "debug " @@ -861,8 +865,8 @@ } break; case 'F': - /* Reserved for FIPS mode */ - /* FALLTHROUGH */ + /* Reserved for FIPS mode */ + FALLTHROUGH; case '?': usage(); if (isc_commandline_option == '?') { @@ -877,7 +881,7 @@ "an argument", isc_commandline_option); } - /* FALLTHROUGH */ + FALLTHROUGH; default: named_main_earlyfatal("parsing options returned %d", ch); @@ -1479,7 +1483,7 @@ #endif /* ifdef WIN32 */ #ifdef HAVE_LIBXML2 - xmlInitThreads(); + xmlInitParser(); #endif /* HAVE_LIBXML2 */ /* @@ -1525,15 +1529,6 @@ pk11_result_register(); #endif /* if USE_PKCS11 */ -#if !ISC_MEM_DEFAULTFILL - /* - * Update the default flags to remove ISC_MEMFLAG_FILL - * before we parse the command line. If disabled here, - * it can be turned back on with -M fill. - */ - isc_mem_defaultflags &= ~ISC_MEMFLAG_FILL; -#endif /* if !ISC_MEM_DEFAULTFILL */ - parse_command_line(argc, argv); #ifdef ENABLE_AFL @@ -1634,7 +1629,7 @@ named_os_shutdown(); #ifdef HAVE_LIBXML2 - xmlCleanupThreads(); + xmlCleanupParser(); #endif /* HAVE_LIBXML2 */ #ifdef HAVE_GPERFTOOLS_PROFILER diff -Nru bind9-9.16.27/bin/named/named.conf.rst bind9-9.16.33/bin/named/named.conf.rst --- bind9-9.16.27/bin/named/named.conf.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/named.conf.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -396,6 +396,7 @@ [ recursive-only boolean ] [ nsip-enable boolean ] [ nsdname-enable boolean ] [ dnsrps-enable boolean ] [ dnsrps-options { unspecified-text } ]; + reuseport boolean; root-delegation-only [ exclude { string; ... } ]; root-key-sentinel boolean; rrset-order { [ class string ] [ type string ] [ name diff -Nru bind9-9.16.27/bin/named/named.rst bind9-9.16.33/bin/named/named.rst --- bind9-9.16.27/bin/named/named.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/named.rst 2022-09-08 13:01:23.000000000 +0000 @@ -19,7 +19,7 @@ Synopsis ~~~~~~~~ -:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-S** #max-socks] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] [**-x** cache-file] +:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-S** #max-socks] [**-t** directory] [**-U** #listeners] [**-u** user] [**-v**] [**-V**] [**-X** lock-file] [**-x** cache-file] Description ~~~~~~~~~~~ @@ -50,6 +50,14 @@ due to to a possible ``directory`` option in the configuration file, ``config-file`` should be an absolute pathname. +``-C`` + + This option prints out the default built-in configuration and exits. + + NOTE: This is for debugging purposes only and is not an + accurate representation of the actual configuration used by :iscman:`named` + at runtime. + ``-d debug-level`` This option sets the daemon's debug level to ``debug-level``. Debugging traces from ``named`` become more verbose as the debug level increases. 
@@ -79,13 +87,23 @@ This option sets the log to the file ``logfile`` by default, instead of the system log. ``-M option`` - This option sets the default memory context options. If set to ``external``, - the internal memory manager is bypassed in favor of - system-provided memory allocation functions. If set to ``fill``, blocks - of memory are filled with tag values when allocated or freed, to - assist debugging of memory problems. ``nofill`` disables this behavior, - and is the default unless ``named`` has been compiled with developer - options. + + This option sets the default (comma-separated) memory context + options. The possible flags are: + + - ``external``: use system-provided memory allocation functions; this + is the implicit default. + + - ``internal``: use the internal memory manager. + + - ``fill``: fill blocks of memory with tag values when they are + allocated or freed, to assist debugging of memory problems; this is + the implicit default if ``named`` has been compiled with + ``--enable-developer``. + + - ``nofill``: disable the behavior enabled by ``fill``; this is the + implicit default unless ``named`` has been compiled with + ``--enable-developer``. ``-m flag`` This option turns on memory usage debugging flags. Possible flags are ``usage``, diff -Nru bind9-9.16.27/bin/named/server.c bind9-9.16.33/bin/named/server.c --- bind9-9.16.27/bin/named/server.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/server.c 2022-09-08 13:01:23.000000000 +0000 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -454,7 +455,7 @@ static void newzone_cfgctx_destroy(void **cfgp); -static inline isc_result_t +static isc_result_t putstr(isc_buffer_t **b, const char *str); static isc_result_t @@ -463,7 +464,7 @@ static isc_result_t putuint8(isc_buffer_t **b, uint8_t val); -static inline isc_result_t +static isc_result_t putnull(isc_buffer_t **b); static int 
@@ -865,8 +866,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -1274,8 +1274,7 @@ INSIST(result == ISC_R_SUCCESS); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } sa = *(cfg_obj_assockaddr(obj)); @@ -1297,8 +1296,7 @@ result = isc_net_probeipv6(); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (result != ISC_R_SUCCESS) { return (ISC_R_SUCCESS); @@ -1425,8 +1423,7 @@ } else if (!strcasecmp(str, "none")) { mode = DNS_RDATASETATTR_NONE; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -1582,8 +1579,7 @@ } else if (strcasecmp(str, "one-answer") == 0) { CHECK(dns_peer_settransferformat(peer, dns_one_answer)); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2952,7 +2948,7 @@ break; default: REQUIRE(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } event = (catz_chgzone_event_t *)isc_event_allocate( @@ -3046,13 +3042,7 @@ * We have to walk through all the member zones and attach * them to current view */ - result = dns_catz_get_iterator(zone, &it); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(catz_obj, named_g_lctx, - DNS_CATZ_ERROR_LEVEL, - "catz: unable to create iterator"); - goto cleanup; - } + dns_catz_get_iterator(zone, &it); for (result = isc_ht_iter_first(it); result == ISC_R_SUCCESS; result = isc_ht_iter_next(it)) @@ -4274,8 +4264,7 @@ } else if (strcasecmp(str, "ignore") == 0) { view->checknames = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -4745,8 +4734,7 @@ } else if (strcasecmp(resp, "fail") == 0) { r = DNS_R_SERVFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_resolver_setquotaresponse(view->resolver, @@ -5136,8 +5124,7 @@ } else if (strcasecmp(str, "no-auth-recursive") == 0) { view->minimalresponses = dns_minimal_noauthrec; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
@@ -5150,8 +5137,7 @@ } else if (strcasecmp(str, "one-answer") == 0) { view->transfer_format = dns_one_answer; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -5463,8 +5449,7 @@ } else if (strcasecmp(resp, "fail") == 0) { r = DNS_R_SERVFAIL; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_resolver_setquotaresponse(view->resolver, @@ -5695,8 +5680,7 @@ } else if (strcasecmp(levelstr, "none") == 0) { statlevel = dns_zonestat_none; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -6151,8 +6135,7 @@ } else if (strcasecmp(forwardstr, "only") == 0) { fwdpolicy = dns_fwdpolicy_only; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } } @@ -6584,9 +6567,7 @@ goto cleanup; } - if (zone != NULL && - !named_zone_reusable(zone, zconfig, vconfig, config, aclconf)) - { + if (zone != NULL && !named_zone_reusable(zone, zconfig)) { dns_zone_detach(&zone); } @@ -6668,8 +6649,7 @@ strcasecmp(ztypestr, "slave") == 0)); if (zone_maybe_inline) { - inline_signing = named_zone_inlinesigning( - zone, zconfig, vconfig, config, aclconf); + inline_signing = named_zone_inlinesigning(zconfig); } if (inline_signing) { dns_zone_getraw(zone, &raw); @@ -7706,9 +7686,7 @@ result = named_config_get(maps, "new-zones-directory", &nzdir); if (result == ISC_R_SUCCESS) { dir = cfg_obj_asstring(nzdir); - if (dir != NULL) { - result = isc_file_isdirectory(dir); - } + result = isc_file_isdirectory(dir); if (result != ISC_R_SUCCESS) { isc_log_write(named_g_lctx, DNS_LOGCATEGORY_SECURITY, NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -8334,6 +8312,7 @@ uint32_t softquota = 0; uint32_t max; uint64_t initial, idle, keepalive, advertised; + bool loadbalancesockets; dns_aclenv_t *env = ns_interfacemgr_getaclenv(named_g_server->interfacemgr); 
@@ -8806,6 +8785,26 @@ } ns_interfacemgr_setbacklog(server->interfacemgr, backlog); + obj = NULL; + result = named_config_get(maps, "reuseport", &obj); + INSIST(result == ISC_R_SUCCESS); + loadbalancesockets = cfg_obj_asboolean(obj); +#if HAVE_SO_REUSEPORT_LB + if (first_time) { + isc_nm_setloadbalancesockets(named_g_nm, + cfg_obj_asboolean(obj)); + } else if (loadbalancesockets != + isc_nm_getloadbalancesockets(named_g_nm)) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "changing reuseport value requires server restart"); + } +#else + if (loadbalancesockets) { + cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING, + "reuseport has no effect on this system"); + } +#endif + /* * Configure the interface manager according to the "listen-on" * statement. @@ -9419,8 +9418,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) { server->sctx->cookiealg = ns_cookiealg_aes; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } obj = NULL; @@ -13227,8 +13225,7 @@ } else if (strncasecmp(command, "mod", 3) == 0) { bn = "modzone"; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -14582,7 +14579,12 @@ result = dns_rdataset_next(&privset)) { dns_rdata_t priv = DNS_RDATA_INIT; - char output[BUFSIZ]; + /* + * In theory, the output buffer could hold a full RDATA + * record which is 16-bit and then some text around + * it + */ + char output[UINT16_MAX + BUFSIZ]; isc_buffer_t buf; dns_rdataset_current(&privset, &priv); @@ -14624,7 +14626,7 @@ return (result); } -static inline bool +static bool argcheck(char *cmd, const char *full) { size_t l; @@ -14962,7 +14964,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t putstr(isc_buffer_t **b, const char *str) { return (putmem(b, str, strlen(str))); } @@ -14980,7 +14982,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t putnull(isc_buffer_t **b) { return (putuint8(b, 0)); } 
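Review bot: In the `reuseport` block added to bin/named/server.c (hunk `@@ -8806,6 +8785,26 @@`), the first-load branch calls `cfg_obj_asboolean(obj)` again although the value was stored in `loadbalancesockets` one line earlier. Pass the local so the set and compare paths read the same value: `isc_nm_setloadbalancesockets(named_g_nm, loadbalancesockets);`. A changed value on reload is only logged as a warning and the running setting is kept, so I would add a comment above the `#if` such as `/* reuseport is applied once at startup; a reload can only warn about a change */`. The enclosing function starts and ends outside the hunk.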
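Review bot: `char output[UINT16_MAX + BUFSIZ];` in hunk `@@ -14582,7 +14579,12 @@` of bin/named/server.c puts more than 64 KiB on the stack of whichever thread runs this loop, so the fix for a too-small buffer now depends on that thread's stack size. If that stack is small on some platform, a heap buffer allocated once before the loop would be safer. The new comment is also imprecise, since it is the RDATA length field that is 16-bit, not the record; I would word it as `/* RDATA length is a 16-bit field, so one record can need up to UINT16_MAX bytes plus surrounding text */`. The call that fills `output` is outside the hunk, so whether BUFSIZ covers the surrounding text in every case cannot be confirmed from here.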
@@ -15923,8 +15925,7 @@ CHECK(mkey_destroy(server, view, text)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (viewtxt != NULL) { diff -Nru bind9-9.16.27/bin/named/statschannel.c bind9-9.16.33/bin/named/statschannel.c --- bind9-9.16.27/bin/named/statschannel.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/statschannel.c 2022-09-08 13:01:23.000000000 +0000 @@ -197,7 +197,7 @@ static int dnstapstats_index[dns_dnstapcounter_max]; static int gluecachestats_index[dns_gluecachestatscounter_max]; -static inline void +static void set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs, const char *xdesc, const char **xdescs) { REQUIRE(counter < maxcounter); diff -Nru bind9-9.16.27/bin/named/zoneconf.c bind9-9.16.33/bin/named/zoneconf.c --- bind9-9.16.27/bin/named/zoneconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/named/zoneconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -133,8 +133,7 @@ aclname = "allow-update-forwarding"; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* First check to see if ACL is defined within the zone */ @@ -249,8 +248,7 @@ } else if (strcasecmp(str, "deny") == 0) { grant = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } str = cfg_obj_asstring(matchtype); @@ -674,7 +672,7 @@ /*% * Convert a config file zone type into a server zone type. */ -static inline dns_zonetype_t +static dns_zonetype_t zonetype_fromconfig(const cfg_obj_t *map) { const cfg_obj_t *obj = NULL; isc_result_t result; @@ -749,8 +747,7 @@ result = named_checknames_get(maps, primary_synonyms, objp); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } INSIST(result == ISC_R_SUCCESS && objp != NULL && *objp != NULL); @@ -900,6 +897,7 @@ dns_stats_t *dnssecsignstats; dns_zonestat_level_t statlevel = dns_zonestat_none; int seconds; + dns_ttl_t maxttl = 0; /* unlimited */ dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; isc_dscp_t dscp; 
@@ -1036,8 +1034,7 @@ "masterfile-format: format 'map' is " "deprecated"); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1060,29 +1057,7 @@ } else if (strcasecmp(masterstylestr, "relative") == 0) { masterstyle = &dns_master_style_default; } else { - INSIST(0); - ISC_UNREACHABLE(); - } - } - - obj = NULL; - result = named_config_get(maps, "max-zone-ttl", &obj); - if (result == ISC_R_SUCCESS && masterformat == dns_masterformat_map) { - isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, - NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR, - "zone '%s': 'max-zone-ttl' is not compatible " - "with 'masterfile-format map'", - zname); - return (ISC_R_FAILURE); - } else if (result == ISC_R_SUCCESS) { - dns_ttl_t maxttl = 0; /* unlimited */ - - if (cfg_obj_isduration(obj)) { - maxttl = cfg_obj_asduration(obj); - } - dns_zone_setmaxttl(zone, maxttl); - if (raw != NULL) { - dns_zone_setmaxttl(raw, maxttl); + UNREACHABLE(); } } @@ -1161,8 +1136,7 @@ } else if (strcasecmp(dialupstr, "passive") == 0) { dialup = dns_dialuptype_passive; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } if (raw != NULL) { @@ -1188,8 +1162,7 @@ } else if (strcasecmp(levelstr, "none") == 0) { statlevel = dns_zonestat_none; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } dns_zone_setstatlevel(zone, statlevel); @@ -1268,8 +1241,7 @@ { notifytype = dns_notifytype_masteronly; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } notifytype = process_notifytype(notifytype, ztype, zname, @@ -1463,8 +1435,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (raw != NULL) { dns_zone_setoption(raw, DNS_ZONEOPT_CHECKNAMES, check); @@ -1498,8 +1469,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSPF, check); 
@@ -1544,6 +1514,22 @@ dns_zone_setjournalsize(zone, journal_size); } + if (use_kasp) { + maxttl = dns_kasp_zonemaxttl(dns_zone_getkasp(zone)); + } else { + obj = NULL; + result = named_config_get(maps, "max-zone-ttl", &obj); + if (result == ISC_R_SUCCESS) { + if (cfg_obj_isduration(obj)) { + maxttl = cfg_obj_asduration(obj); + } + } + } + dns_zone_setmaxttl(zone, maxttl); + if (raw != NULL) { + dns_zone_setmaxttl(raw, maxttl); + } + /* * Configure update-related options. These apply to * primary servers only. @@ -1567,6 +1553,10 @@ RETERR(configure_zone_ssutable(zoptions, mayberaw, zname)); } + /* + * Configure DNSSEC signing. These apply to primary zones or zones that + * use inline-signing (raw != NULL). + */ if (ztype == dns_zone_primary || raw != NULL) { const cfg_obj_t *validity, *resign; bool allow = false, maint = false; @@ -1699,8 +1689,7 @@ } else if (strcasecmp(arg, "off") == 0) { /* Default */ } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow); dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false); @@ -1776,8 +1765,7 @@ } else if (strcasecmp(dupcheck, "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRR, check); dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKDUPRRFAIL, fail); @@ -1793,8 +1781,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { fail = check = false; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMX, check); dns_zone_setoption(mayberaw, DNS_ZONEOPT_CHECKMXFAIL, fail); @@ -1833,8 +1820,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { warn = ignore = true; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNMXCNAME, warn); dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNOREMXCNAME, ignore); 
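Review bot: The new `max-zone-ttl` block in bin/named/zoneconf.c (hunk `@@ -1544,6 +1514,22 @@`) no longer rejects `max-zone-ttl` together with `masterfile-format map`; the block removed by hunk `@@ -1060,29 +1057,7 @@` logged an error and returned `ISC_R_FAILURE` for that combination. If the check has not moved to configuration checking elsewhere (not visible in this part of the diff), such a zone now loads with a TTL limit that the removed message called incompatible. `dns_zone_setmaxttl()` is now also called when the option is absent, with `maxttl` 0, where the old code left the zone untouched. The nested test can be one condition: `if (result == ISC_R_SUCCESS && cfg_obj_isduration(obj)) {`. The enclosing function starts and ends outside the hunk.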
@@ -1850,8 +1836,7 @@ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) { warn = ignore = true; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_zone_setoption(mayberaw, DNS_ZONEOPT_WARNSRVCNAME, warn); dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME, @@ -1874,8 +1859,7 @@ } else if (strcasecmp(arg, "maintain") == 0) { /* Default */ } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1911,7 +1895,7 @@ dns_zone_setxfracl(zone, none); dns_acl_detach(&none); } - /* FALLTHROUGH */ + FALLTHROUGH; case dns_zone_secondary: case dns_zone_stub: case dns_zone_redirect: @@ -2097,9 +2081,7 @@ } bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx) { +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { const cfg_obj_t *zoptions = NULL; const cfg_obj_t *obj = NULL; const char *cfilename; @@ -2133,8 +2115,7 @@ has_raw = false; } - inline_signing = named_zone_inlinesigning(zone, zconfig, vconfig, - config, actx); + inline_signing = named_zone_inlinesigning(zconfig); if (!inline_signing && has_raw) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: old zone was inline-signing"); 
@@ -2171,80 +2152,15 @@ } bool -named_zone_inlinesigning(dns_zone_t *zone, const cfg_obj_t *zconfig, - const cfg_obj_t *vconfig, const cfg_obj_t *config, - cfg_aclconfctx_t *actx) { - isc_result_t res; +named_zone_inlinesigning(const cfg_obj_t *zconfig) { const cfg_obj_t *zoptions = NULL; - const cfg_obj_t *voptions = NULL; - const cfg_obj_t *options = NULL; const cfg_obj_t *signing = NULL; - const cfg_obj_t *allowupdate = NULL; - const cfg_obj_t *updatepolicy = NULL; - bool zone_is_dynamic = false; bool inline_signing = false; - (void)cfg_map_get(config, "options", &options); - zoptions = cfg_tuple_get(zconfig, "options"); - if (vconfig != NULL) { - voptions = cfg_tuple_get(vconfig, "options"); - } - inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS && cfg_obj_asboolean(signing)); - if (inline_signing) { - return (true); - } - - if (cfg_map_get(zoptions, "update-policy", &updatepolicy) == - ISC_R_SUCCESS) { - zone_is_dynamic = true; - } else { - res = cfg_map_get(zoptions, "allow-update", &allowupdate); - if (res != ISC_R_SUCCESS && voptions != NULL) { - res = cfg_map_get(voptions, "allow-update", - &allowupdate); - } - if (res != ISC_R_SUCCESS && options != NULL) { - res = cfg_map_get(options, "allow-update", - &allowupdate); - } - if (res == ISC_R_SUCCESS) { - dns_acl_t *acl = NULL; - res = cfg_acl_fromconfig( - allowupdate, config, named_g_lctx, actx, - dns_zone_getmctx(zone), 0, &acl); - if (res == ISC_R_SUCCESS && acl != NULL && - !dns_acl_isnone(acl)) { - zone_is_dynamic = true; - } - if (acl != NULL) { - dns_acl_detach(&acl); - } - } - } - - /* - * If inline-signing is not set, perhaps implictly through a - * dnssec-policy. Since automated DNSSEC maintenance requires - * a dynamic zone, or inline-siging to be enabled, check if - * the zone with dnssec-policy allows updates. If not, enable - * inline-signing. 
- */ - signing = NULL; - if (!inline_signing && !zone_is_dynamic && - cfg_map_get(zoptions, "dnssec-policy", &signing) == ISC_R_SUCCESS && - signing != NULL) - { - if (strcmp(cfg_obj_asstring(signing), "none") != 0) { - inline_signing = true; - dns_zone_log(zone, ISC_LOG_DEBUG(1), - "inline-signing: " - "implicitly through dnssec-policy"); - } - } return (inline_signing); } diff -Nru bind9-9.16.27/bin/nsupdate/nsupdate.c bind9-9.16.33/bin/nsupdate/nsupdate.c --- bind9-9.16.27/bin/nsupdate/nsupdate.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/nsupdate/nsupdate.c 2022-09-08 13:01:23.000000000 +0000 @@ -324,7 +324,7 @@ } } -static inline void +static void check_result(isc_result_t result, const char *msg) { if (result != ISC_R_SUCCESS) { fatal("%s: %s", msg, isc_result_totext(result)); @@ -763,8 +763,9 @@ static void maybeshutdown(void) { /* when called from getinput, doshutdown might be already finished */ - if (requestmgr == NULL) + if (requestmgr == NULL) { return; + } ddebug("Shutting down request manager"); dns_requestmgr_shutdown(requestmgr); diff -Nru bind9-9.16.27/bin/pkcs11/pkcs11-destroy.c bind9-9.16.33/bin/pkcs11/pkcs11-destroy.c --- bind9-9.16.27/bin/pkcs11/pkcs11-destroy.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/pkcs11/pkcs11-destroy.c 2022-09-08 13:01:23.000000000 +0000 @@ -217,8 +217,9 @@ if (len > 0) { printf("0x"); } - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { printf("%02x", idbuf[j]); + } if (attr_template[2].ulValueLen > len) { printf("...\n"); } else { diff -Nru bind9-9.16.27/bin/pkcs11/pkcs11-list.c bind9-9.16.33/bin/pkcs11/pkcs11-list.c --- bind9-9.16.27/bin/pkcs11/pkcs11-list.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/pkcs11/pkcs11-list.c 2022-09-08 13:01:23.000000000 +0000 
@@ -241,8 +241,9 @@ if (len > 0) { printf("0x"); } - for (j = 0; j < len; j++) + for (j = 0; j < len; j++) { printf("%02x", idbuf[j]); + } if (template[2].ulValueLen > len) { printf("..."); } diff -Nru bind9-9.16.27/bin/plugins/filter-aaaa.c bind9-9.16.33/bin/plugins/filter-aaaa.c --- bind9-9.16.27/bin/plugins/filter-aaaa.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/plugins/filter-aaaa.c 2022-09-08 13:01:23.000000000 +0000 @@ -333,7 +333,7 @@ unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx, void *actx, ns_hooktable_t *hooktable, void **instp) { filter_instance_t *inst = NULL; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS, ISC_LOG_INFO, @@ -350,7 +350,7 @@ cfg_line, mctx, lctx, actx)); } - CHECK(isc_ht_init(&inst->ht, mctx, 16)); + isc_ht_init(&inst->ht, mctx, 16); isc_mutex_init(&inst->hlock); /* diff -Nru bind9-9.16.27/bin/python/dnssec-checkds.py.in bind9-9.16.33/bin/python/dnssec-checkds.py.in --- bind9-9.16.27/bin/python/dnssec-checkds.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/dnssec-checkds.py.in 2022-09-08 13:01:23.000000000 +0000 
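Review bot: In the second filter-aaaa.c hunk the `CHECK()` wrapper is dropped from `isc_ht_init(&inst->ht, mctx, 16)`, so a failure there would no longer reach the cleanup path. That is only safe if `isc_ht_init()` no longer returns a result in this version, which these hunks do not show. The initialiser `isc_result_t result = ISC_R_SUCCESS;` added in the first hunk looks like its companion, since `result` could presumably otherwise be read before any remaining `CHECK()` assigns it. Once the first point is confirmed, a short comment would record the reasoning, e.g. `/* isc_ht_init() returns no result; 'result' stays ISC_R_SUCCESS unless an earlier CHECK() fails */`. The function starts and ends outside both hunks.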
@@ -15,12 +15,16 @@ import sys sys.path.insert(0, os.path.dirname(sys.argv[0])) -if os.name != 'nt': - if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') +if os.name != "nt": + if "@PYTHON_INSTALL_DIR@": # value of --with-python-install-dir + sys.path.insert(1, "@PYTHON_INSTALL_DIR@") else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', - 'python' + sys.version[:3], 'site-packages')) + sys.path.insert( + 1, + os.path.join( + "@prefix@", "lib", "python" + sys.version[:3], "site-packages" + ), + ) import isc.checkds diff -Nru bind9-9.16.27/bin/python/dnssec-coverage.py.in bind9-9.16.33/bin/python/dnssec-coverage.py.in --- bind9-9.16.27/bin/python/dnssec-coverage.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/dnssec-coverage.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -15,12 +15,16 @@ import sys sys.path.insert(0, os.path.dirname(sys.argv[0])) -if os.name != 'nt': - if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') +if os.name != "nt": + if "@PYTHON_INSTALL_DIR@": # value of --with-python-install-dir + sys.path.insert(1, "@PYTHON_INSTALL_DIR@") else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', - 'python' + sys.version[:3], 'site-packages')) + sys.path.insert( + 1, + os.path.join( + "@prefix@", "lib", "python" + sys.version[:3], "site-packages" + ), + ) import isc.coverage diff -Nru bind9-9.16.27/bin/python/dnssec-keymgr.py.in bind9-9.16.33/bin/python/dnssec-keymgr.py.in --- bind9-9.16.27/bin/python/dnssec-keymgr.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/dnssec-keymgr.py.in 2022-09-08 13:01:23.000000000 +0000 
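Review bot: The fallback branch still builds the directory name from `sys.version[:3]`, which yields `3.1` on Python 3.10 and later. The reformatted `os.path.join("@prefix@", "lib", "python" + sys.version[:3], "site-packages")` therefore adds a search path that does not belong to the running interpreter. Using `"python%d.%d" % sys.version_info[:2]` gives the intended name on every version. The same lines appear in the dnssec-coverage.py.in and dnssec-keymgr.py.in hunks that follow. The branch is only reached when `@PYTHON_INSTALL_DIR@` is substituted as an empty string.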
@@ -15,12 +15,16 @@ import sys sys.path.insert(0, os.path.dirname(sys.argv[0])) -if os.name != 'nt': - if '@PYTHON_INSTALL_DIR@': # value of --with-python-install-dir - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') +if os.name != "nt": + if "@PYTHON_INSTALL_DIR@": # value of --with-python-install-dir + sys.path.insert(1, "@PYTHON_INSTALL_DIR@") else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', - 'python' + sys.version[:3], 'site-packages')) + sys.path.insert( + 1, + os.path.join( + "@prefix@", "lib", "python" + sys.version[:3], "site-packages" + ), + ) import isc.keymgr diff -Nru bind9-9.16.27/bin/python/isc/__init__.py.in bind9-9.16.33/bin/python/isc/__init__.py.in --- bind9-9.16.27/bin/python/isc/__init__.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/__init__.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -11,9 +11,21 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -__all__ = ['checkds', 'coverage', 'keymgr', 'dnskey', 'eventlist', - 'keydict', 'keyevent', 'keyseries', 'keyzone', 'policy', - 'parsetab', 'rndc', 'utils'] +__all__ = [ + "checkds", + "coverage", + "keymgr", + "dnskey", + "eventlist", + "keydict", + "keyevent", + "keyseries", + "keyzone", + "policy", + "parsetab", + "rndc", + "utils", +] from isc.dnskey import * from isc.eventlist import * diff -Nru bind9-9.16.27/bin/python/isc/checkds.py.in bind9-9.16.33/bin/python/isc/checkds.py.in --- bind9-9.16.27/bin/python/isc/checkds.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/checkds.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -14,9 +14,9 @@ import sys from subprocess import Popen, PIPE -from isc.utils import prefix,version +from isc.utils import prefix, version -prog = 'dnssec-checkds' +prog = "dnssec-checkds" ############################################################################ 
@@ -24,13 +24,13 @@ # Class for DS resource record ############################################################################ class SECRR: - hashalgs = {1: 'SHA-1', 2: 'SHA-256', 3: 'GOST', 4: 'SHA-384'} - rrname = '' - rrclass = 'IN' + hashalgs = {1: "SHA-1", 2: "SHA-256", 3: "GOST", 4: "SHA-384"} + rrname = "" + rrclass = "IN" keyid = None keyalg = None hashalg = None - digest = '' + digest = "" ttl = 0 def __init__(self, rrtext): @@ -39,7 +39,7 @@ # 'str' does not have decode method in python3 if type(rrtext) is not str: - fields = rrtext.decode('ascii').split() + fields = rrtext.decode("ascii").split() else: fields = rrtext.split() if len(fields) < 7: @@ -49,7 +49,7 @@ self.rrname = fields[0].lower() fields = fields[1:] - if fields[0].upper() in ['IN', 'CH', 'HS']: + if fields[0].upper() in ["IN", "CH", "HS"]: self.rrclass = fields[0].upper() fields = fields[1:] else: @@ -58,16 +58,21 @@ fields = fields[2:] if fields[0].upper() != self.rrtype: - raise Exception('%s does not match %s' % - (fields[0].upper(), self.rrtype)) + raise Exception("%s does not match %s" % (fields[0].upper(), self.rrtype)) self.keyid, self.keyalg, self.hashalg = map(int, fields[1:4]) - self.digest = ''.join(fields[4:]).upper() + self.digest = "".join(fields[4:]).upper() def __repr__(self): - return '%s %s %s %d %d %d %s' % \ - (self.rrname, self.rrclass, self.rrtype, - self.keyid, self.keyalg, self.hashalg, self.digest) + return "%s %s %s %d %d %d %s" % ( + self.rrname, + self.rrclass, + self.rrtype, + self.keyid, + self.keyalg, + self.hashalg, + self.digest, + ) def __eq__(self, other): return self.__repr__() == other.__repr__() @@ -90,7 +95,7 @@ for line in fp.splitlines(): if type(line) is not str: - line = line.decode('ascii') + line = line.decode("ascii") rrlist.append(SECRR(line)) rrlist = sorted(rrlist, key=lambda rr: (rr.keyid, rr.keyalg, rr.hashalg)) 
@@ -98,20 +103,21 @@ cmd = [args.dsfromkey] for algo in args.algo: - cmd += ['-a', algo] + cmd += ["-a", algo] if args.masterfile: cmd += ["-f", args.masterfile, zone] fp, _ = Popen(cmd, stdout=PIPE).communicate() else: - intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey", - "-q", zone], stdout=PIPE).communicate() + intods, _ = Popen( + [args.dig, "+noall", "+answer", "-t", "dnskey", "-q", zone], stdout=PIPE + ).communicate() cmd += ["-f", "-", zone] fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods) for line in fp.splitlines(): if type(line) is not str: - line = line.decode('ascii') + line = line.decode("ascii") klist.append(SECRR(line)) if len(klist) < 1: @@ -121,21 +127,42 @@ match = True for rr in rrlist: if rr not in klist: - print("KSK for %s %s/%03d/%05d (%s) missing from child" % - (rr.rrtype, rr.rrname.strip('.'), rr.keyalg, - rr.keyid, SECRR.hashalgs[rr.hashalg])) + print( + "KSK for %s %s/%03d/%05d (%s) missing from child" + % ( + rr.rrtype, + rr.rrname.strip("."), + rr.keyalg, + rr.keyid, + SECRR.hashalgs[rr.hashalg], + ) + ) match = False for rr in klist: if rr not in rrlist: - print("%s for KSK %s/%03d/%05d (%s) missing from parent" % - (rr.rrtype, rr.rrname.strip('.'), rr.keyalg, - rr.keyid, SECRR.hashalgs[rr.hashalg])) + print( + "%s for KSK %s/%03d/%05d (%s) missing from parent" + % ( + rr.rrtype, + rr.rrname.strip("."), + rr.keyalg, + rr.keyid, + SECRR.hashalgs[rr.hashalg], + ) + ) match = False for rr in klist: if rr in rrlist: - print("%s for KSK %s/%03d/%05d (%s) found in parent" % - (rr.rrtype, rr.rrname.strip('.'), rr.keyalg, - rr.keyid, SECRR.hashalgs[rr.hashalg])) + print( + "%s for KSK %s/%03d/%05d (%s) found in parent" + % ( + rr.rrtype, + rr.rrname.strip("."), + rr.keyalg, + rr.keyid, + SECRR.hashalgs[rr.hashalg], + ) + ) return match 
@@ -145,30 +172,47 @@ # Read command line arguments, set global 'args' structure ############################################################################ def parse_args(): - parser = argparse.ArgumentParser(description=prog + ': checks DS coverage') + parser = argparse.ArgumentParser(description=prog + ": checks DS coverage") - bindir = 'bin' - sbindir = 'bin' if os.name == 'nt' else 'sbin' + bindir = "bin" + sbindir = "bin" if os.name == "nt" else "sbin" - parser.add_argument('zone', type=str, help='zone to check') - parser.add_argument('-a', '--algo', dest='algo', action='append', - default=[], type=str, help='DS digest algorithm') - parser.add_argument('-d', '--dig', dest='dig', - default=os.path.join(prefix(bindir), 'dig'), - type=str, help='path to \'dig\'') - parser.add_argument('-D', '--dsfromkey', dest='dsfromkey', - default=os.path.join(prefix(sbindir), - 'dnssec-dsfromkey'), - type=str, help='path to \'dnssec-dsfromkey\'') - parser.add_argument('-f', '--file', dest='masterfile', type=str, - help='zone master file') - parser.add_argument('-s', '--dsset', dest='dssetfile', type=str, - help='prepared DSset file') - parser.add_argument('-v', '--version', action='version', - version=version) + parser.add_argument("zone", type=str, help="zone to check") + parser.add_argument( + "-a", + "--algo", + dest="algo", + action="append", + default=[], + type=str, + help="DS digest algorithm", + ) + parser.add_argument( + "-d", + "--dig", + dest="dig", + default=os.path.join(prefix(bindir), "dig"), + type=str, + help="path to 'dig'", + ) + parser.add_argument( + "-D", + "--dsfromkey", + dest="dsfromkey", + default=os.path.join(prefix(sbindir), "dnssec-dsfromkey"), + type=str, + help="path to 'dnssec-dsfromkey'", + ) + parser.add_argument( + "-f", "--file", dest="masterfile", type=str, help="zone master file" + ) + parser.add_argument( + "-s", "--dsset", dest="dssetfile", type=str, help="prepared DSset file" + ) + parser.add_argument("-v", "--version", 
action="version", version=version) args = parser.parse_args() - args.zone = args.zone.strip('.') + args.zone = args.zone.strip(".") return args diff -Nru bind9-9.16.27/bin/python/isc/coverage.py.in bind9-9.16.33/bin/python/isc/coverage.py.in --- bind9-9.16.27/bin/python/isc/coverage.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/coverage.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ import pprint from collections import defaultdict -prog = 'dnssec-coverage' +prog = "dnssec-coverage" from isc import dnskey, eventlist, keydict, keyevent, keyzone, utils @@ -36,19 +36,21 @@ # output: ############################################################################ _firstline = True + + def output(*args, **kwargs): """output text, adding a vertical space this is *not* the first first section being printed since a call to vreset()""" global _firstline - if 'skip' in kwargs: - skip = kwargs['skip'] - kwargs.pop('skip', None) + if "skip" in kwargs: + skip = kwargs["skip"] + kwargs.pop("skip", None) else: skip = True if _firstline: _firstline = False elif skip: - print('') + print("") if args: print(*args, **kwargs) @@ -63,7 +65,7 @@ # parse_time ############################################################################ def parse_time(s): - """ convert a formatted time (e.g., 1y, 6mo, 15mi, etc) into seconds + """convert a formatted time (e.g., 1y, 6mo, 15mi, etc) into seconds :param s: String with some text representing a time interval :return: Integer with the number of seconds in the time interval """ 
@@ -76,26 +78,26 @@ pass # try to parse as a number with a suffix indicating unit of time - r = re.compile(r'([0-9][0-9]*)\s*([A-Za-z]*)') + r = re.compile(r"([0-9][0-9]*)\s*([A-Za-z]*)") m = r.match(s) if not m: raise ValueError("Cannot parse %s" % s) n, unit = m.groups() n = int(n) unit = unit.lower() - if unit.startswith('y'): + if unit.startswith("y"): return n * 31536000 - elif unit.startswith('mo'): + elif unit.startswith("mo"): return n * 2592000 - elif unit.startswith('w'): + elif unit.startswith("w"): return n * 604800 - elif unit.startswith('d'): + elif unit.startswith("d"): return n * 86400 - elif unit.startswith('h'): + elif unit.startswith("h"): return n * 3600 - elif unit.startswith('mi'): + elif unit.startswith("mi"): return n * 60 - elif unit.startswith('s'): + elif unit.startswith("s"): return n else: raise ValueError("Invalid suffix %s" % unit) @@ -105,7 +107,7 @@ # set_path: ############################################################################ def set_path(command, default=None): - """ find the location of a specified command. if a default is supplied + """find the location of a specified command. if a default is supplied and it works, we use it; otherwise we search PATH for a match. :param command: string with a command to look for in the path :param default: default location to use 
@@ -131,50 +133,89 @@ ############################################################################ def parse_args(): """Read command line arguments, set global 'args' structure""" - compilezone = set_path('named-compilezone', - os.path.join(utils.prefix('sbin'), - 'named-compilezone')) - - parser = argparse.ArgumentParser(description=prog + ': checks future ' + - 'DNSKEY coverage for a zone') - - parser.add_argument('zone', type=str, nargs='*', default=None, - help='zone(s) to check' + - '(default: all zones in the directory)') - parser.add_argument('-K', dest='path', default='.', type=str, - help='a directory containing keys to process', - metavar='dir') - parser.add_argument('-f', dest='filename', type=str, - help='zone master file', metavar='file') - parser.add_argument('-m', dest='maxttl', type=str, - help='the longest TTL in the zone(s)', - metavar='time') - parser.add_argument('-d', dest='keyttl', type=str, - help='the DNSKEY TTL', metavar='time') - parser.add_argument('-r', dest='resign', default='1944000', - type=str, help='the RRSIG refresh interval ' - 'in seconds [default: 22.5 days]', - metavar='time') - parser.add_argument('-c', dest='compilezone', - default=compilezone, type=str, - help='path to \'named-compilezone\'', - metavar='path') - parser.add_argument('-l', dest='checklimit', - type=str, default='0', - help='Length of time to check for ' - 'DNSSEC coverage [default: 0 (unlimited)]', - metavar='time') - parser.add_argument('-z', dest='no_ksk', - action='store_true', default=False, - help='Only check zone-signing keys (ZSKs)') - parser.add_argument('-k', dest='no_zsk', - action='store_true', default=False, - help='Only check key-signing keys (KSKs)') - parser.add_argument('-D', '--debug', dest='debug_mode', - action='store_true', default=False, - help='Turn on debugging output') - parser.add_argument('-v', '--version', action='version', - version=utils.version) + compilezone = set_path( + "named-compilezone", os.path.join(utils.prefix("sbin"), 
"named-compilezone") + ) + + parser = argparse.ArgumentParser( + description=prog + ": checks future " + "DNSKEY coverage for a zone" + ) + + parser.add_argument( + "zone", + type=str, + nargs="*", + default=None, + help="zone(s) to check" + "(default: all zones in the directory)", + ) + parser.add_argument( + "-K", + dest="path", + default=".", + type=str, + help="a directory containing keys to process", + metavar="dir", + ) + parser.add_argument( + "-f", dest="filename", type=str, help="zone master file", metavar="file" + ) + parser.add_argument( + "-m", + dest="maxttl", + type=str, + help="the longest TTL in the zone(s)", + metavar="time", + ) + parser.add_argument( + "-d", dest="keyttl", type=str, help="the DNSKEY TTL", metavar="time" + ) + parser.add_argument( + "-r", + dest="resign", + default="1944000", + type=str, + help="the RRSIG refresh interval " "in seconds [default: 22.5 days]", + metavar="time", + ) + parser.add_argument( + "-c", + dest="compilezone", + default=compilezone, + type=str, + help="path to 'named-compilezone'", + metavar="path", + ) + parser.add_argument( + "-l", + dest="checklimit", + type=str, + default="0", + help="Length of time to check for " "DNSSEC coverage [default: 0 (unlimited)]", + metavar="time", + ) + parser.add_argument( + "-z", + dest="no_ksk", + action="store_true", + default=False, + help="Only check zone-signing keys (ZSKs)", + ) + parser.add_argument( + "-k", + dest="no_zsk", + action="store_true", + default=False, + help="Only check key-signing keys (KSKs)", + ) + parser.add_argument( + "-D", + "--debug", + dest="debug_mode", + action="store_true", + default=False, + help="Turn on debugging output", + ) + parser.add_argument("-v", "--version", action="version", version=utils.version) args = parser.parse_args() 
@@ -189,8 +230,7 @@ fatal("ERROR: -f can only be used with one zone.") # strip trailing dots if any - args.zone = [x[:-1] if (len(x) > 1 and x[-1] == '.') else x - for x in args.zone] + args.zone = [x[:-1] if (len(x) > 1 and x[-1] == ".") else x for x in args.zone] # convert from time arguments to seconds try: @@ -239,13 +279,16 @@ print("Unable to load zone data from %s: " % args.filename, e) if not args.maxttl: - output("WARNING: Maximum TTL value was not specified. Using 1 week\n" - "\t (604800 seconds); re-run with the -m option to get more\n" - "\t accurate results.") + output( + "WARNING: Maximum TTL value was not specified. Using 1 week\n" + "\t (604800 seconds); re-run with the -m option to get more\n" + "\t accurate results." + ) args.maxttl = 604800 return args + ############################################################################ # Main ############################################################################ @@ -257,7 +300,7 @@ try: kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl) except Exception as e: - fatal('ERROR: Unable to build key dictionary: ' + str(e)) + fatal("ERROR: Unable to build key dictionary: " + str(e)) for key in kd: key.check_prepub(output) @@ -272,7 +315,7 @@ try: elist = eventlist(kd) except Exception as e: - fatal('ERROR: Unable to build event list: ' + str(e)) + fatal("ERROR: Unable to build event list: " + str(e)) errors = False if not args.zone: 
@@ -281,10 +324,9 @@ else: for zone in args.zone: try: - if not elist.coverage(zone, args.keytype, - args.checklimit, output): + if not elist.coverage(zone, args.keytype, args.checklimit, output): errors = True except: - output('ERROR: Coverage check failed for zone ' + zone) + output("ERROR: Coverage check failed for zone " + zone) sys.exit(1 if errors else 0) diff -Nru bind9-9.16.27/bin/python/isc/dnskey.py.in bind9-9.16.33/bin/python/isc/dnskey.py.in --- bind9-9.16.27/bin/python/isc/dnskey.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/dnskey.py.in 2022-09-08 13:01:23.000000000 +0000 
@@ -19,48 +19,73 @@ ######################################################################## class TimePast(Exception): def __init__(self, key, prop, value): - super(TimePast, self).__init__('%s time for key %s (%d) is already past' - % (prop, key, value)) + super(TimePast, self).__init__( + "%s time for key %s (%d) is already past" % (prop, key, value) + ) + class dnskey: """An individual DNSSEC key. Identified by path, name, algorithm, keyid. Contains a dictionary of metadata events.""" - _PROPS = ('Created', 'Publish', 'Activate', 'Inactive', 'Delete', - 'Revoke', 'DSPublish', 'SyncPublish', 'SyncDelete') - _OPTS = (None, '-P', '-A', '-I', '-D', '-R', None, '-Psync', '-Dsync') - - _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', None, 'RSASHA1', - 'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None, - 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256', - 'ECDSAP384SHA384', 'ED25519', 'ED448') + _PROPS = ( + "Created", + "Publish", + "Activate", + "Inactive", + "Delete", + "Revoke", + "DSPublish", + "SyncPublish", + "SyncDelete", + ) + _OPTS = (None, "-P", "-A", "-I", "-D", "-R", None, "-Psync", "-Dsync") + + _ALGNAMES = ( + None, + "RSAMD5", + "DH", + "DSA", + None, + "RSASHA1", + "NSEC3DSA", + "NSEC3RSASHA1", + "RSASHA256", + None, + "RSASHA512", + None, + "ECCGOST", + "ECDSAP256SHA256", + "ECDSAP384SHA384", + "ED25519", + "ED448", + ) def __init__(self, key, directory=None, keyttl=None): # this makes it possible to use algname as a class or instance method if isinstance(key, tuple) and len(key) == 3: - self._dir = directory or '.' + self._dir = directory or "." (name, alg, keyid) = key self.fromtuple(name, alg, keyid, keyttl) - self._dir = directory or os.path.dirname(key) or '.' + self._dir = directory or os.path.dirname(key) or "." 
key = os.path.basename(key) - (name, alg, keyid) = key.split('+') + (name, alg, keyid) = key.split("+") name = name[1:-1] alg = int(alg) - keyid = int(keyid.split('.')[0]) + keyid = int(keyid.split(".")[0]) self.fromtuple(name, alg, keyid, keyttl) def fromtuple(self, name, alg, keyid, keyttl): - if name.endswith('.'): + if name.endswith("."): fullname = name - name = name.rstrip('.') + name = name.rstrip(".") else: - fullname = name + '.' + fullname = name + "." keystr = "K%s+%03d+%05d" % (fullname, alg, keyid) - key_file = self._dir + (self._dir and os.sep or '') + keystr + ".key" - private_file = (self._dir + (self._dir and os.sep or '') + - keystr + ".private") + key_file = self._dir + (self._dir and os.sep or "") + keystr + ".key" + private_file = self._dir + (self._dir and os.sep or "") + keystr + ".private" self.keystr = keystr @@ -71,13 +96,13 @@ kfp = open(key_file, "r") for line in kfp: - if line[0] == ';': + if line[0] == ";": continue tokens = line.split() if not tokens: continue - if tokens[1].lower() in ('in', 'ch', 'hs'): + if tokens[1].lower() in ("in", "ch", "hs"): septoken = 3 self.ttl = keyttl else: @@ -90,7 +115,7 @@ self.sep = False kfp.close() - pfp = open(private_file, "rU") + pfp = open(private_file, "r") self.metadata = dict() self._changed = dict() @@ -103,9 +128,9 @@ for line in pfp: line = line.strip() - if not line or line[0] in ('!#'): + if not line or line[0] in ("!#"): continue - punctuation = [line.find(c) for c in ':= '] + [len(line)] + punctuation = [line.find(c) for c in ":= "] + [len(line)] found = min([pos for pos in punctuation if pos != -1]) name = line[:found].rstrip() value = line[found:].lstrip(":= ").rstrip() @@ -128,7 +153,7 @@ pfp.close() def commit(self, settime_bin, **kwargs): - quiet = kwargs.get('quiet', False) + quiet = kwargs.get("quiet", False) cmd = [] first = True 
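Review bot: In the `@@ -90,7 +115,7 @@` hunk, `pfp = open(private_file, "r")` keeps the handle on the private-key file open until the explicit `pfp.close()` further down. An exception raised while the metadata lines are parsed leaves it open. Wrapping the parsing loop in `with open(private_file, "r") as pfp:` would release it on every path. The `kfp` handle closed just above follows the same pattern. The enclosing method starts and ends outside this hunk.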
@@ -143,31 +168,48 @@ if prop in self._delete and self._delete[prop]: delete = True - when = 'none' if delete else self._fmttime[prop] + when = "none" if delete else self._fmttime[prop] cmd += [opt, when] first = False if cmd: - fullcmd = [settime_bin, "-K", self._dir] + cmd + [self.keystr,] + fullcmd = ( + [settime_bin, "-K", self._dir] + + cmd + + [ + self.keystr, + ] + ) if not quiet: - print('# ' + ' '.join(fullcmd)) + print("# " + " ".join(fullcmd)) try: p = Popen(fullcmd, stdout=PIPE, stderr=PIPE) stdout, stderr = p.communicate() if stderr: raise Exception(str(stderr)) except Exception as e: - raise Exception('unable to run %s: %s' % - (settime_bin, str(e))) + raise Exception("unable to run %s: %s" % (settime_bin, str(e))) self._origttl = None for prop in dnskey._PROPS: self._original[prop] = self._timestamps[prop] self._changed[prop] = False @classmethod - def generate(cls, keygen_bin, randomdev, keys_dir, name, alg, keysize, sep, - ttl, publish=None, activate=None, **kwargs): - quiet = kwargs.get('quiet', False) + def generate( + cls, + keygen_bin, + randomdev, + keys_dir, + name, + alg, + keysize, + sep, + ttl, + publish=None, + activate=None, + **kwargs + ): + quiet = kwargs.get("quiet", False) keygen_cmd = [keygen_bin, "-q", "-K", keys_dir, "-L", str(ttl)] 
@@ -194,22 +236,22 @@ keygen_cmd.append(name) if not quiet: - print('# ' + ' '.join(keygen_cmd)) + print("# " + " ".join(keygen_cmd)) p = Popen(keygen_cmd, stdout=PIPE, stderr=PIPE) stdout, stderr = p.communicate() if stderr: - raise Exception('unable to generate key: ' + str(stderr)) + raise Exception("unable to generate key: " + str(stderr)) try: - keystr = stdout.splitlines()[0].decode('ascii') + keystr = stdout.splitlines()[0].decode("ascii") newkey = dnskey(keystr, keys_dir, ttl) return newkey except Exception as e: - raise Exception('unable to parse generated key: %s' % str(e)) + raise Exception("unable to parse generated key: %s" % str(e)) def generate_successor(self, keygen_bin, randomdev, prepublish, **kwargs): - quiet = kwargs.get('quiet', False) + quiet = kwargs.get("quiet", False) if not self.inactive(): raise Exception("predecessor key %s has no inactive date" % self) @@ -226,19 +268,19 @@ keygen_cmd += ["-i", str(prepublish)] if not quiet: - print('# ' + ' '.join(keygen_cmd)) + print("# " + " ".join(keygen_cmd)) p = Popen(keygen_cmd, stdout=PIPE, stderr=PIPE) stdout, stderr = p.communicate() if stderr: - raise Exception('unable to generate key: ' + stderr) + raise Exception("unable to generate key: " + stderr) try: - keystr = stdout.splitlines()[0].decode('ascii') + keystr = stdout.splitlines()[0].decode("ascii") newkey = dnskey(keystr, self._dir, self.ttl) return newkey except: - raise Exception('unable to generate successor for key %s' % self) + raise Exception("unable to generate successor for key %s" % self) @staticmethod def algstr(alg): 
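Review bot: In the `generate_successor` hunk the error path builds `"unable to generate key: " + stderr`, but `stderr` comes from `Popen(...).communicate()` without text mode and is bytes on Python 3. The line would therefore raise `TypeError` instead of reporting what the key generator printed. `generate()` in the preceding hunk already wraps the value, and the same form here keeps the two consistent: `raise Exception("unable to generate key: " + str(stderr))`. The bare `except:` a few lines later also discards the original parse error; `except Exception as e:` with `str(e)` in the message would match `generate()`.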
@@ -277,18 +319,20 @@ return time.strftime("%Y%m%d%H%M%S", t) def setmeta(self, prop, secs, now, **kwargs): - force = kwargs.get('force', False) + force = kwargs.get("force", False) if self._timestamps[prop] == secs: return - if self._original[prop] is not None and \ - self._original[prop] < now and not force: + if ( + self._original[prop] is not None + and self._original[prop] < now + and not force + ): raise TimePast(self, prop, self._original[prop]) if secs is None: - self._changed[prop] = False \ - if self._original[prop] is None else True + self._changed[prop] = False if self._original[prop] is None else True self._delete[prop] = True self._timestamps[prop] = None @@ -300,8 +344,9 @@ self._timestamps[prop] = secs self._times[prop] = t self._fmttime[prop] = self.formattime(t) - self._changed[prop] = False if \ - self._original[prop] == self._timestamps[prop] else True + self._changed[prop] = ( + False if self._original[prop] == self._timestamps[prop] else True + ) def gettime(self, prop): return self._times[prop] @@ -370,19 +415,21 @@ self.ttl = ttl def keytype(self): - return ("KSK" if self.sep else "ZSK") + return "KSK" if self.sep else "ZSK" def __str__(self): - return ("%s/%s/%05d" - % (self.name, self.algname(), self.keyid)) + return "%s/%s/%05d" % (self.name, self.algname(), self.keyid) def __repr__(self): - return ("%s/%s/%05d (%s)" - % (self.name, self.algname(), self.keyid, - ("KSK" if self.sep else "ZSK"))) + return "%s/%s/%05d (%s)" % ( + self.name, + self.algname(), + self.keyid, + ("KSK" if self.sep else "ZSK"), + ) def date(self): - return (self.activate() or self.publish() or self.created()) + return self.activate() or self.publish() or self.created() # keys are sorted first by zone name, then by algorithm. within # the same name/algorithm, they are sorted according to their 
@@ -396,7 +443,9 @@ return self.date() < other.date() def check_prepub(self, output=None): - def noop(*args, **kwargs): pass + def noop(*args, **kwargs): + pass + if not output: output = noop 
@@ -409,43 +458,47 @@ if not p: if a > now: - output("WARNING: Key %s is scheduled for\n" - "\t activation but not for publication." - % repr(self)) + output( + "WARNING: Key %s is scheduled for\n" + "\t activation but not for publication." % repr(self) + ) return False if p <= now and a <= now: return True if p == a: - output("WARNING: %s is scheduled to be\n" - "\t published and activated at the same time. This\n" - "\t could result in a coverage gap if the zone was\n" - "\t previously signed. Activation should be at least\n" - "\t %s after publication." - % (repr(self), - dnskey.duration(self.ttl) or 'one DNSKEY TTL')) + output( + "WARNING: %s is scheduled to be\n" + "\t published and activated at the same time. This\n" + "\t could result in a coverage gap if the zone was\n" + "\t previously signed. Activation should be at least\n" + "\t %s after publication." + % (repr(self), dnskey.duration(self.ttl) or "one DNSKEY TTL") + ) return True if a < p: - output("WARNING: Key %s is active before it is published" - % repr(self)) + output("WARNING: Key %s is active before it is published" % repr(self)) return False if self.ttl is not None and a - p < self.ttl: - output("WARNING: Key %s is activated too soon\n" - "\t after publication; this could result in coverage \n" - "\t gaps due to resolver caches containing old data.\n" - "\t Activation should be at least %s after\n" - "\t publication." - % (repr(self), - dnskey.duration(self.ttl) or 'one DNSKEY TTL')) + output( + "WARNING: Key %s is activated too soon\n" + "\t after publication; this could result in coverage \n" + "\t gaps due to resolver caches containing old data.\n" + "\t Activation should be at least %s after\n" + "\t publication." 
+ % (repr(self), dnskey.duration(self.ttl) or "one DNSKEY TTL") + ) return False return True - def check_postpub(self, output = None, timespan = None): - def noop(*args, **kwargs): pass + def check_postpub(self, output=None, timespan=None): + def noop(*args, **kwargs): + pass + if output is None: output = noop @@ -454,7 +507,7 @@ if timespan is None: output("WARNING: Key %s using default TTL." % repr(self)) - timespan = (60*60*24) + timespan = 60 * 60 * 24 now = time.time() d = self.delete() @@ -465,26 +518,30 @@ if not i: if d > now: - output("WARNING: Key %s is scheduled for\n" - "\t deletion but not for inactivation." % repr(self)) + output( + "WARNING: Key %s is scheduled for\n" + "\t deletion but not for inactivation." % repr(self) + ) return False if d < now and i < now: return True if d < i: - output("WARNING: Key %s is scheduled for\n" - "\t deletion before inactivation." - % repr(self)) + output( + "WARNING: Key %s is scheduled for\n" + "\t deletion before inactivation." % repr(self) + ) return False if d - i < timespan: - output("WARNING: Key %s scheduled for\n" - "\t deletion too soon after deactivation; this may \n" - "\t result in coverage gaps due to resolver caches\n" - "\t containing old data. Deletion should be at least\n" - "\t %s after inactivation." - % (repr(self), dnskey.duration(timespan))) + output( + "WARNING: Key %s scheduled for\n" + "\t deletion too soon after deactivation; this may \n" + "\t result in coverage gaps due to resolver caches\n" + "\t containing old data. Deletion should be at least\n" + "\t %s after inactivation." % (repr(self), dnskey.duration(timespan)) + ) return False return True 
@@ -494,12 +551,14 @@ if not secs: return None - units = [("year", 60*60*24*365), - ("month", 60*60*24*30), - ("day", 60*60*24), - ("hour", 60*60), - ("minute", 60), - ("second", 1)] + units = [ + ("year", 60 * 60 * 24 * 365), + ("month", 60 * 60 * 24 * 30), + ("day", 60 * 60 * 24), + ("hour", 60 * 60), + ("minute", 60), + ("second", 1), + ] output = [] for unit in units: @@ -508,4 +567,3 @@ output.append("%d %s%s" % (v, unit[0], "s" if v > 1 else "")) return ", ".join(output) - diff -Nru bind9-9.16.27/bin/python/isc/eventlist.py.in bind9-9.16.33/bin/python/isc/eventlist.py.in --- bind9-9.16.27/bin/python/isc/eventlist.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/eventlist.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -22,8 +22,14 @@ _kdict = None def __init__(self, kdict): - properties = ["SyncPublish", "Publish", "SyncDelete", - "Activate", "Inactive", "Delete"] + properties = [ + "SyncPublish", + "Publish", + "SyncDelete", + "Activate", + "Inactive", + "Delete", + ] self._kdict = kdict for zone in kdict.zones(): self._zones.add(zone) @@ -39,15 +45,19 @@ else: self._Z[zone][alg].append(e) - self._K[zone][alg] = sorted(self._K[zone][alg], - key=lambda event: event.when) - self._Z[zone][alg] = sorted(self._Z[zone][alg], - key=lambda event: event.when) + self._K[zone][alg] = sorted( + self._K[zone][alg], key=lambda event: event.when + ) + self._Z[zone][alg] = sorted( + self._Z[zone][alg], key=lambda event: event.when + ) # scan events per zone, algorithm, and key type, in order of # occurrence, noting inconsistent states when found - def coverage(self, zone, keytype, until, output = None): - def noop(*args, **kwargs): pass + def coverage(self, zone, keytype, until, output=None): + def noop(*args, **kwargs): + pass + if not output: output = noop @@ -79,7 +89,7 @@ output("ERROR: No key events found") return False - return (kok and zok) + return kok and zok def checkzone(self, zone, keytype, until, output): allok = True 
@@ -89,9 +99,10 @@ kz = self._Z[zone] for alg in kz.keys(): - output("Checking scheduled %s events for zone %s, " - "algorithm %s..." % - (keytype, zone, dnskey.algstr(alg))) + output( + "Checking scheduled %s events for zone %s, " + "algorithm %s..." % (keytype, zone, dnskey.algstr(alg)) + ) ok = eventlist.checkset(kz[alg], keytype, until, output) if ok: output("No errors found") @@ -119,12 +130,12 @@ eventsfound = True # add event to current group - if (not group or group[0].when == event.when): + if not group or group[0].when == event.when: group.append(event) # if we're at the end of the list, we're done. if # we've found an event with a later time, start a new group - if (group[0].when != event.when): + if group[0].when != event.when: groups.append(group) group = list() group.append(event) @@ -138,10 +149,11 @@ active = published = None for group in groups: - if (until and calendar.timegm(group[0].when) > until): - output("Ignoring events after %s" % - time.strftime("%a %b %d %H:%M:%S UTC %Y", - time.gmtime(until))) + if until and calendar.timegm(group[0].when) > until: + output( + "Ignoring events after %s" + % time.strftime("%a %b %d %H:%M:%S UTC %Y", time.gmtime(until)) + ) return True for event in group: 
@@ -154,13 +166,13 @@ output("ERROR: No %s's are active after this event" % keytype) return False elif not published: - output("ERROR: No %s's are published after this event" - % keytype) + output("ERROR: No %s's are published after this event" % keytype) return False elif not published.intersection(active): - output("ERROR: No %s's are both active and published " - "after this event" % keytype) + output( + "ERROR: No %s's are both active and published " + "after this event" % keytype + ) return False return True - diff -Nru bind9-9.16.27/bin/python/isc/keydict.py.in bind9-9.16.33/bin/python/isc/keydict.py.in --- bind9-9.16.27/bin/python/isc/keydict.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/keydict.py.in 2022-09-08 13:01:23.000000000 +0000 
@@ -19,47 +19,47 @@ # Class keydict ######################################################################## class keydict: - """ A dictionary of keys, indexed by name, algorithm, and key id """ + """A dictionary of keys, indexed by name, algorithm, and key id""" _keydict = defaultdict(lambda: defaultdict(dict)) _defttl = None _missing = [] def __init__(self, dp=None, **kwargs): - self._defttl = kwargs.get('keyttl', None) - zones = kwargs.get('zones', None) + self._defttl = kwargs.get("keyttl", None) + zones = kwargs.get("zones", None) if not zones: - path = kwargs.get('path',None) or '.' + path = kwargs.get("path", None) or "." self.readall(path) else: for zone in zones: - if 'path' in kwargs and kwargs['path'] is not None: - path = kwargs['path'] + if "path" in kwargs and kwargs["path"] is not None: + path = kwargs["path"] else: - path = dp and dp.policy(zone).directory or '.' + path = dp and dp.policy(zone).directory or "." if not self.readone(path, zone): self._missing.append(zone) def readall(self, path): - files = glob.glob(os.path.join(path, '*.private')) + files = glob.glob(os.path.join(path, "*.private")) for infile in files: key = dnskey(infile, path, self._defttl) self._keydict[key.name][key.alg][key.keyid] = key def readone(self, path, zone): - if not zone.endswith('.'): - zone += '.' - match='K' + zone + '+*.private' + if not zone.endswith("."): + zone += "." + match = "K" + zone + "+*.private" files = glob.glob(os.path.join(path, match)) found = False for infile in files: key = dnskey(infile, path, self._defttl) - if key.fullname != zone: # shouldn't ever happen + if key.fullname != zone: # shouldn't ever happen continue - keyname=key.name if zone != '.' else '.' + keyname = key.name if zone != "." else "." self._keydict[keyname][key.alg][key.keyid] = key found = True 
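Review bot: In keydict.py.in, `_keydict` and `_missing` remain class attributes holding a `defaultdict` and a list, and `__init__`, `readall` and `readone` only mutate them (`self._missing.append(zone)`, `self._keydict[...][...][...] = key`), so every `keydict` instance shares one key table and one missing-zone list. This is harmless while the tool builds a single instance, but a second instance (a test, or a caller checking another key directory) would see keys and missing zones left over from the first. Rebinding both at the top of `__init__` keeps each instance separate: `self._keydict = defaultdict(lambda: defaultdict(dict))` and `self._missing = []`.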
@@ -75,13 +75,13 @@ return self._keydict[name] def zones(self): - return (self._keydict.keys()) + return self._keydict.keys() def algorithms(self, zone): - return (self._keydict[zone].keys()) + return self._keydict[zone].keys() def keys(self, zone, alg): - return (self._keydict[zone][alg].keys()) + return self._keydict[zone][alg].keys() def missing(self): - return (self._missing) + return self._missing diff -Nru bind9-9.16.27/bin/python/isc/keyevent.py.in bind9-9.16.33/bin/python/isc/keyevent.py.in --- bind9-9.16.27/bin/python/isc/keyevent.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/keyevent.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -16,7 +16,7 @@ # Class keyevent ######################################################################## class keyevent: - """ A discrete key event, e.g., Publish, Activate, Inactive, Delete, + """A discrete key event, e.g., Publish, Activate, Inactive, Delete, etc. Stores the date of the event, and identifying information about the key to which the event will occur.""" @@ -30,16 +30,17 @@ self.keyid = key.keyid def __repr__(self): - return repr((self.when, self.what, self.keyid, self.sep, - self.zone, self.alg)) + return repr((self.when, self.what, self.keyid, self.sep, self.zone, self.alg)) def showtime(self): return time.strftime("%a %b %d %H:%M:%S UTC %Y", self.when) # update sets of active and published keys, based on # the contents of this keyevent - def status(self, active, published, output = None): - def noop(*args, **kwargs): pass + def status(self, active, published, output=None): + def noop(*args, **kwargs): + pass + if not output: output = noop 
@@ -54,17 +55,20 @@ published.add(self.keyid) elif self.what == "Inactive": if self.keyid not in active: - output("\tWARNING: %s scheduled to become inactive " - "before it is active" - % repr(self.key)) + output( + "\tWARNING: %s scheduled to become inactive " + "before it is active" % repr(self.key) + ) else: active.remove(self.keyid) elif self.what == "Delete": if self.keyid in published: published.remove(self.keyid) else: - output("WARNING: key %s is scheduled for deletion " - "before it is published" % repr(self.key)) + output( + "WARNING: key %s is scheduled for deletion " + "before it is published" % repr(self.key) + ) elif self.what == "Revoke": # We don't need to worry about the logic of this one; # just stop counting this key as either active or published diff -Nru bind9-9.16.27/bin/python/isc/keymgr.py.in bind9-9.16.33/bin/python/isc/keymgr.py.in --- bind9-9.16.27/bin/python/isc/keymgr.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/keymgr.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -13,7 +13,7 @@ import os, sys, argparse, glob, re, time, calendar, pprint from collections import defaultdict -prog='dnssec-keymgr' +prog = "dnssec-keymgr" from isc import dnskey, keydict, keyseries, policy, parsetab, utils @@ -24,11 +24,12 @@ print(*args, **kwargs) sys.exit(1) + ############################################################################ # find the location of an external command ############################################################################ def set_path(command, default=None): - """ find the location of a specified command. If a default is supplied, + """find the location of a specified command. If a default is supplied, exists and it's an executable, we use it; otherwise we search PATH for an alternative. :param command: command to look for 
@@ -48,58 +49,103 @@ return fpath + ############################################################################ # parse arguments ############################################################################ def parse_args(): - """ Read command line arguments, returns 'args' object + """Read command line arguments, returns 'args' object :return: args object properly prepared """ - keygen = set_path('dnssec-keygen', - os.path.join(utils.prefix('sbin'), 'dnssec-keygen')) - settime = set_path('dnssec-settime', - os.path.join(utils.prefix('sbin'), 'dnssec-settime')) - - parser = argparse.ArgumentParser(description=prog + ': schedule ' - 'DNSSEC key rollovers according to a ' - 'pre-defined policy') - - parser.add_argument('zone', type=str, nargs='*', default=None, - help='Zone(s) to which the policy should be applied ' + - '(default: all zones in the directory)') - parser.add_argument('-K', dest='path', type=str, - help='Directory containing keys', metavar='dir') - parser.add_argument('-c', dest='policyfile', type=str, - help='Policy definition file', metavar='file') - parser.add_argument('-g', dest='keygen', default=keygen, type=str, - help='Path to \'dnssec-keygen\'', - metavar='path') - parser.add_argument('-r', dest='randomdev', type=str, default=None, - help='DEPRECATED', - metavar='path') - parser.add_argument('-s', dest='settime', default=settime, type=str, - help='Path to \'dnssec-settime\'', - metavar='path') - parser.add_argument('-k', dest='no_zsk', - action='store_true', default=False, - help='Only apply policy to key-signing keys (KSKs)') - parser.add_argument('-z', dest='no_ksk', - action='store_true', default=False, - help='Only apply policy to zone-signing keys (ZSKs)') - parser.add_argument('-f', '--force', dest='force', action='store_true', - default=False, help='Force updates to key events '+ - 'even if they are in the past') - parser.add_argument('-q', '--quiet', dest='quiet', action='store_true', - default=False, help='Update keys silently') - 
parser.add_argument('-v', '--version', action='version', - version=utils.version) + keygen = set_path( + "dnssec-keygen", os.path.join(utils.prefix("sbin"), "dnssec-keygen") + ) + settime = set_path( + "dnssec-settime", os.path.join(utils.prefix("sbin"), "dnssec-settime") + ) + + parser = argparse.ArgumentParser( + description=prog + ": schedule " + "DNSSEC key rollovers according to a " + "pre-defined policy" + ) + + parser.add_argument( + "zone", + type=str, + nargs="*", + default=None, + help="Zone(s) to which the policy should be applied " + + "(default: all zones in the directory)", + ) + parser.add_argument( + "-K", dest="path", type=str, help="Directory containing keys", metavar="dir" + ) + parser.add_argument( + "-c", dest="policyfile", type=str, help="Policy definition file", metavar="file" + ) + parser.add_argument( + "-g", + dest="keygen", + default=keygen, + type=str, + help="Path to 'dnssec-keygen'", + metavar="path", + ) + parser.add_argument( + "-r", + dest="randomdev", + type=str, + default=None, + help="DEPRECATED", + metavar="path", + ) + parser.add_argument( + "-s", + dest="settime", + default=settime, + type=str, + help="Path to 'dnssec-settime'", + metavar="path", + ) + parser.add_argument( + "-k", + dest="no_zsk", + action="store_true", + default=False, + help="Only apply policy to key-signing keys (KSKs)", + ) + parser.add_argument( + "-z", + dest="no_ksk", + action="store_true", + default=False, + help="Only apply policy to zone-signing keys (ZSKs)", + ) + parser.add_argument( + "-f", + "--force", + dest="force", + action="store_true", + default=False, + help="Force updates to key events " + "even if they are in the past", + ) + parser.add_argument( + "-q", + "--quiet", + dest="quiet", + action="store_true", + default=False, + help="Update keys silently", + ) + parser.add_argument("-v", "--version", action="version", version=utils.version) args = parser.parse_args() if args.randomdev: fatal("ERROR: -r option has been deprecated.") - + if 
args.no_zsk and args.no_ksk: fatal("ERROR: -z and -k cannot be used together.") @@ -115,13 +161,13 @@ if not os.path.exists(args.policyfile): fatal('ERROR: Policy file "%s" not found' % args.policyfile) else: - args.policyfile = os.path.join(utils.sysconfdir, - 'dnssec-policy.conf') + args.policyfile = os.path.join(utils.sysconfdir, "dnssec-policy.conf") if not os.path.exists(args.policyfile): args.policyfile = None return args + ############################################################################ # main ############################################################################ 
@@ -130,28 +176,31 @@ # As we may have specific locations for the binaries, we put that info # into a context object that can be passed around - context = {'keygen_path': args.keygen, - 'settime_path': args.settime, - 'keys_path': args.path, - 'randomdev': args.randomdev} + context = { + "keygen_path": args.keygen, + "settime_path": args.settime, + "keys_path": args.path, + "randomdev": args.randomdev, + } try: dp = policy.dnssec_policy(args.policyfile) except Exception as e: - fatal('Unable to load DNSSEC policy: ' + str(e)) + fatal("Unable to load DNSSEC policy: " + str(e)) try: kd = keydict(dp, path=args.path, zones=args.zone) except Exception as e: - fatal('Unable to build key dictionary: ' + str(e)) + fatal("Unable to build key dictionary: " + str(e)) try: ks = keyseries(kd, context=context) except Exception as e: - fatal('Unable to build key series: ' + str(e)) + fatal("Unable to build key series: " + str(e)) try: - ks.enforce_policy(dp, ksk=args.no_zsk, zsk=args.no_ksk, - force=args.force, quiet=args.quiet) + ks.enforce_policy( + dp, ksk=args.no_zsk, zsk=args.no_ksk, force=args.force, quiet=args.quiet + ) except Exception as e: - fatal('Unable to apply policy: ' + str(e)) + fatal("Unable to apply policy: " + str(e)) diff -Nru bind9-9.16.27/bin/python/isc/keyseries.py.in bind9-9.16.33/bin/python/isc/keyseries.py.in --- bind9-9.16.27/bin/python/isc/keyseries.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/keyseries.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -35,10 +35,10 @@ for k in keys.values(): if k.sep: if not (k.delete() and k.delete() < now): - self._K[zone][alg].append(k) + self._K[zone][alg].append(k) else: if not (k.delete() and k.delete() < now): - self._Z[zone][alg].append(k) + self._Z[zone][alg].append(k) self._K[zone][alg].sort() self._Z[zone][alg].sort() 
@@ -57,7 +57,7 @@ print("%s" % repr(k)) def fixseries(self, keys, policy, now, **kwargs): - force = kwargs.get('force', False) + force = kwargs.get("force", False) if not keys: return @@ -148,14 +148,16 @@ prev = key # if we haven't got sufficient coverage, create successor key(s) - while rp and prev.inactive() and \ - prev.inactive() < now + policy.coverage: + while rp and prev.inactive() and prev.inactive() < now + policy.coverage: # commit changes to predecessor: a successor can only be # generated if Inactive has been set in the predecessor key - prev.commit(self._context['settime_path'], **kwargs) - key = prev.generate_successor(self._context['keygen_path'], - self._context['randomdev'], - prepub, **kwargs) + prev.commit(self._context["settime_path"], **kwargs) + key = prev.generate_successor( + self._context["keygen_path"], + self._context["randomdev"], + prepub, + **kwargs + ) key.setinactive(key.activate() + rp, **kwargs) key.setdelete(key.inactive() + postpub, **kwargs) 
@@ -171,41 +173,50 @@ # commit changes for key in keys: - key.commit(self._context['settime_path'], **kwargs) - + key.commit(self._context["settime_path"], **kwargs) def enforce_policy(self, policies, now=time.time(), **kwargs): # If zones is provided as a parameter, use that list. # If not, use what we have in this object - zones = kwargs.get('zones', self._zones) - keys_dir = kwargs.get('dir', self._context.get('keys_path', None)) - force = kwargs.get('force', False) + zones = kwargs.get("zones", self._zones) + keys_dir = kwargs.get("dir", self._context.get("keys_path", None)) + force = kwargs.get("force", False) for zone in zones: collections = [] policy = policies.policy(zone) - keys_dir = keys_dir or policy.directory or '.' + keys_dir = keys_dir or policy.directory or "." alg = policy.algorithm algnum = dnskey.algnum(alg) - if 'ksk' not in kwargs or not kwargs['ksk']: + if "ksk" not in kwargs or not kwargs["ksk"]: if len(self._Z[zone][algnum]) == 0: - k = dnskey.generate(self._context['keygen_path'], - self._context['randomdev'], - keys_dir, zone, alg, - policy.zsk_keysize, False, - policy.keyttl or 3600, - **kwargs) + k = dnskey.generate( + self._context["keygen_path"], + self._context["randomdev"], + keys_dir, + zone, + alg, + policy.zsk_keysize, + False, + policy.keyttl or 3600, + **kwargs + ) self._Z[zone][algnum].append(k) collections.append(self._Z[zone]) - if 'zsk' not in kwargs or not kwargs['zsk']: + if "zsk" not in kwargs or not kwargs["zsk"]: if len(self._K[zone][algnum]) == 0: - k = dnskey.generate(self._context['keygen_path'], - self._context['randomdev'], - keys_dir, zone, alg, - policy.ksk_keysize, True, - policy.keyttl or 3600, - **kwargs) + k = dnskey.generate( + self._context["keygen_path"], + self._context["randomdev"], + keys_dir, + zone, + alg, + policy.ksk_keysize, + True, + policy.keyttl or 3600, + **kwargs + ) self._K[zone][algnum].append(k) collections.append(self._K[zone]) 
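Review bot: In `enforce_policy`, `keys_dir = keys_dir or policy.directory or "."` sits inside the `for zone in zones` loop and overwrites the variable it reads, so once the first zone resolves a directory every later zone reuses it and its own `policy.directory` is never consulted. When neither `dir` nor `keys_path` is supplied, newly generated private keys for later zones would therefore be written into the first zone's directory. A per-zone local avoids this: `zone_dir = keys_dir or policy.directory or "."`, passed as the third argument to both `dnskey.generate(...)` calls. The body of `enforce_policy` continues past the end of this hunk.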
@@ -216,5 +227,6 @@ try: self.fixseries(keys, policy, now, **kwargs) except Exception as e: - raise Exception('%s/%s: %s' % - (zone, dnskey.algstr(algnum), str(e))) + raise Exception( + "%s/%s: %s" % (zone, dnskey.algstr(algnum), str(e)) + ) diff -Nru bind9-9.16.27/bin/python/isc/keyzone.py.in bind9-9.16.33/bin/python/isc/keyzone.py.in --- bind9-9.16.27/bin/python/isc/keyzone.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/keyzone.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -20,6 +20,7 @@ class KeyZoneException(Exception): pass + ######################################################################## # class keyzone ######################################################################## @@ -33,19 +34,19 @@ if not name: return - if not czpath or not os.path.isfile(czpath) \ - or not os.access(czpath, os.X_OK): + if not czpath or not os.path.isfile(czpath) or not os.access(czpath, os.X_OK): raise KeyZoneException('"named-compilezone" not found') return maxttl = keyttl = None - fp, _ = Popen([czpath, "-o", "-", name, filename], - stdout=PIPE, stderr=PIPE).communicate() + fp, _ = Popen( + [czpath, "-o", "-", name, filename], stdout=PIPE, stderr=PIPE + ).communicate() for line in fp.splitlines(): if type(line) is not str: - line = line.decode('ascii') - if re.search('^[:space:]*;', line): + line = line.decode("ascii") + if re.search("^[:space:]*;", line): continue fields = line.split() if not maxttl or int(fields[1]) > maxttl: diff -Nru bind9-9.16.27/bin/python/isc/policy.py.in bind9-9.16.33/bin/python/isc/policy.py.in --- bind9-9.16.27/bin/python/isc/policy.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/policy.py.in 2022-09-08 13:01:23.000000000 +0000 
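Review bot: In the keyzone.py.in hunk at `-33,19`, the reformatted `re.search("^[:space:]*;", line)` still does not skip indented comment lines. Python's `re` has no POSIX `[:space:]` class, so the brackets are read as the character set `:`, `s`, `p`, `a`, `c`, `e`. A comment line preceded by spaces or tabs then falls through to `int(fields[1])`, which would presumably raise on non-numeric text. The intended test looks like `if re.search(r"^\s*;", line):`. The enclosing `__init__` starts and ends outside this hunk.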
@@ -20,63 +20,71 @@ # PolicyLex: a lexer for the policy file syntax. ############################################################################ class PolicyLex: - reserved = ('POLICY', - 'ALGORITHM_POLICY', - 'ZONE', - 'ALGORITHM', - 'DIRECTORY', - 'KEYTTL', - 'KEY_SIZE', - 'ROLL_PERIOD', - 'PRE_PUBLISH', - 'POST_PUBLISH', - 'COVERAGE', - 'STANDBY', - 'NONE') - - tokens = reserved + ('DATESUFFIX', - 'KEYTYPE', - 'ALGNAME', - 'STR', - 'QSTRING', - 'NUMBER', - 'LBRACE', - 'RBRACE', - 'SEMI') + reserved = ( + "POLICY", + "ALGORITHM_POLICY", + "ZONE", + "ALGORITHM", + "DIRECTORY", + "KEYTTL", + "KEY_SIZE", + "ROLL_PERIOD", + "PRE_PUBLISH", + "POST_PUBLISH", + "COVERAGE", + "STANDBY", + "NONE", + ) + + tokens = reserved + ( + "DATESUFFIX", + "KEYTYPE", + "ALGNAME", + "STR", + "QSTRING", + "NUMBER", + "LBRACE", + "RBRACE", + "SEMI", + ) reserved_map = {} - t_ignore = ' \t' - t_ignore_olcomment = r'(//|\#).*' + t_ignore = " \t" + t_ignore_olcomment = r"(//|\#).*" - t_LBRACE = r'\{' - t_RBRACE = r'\}' - t_SEMI = r';'; + t_LBRACE = r"\{" + t_RBRACE = r"\}" + t_SEMI = r";" def t_newline(self, t): - r'\n+' + r"\n+" t.lexer.lineno += t.value.count("\n") def t_comment(self, t): - r'/\*(.|\n)*?\*/' - t.lexer.lineno += t.value.count('\n') + r"/\*(.|\n)*?\*/" + t.lexer.lineno += t.value.count("\n") def t_DATESUFFIX(self, t): - r'(?i)(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b' - t.value = re.match(r'(?i)(y|mo|w|d|h|mi|s)([a-z]*)', t.value).group(1).lower() + r"(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b" + t.value = ( + re.match(r"(y|mo|w|d|h|mi|s)([a-z]*)", t.value, re.IGNORECASE) + .group(1) + .lower() + ) return t def t_KEYTYPE(self, t): - r'(?i)\b(KSK|ZSK)\b' + r"\b(KSK|ZSK)\b" t.value = t.value.upper() return t def 
t_ALGNAME(self, t): - r'(?i)\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b' + r"\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b" t.value = t.value.upper() return t def t_STR(self, t): - r'[A-Za-z._-][\w._-]*' + r"[A-Za-z._-][\w._-]*" t.type = self.reserved_map.get(t.value, "STR") return t @@ -87,7 +95,7 @@ return t def t_NUMBER(self, t): - r'\d+' + r"\d+" t.value = int(t.value) return t @@ -96,13 +104,13 @@ t.lexer.skip(1) def __init__(self, **kwargs): - if 'maketrans' in dir(str): - trans = str.maketrans('_', '-') + if "maketrans" in dir(str): + trans = str.maketrans("_", "-") else: - trans = maketrans('_', '-') + trans = maketrans("_", "-") for r in self.reserved: self.reserved_map[r.lower().translate(trans)] = r - self.lexer = lex.lex(object=self, **kwargs) + self.lexer = lex.lex(object=self, reflags=re.VERBOSE | re.IGNORECASE, **kwargs) def test(self, text): self.lexer.input(text) @@ -112,6 +120,7 @@ break print(t) + ############################################################################ # Policy: this object holds a set of DNSSEC policy settings. ############################################################################ @@ -132,14 +141,16 @@ keyttl = None coverage = None directory = None - valid_key_sz_per_algo = {'RSASHA1': [1024, 4096], - 'NSEC3RSASHA1': [512, 4096], - 'RSASHA256': [1024, 4096], - 'RSASHA512': [1024, 4096], - 'ECDSAP256SHA256': None, - 'ECDSAP384SHA384': None, - 'ED25519': None, - 'ED448': None} + valid_key_sz_per_algo = { + "RSASHA1": [1024, 4096], + "NSEC3RSASHA1": [512, 4096], + "RSASHA256": [1024, 4096], + "RSASHA512": [1024, 4096], + "ECDSAP256SHA256": None, + "ECDSAP384SHA384": None, + "ED25519": None, + "ED448": None, + } def __init__(self, name=None, algorithm=None, parent=None): self.name = name 
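Review bot: In `PolicyLex.__init__`, the new call `lex.lex(object=self, reflags=re.VERBOSE | re.IGNORECASE, **kwargs)` fails with a duplicate-keyword `TypeError` if a caller ever passes `reflags` in `kwargs`. Writing `kwargs.setdefault("reflags", re.VERBOSE | re.IGNORECASE)` followed by `lex.lex(object=self, **kwargs)` keeps the default without that collision. The `t_DATESUFFIX`, `t_KEYTYPE` and `t_ALGNAME` patterns in the `-20,63` hunk lost their inline `(?i)` and now match case-insensitively only because of this flag, which also applies to every other rule. A comment at the call such as `# token rules rely on IGNORECASE; inline (?i) was removed from the patterns` would stop a later cleanup from silently making the policy keywords case-sensitive.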
@@ -148,45 +159,54 @@ pass def __repr__(self): - return ("%spolicy %s:\n" - "\tinherits %s\n" - "\tdirectory %s\n" - "\talgorithm %s\n" - "\tcoverage %s\n" - "\tksk_keysize %s\n" - "\tzsk_keysize %s\n" - "\tksk_rollperiod %s\n" - "\tzsk_rollperiod %s\n" - "\tksk_prepublish %s\n" - "\tksk_postpublish %s\n" - "\tzsk_prepublish %s\n" - "\tzsk_postpublish %s\n" - "\tksk_standby %s\n" - "\tzsk_standby %s\n" - "\tkeyttl %s\n" - % - ((self.is_constructed and 'constructed ' or \ - self.is_zone and 'zone ' or \ - self.is_alg and 'algorithm ' or ''), - self.name or 'UNKNOWN', - self.parent and self.parent.name or 'None', - self.directory and ('"' + str(self.directory) + '"') or 'None', - self.algorithm or 'None', - self.coverage and str(self.coverage) or 'None', - self.ksk_keysize and str(self.ksk_keysize) or 'None', - self.zsk_keysize and str(self.zsk_keysize) or 'None', - self.ksk_rollperiod and str(self.ksk_rollperiod) or 'None', - self.zsk_rollperiod and str(self.zsk_rollperiod) or 'None', - self.ksk_prepublish and str(self.ksk_prepublish) or 'None', - self.ksk_postpublish and str(self.ksk_postpublish) or 'None', - self.zsk_prepublish and str(self.zsk_prepublish) or 'None', - self.zsk_postpublish and str(self.zsk_postpublish) or 'None', - self.ksk_standby and str(self.ksk_standby) or 'None', - self.zsk_standby and str(self.zsk_standby) or 'None', - self.keyttl and str(self.keyttl) or 'None')) + return ( + "%spolicy %s:\n" + "\tinherits %s\n" + "\tdirectory %s\n" + "\talgorithm %s\n" + "\tcoverage %s\n" + "\tksk_keysize %s\n" + "\tzsk_keysize %s\n" + "\tksk_rollperiod %s\n" + "\tzsk_rollperiod %s\n" + "\tksk_prepublish %s\n" + "\tksk_postpublish %s\n" + "\tzsk_prepublish %s\n" + "\tzsk_postpublish %s\n" + "\tksk_standby %s\n" + "\tzsk_standby %s\n" + "\tkeyttl %s\n" + % ( + ( + self.is_constructed + and "constructed " + or self.is_zone + and "zone " + or self.is_alg + and "algorithm " + or "" + ), + self.name or "UNKNOWN", + self.parent and self.parent.name or "None", + 
self.directory and ('"' + str(self.directory) + '"') or "None", + self.algorithm or "None", + self.coverage and str(self.coverage) or "None", + self.ksk_keysize and str(self.ksk_keysize) or "None", + self.zsk_keysize and str(self.zsk_keysize) or "None", + self.ksk_rollperiod and str(self.ksk_rollperiod) or "None", + self.zsk_rollperiod and str(self.zsk_rollperiod) or "None", + self.ksk_prepublish and str(self.ksk_prepublish) or "None", + self.ksk_postpublish and str(self.ksk_postpublish) or "None", + self.zsk_prepublish and str(self.zsk_prepublish) or "None", + self.zsk_postpublish and str(self.zsk_postpublish) or "None", + self.ksk_standby and str(self.ksk_standby) or "None", + self.zsk_standby and str(self.zsk_standby) or "None", + self.keyttl and str(self.keyttl) or "None", + ) + ) def __verify_size(self, key_size, size_range): - return (size_range[0] <= key_size <= size_range[1]) + return size_range[0] <= key_size <= size_range[1] def get_name(self): return self.name 
@@ -195,57 +215,95 @@ return self.is_constructed def validate(self): - """ Check if the values in the policy make sense + """Check if the values in the policy make sense :return: True/False if the policy passes validation """ - if self.ksk_rollperiod and \ - self.ksk_prepublish is not None and \ - self.ksk_prepublish > self.ksk_rollperiod: + if ( + self.ksk_rollperiod + and self.ksk_prepublish is not None + and self.ksk_prepublish > self.ksk_rollperiod + ): print(self.ksk_rollperiod) - return (False, - ('KSK pre-publish period (%d) exceeds rollover period %d' - % (self.ksk_prepublish, self.ksk_rollperiod))) - - if self.ksk_rollperiod and \ - self.ksk_postpublish is not None and \ - self.ksk_postpublish > self.ksk_rollperiod: - return (False, - ('KSK post-publish period (%d) exceeds rollover period %d' - % (self.ksk_postpublish, self.ksk_rollperiod))) - - if self.zsk_rollperiod and \ - self.zsk_prepublish is not None and \ - self.zsk_prepublish >= self.zsk_rollperiod: - return (False, - ('ZSK pre-publish period (%d) exceeds rollover period %d' - % (self.zsk_prepublish, self.zsk_rollperiod))) - - if self.zsk_rollperiod and \ - self.zsk_postpublish is not None and \ - self.zsk_postpublish >= self.zsk_rollperiod: - return (False, - ('ZSK post-publish period (%d) exceeds rollover period %d' - % (self.zsk_postpublish, self.zsk_rollperiod))) - - if self.ksk_rollperiod and \ - self.ksk_prepublish and self.ksk_postpublish and \ - self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod: - return (False, - (('KSK pre/post-publish periods (%d/%d) ' + - 'combined exceed rollover period %d') % - (self.ksk_prepublish, - self.ksk_postpublish, - self.ksk_rollperiod))) - - if self.zsk_rollperiod and \ - self.zsk_prepublish and self.zsk_postpublish and \ - self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod: - return (False, - (('ZSK pre/post-publish periods (%d/%d) ' + - 'combined exceed rollover period %d') % - (self.zsk_prepublish, - self.zsk_postpublish, - 
self.zsk_rollperiod))) + return ( + False, + ( + "KSK pre-publish period (%d) exceeds rollover period %d" + % (self.ksk_prepublish, self.ksk_rollperiod) + ), + ) + + if ( + self.ksk_rollperiod + and self.ksk_postpublish is not None + and self.ksk_postpublish > self.ksk_rollperiod + ): + return ( + False, + ( + "KSK post-publish period (%d) exceeds rollover period %d" + % (self.ksk_postpublish, self.ksk_rollperiod) + ), + ) + + if ( + self.zsk_rollperiod + and self.zsk_prepublish is not None + and self.zsk_prepublish >= self.zsk_rollperiod + ): + return ( + False, + ( + "ZSK pre-publish period (%d) exceeds rollover period %d" + % (self.zsk_prepublish, self.zsk_rollperiod) + ), + ) + + if ( + self.zsk_rollperiod + and self.zsk_postpublish is not None + and self.zsk_postpublish >= self.zsk_rollperiod + ): + return ( + False, + ( + "ZSK post-publish period (%d) exceeds rollover period %d" + % (self.zsk_postpublish, self.zsk_rollperiod) + ), + ) + + if ( + self.ksk_rollperiod + and self.ksk_prepublish + and self.ksk_postpublish + and self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod + ): + return ( + False, + ( + ( + "KSK pre/post-publish periods (%d/%d) " + + "combined exceed rollover period %d" + ) + % (self.ksk_prepublish, self.ksk_postpublish, self.ksk_rollperiod) + ), + ) + + if ( + self.zsk_rollperiod + and self.zsk_prepublish + and self.zsk_postpublish + and self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod + ): + return ( + False, + ( + ( + "ZSK pre/post-publish periods (%d/%d) " + + "combined exceed rollover period %d" + ) + % (self.zsk_prepublish, self.zsk_postpublish, self.zsk_rollperiod) + ), + ) if self.algorithm is not None: # Validate the key size 
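Review bot: In `validate`, the first branch still calls `print(self.ksk_rollperiod)` before returning the error tuple, which looks like leftover debug output; every other branch reports only through the returned message, so the line can be dropped. The two KSK checks also compare with `>` while the matching ZSK checks use `>=`, although all four messages say "exceeds". If the difference is deliberate, a one-line comment such as `# KSK may equal the roll period; ZSK must be strictly shorter` would record it; otherwise the operators should agree. The body of `validate` continues past the end of this hunk.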
@@ -253,22 +311,29 @@ if key_sz_range is not None: # Verify KSK if not self.__verify_size(self.ksk_keysize, key_sz_range): - return False, 'KSK key size %d outside valid range %s' \ - % (self.ksk_keysize, key_sz_range) + return False, "KSK key size %d outside valid range %s" % ( + self.ksk_keysize, + key_sz_range, + ) # Verify ZSK if not self.__verify_size(self.zsk_keysize, key_sz_range): - return False, 'ZSK key size %d outside valid range %s' \ - % (self.zsk_keysize, key_sz_range) - - if self.algorithm in ['ECDSAP256SHA256', \ - 'ECDSAP384SHA384', \ - 'ED25519', \ - 'ED448']: + return False, "ZSK key size %d outside valid range %s" % ( + self.zsk_keysize, + key_sz_range, + ) + + if self.algorithm in [ + "ECDSAP256SHA256", + "ECDSAP384SHA384", + "ED25519", + "ED448", + ]: self.ksk_keysize = None self.zsk_keysize = None - return True, '' + return True, "" + ############################################################################ # dnssec_policy: @@ -279,6 +344,7 @@ class PolicyException(Exception): pass + class dnssec_policy: alg_policy = {} named_policy = {} @@ -290,14 +356,15 @@ def __init__(self, filename=None, **kwargs): self.plex = PolicyLex() self.tokens = self.plex.tokens - if 'debug' not in kwargs: - kwargs['debug'] = False - if 'write_tables' not in kwargs: - kwargs['write_tables'] = False + if "debug" not in kwargs: + kwargs["debug"] = False + if "write_tables" not in kwargs: + kwargs["write_tables"] = False self.parser = yacc.yacc(module=self, **kwargs) # set defaults - self.setup('''policy global { algorithm rsasha256; + self.setup( + """policy global { algorithm rsasha256; key-size ksk 2048; key-size zsk 2048; roll-period ksk 0; 
@@ -310,56 +377,57 @@ standby zsk 0; keyttl 1h; coverage 6mo; }; - policy default { policy global; };''') + policy default { policy global; };""" + ) p = Policy() p.algorithm = None p.is_alg = True - p.ksk_keysize = 2048; - p.zsk_keysize = 2048; + p.ksk_keysize = 2048 + p.zsk_keysize = 2048 # set default algorithm policies # these can use default settings - self.alg_policy['RSASHA1'] = copy(p) - self.alg_policy['RSASHA1'].algorithm = "RSASHA1" - self.alg_policy['RSASHA1'].name = "RSASHA1" - - self.alg_policy['NSEC3RSASHA1'] = copy(p) - self.alg_policy['NSEC3RSASHA1'].algorithm = "NSEC3RSASHA1" - self.alg_policy['NSEC3RSASHA1'].name = "NSEC3RSASHA1" - - self.alg_policy['RSASHA256'] = copy(p) - self.alg_policy['RSASHA256'].algorithm = "RSASHA256" - self.alg_policy['RSASHA256'].name = "RSASHA256" - - self.alg_policy['RSASHA512'] = copy(p) - self.alg_policy['RSASHA512'].algorithm = "RSASHA512" - self.alg_policy['RSASHA512'].name = "RSASHA512" - - self.alg_policy['ECDSAP256SHA256'] = copy(p) - self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256" - self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256" - self.alg_policy['ECDSAP256SHA256'].ksk_keysize = None; - self.alg_policy['ECDSAP256SHA256'].zsk_keysize = None; - - self.alg_policy['ECDSAP384SHA384'] = copy(p) - self.alg_policy['ECDSAP384SHA384'].algorithm = "ECDSAP384SHA384" - self.alg_policy['ECDSAP384SHA384'].name = "ECDSAP384SHA384" - self.alg_policy['ECDSAP384SHA384'].ksk_keysize = None; - self.alg_policy['ECDSAP384SHA384'].zsk_keysize = None; - - self.alg_policy['ED25519'] = copy(p) - self.alg_policy['ED25519'].algorithm = "ED25519" - self.alg_policy['ED25519'].name = "ED25519" - self.alg_policy['ED25519'].ksk_keysize = None; - self.alg_policy['ED25519'].zsk_keysize = None; - - self.alg_policy['ED448'] = copy(p) - self.alg_policy['ED448'].algorithm = "ED448" - self.alg_policy['ED448'].name = "ED448" - self.alg_policy['ED448'].ksk_keysize = None; - self.alg_policy['ED448'].zsk_keysize = None; + 
self.alg_policy["RSASHA1"] = copy(p) + self.alg_policy["RSASHA1"].algorithm = "RSASHA1" + self.alg_policy["RSASHA1"].name = "RSASHA1" + + self.alg_policy["NSEC3RSASHA1"] = copy(p) + self.alg_policy["NSEC3RSASHA1"].algorithm = "NSEC3RSASHA1" + self.alg_policy["NSEC3RSASHA1"].name = "NSEC3RSASHA1" + + self.alg_policy["RSASHA256"] = copy(p) + self.alg_policy["RSASHA256"].algorithm = "RSASHA256" + self.alg_policy["RSASHA256"].name = "RSASHA256" + + self.alg_policy["RSASHA512"] = copy(p) + self.alg_policy["RSASHA512"].algorithm = "RSASHA512" + self.alg_policy["RSASHA512"].name = "RSASHA512" + + self.alg_policy["ECDSAP256SHA256"] = copy(p) + self.alg_policy["ECDSAP256SHA256"].algorithm = "ECDSAP256SHA256" + self.alg_policy["ECDSAP256SHA256"].name = "ECDSAP256SHA256" + self.alg_policy["ECDSAP256SHA256"].ksk_keysize = None + self.alg_policy["ECDSAP256SHA256"].zsk_keysize = None + + self.alg_policy["ECDSAP384SHA384"] = copy(p) + self.alg_policy["ECDSAP384SHA384"].algorithm = "ECDSAP384SHA384" + self.alg_policy["ECDSAP384SHA384"].name = "ECDSAP384SHA384" + self.alg_policy["ECDSAP384SHA384"].ksk_keysize = None + self.alg_policy["ECDSAP384SHA384"].zsk_keysize = None + + self.alg_policy["ED25519"] = copy(p) + self.alg_policy["ED25519"].algorithm = "ED25519" + self.alg_policy["ED25519"].name = "ED25519" + self.alg_policy["ED25519"].ksk_keysize = None + self.alg_policy["ED25519"].zsk_keysize = None + + self.alg_policy["ED448"] = copy(p) + self.alg_policy["ED448"].algorithm = "ED448" + self.alg_policy["ED448"].name = "ED448" + self.alg_policy["ED448"].ksk_keysize = None + self.alg_policy["ED448"].zsk_keysize = None if filename: self.load(filename) 
@@ -387,12 +455,12 @@ p = self.zone_policy[z] if p is None: - p = copy(self.named_policy['default']) + p = copy(self.named_policy["default"]) p.name = zone p.is_constructed = True if p.algorithm is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent and not parent.algorithm: parent = parent.parent p.algorithm = parent and parent.algorithm or None 
@@ -400,81 +468,75 @@ if p.algorithm in self.alg_policy: ap = self.alg_policy[p.algorithm] else: - raise PolicyException('algorithm not found') + raise PolicyException("algorithm not found") if p.directory is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent is not None and not parent.directory: parent = parent.parent p.directory = parent and parent.directory if p.coverage is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent and not parent.coverage: parent = parent.parent p.coverage = parent and parent.coverage or ap.coverage if p.ksk_keysize is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.ksk_keysize: parent = parent.parent p.ksk_keysize = parent and parent.ksk_keysize or ap.ksk_keysize if p.zsk_keysize is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.zsk_keysize: parent = parent.parent p.zsk_keysize = parent and parent.zsk_keysize or ap.zsk_keysize if p.ksk_rollperiod is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.ksk_rollperiod: parent = parent.parent - p.ksk_rollperiod = parent and \ - parent.ksk_rollperiod or ap.ksk_rollperiod + p.ksk_rollperiod = parent and parent.ksk_rollperiod or ap.ksk_rollperiod if p.zsk_rollperiod is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.zsk_rollperiod: parent = parent.parent - p.zsk_rollperiod = parent and \ - parent.zsk_rollperiod or ap.zsk_rollperiod + p.zsk_rollperiod = parent and parent.zsk_rollperiod or ap.zsk_rollperiod if p.ksk_prepublish is None: - parent = p.parent or 
self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.ksk_prepublish: parent = parent.parent - p.ksk_prepublish = parent and \ - parent.ksk_prepublish or ap.ksk_prepublish + p.ksk_prepublish = parent and parent.ksk_prepublish or ap.ksk_prepublish if p.zsk_prepublish is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.zsk_prepublish: parent = parent.parent - p.zsk_prepublish = parent and \ - parent.zsk_prepublish or ap.zsk_prepublish + p.zsk_prepublish = parent and parent.zsk_prepublish or ap.zsk_prepublish if p.ksk_postpublish is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.ksk_postpublish: parent = parent.parent - p.ksk_postpublish = parent and \ - parent.ksk_postpublish or ap.ksk_postpublish + p.ksk_postpublish = parent and parent.ksk_postpublish or ap.ksk_postpublish if p.zsk_postpublish is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent.parent and not parent.zsk_postpublish: parent = parent.parent - p.zsk_postpublish = parent and \ - parent.zsk_postpublish or ap.zsk_postpublish + p.zsk_postpublish = parent and parent.zsk_postpublish or ap.zsk_postpublish if p.keyttl is None: - parent = p.parent or self.named_policy['default'] + parent = p.parent or self.named_policy["default"] while parent is not None and not parent.keyttl: parent = parent.parent p.keyttl = parent and parent.keyttl - if 'novalidate' not in kwargs or not kwargs['novalidate']: + if "novalidate" not in kwargs or not kwargs["novalidate"]: (valid, msg) = p.validate() if not valid: raise PolicyException(msg) 
@@ -482,10 +544,9 @@ return p - def p_policylist(self, p): - '''policylist : init policy - | policylist policy''' + """policylist : init policy + | policylist policy""" pass def p_init(self, p): @@ -493,26 +554,26 @@ self.initial = False def p_policy(self, p): - '''policy : alg_policy - | zone_policy - | named_policy''' + """policy : alg_policy + | zone_policy + | named_policy""" pass def p_name(self, p): - '''name : STR - | KEYTYPE - | DATESUFFIX''' + """name : STR + | KEYTYPE + | DATESUFFIX""" p[0] = p[1] pass def p_domain(self, p): - '''domain : STR - | QSTRING - | KEYTYPE - | DATESUFFIX''' + """domain : STR + | QSTRING + | KEYTYPE + | DATESUFFIX""" p[0] = p[1].strip() - if not re.match(r'^[\w.-][\w.-]*$', p[0]): - raise PolicyException('invalid domain') + if not re.match(r"^[\w.-][\w.-]*$", p[0]): + raise PolicyException("invalid domain") pass def p_new_policy(self, p): @@ -528,9 +589,9 @@ def p_zone_policy(self, p): "zone_policy : ZONE domain new_policy policy_option_group SEMI" - self.current.name = p[2].rstrip('.') + self.current.name = p[2].rstrip(".") self.current.is_zone = True - self.zone_policy[p[2].rstrip('.').lower()] = self.current + self.zone_policy[p[2].rstrip(".").lower()] = self.current pass def p_named_policy(self, p): 
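Review bot: The domain check in `p_domain` (hunk `@@ -493,26 +554,26 @@`) is `re.match(r"^[\w.-][\w.-]*$", p[0])`, and on a Python 3 `str` pattern `\w` also matches non-ASCII letters and digits, so names outside the DNS label alphabet pass validation. How the accepted name is used afterwards is not visible in this hunk; if it ends up in file names or command arguments, an explicit ASCII class is the safer contract: `if not re.match(r"^[A-Za-z0-9_.-]+\Z", p[0]):`. Using `\Z` instead of `$` also stops the pattern from tolerating a trailing newline, which today is only masked by the preceding `strip()`.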
@@ -552,42 +613,42 @@ def p_duration_3(self, p): "duration : NUMBER DATESUFFIX" if p[2] == "y": - p[0] = p[1] * 31536000 # year + p[0] = p[1] * 31536000 # year elif p[2] == "mo": p[0] = p[1] * 2592000 # month elif p[2] == "w": - p[0] = p[1] * 604800 # week + p[0] = p[1] * 604800 # week elif p[2] == "d": - p[0] = p[1] * 86400 # day + p[0] = p[1] * 86400 # day elif p[2] == "h": - p[0] = p[1] * 3600 # hour + p[0] = p[1] * 3600 # hour elif p[2] == "mi": - p[0] = p[1] * 60 # minute + p[0] = p[1] * 60 # minute elif p[2] == "s": - p[0] = p[1] # second + p[0] = p[1] # second else: - raise PolicyException('invalid duration') + raise PolicyException("invalid duration") def p_policy_option_group(self, p): "policy_option_group : LBRACE policy_option_list RBRACE" pass def p_policy_option_list(self, p): - '''policy_option_list : policy_option SEMI - | policy_option_list policy_option SEMI''' + """policy_option_list : policy_option SEMI + | policy_option_list policy_option SEMI""" pass def p_policy_option(self, p): - '''policy_option : parent_option - | directory_option - | coverage_option - | rollperiod_option - | prepublish_option - | postpublish_option - | keysize_option - | algorithm_option - | keyttl_option - | standby_option''' + """policy_option : parent_option + | directory_option + | coverage_option + | rollperiod_option + | prepublish_option + | postpublish_option + | keysize_option + | algorithm_option + | keyttl_option + | standby_option""" pass def p_alg_option_group(self, p): 
@@ -595,18 +656,18 @@ pass def p_alg_option_list(self, p): - '''alg_option_list : alg_option SEMI - | alg_option_list alg_option SEMI''' + """alg_option_list : alg_option SEMI + | alg_option_list alg_option SEMI""" pass def p_alg_option(self, p): - '''alg_option : coverage_option - | rollperiod_option - | prepublish_option - | postpublish_option - | keyttl_option - | keysize_option - | standby_option''' + """alg_option : coverage_option + | rollperiod_option + | prepublish_option + | postpublish_option + | keyttl_option + | keysize_option + | standby_option""" pass def p_parent_option(self, p): @@ -666,17 +727,25 @@ def p_error(self, p): if p: - print("%s%s%d:syntax error near '%s'" % - (self.filename or "", ":" if self.filename else "", - p.lineno, p.value)) + print( + "%s%s%d:syntax error near '%s'" + % (self.filename or "", ":" if self.filename else "", p.lineno, p.value) + ) else: if not self.initial: - raise PolicyException("%s%s%d:unexpected end of input" % - (self.filename or "", ":" if self.filename else "", - p and p.lineno or 0)) + raise PolicyException( + "%s%s%d:unexpected end of input" + % ( + self.filename or "", + ":" if self.filename else "", + p and p.lineno or 0, + ) + ) + if __name__ == "__main__": import sys + if sys.argv[1] == "lex": file = open(sys.argv[2]) text = file.read() @@ -686,7 +755,7 @@ elif sys.argv[1] == "parse": try: pp = dnssec_policy(sys.argv[2], write_tables=True, debug=True) - print(pp.named_policy['default']) + print(pp.named_policy["default"]) print(pp.policy("nonexistent.zone")) except Exception as e: print(e.args[0]) diff -Nru bind9-9.16.27/bin/python/isc/rndc.py.in bind9-9.16.33/bin/python/isc/rndc.py.in --- bind9-9.16.27/bin/python/isc/rndc.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/rndc.py.in 2022-09-08 13:01:23.000000000 +0000 
@@ -26,12 +26,15 @@ class rndc(object): """RNDC protocol client library""" - __algos = {'md5': 157, - 'sha1': 161, - 'sha224': 162, - 'sha256': 163, - 'sha384': 164, - 'sha512': 165} + + __algos = { + "md5": 157, + "sha1": 161, + "sha224": 162, + "sha256": 163, + "sha384": 164, + "sha512": 165, + } def __init__(self, host, algo, secret): """Creates a persistent connection to RNDC and logs in @@ -41,7 +44,7 @@ secret - HMAC secret, base64 encoded""" self.host = host algo = algo.lower() - if algo.startswith('hmac-'): + if algo.startswith("hmac-"): algo = algo[5:] self.algo = algo self.hlalgo = getattr(hashlib, algo) @@ -54,26 +57,27 @@ """Call a RNDC command, all parsing is done on the server side cmd - a complete string with a command (eg 'reload zone example.com') """ - return dict(self.__command(type=cmd)['_data']) + return dict(self.__command(type=cmd)["_data"]) def __serialize_dict(self, data, ignore_auth=False): rv = bytearray() for k, v in data.items(): - if ignore_auth and k == '_auth': + if ignore_auth and k == "_auth": continue - rv += struct.pack('B', len(k)) + k.encode('ascii') + rv += struct.pack("B", len(k)) + k.encode("ascii") if type(v) == str: - rv += struct.pack('>BI', 1, len(v)) + v.encode('ascii') + rv += struct.pack(">BI", 1, len(v)) + v.encode("ascii") elif type(v) == bytes: - rv += struct.pack('>BI', 1, len(v)) + v + rv += struct.pack(">BI", 1, len(v)) + v elif type(v) == bytearray: - rv += struct.pack('>BI', 1, len(v)) + v + rv += struct.pack(">BI", 1, len(v)) + v elif type(v) == OrderedDict: sd = self.__serialize_dict(v) - rv += struct.pack('>BI', 2, len(sd)) + sd + rv += struct.pack(">BI", 2, len(sd)) + sd else: - raise NotImplementedError('Cannot serialize element of type %s' - % type(v)) + raise NotImplementedError( + "Cannot serialize element of type %s" % type(v) + ) return rv def __prep_message(self, *args, **kwargs): 
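Review bot: In `__init__` (hunk `@@ -41,7 +44,7 @@`), `self.hlalgo = getattr(hashlib, algo)` resolves a caller-supplied string against the whole `hashlib` namespace without first checking it against the supported set in `__algos`. A mistyped name surfaces as a bare `AttributeError`, and a name such as `new` returns a callable that is not a digest constructor and only fails later inside `hmac.new`. Validate before the lookup, e.g. `if algo not in self.__algos: raise ValueError("unsupported HMAC algorithm %s" % algo)`. The table still lists `md5` and `sha1`; a comment saying they are kept for protocol compatibility and that `sha256` or stronger is preferred would help callers choose. The body of `__init__` continues outside this hunk.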
@@ -82,41 +86,42 @@ data = OrderedDict(*args, **kwargs) d = OrderedDict() - d['_auth'] = OrderedDict() - d['_ctrl'] = OrderedDict() - d['_ctrl']['_ser'] = str(self.ser) - d['_ctrl']['_tim'] = str(now) - d['_ctrl']['_exp'] = str(now+60) + d["_auth"] = OrderedDict() + d["_ctrl"] = OrderedDict() + d["_ctrl"]["_ser"] = str(self.ser) + d["_ctrl"]["_tim"] = str(now) + d["_ctrl"]["_exp"] = str(now + 60) if self.nonce is not None: - d['_ctrl']['_nonce'] = self.nonce - d['_data'] = data + d["_ctrl"]["_nonce"] = self.nonce + d["_data"] = data msg = self.__serialize_dict(d, ignore_auth=True) hash = hmac.new(self.secret, msg, self.hlalgo).digest() bhash = base64.b64encode(hash) - if self.algo == 'md5': - d['_auth']['hmd5'] = struct.pack('22s', bhash) + if self.algo == "md5": + d["_auth"]["hmd5"] = struct.pack("22s", bhash) else: - d['_auth']['hsha'] = bytearray(struct.pack('B88s', - self.__algos[self.algo], bhash)) + d["_auth"]["hsha"] = bytearray( + struct.pack("B88s", self.__algos[self.algo], bhash) + ) msg = self.__serialize_dict(d) - msg = struct.pack('>II', len(msg) + 4, 1) + msg + msg = struct.pack(">II", len(msg) + 4, 1) + msg return msg def __verify_msg(self, msg): - if self.nonce is not None and msg['_ctrl']['_nonce'] != self.nonce: + if self.nonce is not None and msg["_ctrl"]["_nonce"] != self.nonce: return False - if self.algo == 'md5': - bhash = msg['_auth']['hmd5'] + if self.algo == "md5": + bhash = msg["_auth"]["hmd5"] else: - bhash = msg['_auth']['hsha'][1:] + bhash = msg["_auth"]["hsha"][1:] if type(bhash) == bytes: - bhash = bhash.decode('ascii') - bhash += '=' * (4 - (len(bhash) % 4)) + bhash = bhash.decode("ascii") + bhash += "=" * (4 - (len(bhash) % 4)) remote_hash = base64.b64decode(bhash) my_msg = self.__serialize_dict(msg, ignore_auth=True) my_hash = hmac.new(self.secret, my_msg, self.hlalgo).digest() - return (my_hash == remote_hash) + return my_hash == remote_hash def __command(self, *args, **kwargs): msg = self.__prep_message(*args, **kwargs) 
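Review bot: `__verify_msg` ends with `return my_hash == remote_hash`, an ordinary equality test on an HMAC digest, so the comparison time can depend on how many leading bytes match. The `hmac` module is already used two lines above, so the constant-time helper is available: `return hmac.compare_digest(my_hash, remote_hash)`. Separately, `msg["_ctrl"]["_nonce"]` and the `msg["_auth"][...]` lookups are indexed without checking that the keys exist, so a reply that omits them raises `KeyError` instead of returning `False`; catching that and returning `False` would keep the verification path to a plain boolean result.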
@@ -129,9 +134,9 @@ # What should we throw here? Bad auth can cause this... raise IOError("Can't read response header") - length, version = struct.unpack('>II', header) + length, version = struct.unpack(">II", header) if version != 1: - raise NotImplementedError('Wrong message version %d' % version) + raise NotImplementedError("Wrong message version %d" % version) # it includes the header length -= 4 @@ -150,26 +155,26 @@ def __connect_login(self): self.socket = socket.create_connection(self.host) self.nonce = None - msg = self.__command(type='null') - self.nonce = msg['_ctrl']['_nonce'] + msg = self.__command(type="null") + self.nonce = msg["_ctrl"]["_nonce"] def __parse_element(self, input): pos = 0 labellen = input[pos] pos += 1 - label = input[pos:pos+labellen].decode('ascii') + label = input[pos : pos + labellen].decode("ascii") pos += labellen type = input[pos] pos += 1 - datalen = struct.unpack('>I', input[pos:pos+4])[0] + datalen = struct.unpack(">I", input[pos : pos + 4])[0] pos += 4 - data = input[pos:pos+datalen] + data = input[pos : pos + datalen] pos += datalen rest = input[pos:] - if type == 1: # raw binary value + if type == 1: # raw binary value return label, data, rest - elif type == 2: # dictionary + elif type == 2: # dictionary d = OrderedDict() while len(data) > 0: ilabel, value, data = self.__parse_element(data) @@ -177,7 +182,7 @@ return label, d, rest # TODO type 3 - list else: - raise NotImplementedError('Unknown element type %d' % type) + raise NotImplementedError("Unknown element type %d" % type) def __parse_message(self, input): rv = OrderedDict() diff -Nru bind9-9.16.27/bin/python/isc/tests/dnskey_test.py.in bind9-9.16.33/bin/python/isc/tests/dnskey_test.py.in --- bind9-9.16.27/bin/python/isc/tests/dnskey_test.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/tests/dnskey_test.py.in 2022-09-08 13:01:23.000000000 +0000 
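Review bot: `__parse_element` (hunk `@@ -150,26 +155,26 @@`) trusts the `labellen` and `datalen` fields read from the wire, and because Python slices do not raise when they run past the end, a truncated or malformed element silently yields a short `label` or `data` instead of an error. Add an explicit bound once each length is known, e.g. `if pos + datalen > len(input): raise ValueError("truncated element")`, and the same check for `labellen`. Whether this parsing runs before the HMAC is verified is not visible here; if it does, the input is unauthenticated at that point and the check matters more. The function is split across this hunk and the following one.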
@@ -11,7 +11,8 @@ import sys import unittest -sys.path.append('../..') + +sys.path.append("../..") from isc import * kdict = None @@ -20,7 +21,7 @@ def getkey(): global kdict if not kdict: - kd = keydict(path='testdata') + kd = keydict(path="testdata") for key in kd: return key @@ -39,14 +40,15 @@ def test_fmttime(self): key = getkey() - self.assertEqual(key.getfmttime('Created'), '20151120214047') - self.assertEqual(key.getfmttime('Publish'), '20151021214154') - self.assertEqual(key.getfmttime('Activate'), '20151120214154') - self.assertEqual(key.getfmttime('Revoke'), '20161119214154') - self.assertEqual(key.getfmttime('Inactive'), '20171119214154') - self.assertEqual(key.getfmttime('Delete'), '20181119214154') - self.assertEqual(key.getfmttime('SyncPublish'), '20150921214154') - self.assertEqual(key.getfmttime('SyncDelete'), '20151130214154') + self.assertEqual(key.getfmttime("Created"), "20151120214047") + self.assertEqual(key.getfmttime("Publish"), "20151021214154") + self.assertEqual(key.getfmttime("Activate"), "20151120214154") + self.assertEqual(key.getfmttime("Revoke"), "20161119214154") + self.assertEqual(key.getfmttime("Inactive"), "20171119214154") + self.assertEqual(key.getfmttime("Delete"), "20181119214154") + self.assertEqual(key.getfmttime("SyncPublish"), "20150921214154") + self.assertEqual(key.getfmttime("SyncDelete"), "20151130214154") + if __name__ == "__main__": unittest.main() diff -Nru bind9-9.16.27/bin/python/isc/tests/policy_test.py.in bind9-9.16.33/bin/python/isc/tests/policy_test.py.in --- bind9-9.16.27/bin/python/isc/tests/policy_test.py.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/isc/tests/policy_test.py.in 2022-09-08 13:01:23.000000000 +0000 
@@ -11,73 +11,94 @@ import sys import unittest -sys.path.append('../..') + +sys.path.append("../..") from isc import * class PolicyTest(unittest.TestCase): def test_keysize(self): pol = policy.dnssec_policy() - pol.load('test-policies/01-keysize.pol') + pol.load("test-policies/01-keysize.pol") - p = pol.policy('good_rsa.test', novalidate=True) + p = pol.policy("good_rsa.test", novalidate=True) self.assertEqual(p.get_name(), "good_rsa.test") self.assertEqual(p.constructed(), False) self.assertEqual(p.validate(), (True, "")) def test_prepublish(self): pol = policy.dnssec_policy() - pol.load('test-policies/02-prepublish.pol') - p = pol.policy('good_prepublish.test', novalidate=True) + pol.load("test-policies/02-prepublish.pol") + p = pol.policy("good_prepublish.test", novalidate=True) self.assertEqual(p.validate(), (True, "")) - p = pol.policy('bad_prepublish.test', novalidate=True) - self.assertEqual(p.validate(), - (False, 'KSK pre/post-publish periods ' - '(10368000/5184000) combined exceed ' - 'rollover period 10368000')) + p = pol.policy("bad_prepublish.test", novalidate=True) + self.assertEqual( + p.validate(), + ( + False, + "KSK pre/post-publish periods " + "(10368000/5184000) combined exceed " + "rollover period 10368000", + ), + ) def test_postpublish(self): pol = policy.dnssec_policy() - pol.load('test-policies/03-postpublish.pol') + pol.load("test-policies/03-postpublish.pol") - p = pol.policy('good_postpublish.test', novalidate=True) + p = pol.policy("good_postpublish.test", novalidate=True) self.assertEqual(p.validate(), (True, "")) - p = pol.policy('bad_postpublish.test', novalidate=True) - self.assertEqual(p.validate(), - (False, 'KSK pre/post-publish periods ' - '(10368000/5184000) combined exceed ' - 'rollover period 10368000')) + p = pol.policy("bad_postpublish.test", novalidate=True) + self.assertEqual( + p.validate(), + ( + False, + "KSK pre/post-publish periods " + "(10368000/5184000) combined exceed " + "rollover period 10368000", + ), + ) def 
test_combined_pre_post(self): pol = policy.dnssec_policy() - pol.load('test-policies/04-combined-pre-post.pol') + pol.load("test-policies/04-combined-pre-post.pol") - p = pol.policy('good_combined_pre_post_ksk.test', novalidate=True) + p = pol.policy("good_combined_pre_post_ksk.test", novalidate=True) self.assertEqual(p.validate(), (True, "")) - p = pol.policy('bad_combined_pre_post_ksk.test', novalidate=True) - self.assertEqual(p.validate(), - (False, 'KSK pre/post-publish periods ' - '(5184000/5184000) combined exceed ' - 'rollover period 10368000')) - - p = pol.policy('good_combined_pre_post_zsk.test', novalidate=True) - self.assertEqual(p.validate(), - (True, "")) - p = pol.policy('bad_combined_pre_post_zsk.test', novalidate=True) - self.assertEqual(p.validate(), - (False, 'ZSK pre/post-publish periods ' - '(5184000/5184000) combined exceed ' - 'rollover period 7776000')) + p = pol.policy("bad_combined_pre_post_ksk.test", novalidate=True) + self.assertEqual( + p.validate(), + ( + False, + "KSK pre/post-publish periods " + "(5184000/5184000) combined exceed " + "rollover period 10368000", + ), + ) + + p = pol.policy("good_combined_pre_post_zsk.test", novalidate=True) + self.assertEqual(p.validate(), (True, "")) + p = pol.policy("bad_combined_pre_post_zsk.test", novalidate=True) + self.assertEqual( + p.validate(), + ( + False, + "ZSK pre/post-publish periods " + "(5184000/5184000) combined exceed " + "rollover period 7776000", + ), + ) def test_numeric_zone(self): pol = policy.dnssec_policy() - pol.load('test-policies/05-numeric-zone.pol') + pol.load("test-policies/05-numeric-zone.pol") - p = pol.policy('99example.test', novalidate=True) + p = pol.policy("99example.test", novalidate=True) self.assertEqual(p.validate(), (True, "")) + if __name__ == "__main__": unittest.main() diff -Nru bind9-9.16.27/bin/python/isc/utils.py.in bind9-9.16.33/bin/python/isc/utils.py.in --- bind9-9.16.27/bin/python/isc/utils.py.in 2022-03-07 08:48:03.000000000 +0000 +++ 
bind9-9.16.33/bin/python/isc/utils.py.in 2022-09-08 13:01:23.000000000 +0000 @@ -12,14 +12,14 @@ import os # These routines permit platform-independent location of BIND 9 tools -if os.name == 'nt': +if os.name == "nt": import win32con import win32api -def prefix(bindir=''): - if os.name != 'nt': - return os.path.join('@prefix@', bindir) +def prefix(bindir=""): + if os.name != "nt": + return os.path.join("@prefix@", bindir) hklm = win32con.HKEY_LOCAL_MACHINE bind_subkey = "Software\\ISC\\BIND" @@ -59,13 +59,13 @@ def shellquote(s): - if os.name == 'nt': + if os.name == "nt": return '"' + s.replace('"', '"\\"') + '"' return "'" + s.replace("'", "'\\''") + "'" -version = '@BIND9_VERSION@' -if os.name != 'nt': - sysconfdir = '@expanded_sysconfdir@' +version = "@BIND9_VERSION@" +if os.name != "nt": + sysconfdir = "@expanded_sysconfdir@" else: - sysconfdir = prefix('etc') + sysconfdir = prefix("etc") diff -Nru bind9-9.16.27/bin/python/setup.py bind9-9.16.33/bin/python/setup.py --- bind9-9.16.27/bin/python/setup.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/python/setup.py 2022-09-08 13:01:23.000000000 +0000 
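Review bot: On the `nt` branch of `shellquote` (context line in hunk `@@ -59,13 +59,13 @@`), `s.replace('"', '"\\"')` substitutes the three characters `"\"` for each quote, which closes the quoted region and emits an escaped quote but never reopens it, unlike the POSIX branch where `'\''` closes, escapes and reopens. Under the usual Windows C-runtime argument rules this would leave the text after an embedded quote unquoted, so a value containing both `"` and a space may not stay a single argument; this should be confirmed against whatever parser receives these strings, which is not visible here. If the intent is to keep the quote inside the quoted region, the replacement would be `s.replace('"', '\\"')`. A one-line comment naming the parser the quoting targets would make the helper auditable.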
@@ -9,13 +9,20 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -from distutils.core import setup -setup(name='isc', - version='2.0', - description='Python functions to support BIND utilities', - url='https://www.isc.org/bind', - author='Internet Systems Consortium, Inc', - author_email='info@isc.org', - license='MPL', - requires=['ply'], - packages=['isc']) +try: + from setuptools import setup +except ImportError: + # pylint: disable=deprecated-module + from distutils.core import setup + +setup( + name="isc", + version="2.0", + description="Python functions to support BIND utilities", + url="https://www.isc.org/bind", + author="Internet Systems Consortium, Inc", + author_email="info@isc.org", + license="MPL", + requires=["ply"], + packages=["isc"], +) diff -Nru bind9-9.16.27/bin/rndc/rndc.c bind9-9.16.33/bin/rndc/rndc.c --- bind9-9.16.27/bin/rndc/rndc.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/rndc/rndc.c 2022-09-08 13:01:23.000000000 +0000 @@ -78,9 +78,9 @@ static bool failed = false; static bool c_flag = false; static isc_mem_t *rndc_mctx; -static atomic_uint_fast32_t sends = ATOMIC_VAR_INIT(0); -static atomic_uint_fast32_t recvs = ATOMIC_VAR_INIT(0); -static atomic_uint_fast32_t connects = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t sends = 0; +static atomic_uint_fast32_t recvs = 0; +static atomic_uint_fast32_t connects = 0; static char *command; static char *args; static char program[256]; @@ -974,7 +974,7 @@ program, isc_commandline_option); usage(1); } - /* FALLTHROUGH */ + FALLTHROUGH; case 'h': usage(0); break; diff -Nru bind9-9.16.27/bin/rndc/rndc.rst bind9-9.16.33/bin/rndc/rndc.rst --- bind9-9.16.27/bin/rndc/rndc.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/rndc/rndc.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -161,14 +161,16 @@ ``rndc dnssec -rollover`` allows you to schedule key rollover for a specific key (overriding the original key lifetime). - ``rndc dnssec -checkds`` will let ``named`` know that the DS for the given - key has been seen published into or withdrawn from the parent. This is - required in order to complete a KSK rollover. If the ``-key id`` argument - is specified, look for the key with the given identifier, otherwise if there - is only one key acting as a KSK in the zone, assume the DS of that key (if - there are multiple keys with the same tag, use ``-alg algorithm`` to - select the correct algorithm). The time that the DS has been published or - withdrawn is set to now, unless otherwise specified with the argument ``-when time``. + ``rndc dnssec -checkds`` informs :iscman:`named` that the DS for + a specified zone's key-signing key has been confirmed to be published + in, or withdrawn from, the parent zone. This is required in order to + complete a KSK rollover. The ``-key id`` and ``-alg algorithm`` arguments + can be used to specify a particular KSK, if necessary; if there is only + one key acting as a KSK for the zone, these arguments can be omitted. + The time of publication or withdrawal for the DS is set to the current + time by default, but can be overridden to a specific time with the + argument ``-when time``, where ``time`` is expressed in YYYYMMDDHHMMSS + notation. ``dnstap`` ( **-reopen** | **-roll** [*number*] ) This command closes and re-opens DNSTAP output files. ``rndc dnstap -reopen`` allows 
@@ -479,15 +481,17 @@ depending on whether the opt-out bit in the NSEC3 chain should be set. ``iterations`` defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The ``salt`` is a string - of data expressed in hexadecimal, a hyphen (`-') if no salt is to be + of data expressed in hexadecimal, a hyphen (``-``) if no salt is to be used, or the keyword ``auto``, which causes ``named`` to generate a random 64-bit salt. - So, for example, to create an NSEC3 chain using the SHA-1 hash - algorithm, no opt-out flag, 10 iterations, and a salt value of - "FFFF", use: ``rndc signing -nsec3param 1 0 10 FFFF zone``. To set - the opt-out flag, 15 iterations, and no salt, use: - ``rndc signing -nsec3param 1 1 15 - zone``. + The only recommended configuration is ``rndc signing -nsec3param 1 0 0 - zone``, + i.e. no salt, no additional iterations, no opt-out. + + .. warning:: + Do not use extra iterations, salt, or opt-out unless all their implications + are fully understood. A higher number of iterations causes interoperability + problems and opens servers to CPU-exhausting DoS attacks. ``rndc signing -nsec3param none`` removes an existing NSEC3 chain and replaces it with NSEC. diff -Nru bind9-9.16.27/bin/tests/optional/adb_test.c bind9-9.16.33/bin/tests/optional/adb_test.c --- bind9-9.16.27/bin/tests/optional/adb_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/optional/adb_test.c 2022-09-08 13:01:23.000000000 +0000 
@@ -107,12 +107,12 @@ isc_mempool_put(cmp, client); } -static inline void +static void CLOCK(void) { RUNTIME_CHECK(isc_mutex_lock(&client_lock) == ISC_R_SUCCESS); } -static inline void +static void CUNLOCK(void) { RUNTIME_CHECK(isc_mutex_unlock(&client_lock) == ISC_R_SUCCESS); } diff -Nru bind9-9.16.27/bin/tests/optional/db_test.c bind9-9.16.33/bin/tests/optional/db_test.c --- bind9-9.16.27/bin/tests/optional/db_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/optional/db_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -845,7 +845,7 @@ if (dns_rdataset_isassociated(&rdataset)) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; default: if (dbi == NULL) { dns_db_detach(&db); diff -Nru bind9-9.16.27/bin/tests/optional/nsecify.c bind9-9.16.33/bin/tests/optional/nsecify.c --- bind9-9.16.27/bin/tests/optional/nsecify.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/optional/nsecify.c 2022-09-08 13:01:23.000000000 +0000 @@ -28,16 +28,16 @@ static isc_mem_t *mctx = NULL; -ISC_PLATFORM_NORETURN_PRE static inline void +ISC_PLATFORM_NORETURN_PRE static void fatal(const char *message) ISC_PLATFORM_NORETURN_POST; -static inline void +static void fatal(const char *message) { fprintf(stderr, "%s\n", message); exit(1); } -static inline void +static void check_result(isc_result_t result, const char *message) { if (result != ISC_R_SUCCESS) { fprintf(stderr, "%s: %s\n", message, isc_result_totext(result)); @@ -45,7 +45,7 @@ } } -static inline bool +static bool active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) { dns_rdatasetiter_t *rdsiter; bool active = false; 
@@ -89,7 +89,7 @@ return (active); } -static inline isc_result_t +static isc_result_t next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter, dns_name_t *name, dns_dbnode_t **nodep) { isc_result_t result; diff -Nru bind9-9.16.27/bin/tests/pkcs11/benchmarks/create.c bind9-9.16.33/bin/tests/pkcs11/benchmarks/create.c --- bind9-9.16.27/bin/tests/pkcs11/benchmarks/create.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/pkcs11/benchmarks/create.c 2022-09-08 13:01:23.000000000 +0000 @@ -160,8 +160,9 @@ perror("malloc"); exit(1); } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { hKey[i] = CK_INVALID_HANDLE; + } /* Initialize the CRYPTOKI library */ if (lib_name != NULL) { diff -Nru bind9-9.16.27/bin/tests/pkcs11/benchmarks/login.c bind9-9.16.33/bin/tests/pkcs11/benchmarks/login.c --- bind9-9.16.27/bin/tests/pkcs11/benchmarks/login.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/pkcs11/benchmarks/login.c 2022-09-08 13:01:23.000000000 +0000 @@ -137,8 +137,9 @@ perror("malloc"); exit(1); } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { hSession[i] = CK_INVALID_HANDLE; + } /* Initialize the CRYPTOKI library */ if (lib_name != NULL) { diff -Nru bind9-9.16.27/bin/tests/pkcs11/benchmarks/privrsa.c bind9-9.16.33/bin/tests/pkcs11/benchmarks/privrsa.c --- bind9-9.16.27/bin/tests/pkcs11/benchmarks/privrsa.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/pkcs11/benchmarks/privrsa.c 2022-09-08 13:01:23.000000000 +0000 
@@ -233,8 +233,9 @@ perror("malloc"); exit(1); } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { hKey[i] = CK_INVALID_HANDLE; + } /* Initialize the CRYPTOKI library */ if (lib_name != NULL) { diff -Nru bind9-9.16.27/bin/tests/pkcs11/benchmarks/pubrsa.c bind9-9.16.33/bin/tests/pkcs11/benchmarks/pubrsa.c --- bind9-9.16.27/bin/tests/pkcs11/benchmarks/pubrsa.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/pkcs11/benchmarks/pubrsa.c 2022-09-08 13:01:23.000000000 +0000 @@ -179,8 +179,9 @@ perror("malloc"); exit(1); } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { hKey[i] = CK_INVALID_HANDLE; + } /* Initialize the CRYPTOKI library */ if (lib_name != NULL) { diff -Nru bind9-9.16.27/bin/tests/pkcs11/benchmarks/session.c bind9-9.16.33/bin/tests/pkcs11/benchmarks/session.c --- bind9-9.16.27/bin/tests/pkcs11/benchmarks/session.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/pkcs11/benchmarks/session.c 2022-09-08 13:01:23.000000000 +0000 @@ -132,8 +132,9 @@ perror("malloc"); exit(1); } - for (i = 0; i < count; i++) + for (i = 0; i < count; i++) { hSession[i] = CK_INVALID_HANDLE; + } /* Initialize the CRYPTOKI library */ if (lib_name != NULL) { diff -Nru bind9-9.16.27/bin/tests/system/addzone/tests_rndc_deadlock.py bind9-9.16.33/bin/tests/system/addzone/tests_rndc_deadlock.py --- bind9-9.16.27/bin/tests/system/addzone/tests_rndc_deadlock.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/addzone/tests_rndc_deadlock.py 2022-09-08 13:01:23.000000000 +0000 
@@ -16,61 +16,63 @@ def run_rndc(server, rndc_command): - ''' + """ Send the specified 'rndc_command' to 'server' with a timeout of 10 seconds - ''' - rndc = os.getenv('RNDC') - port = os.getenv('CONTROLPORT') + """ + rndc = os.getenv("RNDC") + port = os.getenv("CONTROLPORT") - cmdline = [rndc, '-c', '../common/rndc.conf', '-p', port, '-s', server] + cmdline = [rndc, "-c", "../common/rndc.conf", "-p", port, "-s", server] cmdline.extend(rndc_command) subprocess.check_output(cmdline, stderr=subprocess.STDOUT, timeout=10) def rndc_loop(test_state, domain): - ''' + """ Run "rndc addzone", "rndc modzone", and "rndc delzone" in a tight loop until the test is considered finished, ignoring errors - ''' + """ rndc_commands = [ - ['addzone', domain, - '{ type master; file "example.db"; };'], - ['modzone', domain, - '{ type master; file "example.db"; allow-transfer { any; }; };'], - ['delzone', domain], + ["addzone", domain, '{ type master; file "example.db"; };'], + [ + "modzone", + domain, + '{ type master; file "example.db"; allow-transfer { any; }; };', + ], + ["delzone", domain], ] - while not test_state['finished']: + while not test_state["finished"]: for command in rndc_commands: try: - run_rndc('10.53.0.3', command) + run_rndc("10.53.0.3", command) except subprocess.SubprocessError: pass def check_if_server_is_responsive(): - ''' + """ Check if server status can be successfully retrieved using "rndc status" - ''' + """ try: - run_rndc('10.53.0.3', ['status']) + run_rndc("10.53.0.3", ["status"]) return True except subprocess.SubprocessError: return False def test_rndc_deadlock(): - ''' + """ Test whether running "rndc addzone", "rndc modzone", and "rndc delzone" commands concurrently does not trigger a deadlock - ''' - test_state = {'finished': False} + """ + test_state = {"finished": False} # Create 4 worker threads running "rndc" commands in a loop. 
with concurrent.futures.ThreadPoolExecutor() as executor: for i in range(1, 5): - domain = 'example%d' % i + domain = "example%d" % i executor.submit(rndc_loop, test_state, domain) # Run "rndc status" 10 times, with 1-second pauses between attempts. @@ -84,7 +86,7 @@ time.sleep(1) # Signal worker threads that the test is finished. - test_state['finished'] = True + test_state["finished"] = True # Check whether all "rndc status" commands succeeded. assert server_is_responsive diff -Nru bind9-9.16.27/bin/tests/system/autosign/clean.sh bind9-9.16.33/bin/tests/system/autosign/clean.sh --- bind9-9.16.27/bin/tests/system/autosign/clean.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/clean.sh 2022-09-08 13:01:23.000000000 +0000 @@ -35,6 +35,8 @@ rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf rm -f ns3/*.nzf rm -f ns3/autonsec3.example.db +rm -f ns3/cdnskey-delete.example.db +rm -f ns3/cds-delete.example.db rm -f ns3/delzsk.example.db rm -f ns3/dname-at-apex-nsec3.example.db rm -f ns3/inacksk2.example.db diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns1/keygen.sh bind9-9.16.33/bin/tests/system/autosign/ns1/keygen.sh --- bind9-9.16.27/bin/tests/system/autosign/ns1/keygen.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns1/keygen.sh 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ (cd ../ns2 && $SHELL keygen.sh ) -cat $infile ../ns2/dsset-example$TP > $zonefile +cat $infile ../ns2/dsset-example$TP ../ns2/dsset-bar$TP > $zonefile zskact=`$KEYGEN -3 -a RSASHA1 -q $zone` zskvanish=`$KEYGEN -3 -a RSASHA1 -q $zone` diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns2/keygen.sh bind9-9.16.33/bin/tests/system/autosign/ns2/keygen.sh --- bind9-9.16.27/bin/tests/system/autosign/ns2/keygen.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns2/keygen.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -17,8 +17,9 @@ # Have the child generate subdomain keys and pass DS sets to us. ( cd ../ns3 && $SHELL keygen.sh ) -for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs sync \ - dname-at-apex-nsec3 +for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 \ + nsec3-to-nsec oldsigs sync dname-at-apex-nsec3 cds-delete \ + cdnskey-delete do cp ../ns3/dsset-$subdomain.example$TP . done diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in bind9-9.16.33/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in --- bind9-9.16.27/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns3/cds-delete.example.db.in bind9-9.16.33/bin/tests/system/autosign/ns3/cds-delete.example.db.in --- bind9-9.16.27/bin/tests/system/autosign/ns3/cds-delete.example.db.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns3/cds-delete.example.db.in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2009102722 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +z A 10.0.0.26 +a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 +x CNAME a diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns3/keygen.sh bind9-9.16.33/bin/tests/system/autosign/ns3/keygen.sh --- bind9-9.16.27/bin/tests/system/autosign/ns3/keygen.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns3/keygen.sh 2022-09-08 13:01:23.000000000 +0000 @@ -333,7 +333,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # -# A zone that starts with a active KSK + ZSK and a inactive ZSK. +# A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inacksk3.example cp $infile $zonefile @@ -343,7 +343,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP # -# A zone that starts with a active KSK + ZSK and a inactive ZSK. +# A zone that starts with a active KSK + ZSK and a inactive ZSK. # setup inaczsk3.example cp $infile $zonefile 
@@ -364,10 +364,29 @@ echo $zsk > ../delzsk.key # -# Check that NSEC3 are correctly signed and returned from below a DNAME +# Check that NSEC3 are correctly signed and returned from below a DNAME # setup dname-at-apex-nsec3.example cp $infile $zonefile ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}$TP + +# +# Check that dynamically added CDS (DELETE) is kept in the zone after signing. +# +setup cds-delete.example +cp $infile $zonefile +ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out +$DSFROMKEY $ksk.key > dsset-${zone}$TP + +# +# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after +# signing. +# +setup cdnskey-delete.example +cp $infile $zonefile +ksk=`$KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out` || dumpit kg.out +$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}$TP diff -Nru bind9-9.16.27/bin/tests/system/autosign/ns3/named.conf.in bind9-9.16.33/bin/tests/system/autosign/ns3/named.conf.in --- bind9-9.16.27/bin/tests/system/autosign/ns3/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/ns3/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -317,4 +317,18 @@ auto-dnssec maintain; }; +zone "cds-delete.example" { + type primary; + file "cds-delete.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + +zone "cdnskey-delete.example" { + type primary; + file "cdnskey-delete.example.db"; + allow-update { any; }; + auto-dnssec maintain; +}; + include "trusted.conf"; diff -Nru bind9-9.16.27/bin/tests/system/autosign/tests.sh bind9-9.16.33/bin/tests/system/autosign/tests.sh --- bind9-9.16.27/bin/tests/system/autosign/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/autosign/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -1302,17 +1302,22 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking revoked key with duplicate key ID (failure expected) ($n)" -lret=0 +echo_i "checking revoked key with duplicate key ID ($n)" +ret=0 id=30676 -$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1 -grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1 -$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1 -n=`expr $n + 1` -if [ $lret != 0 ]; then echo_i "not yet implemented"; fi +rid=30804 +$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1 +keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l) +test $keys -eq 2 || ret=1 +$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +n=$((n + 1)) +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "checking key event timers are always set ($n)" +ret=0 # this is a regression test for a bug in which the next key event could # be scheduled for the present moment, and then never fire. check for # visible evidence of this error in the logs: 
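Review bot: Both added zones, `cds-delete.example` and `cdnskey-delete.example`, set `allow-update { any; };` with no comment saying why, which accepts unauthenticated dynamic updates from any client that can reach the server. The new autosign tests appear to rely on this to add the CDS/CDNSKEY DELETE records with nsupdate, so it is presumably intended for the 10.53.0.3 fixture. A short comment in each stanza would keep it from being copied into a real configuration, for example `/* test fixture only: unauthenticated updates; use a TSIG key or update-policy elsewhere */`.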
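Review bot: The key tags `id=30676` and `rid=30804` in the "revoked key with duplicate key ID" check are bare numbers, and nothing explains how they relate or why exactly two keys with tag `rid` must appear. The values differ by 128, which is consistent with the REVOKE flag changing the key tag, but that is an inference; the key setup in ns2 is not visible in this hunk. A comment above the assignments would make the assertion readable, e.g. `# rid = id + 128: tag of key $id once REVOKE is set; two DNSKEYs are then expected under $rid`, once confirmed. As a style point, this hunk moves the test to `$((...))` arithmetic while the neighbouring lines still use `expr`.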
@@ -1638,6 +1643,89 @@ [ "$inac" -eq 1 ] || ret=1 del=`grep "DNSKEY .* is now deleted" ns1/named.run | wc -l` [ "$del" -eq 1 ] || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that CDS (DELETE) persists after zone sign ($n)" +echo_i "update add cds-delete.example. CDS 0 0 00" +ret=0 +$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 + return 0 +) +_cdnskey_delete_nx() { + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 + return 0 +} + +echo_i "query cds-delete.example. CDS" +retry_quiet 10 _cds_delete cds-delete.example. || ret=1 +echo_i "query cds-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 + +echo_i "sign cds-delete.example." +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 +wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run +# The CDS (DELETE) record should still be here. +echo_i "query cds-delete.example. CDS" +retry_quiet 1 _cds_delete cds-delete.example. || ret=1 +# The CDNSKEY (DELETE) record should still not be added. +echo_i "query cds-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 + +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" +echo_i "update add cdnskey-delete.example. 
CDNSKEY 0 3 0 AA==" +ret=0 +$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 + grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 + return 0 +) +_cdnskey_delete() { + $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 + grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 + return 0 +} + +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1 +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 + +echo_i "sign cdsnskey-delete.example." +nextpart ns3/named.run >/dev/null +$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 +wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run +# The CDNSKEY (DELETE) record should still be here. +echo_i "query cdnskey-delete.example. CDNSKEY" +retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1 +# The CDS (DELETE) record should still not be added. +echo_i "query cdnskey-delete.example. CDS" +retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 + +n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff -Nru bind9-9.16.27/bin/tests/system/cds/checktime.pl bind9-9.16.33/bin/tests/system/cds/checktime.pl --- bind9-9.16.27/bin/tests/system/cds/checktime.pl 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/cds/checktime.pl 2022-09-08 13:01:23.000000000 +0000 
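Review bot: The progress message `echo_i "sign cdsnskey-delete.example."` in the CDNSKEY test misspells the zone, which is `cdnskey-delete.example` everywhere else in the hunk, so a grep of the test log for the zone name misses this step; it should read `echo_i "sign cdnskey-delete.example."`. Separately, the helpers `_cds_delete`, `_cdnskey_delete_nx`, `_cds_delete_nx` and `_cdnskey_delete` all redirect dig output to the same `dig.out.ns3.test$n`. Each query therefore overwrites the previous one, and because the script continues after `|| ret=1`, the output of a failed earlier check is lost; distinct names such as `dig.out.ns3.cds.test$n` and `dig.out.ns3.cdnskey.test$n` would keep it. The added lines also use `expr` for `n` and `status`, while the `@@ -1302` hunk of the same file switched to `$((...))`.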
@@ -24,4 +24,4 @@ die "missing notbefore time" unless $notbefore; die "missing inception time" unless $inception; my $delta = $inception - $notbefore; -die "bad inception time $delta" unless abs($delta - $target) <= 3; +die "bad inception time $delta" unless abs($delta - $target) <= 10; diff -Nru bind9-9.16.27/bin/tests/system/cds/tests.sh bind9-9.16.33/bin/tests/system/cds/tests.sh --- bind9-9.16.27/bin/tests/system/cds/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/cds/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ n=0 fail() { echo_i "failed" - status=`expr $status + 1` + status=$((status + 1)) } runcmd() { @@ -27,11 +27,11 @@ } testcase() { - n=`expr $n + 1` + n=$((n + 1)) echo_i "$name ($n)" expect=$1 shift - result=`runcmd "$@"` + result=$(runcmd "$@") check_stdout check_stderr if [ "$expect" -ne "$result" ]; then @@ -44,10 +44,10 @@ check_stderr() { if [ -n "${err:=}" ]; then egrep "$err" err.$n >/dev/null && return 0 + echo_d "stderr did not match '$err'" else [ -s err.$n ] || return 0 fi - echo_d "stderr did not match '$err'" cat err.$n | cat_d fail } diff -Nru bind9-9.16.27/bin/tests/system/chain/ans4/ans.py bind9-9.16.33/bin/tests/system/chain/ans4/ans.py --- bind9-9.16.27/bin/tests/system/chain/ans4/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/chain/ans4/ans.py 2022-09-08 13:01:23.000000000 +0000 
@@ -69,18 +69,22 @@ ############################################################################ actions = [] rrs = [] + + def ctl_channel(msg): global actions, rrs msg = msg.splitlines().pop(0) - print ('received control message: %s' % msg) + print("received control message: %s" % msg) - msg = msg.split(b'|') + msg = msg.split(b"|") if len(msg) == 0: return - actions = [x.strip() for x in msg[0].split(b',')] - n = functools.reduce(lambda n, act: (n + (2 if act == b'dname' else 1)), [0] + actions) + actions = [x.strip() for x in msg[0].split(b",")] + n = functools.reduce( + lambda n, act: (n + (2 if act == b"dname" else 1)), [0] + actions + ) if len(msg) == 1: rrs = [] @@ -89,29 +93,30 @@ rrs.append((i, b)) return - rlist = [x.strip() for x in msg[1].split(b',')] + rlist = [x.strip() for x in msg[1].split(b",")] rrs = [] for item in rlist: - if item[0] == b's'[0]: + if item[0] == b"s"[0]: i = int(item[1:].strip()) - 1 if i > n: - print ('invalid index %d' + (i + 1)) + print("invalid index %d" + (i + 1)) continue rrs.append((int(item[1:]) - 1, True)) else: i = int(item) - 1 if i > n: - print ('invalid index %d' % (i + 1)) + print("invalid index %d" % (i + 1)) continue rrs.append((i, False)) + ############################################################################ # Respond to a DNS query. ############################################################################ def create_response(msg): m = dns.message.from_wire(msg) qname = m.question[0].name.to_text() - labels = qname.lower().split('.') + labels = qname.lower().split(".") wantsigs = True if m.ednsflags & dns.flags.DO else False # get qtype 
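Review bot: In the `s`-prefixed branch of `ctl_channel` (the `@@ -89` hunk), `print("invalid index %d" + (i + 1))` adds an int to a str, so an out-of-range index raises TypeError instead of logging the problem and skipping the entry. The reformat carried this over unchanged from the old line. The non-`s` branch a few lines below already has the correct form, so the line should be `print("invalid index %d" % (i + 1))`. Since `msg` comes from the control socket, the exception would propagate out of `ctl_channel` to its caller, which is outside this hunk.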
@@ -124,27 +129,27 @@ # - sld is 'example' # - tld is 'com.' name = labels.pop(0) - domain = '.'.join(labels) + domain = ".".join(labels) sld = labels.pop(0) - tld = '.'.join(labels) + tld = ".".join(labels) - print ('query: ' + qname + '/' + typename) - print ('domain: ' + domain) + print("query: " + qname + "/" + typename) + print("domain: " + domain) # default answers, depending on QTYPE. # currently only A, AAAA, TXT and NS are supported. ttl = 86400 - additionalA = '10.53.0.4' - additionalAAAA = 'fd92:7065:b8e:ffff::4' - if typename == 'A': - final = '10.53.0.4' - elif typename == 'AAAA': - final = 'fd92:7065:b8e:ffff::4' - elif typename == 'TXT': - final = 'Some\ text\ here' - elif typename == 'NS': + additionalA = "10.53.0.4" + additionalAAAA = "fd92:7065:b8e:ffff::4" + if typename == "A": + final = "10.53.0.4" + elif typename == "AAAA": + final = "fd92:7065:b8e:ffff::4" + elif typename == "TXT": + final = "Some\ text\ here" + elif typename == "NS": domain = qname - final = ('ns1.%s' % domain) + final = "ns1.%s" % domain else: final = None @@ -153,9 +158,9 @@ delta = timedelta(30) t1 = t - delta t2 = t + delta - inception=t1.strftime('%Y%m%d000000') - expiry=t2.strftime('%Y%m%d000000') - sigdata='OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso=' + inception = t1.strftime("%Y%m%d000000") + expiry = t2.strftime("%Y%m%d000000") + sigdata = "OCXH2De0yE4NMTl9UykvOsJ4IBGs/ZIpff2rpaVJrVG7jQfmj50otBAp A0Zo7dpBU4ofv0N/F2Ar6LznCncIojkWptEJIAKA5tHegf/jY39arEpO cevbGp6DKxFhlkLXNcw7k9o7DSw14OaRmgAjXdTFbrl4AiAa0zAttFko Tso=" # construct answer set. answers = [] 
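Review bot: In the TXT branch, `final = "Some\ text\ here"` depends on `\ ` being an unrecognised escape that Python passes through literally. Python 3.6 and later warn about invalid escape sequences in ordinary string literals, and the documentation says they will eventually become a syntax error. A raw string keeps the same characters without the warning: `final = r"Some\ text\ here"`. The enclosing `create_response` starts before this hunk and continues after it.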
@@ -165,71 +170,97 @@ i = 0 for action in actions: - if name != 'test': + if name != "test": continue - if action == b'xname': - owner = curname + '.' + curdom - newname = 'cname%d' % i + if action == b"xname": + owner = curname + "." + curdom + newname = "cname%d" % i i += 1 - newdom = 'domain%d.%s' % (i, tld) + newdom = "domain%d.%s" % (i, tld) i += 1 - target = newname + '.' + newdom - print ('add external CNAME %s to %s' % (owner, target)) + target = newname + "." + newdom + print("add external CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add external RRISG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add external RRISG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curname = newname curdom = newdom continue - if action == b'cname': - owner = curname + '.' + curdom - newname = 'cname%d' % i - target = newname + '.' + curdom + if action == b"cname": + owner = curname + "." + curdom + newname = "cname%d" % i + target = newname + "." 
+ curdom i += 1 - print ('add CNAME %s to %s' % (owner, target)) + print("add CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add RRSIG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curname = newname continue - if action == b'dname': + if action == b"dname": owner = curdom - newdom = 'domain%d.%s' % (i, tld) + newdom = "domain%d.%s" % (i, tld) i += 1 - print ('add DNAME %s to %s' % (owner, newdom)) + print("add DNAME %s to %s" % (owner, newdom)) answers.append(dns.rrset.from_text(owner, ttl, IN, DNAME, newdom)) - rrsig = 'DNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add RRSIG(DNAME) %s to %s' % (owner, newdom)) + rrsig = "DNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add RRSIG(DNAME) %s to %s" % (owner, newdom)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) - owner = curname + '.' + curdom - target = curname + '.' + newdom - print ('add synthesized CNAME %s to %s' % (owner, target)) + owner = curname + "." + curdom + target = curname + "." 
+ newdom + print("add synthesized CNAME %s to %s" % (owner, target)) answers.append(dns.rrset.from_text(owner, ttl, IN, CNAME, target)) - rrsig = 'CNAME 5 3 %d %s %s 12345 %s %s' % \ - (ttl, expiry, inception, domain, sigdata) - print ('add synthesized RRSIG(CNAME) %s to %s' % (owner, target)) + rrsig = "CNAME 5 3 %d %s %s 12345 %s %s" % ( + ttl, + expiry, + inception, + domain, + sigdata, + ) + print("add synthesized RRSIG(CNAME) %s to %s" % (owner, target)) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) curdom = newdom continue # now add the final answer - owner = curname + '.' + curdom + owner = curname + "." + curdom answers.append(dns.rrset.from_text(owner, ttl, IN, rrtype, final)) - rrsig = '%s 5 3 %d %s %s 12345 %s %s' % \ - (typename, ttl, expiry, inception, domain, sigdata) + rrsig = "%s 5 3 %d %s %s 12345 %s %s" % ( + typename, + ttl, + expiry, + inception, + domain, + sigdata, + ) sigs.append(dns.rrset.from_text(owner, ttl, IN, RRSIG, rrsig)) # prepare the response and convert to wire format r = dns.message.make_response(m) - if name != 'test': + if name != "test": r.answer.append(answers[-1]) if wantsigs: r.answer.append(sigs[-1]) 
@@ -242,24 +273,29 @@ else: r.answer.append(answers[i]) - if typename != 'NS': - r.authority.append(dns.rrset.from_text(domain, ttl, IN, "NS", - ("ns1.%s" % domain))) - r.additional.append(dns.rrset.from_text(('ns1.%s' % domain), 86400, - IN, A, additionalA)) - r.additional.append(dns.rrset.from_text(('ns1.%s' % domain), 86400, - IN, AAAA, additionalAAAA)) + if typename != "NS": + r.authority.append( + dns.rrset.from_text(domain, ttl, IN, "NS", ("ns1.%s" % domain)) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, A, additionalA) + ) + r.additional.append( + dns.rrset.from_text(("ns1.%s" % domain), 86400, IN, AAAA, additionalAAAA) + ) r.flags |= dns.flags.AA r.use_edns() return r.to_wire() + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -270,11 +306,15 @@ ip4 = "10.53.0.4" ip6 = "fd92:7065:b8e:ffff::4" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 -try: ctrlport=int(os.environ['EXTRAPORT1']) -except: ctrlport=5300 +try: + ctrlport = int(os.environ["EXTRAPORT1"]) +except: + ctrlport = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) 
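Review bot: In `sigterm`, `running = False` binds a new local name because the function has no `global running`, so the module-level flag that is later set with `running = True` is never cleared by the handler. Shutdown only works because `sys.exit(0)` follows on the next line. Either drop the assignment or add `global running` as the first statement of the handler, so the code matches what it appears to intend.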
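Review bot: The two blocks that read `PORT` and `EXTRAPORT1` (the `@@ -270` hunk) still use a bare `except:` after being split onto separate lines. A bare except also catches KeyboardInterrupt and SystemExit. It also falls back to 5300 without any message when the variable holds a non-numeric value, so a misconfigured test run binds an unexpected port silently. The expected failures are a missing variable and a bad integer, so `except (KeyError, ValueError):` is sufficient for both blocks.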
@@ -296,18 +336,18 @@ signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Control channel on %s port %d" % (ip4, ctrlport)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Control channel on %s port %d" % (ip4, ctrlport)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket, ctrl_socket] @@ -328,7 +368,7 @@ if s == ctrl_socket: # Handle control channel input conn, addr = s.accept() - print ("Control channel connected") + print("Control channel connected") while True: msg = conn.recv(65535) if not msg: @@ -336,8 +376,7 @@ ctl_channel(msg) conn.close() if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6)) + print("Query received on %s" % (ip4 if s == query4_socket else ip6)) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff -Nru bind9-9.16.27/bin/tests/system/checkconf/bad-ksk-without-zsk.conf bind9-9.16.33/bin/tests/system/checkconf/bad-ksk-without-zsk.conf --- bind9-9.16.27/bin/tests/system/checkconf/bad-ksk-without-zsk.conf 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/bad-ksk-without-zsk.conf 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,24 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy ksk-without-zsk { + keys { + ksk lifetime 30d algorithm 13; + }; +}; + +zone "example" { + type primary; + file "example.db"; + dnssec-policy ksk-without-zsk; +}; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/bad-unpaired-keys.conf bind9-9.16.33/bin/tests/system/checkconf/bad-unpaired-keys.conf --- bind9-9.16.27/bin/tests/system/checkconf/bad-unpaired-keys.conf 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/bad-unpaired-keys.conf 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,27 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy unpaired-keys { + keys { + /* zsk without ksk */ + zsk lifetime 30d algorithm 13; + /* ksk without zsk */ + ksk lifetime 30d algorithm 7; + }; +}; + +zone "example" { + type primary; + file "example.db"; + dnssec-policy unpaired-keys; +}; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/bad-zsk-without-ksk.conf bind9-9.16.33/bin/tests/system/checkconf/bad-zsk-without-ksk.conf --- bind9-9.16.27/bin/tests/system/checkconf/bad-zsk-without-ksk.conf 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/bad-zsk-without-ksk.conf 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,24 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy zsk-without-ksk { + keys { + zsk lifetime 30d algorithm 13; + }; +}; + +zone "example" { + type primary; + file "example.db"; + dnssec-policy zsk-without-ksk; +}; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/good-kasp.conf bind9-9.16.33/bin/tests/system/checkconf/good-kasp.conf --- bind9-9.16.27/bin/tests/system/checkconf/good-kasp.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/good-kasp.conf 2022-09-08 13:01:23.000000000 +0000 @@ -40,15 +40,20 @@ zone "example1" { type master; file "example1.db"; + inline-signing yes; }; zone "example2" { type master; file "example2.db"; + allow-update { + "any"; + }; dnssec-policy "test"; }; zone "example3" { type master; file "example3.db"; + inline-signing yes; dnssec-policy "default"; }; zone "dnssec-policy-none-shared-zonefile1" { diff -Nru bind9-9.16.27/bin/tests/system/checkconf/good-key-directory.conf bind9-9.16.33/bin/tests/system/checkconf/good-key-directory.conf --- bind9-9.16.27/bin/tests/system/checkconf/good-key-directory.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/good-key-directory.conf 2022-09-08 13:01:23.000000000 +0000 @@ -46,6 +46,7 @@ type primary; file "localhost/example.com.zone"; dnssec-policy "localhost"; + inline-signing yes; }; }; @@ -56,6 +57,7 @@ type primary; file "external/example.com.zone"; dnssec-policy "internet"; + inline-signing yes; }; }; 
@@ -66,5 +68,6 @@ type primary; file "internal/example.com.zone"; dnssec-policy "intranet"; + inline-signing yes; }; }; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/good.conf bind9-9.16.33/bin/tests/system/checkconf/good.conf --- bind9-9.16.27/bin/tests/system/checkconf/good.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/good.conf 2022-09-08 13:01:23.000000000 +0000 @@ -106,6 +106,7 @@ zone "clone" { type master; file "yyy"; + inline-signing yes; max-ixfr-ratio unlimited; }; dnssec-validation auto; @@ -169,9 +170,12 @@ zone "p" { type primary; file "pfile"; + inline-signing yes; }; zone "s" { type secondary; + file "sfile"; + inline-signing yes; masters { 1.2.3.4; }; @@ -182,6 +186,7 @@ zone "dnssec-test" { type master; file "dnssec-test.db"; + inline-signing yes; parental-agents { 1.2.3.4; 1.2.3.5; @@ -192,6 +197,7 @@ zone "dnssec-default" { type master; file "dnssec-default.db"; + inline-signing yes; parental-agents { "parents"; }; @@ -200,6 +206,7 @@ zone "dnssec-inherit" { type master; file "dnssec-inherit.db"; + inline-signing yes; }; zone "dnssec-none" { type master; @@ -209,11 +216,13 @@ zone "dnssec-view1" { type master; file "dnssec-view41.db"; + inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type master; file "dnssec-view42.db"; + inline-signing yes; }; zone "dnssec-view3" { type master; @@ -233,17 +242,20 @@ zone "dnssec-view1" { type master; file "dnssec-view51.db"; + inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type master; file "dnssec-view52.db"; + inline-signing yes; dnssec-policy "test"; key-directory "keys"; }; zone "dnssec-view3" { type master; file "dnssec-view53.db"; + inline-signing yes; dnssec-policy "default"; key-directory "keys"; }; 
@@ -258,6 +270,7 @@ zone "hostname.bind" chaos { type master; database "_builtin hostname"; + inline-signing yes; }; }; dyndb "name" "library.so" { diff -Nru bind9-9.16.27/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf bind9-9.16.33/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf --- bind9-9.16.27/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf 2022-09-08 13:01:23.000000000 +0000 @@ -26,4 +26,3 @@ sig-validity-interval 3600; update-check-ksk yes; }; - diff -Nru bind9-9.16.27/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf bind9-9.16.33/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf --- bind9-9.16.27/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf 2022-09-08 13:01:23.000000000 +0000 @@ -57,4 +57,5 @@ type master; file "example.db"; dnssec-policy "default"; + inline-signing yes; }; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/kasp-ignore-keylen.conf bind9-9.16.33/bin/tests/system/checkconf/kasp-ignore-keylen.conf --- bind9-9.16.27/bin/tests/system/checkconf/kasp-ignore-keylen.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/kasp-ignore-keylen.conf 2022-09-08 13:01:23.000000000 +0000 @@ -22,5 +22,6 @@ type master; file "example.db"; dnssec-policy "warn-length"; + inline-signing yes; }; diff -Nru bind9-9.16.27/bin/tests/system/checkconf/tests.sh bind9-9.16.33/bin/tests/system/checkconf/tests.sh --- bind9-9.16.27/bin/tests/system/checkconf/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -503,7 +503,7 @@ echo_i "checking named-checkconf kasp errors ($n)" ret=0 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing;' cannot be set to 'no' if dnssec-policy is also set on a non-dynamic DNS zone" < checkconf.out$n > /dev/null || ret=1 +grep "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone" < checkconf.out$n > /dev/null || ret=1 grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 @@ -585,6 +585,14 @@ if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)" +ret=0 +$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1 +grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + n=$((n+1)) echo_i "check that masterfile-format map generates deprecation warning ($n)" ret=0 diff -Nru bind9-9.16.27/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf bind9-9.16.33/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf --- bind9-9.16.27/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf 2022-09-08 13:01:23.000000000 +0000 
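Review bot: The added max-zone-ttl check discards stderr (`2>/dev/null`) and then greps checkconf.out$n for the warning, while the kasp error check earlier in this file captures both streams with `2>&1`. If named-checkconf ever writes this warning to stderr, the grep can never match and the diagnostic output is lost; `$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>&1 || ret=1` would be consistent with the other checks. The block also increments with backtick `expr` although the very next test uses `n=$((n+1))`; `n=$((n+1))` and `status=$((status+ret))` would match it.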
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ inline-signing yes;
+ max-zone-ttl 600;
+};
diff -Nru bind9-9.16.27/bin/tests/system/checkds/conftest.py bind9-9.16.33/bin/tests/system/checkds/conftest.py
--- bind9-9.16.27/bin/tests/system/checkds/conftest.py 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/checkds/conftest.py 1970-01-01 00:00:00.000000000 +0000
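Review bot: The explanatory comment in warn-kasp-max-zone-ttl.conf does not describe this test: it says "The dnssec-policy is not defined", but the file sets `dnssec-policy default;` in options and the case being exercised is `max-zone-ttl 600;` on a zone that inherits that policy. The comment looks copied from another test configuration, which will mislead whoever next debugs a failure here. I would replace it with something like `/* max-zone-ttl is ignored (with a warning) when dnssec-policy applies to the zone, here inherited from options. */`, which matches the warning text that tests.sh greps for.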
@@ -1,71 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import os -import pytest - - -def pytest_configure(config): - config.addinivalue_line( - "markers", "dnspython: mark tests that need dnspython to function" - ) - config.addinivalue_line( - "markers", "dnspython2: mark tests that need dnspython >= 2.0.0" - ) - - -def pytest_collection_modifyitems(config, items): - # pylint: disable=unused-argument,unused-import,too-many-branches - # pylint: disable=import-outside-toplevel - - # Test for dnspython module - skip_dnspython = pytest.mark.skip( - reason="need dnspython module to run") - try: - import dns.query # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "dnspython" in item.keywords: - item.add_marker(skip_dnspython) - - # Test for dnspython >= 2.0.0 module - skip_dnspython2 = pytest.mark.skip( - reason="need dnspython >= 2.0.0 module to run") - try: - from dns.query import udp_with_fallback # noqa: F401 - except ImportError: - for item in items: - if "dnspython2" in item.keywords: - item.add_marker(skip_dnspython2) - - -@pytest.fixture -def named_port(request): - # pylint: disable=unused-argument - port = os.getenv("PORT") - if port is None: - port = 5301 - else: - port = int(port) - - return port - - -@pytest.fixture -def control_port(request): - # pylint: disable=unused-argument - port = os.getenv("CONTROLPORT") - if port is None: - port = 5301 - else: - port = int(port) - - return port diff -Nru bind9-9.16.27/bin/tests/system/checkds/ns9/named.conf.in bind9-9.16.33/bin/tests/system/checkds/ns9/named.conf.in --- 
bind9-9.16.27/bin/tests/system/checkds/ns9/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkds/ns9/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -49,6 +49,7 @@ zone "dspublished.checkds" { type primary; file "dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; }; }; @@ -60,6 +61,7 @@ zone "reference.checkds" { type primary; file "reference.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { "ns2"; }; }; @@ -71,6 +73,7 @@ zone "missing-dspublished.checkds" { type primary; file "missing-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.5 port @PORT@; // missing @@ -85,6 +88,7 @@ zone "bad-dspublished.checkds" { type primary; file "bad-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -98,6 +102,7 @@ zone "multiple-dspublished.checkds" { type primary; file "multiple-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -113,6 +118,7 @@ zone "incomplete-dspublished.checkds" { type primary; file "incomplete-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -130,6 +136,7 @@ zone "bad2-dspublished.checkds" { type primary; file "bad2-dspublished.checkds.db"; + inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.2 port @PORT@; @@ -150,6 +157,7 @@ zone "dswithdrawn.checkds" { type primary; file "dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; }; }; @@ -157,6 +165,7 @@ zone "missing-dswithdrawn.checkds" { type primary; file "missing-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published 
@@ -166,6 +175,7 @@ zone "bad-dswithdrawn.checkds" { type primary; file "bad-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -175,6 +185,7 @@ zone "multiple-dswithdrawn.checkds" { type primary; file "multiple-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; @@ -185,6 +196,7 @@ zone "incomplete-dswithdrawn.checkds" { type primary; file "incomplete-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published @@ -196,6 +208,7 @@ zone "bad2-dswithdrawn.checkds" { type primary; file "bad2-dswithdrawn.checkds.db"; + inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.5 port @PORT@; diff -Nru bind9-9.16.27/bin/tests/system/checkds/prereq.sh bind9-9.16.33/bin/tests/system/checkds/prereq.sh --- bind9-9.16.27/bin/tests/system/checkds/prereq.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkds/prereq.sh 2022-09-08 13:01:23.000000000 +0000 @@ -16,7 +16,7 @@ if test -n "$PYTHON" then - if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null + if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ] then : else diff -Nru bind9-9.16.27/bin/tests/system/checkds/tests-checkds.py bind9-9.16.33/bin/tests/system/checkds/tests-checkds.py --- bind9-9.16.27/bin/tests/system/checkds/tests-checkds.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkds/tests-checkds.py 2022-09-08 13:01:23.000000000 +0000 @@ -17,9 +17,18 @@ import sys import time -import dns.resolver import pytest +pytest.importorskip("dns", minversion="2.0.0") +import dns.exception +import dns.message +import dns.name +import dns.query +import dns.rcode +import dns.rdataclass +import dns.rdatatype +import dns.resolver + def has_signed_apex_nsec(zone, response): has_nsec = False 
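Review bot: When dnspython is not installed, the command substitution in the new prereq.sh test expands to an empty string, so the check becomes `[ "" -ge 2 ]` and the shell reports an integer-expression error instead of skipping quietly. The else branch is still taken, but the stray error ends up in the test output and hides the real reason for the skip. Supplying a fallback value keeps the comparison well-formed: `if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null || echo 0)" -ge 2 ]`. The surrounding if/else continues outside the hunk.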
@@ -46,18 +55,22 @@ def do_query(server, qname, qtype, tcp=False): - query = dns.message.make_query(qname, qtype, use_edns=True, - want_dnssec=True) + query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True) try: if tcp: - response = dns.query.tcp(query, server.nameservers[0], timeout=3, - port=server.port) + response = dns.query.tcp( + query, server.nameservers[0], timeout=3, port=server.port + ) else: - response = dns.query.udp(query, server.nameservers[0], timeout=3, - port=server.port) + response = dns.query.udp( + query, server.nameservers[0], timeout=3, port=server.port + ) except dns.exception.Timeout: - print("error: query timeout for query {} {} to {}".format( - qname, qtype, server.nameservers[0])) + print( + "error: query timeout for query {} {} to {}".format( + qname, qtype, server.nameservers[0] + ) + ) return None return response @@ -68,10 +81,10 @@ assert verify is not None filename = "{}out".format(zone) - with open(filename, 'w', encoding='utf-8') as file: + with open(filename, "w", encoding="utf-8") as file: for rr in transfer.answer: file.write(rr.to_text()) - file.write('\n') + file.write("\n") # dnssec-verify command with default arguments. verify_cmd = [verify, "-z", "-o", zone, filename] 
@@ -99,30 +112,39 @@ if response.rcode() == dns.rcode.NOERROR: # fetch key id from response. for rr in response.answer: - if rr.match(dns.name.from_text(zone), dns.rdataclass.IN, - dns.rdatatype.DS, dns.rdatatype.NONE): + if rr.match( + dns.name.from_text(zone), + dns.rdataclass.IN, + dns.rdatatype.DS, + dns.rdatatype.NONE, + ): if count == 0: keyid = list(dict(rr.items).items())[0][0].key_tag count += 1 if count != 1: - print("error: expected a single DS in response for {} from {}," - "got {}".format(zone, addr, count)) + print( + "error: expected a single DS in response for {} from {}," + "got {}".format(zone, addr, count) + ) return {} else: - print("error: {} response for {} DNSKEY from {}".format( - dns.rcode.to_text(response.rcode()), zone, addr)) + print( + "error: {} response for {} DNSKEY from {}".format( + dns.rcode.to_text(response.rcode()), zone, addr + ) + ) return {} filename = "ns9/K{}+013+{:05d}.state".format(zone, keyid) print("read state file {}".format(filename)) try: - with open(filename, 'r', encoding='utf-8') as file: + with open(filename, "r", encoding="utf-8") as file: for line in file: - if line.startswith(';'): + if line.startswith(";"): continue - key, val = line.strip().split(':', 1) + key, val = line.strip().split(":", 1) state[key.strip()] = val.strip() except FileNotFoundError: @@ -138,14 +160,17 @@ # wait until zone is fully signed. signed = False for _ in range(10): - response = do_query(server, zone, 'NSEC') + response = do_query(server, zone, "NSEC") if not isinstance(response, dns.message.Message): print("error: no response for {} NSEC from {}".format(zone, addr)) elif response.rcode() == dns.rcode.NOERROR: signed = has_signed_apex_nsec(zone, response) else: - print("error: {} response for {} NSEC from {}".format( - dns.rcode.to_text(response.rcode()), zone, addr)) + print( + "error: {} response for {} NSEC from {}".format( + dns.rcode.to_text(response.rcode()), zone, addr + ) + ) if signed: break 
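Review bot: In the reformatted DS check, the two adjacent string literals `"error: expected a single DS in response for {} from {},"` and `"got {}"` concatenate with no space, so the message prints as "…from ADDR,got N"; the first literal should end with `{}, "`. The else branch just below reports a "DNSKEY" response although this block matches `dns.rdatatype.DS` records, so the message presumably should say DS. The query itself is outside the hunk, so confirm that before changing it. Since these lines were being rewritten anyway, this was a convenient place to fix both. The enclosing function starts and ends outside the hunk.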
@@ -156,14 +181,17 @@ # check if zone if DNSSEC valid. verified = False - transfer = do_query(server, zone, 'AXFR', tcp=True) + transfer = do_query(server, zone, "AXFR", tcp=True) if not isinstance(transfer, dns.message.Message): print("error: no response for {} AXFR from {}".format(zone, addr)) elif transfer.rcode() == dns.rcode.NOERROR: verified = verify_zone(zone, transfer) else: - print("error: {} response for {} AXFR from {}".format( - dns.rcode.to_text(transfer.rcode()), zone, addr)) + print( + "error: {} response for {} AXFR from {}".format( + dns.rcode.to_text(transfer.rcode()), zone, addr + ) + ) assert verified @@ -173,7 +201,7 @@ deny = False search = key - if key.startswith('!'): + if key.startswith("!"): deny = True search = key[1:] @@ -204,7 +232,7 @@ print("read log file {}".format(filename)) try: - with open(filename, 'r', encoding='utf-8') as file: + with open(filename, "r", encoding="utf-8") as file: s = mmap.mmap(file.fileno(), 0, access=mmap.ACCESS_READ) if s.find(bytes(log, "ascii")) != -1: found = True @@ -220,8 +248,6 @@ assert found -@pytest.mark.dnspython -@pytest.mark.dnspython2 def test_checkds_dspublished(named_port): # We create resolver instances that will be used to send queries. server = dns.resolver.Resolver() 
@@ -234,67 +260,89 @@ # DS correctly published in parent. zone_check(server, "dspublished.checkds.") - wait_for_log("ns9/named.run", - "zone dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") + wait_for_log( + "ns9/named.run", + "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2", + ) keystate_check(parent, "dspublished.checkds.", "DSPublish") # DS correctly published in parent (reference to parental-agent). zone_check(server, "reference.checkds.") - wait_for_log("ns9/named.run", - "zone reference.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") + wait_for_log( + "ns9/named.run", + "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2", + ) keystate_check(parent, "reference.checkds.", "DSPublish") # DS not published in parent. zone_check(server, "missing-dspublished.checkds.") - wait_for_log("ns9/named.run", - "zone missing-dspublished.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") + wait_for_log( + "ns9/named.run", + "zone missing-dspublished.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish") # Badly configured parent. zone_check(server, "bad-dspublished.checkds.") - wait_for_log("ns9/named.run", - "zone bad-dspublished.checkds/IN (signed): checkds: " - "bad DS response from 10.53.0.6") + wait_for_log( + "ns9/named.run", + "zone bad-dspublished.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish") # TBD: DS published in parent, but bogus signature. # DS correctly published in all parents. 
zone_check(server, "multiple-dspublished.checkds.") - wait_for_log("ns9/named.run", - "zone multiple-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") - wait_for_log("ns9/named.run", - "zone multiple-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.4") + wait_for_log( + "ns9/named.run", + "zone multiple-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone multiple-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish") # DS published in only one of multiple parents. zone_check(server, "incomplete-dspublished.checkds.") - wait_for_log("ns9/named.run", - "zone incomplete-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") - wait_for_log("ns9/named.run", - "zone incomplete-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.4") - wait_for_log("ns9/named.run", - "zone incomplete-dspublished.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dspublished.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish") # One of the parents is badly configured. 
- wait_for_log("ns9/named.run", - "zone bad2-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") - wait_for_log("ns9/named.run", - "zone bad2-dspublished.checkds/IN (signed): checkds: " - "DS response from 10.53.0.4") - wait_for_log("ns9/named.run", - "zone bad2-dspublished.checkds/IN (signed): checkds: " - "bad DS response from 10.53.0.6") + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.4", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dspublished.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish") # TBD: DS published in all parents, but one has bogus signature. @@ -302,8 +350,6 @@ # TBD: Check with TSIG -@pytest.mark.dnspython -@pytest.mark.dnspython2 def test_checkds_dswithdrawn(named_port): # We create resolver instances that will be used to send queries. server = dns.resolver.Resolver() 
@@ -316,60 +362,82 @@ # DS correctly published in single parent. zone_check(server, "dswithdrawn.checkds.") - wait_for_log("ns9/named.run", - "zone dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") + wait_for_log( + "ns9/named.run", + "zone dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved") # DS not withdrawn from parent. zone_check(server, "missing-dswithdrawn.checkds.") - wait_for_log("ns9/named.run", - "zone missing-dswithdrawn.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") + wait_for_log( + "ns9/named.run", + "zone missing-dswithdrawn.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved") # Badly configured parent. zone_check(server, "bad-dswithdrawn.checkds.") - wait_for_log("ns9/named.run", - "zone bad-dswithdrawn.checkds/IN (signed): checkds: " - "bad DS response from 10.53.0.6") + wait_for_log( + "ns9/named.run", + "zone bad-dswithdrawn.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved") # TBD: DS published in parent, but bogus signature. # DS correctly withdrawn from all parents. 
zone_check(server, "multiple-dswithdrawn.checkds.") - wait_for_log("ns9/named.run", - "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") - wait_for_log("ns9/named.run", - "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.7") + wait_for_log( + "ns9/named.run", + "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone multiple-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved") # DS withdrawn from only one of multiple parents. zone_check(server, "incomplete-dswithdrawn.checkds.") - wait_for_log("ns9/named.run", - "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " - "DS response from 10.53.0.2") - wait_for_log("ns9/named.run", - "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") - wait_for_log("ns9/named.run", - "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.7") + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "DS response from 10.53.0.2", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved") # One of the parents is badly configured. 
- wait_for_log("ns9/named.run", - "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.5") - wait_for_log("ns9/named.run", - "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " - "empty DS response from 10.53.0.7") - wait_for_log("ns9/named.run", - "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " - "bad DS response from 10.53.0.6") + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.5", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.7", + ) + wait_for_log( + "ns9/named.run", + "zone bad2-dswithdrawn.checkds/IN (signed): checkds: " + "bad DS response from 10.53.0.6", + ) keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved") # TBD: DS withdrawn from all parents, but one has bogus signature. diff -Nru bind9-9.16.27/bin/tests/system/checkzone/tests.sh bind9-9.16.33/bin/tests/system/checkzone/tests.sh --- bind9-9.16.27/bin/tests/system/checkzone/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkzone/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -30,9 +30,9 @@ $CHECKZONE -i local example $db > test.out.$n 2>&1 || ret=1 ;; esac - n=`expr $n + 1` + n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status+ret)) done for db in zones/bad*.db @@ -48,9 +48,9 @@ ;; esac test $v = 1 || ret=1 - n=`expr $n + 1` + n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status+ret)) done echo_i "checking with journal file ($n)" 
@@ -58,16 +58,16 @@ $CHECKZONE -D -o test.orig.db test zones/test1.db > /dev/null 2>&1 || ret=1 $CHECKZONE -D -o test.changed.db test zones/test2.db > /dev/null 2>&1 || ret=1 $MAKEJOURNAL test test.orig.db test.changed.db test.orig.db.jnl 2>&1 || ret=1 -jlines=`$JOURNALPRINT test.orig.db.jnl | wc -l` +jlines=$($JOURNALPRINT test.orig.db.jnl | wc -l) [ $jlines = 3 ] || ret=1 $CHECKZONE -D -j -o test.out1.db test test.orig.db > /dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out1.db || ret=1 mv -f test.orig.db.jnl test.journal $CHECKZONE -D -J test.journal -o test.out2.db test test.orig.db > /dev/null 2>&1 || ret=1 cmp -s test.changed.db test.out2.db || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking with spf warnings ($n)" ret=0 @@ -79,25 +79,25 @@ grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking with max ttl (text) ($n)" ret=0 $CHECKZONE -l 300 example zones/good1.db > test.out1.$n 2>&1 && ret=1 $CHECKZONE -l 600 example zones/good1.db > test.out2.$n 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking with max ttl (raw) ($n)" ret=0 $CHECKZONE -f raw -l 300 example good1.db.raw > test.out1.$n 2>&1 && ret=1 $CHECKZONE -f raw -l 600 example good1.db.raw > test.out2.$n 2>&1 || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking with max ttl (map) ($n)" ret=0 
@@ -111,33 +111,33 @@ ret=0 $CHECKZONE example zones/nowarn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 grep "inherited.owner" test.out1.$n > /dev/null && ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking for 'inherited owner' warning on '\$ORIGIN + \$INCLUDE file' ($n)" ret=0 $CHECKZONE example zones/warn.inherit.origin.db > test.out1.$n 2>&1 || ret=1 grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking for 'inherited owner' warning on '\$INCLUDE file origin' ($n)" ret=0 $CHECKZONE example zones/warn.inherited.owner.db > test.out1.$n 2>&1 || ret=1 grep "inherited.owner" test.out1.$n > /dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that raw zone with bad class is handled ($n)" ret=0 $CHECKZONE -f raw example zones/bad-badclass.raw > test.out.$n 2>&1 && ret=1 grep "failed: bad class" test.out.$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that expirations that loop using serial arithmetic are handled ($n)" ret=0 
@@ -164,25 +164,35 @@ test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 test $ret -eq 1 || $CHECKZONE $q dyn.example.net zones/crashzone.db || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 $CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" ret=0 $CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 grep "is below a DNAME" test.out.$n >/dev/null || ret=1 -n=`expr $n + 1` +n=$((n+1)) if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) + +n=$((n+1)) +ret=0 +echo_i "checking integer overflow is prevented in \$GENERATE ($n)" +$CHECKZONE -D example.com zones/generate-overflow.db > test.out.$n 2>&1 || ret=1 +lines=$(grep -c CNAME test.out.$n) +echo $lines +[ "$lines" -eq 1 ] || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-garbage.db bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-garbage.db --- bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-garbage.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-garbage.db 2022-09-08 13:01:23.000000000 +0000 
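Review bot: The new $GENERATE overflow test leaves a bare `echo $lines` in place, which writes an unprefixed number to the test output instead of going through `echo_i` like every other message in this script. It looks like leftover debugging; I would drop it or make it `echo_i "found $lines CNAME record(s)"`. The assertion `[ "$lines" -eq 1 ]` is the useful part, and a short comment such as `# the step is close to INT_MAX, so only the start value 19 may be generated` would explain why exactly one record is expected.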
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1,0,dgarbagegarbage}
diff -Nru bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db
--- bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-missing-brace.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 0-7 host$ A 1.2.3.${1000
diff -Nru bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-range.db bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-range.db
--- bind9-9.16.27/bin/tests/system/checkzone/zones/bad-generate-range.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/checkzone/zones/bad-generate-range.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+; 2147483647 + 1 overflows what can be represented in an 'int'
+$GENERATE 1-1 host$ TXT foo${2147483647}
diff -Nru bind9-9.16.27/bin/tests/system/checkzone/zones/generate-overflow.db bind9-9.16.33/bin/tests/system/checkzone/zones/generate-overflow.db
--- bind9-9.16.27/bin/tests/system/checkzone/zones/generate-overflow.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/checkzone/zones/generate-overflow.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@ SOA ns hostmaster 2011012708 3600 1200 604800 1200
+ NS ns
+ns A 192.0.2.1
+
+$GENERATE 19-28/2147483645 $ CNAME x
diff -Nru bind9-9.16.27/bin/tests/system/checkzone/zones/good-generate-modifier.db bind9-9.16.33/bin/tests/system/checkzone/zones/good-generate-modifier.db
--- bind9-9.16.27/bin/tests/system/checkzone/zones/good-generate-modifier.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/checkzone/zones/good-generate-modifier.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 600 +@ SOA ns hostmaster 2011012708 3600 1200 604800 1200 + NS ns +ns A 192.0.2.1 + +$GENERATE 0-7 host$ A 1.2.3.${1,0,d} +$GENERATE 8-9 host$ A 1.2.3.${1,0} +$GENERATE 10-11 host$ A 1.2.3.${1} +$GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x} diff -Nru bind9-9.16.27/bin/tests/system/conf.sh.common bind9-9.16.33/bin/tests/system/conf.sh.common --- bind9-9.16.27/bin/tests/system/conf.sh.common 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/conf.sh.common 2022-09-08 13:01:23.000000000 +0000 @@ -303,6 +303,9 @@ DISABLED_ALGORITHM_NUMBER=14 DISABLED_BITS=384 +# Default HMAC algorithm. +DEFAULT_HMAC=hmac-sha256 + # # Useful functions in test scripts # @@ -712,6 +715,7 @@ -e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \ -e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \ -e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \ + -e "s/${atsign}DEFAULT_HMAC${atsign}/${DEFAULT_HMAC}/g" \ -e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \ -e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \ -e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \ diff -Nru bind9-9.16.27/bin/tests/system/conftest.py bind9-9.16.33/bin/tests/system/conftest.py --- bind9-9.16.27/bin/tests/system/conftest.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/conftest.py 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,31 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os + +import pytest + + +@pytest.fixture(scope="session") +def named_port(): + return int(os.environ.get("PORT", default=5300)) + + +@pytest.fixture(scope="session") +def named_tlsport(): + return int(os.environ.get("TLSPORT", default=8853)) + + +@pytest.fixture(scope="session") +def control_port(): + return int(os.environ.get("CONTROLPORT", default=9953)) diff -Nru bind9-9.16.27/bin/tests/system/cookie/ans9/ans.py bind9-9.16.33/bin/tests/system/cookie/ans9/ans.py --- bind9-9.16.27/bin/tests/system/cookie/ans9/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/cookie/ans9/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -40,20 +40,17 @@ with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + # DNS 2.0 keyring specifies the algorithm try: - keyring = dns.tsigkeyring.from_text({ "foo" : { - "hmac-sha256", - "aaaaaaaaaaaa" - } , - "fake" : { - "hmac-sha256", - "aaaaaaaaaaaa" - } - }) + keyring = dns.tsigkeyring.from_text( + { + "foo": {"hmac-sha256", "aaaaaaaaaaaa"}, + "fake": {"hmac-sha256", "aaaaaaaaaaaa"}, + } + ) except: - keyring = dns.tsigkeyring.from_text({ "foo" : "aaaaaaaaaaaa", - "fake" : "aaaaaaaaaaaa" }) + keyring = dns.tsigkeyring.from_text({"foo": "aaaaaaaaaaaa", "fake": "aaaaaaaaaaaa"}) dopass2 = False @@ -81,7 +78,7 @@ m = dns.message.from_wire(msg, keyring=keyring) qname = m.question[0].name.to_text() lqname = qname.lower() - labels = lqname.split('.') + labels = lqname.split(".") rrtype = m.question[0].rdtype typename = dns.rdatatype.to_text(rrtype) 
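Review bot: In the `@@ -40,20 +40,17 @@` hunk of cookie/ans9/ans.py the reformatted keyring values, e.g. `"foo": {"hmac-sha256", "aaaaaaaaaaaa"}`, are Python set literals, so the order of the two strings is not defined. If dnspython unpacks each value as an (algorithm, secret) pair, which string ends up as the secret can differ between runs. A tuple keeps the order fixed: `"foo": ("hmac-sha256", "aaaaaaaaaaaa"),`. The bare `except:` right after it would hide any resulting error by silently falling back to the algorithm-less keyring, so `except Exception:` plus a one-line comment naming the expected failure would make the fallback easier to audit.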
@@ -113,27 +110,31 @@ # Add a server cookie to the response if labels[0] != "nocookie": for o in m.options: - if o.otype == 10: # Use 10 instead of COOKIE - if first and labels[0] == "withtsig" and not tcp: - r.use_tsig(keyring = keyring, - keyname = dns.name.from_text("fake"), - algorithm = HMAC_SHA256) - elif labels[0] != "tcponly" or tcp: - cookie = o - if len(o.data) == 8: - cookie.data = o.data + o.data - else: - cookie.data = o.data - r.use_edns(options=[cookie]) + if o.otype == 10: # Use 10 instead of COOKIE + if first and labels[0] == "withtsig" and not tcp: + r.use_tsig( + keyring=keyring, + keyname=dns.name.from_text("fake"), + algorithm=HMAC_SHA256, + ) + elif labels[0] != "tcponly" or tcp: + cookie = o + if len(o.data) == 8: + cookie.data = o.data + o.data + else: + cookie.data = o.data + r.use_edns(options=[cookie]) r.flags |= dns.flags.AA return r + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -146,8 +147,10 @@ ip6_addr1 = "fd92:7065:b8e:ffff::9" ip6_addr2 = "fd92:7065:b8e:ffff::10" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_udp1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_udp1.bind((ip4_addr1, port)) 
@@ -195,24 +198,32 @@ signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Using DNS version %s" % dns.version.version) -print ("Listening on %s port %d" % (ip4_addr1, port)) -print ("Listening on %s port %d" % (ip4_addr2, port)) +print("Using DNS version %s" % dns.version.version) +print("Listening on %s port %d" % (ip4_addr1, port)) +print("Listening on %s port %d" % (ip4_addr2, port)) if havev6: - print ("Listening on %s port %d" % (ip6_addr1, port)) - print ("Listening on %s port %d" % (ip6_addr2, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6_addr1, port)) + print("Listening on %s port %d" % (ip6_addr2, port)) +print("Ctrl-c to quit") if havev6: - input = [query4_udp1, query6_udp1, query4_tcp1, query6_tcp1, - query4_udp2, query6_udp2, query4_tcp2, query6_tcp2] + input = [ + query4_udp1, + query6_udp1, + query4_tcp1, + query6_tcp1, + query4_udp2, + query6_udp2, + query4_tcp2, + query6_tcp2, + ] else: input = [query4_udp1, query4_tcp1, query4_udp2, query4_tcp2] @@ -228,14 +239,19 @@ for s in inputready: ns10 = False - if s == query4_udp1 or s == query6_udp1 or \ - s == query4_udp2 or s == query6_udp2: + if s == query4_udp1 or s == query6_udp1 or s == query4_udp2 or s == query6_udp2: if s == query4_udp1 or s == query6_udp1: - print ("UDP Query received on %s" % - (ip4_addr1 if s == query4_udp1 else ip6_addr1), end=" ") + print( + "UDP Query received on %s" + % (ip4_addr1 if s == query4_udp1 else ip6_addr1), + end=" ", + ) if s == query4_udp2 or s == query6_udp2: - print ("UDP Query received on %s" % - (ip4_addr2 if s == query4_udp2 else ip6_addr2), end=" ") + print( + "UDP Query received on %s" + % (ip4_addr2 if s == query4_udp2 else ip6_addr2), + end=" ", + ) ns10 = True # Handle incoming queries msg = s.recvfrom(65535) 
@@ -244,31 +260,36 @@ print(dns.rcode.to_text(rsp.rcode())) s.sendto(rsp.to_wire(), msg[1]) if dopass2: - print ("Sending second UDP response without TSIG", end=" ") + print("Sending second UDP response without TSIG", end=" ") rsp = create_response(msg[0], False, False, ns10) s.sendto(rsp.to_wire(), msg[1]) print(dns.rcode.to_text(rsp.rcode())) - if s == query4_tcp1 or s == query6_tcp1 or \ - s == query4_tcp2 or s == query6_tcp2: + if s == query4_tcp1 or s == query6_tcp1 or s == query4_tcp2 or s == query6_tcp2: try: (cs, _) = s.accept() if s == query4_tcp1 or s == query6_tcp1: - print ("TCP Query received on %s" % - (ip4_addr1 if s == query4_tcp1 else ip6_addr1), end=" ") + print( + "TCP Query received on %s" + % (ip4_addr1 if s == query4_tcp1 else ip6_addr1), + end=" ", + ) if s == query4_tcp2 or s == query6_tcp2: - print ("TCP Query received on %s" % - (ip4_addr2 if s == query4_tcp2 else ip6_addr2), end=" ") + print( + "TCP Query received on %s" + % (ip4_addr2 if s == query4_tcp2 else ip6_addr2), + end=" ", + ) ns10 = True # get TCP message length buf = cs.recv(2) - length = struct.unpack('>H', buf[:2])[0] + length = struct.unpack(">H", buf[:2])[0] # grep DNS message msg = cs.recv(length) rsp = create_response(msg, True, True, ns10) print(dns.rcode.to_text(rsp.rcode())) wire = rsp.to_wire() - cs.send(struct.pack('>H', len(wire))) + cs.send(struct.pack(">H", len(wire))) cs.send(wire) cs.close() except s.timeout: diff -Nru bind9-9.16.27/bin/tests/system/dnssec/ans10/ans.py bind9-9.16.33/bin/tests/system/dnssec/ans10/ans.py --- bind9-9.16.27/bin/tests/system/dnssec/ans10/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/ans10/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -30,6 +30,7 @@ with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + ############################################################################ # Respond to a DNS query. # SOA gets a unsigned response. 
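Review bot: The TCP branch in the `@@ -244,31 +260,36 @@` hunk still ends with `except s.timeout:`, but `s` is the listening socket object and its `timeout` attribute is a number or None, not an exception class, so an exception raised inside the `try` would surface as a TypeError instead of being handled; `except socket.timeout:` looks like what was intended. The reads `buf = cs.recv(2)` and `msg = cs.recv(length)` also assume each call returns the full amount, so a short read either makes `struct.unpack(">H", ...)` fail or hands a truncated message to `create_response`. A small helper that loops until the requested length is read, and gives up on EOF, would make the responder tolerant of segmented input. The body of the `except` clause is outside the hunk.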
@@ -54,10 +55,16 @@ now = datetime.today() expire = now + timedelta(days=30) inception = now - timedelta(days=1) - rrsig = "A 13 2 60 " + expire.strftime("%Y%m%d%H%M%S") + " " + \ - inception.strftime("%Y%m%d%H%M%S") + " 12345 " + qname + \ - " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + \ - "y2Qs7y5VCjSMOGn85bnaMoAc7w==" + rrsig = ( + "A 13 2 60 " + + expire.strftime("%Y%m%d%H%M%S") + + " " + + inception.strftime("%Y%m%d%H%M%S") + + " 12345 " + + qname + + " gB+eISXAhSPZU2i/II0W9ZUhC2SCIrb94mlNvP5092WAeXxqN/vG43/1nmDl" + + "y2Qs7y5VCjSMOGn85bnaMoAc7w==" + ) r.answer.append(dns.rrset.from_text(qname, 1, IN, A, "10.53.0.10")) r.answer.append(dns.rrset.from_text(qname, 1, IN, RRSIG, rrsig)) elif rrtype == NS: @@ -69,12 +76,14 @@ r.flags |= dns.flags.AA return r + def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -85,8 +94,10 @@ ip4 = "10.53.0.10" ip6 = "fd92:7065:b8e:ffff::10" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) @@ -102,17 +113,17 @@ havev6 = False signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket] 
@@ -131,8 +142,9 @@ for s in inputready: if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6), end=" ") + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff -Nru bind9-9.16.27/bin/tests/system/dnssec/ns2/example.db.in bind9-9.16.33/bin/tests/system/dnssec/ns2/example.db.in --- bind9-9.16.27/bin/tests/system/dnssec/ns2/example.db.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/ns2/example.db.in 2022-09-08 13:01:23.000000000 +0000 @@ -55,6 +55,10 @@ insecure NS ns.insecure ns.insecure A 10.53.0.3 +; A second insecure subdomain +insecure2 NS ns.insecure2 +ns.insecure2 A 10.53.0.3 + ; A secure subdomain we're going to inject bogus data into bogus NS ns.bogus ns.bogus A 10.53.0.3 diff -Nru bind9-9.16.27/bin/tests/system/dnssec/ns3/insecure2.example.db bind9-9.16.33/bin/tests/system/dnssec/ns3/insecure2.example.db --- bind9-9.16.27/bin/tests/system/dnssec/ns3/insecure2.example.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/ns3/insecure2.example.db 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +d A 10.0.0.4 +x DNSKEY 258 3 5 Cg== +z A 10.0.0.26 diff -Nru bind9-9.16.27/bin/tests/system/dnssec/ns3/named.conf.in bind9-9.16.33/bin/tests/system/dnssec/ns3/named.conf.in --- bind9-9.16.27/bin/tests/system/dnssec/ns3/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/ns3/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -78,6 +78,12 @@ allow-update { any; }; }; +zone "insecure2.example" { + type primary; + file "insecure2.example.db"; + allow-update { any; }; +}; + zone "insecure.nsec3.example" { type primary; file "insecure.nsec3.example.db"; diff -Nru bind9-9.16.27/bin/tests/system/dnssec/ns3/sign.sh bind9-9.16.33/bin/tests/system/dnssec/ns3/sign.sh --- bind9-9.16.27/bin/tests/system/dnssec/ns3/sign.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/ns3/sign.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -121,12 +121,12 @@ "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null -# Change the signer field of the a.b.keyless.example SIG A -# to point to a provably nonexistent KEY record. +# Change the signer field of the a.b.keyless.example RRSIG A +# to point to a provably nonexistent DNSKEY record. zonefiletmp=$(mktemp "$zonefile.XXXXXX") || exit 1 mv "$zonefile.signed" "$zonefiletmp" <"$zonefiletmp" "$PERL" -p -e 's/ keyless.example/ b.keyless.example/ - if /^a.b.keyless.example/../NXT/;' > "$zonefile.signed" + if /^a.b.keyless.example/../A RRSIG NSEC/;' > "$zonefile.signed" rm -f "$zonefiletmp" # diff -Nru bind9-9.16.27/bin/tests/system/dnssec/tests.sh bind9-9.16.33/bin/tests/system/dnssec/tests.sh --- bind9-9.16.27/bin/tests/system/dnssec/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnssec/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -940,7 +940,7 @@ ret=0 echo_i "checking that validation fails when key record is missing using dns_client ($n)" delv_with_opts +cd @10.53.0.4 a a.b.keyless.example > delv.out$n 2>&1 || ret=1 - grep "resolution failed: broken trust chain" delv.out$n > /dev/null || ret=1 + grep "resolution failed: insecurity proof failed" delv.out$n > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -1794,8 +1794,12 @@ $SIGNER -O raw=0 -f signer.out.6 -Sxt -o example example.db > /dev/null $SIGNER -O raw -f - -Sxt -o example example.db > signer.out.7 2> /dev/null ) || ret=1 -awk '/IN *SOA/ {if (NF != 11) exit(1)}' signer/signer.out.3 || ret=1 -awk '/IN *SOA/ {if (NF != 7) exit(1)}' signer/signer.out.4 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 11) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.3 || ret=1 +awk 'BEGIN { found = 0; } + $1 == "example." && $3 == "IN" && $4 == "SOA" { found = 1; if (NF != 7) exit(1); } + END { if (!found) exit(1); }' signer/signer.out.4 || ret=1 israw1 signer/signer.out.5 || ret=1 israw0 signer/signer.out.6 || ret=1 israw1 signer/signer.out.7 || ret=1 
@@ -4412,5 +4416,23 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# Check that a query against a validating resolver succeeds when there is +# a negative cache entry with trust level "pending" for the DS. Prime +# with a +cd DS query to produce the negative cache entry, then send a +# query that uses that entry as part of the validation process. [GL #3279] +echo_i "check that pending negative DS cache entry validates ($n)" +ret=0 +dig_with_opts @10.53.0.4 +cd insecure2.example. ds > dig.out.prime.ns4.test$n || ret=1 +grep "flags: qr rd ra cd;" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.prime.ns4.test$n >/dev/null || ret=1 +grep "ANSWER: 0, AUTHORITY: 4, " dig.out.prime.ns4.test$n > /dev/null || ret=1 +dig_with_opts @10.53.0.4 a.insecure2.example. a > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, " dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1 +grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/dnstap/tests.sh bind9-9.16.33/bin/tests/system/dnstap/tests.sh --- bind9-9.16.27/bin/tests/system/dnstap/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnstap/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -519,6 +519,12 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +echo_i "checking whether destination UDP port is logged for client queries" +ret=0 +$DNSTAPREAD ns3/dnstap.out.save | grep -Eq "CQ [0-9:.]+ -> 10.53.0.3:${PORT} UDP" || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + HAS_PYYAML=0 if [ -n "$PYTHON" ] ; then $PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1 diff -Nru bind9-9.16.27/bin/tests/system/dnstap/ydump.py bind9-9.16.33/bin/tests/system/dnstap/ydump.py --- bind9-9.16.27/bin/tests/system/dnstap/ydump.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/dnstap/ydump.py 2022-09-08 13:01:23.000000000 +0000 @@ -22,7 +22,7 @@ DNSTAP_READ = sys.argv[1] DATAFILE = sys.argv[2] -ARGS = [DNSTAP_READ, '-y', DATAFILE] +ARGS = [DNSTAP_READ, "-y", DATAFILE] with subprocess.Popen(ARGS, stdout=subprocess.PIPE) as f: for y in yaml.load_all(f.stdout, Loader=yaml.SafeLoader): diff -Nru bind9-9.16.27/bin/tests/system/ednscompliance/tests.sh bind9-9.16.33/bin/tests/system/ednscompliance/tests.sh --- bind9-9.16.27/bin/tests/system/ednscompliance/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/ednscompliance/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -50,7 +50,7 @@ $DIG $DIGOPTS @10.53.0.1 +edns=100 +noednsnegotiation soa $zone > dig.out$n grep "status: BADVERS," dig.out$n > /dev/null || { ret=1; reason="status"; } grep "EDNS: version: 0," dig.out$n > /dev/null || { ret=1; reason="version"; } -grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reasons="soa"; } +grep "IN.SOA." dig.out$n > /dev/null && { ret=1; reason="soa"; } if [ $ret != 0 ]; then echo_i "failed $reason"; fi status=`expr $status + $ret` diff -Nru bind9-9.16.27/bin/tests/system/feature-test.c bind9-9.16.33/bin/tests/system/feature-test.c --- bind9-9.16.27/bin/tests/system/feature-test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/feature-test.c 2022-09-08 13:01:23.000000000 +0000 @@ -11,6 +11,7 @@ * information regarding copyright ownership. */ +#include #include #include #include @@ -26,13 +27,9 @@ #include #endif /* ifdef WIN32 */ -#ifndef MAXHOSTNAMELEN -#ifdef HOST_NAME_MAX -#define MAXHOSTNAMELEN HOST_NAME_MAX -#else /* ifdef HOST_NAME_MAX */ -#define MAXHOSTNAMELEN 256 -#endif /* ifdef HOST_NAME_MAX */ -#endif /* ifndef MAXHOSTNAMELEN */ +#ifndef _POSIX_HOST_NAME_MAX +#define _POSIX_HOST_NAME_MAX 255 +#endif static void usage() { @@ -86,7 +83,7 @@ } if (strcmp(argv[1], "--gethostname") == 0) { - char hostname[MAXHOSTNAMELEN]; + char hostname[_POSIX_HOST_NAME_MAX + 1]; int n; #ifdef WIN32 /* From InitSocket() */ diff -Nru bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named1.conf.in bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named1.conf.in --- bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named1.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named1.conf.in 2022-09-08 13:01:23.000000000 +0000 
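Review bot: The fallback `#define _POSIX_HOST_NAME_MAX 255` in the `@@ -26,13 +27,9 @@` hunk of feature-test.c defines an identifier in the namespace C reserves for the implementation (underscore followed by an uppercase letter). A project-local constant that takes its value from `_POSIX_HOST_NAME_MAX` when the platform provides it, and 255 otherwise, would avoid colliding with a system header. In the `@@ -86,7 +83,7 @@` hunk the buffer becomes `char hostname[_POSIX_HOST_NAME_MAX + 1];`, but the `gethostname()` call is outside the hunk, so it is worth confirming there that the result is explicitly NUL-terminated, since truncation is not guaranteed to leave a terminator. A short comment on the array such as `/* +1 for the terminating NUL */` would document the sizing.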
@@ -28,6 +28,10 @@ fetches-per-server 400; }; +server 10.53.0.4 { + edns no; +}; + key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256; diff -Nru bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named2.conf.in bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named2.conf.in --- bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named2.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named2.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -26,6 +26,10 @@ fetches-per-zone 40; }; +server 10.53.0.4 { + edns no; +}; + key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256; diff -Nru bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named3.conf.in bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named3.conf.in --- bind9-9.16.27/bin/tests/system/fetchlimit/ns3/named3.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/fetchlimit/ns3/named3.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -26,6 +26,10 @@ recursive-clients 400; }; +server 10.53.0.4 { + edns no; +}; + key rndc_key { secret "1234abcd8765"; algorithm hmac-sha256; diff -Nru bind9-9.16.27/bin/tests/system/fetchlimit/tests.sh bind9-9.16.33/bin/tests/system/fetchlimit/tests.sh --- bind9-9.16.27/bin/tests/system/fetchlimit/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/fetchlimit/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -21,7 +21,7 @@ num=${3:-20} rm -f burst.input.$$ while [ $num -gt 0 ]; do - num=`expr $num - 1` + num=$((num-1)) echo "${num}${1}${2}.lamesub.example A" >> burst.input.$$ done $PERL ../ditch.pl -p ${PORT} -s 10.53.0.3 burst.input.$$ @@ -33,7 +33,9 @@ sed 's;.*: \([^/][^/]*\)/.*;\1;'` echo_i "clients: $clients" [ "$clients" = "" ] && return 1 - [ "$clients" -le $1 ] + [ "$clients" -ge $1 ] || return 1 + [ "$clients" -le $2 ] || return 1 + return 0 } status=0 
@@ -47,13 +49,14 @@ burst a $try # fetches-per-server is at 400, but at 20qps against a lame server, # we'll reach 200 at the tenth second, and the quota should have been - # tuned to less than that by then - stat 200 || ret=1 + # tuned to less than that by then. + [ $try -le 5 ] && low=$((try*10)) + stat 20 200 || ret=1 [ $ret -eq 1 ] && break sleep 1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "dumping ADB data" $RNDCCMD dumpdb -adb @@ -77,14 +80,14 @@ [ -z "$fails" ] && fails=0 [ "$fails" -ge "$sspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking lame server recovery" ret=0 rm -f ans4/norespond for try in 1 2 3 4 5; do burst b $try - stat 200 || ret=1 + stat 0 200 || ret=1 [ $ret -eq 1 ] && break sleep 1 done @@ -99,7 +102,7 @@ for try in 1 2 3 4 5 6 7 8 9 10; do burst c $try - stat 20 || ret=1 + stat 0 20 || ret=1 [ $ret -eq 1 ] && break sleep 1 done @@ -112,7 +115,7 @@ [ ${5:-${quota}} -gt $quota ] || ret=1 quota=$5 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 @@ -126,17 +129,17 @@ burst b $try 300 $DIGCMD a ${try}.example > dig.out.ns3.$try grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ - success=`expr $success + 1` + success=$((success+1)) grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ - fail=`expr $fail + 1` - stat 50 || ret=1 + fail=$(($fail+1)) + stat 30 50 || ret=1 [ $ret -eq 1 ] && break $RNDCCMD recursing 2>&1 | sed 's/^/ns3 /' | cat_i sleep 1 done echo_i "$success successful valid queries, $fail SERVFAIL" if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking drop statistics" rm -f ns3/named.stats 
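Review bot: In the `@@ -47,13 +49,14 @@` hunk of fetchlimit/tests.sh, `low` is assigned by `[ $try -le 5 ] && low=$((try*10))` but never read, because the next line calls `stat 20 200` with a literal lower bound. If the intent was a lower bound that ramps up with `$try`, the call should be `stat "${low:-0}" 200`; otherwise the assignment should be removed so the test does not suggest a check it does not perform. The new `stat` body in the earlier `@@ -33,7 +33,9 @@` hunk would also be safer with its bounds quoted, `[ "$clients" -ge "$1" ] || return 1` and `[ "$clients" -le "$2" ] || return 1`, so a missing argument fails clearly rather than producing a malformed `test` expression.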
@@ -151,7 +154,7 @@ [ -z "$drops" ] && drops=0 [ "$drops" -ge "$zspill" ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) copy_setports ns3/named3.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 @@ -165,11 +168,11 @@ for try in 1 2 3 4 5; do burst b $try 400 $DIGCMD +time=2 a ${try}.example > dig.out.ns3.$try - stat 400 || exceeded=`expr $exceeded + 1` + stat 100 400 || exceeded=$((exceeded + 1)) grep "status: NOERROR" dig.out.ns3.$try > /dev/null 2>&1 && \ - success=`expr $success + 1` + success=$((success+1)) grep "status: SERVFAIL" dig.out.ns3.$try > /dev/null 2>&1 && \ - fail=`expr $fail + 1` + fail=$(($fail+1)) sleep 1 done echo_i "$success successful valid queries (expected 5)" @@ -179,7 +182,7 @@ echo_i "clients count exceeded 400 on $exceeded trials (expected 0)" [ "$exceeded" -eq 0 ] || { echo_i "failed"; ret=1; } if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "checking drop statistics" rm -f ns3/named.stats @@ -191,7 +194,7 @@ drops=`grep 'queries dropped due to recursive client limit' ns3/named.stats | sed 's/\([0-9][0-9]*\) queries.*/\1/'` [ "${drops:-0}" -ne 0 ] || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/forward/ans11/ans.py bind9-9.16.33/bin/tests/system/forward/ans11/ans.py --- bind9-9.16.27/bin/tests/system/forward/ans11/ans.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ans11/ans.py 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,142 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + + +############################################################################ +# Respond to a DNS query. +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + if rrtype == A: + tld = qname.split(".")[-2] + "." + ns = "local." + tld + r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) + r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) + r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) + elif rrtype == NS: + r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) + elif rrtype == SOA: + r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + else: + r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 
0 0 0 0 0")) + r.flags |= dns.flags.AA + return r + + +def sigterm(signum, frame): + print("Shutting down now...") + os.remove("ans.pid") + running = False + sys.exit(0) + + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. +############################################################################ +ip4 = "10.53.0.11" +ip6 = "fd92:7065:b8e:ffff::11" + +try: + port = int(os.environ["PORT"]) +except: + port = 5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False +signal.signal(signal.SIGTERM, sigterm) + +f = open("ans.pid", "w") +pid = os.getpid() +print(pid, file=f) +f.close() + +running = True + +print("Listening on %s port %d" % (ip4, port)) +if havev6: + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff -Nru bind9-9.16.27/bin/tests/system/forward/clean.sh 
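Review bot: In the new forward/ans11/ans.py, `logquery` calls `f.write("%s %s\n", type, qname)`, which passes three arguments to `write()` and would raise TypeError if it were ever called; it should be `f.write("%s %s\n" % (type, qname))`, or the helper can be dropped since `create_response` already writes `query.log` itself. `sigterm` assigns `running = False` without `global running`, so it only sets a local and the main loop's flag is never changed; the handler works only because `sys.exit(0)` follows. `create_response` passes the datagram straight to `dns.message.from_wire(msg)` and indexes `m.question[0]` with no error handling, so one malformed or question-less packet would raise out of the main loop and stop the responder. Wrapping the call in the loop with `try:` / `except Exception:` and printing "NO RESPONSE" would keep the fixture alive for the rest of the test. The bare `except:` clauses around the port lookup and IPv6 bind would be clearer as `except (KeyError, ValueError):` and `except OSError:`.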
bind9-9.16.33/bin/tests/system/forward/clean.sh --- bind9-9.16.27/bin/tests/system/forward/clean.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/clean.sh 2022-09-08 13:01:23.000000000 +0000 @@ -12,10 +12,12 @@ # # Clean up after forward tests. # +rm -f ./ans11/query.log rm -f ./dig.out.* rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run ./*/named.run.prev +rm -f ./*/named_dump.db rm -f ./ns*/named.lock rm -f ./ns*/managed-keys.bind* rm -f ./ns1/root.db ./ns1/root.db.signed diff -Nru bind9-9.16.27/bin/tests/system/forward/ns1/diditwork.net.db bind9-9.16.33/bin/tests/system/forward/ns1/diditwork.net.db --- bind9-9.16.27/bin/tests/system/forward/ns1/diditwork.net.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns1/diditwork.net.db 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff -Nru bind9-9.16.27/bin/tests/system/forward/ns1/named.conf.in bind9-9.16.33/bin/tests/system/forward/ns1/named.conf.in --- bind9-9.16.27/bin/tests/system/forward/ns1/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns1/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -65,3 +65,23 @@ zone "example6" { type forward; }; + +zone "diditwork.net" { + type primary; + file "diditwork.net.db"; +}; + +zone "spoofed.net" { + type primary; + file "spoofed.net.db"; +}; + +zone "sub.local.net" { + type primary; + file "sub.local.net.db"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; diff -Nru bind9-9.16.27/bin/tests/system/forward/ns1/net.example.lll bind9-9.16.33/bin/tests/system/forward/ns1/net.example.lll --- bind9-9.16.27/bin/tests/system/forward/ns1/net.example.lll 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns1/net.example.lll 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff -Nru bind9-9.16.27/bin/tests/system/forward/ns1/spoofed.net.db bind9-9.16.33/bin/tests/system/forward/ns1/spoofed.net.db --- bind9-9.16.27/bin/tests/system/forward/ns1/spoofed.net.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns1/spoofed.net.db 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+sub TXT "recursed"
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns1/sub.local.net.db bind9-9.16.33/bin/tests/system/forward/ns1/sub.local.net.db
--- bind9-9.16.27/bin/tests/system/forward/ns1/sub.local.net.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns1/sub.local.net.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ TXT "recursed"
+ns A 10.53.0.1
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/fakenet.zone bind9-9.16.33/bin/tests/system/forward/ns10/fakenet.zone
--- bind9-9.16.27/bin/tests/system/forward/ns10/fakenet.zone 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/fakenet.zone 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net. SOA . . 0 0 0 0 0
+net. NS attackSecureDomain.net.
+attackSecureDomain.net. A 10.53.0.10
+didItWork.net. TXT "if you can see this record the attack worked"
+ns.spoofed.net. A 10.53.0.10
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/fakenet2.zone bind9-9.16.33/bin/tests/system/forward/ns10/fakenet2.zone
--- bind9-9.16.27/bin/tests/system/forward/ns10/fakenet2.zone 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/fakenet2.zone 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net2. SOA . . 0 0 0 0 0
+net2. NS attackSecureDomain.net.
+net2. DNAME net.example.lll.
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/fakesublocalnet.zone bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocalnet.zone
--- bind9-9.16.27/bin/tests/system/forward/ns10/fakesublocalnet.zone 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocalnet.zone 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+sub.local.net. SOA . . 0 0 0 0 0
+sub.local.net. NS ns.spoofed.net.
+sub.local.net. TXT "if you see this attacker overrode local delegation"
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/fakesublocaltld.zone bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocaltld.zone
--- bind9-9.16.27/bin/tests/system/forward/ns10/fakesublocaltld.zone 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/fakesublocaltld.zone 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0
+sub.local.tld. 3600 IN NS ns.sub.local.tld.
+sub.local.tld. 3600 IN TXT bad
+ns.sub.local.tld. 3600 IN A 10.53.0.8
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/named.conf.in bind9-9.16.33/bin/tests/system/forward/ns10/named.conf.in
--- bind9-9.16.27/bin/tests/system/forward/ns10/named.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/named.conf.in 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ minimal-responses no;
+};
+
+zone "net." {
+ type master;
+ file "fakenet.zone";
+};
+
+zone "spoofed.net." {
+ type master;
+ file "spoofednet.zone";
+};
+
+zone "sub.local.net." {
+ type master;
+ file "fakesublocalnet.zone";
+};
+
+zone "net2" {
+ type master;
+ file "fakenet2.zone";
+};
+
+zone "net.example.lll" {
+ type master;
+ file "net.example.lll";
+};
+
+zone "sub.local.tld." {
+ type master;
+ file "fakesublocaltld.zone";
+};
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/net.example.lll bind9-9.16.33/bin/tests/system/forward/ns10/net.example.lll
--- bind9-9.16.27/bin/tests/system/forward/ns10/net.example.lll 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/net.example.lll 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+net.example.lll. SOA . . 0 0 0 0 0
+net.example.lll. NS attackSecureDomain.net.
+didItWork.net.example.lll. TXT "if you can see this record the attack worked"
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns10/spoofednet.zone bind9-9.16.33/bin/tests/system/forward/ns10/spoofednet.zone
--- bind9-9.16.27/bin/tests/system/forward/ns10/spoofednet.zone 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns10/spoofednet.zone 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 86400
+spoofed.net. SOA . . 0 0 0 0 0
+spoofed.net. NS ns.spoofed.net.
+ns.spoofed.net. A 10.53.0.10
+spoofed.net. TXT "this record is clearly spoofed"
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns2/tld.db bind9-9.16.33/bin/tests/system/forward/ns2/tld.db
--- bind9-9.16.27/bin/tests/system/forward/ns2/tld.db 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns2/tld.db 2022-09-08 13:01:23.000000000 +0000
@@ -21,3 +21,9 @@ ns A 10.53.0.2 sld NS ns.sld ns.sld A 10.53.0.1 +local NS ns.local +ns.local A 10.53.0.9 +sibling NS ns.sibling +ns.sibling A 10.53.0.4 +sibling NS ns.sub.local +ns.sub.local A 10.53.0.10 diff -Nru bind9-9.16.27/bin/tests/system/forward/ns4/named.conf.in bind9-9.16.33/bin/tests/system/forward/ns4/named.conf.in --- bind9-9.16.27/bin/tests/system/forward/ns4/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns4/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -62,3 +62,8 @@ type primary; file "malicious.db"; }; + +zone "sibling.tld" { + type primary; + file "sibling.tld.db"; +}; diff -Nru bind9-9.16.27/bin/tests/system/forward/ns4/sibling.tld.db bind9-9.16.33/bin/tests/system/forward/ns4/sibling.tld.db --- bind9-9.16.27/bin/tests/system/forward/ns4/sibling.tld.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns4/sibling.tld.db 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 diff -Nru bind9-9.16.27/bin/tests/system/forward/ns8/named.conf.in bind9-9.16.33/bin/tests/system/forward/ns8/named.conf.in --- bind9-9.16.27/bin/tests/system/forward/ns8/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns8/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
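Review bot: The ns2/tld.db hunk adds a second `sibling NS ns.sub.local` delegation whose glue, `ns.sub.local A 10.53.0.10`, points at the spoofing server, while ns9/local.tld.db in this same diff puts `ns.sub.local.tld.` at 10.53.0.8; nothing in the zone file marks the mismatch as deliberate. Someone tidying the fixture later could "correct" the address and silently turn the sibling-glue test into one that can no longer fail. A comment above the two records would prevent that, for example `; deliberately bogus sibling glue: ns.sub.local.tld is really 10.53.0.8, 10.53.0.10 is the attacker (ns10)`. The rest of tld.db lies outside the hunk, so whether the file already carries a general note on this is not visible here.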
@@ -28,3 +28,8 @@ type hint; file "root.db"; }; + +zone "sub.local.tld" { + type primary; + file "sub.local.tld.db"; +}; diff -Nru bind9-9.16.27/bin/tests/system/forward/ns8/sub.local.tld.db bind9-9.16.33/bin/tests/system/forward/ns8/sub.local.tld.db --- bind9-9.16.27/bin/tests/system/forward/ns8/sub.local.tld.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns8/sub.local.tld.db 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT good +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/local.net.db bind9-9.16.33/bin/tests/system/forward/ns9/local.net.db --- bind9-9.16.27/bin/tests/system/forward/ns9/local.net.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/ns9/local.net.db 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.net. 3600 IN SOA . . 0 0 0 0 0
+local.net. 3600 IN NS localhost.
+ns.local.net. 3600 IN A 10.53.0.9
+txt.local.net. 3600 IN TXT "something in the local auth zone"
+sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/local.tld.db bind9-9.16.33/bin/tests/system/forward/ns9/local.tld.db
--- bind9-9.16.27/bin/tests/system/forward/ns9/local.tld.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/local.tld.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+local.tld. 3600 IN SOA . . 0 0 0 0 0
+local.tld. 3600 IN NS localhost.
+sub.local.tld. 3600 IN NS ns.sub.local.tld.
+ns.sub.local.tld. 3600 IN A 10.53.0.8
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/named1.conf.in bind9-9.16.33/bin/tests/system/forward/ns9/named1.conf.in
--- bind9-9.16.27/bin/tests/system/forward/ns9/named1.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/named1.conf.in 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+server 10.53.0.11 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+ type forward;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+ type forward;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+ type forward;
+ forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/named2.conf.in bind9-9.16.33/bin/tests/system/forward/ns9/named2.conf.in
--- bind9-9.16.27/bin/tests/system/forward/ns9/named2.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/named2.conf.in 2022-09-08 13:01:23.000000000 +0000
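Review bot: ns9/named1.conf.in has no comment saying which scenario it configures, and the same is true of named2, named3 and named4, which are near copies that differ only in forwarding policy. From tests.sh the mapping appears to be named1 = per-zone forwarders with the default policy ("forward first"), named2 = per-zone `forward only`, named3 = global `forward only`, named4 = no forwarders with a local.tld zone. A short note after the licence block in each file would make that explicit, for example `/* ns9 step 1: forward zones with the default (forward first) policy; tests.sh swaps in named2-4 later */`. It is also worth a line next to `forwarders {};` in the `local.net.` zone stating that the empty list is what the spoofing scenarios depend on, if that is the intent.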
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+server 10.53.0.11 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "attacksecuredomain.net." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net2." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+zone "attacksecuredomain.net3." {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.11; };
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/named3.conf.in bind9-9.16.33/bin/tests/system/forward/ns9/named3.conf.in
--- bind9-9.16.27/bin/tests/system/forward/ns9/named3.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/named3.conf.in 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+ forward only;
+ forwarders { 10.53.0.10; };
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "local.net." {
+ type primary;
+ file "local.net.db";
+ forwarders {};
+};
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/named4.conf.in bind9-9.16.33/bin/tests/system/forward/ns9/named4.conf.in
--- bind9-9.16.27/bin/tests/system/forward/ns9/named4.conf.in 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/named4.conf.in 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ dnssec-validation no;
+ edns-udp-size 1232;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+server 10.53.0.10 {
+ edns no;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "local.tld." {
+ type primary;
+ file "local.tld.db";
+};
diff -Nru bind9-9.16.27/bin/tests/system/forward/ns9/root.db bind9-9.16.33/bin/tests/system/forward/ns9/root.db
--- bind9-9.16.27/bin/tests/system/forward/ns9/root.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/bin/tests/system/forward/ns9/root.db 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff -Nru bind9-9.16.27/bin/tests/system/forward/prereq.sh bind9-9.16.33/bin/tests/system/forward/prereq.sh --- bind9-9.16.27/bin/tests/system/forward/prereq.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/prereq.sh 2022-09-08 13:01:23.000000000 +0000 @@ -21,3 +21,17 @@ echo_i "This test requires the Net::DNS library." >&2 exit 1 fi + +if test -n "$PYTHON" +then + if $PYTHON -c "import dns" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi diff -Nru bind9-9.16.27/bin/tests/system/forward/setup.sh bind9-9.16.33/bin/tests/system/forward/setup.sh --- bind9-9.16.27/bin/tests/system/forward/setup.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/setup.sh 2022-09-08 13:01:23.000000000 +0000 @@ -21,6 +21,8 @@ copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf +copy_setports ns9/named1.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf ( cd ns1 diff -Nru bind9-9.16.27/bin/tests/system/forward/tests.sh bind9-9.16.33/bin/tests/system/forward/tests.sh --- bind9-9.16.27/bin/tests/system/forward/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/forward/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -255,5 +255,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# +# Check various spoofed response scenarios. The same tests will be +# run twice, with "forward first" and "forward only" configurations. +# +run_spooftests () { + n=$((n+1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. 
DNAME > dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +echo_i "checking spoofed response scenarios with forward first zones" +run_spooftests + +copy_setports ns9/named2.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +echo_i "rechecking spoofed response scenarios with forward only zones" +run_spooftests + +# +# This scenario expects the spoofed response to succeed. The tests are +# similar to the ones above, but not identical. +# +echo_i "rechecking spoofed response scenarios with 'forward only' set globally" +copy_setports ns9/named3.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +# check 'net' is poisoned. +dig_with_opts @10.53.0.9 diditwork.net. 
TXT > dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +# check 'sub.local.net' is poisoned. +dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +# check that net2/DNAME is cached +dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# This test doesn't use any forwarder clauses but is here because it +# is similar to forwarders, as the set of servers that can populate +# the namespace is defined by the zone content. 
+# +echo_i "rechecking spoofed response scenarios glue below local zone" +copy_setports ns9/named4.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking sibling glue below zone ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +# check for glue A record for sub.local.tld is not used +dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/idna/tests.sh bind9-9.16.33/bin/tests/system/idna/tests.sh --- bind9-9.16.27/bin/tests/system/idna/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/idna/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -328,8 +328,8 @@ idna_test "$text" "" "√.com" "\226\136\154.com." idna_test "$text" "+noidnin +noidnout" "√.com" "\226\136\154.com." idna_test "$text" "+noidnin +idnout" "√.com" "\226\136\154.com." - idna_fail "$text" "+idnin +noidnout" "√.com" - idna_fail "$text" "+idnin +idnout" "√.com" + idna_test "$text" "+idnin +noidnout" "√.com" "xn--19g.com." + idna_test "$text" "+idnin +idnout" "√.com" "√.com." # Tests of a valid unicode string but an invalid U-label (output) # 
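Review bot: Scenario 3 in `run_spooftests` can pass without verifying anything, because when `ns9/named_dump.db` never shows a `net3` line the retry loop sleeps through all five tries and leaves `ret` at 0. The check that `attackSecureDomain.net3` is present and `local.net3` is absent is then skipped, which is a false pass in a cache-poisoning regression test. The loop also has no `break`, so a good dump is re-checked on every remaining iteration. Tracking whether the dump was ever inspected and failing otherwise closes the gap, as in the excerpt below. Separately, the `reconfig` and `flush` calls against 10.53.0.9 label their output with `sed 's/^/ns3 /'`, where `sed 's/^/ns9 /'` (as the `dumpdb` call already uses) would match the server being driven.

```shell
	found=0
	for try in 1 2 3 4 5; do
		# … unchanged: count the net3 lines, sleep and retry while the dump is empty …
		found=1
		# … unchanged: the three checks on the dump contents …
		break
	done
	# a dump that never contained a net3 line means nothing was verified
	[ "$found" -eq 1 ] || ret=1
```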
@@ -351,8 +351,8 @@ text="Checking invalid output U-label" idna_test "$text" "" "xn--19g" "xn--19g." idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g." - idna_fail "$text" "+noidnin +idnout" "xn--19g" - idna_fail "$text" "+idnin +idnout" "xn--19g" + idna_test "$text" "+noidnin +idnout" "xn--19g" "√." + idna_test "$text" "+idnin +idnout" "xn--19g" "√." } diff -Nru bind9-9.16.27/bin/tests/system/ifconfig.sh bind9-9.16.33/bin/tests/system/ifconfig.sh --- bind9-9.16.27/bin/tests/system/ifconfig.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/ifconfig.sh 2022-09-08 13:01:23.000000000 +0000 @@ -14,10 +14,10 @@ # # Set up interface aliases for bind9 system tests. # -# IPv4: 10.53.0.{1..10} RFC 1918 +# IPv4: 10.53.0.{1..11} RFC 1918 # 10.53.1.{1..2} # 10.53.2.{1..2} -# IPv6: fd92:7065:b8e:ffff::{1..10} ULA +# IPv6: fd92:7065:b8e:ffff::{1..11} ULA # fd92:7065:b8e:99ff::{1..2} # fd92:7065:b8e:ff::{1..2} # 
@@ -46,10 +46,204 @@ ;; esac -case "$1" in +up() { + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a netmask 0xffffffff up + ;; + *-*-solaris2.[8-9]|*-*-solaris2.10) + [ "$a" ] && { + /sbin/ifconfig lo0:$int plumb + /sbin/ifconfig lo0:$int $a up + /sbin/ifconfig lo0:$int mtu 1500 + } + [ "$aaaa" ] && { + /sbin/ifconfig lo0:$int inet6 plumb + /sbin/ifconfig lo0:$int inet6 $aaaa up + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $a lo0/bind9v4$int || + echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + /sbin/ipadm create-addr -t -T static \ + -a $aaaa lo0/bind9v6$int || + echo failed lo0/bind9v6$int + } + ;; + *-*-linux*) + if [ "$use_ip" ]; then + ip address add $a/24 dev lo:$int + ip link set dev lo:$int mtu 1500 + [ "$aaaa" ] && ip address add $aaaa/64 dev lo + else + ifconfig lo:$int $a up netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo inet6 add $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a alias netmask 255.255.255.0 mtu 1500 + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 add $a netmask 255.255.255.0 + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 $a alias netmask 0xffffffff + ;; + *-ibm-aix4.*|*-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 alias -dad $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int $a netmask 255.255.255.0 up + [ "$aaaa" ] && ifconfig lo0:$int inet6 $aaaa up + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 alias $a + ;; + *-darwin*) 
+ [ "$a" ] && ifconfig lo0 alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa alias + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to set up interface. Giving up." + exit 1 + ;; + esac +} + +down() { + case "$sys" in + *-pc-solaris2.5.1) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 down + ;; + *-sun-solaris2.[6-7]) + [ "$a" ] && ifconfig lo0:$int $a down + ;; + *-*-solaris2.[8-9]|*-*-solaris2.10) + [ "$a" ] && { + ifconfig lo0:$int $a down + ifconfig lo0:$int $a unplumb + } + [ "$aaaa" ] && { + ifconfig lo0:$int inet6 down + ifconfig lo0:$int inet6 unplumb + } + ;; + *-*-solaris2.1[1-9]) + [ "$a" ] && { + ipadm delete-addr lo0/bind9v4$int || + echo failed lo0/bind9v4$int + } + [ "$aaaa" ] && { + ipadm delete-addr lo0/bind9v6$int || + echo failed lo0/bind9v6$int + } + ;; + + *-*-linux*) + if [ "$use_ip" ]; then + [ "$a" ] && ip address del $a/24 dev lo:$int + [ "$aaaa" ] && ip address del $aaaa/64 dev lo + else + [ "$a" ] && ifconfig lo:$int $a down + [ "$aaaa" ] && ifconfig lo inet6 del $aaaa/64 + fi + ;; + *-unknown-freebsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-netbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-unknown-openbsd*) + [ "$a" ] && ifconfig lo0 $a delete + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-*-bsdi[3-5].*) + [ "$a" ] && ifconfig lo0 remove $a + ;; + *-dec-osf[4-5].*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-sgi-irix6.*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *-ibm-aix4.*|*-ibm-aix5.*) + [ "$a" ] && ifconfig lo0 delete $a + [ "$aaaa" ] && ifconfig lo0 delete inet6 $aaaa/64 + ;; + hpux) + [ "$a" ] && ifconfig lo0:$int 0.0.0.0 + [ "$aaaa" ] && ifconfig lo0:$int inet6 :: + ;; + *-sco3.2v*) + [ "$a" ] && ifconfig lo0 -alias $a + ;; + *darwin*) + [ "$a" ] && 
ifconfig lo0 -alias $a + [ "$aaaa" ] && ifconfig lo0 inet6 $aaaa delete + ;; + *-cygwin*) + echo "Please run ifconfig.bat as Administrator." + exit 1 + ;; + *) + echo "Don't know how to destroy interface. Giving up." + exit 1 + ;; + esac +} + +sequence() ( + awk -v s=$1 -v e=$2 ' + BEGIN { + for (i = s ; i <= e; i++) { print i; } + exit; + }' +) - start|up) - for i in 0 1 2 +# +# 'max', 'i' and 'ns' are used to compute the interface identifier for +# systems that need it and must be unique for each interface (e.g. lo:$int). +# +# int=$((i * max + ns)) +# +# 'max' is the number of nameservers configured in the inner loop. +# 'i' is the outer loop counter. +# 'ns' in the namserver being configured. +# 'int' interface identifier. +# +max=11 +case $1 in + start|up|stop|down) + for i in $(sequence 0 2) do case $i in 0) ipv6="ff" ;; 
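Review bot: `down()` has no `*-unknown-dragonfly*` pattern, although `up()` in the same hunk configures DragonFly together with NetBSD and OpenBSD, so on that platform `stop`/`down` would reach the "Don't know how to destroy interface" branch and exit 1 with the aliases still on lo0. The three identical BSD delete branches could be folded into one, `*-unknown-freebsd*|*-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*)`, assuming DragonFly's ifconfig accepts the same `delete` form. The Linux branch of `up()` also runs `ip address add $a/24 dev lo:$int` without the `[ "$a" ] &&` guard that the other branches and `down()` use. In the comment above `max=11`, "'ns' in the namserver being configured" should read "'ns' is the nameserver being configured". The `case $1` block that calls these functions continues past the end of this hunk.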
@@ -57,198 +251,21 @@ 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 1 2 3 4 5 6 7 8 9 10 + for ns in $(sequence 1 $max) do [ $i -gt 0 -a $ns -gt 2 ] && break - int=`expr $i \* 10 + $ns` - case "$sys" in - *-pc-solaris2.5.1) - ifconfig lo0:$int 10.53.$i.$ns \ - netmask 0xffffffff up - ;; - *-sun-solaris2.[6-7]) - ifconfig lo0:$int 10.53.$i.$ns \ - netmask 0xffffffff up - ;; - *-*-solaris2.[8-9]|*-*-solaris2.1[0-9]) - /sbin/ifconfig lo0:$int plumb - /sbin/ifconfig lo0:$int 10.53.$i.$ns up - /sbin/ifconfig lo0:$int mtu 1500 - /sbin/ifconfig lo0:$int inet6 plumb - [ "$ipv6" ] && /sbin/ifconfig lo0:$int \ - inet6 fd92:7065:b8e:${ipv6}ff::$ns up - ;; - *-*-linux*) - if [ $use_ip ]; then - ip address add 10.53.$i.$ns/24 \ - dev lo:$int - ip link set dev lo:$int mtu 1500 - [ "$ipv6" ] && ip address add \ - fd92:7065:b8e:${ipv6}ff::$ns/64 \ - dev lo - else - ifconfig lo:$int 10.53.$i.$ns up \ - netmask 255.255.255.0 \ - mtu 1500 - [ "$ipv6" ] && ifconfig lo inet6 add \ - fd92:7065:b8e:${ipv6}ff::$ns/64 - fi - ;; - *-unknown-freebsd*) - ifconfig lo0 10.53.$i.$ns alias \ - netmask 0xffffffff \ - mtu 1500 - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns alias - ;; - *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*) - ifconfig lo0 10.53.$i.$ns alias \ - netmask 255.255.255.0 \ - mtu 1500 - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns alias - ;; - *-*-bsdi[3-5].*) - ifconfig lo0 add 10.53.$i.$ns \ - netmask 255.255.255.0 - ;; - *-dec-osf[4-5].*) - ifconfig lo0 alias 10.53.$i.$ns - ;; - *-sgi-irix6.*) - ifconfig lo0 alias 10.53.$i.$ns - ;; - *-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - ifconfig lo0 10.53.$i.$ns alias \ - netmask 0xffffffff - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - ifconfig lo0 alias 10.53.$i.$ns - [ "$ipv6" ] && ifconfig lo0 inet6 alias -dad \ - fd92:7065:b8e:${ipv6}ff::$ns/64 - ;; - hpux) - ifconfig lo0:$int 10.53.$i.$ns \ - netmask 255.255.255.0 up - [ "$ipv6" ] && ifconfig lo0:$int inet6 \ - 
fd92:7065:b8e:${ipv6}ff::$ns up - ;; - *-sco3.2v*) - ifconfig lo0 alias 10.53.$i.$ns - ;; - *-darwin*) - ifconfig lo0 alias 10.53.$i.$ns - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns alias - ;; - *-cygwin*) - echo "Please run ifconfig.bat as Administrator." - exit 1 - ;; - *) - echo "Don't know how to set up interface. Giving up." - exit 1 + int=$((i * max + ns)) + a=10.53.$i.$ns + aaaa=fd92:7065:b8e:${ipv6}ff::$ns + case "$1" in + start|up) up;; + stop|down) down;; esac done done ;; - - stop|down) - for i in 0 1 2 - do - case $i in - 0) ipv6="ff" ;; - 1) ipv6="99" ;; - 2) ipv6="00" ;; - *) ipv6="" ;; - esac - for ns in 10 9 8 7 6 5 4 3 2 1 - do - [ $i -gt 0 -a $ns -gt 2 ] && continue - int=`expr $i \* 10 + $ns - 1` - case "$sys" in - *-pc-solaris2.5.1) - ifconfig lo0:$int 0.0.0.0 down - ;; - *-sun-solaris2.[6-7]) - ifconfig lo0:$int 10.53.$i.$ns down - ;; - *-*-solaris2.[8-9]|*-*-solaris2.1[0-9]) - ifconfig lo0:$int 10.53.$i.$ns down - ifconfig lo0:$int 10.53.$i.$ns unplumb - ifconfig lo0:$int inet6 down - ifconfig lo0:$int inet6 unplumb - ;; - *-*-linux*) - if [ $use_ip ]; then - ip address del 10.53.$i.$ns/24 \ - dev lo:$int - [ "$ipv6" ] && ip address del \ - fd92:7065:b8e:${ipv6}ff::$ns/64 \ - dev lo - else - ifconfig lo:$int 10.53.$i.$ns down - [ "$ipv6" ] && ifconfig lo inet6 \ - del fd92:7065:b8e:${ipv6}ff::$ns/64 - fi - ;; - *-unknown-freebsd*) - ifconfig lo0 10.53.$i.$ns delete - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns delete - ;; - *-unknown-netbsd*) - ifconfig lo0 10.53.$i.$ns delete - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns delete - ;; - *-unknown-openbsd*) - ifconfig lo0 10.53.$i.$ns delete - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns delete - ;; - *-*-bsdi[3-5].*) - ifconfig lo0 remove 10.53.$i.$ns - ;; - *-dec-osf[4-5].*) - ifconfig lo0 -alias 10.53.$i.$ns - ;; - *-sgi-irix6.*) - ifconfig lo0 -alias 10.53.$i.$ns - ;; - 
*-*-sysv5uw7*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*) - ifconfig lo0 -alias 10.53.$i.$ns - ;; - *-ibm-aix4.*|*-ibm-aix5.*) - ifconfig lo0 delete 10.53.$i.$ns - [ "$ipv6" ] && ifconfig lo0 delete inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns/64 - ;; - hpux) - ifconfig lo0:$int 0.0.0.0 - ifconfig lo0:$int inet6 :: - ;; - *-sco3.2v*) - ifconfig lo0 -alias 10.53.$i.$ns - ;; - *darwin*) - ifconfig lo0 -alias 10.53.$i.$ns - [ "$ipv6" ] && ifconfig lo0 inet6 \ - fd92:7065:b8e:${ipv6}ff::$ns delete - ;; - *-cygwin*) - echo "Please run ifconfig.bat as Administrator." - exit 1 - ;; - *) - echo "Don't know how to destroy interface. Giving up." - exit 1 - esac - done - done + *) + echo "Usage: $0 { up | down }" + exit 1 ;; - - *) - echo "Usage: $0 { up | down }" - exit 1 esac diff -Nru bind9-9.16.27/bin/tests/system/inline/tests.sh bind9-9.16.33/bin/tests/system/inline/tests.sh --- bind9-9.16.27/bin/tests/system/inline/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/inline/tests.sh 2022-09-08 13:01:23.000000000 +0000 
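Review bot: The new loop body assigns `aaaa=fd92:7065:b8e:${ipv6}ff::$ns` unconditionally, so the `*) ipv6="" ;;` fallback kept in the context lines no longer suppresses IPv6 setup the way the removed `[ "$ipv6" ] && ...` guards did. The `[ "$aaaa" ]` tests visible in `down()` can never be false, and `up()` appears to use the same test. With `sequence 0 2` the fallback is unreachable today, but if the outer range grows the script would configure an unintended `fd92:7065:b8e:ff::N` address on the loopback. Keeping the old meaning takes one line: `aaaa=${ipv6:+fd92:7065:b8e:${ipv6}ff::$ns}`. The loop header and both helper functions sit in the preceding hunk, which starts outside this view.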
@@ -797,22 +797,16 @@ $RNDCCMD 10.53.0.2 reconfig || ret=1 # Request ns3 to retransfer the "retransfer3" zone. $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1 -# Wait until ns3 finishes building the NSEC3 chain for "retransfer3". There is -# no need to immediately set ret=1 if building the NSEC3 chain is not finished -# within the time limit because the query we will send shortly will detect any -# problems anyway. +# Check whether "retransfer3" uses NSEC3 as requested. for i in 0 1 2 3 4 5 6 7 8 9 do - $RNDCCMD 10.53.0.3 signing -list retransfer3 > signing.out.test$n.$i 2>&1 - keys_done=`grep "Done signing" signing.out.test$n.$i | wc -l` - nsec3_pending=`grep "NSEC3 chain" signing.out.test$n.$i | wc -l` - test $keys_done -eq 2 -a $nsec3_pending -eq 0 && break + ret=0 + $DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i + grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 + grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1 + test $ret -eq 0 && break sleep 1 done -# Check whether "retransfer3" uses NSEC3 as requested. -$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n -grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ret=1 -grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff -Nru bind9-9.16.27/bin/tests/system/inline/tests_signed_zone_files.py bind9-9.16.33/bin/tests/system/inline/tests_signed_zone_files.py --- bind9-9.16.27/bin/tests/system/inline/tests_signed_zone_files.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/inline/tests_signed_zone_files.py 2022-09-08 13:01:23.000000000 +0000 
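Review bot: The `ret=0` at the top of the new retry loop discards any failure recorded by the two `$RNDCCMD ... || ret=1` lines directly above it, so a failed `reconfig` or `retransfer` no longer fails the test once a later dig check passes. The loop should track its own outcome in a separate variable and fold it into `ret` after `done`, which also keeps the retry semantics the change introduces. The exit status of `$DIG` itself is not checked either, though the greps on its output cover that case.

```shell
# … unchanged: for/do header …
	nsec3_ok=1
	# … unchanged: dig query written to dig.out.ns3.post.test$n.$i …
	grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || nsec3_ok=0
	grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || nsec3_ok=0
	test $nsec3_ok -eq 1 && break
# … unchanged: sleep 1 …
done
test $nsec3_ok -eq 1 || ret=1
```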
@@ -14,29 +14,29 @@ class RawFormatHeader(dict): - ''' + """ A dictionary of raw-format header fields read from a zone file. - ''' + """ fields = [ - 'format', - 'version', - 'dumptime', - 'flags', - 'sourceserial', - 'lastxfrin', + "format", + "version", + "dumptime", + "flags", + "sourceserial", + "lastxfrin", ] def __init__(self, file_name): - header = struct.Struct('>IIIIII') - with open(file_name, 'rb') as data: + header = struct.Struct(">IIIIII") + with open(file_name, "rb") as data: header_data = data.read(header.size) super().__init__(zip(self.fields, header.unpack_from(header_data))) def test_unsigned_serial_number(): - ''' + """ Check whether all signed zone files in the "ns8" subdirectory contain the serial number of the unsigned version of the zone in the raw-format header. The test assumes that all "*.signed" files in the "ns8" subdirectory are in 
@@ -51,18 +51,18 @@ - example[0-9][0-9].com.db.signed files are initially signed by dnssec-signzone while the others - by named. - ''' + """ zones_with_unsigned_serial_missing = [] - for signed_zone in sorted(glob.glob('ns8/*.signed')): + for signed_zone in sorted(glob.glob("ns8/*.signed")): raw_header = RawFormatHeader(signed_zone) # Ensure the unsigned serial number is placed where it is expected. - assert raw_header['format'] == 2 - assert raw_header['version'] == 1 + assert raw_header["format"] == 2 + assert raw_header["version"] == 1 # Check whether the header flags indicate that the unsigned serial # number is set and that the latter is indeed set. - if raw_header['flags'] & 0x02 == 0 or raw_header['sourceserial'] == 0: + if raw_header["flags"] & 0x02 == 0 or raw_header["sourceserial"] == 0: zones_with_unsigned_serial_missing.append(signed_zone) assert not zones_with_unsigned_serial_missing diff -Nru bind9-9.16.27/bin/tests/system/kasp/clean.sh bind9-9.16.33/bin/tests/system/kasp/clean.sh --- bind9-9.16.27/bin/tests/system/kasp/clean.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/clean.sh 2022-09-08 13:01:23.000000000 +0000 @@ -29,7 +29,7 @@ rm -f ns*/*.zsk1 ns*/*.zsk2 rm -f ns3/legacy-keys.* rm -f *.created published.test* retired.test* -rm -f rndc.dnssec.*.out.* +rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.* rm -f python.out.* rm -f *-supported.file rm -f created.key-* unused.key-* diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns2/named.conf.in bind9-9.16.33/bin/tests/system/kasp/ns2/named.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns2/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns2/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -46,8 +46,9 @@ zone "signed.tld" { type primary; - dnssec-policy "default"; file "signed.tld.db"; + dnssec-policy "default"; + inline-signing yes; }; /* Primary service for ns3 */ diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns3/ed25519.conf bind9-9.16.33/bin/tests/system/kasp/ns3/ed25519.conf --- bind9-9.16.27/bin/tests/system/kasp/ns3/ed25519.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns3/ed25519.conf 2022-09-08 13:01:23.000000000 +0000 @@ -24,5 +24,6 @@ zone "ed25519.kasp" { type primary; file "ed25519.kasp.db"; + inline-signing yes; dnssec-policy "ed25519"; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns3/ed448.conf bind9-9.16.33/bin/tests/system/kasp/ns3/ed448.conf --- bind9-9.16.27/bin/tests/system/kasp/ns3/ed448.conf 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns3/ed448.conf 2022-09-08 13:01:23.000000000 +0000 @@ -24,5 +24,6 @@ zone "ed448.kasp" { type primary; file "ed448.kasp.db"; + inline-signing yes; dnssec-policy "ed448"; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns3/named.conf.in bind9-9.16.33/bin/tests/system/kasp/ns3/named.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns3/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns3/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -44,6 +44,7 @@ zone "default.kasp" { type primary; file "default.kasp.db"; + inline-signing yes; dnssec-policy "default"; }; @@ -51,6 +52,7 @@ zone "checkds-ksk.kasp" { type primary; file "checkds-ksk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-ksk"; }; @@ -58,6 +60,7 @@ zone "checkds-doubleksk.kasp" { type primary; file "checkds-doubleksk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-doubleksk"; }; @@ -65,6 +68,7 @@ zone "checkds-csk.kasp" { type primary; file "checkds-csk.kasp.db"; + inline-signing yes; dnssec-policy "checkds-csk"; }; 
@@ -72,6 +76,7 @@ zone "unlimited.kasp" { type primary; file "unlimited.kasp.db"; + inline-signing yes; dnssec-policy "unlimited"; }; @@ -79,6 +84,7 @@ zone "manual-rollover.kasp" { type primary; file "manual-rollover.kasp.db"; + inline-signing yes; dnssec-policy "manual-rollover"; }; @@ -86,12 +92,14 @@ zone "rsasha1.kasp" { type primary; file "rsasha1.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; /* A zone that inherits dnssec-policy. */ zone "inherit.kasp" { type primary; + inline-signing yes; file "inherit.kasp.db"; }; @@ -99,6 +107,7 @@ zone "unsigned.kasp" { type primary; file "unsigned.kasp.db"; + inline-signing yes; dnssec-policy "none"; }; @@ -106,6 +115,7 @@ zone "insecure.kasp" { type primary; file "insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; @@ -113,6 +123,7 @@ zone "dnssec-keygen.kasp" { type primary; file "dnssec-keygen.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; @@ -121,6 +132,7 @@ type secondary; primaries { 10.53.0.2; }; file "secondary.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; @@ -155,6 +167,7 @@ zone "some-keys.kasp" { type primary; file "some-keys.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; @@ -164,6 +177,7 @@ zone "legacy-keys.kasp" { type primary; file "legacy-keys.kasp.db"; + inline-signing yes; dnssec-policy "migrate-to-dnssec-policy"; }; @@ -173,6 +187,7 @@ zone "pregenerated.kasp" { type primary; file "pregenerated.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; @@ -183,6 +198,7 @@ zone "rumoured.kasp" { type primary; file "rumoured.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; 
@@ -200,30 +216,45 @@ zone "rsasha1-nsec3.kasp" { type primary; file "rsasha1-nsec3.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1-nsec3"; }; zone "rsasha256.kasp" { type primary; file "rsasha256.kasp.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; zone "rsasha512.kasp" { type primary; file "rsasha512.kasp.db"; + inline-signing yes; dnssec-policy "rsasha512"; }; zone "ecdsa256.kasp" { type primary; file "ecdsa256.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "ecdsa384.kasp" { type primary; file "ecdsa384.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa384"; }; /* + * Zone with too high TTL. + */ +zone "max-zone-ttl.kasp" { + type primary; + file "max-zone-ttl.kasp.db"; + inline-signing yes; + dnssec-policy "ttl"; +}; + +/* * Zones in different signing states. */ @@ -233,6 +264,7 @@ zone "expired-sigs.autosign" { type primary; file "expired-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -242,6 +274,7 @@ zone "fresh-sigs.autosign" { type primary; file "fresh-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -251,6 +284,7 @@ zone "unfresh-sigs.autosign" { type primary; file "unfresh-sigs.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -260,6 +294,7 @@ zone "ksk-missing.autosign" { type primary; file "ksk-missing.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -269,6 +304,7 @@ zone "zsk-missing.autosign" { type primary; file "zsk-missing.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; @@ -278,6 +314,7 @@ zone "zsk-retired.autosign" { type primary; file "zsk-retired.autosign.db"; + inline-signing yes; dnssec-policy "autosign"; }; 
@@ -287,21 +324,25 @@ zone "step1.enable-dnssec.autosign" { type primary; file "step1.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step2.enable-dnssec.autosign" { type primary; file "step2.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step3.enable-dnssec.autosign" { type primary; file "step3.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step4.enable-dnssec.autosign" { type primary; file "step4.enable-dnssec.autosign.db"; + inline-signing yes; dnssec-policy "enable-dnssec"; }; @@ -311,31 +352,37 @@ zone "step1.zsk-prepub.autosign" { type primary; file "step1.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step2.zsk-prepub.autosign" { type primary; file "step2.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step3.zsk-prepub.autosign" { type primary; file "step3.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step4.zsk-prepub.autosign" { type primary; file "step4.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step5.zsk-prepub.autosign" { type primary; file "step5.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step6.zsk-prepub.autosign" { type primary; file "step6.zsk-prepub.autosign.db"; + inline-signing yes; dnssec-policy "zsk-prepub"; }; 
@@ -345,31 +392,37 @@ zone "step1.ksk-doubleksk.autosign" { type primary; file "step1.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step2.ksk-doubleksk.autosign" { type primary; file "step2.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step3.ksk-doubleksk.autosign" { type primary; file "step3.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step4.ksk-doubleksk.autosign" { type primary; file "step4.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step5.ksk-doubleksk.autosign" { type primary; file "step5.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step6.ksk-doubleksk.autosign" { type primary; file "step6.ksk-doubleksk.autosign.db"; + inline-signing yes; dnssec-policy "ksk-doubleksk"; }; 
@@ -379,76 +432,91 @@ zone "step1.csk-roll.autosign" { type primary; file "step1.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step2.csk-roll.autosign" { type primary; file "step2.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step3.csk-roll.autosign" { type primary; file "step3.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step4.csk-roll.autosign" { type primary; file "step4.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step5.csk-roll.autosign" { type primary; file "step5.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step6.csk-roll.autosign" { type primary; file "step6.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step7.csk-roll.autosign" { type primary; file "step7.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step8.csk-roll.autosign" { type primary; file "step8.csk-roll.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll"; }; zone "step1.csk-roll2.autosign" { type primary; file "step1.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step2.csk-roll2.autosign" { type primary; file "step2.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step3.csk-roll2.autosign" { type primary; file "step3.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step4.csk-roll2.autosign" { type primary; file "step4.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step5.csk-roll2.autosign" { type primary; file "step5.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step6.csk-roll2.autosign" { type primary; file "step6.csk-roll2.autosign.db"; + inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step7.csk-roll2.autosign" { type primary; file "step7.csk-roll2.autosign.db"; + 
inline-signing yes; dnssec-policy "csk-roll2"; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns3/policies/kasp.conf.in bind9-9.16.33/bin/tests/system/kasp/ns3/policies/kasp.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns3/policies/kasp.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns3/policies/kasp.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -132,3 +132,7 @@ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; }; }; + +dnssec-policy "ttl" { + max-zone-ttl 299; +}; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns3/setup.sh bind9-9.16.33/bin/tests/system/kasp/ns3/setup.sh --- bind9-9.16.27/bin/tests/system/kasp/ns3/setup.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns3/setup.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -64,30 +64,29 @@ cat ed448.conf >> named.conf fi -# Set up zone that stays unsigned. -zone="unsigned.kasp" -echo_i "setting up zone: $zone" -zonefile="${zone}.db" -infile="${zone}.db.infile" -cp template.db.in $infile -cp template.db.in $zonefile - -# Set up zone that stays unsigned. -zone="insecure.kasp" -echo_i "setting up zone: $zone" -zonefile="${zone}.db" -infile="${zone}.db.infile" -cp template.db.in $zonefile +# Set up zones that stay unsigned. +for zn in unsigned insecure max-zone-ttl +do + zone="${zn}.kasp" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + cp template.db.in $infile + cp template.db.in $zonefile +done # Some of these zones already have keys. zone="dnssec-keygen.kasp" +echo_i "setting up zone: $zone" $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 zone="some-keys.kasp" +echo_i "setting up zone: $zone" $KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1 $KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1 zone="legacy-keys.kasp" +echo_i "setting up zone: $zone" ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1) KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.2) echo $ZSK > legacy-keys.kasp.zsk @@ -101,10 +100,12 @@ $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1 zone="pregenerated.kasp" +echo_i "setting up zone: $zone" $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 zone="multisigner-model2.kasp" +echo_i "setting up zone: $zone" # Import the ZSK sets of the other providers into their DNSKEY RRset. ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1) ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2) 
@@ -117,6 +118,7 @@ rm -f "../${ZSK2}.*" zone="rumoured.kasp" +echo_i "setting up zone: $zone" Tpub="now" Tact="now+1d" keytimes="-P ${Tpub} -A ${Tact}" diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns4/named.conf.in bind9-9.16.33/bin/tests/system/kasp/ns4/named.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns4/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns4/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -75,20 +75,22 @@ zone "inherit.inherit.signed" { type primary; file "inherit.inherit.signed.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.inherit.signed" { type primary; - dnssec-policy "default"; file "override.inherit.signed.db"; + inline-signing yes; + dnssec-policy "default"; }; /* Unset dnssec-policy */ zone "none.inherit.signed" { type primary; - dnssec-policy "none"; file "none.inherit.signed.db"; + dnssec-policy "none"; }; }; @@ -100,20 +102,22 @@ zone "inherit.override.signed" { type primary; file "inherit.override.signed.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.signed" { type primary; - dnssec-policy "test"; file "override.override.signed.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.override.signed" { type primary; - dnssec-policy "none"; file "none.override.signed.db"; + dnssec-policy "none"; }; }; @@ -130,21 +134,24 @@ /* Override dnssec-policy */ zone "override.none.signed" { type primary; - dnssec-policy "test"; file "override.none.signed.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.none.signed" { type primary; - dnssec-policy "none"; file "none.none.signed.db"; + dnssec-policy "none"; }; }; view "example1" { match-clients { key "keyforview1"; }; + allow-update { any; }; + zone "example.net" { type primary; file "example1.db"; 
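Review bot: The `allow-update { any; };` added to `view "example1"` in ns4/named.conf.in carries no comment explaining why the update ACL is wide open. A reader has to find the `check_isdynamic` assertions in kasp/tests.sh to learn that it exists to make example.net a dynamic zone in this view. Access to the view is still gated by `match-clients { key "keyforview1"; };`, so presumably only holders of that TSIG key can send updates, and that is worth stating next to the ACL. I would add `/* Makes example.net dynamic in this view; clients are limited by the match-clients key above. */` on the line before it. The view's body continues past the end of the hunk.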
@@ -157,6 +164,7 @@ zone "example.net" { type primary; file "example2.db"; + inline-signing yes; }; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns5/named.conf.in bind9-9.16.33/bin/tests/system/kasp/ns5/named.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns5/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns5/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -65,15 +65,16 @@ /* Override dnssec-policy */ zone "override.inherit.unsigned" { type primary; - dnssec-policy "default"; file "override.inherit.unsigned.db"; + inline-signing yes; + dnssec-policy "default"; }; /* Unset dnssec-policy */ zone "none.inherit.unsigned" { type primary; - dnssec-policy "none"; file "none.inherit.unsigned.db"; + dnssec-policy "none"; }; }; @@ -85,20 +86,22 @@ zone "inherit.override.unsigned" { type primary; file "inherit.override.unsigned.db"; + inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.unsigned" { type primary; - dnssec-policy "test"; file "override.override.unsigned.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.override.unsigned" { type primary; - dnssec-policy "none"; file "none.override.unsigned.db"; + dnssec-policy "none"; }; }; @@ -115,14 +118,15 @@ /* Override dnssec-policy */ zone "override.none.unsigned" { type primary; - dnssec-policy "test"; file "override.none.unsigned.db"; + inline-signing yes; + dnssec-policy "test"; }; /* Unset dnssec-policy */ zone "none.none.unsigned" { type primary; - dnssec-policy "none"; file "none.none.unsigned.db"; + dnssec-policy "none"; }; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns6/named.conf.in bind9-9.16.33/bin/tests/system/kasp/ns6/named.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns6/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns6/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -42,6 +42,7 @@ zone "step1.going-insecure.kasp" { type master; file "step1.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "unsigning"; }; @@ -55,6 +56,7 @@ zone "step1.going-straight-to-none.kasp" { type master; file "step1.going-straight-to-none.kasp.db"; + inline-signing yes; dnssec-policy "default"; }; @@ -62,12 +64,14 @@ zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "rsasha1"; }; zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; @@ -79,6 +83,7 @@ zone example { type primary; - dnssec-policy modified; file "example.db"; + inline-signing yes; + dnssec-policy modified; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/ns6/named2.conf.in bind9-9.16.33/bin/tests/system/kasp/ns6/named2.conf.in --- bind9-9.16.27/bin/tests/system/kasp/ns6/named2.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/ns6/named2.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -41,12 +41,14 @@ zone "step1.going-insecure.kasp" { type master; file "step1.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; zone "step2.going-insecure.kasp" { type master; file "step2.going-insecure.kasp.db"; + inline-signing yes; dnssec-policy "insecure"; }; 
@@ -76,36 +78,42 @@ zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step2.algorithm-roll.kasp" { type primary; file "step2.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step3.algorithm-roll.kasp" { type primary; file "step3.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step4.algorithm-roll.kasp" { type primary; file "step4.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step5.algorithm-roll.kasp" { type primary; file "step5.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step6.algorithm-roll.kasp" { type primary; file "step6.algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "ecdsa256"; }; @@ -115,36 +123,42 @@ zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step2.csk-algorithm-roll.kasp" { type primary; file "step2.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step3.csk-algorithm-roll.kasp" { type primary; file "step3.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step4.csk-algorithm-roll.kasp" { type primary; file "step4.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step5.csk-algorithm-roll.kasp" { type primary; file "step5.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step6.csk-algorithm-roll.kasp" { type primary; file "step6.csk-algorithm-roll.kasp.db"; + inline-signing yes; dnssec-policy "csk-algoroll"; }; 
@@ -156,6 +170,7 @@ zone example { type primary; - dnssec-policy modified; file "example.db"; + inline-signing yes; + dnssec-policy modified; }; diff -Nru bind9-9.16.27/bin/tests/system/kasp/tests.sh bind9-9.16.33/bin/tests/system/kasp/tests.sh --- bind9-9.16.27/bin/tests/system/kasp/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -253,6 +253,15 @@ next_key_event_threshold=$((next_key_event_threshold+i)) +# Test max-zone-ttl rejects zones with too high TTL. +n=$((n+1)) +echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)" +ret=0 +set_zone "max-zone-ttl.kasp" +grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + # # Zone: default.kasp. # 
@@ -294,6 +303,44 @@ check_subdomain dnssec_verify +# Trigger a keymgr run. Make sure the key files are not touched if there are +# no modifications to the key metadata. +n=$((n+1)) +echo_i "make sure key files are untouched if metadata does not change ($n)" +ret=0 +basefile=$(key_get KEY1 BASEFILE) +privkey_stat=$(key_get KEY1 PRIVKEY_STAT) +pubkey_stat=$(key_get KEY1 PUBKEY_STAT) +state_stat=$(key_get KEY1 STATE_STAT) + +nextpart $DIR/named.run > /dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run +privkey_stat2=$(key_stat "${basefile}.private") +pubkey_stat2=$(key_stat "${basefile}.key") +state_stat2=$(key_stat "${basefile}.state") +test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)" +test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" +test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "again ($n)" +ret=0 + +nextpart $DIR/named.run > /dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +wait_for_log 3 "keymgr: done" $DIR/named.run +privkey_stat2=$(key_stat "${basefile}.private") +pubkey_stat2=$(key_stat "${basefile}.key") +state_stat2=$(key_stat "${basefile}.state") +test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)" +test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" +test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + # Update zone. 
n=$((n+1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" @@ -1843,8 +1890,16 @@ check_keytimes check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example1) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic" +check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain +n=$((n+1)) echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" @@ -1860,8 +1915,16 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example2) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected" +check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain +n=$((n+1)) echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" 
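Review bot: In the hunk at `@@ -294,6 +303,44 @@`, the second ("again") block waits for `"keymgr: done"` while the first waits for `"keymgr: $ZONE done"`. If named logs the zone name between the two words, as the first pattern suggests, the second wait cannot match and the block only continues because the 3-second timeout expires. Neither `wait_for_log` result is checked, so a timeout is silent and the stat comparison may run before the keymgr pass has finished, which weakens the "key files untouched" assertion. Assuming `wait_for_log` returns non-zero on timeout, I would make the second call `wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run || ret=1` and append `|| ret=1` to the first call as well.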
@@ -1874,12 +1937,20 @@ TSIG="hmac-sha1:keyforview3:$VIEW3" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify +# check zonestatus n=$((n+1)) +echo_i "check $ZONE (view example3) zonestatus ($n)" +ret=0 +check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected" +check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # check subdomain -echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)" +n=$((n+1)) +echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" @@ -2025,7 +2096,7 @@ # Schedule KSK rollover now. set_policy "manual-rollover" "3" "3600" set_keystate "KEY1" "GOAL" "hidden" -# This key was activated one day agao, so lifetime is set to 1d plus +# This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. set_keylifetime "KEY1" "93900" created=$(key_get KEY1 CREATED) @@ -2052,7 +2123,7 @@ # Schedule ZSK rollover now. set_policy "manual-rollover" "4" "3600" set_keystate "KEY2" "GOAL" "hidden" -# This key was activated one day agao, so lifetime is set to 1d plus +# This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. set_keylifetime "KEY2" "93900" created=$(key_get KEY2 CREATED) 
@@ -4623,6 +4694,18 @@ # an unlimited lifetime. Fallback to the default loadkeys interval. check_next_key_event 3600 +_check_soa_ttl() { + dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1 + soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) + soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) + ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) + ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) + test ${soa1:-1000} -lt ${soa2:-0} || return 1 + test ${ttl1:-0} -eq $1 || return 1 + test ${ttl2:-0} -eq $2 || return 1 +} + +n=$((n+1)) echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)" TSIG= ret=0 @@ -4631,19 +4714,13 @@ nextpart ns6/named.run > /dev/null rndccmd 10.53.0.6 reload || ret=1 wait_for_log 3 "all zones loaded" ns6/named.run -sleep 1 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || ret=1 -soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) -soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) -ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) -ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) -test ${soa1:-1000} -lt ${soa2:-0} || ret=1 -test ${ttl1:-0} -eq 300 || ret=1 -test ${ttl2:-0} -eq 300 || ret=1 +# Check that the SOA SERIAL increases and check the TTLs (should be 300 as +# defined in ns6/example2.db.in). +retry_quiet 10 _check_soa_ttl 300 300 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -n=$((n+1)) +n=$((n+1)) echo_i "Check that restart with zone changes and deleted journal works ($n)" TSIG= ret=0 
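Review bot: `_check_soa_ttl` has no header comment and its contract is not obvious from the body. `$1` and `$2` are the expected SOA TTLs before and after the change, the global `$n` selects the files, and the caller must already have written `dig.out.ns6.test$n.soa1`. I would add above it: `# Query the SOA again and compare with dig.out.ns6.test$n.soa1: serial must increase; $1/$2 are the expected old/new TTLs.` The operands in `test ${ttl1:-0} -eq $1` are unquoted, so a call without arguments gives a `test` syntax error instead of a clean failure; `"$1"` and `"$2"` would be safer.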
@@ -4655,18 +4732,11 @@ nextpart ns6/named.run > /dev/null start_server --noclean --restart --port ${PORT} kasp ns6 wait_for_log 3 "all zones loaded" ns6/named.run -sleep 1 -dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || ret=1 -soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1) -soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2) -ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1) -ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2) -test ${soa1:-1000} -lt ${soa2:-0} || ret=1 -test ${ttl1:-0} -eq 300 || ret=1 -test ${ttl2:-0} -eq 400 || ret=1 +# Check that the SOA SERIAL increases and check the TTLs (should be changed +# from 300 to 400 as defined in ns6/example3.db.in). +retry_quiet 10 _check_soa_ttl 300 400 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -n=$((n+1)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/kasp.sh bind9-9.16.33/bin/tests/system/kasp.sh --- bind9-9.16.27/bin/tests/system/kasp.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/kasp.sh 2022-09-08 13:01:23.000000000 +0000 @@ -64,6 +64,9 @@ # EXPECT_KRRSIG # LEGACY # PRIVATE +# PRIVKEY_STAT +# PUBKEY_STAT +# STATE_STAT key_key() { echo "${1}__${2}" @@ -77,6 +80,10 @@ eval "$(key_key "$1" "$2")='$3'" } +key_stat() { + $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" +} + # Save certain values in the KEY array. key_save() { @@ -86,6 +93,10 @@ key_set "$1" BASEFILE "$BASE_FILE" # Save creation date. key_set "$1" CREATED "${KEY_CREATED}" + # Save key change time. + key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") + key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") + key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") } # Clear key state. 
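Review bot: `key_stat` prints only `(stat ...)[9]`, the mtime in whole seconds, so a key file rewritten in the same second that `key_save` recorded it compares equal and the "files untouched" checks in kasp/tests.sh cannot see the write. When the file does not exist, `stat` returns an empty list and the function prints an empty line, so a file missing on both sides also compares equal. Failing on a missing file and adding size and inode would tighten it: `$PERL -e '@s = stat $ARGV[0] or exit 1; print "$s[9]:$s[7]:$s[1]\n";' "$1"`. That also replaces the one-element slice `@ARGV[0]` with the usual `$ARGV[0]`.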
@@ -98,6 +109,7 @@ key_set "$1" "ROLE" 'none' key_set "$1" "KSK" 'no' key_set "$1" "ZSK" 'no' + key_set "$1" "FLAGS" '0' key_set "$1" "LIFETIME" 'none' key_set "$1" "ALG_NUM" '0' key_set "$1" "ALG_STR" 'none' @@ -118,7 +130,9 @@ key_set "$1" "EXPECT_KRRSIG" 'no' key_set "$1" "LEGACY" 'no' key_set "$1" "PRIVATE" 'yes' - key_set "$1" "FLAGS" '0' + key_set "$1" "PRIVKEY_STAT" '0' + key_set "$1" "PUBKEY_STAT" '0' + key_set "$1" "STATE_STAT" '0' } # Start clear. @@ -809,9 +823,9 @@ status=$((status+ret)) } -# Call rndc dnssec -status on server $1 for zone $2 and check output. -# This is a loose verification, it just tests if the right policy -# name is returned, and if all expected keys are listed. The rndc +# Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2 +# and check output. This is a loose verification, it just tests if the right +# policy name is returned, and if all expected keys are listed. The rndc # dnssec -status output also lists whether a key is published, # used for signing, is retired, or is removed, and if not when # it is scheduled to do so, and it shows the states for the various 
@@ -850,6 +864,28 @@ status=$((status+ret)) } +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# inline-signing is enabled. +check_inlinesigning() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + +# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if +# the zone is dynamic. +check_isdynamic() { + _server=$1 + _zone=$2 + _view=$3 + + _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1 + grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1 +} + # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. _check_signatures() { @@ -1008,6 +1044,15 @@ status=$((status+ret)) } +_find_dnskey() { + _owner="${ZONE}." + _alg="$(key_get $1 ALG_NUM)" + _flags="$(key_get $1 FLAGS)" + _key_file="$(key_get $1 BASEFILE).key" + + awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file" +} + # Test DNSKEY query. _check_apex_dnskey() { 
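Review bot: `check_inlinesigning` and `check_isdynamic` are identical except for the grep string, and each runs `rndc zonestatus` again and writes the same `rndc.zonestatus.out.$_zone.$n` file, which also lacks the view name. A shared private helper that takes the pattern would remove the duplication, and quoting `$_server`, `$_zone` and `$_view` costs nothing. The sketch below keeps both public names and their return values.

```shell
# Run rndc zonestatus on server $1 for zone $2 in view $3 and grep for $4.
_check_zonestatus() {
	_rndccmd "$1" zonestatus "$2" in "$3" > "rndc.zonestatus.out.$2.$3.$n" || return 1
	grep "$4" "rndc.zonestatus.out.$2.$3.$n" > /dev/null || return 1
}

check_inlinesigning() {
	_check_zonestatus "$1" "$2" "$3" "inline signing: yes"
}

check_isdynamic() {
	_check_zonestatus "$1" "$2" "$3" "dynamic: yes"
}
```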
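Review bot: `_find_dnskey` builds the awk program by splicing `$_owner`, `$DNSKEY_TTL`, `$_flags` and `$_alg` into the script text, so a value containing a quote or backslash would change the program rather than the comparison. Passing them as variables keeps data out of the code: `awk -v o="$_owner" -v t="$DNSKEY_TTL" -v f="$_flags" -v a="$_alg" '$1 == o && $2 == t && $3 == "IN" && $4 == "DNSKEY" && $5 == f && $6 == "3" && $7 == a { print $8 }' < "$_key_file"`. Note that numeric-looking `-v` values compare numerically. A one-line comment should also say that the function prints only field 8 of the `.key` file, which callers then match with `grep -F`. The `$1` in `key_get $1 ...` is unquoted.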
@@ -1015,40 +1060,49 @@ grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1 _checksig=0 - _flags="$(key_get KEY1 FLAGS)" if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1 + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 _checksig=1 elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1 + _pubkey=$(_find_dnskey KEY1) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 fi - _flags="$(key_get KEY2 FLAGS)" - if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1 + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 _checksig=1 elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1 + _pubkey=$(_find_dnskey KEY2) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 fi - _flags="$(key_get KEY3 FLAGS)" - if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1 + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 _checksig=1 elif [ 
"$(key_get KEY3 EXPECT)" = "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1 + _pubkey=$(_find_dnskey KEY3) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 fi - _flags="$(key_get KEY4 FLAGS)" - if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1 + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1 _checksig=1 elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1 + _pubkey=$(_find_dnskey KEY4) + test -z "$_pubkey" && return 1 + grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1 fi test "$_checksig" -eq 0 && return 0 diff -Nru bind9-9.16.27/bin/tests/system/keymgr/testpolicy.py bind9-9.16.33/bin/tests/system/keymgr/testpolicy.py --- bind9-9.16.27/bin/tests/system/keymgr/testpolicy.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/keymgr/testpolicy.py 2022-09-08 13:01:23.000000000 +0000 
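Review bot: The same ten-line block is repeated for KEY1 through KEY4 in `_check_apex_dnskey`, differing only in the key id, which is how the old grep patterns drifted apart (`\.*` versus `\..*` in the removed lines). A loop over the key ids keeps the four cases identical by construction and calls `key_get ... STATE_DNSKEY` once per key instead of twice. The function begins before this hunk and continues after it; only the per-key section is shown below.

```shell
# … unchanged: dig query and "status: NOERROR" check …
_checksig=0
for _key in KEY1 KEY2 KEY3 KEY4; do
	_state="$(key_get $_key STATE_DNSKEY)"
	if [ "$_state" = "rumoured" ] || [ "$_state" = "omnipresent" ]; then
		_pubkey=$(_find_dnskey $_key)
		test -z "$_pubkey" && return 1
		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
		_checksig=1
	elif [ "$(key_get $_key EXPECT)" = "yes" ]; then
		_pubkey=$(_find_dnskey $_key)
		test -z "$_pubkey" && return 1
		grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
	fi
done
# … unchanged: test "$_checksig" -eq 0 && return 0, signature checks …
```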
@@ -14,26 +14,26 @@ PP = policy.dnssec_policy() # print the unmodified default and a generated zone policy -print(PP.named_policy['default']) -print(PP.named_policy['global']) -print(PP.policy('example.com')) +print(PP.named_policy["default"]) +print(PP.named_policy["global"]) +print(PP.policy("example.com")) if len(sys.argv) > 0: for policy_file in sys.argv[1:]: PP.load(policy_file) # now print the modified default and generated zone policies - print(PP.named_policy['default']) - print(PP.policy('example.com')) - print(PP.policy('example.org')) - print(PP.policy('example.net')) + print(PP.named_policy["default"]) + print(PP.policy("example.com")) + print(PP.policy("example.org")) + print(PP.policy("example.net")) # print algorithm policies - print(PP.alg_policy['RSASHA1']) - print(PP.alg_policy['RSASHA256']) - print(PP.alg_policy['ECDSAP256SHA256']) + print(PP.alg_policy["RSASHA1"]) + print(PP.alg_policy["RSASHA256"]) + print(PP.alg_policy["ECDSAP256SHA256"]) # print another named policy - print(PP.named_policy['extra']) + print(PP.named_policy["extra"]) else: print("ERROR: Please provide an input file") diff -Nru bind9-9.16.27/bin/tests/system/keymgr2kasp/ns4/named2.conf.in bind9-9.16.33/bin/tests/system/keymgr2kasp/ns4/named2.conf.in --- bind9-9.16.27/bin/tests/system/keymgr2kasp/ns4/named2.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/keymgr2kasp/ns4/named2.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -72,6 +72,7 @@ zone "view-rsasha256.kasp" { type master; file "view-rsasha256.kasp.ext.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; }; 
@@ -82,6 +83,7 @@ zone "view-rsasha256.kasp" { type master; file "view-rsasha256.kasp.int.db"; + inline-signing yes; dnssec-policy "rsasha256"; }; }; diff -Nru bind9-9.16.27/bin/tests/system/nsec3/ns3/named.conf.in bind9-9.16.33/bin/tests/system/nsec3/ns3/named.conf.in --- bind9-9.16.27/bin/tests/system/nsec3/ns3/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/nsec3/ns3/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -55,6 +55,7 @@ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec"; }; @@ -62,6 +63,7 @@ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -76,6 +78,7 @@ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; + inline-signing yes; dnssec-policy "nsec3-other"; }; @@ -83,6 +86,7 @@ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -97,6 +101,7 @@ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -104,6 +109,7 @@ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; + inline-signing yes; dnssec-policy "optout"; }; @@ -111,6 +117,7 @@ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; diff -Nru bind9-9.16.27/bin/tests/system/nsec3/ns3/named2.conf.in bind9-9.16.33/bin/tests/system/nsec3/ns3/named2.conf.in --- bind9-9.16.27/bin/tests/system/nsec3/ns3/named2.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/nsec3/ns3/named2.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -55,6 +55,7 @@ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; + inline-signing yes; //dnssec-policy "nsec"; dnssec-policy "nsec3"; }; 
@@ -63,6 +64,7 @@ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; + inline-signing yes; dnssec-policy "nsec3"; }; @@ -77,6 +79,7 @@ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; + inline-signing yes; dnssec-policy "nsec3-other"; }; @@ -84,6 +87,7 @@ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "nsec3-other"; }; @@ -100,6 +104,7 @@ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "optout"; }; @@ -108,6 +113,7 @@ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; + inline-signing yes; //dnssec-policy "optout"; dnssec-policy "nsec3"; }; @@ -116,6 +122,7 @@ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; + inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "nsec"; }; diff -Nru bind9-9.16.27/bin/tests/system/nsupdate/tests.sh bind9-9.16.33/bin/tests/system/nsupdate/tests.sh --- bind9-9.16.27/bin/tests/system/nsupdate/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/nsupdate/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -84,6 +84,32 @@ [ $ret = 0 ] || { echo_i "failed"; status=1; } ret=0 +echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone unconfigured.test +update add unconfigured.test 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' unconfigured.test: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 +echo_i "ensure a subdomain is mentioned in its NOTAUTH log" +$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1 +server 10.53.0.1 ${PORT} +zone sub.sub.example.nil +update add sub.sub.sub.example.nil 600 IN A 10.53.0.1 +send +END +grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1 +grep ' sub.sub.example.nil: not authoritative' ns1/named.run \ + > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo_i "failed"; status=1; } + +ret=0 echo_i "updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. $NSUPDATE -k ns1/ddns.key < /dev/null || ret=1 diff -Nru bind9-9.16.27/bin/tests/system/org.isc.bind.system bind9-9.16.33/bin/tests/system/org.isc.bind.system --- bind9-9.16.27/bin/tests/system/org.isc.bind.system 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/org.isc.bind.system 2022-09-08 13:01:23.000000000 +0000 
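Review bot: Both new checks grep the whole of `ns1/named.run`, so a matching `not authoritative` line logged earlier in the run would satisfy them, and the dots in the pattern are regex wildcards. Reading only the new part of the log with a fixed string is tighter, assuming `nextpart` is available here as it is in kasp/tests.sh. Call `nextpart ns1/named.run > /dev/null` before `$NSUPDATE`, then check with `nextpart ns1/named.run | grep -F ' unconfigured.test: not authoritative' > /dev/null || ret=1`. Both tests also write `nsupdate.out`, so the first test's output is lost by the time the second one fails; a per-test file name would keep it for debugging.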
@@ -11,8 +11,17 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -for ns in 1 2 3 4 5 6 7 8 +ifup() { + /sbin/ifconfig lo0 10.53.$1.$3 alias + /sbin/ifconfig lo0 inet6 fd92:7065:b8e:${2}ff::${3} alias +} + +for ns in 1 2 3 4 5 6 7 8 9 10 +do + ifup 0 ff $ns +done +for ns in 1 2 do - /sbin/ifconfig lo0 10.53.0.$ns alias - /sbin/ifconfig lo0 inet6 fd92:7065:b8e:ffff::$ns alias + ifup 1 99 $ns + ifup 2 00 $ns done diff -Nru bind9-9.16.27/bin/tests/system/pipelined/ans5/ans.py bind9-9.16.33/bin/tests/system/pipelined/ans5/ans.py --- bind9-9.16.27/bin/tests/system/pipelined/ans5/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/pipelined/ans5/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -47,25 +47,28 @@ DELAY = 0.5 THREADS = [] + def log(msg): - print(datetime.datetime.now().strftime('%d-%b-%Y %H:%M:%S.%f ') + msg) + print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg) def sigterm(*_): - log('SIGTERM received, shutting down') + log("SIGTERM received, shutting down") for thread in THREADS: thread.close() thread.join() - os.remove('ans.pid') + os.remove("ans.pid") sys.exit(0) + class TCPDelayer(threading.Thread): - """ For a given TCP connection conn we open a connection to (ip, port), - and then we delay each incoming packet by DELAY by putting it in a - queue. - In the pipelined test TCP should not be used, but it's here for - completnes. + """For a given TCP connection conn we open a connection to (ip, port), + and then we delay each incoming packet by DELAY by putting it in a + queue. + In the pipelined test TCP should not be used, but it's here for + completnes. """ + def __init__(self, conn, ip, port): threading.Thread.__init__(self) self.conn = conn 
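Review bot: The new `ifup` function takes three positional arguments whose meaning has to be worked out from the call sites: `$1` is the third IPv4 octet, `$2` the leading hex byte of the IPv6 group `${2}ff`, and `$3` the host number. A header comment would save the reader that work, for example `# ifup <v4-octet3> <v6-byte> <host>: alias 10.53.<v4-octet3>.<host> and fd92:7065:b8e:<v6-byte>ff::<host> on lo0`. The name also shadows the common `ifup` command, and the `ifconfig` exit status is ignored, so a failed alias goes unnoticed. A distinct name such as `setup_alias` with `|| echo "failed to alias 10.53.$1.$3" >&2` after each call would make failures visible.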
@@ -81,13 +84,15 @@ while self.running: curr_timeout = 0.5 try: - curr_timeout = self.queue[0][0]-time.time() + curr_timeout = self.queue[0][0] - time.time() except StopIteration: pass if curr_timeout > 0: if curr_timeout == 0: curr_timeout = 0.5 - rfds, _, _ = select.select([self.conn, self.cconn], [], [], curr_timeout) + rfds, _, _ = select.select( + [self.conn, self.cconn], [], [], curr_timeout + ) if self.conn in rfds: data = self.conn.recv(65535) if not data: @@ -99,17 +104,19 @@ return self.conn.send(data) try: - while self.queue[0][0]-time.time() < 0: + while self.queue[0][0] - time.time() < 0: _, data = self.queue.pop(0) self.cconn.send(data) except StopIteration: pass + class UDPDelayer(threading.Thread): - """ Every incoming UDP packet is put in a queue for DELAY time, then - it's sent to (ip, port). We remember the query id to send the - response we get to a proper source, responses are not delayed. + """Every incoming UDP packet is put in a queue for DELAY time, then + it's sent to (ip, port). We remember the query id to send the + response we get to a proper source, responses are not delayed. """ + def __init__(self, usock, ip, port): threading.Thread.__init__(self) self.sock = usock 
@@ -126,50 +133,56 @@ while self.running: curr_timeout = 0.5 if self.queue: - curr_timeout = self.queue[0][0]-time.time() + curr_timeout = self.queue[0][0] - time.time() if curr_timeout >= 0: if curr_timeout == 0: curr_timeout = 0.5 - rfds, _, _ = select.select([self.sock, self.csock], [], [], curr_timeout) + rfds, _, _ = select.select( + [self.sock, self.csock], [], [], curr_timeout + ) if self.sock in rfds: data, addr = self.sock.recvfrom(65535) if not data: return self.queue.append((time.time() + DELAY, data)) - qid = struct.unpack('>H', data[:2])[0] - log('Received a query from %s, queryid %d' % (str(addr), qid)) + qid = struct.unpack(">H", data[:2])[0] + log("Received a query from %s, queryid %d" % (str(addr), qid)) self.qid_mapping[qid] = addr if self.csock in rfds: data, addr = self.csock.recvfrom(65535) if not data: return - qid = struct.unpack('>H', data[:2])[0] + qid = struct.unpack(">H", data[:2])[0] dst = self.qid_mapping.get(qid) if dst is not None: self.sock.sendto(data, dst) - log('Received a response from %s, queryid %d, sending to %s' % (str(addr), qid, str(dst))) - while self.queue and self.queue[0][0]-time.time() < 0: + log( + "Received a response from %s, queryid %d, sending to %s" + % (str(addr), qid, str(dst)) + ) + while self.queue and self.queue[0][0] - time.time() < 0: _, data = self.queue.pop(0) - qid = struct.unpack('>H', data[:2])[0] - log('Sending a query to %s, queryid %d' % (str(self.dst), qid)) + qid = struct.unpack(">H", data[:2])[0] + log("Sending a query to %s, queryid %d" % (str(self.dst), qid)) self.csock.sendto(data, self.dst) + def main(): signal.signal(signal.SIGTERM, sigterm) signal.signal(signal.SIGINT, sigterm) - with open('ans.pid', 'w') as pidfile: + with open("ans.pid", "w") as pidfile: print(os.getpid(), file=pidfile) - listenip = '10.53.0.5' - serverip = '10.53.0.2' + listenip = "10.53.0.5" + serverip = "10.53.0.2" try: - port = int(os.environ['PORT']) + port = int(os.environ["PORT"]) except KeyError: port = 5300 - 
log('Listening on %s:%d' % (listenip, port)) + log("Listening on %s:%d" % (listenip, port)) usock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) usock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) @@ -187,12 +200,13 @@ while True: try: (clientsock, _) = sock.accept() - log('Accepted connection from %s' % clientsock) + log("Accepted connection from %s" % clientsock) thread = TCPDelayer(clientsock, serverip, port) thread.start() THREADS.append(thread) except socket.timeout: pass -if __name__ == '__main__': + +if __name__ == "__main__": main() diff -Nru bind9-9.16.27/bin/tests/system/pytest_custom_markers.py bind9-9.16.33/bin/tests/system/pytest_custom_markers.py --- bind9-9.16.27/bin/tests/system/pytest_custom_markers.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/pytest_custom_markers.py 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,21 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +import os + +import pytest + + +long_test = pytest.mark.skipif( + not os.environ.get("CI_ENABLE_ALL_TESTS"), reason="CI_ENABLE_ALL_TESTS not set" +) diff -Nru bind9-9.16.27/bin/tests/system/qmin/ans2/ans.py bind9-9.16.33/bin/tests/system/qmin/ans2/ans.py --- bind9-9.16.27/bin/tests/system/qmin/ans2/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/qmin/ans2/ans.py 2022-09-08 13:01:23.000000000 +0000 
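Review bot: `long_test` is enabled by any non-empty value of `CI_ENABLE_ALL_TESTS`, so `CI_ENABLE_ALL_TESTS=0` or `=false` still runs the long tests, and nothing in the module says so. A comment above the marker would document the contract, for example `# Tests marked long_test run only when CI_ENABLE_ALL_TESTS is set to a non-empty value (any value, including "0").` If a boolean reading is intended instead, compare against an explicit value such as `os.environ.get("CI_ENABLE_ALL_TESTS") == "1"`.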
@@ -31,9 +31,11 @@ with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + def endswith(domain, labels): return domain.endswith("." + labels) or domain == labels + ############################################################################ # Respond to a DNS query. # For good. it serves: @@ -65,7 +67,7 @@ m = dns.message.from_wire(msg) qname = m.question[0].name.to_text() lqname = qname.lower() - labels = lqname.split('.') + labels = lqname.split(".") # get qtype rrtype = m.question[0].rdtype 
@@ -88,22 +90,61 @@ # Direct query - give direct answer if endswith(lqname, "8.2.6.0.1.0.0.2.ip6.arpa."): # Delegate to ns3 - r.authority.append(dns.rrset.from_text("8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns3.good.")) - r.additional.append(dns.rrset.from_text("ns3.good.", 60, IN, A, "10.53.0.3")) - elif lqname == "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa." and rrtype == PTR: + r.authority.append( + dns.rrset.from_text( + "8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns3.good." + ) + ) + r.additional.append( + dns.rrset.from_text("ns3.good.", 60, IN, A, "10.53.0.3") + ) + elif ( + lqname + == "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa." + and rrtype == PTR + ): # Direct query - give direct answer - r.answer.append(dns.rrset.from_text("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", 1, IN, PTR, "nee.com.")) + r.answer.append( + dns.rrset.from_text( + "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", + 1, + IN, + PTR, + "nee.com.", + ) + ) r.flags |= dns.flags.AA elif lqname == "1.0.0.2.ip6.arpa." and rrtype == NS: # NS query at the apex - r.answer.append(dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, NS, "ns2.good.")) + r.answer.append( + dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, NS, "ns2.good.") + ) r.flags |= dns.flags.AA - elif endswith("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", lqname): + elif endswith( + "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.", + lqname, + ): # NODATA answer - r.authority.append(dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, SOA, "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "1.0.0.2.ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) else: # NXDOMAIN - r.authority.append(dns.rrset.from_text("1.0.0.2.ip6.arpa.", 30, IN, SOA, "ns2.good. hostmaster.arpa. 
2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "1.0.0.2.ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) r.set_rcode(NXDOMAIN) return r elif endswith(lqname, "ip6.arpa."): 
@@ -113,35 +154,71 @@ r.flags |= dns.flags.AA elif endswith("1.0.0.2.ip6.arpa.", lqname): # NODATA answer - r.authority.append(dns.rrset.from_text("ip6.arpa.", 30, IN, SOA, "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) else: # NXDOMAIN - r.authority.append(dns.rrset.from_text("ip6.arpa.", 30, IN, SOA, "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "ip6.arpa.", + 30, + IN, + SOA, + "ns2.good. hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) r.set_rcode(NXDOMAIN) return r elif endswith(lqname, "stale."): if endswith(lqname, "a.b.stale."): # Delegate to ns.a.b.stale. - r.authority.append(dns.rrset.from_text("a.b.stale.", 2, IN, NS, "ns.a.b.stale.")) - r.additional.append(dns.rrset.from_text("ns.a.b.stale.", 2, IN, A, "10.53.0.3")) + r.authority.append( + dns.rrset.from_text("a.b.stale.", 2, IN, NS, "ns.a.b.stale.") + ) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 2, IN, A, "10.53.0.3") + ) elif endswith(lqname, "b.stale."): # Delegate to ns.b.stale. - r.authority.append(dns.rrset.from_text("b.stale.", 2, IN, NS, "ns.b.stale.")) - r.additional.append(dns.rrset.from_text("ns.b.stale.", 2, IN, A, "10.53.0.4")) + r.authority.append( + dns.rrset.from_text("b.stale.", 2, IN, NS, "ns.b.stale.") + ) + r.additional.append( + dns.rrset.from_text("ns.b.stale.", 2, IN, A, "10.53.0.4") + ) elif lqname == "stale." and rrtype == NS: # NS query at the apex. r.answer.append(dns.rrset.from_text("stale.", 2, IN, NS, "ns2.stale.")) r.flags |= dns.flags.AA elif lqname == "stale." and rrtype == SOA: # SOA query at the apex. - r.answer.append(dns.rrset.from_text("stale.", 2, IN, SOA, "ns2.stale. hostmaster.stale. 1 2 3 4 5")) + r.answer.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.stale. 
1 2 3 4 5" + ) + ) r.flags |= dns.flags.AA elif lqname == "stale.": # NODATA answer - r.authority.append(dns.rrset.from_text("stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5" + ) + ) else: # NXDOMAIN - r.authority.append(dns.rrset.from_text("stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + "stale.", 2, IN, SOA, "ns2.stale. hostmaster.arpa. 1 2 3 4 5" + ) + ) r.set_rcode(NXDOMAIN) return r elif endswith(lqname, "bad."): 
@@ -168,43 +245,72 @@ # Good/bad/ugly differs only in how we treat non-empty terminals if endswith(lqname, "zoop.boing."): - r.authority.append(dns.rrset.from_text("zoop.boing." + suffix, 1, IN, NS, "ns3." + suffix)) - elif lqname == "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z." and rrtype == A: + r.authority.append( + dns.rrset.from_text("zoop.boing." + suffix, 1, IN, NS, "ns3." + suffix) + ) + elif ( + lqname == "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z." + and rrtype == A + ): r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2")) r.flags |= dns.flags.AA elif lqname == "" and rrtype == NS: r.answer.append(dns.rrset.from_text(suffix, 30, IN, NS, "ns2." + suffix)) r.flags |= dns.flags.AA elif lqname == "ns2." and rrtype == A: - r.answer.append(dns.rrset.from_text("ns2."+suffix, 30, IN, A, "10.53.0.2")) + r.answer.append(dns.rrset.from_text("ns2." + suffix, 30, IN, A, "10.53.0.2")) r.flags |= dns.flags.AA elif lqname == "ns2." and rrtype == AAAA: - r.answer.append(dns.rrset.from_text("ns2."+suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::2")) + r.answer.append( + dns.rrset.from_text("ns2." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::2") + ) r.flags |= dns.flags.AA elif lqname == "ns3." and rrtype == A: - r.answer.append(dns.rrset.from_text("ns3."+suffix, 30, IN, A, "10.53.0.3")) + r.answer.append(dns.rrset.from_text("ns3." + suffix, 30, IN, A, "10.53.0.3")) r.flags |= dns.flags.AA elif lqname == "ns3." and rrtype == AAAA: - r.answer.append(dns.rrset.from_text("ns3."+suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::3")) + r.answer.append( + dns.rrset.from_text("ns3." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::3") + ) r.flags |= dns.flags.AA elif lqname == "ns4." and rrtype == A: - r.answer.append(dns.rrset.from_text("ns4."+suffix, 30, IN, A, "10.53.0.4")) + r.answer.append(dns.rrset.from_text("ns4." + suffix, 30, IN, A, "10.53.0.4")) r.flags |= dns.flags.AA elif lqname == "ns4." 
and rrtype == AAAA: - r.answer.append(dns.rrset.from_text("ns4."+suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::4")) + r.answer.append( + dns.rrset.from_text("ns4." + suffix, 30, IN, AAAA, "fd92:7065:b8e:ffff::4") + ) r.flags |= dns.flags.AA elif lqname == "a.bit.longer.ns.name." and rrtype == A: - r.answer.append(dns.rrset.from_text("a.bit.longer.ns.name."+suffix, 1, IN, A, "10.53.0.4")) + r.answer.append( + dns.rrset.from_text("a.bit.longer.ns.name." + suffix, 1, IN, A, "10.53.0.4") + ) r.flags |= dns.flags.AA elif lqname == "a.bit.longer.ns.name." and rrtype == AAAA: - r.answer.append(dns.rrset.from_text("a.bit.longer.ns.name."+suffix, 1, IN, AAAA, "fd92:7065:b8e:ffff::4")) + r.answer.append( + dns.rrset.from_text( + "a.bit.longer.ns.name." + suffix, 1, IN, AAAA, "fd92:7065:b8e:ffff::4" + ) + ) r.flags |= dns.flags.AA else: - r.authority.append(dns.rrset.from_text(suffix, 1, IN, SOA, "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1")) - if bad or not \ - (endswith("icky.icky.icky.ptang.zoop.boing.", lqname) or \ - endswith("many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.", lqname) or \ - endswith("a.bit.longer.ns.name.", lqname)): + r.authority.append( + dns.rrset.from_text( + suffix, + 1, + IN, + SOA, + "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) + if bad or not ( + endswith("icky.icky.icky.ptang.zoop.boing.", lqname) + or endswith( + "many.labels.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.", + lqname, + ) + or endswith("a.bit.longer.ns.name.", lqname) + ): r.set_rcode(NXDOMAIN) if ugly: r.set_rcode(FORMERR) @@ -214,11 +320,12 @@ def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # 
@@ -229,8 +336,10 @@ ip4 = "10.53.0.2" ip6 = "fd92:7065:b8e:ffff::2" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) @@ -248,17 +357,17 @@ signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket] @@ -277,8 +386,9 @@ for s in inputready: if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6), end=" ") + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff -Nru bind9-9.16.27/bin/tests/system/qmin/ans3/ans.py bind9-9.16.33/bin/tests/system/qmin/ans3/ans.py --- bind9-9.16.27/bin/tests/system/qmin/ans3/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/qmin/ans3/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -31,9 +31,11 @@ with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + def endswith(domain, labels): return domain.endswith("." + labels) or domain == labels + ############################################################################ # Respond to a DNS query. # For good. it serves: @@ -54,7 +56,7 @@ m = dns.message.from_wire(msg) qname = m.question[0].name.to_text() lqname = qname.lower() - labels = lqname.split('.') + labels = lqname.split(".") # get qtype rrtype = m.question[0].rdtype 
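Review bot: The reformatted port lookup keeps a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and hides any unexpected failure behind the 5300 default. Only a missing or non-numeric `PORT` is meant to fall back, so `except (KeyError, ValueError):` states that directly. The identical block appears in the ans3 and ans4 hunks below.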
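Review bot: The context line `f.write("%s %s\n", type, qname)` at the top of the ans3/ans.py hunk passes three arguments to `write()`, which accepts exactly one, so any call of this logging helper would raise `TypeError` instead of appending to `qlog`. `f.write("%s %s\n" % (type, qname))` is what the format string suggests was intended. The helper's `def` line is outside the hunk, so whether it is actually called cannot be seen from here; the same line appears in the ans4/ans.py hunk.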
@@ -101,17 +103,31 @@ elif rrtype == NS: # NS a.b. r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale.")) - r.additional.append(dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3")) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3") + ) r.flags |= dns.flags.AA elif rrtype == SOA: # SOA a.b. - r.answer.append(dns.rrset.from_text(lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5")) + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) r.flags |= dns.flags.AA else: # NODATA. - r.authority.append(dns.rrset.from_text(lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) else: - r.authority.append(dns.rrset.from_text(lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) r.set_rcode(NXDOMAIN) # NXDOMAIN. return r 
@@ -121,21 +137,51 @@ # Good/bad differs only in how we treat non-empty terminals if lqname == "zoop.boing." and rrtype == NS: - r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3."+suffix)) + r.answer.append( + dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix) + ) r.flags |= dns.flags.AA elif endswith(lqname, "icky.ptang.zoop.boing."): - r.authority.append(dns.rrset.from_text("icky.ptang.zoop.boing." + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix)) + r.authority.append( + dns.rrset.from_text( + "icky.ptang.zoop.boing." + suffix, + 1, + IN, + NS, + "a.bit.longer.ns.name." + suffix, + ) + ) elif endswith("icky.ptang.zoop.boing.", lqname): - r.authority.append(dns.rrset.from_text("zoop.boing." + suffix, 1, IN, SOA, "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "zoop.boing." + suffix, + 1, + IN, + SOA, + "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) if bad: r.set_rcode(NXDOMAIN) if ugly: r.set_rcode(FORMERR) elif endswith(lqname, "zoop.boing."): - r.authority.append(dns.rrset.from_text("zoop.boing." + suffix, 1, IN, SOA, "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "zoop.boing." + suffix, + 1, + IN, + SOA, + "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) r.set_rcode(NXDOMAIN) elif ip6req: - r.authority.append(dns.rrset.from_text("1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns4.good.")) + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, NS, "ns4.good." + ) + ) r.additional.append(dns.rrset.from_text("ns4.good.", 60, IN, A, "10.53.0.4")) else: r.set_rcode(REFUSED) 
@@ -146,11 +192,12 @@ def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -161,8 +208,10 @@ ip4 = "10.53.0.3" ip6 = "fd92:7065:b8e:ffff::3" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) @@ -180,17 +229,17 @@ signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket] @@ -209,8 +258,9 @@ for s in inputready: if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6), end=" ") + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff -Nru bind9-9.16.27/bin/tests/system/qmin/ans4/ans.py bind9-9.16.33/bin/tests/system/qmin/ans4/ans.py --- bind9-9.16.27/bin/tests/system/qmin/ans4/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/qmin/ans4/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -31,9 +31,11 @@ with open("qlog", "a") as f: f.write("%s %s\n", type, qname) + def endswith(domain, labels): return domain.endswith("." + labels) or domain == labels + ############################################################################ # Respond to a DNS query. # For good. it serves: 
@@ -55,7 +57,8 @@ m = dns.message.from_wire(msg) qname = m.question[0].name.to_text() lqname = qname.lower() - labels = lqname.split('.') + labels = lqname.split(".") + suffix = "" # get qtype rrtype = m.question[0].rdtype 
@@ -102,30 +105,54 @@ elif rrtype == NS: # NS a.b. r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.a.b.stale.")) - r.additional.append(dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3")) + r.additional.append( + dns.rrset.from_text("ns.a.b.stale.", 1, IN, A, "10.53.0.3") + ) r.flags |= dns.flags.AA elif rrtype == SOA: # SOA a.b. - r.answer.append(dns.rrset.from_text(lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5")) + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) r.flags |= dns.flags.AA else: # NODATA. - r.authority.append(dns.rrset.from_text(lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "a.b.stale. hostmaster.a.b.stale. 1 2 3 4 5" + ) + ) elif lqname == "b.stale.": if rrtype == NS: # NS b. r.answer.append(dns.rrset.from_text(lqname, 1, IN, NS, "ns.b.stale.")) - r.additional.append(dns.rrset.from_text("ns.b.stale.", 1, IN, A, "10.53.0.4")) + r.additional.append( + dns.rrset.from_text("ns.b.stale.", 1, IN, A, "10.53.0.4") + ) r.flags |= dns.flags.AA elif rrtype == SOA: # SOA b. - r.answer.append(dns.rrset.from_text(lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5")) + r.answer.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) r.flags |= dns.flags.AA else: # NODATA. - r.authority.append(dns.rrset.from_text(lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) else: - r.authority.append(dns.rrset.from_text(lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5")) + r.authority.append( + dns.rrset.from_text( + lqname, 1, IN, SOA, "b.stale. hostmaster.b.stale. 1 2 3 4 5" + ) + ) r.set_rcode(NXDOMAIN) # NXDOMAIN. return r 
@@ -141,24 +168,67 @@ r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, A, "192.0.2.2")) r.flags |= dns.flags.AA elif lqname == "icky.ptang.zoop.boing." and rrtype == NS: - r.answer.append(dns.rrset.from_text(lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name."+suffix)) + r.answer.append( + dns.rrset.from_text( + lqname + suffix, 1, IN, NS, "a.bit.longer.ns.name." + suffix + ) + ) r.flags |= dns.flags.AA elif endswith(lqname, "icky.ptang.zoop.boing."): - r.authority.append(dns.rrset.from_text("icky.ptang.zoop.boing." + suffix, 1, IN, SOA, "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1")) + r.authority.append( + dns.rrset.from_text( + "icky.ptang.zoop.boing." + suffix, + 1, + IN, + SOA, + "ns2." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1", + ) + ) if bad or not endswith("more.icky.icky.icky.ptang.zoop.boing.", lqname): r.set_rcode(NXDOMAIN) if ugly: r.set_rcode(FORMERR) elif ip6req: r.flags |= dns.flags.AA - if lqname == "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa." and rrtype == TXT: - r.answer.append(dns.rrset.from_text("test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 1, IN, TXT, "long_ip6_name")) - elif endswith("0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", lqname): - #NODATA answer - r.authority.append(dns.rrset.from_text("1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, SOA, "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16")) + if ( + lqname + == "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa." 
+ and rrtype == TXT + ): + r.answer.append( + dns.rrset.from_text( + "test1.test2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 1, + IN, + TXT, + "long_ip6_name", + ) + ) + elif endswith( + "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.9.0.9.4.1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + lqname, + ): + # NODATA answer + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 60, + IN, + SOA, + "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16", + ) + ) else: # NXDOMAIN - r.authority.append(dns.rrset.from_text("1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", 60, IN, SOA, "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16")) + r.authority.append( + dns.rrset.from_text( + "1.1.1.1.8.2.6.0.1.0.0.2.ip6.arpa.", + 60, + IN, + SOA, + "ns4.good. hostmaster.arpa. 2018050100 120 30 320 16", + ) + ) r.set_rcode(NXDOMAIN) else: r.set_rcode(REFUSED) @@ -169,11 +239,12 @@ def sigterm(signum, frame): - print ("Shutting down now...") - os.remove('ans.pid') + print("Shutting down now...") + os.remove("ans.pid") running = False sys.exit(0) + ############################################################################ # Main # @@ -184,8 +255,10 @@ ip4 = "10.53.0.4" ip6 = "fd92:7065:b8e:ffff::4" -try: port=int(os.environ['PORT']) -except: port=5300 +try: + port = int(os.environ["PORT"]) +except: + port = 5300 query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) query4_socket.bind((ip4, port)) @@ -203,17 +276,17 @@ signal.signal(signal.SIGTERM, sigterm) -f = open('ans.pid', 'w') +f = open("ans.pid", "w") pid = os.getpid() -print (pid, file=f) +print(pid, file=f) f.close() running = True -print ("Listening on %s port %d" % (ip4, port)) +print("Listening on %s port %d" % (ip4, port)) if havev6: - print ("Listening on %s port %d" % (ip6, port)) -print ("Ctrl-c to quit") + print("Listening on %s port %d" % (ip6, port)) +print("Ctrl-c to quit") if havev6: input = [query4_socket, query6_socket] 
@@ -232,8 +305,9 @@ for s in inputready: if s == query4_socket or s == query6_socket: - print ("Query received on %s" % - (ip4 if s == query4_socket else ip6), end=" ") + print( + "Query received on %s" % (ip4 if s == query4_socket else ip6), end=" " + ) # Handle incoming queries msg = s.recvfrom(65535) rsp = create_response(msg[0]) diff -Nru bind9-9.16.27/bin/tests/system/rndc/tests.sh bind9-9.16.33/bin/tests/system/rndc/tests.sh --- bind9-9.16.27/bin/tests/system/rndc/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rndc/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -456,22 +456,22 @@ $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog on >/dev/null 2>&1 || ret=1 grep "query logging is now on" ns4/named.run > /dev/null || ret=1 # query for builtin and check if query was logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind > /dev/null || ret=1 +$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo12345.bind +qr > dig.out.1.test$n 2>&1 || ret=1 grep "query: foo12345.bind CH TXT.*(.*)$" ns4/named.run > /dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1) -$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind > /dev/null || ret=1 +$DIG +subnet=127.0.0.1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12346.bind +qr > dig.out.2.test$n 2>&1 || ret=1 grep "query: foo12346.bind CH TXT.*\[ECS 127\.0\.0\.1\/32\/0]" ns4/named.run > /dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=127.0.0.1/24) -$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind > /dev/null || ret=1 +$DIG +subnet=127.0.0.1/24 @10.53.0.4 -p ${PORT} -c ch -t txt foo12347.bind +qr > dig.out.3.test$n 2>&1 || ret=1 grep "query: foo12347.bind CH TXT.*\[ECS 127\.0\.0\.0\/24\/0]" ns4/named.run > /dev/null || ret=1 # query for another builtin zone and check if query was logged (with +subnet=::1) -$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind > /dev/null || ret=1 +$DIG +subnet=::1 @10.53.0.4 -p ${PORT} -c ch -t txt foo12348.bind +qr > dig.out.4.test$n 2>&1 || ret=1 grep "query: foo12348.bind CH TXT.*\[ECS \:\:1\/128\/0]" ns4/named.run > /dev/null || ret=1 # toggle query logging and check again $RNDC -s 10.53.0.4 -p ${EXTRAPORT6} -c ns4/key6.conf querylog > /dev/null 2>&1 || ret=1 grep "query logging is now off" ns4/named.run > /dev/null || ret=1 # query for another builtin zone and check if query was logged (without +subnet) -$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind > /dev/null || ret=1 
+$DIG @10.53.0.4 -p ${PORT} -c ch -t txt foo9876.bind +qr > dig.out.5.test$n 2>&1 || ret=1 grep "query: foo9876.bind CH TXT.*(.*)$" ns4/named.run > /dev/null && ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` diff -Nru bind9-9.16.27/bin/tests/system/rpz/dnsrps.c bind9-9.16.33/bin/tests/system/rpz/dnsrps.c --- bind9-9.16.27/bin/tests/system/rpz/dnsrps.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/dnsrps.c 2022-09-08 13:01:23.000000000 +0000 @@ -83,8 +83,7 @@ #ifdef USE_DNSRPS printf("%s\n", librpz->dnsrpzd_path); #else /* ifdef USE_DNSRPS */ - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); #endif /* ifdef USE_DNSRPS */ return (0); @@ -134,8 +133,7 @@ librpz->client_detach(&client); printf("%u\n", serial); #else /* ifdef USE_DNSRPS */ - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); #endif /* ifdef USE_DNSRPS */ return (0); diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns10/hints bind9-9.16.33/bin/tests/system/rpz/ns10/hints --- bind9-9.16.27/bin/tests/system/rpz/ns10/hints 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns10/hints 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. 120 NS ns. +ns. 120 A 10.53.0.1 diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns10/named.conf.in bind9-9.16.33/bin/tests/system/rpz/ns10/named.conf.in --- bind9-9.16.27/bin/tests/system/rpz/ns10/named.conf.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns10/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,42 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.10; }; + listen-on-v6 { none; }; + notify no; + minimal-responses no; + recursion yes; + dnssec-validation yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.10 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +include "../trusted.conf"; +zone "." { type hint; file "hints"; }; + +# grafted on zones using stub and static-stub +zone "stub-nomatch." {type primary; file "stub.db"; }; +zone "static-stub-nomatch." {type primary; file "stub.db"; }; diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns10/stub.db bind9-9.16.33/bin/tests/system/rpz/ns10/stub.db --- bind9-9.16.27/bin/tests/system/rpz/ns10/stub.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns10/stub.db 2022-09-08 13:01:23.000000000 +0000 
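Review bot: The new ns10 configuration embeds a short fixed rndc secret and opens the control channel with `allow { any; }`, and nothing in the file says that this is acceptable only for a test fixture. A comment above the `key` statement such as `/* Test fixture only: fixed rndc key and "allow { any; }" are not suitable for a production named.conf. */` would keep the file from being copied as a template. The listener address 10.53.0.10 is the only scoping of the control channel visible here.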
@@ -0,0 +1,21 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; RPZ rewrite responses from this zone + +$TTL 120 +@ SOA ns hostmaster.ns ( 1 3600 1200 604800 60 ) + NS ns +ns A 10.53.0.10 + +a3-1 A 10.53.99.99 + +a4-1 A 10.53.99.99 diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns2/named.conf.in bind9-9.16.33/bin/tests/system/rpz/ns2/named.conf.in --- bind9-9.16.27/bin/tests/system/rpz/ns2/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns2/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -49,3 +49,7 @@ zone "bl.tld2." {type primary; file "bl.tld2.db"; notify yes; notify-delay 0;}; + +# grafted on zones using stub and static-stub +zone "stub." {type primary; file "stub.db"; }; +zone "static-stub." {type primary; file "stub.db"; }; diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns2/stub.db bind9-9.16.33/bin/tests/system/rpz/ns2/stub.db --- bind9-9.16.27/bin/tests/system/rpz/ns2/stub.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns2/stub.db 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +; RPZ rewrite responses from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns.sub1.tld2. + +a3-1 A 10.53.99.99 + +a4-1 A 10.53.99.99 diff -Nru bind9-9.16.27/bin/tests/system/rpz/ns3/named.conf.in bind9-9.16.33/bin/tests/system/rpz/ns3/named.conf.in --- bind9-9.16.27/bin/tests/system/rpz/ns3/named.conf.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/ns3/named.conf.in 2022-09-08 13:01:23.000000000 +0000 @@ -128,3 +128,23 @@ primaries { 10.53.0.5; }; notify no; }; + +zone "stub." { + type stub; + primaries { 10.53.0.2; }; +}; + +zone "static-stub." { + type static-stub; + server-addresses { 10.53.0.2; }; +}; + +zone "stub-nomatch." { + type stub; + primaries { 10.53.0.10; }; +}; + +zone "static-stub-nomatch." { + type static-stub; + server-addresses { 10.53.0.10; }; +}; diff -Nru bind9-9.16.27/bin/tests/system/rpz/setup.sh bind9-9.16.33/bin/tests/system/rpz/setup.sh --- bind9-9.16.27/bin/tests/system/rpz/setup.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/setup.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -54,6 +54,7 @@ copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf copy_setports dnsrpzd.conf.in dnsrpzd.conf diff -Nru bind9-9.16.27/bin/tests/system/rpz/tests.sh bind9-9.16.33/bin/tests/system/rpz/tests.sh --- bind9-9.16.27/bin/tests/system/rpz/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rpz/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -28,6 +28,8 @@ ns6=$ns.6 # a forwarding server ns7=$ns.7 # another rewriting resolver ns8=$ns.8 # another rewriting resolver +ns9=$ns.9 # another rewriting resolver +ns10=$ns.10 # authoritative server HAVE_CORE= @@ -406,6 +408,13 @@ ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } +nochange_ns10 () { + make_dignm + digcmd $* >$DIGNM + digcmd $* @$ns10 >${DIGNM}_OK + ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK +} + # check against a 'here document' here () { make_dignm @@ -618,6 +627,7 @@ # these tests assume "min-ns-dots 0" start_group "NSDNAME rewrites" test3 + nextpart ns3/named.run > /dev/null nochange a3-1.tld2 # 1 nochange a3-1.tld2 +dnssec # 2 this once caused problems nxdomain a3-1.sub1.tld2 # 3 NXDOMAIN *.sub1.tld2 by NSDNAME 
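Review bot: The new helper `nochange_ns10` has no describing comment, while the neighbouring `here` helper carries one. From its body it runs the same query once without an explicit server and once with `@$ns10`, then hands both outputs to `ckresult`; a line such as `# ensure the response matches the one given directly by ns10` above the function would say so. `$*` is expanded unquoted in both `digcmd` calls, so an argument containing whitespace would be split, which is harmless only as long as callers pass plain names and dig options.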
@@ -630,25 +640,39 @@ addr 127.0.0.1 a3-1.sub3.tld2 # 10 prefer policy for largest NSDNAME addr 127.0.0.2 a3-1.subsub.sub3.tld2 # 11 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash + + nxdomain a3-1.stub # 13 + nxdomain a3-1.static-stub # 14 + nochange_ns10 a3-1.stub-nomatch # 15 + nochange_ns10 a3-1.static-stub-nomatch # 16 if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 13 qname-as-ns + addr 12.12.12.12 as-ns.tld5. # 17 qname-as-ns fi + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && + setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group if [ "$mode" = dnsrps ]; then - ckstats $ns3 test3 ns3 8 + ckstats $ns3 test3 ns3 10 else - ckstats $ns3 test3 ns3 7 + ckstats $ns3 test3 ns3 9 fi # these tests assume "min-ns-dots 0" start_group "NSIP rewrites" test4 + nextpart ns3/named.run > /dev/null nxdomain a3-1.tld2 # 1 NXDOMAIN for all of tld2 nochange a3-2.tld2. # 2 exempt rewrite by name nochange a0-1.tld2. # 3 exempt rewrite by address block nochange a3-1.tld4 # 4 different NS IP address + nxdomain a4-1.stub # 5 + nxdomain a4-1.static-stub # 6 + nochange_ns10 a4-1.stub-nomatch # 7 + nochange_ns10 a4-1.static-stub-nomatch # 8 if [ "$mode" = dnsrps ]; then - addr 12.12.12.12 as-ns.tld5. # 5 ip-as-ns + addr 12.12.12.12 as-ns.tld5. # 9 ip-as-ns fi + nextpart ns3/named.run | grep -q "unrecognized NS rpz_rrset_find() failed: glue" && + setret "seen: unrecognized NS rpz_rrset_find() failed: glue" end_group start_group "walled garden NSIP rewrites" test4a @@ -660,9 +684,9 @@ EOF end_group if [ "$mode" = dnsrps ]; then - ckstats $ns3 test4 ns3 5 + ckstats $ns3 test4 ns3 7 else - ckstats $ns3 test4 ns3 4 + ckstats $ns3 test4 ns3 6 fi # policies in ./test5 overridden by response-policy{} in ns3/named.conf 
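Review bot: The log check added to the NSDNAME and NSIP groups matches a literal message with plain `grep -q`, so the text is read as a regular expression; `grep -F -q "unrecognized NS rpz_rrset_find() failed: glue"` would state the fixed-string intent. The two checks are identical, so a small helper would avoid repeating the message text in four places. Each depends on the `nextpart ns3/named.run > /dev/null` at the start of its group to skip earlier log content, and the first of those is added in the preceding hunk.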
@@ -785,6 +809,7 @@ fi # Ensure ns3 manages to transfer the fast-expire zone before shutdown. + nextpartreset ns3/named.run wait_for_log 20 "zone fast-expire/IN: transferred serial 1" ns3/named.run # reconfigure the ns5 primary server without the fast-expire zone, so diff -Nru bind9-9.16.27/bin/tests/system/rrl/tests.sh bind9-9.16.33/bin/tests/system/rrl/tests.sh --- bind9-9.16.27/bin/tests/system/rrl/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rrl/tests.sh 2022-09-08 13:01:23.000000000 +0000 @@ -175,9 +175,7 @@ sleep 1 burst 10 a1.tld2 # Request 30 different qnames to try a wildcard. -burst 30 'x$CNT.a2.tld2' -# These should be counted and limited but are not. See RT33138. -burst 10 'y.x$CNT.a2.tld2' +burst 30 'y.x$CNT.a2.tld2' # IP TC drop NXDOMAIN SERVFAIL NOERROR # referrals to "." @@ -185,12 +183,9 @@ # check 13 results including 1 second delay that allows an additional response ck_result a1.tld2 192.0.2.1 3 4 6 0 0 8 -# Check the wild card answers. -# The parent name of the 30 requests is counted. -ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 - -# These should be limited but are not. See RT33138. -ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 10 +# Check the wildcard answers. +# The zone origin name of the 30 requests is counted. +ck_result 'y.x*.a2.tld2' 192.0.2.2 2 10 18 0 0 12 ######### sec_start diff -Nru bind9-9.16.27/bin/tests/system/rrsetorder/tests.sh bind9-9.16.33/bin/tests/system/rrsetorder/tests.sh --- bind9-9.16.27/bin/tests/system/rrsetorder/tests.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/rrsetorder/tests.sh 2022-09-08 13:01:23.000000000 +0000 
@@ -41,20 +41,20 @@ $DIFF dig.out.fixed dig.out.fixed.good >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) else echo_i "Checking order fixed behaves as cyclic when disabled (primary)" ret=0 matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.1 fixed.example > dig.out.fixed || ret=1 - if [ $i -le 4 ]; then - cp dig.out.fixed dig.out.$j - else - $DIFF dig.out.fixed dig.out.$j >/dev/null && matches=`expr $matches + 1` - fi + if [ $i -le 4 ]; then + cp dig.out.fixed dig.out.$j + else + $DIFF dig.out.fixed dig.out.$j >/dev/null && matches=$((matches + 1)) + fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 $DIFF dig.out.0 dig.out.2 >/dev/null && ret=1 @@ -64,7 +64,7 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi # @@ -75,12 +75,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.1 cyclic.example > dig.out.cyclic || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j + cp dig.out.cyclic dig.out.$j else - $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 @@ -91,7 +91,7 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # 
@@ -101,12 +101,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.1 cyclic2.example > dig.out.cyclic2 || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j + cp dig.out.cyclic2 dig.out.$j else - $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 @@ -117,12 +117,12 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order random (primary)" ret=0 for i in $GOOD_RANDOM do - eval match$i=0 + eval match$i=0 done for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 do 
@@ -138,27 +138,27 @@ match=0 for i in $GOOD_RANDOM do - eval "match=\`expr \$match + \$match$i\`" + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" -if [ $match -lt `expr ${GOOD_RANDOM_NO} / 3` ]; then ret=1; fi +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order none (primary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. $DIGCMD @10.53.0.1 none.example > dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - $DIGCMD @10.53.0.1 none.example > dig.out.test$i || ret=1 - $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 + $DIGCMD @10.53.0.1 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # @@ -172,7 +172,7 @@ $DIFF dig.out.fixed dig.out.fixed.good || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi # @@ -183,12 +183,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j + cp dig.out.cyclic dig.out.$j else - $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 
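Review bot: The message `Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples` does not agree with the sampling loop shown at the end of the preceding hunk, whose list runs `a` to `z` and then `0 1 2 3 4 5 6 7 9`, which is 35 entries because `8` is missing. Either add `8` to the list or change the text to `35 samples`; whether the omission is deliberate is not visible here. The secondary variants of this test further down repeat the same list and message.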
@@ -199,7 +199,7 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # @@ -209,12 +209,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j + cp dig.out.cyclic2 dig.out.$j else - $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 @@ -225,13 +225,13 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order random (secondary)" ret=0 for i in $GOOD_RANDOM do - eval match$i=0 + eval match$i=0 done for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 do 
@@ -247,27 +247,27 @@ match=0 for i in $GOOD_RANDOM do -eval "match=\`expr \$match + \$match$i\`" + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" -if [ $match -lt `expr ${GOOD_RANDOM_NO} / 3` ]; then ret=1; fi +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order none (secondary)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. $DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 - $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 + $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Shutting down secondary" @@ -277,8 +277,8 @@ if [ ! -f ns2/root.bk ] then - echo_i "failed"; - status=`expr $status + 1` + echo_i "failed"; + status=$((status + 1)) fi echo_i "Re-starting secondary" @@ -297,7 +297,7 @@ $DIFF dig.out.fixed dig.out.fixed.good || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi # 
@@ -308,12 +308,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.2 cyclic.example > dig.out.cyclic || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j + cp dig.out.cyclic dig.out.$j else - $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 @@ -324,7 +324,7 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # @@ -334,12 +334,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.2 cyclic2.example > dig.out.cyclic2 || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j + cp dig.out.cyclic2 dig.out.$j else - $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 
@@ -350,49 +350,49 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order random (secondary loaded from disk)" ret=0 for i in $GOOD_RANDOM do - eval match$i=0 + eval match$i=0 done for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 do - $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi + $DIGCMD @10.53.0.2 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 for i in $GOOD_RANDOM do -eval "match=\`expr \$match + \$match$i\`" + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" -if [ $match -lt `expr ${GOOD_RANDOM_NO} / 3` ]; then ret=1; fi +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order none (secondary loaded from disk)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. $DIGCMD @10.53.0.2 none.example > dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. 
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 - $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 + $DIGCMD @10.53.0.2 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # @@ -406,7 +406,7 @@ $DIFF dig.out.fixed dig.out.fixed.good || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + status=$((status + ret)) fi # @@ -419,12 +419,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.3 cyclic.example > dig.out.cyclic || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic dig.out.$j + cp dig.out.cyclic dig.out.$j else - $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 @@ -435,7 +435,7 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) # # @@ -447,12 +447,12 @@ matches=0 for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 do - j=`expr $i % 4` + j=$((i % 4)) $DIGCMD @10.53.0.3 cyclic2.example > dig.out.cyclic2 || ret=1 if [ $i -le 4 ]; then - cp dig.out.cyclic2 dig.out.$j + cp dig.out.cyclic2 dig.out.$j else - $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=`expr $matches + 1` + $DIFF dig.out.cyclic2 dig.out.$j >/dev/null && matches=$((matches + 1)) fi done $DIFF dig.out.0 dig.out.1 >/dev/null && ret=1 
@@ -463,90 +463,91 @@ $DIFF dig.out.2 dig.out.3 >/dev/null && ret=1 if [ $matches -ne 16 ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking order random (cache)" ret=0 for i in $GOOD_RANDOM do - eval match$i=0 + eval match$i=0 done for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 do - $DIGCMD @10.53.0.3 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi + $DIGCMD @10.53.0.3 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 for i in $GOOD_RANDOM do -eval "match=\`expr \$match + \$match$i\`" + eval "match=\$((match + match$i))" done echo_i "Random selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" -if [ $match -lt `expr ${GOOD_RANDOM_NO} / 3` ]; then ret=1; fi +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) echo_i "Checking order none (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. $DIGCMD @10.53.0.3 none.example > dig.out.none || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.none || ret=1 + grep -F -q 1.2.3.$i dig.out.none || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. 
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - $DIGCMD @10.53.0.3 none.example > dig.out.test$i || ret=1 - $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 + $DIGCMD @10.53.0.3 none.example > dig.out.test$i || ret=1 + $DIFF dig.out.none dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking default order (cache)" ret=0 for i in $GOOD_RANDOM do - eval match$i=0 + eval match$i=0 done for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9 do - $DIGCMD @10.53.0.5 random.example > dig.out.random || ret=1 - match=0 - for j in $GOOD_RANDOM - do - eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" - if [ $match -eq 1 ]; then break; fi - done - if [ $match -eq 0 ]; then ret=1; fi + $DIGCMD @10.53.0.5 random.example > dig.out.random || ret=1 + match=0 + for j in $GOOD_RANDOM + do + eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1" + if [ $match -eq 1 ]; then break; fi + done + if [ $match -eq 0 ]; then ret=1; fi done match=0 for i in $GOOD_RANDOM do -eval "match=\`expr \$match + \$match$i\`" + eval "match=\$((match + match$i))" done echo_i "Default selection return $match of ${GOOD_RANDOM_NO} possible orders in 36 samples" -if [ $match -lt `expr ${GOOD_RANDOM_NO} / 3` ]; then ret=1; fi +if [ $match -lt $((GOOD_RANDOM_NO / 3)) ]; then ret=1; fi if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "Checking default order no match in rrset-order (cache)" ret=0 # Fetch the "reference" response and ensure it contains the expected records. $DIGCMD @10.53.0.4 nomatch.example > dig.out.nomatch || ret=1 for i in 1 2 3 4; do - grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 + grep -F -q 1.2.3.$i dig.out.nomatch || ret=1 done # Ensure 20 further queries result in the same response as the "reference" one. 
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do - $DIGCMD @10.53.0.4 nomatch.example > dig.out.test$i || ret=1 - $DIFF dig.out.nomatch dig.out.test$i >/dev/null || ret=1 + $DIGCMD @10.53.0.4 nomatch.example > dig.out.test$i || ret=1 + $DIFF dig.out.nomatch dig.out.test$i >/dev/null || ret=1 done if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff -Nru bind9-9.16.27/bin/tests/system/run.sh bind9-9.16.33/bin/tests/system/run.sh --- bind9-9.16.27/bin/tests/system/run.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/run.sh 2022-09-08 13:01:23.000000000 +0000 @@ -236,17 +236,19 @@ rm -f "$systest/$test.status" if start_servers; then run=$((run+1)) - rm -f "$systest/$test.status" test_status=0 - (cd "$systest" && "$PYTEST" -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d + (cd "$systest" && "$PYTEST" -rsxX -v "$test" "$@" || echo "$?" > "$test.status") | SYSTESTDIR="$systest" cat_d if [ -f "$systest/$test.status" ]; then - echo_i "FAILED" - test_status=$(cat "$systest/$test.status") + if [ "$(cat "$systest/$test.status")" != "5" ]; then + test_status=$(cat "$systest/$test.status") + fi fi status=$((status+test_status)) stop_servers || status=1 else status=1 + fi + if [ $status -ne 0 ]; then break fi done diff -Nru bind9-9.16.27/bin/tests/system/shutdown/conftest.py bind9-9.16.33/bin/tests/system/shutdown/conftest.py --- bind9-9.16.27/bin/tests/system/shutdown/conftest.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/shutdown/conftest.py 1970-01-01 00:00:00.000000000 +0000 
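Review bot: The literal `5` in the new status check in run.sh is unexplained, and the status file is read twice. 5 is pytest's exit status for "no tests were collected", which this branch now treats as a pass; a comment such as `# pytest exits 5 when no tests were collected; not a failure` would make that deliberate. Reading the file once, `rc=$(cat "$systest/$test.status")` followed by `[ "$rc" != "5" ] && test_status=$rc`, avoids the second `cat`. Because a run that collects nothing now succeeds, the `-rsxX` summary is the only place an unexpectedly skipped module shows up, so CI that relies on these tests should review it. The enclosing loop starts outside the hunk.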
@@ -1,58 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import os -import pytest - - -def pytest_configure(config): - config.addinivalue_line( - "markers", "dnspython: mark tests that need dnspython to function" - ) - - -def pytest_collection_modifyitems(config, items): - # pylint: disable=unused-argument,unused-import,too-many-branches - # pylint: disable=import-outside-toplevel - - # Test for dnspython module - skip_dnspython = pytest.mark.skip( - reason="need dnspython module to run") - try: - import dns.query # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "dnspython" in item.keywords: - item.add_marker(skip_dnspython) - - -@pytest.fixture -def named_port(request): - # pylint: disable=unused-argument - port = os.getenv("PORT") - if port is None: - port = 5301 - else: - port = int(port) - - return port - - -@pytest.fixture -def control_port(request): - # pylint: disable=unused-argument - port = os.getenv("CONTROLPORT") - if port is None: - port = 5301 - else: - port = int(port) - - return port diff -Nru bind9-9.16.27/bin/tests/system/shutdown/tests-shutdown.py bind9-9.16.33/bin/tests/system/shutdown/tests-shutdown.py --- bind9-9.16.27/bin/tests/system/shutdown/tests-shutdown.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/shutdown/tests-shutdown.py 2022-09-08 13:01:23.000000000 +0000 
@@ -19,46 +19,49 @@ from string import ascii_lowercase as letters import time -import dns.resolver import pytest +pytest.importorskip("dns") +import dns.exception +import dns.resolver + def do_work(named_proc, resolver, rndc_cmd, kill_method, n_workers, n_queries): """Creates a number of A queries to run in parallel - in order simulate a slightly more realistic test scenario. + in order simulate a slightly more realistic test scenario. - The main idea of this function is to create and send a bunch - of A queries to a target named instance and during this process - a request for shutting down named will be issued. + The main idea of this function is to create and send a bunch + of A queries to a target named instance and during this process + a request for shutting down named will be issued. - In the process of shutting down named, a couple control connections - are created (by launching rndc) to ensure that the crash was fixed. + In the process of shutting down named, a couple control connections + are created (by launching rndc) to ensure that the crash was fixed. - if kill_method=="rndc" named will be asked to shutdown by - means of rndc stop. - if kill_method=="sigterm" named will be killed by SIGTERM on - POSIX systems or by TerminateProcess() on Windows systems. + if kill_method=="rndc" named will be asked to shutdown by + means of rndc stop. + if kill_method=="sigterm" named will be killed by SIGTERM on + POSIX systems or by TerminateProcess() on Windows systems. - :param named_proc: named process instance - :type named_proc: subprocess.Popen + :param named_proc: named process instance + :type named_proc: subprocess.Popen - :param resolver: target resolver - :type resolver: dns.resolver.Resolver + :param resolver: target resolver + :type resolver: dns.resolver.Resolver - :param rndc_cmd: rndc command with default arguments - :type rndc_cmd: list of strings, e.g. 
["rndc", "-p", "23750"] + :param rndc_cmd: rndc command with default arguments + :type rndc_cmd: list of strings, e.g. ["rndc", "-p", "23750"] - :kill_method: "rndc" or "sigterm" - :type kill_method: str + :kill_method: "rndc" or "sigterm" + :type kill_method: str - :param n_workers: Number of worker threads to create - :type n_workers: int + :param n_workers: Number of worker threads to create + :type n_workers: int - :param n_queries: Total number of queries to send - :type n_queries: int + :param n_queries: Total number of queries to send + :type n_queries: int """ -# pylint: disable-msg=too-many-arguments -# pylint: disable-msg=too-many-locals + # pylint: disable-msg=too-many-arguments + # pylint: disable-msg=too-many-locals # helper function, args must be a list or tuple with arguments to rndc. def launch_rndc(args): @@ -88,21 +91,22 @@ else: tag = "bad" length = random.randint(4, 10) - relname = "".join(letters[ - random.randrange(len(letters))] for i in range(length)) + relname = "".join( + letters[random.randrange(len(letters))] for i in range(length) + ) qname = relname + ".test" - futures[executor.submit(resolver.query, qname, 'A')] = tag + futures[executor.submit(resolver.query, qname, "A")] = tag elif shutdown: # We attempt to stop named in the middle shutdown = False if kill_method == "rndc": - futures[executor.submit(launch_rndc, ['stop'])] = 'stop' + futures[executor.submit(launch_rndc, ["stop"])] = "stop" else: - futures[executor.submit(named_proc.terminate)] = 'kill' + futures[executor.submit(named_proc.terminate)] = "kill" else: # We attempt to send couple rndc commands while named is # being shutdown - futures[executor.submit(launch_rndc, ['status'])] = 'status' + futures[executor.submit(launch_rndc, ["status"])] = "status" ret_code = -1 for future in as_completed(futures): 
@@ -117,16 +121,17 @@ if futures[future] == "stop": ret_code = result - except (dns.resolver.NXDOMAIN, - dns.resolver.NoNameservers, - dns.exception.Timeout): + except ( + dns.resolver.NXDOMAIN, + dns.resolver.NoNameservers, + dns.exception.Timeout, + ): pass if kill_method == "rndc": assert ret_code == 0 -@pytest.mark.dnspython def test_named_shutdown(named_port, control_port): # pylint: disable-msg=too-many-locals cfg_dir = os.path.join(os.getcwd(), "resolver") @@ -149,12 +154,11 @@ assert os.path.isfile(rndc_cfg) # rndc command with default arguments. - rndc_cmd = [rndc, "-c", rndc_cfg, "-p", str(control_port), - "-s", "10.53.0.3"] + rndc_cmd = [rndc, "-c", rndc_cfg, "-p", str(control_port), "-s", "10.53.0.3"] # We create a resolver instance that will be used to send queries. resolver = dns.resolver.Resolver() - resolver.nameservers = ['10.53.0.3'] + resolver.nameservers = ["10.53.0.3"] resolver.port = named_port # We test named shutting down using two methods: @@ -169,13 +173,14 @@ # wait for named to finish loading for _ in range(10): try: - resolver.query('version.bind', 'TXT', 'CH') + resolver.query("version.bind", "TXT", "CH") break except (dns.resolver.NoNameservers, dns.exception.Timeout): time.sleep(1) - do_work(named_proc, resolver, rndc_cmd, - kill_method, n_workers=12, n_queries=16) + do_work( + named_proc, resolver, rndc_cmd, kill_method, n_workers=12, n_queries=16 + ) # Wait named to exit for a maximum of MAX_TIMEOUT seconds. MAX_TIMEOUT = 10 diff -Nru bind9-9.16.27/bin/tests/system/statschannel/conftest.py bind9-9.16.33/bin/tests/system/statschannel/conftest.py --- bind9-9.16.27/bin/tests/system/statschannel/conftest.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/conftest.py 2022-09-08 13:01:23.000000000 +0000 
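Review bot: The "wait for named to finish loading" loop in `test_named_shutdown` gives up silently. If none of the ten `resolver.query("version.bind", "TXT", "CH")` attempts succeeds, the `for` simply ends and `do_work` runs against a server that never answered, so a startup failure is reported later as a shutdown failure or not at all. A `for`/`else` makes it explicit: `else:` followed by `pytest.fail("named did not answer version.bind")`. The function starts and ends outside this hunk.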
@@ -13,95 +13,13 @@ import pytest -def pytest_configure(config): - config.addinivalue_line( - "markers", "requests: mark tests that need requests to function" - ) - config.addinivalue_line( - "markers", "json: mark tests that need json to function" - ) - config.addinivalue_line( - "markers", "xml: mark tests that need xml.etree to function" - ) - config.addinivalue_line( - "markers", "dnspython: mark tests that need dnspython to function" - ) - - -def pytest_collection_modifyitems(config, items): - # pylint: disable=unused-argument,unused-import,too-many-branches - # pylint: disable=import-outside-toplevel - # Test for requests module - skip_requests = pytest.mark.skip( - reason="need requests module to run") - try: - import requests # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "requests" in item.keywords: - item.add_marker(skip_requests) - # Test for json module - skip_json = pytest.mark.skip( - reason="need json module to run") - try: - import json # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "json" in item.keywords: - item.add_marker(skip_json) - # Test for xml module - skip_xml = pytest.mark.skip( - reason="need xml module to run") - try: - import xml.etree.ElementTree # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "xml" in item.keywords: - item.add_marker(skip_xml) - # Test if JSON statistics channel was enabled - no_jsonstats = pytest.mark.skip( - reason="need JSON statistics to be enabled") - if os.getenv("HAVEJSONSTATS") is None: - for item in items: - if "json" in item.keywords: - item.add_marker(no_jsonstats) - # Test if XML statistics channel was enabled - no_xmlstats = pytest.mark.skip( - reason="need XML statistics to be enabled") - if os.getenv("HAVEXMLSTATS") is None: - for item in items: - if "xml" in item.keywords: - item.add_marker(no_xmlstats) - # Test for dnspython module - skip_dnspython = pytest.mark.skip( - reason="need dnspython module to run") - try: - import dns.query # 
noqa: F401 - except ModuleNotFoundError: - for item in items: - if "dnspython" in item.keywords: - item.add_marker(skip_dnspython) - - @pytest.fixture def statsport(request): # pylint: disable=unused-argument env_port = os.getenv("EXTRAPORT1") - if port is None: + if env_port is None: env_port = 5301 else: env_port = int(env_port) - return env_port - - -@pytest.fixture -def port(request): - # pylint: disable=unused-argument - env_port = os.getenv("PORT") - if port is None: - env_port = 5300 - else: - env_port = int(env_port) - return env_port diff -Nru bind9-9.16.27/bin/tests/system/statschannel/generic.py bind9-9.16.33/bin/tests/system/statschannel/generic.py --- bind9-9.16.27/bin/tests/system/statschannel/generic.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/generic.py 2022-09-08 13:01:23.000000000 +0000 
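Review bot: With the `port`/`env_port` mix-up corrected, the `statsport` fixture in statschannel/conftest.py can be reduced to a single expression, `return int(os.getenv("EXTRAPORT1", "5301"))`, which removes the branch where the bug lived. The `request` parameter is unused and could be dropped along with its pylint suppression. The `named_port` fixture that callers now use in place of the removed `port` fixture is defined outside this hunk, presumably in a shared conftest.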
@@ -9,87 +9,102 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -import helper +from datetime import datetime, timedelta +import os -def test_zone_timers_primary(fetch_zones, load_timers, **kwargs): +# ISO datetime format without msec +fmt = "%Y-%m-%dT%H:%M:%SZ" - statsip = kwargs['statsip'] - statsport = kwargs['statsport'] - zonedir = kwargs['zonedir'] +# The constants were taken from BIND 9 source code (lib/dns/zone.c) +max_refresh = timedelta(seconds=2419200) # 4 weeks +max_expires = timedelta(seconds=14515200) # 24 weeks +now = datetime.utcnow().replace(microsecond=0) +dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0) - zones = fetch_zones(statsip, statsport) - for zone in zones: - (name, loaded, expires, refresh) = load_timers(zone, True) - mtime = helper.zone_mtime(zonedir, name) - helper.check_zone_timers(loaded, expires, refresh, mtime) +# Generic helper functions +def check_expires(expires, min_time, max_time): + assert expires >= min_time + assert expires <= max_time -def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): +def check_refresh(refresh, min_time, max_time): + assert refresh >= min_time + assert refresh <= max_time - statsip = kwargs['statsip'] - statsport = kwargs['statsport'] - zonedir = kwargs['zonedir'] - zones = fetch_zones(statsip, statsport) +def check_loaded(loaded, expected): + # Sanity check the zone timers values + assert loaded == expected + assert loaded < now - for zone in zones: - (name, loaded, expires, refresh) = load_timers(zone, False) - mtime = helper.zone_mtime(zonedir, name) - helper.check_zone_timers(loaded, expires, refresh, mtime) +def check_zone_timers(loaded, expires, refresh, loaded_exp): + # Sanity checks the zone timers values + if expires is not None: + check_expires(expires, now, now + max_expires) + if refresh is not None: + check_refresh(refresh, now, now + max_refresh) + check_loaded(loaded, loaded_exp) -def 
test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): - statsip = kwargs['statsip'] - statsport = kwargs['statsport'] +# +# The output is gibberish, but at least make sure it does not crash. +# +def check_manykeys(name, zone=None): + # pylint: disable=unused-argument + assert name == "manykeys" - zones = fetch_zones(statsip, statsport) - for zone in zones: - name = load_zone(zone) - if name == 'manykeys': - helper.check_manykeys(name) +def zone_mtime(zonedir, name): + + try: + si = os.stat(os.path.join(zonedir, "{}.db".format(name))) + except FileNotFoundError: + return dayzero + + mtime = datetime.utcfromtimestamp(si.st_mtime).replace(microsecond=0) + + return mtime -def test_traffic(fetch_traffic, **kwargs): +def test_zone_timers_primary(fetch_zones, load_timers, **kwargs): - statsip = kwargs['statsip'] - statsport = kwargs['statsport'] - port = kwargs['port'] + statsip = kwargs["statsip"] + statsport = kwargs["statsport"] + zonedir = kwargs["zonedir"] - data = fetch_traffic(statsip, statsport) - exp = helper.create_expected(data) + zones = fetch_zones(statsip, statsport) - msg = helper.create_msg("short.example.", "TXT") - helper.update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = helper.udp_query(statsip, port, msg) - helper.update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) + for zone in zones: + (name, loaded, expires, refresh) = load_timers(zone, True) + mtime = zone_mtime(zonedir, name) + check_zone_timers(loaded, expires, refresh, mtime) - helper.check_traffic(data, exp) - msg = helper.create_msg("long.example.", "TXT") - helper.update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) - ans = helper.udp_query(statsip, port, msg) - helper.update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) +def test_zone_timers_secondary(fetch_zones, load_timers, **kwargs): - helper.check_traffic(data, exp) + statsip = 
kwargs["statsip"] + statsport = kwargs["statsport"] + zonedir = kwargs["zonedir"] - msg = helper.create_msg("short.example.", "TXT") - helper.update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = helper.tcp_query(statsip, port, msg) - helper.update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) + zones = fetch_zones(statsip, statsport) - helper.check_traffic(data, exp) + for zone in zones: + (name, loaded, expires, refresh) = load_timers(zone, False) + mtime = zone_mtime(zonedir, name) + check_zone_timers(loaded, expires, refresh, mtime) - msg = helper.create_msg("long.example.", "TXT") - helper.update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) - ans = helper.tcp_query(statsip, port, msg) - helper.update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) - data = fetch_traffic(statsip, statsport) - helper.check_traffic(data, exp) +def test_zone_with_many_keys(fetch_zones, load_zone, **kwargs): + + statsip = kwargs["statsip"] + statsport = kwargs["statsport"] + + zones = fetch_zones(statsip, statsport) + + for zone in zones: + name = load_zone(zone) + if name == "manykeys": + check_manykeys(name) diff -Nru bind9-9.16.27/bin/tests/system/statschannel/generic_dnspython.py bind9-9.16.33/bin/tests/system/statschannel/generic_dnspython.py --- bind9-9.16.27/bin/tests/system/statschannel/generic_dnspython.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/generic_dnspython.py 2022-09-08 13:01:23.000000000 +0000 
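Review bot: `now` in generic.py is computed once at import time (`now = datetime.utcnow().replace(microsecond=0)`), so `check_zone_timers` bounds `expires` and `refresh` against the moment the module was loaded rather than the moment the statistics were fetched. `check_loaded` also asserts `loaded < now`, which would fail for any zone file written after import. Taking the timestamp inside `check_zone_timers` and passing it down to the three check helpers would tie the bounds to the actual measurement. The module-level helpers moved here also carry no docstrings; a one-line docstring on `zone_mtime` stating that a missing zone file yields the epoch (`dayzero`) would help the next reader.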
@@ -0,0 +1,131 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from collections import defaultdict + +import dns.message +import dns.query +import dns.rcode + + +TIMEOUT = 10 + + +def create_msg(qname, qtype): + msg = dns.message.make_query( + qname, qtype, want_dnssec=True, use_edns=0, payload=4096 + ) + + return msg + + +def udp_query(ip, port, msg): + + ans = dns.query.udp(msg, ip, TIMEOUT, port=port) + assert ans.rcode() == dns.rcode.NOERROR + + return ans + + +def tcp_query(ip, port, msg): + + ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) + assert ans.rcode() == dns.rcode.NOERROR + + return ans + + +def create_expected(data): + expected = { + "dns-tcp-requests-sizes-received-ipv4": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), + "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), + "dns-udp-requests-sizes-received-ipv4": defaultdict(int), + "dns-udp-requests-sizes-received-ipv6": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), + "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), + } + + for k, v in data.items(): + for kk, vv in v.items(): + expected[k][kk] += vv + + return expected + + +def update_expected(expected, key, msg): + msg_len = len(msg.to_wire()) + bucket_num = (msg_len // 16) * 16 + bucket = "{}-{}".format(bucket_num, bucket_num + 15) + + expected[key][bucket] += 1 + + +def check_traffic(data, expected): + def ordered(obj): + if isinstance(obj, dict): + return sorted((k, ordered(v)) for k, v in obj.items()) + if isinstance(obj, list): + return 
sorted(ordered(x) for x in obj) + return obj + + ordered_data = ordered(data) + ordered_expected = ordered(expected) + + assert len(ordered_data) == 8 + assert len(ordered_expected) == 8 + assert len(data) == len(ordered_data) + assert len(expected) == len(ordered_expected) + + assert ordered_data == ordered_expected + + +def test_traffic(fetch_traffic, **kwargs): + + statsip = kwargs["statsip"] + statsport = kwargs["statsport"] + port = kwargs["port"] + + data = fetch_traffic(statsip, statsport) + exp = create_expected(data) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = udp_query(statsip, port, msg) + update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-udp-requests-sizes-received-ipv4", msg) + ans = udp_query(statsip, port, msg) + update_expected(exp, "dns-udp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("short.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = tcp_query(statsip, port, msg) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) + + msg = create_msg("long.example.", "TXT") + update_expected(exp, "dns-tcp-requests-sizes-received-ipv4", msg) + ans = tcp_query(statsip, port, msg) + update_expected(exp, "dns-tcp-responses-sizes-sent-ipv4", ans) + data = fetch_traffic(statsip, statsport) + + check_traffic(data, exp) diff -Nru bind9-9.16.27/bin/tests/system/statschannel/helper.py bind9-9.16.33/bin/tests/system/statschannel/helper.py --- bind9-9.16.27/bin/tests/system/statschannel/helper.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/helper.py 1970-01-01 00:00:00.000000000 +0000 
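Review bot: The bucket arithmetic in `update_expected` of generic_dnspython.py is undocumented, and the test's correctness depends on it matching the server's size histogram. A comment above `bucket_num = (msg_len // 16) * 16` such as `# counters are keyed by 16-byte size ranges, e.g. "32-47"` would state the assumption. `check_traffic` hard-codes `8` for the number of counter groups; a comment tying that to the eight keys built in `create_expected` would keep the two in step.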
@@ -1,146 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import os -import os.path - -from collections import defaultdict -from datetime import datetime, timedelta - -import dns.message -import dns.query -import dns.rcode - -# ISO datetime format without msec -fmt = '%Y-%m-%dT%H:%M:%SZ' - -# The constants were taken from BIND 9 source code (lib/dns/zone.c) -max_refresh = timedelta(seconds=2419200) # 4 weeks -max_expires = timedelta(seconds=14515200) # 24 weeks -now = datetime.utcnow().replace(microsecond=0) -dayzero = datetime.utcfromtimestamp(0).replace(microsecond=0) - - -TIMEOUT = 10 - - -# Generic helper functions -def check_expires(expires, min_time, max_time): - assert expires >= min_time - assert expires <= max_time - - -def check_refresh(refresh, min_time, max_time): - assert refresh >= min_time - assert refresh <= max_time - - -def check_loaded(loaded, expected): - # Sanity check the zone timers values - assert loaded == expected - assert loaded < now - - -def check_zone_timers(loaded, expires, refresh, loaded_exp): - # Sanity checks the zone timers values - if expires is not None: - check_expires(expires, now, now + max_expires) - if refresh is not None: - check_refresh(refresh, now, now + max_refresh) - check_loaded(loaded, loaded_exp) - - -# -# The output is gibberish, but at least make sure it does not crash. 
-# -def check_manykeys(name, zone=None): - # pylint: disable=unused-argument - assert name == "manykeys" - - -def zone_mtime(zonedir, name): - - try: - si = os.stat(os.path.join(zonedir, "{}.db".format(name))) - except FileNotFoundError: - return dayzero - - mtime = datetime.utcfromtimestamp(si.st_mtime).replace(microsecond=0) - - return mtime - - -def create_msg(qname, qtype): - msg = dns.message.make_query(qname, qtype, want_dnssec=True, - use_edns=0, payload=4096) - - return msg - - -def udp_query(ip, port, msg): - - ans = dns.query.udp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def tcp_query(ip, port, msg): - - ans = dns.query.tcp(msg, ip, TIMEOUT, port=port) - assert ans.rcode() == dns.rcode.NOERROR - - return ans - - -def create_expected(data): - expected = {"dns-tcp-requests-sizes-received-ipv4": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-tcp-requests-sizes-received-ipv6": defaultdict(int), - "dns-tcp-responses-sizes-sent-ipv6": defaultdict(int), - "dns-udp-requests-sizes-received-ipv4": defaultdict(int), - "dns-udp-requests-sizes-received-ipv6": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv4": defaultdict(int), - "dns-udp-responses-sizes-sent-ipv6": defaultdict(int), - } - - for k, v in data.items(): - for kk, vv in v.items(): - expected[k][kk] += vv - - return expected - - -def update_expected(expected, key, msg): - msg_len = len(msg.to_wire()) - bucket_num = (msg_len // 16) * 16 - bucket = "{}-{}".format(bucket_num, bucket_num + 15) - - expected[key][bucket] += 1 - - -def check_traffic(data, expected): - def ordered(obj): - if isinstance(obj, dict): - return sorted((k, ordered(v)) for k, v in obj.items()) - if isinstance(obj, list): - return sorted(ordered(x) for x in obj) - return obj - - ordered_data = ordered(data) - ordered_expected = ordered(expected) - - assert len(ordered_data) == 8 - assert len(ordered_expected) == 8 - assert len(data) == 
len(ordered_data) - assert len(expected) == len(ordered_expected) - - assert ordered_data == ordered_expected diff -Nru bind9-9.16.27/bin/tests/system/statschannel/tests-json.py bind9-9.16.33/bin/tests/system/statschannel/tests-json.py --- bind9-9.16.27/bin/tests/system/statschannel/tests-json.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/tests-json.py 2022-09-08 13:01:23.000000000 +0000 @@ -16,17 +16,21 @@ import os import pytest -import requests import generic -from helper import fmt + +pytestmark = pytest.mark.skipif( + not os.environ.get("HAVEJSONSTATS"), reason="json-c support disabled in the build" +) +requests = pytest.importorskip("requests") # JSON helper functions def fetch_zones_json(statsip, statsport): - r = requests.get("http://{}:{}/json/v1/zones".format(statsip, statsport), - timeout=600) + r = requests.get( + "http://{}:{}/json/v1/zones".format(statsip, statsport), timeout=600 + ) assert r.status_code == 200 data = r.json() @@ -35,8 +39,9 @@ def fetch_traffic_json(statsip, statsport): - r = requests.get("http://{}:{}/json/v1/traffic".format(statsip, statsport), - timeout=600) + r = requests.get( + "http://{}:{}/json/v1/traffic".format(statsip, statsport), timeout=600 + ) assert r.status_code == 200 data = r.json() 
@@ -46,68 +51,61 @@ def load_timers_json(zone, primary=True): - name = zone['name'] + name = zone["name"] # Check if the primary zone timer exists - assert 'loaded' in zone - loaded = datetime.strptime(zone['loaded'], fmt) + assert "loaded" in zone + loaded = datetime.strptime(zone["loaded"], generic.fmt) if primary: # Check if the secondary zone timers does not exist - assert 'expires' not in zone - assert 'refresh' not in zone + assert "expires" not in zone + assert "refresh" not in zone expires = None refresh = None else: - assert 'expires' in zone - assert 'refresh' in zone - expires = datetime.strptime(zone['expires'], fmt) - refresh = datetime.strptime(zone['refresh'], fmt) + assert "expires" in zone + assert "refresh" in zone + expires = datetime.strptime(zone["expires"], generic.fmt) + refresh = datetime.strptime(zone["refresh"], generic.fmt) return (name, loaded, expires, refresh) def load_zone_json(zone): - name = zone['name'] + name = zone["name"] return name -@pytest.mark.json -@pytest.mark.requests -@pytest.mark.skipif(os.getenv("HAVEJSONSTATS", "unset") != "1", - reason="JSON not configured") def test_zone_timers_primary_json(statsport): - generic.test_zone_timers_primary(fetch_zones_json, load_timers_json, - statsip="10.53.0.1", statsport=statsport, - zonedir="ns1") + generic.test_zone_timers_primary( + fetch_zones_json, + load_timers_json, + statsip="10.53.0.1", + statsport=statsport, + zonedir="ns1", + ) -@pytest.mark.json -@pytest.mark.requests -@pytest.mark.skipif(os.getenv("HAVEJSONSTATS", "unset") != "1", - reason="JSON not configured") def test_zone_timers_secondary_json(statsport): - generic.test_zone_timers_secondary(fetch_zones_json, load_timers_json, - statsip="10.53.0.3", statsport=statsport, - zonedir="ns3") + generic.test_zone_timers_secondary( + fetch_zones_json, + load_timers_json, + statsip="10.53.0.3", + statsport=statsport, + zonedir="ns3", + ) -@pytest.mark.json -@pytest.mark.requests 
-@pytest.mark.skipif(os.getenv("HAVEJSONSTATS", "unset") != "1", - reason="JSON not configured") def test_zone_with_many_keys_json(statsport): - generic.test_zone_with_many_keys(fetch_zones_json, load_zone_json, - statsip="10.53.0.2", statsport=statsport) + generic.test_zone_with_many_keys( + fetch_zones_json, load_zone_json, statsip="10.53.0.2", statsport=statsport + ) -@pytest.mark.json -@pytest.mark.requests -@pytest.mark.dnspython -@pytest.mark.skipif(os.getenv("HAVEJSONSTATS", "unset") != "1", - reason="JSON not configured") -def test_traffic_json(port, statsport): - generic.test_traffic(fetch_traffic_json, - statsip="10.53.0.2", statsport=statsport, - port=port) +def test_traffic_json(named_port, statsport): + generic_dnspython = pytest.importorskip("generic_dnspython") + generic_dnspython.test_traffic( + fetch_traffic_json, statsip="10.53.0.2", statsport=statsport, port=named_port + ) diff -Nru bind9-9.16.27/bin/tests/system/statschannel/tests-xml.py bind9-9.16.33/bin/tests/system/statschannel/tests-xml.py --- bind9-9.16.27/bin/tests/system/statschannel/tests-xml.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/statschannel/tests-xml.py 2022-09-08 13:01:23.000000000 +0000 
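Review bot: In test_traffic_json, `pytest.importorskip("generic_dnspython")` is applied to a project module rather than to the optional dependency, so an import failure inside that module for any reason is reported as a skip instead of an error. Presumably the intent is to skip only when dnspython is absent. In that case `pytest.importorskip("dns")` followed by a plain `import generic_dnspython` keeps a broken helper module visible. test_traffic_xml in tests-xml.py uses the same pattern.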
@@ -17,42 +17,46 @@ import os import pytest -import requests import generic -from helper import fmt + +pytestmark = pytest.mark.skipif( + not os.environ.get("HAVEXMLSTATS"), reason="libxml2 support disabled in the build" +) +requests = pytest.importorskip("requests") # XML helper functions def fetch_zones_xml(statsip, statsport): - r = requests.get("http://{}:{}/xml/v3/zones".format(statsip, statsport), - timeout=600) + r = requests.get( + "http://{}:{}/xml/v3/zones".format(statsip, statsport), timeout=600 + ) assert r.status_code == 200 root = ET.fromstring(r.text) default_view = None - for view in root.find('views').iter('view'): - if view.attrib['name'] == "_default": + for view in root.find("views").iter("view"): + if view.attrib["name"] == "_default": default_view = view break assert default_view is not None - return default_view.find('zones').findall('zone') + return default_view.find("zones").findall("zone") def fetch_traffic_xml(statsip, statsport): - def load_counters(data): out = {} for counter in data.findall("counter"): - out[counter.attrib['name']] = int(counter.text) + out[counter.attrib["name"]] = int(counter.text) return out - r = requests.get("http://{}:{}/xml/v3/traffic".format(statsip, statsport), - timeout=600) + r = requests.get( + "http://{}:{}/xml/v3/traffic".format(statsip, statsport), timeout=600 + ) assert r.status_code == 200 root = ET.fromstring(r.text) @@ -62,7 +66,7 @@ for proto in ["udp", "tcp"]: proto_root = root.find("traffic").find(ip).find(proto) for counters in proto_root.findall("counters"): - if counters.attrib['type'] == "request-size": + if counters.attrib["type"] == "request-size": key = "dns-{}-requests-sizes-received-{}".format(proto, ip) else: key = "dns-{}-responses-sizes-sent-{}".format(proto, ip) 
@@ -75,14 +79,14 @@ def load_timers_xml(zone, primary=True): - name = zone.attrib['name'] + name = zone.attrib["name"] - loaded_el = zone.find('loaded') + loaded_el = zone.find("loaded") assert loaded_el is not None - loaded = datetime.strptime(loaded_el.text, fmt) + loaded = datetime.strptime(loaded_el.text, generic.fmt) - expires_el = zone.find('expires') - refresh_el = zone.find('refresh') + expires_el = zone.find("expires") + refresh_el = zone.find("refresh") if primary: assert expires_el is None assert refresh_el is None 
@@ -91,53 +95,46 @@ else: assert expires_el is not None assert refresh_el is not None - expires = datetime.strptime(expires_el.text, fmt) - refresh = datetime.strptime(refresh_el.text, fmt) + expires = datetime.strptime(expires_el.text, generic.fmt) + refresh = datetime.strptime(refresh_el.text, generic.fmt) return (name, loaded, expires, refresh) def load_zone_xml(zone): - name = zone.attrib['name'] + name = zone.attrib["name"] return name -@pytest.mark.xml -@pytest.mark.requests -@pytest.mark.skipif(os.getenv("HAVEXMLSTATS", "unset") != "1", - reason="XML not configured") def test_zone_timers_primary_xml(statsport): - generic.test_zone_timers_primary(fetch_zones_xml, load_timers_xml, - statsip="10.53.0.1", statsport=statsport, - zonedir="ns1") + generic.test_zone_timers_primary( + fetch_zones_xml, + load_timers_xml, + statsip="10.53.0.1", + statsport=statsport, + zonedir="ns1", + ) -@pytest.mark.xml -@pytest.mark.requests -@pytest.mark.skipif(os.getenv("HAVEXMLSTATS", "unset") != "1", - reason="XML not configured") def test_zone_timers_secondary_xml(statsport): - generic.test_zone_timers_secondary(fetch_zones_xml, load_timers_xml, - statsip="10.53.0.3", statsport=statsport, - zonedir="ns3") + generic.test_zone_timers_secondary( + fetch_zones_xml, + load_timers_xml, + statsip="10.53.0.3", + statsport=statsport, + zonedir="ns3", + ) -@pytest.mark.xml -@pytest.mark.requests -@pytest.mark.skipif(os.getenv("HAVEXMLSTATS", "unset") != "1", - reason="XML not configured") def test_zone_with_many_keys_xml(statsport): - generic.test_zone_with_many_keys(fetch_zones_xml, load_zone_xml, - statsip="10.53.0.2", statsport=statsport) + generic.test_zone_with_many_keys( + fetch_zones_xml, load_zone_xml, statsip="10.53.0.2", statsport=statsport + ) -@pytest.mark.xml -@pytest.mark.requests -@pytest.mark.dnspython -@pytest.mark.skipif(os.getenv("HAVEXMLSTATS", "unset") != "1", - reason="XML not configured") -def test_traffic_xml(port, statsport): - 
generic.test_traffic(fetch_traffic_xml, - statsip="10.53.0.2", statsport=statsport, - port=port) +def test_traffic_xml(named_port, statsport): + generic_dnspython = pytest.importorskip("generic_dnspython") + generic_dnspython.test_traffic( + fetch_traffic_xml, statsip="10.53.0.2", statsport=statsport, port=named_port + ) diff -Nru bind9-9.16.27/bin/tests/system/tcp/ans6/ans.py bind9-9.16.33/bin/tests/system/tcp/ans6/ans.py --- bind9-9.16.27/bin/tests/system/tcp/ans6/ans.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/ans6/ans.py 2022-09-08 13:01:23.000000000 +0000 @@ -42,10 +42,11 @@ # Timeout for establishing all connections requested by a single 'open' command. OPEN_TIMEOUT = 2 -VERSION_QUERY = b'\x00\x1e\xaf\xb8\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03' +VERSION_QUERY = b"\x00\x1e\xaf\xb8\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03" + def log(msg): - print(datetime.datetime.now().strftime('%d-%b-%Y %H:%M:%S.%f ') + msg) + print(datetime.datetime.now().strftime("%d-%b-%Y %H:%M:%S.%f ") + msg) def open_connections(active_conns, count, host, port): @@ -58,14 +59,14 @@ except socket.error: family = socket.AF_INET6 - log('Opening %d connections...' % count) + log("Opening %d connections..." % count) for _ in range(count): sock = socket.socket(family, socket.SOCK_STREAM) sock.setblocking(0) err = sock.connect_ex((host, port)) if err not in (0, errno.EINPROGRESS): - log('%s on connect for socket %s' % (errno.errorcode[err], sock)) + log("%s on connect for socket %s" % (errno.errorcode[err], sock)) errors.append(sock) else: queued.append(sock) 
@@ -81,35 +82,35 @@ queued.remove(sock) err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) if err: - log('%s for socket %s' % (errno.errorcode[err], sock)) + log("%s for socket %s" % (errno.errorcode[err], sock)) errors.append(sock) else: sock.send(VERSION_QUERY) active_conns.append(sock) if errors: - log('result=FAIL: %d connection(s) failed' % len(errors)) + log("result=FAIL: %d connection(s) failed" % len(errors)) elif queued: - log('result=FAIL: Timed out, aborting %d pending connections' % len(queued)) + log("result=FAIL: Timed out, aborting %d pending connections" % len(queued)) for sock in queued: sock.close() else: - log('result=OK: Successfully opened %d connections' % count) + log("result=OK: Successfully opened %d connections" % count) def close_connections(active_conns, count): - log('Closing %s connections...' % "all" if count == 0 else str(count)) + log("Closing %s connections..." % "all" if count == 0 else str(count)) if count == 0: count = len(active_conns) for _ in range(count): sock = active_conns.pop(0) sock.close() - log('result=OK: Successfully closed %d connections' % count) + log("result=OK: Successfully closed %d connections" % count) def sigterm(*_): - log('SIGTERM received, shutting down') - os.remove('ans.pid') + log("SIGTERM received, shutting down") + os.remove("ans.pid") sys.exit(0) @@ -118,16 +119,16 @@ signal.signal(signal.SIGTERM, sigterm) - with open('ans.pid', 'w') as pidfile: + with open("ans.pid", "w") as pidfile: print(os.getpid(), file=pidfile) - listenip = '10.53.0.6' + listenip = "10.53.0.6" try: - port = int(os.environ['CONTROLPORT']) + port = int(os.environ["CONTROLPORT"]) except KeyError: port = 5309 - log('Listening on %s:%d' % (listenip, port)) + log("Listening on %s:%d" % (listenip, port)) ctlsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ctlsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) 
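Review bot: In close_connections the line `log("Closing %s connections..." % "all" if count == 0 else str(count))` parses as `(fmt % "all") if count == 0 else str(count)`, because `%` binds tighter than the conditional expression. For a non-zero count only the bare number is written to the log. The reformat carried this over unchanged; parenthesising the conditional fixes it: `log("Closing %s connections..." % ("all" if count == 0 else str(count)))`.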
@@ -136,21 +137,21 @@ while True: (clientsock, _) = ctlsock.accept() - log('Accepted control connection from %s' % clientsock) - cmdline = clientsock.recv(512).decode('ascii').strip() + log("Accepted control connection from %s" % clientsock) + cmdline = clientsock.recv(512).decode("ascii").strip() if cmdline: - log('Received command: %s' % cmdline) + log("Received command: %s" % cmdline) cmd = cmdline.split() - if cmd[0] == 'open': + if cmd[0] == "open": count, host, port = cmd[1:] open_connections(active_conns, int(count), host, int(port)) - elif cmd[0] == 'close': - (count, ) = cmd[1:] + elif cmd[0] == "close": + (count,) = cmd[1:] close_connections(active_conns, int(count)) else: - log('result=FAIL: Unknown command') + log("result=FAIL: Unknown command") clientsock.close() -if __name__ == '__main__': +if __name__ == "__main__": main() diff -Nru bind9-9.16.27/bin/tests/system/tcp/clean.sh bind9-9.16.33/bin/tests/system/tcp/clean.sh --- bind9-9.16.27/bin/tests/system/tcp/clean.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/clean.sh 2022-09-08 13:01:23.000000000 +0000 @@ -11,12 +11,12 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -rm -f */named.memstats -rm -f */named.run -rm -f */named.conf -rm -f */named.stats* rm -f ans6/ans.run* rm -f dig.out* rm -f rndc.out* rm -f ns*/named.lock rm -f ns*/managed-keys.bind* +rm -f ns*/named.memstats +rm -f ns*/named.run +rm -f ns*/named.conf +rm -f ns*/named.stats* diff -Nru bind9-9.16.27/bin/tests/system/tcp/ns7/named.conf.in bind9-9.16.33/bin/tests/system/tcp/ns7/named.conf.in --- bind9-9.16.27/bin/tests/system/tcp/ns7/named.conf.in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/ns7/named.conf.in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + statistics-file "named.stats"; + tcp-clients 1; + keep-response-order { any; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type primary; + file "root.db"; +}; diff -Nru bind9-9.16.27/bin/tests/system/tcp/ns7/named.dropedns bind9-9.16.33/bin/tests/system/tcp/ns7/named.dropedns --- bind9-9.16.27/bin/tests/system/tcp/ns7/named.dropedns 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/ns7/named.dropedns 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1 @@ +dropedns diff -Nru bind9-9.16.27/bin/tests/system/tcp/ns7/root.db bind9-9.16.33/bin/tests/system/tcp/ns7/root.db --- bind9-9.16.27/bin/tests/system/tcp/ns7/root.db 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/ns7/root.db 2022-09-08 13:01:23.000000000 +0000 
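Review bot: The new ns7/named.conf.in sets `tcp-clients 1;` and `keep-response-order { any; };` without saying why, although the regression test in tests-tcp.py depends on the single TCP slot and presumably on the response-ordering setting as well. A comment such as `/* one TCP slot: test_close_wait in tests-tcp.py relies on it */` above `tcp-clients` would stop a later cleanup from "normalising" the values. The `controls` block also pairs `allow { any; }` with a fixed key secret committed in the file; a short comment such as `/* test-only key; never reuse outside the system tests */` would make the fixture status explicit.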
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.7 + +example. NS ns2.example. +ns2.example. A 10.53.0.2 diff -Nru bind9-9.16.27/bin/tests/system/tcp/setup.sh bind9-9.16.33/bin/tests/system/tcp/setup.sh --- bind9-9.16.27/bin/tests/system/tcp/setup.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/setup.sh 2022-09-08 13:01:23.000000000 +0000 @@ -21,3 +21,4 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns7/named.conf.in ns7/named.conf diff -Nru bind9-9.16.27/bin/tests/system/tcp/tests-tcp.py bind9-9.16.33/bin/tests/system/tcp/tests-tcp.py --- bind9-9.16.27/bin/tests/system/tcp/tests-tcp.py 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/tcp/tests-tcp.py 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,72 @@ +#!/usr/bin/python3 + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=unused-variable + +import socket +import time + +import pytest + +pytest.importorskip("dns", minversion="2.0.0") +import dns.message +import dns.query + +TIMEOUT = 10 + + +def create_msg(qname, qtype, edns=-1): + msg = dns.message.make_query(qname, qtype, use_edns=edns) + return msg + + +def timeout(): + return time.time() + TIMEOUT + + +def create_socket(host, port): + sock = socket.create_connection((host, port), timeout=1) + sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, True) + return sock + + +# Regression test for CVE-2022-0396 +def test_close_wait(named_port): + with create_socket("10.53.0.7", named_port) as sock: + + msg = create_msg("a.example.", "A") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) + + msg = dns.message.make_query("a.example.", "A", use_edns=0, payload=1232) + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + + # Shutdown the socket, but ignore the other side closing the socket + # first because we sent DNS message with EDNS0 + try: + sock.shutdown(socket.SHUT_RDWR) + except ConnectionError: + pass + except OSError: + pass + + # BIND allows one TCP client, the part above sends DNS messaage with EDNS0 + # after the first query. BIND should react adequately because of + # ns7/named.dropedns and close the socket, making room for the next + # request. If it gets stuck in CLOSE_WAIT state, there is no connection + # available for the query below and it will time out. 
+ with create_socket("10.53.0.7", named_port) as sock: + + msg = create_msg("a.example.", "A") + (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) + (response, rtime) = dns.query.receive_tcp(sock, timeout()) diff -Nru bind9-9.16.27/bin/tests/system/timeouts/conftest.py bind9-9.16.33/bin/tests/system/timeouts/conftest.py --- bind9-9.16.27/bin/tests/system/timeouts/conftest.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/timeouts/conftest.py 1970-01-01 00:00:00.000000000 +0000 
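Review bot: test_close_wait in the new tests-tcp.py never asserts on what it receives: both `response` values are discarded, so the test passes on any reply that parses and fails only on a timeout. Adding `assert msg.is_response(response)` after each `dns.query.receive_tcp` call would confirm that the reply belongs to the query that was sent. Separately, `except ConnectionError: pass` is redundant because ConnectionError is a subclass of OSError, which the following clause already catches. The explanatory comment also has a typo, "messaage".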
@@ -1,69 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import os -import pytest - - -def pytest_configure(config): - config.addinivalue_line( - "markers", "dnspython: mark tests that need dnspython to function" - ) - config.addinivalue_line( - "markers", "dnspython2: mark tests that need dnspython >= 2.0.0" - ) - config.addinivalue_line( - "markers", "long: mark tests that take a long time to run" - ) - - -def pytest_collection_modifyitems(config, items): - # pylint: disable=unused-argument,unused-import,too-many-branches - # pylint: disable=import-outside-toplevel - - # Test for dnspython module - skip_dnspython = pytest.mark.skip( - reason="need dnspython module to run") - try: - import dns.query # noqa: F401 - except ModuleNotFoundError: - for item in items: - if "dnspython" in item.keywords: - item.add_marker(skip_dnspython) - - # Test for dnspython >= 2.0.0 module - skip_dnspython2 = pytest.mark.skip( - reason="need dnspython >= 2.0.0 module to run") - try: - from dns.query import send_tcp # noqa: F401 - except ImportError: - for item in items: - if "dnspython2" in item.keywords: - item.add_marker(skip_dnspython2) - - skip_long_tests = pytest.mark.skip( - reason="need CI_ENABLE_ALL_TESTS environment variable") - if not os.environ.get("CI_ENABLE_ALL_TESTS"): - for item in items: - if "long" in item.keywords: - item.add_marker(skip_long_tests) - - -@pytest.fixture -def port(request): - # pylint: disable=unused-argument - env_port = os.getenv("PORT") - if port is None: - env_port = 5300 - else: - env_port = int(env_port) - - return env_port diff -Nru 
bind9-9.16.27/bin/tests/system/timeouts/prereq.sh bind9-9.16.33/bin/tests/system/timeouts/prereq.sh --- bind9-9.16.27/bin/tests/system/timeouts/prereq.sh 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/timeouts/prereq.sh 2022-09-08 13:01:23.000000000 +0000 @@ -16,7 +16,7 @@ if test -n "$PYTHON" then - if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null + if [ "$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)" -ge 2 ] then : else diff -Nru bind9-9.16.27/bin/tests/system/timeouts/tests-tcp.py bind9-9.16.33/bin/tests/system/timeouts/tests-tcp.py --- bind9-9.16.27/bin/tests/system/timeouts/tests-tcp.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/timeouts/tests-tcp.py 2022-09-08 13:01:23.000000000 +0000 @@ -18,13 +18,24 @@ import pytest +pytest.importorskip("dns", minversion="2.0.0") +import dns.edns +import dns.message +import dns.name +import dns.query +import dns.rdataclass +import dns.rdatatype + +import pytest_custom_markers # pylint: disable=import-error + + TIMEOUT = 10 def create_msg(qname, qtype): - import dns.message - msg = dns.message.make_query(qname, qtype, want_dnssec=True, - use_edns=0, payload=4096) + msg = dns.message.make_query( + qname, qtype, want_dnssec=True, use_edns=0, payload=4096 + ) return msg @@ -32,16 +43,12 @@ return time.time() + TIMEOUT -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_initial_timeout(port): +def test_initial_timeout(named_port): # # The initial timeout is 2.5 seconds, so this should timeout # - import dns.query - with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) time.sleep(3) 
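Review bot: In prereq.sh, when dnspython is missing or `$PYTHON -c` fails, the command substitution in the new `if [ "$(...)" -ge 2 ]` expands to an empty string and `[` reports an integer-expression error. The `2> /dev/null` only covers the Python process, so that message reaches the test log. The branch still falls through to `else`, so the result is correct but noisy. Capturing the value first and defaulting it avoids this: `major=$($PYTHON -c "import dns.version; print(dns.version.MAJOR)" 2> /dev/null)` followed by `if [ "${major:-0}" -ge 2 ]`. The surrounding `if` block continues outside the hunk.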
@@ -55,17 +62,13 @@ raise EOFError from e -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_idle_timeout(port): +def test_idle_timeout(named_port): # # The idle timeout is 5 seconds, so the third message should fail # - import dns.rcode - msg = create_msg("example.", "A") with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) time.sleep(1) @@ -87,20 +90,16 @@ raise EOFError from e -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_keepalive_timeout(port): +def test_keepalive_timeout(named_port): # # Keepalive is 7 seconds, so the third message should succeed. # - import dns.rcode - msg = create_msg("example.", "A") - kopt = dns.edns.GenericOption(11, b'\x00') + kopt = dns.edns.GenericOption(11, b"\x00") msg.use_edns(edns=True, payload=4096, options=[kopt]) with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) time.sleep(1) @@ -118,17 +117,13 @@ (response, rtime) = dns.query.receive_tcp(sock, timeout()) -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_pipelining_timeout(port): +def test_pipelining_timeout(named_port): # # The pipelining should only timeout after the last message is received # - import dns.query - msg = create_msg("example.", "A") with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) time.sleep(1) 
@@ -156,49 +151,48 @@ raise EOFError from e -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_long_axfr(port): +def test_long_axfr(named_port): # # The timers should not fire during AXFR, thus the connection should not # close abruptly # - import dns.query - import dns.rdataclass - import dns.rdatatype - with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) name = dns.name.from_text("example.") msg = create_msg("example.", "AXFR") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) # Receive the initial DNS message with SOA - (response, rtime) = dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) assert soa is not None # Pull DNS message from wire until the second SOA is received while True: - (response, rtime) = dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) if soa is not None: break assert soa is not None -@pytest.mark.dnspython -@pytest.mark.dnspython2 -def test_send_timeout(port): - import dns.query - +# This test relies on the maximum socket send buffer size (wmem_max) being set +# to 212992 bytes (the typical default value on Linux systems). Environments +# that use a different value for this setting (for example, FreeBSD defaults to +# 32768 bytes) may need their system-level settings to be tweaked in order for +# this test to pass. 
+def test_send_timeout(named_port): with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) # Send and receive single large RDATA over TCP msg = create_msg("large.example.", "TXT") @@ -222,26 +216,22 @@ raise EOFError from e -@pytest.mark.dnspython -@pytest.mark.dnspython2 -@pytest.mark.long -def test_max_transfer_idle_out(port): - import dns.query - import dns.rdataclass - import dns.rdatatype - +@pytest_custom_markers.long_test +def test_max_transfer_idle_out(named_port): with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) name = dns.name.from_text("example.") msg = create_msg("example.", "AXFR") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) # Receive the initial DNS message with SOA - (response, rtime) = dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) assert soa is not None time.sleep(61) # max-transfer-idle-out is 1 minute 
@@ -249,47 +239,45 @@ with pytest.raises(ConnectionResetError): # Process queued TCP messages while True: - (response, rtime) = \ - dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) if soa is not None: break assert soa is None -@pytest.mark.dnspython -@pytest.mark.dnspython2 -@pytest.mark.long -def test_max_transfer_time_out(port): - import dns.query - import dns.rdataclass - import dns.rdatatype - +@pytest_custom_markers.long_test +def test_max_transfer_time_out(named_port): with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: - sock.connect(("10.53.0.1", port)) + sock.connect(("10.53.0.1", named_port)) name = dns.name.from_text("example.") msg = create_msg("example.", "AXFR") (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout()) # Receive the initial DNS message with SOA - (response, rtime) = dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) assert soa is not None # The loop should timeout at the 5 minutes (max-transfer-time-out) with pytest.raises(EOFError): while True: time.sleep(1) - (response, rtime) = \ - dns.query.receive_tcp(sock, timeout(), - one_rr_per_rrset=True) - soa = response.get_rrset(dns.message.ANSWER, name, - dns.rdataclass.IN, dns.rdatatype.SOA) + (response, rtime) = dns.query.receive_tcp( + sock, timeout(), one_rr_per_rrset=True + ) + soa = response.get_rrset( + dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA + ) if soa is not None: 
break assert soa is None diff -Nru bind9-9.16.27/bin/tests/system/wildcard/conftest.py bind9-9.16.33/bin/tests/system/wildcard/conftest.py --- bind9-9.16.27/bin/tests/system/wildcard/conftest.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/wildcard/conftest.py 1970-01-01 00:00:00.000000000 +0000 @@ -1,18 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -import os -import pytest - - -@pytest.fixture(scope='module') -def named_port(): - return int(os.environ.get("PORT", default=5300)) diff -Nru bind9-9.16.27/bin/tests/system/wildcard/tests-wildcard.py bind9-9.16.33/bin/tests/system/wildcard/tests-wildcard.py --- bind9-9.16.27/bin/tests/system/wildcard/tests-wildcard.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/system/wildcard/tests-wildcard.py 2022-09-08 13:01:23.000000000 +0000 @@ -35,7 +35,9 @@ import dns.name import dns.query import dns.rcode +import dns.rdataclass import dns.rdatatype +import dns.rrset pytest.importorskip("hypothesis") from hypothesis import given 
@@ -43,19 +45,21 @@ # labels of a zone with * A 192.0.2.1 wildcard -WILDCARD_ZONE = ('allwild', 'test', '') +WILDCARD_ZONE = ("allwild", "test", "") WILDCARD_RDTYPE = dns.rdatatype.A -WILDCARD_RDATA = '192.0.2.1' -IPADDR = '10.53.0.1' +WILDCARD_RDATA = "192.0.2.1" +IPADDR = "10.53.0.1" TIMEOUT = 5 # seconds, just a sanity check # Helpers def is_nonexpanding_rdtype(rdtype): """skip meta types to avoid weird rcodes caused by AXFR etc.; RFC 6895""" - return not(rdtype == WILDCARD_RDTYPE - or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ... - or 128 <= rdtype <= 255) # unknown meta types + return not ( + rdtype == WILDCARD_RDTYPE + or dns.rdatatype.is_metatype(rdtype) # known metatypes: OPT ... + or 128 <= rdtype <= 255 + ) # unknown meta types def tcp_query(where, port, qname, qtype): @@ -65,15 +69,16 @@ def query(where, port, label, rdtype): - labels = (label, ) + WILDCARD_ZONE + labels = (label,) + WILDCARD_ZONE qname = dns.name.Name(labels) return tcp_query(where, port, qname, rdtype) # Tests -@given(label=binary(min_size=1, max_size=63), - rdtype=integers(min_value=0, max_value=65535).filter( - is_nonexpanding_rdtype)) +@given( + label=binary(min_size=1, max_size=63), + rdtype=integers(min_value=0, max_value=65535).filter(is_nonexpanding_rdtype), +) def test_wildcard_rdtype_mismatch(label, rdtype, named_port): """any label non-matching rdtype must result in to NODATA""" check_answer_nodata(*query(IPADDR, named_port, label, rdtype)) 
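Review bot: In is_nonexpanding_rdtype the reformat leaves `# unknown meta types` trailing the closing parenthesis of the whole `not ( ... )` expression instead of the `128 <= rdtype <= 255` term it describes. As written it reads as a label for the entire return value. Moving it back onto the range line, `or 128 <= rdtype <= 255  # unknown meta types`, keeps it parallel with the `# known metatypes: OPT ...` comment above.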
@@ -95,10 +100,13 @@ assert querymsg.is_response(answer), str(answer) assert answer.rcode() == dns.rcode.NOERROR, str(answer) assert len(querymsg.question) == 1, str(answer) - expected_answer = [dns.rrset.from_text( - querymsg.question[0].name, - 300, # TTL, ignored by dnspython comparison - dns.rdataclass.IN, - WILDCARD_RDTYPE, - WILDCARD_RDATA)] + expected_answer = [ + dns.rrset.from_text( + querymsg.question[0].name, + 300, # TTL, ignored by dnspython comparison + dns.rdataclass.IN, + WILDCARD_RDTYPE, + WILDCARD_RDATA, + ) + ] assert answer.answer == expected_answer, str(answer) diff -Nru bind9-9.16.27/bin/tests/wire_test.c bind9-9.16.33/bin/tests/wire_test.c --- bind9-9.16.27/bin/tests/wire_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tests/wire_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -37,7 +37,7 @@ static isc_result_t printmessage(dns_message_t *msg); -static inline void +static void CHECKRESULT(isc_result_t result, const char *msg) { if (result != ISC_R_SUCCESS) { printf("%s: %s\n", msg, dns_result_totext(result)); @@ -58,7 +58,6 @@ fprintf(stderr, "bad input format: %02x\n", c); exit(3); - /* NOTREACHED */ } static void diff -Nru bind9-9.16.27/bin/tools/dnstap-read.c bind9-9.16.33/bin/tools/dnstap-read.c --- bind9-9.16.27/bin/tools/dnstap-read.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tools/dnstap-read.c 2022-09-08 13:01:23.000000000 +0000 @@ -265,7 +265,7 @@ (void)inet_ntop(ip->len == 4 ? AF_INET : AF_INET6, ip->data, buf, sizeof(buf)); - printf(" query_address: %s\n", buf); + printf(" query_address: \"%s\"\n", buf); } if (m->has_response_address) { 
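Review bot: In the dnstap-read.c hunk the address family is chosen as `ip->len == 4 ? AF_INET : AF_INET6`, so any length other than 4 is formatted as IPv6 and inet_ntop() reads 16 bytes from `ip->data`. The `(void)` cast also discards a failure before `buf` is printed, now inside quotes. The function starts outside the hunk, so an earlier length check may exist. If it does not, a guard such as `if (ip->len != 4 && ip->len != 16)` that skips the field would keep a malformed dnstap frame from causing an over-read. The response_address hunk that follows has the same pattern.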
@@ -274,7 +274,7 @@ (void)inet_ntop(ip->len == 4 ? AF_INET : AF_INET6, ip->data, buf, sizeof(buf)); - printf(" response_address: %s\n", buf); + printf(" response_address: \"%s\"\n", buf); } if (m->has_query_port) { diff -Nru bind9-9.16.27/bin/tools/mdig.c bind9-9.16.33/bin/tools/mdig.c --- bind9-9.16.27/bin/tools/mdig.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/bin/tools/mdig.c 2022-09-08 13:01:23.000000000 +0000 @@ -332,7 +332,7 @@ if (hash != NULL) { *hash = '\0'; } - printf(" response_address: %s\n", sockstr); + printf(" response_address: \"%s\"\n", sockstr); printf(" response_port: %u\n", sport); } @@ -343,7 +343,7 @@ if (hash != NULL) { *hash = '\0'; } - printf(" query_address: %s\n", sockstr); + printf(" query_address: \"%s\"\n", sockstr); printf(" query_port: %u\n", sport); } @@ -1701,7 +1701,7 @@ have_ipv6 = false; } else { fatal("can't find IPv4 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; @@ -1712,7 +1712,7 @@ have_ipv4 = false; } else { fatal("can't find IPv6 networking"); - /* NOTREACHED */ + UNREACHABLE(); return (false); } break; @@ -1820,7 +1820,7 @@ fprintf(stderr, "Invalid option: -%s\n", option); usage(); } - /* NOTREACHED */ + UNREACHABLE(); return (false); } diff -Nru bind9-9.16.27/cocci/unreachable.spatch bind9-9.16.33/cocci/unreachable.spatch --- bind9-9.16.27/cocci/unreachable.spatch 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/cocci/unreachable.spatch 2022-09-08 13:01:23.000000000 +0000 @@ -1,6 +1,19 @@ @@ @@ - INSIST(0); -+ ISC_UNREACHABLE(); - ... when != ISC_UNREACHABLE(); +- INSIST(0); ++ UNREACHABLE(); + ... when != UNREACHABLE(); + +@@ +@@ + +- INSIST(0); +- ISC_UNREACHABLE(); ++ UNREACHABLE(); + +@@ +@@ + +- UNREACHABLE(); + UNREACHABLE(); diff -Nru bind9-9.16.27/config.h.in bind9-9.16.33/config.h.in --- bind9-9.16.27/config.h.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/config.h.in 2022-09-08 13:01:23.000000000 +0000 
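Review bot: In the mdig.c hunks at -1701, -1712 and -1820 the new `UNREACHABLE();` is immediately followed by `return (false);`, which is now dead code and contradicts the marker. The macro's definition for this file is not part of the hunk; if it can expand to a compiler unreachable hint, these sites are only correct while `fatal()` and `usage()` never return. I would drop the trailing `return (false);` and confirm that both helpers are declared noreturn. The enclosing functions start and end outside the hunks.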
@@ -519,9 +519,6 @@ /* Define to allow building of objects for dlopen(). */ #undef ISC_DLZ_DLOPEN -/* Define to emulate atomic variables with mutexes. */ -#undef ISC_MUTEX_ATOMICS - /* define if the linker supports --wrap option */ #undef LD_WRAP diff -Nru bind9-9.16.27/configure bind9-9.16.33/configure --- bind9-9.16.27/configure 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/configure 2022-09-08 13:01:23.000000000 +0000 @@ -902,7 +902,6 @@ enable_warn_error enable_developer enable_fuzzing -enable_mutex_atomics with_python with_python_install_dir enable_kqueue @@ -1620,8 +1619,6 @@ --enable-fuzzing= Enable fuzzing using American Fuzzy Lop or libFuzzer (default=no) - --enable-mutex-atomics emulate atomics by mutex-locked variables, useful - for debugging [default=no] --enable-kqueue use BSD kqueue when available [default=yes] --enable-epoll use Linux epoll when available [default=auto] --enable-devpoll use /dev/poll when available [default=yes] @@ -12423,34 +12420,6 @@ fi -# [pairwise: --enable-mutex-atomics, --disable-mutex-atomics] -# Check whether --enable-mutex_atomics was given. -if test "${enable_mutex_atomics+set}" = set; then : - enableval=$enable_mutex_atomics; -else - enable_mutex_atomics=no -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to emulate atomics with mutexes" >&5 -$as_echo_n "checking whether to emulate atomics with mutexes... " >&6; } -case "$enable_mutex_atomics" in -yes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - -$as_echo "#define ISC_MUTEX_ATOMICS 1" >>confdefs.h - - ;; -no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - ;; -*) - as_fn_error $? "\"--enable-mutex-atomics requires yes or no\"" "$LINENO" 5 - ;; -esac - # # Make very sure that these are the first files processed by # config.status, since we use the processed output as the input for 
@@ -12681,10 +12650,13 @@ testply='try: import ply except: exit(1)' -testsetup='try: from distutils.core import setup +testsetuptools='try: from setuptools import setup +except: exit(1)' + +testdistutils='try: from distutils.core import setup except: exit(1)' -default_with_python="python python3 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7" +default_with_python="python python3 python3.11 python3.10 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7" @@ -12815,16 +12787,25 @@ continue fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'distutils.core setup'" >&5 -$as_echo_n "checking Python module 'distutils.core setup'... " >&6; } - if "$PYTHON" -c "$testsetup" 2>/dev/null; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'setuptools'" >&5 +$as_echo_n "checking Python module 'setuptools'... " >&6; } + if "$PYTHON" -c "$testsetuptools" 2>/dev/null; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - unset PYTHON - continue + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Python module 'distutils'" >&5 +$as_echo_n "checking Python module 'distutils'... " >&6; } + if "$PYTHON" -c "$testdistutils" 2>/dev/null; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + unset PYTHON + continue +fi fi # Stop looking any further once we find a Python interpreter 
@@ -15250,7 +15231,7 @@ MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_MMDB_open" { $as_echo "$as_me:${as_lineno-$LINENO}: GeoIP2 default database path set to $with_maxminddb/share/GeoIP" >&5 $as_echo "$as_me: GeoIP2 default database path set to $with_maxminddb/share/GeoIP" >&6;} - eval MAXMINDDB_PREFIX=\$$with_maxminddb + MAXMINDDB_PREFIX=$with_maxminddb else as_fn_error $? "GeoIP2 requested, but libmaxminddb not found" "$LINENO" 5 @@ -16233,6 +16214,79 @@ fi + + + CCASFLAGS_libuv_ax_save_flags=$CCASFLAGS + + + + CFLAGS_libuv_ax_save_flags=$CFLAGS + + + + CPPFLAGS_libuv_ax_save_flags=$CPPFLAGS + + + + CXXFLAGS_libuv_ax_save_flags=$CXXFLAGS + + + + ERLCFLAGS_libuv_ax_save_flags=$ERLCFLAGS + + + + FCFLAGS_libuv_ax_save_flags=$FCFLAGS + + + + FCLIBS_libuv_ax_save_flags=$FCLIBS + + + + FFLAGS_libuv_ax_save_flags=$FFLAGS + + + + FLIBS_libuv_ax_save_flags=$FLIBS + + + + GCJFLAGS_libuv_ax_save_flags=$GCJFLAGS + + + + JAVACFLAGS_libuv_ax_save_flags=$JAVACFLAGS + + + + LDFLAGS_libuv_ax_save_flags=$LDFLAGS + + + + LIBS_libuv_ax_save_flags=$LIBS + + + + OBJCFLAGS_libuv_ax_save_flags=$OBJCFLAGS + + + + OBJCXXFLAGS_libuv_ax_save_flags=$OBJCXXFLAGS + + + + UPCFLAGS_libuv_ax_save_flags=$UPCFLAGS + + + + VALAFLAGS_libuv_ax_save_flags=$VALAFLAGS + + + +CFLAGS="$CFLAGS $LIBUV_CFLAGS" +LIBS="$LIBS $LIBUV_LIBS" + # libuv recvmmsg support ac_fn_c_check_decl "$LINENO" "UV_UDP_MMSG_FREE" "ac_cv_have_decl_UV_UDP_MMSG_FREE" "#include " 
@@ -16294,6 +16348,60 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + CCASFLAGS=$CCASFLAGS_libuv_ax_save_flags + + + CFLAGS=$CFLAGS_libuv_ax_save_flags + + + CPPFLAGS=$CPPFLAGS_libuv_ax_save_flags + + + CXXFLAGS=$CXXFLAGS_libuv_ax_save_flags + + + ERLCFLAGS=$ERLCFLAGS_libuv_ax_save_flags + + + FCFLAGS=$FCFLAGS_libuv_ax_save_flags + + + FCLIBS=$FCLIBS_libuv_ax_save_flags + + + FFLAGS=$FFLAGS_libuv_ax_save_flags + + + FLIBS=$FLIBS_libuv_ax_save_flags + + + GCJFLAGS=$GCJFLAGS_libuv_ax_save_flags + + + JAVACFLAGS=$JAVACFLAGS_libuv_ax_save_flags + + + LDFLAGS=$LDFLAGS_libuv_ax_save_flags + + + LIBS=$LIBS_libuv_ax_save_flags + + + OBJCFLAGS=$OBJCFLAGS_libuv_ax_save_flags + + + OBJCXXFLAGS=$OBJCXXFLAGS_libuv_ax_save_flags + + + UPCFLAGS=$UPCFLAGS_libuv_ax_save_flags + + + VALAFLAGS=$VALAFLAGS_libuv_ax_save_flags + + + + # # flockfile is usually provided by pthreads # diff -Nru bind9-9.16.27/configure.ac bind9-9.16.33/configure.ac --- bind9-9.16.27/configure.ac 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/configure.ac 2022-09-08 13:01:23.000000000 +0000 @@ -145,28 +145,6 @@ [AC_MSG_ERROR([set CC=afl- when --enable-fuzzing=afl is used])]) ]) -# [pairwise: --enable-mutex-atomics, --disable-mutex-atomics] -AC_ARG_ENABLE(mutex_atomics, - AS_HELP_STRING([--enable-mutex-atomics], - [emulate atomics by mutex-locked variables, useful for debugging - [default=no]]), - [], - [enable_mutex_atomics=no]) - -AC_MSG_CHECKING([whether to emulate atomics with mutexes]) -case "$enable_mutex_atomics" in -yes) - AC_MSG_RESULT(yes) - AC_DEFINE(ISC_MUTEX_ATOMICS, 1, [Define to emulate atomic variables with mutexes.]) - ;; -no) - AC_MSG_RESULT(no) - ;; -*) - AC_MSG_ERROR("--enable-mutex-atomics requires yes or no") - ;; -esac - # # Make very sure that these are the first files processed by # config.status, since we use the processed output as the input for 
@@ -228,10 +206,13 @@ testply='try: import ply except: exit(1)' -testsetup='try: from distutils.core import setup +testsetuptools='try: from setuptools import setup +except: exit(1)' + +testdistutils='try: from distutils.core import setup except: exit(1)' -default_with_python="python python3 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7" +default_with_python="python python3 python3.11 python3.10 python3.9 python3.8 python3.7 python3.6 python3.5 python3.4 python3.3 python3.2 python2 python2.7" AC_ARG_VAR([PYTHON], [path to python executable]) @@ -290,12 +271,16 @@ unset PYTHON continue]) - AC_MSG_CHECKING([Python module 'distutils.core setup']) - AS_IF(["$PYTHON" -c "$testsetup" 2>/dev/null], + AC_MSG_CHECKING([Python module 'setuptools']) + AS_IF(["$PYTHON" -c "$testsetuptools" 2>/dev/null], [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]) - unset PYTHON - continue]) + AC_MSG_CHECKING([Python module 'distutils']) + AS_IF(["$PYTHON" -c "$testdistutils" 2>/dev/null], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + unset PYTHON + continue])]) # Stop looking any further once we find a Python interpreter # satisfying all requirements. @@ -655,7 +640,7 @@ GEOIP2LINKOBJS='${GEOIP2LINKOBJS}' MAXMINDDB_LIBS="$MAXMINDDB_LIBS $ac_cv_search_MMDB_open" AC_MSG_NOTICE([GeoIP2 default database path set to $with_maxminddb/share/GeoIP]) - AS_VAR_COPY([MAXMINDDB_PREFIX], [$with_maxminddb]) + AS_VAR_COPY([MAXMINDDB_PREFIX], [with_maxminddb]) ], [AC_MSG_ERROR([GeoIP2 requested, but libmaxminddb not found])]) AX_RESTORE_FLAGS([maxminddb]) @@ -726,6 +711,10 @@ PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [], [AC_MSG_ERROR([libuv not found])]) +AX_SAVE_FLAGS([libuv]) +CFLAGS="$CFLAGS $LIBUV_CFLAGS" +LIBS="$LIBS $LIBUV_LIBS" + # libuv recvmmsg support AC_CHECK_DECLS([UV_UDP_MMSG_FREE, UV_UDP_MMSG_CHUNK], [], [], [[#include ]]) AC_MSG_CHECKING([whether struct msghdr uses padding for alignment]) 
@@ -737,6 +726,8 @@ [AC_MSG_RESULT([no]) AC_CHECK_DECLS([UV_UDP_RECVMMSG], [], [], [[#include ]])]) +AX_RESTORE_FLAGS([libuv]) + # # flockfile is usually provided by pthreads # diff -Nru bind9-9.16.27/contrib/dlz/drivers/dlz_ldap_driver.c bind9-9.16.33/contrib/dlz/drivers/dlz_ldap_driver.c --- bind9-9.16.27/contrib/dlz/drivers/dlz_ldap_driver.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/drivers/dlz_ldap_driver.c 2022-09-08 13:01:23.000000000 +0000 @@ -957,11 +957,13 @@ if (result != ISC_R_SUCCESS) { return (result); } + FALLTHROUGH; case 11: result = dlz_ldap_checkURL(argv[10], 3, "all nodes"); if (result != ISC_R_SUCCESS) { return (result); } + FALLTHROUGH; case 10: if (strlen(argv[9]) > 0) { result = dlz_ldap_checkURL(argv[9], 3, "authority"); @@ -969,6 +971,7 @@ return (result); } } + FALLTHROUGH; case 9: result = dlz_ldap_checkURL(argv[8], 3, "lookup"); if (result != ISC_R_SUCCESS) { diff -Nru bind9-9.16.27/contrib/dlz/drivers/dlz_mysql_driver.c bind9-9.16.33/contrib/dlz/drivers/dlz_mysql_driver.c --- bind9-9.16.27/contrib/dlz/drivers/dlz_mysql_driver.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/drivers/dlz_mysql_driver.c 2022-09-08 13:01:23.000000000 +0000 @@ -41,9 +41,9 @@ #include #include -#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 +#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 typedef bool my_bool; -#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */ +#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */ static dns_sdlzimplementation_t *dlz_mysql = NULL; 
@@ -289,7 +289,9 @@ break; } for (j = 0; mysql_ping((MYSQL *)dbi->dbconn) != 0 && j < 4; j++) + { ; + } } if (qres == 0) { diff -Nru bind9-9.16.27/contrib/dlz/drivers/dlz_postgres_driver.c bind9-9.16.33/contrib/dlz/drivers/dlz_postgres_driver.c --- bind9-9.16.27/contrib/dlz/drivers/dlz_postgres_driver.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/drivers/dlz_postgres_driver.c 2022-09-08 13:01:23.000000000 +0000 @@ -1108,8 +1108,9 @@ /* if we cannot connect the first time, try 3 more times. */ for (j = 0; PQstatus((PGconn *)dbi->dbconn) != CONNECTION_OK && j < 3; - j++) + j++) { PQreset((PGconn *)dbi->dbconn); + } /* * if multi threaded, let user know which connection diff -Nru bind9-9.16.27/contrib/dlz/drivers/include/dlz/sdlz_helper.h bind9-9.16.33/contrib/dlz/drivers/include/dlz/sdlz_helper.h --- bind9-9.16.27/contrib/dlz/drivers/include/dlz/sdlz_helper.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/drivers/include/dlz/sdlz_helper.h 2022-09-08 13:01:23.000000000 +0000 @@ -36,7 +36,7 @@ * special tokens are %zone%, %record%, %client% */ struct query_segment { - void *sql; + void *sql; unsigned int strlen; bool direct; ISC_LINK(query_segment_t) link; @@ -61,7 +61,7 @@ char *zone; char *record; char *client; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_mutex_t instance_lock; ISC_LINK(dbinstance_t) link; }; diff -Nru bind9-9.16.27/contrib/dlz/example/dlz_example.c bind9-9.16.33/contrib/dlz/example/dlz_example.c --- bind9-9.16.27/contrib/dlz/example/dlz_example.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/example/dlz_example.c 2022-09-08 13:01:23.000000000 +0000 
@@ -474,8 +474,9 @@ } if (strcmp(name, "too-long") == 0) { - for (i = 0; i < 511; i++) + for (i = 0; i < 511; i++) { buf[i] = 'x'; + } buf[i] = '\0'; found = true; result = state->putrr(lookup, "TXT", 0, buf); diff -Nru bind9-9.16.27/contrib/dlz/modules/include/dlz_dbi.h bind9-9.16.33/contrib/dlz/modules/include/dlz_dbi.h --- bind9-9.16.27/contrib/dlz/modules/include/dlz_dbi.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/include/dlz_dbi.h 2022-09-08 13:01:23.000000000 +0000 @@ -48,7 +48,7 @@ * special tokens are %zone%, %record%, %client% */ struct query_segment { - void *cmd; + void *cmd; unsigned int strlen; bool direct; DLZ_LINK(query_segment_t) link; diff -Nru bind9-9.16.27/contrib/dlz/modules/include/dlz_minimal.h bind9-9.16.33/contrib/dlz/modules/include/dlz_minimal.h --- bind9-9.16.27/contrib/dlz/modules/include/dlz_minimal.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/include/dlz_minimal.h 2022-09-08 13:01:23.000000000 +0000 @@ -28,6 +28,7 @@ #include #include +#include #include #include @@ -82,12 +83,30 @@ do { \ union { \ const void *k; \ - void *v; \ + void *v; \ } _u; \ _u.k = konst; \ var = _u.v; \ } while (0) +#if !defined(__has_attribute) +#define __has_attribute(x) 0 +#endif /* if !defined(__has_attribute) */ + +#if __GNUC__ >= 7 || __has_attribute(fallthrough) +#define FALLTHROUGH __attribute__((fallthrough)) +#else +/* clang-format off */ +#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */ +/* clang-format on */ +#endif + +#ifdef __GNUC__ +#define UNREACHABLE() __builtin_unreachable() +#else +#define UNREACHABLE() abort() +#endif + /* opaque structures */ typedef void *dns_sdlzlookup_t; typedef void *dns_sdlzallnodes_t; @@ -109,7 +128,7 @@ #endif /* ifdef ISC_PLATFORM_HAVESYSUNH */ } type; unsigned int length; - void *link; + void *link; } isc_sockaddr_t; typedef struct isc_netaddr { 
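Review bot: The `UNREACHABLE()` macro added to dlz_minimal.h at -82 expands to a bare `__builtin_unreachable()` under `__GNUC__`, so reaching it is undefined behaviour there, while other compilers get a clean `abort()`. Modules built against this header use it after string-matching loops (for example the `UNREACHABLE();` added after `for (stringstart = string;;)` in dlz_wildcard_dynamic.c), where a logic error should stop the process rather than be assumed away by the optimiser. I would make both branches fail closed, e.g. `#define UNREACHABLE() abort()` unconditionally, or `(abort(), __builtin_unreachable())` if the hint is wanted. The header name on the added `#include` line is lost in this rendering, so confirm it is the one that declares `abort()`.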
@@ -133,16 +152,16 @@ #define DNS_CLIENTINFO_VERSION 3 typedef struct dns_clientinfo { uint16_t version; - void *data; - void *dbversion; + void *data; + void *dbversion; dns_ecs_t ecs; } dns_clientinfo_t; typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client, - isc_sockaddr_t **addrp); + isc_sockaddr_t **addrp); typedef isc_result_t (*dns_clientinfo_version_t)(dns_clientinfo_t *client, - void **addrp); + void **addrp); #define DNS_CLIENTINFOMETHODS_VERSION 2 #define DNS_CLIENTINFOMETHODS_AGE 1 diff -Nru bind9-9.16.27/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c bind9-9.16.33/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c --- bind9-9.16.27/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/mysql/dlz_mysql_dynamic.c 2022-09-08 13:01:23.000000000 +0000 @@ -44,9 +44,9 @@ #include #include -#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 +#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 typedef bool my_bool; -#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */ +#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */ #define dbc_search_limit 30 #define ALLNODES 1 @@ -482,8 +482,9 @@ * ones together. figure out how long to make * string. */ - for (j = 2; j < fields; j++) + for (j = 2; j < fields; j++) { len += strlen(safeGet(row[j])) + 1; + } /* * allocate string memory, allow for NULL to 
@@ -682,8 +683,9 @@ * more than 4 fields, concatenate the last * ones together. */ - for (j = 3; j < fields; j++) + for (j = 3; j < fields; j++) { len += strlen(safeGet(row[j])) + 1; + } tmpString = malloc(len + 1); if (tmpString == NULL) { diff -Nru bind9-9.16.27/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c bind9-9.16.33/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c --- bind9-9.16.27/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c 2022-09-08 13:01:23.000000000 +0000 @@ -56,9 +56,9 @@ #include #include -#if !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 +#if !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 typedef bool my_bool; -#endif /* !defined(LIBMARIADB) && MYSQL_VERSION_ID >= 80000 */ +#endif /* !defined(MARIADB_BASE_VERSION) && MYSQL_VERSION_ID >= 80000 */ /* * The SQL queries that will be used for lookups and updates are defined @@ -494,7 +494,7 @@ } /* Return a dot if 's' doesn't already end with one */ -static inline const char * +static const char * dot(const char *s) { return (isrelative(s) ? "." : ""); } @@ -706,8 +706,9 @@ /* Make the question into labels */ j = 12; while (packet[j]) { - for (i = j + 1; packet[i] != '\0' && packet[i] != '.'; i++) + for (i = j + 1; packet[i] != '\0' && packet[i] != '.'; i++) { ; + } packet[j] = i - j - 1; j = i; } diff -Nru bind9-9.16.27/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c bind9-9.16.33/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c --- bind9-9.16.27/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c 2022-09-08 13:01:23.000000000 +0000 @@ -551,8 +551,9 @@ * ones together. figure out how long to make * string. */ - for (j = 2; j < fields; j++) + for (j = 2; j < fields; j++) { len += strlen(safeGet(row[j])) + 1; + } /* * allocate string memory, allow for NULL to 
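Review bot: In the dlz_mysqldyn_mod.c hunk at -706, `packet[j] = i - j - 1;` stores the label length in a single element without a bound, so a label longer than 63 characters would, as far as the hunk shows, end up as an invalid length octet in the message being built. The hunk only adds braces around the empty `for` body; the check would go right after that loop, e.g. `if (i - j - 1 > 63) { /* reject the name */ }` using whatever error path the function already has. The declarations of `packet`, `i` and `j` and the source of the name are outside the hunk, so an earlier length check may already exist.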
@@ -753,8 +754,9 @@ * more than 4 fields, concatenate the last * ones together. */ - for (j = 3; j < fields; j++) + for (j = 3; j < fields; j++) { len += strlen(safeGet(row[j])) + 1; + } tmpString = malloc(len + 1); if (tmpString == NULL) { diff -Nru bind9-9.16.27/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c bind9-9.16.33/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c --- bind9-9.16.27/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c 2022-09-08 13:01:23.000000000 +0000 @@ -585,7 +585,7 @@ char *newp; char c, test; - for (stringstart = string;;) + for (stringstart = string;;) { switch (c = *pattern++) { case EOS: if ((flags & FNM_LEADING_DIR) && *string == '/') { @@ -684,7 +684,7 @@ --pattern; } } - /* FALLTHROUGH */ + FALLTHROUGH; default: norm: if (c == *string) { @@ -698,7 +698,8 @@ string++; break; } - /* NOTREACHED */ + } + UNREACHABLE(); } static int diff -Nru bind9-9.16.27/contrib/kasp/kasp2policy.py bind9-9.16.33/contrib/kasp/kasp2policy.py --- bind9-9.16.27/contrib/kasp/kasp2policy.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/contrib/kasp/kasp2policy.py 2022-09-08 13:01:23.000000000 +0000 @@ -28,19 +28,19 @@ class KTLex: # pylint: disable=invalid-name - tokens = ('P', 'T', 'Y', 'M', 'D', 'H', 'S', 'NUM') + tokens = ("P", "T", "Y", "M", "D", "H", "S", "NUM") - t_P = r'(?i)P' - t_T = r'(?i)T' - t_Y = r'(?i)Y' - t_M = r'(?i)M' - t_D = r'(?i)D' - t_H = r'(?i)H' - t_S = r'(?i)S' + t_P = r"(?i)P" + t_T = r"(?i)T" + t_Y = r"(?i)Y" + t_M = r"(?i)M" + t_D = r"(?i)D" + t_H = r"(?i)H" + t_S = r"(?i)S" @staticmethod def t_NUM(t): - r'\d+' + r"\d+" t.value = int(t.value) return t 
@@ -98,26 +98,26 @@ @staticmethod def p_period(p): - '''period : NUM Y - | NUM M - | NUM D''' - if p[2].lower() == 'y': + """period : NUM Y + | NUM M + | NUM D""" + if p[2].lower() == "y": p[0] = int(p[1]) * 31536000 - elif p[2].lower() == 'm': + elif p[2].lower() == "m": p[0] = int(p[1]) * 2592000 - elif p[2].lower() == 'd': + elif p[2].lower() == "d": p[0] += int(p[1]) * 86400 @staticmethod def p_time(p): - '''time : NUM H - | NUM M - | NUM S''' - if p[2].lower() == 'h': + """time : NUM H + | NUM M + | NUM S""" + if p[2].lower() == "h": p[0] = int(p[1]) * 3600 - elif p[2].lower() == 'm': + elif p[2].lower() == "m": p[0] = int(p[1]) * 60 - elif p[2].lower() == 's': + elif p[2].lower() == "s": p[0] = int(p[1]) @staticmethod @@ -128,7 +128,7 @@ ############################################################################ # Load the contents of a KASP XML file as a python dictionary ############################################################################ -class Kasp(): +class Kasp: # pylint: disable=invalid-name @staticmethod @@ -143,12 +143,12 @@ k = {k: v[0] if len(v) == 1 else v for k, v in dd.items()} d = {t.tag: k} if t.attrib: - d[t.tag].update(('@' + k, v) for k, v in t.attrib.iteritems()) + d[t.tag].update(("@" + k, v) for k, v in t.attrib.iteritems()) if t.text: text = t.text.strip() if children or t.attrib: if text: - d[t.tag]['#text'] = text + d[t.tag]["#text"] = text else: d[t.tag] = text return d 
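Review bot: In `p_period` the `d` branch uses `p[0] += int(p[1]) * 86400` while the `y` and `m` branches assign with `=`; nothing in the hunk sets `p[0]` before that line, so a period such as `3D` would presumably raise a TypeError instead of yielding seconds. The line should read `p[0] = int(p[1]) * 86400`. The docstring here is the PLY grammar rule and has to stay as written, so the 365-day year and 30-day month behind `31536000` and `2592000` are better explained in a `#` comment next to those constants.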
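Review bot: The added line in the hunk at -143 still calls `t.attrib.iteritems()`, which exists only on Python 2 dictionaries; on Python 3 it raises AttributeError for any XML element that carries attributes. `items()` works on both, so the line can be `d[t.tag].update(("@" + k, v) for k, v in t.attrib.items())`. The enclosing method starts outside the hunk.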
@@ -189,35 +189,35 @@ KT = KaspTime() FIRST = True - for policy in KINFO['KASP']['Policy']: - if not policy['@name'] or not policy['Keys']: + for policy in KINFO["KASP"]["Policy"]: + if not policy["@name"] or not policy["Keys"]: continue if not FIRST: print("") FIRST = False - if policy['Description']: - desc = policy['Description'].strip() + if policy["Description"]: + desc = policy["Description"].strip() print("# %s" % re.sub(r"\n\s*", "\n# ", desc)) - print("policy %s {" % policy['@name']) - ksk = policy['Keys']['KSK'] - zsk = policy['Keys']['ZSK'] - kalg = ksk['Algorithm'] - zalg = zsk['Algorithm'] - algnum = kalg['#text'] or zalg['#text'] + print("policy %s {" % policy["@name"]) + ksk = policy["Keys"]["KSK"] + zsk = policy["Keys"]["ZSK"] + kalg = ksk["Algorithm"] + zalg = zsk["Algorithm"] + algnum = kalg["#text"] or zalg["#text"] if algnum: print("\talgorithm %s;" % dnskey.algstr(int(algnum))) - if policy['Keys']['TTL']: - print("\tkeyttl %d;" % KT.parse(policy['Keys']['TTL'])) - if kalg['@length']: - print("\tkey-size ksk %d;" % int(kalg['@length'])) - if zalg['@length']: - print("\tkey-size zsk %d;" % int(zalg['@length'])) - if ksk['Lifetime']: - print("\troll-period ksk %d;" % KT.parse(ksk['Lifetime'])) - if zsk['Lifetime']: - print("\troll-period zsk %d;" % KT.parse(zsk['Lifetime'])) - if ksk['Standby']: - print("\tstandby ksk %d;" % int(ksk['Standby'])) - if zsk['Standby']: - print("\tstandby zsk %d;" % int(zsk['Standby'])) + if policy["Keys"]["TTL"]: + print("\tkeyttl %d;" % KT.parse(policy["Keys"]["TTL"])) + if kalg["@length"]: + print("\tkey-size ksk %d;" % int(kalg["@length"])) + if zalg["@length"]: + print("\tkey-size zsk %d;" % int(zalg["@length"])) + if ksk["Lifetime"]: + print("\troll-period ksk %d;" % KT.parse(ksk["Lifetime"])) + if zsk["Lifetime"]: + print("\troll-period zsk %d;" % KT.parse(zsk["Lifetime"])) + if ksk["Standby"]: + print("\tstandby ksk %d;" % int(ksk["Standby"])) + if zsk["Standby"]: + print("\tstandby zsk %d;" % 
int(zsk["Standby"])) print("};") diff -Nru bind9-9.16.27/dangerfile.py bind9-9.16.33/dangerfile.py --- bind9-9.16.27/dangerfile.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/dangerfile.py 2022-09-08 13:01:23.000000000 +0000 @@ -13,24 +13,30 @@ # Helper functions and variables + def added_lines(target_branch, paths): import subprocess - subprocess.check_output(['/usr/bin/git', 'fetch', '--depth', '1', 'origin', - target_branch]) - diff = subprocess.check_output(['/usr/bin/git', 'diff', 'FETCH_HEAD..', - '--'] + paths) + + subprocess.check_output( + ["/usr/bin/git", "fetch", "--depth", "1", "origin", target_branch] + ) + diff = subprocess.check_output( + ["/usr/bin/git", "diff", "FETCH_HEAD..", "--"] + paths + ) added_lines = [] for line in diff.splitlines(): - if line.startswith(b'+') and not line.startswith(b'+++'): + if line.startswith(b"+") and not line.startswith(b"+++"): added_lines.append(line) return added_lines + def lines_containing(lines, string): - return [l for l in lines if bytes(string, 'utf-8') in l] + return [l for l in lines if bytes(string, "utf-8") in l] + -changes_issue_or_mr_id_regex = re.compile(br'\[(GL [#!]|RT #)[0-9]+\]') -relnotes_issue_or_mr_id_regex = re.compile(br':gl:`[#!][0-9]+`') -release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)') +changes_issue_or_mr_id_regex = re.compile(rb"\[(GL [#!]|RT #)[0-9]+\]") +relnotes_issue_or_mr_id_regex = re.compile(rb":gl:`[#!][0-9]+`") +release_notes_regex = re.compile(r"doc/(arm|notes)/notes-.*\.(rst|xml)") modified_files = danger.git.modified_files mr_labels = danger.gitlab.mr.labels 
@@ -73,33 +79,39 @@ for commit in danger.git.commits: message_lines = commit.message.splitlines() subject = message_lines[0] - if (not fixup_error_logged and - (subject.startswith('fixup!') or - subject.startswith('Apply suggestion'))): - fail('Fixup commits are still present in this merge request. ' - 'Please squash them before merging.') + if not fixup_error_logged and ( + subject.startswith("fixup!") or subject.startswith("Apply suggestion") + ): + fail( + "Fixup commits are still present in this merge request. " + "Please squash them before merging." + ) fixup_error_logged = True - if len(subject) > 72 and not subject.startswith('Merge branch '): + if len(subject) > 72 and not subject.startswith("Merge branch "): warn( - f'Subject line for commit {commit.sha} is too long: ' - f'```{subject}``` ({len(subject)} > 72 characters).' + f"Subject line for commit {commit.sha} is too long: " + f"```{subject}``` ({len(subject)} > 72 characters)." ) - if subject[-1] == '.': - fail(f'Trailing dot found in the subject of commit {commit.sha}.') + if subject[-1] == ".": + fail(f"Trailing dot found in the subject of commit {commit.sha}.") if len(message_lines) > 1 and message_lines[1]: - fail(f'No empty line after subject for commit {commit.sha}.') - if (len(message_lines) < 3 and - 'fixup! ' not in subject and - ' CHANGES ' not in subject and - ' release note' not in subject): - warn(f'Please write a log message for commit {commit.sha}.') + fail(f"No empty line after subject for commit {commit.sha}.") + if ( + len(message_lines) < 3 + and "fixup! 
" not in subject + and " CHANGES " not in subject + and " release note" not in subject + ): + warn(f"Please write a log message for commit {commit.sha}.") for line in message_lines[2:]: - if (len(line) > 72 and - not line.startswith(' ') and - not re.match(r'\[[0-9]+\]', line)): + if ( + len(line) > 72 + and not line.startswith(" ") + and not re.match(r"\[[0-9]+\]", line) + ): warn( - f'Line too long in log message for commit {commit.sha}: ' - f'```{line}``` ({len(line)} > 72 characters).' + f"Line too long in log message for commit {commit.sha}: " + f"```{line}``` ({len(line)} > 72 characters)." ) ############################################################################### @@ -109,7 +121,7 @@ # FAIL if the merge request is not assigned to any milestone. if not danger.gitlab.mr.milestone: - fail('Please assign this merge request to a milestone.') + fail("Please assign this merge request to a milestone.") ############################################################################### # VERSION LABELS 
@@ -127,15 +139,19 @@ # request is not a backport, version labels are used for indicating # backporting preferences.) -backport_label_set = 'Backport' in mr_labels -version_labels = [l for l in mr_labels if l.startswith('v9.')] +backport_label_set = "Backport" in mr_labels +version_labels = [l for l in mr_labels if l.startswith("v9.")] if backport_label_set and len(version_labels) != 1: - fail('The *Backport* label is set for this merge request. ' - 'Please also set exactly one version label (*v9.x*).') + fail( + "The *Backport* label is set for this merge request. " + "Please also set exactly one version label (*v9.x*)." + ) if not backport_label_set and not version_labels: - fail('If this merge request is a backport, set the *Backport* label and ' - 'a single version label (*v9.x*) indicating the target branch. ' - 'If not, set version labels for all targeted backport branches.') + fail( + "If this merge request is a backport, set the *Backport* label and " + "a single version label (*v9.x*) indicating the target branch. " + "If not, set version labels for all targeted backport branches." + ) ############################################################################### # OTHER LABELS 
@@ -149,12 +165,16 @@ # remind developers about the need to set the latter on merge requests which # passed review.) -if 'Review' not in mr_labels: - warn('This merge request does not have the *Review* label set. ' - 'Please set it if you would like the merge request to be reviewed.') -elif 'LGTM (Merge OK)' not in mr_labels: - warn('This merge request is currently in review. ' - 'It should not be merged until it is marked with the *LGTM* label.') +if "Review" not in mr_labels: + warn( + "This merge request does not have the *Review* label set. " + "Please set it if you would like the merge request to be reviewed." + ) +elif "LGTM (Merge OK)" not in mr_labels: + warn( + "This merge request is currently in review. " + "It should not be merged until it is marked with the *LGTM* label." + ) ############################################################################### # 'CHANGES' FILE 
@@ -176,25 +196,31 @@ # * The merge request adds a new CHANGES entry that is not a placeholder and # does not contain any GitLab/RT issue/MR identifiers. -changes_modified = 'CHANGES' in modified_files -no_changes_label_set = 'No CHANGES' in mr_labels +changes_modified = "CHANGES" in modified_files +no_changes_label_set = "No CHANGES" in mr_labels if not changes_modified and not no_changes_label_set: - fail('This merge request does not modify `CHANGES`. ' - 'Add a `CHANGES` entry or set the *No CHANGES* label.') + fail( + "This merge request does not modify `CHANGES`. " + "Add a `CHANGES` entry or set the *No CHANGES* label." + ) if changes_modified and no_changes_label_set: - fail('This merge request modifies `CHANGES`. ' - 'Revert `CHANGES` modifications or unset the *No Changes* label.') + fail( + "This merge request modifies `CHANGES`. " + "Revert `CHANGES` modifications or unset the *No Changes* label." + ) -changes_added_lines = added_lines(target_branch, ['CHANGES']) -placeholders_added = lines_containing(changes_added_lines, '[placeholder]') +changes_added_lines = added_lines(target_branch, ["CHANGES"]) +placeholders_added = lines_containing(changes_added_lines, "[placeholder]") identifiers_found = filter(changes_issue_or_mr_id_regex.search, changes_added_lines) if changes_added_lines: if placeholders_added: - if target_branch != 'main': - fail('This MR adds at least one placeholder entry to `CHANGES`. ' - 'It should be targeting the `main` branch.') + if target_branch != "main": + fail( + "This MR adds at least one placeholder entry to `CHANGES`. " + "It should be targeting the `main` branch." + ) elif not any(identifiers_found): - fail('No valid issue/MR identifiers found in added `CHANGES` entries.') + fail("No valid issue/MR identifiers found in added `CHANGES` entries.") ############################################################################### # RELEASE NOTES 
@@ -219,25 +245,31 @@ # identifiers are found in the lines added to the release notes by this # MR. -release_notes_regex = re.compile(r'doc/(arm|notes)/notes-.*\.(rst|xml)') +release_notes_regex = re.compile(r"doc/(arm|notes)/notes-.*\.(rst|xml)") release_notes_changed = list(filter(release_notes_regex.match, modified_files)) -release_notes_label_set = 'Release Notes' in mr_labels +release_notes_label_set = "Release Notes" in mr_labels if not release_notes_changed: if release_notes_label_set: - fail('This merge request has the *Release Notes* label set. ' - 'Add a release note or unset the *Release Notes* label.') - elif 'Customer' in mr_labels: - warn('This merge request has the *Customer* label set. ' - 'Add a release note unless the changes introduced are trivial.') + fail( + "This merge request has the *Release Notes* label set. " + "Add a release note or unset the *Release Notes* label." + ) + elif "Customer" in mr_labels: + warn( + "This merge request has the *Customer* label set. " + "Add a release note unless the changes introduced are trivial." + ) if release_notes_changed and not release_notes_label_set: - fail('This merge request modifies release notes. ' - 'Revert release note modifications or set the *Release Notes* label.') + fail( + "This merge request modifies release notes. " + "Revert release note modifications or set the *Release Notes* label." + ) if release_notes_changed: notes_added_lines = added_lines(target_branch, release_notes_changed) identifiers_found = filter(relnotes_issue_or_mr_id_regex.search, notes_added_lines) if notes_added_lines and not any(identifiers_found): - warn('No valid issue/MR identifiers found in added release notes.') + warn("No valid issue/MR identifiers found in added release notes.") else: notes_added_lines = [] 
@@ -249,13 +281,17 @@ # identifier is missing from either the added CHANGES entry or the added # release note. -if lines_containing(changes_added_lines, '[security]'): - if not lines_containing(changes_added_lines, '(CVE-20'): - fail('This merge request fixes a security issue. ' - 'Please add a CHANGES entry which includes a CVE identifier.') - if not lines_containing(notes_added_lines, 'CVE-20'): - fail('This merge request fixes a security issue. ' - 'Please add a release note which includes a CVE identifier.') +if lines_containing(changes_added_lines, "[security]"): + if not lines_containing(changes_added_lines, "(CVE-20"): + fail( + "This merge request fixes a security issue. " + "Please add a CHANGES entry which includes a CVE identifier." + ) + if not lines_containing(notes_added_lines, "CVE-20"): + fail( + "This merge request fixes a security issue. " + "Please add a release note which includes a CVE identifier." + ) ############################################################################### # PAIRWISE TESTING 
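Review bot: The CVE checks in this hunk accept any added line that contains the literal `(CVE-20` or `CVE-20`, so a truncated or mistyped identifier still satisfies them. This assumes `lines_containing` does a plain substring match, as its use here suggests; it is defined outside the hunk. Matching a complete identifier would be stricter, for example `cve_regex = re.compile(r"CVE-20\d{2}-\d{4,}")` followed by `if not any(map(cve_regex.search, changes_added_lines)):`, in the same way the file already applies `filter(regex.search, ...)` to issue identifiers. The release-notes check a few lines below has the same gap.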
@@ -264,10 +300,36 @@ # FAIL if the merge request adds any new ./configure switch without an # associated annotation used for pairwise testing. -configure_added_lines = added_lines(target_branch, ['configure.ac']) -switches_added = (lines_containing(configure_added_lines, 'AC_ARG_ENABLE') + - lines_containing(configure_added_lines, 'AC_ARG_WITH')) -annotations_added = lines_containing(configure_added_lines, '# [pairwise: ') +configure_added_lines = added_lines(target_branch, ["configure.ac"]) +switches_added = lines_containing( + configure_added_lines, "AC_ARG_ENABLE" +) + lines_containing(configure_added_lines, "AC_ARG_WITH") +annotations_added = lines_containing(configure_added_lines, "# [pairwise: ") if len(switches_added) > len(annotations_added): - fail('This merge request adds at least one new `./configure` switch that ' - 'is not annotated for pairwise testing purposes.') + fail( + "This merge request adds at least one new `./configure` switch that " + "is not annotated for pairwise testing purposes." + ) + +############################################################################### +# USER-VISIBLE LOG LEVELS +############################################################################### +# +# WARN if the merge request adds new user-visible log messages (INFO or above) + +user_visible_log_levels = [ + "ISC_LOG_INFO", + "ISC_LOG_NOTICE", + "ISC_LOG_WARNING", + "ISC_LOG_ERROR", + "ISC_LOG_CRITICAL", +] +source_added_lines = added_lines(target_branch, ["*.[ch]"]) +for log_level in user_visible_log_levels: + if lines_containing(source_added_lines, log_level): + warn( + "This merge request adds new user-visible log messages with " + "level INFO or above. Please double-check log levels and make " + "sure none of the messages added is a leftover debug message." 
+ ) + break diff -Nru bind9-9.16.27/debian/changelog bind9-9.16.33/debian/changelog --- bind9-9.16.27/debian/changelog 2022-03-14 14:25:15.000000000 +0000 +++ bind9-9.16.33/debian/changelog 2022-09-21 10:40:02.000000000 +0000 @@ -1,3 +1,20 @@ +bind9 (1:9.16.33-1~deb11u1) bullseye-security; urgency=high + + * New upstream version 9.16.33 + - CVE-2022-2795: Processing large delegations may severely degrade + resolver performance + - CVE-2022-2881: Buffer overread in statistics channel code + - CVE-2022-2906: Memory leaks in code handling Diffie-Hellman key + exchange via TKEY RRs (OpenSSL 3.0.0+ only) + - CVE-2022-3080: BIND 9 resolvers configured to answer from stale + cache with zero stale-answer-client-timeout may terminate unexpectedly + - CVE-2022-38177: Memory leak in ECDSA DNSSEC verification code + - CVE-2022-38178: Memory leaks in EdDSA DNSSEC verification code + * Drop libldap2-dev from Build-Depends (Closes: #1008021) + * Add runtime dependency on libuv1 >= 1.40.0 (Closes: #1009889) + + -- OndÅ™ej Surý Wed, 21 Sep 2022 12:40:02 +0200 + bind9 (1:9.16.27-1~deb11u1) bullseye-security; urgency=high * New upstream version 9.16.27 diff -Nru bind9-9.16.27/debian/control bind9-9.16.33/debian/control --- bind9-9.16.27/debian/control 2022-03-14 14:25:15.000000000 +0000 +++ bind9-9.16.33/debian/control 2022-09-21 10:40:02.000000000 +0000 
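Review bot: The new "USER-VISIBLE LOG LEVELS" block does not document how narrow its match is: it looks for the level constant anywhere in an added line of a `*.[ch]` file. A re-wrapped existing log call would trigger the warning, while a new multi-line call whose level argument sits on an unchanged line would not; this is hedged because `added_lines` and `lines_containing` are defined outside the hunk. I would add a comment above the loop such as `# Substring match on added lines only; re-wrapped calls trigger it, calls whose level line is unchanged do not.` As a style point, the `for`/`break` pair can be written as `if any(lines_containing(source_added_lines, lvl) for lvl in user_visible_log_levels):` with the `warn(...)` call as its body.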
@@ -17,28 +17,26 @@ libidn2-dev, libjson-c-dev, libkrb5-dev, - libldap2-dev, liblmdb-dev, libmaxminddb-dev (>= 1.3.0), libprotobuf-c-dev, libssl-dev, libtool, - libuv1-dev, + libuv1-dev (>= 1.40.0), libxml2-dev, pkg-config, protobuf-c-compiler, python3, python3-ply, zlib1g-dev -Build-Depends-Indep: - fonts-freefont-otf, - latexmk, - python3-sphinx, - python3-sphinx-rtd-theme, - texlive-fonts-recommended, - texlive-latex-recommended, - texlive-xetex, - xindy, +Build-Depends-Indep: fonts-freefont-otf, + latexmk, + python3-sphinx, + python3-sphinx-rtd-theme, + texlive-fonts-recommended, + texlive-latex-recommended, + texlive-xetex, + xindy Standards-Version: 4.1.2 Vcs-Browser: https://salsa.debian.org/dns-team/bind9 Vcs-Git: https://salsa.debian.org/dns-team/bind9.git @@ -121,7 +119,8 @@ Priority: standard Architecture: any Multi-Arch: same -Depends: ${misc:Depends}, +Depends: libuv1 (>= 1.40.0), + ${misc:Depends}, ${shlibs:Depends} Breaks: bind-libs (<< 1:9.13.6~) Replaces: bind-libs (<< 1:9.13.6~) diff -Nru bind9-9.16.27/debian/patches/0002-python-fix-for-dist-packages.patch bind9-9.16.33/debian/patches/0002-python-fix-for-dist-packages.patch --- bind9-9.16.27/debian/patches/0002-python-fix-for-dist-packages.patch 2022-03-14 14:25:15.000000000 +0000 +++ bind9-9.16.33/debian/patches/0002-python-fix-for-dist-packages.patch 2022-09-21 10:40:02.000000000 +0000 @@ -9,41 +9,41 @@ 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/python/dnssec-checkds.py.in b/bin/python/dnssec-checkds.py.in -index e01a882..6a20e78 100644 +index 3ec15e2..e70d0c4 100644 --- a/bin/python/dnssec-checkds.py.in 
+++ b/bin/python/dnssec-checkds.py.in -@@ -20,7 +20,7 @@ if os.name != 'nt': - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') - else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', -- 'python' + sys.version[:3], 'site-packages')) -+ 'python' + sys.version[:3], 'dist-packages')) - - import isc.checkds +@@ -22,7 +22,7 @@ if os.name != "nt": + sys.path.insert( + 1, + os.path.join( +- "@prefix@", "lib", "python" + sys.version[:3], "site-packages" ++ "@prefix@", "lib", "python" + sys.version[:3], "dist-packages" + ), + ) diff --git a/bin/python/dnssec-coverage.py.in b/bin/python/dnssec-coverage.py.in -index 085d064..60c8e41 100644 +index a82dfe3..7d4f6ba 100644 --- a/bin/python/dnssec-coverage.py.in +++ b/bin/python/dnssec-coverage.py.in -@@ -20,7 +20,7 @@ if os.name != 'nt': - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') - else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', -- 'python' + sys.version[:3], 'site-packages')) -+ 'python' + sys.version[:3], 'dist-packages')) - - import isc.coverage +@@ -22,7 +22,7 @@ if os.name != "nt": + sys.path.insert( + 1, + os.path.join( +- "@prefix@", "lib", "python" + sys.version[:3], "site-packages" ++ "@prefix@", "lib", "python" + sys.version[:3], "dist-packages" + ), + ) diff --git a/bin/python/dnssec-keymgr.py.in b/bin/python/dnssec-keymgr.py.in -index 410acbf..2b5d822 100644 +index f8ee013..3bfa02e 100644 --- a/bin/python/dnssec-keymgr.py.in 
+++ b/bin/python/dnssec-keymgr.py.in -@@ -20,7 +20,7 @@ if os.name != 'nt': - sys.path.insert(1, '@PYTHON_INSTALL_DIR@') - else: - sys.path.insert(1, os.path.join('@prefix@', 'lib', -- 'python' + sys.version[:3], 'site-packages')) -+ 'python' + sys.version[:3], 'dist-packages')) - - import isc.keymgr +@@ -22,7 +22,7 @@ if os.name != "nt": + sys.path.insert( + 1, + os.path.join( +- "@prefix@", "lib", "python" + sys.version[:3], "site-packages" ++ "@prefix@", "lib", "python" + sys.version[:3], "dist-packages" + ), + ) diff -Nru bind9-9.16.27/debian/patches/0003-Disable-sphinx-build-strict-mode.patch bind9-9.16.33/debian/patches/0003-Disable-sphinx-build-strict-mode.patch --- bind9-9.16.27/debian/patches/0003-Disable-sphinx-build-strict-mode.patch 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/debian/patches/0003-Disable-sphinx-build-strict-mode.patch 2022-09-21 10:40:02.000000000 +0000 @@ -0,0 +1,33 @@ +From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= +Date: Wed, 21 Sep 2022 12:53:09 +0200 +Subject: Disable sphinx-build strict mode + +--- + doc/arm/Makefile.in | 1 - + doc/man/Makefile.in | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in +index ce365e3..806f577 100644 +--- a/doc/arm/Makefile.in ++++ b/doc/arm/Makefile.in +@@ -29,7 +29,6 @@ SPHINXBUILD = @SPHINX_BUILD@ + SPHINXBUILDDIR = ${builddir}/_build + + common_SPHINXOPTS = \ +- -W \ + -a \ + -v \ + -c "${abs_srcdir}" +diff --git a/doc/man/Makefile.in b/doc/man/Makefile.in +index db25228..7148293 100644 +--- a/doc/man/Makefile.in ++++ b/doc/man/Makefile.in +@@ -160,7 +160,6 @@ SPHINXBUILD = @SPHINX_BUILD@ + SPHINXBUILDDIR = ${builddir}/_build + + common_SPHINXOPTS = \ +- -W \ + -a \ + -v \ + -c "${abs_srcdir}" diff -Nru bind9-9.16.27/debian/patches/series bind9-9.16.33/debian/patches/series --- bind9-9.16.27/debian/patches/series 2022-03-14 14:25:15.000000000 +0000 +++ bind9-9.16.33/debian/patches/series 2022-09-21 10:40:02.000000000 +0000 
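Review bot: The refreshed 0002 patch still builds the directory name with `"python" + sys.version[:3]`, which gives `python3.1` on Python 3.10 and later because the slice keeps only three characters. A version-safe form is `"python%d.%d" % sys.version_info[:2]`, and the same line appears in all three files touched by the patch (dnssec-checkds, dnssec-coverage, dnssec-keymgr). The old side of the hunk also shows this `os.path.join(...)` call under the `else:` of `if os.name != 'nt':`, so the `dist-packages` substitution may never run on a Debian system; the new side does not show enough context to confirm that the structure is unchanged.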
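Review bot: The new 0003 patch header has only From, Date and Subject, so nothing records why `-W` is removed from `common_SPHINXOPTS` in `doc/arm/Makefile.in` and `doc/man/Makefile.in`. Without `-W`, Sphinx warnings such as broken cross-references no longer fail the documentation build, which is worth justifying for whoever refreshes the patch later. I would add DEP-3 style header lines, for example `Description: <reason the strict build fails on this suite>` and `Forwarded: not-needed`, with the placeholder replaced by the real reason.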
@@ -1,2 +1,3 @@
 0001-Add_--install-layout=deb_to_setup.py_call.patch
 0002-python-fix-for-dist-packages.patch
+0003-Disable-sphinx-build-strict-mode.patch
diff -Nru bind9-9.16.27/doc/arm/_static/custom.css bind9-9.16.33/doc/arm/_static/custom.css
--- bind9-9.16.27/doc/arm/_static/custom.css 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/doc/arm/_static/custom.css 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,25 @@
+/*
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+*/
+
+/* make table content wrappable */
+.wy-table-responsive table td {
+ white-space:normal;
+}
+
+/* readability improvements */
+.rst-content code.literal {
+ color: black;
+}
+.rst-content code.xref {
+ text-decoration: underline dotted gray;
+}
diff -Nru bind9-9.16.27/doc/arm/advanced.rst bind9-9.16.33/doc/arm/advanced.rst
--- bind9-9.16.27/doc/arm/advanced.rst 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/doc/arm/advanced.rst 2022-09-08 13:01:23.000000000 +0000
@@ -570,216 +570,6 @@ The only tool shipped with BIND 9 that generates SIG(0) signed messages is ``nsupdate``. -.. _DNSSEC: - -DNSSEC ------- - -Cryptographic authentication of DNS information is possible through the -DNS Security ("DNSSEC-bis") extensions, defined in :rfc:`4033`, :rfc:`4034`, -and :rfc:`4035`. This section describes the creation and use of DNSSEC -signed zones. - -In order to set up a DNSSEC secure zone, there are a series of steps -which must be followed. BIND 9 ships with several tools that are used in -this process, which are explained in more detail below. In all cases, -the ``-h`` option prints a full list of parameters. Note that the DNSSEC -tools require the keyset files to be in the working directory or the -directory specified by the ``-d`` option. - -There must also be communication with the administrators of the parent -and/or child zone to transmit keys. A zone's security status must be -indicated by the parent zone for a DNSSEC-capable resolver to trust its -data. This is done through the presence or absence of a ``DS`` record at -the delegation point. - -For other servers to trust data in this zone, they must be -statically configured with either this zone's zone key or the zone key of -another zone above this one in the DNS tree. - -.. _generating_dnssec_keys: - -Generating Keys -~~~~~~~~~~~~~~~ - -The ``dnssec-keygen`` program is used to generate keys. - -A secure zone must contain one or more zone keys. The zone keys -sign all other records in the zone, as well as the zone keys of any -secure delegated zones. Zone keys must have the same name as the zone, have a -name type of ``ZONE``, and be usable for authentication. It is -recommended that zone keys use a cryptographic algorithm designated as -"mandatory to implement" by the IETF. Currently there are two algorithms, -RSASHA256 and ECDSAP256SHA256; ECDSAP256SHA256 is recommended for -current and future deployments. 
- -The following command generates an ECDSAP256SHA256 key for the -``child.example`` zone: - -``dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.`` - -Two output files are produced: ``Kchild.example.+013+12345.key`` and -``Kchild.example.+013+12345.private`` (where 12345 is an example of a -key tag). The key filenames contain the key name (``child.example.``), -the algorithm (5 is RSASHA1, 8 is RSASHA256, 13 is ECDSAP256SHA256, 15 is -ED25519, etc.), and the key tag (12345 in this case). The private key (in -the ``.private`` file) is used to generate signatures, and the public -key (in the ``.key`` file) is used for signature verification. - -To generate another key with the same properties but with a different -key tag, repeat the above command. - -The ``dnssec-keyfromlabel`` program is used to get a key pair from a -crypto hardware device and build the key files. Its usage is similar to -``dnssec-keygen``. - -The public keys should be inserted into the zone file by including the -``.key`` files using ``$INCLUDE`` statements. - -.. _dnssec_zone_signing: - -Signing the Zone -~~~~~~~~~~~~~~~~ - -The ``dnssec-signzone`` program is used to sign a zone. - -Any ``keyset`` files corresponding to secure sub-zones should be -present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG`` -records for the zone, as well as ``DS`` for the child zones if ``-g`` -is specified. If ``-g`` is not specified, then DS RRsets for the -secure child zones need to be added manually. - -By default, all zone keys which have an available private key are used -to generate signatures. The following command signs the zone, assuming -it is in a file called ``zone.child.example``: - -``dnssec-signzone -o child.example zone.child.example`` - -One output file is produced: ``zone.child.example.signed``. This file -should be referenced by ``named.conf`` as the input file for the zone. - -``dnssec-signzone`` also produces keyset and dsset files. 
These are used -to provide the parent zone administrators with the ``DNSKEYs`` (or their -corresponding ``DS`` records) that are the secure entry point to the zone. - -.. _dnssec_config: - -Configuring Servers for DNSSEC -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To enable ``named`` to validate answers received from other servers, the -``dnssec-validation`` option must be set to either ``yes`` or ``auto``. - -When ``dnssec-validation`` is set to ``auto``, a trust anchor for the -DNS root zone is automatically used. This trust anchor is provided -as part of BIND and is kept up to date using :rfc:`5011` key management. - -When ``dnssec-validation`` is set to ``yes``, DNSSEC validation -only occurs if at least one trust anchor has been explicitly configured -in ``named.conf``, using a ``trust-anchors`` statement (or the -``managed-keys`` and ``trusted-keys`` statements, both deprecated). - -When ``dnssec-validation`` is set to ``no``, DNSSEC validation does not -occur. - -The default is ``auto`` unless BIND is built with -``configure --disable-auto-validation``, in which case the default is -``yes``. - -The keys specified in ``trust-anchors`` are copies of DNSKEY RRs for zones that are -used to form the first link in the cryptographic chain of trust. Keys configured -with the keyword ``static-key`` or ``static-ds`` are loaded directly into the -table of trust anchors, and can only be changed by altering the -configuration. Keys configured with ``initial-key`` or ``initial-ds`` are used -to initialize :rfc:`5011` trust anchor maintenance, and are kept up-to-date -automatically after the first time ``named`` runs. - -``trust-anchors`` is described in more detail later in this document. - -BIND 9 does not verify signatures on load, so zone keys -for authoritative zones do not need to be specified in the configuration -file. - -After DNSSEC is established, a typical DNSSEC configuration looks -something like the following. 
It has one or more public keys for the -root, which allows answers from outside the organization to be validated. -It also has several keys for parts of the namespace that the -organization controls. These are here to ensure that ``named`` is immune -to compromised security in the DNSSEC components of parent zones. - -:: - - trust-anchors { - /* Root Key */ - "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS - JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh - aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy - 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg - hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp - 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke - g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq - 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ - 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ - dgxbcDTClU0CRBdiieyLMNzXG3"; - /* Key for our organization's forward zone */ - example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D" - - /* Key for our reverse zone. */ - 2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc - xOdNax071L18QqZnQQQAVVr+i - LhGTnNGp3HoWQLUIzKrJVZ3zg - gy3WwNT6kZo6c0tszYqbtvchm - gQC8CzKojM/W16i6MG/eafGU3 - siaOdS0yOI6BgPsw+YZdzlYMa - IJGf4M4dyoKIhzdZyQ2bYQrjy - Q4LB0lC7aOnsMyYKHHYeRvPxj - IQXmdqgOJGq+vsevG06zW+1xg - YJh9rCIfnm1GX/KMgxLPG2vXT - D/RnLX+D3T3UL7HJYHJhAZD5L - 59VvjSPsZJHeDCUyWYrvPZesZ - DIRvhDD52SKvbheeTJUm6Ehkz - ytNN2SN96QRk8j/iI8ib"; - }; - - options { - ... - dnssec-validation yes; - }; - -.. - -.. note:: - - None of the keys listed in this example are valid. In particular, the - root key is not valid. - -When DNSSEC validation is enabled and properly configured, the resolver -rejects any answers from signed, secure zones which fail to -validate, and returns SERVFAIL to the client. 
- -Responses may fail to validate for any of several reasons, including -missing, expired, or invalid signatures, a key which does not match the -DS RRset in the parent zone, or an insecure response from a zone which, -according to its parent, should have been secure. - -.. note:: - - When the validator receives a response from an unsigned zone that has - a signed parent, it must confirm with the parent that the zone was - intentionally left unsigned. It does this by verifying, via signed - and validated NSEC/NSEC3 records, that the parent zone contains no DS - records for the child. - - If the validator *can* prove that the zone is insecure, then the - response is accepted. However, if it cannot, the validator must assume an - insecure response to be a forgery; it rejects the response and logs - an error. - - The logged error reads "insecurity proof failed" and "got insecure - response; parent indicates it should be secure." - - -.. include:: dnssec.rst .. include:: managed-keys.rst .. include:: pkcs11.rst .. include:: dlz.rst diff -Nru bind9-9.16.27/doc/arm/conf.py bind9-9.16.33/doc/arm/conf.py --- bind9-9.16.27/doc/arm/conf.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/conf.py 2022-09-08 13:01:23.000000000 +0000 @@ -26,17 +26,18 @@ except ImportError: # pylint: disable=too-few-public-methods class ReferenceRole(roles.GenericRole): - ''' + """ The ReferenceRole class (used as a base class by GitLabRefRole below) is only defined in Sphinx >= 2.0.0. For older Sphinx versions, this stub version of the ReferenceRole class is used instead. - ''' + """ + def __init__(self): - super().__init__('', nodes.strong) + super().__init__("", nodes.strong) -GITLAB_BASE_URL = 'https://gitlab.isc.org/isc-projects/bind9/-/' +GITLAB_BASE_URL = "https://gitlab.isc.org/isc-projects/bind9/-/" # Custom Sphinx role enabling automatic hyperlinking to GitLab issues/MRs. 
@@ -46,25 +47,26 @@ super().__init__() def run(self) -> Tuple[List[Node], List[system_message]]: - gl_identifier = '[GL %s]' % self.target + gl_identifier = "[GL %s]" % self.target - target_id = 'index-%s' % self.env.new_serialno('index') - entries = [('single', 'GitLab; ' + gl_identifier, target_id, '', None)] + target_id = "index-%s" % self.env.new_serialno("index") + entries = [("single", "GitLab; " + gl_identifier, target_id, "", None)] index = addnodes.index(entries=entries) - target = nodes.target('', '', ids=[target_id]) + target = nodes.target("", "", ids=[target_id]) self.inliner.document.note_explicit_target(target) try: refuri = self.build_uri() - reference = nodes.reference('', '', internal=False, refuri=refuri, - classes=['gl']) + reference = nodes.reference( + "", "", internal=False, refuri=refuri, classes=["gl"] + ) if self.has_explicit_title: reference += nodes.strong(self.title, self.title) else: reference += nodes.strong(gl_identifier, gl_identifier) except ValueError: - error_text = 'invalid GitLab identifier %s' % self.target + error_text = "invalid GitLab identifier %s" % self.target msg = self.inliner.reporter.error(error_text, line=self.lineno) prb = self.inliner.problematic(self.rawtext, self.rawtext, msg) return [prb], [msg] 
@@ -72,15 +74,19 @@ return [index, target, reference], [] def build_uri(self): - if self.target[0] == '#': - return self.base_url + 'issues/%d' % int(self.target[1:]) - if self.target[0] == '!': - return self.base_url + 'merge_requests/%d' % int(self.target[1:]) + if self.target[0] == "#": + return self.base_url + "issues/%d" % int(self.target[1:]) + if self.target[0] == "!": + return self.base_url + "merge_requests/%d" % int(self.target[1:]) raise ValueError -def setup(_): - roles.register_local_role('gl', GitLabRefRole(GITLAB_BASE_URL)) +def setup(app): + roles.register_local_role("gl", GitLabRefRole(GITLAB_BASE_URL)) + app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") + # ignore :option: references to simplify doc backports to v9_16 branch + app.add_role_to_domain("std", "option", roles.code_role) + # # Configuration file for the Sphinx documentation builder. 
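Review bot: `build_uri` reads `self.target[0]` before it knows the target is non-empty, so an empty target would raise `IndexError` instead of the `ValueError` that `run()` catches in the previous hunk. Whether Sphinx can pass an empty target to the role is not visible here, so this is a robustness point rather than a confirmed failure. Comparing a slice avoids it: with `if self.target[:1] == "#":` and `if self.target[:1] == "!":`, an empty string falls through to the existing `raise ValueError` and is reported as an invalid GitLab identifier.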
@@ -102,25 +108,25 @@ # -- Project information ----------------------------------------------------- -project = 'BIND 9' +project = "BIND 9" # pylint: disable=redefined-builtin -copyright = '2022, Internet Systems Consortium' -author = 'Internet Systems Consortium' +copyright = "2022, Internet Systems Consortium" +author = "Internet Systems Consortium" version_vars = {} -with open('../../version', encoding='utf-8') as version_file: +with open("../../version", encoding="utf-8") as version_file: for line in version_file: - match = re.match(r'(?P[A-Z]+)=(?P.*)', line) + match = re.match(r"(?P[A-Z]+)=(?P.*)", line) if match: - version_vars[match.group('key')] = match.group('val') + version_vars[match.group("key")] = match.group("val") -version = '%s.%s.%s%s%s%s' % ( - version_vars['MAJORVER'], - version_vars['MINORVER'], - version_vars['PATCHVER'], - version_vars['RELEASETYPE'], - version_vars['RELEASEVER'], - version_vars['EXTENSIONS'], +version = "%s.%s.%s%s%s%s" % ( + version_vars["MAJORVER"], + version_vars["MINORVER"], + version_vars["PATCHVER"], + version_vars["RELEASETYPE"], + version_vars["RELEASEVER"], + version_vars["EXTENSIONS"], ) release = version 
@@ -132,45 +138,53 @@ extensions = [] # Add any paths that contain templates here, relative to this directory. -templates_path = ['_templates'] +templates_path = ["_templates"] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. exclude_patterns = [ - '_build', - 'Thumbs.db', - '.DS_Store', - '*.grammar.rst', - '*.zoneopts.rst', - 'build.rst', - 'catz.rst', - 'dlz.rst', - 'dnssec.rst', - 'dyndb.rst', - 'logging-categories.rst', - 'managed-keys.rst', - 'pkcs11.rst', - 'platforms.rst', - 'plugins.rst' - ] + "_build", + "Thumbs.db", + ".DS_Store", + "*.grammar.rst", + "*.zoneopts.rst", + "build.rst", + "catz.rst", + "dlz.rst", + "dnssec.rst", + "dyndb.rst", + "logging-categories.rst", + "managed-keys.rst", + "pkcs11.rst", + "platforms.rst", + "plugins.rst", +] # The master toctree document. -master_doc = 'index' +master_doc = "index" # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # -html_theme = 'sphinx_rtd_theme' +html_theme = "sphinx_rtd_theme" +html_static_path = ["_static"] +html_css_files = ["custom.css"] # -- Options for LaTeX output ------------------------------------------------ -latex_engine = 'xelatex' +latex_engine = "xelatex" # pylint disable=line-too-long latex_documents = [ - (master_doc, 'Bv9ARM.tex', 'BIND 9 Administrator Reference Manual', author, 'manual'), - ] + ( + master_doc, + "Bv9ARM.tex", + "BIND 9 Administrator Reference Manual", + author, + "manual", + ), +] latex_logo = "isc-logo.pdf" diff -Nru bind9-9.16.27/doc/arm/configuration.rst bind9-9.16.33/doc/arm/configuration.rst --- bind9-9.16.27/doc/arm/configuration.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/configuration.rst 2022-09-08 13:01:23.000000000 +0000 
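Review bot: The context comment `# pylint disable=line-too-long` above `latex_documents` lacks the colon after `pylint`, so pylint most likely does not treat it as a pragma. With the tuple now wrapped one element per line, there is also no long line left to suppress. I would drop the comment, or write it as `# pylint: disable=line-too-long` if it is still wanted.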
@@ -160,25 +160,16 @@ mode, which executes a query for each in a list of several query lines. All query options are accessible from the command line. - ``dig [@server] domain [query-type][query-class][+query-option][-dig-option][%comment]`` - - The usual simple use of ``dig`` takes the form - - ``dig @server domain query-type query-class`` - For more information and a list of available commands and options, - see the ``dig`` man page. + see :ref:`man_dig`. ``host`` The ``host`` utility emphasizes simplicity and ease of use. By default, it converts between host names and Internet addresses, but its functionality can be extended with the use of options. - ``host [-aCdlnrsTwv][-c class][-N ndots][-t type][-W timeout][-R retries] - [-m flag][-4][-6] hostname [server]`` - For more information and a list of available commands and options, - see the ``host`` man page. + see :ref:`man_host`. ``nslookup`` ``nslookup`` has two modes: interactive and non-interactive. @@ -187,17 +178,6 @@ hosts in a domain. Non-interactive mode is used to print just the name and requested information for a host or domain. - ``nslookup [-option][ [host-to-find]|[-[server]] ]`` - - Interactive mode is entered when no arguments are given (the default - name server is used) or when the first argument is a hyphen - (``-``) and the second argument is the host name or Internet address of - a name server. - - Non-interactive mode is used when the name or Internet address of the - host to be looked up is given as the first argument. The optional - second argument specifies the host name or address of a name server. - Due to its arcane user interface and frequently inconsistent behavior, we do not recommend the use of ``nslookup``. Use ``dig`` instead. 
@@ -214,26 +194,26 @@ The ``named-checkconf`` program checks the syntax of a ``named.conf`` file. - ``named-checkconf [-jvz][-t directory][filename]`` + For more information and a list of available commands and options, + see :ref:`man_named-checkconf`. ``named-checkzone`` The ``named-checkzone`` program checks a zone file for syntax and consistency. - ``named-checkzone [-djqvD][-c class][-o output][-t directory][-w directory] - [-k (ignore|warn|fail)][-n (ignore|warn|fail)][-W (ignore|warn)] zone [filename]`` + For more information and a list of available commands and options, + see :ref:`man_named-checkzone`. ``named-compilezone`` - This tool is similar to ``named-checkzone,`` but it always dumps the zone content + This tool is similar to ``named-checkzone`` but it always dumps the zone content to a specified file (typically in a different format). + For more information and a list of available commands and options, + see :ref:`man_named-compilezone`. + ``rndc`` The remote name daemon control (``rndc``) program allows the system - administrator to control the operation of a name server. If ``rndc`` is run - without any options, it displays a usage message as - follows: - - ``rndc [-c config][-s server][-p port][-y key] command [command...]`` + administrator to control the operation of a name server. See :ref:`man_rndc` for details of the available ``rndc`` commands. diff -Nru bind9-9.16.27/doc/arm/dnssec.inc.rst bind9-9.16.33/doc/arm/dnssec.inc.rst --- bind9-9.16.27/doc/arm/dnssec.inc.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/arm/dnssec.inc.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,516 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. _dnssec: + +DNSSEC +------ +DNS Security Extensions (DNSSEC) provide reliable protection from +`cache poisoning`_ attacks. At the same time these extensions also provide other benefits: +they limit the impact of `random subdomain attacks`_ on resolver caches and authoritative +servers, and provide the foundation for modern applications like `authenticated +and private e-mail transfer`_. + +To achieve this goal, DNSSEC adds `digital signatures`_ to DNS records in +authoritative DNS zones, and DNS resolvers verify the validity of the signatures on the +received records. If the signatures match the received data, the resolver can +be sure that the data was not modified in transit. + +.. note:: + DNSSEC and transport-level encryption are complementary! + Unlike typical transport-level encryption like DNS-over-TLS, DNS-over-HTTPS, + or VPN, DNSSEC makes DNS records verifiable at all points of the DNS + resolution chain. + +This section focuses on ways to deploy DNSSEC using BIND. For a more in-depth +discussion of DNSSEC principles (e.g. :ref:`how_does_dnssec_change_dns_lookup`) +please see :doc:`dnssec-guide`. + +.. _`cache poisoning`: https://en.wikipedia.org/wiki/DNS_cache_poisoning +.. _`random subdomain attacks`: https://www.isc.org/blogs/nsec-caching-should-limit-excessive-queries-to-dns-root/ +.. _`digital signatures`: https://en.wikipedia.org/wiki/Digital_signature +.. _`authenticated and private e-mail transfer`: https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md + + +.. 
_dnssec_zone_signing: + +Zone Signing +~~~~~~~~~~~~ + +BIND offers several ways to generate signatures and maintain their validity +during the lifetime of a DNS zone: + + - :ref:`dnssec_kasp` - **strongly recommended** + - :ref:`dnssec_dynamic_zones` - only for special needs + - :ref:`dnssec_tools` - discouraged, use only for debugging + +.. _zone_keys: + +Zone keys +^^^^^^^^^ +Regardless of the :ref:`zone-signing ` method in use, cryptographic keys are +stored in files named like :file:`Kdnssec.example.+013+12345.key` and +:file:`Kdnssec.example.+013+12345.private`. +The private key (in the ``.private`` file) is used to generate signatures, and +the public key (in the ``.key`` file) is used for signature verification. +Additionally, the :ref:`dnssec_kasp` method creates a third file, +:file:`Kdnssec.example+013+12345.state`, which is used to track DNSSEC key timings +and to perform key rollovers safely. + +These filenames contain: + + - the key name, which always matches the zone name (``dnssec.example.``), + - the `algorithm number`_ (013 is ECDSAP256SHA256, 008 is RSASHA256, etc.), + - and the key tag, i.e. a non-unique key identifier (12345 in this case). + +.. _`algorithm number`: https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 + + +.. warning:: + Private keys are required for full disaster recovery. Back up key files in a + safe location and protect them from unauthorized access. Anyone with + access to the private key can create fake but seemingly valid DNS data. + + +.. _dnssec_kasp: + +Fully Automated (Key and Signing Policy) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Key and Signing Policy (KASP) is a method of configuration that describes +how to maintain DNSSEC signing keys and how to sign the zone. + +This is the recommended, fully automated way to sign and maintain DNS zones. For +most use cases users can simply use the built-in default policy, which applies +up-to-date DNSSEC practices: + +.. 
code-block:: none + :emphasize-lines: 4 + + zone "dnssec.example" { + type primary; + file "dnssec.example.db"; + dnssec-policy default; + }; + +This single line is sufficient to create the necessary signing keys, and generate +``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes +care of any DNSSEC maintenance for this zone, including replacing signatures +that are about to expire and managing :ref:`key_rollovers`. + +.. note:: + ``dnssec-policy`` needs write access to the zone. Please see + :ref:`dnssec_policy` for more details about implications for zone storage. + +The default policy creates one key that is used to sign the complete zone, +and uses ``NSEC`` to enable authenticated denial of existence (a secure way +to tell which records do not exist in a zone). This policy is recommended +and typically does not need to be changed. + +If needed, a custom policy can be defined by adding a ``dnssec-policy`` statement +into the configuration: + +.. code-block:: none + + + dnssec-policy "custom" { + dnskey-ttl 600; + keys { + ksk lifetime P1Y algorithm ecdsap384sha384; + zsk lifetime 60d algorithm ecdsap384sha384; + }; + nsec3param iterations 0 optout no salt-length 0; + }; + +This ``custom`` policy, for example: + + - uses a very short ``DNSKEY`` TTL (600 seconds), + - uses two keys to sign the zone: a Key Signing Key (KSK) to sign the key + related RRsets (``DNSKEY``, ``CDS``, and ``CDNSKEY``), and a Zone Signing + Key (ZSK) to sign the rest of the zone. The KSK is automatically + rotated after one year and the ZSK after 60 days. + +Also: + - The configured keys have a lifetime set and use the ECDSAP384SHA384 + algorithm. + - The last line instructs BIND to generate NSEC3 records for + :ref:`Proof of Non-Existence `, + using zero extra iterations and no salt. NSEC3 opt-out is disabled, meaning + insecure delegations also get an NSEC3 record. + +For more information about KASP configuration see :ref:`dnssec_policy_grammar`. 
+ +The :ref:`dnssec_advanced_discussions` section in the DNSSEC Guide discusses the +various policy settings and may be useful for determining values for specific +needs. + +Key Rollover +============ + +When using a ``dnssec-policy``, a key lifetime can be set to trigger +key rollovers. ZSK rollovers are fully automatic, but for KSK and CSK rollovers +a DS record needs to be submitted to the parent. See +:ref:`secure_delegation` for possible ways to do so. + +Once the DS is in the parent (and the DS of the predecessor key is withdrawn), +BIND needs to be told that this event has happened. This can be done automatically +by configuring parental agents: + +.. code-block:: none + :emphasize-lines: 5 + + zone "dnssec.example" { + type primary; + file "dnssec.example.db"; + dnssec-policy default; + parental-agents { 192.0.2.1; }; + }; + +Here one server, ``192.0.2.1``, is configured for BIND to send DS queries to, +to check the DS RRset for ``dnssec-example`` during key rollovers. This needs +to be a trusted server, because BIND does not validate the response. + +If setting up a parental agent is undesirable, it is also possible to tell BIND that the +DS is published in the parent with: +:option:`rndc dnssec -checkds -key 12345 published dnssec.example. `. +and the DS for the predecessor key has been removed with: +:option:`rndc dnssec -checkds -key 54321 withdrawn dnssec.example. `. +where 12345 and 54321 are the key tags of the successor and predecessor key, +respectively. + +To roll a key sooner than scheduled, or to roll a key that +has an unlimited lifetime, use: +:option:`rndc dnssec -rollover -key 12345 dnssec.example. `. + +To revert a signed zone back to an insecure zone, change +the zone configuration to use the built-in "insecure" policy. Detailed +instructions are described in :ref:`revert_to_unsigned`. + +.. _dnssec_dynamic_zones: + +Manual Key Management +^^^^^^^^^^^^^^^^^^^^^ + +.. 
warning:: + The method described here allows full control over the keys used to sign + the zone. This is required only for very special cases and is generally + discouraged. Under normal circumstances, please use :ref:`dnssec_kasp`. + + +.. _dnssec_dynamic_zones_multisigner_model: + +Multi-Signer Model +================== + +Dynamic zones provide the ability to sign a zone by multiple providers, meaning +each provider signs and serves the same zone independently. Such a setup requires +some coordination between providers when it comes to key rollovers, and may be +better suited to be configured with ``auto-dnssec allow;``. This permits keys to +be updated and the zone to be re-signed only if the user issues the command +:option:`rndc sign zonename `. + +A zone can also be configured with ``auto-dnssec maintain``, which automatically +adjusts the zone's DNSSEC keys on a schedule according to the key timing +metadata. However, keys still need to be generated separately, for +example with :iscman:`dnssec-keygen`. + +Of course, dynamic zones can also use ``dnssec-policy`` to fully automate DNSSEC +maintenance. The next sections assume that more key +management control is needed, and describe how to use dynamic DNS update to perform +various DNSSEC operations. + +.. _dnssec_dynamic_zones_enabling_dnssec: + +Enabling DNSSEC Manually +======================== +As an alternative to fully automated zone signing using :ref:`dnssec-policy +`, a zone can be changed from insecure to secure using a dynamic +DNS update. :iscman:`named` must be configured so that it can see the ``K*`` +files which contain the public and private parts of the `zone keys`_ that are +used to sign the zone. 
Key files should be placed in the ``key-directory``, as +specified in :iscman:`named.conf`: + +:: + + zone update.example { + type primary; + update-policy local; + auto-dnssec allow; + file "dynamic/update.example.db"; + key-directory "keys/update.example/"; + }; + +If there are both a KSK and a ZSK available (or a CSK), this configuration causes the +zone to be signed. An ``NSEC`` chain is generated as part of the initial signing +process. + +In any secure zone which supports dynamic updates, :iscman:`named` periodically +re-signs RRsets which have not been re-signed as a result of some update action. +The signature lifetimes are adjusted to spread the re-sign load over time rather +than all at once. + +.. _dnssec_dynamic_zones_publishing_dnskey_records: + +Publishing DNSKEY Records +========================= + +To insert the keys via dynamic update: + +:: + + % nsupdate + > ttl 3600 + > update add update.example DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add update.example DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > send + +In order to sign with these keys, the corresponding key files should also be +placed in the ``key-directory``. + +.. _dnssec_dynamic_zones_nsec3: + +NSEC3 +===== + +To sign using :ref:`NSEC3 ` instead of :ref:`NSEC +`, add an NSEC3PARAM record to the initial update +request. The :term:`OPTOUT ` bit in the NSEC3 +chain can be set in the flags field of the +NSEC3PARAM record. 
+ +:: + + % nsupdate + > ttl 3600 + > update add update.example DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= + > update add update.example DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= + > update add update.example NSEC3PARAM 1 0 0 - + > send + +Note that the ``NSEC3PARAM`` record does not show up until :iscman:`named` has +had a chance to build/remove the relevant chain. A private type record is +created to record the state of the operation (see below for more details), and +is removed once the operation completes. + +The ``NSEC3`` chain is generated and the ``NSEC3PARAM`` record is added before +the ``NSEC`` chain is destroyed. + +While the initial signing and ``NSEC``/``NSEC3`` chain generation are occurring, +other updates are possible as well. + +A new ``NSEC3PARAM`` record can be added via dynamic update. When the new +``NSEC3`` chain has been generated, the ``NSEC3PARAM`` flag field is set to +zero. At that point, the old ``NSEC3PARAM`` record can be removed. The old +chain is removed after the update request completes. + +:iscman:`named` only supports creating new ``NSEC3`` chains where all the +``NSEC3`` records in the zone have the same ``OPTOUT`` state. :iscman:`named` +supports updates to zones where the ``NSEC3`` records in the chain have mixed +``OPTOUT`` state. :iscman:`named` does not support changing the ``OPTOUT`` +state of an individual ``NSEC3`` record; if the ``OPTOUT`` state of an +individual ``NSEC3`` needs to be changed, the entire chain must be changed. + +To switch back to ``NSEC``, use :iscman:`nsupdate` to remove any ``NSEC3PARAM`` +records. The ``NSEC`` chain is generated before the ``NSEC3`` chain is removed. + +.. 
_dnssec_dynamic_zones_dnskey_rollovers: + +DNSKEY Rollovers +================ + +To perform key rollovers via a dynamic update, the ``K*`` files for the new keys +must be added so that :iscman:`named` can find them. The new ``DNSKEY`` RRs can +then be added via dynamic update. When the zones are being signed, they are +signed with the new key set; when the signing is complete, the private type +records are updated so that the last octet is non-zero. + +If this is for a KSK, the parent and any trust anchor repositories of the new +KSK must be informed. + +The maximum TTL in the zone must expire before removing the old ``DNSKEY``. If +it is a KSK that is being updated, the DS RRset in the parent must also be +updated and its TTL allowed to expire. This ensures that all clients are able to +verify at least one signature when the old ``DNSKEY`` is removed. + +The old ``DNSKEY`` can be removed via ``UPDATE``, taking care to specify the +correct key. :iscman:`named` cleans out any signatures generated by the old +key after the update completes. + +.. _dnssec_dynamic_zones_going_insecure: + +Going Insecure +============== + +To convert a signed zone to unsigned using dynamic DNS, delete all the +``DNSKEY`` records from the zone apex using :iscman:`nsupdate`. All signatures, +``NSEC`` or ``NSEC3`` chains, and associated ``NSEC3PARAM`` records are removed +automatically when the zone is supposed to be re-signed. + +This requires the ``dnssec-secure-to-insecure`` option to be set to ``yes`` in +:iscman:`named.conf`. + +In addition, if the ``auto-dnssec maintain`` or a ``dnssec-policy`` is used, it +should be removed or changed to ``allow`` instead; otherwise it will re-sign. + +.. _dnssec_tools: + +Manual Signing +^^^^^^^^^^^^^^ + +There are several tools available to manually sign a zone. + +.. warning:: + + Please note manual procedures are available mainly for backwards + compatibility and should be used only by expert users with specific needs. 
+ +To set up a DNSSEC secure zone manually, a series of steps +must be followed. Please see chapter +:ref:`advanced_discussions_manual_key_management_and_signing` in the +:doc:`dnssec-guide` for more information. + +Monitoring with Private Type Records +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The state of the signing process is signaled by private type records (with a +default type value of 65534). When signing is complete, those records with a +non-zero initial octet have a non-zero value for the final octet. + +If the first octet of a private type record is non-zero, the record indicates +either that the zone needs to be signed with the key matching the record, or +that all signatures that match the record should be removed. Here are the +meanings of the different values of the first octet: + + - algorithm (octet 1) + + - key ID in network order (octet 2 and 3) + + - removal flag (octet 4) + + - complete flag (octet 5) + +Only records flagged as "complete" can be removed via dynamic update; attempts +to remove other private type records are silently ignored. + +If the first octet is zero (this is a reserved algorithm number that should +never appear in a ``DNSKEY`` record), the record indicates that changes to the +``NSEC3`` chains are in progress. The rest of the record contains an +``NSEC3PARAM`` record, while the flag field tells what operation to perform +based on the flag bits: + + 0x01 OPTOUT + + 0x80 CREATE + + 0x40 REMOVE + + 0x20 NONSEC + +.. _secure_delegation: + +Secure Delegation +~~~~~~~~~~~~~~~~~ + +Once a zone is signed on the authoritative servers, the last remaining step +is to establish chain of trust [#validation]_ between the parent zone +(``example.``) and the local zone (``dnssec.example.``). + +Generally the procedure is: + + - **Wait** for stale data to expire from caches. The amount of time required + is equal to the maximum TTL value used in the zone before signing. 
This + step ensures that unsigned data expire from caches and resolvers do not get + confused by missing signatures. + - Insert/update DS records in the parent zone (``dnssec.example. DS`` record). + +There are multiple ways to update DS records in the parent zone. Refer to the +documentation for the parent zone to find out which options are applicable to +a given case zone. Generally the options are, from most- to least-recommended: + + - Automatically update the DS record in the parent zone using + ``CDS``/``CDNSKEY`` records automatically generated by BIND. This requires + support for :rfc:`7344` in either parent zone, registry, or registrar. In + that case, configure BIND to :ref:`monitor DS records in the parent + zone ` and everything will happen automatically at the right + time. + - Query the zone for automatically generated ``CDS`` or ``CDNSKEY`` records using + :iscman:`dig`, and then insert these records into the parent zone using + the method specified by the parent zone (web form, e-mail, API, ...). + - Generate DS records manually using the :iscman:`dnssec-dsfromkey` utility on + `zone keys`_, and then insert them into the parent zone. + +.. [#validation] For further details on how the chain of trust is used in practice, see + :ref:`dnssec_12_steps` in the :doc:`dnssec-guide`. + + + +DNSSEC Validation +~~~~~~~~~~~~~~~~~ + +The BIND resolver validates answers from authoritative servers by default. This +behavior is controlled by the configuration statement :ref:`dnssec-validation +`. + +By default a trust anchor for the DNS root zone is used. +This trust anchor is provided as part of BIND and is kept up-to-date using +:ref:`rfc5011.support`. + +.. note:: + DNSSEC validation works "out of the box" and does not require + additional configuration. Additional configuration options are intended only + for special cases. + +To validate answers, the resolver needs at least one trusted starting point, +a "trust anchor." 
Essentially, trust anchors are copies of ``DNSKEY`` RRs for +zones that are used to form the first link in the cryptographic chain of trust. +Alternative trust anchors can be specified using :ref:`trust_anchors`, but +this setup is very unusual and is recommended only for expert use. +For more information, see :ref:`trust_anchors_description` in the +:doc:`dnssec-guide`. + +The BIND authoritative server does not verify signatures on load, so zone keys +for authoritative zones do not need to be specified in the configuration +file. + +Validation Failures +^^^^^^^^^^^^^^^^^^^ + +When DNSSEC validation is configured, the resolver rejects any answers from +signed, secure zones which fail to validate, and returns SERVFAIL to the +client. + +Responses may fail to validate for any of several reasons, including +missing, expired, or invalid signatures; a key which does not match the +DS RRset in the parent zone; or an insecure response from a zone which, +according to its parent, should have been secure. + +For more information see :ref:`dnssec_troubleshooting`. + +Coexistence With Unsigned (Insecure) Zones +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Zones not protected by DNSSEC are called "insecure," and these zones seamlessly +coexist with signed zones. + +When the validator receives a response from an unsigned zone that has +a signed parent, it must confirm with the parent that the zone was +intentionally left unsigned. It does this by verifying, via signed +and validated :ref:`NSEC/NSEC3 records +`, that the parent zone contains no +DS records for the child. + +If the validator *can* prove that the zone is insecure, then the +response is accepted. However, if it cannot, the validator must assume an +insecure response to be a forgery; it rejects the response and logs +an error. + +The logged error reads "insecurity proof failed" and "got insecure +response; parent indicates it should be secure." 
diff -Nru bind9-9.16.27/doc/arm/dnssec.rst bind9-9.16.33/doc/arm/dnssec.rst
--- bind9-9.16.27/doc/arm/dnssec.rst 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/doc/arm/dnssec.rst 1970-01-01 00:00:00.000000000 +0000
@@ -1,290 +0,0 @@ -.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") -.. -.. SPDX-License-Identifier: MPL-2.0 -.. -.. This Source Code Form is subject to the terms of the Mozilla Public -.. License, v. 2.0. If a copy of the MPL was not distributed with this -.. file, you can obtain one at https://mozilla.org/MPL/2.0/. -.. -.. See the COPYRIGHT file distributed with this work for additional -.. information regarding copyright ownership. - -.. _dnssec.dynamic.zones: - -DNSSEC, Dynamic Zones, and Automatic Signing --------------------------------------------- - -Converting From Insecure to Secure -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -A zone can be changed from insecure to secure in three ways: using a -dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a -DNSSEC policy for the zone with ``dnssec-policy``. - -For any method, ``named`` must be configured so that it can see -the ``K*`` files which contain the public and private parts of the keys -that are used to sign the zone. These files are generated -by ``dnssec-keygen``, or created when needed by ``named`` if -``dnssec-policy`` is used. Keys should be placed in the -key-directory, as specified in ``named.conf``: - -:: - - zone example.net { - type primary; - update-policy local; - file "dynamic/example.net/example.net"; - key-directory "dynamic/example.net"; - }; - -If one KSK and one ZSK DNSKEY key have been generated, this -configuration causes all records in the zone to be signed with the -ZSK, and the DNSKEY RRset to be signed with the KSK. An NSEC -chain is generated as part of the initial signing process. - -With ``dnssec-policy``, it is possible to specify which keys should be -KSK and/or ZSK. To sign all records with a key, a CSK must be specified. 
-For example: - -:: - - dnssec-policy csk { - keys { - csk lifetime unlimited algorithm 13; - }; - }; - -Dynamic DNS Update Method -~~~~~~~~~~~~~~~~~~~~~~~~~ - -To insert the keys via dynamic update: - -:: - - % nsupdate - > ttl 3600 - > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= - > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= - > send - -While the update request completes almost immediately, the zone is -not completely signed until ``named`` has had time to "walk" the zone -and generate the NSEC and RRSIG records. The NSEC record at the apex -is added last, to signal that there is a complete NSEC chain. - -To sign using NSEC3 instead of NSEC, add an -NSEC3PARAM record to the initial update request. The OPTOUT bit in the NSEC3 -chain can be set in the flags field of the -NSEC3PARAM record. - -:: - - % nsupdate - > ttl 3600 - > update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8= - > update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk= - > update add example.net NSEC3PARAM 1 1 100 1234567890 - > send - -Again, this update request completes almost immediately; however, -the record does not show up until ``named`` has had a chance to -build/remove the relevant chain. A private type record is created -to record the state of the operation (see below for more details), and -is removed once the operation completes. - -While the initial signing and NSEC/NSEC3 chain generation is happening, -other updates are possible as well. - -Fully Automatic Zone Signing -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To enable automatic signing, set a ``dnssec-policy`` or add the -``auto-dnssec`` option to the zone statement in ``named.conf``. 
-``auto-dnssec`` has two possible arguments: ``allow`` or ``maintain``. - -With ``auto-dnssec allow``, ``named`` can search the key directory for -keys matching the zone, insert them into the zone, and use them to sign -the zone. It does so only when it receives an -``rndc sign ``. - -``auto-dnssec maintain`` includes the above functionality, but also -automatically adjusts the zone's DNSKEY records on a schedule according to -the keys' timing metadata. (See :ref:`man_dnssec-keygen` and -:ref:`man_dnssec-settime` for more information.) - -``dnssec-policy`` is similar to ``auto-dnssec maintain``, but -``dnssec-policy`` also automatically creates new keys when necessary. In -addition, any configuration related to DNSSEC signing is retrieved from the -policy, ignoring existing DNSSEC ``named.conf`` options. - -``named`` periodically searches the key directory for keys matching -the zone; if the keys' metadata indicates that any change should be -made to the zone - such as adding, removing, or revoking a key - then that -action is carried out. By default, the key directory is checked for -changes every 60 minutes; this period can be adjusted with -``dnssec-loadkeys-interval``, up to a maximum of 24 hours. The -``rndc loadkeys`` command forces ``named`` to check for key updates immediately. - -If keys are present in the key directory the first time the zone is -loaded, the zone is signed immediately, without waiting for an -``rndc sign`` or ``rndc loadkeys`` command. Those commands can still be -used when there are unscheduled key changes. - -When new keys are added to a zone, the TTL is set to match that of any -existing DNSKEY RRset. If there is no existing DNSKEY RRset, the -TTL is set to the TTL specified when the key was created (using the -``dnssec-keygen -L`` option), if any, or to the SOA TTL. - -To sign the zone using NSEC3 instead of NSEC, submit an -NSEC3PARAM record via dynamic update prior to the scheduled publication -and activation of the keys. 
The OPTOUT bit for the NSEC3 chain can be set -in the flags field of the NSEC3PARAM record. The -NSEC3PARAM record does not appear in the zone immediately, but it is -stored for later reference. When the zone is signed and the NSEC3 -chain is completed, the NSEC3PARAM record appears in the zone. - -Using the ``auto-dnssec`` option requires the zone to be configured to -allow dynamic updates, by adding an ``allow-update`` or -``update-policy`` statement to the zone configuration. If this has not -been done, the configuration fails. - -Private Type Records -~~~~~~~~~~~~~~~~~~~~ - -The state of the signing process is signaled by private type records -(with a default type value of 65534). When signing is complete, those -records with a non-zero initial octet have a non-zero value for the final octet. - -If the first octet of a private type record is non-zero, the -record indicates either that the zone needs to be signed with the key matching -the record, or that all signatures that match the record should be -removed. Here are the meanings of the different values of the first octet: - - - algorithm (octet 1) - - - key id in network order (octet 2 and 3) - - - removal flag (octet 4) - - - complete flag (octet 5) - -Only records flagged as "complete" can be removed via dynamic update; attempts -to remove other private type records are silently ignored. - -If the first octet is zero (this is a reserved algorithm number that -should never appear in a DNSKEY record), the record indicates that -changes to the NSEC3 chains are in progress. The rest of the record -contains an NSEC3PARAM record, while the flag field tells what operation to -perform based on the flag bits: - - 0x01 OPTOUT - - 0x80 CREATE - - 0x40 REMOVE - - 0x20 NONSEC - -DNSKEY Rollovers -~~~~~~~~~~~~~~~~ - -As with insecure-to-secure conversions, DNSSEC keyrolls can be done -in two ways: using a dynamic DNS update, or via the ``auto-dnssec`` zone -option. 
- -Dynamic DNS Update Method -~~~~~~~~~~~~~~~~~~~~~~~~~ - -To perform key rollovers via a dynamic update, the ``K*`` -files for the new keys must be added so that ``named`` can find them. -The new DNSKEY RRs can then be added via dynamic update. ``named`` then causes the -zone to be signed with the new keys; when the signing is complete, the -private type records are updated so that the last octet is non-zero. - -If this is for a KSK, the parent and any trust anchor -repositories of the new KSK must be informed. - -The maximum TTL in the zone must expire before removing the -old DNSKEY. If it is a KSK that is being updated, -the DS RRset in the parent must also be updated and its TTL allowed to expire. This -ensures that all clients are able to verify at least one signature -when the old DNSKEY is removed. - -The old DNSKEY can be removed via UPDATE, taking care to specify the -correct key. ``named`` cleans out any signatures generated by the -old key after the update completes. - -Automatic Key Rollovers -~~~~~~~~~~~~~~~~~~~~~~~ - -When a new key reaches its activation date (as set by ``dnssec-keygen`` -or ``dnssec-settime``), and if the ``auto-dnssec`` zone option is set to -``maintain``, ``named`` automatically carries out the key rollover. -If the key's algorithm has not previously been used to sign the zone, -then the zone is fully signed as quickly as possible. However, if -the new key replaces an existing key of the same algorithm, the -zone is re-signed incrementally, with signatures from the old key -replaced with signatures from the new key as their signature -validity periods expire. By default, this rollover completes in 30 days, -after which it is safe to remove the old key from the DNSKEY RRset. - -NSEC3PARAM Rollovers via UPDATE -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The new NSEC3PARAM record can be added via dynamic update. When the new NSEC3 -chain has been generated, the NSEC3PARAM flag field is set to zero. 
At -that point, the old NSEC3PARAM record can be removed. The old chain is -removed after the update request completes. - -Converting From NSEC to NSEC3 -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Add a ``nsec3param`` option to your ``dnssec-policy`` and -run ``rndc reconfig``. - -Or use ``nsupdate`` to add an NSEC3PARAM record. - -In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is -added before the NSEC chain is destroyed. - -Converting From NSEC3 to NSEC -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and -run ``rndc reconfig``. - -Or use ``nsupdate`` to remove all NSEC3PARAM records with a -zero flag field. The NSEC chain is generated before the NSEC3 chain -is removed. - -Converting From Secure to Insecure -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To convert a signed zone to unsigned using dynamic DNS, delete all the -DNSKEY records from the zone apex using ``nsupdate``. All signatures, -NSEC or NSEC3 chains, and associated NSEC3PARAM records are removed -automatically. This takes place after the update request completes. - -This requires the ``dnssec-secure-to-insecure`` option to be set to -``yes`` in ``named.conf``. - -In addition, if the ``auto-dnssec maintain`` zone statement is used, it -should be removed or changed to ``allow`` instead; otherwise it will re-sign. - -Periodic Re-signing -~~~~~~~~~~~~~~~~~~~ - -In any secure zone which supports dynamic updates, ``named`` -periodically re-signs RRsets which have not been re-signed as a result of -some update action. The signature lifetimes are adjusted to -spread the re-sign load over time rather than all at once. - -NSEC3 and OPTOUT -~~~~~~~~~~~~~~~~ - -``named`` only supports creating new NSEC3 chains where all the NSEC3 -records in the zone have the same OPTOUT state. ``named`` supports -UPDATES to zones where the NSEC3 records in the chain have mixed OPTOUT -state. 
``named`` does not support changing the OPTOUT state of an -individual NSEC3 record; if the -OPTOUT state of an individual NSEC3 needs to be changed, the entire chain must be changed. diff -Nru bind9-9.16.27/doc/arm/index.rst bind9-9.16.33/doc/arm/index.rst --- bind9-9.16.27/doc/arm/index.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/index.rst 2022-09-08 13:01:23.000000000 +0000 @@ -21,6 +21,7 @@ requirements configuration reference + dnssec.inc advanced security troubleshooting diff -Nru bind9-9.16.27/doc/arm/manpages.rst bind9-9.16.33/doc/arm/manpages.rst --- bind9-9.16.27/doc/arm/manpages.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/manpages.rst 2022-09-08 13:01:23.000000000 +0000 @@ -36,6 +36,7 @@ .. include:: ../../bin/tools/mdig.rst .. include:: ../../bin/check/named-checkconf.rst .. include:: ../../bin/check/named-checkzone.rst +.. include:: ../../bin/check/named-compilezone.rst .. include:: ../../bin/tools/named-journalprint.rst .. include:: ../../bin/tools/named-nzd2nzf.rst .. include:: ../../bin/tools/named-rrchecker.rst @@ -51,3 +52,4 @@ .. include:: ../../bin/confgen/rndc-confgen.rst .. include:: ../../bin/rndc/rndc.conf.rst .. include:: ../../bin/rndc/rndc.rst +.. include:: ../../bin/confgen/tsig-keygen.rst diff -Nru bind9-9.16.27/doc/arm/notes.rst bind9-9.16.33/doc/arm/notes.rst --- bind9-9.16.27/doc/arm/notes.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/notes.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -44,6 +44,12 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. +.. include:: ../notes/notes-9.16.33.rst +.. include:: ../notes/notes-9.16.32.rst +.. include:: ../notes/notes-9.16.31.rst +.. include:: ../notes/notes-9.16.30.rst +.. include:: ../notes/notes-9.16.29.rst +.. include:: ../notes/notes-9.16.28.rst .. include:: ../notes/notes-9.16.27.rst .. include:: ../notes/notes-9.16.26.rst .. include:: ../notes/notes-9.16.25.rst diff -Nru bind9-9.16.27/doc/arm/platforms.rst bind9-9.16.33/doc/arm/platforms.rst --- bind9-9.16.27/doc/arm/platforms.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/platforms.rst 2022-09-08 13:01:23.000000000 +0000 @@ -42,16 +42,16 @@ Regularly tested platforms ~~~~~~~~~~~~~~~~~~~~~~~~~~ -As of Dec 2021, BIND 9.16 is fully supported and regularly tested on the +As of August 2022, BIND 9.16 is fully supported and regularly tested on the following systems: -- Debian 9, 10, 11 -- Ubuntu LTS 18.04, 20.04 +- Debian 10, 11 +- Ubuntu LTS 18.04, 20.04, 22.04 - Fedora 35 - Red Hat Enterprise Linux / CentOS / Oracle Linux 7, 8 -- FreeBSD 12.3, 13.0 -- OpenBSD 7.0 -- Alpine Linux 3.15 +- FreeBSD 12.3, 13.1 +- OpenBSD 7.1 +- Alpine Linux 3.16 The amd64, i386, armhf and arm64 CPU architectures are all fully supported. @@ -94,7 +94,7 @@ - Ubuntu 14.04, 16.04 (Ubuntu ESM releases are not supported) - CentOS 6 - - Debian Jessie + - Debian 8 Jessie, 9 Stretch - FreeBSD 10.x, 11.x Unsupported Platforms diff -Nru bind9-9.16.27/doc/arm/reference.rst bind9-9.16.33/doc/arm/reference.rst --- bind9-9.16.27/doc/arm/reference.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/reference.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -1516,11 +1516,15 @@ cannot be longer than a week. ``max-zone-ttl`` - This specifies a maximum permissible TTL value in seconds. For - convenience, TTL-style time-unit suffixes may be used to specify the - maximum value. When loading a zone file using a ``masterfile-format`` - of ``text`` or ``raw``, any record encountered with a TTL higher than - ``max-zone-ttl`` causes the zone to be rejected. + + This should now be configured as part of ``dnssec-policy``. + Use of this option in ``options``, ``view`` and ``zone`` blocks has no + effect on any zone for which a ``dnssec-policy`` has also been configured. + + ``max-zone-ttl`` specifies a maximum permissible TTL value in seconds. + For convenience, TTL-style time-unit suffixes may be used to specify the + maximum value. When a zone file is loaded, any record encountered with a + TTL higher than ``max-zone-ttl`` causes the zone to be rejected. This is useful in DNSSEC-signed zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG records @@ -1530,8 +1534,8 @@ (Note: because ``map``-format files load directly into memory, this option cannot be used with them.) - The default value is ``unlimited``. A ``max-zone-ttl`` of zero is - treated as ``unlimited``. + The default value is ``unlimited``. Setting ``max-zone-ttl`` to zero is + equivalent to ``unlimited``. ``stale-answer-ttl`` This specifies the TTL to be returned on stale answers. The default is 30 
@@ -1691,6 +1695,28 @@ If ``yes``, respond to root key sentinel probes as described in draft-ietf-dnsop-kskroll-sentinel-08. The default is ``yes``. +``reuseport`` + This option enables kernel load-balancing of sockets on systems which support + it, including Linux (SO_REUSEPORT) and FreeBSD (SO_REUSEPORT_LB). This + instructs the kernel to distribute incoming socket connections among the + networking threads based on a hashing scheme. For more information, see the + receive network flow classification options (``rx-flow-hash``) section in the + ``ethtool`` manual page. The default is ``yes``. + + Enabling ``reuseport`` significantly increases general throughput when + incoming traffic is distributed uniformly onto the threads by the + operating system. However, in cases where a worker thread is busy with a + long-lasting operation, such as processing a Response Policy Zone (RPZ) or + Catalog Zone update or an unusually large zone transfer, incoming traffic + that hashes onto that thread may be delayed. On servers where these events + occur frequently, it may be preferable to disable socket load-balancing so + that other threads can pick up the traffic that would have been sent to the + busy thread. + + Note: this option can only be set when ``named`` first starts. + Changes will not take effect during reconfiguration; the server + must be restarted. + ``message-compression`` If ``yes``, DNS name compression is used in responses to regular queries (not including AXFR or IXFR, which always use compression). @@ -2040,6 +2066,9 @@ This option may only be activated at the zone level; if configured at the view or options level, it must be set to ``off``. + The DNSSEC records are written to the zone's filename set in ``file``, + unless ``inline-signing`` is enabled. + ``dnssec-enable`` This option is obsolete and has no effect. 
@@ -2049,7 +2078,9 @@ This option enables DNSSEC validation in ``named``. If set to ``auto``, DNSSEC validation is enabled and a default trust - anchor for the DNS root zone is used. + anchor for the DNS root zone is used. This trust anchor is provided + as part of BIND and is kept up-to-date using :ref:`rfc5011.support` key + management. If set to ``yes``, DNSSEC validation is enabled, but a trust anchor must be manually configured using a ``trust-anchors`` statement (or the @@ -2385,6 +2416,8 @@ and inherited by zones, this could lead to some zones unintentionally allowing updates. + Updates are written to the zone's filename that is set in ``file``. + ``allow-update-forwarding`` When set in the ``zone`` statement for a secondary zone, this specifies which hosts are allowed to submit Dynamic DNS updates and have them be @@ -2602,9 +2635,6 @@ UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. -.. note:: Solaris 2.5.1 and earlier does not support setting the source address - for TCP sockets. - .. warning:: Specifying a single port is discouraged, as it removes a layer of protection against spoofing errors. @@ -2745,9 +2775,6 @@ ``transfer-source`` statement within the ``view`` or ``zone`` block in the configuration file. - .. note:: Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. - .. warning:: Specifying a single port is discouraged, as it removes a layer of protection against spoofing errors. @@ -2783,9 +2810,6 @@ or per-view basis by including a ``notify-source`` statement within the ``zone`` or ``view`` block in the configuration file. - .. note:: Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. - .. warning:: Specifying a single port is discouraged, as it removes a layer of protection against spoofing errors. 
@@ -4328,18 +4352,20 @@ All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with -``responses-per-second`` (default 0 or no limit). All empty (NODATA) -responses for a valid domain, regardless of query type, are identical. -Responses in the NODATA class are limited by ``nodata-per-second`` -(default ``responses-per-second``). Requests for any and all undefined -subdomains of a given valid domain result in NXDOMAIN errors, and are -identical regardless of query type. They are limited by -``nxdomains-per-second`` (default ``responses-per-second``). This -controls some attacks using random names, but can be relaxed or turned -off (set to 0) on servers that expect many legitimate NXDOMAIN -responses, such as from anti-spam rejection lists. Referrals or delegations -to the server of a given domain are identical and are limited by -``referrals-per-second`` (default ``responses-per-second``). +``responses-per-second`` (default 0 or no limit). All valid wildcard +domain names are interpreted as the zone's origin name concatenated to +the "*" name. All empty (NODATA) responses for a valid domain, +regardless of query type, are identical. Responses in the NODATA class +are limited by ``nodata-per-second`` (default ``responses-per-second``). +Requests for any and all undefined subdomains of a given valid domain +result in NXDOMAIN errors, and are identical regardless of query type. +They are limited by ``nxdomains-per-second`` (default +``responses-per-second``). This controls some attacks using random +names, but can be relaxed or turned off (set to 0) on servers that +expect many legitimate NXDOMAIN responses, such as from anti-spam +rejection lists. Referrals or delegations to the server of a given +domain are identical and are limited by ``referrals-per-second`` +(default ``responses-per-second``). 
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using @@ -4878,6 +4904,13 @@ to a zone, add a ``dnssec-policy`` option to the ``zone`` statement, specifying the name of the policy that should be used. +By default, ``dnssec-policy`` assumes ``inline-signing``. This means that +a signed version of the zone is maintained separately and is written out to +a different file on disk (the zone's filename plus a ``.signed`` extension). + +If the zone is dynamic because it is configured with an ``update-policy`` or +``allow-update``, the DNSSEC records are written to the filename set in the original zone's ``file``, unless ``inline-signing`` is explicitly set. + Key rollover timing is computed for each key according to the key lifetime defined in the KASP. The lifetime may be modified by zone TTLs and propagation delays, to prevent validation failures. When a key 
@@ -5013,20 +5046,22 @@ The default is ``P2W`` (2 weeks). ``max-zone-ttl`` - Like the ``max-zone-ttl`` zone option, this specifies the maximum - permissible TTL value, in seconds, for the zone. - This is needed in DNSSEC-maintained zones because when rolling to a - new DNSKEY, the old key needs to remain available until RRSIG - records have expired from caches. The ``max-zone-ttl`` option - guarantees that the largest TTL in the zone is no higher than the - set value. + This specifies the maximum permissible TTL value for the zone. When + a zone file is loaded, any record encountered with a TTL higher than + ``max-zone-ttl`` causes the zone to be rejected. + + This ensures that when rolling to a new DNSKEY, the old key will remain + available until RRSIG records have expired from caches. The + ``max-zone-ttl`` option guarantees that the largest TTL in the + zone is no higher than a known and predictable value. .. note:: Because ``map``-format files load directly into memory, this option cannot be used with them. - The default value is ``PT24H`` (24 hours). A ``max-zone-ttl`` of - zero is treated as if the default value were in use. + The default value ``PT24H`` (24 hours). A value of zero is treated + as if the default value were in use. + ``nsec3param`` Use NSEC3 instead of NSEC, and optionally set the NSEC3 parameters. 
@@ -5037,11 +5072,17 @@ nsec3param iterations 5 optout no salt-length 8; - The default is to use NSEC. The ``iterations``, ``optout`` and + The default is to use NSEC. The ``iterations``, ``optout``, and ``salt-length`` parts are optional, but if not set, the values in - the example above are the default NSEC3 parameters. Note that you don't - specify a specific salt string, ``named`` will create a salt for you - of the provided salt length. + the example above are the default NSEC3 parameters. Note that the + specific salt string is not specified by the user; :iscman:`named` creates a salt + of the indicated length. + + .. warning:: + Do not use extra :term:`iterations`, :term:`salt`, and + :term:`opt-out` unless their implications are fully understood. + A higher number of iterations causes interoperability problems and opens + servers to CPU-exhausting DoS attacks. ``zone-propagation-delay`` This is the expected propagation delay from the time when a zone is 
@@ -5074,16 +5115,11 @@ The following options apply to DS queries sent to ``parental-agents``: ``parental-source`` - ``parental-source`` determines which local source address, and - optionally UDP port, is used to send parental DS queries. This - address must appear in the secondary server's ``parental-agents`` zone - clause. This statement sets the ``parental-source`` for all zones, but can - be overridden on a per-zone or per-view basis by including a - ``parental-source`` statement within the ``zone`` or ``view`` block in the - configuration file. - - .. note:: Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. + ``parental-source`` determines which local source address, and optionally + UDP port, is used to send parental DS queries. This statement sets the + ``parental-source`` for all zones, but can be overridden on a per-zone or + per-view basis by including a ``parental-source`` statement within the + ``zone`` or ``view`` block in the configuration file. .. warning:: Specifying a single port is discouraged, as it removes a layer of protection against spoofing errors. @@ -5755,10 +5791,12 @@ See the description of ``serial-update-method`` in :ref:`options`. ``inline-signing`` - If ``yes``, this enables "bump in the wire" signing of a zone, where - an unsigned zone is transferred in or loaded from disk and a signed + If ``yes``, BIND 9 maintains a separate signed version of the zone. + An unsigned zone is transferred in or loaded from disk and the signed version of the zone is served with, possibly, a different serial - number. This behavior is disabled by default. + number. The signed version of the zone is stored in a file that is + the zone's filename (set in ``file``) with a ``.signed`` extension. + This behavior is disabled by default. ``multi-master`` See the description of ``multi-master`` in :ref:`boolean_options`. 
@@ -5778,8 +5816,21 @@ ^^^^^^^^^^^^^^^^^^^^^^^ BIND 9 supports two methods of granting clients the right to -perform dynamic updates to a zone, configured by the ``allow-update`` -or ``update-policy`` options. +perform dynamic updates to a zone: + +- ``allow-update`` - a simple access control list +- ``update-policy`` - fine-grained access control + +In both cases, BIND 9 writes the updates to the zone's filename +set in ``file``. + +In the case of a DNSSEC zone, DNSSEC records are also written to +the zone's filename, unless ``inline-signing`` is enabled. + + .. note:: The zone file can no longer be manually updated while ``named`` + is running; it is now necessary to perform :option:`rndc freeze`, edit, + and then perform :option:`rndc thaw`. Comments and formatting + in the zone file are lost when dynamic updates occur. The ``allow-update`` clause is a simple access control list. Any client that matches the ACL is granted permission to update any record in the 
@@ -6339,12 +6390,76 @@ BIND Primary File Extension: the ``$GENERATE`` Directive ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Syntax: ``$GENERATE`` range lhs [ttl] [class] type rhs [comment] +Syntax: ``$GENERATE`` range owner [ttl] [class] type rdata [comment] ``$GENERATE`` is used to create a series of resource records that only -differ from each other by an iterator. ``$GENERATE`` can be used to -easily generate the sets of records required to support sub-/24 reverse -delegations described in :rfc:`2317`. +differ from each other by an iterator. + +``range`` + This can be one of two forms: start-stop or start-stop/step. + If the first form is used, then step is set to 1. "start", + "stop", and "step" must be positive integers between 0 and + (2^31)-1. "start" must not be larger than "stop". + +``owner`` + This describes the owner name of the resource records to be created. + + The ``owner`` string may include one or more ``$`` (dollar sign) + symbols, which will be replaced with the iterator value when + generating records; see below for details. + +``ttl`` + This specifies the time-to-live of the generated records. If + not specified, this is inherited using the normal TTL inheritance + rules. + + ``class`` and ``ttl`` can be entered in either order. + +``class`` + This specifies the class of the generated records. This must + match the zone class if it is specified. + + ``class`` and ``ttl`` can be entered in either order. + +``type`` + This can be any valid type. + +``rdata`` + This is a string containing the RDATA of the resource record + to be created. As with ``owner``, the ``rdata`` string may + include one or more ``$`` symbols, which are replaced with the + iterator value. ``rdata`` may be quoted if there are spaces in + the string; the quotation marks do not appear in the generated + record. + + Any single ``$`` (dollar sign) symbols within the ``owner`` or + ``rdata`` strings are replaced by the iterator value. 
To get a ``$`` + in the output, escape the ``$`` using a backslash ``\\``, e.g., + ``\$``. (For compatibility with earlier versions, ``$$`` is also + recognized as indicating a literal ``$`` in the output.) + + The ``$`` may optionally be followed by modifiers which change + the offset from the iterator, field width, and base. Modifiers + are introduced by a ``{`` (left brace) immediately following + the ``$``, as in ``${offset[,width[,base]]}``. For example, + ``${-20,3,d}`` subtracts 20 from the current value and prints + the result as a decimal in a zero-padded field of width 3. + Available output forms are decimal (``d``), octal (``o``), + hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` + or ``N`` for uppercase). The modfiier cannot contain whitespace + or newlines. + + The default modifier is ``${0,0,d}``. If the ``owner`` is not + absolute, the current ``$ORIGIN`` is appended to the name. + + In nibble mode, the value is treated as if it were a reversed + hexadecimal string, with each hexadecimal digit as a separate + label. The width field includes the label separator. + +Examples: + +``$GENERATE`` can be used to easily generate the sets of records required +to support sub-/24 reverse delegations described in :rfc:`2317`: :: @@ -6363,9 +6478,8 @@ ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. -Both generate a set of A and MX records. Note the MX's right-hand side is a -quoted string. The quotes are stripped when the right-hand side is -processed. +This example creates a set of A and MX records. Note the MX's ``rdata`` +is a quoted string; the quotes are stripped when ``$GENERATE`` is processed: :: 
@@ -6387,35 +6501,25 @@ HOST-127.EXAMPLE. A 1.2.3.127 HOST-127.EXAMPLE. MX 0 . -``range`` - This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop". - -``owner`` - This describes the owner name of the resource records to be created. Any single ``$`` (dollar sign) symbols within the ``owner`` string are replaced by the iterator value. To get a ``$`` in the output, escape the ``$`` using a backslash ``\``, e.g., ``\$``. The ``$`` may optionally be followed by modifiers which change the offset from the iterator, field width, and base. - - Modifiers are introduced by a ``{`` (left brace) immediately following the ``$``, as in ``${offset[,width[,base]]}``. For example, ``${-20,3,d}`` subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (``d``), octal (``o``), hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` or ``N`` for uppercase). - The default modifier is ``${0,0,d}``. If the ``owner`` is not absolute, the current ``$ORIGIN`` is appended to the name. +This example generates A and AAAA records using modifiers; the AAAA +``owner`` names are generated using nibble mode: - In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator. - - For compatibility with earlier versions, ``$$`` is still recognized as indicating a literal $ in the output. - -``ttl`` - This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules. - - ``class`` and ``ttl`` can be entered in either order. - -``class`` - This specifies the class of the generated records. This must match the zone class if it is specified. 
+:: - ``class`` and ``ttl`` can be entered in either order. + $ORIGIN EXAMPLE. + $GENERATE 0-2 HOST-${0,4,d} A 1.2.3.${1,0,d} + $GENERATE 1024-1026 ${0,3,n} AAAA 2001:db8::${0,4,x} -``type`` - This can be any valid type. +is equivalent to: -``rdata`` - This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record. +:: + HOST-0000.EXAMPLE. A 1.2.3.1 + HOST-0001.EXAMPLE. A 1.2.3.2 + HOST-0002.EXAMPLE. A 1.2.3.3 + 0.0.4.EXAMPLE. AAAA 2001:db8::400 + 1.0.4.EXAMPLE. AAAA 2001:db8::401 + 2.0.4.EXAMPLE. AAAA 2001:db8::402 The ``$GENERATE`` directive is a BIND extension and not part of the standard zone file format. diff -Nru bind9-9.16.27/doc/arm/requirements.txt bind9-9.16.33/doc/arm/requirements.txt --- bind9-9.16.27/doc/arm/requirements.txt 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/arm/requirements.txt 2022-09-08 13:01:23.000000000 +0000 @@ -1,2 +1,5 @@ -Sphinx>=2 -docutils<0.17 +# Make Read the Docs use the exact same package versions as in +# registry.gitlab.isc.org/isc-projects/images/bind9:debian-bullseye-amd64 +Sphinx==4.5.0 +docutils==0.17.1 +sphinx_rtd_theme==1.0.0 diff -Nru bind9-9.16.27/doc/dnssec-guide/advanced-discussions.rst bind9-9.16.33/doc/dnssec-guide/advanced-discussions.rst --- bind9-9.16.27/doc/dnssec-guide/advanced-discussions.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/advanced-discussions.rst 2022-09-08 13:01:23.000000000 +0000 @@ -101,6 +101,7 @@ look at the first one, NSEC, next. .. _advanced_discussions_nsec: +.. _NSEC: NSEC ^^^^ @@ -124,7 +125,7 @@ :: - example.com. 300 IN NSEC alice.example.com. A RRSIG NSEC + example.com. 300 IN NSEC alice.example.com. A RRSIG NSEC alice.example.com. 300 IN NSEC edward.example.com. A RRSIG NSEC edward.example.com. 300 IN NSEC susan.example.com. A RRSIG NSEC susan.example.com. 300 IN NSEC example.com. A RRSIG NSEC 
@@ -168,13 +169,15 @@ in DNS! Consider using DNS views (split DNS) and only display your sensitive names to a select audience. -The second drawback of NSEC is actually increased operational -overhead: there is no opt-out mechanism for insecure child zones. This generally -is a problem for parent-zone operators dealing with a lot of insecure -child zones, such as ``.com``. To learn more about opt-out, please see -:ref:`advanced_discussions_nsec3_optout`. +The second potential drawback of NSEC is a bigger zone file and memory consumption; +there is no opt-out mechanism for insecure child zones, so each name +in the zone will get an additional NSEC record and a RRSIG record to go with +it. In practice this is a problem only for parent-zone operators dealing with +mostly insecure child zones, such as ``com.``. To learn more about opt-out, +please see :ref:`advanced_discussions_nsec3_optout`. .. _advanced_discussions_nsec3: +.. _nsec3: NSEC3 ^^^^^ @@ -204,7 +207,7 @@ NSEC3 basically runs the names through a one-way hash before giving them out, so the recipients can verify the non-existence without any -knowledge of the actual names. +knowledge of the other names in the zone. So let's tell our little story for the third time, this time with NSEC3. In this version, our intern is not given a list of actual 
@@ -228,99 +231,129 @@ :: - FSK5....example.com. 300 IN NSEC3 1 0 10 1234567890ABCDEF JKMA... A RRSIG - JKMA....example.com. 300 IN NSEC3 1 0 10 1234567890ABCDEF NTQ0... A RRSIG - NTQ0....example.com. 300 IN NSEC3 1 0 10 1234567890ABCDEF FSK5... A RRSIG + FSK5....example.com. 300 IN NSEC3 1 0 0 - JKMA... A RRSIG + JKMA....example.com. 300 IN NSEC3 1 0 0 - NTQ0... A RRSIG + NTQ0....example.com. 300 IN NSEC3 1 0 0 - FSK5... A RRSIG .. note:: Just because we employed one-way hash functions does not mean there is no way for a determined individual to figure out our zone data. - Someone could still gather all of our NSEC3 records and hashed - names and perform an offline brute-force attack by trying all - possible combinations to figure out what the original name is. In our - meat-grinder analogy, this would be like someone - buying all available cuts of meat and grinding them up at home using - the same model of meat grinder, and comparing the output with the meat - you gave him. It is expensive and time-consuming (especially with - real meat), but like everything else in cryptography, if someone has - enough resources and time, nothing is truly private forever. If you - are concerned about someone performing this type of attack on your - zone data, read more about adding salt as described in - :ref:`advanced_discussions_nsec3_salt`. + +Most names published in the DNS are rarely secret or unpredictable. They are +published to be memorable, used and consumed by humans. They are often recorded +in many other network logs such as email logs, certificate transparency logs, +web page links, intrusion detection systems, malware scanners, email archives, +etc. Many times a simple dictionary of commonly used domain-name prefixes +(www, mail, imap, login, database, etc.) can be used to quickly reveal a large +number of labels within a zone. 
Additionally, if an adversary really wants to +expend significant CPU resources to mount an offline dictionary attack on a +zone's NSEC3 chain, they will likely be able to find most of the "guessable" +names despite any level of hashing. + +Also, it is still possible to gather all of our NSEC3 records and hashed +names and perform an offline brute-force attack by trying all +possible combinations to figure out what the original name is. In our +meat-grinder analogy, this would be like someone +buying all available cuts of meat and grinding them up at home using +the same model of meat grinder, and comparing the output with the meat +you gave him. It is expensive and time-consuming (especially with +real meat), but like everything else in cryptography, if someone has +enough resources and time, nothing is truly private forever. If you +are concerned about someone performing this type of attack on your +zone data, use some of the special techniques described in :rfc:`4470`. .. _advanced_discussions_nsec3param: NSEC3PARAM ++++++++++ -The above NSEC3 examples used four parameters: 1, 0, 10, and -1234567890ABCDEF. 1 represents the algorithm, 0 represents the opt-out -flag, 10 represents the number of iterations, and 1234567890ABCDEF is the +.. warning:: + Before we dive into the details of NSEC3 parametrization, please note: + the defaults should not be changed without a strong justification and a full + understanding of the potential impact. + +The above NSEC3 examples used four parameters: 1, 0, 0, and +zero-length salt. 1 represents the algorithm, 0 represents the opt-out +flag, 0 represents the number of additional iterations, and - is the salt. Let's look at how each one can be configured: -- *Algorithm*: The only currently defined value is 1 for SHA-1, so there - is no configuration field for it. +.. glossary:: -- *Opt-out*: Set this to 1 for NSEC3 opt-out, which we - discuss in :ref:`advanced_discussions_nsec3_optout`. 
+ Algorithm + NSEC3 Hashing Algorithm + The only currently defined value is 1 for SHA-1, so there + is no configuration field for it. + + Opt-out + Setting this bit to 1 enables NSEC3 opt-out, which is + discussed in :ref:`advanced_discussions_nsec3_optout`. + + Iterations + Iterations defines the number of _additional_ times to + apply the algorithm when generating an NSEC3 hash. More iterations + consume more resources for both authoritative servers and validating + resolvers. The considerations here are similar to those seen in + :ref:`key_sizes`, of security versus resources. + + .. warning:: + Do not use values higher than zero. A value of zero provides one round + of SHA-1 hashing and protects from non-determined attackers. + + A greater number of additional iterations causes interoperability problems + and opens servers to CPU-exhausting DoS attacks, while providing + only doubtful security benefits. + + Salt + A salt value, which can be combined with an FQDN to influence the + resulting hash. Salt is discussed in more detail in + :ref:`advanced_discussions_nsec3_salt`. -- *Iterations*: Iterations defines the number of additional times to - apply the algorithm when generating an NSEC3 hash. More iterations - yield more secure results, but consume more resources for both - authoritative servers and validating resolvers. The considerations - here are similar to those seen in :ref:`key_sizes`, of - security versus resources. - -- *Salt*: The salt cannot be configured explicitly, but you can provide - a salt length and ``named`` generates a random salt of the given length. - We learn more about salt in :ref:`advanced_discussions_nsec3_salt`. - -If you want to use these NSEC3 parameters for a zone, you can add the -following configuration to your ``dnssec-policy``. For example, to create an -NSEC3 chain using the SHA-1 hash algorithm, with no opt-out flag, -5 iterations, and a salt that is 8 characters long, use: +.. 
_advanced_discussions_nsec3_optout: -:: +NSEC3 Opt-Out ++++++++++++++ - dnssec-policy "nsec3" { - ... - nsec3param iterations 5 optout no salt-length 8; - }; +First things first: For most DNS administrators who do not manage a huge number +of insecure delegations, the NSEC3 opt-out featuere is not relevant. -To set the opt-out flag, 15 iterations, and no salt, use: +Opt-out allows for blocks of unsigned delegations to be covered by a single NSEC3 +record. In other words, use of the opt-out allows large registries to only sign as +many NSEC3 records as there are signed DS or other RRsets in the zone; with +opt-out, unsigned delegations do not require additional NSEC3 records. This +sacrifices the tamper-resistance proof of non-existence offered by NSEC3 in +order to reduce memory and CPU overheads, and decreases the effectiveness of the cache +(:rfc:`8198`). + +Why would that ever be desirable? If a significant number of delegations +are not yet securely delegated, meaning they lack DS records and are still +insecure or unsigned, generating DNSSEC records for all their NS records +might consume lots of memory and is not strictly required by the child zones. + +This resource-saving typically makes a difference only for *huge* zones like ``com.``. +Imagine that you are the operator of busy top-level domains such as ``com.``, +with millions of insecure delegated domain names. +As of mid-2022, around 3% of all ``com.`` zones are signed. Basically, +without opt-out, with 1,000,000 delegations, only 30,000 of which are secure, you +still have to generate NSEC RRsets for the other 970,000 delegations; with +NSEC3 opt-out, you will have saved yourself 970,000 sets of records. + +In contrast, for a small zone the difference is operationally negligible +and the drawbacks outweigh the benefits. 
+ +If NSEC3 opt-out is truly essential for a zone, the following +configuration can be added to ``dnssec-policy``; for example, to create an +NSEC3 chain using the SHA-1 hash algorithm, with the opt-out flag, +no additional iterations, and no extra salt, use: -:: +.. code-block:: none dnssec-policy "nsec3" { ... - nsec3param iterations 15 optout yes salt-length 0; + nsec3param iterations 0 optout yes salt-length 0; }; -.. _advanced_discussions_nsec3_optout: -NSEC3 Opt-Out -+++++++++++++ - -One of the advantages of NSEC3 over NSEC is the ability for a parent zone -to publish less information about its child or delegated zones. Why -would you ever want to do that? If a significant number of your -delegations are not yet DNSSEC-aware, meaning they are still insecure or -unsigned, generating DNSSEC-records for their NS and glue records is not -a good use of your precious name server resources. - -The resources may not seem like a lot, but imagine that you are the -operator of busy top-level domains such as ``.com`` or ``.net``, with -millions of insecure delegated domain names: it quickly -adds up. As of mid-2020, less than 1.5% of all ``.com`` zones are -signed. Basically, without opt-out, with 1,000,000 delegations, -only 5 of which are secure, you still have to generate NSEC RRsets for -the other 999,995 delegations; with NSEC3 opt-out, you will have saved -yourself 999,995 sets of records. - -For most DNS administrators who do not manage a large number of -delegations, the decision whether to use NSEC3 opt-out is -probably not relevant. To learn more about how to configure NSEC3 opt-out, please see :ref:`recipes_nsec3_optout`. 
@@ -330,50 +363,35 @@ NSEC3 Salt ++++++++++ -As described in :ref:`advanced_discussions_nsec3`, while NSEC3 -does not put your zone data in plain public display, it is still not -difficult for an attacker to collect all the hashed names and perform -an offline attack. All that is required is running through all the -combinations to construct a database of plaintext names to hashed names, -also known as a "rainbow table." - -There is one more feature NSEC3 gives us to provide additional -protection: salt. Basically, salt gives us the ability to introduce further -randomness into the hashed results. Whenever the salt is changed, any -pre-computed rainbow table is rendered useless, and a new rainbow table -must be re-computed. If the salt is changed periodically, it -becomes difficult to construct a useful rainbow table, and thus difficult to -walk the DNS zone data programmatically. How often you want to change -your NSEC3 salt is up to you. - -To learn more about the steps to take to change NSEC3, please see -:ref:`recipes_nsec3_salt`. +.. warning:: + Contrary to popular belief, adding salt provides little value. + Each DNS zone is always uniquely salted using the zone name. **Operators should + use a zero-length salt value.** + +The properties of this extra salt are complicated and beyond scope of this +document. For detailed description why the salt in the context of DNSSEC +provides little value please see `IETF draft ietf-dnsop-nsec3-guidance version +10 section 2.4 +`__. .. _advanced_discussions_nsec_or_nsec3: NSEC or NSEC3? ^^^^^^^^^^^^^^ -So which one should you choose: NSEC or NSEC3? There is not a -single right answer here that fits everyone; it comes down to your -network's needs or requirements. - -If you prefer not to make your zone easily enumerable, implementing -NSEC3 paired with a periodically changed salt provides a certain -level of privacy protection. 
However, someone could still randomly guess -the names in your zone (such as "ftp" or "www"), as in the traditional -insecure DNS. - -If you have many delegations and need to be able to opt-out to save -resources, NSEC3 is for you. - -In other situations, NSEC is typically a good choice for most zone -administrators, as it relieves the authoritative servers of the -additional cryptographic operations that NSEC3 requires, and NSEC is -comparatively easier to troubleshoot than NSEC3. - -NSEC3 in conjunction with ``dnssec-policy`` is supported in BIND -as of version 9.16.9. +So which is better: NSEC or NSEC3? There is no single right +answer here that fits everyone; it comes down to a given network's needs or +requirements. + +In most cases, NSEC is a good choice for zone administrators. It +relieves the authoritative servers and resolver of the additional cryptographic +operations that NSEC3 requires, and NSEC is comparatively easier to +troubleshoot than NSEC3. + +NSEC3 comes with many drawbacks and should be implemented only if zone +enumeration prevention is really needed, or when opt-out provides a +significant reduction in memory and CPU overheads (in other words, with a +huge zone with mostly insecure delegations). .. _advanced_discussions_key_generation: 
@@ -1049,7 +1067,7 @@ actually signed. What this means is, even if your company's zone is signed today, fewer than 30% of the Internet's servers are taking advantage of this extra security. It gets worse: with less than 1.5% - of the ``.com`` domains signed, even if your DNSSEC validation is enabled today, + of the ``com.`` domains signed, even if your DNSSEC validation is enabled today, it's not likely to buy you or your users a whole lot more protection until these popular domain names decide to sign their zones. diff -Nru bind9-9.16.27/doc/dnssec-guide/commonly-asked-questions.rst bind9-9.16.33/doc/dnssec-guide/commonly-asked-questions.rst --- bind9-9.16.27/doc/dnssec-guide/commonly-asked-questions.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/commonly-asked-questions.rst 2022-09-08 13:01:23.000000000 +0000 @@ -14,8 +14,8 @@ Commonly Asked Questions ------------------------ -No questions are too stupid to ask. Below are some common -questions you may have and (hopefully) some answers that help. +Below are some common questions and (hopefully) some answers that +help. Do I need IPv6 to have DNSSEC? No. DNSSEC can be deployed without IPv6. 
@@ -26,64 +26,67 @@ privacy. Someone who sniffs network traffic can still see all the DNS queries and answers in plain text; DNSSEC just makes it very difficult for the eavesdropper to alter or spoof the DNS responses. + For protection against eavesdropping, the preferred protocol is DNS-over-TLS. + DNS-over-HTTPS can also do the job, but it is more complex. + +If I deploy DNS-over-TLS/HTTPS, can I skip deploying DNSSEC? + No. DNS-over-encrypted-transport stops eavesdroppers on a network, but it does + not protect against cache poisoning and answer manipulation in other parts + of the DNS resolution chain. In other words, these technologies offer protection + only for records when they are in transit between two machines; any + compromised server can still redirect traffic elsewhere (or simply eavesdrop). + However, DNSSEC provides integrity and authenticity for DNS + *records*, even when these records are stored in caches and on disks. Does DNSSEC protect the communication between my laptop and my name server? Unfortunately, not at the moment. DNSSEC is designed to protect the communication between end clients (laptop) and name servers; however, there are few applications or stub resolver libraries as of - mid-2020 that take advantage of this capability. While enabling DNSSEC today - does little to enhance the security of communications between a recursive - server and its clients (commonly called the "last mile"), we hope that - will change in the near future as more applications become DNSSEC-aware. + mid-2020 that take advantage of this capability. Does DNSSEC secure zone transfers? No. You should consider using TSIG to secure zone transfers among your name servers. Does DNSSEC protect my network from malicious websites? - The answer in the early stages of DNSSEC deployment is, unfortunately, - no. 
DNSSEC is designed to provide - confidence that when you receive a DNS response for www.company.com over - port 53, it really came from Company's name servers and the - answers are authentic. But that does not mean the web server a user visits - over port 80 or port 443 is necessarily safe. Furthermore, 98.5% of - domain name operators (as of this writing in mid-2020) have not yet signed - their zones, so DNSSEC cannot even validate their answers. - - The answer for sometime in - the future is that, as more zones are signed and more - recursive servers validate, DNSSEC will make it much more - difficult for attackers to spoof DNS responses or perform cache - poisoning. It will still not protect against users who visit a malicious - website that an attacker owns and operates, or prevent users from + DNSSEC makes it much more difficult for attackers to spoof DNS responses + or perform cache poisoning. It cannot protect against users who + visit a malicious website that an attacker owns and operates, or prevent users from mistyping a domain name; it will just become less likely that an attacker can hijack other domain names. + In other words, DNSSEC is designed to provide confidence that when + a DNS response is received for www.company.com over port 53, it really came from + Company's name servers and the answers are authentic. But that does not mean + the web server a user visits over port 80 or port 443 is necessarily safe. + If I enable DNSSEC validation, will it break DNS lookup, since most domain names do not yet use DNSSEC? - No, DNSSEC is backwards-compatible to "standard" - DNS. As of this writing (in mid-2020), although 98.5% of the .com domains have yet to - be signed, a DNSSEC-enabled validating resolver can still look up all of - these domain names as it always has under standard DNS. - + No, DNSSEC is backwards-compatible to "standard" DNS. 
A DNSSEC-enabled + validating resolver can still look up all of these domain names as it always + has under standard DNS. + There are four (4) categories of responses (see :rfc:`4035`): - - *Secure*: - Domains that have DNSSEC deployed correctly. - - *Insecure*: - Domains that have yet to deploy DNSSEC. - - *Bogus*: - Domains that have deployed DNSSEC but have done it incorrectly. - - *Indeterminate*: - Domains for which it is not possible to determine whether these domains use DNSSEC. - - A DNSSEC-enabled validating resolver still resolves #1 and #2; only #3 - and #4 result in a SERVFAIL. You may already be using DNSSEC - validation without realizing it, since some ISPs have begun enabling - DNSSEC validation on their recursive name servers. Google public DNS - (8.8.8.8) also has enabled DNSSEC validation. + + .. glossary:: + + Secure + Domains that have DNSSEC deployed correctly. + + Insecure + Domains that have yet to deploy DNSSEC. + + Bogus + Domains that have deployed DNSSEC but have done it incorrectly. + + Indeterminate + Domains for which it is not possible to determine whether these domains use DNSSEC. + + A DNSSEC-enabled validating resolver still resolves :term:`Secure` and + :term:`Insecure`; only :term:`Bogus` and :term:`Indeterminate` result in a + SERVFAIL. + As of mid-2022, roughly one-third of users worldwide are using DNSSEC validation + on their recursive name servers. Google public DNS (8.8.8.8) also has + enabled DNSSEC validation. Do I need to have special client software to use DNSSEC? No. DNSSEC only changes the communication diff -Nru bind9-9.16.27/doc/dnssec-guide/getting-started.rst bind9-9.16.33/doc/dnssec-guide/getting-started.rst --- bind9-9.16.27/doc/dnssec-guide/getting-started.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/getting-started.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -19,90 +19,11 @@ Software Requirements ~~~~~~~~~~~~~~~~~~~~~ -.. _bind_version: +This guide assumes BIND 9.16.9 or newer, although the more elaborate manual +procedures do work with all versions of BIND later than 9.9. -BIND Version -^^^^^^^^^^^^ - -Most configuration examples given in this document require BIND version -9.16.0 or newer (although many do work with all versions of BIND -later than 9.9). To check the version of ``named`` you have installed, -use the ``-v`` switch as shown below: - -:: - - # named -v - BIND 9.16.0 (Stable Release) - -Some configuration examples are added in BIND version 9.17 and backported -to 9.16. For example, NSEC3 configuration requires BIND version 9.16.9. - -We recommend you run the latest stable version to get the most complete -DNSSEC configuration, as well as the latest security fixes. - -.. _dnssec_support_in_bind: - -DNSSEC Support in BIND -^^^^^^^^^^^^^^^^^^^^^^ - -All versions of BIND 9 since BIND 9.7 can support DNSSEC, as currently -deployed in the global DNS, so the BIND software you are running most -likely already supports DNSSEC. Run the command ``named -V`` -to see what flags it was built with. If it was built with OpenSSL -(``--with-openssl``), then it supports DNSSEC. 
Below is an example -of the output from running ``named -V``: - -:: - - $ named -V - BIND 9.16.0 (Stable Release) - running on Linux x86_64 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u4 (2019-07-19) - built by make with defaults - compiled by GCC 6.3.0 20170516 - compiled with OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019 - linked to OpenSSL version: OpenSSL 1.1.0l 10 Sep 2019 - compiled with libxml2 version: 2.9.4 - linked to libxml2 version: 20904 - compiled with json-c version: 0.12.1 - linked to json-c version: 0.12.1 - compiled with zlib version: 1.2.8 - linked to zlib version: 1.2.8 - threads support is enabled - - default paths: - named configuration: /usr/local/etc/named.conf - rndc configuration: /usr/local/etc/rndc.conf - DNSSEC root key: /usr/local/etc/bind.keys - nsupdate session key: /usr/local/var/run/named/session.key - named PID file: /usr/local/var/run/named/named.pid - named lock file: /usr/local/var/run/named/named.lock - -If the BIND 9 software you have does not support DNSSEC, you should -upgrade it. (It has not been possible to build BIND without DNSSEC -support since BIND 9.13, released in 2018.) As well as missing out on -DNSSEC support, you are also missing a number of security fixes -made to the software in recent years. - -.. _system_entropy: - -System Entropy -^^^^^^^^^^^^^^ - -To deploy DNSSEC to your authoritative server, you -need to generate cryptographic keys. The amount of time it takes to -generate the keys depends on the source of randomness, or entropy, on -your systems. On some systems (especially virtual machines) with -insufficient entropy, it may take much longer than one cares to wait to -generate keys. - -There are software packages, such as ``haveged`` for Linux, that -provide additional entropy for a system. Once installed, they -significantly reduce the time needed to generate keys. - -The more entropy there is, the better pseudo-random numbers you get, and -the stronger the keys that are generated. 
If you want or need high-quality random -numbers, take a look at :ref:`hardware_security_modules` for some of -the hardware-based solutions. +We recommend running the latest stable version to get the most +complete DNSSEC configuration, as well as the latest security fixes. .. _hardware_requirements: 
@@ -117,33 +38,22 @@ Enabling DNSSEC validation on a recursive server makes it a *validating resolver*. The job of a validating resolver is to fetch additional information that can be used to computationally verify the answer set. -Below are the areas that should be considered for possible hardware -enhancement for a validating resolver: +Contrary to popular belief, the increase in resource consumption is very modest: -1. *CPU*: a validating resolver executes cryptographic functions on many - of the answers returned, which usually leads to increased CPU usage, - unless your recursive server has built-in hardware to perform - cryptographic computations. +1. *CPU*: a validating resolver executes cryptographic functions on cache-miss + answers, which leads to increased CPU usage. Thanks to standard DNS caching + and contemporary CPUs, the increase in CPU-time consumption in a steady + state is negligible - typically on the order of 5%. For a brief period (a few + minutes) after the resolver starts, the increase might be as much as 20%, but it + quickly decreases as the DNS cache fills in. 2. *System memory*: DNSSEC leads to larger answer sets and occupies - more memory space. + more memory space. With typical ISP traffic and the state of the Internet as + of mid-2022, memory consumption for the cache increases by roughly 20%. 3. *Network interfaces*: although DNSSEC does increase the amount of DNS - traffic overall, it is unlikely that you need to upgrade your network - interface card (NIC) on the name server unless you have some truly - outdated hardware. - -One factor to consider is the destinations of your current DNS -traffic. If your current users spend a lot of time visiting ``.gov`` -websites, you should expect a jump in all of the above -categories when validation is enabled, because ``.gov`` is more than 90% -signed. 
This means that more than 90% of the time, your validating resolver -will be doing what is described in -:ref:`how_does_dnssec_change_dns_lookup`. However, if your users -only care about resources in the ``.com`` domain, which, as of mid-2020, -is under 1.5% signed [#]_, your recursive name server is unlikely -to experience a significant load increase after enabling DNSSEC -validation. + traffic overall, in practice this increase is often within measurement + error. .. _authoritative_server_hardware: @@ -152,8 +62,8 @@ On the authoritative server side, DNSSEC is enabled on a zone-by-zone basis. When a zone is DNSSEC-enabled, it is also known as "signed." -Below are the areas to consider for possible hardware -enhancements for an authoritative server with signed zones: +Below are the expected changes to resource consumption caused by serving +DNSSEC-signed zones: 1. *CPU*: a DNSSEC-signed zone requires periodic re-signing, which is a cryptographic function that is CPU-intensive. If your DNS zone is 
@@ -162,12 +72,17 @@ 2. *System storage*: A signed zone is definitely larger than an unsigned zone. How much larger? See :ref:`your_zone_before_and_after_dnssec` for a comparison - example. Roughly speaking, you should expect your zone file to grow by at - least three times, and frequently more. + example. The final size depends on the structure of the zone, the signing algorithm, + the number of keys, the choice of NSEC or NSEC3, the ratio of signed delegations, the zone file + format, etc. Usually, the size of a signed zone ranges from a negligible + increase to as much as three times the size of the unsigned zone. 3. *System memory*: Larger DNS zone files take up not only more storage space on the file system, but also more space when they are loaded - into system memory. + into system memory. The final memory consumption also depends on all the + variables listed above: in the typical case the increase is around half of + the unsigned zone memory consumption, but it can be as high as three times + for some corner cases. 4. *Network interfaces*: While your authoritative name servers will begin sending back larger responses, it is unlikely that you need to 
@@ -175,18 +90,13 @@ you have some truly outdated hardware. One factor to consider, but over which you really have no control, is -the number of users who query your domain name who themselves have DNSSEC enabled. It was -estimated in late 2014 that roughly 10% to 15% of the Internet DNS -queries were DNSSEC-aware. Estimates by `APNIC `__ -suggest that in 2020 about `one-third `__ of all queries are -validating queries, although the percentage varies widely on a -per-country basis. This means that more DNS queries for your domain will +the number of users who query your domain name who themselves have DNSSEC +enabled. As of mid-2022, measurements by `APNIC +`__ show 41% of Internet users send +DNSSEC-aware queries. This means that more DNS queries for your domain will take advantage of the additional security features, which will result in increased system load and possibly network traffic. -.. [#] - https://rick.eng.br/dnssecstat - .. _network_requirements: Network Requirements diff -Nru bind9-9.16.27/doc/dnssec-guide/introduction.rst bind9-9.16.33/doc/dnssec-guide/introduction.rst --- bind9-9.16.27/doc/dnssec-guide/introduction.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/introduction.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -27,9 +27,9 @@ field. This guide provides basic information on how to configure DNSSEC using -BIND 9.16.0 or later. Most of the information and examples in this guide also +BIND 9.16.9 or later. Most of the information and examples in this guide also apply to versions of BIND later than 9.9.0, but some of the key features described here -were only introduced in version 9.16.0. Readers are assumed to have basic +were only introduced in version 9.16.9. Readers are assumed to have basic working knowledge of the Domain Name System (DNS) and related network infrastructure, such as concepts of TCP/IP. In-depth knowledge of DNS and TCP/IP is not required. The guide assumes no prior knowledge of DNSSEC or diff -Nru bind9-9.16.27/doc/dnssec-guide/recipes.rst bind9-9.16.33/doc/dnssec-guide/recipes.rst --- bind9-9.16.27/doc/dnssec-guide/recipes.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/recipes.rst 2022-09-08 13:01:23.000000000 +0000 @@ -795,13 +795,12 @@ To enable NSEC3, update your ``dnssec-policy`` and add the desired NSEC3 parameters. The example below enables NSEC3 for zones with the ``standard`` -DNSSEC policy, using 10 iterations, no opt-out, and a random string that is -16 characters long: +DNSSEC policy, using 0 additional iterations, no opt-out, and a zero-length salt: :: dnssec-policy "standard" { - nsec3param iterations 10 optout no salt-length 16; + nsec3param iterations 0 optout no salt-length 0; }; Then reconfigure the server with ``rndc``. You can tell that it worked if you @@ -810,7 +809,7 @@ :: Oct 21 13:47:21 received control channel command 'reconfig' - Oct 21 13:47:21 zone example.com/IN (signed): zone_addnsec3chain(1,CREATE,10,1234567890ABCDEF) + Oct 21 13:47:21 zone example.com/IN (signed): zone_addnsec3chain(1,CREATE,0,-) You can also verify that it worked by querying for a name that you know does not exist, and checking for the presence of the NSEC3 record. 
@@ -821,15 +820,15 @@ $ dig @192.168.1.13 thereisnowaythisexists.example.com. A +dnssec +multiline ... - TOM10UQBL336NFAQB3P6MOO53LSVG8UI.example.com. 300 IN NSEC3 1 0 10 1234567890ABCDEF ( + 5A03TL362CS8VSIH69CVA4MJIKRHFQH3.example.com. 300 IN NSEC3 1 0 0 - ( TQ9QBEGA6CROHEOC8KIH1A2C06IVQ5ER NS SOA RRSIG DNSKEY NSEC3PARAM ) ... -Our example used four parameters: 1, 0, 10, and 1234567890ABCDEF, in +Our example used four parameters: 1, 0, 0, and -, in order. 1 represents the algorithm, 0 represents the -opt-out flag, 10 represents the number of iterations, and -1234567890ABCDEF is the salt. To learn more about each of these +opt-out flag, 0 represents the number of additional iterations, and +- denotes no salt is used. To learn more about each of these parameters, please see :ref:`advanced_discussions_nsec3param`. .. _recipes_nsec3_to_nsec: @@ -844,7 +843,7 @@ :: named[14093]: received control channel command 'reconfig' - named[14093]: zone example.com/IN: zone_addnsec3chain(1,REMOVE,10,1234567890ABCDEF) + named[14093]: zone example.com/IN: zone_addnsec3chain(1,REMOVE,0,-) You can also query for a name that you know does not exist, and you should no longer see any traces of NSEC3 records. 
@@ -859,45 +858,6 @@ ns1.example.com. 300 IN NSEC web.example.com. A RRSIG NSEC ... -.. _recipes_nsec3_salt: - -Changing the NSEC3 Salt -^^^^^^^^^^^^^^^^^^^^^^^ - -In :ref:`advanced_discussions_nsec3_salt`, we discuss the -reasons why you may want to change your salt periodically for better -privacy. In this recipe, we look at what command to execute to -actually change the salt, and how to verify that it has been changed. - -The ``dnssec-policy`` currently has no easy way to re-salt using the -same salt length, so to change your NSEC3 salt you need to change the -``salt-length`` value and reconfigure your server. You should see -the following messages in the log, assuming your old salt was -"1234567890ABCDEF" and ``named`` created "FEDCBA09" (salt length 8) -as the new salt: - -:: - - named[15848]: zone example.com/IN: zone_addnsec3chain(1,REMOVE,10,1234567890ABCDEF) - named[15848]: zone example.com/IN: zone_addnsec3chain(1,CREATE|OPTOUT,10,FEDCBA0987654321) - -To verify that it worked, you can query the name server (192.168.1.13 in our -example) for a name that you know does not exist, and check the NSEC3 record -returned: - -:: - - $ dig @192.168.1.13 thereisnowaythisexists.example.com. A +dnssec +multiline - - ... - TOM10UQBL336NFAQB3P6MOO53LSVG8UI.example.com. 300 IN NSEC3 1 0 10 FEDCBA09 ( - TQ9QBEGA6CROHEOC8KIH1A2C06IVQ5ER - NS SOA RRSIG DNSKEY NSEC3PARAM ) - ... - -If you want to use the same salt length, you can repeat the above steps and -go back to your original length value. - .. _recipes_nsec3_optout: NSEC3 Opt-Out 
@@ -909,6 +869,15 @@ that can help conserve resources on parent zones with many delegations that have not yet been signed. +.. warning:: + NSEC3 Opt-Out feature brings benefit only to _extremely_ large zones with lots + of insecure delegations. It's use is counterproductive in all other cases as + it decreases tamper-resistance of the zone and also decreases efficiency of + resolver cache (see :rfc:`8198`). + + In other words, don't enable Opt-Out unless you are serving an equivalent of + ``com.`` zone. + Because the NSEC3PARAM record does not keep track of whether opt-out is used, it is hard to check whether changes need to be made to the NSEC3 chain if the flag is changed. Similar to changing the NSEC3 salt, your best option is to change 
@@ -944,25 +913,25 @@ NSEC3 records; below is the list with the plain text name before the actual NSEC3 record: -- *aaa.example.com*: 9NE0VJGTRTMJOS171EC3EDL6I6GT4P1Q.example.com. +- *aaa.example.com*: IFA1I3IE7EKCTPHM6R58URO3Q846I52M.example.com -- *bbb.example.com*: AESO0NT3N44OOSDQS3PSL0HACHUE1O0U.example.com. +- *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com -- *ccc.example.com*: SF3J3VR29LDDO3ONT1PM6HAPHV372F37.example.com. +- *ccc.example.com*: 0VPUT696LUVDPDS5NIHSHBH9KLV20V5K.example.com -- *ddd.example.com*: TQ9QBEGA6CROHEOC8KIH1A2C06IVQ5ER.example.com. +- *ddd.example.com*: UHPBD5U4HRGB84MLC2NQOVEFNAKJU0CA.example.com -- *eee.example.com*: L16L08NEH48IFQIEIPS1HNRMQ523MJ8G.example.com. +- *eee.example.com*: NF7I61FA4C2UEKPMEDSOC25FE0UJIMKT.example.com -- *ftp.example.com*: JKMAVHL8V7EMCL8JHIEN8KBOAB0MGUK2.example.com. +- *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com -- *ns1.example.com*: FSK5TK9964BNE7BPHN0QMMD68IUDKT8I.example.com. +- *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com -- *web.example.com*: D65CIIG0GTRKQ26Q774DVMRCNHQO6F81.example.com. +- *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com -- *www.example.com*: NTQ0CQEJHM0S17POMCUSLG5IOQQEDTBJ.example.com. +- *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com -- *example.com*: TOM10UQBL336NFAQB3P6MOO53LSVG8UI.example.com. +- *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com We can enable NSEC3 opt-out with the following configuration, changing the ``optout`` configuration value from ``no`` to ``yes``: 
@@ -970,31 +939,31 @@ :: dnssec-policy "standard" { - nsec3param iterations 10 optout yes salt-length 16; + nsec3param iterations 0 optout yes salt-length 0; }; After NSEC3 opt-out is enabled, the number of NSEC3 records is reduced. Notice that the unsigned delegations ``aaa``, ``ccc``, ``ddd``, and ``eee`` no longer have corresponding NSEC3 records. -- *bbb.example.com*: AESO0NT3N44OOSDQS3PSL0HACHUE1O0U.example.com. +- *bbb.example.com*: ROJUF3VJSJO6LQ2LC1DNSJ5GBAUJPVHE.example.com -- *ftp.example.com*: JKMAVHL8V7EMCL8JHIEN8KBOAB0MGUK2.example.com. +- *ftp.example.com*: 8P15KCUAT1RHCSDN46HBQVPI5T532IN1.example.com -- *ns1.example.com*: FSK5TK9964BNE7BPHN0QMMD68IUDKT8I.example.com. +- *ns1.example.com*: GUFVRA2SFIO8RSFP7UO41E8AD1KR41FH.example.com -- *web.example.com*: D65CIIG0GTRKQ26Q774DVMRCNHQO6F81.example.com. +- *web.example.com*: CVQ4LA4ALPQIAO2H3N2RB6IR8UHM91E7.example.com -- *www.example.com*: NTQ0CQEJHM0S17POMCUSLG5IOQQEDTBJ.example.com. +- *www.example.com*: MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK.example.com -- *example.com*: TOM10UQBL336NFAQB3P6MOO53LSVG8UI.example.com. +- *example.com*: ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com To undo NSEC3 opt-out, change the configuration again: :: dnssec-policy "standard" { - nsec3param iterations 10 optout no salt-length 16; + nsec3param iterations 0 optout no salt-length 0; }; .. note:: @@ -1006,8 +975,8 @@ :: - # nsec3hash 1234567890ABCDEF 1 10 www.example.com. - NTQ0CQEJHM0S17POMCUSLG5IOQQEDTBJ (salt=1234567890ABCDEF, hash=1, iterations=10) + # nsec3hash - 1 0 www.example.com. + MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK (salt=-, hash=1, iterations=0) .. _revert_to_unsigned: 
@@ -1017,12 +986,40 @@ This recipe describes how to revert from a signed zone (DNSSEC) back to an unsigned (DNS) zone. -Whether the world thinks your zone is signed is determined by the -presence of DS records hosted by your parent zone; if there are no DS records, -the world sees your zone as unsigned. So reverting to unsigned is as -easy as removing all DS records from the parent zone. +Here is what :iscman:`named.conf` looks like when it is signed: + +.. code-block:: none + :emphasize-lines: 4 + + zone "example.com" IN { + type primary; + file "db/example.com.db"; + dnssec-policy "default"; + }; + +To indicate the reversion to unsigned, change the ``dnssec-policy`` line: + +.. code-block:: none + :emphasize-lines: 4 + + zone "example.com" IN { + type primary; + file "db/example.com.db"; + dnssec-policy "insecure"; + }; + +Then use :option:`rndc reload` to reload the zone. + +The "insecure" policy is a built-in policy (like "default"). It makes sure +the zone is still DNSSEC-maintained, to allow for a graceful transition to +unsigned. It also publishes the CDS and CDNSKEY DELETE records automatically +at the appropriate time. + +If the parent zone allows management of DS records via CDS/CDNSKEY, as described in +:rfc:`8078`, the DS record should be removed from the parent automatically. -Below is an example showing how to remove DS records using the +Otherwise, DS records can be removed via the registrar. Below is an example +showing how to remove DS records using the `GoDaddy `__ web-based interface: 1. After logging in, click the green "Launch" button next to the domain 
@@ -1067,51 +1064,17 @@ Revert to Unsigned Step #4 -To be on the safe side, wait a while before actually deleting -all signed data from your zone, just in case some validating resolvers -have cached information. After you are certain that all cached -information has expired (usually this means one TTL interval has passed), -you may reconfigure your zone. - -Here is what ``named.conf`` looks like when it is signed: - -:: - - zone "example.com" IN { - type primary; - file "db/example.com.db"; - allow-transfer { any; }; - dnssec-policy "default"; - }; - -Change your ``dnssec-policy`` line to indicate you want to revert to unsigned: - -:: - - zone "example.com" IN { - type primary; - file "db/example.com.db"; - allow-transfer { any; }; - dnssec-policy "insecure"; - }; - -Then use ``rndc reload`` to reload the zone. - -The "insecure" policy is a built-in policy (like "default"). It will make sure -the zone is still DNSSEC maintained, to allow for a graceful transition to -unsigned. - When the DS records have been removed from the parent zone, use ``rndc dnssec -checkds -key withdrawn example.com`` to tell ``named`` that the DS is removed, and the remaining DNSSEC records will be removed in a timely -manner. Or if you have parental agents configured, the DNSSEC records will be +manner. Or, if parental agents are configured, the DNSSEC records will be automatically removed after BIND has seen that the parental agents no longer -serves the DS RRset for this zone. +serve the DS RRset for this zone. -After a while, your zone is reverted back to the traditional, insecure DNS -format. You can verify by checking that all DNSKEY and RRSIG records have been +After a while, the zone is reverted back to the traditional, insecure DNS +format. This can be verified by checking that all DNSKEY and RRSIG records have been removed from the zone. -You can then remove the ``dnssec-policy`` line from your ``named.conf`` and -reload the zone. 
The zone will now no longer be subject to any DNSSEC +The ``dnssec-policy`` line can then be removed from :iscman:`named.conf` and +the zone reloaded. The zone will no longer be subject to any DNSSEC maintenance. diff -Nru bind9-9.16.27/doc/dnssec-guide/signing.rst bind9-9.16.33/doc/dnssec-guide/signing.rst --- bind9-9.16.27/doc/dnssec-guide/signing.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/signing.rst 2022-09-08 13:01:23.000000000 +0000 @@ -1099,25 +1099,25 @@ Everything in DNSSEC centers around keys, so we begin by generating our own keys. -:: +.. code-block:: console - # cd /etc/bind - # dnssec-keygen -a RSASHA256 -b 1024 example.com - Generating key pair...........................+++++ ......................+++++ - Kexample.com.+008+34371 - # dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com - Generating key pair........................+++ ..................................+++ - Kexample.com.+008+00472 + # cd /etc/bind/keys + # dnssec-keygen -a ECDSAP256SHA256 example.com + Generating key pair...........................+++++ ......................+++++ + Kexample.com.+013+34371 + # dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com + Generating key pair........................+++ ..................................+++ + Kexample.com.+013+00472 This command generates four key files in ``/etc/bind/keys``: -- Kexample.com.+008+34371.key +- Kexample.com.+013+34371.key -- Kexample.com.+008+34371.private +- Kexample.com.+013+34371.private -- Kexample.com.+008+00472.key +- Kexample.com.+013+00472.key -- Kexample.com.+008+00472.private +- Kexample.com.+013+00472.private The two files ending in ``.key`` are the public keys. These contain the DNSKEY resource records that appear in the zone. The two files 
@@ -1128,44 +1128,34 @@ key-signing key (KSK). We can tell which is which by looking at the file contents (the actual keys are shortened here for ease of display): -:: +.. code-block:: console - # cat Kexample.com.+008+34371.key + # cat Kexample.com.+013+34371.key ; This is a zone-signing key, keyid 34371, for example.com. ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020) ; Publish: 20200616104249 (Tue Jun 16 11:42:49 2020) ; Activate: 20200616104249 (Tue Jun 16 11:42:49 2020) - example.com. IN DNSKEY 256 3 8 AwEAAfel66...LqkA7cvn8= - # cat Kexample.com.+008+00472.key + example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8= + # cat Kexample.com.+013+00472.key ; This is a key-signing key, keyid 472, for example.com. ; Created: 20200616104254 (Tue Jun 16 11:42:54 2020) ; Publish: 20200616104254 (Tue Jun 16 11:42:54 2020) ; Activate: 20200616104254 (Tue Jun 16 11:42:54 2020) - example.com. IN DNSKEY 257 3 8 AwEAAbCR6U...l8xPjokVU= + example.com. IN DNSKEY 257 3 13 AwEAAbCR6U...l8xPjokVU= The first line of each file tells us what type of key it is. Also, by looking at the actual DNSKEY record, we can tell them apart: 256 is ZSK, and 257 is KSK. The name of the file also tells us something -about the contents. The file names are of the form: - -:: +about the contents. See chapter :ref:`zone_keys` for more details. - K++ - -The "zone name" is self-explanatory. The "algorithm ID" is a number assigned -to the algorithm used to construct the key: the number appears in the -DNSKEY resource record. In -our example, 8 means the algorithm RSASHA256. Finally, the "keyid" is -essentially a hash of the key itself. - -Make sure these files are readable by ``named`` and make sure that the +Make sure that these files are readable by ``named`` and that the ``.private`` files are not readable by anyone else. -Refer to :ref:`system_entropy` for information on how to -speed up the key generation process if your random number generator has -insufficient entropy. 
+Alternativelly, the ``dnssec-keyfromlabel`` program is used to get a key +pair from a crypto hardware device and build the key files. Its usage is +similar to ``dnssec-keygen``. Setting Key Timing Information ++++++++++++++++++++++++++++++ @@ -1184,15 +1174,15 @@ 15 July 2020, and remove it from the zone at the end of July 2021, we can use the following command: -:: +.. code-block:: console - # dnssec-settime -P 20200701 -A 20200715 -I 20210715 -D 20210731 Kexample.com.+008+34371.key - ./Kexample.com.+008+34371.key - ./Kexample.com.+008+34371.private + # dnssec-settime -P 20200701 -A 20200715 -I 20210715 -D 20210731 Kexample.com.+013+34371.key + ./Kexample.com.+013+34371.key + ./Kexample.com.+013+34371.private which would set the contents of the key file to: -:: +.. code-block:: none ; This is a zone-signing key, keyid 34371, for example.com. ; Created: 20200616104249 (Tue Jun 16 11:42:49 2020) @@ -1200,7 +1190,7 @@ ; Activate: 20200715000000 (Wed Jul 15 01:00:00 2020) ; Inactive: 20210715000000 (Thu Jul 15 01:00:00 2021) ; Delete: 20210731000000 (Sat Jul 31 01:00:00 2021) - example.com. IN DNSKEY 256 3 8 AwEAAfel66...LqkA7cvn8= + example.com. IN DNSKEY 256 3 13 AwEAAfel66...LqkA7cvn8= (The actual key is truncated here to improve readability.) 
@@ -1558,20 +1548,39 @@ but why not use one of the automated methods? Nevertheless, it may be useful for test purposes, so we cover it briefly here. +BIND 9 ships with several tools that are used in +this process, which are explained in more detail below. In all cases, +the ``-h`` option prints a full list of parameters. Note that the DNSSEC +tools require the keyset files to be in the working directory or the +directory specified by the ``-d`` option. + The first step is to create the keys as described in :ref:`generate_keys`. -Then, edit the zone file to make sure -the proper DNSKEY entries are included in your zone file. Finally, use the -command ``dnssec-signzone``: -:: +Then, edit the zone file to make sure the proper DNSKEY entries are included. +The public keys should be inserted into the zone file by +including the ``.key`` files using ``$INCLUDE`` statements. + +Finally, use the command ``dnssec-signzone``. +Any ``keyset`` files corresponding to secure sub-zones should be +present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG`` +records for the zone, as well as ``DS`` for the child zones if +``-g`` is specified. If +``-g`` is not specified, then DS RRsets for the +secure child zones need to be added manually. + +By default, all zone keys which have an available private key are used +to generate signatures. The following command signs the zone, assuming +it is in a file called ``zone.child.example``, using manually specified keys: + +.. code-block:: console # cd /etc/bind/keys/example.com/ - # dnssec-signzone -A -t -N INCREMENT -o example.com -f /etc/bind/db/example.com.signed.db \ - > /etc/bind/db/example.com.db Kexample.com.+008+17694.key Kexample.com.+008+06817.key - Verifying the zone using the following algorithms: RSASHA256. 
+ # dnssec-signzone -t -N INCREMENT -o example.com -f /etc/bind/db/example.com.signed.db \ + /etc/bind/db/example.com.db Kexample.com.+013+17694.key Kexample.com.+013+06817.key + Verifying the zone using the following algorithms: ECDSAP256SHA256. Zone fully signed: - Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked - ZSKs: 1 active, 0 stand-by, 0 revoked + Algorithm: ECDSAP256SHA256: KSKs: 1 active, 0 stand-by, 0 revoked + ZSKs: 1 active, 0 stand-by, 0 revoked /etc/bind/db/example.com.signed.db Signatures generated: 17 Signatures retained: 0 @@ -1587,12 +1596,16 @@ has three parameters: the unsigned zone name (``/etc/bind/db/example.com.db``), the ZSK file name, and the KSK file name. This also generates a plain text file ``/etc/bind/db/example.com.signed.db``, -which you can verify for correctness. +which can be manually verified for correctness. + +``dnssec-signzone`` also produces keyset and dsset files. These are used +to provide the parent zone administrators with the ``DNSKEY`` records (or their +corresponding ``DS`` records) that are the secure entry point to the zone. Finally, you'll need to update ``named.conf`` to load the signed version of the zone, which looks something like this: -:: +.. code-block:: none zone "example.com" IN { type primary; diff -Nru bind9-9.16.27/doc/dnssec-guide/troubleshooting.rst bind9-9.16.33/doc/dnssec-guide/troubleshooting.rst --- bind9-9.16.27/doc/dnssec-guide/troubleshooting.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/troubleshooting.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -583,5 +583,7 @@ $ nsec3hash 1234567890ABCEDF 1 10 www.example.com RN7I9ME6E1I6BDKIP91B9TCE4FHJ7LKF (salt=1234567890ABCEDF, hash=1, iterations=10) +Zero-length salt can be specified as ``-``. + While it is unlikely you would construct a rainbow table of your own zone data, this tool may be useful when troubleshooting NSEC3 problems. diff -Nru bind9-9.16.27/doc/dnssec-guide/validation.rst bind9-9.16.33/doc/dnssec-guide/validation.rst --- bind9-9.16.27/doc/dnssec-guide/validation.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/dnssec-guide/validation.rst 2022-09-08 13:01:23.000000000 +0000 @@ -52,11 +52,9 @@ Restart ``named`` or run ``rndc reconfig``, and your recursive server is now happily validating each DNS response. If this does not work for you, -and you have already verified DNSSEC support as described in -:ref:`dnssec_support_in_bind`, you may have some other -network-related configurations that need to be adjusted. Take a look at -:ref:`network_requirements` to make sure your network is ready for -DNSSEC. +you may have some other network-related configurations that need to be +adjusted. Take a look at :ref:`network_requirements` to make sure your network +is ready for DNSSEC. .. _effect_of_enabling_validation: diff -Nru bind9-9.16.27/doc/man/Makefile.in bind9-9.16.33/doc/man/Makefile.in --- bind9-9.16.27/doc/man/Makefile.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/Makefile.in 2022-09-08 13:01:23.000000000 +0000 @@ -49,11 +49,13 @@ filter-aaaa.8 \ named-checkconf.8 \ named-checkzone.8 \ + named-compilezone.8 \ named-journalprint.8 \ named.8 \ nsec3hash.8 \ rndc-confgen.8 \ - rndc.8 + rndc.8 \ + tsig-keygen.8 MANPAGES_RST = \ arpaname.rst \ @@ -78,6 +80,7 @@ mdig.rst \ named-checkconf.rst \ named-checkzone.rst \ + named-compilezone.rst \ named-journalprint.rst \ named-nzd2nzf.rst \ named-rrchecker.rst \ 
@@ -89,6 +92,7 @@ rndc-confgen.rst \ rndc.conf.rst \ rndc.rst \ + tsig-keygen.rst \ pkcs11-destroy.rst \ pkcs11-keygen.rst \ pkcs11-list.rst \ @@ -117,6 +121,7 @@ mdig.1in \ named-checkconf.8in \ named-checkzone.8in \ + named-compilezone.8in \ named-journalprint.8in \ named-nzd2nzf.8in \ named-rrchecker.1in \ @@ -128,6 +133,7 @@ rndc-confgen.8in \ rndc.conf.5in \ rndc.8in \ + tsig-keygen.8in \ pkcs11-destroy.8in \ pkcs11-keygen.8in \ pkcs11-list.8in \ @@ -248,8 +254,6 @@ for m in $(man1_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man1/; done for m in $(man5_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man5/; done for m in $(man8_MANS); do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done - ( cd ${DESTDIR}${mandir}/man8/; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8 ) - ( cd ${DESTDIR}${mandir}/man8/; rm -f tsig-keygen.8; ${LINK_PROGRAM} ddns-confgen.8 tsig-keygen.8 ) for m in @DNSTAP_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man1/; done for m in @NZD_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done for m in @PKCS11_MANS@; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8/; done @@ -258,8 +262,6 @@ for m in $(man1_MANS); do rm -f ${DESTDIR}${mandir}/man1/$$m; done for m in $(man5_MANS); do rm -f ${DESTDIR}${mandir}/man5/$$m; done for m in $(man8_MANS); do rm -f ${DESTDIR}${mandir}/man8/$$m; done - rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8 - rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8 for m in @DNSTAP_MANS@; do rm -f ${DESTDIR}${mandir}/man1/$$m; done for m in @NZD_MANS@; do rm -f ${DESTDIR}${mandir}/man8/$$m; done for m in @PKCS11_MANS@; do rm -f ${DESTDIR}${mandir}/man8/$$m; done diff -Nru bind9-9.16.27/doc/man/conf.py bind9-9.16.33/doc/man/conf.py --- bind9-9.16.27/doc/man/conf.py 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/conf.py 2022-09-08 13:01:23.000000000 +0000 
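Review bot: The manual section for the new named-compilezone page is inconsistent across this change. The Makefile.in hunks add `named-compilezone.8` (at `@@ -49,11 +49,13 @@`) and `named-compilezone.8in` (at `@@ -117,6 +121,7 @@`), and conf.py registers the page with section 8, but the file added further down this diff is `doc/man/named-compilezone.1in` with `.TH "NAMED-COMPILEZONE" "1"`. No `named-compilezone.8in` is visible in this part of the diff. If one is not shipped elsewhere, the `for m in $(man8_MANS)` install loop would presumably fail on the missing file now that the `${LINK_PROGRAM} named-checkzone.8 named-compilezone.8` fallback is removed. If one is shipped, the `.1in` file looks like a stray build artifact that should be dropped from the tarball.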
@@ -10,6 +10,8 @@ # information regarding copyright ownership. # flake8: noqa: E501 +import datetime +from docutils.parsers.rst import roles # # Configuration file for the Sphinx documentation builder. @@ -30,13 +32,12 @@ # -- Project information ----------------------------------------------------- -project = 'BIND 9' +project = "BIND 9" # pylint: disable=wrong-import-position -import datetime year = datetime.datetime.now().year # pylint: disable=redefined-builtin copyright = "%d, Internet Systems Consortium" % year -author = 'Internet Systems Consortium' +author = "Internet Systems Consortium" # -- General configuration --------------------------------------------------- 
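Review bot: The `# pylint: disable=wrong-import-position` comment kept as context in the `@@ -30,13 +32,12 @@` hunk no longer has anything to apply to, because `import datetime` moved to the top of the file in the `@@ -10,6 +10,8 @@` hunk. The pragma should be deleted together with the old import line. The two new imports also sit above the file's `# Configuration file for the Sphinx documentation builder.` header comment, with no blank line between the standard-library and docutils groups. Placing them below that header as `import datetime`, a blank line, then `from docutils.parsers.rst import roles` would follow the usual layout.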
@@ -50,57 +51,167 @@ extensions = [] # Add any paths that contain templates here, relative to this directory. -templates_path = ['../arm/_templates'] +templates_path = ["../arm/_templates"] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This pattern also affects html_static_path and html_extra_path. exclude_patterns = [ - '_build', - 'Thumbs.db', - '.DS_Store', - ] + "_build", + "Thumbs.db", + ".DS_Store", +] # The master toctree document. -master_doc = 'index' +master_doc = "index" # pylint: disable=line-too-long man_pages = [ - ('arpaname', 'arpaname', 'translate IP addresses to the corresponding ARPA names', author, 1), - ('ddns-confgen', 'ddns-confgen', 'ddns key generation tool', author, 8), - ('delv', 'delv', 'DNS lookup and validation utility', author, 1), - ('dig', 'dig', 'DNS lookup utility', author, 1), - ('dnssec-cds', 'dnssec-cds', 'change DS records for a child zone based on CDS/CDNSKEY', author, 8), - ('dnssec-checkds', 'dnssec-checkds', 'DNSSEC delegation consistency checking tool', author, 8), - ('dnssec-coverage', 'dnssec-coverage', 'checks future DNSKEY coverage for a zone', author, 8), - ('dnssec-dsfromkey', 'dnssec-dsfromkey', 'DNSSEC DS RR generation tool', author, 8), - ('dnssec-importkey', 'dnssec-importkey', 'import DNSKEY records from external systems so they can be managed', author, 8), - ('dnssec-keyfromlabel', 'dnssec-keyfromlabel', 'DNSSEC key generation tool', author, 8), - ('dnssec-keygen', 'dnssec-keygen', 'DNSSEC key generation tool', author, 8), - ('dnssec-keymgr', 'dnssec-keymgr', 'ensure correct DNSKEY coverage based on a defined policy', author, 8), - ('dnssec-revoke', 'dnssec-revoke', 'set the REVOKED bit on a DNSSEC key', author, 8), - ('dnssec-settime', 'dnssec-settime', 'set the key timing metadata for a DNSSEC key', author, 8), - ('dnssec-signzone', 'dnssec-signzone', 'DNSSEC zone signing tool', author, 8), - ('dnssec-verify', 'dnssec-verify', 
'DNSSEC zone verification tool', author, 8), - ('dnstap-read', 'dnstap-read', 'print dnstap data in human-readable form', author, 1), - ('filter-aaaa', 'filter-aaaa', 'filter AAAA in DNS responses when A is present', author, 8), - ('host', 'host', 'DNS lookup utility', author, 1), - ('mdig', 'mdig', 'DNS pipelined lookup utility', author, 1), - ('named-checkconf', 'named-checkconf', 'named configuration file syntax checking tool', author, 8), - ('named-checkzone', 'named-checkzone', 'zone file validity checking or converting tool', author, 8), - ('named-journalprint', 'named-journalprint', 'print zone journal in human-readable form', author, 8), - ('named-nzd2nzf', 'named-nzd2nzf', 'convert an NZD database to NZF text format', author, 8), - ('named-rrchecker', 'named-rrchecker', 'syntax checker for individual DNS resource records', author, 1), - ('named.conf', 'named.conf', 'configuration file for **named**', author, 5), - ('named', 'named', 'Internet domain name server', author, 8), - ('nsec3hash', 'nsec3hash', 'generate NSEC3 hash', author, 8), - ('nslookup', 'nslookup', 'query Internet name servers interactively', author, 1), - ('nsupdate', 'nsupdate', 'dynamic DNS update utility', author, 1), - ('pkcs11-destroy', 'pkcs11-destroy', 'destroy PKCS#11 objects', author, 8), - ('pkcs11-keygen', 'pkcs11-keygen', 'generate keys on a PKCS#11 device', author, 8), - ('pkcs11-list', 'pkcs11-list', 'list PKCS#11 objects', author, 8), - ('pkcs11-tokens', 'pkcs11-tokens', 'list PKCS#11 available tokens', author, 8), - ('rndc-confgen', 'rndc-confgen', 'rndc key generation tool', author, 8), - ('rndc.conf', 'rndc.conf', 'rndc configuration file', author, 5), - ('rndc', 'rndc', 'name server control utility', author, 8), - ] + ( + "arpaname", + "arpaname", + "translate IP addresses to the corresponding ARPA names", + author, + 1, + ), + ("ddns-confgen", "ddns-confgen", "ddns key generation tool", author, 8), + ("delv", "delv", "DNS lookup and validation utility", author, 1), + 
("dig", "dig", "DNS lookup utility", author, 1), + ( + "dnssec-cds", + "dnssec-cds", + "change DS records for a child zone based on CDS/CDNSKEY", + author, + 8, + ), + ( + "dnssec-checkds", + "dnssec-checkds", + "DNSSEC delegation consistency checking tool", + author, + 8, + ), + ( + "dnssec-coverage", + "dnssec-coverage", + "checks future DNSKEY coverage for a zone", + author, + 8, + ), + ("dnssec-dsfromkey", "dnssec-dsfromkey", "DNSSEC DS RR generation tool", author, 8), + ( + "dnssec-importkey", + "dnssec-importkey", + "import DNSKEY records from external systems so they can be managed", + author, + 8, + ), + ( + "dnssec-keyfromlabel", + "dnssec-keyfromlabel", + "DNSSEC key generation tool", + author, + 8, + ), + ("dnssec-keygen", "dnssec-keygen", "DNSSEC key generation tool", author, 8), + ( + "dnssec-keymgr", + "dnssec-keymgr", + "ensure correct DNSKEY coverage based on a defined policy", + author, + 8, + ), + ( + "dnssec-revoke", + "dnssec-revoke", + "set the REVOKED bit on a DNSSEC key", + author, + 8, + ), + ( + "dnssec-settime", + "dnssec-settime", + "set the key timing metadata for a DNSSEC key", + author, + 8, + ), + ("dnssec-signzone", "dnssec-signzone", "DNSSEC zone signing tool", author, 8), + ("dnssec-verify", "dnssec-verify", "DNSSEC zone verification tool", author, 8), + ( + "dnstap-read", + "dnstap-read", + "print dnstap data in human-readable form", + author, + 1, + ), + ( + "filter-aaaa", + "filter-aaaa", + "filter AAAA in DNS responses when A is present", + author, + 8, + ), + ("host", "host", "DNS lookup utility", author, 1), + ("mdig", "mdig", "DNS pipelined lookup utility", author, 1), + ( + "named-checkconf", + "named-checkconf", + "named configuration file syntax checking tool", + author, + 8, + ), + ( + "named-checkzone", + "named-checkzone", + "zone file validity checking or converting tool", + author, + 8, + ), + ( + "named-compilezone", + "named-compilezone", + "zone file validity checking or converting tool", + author, + 8, + ), + ( + 
"named-journalprint", + "named-journalprint", + "print zone journal in human-readable form", + author, + 8, + ), + ( + "named-nzd2nzf", + "named-nzd2nzf", + "convert an NZD database to NZF text format", + author, + 8, + ), + ( + "named-rrchecker", + "named-rrchecker", + "syntax checker for individual DNS resource records", + author, + 1, + ), + ("named.conf", "named.conf", "configuration file for **named**", author, 5), + ("named", "named", "Internet domain name server", author, 8), + ("nsec3hash", "nsec3hash", "generate NSEC3 hash", author, 8), + ("nslookup", "nslookup", "query Internet name servers interactively", author, 1), + ("nsupdate", "nsupdate", "dynamic DNS update utility", author, 1), + ("pkcs11-destroy", "pkcs11-destroy", "destroy PKCS#11 objects", author, 8), + ("pkcs11-keygen", "pkcs11-keygen", "generate keys on a PKCS#11 device", author, 8), + ("pkcs11-list", "pkcs11-list", "list PKCS#11 objects", author, 8), + ("pkcs11-tokens", "pkcs11-tokens", "list PKCS#11 available tokens", author, 8), + ("rndc-confgen", "rndc-confgen", "rndc key generation tool", author, 8), + ("rndc.conf", "rndc.conf", "rndc configuration file", author, 5), + ("rndc", "rndc", "name server control utility", author, 8), + ("tsig-keygen", "tsig-keygen", "TSIG key generation tool", author, 8), +] + + +def setup(app): + app.add_crossref_type("iscman", "iscman", "pair: %s; manual page") + # ignore :option: references to simplify doc backports to v9_16 branch + app.add_role_to_domain("std", "option", roles.code_role) diff -Nru bind9-9.16.27/doc/man/ddns-confgen.8in bind9-9.16.33/doc/man/ddns-confgen.8in --- bind9-9.16.27/doc/man/ddns-confgen.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/ddns-confgen.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -32,25 +32,19 @@ ddns-confgen \- ddns key generation tool .SH SYNOPSIS .sp -\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-r\fP randomfile] [name] -.sp -\fBddns\-confgen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-q\fP] [\fB\-r\fP randomfile] [\fB\-s\fP name] [\fB\-z\fP zone] +\fBddns\-confgen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-q\fP] [\fB\-s\fP name] [\fB\-z\fP zone] .SH DESCRIPTION .sp -\fBtsig\-keygen\fP and \fBddns\-confgen\fP are invocation methods for a -utility that generates keys for use in TSIG signing. The resulting keys -can be used, for example, to secure dynamic DNS updates to a zone or for -the \fBrndc\fP command channel. -.sp -When run as \fBtsig\-keygen\fP, a domain name can be specified on the -command line to be used as the name of the generated key. If no -name is specified, the default is \fBtsig\-key\fP\&. -.sp -When run as \fBddns\-confgen\fP, the generated key is accompanied by -configuration text and instructions that can be used with \fBnsupdate\fP -and \fBnamed\fP when setting up dynamic DNS, including an example -\fBupdate\-policy\fP statement. (This usage is similar to the \fBrndc\-confgen\fP -command for setting up command\-channel security.) +\fBddns\-confgen\fP is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the \fBrndc\fP command channel. +.sp +The key name can specified using \fB\-k\fP parameter and defaults to \fBddns\-key\fP\&. +The generated key is accompanied by configuration text and instructions that +can be used with \fBnsupdate\fP and \fBnamed\fP when setting up dynamic DNS, +including an example \fBupdate\-policy\fP statement. +(This usage is similar to the \fBrndc\-confgen\fP command for setting up +command\-channel security.) 
.sp Note that \fBnamed\fP itself can configure a local DDNS key for use with \fBnsupdate \-l\fP; it does this when a zone is configured with 
@@ -61,37 +55,36 @@ .INDENT 0.0 .TP .B \fB\-a algorithm\fP -This option specifies the algorithm to use for the TSIG key. Available choices -are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, and -hmac\-sha512. The default is hmac\-sha256. Options are +This option specifies the algorithm to use for the TSIG key. Available +choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, +and hmac\-sha512. The default is hmac\-sha256. Options are case\-insensitive, and the "hmac\-" prefix may be omitted. .TP .B \fB\-h\fP This option prints a short summary of options and arguments. .TP .B \fB\-k keyname\fP -This option specifies the key name of the DDNS authentication key. The default is -\fBddns\-key\fP when neither the \fB\-s\fP nor \fB\-z\fP option is specified; -otherwise, the default is \fBddns\-key\fP as a separate label followed -by the argument of the option, e.g., \fBddns\-key.example.com.\fP The -key name must have the format of a valid domain name, consisting of +This option specifies the key name of the DDNS authentication key. The +default is \fBddns\-key\fP when neither the \fB\-s\fP nor \fB\-z\fP option is +specified; otherwise, the default is \fBddns\-key\fP as a separate label +followed by the argument of the option, e.g., \fBddns\-key.example.com.\fP +The key name must have the format of a valid domain name, consisting of letters, digits, hyphens, and periods. .TP -.B \fB\-q\fP (\fBddns\-confgen\fP only) +.B \fB\-q\fP This option enables quiet mode, which prints only the key, with no explanatory text or usage examples. This is essentially identical to \fBtsig\-keygen\fP\&. .TP -.B \fB\-s name\fP (\fBddns\-confgen\fP only) -This option generates a configuration example to allow -dynamic updates of a single hostname. The example \fBnamed.conf\fP text -shows how to set an update policy for the specified name using the -"name" nametype. The default key name is \fBddns\-key.name\fP\&. 
Note that the -"self" nametype cannot be used, since the name to be updated may -differ from the key name. This option cannot be used with the \fB\-z\fP -option. +.B \fB\-s name\fP +This option generates a configuration example to allow dynamic updates +of a single hostname. The example \fBnamed.conf\fP text shows how to set +an update policy for the specified name using the "name" nametype. The +default key name is \fBddns\-key.name\fP\&. Note that the "self" nametype +cannot be used, since the name to be updated may differ from the key +name. This option cannot be used with the \fB\-z\fP option. .TP -.B \fB\-z zone\fP (\fBddns\-confgen\fP only) +.B \fB\-z zone\fP This option generates a configuration example to allow dynamic updates of a zone. The example \fBnamed.conf\fP text shows how to set an update policy for the specified zone using the "zonesub" diff -Nru bind9-9.16.27/doc/man/ddns-confgen.rst bind9-9.16.33/doc/man/ddns-confgen.rst --- bind9-9.16.27/doc/man/ddns-confgen.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/ddns-confgen.rst 2022-09-08 13:01:23.000000000 +0000 @@ -11,4 +11,4 @@ :orphan: -.. include:: ../../bin/confgen/ddns-confgen.rst \ No newline at end of file +.. include:: ../../bin/confgen/ddns-confgen.rst diff -Nru bind9-9.16.27/doc/man/dnssec-keyfromlabel.8in bind9-9.16.33/doc/man/dnssec-keyfromlabel.8in --- bind9-9.16.27/doc/man/dnssec-keyfromlabel.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/dnssec-keyfromlabel.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -52,20 +52,16 @@ be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. .sp -If no algorithm is specified, RSASHA1 is used by default -unless the \fB\-3\fP option is specified, in which case NSEC3RSASHA1 -is used instead. (If \fB\-3\fP is used and an algorithm is -specified, that algorithm is checked for compatibility with -NSEC3.) -.sp These values are case\-insensitive. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified along with the \fB\-3\fP option, then NSEC3RSASHA1 is used instead. .sp -Since BIND 9.12.0, this option is mandatory except when using the +This option is mandatory except when using the \fB\-S\fP option, which copies the algorithm from the predecessory key. -Previously, the default for newly generated keys was RSASHA1. +.sp +Changed in version 9.12.0: The default value RSASHA1 for newly generated keys was removed. + .TP .B \fB\-3\fP This option uses an NSEC3\-capable algorithm to generate a DNSSEC key. If this diff -Nru bind9-9.16.27/doc/man/dnssec-keygen.8in bind9-9.16.33/doc/man/dnssec-keygen.8in --- bind9-9.16.27/doc/man/dnssec-keygen.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/dnssec-keygen.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -56,7 +56,7 @@ This option uses an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version is selected; for example, -\fBdnssec\-keygen \-3a RSASHA1\fP specifies the NSEC3RSASHA1 algorithm. +\fBdnssec\-keygen \-3 \-a RSASHA1\fP specifies the NSEC3RSASHA1 algorithm. .TP .B \fB\-a algorithm\fP This option selects the cryptographic algorithm. For DNSSEC keys, the value of diff -Nru bind9-9.16.27/doc/man/dnssec-signzone.8in bind9-9.16.33/doc/man/dnssec-signzone.8in --- bind9-9.16.27/doc/man/dnssec-signzone.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/dnssec-signzone.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -342,15 +342,36 @@ This option generates an NSEC3 chain with the given hex\-encoded salt. A dash (\-) can be used to indicate that no salt is to be used when generating the NSEC3 chain. +.sp +\fBNOTE:\fP +.INDENT 7.0 +.INDENT 3.5 +\fB\-3 \-\fP is the recommended configuration. Adding salt provides no practical benefits. +.UNINDENT +.UNINDENT .TP .B \fB\-H iterations\fP This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default is 10. +.sp +\fBWARNING:\fP +.INDENT 7.0 +.INDENT 3.5 +Values greater than 0 cause interoperability issues and also increase the risk of CPU\-exhausting DoS attacks. The default value has not been changed because the best practices has changed only after BIND 9.16 reached Extended Support Version status. +.UNINDENT +.UNINDENT .TP .B \fB\-A\fP This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3 records and should not generate NSEC3 records for insecure delegations. .sp +\fBWARNING:\fP +.INDENT 7.0 +.INDENT 3.5 +Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to \fBcom.\fP) with sparse secure delegations. +.UNINDENT +.UNINDENT +.sp Using this option twice (i.e., \fB\-AA\fP) turns the OPTOUT flag off for all records. This is useful when using the \fB\-u\fP option to modify an NSEC3 chain which previously had OPTOUT set. diff -Nru bind9-9.16.27/doc/man/named-checkzone.8in bind9-9.16.33/doc/man/named-checkzone.8in --- bind9-9.16.27/doc/man/named-checkzone.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/named-checkzone.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -33,21 +33,12 @@ .SH SYNOPSIS .sp \fBnamed\-checkzone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-o\fP filename] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {zonename} {filename} -.sp -\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-C\fP mode] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} {filename} .SH DESCRIPTION .sp \fBnamed\-checkzone\fP checks the syntax and integrity of a zone file. It performs the same checks as \fBnamed\fP does when loading a zone. This makes \fBnamed\-checkzone\fP useful for checking zone files before configuring them into a name server. -.sp -\fBnamed\-compilezone\fP is similar to \fBnamed\-checkzone\fP, but it always -dumps the zone contents to a specified file in a specified format. -It also applies stricter check levels by default, since the -dump output is used as an actual zone file loaded by \fBnamed\fP\&. -When manually specified otherwise, the check levels must at least be as -strict as those specified in the \fBnamed\fP configuration file. .SH OPTIONS .INDENT 0.0 .TP 
@@ -103,8 +94,8 @@ Mode \fBnone\fP disables the checks. .TP .B \fB\-f format\fP -This option specifies the format of the zone file. Possible formats are \fBtext\fP -(the default), \fBraw\fP, and \fBmap\fP\&. +This option specifies the format of the zone file. Possible formats are +\fBtext\fP (the default), \fBraw\fP, and \fBmap\fP\&. .TP .B \fB\-F format\fP This option specifies the format of the output file specified. For @@ -112,17 +103,15 @@ the zone contents. .sp Possible formats are \fBtext\fP (the default), which is the standard -textual representation of the zone, and \fBmap\fP, \fBraw\fP, and -\fBraw=N\fP, which store the zone in a binary format for rapid -loading by \fBnamed\fP\&. \fBraw=N\fP specifies the format version of the -raw zone file: if \fBN\fP is 0, the raw file can be read by any version of -\fBnamed\fP; if N is 1, the file can only be read by release 9.9.0 or -higher. The default is 1. +textual representation of the zone, and \fBmap\fP, \fBraw\fP, and \fBraw=N\fP, which +store the zone in a binary format for rapid loading by \fBnamed\fP\&. +\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is +0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the +file can only be read by release 9.9.0 or higher. The default is 1. .TP .B \fB\-k mode\fP This option performs \fBcheck\-names\fP checks with the specified failure mode. -Possible modes are \fBfail\fP (the default for \fBnamed\-compilezone\fP), -\fBwarn\fP (the default for \fBnamed\-checkzone\fP), and \fBignore\fP\&. +Possible modes are \fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. .TP .B \fB\-l ttl\fP This option sets a maximum permissible TTL for the input file. Any record with a 
@@ -145,13 +134,11 @@ .TP .B \fB\-n mode\fP This option specifies whether NS records should be checked to see if they are -addresses. Possible modes are \fBfail\fP (the default for -\fBnamed\-compilezone\fP), \fBwarn\fP (the default for \fBnamed\-checkzone\fP), -and \fBignore\fP\&. +addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. .TP .B \fB\-o filename\fP This option writes the zone output to \fBfilename\fP\&. If \fBfilename\fP is \fB\-\fP, then -the zone output is written to standard output. This is mandatory for \fBnamed\-compilezone\fP\&. +the zone output is written to standard output. .TP .B \fB\-r mode\fP This option checks for records that are treated as different by DNSSEC but are @@ -163,9 +150,9 @@ \fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most suitable for processing automatically by a separate script. The relative format is more human\-readable and is thus -suitable for editing by hand. For \fBnamed\-checkzone\fP, this does not -have any effect unless it dumps the zone contents. It also does not -have any meaning if the output format is not text. +suitable for editing by hand. This does not have any effect unless it dumps +the zone contents. It also does not have any meaning if the output format +is not text. .TP .B \fB\-S mode\fP This option checks whether an SRV record refers to a CNAME. Possible modes are 
@@ -187,13 +174,12 @@ \fBnamed.conf\fP\&. .TP .B \fB\-D\fP -This option dumps the zone file in canonical format. This is always enabled for -\fBnamed\-compilezone\fP\&. +This option dumps the zone file in canonical format. .TP .B \fB\-W mode\fP This option specifies whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the -wildcard matching algorithm (\fI\%RFC 1034\fP). Possible modes are \fBwarn\fP +wildcard matching algorithm (\fI\%RFC 4592\fP). Possible modes are \fBwarn\fP (the default) and \fBignore\fP\&. .TP .B \fBzonename\fP @@ -208,8 +194,8 @@ and 0 otherwise. .SH SEE ALSO .sp -\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fI\%RFC 1035\fP, BIND 9 Administrator Reference -Manual. +\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-compilezone(8)\fP, +\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual. .SH AUTHOR Internet Systems Consortium .SH COPYRIGHT diff -Nru bind9-9.16.27/doc/man/named-compilezone.1in bind9-9.16.33/doc/man/named-compilezone.1in --- bind9-9.16.27/doc/man/named-compilezone.1in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/man/named-compilezone.1in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,206 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "NAMED-COMPILEZONE" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" +.SH NAME +named-compilezone \- zone file validity checking or converting tool +.SH SYNOPSIS +.sp +\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} {filename} +.SH DESCRIPTION +.sp +\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file, +and dumps the zone contents to a specified file in a specified format. +It applies strict check levels by default, since the +dump output is used as an actual zone file loaded by \fBnamed\fP\&. +When manually specified otherwise, the check levels must at least be as +strict as those specified in the \fBnamed\fP configuration file. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-d\fP +This option enables debugging. +.TP +.B \fB\-h\fP +This option prints the usage summary and exits. 
+.TP +.B \fB\-q\fP +This option sets quiet mode, which only sets an exit code to indicate +successful or failed completion. +.TP +.B \fB\-v\fP +This option prints the version of the \fBnamed\-checkzone\fP program and exits. +.TP +.B \fB\-j\fP +When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal +file name is assumed to be the zone file name with the +string \fB\&.jnl\fP appended. +.TP +.B \fB\-J filename\fP +When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if +it exists. This implies \fB\-j\fP\&. +.TP +.B \fB\-c class\fP +This option specifies the class of the zone. If not specified, \fBIN\fP is assumed. +.TP +.B \fB\-i mode\fP +This option performs post\-load zone integrity checks. Possible modes are +\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP, +\fBlocal\-sibling\fP, and \fBnone\fP\&. +.sp +Mode \fBfull\fP checks that MX records refer to A or AAAA records +(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only +checks MX records which refer to in\-zone hostnames. +.sp +Mode \fBfull\fP checks that SRV records refer to A or AAAA records +(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only +checks SRV records which refer to in\-zone hostnames. +.sp +Mode \fBfull\fP checks that delegation NS records refer to A or AAAA +records (both in\-zone and out\-of\-zone hostnames). It also checks that +glue address records in the zone match those advertised by the child. +Mode \fBlocal\fP only checks NS records which refer to in\-zone +hostnames or verifies that some required glue exists, i.e., when the +name server is in a child zone. +.sp +Modes \fBfull\-sibling\fP and \fBlocal\-sibling\fP disable sibling glue +checks, but are otherwise the same as \fBfull\fP and \fBlocal\fP, +respectively. +.sp +Mode \fBnone\fP disables the checks. +.TP +.B \fB\-f format\fP +This option specifies the format of the zone file. 
Possible formats are +\fBtext\fP (the default), and \fBraw\fP\&. +.TP +.B \fB\-F format\fP +This option specifies the format of the output file specified. For +\fBnamed\-checkzone\fP, this does not have any effect unless it dumps +the zone contents. +.sp +Possible formats are \fBtext\fP (the default), which is the standard +textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which +store the zone in a binary format for rapid loading by \fBnamed\fP\&. +\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is +0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the +file can only be read by release 9.9.0 or higher. The default is 1. +.TP +.B \fB\-k mode\fP +This option performs \fBcheck\-names\fP checks with the specified failure mode. +Possible modes are \fBfail\fP (the default), \fBwarn\fP, and \fBignore\fP\&. +.TP +.B \fB\-l ttl\fP +This option sets a maximum permissible TTL for the input file. Any record with a +TTL higher than this value causes the zone to be rejected. This +is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&. +.TP +.B \fB\-L serial\fP +When compiling a zone to \fBraw\fP format, this option sets the "source +serial" value in the header to the specified serial number. This is +expected to be used primarily for testing purposes. +.TP +.B \fB\-m mode\fP +This option specifies whether MX records should be checked to see if they are +addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and +\fBignore\fP\&. +.TP +.B \fB\-M mode\fP +This option checks whether a MX record refers to a CNAME. Possible modes are +\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-n mode\fP +This option specifies whether NS records should be checked to see if they are +addresses. Possible modes are \fBfail\fP (the default), \fBwarn\fP, and +\fBignore\fP\&. +.TP +.B \fB\-o filename\fP +This option writes the zone output to \fBfilename\fP\&. 
If \fBfilename\fP is \fB\-\fP, then +the zone output is written to standard output. This is mandatory for \fBnamed\-compilezone\fP\&. +.TP +.B \fB\-r mode\fP +This option checks for records that are treated as different by DNSSEC but are +semantically equal in plain DNS. Possible modes are \fBfail\fP, +\fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-s style\fP +This option specifies the style of the dumped zone file. Possible styles are +\fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most +suitable for processing automatically by a separate script. +The relative format is more human\-readable and is thus +suitable for editing by hand. +.TP +.B \fB\-S mode\fP +This option checks whether an SRV record refers to a CNAME. Possible modes are +\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-t directory\fP +This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the +configuration file are processed as if run by a similarly chrooted +\fBnamed\fP\&. +.TP +.B \fB\-T mode\fP +This option checks whether Sender Policy Framework (SPF) records exist and issues a +warning if an SPF\-formatted TXT record is not also present. Possible +modes are \fBwarn\fP (the default) and \fBignore\fP\&. +.TP +.B \fB\-w directory\fP +This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file +\fB$INCLUDE\fP directives work. This is similar to the directory clause in +\fBnamed.conf\fP\&. +.TP +.B \fB\-D\fP +This option dumps the zone file in canonical format. This is always enabled for +\fBnamed\-compilezone\fP\&. +.TP +.B \fB\-W mode\fP +This option specifies whether to check for non\-terminal wildcards. Non\-terminal +wildcards are almost always the result of a failure to understand the +wildcard matching algorithm (\fI\%RFC 4592\fP). Possible modes are \fBwarn\fP +(the default) and \fBignore\fP\&. 
+.TP +.B \fBzonename\fP +This indicates the domain name of the zone being checked. +.TP +.B \fBfilename\fP +This is the name of the zone file. +.UNINDENT +.SH RETURN VALUES +.sp +\fBnamed\-compilezone\fP returns an exit status of 1 if errors were detected +and 0 otherwise. +.SH SEE ALSO +.sp +\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, +\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2022, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. diff -Nru bind9-9.16.27/doc/man/named-compilezone.8in bind9-9.16.33/doc/man/named-compilezone.8in --- bind9-9.16.27/doc/man/named-compilezone.8in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/man/named-compilezone.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,206 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "NAMED-COMPILEZONE" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +named-compilezone \- zone file validity checking or converting tool +.SH SYNOPSIS +.sp +\fBnamed\-compilezone\fP [\fB\-d\fP] [\fB\-h\fP] [\fB\-j\fP] [\fB\-q\fP] [\fB\-v\fP] [\fB\-c\fP class] [\fB\-f\fP format] [\fB\-F\fP format] [\fB\-J\fP filename] [\fB\-i\fP mode] [\fB\-k\fP mode] [\fB\-m\fP mode] [\fB\-M\fP mode] [\fB\-n\fP mode] [\fB\-l\fP ttl] [\fB\-L\fP serial] [\fB\-r\fP mode] [\fB\-s\fP style] [\fB\-S\fP mode] [\fB\-t\fP directory] [\fB\-T\fP mode] [\fB\-w\fP directory] [\fB\-D\fP] [\fB\-W\fP mode] {\fB\-o\fP filename} {zonename} {filename} +.SH DESCRIPTION +.sp +\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file, +and dumps the zone contents to a specified file in a specified format. +It applies strict check levels by default, since the +dump output is used as an actual zone file loaded by \fBnamed\fP\&. +When manually specified otherwise, the check levels must at least be as +strict as those specified in the \fBnamed\fP configuration file. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-d\fP +This option enables debugging. +.TP +.B \fB\-h\fP +This option prints the usage summary and exits. 
+.TP +.B \fB\-q\fP +This option sets quiet mode, which only sets an exit code to indicate +successful or failed completion. +.TP +.B \fB\-v\fP +This option prints the version of the \fBnamed\-checkzone\fP program and exits. +.TP +.B \fB\-j\fP +When loading a zone file, this option tells \fBnamed\fP to read the journal if it exists. The journal +file name is assumed to be the zone file name with the +string \fB\&.jnl\fP appended. +.TP +.B \fB\-J filename\fP +When loading the zone file, this option tells \fBnamed\fP to read the journal from the given file, if +it exists. This implies \fB\-j\fP\&. +.TP +.B \fB\-c class\fP +This option specifies the class of the zone. If not specified, \fBIN\fP is assumed. +.TP +.B \fB\-i mode\fP +This option performs post\-load zone integrity checks. Possible modes are +\fBfull\fP (the default), \fBfull\-sibling\fP, \fBlocal\fP, +\fBlocal\-sibling\fP, and \fBnone\fP\&. +.sp +Mode \fBfull\fP checks that MX records refer to A or AAAA records +(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only +checks MX records which refer to in\-zone hostnames. +.sp +Mode \fBfull\fP checks that SRV records refer to A or AAAA records +(both in\-zone and out\-of\-zone hostnames). Mode \fBlocal\fP only +checks SRV records which refer to in\-zone hostnames. +.sp +Mode \fBfull\fP checks that delegation NS records refer to A or AAAA +records (both in\-zone and out\-of\-zone hostnames). It also checks that +glue address records in the zone match those advertised by the child. +Mode \fBlocal\fP only checks NS records which refer to in\-zone +hostnames or verifies that some required glue exists, i.e., when the +name server is in a child zone. +.sp +Modes \fBfull\-sibling\fP and \fBlocal\-sibling\fP disable sibling glue +checks, but are otherwise the same as \fBfull\fP and \fBlocal\fP, +respectively. +.sp +Mode \fBnone\fP disables the checks. +.TP +.B \fB\-f format\fP +This option specifies the format of the zone file. 
Possible formats are +\fBtext\fP (the default), \fBraw\fP, and \fBmap\fP\&. +.TP +.B \fB\-F format\fP +This option specifies the format of the output file specified. For +\fBnamed\-checkzone\fP, this does not have any effect unless it dumps +the zone contents. +.sp +Possible formats are \fBtext\fP (the default), which is the standard +textual representation of the zone, and \fBmap\fP, \fBraw\fP, and \fBraw=N\fP, which +store the zone in a binary format for rapid loading by \fBnamed\fP\&. +\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is +0, the raw file can be read by any version of \fBnamed\fP; if N is 1, the +file can only be read by release 9.9.0 or higher. The default is 1. +.TP +.B \fB\-k mode\fP +This option performs \fBcheck\-names\fP checks with the specified failure mode. +Possible modes are \fBfail\fP (the default), \fBwarn\fP, and \fBignore\fP\&. +.TP +.B \fB\-l ttl\fP +This option sets a maximum permissible TTL for the input file. Any record with a +TTL higher than this value causes the zone to be rejected. This +is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP\&. +.TP +.B \fB\-L serial\fP +When compiling a zone to \fBraw\fP or \fBmap\fP format, this option sets the "source +serial" value in the header to the specified serial number. This is +expected to be used primarily for testing purposes. +.TP +.B \fB\-m mode\fP +This option specifies whether MX records should be checked to see if they are +addresses. Possible modes are \fBfail\fP, \fBwarn\fP (the default), and +\fBignore\fP\&. +.TP +.B \fB\-M mode\fP +This option checks whether a MX record refers to a CNAME. Possible modes are +\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-n mode\fP +This option specifies whether NS records should be checked to see if they are +addresses. Possible modes are \fBfail\fP (the default), \fBwarn\fP, and +\fBignore\fP\&. 
+.TP +.B \fB\-o filename\fP +This option writes the zone output to \fBfilename\fP\&. If \fBfilename\fP is \fB\-\fP, then +the zone output is written to standard output. This is mandatory for \fBnamed\-compilezone\fP\&. +.TP +.B \fB\-r mode\fP +This option checks for records that are treated as different by DNSSEC but are +semantically equal in plain DNS. Possible modes are \fBfail\fP, +\fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-s style\fP +This option specifies the style of the dumped zone file. Possible styles are +\fBfull\fP (the default) and \fBrelative\fP\&. The \fBfull\fP format is most +suitable for processing automatically by a separate script. +The relative format is more human\-readable and is thus +suitable for editing by hand. +.TP +.B \fB\-S mode\fP +This option checks whether an SRV record refers to a CNAME. Possible modes are +\fBfail\fP, \fBwarn\fP (the default), and \fBignore\fP\&. +.TP +.B \fB\-t directory\fP +This option tells \fBnamed\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the +configuration file are processed as if run by a similarly chrooted +\fBnamed\fP\&. +.TP +.B \fB\-T mode\fP +This option checks whether Sender Policy Framework (SPF) records exist and issues a +warning if an SPF\-formatted TXT record is not also present. Possible +modes are \fBwarn\fP (the default) and \fBignore\fP\&. +.TP +.B \fB\-w directory\fP +This option instructs \fBnamed\fP to chdir to \fBdirectory\fP, so that relative filenames in master file +\fB$INCLUDE\fP directives work. This is similar to the directory clause in +\fBnamed.conf\fP\&. +.TP +.B \fB\-D\fP +This option dumps the zone file in canonical format. This is always enabled for +\fBnamed\-compilezone\fP\&. +.TP +.B \fB\-W mode\fP +This option specifies whether to check for non\-terminal wildcards. Non\-terminal +wildcards are almost always the result of a failure to understand the +wildcard matching algorithm (\fI\%RFC 4592\fP). 
Possible modes are \fBwarn\fP +(the default) and \fBignore\fP\&. +.TP +.B \fBzonename\fP +This indicates the domain name of the zone being checked. +.TP +.B \fBfilename\fP +This is the name of the zone file. +.UNINDENT +.SH RETURN VALUES +.sp +\fBnamed\-compilezone\fP returns an exit status of 1 if errors were detected +and 0 otherwise. +.SH SEE ALSO +.sp +\fBnamed(8)\fP, \fBnamed\-checkconf(8)\fP, \fBnamed\-checkzone(8)\fP, +\fI\%RFC 1035\fP, BIND 9 Administrator Reference Manual. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2022, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. diff -Nru bind9-9.16.27/doc/man/named-compilezone.rst bind9-9.16.33/doc/man/named-compilezone.rst --- bind9-9.16.27/doc/man/named-compilezone.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/man/named-compilezone.rst 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,14 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +:orphan: + +.. include:: ../../bin/check/named-compilezone.rst diff -Nru bind9-9.16.27/doc/man/named.8in bind9-9.16.33/doc/man/named.8in --- bind9-9.16.27/doc/man/named.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/named.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -32,7 +32,7 @@ named \- Internet domain name server .SH SYNOPSIS .sp -\fBnamed\fP [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-c\fP config\-file] [\fB\-d\fP debug\-level] [\fB\-D\fP string] [\fB\-E\fP engine\-name] [\fB\-f\fP] [\fB\-g\fP] [\fB\-L\fP logfile] [\fB\-M\fP option] [\fB\-m\fP flag] [\fB\-n\fP #cpus] [\fB\-p\fP port] [\fB\-s\fP] [\fB\-S\fP #max\-socks] [\fB\-t\fP directory] [\fB\-U\fP #listeners] [\fB\-u\fP user] [\fB\-v\fP] [\fB\-V\fP] [\fB\-X\fP lock\-file] [\fB\-x\fP cache\-file] +\fBnamed\fP [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-c\fP config\-file] [\fB\-C\fP] [\fB\-d\fP debug\-level] [\fB\-D\fP string] [\fB\-E\fP engine\-name] [\fB\-f\fP] [\fB\-g\fP] [\fB\-L\fP logfile] [\fB\-M\fP option] [\fB\-m\fP flag] [\fB\-n\fP #cpus] [\fB\-p\fP port] [\fB\-s\fP] [\fB\-S\fP #max\-socks] [\fB\-t\fP directory] [\fB\-U\fP #listeners] [\fB\-u\fP user] [\fB\-v\fP] [\fB\-V\fP] [\fB\-X\fP lock\-file] [\fB\-x\fP cache\-file] .SH DESCRIPTION .sp \fBnamed\fP is a Domain Name System (DNS) server, part of the BIND 9 @@ -59,6 +59,19 @@ can be reloaded after the server has changed its working directory due to to a possible \fBdirectory\fP option in the configuration file, \fBconfig\-file\fP should be an absolute pathname. +.UNINDENT +.sp +\fB\-C\fP +.INDENT 0.0 +.INDENT 3.5 +This option prints out the default built\-in configuration and exits. +.sp +NOTE: This is for debugging purposes only and is not an +accurate representation of the actual configuration used by \fBnamed\fP +at runtime. +.UNINDENT +.UNINDENT +.INDENT 0.0 .TP .B \fB\-d debug\-level\fP This option sets the daemon\(aqs debug level to \fBdebug\-level\fP\&. Debugging traces from 
@@ -87,15 +100,32 @@ .TP .B \fB\-L logfile\fP This option sets the log to the file \fBlogfile\fP by default, instead of the system log. -.TP -.B \fB\-M option\fP -This option sets the default memory context options. If set to \fBexternal\fP, -the internal memory manager is bypassed in favor of -system\-provided memory allocation functions. If set to \fBfill\fP, blocks -of memory are filled with tag values when allocated or freed, to -assist debugging of memory problems. \fBnofill\fP disables this behavior, -and is the default unless \fBnamed\fP has been compiled with developer -options. +.UNINDENT +.sp +\fB\-M option\fP +.INDENT 0.0 +.INDENT 3.5 +This option sets the default (comma\-separated) memory context +options. The possible flags are: +.INDENT 0.0 +.IP \(bu 2 +\fBexternal\fP: use system\-provided memory allocation functions; this +is the implicit default. +.IP \(bu 2 +\fBinternal\fP: use the internal memory manager. +.IP \(bu 2 +\fBfill\fP: fill blocks of memory with tag values when they are +allocated or freed, to assist debugging of memory problems; this is +the implicit default if \fBnamed\fP has been compiled with +\fB\-\-enable\-developer\fP\&. +.IP \(bu 2 +\fBnofill\fP: disable the behavior enabled by \fBfill\fP; this is the +implicit default unless \fBnamed\fP has been compiled with +\fB\-\-enable\-developer\fP\&. +.UNINDENT +.UNINDENT +.UNINDENT +.INDENT 0.0 .TP .B \fB\-m flag\fP This option turns on memory usage debugging flags. Possible flags are \fBusage\fP, diff -Nru bind9-9.16.27/doc/man/named.conf.5in bind9-9.16.33/doc/man/named.conf.5in --- bind9-9.16.27/doc/man/named.conf.5in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/named.conf.5in 2022-09-08 13:01:23.000000000 +0000 
@@ -448,6 +448,7 @@ [ recursive\-only boolean ] [ nsip\-enable boolean ] [ nsdname\-enable boolean ] [ dnsrps\-enable boolean ] [ dnsrps\-options { unspecified\-text } ]; + reuseport boolean; root\-delegation\-only [ exclude { string; ... } ]; root\-key\-sentinel boolean; rrset\-order { [ class string ] [ type string ] [ name diff -Nru bind9-9.16.27/doc/man/rndc.8in bind9-9.16.33/doc/man/rndc.8in --- bind9-9.16.27/doc/man/rndc.8in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/man/rndc.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -171,14 +171,16 @@ \fBrndc dnssec \-rollover\fP allows you to schedule key rollover for a specific key (overriding the original key lifetime). .sp -\fBrndc dnssec \-checkds\fP will let \fBnamed\fP know that the DS for the given -key has been seen published into or withdrawn from the parent. This is -required in order to complete a KSK rollover. If the \fB\-key id\fP argument -is specified, look for the key with the given identifier, otherwise if there -is only one key acting as a KSK in the zone, assume the DS of that key (if -there are multiple keys with the same tag, use \fB\-alg algorithm\fP to -select the correct algorithm). The time that the DS has been published or -withdrawn is set to now, unless otherwise specified with the argument \fB\-when time\fP\&. +\fBrndc dnssec \-checkds\fP informs \fBnamed\fP that the DS for +a specified zone\(aqs key\-signing key has been confirmed to be published +in, or withdrawn from, the parent zone. This is required in order to +complete a KSK rollover. The \fB\-key id\fP and \fB\-alg algorithm\fP arguments +can be used to specify a particular KSK, if necessary; if there is only +one key acting as a KSK for the zone, these arguments can be omitted. +The time of publication or withdrawal for the DS is set to the current +time by default, but can be overridden to a specific time with the +argument \fB\-when time\fP, where \fBtime\fP is expressed in YYYYMMDDHHMMSS +notation. .TP \fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] ) This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows 
@@ -491,15 +493,21 @@ depending on whether the opt\-out bit in the NSEC3 chain should be set. \fBiterations\fP defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string -of data expressed in hexadecimal, a hyphen (\fI\-\(aq) if no salt is to be -used, or the keyword \(ga\(gaauto\(ga\fP, which causes \fBnamed\fP to generate a +of data expressed in hexadecimal, a hyphen (\fB\-\fP) if no salt is to be +used, or the keyword \fBauto\fP, which causes \fBnamed\fP to generate a random 64\-bit salt. .sp -So, for example, to create an NSEC3 chain using the SHA\-1 hash -algorithm, no opt\-out flag, 10 iterations, and a salt value of -"FFFF", use: \fBrndc signing \-nsec3param 1 0 10 FFFF zone\fP\&. To set -the opt\-out flag, 15 iterations, and no salt, use: -\fBrndc signing \-nsec3param 1 1 15 \- zone\fP\&. +The only recommended configuration is \fBrndc signing \-nsec3param 1 0 0 \- zone\fP, +i.e. no salt, no additional iterations, no opt\-out. +.sp +\fBWARNING:\fP +.INDENT 7.0 +.INDENT 3.5 +Do not use extra iterations, salt, or opt\-out unless all their implications +are fully understood. A higher number of iterations causes interoperability +problems and opens servers to CPU\-exhausting DoS attacks. +.UNINDENT +.UNINDENT .sp \fBrndc signing \-nsec3param none\fP removes an existing NSEC3 chain and replaces it with NSEC. diff -Nru bind9-9.16.27/doc/man/tsig-keygen.8in bind9-9.16.33/doc/man/tsig-keygen.8in --- bind9-9.16.27/doc/man/tsig-keygen.8in 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/man/tsig-keygen.8in 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,64 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "TSIG-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +tsig-keygen \- TSIG key generation tool +.SH SYNOPSIS +.sp +\fBtsig\-keygen\fP [\fB\-a\fP algorithm] [\fB\-h\fP] [name] +.SH DESCRIPTION +.sp +\fBtsig\-keygen\fP is an utility that generates keys for use in TSIG signing. +The resulting keys can be used, for example, to secure dynamic DNS updates +to a zone, or for the \fBrndc\fP command channel. +.sp +A domain name can be specified on the command line to be used as the name +of the generated key. If no name is specified, the default is \fBtsig\-key\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-a algorithm\fP +This option specifies the algorithm to use for the TSIG key. Available +choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384, +and hmac\-sha512. The default is hmac\-sha256. Options are +case\-insensitive, and the "hmac\-" prefix may be omitted. +.TP +.B \fB\-h\fP +This option prints a short summary of options and arguments. +.UNINDENT +.SH SEE ALSO +.sp +\fBnsupdate(1)\fP, \fBnamed.conf(5)\fP, \fBnamed(8)\fP, BIND 9 Administrator Reference Manual. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2022, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. 
diff -Nru bind9-9.16.27/doc/man/tsig-keygen.rst bind9-9.16.33/doc/man/tsig-keygen.rst --- bind9-9.16.27/doc/man/tsig-keygen.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/man/tsig-keygen.rst 2022-09-08 13:01:23.000000000 +0000 @@ -0,0 +1,14 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +:orphan: + +.. include:: ../../bin/confgen/tsig-keygen.rst diff -Nru bind9-9.16.27/doc/misc/options bind9-9.16.33/doc/misc/options --- bind9-9.16.27/doc/misc/options 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/misc/options 2022-09-08 13:01:23.000000000 +0000 @@ -347,6 +347,7 @@ [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; + reuseport ; rfc2308-type1 ; // ancient root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; diff -Nru bind9-9.16.27/doc/misc/options.active bind9-9.16.33/doc/misc/options.active --- bind9-9.16.27/doc/misc/options.active 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/misc/options.active 2022-09-08 13:01:23.000000000 +0000 @@ -313,6 +313,7 @@ [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; + reuseport ; root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; rrset-order { [ class ] [ type ] [ name diff -Nru bind9-9.16.27/doc/misc/options.grammar.rst bind9-9.16.33/doc/misc/options.grammar.rst --- bind9-9.16.27/doc/misc/options.grammar.rst 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/doc/misc/options.grammar.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -93,15 +93,12 @@ dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); - dnstap { ( all | auth | client | forwarder | - resolver | update ) [ ( query | response ) ]; - ... }; - dnstap-identity ( | none | - hostname ); - dnstap-output ( file | unix ) [ - size ( unlimited | ) ] [ versions ( - unlimited | ) ] [ suffix ( increment - | timestamp ) ]; + dnstap { ( all | auth | client | forwarder | resolver | update ) [ + ( query | response ) ]; ... }; + dnstap-identity ( | none | hostname ); + dnstap-output ( file | unix ) [ size ( unlimited | + ) ] [ versions ( unlimited | ) ] [ suffix ( + increment | timestamp ) ]; dnstap-version ( | none ); dscp ; dual-stack-servers [ port ] { ( [ port @@ -253,6 +250,7 @@ [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; + reuseport ; root-delegation-only [ exclude { ; ... } ]; root-key-sentinel ; rrset-order { [ class ] [ type ] [ name diff -Nru bind9-9.16.27/doc/notes/notes-9.16.28.rst bind9-9.16.33/doc/notes/notes-9.16.28.rst --- bind9-9.16.27/doc/notes/notes-9.16.28.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/notes/notes-9.16.28.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,33 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.28
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new configuration option ``reuseport`` to disable load balancing
+ on sockets in situations where processing of Response Policy Zones
+ (RPZ), Catalog Zones, or large zone transfers can cause service
+ disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`
+
+Bug Fixes
+~~~~~~~~~
+
+- Invalid ``dnssec-policy`` definitions, where the defined keys did not
+ cover both KSK and ZSK roles for a given algorithm, were being
+ accepted. These are now checked, and the ``dnssec-policy`` is rejected
+ if both roles are not present for all algorithms in use. :gl:`#3142`
+
+- Handling of TCP write timeouts has been improved to track the timeout
+ for each TCP write separately, leading to a faster connection teardown
+ in case the other party is not reading the data. :gl:`#3200`
diff -Nru bind9-9.16.27/doc/notes/notes-9.16.29.rst bind9-9.16.33/doc/notes/notes-9.16.29.rst
--- bind9-9.16.27/doc/notes/notes-9.16.29.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/doc/notes/notes-9.16.29.rst 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,20 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.29
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+ when configured with the ``auto-dnssec maintain;`` option. This has
+ been fixed. :gl:`#2931`
diff -Nru bind9-9.16.27/doc/notes/notes-9.16.30.rst bind9-9.16.33/doc/notes/notes-9.16.30.rst
--- bind9-9.16.27/doc/notes/notes-9.16.30.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/doc/notes/notes-9.16.30.rst 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,30 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.30
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- The ``fetches-per-server`` quota is designed to adjust itself downward
+ automatically when an authoritative server times out too frequently.
+ Due to a coding error, that adjustment was applied incorrectly, so
+ that the quota for a congested server was always set to 1. This has
+ been fixed. :gl:`#3327`
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+ has been fixed. :gl:`#3380`
+
+- Key files were updated every time the ``dnssec-policy`` key manager
+ ran, whether the metadata had changed or not. :iscman:`named` now
+ checks whether changes were applied before writing out the key files.
+ :gl:`#3302`
diff -Nru bind9-9.16.27/doc/notes/notes-9.16.31.rst bind9-9.16.33/doc/notes/notes-9.16.31.rst
--- bind9-9.16.27/doc/notes/notes-9.16.31.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/doc/notes/notes-9.16.31.rst 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,24 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.31
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure caused by a TCP connection closing between a
+ connect (or accept) and a read from a socket has been fixed.
+ :gl:`#3400`
+
+- :iscman:`named` could crash during a very rare situation that could
+ arise when validating a query which had timed out at that exact
+ moment. This has been fixed. :gl:`#3398`
diff -Nru bind9-9.16.27/doc/notes/notes-9.16.32.rst bind9-9.16.33/doc/notes/notes-9.16.32.rst
--- bind9-9.16.27/doc/notes/notes-9.16.32.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.16.33/doc/notes/notes-9.16.32.rst 2022-09-08 13:01:23.000000000 +0000
@@ -0,0 +1,49 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.32 +---------------------- + +Feature Changes +~~~~~~~~~~~~~~~ + +- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically + disabled on systems where they are disallowed by the security policy + (e.g. Red Hat Enterprise Linux 9). Primary zones using those + algorithms need to be migrated to new algorithms prior to running on + these systems, as graceful migration to different DNSSEC algorithms is + not possible when RSASHA1 is disallowed by the operating system. + :gl:`#3469` + +- Log messages related to fetch limiting have been improved to provide + more complete information. Specifically, the final counts of allowed + and spilled fetches are now logged before the counter object is + destroyed. :gl:`#3461` + +Bug Fixes +~~~~~~~~~ + +- Non-dynamic zones that inherit ``dnssec-policy`` from the + ``view`` or ``options`` blocks were not + marked as inline-signed and therefore never scheduled to be re-signed. + This has been fixed. :gl:`#3438` + +- The old ``max-zone-ttl`` zone option was meant to be superseded by + the ``max-zone-ttl`` option in ``dnssec-policy``; however, the + latter option was not fully effective. This has been corrected: zones + no longer load if they contain TTLs greater than the limit configured + in ``dnssec-policy``. For zones with both the old + ``max-zone-ttl`` option and ``dnssec-policy`` configured, the + old option is ignored, and a warning is generated. 
:gl:`#2918` + +- ``rndc dumpdb -expired`` was fixed to include + expired RRsets, even if ``stale-cache-enable`` is set to ``no`` and + the cache-cleaning time window has passed. :gl:`#3462` diff -Nru bind9-9.16.27/doc/notes/notes-9.16.33.rst bind9-9.16.33/doc/notes/notes-9.16.33.rst --- bind9-9.16.27/doc/notes/notes-9.16.33.rst 1970-01-01 00:00:00.000000000 +0000 +++ bind9-9.16.33/doc/notes/notes-9.16.33.rst 2022-09-08 13:01:23.000000000 +0000 
@@ -0,0 +1,61 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +Notes for BIND 9.16.33 +---------------------- + +Security Fixes +~~~~~~~~~~~~~~ + +- Previously, there was no limit to the number of database lookups + performed while processing large delegations, which could be abused to + severely impact the performance of :iscman:`named` running as a + recursive resolver. This has been fixed. (CVE-2022-2795) + + ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat + Bremler-Barr & Shani Stajnrod from Reichman University for bringing + this vulnerability to our attention. :gl:`#3394` + +- :iscman:`named` running as a resolver with the + ``stale-answer-client-timeout`` option set to ``0`` could crash with + an assertion failure, when there was a stale CNAME in the cache for + the incoming query. This has been fixed. (CVE-2022-3080) :gl:`#3517` + +- A memory leak was fixed that could be externally triggered in the + DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) + :gl:`#3487` + +- Memory leaks were fixed that could be externally triggered in the + DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) + :gl:`#3487` + +Feature Changes +~~~~~~~~~~~~~~~ + +- Response Rate Limiting (RRL) code now treats all QNAMEs that are + subject to wildcard processing within a given zone as the same name, + to prevent circumventing the limits enforced by RRL. :gl:`#3459` + +- Zones using ``dnssec-policy`` now require dynamic DNS or + ``inline-signing`` to be configured explicitly. 
:gl:`#3381` + +- A backward-compatible approach was implemented for encoding + internationalized domain names (IDN) in :iscman:`dig` and converting + the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003 + conversion. :gl:`#3485` + +Bug Fixes +~~~~~~~~~ + +- A serve-stale bug was fixed, where BIND would try to return stale data + from cache for lookups that received duplicate queries or queries that + would be dropped. This bug resulted in premature SERVFAIL responses, + and has now been resolved. :gl:`#2982` Binary files /srv/release.debian.org/tmp/x7Frx0ChXd/bind9-9.16.27/fuzz/dns_master_load.in/generate-counter-overflow.db and /srv/release.debian.org/tmp/GG6_iXBfdC/bind9-9.16.33/fuzz/dns_master_load.in/generate-counter-overflow.db differ diff -Nru bind9-9.16.27/lib/bind9/check.c bind9-9.16.33/lib/bind9/check.c --- bind9-9.16.27/lib/bind9/check.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/bind9/check.c 2022-09-08 13:01:23.000000000 +0000 @@ -505,7 +505,14 @@ return (result); } -static const unsigned char zeros[16]; +static void +dns64_error(const cfg_obj_t *obj, isc_log_t *logctx, isc_netaddr_t *netaddr, + unsigned int prefixlen, const char *message) { + char buf[ISC_NETADDR_FORMATSIZE + 1]; + isc_netaddr_format(netaddr, buf, sizeof(buf)); + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "dns64 prefix %s/%u %s", buf, + prefixlen, message); +} static isc_result_t check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions, @@ -544,16 +551,15 @@ cfg_obj_asnetprefix(obj, &na, &prefixlen); if (na.family != AF_INET6) { - cfg_obj_log(map, logctx, ISC_LOG_ERROR, - "dns64 requires a IPv6 prefix"); + dns64_error(map, logctx, &na, prefixlen, + "must be IPv6"); result = ISC_R_FAILURE; continue; } if (na.type.in6.s6_addr[8] != 0) { - cfg_obj_log(map, logctx, ISC_LOG_ERROR, - "invalid prefix, bits [64..71] must be " - "zero"); + dns64_error(map, logctx, &na, prefixlen, + "bits [64..71] must be zero"); result = ISC_R_FAILURE; continue; } 
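Review bot: The new `dns64_error()` helper in the `@@ -505,7 +505,14 @@` hunk of lib/bind9/check.c takes `isc_netaddr_t *netaddr` but only formats it, so the parameter can be `const isc_netaddr_t *netaddr`, assuming `isc_netaddr_format()` accepts a const pointer. The helper also has no header comment; one line such as `/* Log a dns64 prefix error as "dns64 prefix <addr>/<len> <message>" against obj. */` would record the message shape that the three call sites in `check_dns64()` now depend on. The `+ 1` on `ISC_NETADDR_FORMATSIZE` looks redundant if that constant already includes the terminator, which is not visible here.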
@@ -561,9 +567,8 @@ if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 && prefixlen != 56 && prefixlen != 64 && prefixlen != 96) { - cfg_obj_log(map, logctx, ISC_LOG_ERROR, - "bad prefix length %u [32/40/48/56/64/96]", - prefixlen); + dns64_error(map, logctx, &na, prefixlen, + "length is not 32/40/48/56/64/96"); result = ISC_R_FAILURE; continue; } @@ -590,6 +595,7 @@ obj = NULL; (void)cfg_map_get(map, "suffix", &obj); if (obj != NULL) { + static const unsigned char zeros[16]; isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj)); if (sa.family != AF_INET6) { cfg_obj_log(map, logctx, ISC_LOG_ERROR, @@ -2164,8 +2170,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } for (element2 = cfg_list_first(typelist); element2 != NULL; @@ -2336,7 +2341,7 @@ const char *target = NULL; unsigned int ztype; const cfg_obj_t *zoptions, *goptions = NULL; - const cfg_obj_t *obj = NULL; + const cfg_obj_t *obj = NULL, *kasp = NULL; const cfg_obj_t *inviewobj = NULL; isc_result_t result = ISC_R_SUCCESS; isc_result_t tresult; @@ -2495,8 +2500,8 @@ } else if (dns_name_isula(zname)) { ula = true; } - tmp += strlen(tmp); len -= strlen(tmp); + tmp += strlen(tmp); (void)snprintf(tmp, len, "%u/%s", zclass, (ztype == CFG_ZONE_INVIEW) ? target : (viewname != NULL) ? viewname @@ -2545,8 +2550,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
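Review bot: In the `@@ -2495,8 +2500,8 @@` hunk the corrected pair `len -= strlen(tmp); tmp += strlen(tmp);` still depends on statement order and scans the string twice. Taking the length once, `size_t used = strlen(tmp); len -= used; tmp += used;`, removes the ordering trap. With the old order `len` was never reduced, so the following `snprintf()` was given a size larger than the space left in the buffer. The `(void)snprintf(...)` result is still discarded, so truncation would go unnoticed; whether that matters depends on how the buffer is used after the hunk. The same pair is swapped in the `@@ -3244,8 +3276,8 @@` hunk for `keydirbuf`, and the same change applies there.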
@@ -2627,6 +2631,30 @@ } } } + if (has_dnssecpolicy) { + kasp = obj; + } + } + + /* + * Warn about zones with both dnssec-policy and max-zone-ttl + */ + if (has_dnssecpolicy) { + obj = NULL; + (void)cfg_map_get(zoptions, "max-zone-ttl", &obj); + if (obj == NULL && voptions != NULL) { + (void)cfg_map_get(voptions, "max-zone-ttl", &obj); + } + if (obj == NULL && goptions != NULL) { + (void)cfg_map_get(goptions, "max-zone-ttl", &obj); + } + if (obj != NULL) { + cfg_obj_log(obj, logctx, ISC_LOG_WARNING, + "zone '%s': option 'max-zone-ttl' " + "is ignored when used together with " + "'dnssec-policy'", + znamestr); + } } /* @@ -2903,12 +2931,17 @@ res1 = cfg_map_get(zoptions, "inline-signing", &obj); if (res1 == ISC_R_SUCCESS) { signing = cfg_obj_asboolean(obj); - if (has_dnssecpolicy && !ddns && !signing) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "'inline-signing;' cannot be set " - "to 'no' " - "if dnssec-policy is also set on a " - "non-dynamic DNS zone"); + } + + if (has_dnssecpolicy) { + if (!ddns && !signing) { + cfg_obj_log(kasp, logctx, ISC_LOG_ERROR, + "'dnssec-policy;' requires%s " + "inline-signing to be configured " + "for the zone", + (ztype == CFG_ZONE_PRIMARY) + ? " dynamic DNS or" + : ""); result = ISC_R_FAILURE; } } @@ -2920,7 +2953,7 @@ arg = cfg_obj_asstring(obj); } if (strcasecmp(arg, "off") != 0) { - if (!ddns && !signing && strcasecmp(arg, "off") != 0) { + if (!ddns && !signing && !has_dnssecpolicy) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "'auto-dnssec %s;' requires%s " "inline-signing to be configured " @@ -2932,7 +2965,7 @@ result = ISC_R_FAILURE; } - if (strcasecmp(arg, "off") != 0 && has_dnssecpolicy) { + if (has_dnssecpolicy) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "'auto-dnssec %s;' cannot be " "configured if dnssec-policy is " @@ -3177,8 +3210,7 @@ "masterfile-format: format 'map' is " "deprecated"); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
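Review bot: In the `@@ -2903,12 +2931,17 @@` hunk, `cfg_obj_log(kasp, logctx, ISC_LOG_ERROR, ...)` assumes `kasp` is non-NULL whenever `has_dnssecpolicy` is true. The only visible assignment is `kasp = obj;` in the `@@ -2627,6 +2631,30 @@` hunk, inside a block whose opening is outside the hunk. If that invariant holds, stating it next to the use, for example `INSIST(kasp != NULL);` before the log call, would keep a later edit from breaking it silently. Note also that `signing` is now read outside the `res1 == ISC_R_SUCCESS` branch, so the check relies on its initial value when `inline-signing` is absent; that initialiser is not shown here.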
@@ -3244,8 +3276,8 @@ char *tmp = keydirbuf; size_t len = sizeof(keydirbuf); dns_name_format(zname, keydirbuf, sizeof(keydirbuf)); - tmp += strlen(tmp); len -= strlen(tmp); + tmp += strlen(tmp); (void)snprintf(tmp, len, "/%s", (dir == NULL) ? "(null)" : dir); tresult = keydirexist(zconfig, (const char *)keydirbuf, kaspname, keydirs, logctx, mctx); diff -Nru bind9-9.16.27/lib/bind9/getaddresses.c bind9-9.16.33/lib/bind9/getaddresses.c --- bind9-9.16.27/lib/bind9/getaddresses.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/bind9/getaddresses.c 2022-09-08 13:01:23.000000000 +0000 @@ -132,7 +132,7 @@ goto again; } #endif /* ifdef AI_ADDRCONFIG */ - /* FALLTHROUGH */ + FALLTHROUGH; default: return (ISC_R_FAILURE); } diff -Nru bind9-9.16.27/lib/dns/acl.c bind9-9.16.33/lib/dns/acl.c --- bind9-9.16.27/lib/dns/acl.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/acl.c 2022-09-08 13:01:23.000000000 +0000 @@ -405,8 +405,7 @@ return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem)); #endif /* if defined(HAVE_GEOIP2) */ default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } result = dns_acl_match(reqaddr, reqsigner, inner, env, &indirectmatch, @@ -587,8 +586,7 @@ return (true); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/dns/adb.c bind9-9.16.33/lib/dns/adb.c --- bind9-9.16.27/lib/dns/adb.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/adb.c 2022-09-08 13:01:23.000000000 +0000 
@@ -280,35 +280,35 @@ /* * Internal functions (and prototypes). */ -static inline dns_adbname_t * +static dns_adbname_t * new_adbname(dns_adb_t *, const dns_name_t *); -static inline void +static void free_adbname(dns_adb_t *, dns_adbname_t **); -static inline dns_adbnamehook_t * +static dns_adbnamehook_t * new_adbnamehook(dns_adb_t *, dns_adbentry_t *); -static inline void +static void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **); -static inline dns_adblameinfo_t * +static dns_adblameinfo_t * new_adblameinfo(dns_adb_t *, const dns_name_t *, dns_rdatatype_t); -static inline void +static void free_adblameinfo(dns_adb_t *, dns_adblameinfo_t **); -static inline dns_adbentry_t * +static dns_adbentry_t * new_adbentry(dns_adb_t *); -static inline void +static void free_adbentry(dns_adb_t *, dns_adbentry_t **); -static inline dns_adbfind_t * +static dns_adbfind_t * new_adbfind(dns_adb_t *); -static inline bool +static bool free_adbfind(dns_adb_t *, dns_adbfind_t **); -static inline dns_adbaddrinfo_t * +static dns_adbaddrinfo_t * new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *, in_port_t); -static inline dns_adbfetch_t * +static dns_adbfetch_t * new_adbfetch(dns_adb_t *); -static inline void +static void free_adbfetch(dns_adb_t *, dns_adbfetch_t **); -static inline dns_adbname_t * +static dns_adbname_t * find_name_and_lock(dns_adb_t *, const dns_name_t *, unsigned int, int *); -static inline dns_adbentry_t * +static dns_adbentry_t * find_entry_and_lock(dns_adb_t *, const isc_sockaddr_t *, int *, isc_stdtime_t); static void dump_adb(dns_adb_t *, FILE *, bool debug, isc_stdtime_t); 
@@ -321,17 +321,17 @@ print_find_list(FILE *, dns_adbname_t *); static void print_fetch_list(FILE *, dns_adbname_t *); -static inline bool +static bool dec_adb_irefcnt(dns_adb_t *); -static inline void +static void inc_adb_irefcnt(dns_adb_t *); -static inline void +static void inc_adb_erefcnt(dns_adb_t *); -static inline void +static void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *, bool); -static inline bool +static bool dec_entry_refcnt(dns_adb_t *, bool, dns_adbentry_t *, bool); -static inline void +static void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *); static bool clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *); @@ -350,7 +350,7 @@ static isc_result_t fetch_name(dns_adbname_t *, bool, unsigned int, isc_counter_t *qc, dns_rdatatype_t); -static inline void +static void check_exit(dns_adb_t *); static void destroy(dns_adb_t *); @@ -358,13 +358,13 @@ shutdown_names(dns_adb_t *); static bool shutdown_entries(dns_adb_t *); -static inline void +static void link_name(dns_adb_t *, int, dns_adbname_t *); -static inline bool +static bool unlink_name(dns_adb_t *, dns_adbname_t *); -static inline void +static void link_entry(dns_adb_t *, int, dns_adbentry_t *); -static inline bool +static bool unlink_entry(dns_adb_t *, dns_adbentry_t *); static bool kill_name(dns_adbname_t **, isc_eventtype_t); @@ -513,7 +513,7 @@ /*% * Increment resolver-related statistics counters. */ -static inline void +static void inc_stats(dns_adb_t *adb, isc_statscounter_t counter) { if (adb->view->resstats != NULL) { isc_stats_increment(adb->view->resstats, counter); 
@@ -523,28 +523,28 @@ /*% * Set adb-related statistics counters. */ -static inline void +static void set_adbstat(dns_adb_t *adb, uint64_t val, isc_statscounter_t counter) { if (adb->view->adbstats != NULL) { isc_stats_set(adb->view->adbstats, val, counter); } } -static inline void +static void dec_adbstats(dns_adb_t *adb, isc_statscounter_t counter) { if (adb->view->adbstats != NULL) { isc_stats_decrement(adb->view->adbstats, counter); } } -static inline void +static void inc_adbstats(dns_adb_t *adb, isc_statscounter_t counter) { if (adb->view->adbstats != NULL) { isc_stats_increment(adb->view->adbstats, counter); } } -static inline dns_ttl_t +static dns_ttl_t ttlclamp(dns_ttl_t ttl) { if (ttl < ADB_CACHE_MINIMUM) { ttl = ADB_CACHE_MINIMUM; @@ -1167,7 +1167,7 @@ /* * Requires the name's bucket be locked. */ -static inline void +static void link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) { INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET); @@ -1179,7 +1179,7 @@ /* * Requires the name's bucket be locked. */ -static inline bool +static bool unlink_name(dns_adb_t *adb, dns_adbname_t *name) { int bucket; bool result = false; @@ -1204,7 +1204,7 @@ /* * Requires the entry's bucket be locked. */ -static inline void +static void link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) { int i; dns_adbentry_t *e; @@ -1235,7 +1235,7 @@ /* * Requires the entry's bucket be locked. */ -static inline bool +static bool unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) { int bucket; bool result = false; @@ -1257,7 +1257,7 @@ return (result); } -static inline void +static void violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) { if (isc_mutex_trylock(want) != ISC_R_SUCCESS) { UNLOCK(have); @@ -1598,7 +1598,7 @@ DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name); } -static inline void +static void check_exit(dns_adb_t *adb) { isc_event_t *event; /* 
@@ -1619,7 +1619,7 @@ } } -static inline bool +static bool dec_adb_irefcnt(dns_adb_t *adb) { isc_event_t *event; isc_task_t *etask; @@ -1648,21 +1648,21 @@ return (result); } -static inline void +static void inc_adb_irefcnt(dns_adb_t *adb) { LOCK(&adb->reflock); adb->irefcnt++; UNLOCK(&adb->reflock); } -static inline void +static void inc_adb_erefcnt(dns_adb_t *adb) { LOCK(&adb->reflock); adb->erefcnt++; UNLOCK(&adb->reflock); } -static inline void +static void inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, bool lock) { int bucket; @@ -1679,7 +1679,7 @@ } } -static inline bool +static bool dec_entry_refcnt(dns_adb_t *adb, bool overmem, dns_adbentry_t *entry, bool lock) { int bucket; @@ -1722,7 +1722,7 @@ return (result); } -static inline dns_adbname_t * +static dns_adbname_t * new_adbname(dns_adb_t *adb, const dns_name_t *dnsname) { dns_adbname_t *name; @@ -1765,7 +1765,7 @@ return (name); } -static inline void +static void free_adbname(dns_adb_t *adb, dns_adbname_t **name) { dns_adbname_t *n; @@ -1791,7 +1791,7 @@ UNLOCK(&adb->namescntlock); } -static inline dns_adbnamehook_t * +static dns_adbnamehook_t * new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) { dns_adbnamehook_t *nh; @@ -1805,7 +1805,7 @@ return (nh); } -static inline void +static void free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) { dns_adbnamehook_t *nh; @@ -1822,7 +1822,7 @@ isc_mem_put(adb->mctx, nh, sizeof(*nh)); } -static inline dns_adblameinfo_t * +static dns_adblameinfo_t * new_adblameinfo(dns_adb_t *adb, const dns_name_t *qname, dns_rdatatype_t qtype) { dns_adblameinfo_t *li; @@ -1839,7 +1839,7 @@ return (li); } -static inline void +static void free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) { dns_adblameinfo_t *li; @@ -1856,7 +1856,7 @@ isc_mem_put(adb->mctx, li, sizeof(*li)); } -static inline dns_adbentry_t * +static dns_adbentry_t * new_adbentry(dns_adb_t *adb) { dns_adbentry_t *e; 
@@ -1904,7 +1904,7 @@ return (e); } -static inline void +static void free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) { dns_adbentry_t *e; dns_adblameinfo_t *li; @@ -1937,7 +1937,7 @@ UNLOCK(&adb->entriescntlock); } -static inline dns_adbfind_t * +static dns_adbfind_t * new_adbfind(dns_adb_t *adb) { dns_adbfind_t *h; @@ -1973,7 +1973,7 @@ return (h); } -static inline dns_adbfetch_t * +static dns_adbfetch_t * new_adbfetch(dns_adb_t *adb) { dns_adbfetch_t *f; @@ -1989,7 +1989,7 @@ return (f); } -static inline void +static void free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) { dns_adbfetch_t *f; @@ -2006,7 +2006,7 @@ isc_mem_put(adb->mctx, f, sizeof(*f)); } -static inline bool +static bool free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) { dns_adbfind_t *find; @@ -2034,7 +2034,7 @@ * must be locked, and the reference count must be bumped up by one * if this function returns a valid pointer. */ -static inline dns_adbaddrinfo_t * +static dns_adbaddrinfo_t * new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) { dns_adbaddrinfo_t *ai; @@ -2052,7 +2052,7 @@ return (ai); } -static inline void +static void free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) { dns_adbaddrinfo_t *ai; @@ -2075,7 +2075,7 @@ * On the first call to this function, *bucketp must be set to * DNS_ADB_INVALIDBUCKET. */ -static inline dns_adbname_t * +static dns_adbname_t * find_name_and_lock(dns_adb_t *adb, const dns_name_t *name, unsigned int options, int *bucketp) { dns_adbname_t *adbname; @@ -2118,7 +2118,7 @@ * if this function is called multiple times locking is only done if * the bucket changes. */ -static inline dns_adbentry_t * +static dns_adbentry_t * find_entry_and_lock(dns_adb_t *adb, const isc_sockaddr_t *addr, int *bucketp, isc_stdtime_t now) { dns_adbentry_t *entry, *entry_next; 
@@ -3675,11 +3675,17 @@ if (debug) { fprintf(f, ";\tHook(%s) %p\n", legend, nh); } +#ifdef __SANITIZE_THREAD__ + LOCK(&adb->entrylocks[nh->entry->lock_bucket]); +#endif dump_entry(f, adb, nh->entry, debug, now); +#ifdef __SANITIZE_THREAD__ + UNLOCK(&adb->entrylocks[nh->entry->lock_bucket]); +#endif } } -static inline void +static void print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) { fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n", type, ft, ft->fetch); } @@ -4324,7 +4330,7 @@ uint_fast32_t new_quota = adb->quota * quota_adj[--addr->entry->mode] / 10000; atomic_store_release(&addr->entry->quota, - ISC_MIN(1, new_quota)); + ISC_MAX(1, new_quota)); log_quota(addr->entry, "atr %0.2f, quota increased to %" PRIuFAST32, addr->entry->atr, new_quota); @@ -4334,7 +4340,7 @@ uint_fast32_t new_quota = adb->quota * quota_adj[++addr->entry->mode] / 10000; atomic_store_release(&addr->entry->quota, - ISC_MIN(1, new_quota)); + ISC_MAX(1, new_quota)); log_quota(addr->entry, "atr %0.2f, quota decreased to %" PRIuFAST32, addr->entry->atr, new_quota); diff -Nru bind9-9.16.27/lib/dns/byaddr.c bind9-9.16.33/lib/dns/byaddr.c --- bind9-9.16.27/lib/dns/byaddr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/byaddr.c 2022-09-08 13:01:23.000000000 +0000 @@ -108,7 +108,7 @@ #define MAX_RESTARTS 16 -static inline isc_result_t +static isc_result_t copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) { isc_result_t result; dns_name_t *name; diff -Nru bind9-9.16.27/lib/dns/cache.c bind9-9.16.33/lib/dns/cache.c --- bind9-9.16.27/lib/dns/cache.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/cache.c 2022-09-08 13:01:23.000000000 +0000 
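Review bot: In the `@@ -3675,11 +3675,17 @@` hunk, `adb->entrylocks[nh->entry->lock_bucket]` is taken only under `#ifdef __SANITIZE_THREAD__`, so ordinary builds still call `dump_entry()` without the entry lock. If ThreadSanitizer is reporting a real race on the entry fields, the lock belongs in every build. If the unlocked read is considered acceptable for a diagnostic dump, say so at the site, e.g. `/* entry lock taken only to quiet TSAN; the dump tolerates stale values */`. The hunk does not show which locks the caller already holds, so the acquisition order against the name bucket lock should be confirmed too. The enclosing function starts outside the hunk.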
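Review bot: In the `@@ -4324,7 +4330,7 @@` hunk, `log_quota()` is still passed the unclamped `new_quota`, so when the computed value is 0 the log reports 0 while `ISC_MAX(1, new_quota)` stores 1. Clamping once before both uses keeps them in agreement: `new_quota = ISC_MAX(1, new_quota);` followed by `atomic_store_release(&addr->entry->quota, new_quota);`. The same applies to the "quota decreased" branch in the `@@ -4334,7 +4340,7 @@` hunk. The bounds of `--addr->entry->mode` and `++addr->entry->mode` as indexes into `quota_adj` are guarded outside both hunks and cannot be checked from here.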
@@ -169,7 +169,7 @@ static void overmem_cleaning_action(isc_task_t *task, isc_event_t *event); -static inline isc_result_t +static isc_result_t cache_create_db(dns_cache_t *cache, dns_db_t **db) { isc_result_t result; result = dns_db_create(cache->mctx, cache->db_type, dns_rootname, diff -Nru bind9-9.16.27/lib/dns/catz.c bind9-9.16.33/lib/dns/catz.c --- bind9-9.16.27/lib/dns/catz.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/catz.c 2022-09-08 13:01:23.000000000 +0000 @@ -406,39 +406,21 @@ dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE); - result = isc_ht_init(&toadd, target->catzs->mctx, 16); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_init(&toadd, target->catzs->mctx, 16); - result = isc_ht_init(&tomod, target->catzs->mctx, 16); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_init(&tomod, target->catzs->mctx, 16); - result = isc_ht_iter_create(newzone->entries, &iter1); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_iter_create(newzone->entries, &iter1); - result = isc_ht_iter_create(target->entries, &iter2); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_iter_create(target->entries, &iter2); /* * We can create those iterators now, even though toadd and tomod are * empty */ - result = isc_ht_iter_create(toadd, &iteradd); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_iter_create(toadd, &iteradd); - result = isc_ht_iter_create(tomod, &itermod); - if (result != ISC_R_SUCCESS) { - goto cleanup; - } + isc_ht_iter_create(tomod, &itermod); /* * First - walk the new zone and find all nodes that are not in the 
@@ -586,25 +568,11 @@ result = ISC_R_SUCCESS; -cleanup: - if (iter1 != NULL) { - isc_ht_iter_destroy(&iter1); - } - if (iter2 != NULL) { - isc_ht_iter_destroy(&iter2); - } - if (iteradd != NULL) { - isc_ht_iter_destroy(&iteradd); - } - if (itermod != NULL) { - isc_ht_iter_destroy(&itermod); - } - if (toadd != NULL) { - isc_ht_destroy(&toadd); - } - if (tomod != NULL) { - isc_ht_destroy(&tomod); - } + isc_ht_iter_destroy(&iteradd); + isc_ht_iter_destroy(&itermod); + isc_ht_destroy(&toadd); + isc_ht_destroy(&tomod); + return (result); } @@ -625,10 +593,7 @@ isc_refcount_init(&new_zones->refs, 1); - result = isc_ht_init(&new_zones->zones, mctx, 4); - if (result != ISC_R_SUCCESS) { - goto cleanup_refcount; - } + isc_ht_init(&new_zones->zones, mctx, 4); isc_mem_attach(mctx, &new_zones->mctx); new_zones->zmm = zmm; @@ -646,7 +611,6 @@ cleanup_ht: isc_ht_destroy(&new_zones->zones); -cleanup_refcount: isc_refcount_destroy(&new_zones->refs); isc_mutex_destroy(&new_zones->lock); isc_mem_put(mctx, new_zones, sizeof(*new_zones)); @@ -681,10 +645,7 @@ dns_name_init(&new_zone->name, NULL); dns_name_dup(name, catzs->mctx, &new_zone->name); - result = isc_ht_init(&new_zone->entries, catzs->mctx, 4); - if (result != ISC_R_SUCCESS) { - goto cleanup_name; - } + isc_ht_init(&new_zone->entries, catzs->mctx, 4); new_zone->updatetimer = NULL; result = isc_timer_create(catzs->timermgr, isc_timertype_inactive, NULL, @@ -714,7 +675,6 @@ cleanup_ht: isc_ht_destroy(&new_zone->entries); -cleanup_name: dns_name_free(&new_zone->name, catzs->mctx); isc_mem_put(catzs->mctx, new_zone, sizeof(*new_zone)); @@ -813,8 +773,7 @@ if (zone->entries != NULL) { isc_ht_iter_t *iter = NULL; isc_result_t result; - result = isc_ht_iter_create(zone->entries, &iter); - INSIST(result == ISC_R_SUCCESS); + isc_ht_iter_create(zone->entries, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS; result = isc_ht_iter_delcurrent_next(iter)) 
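Review bot: The new function tail in the `@@ -586,25 +568,11 @@` hunk destroys `iteradd`, `itermod`, `toadd` and `tomod` but no longer touches `iter1` and `iter2`, which the removed `cleanup:` block destroyed when they were non-NULL. That is correct only if both iterators are destroyed on every path before this point; the body between their creation and this tail is outside the hunk, so it should be confirmed. If it holds, a short comment here such as `/* iter1 and iter2 were destroyed after their walks above */` would make the asymmetry deliberate. Otherwise keep `if (iter1 != NULL) { isc_ht_iter_destroy(&iter1); }` and the same for `iter2`.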
@@ -870,8 +829,7 @@ if (catzs->zones != NULL) { isc_ht_iter_t *iter = NULL; isc_result_t result; - result = isc_ht_iter_create(catzs->zones, &iter); - INSIST(result == ISC_R_SUCCESS); + isc_ht_iter_create(catzs->zones, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;) { dns_catz_zone_t *zone = NULL; @@ -1400,7 +1358,7 @@ return (ISC_R_FAILURE); } -static inline void +static void catz_entry_add_or_mod(dns_catz_zone_t *target, isc_ht_t *ht, unsigned char *key, size_t keysize, dns_catz_entry_t *nentry, dns_catz_entry_t *oentry, const char *msg, @@ -1841,6 +1799,12 @@ return (result); } +static bool +catz_rdatatype_is_processable(const dns_rdatatype_t type) { + return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds && + type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd); +} + void dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) { dns_catz_zone_t *oldzone = NULL, *newzone = NULL; @@ -1950,6 +1914,17 @@ result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, &rdataset); + + /* + * Skip processing DNSSEC-related and ZONEMD types, + * because we are not interested in them in the context + * of a catalog zone, and processing them will fail + * and produce an unnecessary warning message. + */ + if (!catz_rdatatype_is_processable(rdataset.type)) { + goto next; + } + result = dns_catz_update_process(catzs, newzone, name, &rdataset); if (result != ISC_R_SUCCESS) { @@ -1972,10 +1947,8 @@ cname, classbuf, typebuf, isc_result_totext(result)); } + next: dns_rdataset_disassociate(&rdataset); - if (result != ISC_R_SUCCESS) { - break; - } result = dns_rdatasetiter_next(rdsiter); } @@ -2031,8 +2004,7 @@ REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); - result = isc_ht_iter_create(catzs->zones, &iter); - INSIST(result == ISC_R_SUCCESS); + isc_ht_iter_create(catzs->zones, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS; result = isc_ht_iter_next(iter)) { 
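Review bot: In the `@@ -1950,6 +1914,17 @@` hunk of `dns_catz_update_from_db()`, together with the removal of `if (result != ISC_R_SUCCESS) { break; }` in the `@@ -1972,10 +1947,8 @@` hunk, a failure from `dns_catz_update_process()` is now only logged and then overwritten by `dns_rdatasetiter_next()`. The loop therefore continues with the remaining rdatasets of the node. If that is the intended policy, record it at the label, e.g. `/* a failed rdataset is logged and skipped; keep walking the node */`. The `goto next` can also be avoided by wrapping the processing in `if (catz_rdatatype_is_processable(rdataset.type)) { ... }`, which leaves `dns_rdataset_disassociate()` as the single exit of the loop body.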
@@ -2053,8 +2025,7 @@ REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); LOCK(&catzs->lock); - result = isc_ht_iter_create(catzs->zones, &iter); - INSIST(result == ISC_R_SUCCESS); + isc_ht_iter_create(catzs->zones, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;) { dns_catz_zone_t *zone = NULL; @@ -2090,8 +2061,9 @@ isc_ht_iter_destroy(&iter); } -isc_result_t +void dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp) { REQUIRE(DNS_CATZ_ZONE_VALID(catz)); - return (isc_ht_iter_create(catz->entries, itp)); + + isc_ht_iter_create(catz->entries, itp); } diff -Nru bind9-9.16.27/lib/dns/client.c bind9-9.16.33/lib/dns/client.c --- bind9-9.16.27/lib/dns/client.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/client.c 2022-09-08 13:01:23.000000000 +0000 @@ -219,8 +219,7 @@ attrs |= DNS_DISPATCHATTR_IPV6; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } attrmask = 0; attrmask |= DNS_DISPATCHATTR_UDP; @@ -566,7 +565,7 @@ client_resfind(rctx, fevent); } -static inline isc_result_t +static isc_result_t start_fetch(resctx_t *rctx) { isc_result_t result; int fopts = 0; diff -Nru bind9-9.16.27/lib/dns/compress.c bind9-9.16.33/lib/dns/compress.c --- bind9-9.16.27/lib/dns/compress.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/compress.c 2022-09-08 13:01:23.000000000 +0000 @@ -364,7 +364,7 @@ return (true); } -static inline unsigned int +static unsigned int name_length(const dns_name_t *name) { isc_region_t r; dns_name_toregion(name, &r); diff -Nru bind9-9.16.27/lib/dns/db.c bind9-9.16.33/lib/dns/db.c --- bind9-9.16.27/lib/dns/db.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/db.c 2022-09-08 13:01:23.000000000 +0000 
@@ -80,7 +80,7 @@ ISC_LIST_APPEND(implementations, &rbtimp, link); } -static inline dns_dbimplementation_t * +static dns_dbimplementation_t * impfind(const char *name) { dns_dbimplementation_t *imp; diff -Nru bind9-9.16.27/lib/dns/dbtable.c bind9-9.16.33/lib/dns/dbtable.c --- bind9-9.16.27/lib/dns/dbtable.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dbtable.c 2022-09-08 13:01:23.000000000 +0000 @@ -82,7 +82,7 @@ return (result); } -static inline void +static void dbtable_free(dns_dbtable_t *dbtable) { /* * Caller must ensure that it is safe to call. diff -Nru bind9-9.16.27/lib/dns/diff.c bind9-9.16.33/lib/dns/diff.c --- bind9-9.16.27/lib/dns/diff.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/diff.c 2022-09-08 13:01:23.000000000 +0000 @@ -372,8 +372,7 @@ &ardataset); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (result == ISC_R_SUCCESS) { diff -Nru bind9-9.16.27/lib/dns/dispatch.c bind9-9.16.33/lib/dns/dispatch.c --- bind9-9.16.27/lib/dns/dispatch.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dispatch.c 2022-09-08 13:01:23.000000000 +0000 @@ -290,9 +290,9 @@ free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len); static void * allocate_udp_buffer(dns_dispatch_t *disp); -static inline void +static void free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev); -static inline dns_dispatchevent_t * +static dns_dispatchevent_t * allocate_devent(dns_dispatch_t *disp); static void do_cancel(dns_dispatch_t *disp); @@ -352,14 +352,14 @@ msgbuf); } -static inline void +static void inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) { if (mgr->stats != NULL) { isc_stats_increment(mgr->stats, counter); } } -static inline void +static void dec_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) { if (mgr->stats != NULL) { isc_stats_decrement(mgr->stats, counter); 
@@ -915,8 +915,7 @@ isc_mem_put(disp->mgr->mctx, buf, buffersize); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -936,14 +935,14 @@ return (isc_mem_get(disp->mgr->mctx, buffersize)); } -static inline void +static void free_sevent(isc_event_t *ev) { isc_mem_t *pool = ev->ev_destroy_arg; isc_socketevent_t *sev = (isc_socketevent_t *)ev; isc_mem_put(pool, sev, sizeof(*sev)); } -static inline isc_socketevent_t * +static isc_socketevent_t * allocate_sevent(dns_dispatch_t *disp, isc_socket_t *sock, isc_eventtype_t type, isc_taskaction_t action, const void *arg) { isc_socketevent_t *ev; @@ -963,7 +962,7 @@ return (ev); } -static inline void +static void free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev) { if (disp->failsafe_ev == ev) { INSIST(disp->shutdown_out == 1); @@ -976,7 +975,7 @@ isc_mem_put(disp->mgr->mctx, ev, sizeof(*ev)); } -static inline dns_dispatchevent_t * +static dns_dispatchevent_t * allocate_devent(dns_dispatch_t *disp) { dns_dispatchevent_t *ev; @@ -1586,8 +1585,7 @@ disp->recv_pending = 1; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); diff -Nru bind9-9.16.27/lib/dns/dlz.c bind9-9.16.33/lib/dns/dlz.c --- bind9-9.16.27/lib/dns/dlz.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dlz.c 2022-09-08 13:01:23.000000000 +0000 @@ -88,7 +88,7 @@ /*% * Searches the dlz_implementations list for a driver matching name. */ -static inline dns_dlzimplementation_t * +static dns_dlzimplementation_t * dlz_impfind(const char *name) { dns_dlzimplementation_t *imp; diff -Nru bind9-9.16.27/lib/dns/dnsrps.c bind9-9.16.33/lib/dns/dnsrps.c --- bind9-9.16.27/lib/dns/dnsrps.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dnsrps.c 2022-09-08 13:01:23.000000000 +0000 
@@ -310,8 +310,7 @@ case LIBRPZ_POLICY_GIVEN: case LIBRPZ_POLICY_DISABLED: default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/dns/dnssec.c bind9-9.16.33/lib/dns/dnssec.c --- bind9-9.16.27/lib/dns/dnssec.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dnssec.c 2022-09-08 13:01:23.000000000 +0000 @@ -77,7 +77,7 @@ return (dst_context_adddata(ctx, data)); } -static inline void +static void inc_stat(isc_statscounter_t counter) { if (dns_dnssec_stats != NULL) { isc_stats_increment(dns_dnssec_stats, counter); @@ -445,7 +445,7 @@ inc_stat(dns_dnssecstats_fail); return (DNS_R_SIGINVALID); } - /* FALLTHROUGH */ + FALLTHROUGH; default: if (!dns_name_issubdomain(name, &sig.signer)) { inc_stat(dns_dnssecstats_fail); @@ -2147,7 +2147,7 @@ dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey, dns_name_t *origin, dns_rdataclass_t zclass, dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx, - bool dnssec_insecure) { + bool expect_cds_delete, bool expect_cdnskey_delete) { unsigned char dsbuf[5] = { 0, 0, 0, 0, 0 }; /* CDS DELETE rdata */ unsigned char keybuf[5] = { 0, 0, 3, 0, 0 }; /* CDNSKEY DELETE rdata */ char namebuf[DNS_NAME_FORMATSIZE]; 
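Review bot: In the `@@ -2147,7 +2147,7 @@` hunk, the new tail of `dns_dnssec_syncdelete()`, `bool expect_cds_delete, bool expect_cdnskey_delete`, is two adjacent parameters of the same type, so a call site that transposes them compiles without a diagnostic. The CDS and CDNSKEY DELETE records signal to the parent that the DS set should be removed, so publishing or withdrawing the wrong one is not cosmetic. The call sites are outside this section; at each one I would name the arguments, e.g. `/* expect_cds_delete */ true, /* expect_cdnskey_delete */ false`, or fold the two into one small flags value. The function body continues in the following hunks.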
@@ -2167,26 +2167,39 @@ dns_name_format(origin, namebuf, sizeof(namebuf)); - if (dnssec_insecure) { - if (!dns_rdataset_isassociated(cdnskey) || - !exists(cdnskey, &cdnskey_delete)) { + if (expect_cds_delete) { + if (!dns_rdataset_isassociated(cds) || + !exists(cds, &cds_delete)) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, - "CDNSKEY (DELETE) for zone %s is now " + "CDS (DELETE) for zone %s is now " "published", namebuf); - RETERR(addrdata(&cdnskey_delete, diff, origin, ttl, + RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx)); + } + } else { + if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete)) + { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, + "CDS (DELETE) for zone %s is now " + "deleted", + namebuf); + RETERR(delrdata(&cds_delete, diff, origin, cds->ttl, mctx)); } + } - if (!dns_rdataset_isassociated(cds) || - !exists(cds, &cds_delete)) { + if (expect_cdnskey_delete) { + if (!dns_rdataset_isassociated(cdnskey) || + !exists(cdnskey, &cdnskey_delete)) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, - "CDS (DELETE) for zone %s is now " + "CDNSKEY (DELETE) for zone %s is now " "published", namebuf); - RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx)); + RETERR(addrdata(&cdnskey_delete, diff, origin, ttl, + mctx)); } } else { if (dns_rdataset_isassociated(cdnskey) && 
@@ -2199,17 +2212,6 @@ RETERR(delrdata(&cdnskey_delete, diff, origin, cdnskey->ttl, mctx)); } - - if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete)) - { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, - "CDS (DELETE) for zone %s is now " - "deleted", - namebuf); - RETERR(delrdata(&cds_delete, diff, origin, cds->ttl, - mctx)); - } } result = ISC_R_SUCCESS; diff -Nru bind9-9.16.27/lib/dns/dnstap.c bind9-9.16.33/lib/dns/dnstap.c --- bind9-9.16.27/lib/dns/dnstap.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dnstap.c 2022-09-08 13:01:23.000000000 +0000 @@ -635,8 +635,7 @@ case DNS_DTTYPE_UR: return (DNSTAP__MESSAGE__TYPE__UPDATE_RESPONSE); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -809,14 +808,15 @@ dm.m.response_time_nsec = isc_time_nanoseconds(t); dm.m.has_response_time_nsec = 1; - cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message); - - /* Types RR and FR get both query and response times */ - if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) { + /* + * Types RR and FR can fall through and get the query + * time set as well. Any other response type, break. + */ + if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_DTTYPE_AQ: case DNS_DTTYPE_CQ: case DNS_DTTYPE_FQ: @@ -832,8 +832,6 @@ dm.m.has_query_time_sec = 1; dm.m.query_time_nsec = isc_time_nanoseconds(t); dm.m.has_query_time_nsec = 1; - - cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message); break; default: isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP, @@ -842,6 +840,13 @@ return; } + /* Query and response messages */ + if ((msgtype & DNS_DTTYPE_QUERY) != 0) { + cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message); + } else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) { + cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message); + } + /* Zone/bailiwick */ switch (msgtype) { case DNS_DTTYPE_AR: 
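Review bot: In the `@@ -842,6 +840,13 @@` dnstap hunk, the payload copy added after the switch, `if ((msgtype & DNS_DTTYPE_QUERY) != 0) ... else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) ...`, has no final `else`. A message type that the switch accepts but that is in neither mask would be emitted with timestamps and no DNS message, silently. Both masks are defined outside this hunk, so it cannot be confirmed here that they cover every accepted type. If they are meant to, a closing `else { UNREACHABLE(); }` or a comment stating that invariant would keep a later added type from producing empty dnstap records, which is a gap for anyone relying on these logs. The enclosing function starts and ends outside the hunk.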
@@ -985,8 +990,7 @@ result = ISC_R_NOTIMPLEMENTED; goto cleanup; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_mem_attach(mctx, &handle->mctx); diff -Nru bind9-9.16.27/lib/dns/ds.c bind9-9.16.33/lib/dns/ds.c --- bind9-9.16.27/lib/dns/ds.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/ds.c 2022-09-08 13:01:23.000000000 +0000 @@ -63,8 +63,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } name = dns_fixedname_initname(&fname); diff -Nru bind9-9.16.27/lib/dns/dst_api.c bind9-9.16.33/lib/dns/dst_api.c --- bind9-9.16.27/lib/dns/dst_api.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dst_api.c 2022-09-08 13:01:23.000000000 +0000 @@ -482,14 +482,43 @@ void dst_key_setexternal(dst_key_t *key, bool value) { + REQUIRE(VALID_KEY(key)); + key->external = value; } bool dst_key_isexternal(dst_key_t *key) { + REQUIRE(VALID_KEY(key)); + return (key->external); } +void +dst_key_setmodified(dst_key_t *key, bool value) { + REQUIRE(VALID_KEY(key)); + + isc_mutex_lock(&key->mdlock); + key->modified = value; + isc_mutex_unlock(&key->mdlock); +} + +bool +dst_key_ismodified(const dst_key_t *key) { + bool modified; + dst_key_t *k; + + REQUIRE(VALID_KEY(key)); + + DE_CONST(key, k); + + isc_mutex_lock(&k->mdlock); + modified = key->modified; + isc_mutex_unlock(&k->mdlock); + + return (modified); +} + isc_result_t dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type, const char *directory, isc_mem_t *mctx, @@ -637,6 +666,7 @@ (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) { RETERR(computeid(pubkey)); + pubkey->modified = false; *keyp = pubkey; pubkey = NULL; goto out; @@ -690,6 +720,7 @@ RETERR(DST_R_INVALIDPRIVATEKEY); } + key->modified = false; *keyp = key; key = NULL; 
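Review bot: `pubkey->modified = false;` in the `@@ -637,6 +666,7 @@` hunk and `key->modified = false;` in the `@@ -690,6 +720,7 @@` hunk write the flag directly, while `dst_key_setmodified()`, added in the `@@ -482,14 +482,43 @@` hunk, takes `mdlock` around the same store. The direct write looks safe because the key is only handed out through `*keyp` on the next line, but that reasoning is not written down. I would add `/* key is not shared yet, so mdlock is not needed */` above each assignment, or call `dst_key_setmodified()` there for uniformity. Why the flag needs resetting at these points is presumably that loading the key goes through the metadata setters, but that code is outside both hunks.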
@@ -1047,6 +1078,8 @@ REQUIRE(type <= DST_MAX_BOOLEAN); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || !key->boolset[type] || + key->bools[type] != value; key->bools[type] = value; key->boolset[type] = true; isc_mutex_unlock(&key->mdlock); @@ -1058,6 +1091,7 @@ REQUIRE(type <= DST_MAX_BOOLEAN); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || key->boolset[type]; key->boolset[type] = false; isc_mutex_unlock(&key->mdlock); } @@ -1089,6 +1123,8 @@ REQUIRE(type <= DST_MAX_NUMERIC); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || !key->numset[type] || + key->nums[type] != value; key->nums[type] = value; key->numset[type] = true; isc_mutex_unlock(&key->mdlock); @@ -1100,6 +1136,7 @@ REQUIRE(type <= DST_MAX_NUMERIC); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || key->numset[type]; key->numset[type] = false; isc_mutex_unlock(&key->mdlock); } @@ -1130,6 +1167,8 @@ REQUIRE(type <= DST_MAX_TIMES); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || !key->timeset[type] || + key->times[type] != when; key->times[type] = when; key->timeset[type] = true; isc_mutex_unlock(&key->mdlock); @@ -1141,6 +1180,7 @@ REQUIRE(type <= DST_MAX_TIMES); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || key->timeset[type]; key->timeset[type] = false; isc_mutex_unlock(&key->mdlock); } @@ -1172,6 +1212,8 @@ REQUIRE(type <= DST_MAX_KEYSTATES); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || !key->keystateset[type] || + key->keystates[type] != state; key->keystates[type] = state; key->keystateset[type] = true; isc_mutex_unlock(&key->mdlock); @@ -1183,6 +1225,7 @@ REQUIRE(type <= DST_MAX_KEYSTATES); isc_mutex_lock(&key->mdlock); + key->modified = key->modified || key->keystateset[type]; key->keystateset[type] = false; isc_mutex_unlock(&key->mdlock); } 
@@ -2747,4 +2790,6 @@ dst_key_unsetstate(to, i); } } + + dst_key_setmodified(to, dst_key_ismodified(from)); } diff -Nru bind9-9.16.27/lib/dns/dst_internal.h bind9-9.16.33/lib/dns/dst_internal.h --- bind9-9.16.27/lib/dns/dst_internal.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/dst_internal.h 2022-09-08 13:01:23.000000000 +0000 @@ -147,6 +147,7 @@ bool inactive; /*%< private key not present as it is * inactive */ bool external; /*%< external key */ + bool modified; /*%< set to true if key file metadata has changed */ int fmt_major; /*%< private key format, major version * */ diff -Nru bind9-9.16.27/lib/dns/ecs.c bind9-9.16.33/lib/dns/ecs.c --- bind9-9.16.27/lib/dns/ecs.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/ecs.c 2022-09-08 13:01:23.000000000 +0000 @@ -66,8 +66,7 @@ addr2 = (const unsigned char *)&ecs2->addr.type.in6; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* diff -Nru bind9-9.16.27/lib/dns/gssapi_link.c bind9-9.16.33/lib/dns/gssapi_link.c --- bind9-9.16.27/lib/dns/gssapi_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/gssapi_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -177,11 +177,10 @@ static isc_result_t gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) { dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx; - isc_region_t message, r; + isc_region_t message; gss_buffer_desc gmessage, gsig; OM_uint32 minor, gret; gss_ctx_id_t gssctx = dctx->key->keydata.gssctx; - unsigned char buf[sig->length]; char err[1024]; /* 
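Review bot: `dst_key_setmodified(to, dst_key_ismodified(from));` in the `@@ -2747,4 +2790,6 @@` hunk replaces whatever the preceding calls on `to` (such as the visible `dst_key_unsetstate(to, i)`) recorded in `to->modified`. The setters changed elsewhere in this diff raise the flag when a value actually changes, so if `from` is unmodified but differed from `to`, `to` ends up changed in memory and marked clean. That may be the intent, making `to` an exact copy of `from`, but it should be stated: `/* 'to' inherits the modified state of 'from', not the result of the copy above. */`. Only the last lines of the function are inside the hunk.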
@@ -190,11 +189,7 @@ */ isc_buffer_usedregion(ctx->buffer, &message); REGION_TO_GBUFFER(message, gmessage); - - memmove(buf, sig->base, sig->length); - r.base = buf; - r.length = sig->length; - REGION_TO_GBUFFER(r, gsig); + REGION_TO_GBUFFER(*sig, gsig); /* * Verify the data. diff -Nru bind9-9.16.27/lib/dns/gssapictx.c bind9-9.16.33/lib/dns/gssapictx.c --- bind9-9.16.27/lib/dns/gssapictx.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/gssapictx.c 2022-09-08 13:01:23.000000000 +0000 @@ -95,7 +95,7 @@ goto out; \ } while (0) -static inline void +static void name_to_gbuffer(const dns_name_t *name, isc_buffer_t *buffer, gss_buffer_desc *gbuffer) { dns_name_t tname; diff -Nru bind9-9.16.27/lib/dns/hmac_link.c bind9-9.16.33/lib/dns/hmac_link.c --- bind9-9.16.27/lib/dns/hmac_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/hmac_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -147,7 +147,7 @@ uint8_t key[ISC_MAX_BLOCK_SIZE]; }; -static inline isc_result_t +static isc_result_t getkeybits(dst_key_t *key, struct dst_private_element *element) { uint16_t *bits = (uint16_t *)element->data; @@ -160,7 +160,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t hmac_createctx(const isc_md_type_t *type, const dst_key_t *key, dst_context_t *dctx) { isc_result_t result; @@ -177,7 +177,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void hmac_destroyctx(dst_context_t *dctx) { isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx; REQUIRE(ctx != NULL); @@ -186,7 +186,7 @@ dctx->ctxdata.hmac_ctx = NULL; } -static inline isc_result_t +static isc_result_t hmac_adddata(const dst_context_t *dctx, const isc_region_t *data) { isc_result_t result; isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx; @@ -201,7 +201,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t hmac_sign(const dst_context_t *dctx, isc_buffer_t *sig) { isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx; REQUIRE(ctx != NULL); 
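Review bot: After `REGION_TO_GBUFFER(*sig, gsig);` in the `@@ -190,11 +189,7 @@` hunk, the GSS buffer appears to refer to the caller's signature bytes rather than a private copy, and nothing in `gssapi_verify()` says so. The copy that was dropped lived in a stack array sized by `sig->length`, a length supplied with the signature being verified, so the reason for not copying is worth keeping next to the line: `/* Use the caller's buffer directly; no length-dependent stack copy. */`. `REGION_TO_GBUFFER` is defined outside the hunk, so it is an assumption that it only stores the pointer and length. The function continues past the hunk.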
@@ -225,7 +225,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t hmac_verify(const dst_context_t *dctx, const isc_region_t *sig) { isc_hmac_t *ctx = dctx->ctxdata.hmac_ctx; unsigned int digestlen; @@ -250,7 +250,7 @@ : DST_R_VERIFYFAILURE); } -static inline bool +static bool hmac_compare(const isc_md_type_t *type, const dst_key_t *key1, const dst_key_t *key2) { dst_hmac_key_t *hkey1, *hkey2; @@ -268,7 +268,7 @@ isc_md_type_get_block_size(type))); } -static inline isc_result_t +static isc_result_t hmac_generate(const isc_md_type_t *type, dst_key_t *key) { isc_buffer_t b; isc_result_t ret; @@ -296,13 +296,13 @@ return (ret); } -static inline bool +static bool hmac_isprivate(const dst_key_t *key) { UNUSED(key); return (true); } -static inline void +static void hmac_destroy(dst_key_t *key) { dst_hmac_key_t *hkey = key->keydata.hmac_key; isc_safe_memwipe(hkey, sizeof(*hkey)); @@ -310,7 +310,7 @@ key->keydata.hmac_key = NULL; } -static inline isc_result_t +static isc_result_t hmac_todns(const dst_key_t *key, isc_buffer_t *data) { REQUIRE(key != NULL && key->keydata.hmac_key != NULL); dst_hmac_key_t *hkey = key->keydata.hmac_key; @@ -325,7 +325,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t hmac_fromdns(const isc_md_type_t *type, dst_key_t *key, isc_buffer_t *data) { dst_hmac_key_t *hkey; unsigned int keylen; @@ -360,7 +360,7 @@ return (ISC_R_SUCCESS); } -static inline int +static int hmac__get_tag_key(const isc_md_type_t *type) { if (type == ISC_MD_MD5) { return (TAG_HMACMD5_KEY); @@ -375,12 +375,11 @@ } else if (type == ISC_MD_SHA512) { return (TAG_HMACSHA512_KEY); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } -static inline int +static int hmac__get_tag_bits(const isc_md_type_t *type) { if (type == ISC_MD_MD5) { return (TAG_HMACMD5_BITS); 
@@ -395,12 +394,11 @@ } else if (type == ISC_MD_SHA512) { return (TAG_HMACSHA512_BITS); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } -static inline isc_result_t +static isc_result_t hmac_tofile(const isc_md_type_t *type, const dst_key_t *key, const char *directory) { dst_hmac_key_t *hkey; @@ -433,7 +431,7 @@ return (dst__privstruct_writefile(key, &priv, directory)); } -static inline int +static int hmac__to_dst_alg(const isc_md_type_t *type) { if (type == ISC_MD_MD5) { return (DST_ALG_HMACMD5); @@ -448,12 +446,11 @@ } else if (type == ISC_MD_SHA512) { return (DST_ALG_HMACSHA512); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } -static inline isc_result_t +static isc_result_t hmac_parse(const isc_md_type_t *type, dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; diff -Nru bind9-9.16.27/lib/dns/include/dns/acl.h bind9-9.16.33/lib/dns/include/dns/acl.h --- bind9-9.16.27/lib/dns/include/dns/acl.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/acl.h 2022-09-08 13:01:23.000000000 +0000 @@ -77,14 +77,14 @@ struct dns_acl { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_refcount_t refcount; - dns_iptable_t *iptable; + dns_iptable_t *iptable; dns_aclelement_t *elements; bool has_negatives; unsigned int alloc; /*%< Elements allocated */ unsigned int length; /*%< Elements initialized */ - char *name; /*%< Temporary use only */ + char *name; /*%< Temporary use only */ ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ }; diff -Nru bind9-9.16.27/lib/dns/include/dns/adb.h bind9-9.16.33/lib/dns/include/dns/adb.h --- bind9-9.16.27/lib/dns/include/dns/adb.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/adb.h 2022-09-08 13:01:23.000000000 +0000 
@@ -120,7 +120,7 @@ int name_bucket; unsigned int flags; dns_adbname_t *adbname; - dns_adb_t *adb; + dns_adb_t *adb; isc_event_t event; ISC_LINK(dns_adbfind_t) plink; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/callbacks.h bind9-9.16.33/lib/dns/include/dns/callbacks.h --- bind9-9.16.27/lib/dns/include/dns/callbacks.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/callbacks.h 2022-09-08 13:01:23.000000000 +0000 @@ -53,7 +53,7 @@ * to pass back information obtained from the file header */ dns_rawdatafunc_t rawdata; - dns_zone_t *zone; + dns_zone_t *zone; /*% * dns_load_master / dns_rdata_fromtext call this to issue a error. diff -Nru bind9-9.16.27/lib/dns/include/dns/catz.h bind9-9.16.33/lib/dns/include/dns/catz.h --- bind9-9.16.27/lib/dns/include/dns/catz.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/catz.h 2022-09-08 13:01:23.000000000 +0000 @@ -324,14 +324,14 @@ /* xxxwpk TODO config! */ typedef isc_result_t (*dns_catz_zoneop_fn_t)(dns_catz_entry_t *entry, dns_catz_zone_t *origin, - dns_view_t *view, - isc_taskmgr_t *taskmgr, - void *udata); + dns_view_t *view, + isc_taskmgr_t *taskmgr, + void *udata); struct dns_catz_zonemodmethods { dns_catz_zoneop_fn_t addzone; dns_catz_zoneop_fn_t modzone; dns_catz_zoneop_fn_t delzone; - void *udata; + void *udata; }; isc_result_t @@ -457,7 +457,7 @@ * \li 'catzs' is a valid dns_catz_zones_t. */ -isc_result_t +void dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp); /*%< * Get the hashtable iterator on catalog zone members, point '*itp' to it. 
@@ -466,9 +466,6 @@ * \li 'catzs' is a valid dns_catz_zones_t. * \li 'itp' is not NULL and '*itp' is NULL. * - * Returns: - * \li #ISC_R_SUCCESS -- success - * \li Any other value -- failure */ ISC_LANG_ENDDECLS diff -Nru bind9-9.16.27/lib/dns/include/dns/clientinfo.h bind9-9.16.33/lib/dns/include/dns/clientinfo.h --- bind9-9.16.27/lib/dns/include/dns/clientinfo.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/clientinfo.h 2022-09-08 13:01:23.000000000 +0000 @@ -58,13 +58,13 @@ */ typedef struct dns_clientinfo { uint16_t version; - void *data; - void *dbversion; + void *data; + void *dbversion; dns_ecs_t ecs; } dns_clientinfo_t; typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client, - isc_sockaddr_t **addrp); + isc_sockaddr_t **addrp); #define DNS_CLIENTINFOMETHODS_VERSION 2 #define DNS_CLIENTINFOMETHODS_AGE 1 diff -Nru bind9-9.16.27/lib/dns/include/dns/db.h bind9-9.16.33/lib/dns/include/dns/db.h --- bind9-9.16.27/lib/dns/include/dns/db.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/db.h 2022-09-08 13:01:23.000000000 +0000 @@ -73,13 +73,13 @@ typedef struct dns_dbmethods { void (*attach)(dns_db_t *source, dns_db_t **targetp); void (*detach)(dns_db_t **dbp); - isc_result_t (*beginload)(dns_db_t *db, + isc_result_t (*beginload)(dns_db_t *db, dns_rdatacallbacks_t *callbacks); isc_result_t (*endload)(dns_db_t *db, dns_rdatacallbacks_t *callbacks); isc_result_t (*serialize)(dns_db_t *db, dns_dbversion_t *version, FILE *file); isc_result_t (*dump)(dns_db_t *db, dns_dbversion_t *version, - const char *filename, + const char *filename, dns_masterformat_t masterformat); void (*currentversion)(dns_db_t *db, dns_dbversion_t **versionp); isc_result_t (*newversion)(dns_db_t *db, dns_dbversion_t **versionp); 
@@ -98,7 +98,7 @@ isc_result_t (*findzonecut)(dns_db_t *db, const dns_name_t *name, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, - dns_name_t *dcname, + dns_name_t *dcname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); void (*attachnode)(dns_db_t *db, dns_dbnode_t *source, @@ -116,7 +116,7 @@ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); isc_result_t (*allrdatasets)(dns_db_t *db, dns_dbnode_t *node, - dns_dbversion_t *version, + dns_dbversion_t *version, isc_stdtime_t now, dns_rdatasetiter_t **iteratorp); isc_result_t (*addrdataset)(dns_db_t *db, dns_dbnode_t *node, @@ -126,9 +126,9 @@ dns_rdataset_t *addedrdataset); isc_result_t (*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - dns_rdataset_t *rdataset, + dns_rdataset_t *rdataset, unsigned int options, - dns_rdataset_t *newrdataset); + dns_rdataset_t *newrdataset); isc_result_t (*deleterdataset)(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, dns_rdatatype_t type, @@ -141,12 +141,12 @@ isc_result_t (*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep); void (*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep, dns_dbnode_t **targetp); - isc_result_t (*getnsec3parameters)(dns_db_t *db, + isc_result_t (*getnsec3parameters)(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash, uint8_t *flags, - uint16_t *iterations, + uint16_t *iterations, unsigned char *salt, - size_t *salt_len); + size_t *salt_len); isc_result_t (*findnsec3node)(dns_db_t *db, const dns_name_t *name, bool create, dns_dbnode_t **nodep); isc_result_t (*setsigningtime)(dns_db_t *db, dns_rdataset_t *rdataset, 
@@ -162,16 +162,16 @@ isc_result_t (*findnodeext)(dns_db_t *db, const dns_name_t *name, bool create, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo, - dns_dbnode_t **nodep); + dns_clientinfo_t *clientinfo, + dns_dbnode_t **nodep); isc_result_t (*findext)(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version, dns_rdatatype_t type, unsigned int options, isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo, - dns_rdataset_t *rdataset, - dns_rdataset_t *sigrdataset); + dns_clientinfo_t *clientinfo, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset); isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t *stats); size_t (*hashsize)(dns_db_t *db); isc_result_t (*nodefullname)(dns_db_t *db, dns_dbnode_t *node, @@ -186,7 +186,7 @@ isc_result_t (*adjusthashsize)(dns_db_t *db, size_t size); } dns_dbmethods_t; -typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx, +typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx, const dns_name_t *name, dns_dbtype_t type, dns_rdataclass_t rdclass, @@ -214,7 +214,7 @@ uint16_t attributes; dns_rdataclass_t rdclass; dns_name_t origin; - isc_mem_t *mctx; + isc_mem_t *mctx; ISC_LIST(dns_dbonupdatelistener_t) update_listeners; }; @@ -223,7 +223,7 @@ struct dns_dbonupdatelistener { dns_dbupdate_callback_t onupdate; - void *onupdate_arg; + void *onupdate_arg; ISC_LINK(dns_dbonupdatelistener_t) link; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/dbiterator.h bind9-9.16.33/lib/dns/include/dns/dbiterator.h --- bind9-9.16.27/lib/dns/include/dns/dbiterator.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dbiterator.h 2022-09-08 13:01:23.000000000 +0000 
@@ -98,7 +98,7 @@ /* Unlocked. */ unsigned int magic; dns_dbiteratormethods_t *methods; - dns_db_t *db; + dns_db_t *db; bool relative_names; bool cleaning; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/diff.h bind9-9.16.33/lib/dns/include/dns/diff.h --- bind9-9.16.27/lib/dns/include/dns/diff.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/diff.h 2022-09-08 13:01:23.000000000 +0000 @@ -75,7 +75,7 @@ struct dns_difftuple { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; dns_diffop_t op; dns_name_t name; dns_ttl_t ttl; @@ -96,7 +96,7 @@ struct dns_diff { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; dns_difftuplelist_t tuples; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/dispatch.h bind9-9.16.33/lib/dns/include/dns/dispatch.h --- bind9-9.16.27/lib/dns/include/dns/dispatch.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dispatch.h 2022-09-08 13:01:23.000000000 +0000 @@ -91,7 +91,7 @@ * round-robin fashion. */ struct dns_dispatchset { - isc_mem_t *mctx; + isc_mem_t *mctx; dns_dispatch_t **dispatches; int ndisp; int cur; @@ -200,7 +200,7 @@ void dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr, - dns_portlist_t *portlist); + dns_portlist_t *portlist); /*%< * This function is deprecated. Use dns_dispatchmgr_setavailports() instead. * @@ -414,7 +414,7 @@ */ void -dns_dispatch_removeresponse(dns_dispentry_t **resp, +dns_dispatch_removeresponse(dns_dispentry_t **resp, dns_dispatchevent_t **sockevent); /*%< * Stops the flow of responses for the provided id and destination. diff -Nru bind9-9.16.27/lib/dns/include/dns/dlz.h bind9-9.16.33/lib/dns/include/dns/dlz.h --- bind9-9.16.27/lib/dns/include/dns/dlz.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dlz.h 2022-09-08 13:01:23.000000000 +0000 
@@ -99,11 +99,11 @@ #define DNS_DLZ_VALID(dlz) ISC_MAGIC_VALID(dlz, DNS_DLZ_MAGIC) typedef isc_result_t (*dns_dlzallowzonexfr_t)(void *driverarg, void *dbdata, - isc_mem_t *mctx, + isc_mem_t *mctx, dns_rdataclass_t rdclass, - const dns_name_t *name, + const dns_name_t *name, const isc_sockaddr_t *clientaddr, - dns_db_t **dbp); + dns_db_t **dbp); /*%< * Method prototype. Drivers implementing the DLZ interface MUST @@ -137,12 +137,12 @@ */ typedef isc_result_t (*dns_dlzfindzone_t)(void *driverarg, void *dbdata, - isc_mem_t *mctx, + isc_mem_t *mctx, dns_rdataclass_t rdclass, - const dns_name_t *name, + const dns_name_t *name, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo, - dns_db_t **dbp); + dns_clientinfo_t *clientinfo, + dns_db_t **dbp); /*%< * Method prototype. Drivers implementing the DLZ interface MUST @@ -178,8 +178,8 @@ * may call configuration functions during the configure call */ -typedef bool (*dns_dlzssumatch_t)(const dns_name_t *signer, - const dns_name_t *name, +typedef bool (*dns_dlzssumatch_t)(const dns_name_t *signer, + const dns_name_t *name, const isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key, void *driverarg, void *dbdata); @@ -201,10 +201,10 @@ /*% information about a DLZ driver */ struct dns_dlzimplementation { - const char *name; + const char *name; const dns_dlzmethods_t *methods; - isc_mem_t *mctx; - void *driverarg; + isc_mem_t *mctx; + void *driverarg; ISC_LINK(dns_dlzimplementation_t) link; }; 
@@ -214,12 +214,12 @@ /*% An instance of a DLZ driver */ struct dns_dlzdb { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; dns_dlzimplementation_t *implementation; - void *dbdata; + void *dbdata; dlzconfigure_callback_t configure_callback; bool search; - char *dlzname; + char *dlzname; ISC_LINK(dns_dlzdb_t) link; dns_ssutable_t *ssutable; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/dlz_dlopen.h bind9-9.16.33/lib/dns/include/dns/dlz_dlopen.h --- bind9-9.16.27/lib/dns/include/dns/dlz_dlopen.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dlz_dlopen.h 2022-09-08 13:01:23.000000000 +0000 @@ -58,7 +58,7 @@ typedef isc_result_t dlz_dlopen_findzonedb_t(void *dbdata, const char *name, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo); + dns_clientinfo_t *clientinfo); /* * dlz_dlopen_lookup() is required for all DLZ external drivers diff -Nru bind9-9.16.27/lib/dns/include/dns/dnsrps.h bind9-9.16.33/lib/dns/include/dns/dnsrps.h --- bind9-9.16.27/lib/dns/include/dns/dnsrps.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dnsrps.h 2022-09-08 13:01:23.000000000 +0000 @@ -51,9 +51,9 @@ int ref_cnt; librpz_result_id_t hit_id; librpz_result_t result; - librpz_rsp_t *rsp; + librpz_rsp_t *rsp; librpz_domain_buf_t origin_buf; - const dns_name_t *qname; + const dns_name_t *qname; rpsnode_t origin_node; rpsnode_t data_node; } rpsdb_t; diff -Nru bind9-9.16.27/lib/dns/include/dns/dnssec.h bind9-9.16.33/lib/dns/include/dns/dnssec.h --- bind9-9.16.27/lib/dns/include/dns/dnssec.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dnssec.h 2022-09-08 13:01:23.000000000 +0000 
@@ -370,11 +370,14 @@ dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey, dns_name_t *origin, dns_rdataclass_t zclass, dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx, - bool dnssec_insecure); + bool expect_cds_delete, bool expect_cdnskey_delete); /*%< * Add or remove the CDS DELETE record and the CDNSKEY DELETE record. - * If 'dnssec_insecure' is true, the DELETE records should be present. - * Otherwise, the DELETE records must be removed from the RRsets (if present). + * If 'expect_cds_delete' is true, the CDS DELETE record should be present. + * Otherwise, the CDS DELETE record must be removed from the RRsets (if + * present). If 'expect_cdnskey_delete' is true, the CDNSKEY DELETE record + * should be present. Otherwise, the CDNSKEY DELETE record must be removed + * from the RRsets (if present). * * Returns: *\li ISC_R_SUCCESS diff -Nru bind9-9.16.27/lib/dns/include/dns/dyndb.h bind9-9.16.33/lib/dns/include/dns/dyndb.h --- bind9-9.16.27/lib/dns/include/dns/dyndb.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/dyndb.h 2022-09-08 13:01:23.000000000 +0000 @@ -35,12 +35,12 @@ */ struct dns_dyndbctx { unsigned int magic; - const void *hashinit; - isc_mem_t *mctx; - isc_log_t *lctx; - dns_view_t *view; + const void *hashinit; + isc_mem_t *mctx; + isc_log_t *lctx; + dns_view_t *view; dns_zonemgr_t *zmgr; - isc_task_t *task; + isc_task_t *task; isc_timermgr_t *timermgr; unsigned int *memdebug; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/geoip.h bind9-9.16.33/lib/dns/include/dns/geoip.h --- bind9-9.16.27/lib/dns/include/dns/geoip.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/geoip.h 2022-09-08 13:01:23.000000000 +0000 @@ -81,7 +81,7 @@ typedef struct dns_geoip_elem { dns_geoip_subtype_t subtype; - void *db; + void *db; union { char as_string[256]; int as_int; 
@@ -105,7 +105,7 @@ bool dns_geoip_match(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip, - const dns_geoip_elem_t *elt); + const dns_geoip_elem_t *elt); ISC_LANG_ENDDECLS diff -Nru bind9-9.16.27/lib/dns/include/dns/ipkeylist.h bind9-9.16.33/lib/dns/include/dns/ipkeylist.h --- bind9-9.16.27/lib/dns/include/dns/ipkeylist.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/ipkeylist.h 2022-09-08 13:01:23.000000000 +0000 @@ -26,9 +26,9 @@ */ struct dns_ipkeylist { isc_sockaddr_t *addrs; - isc_dscp_t *dscps; - dns_name_t **keys; - dns_name_t **labels; + isc_dscp_t *dscps; + dns_name_t **keys; + dns_name_t **labels; uint32_t count; uint32_t allocated; }; diff -Nru bind9-9.16.27/lib/dns/include/dns/iptable.h bind9-9.16.33/lib/dns/include/dns/iptable.h --- bind9-9.16.27/lib/dns/include/dns/iptable.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/iptable.h 2022-09-08 13:01:23.000000000 +0000 @@ -25,7 +25,7 @@ struct dns_iptable { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_refcount_t refcount; isc_radix_tree_t *radix; ISC_LINK(dns_iptable_t) nextincache; diff -Nru bind9-9.16.27/lib/dns/include/dns/kasp.h bind9-9.16.33/lib/dns/include/dns/kasp.h --- bind9-9.16.27/lib/dns/include/dns/kasp.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/kasp.h 2022-09-08 13:01:23.000000000 +0000 @@ -62,8 +62,8 @@ /* Stores a DNSSEC policy */ struct dns_kasp { unsigned int magic; - isc_mem_t *mctx; - char *name; + isc_mem_t *mctx; + char *name; /* Internals. */ isc_mutex_t lock; diff -Nru bind9-9.16.27/lib/dns/include/dns/librpz.h bind9-9.16.33/lib/dns/include/dns/librpz.h --- bind9-9.16.27/lib/dns/include/dns/librpz.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/librpz.h 2022-09-08 13:01:23.000000000 +0000 
@@ -396,9 +396,9 @@ * @param use_expired: true to not ignore expired zones * @return client handle or NULL if the handle could not be created */ -typedef librpz_client_t *(librpz_client_create_t)(librpz_emsg_t *emsg, +typedef librpz_client_t *(librpz_client_create_t)(librpz_emsg_t *emsg, librpz_clist_t *clist, - const char *cstr, + const char *cstr, bool use_expired); LIBDEF_F(client_create) @@ -495,9 +495,9 @@ * @param[in,out] rsp state from librpz_itr_start() * @return false on error */ -typedef bool(librpz_rsp_clientip_prefix_t)(librpz_emsg_t *emsg, +typedef bool(librpz_rsp_clientip_prefix_t)(librpz_emsg_t *emsg, librpz_prefix_t *prefix, - librpz_rsp_t *rsp); + librpz_rsp_t *rsp); LIBDEF_F(rsp_clientip_prefix) /** @@ -510,9 +510,9 @@ * @param[in,out] rsp state from librpz_itr_start() * @return false on error */ -typedef bool(librpz_rsp_domain_t)(librpz_emsg_t *emsg, +typedef bool(librpz_rsp_domain_t)(librpz_emsg_t *emsg, librpz_domain_buf_t *owner, - librpz_rsp_t *rsp); + librpz_rsp_t *rsp); LIBDEF_F(rsp_domain) /** @@ -768,7 +768,7 @@ in_port_t port); LIBDEF_F(mk_inet_su) -typedef socku_t *(librpz_mk_inet6_su_t)(socku_t *su, +typedef socku_t *(librpz_mk_inet6_su_t)(socku_t *su, const struct in6_addr *addrp, uint32_t scope_id, in_port_t port); LIBDEF_F(mk_inet6_su) 
@@ -791,57 +791,57 @@ * This is the dlopen() interface to librpz. */ typedef const struct { - const char *dnsrpzd_path; - const char *version; - librpz_parse_log_opt_t *parse_log_opt; - librpz_log_level_val_t *log_level_val; + const char *dnsrpzd_path; + const char *version; + librpz_parse_log_opt_t *parse_log_opt; + librpz_log_level_val_t *log_level_val; librpz_set_log_t *set_log; - librpz_vpemsg_t *vpemsg; - librpz_pemsg_t *pemsg; - librpz_vlog_t *vlog; - librpz_log_t *log; + librpz_vpemsg_t *vpemsg; + librpz_pemsg_t *pemsg; + librpz_vlog_t *vlog; + librpz_log_t *log; librpz_fatal_t *fatal LIBRPZ_NORET; librpz_rpz_assert_t *rpz_assert LIBRPZ_NORET; librpz_rpz_vassert_t *rpz_vassert LIBRPZ_NORET; - librpz_clist_create_t *clist_create; - librpz_clist_detach_t *clist_detach; - librpz_client_create_t *client_create; + librpz_clist_create_t *clist_create; + librpz_clist_detach_t *clist_detach; + librpz_client_create_t *client_create; librpz_connect_t *connect; - librpz_client_detach_t *client_detach; - librpz_rsp_create_t *rsp_create; - librpz_rsp_detach_t *rsp_detach; - librpz_rsp_result_t *rsp_result; - librpz_have_trig_t *have_trig; - librpz_have_ns_trig_t *have_ns_trig; - librpz_rsp_clientip_prefix_t *rsp_clientip_prefix; - librpz_rsp_domain_t *rsp_domain; - librpz_rsp_rr_t *rsp_rr; + librpz_client_detach_t *client_detach; + librpz_rsp_create_t *rsp_create; + librpz_rsp_detach_t *rsp_detach; + librpz_rsp_result_t *rsp_result; + librpz_have_trig_t *have_trig; + librpz_have_ns_trig_t *have_ns_trig; + librpz_rsp_clientip_prefix_t *rsp_clientip_prefix; + librpz_rsp_domain_t *rsp_domain; + librpz_rsp_rr_t *rsp_rr; librpz_rsp_soa_t *rsp_soa; - librpz_soa_serial_t *soa_serial; - librpz_rsp_push_t *rsp_push; + librpz_soa_serial_t *soa_serial; + librpz_rsp_push_t *rsp_push; librpz_rsp_pop_t *rsp_pop; librpz_rsp_pop_discard_t *rsp_pop_discard; librpz_rsp_forget_zone_t *rsp_forget_zone; - librpz_ck_ip_t *ck_ip; - librpz_ck_domain_t *ck_domain; - librpz_zone_refresh_t 
*zone_refresh; + librpz_ck_ip_t *ck_ip; + librpz_ck_domain_t *ck_domain; + librpz_zone_refresh_t *zone_refresh; librpz_db_info_t *db_info; - librpz_itr_start_t *itr_start; - librpz_mf_stats_t *mf_stats; - librpz_vers_stats_t *vers_stats; - librpz_itr_zone_t *itr_zone; - librpz_itr_node_t *itr_node; - librpz_policy2str_t *policy2str; - librpz_trig2str_t *trig2str; - librpz_secs2str_t *secs2str; - librpz_str2secs_t *str2secs; - librpz_rtype2str_t *rtype2str; - librpz_domain_ntop_t *domain_ntop; - librpz_domain_pton2_t *domain_pton2; - librpz_mk_inet_su_t *mk_inet_su; - librpz_mk_inet6_su_t *mk_inet6_su; - librpz_str2su_t *str2su; - librpz_su2str_t *su2str; + librpz_itr_start_t *itr_start; + librpz_mf_stats_t *mf_stats; + librpz_vers_stats_t *vers_stats; + librpz_itr_zone_t *itr_zone; + librpz_itr_node_t *itr_node; + librpz_policy2str_t *policy2str; + librpz_trig2str_t *trig2str; + librpz_secs2str_t *secs2str; + librpz_str2secs_t *str2secs; + librpz_rtype2str_t *rtype2str; + librpz_domain_ntop_t *domain_ntop; + librpz_domain_pton2_t *domain_pton2; + librpz_mk_inet_su_t *mk_inet_su; + librpz_mk_inet6_su_t *mk_inet6_su; + librpz_str2su_t *str2su; + librpz_su2str_t *su2str; } librpz_0_t; extern librpz_0_t librpz_def_0; @@ -853,7 +853,7 @@ #define LIBRPZ_DEF_STR "librpz_def_0" typedef librpz_0_t librpz_t; -extern librpz_t *librpz; +extern librpz_t *librpz; #if LIBRPZ_LIB_OPEN == 2 #include @@ -867,7 +867,7 @@ */ static inline librpz_t * librpz_lib_open(librpz_emsg_t *emsg, void **dl_handle, const char *path) { - void *handle; + void *handle; librpz_t *new_librpz; emsg->c[0] = '\0'; diff -Nru bind9-9.16.27/lib/dns/include/dns/log.h bind9-9.16.33/lib/dns/include/dns/log.h --- bind9-9.16.27/lib/dns/include/dns/log.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/log.h 2022-09-08 13:01:23.000000000 +0000 
@@ -20,7 +20,7 @@ #include #include -LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx; +LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx; LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[]; LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[]; diff -Nru bind9-9.16.27/lib/dns/include/dns/lookup.h bind9-9.16.33/lib/dns/include/dns/lookup.h --- bind9-9.16.27/lib/dns/include/dns/lookup.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/lookup.h 2022-09-08 13:01:23.000000000 +0000 @@ -59,10 +59,10 @@ typedef struct dns_lookupevent { ISC_EVENT_COMMON(struct dns_lookupevent); isc_result_t result; - dns_name_t *name; + dns_name_t *name; dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; - dns_db_t *db; + dns_db_t *db; dns_dbnode_t *node; } dns_lookupevent_t; diff -Nru bind9-9.16.27/lib/dns/include/dns/masterdump.h bind9-9.16.33/lib/dns/include/dns/masterdump.h --- bind9-9.16.27/lib/dns/include/dns/masterdump.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/masterdump.h 2022-09-08 13:01:23.000000000 +0000 @@ -246,7 +246,7 @@ /*@{*/ isc_result_t dns_master_dumptostreamasync(isc_mem_t *mctx, dns_db_t *db, - dns_dbversion_t *version, + dns_dbversion_t *version, const dns_master_style_t *style, FILE *f, isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg, dns_dumpctx_t **dctxp); @@ -313,7 +313,7 @@ isc_result_t dns_master_rdatasettotext(const dns_name_t *owner_name, - dns_rdataset_t *rdataset, + dns_rdataset_t *rdataset, const dns_master_style_t *style, dns_indent_t *indent, isc_buffer_t *target); /*%< @@ -330,9 +330,9 @@ isc_result_t dns_master_questiontotext(const dns_name_t *owner_name, - dns_rdataset_t *rdataset, + dns_rdataset_t *rdataset, const dns_master_style_t *style, - isc_buffer_t *target); + isc_buffer_t *target); isc_result_t dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db, 
@@ -349,7 +349,7 @@ dns_master_styleflags(const dns_master_style_t *style); isc_result_t -dns_master_stylecreate(dns_master_style_t **style, +dns_master_stylecreate(dns_master_style_t **style, dns_masterstyle_flags_t flags, unsigned int ttl_column, unsigned int class_column, unsigned int type_column, unsigned int rdata_column, unsigned int line_length, diff -Nru bind9-9.16.27/lib/dns/include/dns/message.h bind9-9.16.33/lib/dns/include/dns/message.h --- bind9-9.16.27/lib/dns/include/dns/message.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/message.h 2022-09-08 13:01:23.000000000 +0000 @@ -196,8 +196,8 @@ typedef struct dns_msgblock dns_msgblock_t; struct dns_sortlist_arg { - dns_aclenv_t *env; - const dns_acl_t *acl; + dns_aclenv_t *env; + const dns_acl_t *acl; const dns_aclelement_t *element; }; @@ -217,7 +217,7 @@ /* private from here down */ dns_namelist_t sections[DNS_SECTION_MAX]; - dns_name_t *cursors[DNS_SECTION_MAX]; + dns_name_t *cursors[DNS_SECTION_MAX]; dns_rdataset_t *opt; dns_rdataset_t *sig0; dns_rdataset_t *tsig; @@ -246,7 +246,7 @@ isc_buffer_t *buffer; dns_compress_t *cctx; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_mempool_t *namepool; isc_mempool_t *rdspool; @@ -272,7 +272,7 @@ dns_name_t *sig0name; /* Owner name of SIG0, if any * */ - dst_key_t *sig0key; + dst_key_t *sig0key; dns_rcode_t sig0status; isc_region_t query; isc_region_t saved; @@ -370,7 +370,7 @@ dns_message_pseudosectiontotext(dns_message_t *msg, dns_pseudosection_t section, const dns_master_style_t *style, dns_messagetextflag_t flags, - isc_buffer_t *target); + isc_buffer_t *target); /*%< * Convert section 'section' or 'pseudosection' of message 'msg' to * a cleartext representation diff -Nru bind9-9.16.27/lib/dns/include/dns/nsec3.h bind9-9.16.33/lib/dns/include/dns/nsec3.h --- bind9-9.16.27/lib/dns/include/dns/nsec3.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/nsec3.h 2022-09-08 13:01:23.000000000 +0000 
@@ -109,7 +109,7 @@ isc_result_t dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, - const dns_name_t *name, + const dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, dns_ttl_t nsecttl, bool unsecure, dns_diff_t *diff); @@ -156,7 +156,7 @@ isc_result_t dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, - const dns_name_t *name, + const dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff); isc_result_t @@ -166,7 +166,7 @@ isc_result_t dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, const dns_name_t *name, dns_rdatatype_t private, - dns_diff_t *diff); + dns_diff_t *diff); /*%< * Remove NSEC3 records for 'name', recording the change in 'diff'. * Adjust previous NSEC3 records, if any, to reflect the removal. diff -Nru bind9-9.16.27/lib/dns/include/dns/nta.h bind9-9.16.33/lib/dns/include/dns/nta.h --- bind9-9.16.27/lib/dns/include/dns/nta.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/nta.h 2022-09-08 13:01:23.000000000 +0000 @@ -47,11 +47,11 @@ struct dns_ntatable { /* Unlocked. */ unsigned int magic; - dns_view_t *view; + dns_view_t *view; isc_rwlock_t rwlock; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; - isc_task_t *task; + isc_task_t *task; /* Protected by atomics */ isc_refcount_t references; /* Locked by rwlock. */ diff -Nru bind9-9.16.27/lib/dns/include/dns/peer.h bind9-9.16.33/lib/dns/include/dns/peer.h --- bind9-9.16.27/lib/dns/include/dns/peer.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/peer.h 2022-09-08 13:01:23.000000000 +0000 
@@ -76,12 +76,12 @@ bool request_expire; bool force_tcp; bool tcp_keepalive; - dns_name_t *key; - isc_sockaddr_t *transfer_source; + dns_name_t *key; + isc_sockaddr_t *transfer_source; isc_dscp_t transfer_dscp; - isc_sockaddr_t *notify_source; + isc_sockaddr_t *notify_source; isc_dscp_t notify_dscp; - isc_sockaddr_t *query_source; + isc_sockaddr_t *query_source; isc_dscp_t query_dscp; uint16_t udpsize; /* receive size */ uint16_t maxudp; /* transmit size */ @@ -215,7 +215,7 @@ dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval); isc_result_t -dns_peer_settransfersource(dns_peer_t *peer, +dns_peer_settransfersource(dns_peer_t *peer, const isc_sockaddr_t *transfer_source); isc_result_t diff -Nru bind9-9.16.27/lib/dns/include/dns/rbt.h bind9-9.16.33/lib/dns/include/dns/rbt.h --- bind9-9.16.27/lib/dns/include/dns/rbt.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rbt.h 2022-09-08 13:01:23.000000000 +0000 @@ -169,8 +169,8 @@ }; typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node, - dns_name_t *name, - void *callback_arg); + dns_name_t *name, + void *callback_arg); typedef isc_result_t (*dns_rbtdatawriter_t)(FILE *file, unsigned char *data, void *arg, uint64_t *crc); @@ -762,7 +762,7 @@ void dns_rbt_printtext(dns_rbt_t *rbt, void (*data_printer)(FILE *, void *), - FILE *f); + FILE *f); /*%< * Print an ASCII representation of the internal structure of the red-black * tree of trees to the passed stream. diff -Nru bind9-9.16.27/lib/dns/include/dns/rdata.h bind9-9.16.33/lib/dns/include/dns/rdata.h --- bind9-9.16.27/lib/dns/include/dns/rdata.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rdata.h 2022-09-08 13:01:23.000000000 +0000 
@@ -110,7 +110,7 @@ * purpose the client desires. */ struct dns_rdata { - unsigned char *data; + unsigned char *data; unsigned int length; dns_rdataclass_t rdclass; dns_rdatatype_t type; diff -Nru bind9-9.16.27/lib/dns/include/dns/rdatalist.h bind9-9.16.33/lib/dns/include/dns/rdatalist.h --- bind9-9.16.27/lib/dns/include/dns/rdatalist.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rdatalist.h 2022-09-08 13:01:23.000000000 +0000 @@ -98,7 +98,7 @@ */ isc_result_t -dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset, +dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset, dns_rdatalist_t **rdatalist); /*%< * Point 'rdatalist' to the rdatalist in 'rdataset'. diff -Nru bind9-9.16.27/lib/dns/include/dns/rdataset.h bind9-9.16.33/lib/dns/include/dns/rdataset.h --- bind9-9.16.27/lib/dns/include/dns/rdataset.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rdataset.h 2022-09-08 13:01:23.000000000 +0000 @@ -70,11 +70,11 @@ void (*current)(dns_rdataset_t *rdataset, dns_rdata_t *rdata); void (*clone)(dns_rdataset_t *source, dns_rdataset_t *target); unsigned int (*count)(dns_rdataset_t *rdataset); - isc_result_t (*addnoqname)(dns_rdataset_t *rdataset, + isc_result_t (*addnoqname)(dns_rdataset_t *rdataset, const dns_name_t *name); isc_result_t (*getnoqname)(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); - isc_result_t (*addclosest)(dns_rdataset_t *rdataset, + isc_result_t (*addclosest)(dns_rdataset_t *rdataset, const dns_name_t *name); isc_result_t (*getclosest)(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); 
@@ -83,7 +83,7 @@ void (*clearprefetch)(dns_rdataset_t *rdataset); void (*setownercase)(dns_rdataset_t *rdataset, const dns_name_t *name); void (*getownercase)(const dns_rdataset_t *rdataset, dns_name_t *name); - isc_result_t (*addglue)(dns_rdataset_t *rdataset, + isc_result_t (*addglue)(dns_rdataset_t *rdataset, dns_dbversion_t *version, dns_message_t *msg); } dns_rdatasetmethods_t; @@ -137,11 +137,11 @@ * These are for use by the rdataset implementation, and MUST NOT * be changed by clients. */ - void *private1; - void *private2; - void *private3; + void *private1; + void *private2; + void *private3; unsigned int privateuint4; - void *private5; + void *private5; const void *private6; const void *private7; /*@}*/ @@ -400,7 +400,7 @@ */ isc_result_t -dns_rdataset_towiresorted(dns_rdataset_t *rdataset, +dns_rdataset_towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, @@ -416,7 +416,7 @@ */ isc_result_t -dns_rdataset_towirepartial(dns_rdataset_t *rdataset, +dns_rdataset_towirepartial(dns_rdataset_t *rdataset, const dns_name_t *owner_name, dns_compress_t *cctx, isc_buffer_t *target, dns_rdatasetorderfunc_t order, const void *order_arg, unsigned int options, @@ -440,7 +440,7 @@ */ isc_result_t -dns_rdataset_additionaldata(dns_rdataset_t *rdataset, +dns_rdataset_additionaldata(dns_rdataset_t *rdataset, dns_additionaldatafunc_t add, void *arg); /*%< * For each rdata in rdataset, call 'add' for each name and type in the diff -Nru bind9-9.16.27/lib/dns/include/dns/rdatasetiter.h bind9-9.16.33/lib/dns/include/dns/rdatasetiter.h --- bind9-9.16.27/lib/dns/include/dns/rdatasetiter.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rdatasetiter.h 2022-09-08 13:01:23.000000000 +0000 
@@ -90,9 +90,9 @@ /* Unlocked. */ unsigned int magic; dns_rdatasetitermethods_t *methods; - dns_db_t *db; - dns_dbnode_t *node; - dns_dbversion_t *version; + dns_db_t *db; + dns_dbnode_t *node; + dns_dbversion_t *version; isc_stdtime_t now; }; @@ -145,7 +145,7 @@ void dns_rdatasetiter_current(dns_rdatasetiter_t *iterator, - dns_rdataset_t *rdataset); + dns_rdataset_t *rdataset); /*%< * Return the current rdataset. * diff -Nru bind9-9.16.27/lib/dns/include/dns/resolver.h bind9-9.16.33/lib/dns/include/dns/resolver.h --- bind9-9.16.27/lib/dns/include/dns/resolver.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/resolver.h 2022-09-08 13:01:23.000000000 +0000 @@ -69,13 +69,13 @@ */ typedef struct dns_fetchevent { ISC_EVENT_COMMON(struct dns_fetchevent); - dns_fetch_t *fetch; + dns_fetch_t *fetch; isc_result_t result; dns_rdatatype_t qtype; - dns_db_t *db; + dns_db_t *db; dns_dbnode_t *node; - dns_rdataset_t *rdataset; - dns_rdataset_t *sigrdataset; + dns_rdataset_t *rdataset; + dns_rdataset_t *sigrdataset; dns_fixedname_t foundname; const isc_sockaddr_t *client; dns_messageid_t id; @@ -291,8 +291,8 @@ isc_result_t dns_resolver_createfetch(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, const dns_name_t *domain, - dns_rdataset_t *nameservers, - dns_forwarders_t *forwarders, + dns_rdataset_t *nameservers, + dns_forwarders_t *forwarders, const isc_sockaddr_t *client, dns_messageid_t id, unsigned int options, unsigned int depth, isc_counter_t *qc, isc_task_t *task, @@ -504,7 +504,7 @@ */ bool -dns_resolver_algorithm_supported(dns_resolver_t *resolver, +dns_resolver_algorithm_supported(dns_resolver_t *resolver, const dns_name_t *name, unsigned int alg); /*%< * Check if the given algorithm is supported by this resolver. 
@@ -514,7 +514,7 @@ */ bool -dns_resolver_ds_digest_supported(dns_resolver_t *resolver, +dns_resolver_ds_digest_supported(dns_resolver_t *resolver, const dns_name_t *name, unsigned int digest_type); /*%< diff -Nru bind9-9.16.27/lib/dns/include/dns/rpz.h bind9-9.16.33/lib/dns/include/dns/rpz.h --- bind9-9.16.27/lib/dns/include/dns/rpz.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rpz.h 2022-09-08 13:01:23.000000000 +0000 @@ -147,16 +147,16 @@ uint32_t min_update_interval; /* minimal interval between * updates */ - isc_ht_t *nodes; /* entries in zone */ + isc_ht_t *nodes; /* entries in zone */ dns_rpz_zones_t *rpzs; /* owner */ isc_time_t lastupdated; /* last time the zone was processed * */ bool updatepending; /* there is an update * pending/waiting */ bool updaterunning; /* there is an update running */ - dns_db_t *db; /* zones database */ + dns_db_t *db; /* zones database */ dns_dbversion_t *dbversion; /* version we will be updating to */ - dns_db_t *updb; /* zones database we're working on */ + dns_db_t *updb; /* zones database we're working on */ dns_dbversion_t *updbversion; /* version we're currently working * on */ dns_dbiterator_t *updbit; /* iterator to use when updating */ @@ -215,7 +215,7 @@ */ struct dns_rpz_zones { dns_rpz_popt_t p; - dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; + dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; /* @@ -251,10 +251,10 @@ */ dns_rpz_triggers_t total_triggers; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; - isc_task_t *updater; + isc_task_t *updater; isc_refcount_t refs; isc_refcount_t irefs; /* @@ -267,7 +267,7 @@ isc_mutex_t maint_lock; dns_rpz_cidr_node_t *cidr; - dns_rbt_t *rbt; + dns_rbt_t *rbt; /* * DNSRPZ librpz configuration string and handle on librpz connection 
@@ -295,23 +295,23 @@ */ struct { dns_rpz_type_t type; - dns_rpz_zone_t *rpz; + dns_rpz_zone_t *rpz; dns_rpz_prefix_t prefix; dns_rpz_policy_t policy; dns_ttl_t ttl; isc_result_t result; - dns_zone_t *zone; - dns_db_t *db; + dns_zone_t *zone; + dns_db_t *db; dns_dbversion_t *version; - dns_dbnode_t *node; - dns_rdataset_t *rdataset; + dns_dbnode_t *node; + dns_rdataset_t *rdataset; } m; /* * State for chasing IP addresses and NS names including recursion. */ struct { unsigned int label; - dns_db_t *db; + dns_db_t *db; dns_rdataset_t *ns_rdataset; dns_rdatatype_t r_type; isc_result_t r_result; @@ -325,8 +325,8 @@ isc_result_t result; bool is_zone; bool authoritative; - dns_zone_t *zone; - dns_db_t *db; + dns_zone_t *zone; + dns_db_t *db; dns_dbnode_t *node; dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; @@ -353,9 +353,9 @@ * r_name: recursing for this name to possible policy triggers * f_name: saved found name from before recursion */ - dns_name_t *p_name; - dns_name_t *r_name; - dns_name_t *fname; + dns_name_t *p_name; + dns_name_t *r_name; + dns_name_t *fname; dns_fixedname_t _p_namef; dns_fixedname_t _r_namef; dns_fixedname_t _fnamef; diff -Nru bind9-9.16.27/lib/dns/include/dns/rriterator.h bind9-9.16.33/lib/dns/include/dns/rriterator.h --- bind9-9.16.27/lib/dns/include/dns/rriterator.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rriterator.h 2022-09-08 13:01:23.000000000 +0000 
@@ -56,11 +56,11 @@ typedef struct dns_rriterator { unsigned int magic; isc_result_t result; - dns_db_t *db; - dns_dbiterator_t *dbit; - dns_dbversion_t *ver; + dns_db_t *db; + dns_dbiterator_t *dbit; + dns_dbversion_t *ver; isc_stdtime_t now; - dns_dbnode_t *node; + dns_dbnode_t *node; dns_fixedname_t fixedname; dns_rdatasetiter_t *rdatasetit; dns_rdataset_t rdataset; diff -Nru bind9-9.16.27/lib/dns/include/dns/rrl.h bind9-9.16.33/lib/dns/include/dns/rrl.h --- bind9-9.16.27/lib/dns/include/dns/rrl.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/rrl.h 2022-09-08 13:01:23.000000000 +0000 @@ -256,8 +256,8 @@ } dns_rrl_result_t; dns_rrl_result_t -dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr, bool is_tcp, - dns_rdataclass_t rdclass, dns_rdatatype_t qtype, +dns_rrl(dns_view_t *view, dns_zone_t *zone, const isc_sockaddr_t *client_addr, + bool is_tcp, dns_rdataclass_t rdclass, dns_rdatatype_t qtype, const dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now, bool wouldlog, char *log_buf, unsigned int log_buf_len); diff -Nru bind9-9.16.27/lib/dns/include/dns/sdb.h bind9-9.16.33/lib/dns/include/dns/sdb.h --- bind9-9.16.27/lib/dns/include/dns/sdb.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/sdb.h 2022-09-08 13:01:23.000000000 +0000 
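Review bot: The new `dns_zone_t *zone` parameter in the `dns_rrl()` prototype in rrl.h is not documented in this hunk, and nothing visible says whether NULL is accepted or what the zone is used for. This function decides whether a response is rate-limited, so a caller that has no zone at hand should have defined behaviour rather than a guess. I would add a comment above the prototype along the lines of `/* 'zone' is the zone the response was generated from, or NULL if there is none. */`, adjusted to what the implementation actually does, which is outside this hunk.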
@@ -54,13 +54,13 @@ typedef struct dns_sdballnodes dns_sdballnodes_t; typedef isc_result_t (*dns_sdblookupfunc_t)(const char *zone, const char *name, - void *dbdata, + void *dbdata, dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo); -typedef isc_result_t (*dns_sdblookup2func_t)(const dns_name_t *zone, - const dns_name_t *name, - void *dbdata, +typedef isc_result_t (*dns_sdblookup2func_t)(const dns_name_t *zone, + const dns_name_t *name, + void *dbdata, dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo); diff -Nru bind9-9.16.27/lib/dns/include/dns/sdlz.h bind9-9.16.33/lib/dns/include/dns/sdlz.h --- bind9-9.16.27/lib/dns/include/dns/sdlz.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/sdlz.h 2022-09-08 13:01:23.000000000 +0000 @@ -148,9 +148,9 @@ */ typedef isc_result_t (*dns_sdlzfindzone_t)(void *driverarg, void *dbdata, - const char *name, + const char *name, dns_clientinfomethods_t *methods, - dns_clientinfo_t *clientinfo); + dns_clientinfo_t *clientinfo); /*%< * Method prototype. Drivers implementing the SDLZ interface MUST * supply a find zone method. This method is called when the DNS @@ -180,7 +180,7 @@ typedef isc_result_t (*dns_sdlzlookupfunc_t)(const char *zone, const char *name, void *driverarg, void *dbdata, - dns_sdlzlookup_t *lookup, + dns_sdlzlookup_t *lookup, dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo); @@ -223,7 +223,7 @@ * If the call is successful then *versionp should be set to NULL */ -typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t *view, +typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t *view, dns_dlzdb_t *dlzdb, void *driverarg, void *dbdata); /*%< diff -Nru bind9-9.16.27/lib/dns/include/dns/tcpmsg.h bind9-9.16.33/lib/dns/include/dns/tcpmsg.h --- bind9-9.16.27/lib/dns/include/dns/tcpmsg.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/tcpmsg.h 2022-09-08 13:01:23.000000000 +0000 
@@ -28,11 +28,11 @@ uint16_t size; isc_buffer_t buffer; unsigned int maxsize; - isc_mem_t *mctx; - isc_socket_t *sock; - isc_task_t *task; + isc_mem_t *mctx; + isc_socket_t *sock; + isc_task_t *task; isc_taskaction_t action; - void *arg; + void *arg; isc_event_t event; /* public (read-only) */ isc_result_t result; diff -Nru bind9-9.16.27/lib/dns/include/dns/tkey.h bind9-9.16.33/lib/dns/include/dns/tkey.h --- bind9-9.16.27/lib/dns/include/dns/tkey.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/tkey.h 2022-09-08 13:01:23.000000000 +0000 @@ -36,11 +36,11 @@ #define DNS_TKEYMODE_DELETE 5 struct dns_tkeyctx { - dst_key_t *dhkey; - dns_name_t *domain; + dst_key_t *dhkey; + dns_name_t *domain; dns_gss_cred_id_t gsscred; - isc_mem_t *mctx; - char *gssapi_keytab; + isc_mem_t *mctx; + char *gssapi_keytab; }; isc_result_t diff -Nru bind9-9.16.27/lib/dns/include/dns/tsig.h bind9-9.16.33/lib/dns/include/dns/tsig.h --- bind9-9.16.27/lib/dns/include/dns/tsig.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/tsig.h 2022-09-08 13:01:23.000000000 +0000 @@ -56,10 +56,10 @@ #define DNS_TSIG_FUDGE 300 struct dns_tsig_keyring { - dns_rbt_t *keys; + dns_rbt_t *keys; unsigned int writecount; isc_rwlock_t lock; - isc_mem_t *mctx; + isc_mem_t *mctx; /* * LRU list of generated key along with a count of the keys on the * list and a maximum size. 
@@ -73,10 +73,10 @@ struct dns_tsigkey { /* Unlocked */ unsigned int magic; /*%< Magic number. */ - isc_mem_t *mctx; - dst_key_t *key; /*%< Key */ + isc_mem_t *mctx; + dst_key_t *key; /*%< Key */ dns_name_t name; /*%< Key name */ - const dns_name_t *algorithm; /*%< Algorithm name */ + const dns_name_t *algorithm; /*%< Algorithm name */ dns_name_t *creator; /*%< name that created secret */ bool generated; /*%< was this generated? */ isc_stdtime_t inception; /*%< start of validity period */ diff -Nru bind9-9.16.27/lib/dns/include/dns/types.h bind9-9.16.33/lib/dns/include/dns/types.h --- bind9-9.16.27/lib/dns/include/dns/types.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/types.h 2022-09-08 13:01:23.000000000 +0000 @@ -164,7 +164,7 @@ */ #ifndef GSSAPI typedef struct not_defined_gss_cred_id *gss_cred_id_t; -typedef struct not_defined_gss_ctx *gss_ctx_id_t; +typedef struct not_defined_gss_ctx *gss_ctx_id_t; #endif /* ifndef GSSAPI */ typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t; diff -Nru bind9-9.16.27/lib/dns/include/dns/validator.h bind9-9.16.33/lib/dns/include/dns/validator.h --- bind9-9.16.27/lib/dns/include/dns/validator.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/validator.h 2022-09-08 13:01:23.000000000 +0000 @@ -78,7 +78,7 @@ /* * Name and type of the response to be validated. */ - dns_name_t *name; + dns_name_t *name; dns_rdatatype_t type; /* * Rdata and RRSIG (if any) for positive responses. 
@@ -125,19 +125,19 @@ unsigned int options; unsigned int attributes; dns_validatorevent_t *event; - dns_fetch_t *fetch; - dns_validator_t *subvalidator; - dns_validator_t *parent; - dns_keytable_t *keytable; - dst_key_t *key; - dns_rdata_rrsig_t *siginfo; - isc_task_t *task; + dns_fetch_t *fetch; + dns_validator_t *subvalidator; + dns_validator_t *parent; + dns_keytable_t *keytable; + dst_key_t *key; + dns_rdata_rrsig_t *siginfo; + isc_task_t *task; isc_taskaction_t action; void *arg; unsigned int labels; - dns_rdataset_t *currentset; - dns_rdataset_t *keyset; - dns_rdataset_t *dsset; + dns_rdataset_t *currentset; + dns_rdataset_t *keyset; + dns_rdataset_t *dsset; dns_rdataset_t fdsset; dns_rdataset_t frdataset; dns_rdataset_t fsigrdataset; diff -Nru bind9-9.16.27/lib/dns/include/dns/view.h bind9-9.16.33/lib/dns/include/dns/view.h --- bind9-9.16.27/lib/dns/include/dns/view.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dns/view.h 2022-09-08 13:01:23.000000000 +0000 @@ -83,14 +83,14 @@ struct dns_view { /* Unlocked. */ unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; dns_rdataclass_t rdclass; - char *name; + char *name; dns_zt_t *zonetable; - dns_resolver_t *resolver; - dns_adb_t *adb; + dns_resolver_t *resolver; + dns_adb_t *adb; dns_requestmgr_t *requestmgr; - dns_cache_t *cache; + dns_cache_t *cache; dns_db_t *cachedb; dns_db_t *hints; @@ -115,9 +115,9 @@ /* Configurable data. */ dns_tsig_keyring_t *statickeys; dns_tsig_keyring_t *dynamickeys; - dns_peerlist_t *peers; - dns_order_t *order; - dns_fwdtable_t *fwdtable; + dns_peerlist_t *peers; + dns_order_t *order; + dns_fwdtable_t *fwdtable; bool recursion; bool qminimization; bool qmin_strict; 
@@ -132,24 +132,24 @@ bool trust_anchor_telemetry; bool root_key_sentinel; dns_transfer_format_t transfer_format; - dns_acl_t *cacheacl; - dns_acl_t *cacheonacl; - dns_acl_t *queryacl; - dns_acl_t *queryonacl; - dns_acl_t *recursionacl; - dns_acl_t *recursiononacl; - dns_acl_t *sortlist; - dns_acl_t *notifyacl; - dns_acl_t *transferacl; - dns_acl_t *updateacl; - dns_acl_t *upfwdacl; - dns_acl_t *denyansweracl; - dns_acl_t *nocasecompress; + dns_acl_t *cacheacl; + dns_acl_t *cacheonacl; + dns_acl_t *queryacl; + dns_acl_t *queryonacl; + dns_acl_t *recursionacl; + dns_acl_t *recursiononacl; + dns_acl_t *sortlist; + dns_acl_t *notifyacl; + dns_acl_t *transferacl; + dns_acl_t *updateacl; + dns_acl_t *upfwdacl; + dns_acl_t *denyansweracl; + dns_acl_t *nocasecompress; bool msgcompression; - dns_rbt_t *answeracl_exclude; - dns_rbt_t *denyanswernames; - dns_rbt_t *answernames_exclude; - dns_rrl_t *rrl; + dns_rbt_t *answeracl_exclude; + dns_rbt_t *denyanswernames; + dns_rbt_t *answernames_exclude; + dns_rrl_t *rrl; bool provideixfr; bool requestnsid; bool sendcookie; @@ -166,9 +166,9 @@ dns_aclenv_t aclenv; dns_rdatatype_t preferred_glue; bool flush; - dns_namelist_t *delonly; + dns_namelist_t *delonly; bool rootdelonly; - dns_namelist_t *rootexclude; + dns_namelist_t *rootexclude; bool checknames; uint16_t maxudp; dns_ttl_t staleanswerttl; @@ -178,16 +178,16 @@ uint32_t staleanswerclienttimeout; uint16_t nocookieudp; uint16_t padding; - dns_acl_t *pad_acl; + dns_acl_t *pad_acl; unsigned int maxbits; dns_dns64list_t dns64; unsigned int dns64cnt; - dns_rpz_zones_t *rpzs; + dns_rpz_zones_t *rpzs; dns_catz_zones_t *catzs; dns_dlzdblist_t dlz_searched; dns_dlzdblist_t dlz_unsearched; uint32_t fail_ttl; - dns_badcache_t *failcache; + dns_badcache_t *failcache; /* * Configurable data for server use only, 
@@ -220,12 +220,12 @@ * XXX: This should be a pointer to an opaque type that * named implements. */ - char *new_zone_dir; - char *new_zone_file; - char *new_zone_db; - void *new_zone_dbenv; + char *new_zone_dir; + char *new_zone_file; + char *new_zone_db; + void *new_zone_dbenv; uint64_t new_zone_mapsize; - void *new_zone_config; + void *new_zone_config; void (*cfg_destroy)(void **); isc_mutex_t new_zone_lock; diff -Nru bind9-9.16.27/lib/dns/include/dst/dst.h bind9-9.16.33/lib/dns/include/dst/dst.h --- bind9-9.16.27/lib/dns/include/dst/dst.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/include/dst/dst.h 2022-09-08 13:01:23.000000000 +0000 @@ -1107,6 +1107,26 @@ * 'key' to be valid. */ +void +dst_key_setmodified(dst_key_t *key, bool value); +/*%< + * If 'value' is true, this marks the key to indicate that key file metadata + * has been modified. If 'value' is false, this resets the value, for example + * after you have written the key to file. + * + * Requires: + * 'key' to be valid. + */ + +bool +dst_key_ismodified(const dst_key_t *key); +/*%< + * Check if the key file has been modified. + * + * Requires: + * 'key' to be valid. + */ + bool dst_key_haskasp(dst_key_t *key); /*%< diff -Nru bind9-9.16.27/lib/dns/journal.c bind9-9.16.33/lib/dns/journal.c --- bind9-9.16.27/lib/dns/journal.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/journal.c 2022-09-08 13:01:23.000000000 +0000 @@ -109,13 +109,13 @@ static isc_result_t index_to_disk(dns_journal_t *); -static inline uint32_t +static uint32_t decode_uint32(unsigned char *p) { return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) + ((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0)); } -static inline void +static void encode_uint32(uint32_t val, unsigned char *p) { p[0] = (uint8_t)(val >> 24); p[1] = (uint8_t)(val >> 16); @@ -824,8 +824,7 @@ aop = 0; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } switch (b->op) { 
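Review bot: The comment added for `dst_key_ismodified()` in dst.h says it checks whether "the key file has been modified", which does not match the setter documented just above it. Per the setter's comment, the flag records that key metadata was changed and is reset after the key is written, so it describes unsaved in-memory state rather than the file on disk. The comment also has no Returns section. I would reword it to `* Returns true if key metadata has been modified since the key was last written to file, false otherwise.` The implementation is outside this hunk, so the wording should be checked against it.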
@@ -838,8 +837,7 @@ bop = 0; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } r = bop - aop; diff -Nru bind9-9.16.27/lib/dns/kasp.c bind9-9.16.33/lib/dns/kasp.c --- bind9-9.16.27/lib/dns/kasp.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/kasp.c 2022-09-08 13:01:23.000000000 +0000 @@ -80,7 +80,7 @@ *targetp = source; } -static inline void +static void destroy(dns_kasp_t *kasp) { dns_kasp_key_t *key; dns_kasp_key_t *key_next; diff -Nru bind9-9.16.27/lib/dns/keymgr.c bind9-9.16.33/lib/dns/keymgr.c --- bind9-9.16.27/lib/dns/keymgr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/keymgr.c 2022-09-08 13:01:23.000000000 +0000 @@ -1367,8 +1367,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); break; } @@ -1513,6 +1512,7 @@ /* It is safe to make the transition. */ dst_key_setstate(dkey->key, i, next_state); dst_key_settime(dkey->key, keystatetimes[i], now); + INSIST(dst_key_ismodified(dkey->key)); changed = true; } } @@ -2184,9 +2184,10 @@ for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring); dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link)) { - if (!dkey->purge) { + if (dst_key_ismodified(dkey->key) && !dkey->purge) { dns_dnssec_get_hints(dkey, now); RETERR(dst_key_tofile(dkey->key, options, directory)); + dst_key_setmodified(dkey->key, false); } } @@ -2206,6 +2207,13 @@ } } + if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { + char namebuf[DNS_NAME_FORMATSIZE]; + dns_name_format(origin, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, + DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(3), + "keymgr: %s done", namebuf); + } return (result); } @@ -2283,6 +2291,9 @@ dns_dnssec_get_hints(ksk_key, now); result = dst_key_tofile(ksk_key->key, options, directory); + if (result == ISC_R_SUCCESS) { + dst_key_setmodified(ksk_key->key, false); + } isc_dir_close(&dir); return (result); 
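Review bot: The "write the key, then clear the modified flag" pairing is now repeated at three call sites in keymgr.c, so the invariant depends on every caller remembering it. The sites are the keyring loop in the hunk at -2184 (`RETERR(dst_key_tofile(...)); dst_key_setmodified(dkey->key, false);`) and the `result == ISC_R_SUCCESS` blocks in the hunks at -2283 and -2583. Clearing the flag inside `dst_key_tofile()` on success, if its signature allows it, would keep the invariant in one place. If it has to stay with the callers, a comment in the loop such as `/* Only rewrite key files whose metadata changed; clear the flag once the write succeeded. */` would explain why unmodified keys are now skipped. `dns_dnssec_get_hints(dkey, now)` is also no longer called for unmodified keys, which looks intended but is worth confirming; the enclosing function begins and ends outside the hunk.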
@@ -2583,6 +2594,9 @@ dns_dnssec_get_hints(key, now); result = dst_key_tofile(key->key, options, directory); + if (result == ISC_R_SUCCESS) { + dst_key_setmodified(key->key, false); + } isc_dir_close(&dir); return (result); diff -Nru bind9-9.16.27/lib/dns/lookup.c bind9-9.16.33/lib/dns/lookup.c --- bind9-9.16.27/lib/dns/lookup.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/lookup.c 2022-09-08 13:01:23.000000000 +0000 @@ -73,7 +73,7 @@ lookup_find(lookup, fevent); } -static inline isc_result_t +static isc_result_t start_fetch(dns_lookup_t *lookup) { isc_result_t result; diff -Nru bind9-9.16.27/lib/dns/master.c bind9-9.16.33/lib/dns/master.c --- bind9-9.16.27/lib/dns/master.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/master.c 2022-09-08 13:01:23.000000000 +0000 @@ -341,14 +341,14 @@ static dns_name_t const ip6_arpa = DNS_NAME_INITABSOLUTE(ip6_arpa_data, ip6_arpa_offsets); -static inline bool +static bool dns_master_isprimary(dns_loadctx_t *lctx) { return ((lctx->options & DNS_MASTER_ZONE) != 0 && (lctx->options & DNS_MASTER_SLAVE) == 0 && (lctx->options & DNS_MASTER_KEY) == 0); } -static inline isc_result_t +static isc_result_t gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token, bool eol, dns_rdatacallbacks_t *callbacks) { isc_result_t result; @@ -550,8 +550,7 @@ lctx->load = load_map; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (lex != NULL) { @@ -684,7 +683,10 @@ char fmt[sizeof("%04000000000d")]; char numbuf[128]; char *cp; - char mode[2]; + char mode[2] = { 0 }; + char brace[2] = { 0 }; + char comma1[2] = { 0 }; + char comma2[2] = { 0 }; int delta = 0; isc_textregion_t r; unsigned int n; 
@@ -709,23 +711,31 @@ strlcpy(fmt, "%d", sizeof(fmt)); /* Get format specifier. */ if (*name == '{') { - n = sscanf(name, "{%d,%u,%1[doxXnN]}", &delta, - &width, mode); - switch (n) { - case 1: - break; - case 2: + n = sscanf(name, + "{%d%1[,}]%u%1[,}]%1[doxXnN]%1[}]", + &delta, comma1, &width, comma2, mode, + brace); + if (n < 2 || n > 6) { + return (DNS_R_SYNTAX); + } + if (comma1[0] == '}') { + /* %{delta} */ + } else if (comma1[0] == ',' && comma2[0] == '}') + { + /* %{delta,width} */ n = snprintf(fmt, sizeof(fmt), "%%0%ud", width); - break; - case 3: + } else if (comma1[0] == ',' && + comma2[0] == ',' && mode[0] != 0 && + brace[0] == '}') + { + /* %{delta,width,format} */ if (mode[0] == 'n' || mode[0] == 'N') { nibblemode = true; } n = snprintf(fmt, sizeof(fmt), "%%0%u%c", width, mode[0]); - break; - default: + } else { return (DNS_R_SYNTAX); } if (n >= sizeof(fmt)) { @@ -736,6 +746,13 @@ continue; } } + /* + * 'it' is >= 0 so we don't need to check for + * underflow. + */ + if ((it > 0 && delta > INT_MAX - it)) { + return (ISC_R_RANGE); + } if (nibblemode) { n = nibbles(numbuf, sizeof(numbuf), width, mode[0], it + delta); @@ -801,7 +818,8 @@ isc_buffer_t target; isc_result_t result; isc_textregion_t r; - int i, n, start, stop, step = 0; + int n, start, stop, step = 0; + unsigned int i; dns_incctx_t *ictx; char dummy[2]; @@ -856,7 +874,7 @@ goto insist_cleanup; } - for (i = start; i <= stop; i += step) { + for (i = start; i <= (unsigned int)stop; i += step) { result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS); if (result != ISC_R_SUCCESS) { goto error_cleanup; 
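Review bot: `n` carries two different values through the format-specifier block at -709: the field count from `sscanf()` and, in two of the three accepted branches, the length returned by `snprintf()`. For the `{delta}` form the following `if (n >= sizeof(fmt))` test therefore compares the sscanf count. The `n > 6` bound is also doing hidden work: `n` is declared `unsigned int`, so an EOF return from `sscanf()` is rejected only because -1 converts to a large unsigned value. A separate `int` for the sscanf result, checked with `if (nfields < 2) { return (DNS_R_SYNTAX); }`, or at least a comment `/* n is unsigned, so EOF from sscanf() is caught by n > 6 */`, would make both facts visible. The enclosing function starts and ends outside the hunk.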
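Review bot: The new range check `if ((it > 0 && delta > INT_MAX - it))` in the hunk at -736 is complete only if `it` is never negative, and that precondition is stated in a comment rather than enforced. A negative `it` combined with a negative `delta` could still overflow in `it + delta`. Adding `REQUIRE(it >= 0);` at the top of the function (its signature is outside the hunk) would turn the assumption into a checked one. The doubled parentheses around the condition can also be dropped: `if (it > 0 && delta > INT_MAX - it) {`.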
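Review bot: The loop counter change (`unsigned int i` in the hunk at -801, `i <= (unsigned int)stop` in the hunk at -856) has no comment saying why the counter is unsigned while `start`, `stop` and `step` stay `int`. It appears to be there so that `i += step` cannot overflow a signed counter when `stop` is close to INT_MAX. That is correct only if `start`, `stop` and `step` have already been checked to be non-negative, which happens, if at all, outside these hunks. I would add above the loop `/* 'i' is unsigned so that 'i += step' cannot overflow when 'stop' is near INT_MAX; start, stop and step are non-negative here. */` and confirm that `genname()` takes `i` in a parameter type that can hold it.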
@@ -2215,7 +2233,7 @@ * Fill/check exists buffer with 'len' bytes. Track remaining bytes to be * read when incrementally filling the buffer. */ -static inline isc_result_t +static isc_result_t read_and_check(bool do_read, isc_buffer_t *buffer, size_t len, FILE *f, uint32_t *totallen) { isc_result_t result; diff -Nru bind9-9.16.27/lib/dns/masterdump.c bind9-9.16.33/lib/dns/masterdump.c --- bind9-9.16.27/lib/dns/masterdump.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/masterdump.c 2022-09-08 13:01:23.000000000 +0000 @@ -706,7 +706,7 @@ isc_buffer_putstr(target, KEYDATA); break; } - /* FALLTHROUGH */ + FALLTHROUGH; default: if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0) { @@ -1600,8 +1600,7 @@ dctx->dumpsets = dump_rdatasets_map; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } result = totext_ctx_init(style, NULL, &dctx->tctx); @@ -1722,8 +1721,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_mem_put(dctx->mctx, buffer.base, buffer.length); diff -Nru bind9-9.16.27/lib/dns/message.c bind9-9.16.33/lib/dns/message.c --- bind9-9.16.27/lib/dns/message.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/message.c 2022-09-08 13:01:23.000000000 +0000 @@ -169,19 +169,19 @@ ISC_LINK(dns_msgblock_t) link; }; /* dynamically sized */ -static inline dns_msgblock_t * +static dns_msgblock_t * msgblock_allocate(isc_mem_t *, unsigned int, unsigned int); #define msgblock_get(block, type) \ ((type *)msgblock_internalget(block, sizeof(type))) -static inline void * +static void * msgblock_internalget(dns_msgblock_t *, unsigned int); -static inline void +static void msgblock_reset(dns_msgblock_t *); -static inline void +static void msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int); static void 
@@ -194,7 +194,7 @@ * Allocate a new dns_msgblock_t, and return a pointer to it. If no memory * is free, return NULL. */ -static inline dns_msgblock_t * +static dns_msgblock_t * msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type, unsigned int count) { dns_msgblock_t *block; @@ -216,7 +216,7 @@ * Return an element from the msgblock. If no more are available, return * NULL. */ -static inline void * +static void * msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) { void *ptr; @@ -232,7 +232,7 @@ return (ptr); } -static inline void +static void msgblock_reset(dns_msgblock_t *block) { block->remaining = block->count; } @@ -240,7 +240,7 @@ /* * Release memory associated with a message block. */ -static inline void +static void msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type) { unsigned int length; @@ -255,7 +255,7 @@ * "current" buffer. (which is always the last on the list, for our * uses) */ -static inline isc_result_t +static isc_result_t newbuffer(dns_message_t *msg, unsigned int size) { isc_buffer_t *dynbuf; @@ -266,7 +266,7 @@ return (ISC_R_SUCCESS); } -static inline isc_buffer_t * +static isc_buffer_t * currentbuffer(dns_message_t *msg) { isc_buffer_t *dynbuf; @@ -276,12 +276,12 @@ return (dynbuf); } -static inline void +static void releaserdata(dns_message_t *msg, dns_rdata_t *rdata) { ISC_LIST_PREPEND(msg->freerdata, rdata, link); } -static inline dns_rdata_t * +static dns_rdata_t * newrdata(dns_message_t *msg) { dns_msgblock_t *msgblock; dns_rdata_t *rdata; @@ -310,12 +310,12 @@ return (rdata); } -static inline void +static void releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) { ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link); } -static inline dns_rdatalist_t * +static dns_rdatalist_t * newrdatalist(dns_message_t *msg) { dns_msgblock_t *msgblock; dns_rdatalist_t *rdatalist; 
@@ -347,7 +347,7 @@ return (rdatalist); } -static inline dns_offsets_t * +static dns_offsets_t * newoffsets(dns_message_t *msg) { dns_msgblock_t *msgblock; dns_offsets_t *offsets; @@ -369,7 +369,7 @@ return (offsets); } -static inline void +static void msginitheader(dns_message_t *m) { m->id = 0; m->flags = 0; @@ -378,7 +378,7 @@ m->rdclass = 0; } -static inline void +static void msginitprivate(dns_message_t *m) { unsigned int i; @@ -400,7 +400,7 @@ m->buffer = NULL; } -static inline void +static void msginittsig(dns_message_t *m) { m->tsigstatus = dns_rcode_noerror; m->querytsigstatus = dns_rcode_noerror; @@ -416,7 +416,7 @@ * Init elements to default state. Used both when allocating a new element * and when resetting one. */ -static inline void +static void msginit(dns_message_t *m) { msginitheader(m); msginitprivate(m); @@ -445,7 +445,7 @@ m->indent.count = 0; } -static inline void +static void msgresetnames(dns_message_t *msg, unsigned int first_section) { unsigned int i; dns_name_t *name, *next_name; @@ -898,8 +898,7 @@ } } - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } static isc_result_t @@ -1870,7 +1869,7 @@ return (ISC_R_SUCCESS); } -static inline bool +static bool wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) { int pass_needed; @@ -4297,6 +4296,7 @@ INDENT(style); ADD_STRING(target, "QUESTION: "); } else { + INDENT(style); ADD_STRING(target, "ZONE: "); } snprintf(buf, sizeof(buf), "%1u", diff -Nru bind9-9.16.27/lib/dns/name.c bind9-9.16.33/lib/dns/name.c --- bind9-9.16.27/lib/dns/name.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/name.c 2022-09-08 13:01:23.000000000 +0000 
@@ -853,12 +853,6 @@ REQUIRE(labels > 0); REQUIRE(dns_name_iswildcard(wname)); -#if defined(__clang__) && \ - (__clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2)) - memset(&tname, 0, sizeof(tname)); -#endif /* if defined(__clang__) && (__clang_major__ < 3 || (__clang_major__ == \ - * 3 \ - * && __clang_minor__ < 2)) */ DNS_NAME_INIT(&tname, NULL); dns_name_getlabelsequence(wname, 1, labels - 1, &tname); if (dns_name_fullcompare(name, &tname, &order, &nlabels) == @@ -1145,7 +1139,7 @@ break; } - /* FALLTHROUGH */ + FALLTHROUGH; case ft_start: label = ndata; ndata++; @@ -1160,7 +1154,7 @@ if (nrem == 0) { return (ISC_R_NOSPACE); } - /* FALLTHROUGH */ + FALLTHROUGH; case ft_ordinary: if (c == '.') { if (count == 0) { @@ -1204,7 +1198,7 @@ } state = ft_escape; POST(state); - /* FALLTHROUGH */ + FALLTHROUGH; case ft_escape: if (!isdigit((unsigned char)c)) { if (count >= 63) { @@ -1224,7 +1218,7 @@ digits = 0; value = 0; state = ft_escdecimal; - /* FALLTHROUGH */ + FALLTHROUGH; case ft_escdecimal: if (!isdigit((unsigned char)c)) { return (DNS_R_BADESCAPE); @@ -1427,7 +1421,7 @@ 0) { goto no_escape; } - /* FALLTHROUGH */ + FALLTHROUGH; case 0x22: /* '"' */ case 0x28: /* '(' */ case 0x29: /* ')' */ @@ -1475,7 +1469,7 @@ } else { FATAL_ERROR(__FILE__, __LINE__, "Unexpected label type %02x", count); - /* NOTREACHED */ + UNREACHABLE(); } /* @@ -1599,7 +1593,7 @@ } else { FATAL_ERROR(__FILE__, __LINE__, "Unexpected label type %02x", count); - /* NOTREACHED */ + UNREACHABLE(); } /* @@ -1977,12 +1971,6 @@ * has one. */ if (name->offsets == NULL) { -#if defined(__clang__) && \ - (__clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2)) - memset(&clname, 0, sizeof(clname)); -#endif /* if defined(__clang__) && (__clang_major__ < 3 || (__clang_major__ == \ - * 3 \ - * && __clang_minor__ < 2)) */ DNS_NAME_INIT(&clname, clo); dns_name_clone(name, &clname); name = &clname; 
@@ -2301,12 +2289,6 @@ REQUIRE(VALID_NAME(name)); REQUIRE(digest != NULL); -#if defined(__clang__) && \ - (__clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2)) - memset(&downname, 0, sizeof(downname)); -#endif /* if defined(__clang__) && (__clang_major__ < 3 || (__clang_major__ == \ - * 3 \ - * && __clang_minor__ < 2)) */ DNS_NAME_INIT(&downname, NULL); isc_buffer_init(&buffer, data, sizeof(data)); diff -Nru bind9-9.16.27/lib/dns/ncache.c bind9-9.16.33/lib/dns/ncache.c --- bind9-9.16.27/lib/dns/ncache.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/ncache.c 2022-09-08 13:01:23.000000000 +0000 @@ -48,7 +48,7 @@ dns_ttl_t maxttl, bool optout, bool secure, dns_rdataset_t *addedrdataset); -static inline isc_result_t +static isc_result_t copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) { isc_result_t result; unsigned int count; @@ -504,6 +504,7 @@ unsigned char *raw = rdataset->private3; raw[-1] = (unsigned char)trust; + rdataset->trust = trust; } static dns_rdatasetmethods_t rdataset_methods = { diff -Nru bind9-9.16.27/lib/dns/nsec3.c bind9-9.16.33/lib/dns/nsec3.c --- bind9-9.16.27/lib/dns/nsec3.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/nsec3.c 2022-09-08 13:01:23.000000000 +0000 @@ -1833,6 +1833,7 @@ try_private: if (privatetype == 0 || complete) { + dns_db_detachnode(db, &node); *answer = false; return (ISC_R_SUCCESS); } diff -Nru bind9-9.16.27/lib/dns/opensslecdsa_link.c bind9-9.16.33/lib/dns/opensslecdsa_link.c --- bind9-9.16.27/lib/dns/opensslecdsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/opensslecdsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -230,7 +230,7 @@ } if (sig->length != siglen) { - return (DST_R_VERIFYFAILURE); + DST_RET(DST_R_VERIFYFAILURE); } if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) { 
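Review bot: The early return under `try_private:` in nsec3.c needed its own `dns_db_detachnode(db, &node);`, which suggests that each exit of this function releases the node by hand. That is the pattern that allowed this path to be missed. Routing the exits after the label through one cleanup block that detaches `node` when it is non-NULL would make the release hard to forget. The rest of the function is outside the hunk, so the remaining returns after `try_private:` should be checked for the same omission.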
@@ -657,8 +657,7 @@ group_nid = NID_secp384r1; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } *eckey = EC_KEY_new_by_curve_name(group_nid); if (*eckey == NULL) { diff -Nru bind9-9.16.27/lib/dns/openssleddsa_link.c bind9-9.16.33/lib/dns/openssleddsa_link.c --- bind9-9.16.27/lib/dns/openssleddsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/openssleddsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -236,11 +236,11 @@ } #endif /* if HAVE_OPENSSL_ED448 */ if (siglen == 0) { - return (ISC_R_NOTIMPLEMENTED); + DST_RET(ISC_R_NOTIMPLEMENTED); } if (sig->length != siglen) { - return (DST_R_VERIFYFAILURE); + DST_RET(DST_R_VERIFYFAILURE); } isc_buffer_usedregion(buf, &tbsreg); @@ -396,8 +396,9 @@ return (ISC_R_NOSPACE); } - if (EVP_PKEY_get_raw_public_key(pkey, r.base, &len) != 1) + if (EVP_PKEY_get_raw_public_key(pkey, r.base, &len) != 1) { return (dst__openssl_toresult(ISC_R_FAILURE)); + } isc_buffer_add(data, len); return (ISC_R_SUCCESS); @@ -420,8 +421,9 @@ len = r.length; ret = raw_key_to_ossl(key->key_alg, 0, r.base, &len, &pkey); - if (ret != ISC_R_SUCCESS) + if (ret != ISC_R_SUCCESS) { return ret; + } isc_buffer_forward(data, len); key->keydata.pkey = pkey; @@ -459,8 +461,9 @@ } buf = isc_mem_get(key->mctx, len); if (EVP_PKEY_get_raw_private_key(key->keydata.pkey, buf, - &len) != 1) + &len) != 1) { DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); + } priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY; priv.elements[i].length = len; priv.elements[i].data = buf; diff -Nru bind9-9.16.27/lib/dns/opensslrsa_link.c bind9-9.16.33/lib/dns/opensslrsa_link.c --- bind9-9.16.27/lib/dns/opensslrsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/opensslrsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -220,8 +220,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } evp_md_ctx = EVP_MD_CTX_create(); 
@@ -241,8 +240,7 @@ type = EVP_sha512(); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) { @@ -483,8 +481,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (rsa == NULL || e == NULL || cb == NULL) { 
@@ -1182,16 +1179,201 @@ NULL, /*%< restore */ }; +/* + * An RSA public key with 2048 bits + */ +static const unsigned char e_bytes[] = "\x01\x00\x01"; +static const unsigned char n_bytes[] = + "\xc3\x90\x07\xbe\xf1\x85\xfc\x1a\x43\xb1\xa5\x15\xce\x71\x34\xfc\xc1" + "\x87\x27\x28\x38\xa4\xcf\x7c\x1a\x82\xa8\xdc\x04\x14\xd0\x3f\xb4\xfe" + "\x20\x4a\xdd\xd9\x0d\xd7\xcd\x61\x8c\xbd\x61\xa8\x10\xb5\x63\x1c\x29" + "\x15\xcb\x41\xee\x43\x91\x7f\xeb\xa5\x2c\xab\x81\x75\x0d\xa3\x3d\xe4" + "\xc8\x49\xb9\xca\x5a\x55\xa1\xbb\x09\xd1\xfb\xcd\xa2\xd2\x12\xa4\x85" + "\xdf\xa5\x65\xc9\x27\x2d\x8b\xd7\x8b\xfe\x6d\xc4\xd1\xd9\x83\x1c\x91" + "\x7d\x3d\xd0\xa4\xcd\xe1\xe7\xb9\x7a\x11\x38\xf9\x8b\x3c\xec\x30\xb6" + "\x36\xb9\x92\x64\x81\x56\x3c\xbc\xf9\x49\xfb\xba\x82\xb7\xa0\xfa\x65" + "\x79\x83\xb9\x4c\xa7\xfd\x53\x0b\x5a\xe4\xde\xf9\xfc\x38\x7e\xb5\x2c" + "\xa0\xc3\xb2\xfc\x7c\x38\xb0\x63\x50\xaf\x00\xaa\xb2\xad\x49\x54\x1e" + "\x8b\x11\x88\x9b\x6e\xae\x3b\x23\xa3\xdd\x53\x51\x80\x7a\x0b\x91\x4e" + "\x6d\x32\x01\xbd\x17\x81\x12\x64\x9f\x84\xae\x76\x53\x1a\x63\xa0\xda" + "\xcc\x45\x04\x72\xb0\xa7\xfb\xfa\x02\x39\x53\xc1\x83\x1f\x88\x54\x47" + "\x88\x63\x20\x71\x5d\xe2\xaa\x7c\x53\x39\x5e\x35\x25\xee\xe6\x5c\x15" + "\x5e\x14\xbe\x99\xde\x25\x19\xe7\x13\xdb\xce\xa3\xd3\x6c\x5c\xbb\x0e" + "\x6b"; + +static const unsigned char sha1_sig[] = + "\x69\x99\x89\x28\xe0\x38\x34\x91\x29\xb6\xac\x4b\xe9\x51\xbd\xbe\xc8" + "\x1a\x2d\xb6\xca\x99\xa3\x9f\x6a\x8b\x94\x5a\x51\x37\xd5\x8d\xae\x87" + "\xed\xbc\x8e\xb8\xa3\x60\x6b\xf6\xe6\x72\xfc\x26\x2a\x39\x2b\xfe\x88" + "\x1a\xa9\xd1\x93\xc7\xb9\xf8\xb6\x45\xa1\xf9\xa1\x56\x78\x7b\x00\xec" + "\x33\x83\xd4\x93\x25\x48\xb3\x50\x09\xd0\xbc\x7f\xac\x67\xc7\xa2\x7f" + "\xfc\xf6\x5a\xef\xf8\x5a\xad\x52\x74\xf5\x71\x34\xd9\x3d\x33\x8b\x4d" + "\x99\x64\x7e\x14\x59\xbe\xdf\x26\x8a\x67\x96\x6c\x1f\x79\x85\x10\x0d" + "\x7f\xd6\xa4\xba\x57\x41\x03\x71\x4e\x8c\x17\xd5\xc4\xfb\x4a\xbe\x66" + "\x45\x15\x45\x0c\x02\xe0\x10\xe1\xbb\x33\x8d\x90\x34\x3c\x94\xa4\x4c" + 
"\x7c\xd0\x5e\x90\x76\x80\x59\xb2\xfa\x54\xbf\xa9\x86\xb8\x84\x1e\x28" + "\x48\x60\x2f\x9e\xa4\xbc\xd4\x9c\x20\x27\x16\xac\x33\xcb\xcf\xab\x93" + "\x7a\x3b\x74\xa0\x18\x92\xa1\x4f\xfc\x52\x19\xee\x7a\x13\x73\xba\x36" + "\xaf\x78\x5d\xb6\x1f\x96\x76\x15\x73\xee\x04\xa8\x70\x27\xf7\xe7\xfa" + "\xe8\xf6\xc8\x5f\x4a\x81\x56\x0a\x94\xf3\xc6\x98\xd2\x93\xc4\x0b\x49" + "\x6b\x44\xd3\x73\xa2\xe3\xef\x5d\x9e\x68\xac\xa7\x42\xb1\xbb\x65\xbe" + "\x59"; + +static const unsigned char sha256_sig[] = + "\x0f\x8c\xdb\xe6\xb6\x21\xc8\xc5\x28\x76\x7d\xf6\xf2\x3b\x78\x47\x77" + "\x03\x34\xc5\x5e\xc0\xda\x42\x41\xc0\x0f\x97\xd3\xd0\x53\xa1\xd6\x87" + "\xe4\x16\x29\x9a\xa5\x59\xf4\x01\xad\xc9\x04\xe7\x61\xe2\xcb\x79\x73" + "\xce\xe0\xa6\x85\xe5\x10\x8c\x4b\xc5\x68\x3b\x96\x42\x3f\x56\xb3\x6d" + "\x89\xc4\xff\x72\x36\xf2\x3f\xed\xe9\xb8\xe3\xae\xab\x3c\xb7\xaa\xf7" + "\x1f\x8f\x26\x6b\xee\xc1\xac\x72\x89\x23\x8b\x7a\xd7\x8c\x84\xf3\xf5" + "\x97\xa8\x8d\xd3\xef\xb2\x5e\x06\x04\x21\xdd\x28\xa2\x28\x83\x68\x9b" + "\xac\x34\xdd\x36\x33\xda\xdd\xa4\x59\xc7\x5a\x4d\xf3\x83\x06\xd5\xc0" + "\x0d\x1f\x4f\x47\x2f\x9f\xcc\xc2\x0d\x21\x1e\x82\xb9\x3d\xf3\xa4\x1a" + "\xa6\xd8\x0e\x72\x1d\x71\x17\x1c\x54\xad\x37\x3e\xa4\x0e\x70\x86\x53" + "\xfb\x40\xad\xb9\x14\xf8\x8d\x93\xbb\xd7\xe7\x31\xce\xe0\x98\xda\x27" + "\x1c\x18\x8e\xd8\x85\xcb\xa7\xb1\x18\xac\x8c\xa8\x9d\xa9\xe2\xf6\x30" + "\x95\xa4\x81\xf4\x1c\xa0\x31\xd5\xc7\x9d\x28\x33\xee\x7f\x08\x4f\xcb" + "\xd1\x14\x17\xdf\xd0\x88\x78\x47\x29\xaf\x6c\xb2\x62\xa6\x30\x87\x29" + "\xaa\x80\x19\x7d\x2f\x05\xe3\x7e\x23\x73\x88\x08\xcc\xbd\x50\x46\x09" + "\x2a"; + +static const unsigned char sha512_sig[] = + "\x15\xda\x87\x87\x1f\x76\x08\xd3\x9d\x3a\xb9\xd2\x6a\x0e\x3b\x7d\xdd" + "\xec\x7d\xc4\x6d\x26\xf5\x04\xd3\x76\xc7\x83\xc4\x81\x69\x35\xe9\x47" + "\xbf\x49\xd1\xc0\xf9\x01\x4e\x0a\x34\x5b\xd0\xec\x6e\xe2\x2e\xe9\x2d" + "\x00\xfd\xe0\xa0\x28\x54\x53\x19\x49\x6d\xd2\x58\xb9\x47\xfa\x45\xad" + 
"\xd2\x1d\x52\xac\x80\xcb\xfc\x91\x97\x84\x58\x5f\xab\x21\x62\x60\x79" + "\xb8\x8a\x83\xe1\xf1\xcb\x05\x4c\x92\x56\x62\xd9\xbf\xa7\x81\x34\x23" + "\xdf\xd7\xa7\xc4\xdf\xde\x96\x00\x57\x4b\x78\x85\xb9\x3b\xdd\x3f\x98" + "\x88\x59\x1d\x48\xcf\x5a\xa8\xb7\x2a\x8b\x77\x93\x8e\x38\x3a\x0c\xa7" + "\x8a\x5f\xe6\x9f\xcb\xf0\x9a\x6b\xb6\x91\x04\x8b\x69\x6a\x37\xee\xa2" + "\xad\x5f\x31\x20\x96\xd6\x51\x80\xbf\x62\x48\xb8\xe4\x94\x10\x86\x4e" + "\xf2\x22\x1e\xa4\xd5\x54\xfe\xe1\x35\x49\xaf\xf8\x62\xfc\x11\xeb\xf7" + "\x3d\xd5\x5e\xaf\x11\xbd\x3d\xa9\x3a\x9f\x7f\xe8\xb4\x0d\xa2\xbb\x1c" + "\xbd\x4c\xed\x9e\x81\xb1\xec\xd3\xea\xaa\x03\xe3\x14\xdf\x8c\xb3\x78" + "\x85\x5e\x87\xad\xec\x41\x1a\xa9\x4f\xd2\xe6\xc6\xbe\xfa\xb8\x10\xea" + "\x74\x25\x36\x0c\x23\xe2\x24\xb7\x21\xb7\x0d\xaf\xf6\xb4\x31\xf5\x75" + "\xf1"; + +static isc_result_t +check_algorithm(unsigned char algorithm) { + BIGNUM *n = NULL, *e = NULL; + EVP_MD_CTX *evp_md_ctx = EVP_MD_CTX_create(); + EVP_PKEY *pkey = NULL; + const EVP_MD *type = NULL; + const unsigned char *sig = NULL; + int status; + isc_result_t ret = ISC_R_SUCCESS; + size_t len; + RSA *rsa = NULL; + + if (evp_md_ctx == NULL) { + DST_RET(ISC_R_NOMEMORY); + } + + switch (algorithm) { + case DST_ALG_RSASHA1: + case DST_ALG_NSEC3RSASHA1: + type = EVP_sha1(); /* SHA1 + RSA */ + sig = sha1_sig; + len = sizeof(sha1_sig) - 1; + break; + case DST_ALG_RSASHA256: + type = EVP_sha256(); /* SHA256 + RSA */ + sig = sha256_sig; + len = sizeof(sha256_sig) - 1; + break; + case DST_ALG_RSASHA512: + type = EVP_sha512(); + sig = sha512_sig; + len = sizeof(sha512_sig) - 1; + break; + default: + DST_RET(ISC_R_NOTIMPLEMENTED); + } + + if (type == NULL) { + DST_RET(ISC_R_NOTIMPLEMENTED); + } + + /* + * Construct pkey. 
+ */ + e = BN_bin2bn(e_bytes, sizeof(e_bytes) - 1, NULL); + n = BN_bin2bn(n_bytes, sizeof(n_bytes) - 1, NULL); + if (e == NULL || n == NULL) { + DST_RET(ISC_R_NOMEMORY); + } + + rsa = RSA_new(); + if (rsa == NULL) { + DST_RET(dst__openssl_toresult2("RSA_new", + DST_R_OPENSSLFAILURE)); + } + status = RSA_set0_key(rsa, n, e, NULL); + if (status != 1) { + DST_RET(dst__openssl_toresult2("RSA_set0_key", + DST_R_OPENSSLFAILURE)); + } + + /* These are now managed by OpenSSL. */ + n = NULL; + e = NULL; + + pkey = EVP_PKEY_new(); + if (pkey == NULL) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_new", + DST_R_OPENSSLFAILURE)); + } + status = EVP_PKEY_set1_RSA(pkey, rsa); + if (status != 1) { + DST_RET(dst__openssl_toresult2("EVP_PKEY_set1_RSA", + DST_R_OPENSSLFAILURE)); + } + + /* + * Check that we can verify the signature. + */ + if (EVP_DigestInit_ex(evp_md_ctx, type, NULL) != 1 || + EVP_DigestUpdate(evp_md_ctx, "test", 4) != 1 || + EVP_VerifyFinal(evp_md_ctx, sig, len, pkey) != 1) + { + DST_RET(ISC_R_NOTIMPLEMENTED); + } + +err: + BN_free(e); + BN_free(n); + if (rsa != NULL) { + RSA_free(rsa); + } + if (pkey != NULL) { + EVP_PKEY_free(pkey); + } + if (evp_md_ctx != NULL) { + EVP_MD_CTX_destroy(evp_md_ctx); + } + ERR_clear_error(); + return (ret); +} + isc_result_t dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { + isc_result_t result; + REQUIRE(funcp != NULL); - UNUSED(algorithm); + result = check_algorithm(algorithm); - if (*funcp == NULL) { - *funcp = &opensslrsa_functions; + if (result == ISC_R_SUCCESS) { + if (*funcp == NULL) { + *funcp = &opensslrsa_functions; + } + } else if (result == ISC_R_NOTIMPLEMENTED) { + result = ISC_R_SUCCESS; } - return (ISC_R_SUCCESS); + + return (result); } #endif /* !USE_PKCS11 */ diff -Nru bind9-9.16.27/lib/dns/order.c bind9-9.16.33/lib/dns/order.c --- bind9-9.16.27/lib/dns/order.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/order.c 2022-09-08 13:01:23.000000000 +0000 
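Review bot: `check_algorithm()` reports every failure of the probe as ISC_R_NOTIMPLEMENTED, so an unsupported digest, a rejected signature and an internal error from `EVP_VerifyFinal()` are indistinguishable behind the same `!= 1` test. `dst__opensslrsa_init()` then maps that result to ISC_R_SUCCESS with `*funcp` left unset, and `ERR_clear_error()` discards the reason. An RSA algorithm can therefore be switched off, for instance by a library policy that refuses SHA-1 signatures, without any trace unless a caller outside this hunk logs it. A log line naming the algorithm where `result == ISC_R_NOTIMPLEMENTED` is converted would help operators diagnose zones that stop validating. The function and the vectors also lack a header comment: I would document that `sha1_sig`, `sha256_sig` and `sha512_sig` are expected to be signatures over the 4-byte message `"test"` made with the key in `n_bytes`/`e_bytes`, and that `sizeof(...) - 1` drops the string literal's terminating NUL.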
@@ -90,7 +90,7 @@ return (ISC_R_SUCCESS); } -static inline bool +static bool match(const dns_name_t *name1, const dns_name_t *name2) { if (dns_name_iswildcard(name2)) { return (dns_name_matcheswildcard(name1, name2)); diff -Nru bind9-9.16.27/lib/dns/peer.c bind9-9.16.33/lib/dns/peer.c --- bind9-9.16.27/lib/dns/peer.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/peer.c 2022-09-08 13:01:23.000000000 +0000 @@ -200,8 +200,7 @@ prefixlen = 128; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (dns_peer_newprefix(mem, addr, prefixlen, peerptr)); diff -Nru bind9-9.16.27/lib/dns/pkcs11ecdsa_link.c bind9-9.16.33/lib/dns/pkcs11ecdsa_link.c --- bind9-9.16.27/lib/dns/pkcs11ecdsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/pkcs11ecdsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -191,8 +191,7 @@ dgstlen = ISC_SHA384_DIGESTLENGTH; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -211,6 +210,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_EC_PARAMS: INSIST(keyTemplate[5].type == attr->type); @@ -229,6 +229,7 @@ keyTemplate[6].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, @@ -309,8 +310,7 @@ dgstlen = ISC_SHA384_DIGESTLENGTH; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -318,6 +318,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_EC_PARAMS: INSIST(keyTemplate[5].type == attr->type); @@ -336,6 +337,7 @@ keyTemplate[6].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, 
@@ -449,8 +451,7 @@ attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \ break; \ default: \ - INSIST(0); \ - ISC_UNREACHABLE(); \ + UNREACHABLE(); \ } #define FREECURVE() \ @@ -559,8 +560,7 @@ key->key_size = DNS_KEY_ECDSA384SIZE * 4; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -605,6 +605,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_LABEL: case CKA_ID: @@ -614,6 +615,7 @@ FREECURVE(); break; } + } if (ec->repr != NULL) { memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); @@ -640,8 +642,7 @@ len = DNS_KEY_ECDSA384SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ec = key->keydata.pkey; @@ -682,8 +683,7 @@ len = DNS_KEY_ECDSA384SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -978,8 +978,7 @@ key->key_size = DNS_KEY_ECDSA384SIZE * 4; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -1100,8 +1099,7 @@ key->key_size = DNS_KEY_ECDSA384SIZE * 4; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } pk11_return_session(pk11_ctx); diff -Nru bind9-9.16.27/lib/dns/pkcs11eddsa_link.c bind9-9.16.33/lib/dns/pkcs11eddsa_link.c --- bind9-9.16.27/lib/dns/pkcs11eddsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/pkcs11eddsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -150,8 +150,7 @@ siglen = DNS_SIG_ED448SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); @@ -180,6 +179,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_EC_PARAMS: INSIST(keyTemplate[5].type == attr->type); 
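Review bot: In pkcs11ecdsa_link.c, the context after the brace added at -614 clears `ec->repr` with a plain `memset(ec->repr, 0, ec->attrcnt * sizeof(*attr))` immediately before `isc_mem_put()`, and a compiler is allowed to drop a store to memory that is about to be released. The matching hunk in pkcs11eddsa_link.c (at -586) has the identical line, while the RSA counterpart in pkcs11rsa_link.c (at -1278) already uses `isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));`. If the clearing is meant as a wipe, both EC files should use `isc_safe_memwipe(ec->repr, ec->attrcnt * sizeof(*attr));` for consistency. The enclosing function starts outside the hunk, so what `repr` holds at this point should be confirmed there.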
@@ -198,6 +198,7 @@ keyTemplate[6].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, @@ -289,6 +290,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_EC_PARAMS: INSIST(keyTemplate[5].type == attr->type); @@ -307,6 +309,7 @@ keyTemplate[6].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, @@ -421,8 +424,7 @@ attr->ulValueLen = sizeof(PK11_ECX_ED448); \ break; \ default: \ - INSIST(0); \ - ISC_UNREACHABLE(); \ + UNREACHABLE(); \ } #define FREECURVE() \ @@ -531,8 +533,7 @@ key->key_size = DNS_KEY_ED448SIZE * 8; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -577,6 +578,7 @@ for (attr = pk11_attribute_first(ec); attr != NULL; attr = pk11_attribute_next(ec, attr)) + { switch (attr->type) { case CKA_LABEL: case CKA_ID: @@ -586,6 +588,7 @@ FREECURVE(); break; } + } if (ec->repr != NULL) { memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); @@ -612,8 +615,7 @@ len = DNS_KEY_ED448SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ec = key->keydata.pkey; @@ -653,8 +655,7 @@ len = DNS_KEY_ED448SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -948,8 +949,7 @@ key->key_size = DNS_KEY_ED448SIZE * 8; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); 
@@ -1070,8 +1070,7 @@ key->key_size = DNS_KEY_ED448SIZE * 8; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } pk11_return_session(pk11_ctx); diff -Nru bind9-9.16.27/lib/dns/pkcs11rsa_link.c bind9-9.16.33/lib/dns/pkcs11rsa_link.c --- bind9-9.16.27/lib/dns/pkcs11rsa_link.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/pkcs11rsa_link.c 2022-09-08 13:01:23.000000000 +0000 @@ -113,8 +113,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } rsa = key->keydata.pkey; @@ -140,6 +139,7 @@ for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { switch (attr->type) { case CKA_MODULUS: INSIST(keyTemplate[6].type == attr->type); @@ -206,6 +206,7 @@ keyTemplate[13].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, @@ -227,8 +228,7 @@ mech.mechanism = CKM_SHA512_RSA_PKCS; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } PK11_RET(pkcs_C_SignInit, (pk11_ctx->session, &mech, pk11_ctx->object), @@ -324,8 +324,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } rsa = key->keydata.pkey; @@ -386,8 +385,7 @@ mech.mechanism = CKM_SHA512_RSA_PKCS; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } PK11_RET(pkcs_C_VerifyInit, @@ -586,8 +584,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } switch (key->key_alg) { @@ -602,8 +599,7 @@ mech.mechanism = CKM_SHA512; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); @@ -730,8 +726,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } switch (key->key_alg) { @@ -752,8 +747,7 @@ hashlen = ISC_SHA512_DIGESTLENGTH; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dgstlen = derlen + hashlen; INSIST(dgstlen <= sizeof(digest)); 
@@ -776,6 +770,7 @@ for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { switch (attr->type) { case CKA_MODULUS: INSIST(keyTemplate[6].type == attr->type); @@ -842,6 +837,7 @@ keyTemplate[13].ulValueLen = attr->ulValueLen; break; } + } pk11_ctx->object = CK_INVALID_HANDLE; pk11_ctx->ontoken = false; PK11_RET(pkcs_C_CreateObject, @@ -944,8 +940,7 @@ hashlen = ISC_SHA512_DIGESTLENGTH; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dgstlen = derlen + hashlen; INSIST(dgstlen <= sizeof(digest)); @@ -1142,8 +1137,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); @@ -1259,6 +1253,7 @@ for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { switch (attr->type) { case CKA_LABEL: case CKA_ID: @@ -1278,6 +1273,7 @@ } break; } + } if (rsa->repr != NULL) { isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr)); isc_mem_put(key->mctx, rsa->repr, rsa->attrcnt * sizeof(*attr)); @@ -1301,6 +1297,7 @@ for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { switch (attr->type) { case CKA_PUBLIC_EXPONENT: exponent = (CK_BYTE *)attr->pValue; @@ -1311,6 +1308,7 @@ mod_bytes = (unsigned int)attr->ulValueLen; break; } + } REQUIRE((exponent != NULL) && (modulus != NULL)); isc_buffer_availableregion(data, &r); @@ -1440,6 +1438,7 @@ for (attr = pk11_attribute_first(rsa); attr != NULL; attr = pk11_attribute_next(rsa, attr)) + { switch (attr->type) { case CKA_MODULUS: modulus = attr; @@ -1466,6 +1465,7 @@ iqmp = attr; break; } + } if ((modulus == NULL) || (exponent == NULL)) { return (DST_R_NULLKEY); } diff -Nru bind9-9.16.27/lib/dns/private.c bind9-9.16.33/lib/dns/private.c --- bind9-9.16.27/lib/dns/private.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/private.c 2022-09-08 13:01:23.000000000 +0000 
@@ -383,7 +383,8 @@ } else if (private->length == 5) { unsigned char alg = private->data[0]; dns_keytag_t keyid = (private->data[2] | private->data[1] << 8); - char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE]; + char keybuf[DNS_SECALG_FORMATSIZE + BUFSIZ], + algbuf[DNS_SECALG_FORMATSIZE]; bool del = private->data[3]; bool complete = private->data[4]; diff -Nru bind9-9.16.27/lib/dns/rbt.c bind9-9.16.33/lib/dns/rbt.c --- bind9-9.16.27/lib/dns/rbt.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rbt.c 2022-09-08 13:01:23.000000000 +0000 @@ -76,7 +76,7 @@ #define HASHSIZE(bits) (UINT64_C(1) << (bits)) -static inline uint32_t +static uint32_t hash_32(uint32_t val, unsigned int bits) { REQUIRE(bits <= RBT_HASH_MAX_BITS); /* High bits are more random. */ @@ -173,7 +173,7 @@ * without having to use an if statement to check to see if that address is * relative or not */ -static inline dns_rbtnode_t * +static dns_rbtnode_t * getparent(dns_rbtnode_t *node, file_header_t *header) { char *adjusted_address = (char *)(node->parent); adjusted_address += node->parent_is_relative * (uintptr_t)header; @@ -181,7 +181,7 @@ return ((dns_rbtnode_t *)adjusted_address); } -static inline dns_rbtnode_t * +static dns_rbtnode_t * getleft(dns_rbtnode_t *node, file_header_t *header) { char *adjusted_address = (char *)(node->left); adjusted_address += node->left_is_relative * (uintptr_t)header; @@ -189,7 +189,7 @@ return ((dns_rbtnode_t *)adjusted_address); } -static inline dns_rbtnode_t * +static dns_rbtnode_t * getright(dns_rbtnode_t *node, file_header_t *header) { char *adjusted_address = (char *)(node->right); adjusted_address += node->right_is_relative * (uintptr_t)header; @@ -197,7 +197,7 @@ return ((dns_rbtnode_t *)adjusted_address); } -static inline dns_rbtnode_t * +static dns_rbtnode_t * getdown(dns_rbtnode_t *node, file_header_t *header) { char *adjusted_address = (char *)(node->down); adjusted_address += node->down_is_relative * (uintptr_t)header; 
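Review bot: The new size `DNS_SECALG_FORMATSIZE + BUFSIZ` for `keybuf` in the private.c hunk carries no explanation, and the code that fills the buffer is outside the hunk. Presumably the extra bytes leave room for the formatted algorithm name from `algbuf` next to the message text; a comment such as `/* room for the algorithm name (algbuf) plus the message text */` above the declaration would keep a later edit from shrinking it again. It is also worth confirming that the write into `keybuf` is bounded by `sizeof(keybuf)` rather than by `BUFSIZ`, since the two now differ.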
@@ -205,7 +205,7 @@ return ((dns_rbtnode_t *)adjusted_address); } -static inline dns_rbtnode_t * +static dns_rbtnode_t * getdata(dns_rbtnode_t *node, file_header_t *header) { char *adjusted_address = (char *)(node->data); adjusted_address += node->data_is_relative * (uintptr_t)header; @@ -291,7 +291,7 @@ * path of the tree traversal code. */ -static inline void +static void NODENAME(dns_rbtnode_t *node, dns_name_t *name) { name->length = NAMELEN(node); name->labels = OFFSETLEN(node); @@ -348,7 +348,7 @@ * Upper node is the parent of the root of the passed node's * subtree. The passed node must not be NULL. */ -static inline dns_rbtnode_t * +static dns_rbtnode_t * get_upper_node(dns_rbtnode_t *node) { return (UPPERNODE(node)); } @@ -399,10 +399,10 @@ static isc_result_t inithash(dns_rbt_t *rbt); -static inline void +static void hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name); -static inline void +static void unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node); static uint32_t @@ -412,9 +412,9 @@ static void maybe_rehash(dns_rbt_t *rbt, size_t size); -static inline void +static void rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp); -static inline void +static void rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp); static void @@ -1110,7 +1110,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t chain_name(dns_rbtnodechain_t *chain, dns_name_t *name, bool include_chain_end) { dns_name_t nodename; @@ -1137,7 +1137,7 @@ return (result); } -static inline isc_result_t +static isc_result_t move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) { do { /* @@ -2325,7 +2325,7 @@ /* * Add a node to the hash table */ -static inline void +static void hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name) { uint32_t hash; 
@@ -2414,7 +2414,7 @@ * Add a node to the hash table. Rehash the hashtable if the node count * rises above a critical level. */ -static inline void +static void hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, const dns_name_t *name) { REQUIRE(DNS_RBTNODE_VALID(node)); @@ -2428,7 +2428,7 @@ /* * Remove a node from the hash table */ -static inline void +static void unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) { uint32_t bucket; dns_rbtnode_t *bucket_node; @@ -2449,7 +2449,7 @@ } } -static inline void +static void rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) { dns_rbtnode_t *child; @@ -2482,7 +2482,7 @@ PARENT(node) = child; } -static inline void +static void rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) { dns_rbtnode_t *child; diff -Nru bind9-9.16.27/lib/dns/rbtdb.c bind9-9.16.33/lib/dns/rbtdb.c --- bind9-9.16.27/lib/dns/rbtdb.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rbtdb.c 2022-09-08 13:01:23.000000000 +0000 @@ -13,8 +13,6 @@ /*! \file */ -/* #define inline */ - #include #include #include @@ -358,7 +356,7 @@ #define GOLDEN_RATIO_32 0x61C88647 #define HASHSIZE(bits) (UINT64_C(1) << (bits)) -static inline uint32_t +static uint32_t hash_32(uint32_t val, unsigned int bits) { REQUIRE(bits <= RBTDB_GLUE_TABLE_MAX_BITS); /* High bits are more random. */ @@ -593,7 +591,7 @@ static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name, dns_rdataset_t *neg, dns_rdataset_t *negsig); -static inline bool +static bool need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now); static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now); @@ -603,7 +601,7 @@ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t now, bool tree_locked); -static isc_result_t +static void resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader); static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, 
@@ -770,7 +768,7 @@ * that indicates that the database does not implement cyclic * processing. */ -static atomic_uint_fast32_t init_count = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t init_count = 0; /* * Locking @@ -894,7 +892,8 @@ dns_rdatastatstype_t base = 0; dns_rdatastatstype_t type; rdatasetheader_t *header = &(rdatasetheader_t){ - .type = htype, .attributes = ATOMIC_VAR_INIT(hattributes) + .type = htype, + .attributes = hattributes, }; if (!do_stats(header)) { @@ -1233,7 +1232,7 @@ isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb)); } -static inline void +static void maybe_free_rbtdb(dns_rbtdb_t *rbtdb) { bool want_free = false; unsigned int i; @@ -1320,7 +1319,7 @@ *versionp = (dns_dbversion_t *)version; } -static inline rbtdb_version_t * +static rbtdb_version_t * allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial, unsigned int references, bool writer) { rbtdb_version_t *version; @@ -1437,7 +1436,7 @@ return (changed); } -static inline void +static void free_noqname(isc_mem_t *mctx, struct noqname **noqname) { if (dns_name_dynamic(&(*noqname)->name)) { dns_name_free(&(*noqname)->name, mctx); @@ -1454,7 +1453,7 @@ *noqname = NULL; } -static inline void +static void init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) { ISC_LINK_INIT(h, link); h->heap_index = 0; @@ -1464,11 +1463,9 @@ atomic_init(&h->attributes, 0); atomic_init(&h->last_refresh_fail_ts, 0); -#ifndef ISC_MUTEX_ATOMICS STATIC_ASSERT((sizeof(h->attributes) == 2), "The .attributes field of rdatasetheader_t needs to be " "16-bit int type exactly."); -#endif /* !ISC_MUTEX_ATOMICS */ #if TRACE_HEADER if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) { @@ -1505,7 +1502,7 @@ } } -static inline rdatasetheader_t * +static rdatasetheader_t * new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx) { rdatasetheader_t *h; 
@@ -1522,7 +1519,7 @@ return (h); } -static inline void +static void free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset) { unsigned int size; int idx; @@ -1562,7 +1559,7 @@ isc_mem_put(mctx, rdataset, size); } -static inline void +static void rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) { rdatasetheader_t *header, *dcurrent; bool make_dirty = false; @@ -1595,7 +1592,7 @@ } } -static inline void +static void mark_header_ancient(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) { uint_least16_t attributes = atomic_load_acquire(&header->attributes); uint_least16_t newattributes = 0; @@ -1624,7 +1621,7 @@ update_rrsetstats(rbtdb, header->type, newattributes, true); } -static inline void +static void mark_header_stale(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) { uint_least16_t attributes = atomic_load_acquire(&header->attributes); uint_least16_t newattributes = 0; @@ -1653,7 +1650,7 @@ update_rrsetstats(rbtdb, header->type, newattributes, true); } -static inline void +static void clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *top) { rdatasetheader_t *d, *down_next; @@ -1665,7 +1662,7 @@ top->down = NULL; } -static inline void +static void clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) { rdatasetheader_t *current, *top_prev, *top_next; isc_mem_t *mctx = rbtdb->common.mctx; @@ -1698,7 +1695,7 @@ node->dirty = 0; } -static inline void +static void clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rbtdb_serial_t least_serial) { rdatasetheader_t *current, *dcurrent, *down_next, *dparent; @@ -1912,7 +1909,7 @@ /* * Caller must be holding the node lock. */ -static inline void +static void new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_t locktype) { if (locktype == isc_rwlocktype_write && ISC_LINK_LINKED(node, deadlink)) 
@@ -1930,13 +1927,13 @@ /*% * The tree lock must be held for the result to be valid. */ -static inline bool +static bool is_leaf(dns_rbtnode_t *node) { return (node->parent != NULL && node->parent->down == node && node->left == NULL && node->right == NULL); } -static inline void +static void send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_t locktype) { isc_event_t *ev; @@ -2011,7 +2008,7 @@ * few cases where the node can be in the deadnode list (only empty nodes can * have been added to the list). */ -static inline void +static void reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, isc_rwlocktype_t treelocktype) { isc_rwlocktype_t locktype = isc_rwlocktype_read; @@ -2283,7 +2280,7 @@ detach((dns_db_t **)&rbtdb); } -static inline void +static void make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) { /* @@ -2295,7 +2292,7 @@ ISC_LIST_INIT(version->changed_list); } -static inline void +static void cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) { rbtdb_changed_t *changed, *next_changed; @@ -2693,17 +2690,7 @@ lock = &rbtdb->node_locks[header->node->locknum].lock; NODE_LOCK(lock, isc_rwlocktype_write); if (rollback && !IGNORE(header)) { - isc_result_t result; - result = resign_insert(rbtdb, header->node->locknum, - header); - if (result != ISC_R_SUCCESS) { - isc_log_write(dns_lctx, - DNS_LOGCATEGORY_DATABASE, - DNS_LOGMODULE_ZONE, ISC_LOG_ERROR, - "Unable to reinsert header to " - "re-signing heap: %s", - dns_result_totext(result)); - } + resign_insert(rbtdb, header->node->locknum, header); } decrement_reference(rbtdb, header->node, least_serial, isc_rwlocktype_write, isc_rwlocktype_none, @@ -3087,7 +3074,7 @@ return (result); } -static inline void +static void bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rdatasetheader_t *header, isc_stdtime_t now, isc_rwlocktype_t locktype, dns_rdataset_t *rdataset) { 
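Review bot: The rollback path in the `@@ -2693,17 +2690,7 @@` hunk now calls `resign_insert(rbtdb, header->node->locknum, header);` with no result check and no log line, which is safe only if `isc_heap_insert()` can no longer fail; its new prototype is not visible in this part of the diff. The same assumption is made where `resign_insert()` becomes `void` (`@@ -6076,16 +6063,13 @@`), in the add paths (`@@ -6508,20 +6492,9 @@` through `@@ -6630,12 +6587,7 @@` and `@@ -7162,13 +7114,8 @@`), in `rbt_datafixer` and in `setsigningtime`. If the heap functions still returned `isc_result_t`, a failed insert would silently leave a header out of the re-signing or TTL heap. Once verified, a comment on `resign_insert` such as `/* isc_heap_insert() does not return a result; allocation failure is fatal there */` would document the contract.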
@@ -3208,7 +3195,7 @@ } } -static inline isc_result_t +static isc_result_t setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { @@ -3264,7 +3251,7 @@ return (DNS_R_DELEGATION); } -static inline bool +static bool valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type, dns_rbtnode_t *node) { unsigned char *raw; /* RDATASLAB */ @@ -3320,7 +3307,7 @@ return (valid); } -static inline bool +static bool activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain, const dns_name_t *name) { dns_fixedname_t fnext; @@ -3373,7 +3360,7 @@ return (answer); } -static inline bool +static bool activeemptynode(rbtdb_search_t *search, const dns_name_t *qname, dns_name_t *wname) { dns_fixedname_t fnext; @@ -3493,7 +3480,7 @@ return (answer); } -static inline isc_result_t +static isc_result_t find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep, const dns_name_t *qname) { unsigned int i, j; @@ -3693,7 +3680,7 @@ /* * Find node of the NSEC/NSEC3 record that is 'name'. */ -static inline isc_result_t +static isc_result_t previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search, dns_name_t *name, dns_name_t *origin, dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain, @@ -3809,7 +3796,7 @@ * search chain. For NSEC3 records only NSEC3 records that match the * current NSEC3PARAM record are considered. */ -static inline isc_result_t +static isc_result_t find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_rbt_t *tree, @@ -4551,7 +4538,7 @@ FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!"); - /* NOTREACHED */ + UNREACHABLE(); return (ISC_R_NOTIMPLEMENTED); } 
@@ -4734,7 +4721,7 @@ return (result); } -static inline isc_result_t +static isc_result_t find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node, dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { @@ -6076,16 +6063,13 @@ return (false); } -static isc_result_t +static void resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) { - isc_result_t result; - INSIST(!IS_CACHE(rbtdb)); INSIST(newheader->heap_index == 0); INSIST(!ISC_LINK_LINKED(newheader, link)); - result = isc_heap_insert(rbtdb->heaps[idx], newheader); - return (result); + isc_heap_insert(rbtdb->heaps[idx], newheader); } /* @@ -6109,7 +6093,7 @@ } } -static inline uint64_t +static uint64_t recordsize(rdatasetheader_t *header, unsigned int namelen) { return (dns_rdataslab_rdatasize((unsigned char *)header, sizeof(*header)) + @@ -6508,20 +6492,9 @@ newheader, link); } INSIST(rbtdb->heaps != NULL); - result = isc_heap_insert(rbtdb->heaps[idx], - newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + isc_heap_insert(rbtdb->heaps[idx], newheader); } else if (RESIGN(newheader)) { - result = resign_insert(rbtdb, idx, newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + resign_insert(rbtdb, idx, newheader); /* * Don't call resign_delete as we don't need * to reverse the delete. The free_rdataset @@ -6551,13 +6524,7 @@ idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { INSIST(rbtdb->heaps != NULL); - result = isc_heap_insert(rbtdb->heaps[idx], - newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + isc_heap_insert(rbtdb->heaps[idx], newheader); if (ZEROTTL(newheader)) { ISC_LIST_APPEND(rbtdb->rdatasets[idx], newheader, link); 
@@ -6566,12 +6533,7 @@ newheader, link); } } else if (RESIGN(newheader)) { - result = resign_insert(rbtdb, idx, newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + resign_insert(rbtdb, idx, newheader); resign_delete(rbtdb, rbtversion, header); } if (topheader_prev != NULL) { @@ -6616,12 +6578,7 @@ idx = newheader->node->locknum; if (IS_CACHE(rbtdb)) { - result = isc_heap_insert(rbtdb->heaps[idx], newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + isc_heap_insert(rbtdb->heaps[idx], newheader); if (ZEROTTL(newheader)) { ISC_LIST_APPEND(rbtdb->rdatasets[idx], newheader, link); @@ -6630,12 +6587,7 @@ newheader, link); } } else if (RESIGN(newheader)) { - result = resign_insert(rbtdb, idx, newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - return (result); - } + resign_insert(rbtdb, idx, newheader); resign_delete(rbtdb, rbtversion, header); } @@ -6694,7 +6646,7 @@ return (ISC_R_SUCCESS); } -static inline bool +static bool delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, rbtdb_rdatatype_t type) { if (IS_CACHE(rbtdb)) { @@ -6712,7 +6664,7 @@ return (false); } -static inline isc_result_t +static isc_result_t addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, dns_rdataset_t *rdataset) { struct noqname *noqname; @@ -6757,7 +6709,7 @@ return (result); } -static inline isc_result_t +static isc_result_t addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, dns_rdataset_t *rdataset) { struct noqname *closest; 
@@ -7162,13 +7114,8 @@ RDATASET_ATTR_RESIGN); newheader->resign = header->resign; newheader->resign_lsb = header->resign_lsb; - result = resign_insert(rbtdb, rbtnode->locknum, - newheader); - if (result != ISC_R_SUCCESS) { - free_rdataset(rbtdb, rbtdb->common.mctx, - newheader); - goto unlock; - } + resign_insert(rbtdb, rbtnode->locknum, + newheader); } /* * We have to set the serial since the rdataslab @@ -7535,7 +7482,6 @@ static isc_result_t rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, void *arg, uint64_t *crc) { - isc_result_t result; dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)arg; rdatasetheader_t *header; unsigned char *limit = ((unsigned char *)base) + filesize; @@ -7556,17 +7502,11 @@ header->is_mmapped = 1; header->node = rbtnode; header->node_is_relative = 0; -#ifdef ISC_MUTEX_ATOMICS - atomic_init(&header->attributes, header->attributes.v); -#endif if (RESIGN(header) && (header->resign != 0 || header->resign_lsb != 0)) { int idx = header->node->locknum; - result = isc_heap_insert(rbtdb->heaps[idx], header); - if (result != ISC_R_SUCCESS) { - return (result); - } + isc_heap_insert(rbtdb->heaps[idx], header); } if (header->next != NULL) { @@ -8238,7 +8178,6 @@ static isc_result_t setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; - isc_result_t result = ISC_R_SUCCESS; rdatasetheader_t *header, oldheader; REQUIRE(VALID_RBTDB(rbtdb)); @@ -8277,11 +8216,11 @@ } } else if (resign != 0) { RDATASET_ATTR_SET(header, RDATASET_ATTR_RESIGN); - result = resign_insert(rbtdb, header->node->locknum, header); + resign_insert(rbtdb, header->node->locknum, header); } NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock, isc_rwlocktype_write); - return (result); + return (ISC_R_SUCCESS); } static isc_result_t 
@@ -8693,11 +8632,7 @@ } sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner; for (i = 0; i < (int)rbtdb->node_lock_count; i++) { - result = isc_heap_create(hmctx, sooner, set_index, 0, - &rbtdb->heaps[i]); - if (result != ISC_R_SUCCESS) { - goto cleanup_heaps; - } + isc_heap_create(hmctx, sooner, set_index, 0, &rbtdb->heaps[i]); } /* @@ -8852,26 +8787,6 @@ return (ISC_R_SUCCESS); -cleanup_heaps: - if (rbtdb->heaps != NULL) { - for (i = 0; i < (int)rbtdb->node_lock_count; i++) { - if (rbtdb->heaps[i] != NULL) { - isc_heap_destroy(&rbtdb->heaps[i]); - } - } - isc_mem_put(hmctx, rbtdb->heaps, - rbtdb->node_lock_count * sizeof(isc_heap_t *)); - } - - if (rbtdb->rdatasets != NULL) { - isc_mem_put(mctx, rbtdb->rdatasets, - rbtdb->node_lock_count * - sizeof(rdatasetheaderlist_t)); - } - if (rbtdb->rrsetstats != NULL) { - dns_stats_detach(&rbtdb->rrsetstats); - } - cleanup_node_locks: isc_mem_put(mctx, rbtdb->node_locks, rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t)); @@ -9187,15 +9102,10 @@ dns_rbtnode_t *rbtnode = rbtiterator->common.node; rbtdb_version_t *rbtversion = rbtiterator->common.version; rdatasetheader_t *header, *top_next; - rbtdb_serial_t serial; - isc_stdtime_t now; + rbtdb_serial_t serial = 1; - if (IS_CACHE(rbtdb)) { - serial = 1; - now = rbtiterator->common.now; - } else { + if (!IS_CACHE(rbtdb)) { serial = rbtversion->serial; - now = 0; } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, @@ -9207,19 +9117,9 @@ if (header->serial <= serial && !IGNORE(header)) { /* * Is this a "this rdataset doesn't exist" - * record? Or is it too old in the cache? - * - * Note: unlike everywhere else, we - * check for now > header->rdh_ttl instead - * of ">=". This allows ANY and RRSIG - * queries for 0 TTL rdatasets to work. - */ - if (NONEXISTENT(header) || - (now != 0 && - (now - RBTDB_VIRTUAL) > - header->rdh_ttl + - rbtdb->serve_stale_ttl)) - { + * record? + */ + if (NONEXISTENT(header)) { header = NULL; } break; 
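Review bot: The condition in the `@@ -9207,19 +9117,9 @@` hunk drops the cache-expiry test and keeps only `NONEXISTENT(header)`, so the rdataset iterator now yields headers whose TTL has passed; the `@@ -9292,17 +9187,8 @@` hunk does the same for the next-step function. Whether callers filter expired or stale rdatasets afterwards is not visible here, and without that filtering an answer built from the iterator or a cache dump could include data past its TTL. Assuming the shift of responsibility is intended, a comment at the new test such as `/* expired headers are returned too; callers must check the TTL */` would make it explicit. Both functions begin and end outside their hunks.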
@@ -9251,22 +9151,17 @@ dns_rbtnode_t *rbtnode = rbtiterator->common.node; rbtdb_version_t *rbtversion = rbtiterator->common.version; rdatasetheader_t *header, *top_next; - rbtdb_serial_t serial; - isc_stdtime_t now; rbtdb_rdatatype_t type, negtype; dns_rdatatype_t rdtype, covers; + rbtdb_serial_t serial = 1; header = rbtiterator->current; if (header == NULL) { return (ISC_R_NOMORE); } - if (IS_CACHE(rbtdb)) { - serial = 1; - now = rbtiterator->common.now; - } else { + if (!IS_CACHE(rbtdb)) { serial = rbtversion->serial; - now = 0; } NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, @@ -9292,17 +9187,8 @@ /* * Is this a "this rdataset doesn't * exist" record? - * - * Note: unlike everywhere else, we - * check for now > header->ttl instead - * of ">=". This allows ANY and RRSIG - * queries for 0 TTL rdatasets to work. */ - if (NONEXISTENT(header) || - (now != 0 && - (now - RBTDB_VIRTUAL) > - header->rdh_ttl)) - { + if (NONEXISTENT(header)) { header = NULL; } break; @@ -9352,7 +9238,7 @@ * Database Iterator Methods */ -static inline void +static void reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; dns_rbtnode_t *node = rbtdbiter->node; @@ -9365,7 +9251,7 @@ reactivate_node(rbtdb, node, rbtdbiter->tree_locked); } -static inline void +static void dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; dns_rbtnode_t *node = rbtdbiter->node; @@ -9434,7 +9320,7 @@ } } -static inline void +static void resume_iteration(rbtdb_dbiterator_t *rbtdbiter) { dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db; 
@@ -10480,7 +10366,7 @@ * * Caller must hold the node (read or write) lock. */ -static inline bool +static bool need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) { if (RDATASET_ATTR_GET(header, (RDATASET_ATTR_NONEXISTENT | RDATASET_ATTR_ANCIENT | diff -Nru bind9-9.16.27/lib/dns/rdata/any_255/tsig_250.c bind9-9.16.33/lib/dns/rdata/any_255/tsig_250.c --- bind9-9.16.27/lib/dns/rdata/any_255/tsig_250.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/any_255/tsig_250.c 2022-09-08 13:01:23.000000000 +0000 @@ -17,7 +17,7 @@ #define RRTYPE_TSIG_ATTRIBUTES \ (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION) -static inline isc_result_t +static isc_result_t fromtext_any_tsig(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -130,7 +130,7 @@ return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong)); } -static inline isc_result_t +static isc_result_t totext_any_tsig(ARGS_TOTEXT) { isc_region_t sr; isc_region_t sigr; @@ -251,7 +251,7 @@ } } -static inline isc_result_t +static isc_result_t fromwire_any_tsig(ARGS_FROMWIRE) { isc_region_t sr; dns_name_t name; @@ -320,7 +320,7 @@ return (mem_tobuffer(target, sr.base, n + 2)); } -static inline isc_result_t +static isc_result_t towire_any_tsig(ARGS_TOWIRE) { isc_region_t sr; dns_name_t name; @@ -339,7 +339,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_any_tsig(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -369,7 +369,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_any_tsig(ARGS_FROMSTRUCT) { dns_rdata_any_tsig_t *tsig = source; isc_region_t tr; @@ -441,7 +441,7 @@ return (mem_tobuffer(target, tsig->other, tsig->otherlen)); } -static inline isc_result_t +static isc_result_t tostruct_any_tsig(ARGS_TOSTRUCT) { dns_rdata_any_tsig_t *tsig; dns_name_t alg; 
@@ -541,7 +541,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_any_tsig(ARGS_FREESTRUCT) { dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *)source; @@ -563,7 +563,7 @@ tsig->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_any_tsig(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_tsig); REQUIRE(rdata->rdclass == dns_rdataclass_any); @@ -575,7 +575,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_any_tsig(ARGS_DIGEST) { REQUIRE(rdata->type == dns_rdatatype_tsig); REQUIRE(rdata->rdclass == dns_rdataclass_any); @@ -587,7 +587,7 @@ return (ISC_R_NOTIMPLEMENTED); } -static inline bool +static bool checkowner_any_tsig(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_tsig); REQUIRE(rdclass == dns_rdataclass_any); @@ -600,7 +600,7 @@ return (true); } -static inline bool +static bool checknames_any_tsig(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_tsig); REQUIRE(rdata->rdclass == dns_rdataclass_any); @@ -612,7 +612,7 @@ return (true); } -static inline int +static int casecompare_any_tsig(ARGS_COMPARE) { return (compare_any_tsig(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/ch_3/a_1.c bind9-9.16.33/lib/dns/rdata/ch_3/a_1.c --- bind9-9.16.27/lib/dns/rdata/ch_3/a_1.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/ch_3/a_1.c 2022-09-08 13:01:23.000000000 +0000 @@ -21,7 +21,7 @@ #define RRTYPE_A_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_ch_a(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -64,7 +64,7 @@ return (uint16_tobuffer(token.value.as_ulong, target)); } -static inline isc_result_t +static isc_result_t totext_ch_a(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -93,7 +93,7 @@ return (str_totext(buf, target)); } -static inline isc_result_t +static isc_result_t fromwire_ch_a(ARGS_FROMWIRE) { isc_region_t sregion; isc_region_t tregion; 
@@ -127,7 +127,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_ch_a(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; @@ -158,7 +158,7 @@ return (ISC_R_SUCCESS); } -static inline int +static int compare_ch_a(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2; @@ -196,7 +196,7 @@ return (order); } -static inline isc_result_t +static isc_result_t fromstruct_ch_a(ARGS_FROMSTRUCT) { dns_rdata_ch_a_t *a = source; isc_region_t region; @@ -215,7 +215,7 @@ return (uint16_tobuffer(ntohs(a->ch_addr), target)); } -static inline isc_result_t +static isc_result_t tostruct_ch_a(ARGS_TOSTRUCT) { dns_rdata_ch_a_t *a = target; isc_region_t region; @@ -242,7 +242,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_ch_a(ARGS_FREESTRUCT) { dns_rdata_ch_a_t *a = source; @@ -257,7 +257,7 @@ a->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_ch_a(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_a); REQUIRE(rdata->rdclass == dns_rdataclass_ch); @@ -269,7 +269,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_ch_a(ARGS_DIGEST) { isc_region_t r; dns_name_t name; @@ -285,7 +285,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_ch_a(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_a); REQUIRE(rdclass == dns_rdataclass_ch); @@ -295,7 +295,7 @@ return (dns_name_ishostname(name, wildcard)); } -static inline bool +static bool checknames_ch_a(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name; @@ -318,7 +318,7 @@ return (true); } -static inline int +static int casecompare_ch_a(ARGS_COMPARE) { return (compare_ch_a(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/afsdb_18.c bind9-9.16.33/lib/dns/rdata/generic/afsdb_18.c --- bind9-9.16.27/lib/dns/rdata/generic/afsdb_18.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/afsdb_18.c 2022-09-08 13:01:23.000000000 +0000 
@@ -18,7 +18,7 @@ #define RRTYPE_AFSDB_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_afsdb(ARGS_FROMTEXT) { isc_token_t token; isc_buffer_t buffer; @@ -65,7 +65,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_afsdb(ARGS_TOTEXT) { dns_name_t name; dns_name_t prefix; @@ -90,7 +90,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_afsdb(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sr; @@ -119,7 +119,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_afsdb(ARGS_TOWIRE) { isc_region_t tr; isc_region_t sr; @@ -145,7 +145,7 @@ return (dns_name_towire(&name, cctx, target)); } -static inline int +static int compare_afsdb(ARGS_COMPARE) { int result; dns_name_t name1; @@ -179,7 +179,7 @@ return (dns_name_rdatacompare(&name1, &name2)); } -static inline isc_result_t +static isc_result_t fromstruct_afsdb(ARGS_FROMSTRUCT) { dns_rdata_afsdb_t *afsdb = source; isc_region_t region; @@ -197,7 +197,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_afsdb(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_afsdb_t *afsdb = target; @@ -226,7 +226,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_afsdb(ARGS_FREESTRUCT) { dns_rdata_afsdb_t *afsdb = source; @@ -241,7 +241,7 @@ afsdb->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_afsdb(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets; @@ -257,7 +257,7 @@ return ((add)(arg, &name, dns_rdatatype_a)); } -static inline isc_result_t +static isc_result_t digest_afsdb(ARGS_DIGEST) { isc_region_t r1, r2; dns_name_t name; @@ -275,7 +275,7 @@ return (dns_name_digest(&name, digest, arg)); } -static inline bool +static bool checkowner_afsdb(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_afsdb); 
@@ -287,7 +287,7 @@ return (true); } -static inline bool +static bool checknames_afsdb(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name; @@ -309,7 +309,7 @@ return (true); } -static inline int +static int casecompare_afsdb(ARGS_COMPARE) { return (compare_afsdb(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/amtrelay_260.c bind9-9.16.33/lib/dns/rdata/generic/amtrelay_260.c --- bind9-9.16.27/lib/dns/rdata/generic/amtrelay_260.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/amtrelay_260.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ #define RRTYPE_AMTRELAY_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_amtrelay(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -116,12 +116,11 @@ return (dns_name_fromtext(&name, &buffer, origin, options, target)); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } -static inline isc_result_t +static isc_result_t totext_amtrelay(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -178,13 +177,12 @@ return (dns_name_totext(&name, false, target)); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_amtrelay(ARGS_FROMWIRE) { dns_name_t name; isc_region_t region; @@ -236,7 +234,7 @@ } } -static inline isc_result_t +static isc_result_t towire_amtrelay(ARGS_TOWIRE) { isc_region_t region; @@ -249,7 +247,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline int +static int compare_amtrelay(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -266,7 +264,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_amtrelay(ARGS_FROMSTRUCT) { dns_rdata_amtrelay_t *amtrelay = source; isc_region_t region; 
@@ -306,7 +304,7 @@ } } -static inline isc_result_t +static isc_result_t tostruct_amtrelay(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_amtrelay_t *amtrelay = target; @@ -370,7 +368,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_amtrelay(ARGS_FREESTRUCT) { dns_rdata_amtrelay_t *amtrelay = source; @@ -392,7 +390,7 @@ amtrelay->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_amtrelay(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_amtrelay); @@ -403,7 +401,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_amtrelay(ARGS_DIGEST) { isc_region_t region; @@ -413,7 +411,7 @@ return ((digest)(arg, ®ion)); } -static inline bool +static bool checkowner_amtrelay(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_amtrelay); @@ -425,7 +423,7 @@ return (true); } -static inline bool +static bool checknames_amtrelay(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_amtrelay); @@ -436,7 +434,7 @@ return (true); } -static inline int +static int casecompare_amtrelay(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; diff -Nru bind9-9.16.27/lib/dns/rdata/generic/avc_258.c bind9-9.16.33/lib/dns/rdata/generic/avc_258.c --- bind9-9.16.27/lib/dns/rdata/generic/avc_258.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/avc_258.c 2022-09-08 13:01:23.000000000 +0000 @@ -16,14 +16,14 @@ #define RRTYPE_AVC_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_avc(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_avc); return (generic_fromtext_txt(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_avc(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_avc); 
@@ -31,14 +31,14 @@ return (generic_totext_txt(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_avc(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_avc); return (generic_fromwire_txt(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_avc(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_avc); @@ -47,7 +47,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_avc(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -61,14 +61,14 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_avc(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_avc); return (generic_fromstruct_txt(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_avc(ARGS_TOSTRUCT) { dns_rdata_avc_t *avc = target; @@ -82,7 +82,7 @@ return (generic_tostruct_txt(CALL_TOSTRUCT)); } -static inline void +static void freestruct_avc(ARGS_FREESTRUCT) { dns_rdata_avc_t *avc = source; @@ -92,7 +92,7 @@ generic_freestruct_txt(source); } -static inline isc_result_t +static isc_result_t additionaldata_avc(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_avc); @@ -103,7 +103,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_avc(ARGS_DIGEST) { isc_region_t r; @@ -114,7 +114,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_avc(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_avc); @@ -126,7 +126,7 @@ return (true); } -static inline bool +static bool checknames_avc(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_avc); 
@@ -137,7 +137,7 @@ return (true); } -static inline int +static int casecompare_avc(ARGS_COMPARE) { return (compare_avc(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/caa_257.c bind9-9.16.33/lib/dns/rdata/generic/caa_257.c --- bind9-9.16.27/lib/dns/rdata/generic/caa_257.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/caa_257.c 2022-09-08 13:01:23.000000000 +0000 @@ -275,7 +275,7 @@ 0, }; -static inline isc_result_t +static isc_result_t fromtext_caa(ARGS_FROMTEXT) { isc_token_t token; isc_textregion_t tr; @@ -326,7 +326,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_caa(ARGS_TOTEXT) { isc_region_t region; uint8_t flags; @@ -360,7 +360,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_caa(ARGS_FROMWIRE) { isc_region_t sr; unsigned int len, i; @@ -411,7 +411,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline isc_result_t +static isc_result_t towire_caa(ARGS_TOWIRE) { isc_region_t region; @@ -425,7 +425,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline int +static int compare_caa(ARGS_COMPARE) { isc_region_t r1, r2; @@ -442,7 +442,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_caa(ARGS_FROMSTRUCT) { dns_rdata_caa_t *caa = source; isc_region_t region; @@ -488,7 +488,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_caa(ARGS_TOSTRUCT) { dns_rdata_caa_t *caa = target; isc_region_t sr; @@ -547,7 +547,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_caa(ARGS_FREESTRUCT) { dns_rdata_caa_t *caa = (dns_rdata_caa_t *)source; @@ -567,7 +567,7 @@ caa->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_caa(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_caa); REQUIRE(rdata->data != NULL); 
@@ -580,7 +580,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_caa(ARGS_DIGEST) { isc_region_t r; @@ -593,7 +593,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_caa(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_caa); @@ -605,7 +605,7 @@ return (true); } -static inline bool +static bool checknames_caa(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_caa); REQUIRE(rdata->data != NULL); @@ -618,7 +618,7 @@ return (true); } -static inline int +static int casecompare_caa(ARGS_COMPARE) { return (compare_caa(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/cdnskey_60.c bind9-9.16.33/lib/dns/rdata/generic/cdnskey_60.c --- bind9-9.16.27/lib/dns/rdata/generic/cdnskey_60.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/cdnskey_60.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,14 +20,14 @@ #define RRTYPE_CDNSKEY_ATTRIBUTES 0 -static inline isc_result_t +static isc_result_t fromtext_cdnskey(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_cdnskey); return (generic_fromtext_key(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_cdnskey(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_cdnskey); @@ -35,14 +35,14 @@ return (generic_totext_key(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_cdnskey(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_cdnskey); return (generic_fromwire_key(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_cdnskey(ARGS_TOWIRE) { isc_region_t sr; @@ -55,7 +55,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_cdnskey(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; 
@@ -73,14 +73,14 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_cdnskey(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_cdnskey); return (generic_fromstruct_key(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_cdnskey(ARGS_TOSTRUCT) { dns_rdata_cdnskey_t *dnskey = target; @@ -95,7 +95,7 @@ return (generic_tostruct_key(CALL_TOSTRUCT)); } -static inline void +static void freestruct_cdnskey(ARGS_FREESTRUCT) { dns_rdata_cdnskey_t *dnskey = (dns_rdata_cdnskey_t *)source; @@ -105,7 +105,7 @@ generic_freestruct_key(source); } -static inline isc_result_t +static isc_result_t additionaldata_cdnskey(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_cdnskey); @@ -116,7 +116,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_cdnskey(ARGS_DIGEST) { isc_region_t r; @@ -128,7 +128,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_cdnskey(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_cdnskey); @@ -140,7 +140,7 @@ return (true); } -static inline bool +static bool checknames_cdnskey(ARGS_CHECKNAMES) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_cdnskey); @@ -152,7 +152,7 @@ return (true); } -static inline int +static int casecompare_cdnskey(ARGS_COMPARE) { /* * Treat ALG 253 (private DNS) subtype name case sensitively. diff -Nru bind9-9.16.27/lib/dns/rdata/generic/cds_59.c bind9-9.16.33/lib/dns/rdata/generic/cds_59.c --- bind9-9.16.27/lib/dns/rdata/generic/cds_59.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/cds_59.c 2022-09-08 13:01:23.000000000 +0000 
@@ -20,14 +20,14 @@ #include -static inline isc_result_t +static isc_result_t fromtext_cds(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_cds); return (generic_fromtext_ds(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_cds(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_cds); @@ -35,14 +35,14 @@ return (generic_totext_ds(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_cds(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_cds); return (generic_fromwire_ds(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_cds(ARGS_TOWIRE) { isc_region_t sr; @@ -55,7 +55,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_cds(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -71,14 +71,14 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_cds(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_cds); return (generic_fromstruct_ds(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_cds(ARGS_TOSTRUCT) { dns_rdata_cds_t *cds = target; @@ -96,7 +96,7 @@ return (generic_tostruct_ds(CALL_TOSTRUCT)); } -static inline void +static void freestruct_cds(ARGS_FREESTRUCT) { dns_rdata_cds_t *cds = source; @@ -113,7 +113,7 @@ cds->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_cds(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_cds); @@ -124,7 +124,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_cds(ARGS_DIGEST) { isc_region_t r; @@ -135,7 +135,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_cds(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_cds); @@ -147,7 +147,7 @@ return (true); } -static inline bool +static bool checknames_cds(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_cds); 
@@ -158,7 +158,7 @@ return (true); } -static inline int +static int casecompare_cds(ARGS_COMPARE) { return (compare_cds(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/cert_37.c bind9-9.16.33/lib/dns/rdata/generic/cert_37.c --- bind9-9.16.27/lib/dns/rdata/generic/cert_37.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/cert_37.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_CERT_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_cert(ARGS_FROMTEXT) { isc_token_t token; dns_secalg_t secalg; @@ -61,7 +61,7 @@ return (isc_base64_tobuffer(lexer, target, -2)); } -static inline isc_result_t +static isc_result_t totext_cert(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("64000 ")]; @@ -115,7 +115,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_cert(ARGS_FROMWIRE) { isc_region_t sr; @@ -135,7 +135,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline isc_result_t +static isc_result_t towire_cert(ARGS_TOWIRE) { isc_region_t sr; @@ -148,7 +148,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_cert(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -164,7 +164,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_cert(ARGS_FROMSTRUCT) { dns_rdata_cert_t *cert = source; @@ -183,7 +183,7 @@ return (mem_tobuffer(target, cert->certificate, cert->length)); } -static inline isc_result_t +static isc_result_t tostruct_cert(ARGS_TOSTRUCT) { dns_rdata_cert_t *cert = target; isc_region_t region; @@ -215,7 +215,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_cert(ARGS_FREESTRUCT) { dns_rdata_cert_t *cert = source; @@ -232,7 +232,7 @@ cert->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_cert(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_cert); 
@@ -243,7 +243,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_cert(ARGS_DIGEST) { isc_region_t r; @@ -254,7 +254,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_cert(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_cert); @@ -266,7 +266,7 @@ return (true); } -static inline bool +static bool checknames_cert(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_cert); @@ -277,7 +277,7 @@ return (true); } -static inline int +static int casecompare_cert(ARGS_COMPARE) { return (compare_cert(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/cname_5.c bind9-9.16.33/lib/dns/rdata/generic/cname_5.c --- bind9-9.16.27/lib/dns/rdata/generic/cname_5.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/cname_5.c 2022-09-08 13:01:23.000000000 +0000 @@ -17,7 +17,7 @@ #define RRTYPE_CNAME_ATTRIBUTES \ (DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON) -static inline isc_result_t +static isc_result_t fromtext_cname(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -41,7 +41,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_cname(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -62,7 +62,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_cname(ARGS_FROMWIRE) { dns_name_t name; @@ -77,7 +77,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_cname(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; @@ -95,7 +95,7 @@ return (dns_name_towire(&name, cctx, target)); } -static inline int +static int compare_cname(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2; @@ -120,7 +120,7 @@ return (dns_name_rdatacompare(&name1, &name2)); } -static inline isc_result_t +static isc_result_t fromstruct_cname(ARGS_FROMSTRUCT) { dns_rdata_cname_t *cname = source; isc_region_t region; 
@@ -137,7 +137,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_cname(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_cname_t *cname = target; @@ -160,7 +160,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_cname(ARGS_FREESTRUCT) { dns_rdata_cname_t *cname = source; @@ -174,7 +174,7 @@ cname->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_cname(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -185,7 +185,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_cname(ARGS_DIGEST) { isc_region_t r; dns_name_t name; @@ -199,7 +199,7 @@ return (dns_name_digest(&name, digest, arg)); } -static inline bool +static bool checkowner_cname(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_cname); @@ -211,7 +211,7 @@ return (true); } -static inline bool +static bool checknames_cname(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_cname); @@ -222,7 +222,7 @@ return (true); } -static inline int +static int casecompare_cname(ARGS_COMPARE) { return (compare_cname(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/csync_62.c bind9-9.16.33/lib/dns/rdata/generic/csync_62.c --- bind9-9.16.27/lib/dns/rdata/generic/csync_62.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/csync_62.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_CSYNC_ATTRIBUTES 0 -static inline isc_result_t +static isc_result_t fromtext_csync(ARGS_FROMTEXT) { isc_token_t token; @@ -47,7 +47,7 @@ return (typemap_fromtext(lexer, target, true)); } -static inline isc_result_t +static isc_result_t totext_csync(ARGS_TOTEXT) { unsigned long num; char buf[sizeof("0123456789")]; /* Also TYPE65535 */ @@ -81,7 +81,7 @@ return (typemap_totext(&sr, NULL, target)); } -static /* inline */ isc_result_t +static isc_result_t fromwire_csync(ARGS_FROMWIRE) { isc_region_t sr; 
@@ -111,7 +111,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_csync(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_csync); REQUIRE(rdata->length >= 6); @@ -121,7 +121,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_csync(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -137,7 +137,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_csync(ARGS_FROMSTRUCT) { dns_rdata_csync_t *csync = source; isc_region_t region; @@ -160,7 +160,7 @@ return (mem_tobuffer(target, csync->typebits, csync->len)); } -static inline isc_result_t +static isc_result_t tostruct_csync(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_csync_t *csync = target; @@ -194,7 +194,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_csync(ARGS_FREESTRUCT) { dns_rdata_csync_t *csync = source; @@ -211,7 +211,7 @@ csync->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_csync(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_csync); @@ -222,7 +222,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_csync(ARGS_DIGEST) { isc_region_t r; @@ -232,7 +232,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_csync(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_csync); @@ -244,7 +244,7 @@ return (true); } -static inline bool +static bool checknames_csync(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_csync); @@ -255,7 +255,7 @@ return (true); } -static inline int +static int casecompare_csync(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; diff -Nru bind9-9.16.27/lib/dns/rdata/generic/dlv_32769.c bind9-9.16.33/lib/dns/rdata/generic/dlv_32769.c --- bind9-9.16.27/lib/dns/rdata/generic/dlv_32769.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/dlv_32769.c 2022-09-08 13:01:23.000000000 +0000 
@@ -20,14 +20,14 @@ #include -static inline isc_result_t +static isc_result_t fromtext_dlv(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_dlv); return (generic_fromtext_ds(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_dlv(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_dlv); @@ -35,14 +35,14 @@ return (generic_totext_ds(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_dlv(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_dlv); return (generic_fromwire_ds(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_dlv(ARGS_TOWIRE) { isc_region_t sr; @@ -55,7 +55,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_dlv(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -71,14 +71,14 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_dlv(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_dlv); return (generic_fromstruct_ds(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_dlv(ARGS_TOSTRUCT) { dns_rdata_dlv_t *dlv = target; @@ -92,7 +92,7 @@ return (generic_tostruct_ds(CALL_TOSTRUCT)); } -static inline void +static void freestruct_dlv(ARGS_FREESTRUCT) { dns_rdata_dlv_t *dlv = source; @@ -109,7 +109,7 @@ dlv->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_dlv(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_dlv); @@ -120,7 +120,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_dlv(ARGS_DIGEST) { isc_region_t r; @@ -131,7 +131,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_dlv(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_dlv); @@ -143,7 +143,7 @@ return (true); } -static inline bool +static bool checknames_dlv(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_dlv); 
@@ -154,7 +154,7 @@ return (true); } -static inline int +static int casecompare_dlv(ARGS_COMPARE) { return (compare_dlv(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/dname_39.c bind9-9.16.33/lib/dns/rdata/generic/dname_39.c --- bind9-9.16.27/lib/dns/rdata/generic/dname_39.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/dname_39.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON) -static inline isc_result_t +static isc_result_t fromtext_dname(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -42,7 +42,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_dname(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -63,7 +63,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_dname(ARGS_FROMWIRE) { dns_name_t name; @@ -78,7 +78,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_dname(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; @@ -95,7 +95,7 @@ return (dns_name_towire(&name, cctx, target)); } -static inline int +static int compare_dname(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2; @@ -120,7 +120,7 @@ return (dns_name_rdatacompare(&name1, &name2)); } -static inline isc_result_t +static isc_result_t fromstruct_dname(ARGS_FROMSTRUCT) { dns_rdata_dname_t *dname = source; isc_region_t region; @@ -137,7 +137,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_dname(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_dname_t *dname = target; @@ -160,7 +160,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_dname(ARGS_FREESTRUCT) { dns_rdata_dname_t *dname = source; 
@@ -175,7 +175,7 @@ dname->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_dname(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -186,7 +186,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_dname(ARGS_DIGEST) { isc_region_t r; dns_name_t name; @@ -200,7 +200,7 @@ return (dns_name_digest(&name, digest, arg)); } -static inline bool +static bool checkowner_dname(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_dname); @@ -212,7 +212,7 @@ return (true); } -static inline bool +static bool checknames_dname(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_dname); @@ -223,7 +223,7 @@ return (true); } -static inline int +static int casecompare_dname(ARGS_COMPARE) { return (compare_dname(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/dnskey_48.c bind9-9.16.33/lib/dns/rdata/generic/dnskey_48.c --- bind9-9.16.27/lib/dns/rdata/generic/dnskey_48.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/dnskey_48.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,14 +20,14 @@ #define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC) -static inline isc_result_t +static isc_result_t fromtext_dnskey(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_dnskey); return (generic_fromtext_key(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_dnskey(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_dnskey); @@ -35,14 +35,14 @@ return (generic_totext_key(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_dnskey(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_dnskey); return (generic_fromwire_key(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_dnskey(ARGS_TOWIRE) { isc_region_t sr; @@ -56,7 +56,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_dnskey(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; 
@@ -74,14 +74,14 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_dnskey(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_dnskey); return (generic_fromstruct_key(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_dnskey(ARGS_TOSTRUCT) { dns_rdata_dnskey_t *dnskey = target; @@ -96,7 +96,7 @@ return (generic_tostruct_key(CALL_TOSTRUCT)); } -static inline void +static void freestruct_dnskey(ARGS_FREESTRUCT) { dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *)source; @@ -106,7 +106,7 @@ generic_freestruct_key(source); } -static inline isc_result_t +static isc_result_t additionaldata_dnskey(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_dnskey); @@ -117,7 +117,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_dnskey(ARGS_DIGEST) { isc_region_t r; @@ -129,7 +129,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_dnskey(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_dnskey); @@ -141,7 +141,7 @@ return (true); } -static inline bool +static bool checknames_dnskey(ARGS_CHECKNAMES) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_dnskey); @@ -153,7 +153,7 @@ return (true); } -static inline int +static int casecompare_dnskey(ARGS_COMPARE) { /* * Treat ALG 253 (private DNS) subtype name case sensitively. diff -Nru bind9-9.16.27/lib/dns/rdata/generic/doa_259.c bind9-9.16.33/lib/dns/rdata/generic/doa_259.c --- bind9-9.16.27/lib/dns/rdata/generic/doa_259.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/doa_259.c 2022-09-08 13:01:23.000000000 +0000 @@ -16,7 +16,7 @@ #define RRTYPE_DOA_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_doa(ARGS_FROMTEXT) { isc_token_t token; @@ -71,7 +71,7 @@ } } -static inline isc_result_t +static isc_result_t totext_doa(ARGS_TOTEXT) { char buf[sizeof("4294967295 ")]; isc_region_t region; 
@@ -125,7 +125,7 @@ } } -static inline isc_result_t +static isc_result_t fromwire_doa(ARGS_FROMWIRE) { isc_region_t region; @@ -156,7 +156,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline isc_result_t +static isc_result_t towire_doa(ARGS_TOWIRE) { isc_region_t region; @@ -170,7 +170,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline int +static int compare_doa(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -188,7 +188,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_doa(ARGS_FROMSTRUCT) { dns_rdata_doa_t *doa = source; @@ -205,7 +205,7 @@ return (mem_tobuffer(target, doa->data, doa->data_len)); } -static inline isc_result_t +static isc_result_t tostruct_doa(ARGS_TOSTRUCT) { dns_rdata_doa_t *doa = target; isc_region_t region; @@ -287,7 +287,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_doa(ARGS_FREESTRUCT) { dns_rdata_doa_t *doa = source; @@ -308,7 +308,7 @@ doa->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_doa(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -319,7 +319,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_doa(ARGS_DIGEST) { isc_region_t r; @@ -330,7 +330,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_doa(ARGS_CHECKOWNER) { UNUSED(name); UNUSED(type); @@ -342,7 +342,7 @@ return (true); } -static inline bool +static bool checknames_doa(ARGS_CHECKNAMES) { UNUSED(rdata); UNUSED(owner); @@ -353,7 +353,7 @@ return (true); } -static inline int +static int casecompare_doa(ARGS_COMPARE) { return (compare_doa(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ds_43.c bind9-9.16.33/lib/dns/rdata/generic/ds_43.c --- bind9-9.16.27/lib/dns/rdata/generic/ds_43.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/ds_43.c 2022-09-08 13:01:23.000000000 +0000 
@@ -24,7 +24,7 @@ #include -static inline isc_result_t +static isc_result_t generic_fromtext_ds(ARGS_FROMTEXT) { isc_token_t token; unsigned char c; @@ -82,14 +82,14 @@ return (isc_hex_tobuffer(lexer, target, length)); } -static inline isc_result_t +static isc_result_t fromtext_ds(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_ds); return (generic_fromtext_ds(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t generic_totext_ds(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("64000 ")]; @@ -148,7 +148,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_ds(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_ds); @@ -156,7 +156,7 @@ return (generic_totext_ds(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t generic_fromwire_ds(ARGS_FROMWIRE) { isc_region_t sr; @@ -198,14 +198,14 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline isc_result_t +static isc_result_t fromwire_ds(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_ds); return (generic_fromwire_ds(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_ds(ARGS_TOWIRE) { isc_region_t sr; @@ -218,7 +218,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_ds(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -234,7 +234,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t generic_fromstruct_ds(ARGS_FROMSTRUCT) { dns_rdata_ds_t *ds = source; @@ -264,14 +264,14 @@ return (mem_tobuffer(target, ds->digest, ds->length)); } -static inline isc_result_t +static isc_result_t fromstruct_ds(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_ds); return (generic_fromstruct_ds(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t generic_tostruct_ds(ARGS_TOSTRUCT) { dns_rdata_ds_t *ds = target; isc_region_t region; 
@@ -301,7 +301,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t tostruct_ds(ARGS_TOSTRUCT) { dns_rdata_ds_t *ds = target; @@ -315,7 +315,7 @@ return (generic_tostruct_ds(CALL_TOSTRUCT)); } -static inline void +static void freestruct_ds(ARGS_FREESTRUCT) { dns_rdata_ds_t *ds = source; @@ -332,7 +332,7 @@ ds->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_ds(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_ds); @@ -343,7 +343,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_ds(ARGS_DIGEST) { isc_region_t r; @@ -354,7 +354,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_ds(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_ds); @@ -366,7 +366,7 @@ return (true); } -static inline bool +static bool checknames_ds(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_ds); @@ -377,7 +377,7 @@ return (true); } -static inline int +static int casecompare_ds(ARGS_COMPARE) { return (compare_ds(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/eui48_108.c bind9-9.16.33/lib/dns/rdata/generic/eui48_108.c --- bind9-9.16.27/lib/dns/rdata/generic/eui48_108.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/eui48_108.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_EUI48_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_eui48(ARGS_FROMTEXT) { isc_token_t token; unsigned char eui48[6]; @@ -52,7 +52,7 @@ return (mem_tobuffer(target, eui48, sizeof(eui48))); } -static inline isc_result_t +static isc_result_t totext_eui48(ARGS_TOTEXT) { char buf[sizeof("xx-xx-xx-xx-xx-xx")]; @@ -67,7 +67,7 @@ return (str_totext(buf, target)); } -static inline isc_result_t +static isc_result_t fromwire_eui48(ARGS_FROMWIRE) { isc_region_t sregion; 
@@ -86,7 +86,7 @@ return (mem_tobuffer(target, sregion.base, sregion.length)); } -static inline isc_result_t +static isc_result_t towire_eui48(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_eui48); REQUIRE(rdata->length == 6); @@ -96,7 +96,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_eui48(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -112,7 +112,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_eui48(ARGS_FROMSTRUCT) { dns_rdata_eui48_t *eui48 = source; @@ -127,7 +127,7 @@ return (mem_tobuffer(target, eui48->eui48, sizeof(eui48->eui48))); } -static inline isc_result_t +static isc_result_t tostruct_eui48(ARGS_TOSTRUCT) { dns_rdata_eui48_t *eui48 = target; @@ -145,7 +145,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_eui48(ARGS_FREESTRUCT) { dns_rdata_eui48_t *eui48 = source; @@ -155,7 +155,7 @@ return; } -static inline isc_result_t +static isc_result_t additionaldata_eui48(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_eui48); REQUIRE(rdata->length == 6); @@ -167,7 +167,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_eui48(ARGS_DIGEST) { isc_region_t r; @@ -179,7 +179,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_eui48(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_eui48); @@ -191,7 +191,7 @@ return (true); } -static inline bool +static bool checknames_eui48(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_eui48); REQUIRE(rdata->length == 6); 
@@ -203,7 +203,7 @@ return (true); } -static inline int +static int casecompare_eui48(ARGS_COMPARE) { return (compare_eui48(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/eui64_109.c bind9-9.16.33/lib/dns/rdata/generic/eui64_109.c --- bind9-9.16.27/lib/dns/rdata/generic/eui64_109.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/eui64_109.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_EUI64_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_eui64(ARGS_FROMTEXT) { isc_token_t token; unsigned char eui64[8]; @@ -54,7 +54,7 @@ return (mem_tobuffer(target, eui64, sizeof(eui64))); } -static inline isc_result_t +static isc_result_t totext_eui64(ARGS_TOTEXT) { char buf[sizeof("xx-xx-xx-xx-xx-xx-xx-xx")]; @@ -70,7 +70,7 @@ return (str_totext(buf, target)); } -static inline isc_result_t +static isc_result_t fromwire_eui64(ARGS_FROMWIRE) { isc_region_t sregion; @@ -89,7 +89,7 @@ return (mem_tobuffer(target, sregion.base, sregion.length)); } -static inline isc_result_t +static isc_result_t towire_eui64(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_eui64); REQUIRE(rdata->length == 8); @@ -99,7 +99,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_eui64(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -115,7 +115,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_eui64(ARGS_FROMSTRUCT) { dns_rdata_eui64_t *eui64 = source; @@ -130,7 +130,7 @@ return (mem_tobuffer(target, eui64->eui64, sizeof(eui64->eui64))); } -static inline isc_result_t +static isc_result_t tostruct_eui64(ARGS_TOSTRUCT) { dns_rdata_eui64_t *eui64 = target; @@ -148,7 +148,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_eui64(ARGS_FREESTRUCT) { dns_rdata_eui64_t *eui64 = source; 
@@ -158,7 +158,7 @@ return; } -static inline isc_result_t +static isc_result_t additionaldata_eui64(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_eui64); REQUIRE(rdata->length == 8); @@ -170,7 +170,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_eui64(ARGS_DIGEST) { isc_region_t r; @@ -182,7 +182,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_eui64(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_eui64); @@ -194,7 +194,7 @@ return (true); } -static inline bool +static bool checknames_eui64(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_eui64); REQUIRE(rdata->length == 8); @@ -206,7 +206,7 @@ return (true); } -static inline int +static int casecompare_eui64(ARGS_COMPARE) { return (compare_eui64(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/gpos_27.c bind9-9.16.33/lib/dns/rdata/generic/gpos_27.c --- bind9-9.16.27/lib/dns/rdata/generic/gpos_27.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/gpos_27.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_GPOS_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_gpos(ARGS_FROMTEXT) { isc_token_t token; int i; @@ -39,7 +39,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_gpos(ARGS_TOTEXT) { isc_region_t region; int i; @@ -61,7 +61,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_gpos(ARGS_FROMWIRE) { int i; @@ -72,12 +72,13 @@ UNUSED(rdclass); UNUSED(options); - for (i = 0; i < 3; i++) + for (i = 0; i < 3; i++) { RETERR(txt_fromwire(source, target)); + } return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_gpos(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_gpos); REQUIRE(rdata->length != 0); 
@@ -87,7 +88,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_gpos(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -103,7 +104,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_gpos(ARGS_FROMSTRUCT) { dns_rdata_gpos_t *gpos = source; @@ -123,7 +124,7 @@ return (mem_tobuffer(target, gpos->altitude, gpos->alt_len)); } -static inline isc_result_t +static isc_result_t tostruct_gpos(ARGS_TOSTRUCT) { dns_rdata_gpos_t *gpos = target; isc_region_t region; @@ -179,7 +180,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_gpos(ARGS_FREESTRUCT) { dns_rdata_gpos_t *gpos = source; @@ -202,7 +203,7 @@ gpos->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_gpos(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_gpos); @@ -213,7 +214,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_gpos(ARGS_DIGEST) { isc_region_t r; @@ -224,7 +225,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_gpos(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_gpos); @@ -236,7 +237,7 @@ return (true); } -static inline bool +static bool checknames_gpos(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_gpos); @@ -247,7 +248,7 @@ return (true); } -static inline int +static int casecompare_gpos(ARGS_COMPARE) { return (compare_gpos(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/hinfo_13.c bind9-9.16.33/lib/dns/rdata/generic/hinfo_13.c --- bind9-9.16.27/lib/dns/rdata/generic/hinfo_13.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/hinfo_13.c 2022-09-08 13:01:23.000000000 +0000 @@ -16,7 +16,7 @@ #define RRTYPE_HINFO_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_hinfo(ARGS_FROMTEXT) { isc_token_t token; int i; 
@@ -37,7 +37,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_hinfo(ARGS_TOTEXT) { isc_region_t region; @@ -52,7 +52,7 @@ return (txt_totext(®ion, true, target)); } -static inline isc_result_t +static isc_result_t fromwire_hinfo(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_hinfo); @@ -65,7 +65,7 @@ return (txt_fromwire(source, target)); } -static inline isc_result_t +static isc_result_t towire_hinfo(ARGS_TOWIRE) { UNUSED(cctx); @@ -75,7 +75,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_hinfo(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -91,7 +91,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_hinfo(ARGS_FROMSTRUCT) { dns_rdata_hinfo_t *hinfo = source; @@ -109,7 +109,7 @@ return (mem_tobuffer(target, hinfo->os, hinfo->os_len)); } -static inline isc_result_t +static isc_result_t tostruct_hinfo(ARGS_TOSTRUCT) { dns_rdata_hinfo_t *hinfo = target; isc_region_t region; @@ -148,7 +148,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_hinfo(ARGS_FREESTRUCT) { dns_rdata_hinfo_t *hinfo = source; @@ -167,7 +167,7 @@ hinfo->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_hinfo(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_hinfo); @@ -178,7 +178,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_hinfo(ARGS_DIGEST) { isc_region_t r; @@ -189,7 +189,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_hinfo(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_hinfo); @@ -201,7 +201,7 @@ return (true); } -static inline bool +static bool checknames_hinfo(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_hinfo); 
@@ -212,7 +212,7 @@ return (true); } -static inline int +static int casecompare_hinfo(ARGS_COMPARE) { return (compare_hinfo(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/hip_55.c bind9-9.16.33/lib/dns/rdata/generic/hip_55.c --- bind9-9.16.27/lib/dns/rdata/generic/hip_55.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/hip_55.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_HIP_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_hip(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -117,7 +117,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_hip(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -190,7 +190,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_hip(ARGS_FROMWIRE) { isc_region_t region, rr; dns_name_t name; @@ -235,7 +235,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_hip(ARGS_TOWIRE) { isc_region_t region; @@ -248,7 +248,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline int +static int compare_hip(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -264,7 +264,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_hip(ARGS_FROMSTRUCT) { dns_rdata_hip_t *hip = source; dns_rdata_hip_t myhip; @@ -291,12 +291,14 @@ myhip = *hip; for (result = dns_rdata_hip_first(&myhip); result == ISC_R_SUCCESS; result = dns_rdata_hip_next(&myhip)) - /* empty */; + { + /* initialize the names */ + } return (mem_tobuffer(target, hip->servers, hip->servers_len)); } -static inline isc_result_t +static isc_result_t tostruct_hip(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_hip_t *hip = target; @@ -361,7 +363,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_hip(ARGS_FREESTRUCT) { dns_rdata_hip_t *hip = source; 
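Review bot: The comment added in fromstruct_hip, `/* initialize the names */`, does not explain why the loop exists: the body is empty and the walk runs over `myhip`, a local copy, while the following `mem_tobuffer()` copies `hip->servers` itself. If the intent is to walk the caller-supplied server list once so that a malformed entry trips the iterator's checks before the bytes are copied out (an `INSIST` against `servers_len` is visible in a later hunk of this file), the comment should say so, for example `/* walk the server list on a copy so a malformed name is caught before it is copied to target */`. The loop also stops on any result other than `ISC_R_SUCCESS` without inspecting the final value, so a short remark on which terminating result is expected would help. The function begins above this hunk, so the earlier validation of `hip` is not visible here.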
@@ -379,7 +381,7 @@ hip->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_hip(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -390,7 +392,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_hip(ARGS_DIGEST) { isc_region_t r; @@ -400,7 +402,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_hip(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_hip); @@ -412,7 +414,7 @@ return (true); } -static inline bool +static bool checknames_hip(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_hip); @@ -463,7 +465,7 @@ INSIST(name->length + hip->offset <= hip->servers_len); } -static inline int +static int casecompare_hip(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ipseckey_45.c bind9-9.16.33/lib/dns/rdata/generic/ipseckey_45.c --- bind9-9.16.27/lib/dns/rdata/generic/ipseckey_45.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/ipseckey_45.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ #define RRTYPE_IPSECKEY_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_ipseckey(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -121,7 +121,7 @@ return (isc_base64_tobuffer(lexer, target, -2)); } -static inline isc_result_t +static isc_result_t totext_ipseckey(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -211,7 +211,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_ipseckey(ARGS_FROMWIRE) { dns_name_t name; isc_region_t region; @@ -268,7 +268,7 @@ } } -static inline isc_result_t +static isc_result_t towire_ipseckey(ARGS_TOWIRE) { isc_region_t region; @@ -281,7 +281,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline int +static int compare_ipseckey(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; 
@@ -298,7 +298,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_ipseckey(ARGS_FROMSTRUCT) { dns_rdata_ipseckey_t *ipseckey = source; isc_region_t region; @@ -342,7 +342,7 @@ return (mem_tobuffer(target, ipseckey->key, ipseckey->keylength)); } -static inline isc_result_t +static isc_result_t tostruct_ipseckey(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_ipseckey_t *ipseckey = target; @@ -415,7 +415,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_ipseckey(ARGS_FREESTRUCT) { dns_rdata_ipseckey_t *ipseckey = source; @@ -437,7 +437,7 @@ ipseckey->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_ipseckey(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_ipseckey); @@ -448,7 +448,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_ipseckey(ARGS_DIGEST) { isc_region_t region; @@ -458,7 +458,7 @@ return ((digest)(arg, ®ion)); } -static inline bool +static bool checkowner_ipseckey(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_ipseckey); @@ -470,7 +470,7 @@ return (true); } -static inline bool +static bool checknames_ipseckey(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_ipseckey); @@ -481,7 +481,7 @@ return (true); } -static inline int +static int casecompare_ipseckey(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; diff -Nru bind9-9.16.27/lib/dns/rdata/generic/isdn_20.c bind9-9.16.33/lib/dns/rdata/generic/isdn_20.c --- bind9-9.16.27/lib/dns/rdata/generic/isdn_20.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/isdn_20.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_ISDN_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_isdn(ARGS_FROMTEXT) { isc_token_t token; @@ -47,7 +47,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_isdn(ARGS_TOTEXT) { isc_region_t region; 
@@ -65,7 +65,7 @@ return (txt_totext(®ion, true, target)); } -static inline isc_result_t +static isc_result_t fromwire_isdn(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_isdn); @@ -81,7 +81,7 @@ return (txt_fromwire(source, target)); } -static inline isc_result_t +static isc_result_t towire_isdn(ARGS_TOWIRE) { UNUSED(cctx); @@ -91,7 +91,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_isdn(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -107,7 +107,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_isdn(ARGS_FROMSTRUCT) { dns_rdata_isdn_t *isdn = source; @@ -128,7 +128,7 @@ return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len)); } -static inline isc_result_t +static isc_result_t tostruct_isdn(ARGS_TOSTRUCT) { dns_rdata_isdn_t *isdn = target; isc_region_t r; @@ -174,7 +174,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_isdn(ARGS_FREESTRUCT) { dns_rdata_isdn_t *isdn = source; @@ -193,7 +193,7 @@ isdn->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_isdn(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_isdn); @@ -204,7 +204,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_isdn(ARGS_DIGEST) { isc_region_t r; @@ -215,7 +215,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_isdn(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_isdn); @@ -227,7 +227,7 @@ return (true); } -static inline bool +static bool checknames_isdn(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_isdn); 
@@ -238,7 +238,7 @@ return (true); } -static inline int +static int casecompare_isdn(ARGS_COMPARE) { return (compare_isdn(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/key_25.c bind9-9.16.33/lib/dns/rdata/generic/key_25.c --- bind9-9.16.27/lib/dns/rdata/generic/key_25.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/key_25.c 2022-09-08 13:01:23.000000000 +0000 @@ -31,7 +31,7 @@ * DNSKEY - RFC 4034 * RKEY - draft-reid-dnsext-rkey-00 */ -static inline bool +static bool generic_key_nokey(dns_rdatatype_t type, unsigned int flags) { switch (type) { case dns_rdatatype_cdnskey: @@ -44,7 +44,7 @@ } } -static inline isc_result_t +static isc_result_t generic_fromtext_key(ARGS_FROMTEXT) { isc_token_t token; dns_secalg_t alg; @@ -85,7 +85,7 @@ return (isc_base64_tobuffer(lexer, target, -2)); } -static inline isc_result_t +static isc_result_t generic_totext_key(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("[key id = 64000]")]; @@ -190,7 +190,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t generic_fromwire_key(ARGS_FROMWIRE) { unsigned char algorithm; uint16_t flags; @@ -234,14 +234,14 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline isc_result_t +static isc_result_t fromtext_key(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_key); return (generic_fromtext_key(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t totext_key(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_key); @@ -249,14 +249,14 @@ return (generic_totext_key(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t fromwire_key(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_key); return (generic_fromwire_key(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t towire_key(ARGS_TOWIRE) { isc_region_t sr; 
@@ -270,7 +270,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_key(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -288,7 +288,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t generic_fromstruct_key(ARGS_FROMSTRUCT) { dns_rdata_key_t *key = source; @@ -316,7 +316,7 @@ return (mem_tobuffer(target, key->data, key->datalen)); } -static inline isc_result_t +static isc_result_t generic_tostruct_key(ARGS_TOSTRUCT) { dns_rdata_key_t *key = target; isc_region_t sr; @@ -363,7 +363,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void generic_freestruct_key(ARGS_FREESTRUCT) { dns_rdata_key_t *key = (dns_rdata_key_t *)source; @@ -379,14 +379,14 @@ key->mctx = NULL; } -static inline isc_result_t +static isc_result_t fromstruct_key(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_key); return (generic_fromstruct_key(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t tostruct_key(ARGS_TOSTRUCT) { dns_rdata_key_t *key = target; @@ -401,7 +401,7 @@ return (generic_tostruct_key(CALL_TOSTRUCT)); } -static inline void +static void freestruct_key(ARGS_FREESTRUCT) { dns_rdata_key_t *key = (dns_rdata_key_t *)source; @@ -411,7 +411,7 @@ generic_freestruct_key(source); } -static inline isc_result_t +static isc_result_t additionaldata_key(ARGS_ADDLDATA) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_key); @@ -423,7 +423,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_key(ARGS_DIGEST) { isc_region_t r; @@ -435,7 +435,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_key(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_key); @@ -447,7 +447,7 @@ return (true); } -static inline bool +static bool checknames_key(ARGS_CHECKNAMES) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_key); 
@@ -459,7 +459,7 @@ return (true); } -static inline int +static int casecompare_key(ARGS_COMPARE) { return (compare_key(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/keydata_65533.c bind9-9.16.33/lib/dns/rdata/generic/keydata_65533.c --- bind9-9.16.27/lib/dns/rdata/generic/keydata_65533.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/keydata_65533.c 2022-09-08 13:01:23.000000000 +0000 @@ -21,7 +21,7 @@ #define RRTYPE_KEYDATA_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_keydata(ARGS_FROMTEXT) { isc_token_t token; dns_secalg_t alg; @@ -86,7 +86,7 @@ return (isc_base64_tobuffer(lexer, target, -2)); } -static inline isc_result_t +static isc_result_t totext_keydata(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("64000")]; @@ -249,7 +249,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_keydata(ARGS_FROMWIRE) { isc_region_t sr; @@ -265,7 +265,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline isc_result_t +static isc_result_t towire_keydata(ARGS_TOWIRE) { isc_region_t sr; @@ -277,7 +277,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_keydata(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -291,7 +291,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_keydata(ARGS_FROMSTRUCT) { dns_rdata_keydata_t *keydata = source; @@ -325,7 +325,7 @@ return (mem_tobuffer(target, keydata->data, keydata->datalen)); } -static inline isc_result_t +static isc_result_t tostruct_keydata(ARGS_TOSTRUCT) { dns_rdata_keydata_t *keydata = target; isc_region_t sr; @@ -392,7 +392,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_keydata(ARGS_FREESTRUCT) { dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *)source; 
@@ -409,7 +409,7 @@ keydata->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_keydata(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_keydata); @@ -420,7 +420,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_keydata(ARGS_DIGEST) { isc_region_t r; @@ -431,7 +431,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_keydata(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_keydata); @@ -443,7 +443,7 @@ return (true); } -static inline bool +static bool checknames_keydata(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_keydata); @@ -454,7 +454,7 @@ return (true); } -static inline int +static int casecompare_keydata(ARGS_COMPARE) { return (compare_keydata(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/l32_105.c bind9-9.16.33/lib/dns/rdata/generic/l32_105.c --- bind9-9.16.27/lib/dns/rdata/generic/l32_105.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/l32_105.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ #define RRTYPE_L32_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_l32(ARGS_FROMTEXT) { isc_token_t token; struct in_addr addr; @@ -56,7 +56,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_l32(ARGS_TOTEXT) { isc_region_t region; char buf[sizeof("65000")]; @@ -78,7 +78,7 @@ return (inet_totext(AF_INET, tctx->flags, ®ion, target)); } -static inline isc_result_t +static isc_result_t fromwire_l32(ARGS_FROMWIRE) { isc_region_t sregion; @@ -97,7 +97,7 @@ return (mem_tobuffer(target, sregion.base, sregion.length)); } -static inline isc_result_t +static isc_result_t towire_l32(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_l32); REQUIRE(rdata->length == 6); @@ -107,7 +107,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_l32(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; 
@@ -123,7 +123,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_l32(ARGS_FROMSTRUCT) { dns_rdata_l32_t *l32 = source; uint32_t n; @@ -141,7 +141,7 @@ return (uint32_tobuffer(n, target)); } -static inline isc_result_t +static isc_result_t tostruct_l32(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_l32_t *l32 = target; @@ -164,7 +164,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_l32(ARGS_FREESTRUCT) { dns_rdata_l32_t *l32 = source; @@ -174,7 +174,7 @@ return; } -static inline isc_result_t +static isc_result_t additionaldata_l32(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_l32); REQUIRE(rdata->length == 6); @@ -186,7 +186,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_l32(ARGS_DIGEST) { isc_region_t r; @@ -198,7 +198,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_l32(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_l32); @@ -210,7 +210,7 @@ return (true); } -static inline bool +static bool checknames_l32(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_l32); REQUIRE(rdata->length == 6); @@ -222,7 +222,7 @@ return (true); } -static inline int +static int casecompare_l32(ARGS_COMPARE) { return (compare_l32(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/l64_106.c bind9-9.16.33/lib/dns/rdata/generic/l64_106.c --- bind9-9.16.27/lib/dns/rdata/generic/l64_106.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/l64_106.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ #define RRTYPE_L64_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_l64(ARGS_FROMTEXT) { isc_token_t token; unsigned char locator[NS_LOCATORSZ]; @@ -49,7 +49,7 @@ return (mem_tobuffer(target, locator, NS_LOCATORSZ)); } -static inline isc_result_t +static isc_result_t totext_l64(ARGS_TOTEXT) { isc_region_t region; char buf[sizeof("xxxx:xxxx:xxxx:xxxx")]; 
@@ -76,7 +76,7 @@ return (str_totext(buf, target)); } -static inline isc_result_t +static isc_result_t fromwire_l64(ARGS_FROMWIRE) { isc_region_t sregion; @@ -95,7 +95,7 @@ return (mem_tobuffer(target, sregion.base, sregion.length)); } -static inline isc_result_t +static isc_result_t towire_l64(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_l64); REQUIRE(rdata->length == 10); @@ -105,7 +105,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_l64(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -121,7 +121,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_l64(ARGS_FROMSTRUCT) { dns_rdata_l64_t *l64 = source; @@ -137,7 +137,7 @@ return (mem_tobuffer(target, l64->l64, sizeof(l64->l64))); } -static inline isc_result_t +static isc_result_t tostruct_l64(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_l64_t *l64 = target; @@ -158,7 +158,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_l64(ARGS_FREESTRUCT) { dns_rdata_l64_t *l64 = source; @@ -168,7 +168,7 @@ return; } -static inline isc_result_t +static isc_result_t additionaldata_l64(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_l64); REQUIRE(rdata->length == 10); @@ -180,7 +180,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_l64(ARGS_DIGEST) { isc_region_t r; @@ -192,7 +192,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_l64(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_l64); @@ -204,7 +204,7 @@ return (true); } -static inline bool +static bool checknames_l64(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_l64); REQUIRE(rdata->length == 10); 
@@ -216,7 +216,7 @@ return (true); } -static inline int +static int casecompare_l64(ARGS_COMPARE) { return (compare_l64(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/loc_29.c bind9-9.16.33/lib/dns/rdata/generic/loc_29.c --- bind9-9.16.27/lib/dns/rdata/generic/loc_29.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/loc_29.c 2022-09-08 13:01:23.000000000 +0000 @@ -257,7 +257,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t loc_getlatitude(isc_lex_t *lexer, unsigned long *latitude) { unsigned long d1 = 0, m1 = 0, s1 = 0; int direction = 0; @@ -272,14 +272,13 @@ *latitude = 0x80000000 - (d1 * 3600 + m1 * 60) * 1000 - s1; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t loc_getlongitude(isc_lex_t *lexer, unsigned long *longitude) { unsigned long d2 = 0, m2 = 0, s2 = 0; int direction = 0; @@ -294,14 +293,13 @@ *longitude = 0x80000000 - (d2 * 3600 + m2 * 60) * 1000 - s2; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t loc_getaltitude(isc_lex_t *lexer, unsigned long *altitude) { isc_token_t token; unsigned long cm; @@ -327,7 +325,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t loc_getoptionalprecision(isc_lex_t *lexer, unsigned char *valuep) { isc_token_t token; 
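Review bot: In loc_getlatitude the `default:` branch now relies on `UNREACHABLE()` alone where it previously had `INSIST(0)` followed by `ISC_UNREACHABLE()`, and the macro's definition is not part of this diff section. It is worth confirming that `UNREACHABLE()` still reports an assertion failure and aborts in every build configuration rather than expanding to a bare compiler hint. `direction` is presumably derived from text read through `lexer`, and reaching a pure unreachable hint would be undefined behaviour instead of a controlled abort. A one-line comment on the branch, such as `/* direction is validated by the coordinate parser; any other value is a programming error */`, would record why it cannot be reached, if that is indeed guaranteed. The same replacement is made in loc_getlongitude in the next hunk, and in both cases the switch starts above the hunk.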
@@ -343,17 +341,17 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t loc_getsize(isc_lex_t *lexer, unsigned char *sizep) { return (loc_getoptionalprecision(lexer, sizep)); } -static inline isc_result_t +static isc_result_t loc_gethorizontalprecision(isc_lex_t *lexer, unsigned char *hpp) { return (loc_getoptionalprecision(lexer, hpp)); } -static inline isc_result_t +static isc_result_t loc_getverticalprecision(isc_lex_t *lexer, unsigned char *vpp) { return (loc_getoptionalprecision(lexer, vpp)); } @@ -382,7 +380,7 @@ * ZIP/postal code area sizes, since it is often easy to find * approximate geographical location by ZIP/postal code. */ -static inline isc_result_t +static isc_result_t fromtext_loc(ARGS_FROMTEXT) { isc_result_t result = ISC_R_SUCCESS; unsigned long latitude = 0; @@ -435,7 +433,7 @@ return (result); } -static inline isc_result_t +static isc_result_t totext_loc(ARGS_TOTEXT) { int d1, m1, s1, fs1; int d2, m2, s2, fs2; @@ -554,7 +552,7 @@ return (str_totext(buf, target)); } -static inline isc_result_t +static isc_result_t fromwire_loc(ARGS_FROMWIRE) { isc_region_t sr; unsigned char c; @@ -654,7 +652,7 @@ return (mem_tobuffer(target, sr.base, 16)); } -static inline isc_result_t +static isc_result_t towire_loc(ARGS_TOWIRE) { UNUSED(cctx); @@ -664,7 +662,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_loc(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -680,7 +678,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_loc(ARGS_FROMSTRUCT) { dns_rdata_loc_t *loc = source; uint8_t c; @@ -732,7 +730,7 @@ return (uint32_tobuffer(loc->v.v0.altitude, target)); } -static inline isc_result_t +static isc_result_t tostruct_loc(ARGS_TOSTRUCT) { dns_rdata_loc_t *loc = target; isc_region_t r; @@ -771,7 +769,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_loc(ARGS_FREESTRUCT) { dns_rdata_loc_t *loc = source; 
@@ -782,7 +780,7 @@ UNUSED(loc); } -static inline isc_result_t +static isc_result_t additionaldata_loc(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_loc); @@ -793,7 +791,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_loc(ARGS_DIGEST) { isc_region_t r; @@ -804,7 +802,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_loc(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_loc); @@ -816,7 +814,7 @@ return (true); } -static inline bool +static bool checknames_loc(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_loc); @@ -827,7 +825,7 @@ return (true); } -static inline int +static int casecompare_loc(ARGS_COMPARE) { return (compare_loc(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/generic/lp_107.c bind9-9.16.33/lib/dns/rdata/generic/lp_107.c --- bind9-9.16.27/lib/dns/rdata/generic/lp_107.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/generic/lp_107.c 2022-09-08 13:01:23.000000000 +0000 @@ -20,7 +20,7 @@ #define RRTYPE_LP_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_lp(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -50,7 +50,7 @@ return (dns_name_fromtext(&name, &buffer, origin, options, target)); } -static inline isc_result_t +static isc_result_t totext_lp(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -78,7 +78,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_lp(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sregion; @@ -101,7 +101,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_lp(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_lp); REQUIRE(rdata->length != 0); @@ -111,7 +111,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_lp(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; 
@@ -128,7 +128,7 @@
 return (isc_region_compare(®ion1, ®ion2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_lp(ARGS_FROMSTRUCT) { dns_rdata_lp_t *lp = source; isc_region_t region;
@@ -146,7 +146,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_lp(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_lp_t *lp = target;
@@ -171,7 +171,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_lp(ARGS_FREESTRUCT) { dns_rdata_lp_t *lp = source;
@@ -186,7 +186,7 @@
 lp->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_lp(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -207,7 +207,7 @@
 return ((add)(arg, &name, dns_rdatatype_l64)); }
-static inline isc_result_t
+static isc_result_t
 digest_lp(ARGS_DIGEST) { isc_region_t region;
@@ -217,7 +217,7 @@
 return ((digest)(arg, ®ion)); }
-static inline bool
+static bool
 checkowner_lp(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_lp);
@@ -229,7 +229,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_lp(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_lp);
@@ -239,7 +239,7 @@
 return (true); }
-static inline int
+static int
 casecompare_lp(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/mb_7.c bind9-9.16.33/lib/dns/rdata/generic/mb_7.c
--- bind9-9.16.27/lib/dns/rdata/generic/mb_7.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/mb_7.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MB_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_mb(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -40,7 +40,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_mb(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -61,7 +61,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_mb(ARGS_FROMWIRE) { dns_name_t name;
@@ -76,7 +76,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_mb(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -94,7 +94,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_mb(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -119,7 +119,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_mb(ARGS_FROMSTRUCT) { dns_rdata_mb_t *mb = source; isc_region_t region;
@@ -136,7 +136,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_mb(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_mb_t *mb = target;
@@ -159,7 +159,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_mb(ARGS_FREESTRUCT) { dns_rdata_mb_t *mb = source;
@@ -173,7 +173,7 @@
 mb->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_mb(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -188,7 +188,7 @@
 return ((add)(arg, &name, dns_rdatatype_a)); }
-static inline isc_result_t
+static isc_result_t
 digest_mb(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -202,7 +202,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_mb(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_mb);
@@ -213,7 +213,7 @@
 return (dns_name_ismailbox(name)); }
-static inline bool
+static bool
 checknames_mb(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_mb);
@@ -224,7 +224,7 @@
 return (true); }
-static inline int
+static int
 casecompare_mb(ARGS_COMPARE) { return (compare_mb(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/md_3.c bind9-9.16.33/lib/dns/rdata/generic/md_3.c
--- bind9-9.16.27/lib/dns/rdata/generic/md_3.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/md_3.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MD_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_md(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -40,7 +40,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_md(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -61,7 +61,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_md(ARGS_FROMWIRE) { dns_name_t name;
@@ -76,7 +76,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_md(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -94,7 +94,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_md(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -119,7 +119,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_md(ARGS_FROMSTRUCT) { dns_rdata_md_t *md = source; isc_region_t region;
@@ -136,7 +136,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_md(ARGS_TOSTRUCT) { dns_rdata_md_t *md = target; isc_region_t r;
@@ -159,7 +159,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_md(ARGS_FREESTRUCT) { dns_rdata_md_t *md = source;
@@ -174,7 +174,7 @@
 md->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_md(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -189,7 +189,7 @@
 return ((add)(arg, &name, dns_rdatatype_a)); }
-static inline isc_result_t
+static isc_result_t
 digest_md(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -203,7 +203,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_md(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_md);
@@ -215,7 +215,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_md(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_md);
@@ -226,7 +226,7 @@
 return (true); }
-static inline int
+static int
 casecompare_md(ARGS_COMPARE) { return (compare_md(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/mf_4.c bind9-9.16.33/lib/dns/rdata/generic/mf_4.c
--- bind9-9.16.27/lib/dns/rdata/generic/mf_4.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/mf_4.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MF_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_mf(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -40,7 +40,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_mf(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -61,7 +61,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_mf(ARGS_FROMWIRE) { dns_name_t name;
@@ -76,7 +76,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_mf(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -94,7 +94,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_mf(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -119,7 +119,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_mf(ARGS_FROMSTRUCT) { dns_rdata_mf_t *mf = source; isc_region_t region;
@@ -136,7 +136,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_mf(ARGS_TOSTRUCT) { dns_rdata_mf_t *mf = target; isc_region_t r;
@@ -159,7 +159,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_mf(ARGS_FREESTRUCT) { dns_rdata_mf_t *mf = source;
@@ -173,7 +173,7 @@
 mf->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_mf(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -188,7 +188,7 @@
 return ((add)(arg, &name, dns_rdatatype_a)); }
-static inline isc_result_t
+static isc_result_t
 digest_mf(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -202,7 +202,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_mf(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_mf);
@@ -214,7 +214,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_mf(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_mf);
@@ -225,7 +225,7 @@
 return (true); }
-static inline int
+static int
 casecompare_mf(ARGS_COMPARE) { return (compare_mf(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/mg_8.c bind9-9.16.33/lib/dns/rdata/generic/mg_8.c
--- bind9-9.16.27/lib/dns/rdata/generic/mg_8.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/mg_8.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MG_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_mg(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -40,7 +40,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_mg(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -61,7 +61,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_mg(ARGS_FROMWIRE) { dns_name_t name;
@@ -76,7 +76,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_mg(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -94,7 +94,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_mg(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -119,7 +119,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_mg(ARGS_FROMSTRUCT) { dns_rdata_mg_t *mg = source; isc_region_t region;
@@ -136,7 +136,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_mg(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_mg_t *mg = target;
@@ -159,7 +159,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_mg(ARGS_FREESTRUCT) { dns_rdata_mg_t *mg = source;
@@ -173,7 +173,7 @@
 mg->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_mg(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_mg);
@@ -184,7 +184,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_mg(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -198,7 +198,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_mg(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_mg);
@@ -209,7 +209,7 @@
 return (dns_name_ismailbox(name)); }
-static inline bool
+static bool
 checknames_mg(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_mg);
@@ -220,7 +220,7 @@
 return (true); }
-static inline int
+static int
 casecompare_mg(ARGS_COMPARE) { return (compare_mg(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/minfo_14.c bind9-9.16.33/lib/dns/rdata/generic/minfo_14.c
--- bind9-9.16.27/lib/dns/rdata/generic/minfo_14.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/minfo_14.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MINFO_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_minfo(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -55,7 +55,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_minfo(ARGS_TOTEXT) { isc_region_t region; dns_name_t rmail;
@@ -88,7 +88,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_minfo(ARGS_FROMWIRE) { dns_name_t rmail; dns_name_t email;
@@ -107,7 +107,7 @@
 return (dns_name_fromwire(&email, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_minfo(ARGS_TOWIRE) { isc_region_t region; dns_name_t rmail;
@@ -136,7 +136,7 @@
 return (dns_name_towire(&rmail, cctx, target)); }
-static inline int
+static int
 compare_minfo(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2;
@@ -177,7 +177,7 @@
 return (order); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_minfo(ARGS_FROMSTRUCT) { dns_rdata_minfo_t *minfo = source; isc_region_t region;
@@ -196,7 +196,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_minfo(ARGS_TOSTRUCT) { dns_rdata_minfo_t *minfo = target; isc_region_t region;
@@ -234,7 +234,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_minfo(ARGS_FREESTRUCT) { dns_rdata_minfo_t *minfo = source;
@@ -250,7 +250,7 @@
 minfo->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_minfo(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_minfo);
@@ -261,7 +261,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_minfo(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -283,7 +283,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_minfo(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_minfo);
@@ -295,7 +295,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_minfo(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -324,7 +324,7 @@
 return (true); }
-static inline int
+static int
 casecompare_minfo(ARGS_COMPARE) { return (compare_minfo(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/mr_9.c bind9-9.16.33/lib/dns/rdata/generic/mr_9.c
--- bind9-9.16.27/lib/dns/rdata/generic/mr_9.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/mr_9.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_MR_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_mr(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -40,7 +40,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_mr(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -61,7 +61,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_mr(ARGS_FROMWIRE) { dns_name_t name;
@@ -76,7 +76,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_mr(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -94,7 +94,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_mr(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -119,7 +119,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_mr(ARGS_FROMSTRUCT) { dns_rdata_mr_t *mr = source; isc_region_t region;
@@ -136,7 +136,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_mr(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_mr_t *mr = target;
@@ -159,7 +159,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_mr(ARGS_FREESTRUCT) { dns_rdata_mr_t *mr = source;
@@ -173,7 +173,7 @@
 mr->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_mr(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_mr);
@@ -184,7 +184,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_mr(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -198,7 +198,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_mr(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_mr);
@@ -210,7 +210,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_mr(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_mr);
@@ -221,7 +221,7 @@
 return (true); }
-static inline int
+static int
 casecompare_mr(ARGS_COMPARE) { return (compare_mr(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/mx_15.c bind9-9.16.33/lib/dns/rdata/generic/mx_15.c
--- bind9-9.16.27/lib/dns/rdata/generic/mx_15.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/mx_15.c 2022-09-08 13:01:23.000000000 +0000
@@ -44,7 +44,7 @@
 return (true); }
-static inline isc_result_t
+static isc_result_t
 fromtext_mx(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -96,7 +96,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_mx(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -124,7 +124,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_mx(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sregion;
@@ -147,7 +147,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_mx(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -168,7 +168,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_mx(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -202,7 +202,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_mx(ARGS_FROMSTRUCT) { dns_rdata_mx_t *mx = source; isc_region_t region;
@@ -220,7 +220,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_mx(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_mx_t *mx = target;
@@ -245,7 +245,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_mx(ARGS_FREESTRUCT) { dns_rdata_mx_t *mx = source;
@@ -265,7 +265,7 @@
 static dns_name_t port25 = DNS_NAME_INITNONABSOLUTE(port25_ndata, port25_offset);
-static inline isc_result_t
+static isc_result_t
 additionaldata_mx(ARGS_ADDLDATA) { isc_result_t result; dns_fixedname_t fixed;
@@ -299,7 +299,7 @@
 return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa)); }
-static inline isc_result_t
+static isc_result_t
 digest_mx(ARGS_DIGEST) { isc_region_t r1, r2; dns_name_t name;
@@ -316,7 +316,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_mx(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_mx);
@@ -326,7 +326,7 @@
 return (dns_name_ishostname(name, wildcard)); }
-static inline bool
+static bool
 checknames_mx(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -348,7 +348,7 @@
 return (true); }
-static inline int
+static int
 casecompare_mx(ARGS_COMPARE) { return (compare_mx(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/naptr_35.c bind9-9.16.33/lib/dns/rdata/generic/naptr_35.c
--- bind9-9.16.27/lib/dns/rdata/generic/naptr_35.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/naptr_35.c 2022-09-08 13:01:23.000000000 +0000
@@ -24,7 +24,7 @@
 * Check the wire format of the Regexp field. * Don't allow embedded NUL's. */
-static inline isc_result_t
+static isc_result_t
 txt_valid_regex(const unsigned char *txt) { unsigned int nsub = 0; char regex[256];
@@ -169,7 +169,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromtext_naptr(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -239,7 +239,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_naptr(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -300,7 +300,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_naptr(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sr;
@@ -348,7 +348,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_naptr(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -391,7 +391,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_naptr(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -463,7 +463,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_naptr(ARGS_FROMSTRUCT) { dns_rdata_naptr_t *naptr = source; isc_region_t region;
@@ -491,7 +491,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_naptr(ARGS_TOSTRUCT) { dns_rdata_naptr_t *naptr = target; isc_region_t r;
@@ -568,7 +568,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_naptr(ARGS_FREESTRUCT) { dns_rdata_naptr_t *naptr = source;
@@ -592,7 +592,7 @@
 naptr->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_naptr(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -650,7 +650,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_naptr(ARGS_DIGEST) { isc_region_t r1, r2; unsigned int length, n;
@@ -709,7 +709,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_naptr(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_naptr);
@@ -721,7 +721,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_naptr(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_naptr);
@@ -732,7 +732,7 @@
 return (true); }
-static inline int
+static int
 casecompare_naptr(ARGS_COMPARE) { return (compare_naptr(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/nid_104.c bind9-9.16.33/lib/dns/rdata/generic/nid_104.c
--- bind9-9.16.27/lib/dns/rdata/generic/nid_104.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/nid_104.c 2022-09-08 13:01:23.000000000 +0000
@@ -20,7 +20,7 @@
 #define RRTYPE_NID_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_nid(ARGS_FROMTEXT) { isc_token_t token; unsigned char locator[NS_LOCATORSZ];
@@ -49,7 +49,7 @@
 return (mem_tobuffer(target, locator, NS_LOCATORSZ)); }
-static inline isc_result_t
+static isc_result_t
 totext_nid(ARGS_TOTEXT) { isc_region_t region; char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
@@ -76,7 +76,7 @@
 return (str_totext(buf, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_nid(ARGS_FROMWIRE) { isc_region_t sregion;
@@ -95,7 +95,7 @@
 return (mem_tobuffer(target, sregion.base, sregion.length)); }
-static inline isc_result_t
+static isc_result_t
 towire_nid(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_nid); REQUIRE(rdata->length == 10);
@@ -105,7 +105,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length)); }
-static inline int
+static int
 compare_nid(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2;
@@ -121,7 +121,7 @@
 return (isc_region_compare(®ion1, ®ion2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_nid(ARGS_FROMSTRUCT) { dns_rdata_nid_t *nid = source;
@@ -137,7 +137,7 @@
 return (mem_tobuffer(target, nid->nid, sizeof(nid->nid))); }
-static inline isc_result_t
+static isc_result_t
 tostruct_nid(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_nid_t *nid = target;
@@ -158,7 +158,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_nid(ARGS_FREESTRUCT) { dns_rdata_nid_t *nid = source;
@@ -168,7 +168,7 @@
 return; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_nid(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nid); REQUIRE(rdata->length == 10);
@@ -180,7 +180,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_nid(ARGS_DIGEST) { isc_region_t r;
@@ -192,7 +192,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_nid(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_nid);
@@ -204,7 +204,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_nid(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nid); REQUIRE(rdata->length == 10);
@@ -216,7 +216,7 @@
 return (true); }
-static inline int
+static int
 casecompare_nid(ARGS_COMPARE) { return (compare_nid(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ninfo_56.c bind9-9.16.33/lib/dns/rdata/generic/ninfo_56.c
--- bind9-9.16.27/lib/dns/rdata/generic/ninfo_56.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/ninfo_56.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,14 +16,14 @@
 #define RRTYPE_NINFO_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_ninfo(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_ninfo); return (generic_fromtext_txt(CALL_FROMTEXT)); }
-static inline isc_result_t
+static isc_result_t
 totext_ninfo(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_ninfo);
@@ -31,14 +31,14 @@
 return (generic_totext_txt(CALL_TOTEXT)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_ninfo(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_ninfo); return (generic_fromwire_txt(CALL_FROMWIRE)); }
-static inline isc_result_t
+static isc_result_t
 towire_ninfo(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_ninfo);
@@ -47,7 +47,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length)); }
-static inline int
+static int
 compare_ninfo(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -61,14 +61,14 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_ninfo(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_ninfo); return (generic_fromstruct_txt(CALL_FROMSTRUCT)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_ninfo(ARGS_TOSTRUCT) { dns_rdata_ninfo_t *ninfo = target;
@@ -82,7 +82,7 @@
 return (generic_tostruct_txt(CALL_TOSTRUCT)); }
-static inline void
+static void
 freestruct_ninfo(ARGS_FREESTRUCT) { dns_rdata_ninfo_t *ninfo = source;
@@ -92,7 +92,7 @@
 generic_freestruct_txt(source); }
-static inline isc_result_t
+static isc_result_t
 additionaldata_ninfo(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_ninfo);
@@ -103,7 +103,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_ninfo(ARGS_DIGEST) { isc_region_t r;
@@ -114,7 +114,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_ninfo(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_ninfo);
@@ -126,7 +126,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_ninfo(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_ninfo);
@@ -137,7 +137,7 @@
 return (true); }
-static inline int
+static int
 casecompare_ninfo(ARGS_COMPARE) { return (compare_ninfo(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ns_2.c bind9-9.16.33/lib/dns/rdata/generic/ns_2.c
--- bind9-9.16.27/lib/dns/rdata/generic/ns_2.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/ns_2.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
-static inline isc_result_t
+static isc_result_t
 fromtext_ns(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -51,7 +51,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_ns(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -72,7 +72,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_ns(ARGS_FROMWIRE) { dns_name_t name;
@@ -87,7 +87,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_ns(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -105,7 +105,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_ns(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -130,7 +130,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_ns(ARGS_FROMSTRUCT) { dns_rdata_ns_t *ns = source; isc_region_t region;
@@ -147,7 +147,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_ns(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_ns_t *ns = target;
@@ -170,7 +170,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_ns(ARGS_FREESTRUCT) { dns_rdata_ns_t *ns = source;
@@ -184,7 +184,7 @@
 ns->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_ns(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -199,7 +199,7 @@
 return ((add)(arg, &name, dns_rdatatype_a)); }
-static inline isc_result_t
+static isc_result_t
 digest_ns(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -213,7 +213,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_ns(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_ns);
@@ -225,7 +225,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_ns(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -246,7 +246,7 @@
 return (true); }
-static inline int
+static int
 casecompare_ns(ARGS_COMPARE) { return (compare_ns(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/nsec3_50.c bind9-9.16.33/lib/dns/rdata/generic/nsec3_50.c
--- bind9-9.16.27/lib/dns/rdata/generic/nsec3_50.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/nsec3_50.c 2022-09-08 13:01:23.000000000 +0000
@@ -37,7 +37,7 @@
 #define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
-static inline isc_result_t
+static isc_result_t
 fromtext_nsec3(ARGS_FROMTEXT) { isc_token_t token; unsigned int flags;
@@ -105,7 +105,7 @@
 return (typemap_fromtext(lexer, target, true)); }
-static inline isc_result_t
+static isc_result_t
 totext_nsec3(ARGS_TOTEXT) { isc_region_t sr; unsigned int i, j;
@@ -181,7 +181,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_nsec3(ARGS_FROMWIRE) { isc_region_t sr, rr; unsigned int saltlen, hashlen;
@@ -226,7 +226,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 towire_nsec3(ARGS_TOWIRE) { isc_region_t sr;
@@ -239,7 +239,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_nsec3(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -255,7 +255,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_nsec3(ARGS_FROMSTRUCT) { dns_rdata_nsec3_t *nsec3 = source; isc_region_t region;
@@ -284,7 +284,7 @@
 return (mem_tobuffer(target, nsec3->typebits, nsec3->len)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_nsec3(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_nsec3_t *nsec3 = target;
@@ -336,7 +336,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_nsec3(ARGS_FREESTRUCT) { dns_rdata_nsec3_t *nsec3 = source;
@@ -359,7 +359,7 @@
 nsec3->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_nsec3(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nsec3);
@@ -370,7 +370,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_nsec3(ARGS_DIGEST) { isc_region_t r;
@@ -380,7 +380,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_nsec3(ARGS_CHECKOWNER) { unsigned char owner[NSEC3_MAX_HASH_LENGTH]; isc_buffer_t buffer;
@@ -405,7 +405,7 @@
 return (false); }
-static inline bool
+static bool
 checknames_nsec3(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nsec3);
@@ -416,7 +416,7 @@
 return (true); }
-static inline int
+static int
 casecompare_nsec3(ARGS_COMPARE) { return (compare_nsec3(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/nsec3param_51.c bind9-9.16.33/lib/dns/rdata/generic/nsec3param_51.c
--- bind9-9.16.27/lib/dns/rdata/generic/nsec3param_51.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/nsec3param_51.c 2022-09-08 13:01:23.000000000 +0000
@@ -37,7 +37,7 @@
 #define RRTYPE_NSEC3PARAM_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-static inline isc_result_t
+static isc_result_t
 fromtext_nsec3param(ARGS_FROMTEXT) { isc_token_t token; unsigned int flags = 0;
@@ -90,7 +90,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_nsec3param(ARGS_TOTEXT) { isc_region_t sr; unsigned int i, j;
@@ -140,7 +140,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_nsec3param(ARGS_FROMWIRE) { isc_region_t sr, rr; unsigned int saltlen;
@@ -171,7 +171,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 towire_nsec3param(ARGS_TOWIRE) { isc_region_t sr;
@@ -184,7 +184,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_nsec3param(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -200,7 +200,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_nsec3param(ARGS_FROMSTRUCT) { dns_rdata_nsec3param_t *nsec3param = source;
@@ -220,7 +220,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 tostruct_nsec3param(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_nsec3param_t *nsec3param = target;
@@ -252,7 +252,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_nsec3param(ARGS_FREESTRUCT) { dns_rdata_nsec3param_t *nsec3param = source;
@@ -269,7 +269,7 @@
 nsec3param->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_nsec3param(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nsec3param);
@@ -280,7 +280,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_nsec3param(ARGS_DIGEST) { isc_region_t r;
@@ -290,7 +290,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_nsec3param(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_nsec3param);
@@ -302,7 +302,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_nsec3param(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nsec3param);
@@ -313,7 +313,7 @@
 return (true); }
-static inline int
+static int
 casecompare_nsec3param(ARGS_COMPARE) { return (compare_nsec3param(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/nsec_47.c bind9-9.16.33/lib/dns/rdata/generic/nsec_47.c
--- bind9-9.16.27/lib/dns/rdata/generic/nsec_47.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/nsec_47.c 2022-09-08 13:01:23.000000000 +0000
@@ -24,7 +24,7 @@
 (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \ DNS_RDATATYPEATTR_ATCNAME)
-static inline isc_result_t
+static isc_result_t
 fromtext_nsec(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -51,7 +51,7 @@
 return (typemap_fromtext(lexer, target, false)); }
-static inline isc_result_t
+static isc_result_t
 totext_nsec(ARGS_TOTEXT) { isc_region_t sr; dns_name_t name;
@@ -75,7 +75,7 @@
 return (typemap_totext(&sr, NULL, target)); }
-static /* inline */ isc_result_t
+static isc_result_t
 fromwire_nsec(ARGS_FROMWIRE) { isc_region_t sr; dns_name_t name;
@@ -97,7 +97,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 towire_nsec(ARGS_TOWIRE) { isc_region_t sr; dns_name_t name;
@@ -116,7 +116,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_nsec(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -132,7 +132,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_nsec(ARGS_FROMSTRUCT) { dns_rdata_nsec_t *nsec = source; isc_region_t region;
@@ -155,7 +155,7 @@
 return (mem_tobuffer(target, nsec->typebits, nsec->len)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_nsec(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_nsec_t *nsec = target;
@@ -192,7 +192,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_nsec(ARGS_FREESTRUCT) { dns_rdata_nsec_t *nsec = source;
@@ -210,7 +210,7 @@
 nsec->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_nsec(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nsec);
@@ -221,7 +221,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_nsec(ARGS_DIGEST) { isc_region_t r;
@@ -231,7 +231,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_nsec(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_nsec);
@@ -243,7 +243,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_nsec(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nsec);
@@ -254,7 +254,7 @@
 return (true); }
-static inline int
+static int
 casecompare_nsec(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2;
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/null_10.c bind9-9.16.33/lib/dns/rdata/generic/null_10.c
--- bind9-9.16.27/lib/dns/rdata/generic/null_10.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/null_10.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_NULL_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_null(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_null);
@@ -31,14 +31,14 @@
 return (DNS_R_SYNTAX); }
-static inline isc_result_t
+static isc_result_t
 totext_null(ARGS_TOTEXT) { REQUIRE(rdata->type == dns_rdatatype_null); return (unknown_totext(rdata, tctx, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_null(ARGS_FROMWIRE) { isc_region_t sr;
@@ -54,7 +54,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline isc_result_t
+static isc_result_t
 towire_null(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_null);
@@ -63,7 +63,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length)); }
-static inline int
+static int
 compare_null(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -77,7 +77,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_null(ARGS_FROMSTRUCT) { dns_rdata_null_t *null = source;
@@ -93,7 +93,7 @@
 return (mem_tobuffer(target, null->data, null->length)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_null(ARGS_TOSTRUCT) { dns_rdata_null_t *null = target; isc_region_t r;
@@ -116,7 +116,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_null(ARGS_FREESTRUCT) { dns_rdata_null_t *null = source;
@@ -133,7 +133,7 @@
 null->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_null(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add);
@@ -144,7 +144,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_null(ARGS_DIGEST) { isc_region_t r;
@@ -155,7 +155,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_null(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_null);
@@ -167,7 +167,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_null(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_null);
@@ -178,7 +178,7 @@
 return (true); }
-static inline int
+static int
 casecompare_null(ARGS_COMPARE) { return (compare_null(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/nxt_30.c bind9-9.16.33/lib/dns/rdata/generic/nxt_30.c
--- bind9-9.16.27/lib/dns/rdata/generic/nxt_30.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/nxt_30.c 2022-09-08 13:01:23.000000000 +0000
@@ -22,7 +22,7 @@
 */ #define RRTYPE_NXT_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_nxt(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -88,7 +88,7 @@
 return (mem_tobuffer(target, bm, n)); }
-static inline isc_result_t
+static isc_result_t
 totext_nxt(ARGS_TOTEXT) { isc_region_t sr; unsigned int i, j;
@@ -134,7 +134,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_nxt(ARGS_FROMWIRE) { isc_region_t sr; dns_name_t name;
@@ -160,7 +160,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 towire_nxt(ARGS_TOWIRE) { isc_region_t sr; dns_name_t name;
@@ -179,7 +179,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_nxt(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -210,7 +210,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_nxt(ARGS_FROMSTRUCT) { dns_rdata_nxt_t *nxt = source; isc_region_t region;
@@ -234,7 +234,7 @@
 return (mem_tobuffer(target, nxt->typebits, nxt->len)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_nxt(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_nxt_t *nxt = target;
@@ -271,7 +271,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_nxt(ARGS_FREESTRUCT) { dns_rdata_nxt_t *nxt = source;
@@ -289,7 +289,7 @@
 nxt->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_nxt(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nxt);
@@ -300,7 +300,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_nxt(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -320,7 +320,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_nxt(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_nxt);
@@ -332,7 +332,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_nxt(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nxt);
@@ -343,7 +343,7 @@
 return (true); }
-static inline int
+static int
 casecompare_nxt(ARGS_COMPARE) { return (compare_nxt(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/openpgpkey_61.c bind9-9.16.33/lib/dns/rdata/generic/openpgpkey_61.c
--- bind9-9.16.27/lib/dns/rdata/generic/openpgpkey_61.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/openpgpkey_61.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_OPENPGPKEY_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_openpgpkey(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_openpgpkey);
@@ -32,7 +32,7 @@
 return (isc_base64_tobuffer(lexer, target, -2)); }
-static inline isc_result_t
+static isc_result_t
 totext_openpgpkey(ARGS_TOTEXT) { isc_region_t sr;
@@ -66,7 +66,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_openpgpkey(ARGS_FROMWIRE) { isc_region_t sr;
@@ -88,7 +88,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline isc_result_t
+static isc_result_t
 towire_openpgpkey(ARGS_TOWIRE) { isc_region_t sr;
@@ -101,7 +101,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_openpgpkey(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -117,7 +117,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_openpgpkey(ARGS_FROMSTRUCT) { dns_rdata_openpgpkey_t *sig = source;
@@ -136,7 +136,7 @@
 return (mem_tobuffer(target, sig->keyring, sig->length)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_openpgpkey(ARGS_TOSTRUCT) { isc_region_t sr; dns_rdata_openpgpkey_t *sig = target;
@@ -167,7 +167,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_openpgpkey(ARGS_FREESTRUCT) { dns_rdata_openpgpkey_t *sig = (dns_rdata_openpgpkey_t *)source;
@@ -184,7 +184,7 @@
 sig->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_openpgpkey(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
@@ -195,7 +195,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_openpgpkey(ARGS_DIGEST) { isc_region_t r;
@@ -206,7 +206,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_openpgpkey(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_openpgpkey);
@@ -218,7 +218,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_openpgpkey(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
@@ -229,7 +229,7 @@
 return (true); }
-static inline int
+static int
 casecompare_openpgpkey(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/opt_41.c bind9-9.16.33/lib/dns/rdata/generic/opt_41.c
--- bind9-9.16.27/lib/dns/rdata/generic/opt_41.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/opt_41.c 2022-09-08 13:01:23.000000000 +0000
@@ -22,7 +22,7 @@
 #include
-static inline isc_result_t
+static isc_result_t
 fromtext_opt(ARGS_FROMTEXT) { /* * OPT records do not have a text format.
@@ -41,7 +41,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline isc_result_t
+static isc_result_t
 totext_opt(ARGS_TOTEXT) { isc_region_t r; isc_region_t or ;
@@ -91,7 +91,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_opt(ARGS_FROMWIRE) { isc_region_t sregion; isc_region_t tregion;
@@ -233,7 +233,7 @@
 isc_region_consume(&sregion, length); break; case DNS_OPT_CLIENT_TAG:
- /* FALLTHROUGH */
+ FALLTHROUGH;
 case DNS_OPT_SERVER_TAG: if (length != 2) { return (DNS_R_OPTERR);
@@ -259,7 +259,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 towire_opt(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_opt);
@@ -268,7 +268,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length)); }
-static inline int
+static int
 compare_opt(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -282,7 +282,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_opt(ARGS_FROMSTRUCT) { dns_rdata_opt_t *opt = source; isc_region_t region;
@@ -315,7 +315,7 @@
 return (mem_tobuffer(target, opt->options, opt->length)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_opt(ARGS_TOSTRUCT) { dns_rdata_opt_t *opt = target; isc_region_t r;
@@ -339,7 +339,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_opt(ARGS_FREESTRUCT) { dns_rdata_opt_t *opt = source;
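Review bot: In the opt_41.c hunk at old line 233, `FALLTHROUGH;` is placed directly after `case DNS_OPT_CLIENT_TAG:`, which has no statements of its own, so the marker sits between two adjacent case labels where compilers do not ask for a fallthrough annotation; stacking the labels (`case DNS_OPT_CLIENT_TAG:` immediately followed by `case DNS_OPT_SERVER_TAG:`) reads more plainly. What a reader of this wire-format parser needs to know is that both option codes are held to the same `length != 2` rejection with `DNS_R_OPTERR`, which a short comment such as `/* CLIENT-TAG and SERVER-TAG are both exactly two octets */` would state. The hunk appears to lie inside fromwire_opt, whose body starts and ends outside the hunk.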
@@ -356,7 +356,7 @@
 opt->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_opt(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_opt);
@@ -367,7 +367,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_opt(ARGS_DIGEST) { /* * OPT records are not digested.
@@ -382,7 +382,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline bool
+static bool
 checkowner_opt(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_opt);
@@ -393,7 +393,7 @@
 return (dns_name_equal(name, dns_rootname)); }
-static inline bool
+static bool
 checknames_opt(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_opt);
@@ -404,7 +404,7 @@
 return (true); }
-static inline int
+static int
 casecompare_opt(ARGS_COMPARE) { return (compare_opt(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/proforma.c bind9-9.16.33/lib/dns/rdata/generic/proforma.c
--- bind9-9.16.27/lib/dns/rdata/generic/proforma.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/proforma.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_ #_ATTRIBUTES(0)
-static inline isc_result_t fromtext_ #(ARGS_FROMTEXT) {
+static isc_result_t fromtext_ #(ARGS_FROMTEXT) {
 isc_token_t token; REQUIRE(type == dns_rdatatype_proforma.c #);
@@ -28,7 +28,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline isc_result_t totext_ #(ARGS_TOTEXT) {
+static isc_result_t totext_ #(ARGS_TOTEXT) {
 REQUIRE(rdata->type == dns_rdatatype_proforma.c #); REQUIRE(rdata->rdclass == #); REQUIRE(rdata->length != 0); /* XXX */
@@ -36,7 +36,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline isc_result_t fromwire_ #(ARGS_FROMWIRE) {
+static isc_result_t fromwire_ #(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_proforma.c #); REQUIRE(rdclass == #);
@@ -46,7 +46,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline isc_result_t towire_ #(ARGS_TOWIRE) {
+static isc_result_t towire_ #(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_proforma.c #); REQUIRE(rdata->rdclass == #); REQUIRE(rdata->length != 0); /* XXX */
@@ -57,7 +57,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline int compare_ #(ARGS_COMPARE) {
+static int compare_ #(ARGS_COMPARE) {
 isc_region_t r1; isc_region_t r2;
@@ -73,7 +73,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t fromstruct_ #(ARGS_FROMSTRUCT) {
+static isc_result_t fromstruct_ #(ARGS_FROMSTRUCT) {
 dns_rdata_ #_t *# = source; REQUIRE(type == dns_rdatatype_proforma.c #);
@@ -85,7 +85,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline isc_result_t tostruct_ #(ARGS_TOSTRUCT) {
+static isc_result_t tostruct_ #(ARGS_TOSTRUCT) {
 REQUIRE(rdata->type == dns_rdatatype_proforma.c #); REQUIRE(rdata->rdclass == #); REQUIRE(rdata->length != 0); /* XXX */
@@ -93,7 +93,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline void freestruct_ #(ARGS_FREESTRUCT) {
+static void freestruct_ #(ARGS_FREESTRUCT) {
 dns_rdata_ #_t *# = source; REQUIRE(# != NULL);
@@ -101,7 +101,7 @@
 REQUIRE(#->common.rdclass == #); }
-static inline isc_result_t additionaldata_ #(ARGS_ADDLDATA) {
+static isc_result_t additionaldata_ #(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_proforma.c #); REQUIRE(rdata->rdclass == #);
@@ -111,7 +111,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t digest_ #(ARGS_DIGEST) {
+static isc_result_t digest_ #(ARGS_DIGEST) {
 isc_region_t r; REQUIRE(rdata->type == dns_rdatatype_proforma.c #);
@@ -122,7 +122,7 @@
 return ((digest)(arg, &r)); }
-static inline bool checkowner_ #(ARGS_CHECKOWNER) {
+static bool checkowner_ #(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_proforma.c #); REQUIRE(rdclass == #);
@@ -134,7 +134,7 @@
 return (true); }
-static inline bool checknames_ #(ARGS_CHECKNAMES) {
+static bool checknames_ #(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_proforma.c #); REQUIRE(rdata->rdclass == #);
@@ -145,7 +145,7 @@
 return (true); }
-static inline int casecompare_ #(ARGS_COMPARE) {
+static int casecompare_ #(ARGS_COMPARE) {
 isc_region_t r1; isc_region_t r2;
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ptr_12.c bind9-9.16.33/lib/dns/rdata/generic/ptr_12.c
--- bind9-9.16.27/lib/dns/rdata/generic/ptr_12.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/ptr_12.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_PTR_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_ptr(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -53,7 +53,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_ptr(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -74,7 +74,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_ptr(ARGS_FROMWIRE) { dns_name_t name;
@@ -89,7 +89,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_ptr(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -107,7 +107,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_ptr(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -132,7 +132,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_ptr(ARGS_FROMSTRUCT) { dns_rdata_ptr_t *ptr = source; isc_region_t region;
@@ -149,7 +149,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_ptr(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_ptr_t *ptr = target;
@@ -172,7 +172,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_ptr(ARGS_FREESTRUCT) { dns_rdata_ptr_t *ptr = source;
@@ -187,7 +187,7 @@
 ptr->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_ptr(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_ptr);
@@ -198,7 +198,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_ptr(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -212,7 +212,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_ptr(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_ptr);
@@ -239,7 +239,7 @@
 static const dns_name_t in_addr_arpa = DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
-static inline bool
+static bool
 checknames_ptr(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -271,7 +271,7 @@
 return (true); }
-static inline int
+static int
 casecompare_ptr(ARGS_COMPARE) { return (compare_ptr(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/rkey_57.c bind9-9.16.33/lib/dns/rdata/generic/rkey_57.c
--- bind9-9.16.27/lib/dns/rdata/generic/rkey_57.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/rkey_57.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,14 +16,14 @@
 #define RRTYPE_RKEY_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_rkey(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_rkey); return (generic_fromtext_key(CALL_FROMTEXT)); }
-static inline isc_result_t
+static isc_result_t
 totext_rkey(ARGS_TOTEXT) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_rkey);
@@ -31,14 +31,14 @@
 return (generic_totext_key(CALL_TOTEXT)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_rkey(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_rkey); return (generic_fromwire_key(CALL_FROMWIRE)); }
-static inline isc_result_t
+static isc_result_t
 towire_rkey(ARGS_TOWIRE) { isc_region_t sr;
@@ -52,7 +52,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_rkey(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -70,14 +70,14 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_rkey(ARGS_FROMSTRUCT) { REQUIRE(type == dns_rdatatype_rkey); return (generic_fromstruct_key(CALL_FROMSTRUCT)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_rkey(ARGS_TOSTRUCT) { dns_rdata_rkey_t *rkey = target;
@@ -92,7 +92,7 @@
 return (generic_tostruct_key(CALL_TOSTRUCT)); }
-static inline void
+static void
 freestruct_rkey(ARGS_FREESTRUCT) { dns_rdata_rkey_t *rkey = (dns_rdata_rkey_t *)source;
@@ -102,7 +102,7 @@
 generic_freestruct_key(source); }
-static inline isc_result_t
+static isc_result_t
 additionaldata_rkey(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_rkey);
@@ -113,7 +113,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_rkey(ARGS_DIGEST) { isc_region_t r;
@@ -125,7 +125,7 @@
 return ((digest)(arg, &r)); }
-static inline bool
+static bool
 checkowner_rkey(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_rkey);
@@ -137,7 +137,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_rkey(ARGS_CHECKNAMES) { REQUIRE(rdata != NULL); REQUIRE(rdata->type == dns_rdatatype_rkey);
@@ -149,7 +149,7 @@
 return (true); }
-static inline int
+static int
 casecompare_rkey(ARGS_COMPARE) { /* * Treat ALG 253 (private DNS) subtype name case sensitively.
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/rp_17.c bind9-9.16.33/lib/dns/rdata/generic/rp_17.c
--- bind9-9.16.27/lib/dns/rdata/generic/rp_17.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/rp_17.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_RP_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_rp(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -57,7 +57,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_rp(ARGS_TOTEXT) { isc_region_t region; dns_name_t rmail;
@@ -89,7 +89,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_rp(ARGS_FROMWIRE) { dns_name_t rmail; dns_name_t email;
@@ -108,7 +108,7 @@
 return (dns_name_fromwire(&email, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_rp(ARGS_TOWIRE) { isc_region_t region; dns_name_t rmail;
@@ -136,7 +136,7 @@
 return (dns_name_towire(&rmail, cctx, target)); }
-static inline int
+static int
 compare_rp(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2;
@@ -176,7 +176,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_rp(ARGS_FROMSTRUCT) { dns_rdata_rp_t *rp = source; isc_region_t region;
@@ -195,7 +195,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_rp(ARGS_TOSTRUCT) { isc_result_t result; isc_region_t region;
@@ -233,7 +233,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_rp(ARGS_FREESTRUCT) { dns_rdata_rp_t *rp = source;
@@ -249,7 +249,7 @@
 rp->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_rp(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_rp);
@@ -260,7 +260,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_rp(ARGS_DIGEST) { isc_region_t r; dns_name_t name;
@@ -280,7 +280,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_rp(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_rp);
@@ -292,7 +292,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_rp(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -313,7 +313,7 @@
 return (true); }
-static inline int
+static int
 casecompare_rp(ARGS_COMPARE) { return (compare_rp(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/rrsig_46.c bind9-9.16.33/lib/dns/rdata/generic/rrsig_46.c
--- bind9-9.16.27/lib/dns/rdata/generic/rrsig_46.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/rrsig_46.c 2022-09-08 13:01:23.000000000 +0000
@@ -20,7 +20,7 @@
 (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \ DNS_RDATATYPEATTR_ATCNAME)
-static inline isc_result_t
+static isc_result_t
 fromtext_rrsig(ARGS_FROMTEXT) { isc_token_t token; unsigned char c;
@@ -157,7 +157,7 @@
 return (isc_base64_tobuffer(lexer, target, -2)); }
-static inline isc_result_t
+static isc_result_t
 totext_rrsig(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("4294967295")]; /* Also TYPE65000. */
@@ -274,7 +274,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_rrsig(ARGS_FROMWIRE) { isc_region_t sr; dns_name_t name;
@@ -320,7 +320,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline isc_result_t
+static isc_result_t
 towire_rrsig(ARGS_TOWIRE) { isc_region_t sr; dns_name_t name;
@@ -357,7 +357,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_rrsig(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -373,7 +373,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_rrsig(ARGS_FROMSTRUCT) { dns_rdata_rrsig_t *sig = source;
@@ -432,7 +432,7 @@
 return (mem_tobuffer(target, sig->signature, sig->siglen)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_rrsig(ARGS_TOSTRUCT) { isc_region_t sr; dns_rdata_rrsig_t *sig = target;
@@ -515,7 +515,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_rrsig(ARGS_FREESTRUCT) { dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *)source;
@@ -533,7 +533,7 @@
 sig->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_rrsig(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_rrsig);
@@ -544,7 +544,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_rrsig(ARGS_DIGEST) { REQUIRE(rdata->type == dns_rdatatype_rrsig);
@@ -555,7 +555,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline dns_rdatatype_t
+static dns_rdatatype_t
 covers_rrsig(dns_rdata_t *rdata) { dns_rdatatype_t type; isc_region_t r;
@@ -568,7 +568,7 @@
 return (type); }
-static inline bool
+static bool
 checkowner_rrsig(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_rrsig);
@@ -580,7 +580,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_rrsig(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_rrsig);
@@ -591,7 +591,7 @@
 return (true); }
-static inline int
+static int
 casecompare_rrsig(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/rt_21.c bind9-9.16.33/lib/dns/rdata/generic/rt_21.c
--- bind9-9.16.27/lib/dns/rdata/generic/rt_21.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/rt_21.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_RT_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_rt(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name;
@@ -60,7 +60,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 totext_rt(ARGS_TOTEXT) { isc_region_t region; dns_name_t name;
@@ -86,7 +86,7 @@
 return (dns_name_totext(&prefix, sub, target)); }
-static inline isc_result_t
+static isc_result_t
 fromwire_rt(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sregion;
@@ -115,7 +115,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target)); }
-static inline isc_result_t
+static isc_result_t
 towire_rt(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets;
@@ -141,7 +141,7 @@
 return (dns_name_towire(&name, cctx, target)); }
-static inline int
+static int
 compare_rt(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2;
@@ -175,7 +175,7 @@
 return (dns_name_rdatacompare(&name1, &name2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_rt(ARGS_FROMSTRUCT) { dns_rdata_rt_t *rt = source; isc_region_t region;
@@ -193,7 +193,7 @@
 return (isc_buffer_copyregion(target, ®ion)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_rt(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_rt_t *rt = target;
@@ -219,7 +219,7 @@
 return (ISC_R_SUCCESS); }
-static inline void
+static void
 freestruct_rt(ARGS_FREESTRUCT) { dns_rdata_rt_t *rt = source;
@@ -234,7 +234,7 @@
 rt->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_rt(ARGS_ADDLDATA) { dns_name_t name; dns_offsets_t offsets;
@@ -259,7 +259,7 @@
 return ((add)(arg, &name, dns_rdatatype_a)); }
-static inline isc_result_t
+static isc_result_t
 digest_rt(ARGS_DIGEST) { isc_region_t r1, r2; isc_result_t result;
@@ -280,7 +280,7 @@
 return (dns_name_digest(&name, digest, arg)); }
-static inline bool
+static bool
 checkowner_rt(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_rt);
@@ -292,7 +292,7 @@
 return (true); }
-static inline bool
+static bool
 checknames_rt(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name;
@@ -314,7 +314,7 @@
 return (true); }
-static inline int
+static int
 casecompare_rt(ARGS_COMPARE) { return (compare_rt(rdata1, rdata2)); }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/sig_24.c bind9-9.16.33/lib/dns/rdata/generic/sig_24.c
--- bind9-9.16.27/lib/dns/rdata/generic/sig_24.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/sig_24.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_SIG_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_sig(ARGS_FROMTEXT) { isc_token_t token; unsigned char c;
@@ -121,7 +121,7 @@
 return (isc_base64_tobuffer(lexer, target, -2)); }
-static inline isc_result_t
+static isc_result_t
 totext_sig(ARGS_TOTEXT) { isc_region_t sr; char buf[sizeof("4294967295")];
@@ -237,7 +237,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 fromwire_sig(ARGS_FROMWIRE) { isc_region_t sr; dns_name_t name;
@@ -283,7 +283,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline isc_result_t
+static isc_result_t
 towire_sig(ARGS_TOWIRE) { isc_region_t sr; dns_name_t name;
@@ -320,7 +320,7 @@
 return (mem_tobuffer(target, sr.base, sr.length)); }
-static inline int
+static int
 compare_sig(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2;
@@ -365,7 +365,7 @@
 return (isc_region_compare(&r1, &r2)); }
-static inline isc_result_t
+static isc_result_t
 fromstruct_sig(ARGS_FROMSTRUCT) { dns_rdata_sig_t *sig = source;
@@ -424,7 +424,7 @@
 return (mem_tobuffer(target, sig->signature, sig->siglen)); }
-static inline isc_result_t
+static isc_result_t
 tostruct_sig(ARGS_TOSTRUCT) { isc_region_t sr; dns_rdata_sig_t *sig = target;
@@ -507,7 +507,7 @@
 return (ISC_R_NOMEMORY); }
-static inline void
+static void
 freestruct_sig(ARGS_FREESTRUCT) { dns_rdata_sig_t *sig = (dns_rdata_sig_t *)source;
@@ -525,7 +525,7 @@
 sig->mctx = NULL; }
-static inline isc_result_t
+static isc_result_t
 additionaldata_sig(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_sig);
@@ -536,7 +536,7 @@
 return (ISC_R_SUCCESS); }
-static inline isc_result_t
+static isc_result_t
 digest_sig(ARGS_DIGEST) { REQUIRE(rdata->type == dns_rdatatype_sig);
@@ -547,7 +547,7 @@
 return (ISC_R_NOTIMPLEMENTED); }
-static inline dns_rdatatype_t
+static dns_rdatatype_t
 covers_sig(dns_rdata_t *rdata) { dns_rdatatype_t type; isc_region_t r;
@@ -560,7 +560,7 @@
 return (type); }
-static inline bool
+static bool
 checkowner_sig(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_sig);
@@ -572,7 +572,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_sig(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_sig);
@@ -583,7 +583,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_sig(ARGS_COMPARE) {
 return (compare_sig(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/sink_40.c bind9-9.16.33/lib/dns/rdata/generic/sink_40.c
--- bind9-9.16.27/lib/dns/rdata/generic/sink_40.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/sink_40.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_SINK_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_sink(ARGS_FROMTEXT) {
 isc_token_t token;
@@ -57,7 +57,7 @@
 return (isc_base64_tobuffer(lexer, target, -1));
 }
-static inline isc_result_t
+static isc_result_t
 totext_sink(ARGS_TOTEXT) {
 isc_region_t sr;
 char buf[sizeof("255 255 255")];
@@ -103,7 +103,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_sink(ARGS_FROMWIRE) {
 isc_region_t sr;
@@ -124,7 +124,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_sink(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_sink);
 REQUIRE(rdata->length >= 3);
@@ -134,7 +134,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_sink(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -150,7 +150,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_sink(ARGS_FROMSTRUCT) {
 dns_rdata_sink_t *sink = source;
@@ -175,7 +175,7 @@
 return (mem_tobuffer(target, sink->data, sink->datalen));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_sink(ARGS_TOSTRUCT) {
 dns_rdata_sink_t *sink = target;
 isc_region_t sr;
@@ -222,7 +222,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_sink(ARGS_FREESTRUCT) {
 dns_rdata_sink_t *sink = (dns_rdata_sink_t *)source;
@@ -239,7 +239,7 @@
 sink->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_sink(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_sink);
@@ -250,7 +250,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_sink(ARGS_DIGEST) {
 isc_region_t r;
@@ -261,7 +261,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_sink(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_sink);
@@ -273,7 +273,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_sink(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_sink);
@@ -284,7 +284,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_sink(ARGS_COMPARE) {
 return (compare_sink(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/smimea_53.c bind9-9.16.33/lib/dns/rdata/generic/smimea_53.c
--- bind9-9.16.27/lib/dns/rdata/generic/smimea_53.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/smimea_53.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,14 +16,14 @@
 #define RRTYPE_SMIMEA_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_smimea(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_smimea);
 return (generic_fromtext_tlsa(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_smimea(ARGS_TOTEXT) {
 REQUIRE(rdata != NULL);
 REQUIRE(rdata->type == dns_rdatatype_smimea);
@@ -31,14 +31,14 @@
 return (generic_totext_tlsa(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_smimea(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_smimea);
 return (generic_fromwire_tlsa(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_smimea(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -51,7 +51,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_smimea(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -67,14 +67,14 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_smimea(ARGS_FROMSTRUCT) {
 REQUIRE(type == dns_rdatatype_smimea);
 return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_smimea(ARGS_TOSTRUCT) {
 dns_rdata_smimea_t *smimea = target;
@@ -89,7 +89,7 @@
 return (generic_tostruct_tlsa(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_smimea(ARGS_FREESTRUCT) {
 dns_rdata_smimea_t *smimea = source;
@@ -99,7 +99,7 @@
 generic_freestruct_tlsa(source);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_smimea(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_smimea);
@@ -110,7 +110,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_smimea(ARGS_DIGEST) {
 isc_region_t r;
@@ -121,7 +121,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_smimea(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_smimea);
@@ -133,7 +133,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_smimea(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_smimea);
@@ -144,7 +144,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_smimea(ARGS_COMPARE) {
 return (compare_smimea(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/soa_6.c bind9-9.16.33/lib/dns/rdata/generic/soa_6.c
--- bind9-9.16.27/lib/dns/rdata/generic/soa_6.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/soa_6.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
-static inline isc_result_t
+static isc_result_t
 fromtext_soa(ARGS_FROMTEXT) {
 isc_token_t token;
 dns_name_t name;
@@ -79,7 +79,7 @@ static const char *soa_fieldnames[5] = { "serial", "refresh", "retry", "expire", "minimum" }; -static inline isc_result_t +static isc_result_t totext_soa(ARGS_TOTEXT) { isc_region_t dregion; dns_name_t mname; @@ -153,7 +153,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_soa(ARGS_FROMWIRE) { dns_name_t mname; dns_name_t rname; @@ -190,7 +190,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_soa(ARGS_TOWIRE) { isc_region_t sregion; isc_region_t tregion; @@ -227,7 +227,7 @@ return (ISC_R_SUCCESS); } -static inline int +static int compare_soa(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -275,7 +275,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t fromstruct_soa(ARGS_FROMSTRUCT) { dns_rdata_soa_t *soa = source; isc_region_t region; @@ -299,7 +299,7 @@ return (uint32_tobuffer(soa->minimum, target)); } -static inline isc_result_t +static isc_result_t tostruct_soa(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_soa_t *soa = target; @@ -354,7 +354,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_soa(ARGS_FREESTRUCT) { dns_rdata_soa_t *soa = source; @@ -370,7 +370,7 @@ soa->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_soa(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -381,7 +381,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_soa(ARGS_DIGEST) { isc_region_t r; dns_name_t name; @@ -403,7 +403,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_soa(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_soa); @@ -415,7 +415,7 @@ return (true); } -static inline bool +static bool checknames_soa(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name; 
@@ -444,7 +444,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_soa(ARGS_COMPARE) {
 return (compare_soa(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/spf_99.c bind9-9.16.33/lib/dns/rdata/generic/spf_99.c
--- bind9-9.16.27/lib/dns/rdata/generic/spf_99.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/spf_99.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,14 +16,14 @@
 #define RRTYPE_SPF_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_spf(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_spf);
 return (generic_fromtext_txt(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_spf(ARGS_TOTEXT) {
 REQUIRE(rdata != NULL);
 REQUIRE(rdata->type == dns_rdatatype_spf);
@@ -31,14 +31,14 @@
 return (generic_totext_txt(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_spf(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_spf);
 return (generic_fromwire_txt(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_spf(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_spf);
@@ -47,7 +47,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_spf(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -61,14 +61,14 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_spf(ARGS_FROMSTRUCT) {
 REQUIRE(type == dns_rdatatype_spf);
 return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_spf(ARGS_TOSTRUCT) {
 dns_rdata_spf_t *spf = target;
@@ -83,7 +83,7 @@
 return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_spf(ARGS_FREESTRUCT) {
 dns_rdata_spf_t *spf = source;
@@ -93,7 +93,7 @@
 generic_freestruct_txt(source);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_spf(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_spf);
@@ -104,7 +104,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_spf(ARGS_DIGEST) {
 isc_region_t r;
@@ -115,7 +115,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_spf(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_spf);
@@ -127,7 +127,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_spf(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_spf);
@@ -138,7 +138,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_spf(ARGS_COMPARE) {
 return (compare_spf(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/sshfp_44.c bind9-9.16.33/lib/dns/rdata/generic/sshfp_44.c
--- bind9-9.16.27/lib/dns/rdata/generic/sshfp_44.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/sshfp_44.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_SSHFP_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_sshfp(ARGS_FROMTEXT) {
 isc_token_t token;
 int len = -1;
@@ -71,7 +71,7 @@
 return (isc_hex_tobuffer(lexer, target, len));
 }
-static inline isc_result_t
+static isc_result_t
 totext_sshfp(ARGS_TOTEXT) {
 isc_region_t sr;
 char buf[sizeof("64000 ")];
@@ -123,7 +123,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_sshfp(ARGS_FROMWIRE) {
 isc_region_t sr;
@@ -149,7 +149,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline isc_result_t
+static isc_result_t
 towire_sshfp(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -162,7 +162,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_sshfp(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -178,7 +178,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_sshfp(ARGS_FROMSTRUCT) {
 dns_rdata_sshfp_t *sshfp = source;
@@ -196,7 +196,7 @@
 return (mem_tobuffer(target, sshfp->digest, sshfp->length));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_sshfp(ARGS_TOSTRUCT) {
 dns_rdata_sshfp_t *sshfp = target;
 isc_region_t region;
@@ -226,7 +226,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_sshfp(ARGS_FREESTRUCT) {
 dns_rdata_sshfp_t *sshfp = source;
@@ -243,7 +243,7 @@
 sshfp->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_sshfp(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_sshfp);
@@ -254,7 +254,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_sshfp(ARGS_DIGEST) {
 isc_region_t r;
@@ -265,7 +265,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_sshfp(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_sshfp);
@@ -277,7 +277,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_sshfp(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_sshfp);
@@ -288,7 +288,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_sshfp(ARGS_COMPARE) {
 return (compare_sshfp(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/ta_32768.c bind9-9.16.33/lib/dns/rdata/generic/ta_32768.c
--- bind9-9.16.27/lib/dns/rdata/generic/ta_32768.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/ta_32768.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,28 +18,28 @@
 #define RRTYPE_TA_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_ta(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_ta);
 return (generic_fromtext_ds(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_ta(ARGS_TOTEXT) {
 REQUIRE(rdata->type == dns_rdatatype_ta);
 return (generic_totext_ds(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_ta(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_ta);
 return (generic_fromwire_ds(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_ta(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -52,7 +52,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_ta(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -68,14 +68,14 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_ta(ARGS_FROMSTRUCT) {
 REQUIRE(type == dns_rdatatype_ta);
 return (generic_fromstruct_ds(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_ta(ARGS_TOSTRUCT) {
 dns_rdata_ds_t *ds = target;
@@ -92,7 +92,7 @@
 return (generic_tostruct_ds(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_ta(ARGS_FREESTRUCT) {
 dns_rdata_ta_t *ds = source;
@@ -109,7 +109,7 @@
 ds->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_ta(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_ta);
@@ -120,7 +120,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_ta(ARGS_DIGEST) {
 isc_region_t r;
@@ -131,7 +131,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_ta(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_ta);
@@ -143,7 +143,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_ta(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_ta);
@@ -154,7 +154,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_ta(ARGS_COMPARE) {
 return (compare_ta(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/talink_58.c bind9-9.16.33/lib/dns/rdata/generic/talink_58.c
--- bind9-9.16.27/lib/dns/rdata/generic/talink_58.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/talink_58.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_TALINK_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_talink(ARGS_FROMTEXT) {
 isc_token_t token;
 dns_name_t name;
@@ -46,7 +46,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_talink(ARGS_TOTEXT) {
 isc_region_t dregion;
 dns_name_t prev;
@@ -78,7 +78,7 @@
 return (dns_name_totext(&prefix, sub, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_talink(ARGS_FROMWIRE) {
 dns_name_t prev;
 dns_name_t next;
@@ -97,7 +97,7 @@
 return (dns_name_fromwire(&next, source, dctx, options, target));
 }
-static inline isc_result_t
+static isc_result_t
 towire_talink(ARGS_TOWIRE) {
 isc_region_t sregion;
 dns_name_t prev;
@@ -124,7 +124,7 @@
 return (dns_name_towire(&next, cctx, target));
 }
-static inline int
+static int
 compare_talink(ARGS_COMPARE) {
 isc_region_t region1;
 isc_region_t region2;
@@ -140,7 +140,7 @@
 return (isc_region_compare(®ion1, ®ion2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_talink(ARGS_FROMSTRUCT) {
 dns_rdata_talink_t *talink = source;
 isc_region_t region;
@@ -159,7 +159,7 @@
 return (isc_buffer_copyregion(target, ®ion));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_talink(ARGS_TOSTRUCT) {
 isc_region_t region;
 dns_rdata_talink_t *talink = target;
@@ -200,7 +200,7 @@
 return (ISC_R_NOMEMORY);
 }
-static inline void
+static void
 freestruct_talink(ARGS_FREESTRUCT) {
 dns_rdata_talink_t *talink = source;
@@ -216,7 +216,7 @@
 talink->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_talink(ARGS_ADDLDATA) {
 UNUSED(rdata);
 UNUSED(add);
@@ -227,7 +227,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_talink(ARGS_DIGEST) {
 isc_region_t r;
@@ -237,7 +237,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_talink(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_talink);
@@ -249,7 +249,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_talink(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_talink);
@@ -259,7 +259,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_talink(ARGS_COMPARE) {
 return (compare_talink(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/tkey_249.c bind9-9.16.33/lib/dns/rdata/generic/tkey_249.c
--- bind9-9.16.27/lib/dns/rdata/generic/tkey_249.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/tkey_249.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
-static inline isc_result_t
+static isc_result_t
 fromtext_tkey(ARGS_FROMTEXT) {
 isc_token_t token;
 dns_rcode_t rcode;
@@ -118,7 +118,7 @@
 return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
 }
-static inline isc_result_t
+static isc_result_t
 totext_tkey(ARGS_TOTEXT) {
 isc_region_t sr, dr;
 char buf[sizeof("4294967295 ")];
@@ -242,7 +242,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_tkey(ARGS_FROMWIRE) {
 isc_region_t sr;
 unsigned long n;
@@ -303,7 +303,7 @@
 return (mem_tobuffer(target, sr.base, n + 2));
 }
-static inline isc_result_t
+static isc_result_t
 towire_tkey(ARGS_TOWIRE) {
 isc_region_t sr;
 dns_name_t name;
@@ -325,7 +325,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_tkey(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -356,7 +356,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_tkey(ARGS_FROMSTRUCT) {
 dns_rdata_tkey_t *tkey = source;
@@ -414,7 +414,7 @@
 return (mem_tobuffer(target, tkey->other, tkey->otherlen));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_tkey(ARGS_TOSTRUCT) {
 dns_rdata_tkey_t *tkey = target;
 dns_name_t alg;
@@ -507,7 +507,7 @@
 return (ISC_R_NOMEMORY);
 }
-static inline void
+static void
 freestruct_tkey(ARGS_FREESTRUCT) {
 dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *)source;
@@ -527,7 +527,7 @@
 tkey->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_tkey(ARGS_ADDLDATA) {
 UNUSED(rdata);
 UNUSED(add);
@@ -538,7 +538,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_tkey(ARGS_DIGEST) {
 UNUSED(rdata);
 UNUSED(digest);
@@ -549,7 +549,7 @@
 return (ISC_R_NOTIMPLEMENTED);
 }
-static inline bool
+static bool
 checkowner_tkey(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_tkey);
@@ -561,7 +561,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_tkey(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_tkey);
@@ -572,7 +572,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_tkey(ARGS_COMPARE) {
 return (compare_tkey(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/tlsa_52.c bind9-9.16.33/lib/dns/rdata/generic/tlsa_52.c
--- bind9-9.16.27/lib/dns/rdata/generic/tlsa_52.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/tlsa_52.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_TLSA_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 generic_fromtext_tlsa(ARGS_FROMTEXT) {
 isc_token_t token;
@@ -64,7 +64,7 @@
 return (isc_hex_tobuffer(lexer, target, -2));
 }
-static inline isc_result_t
+static isc_result_t
 generic_totext_tlsa(ARGS_TOTEXT) {
 isc_region_t sr;
 char buf[sizeof("64000 ")];
@@ -119,7 +119,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 generic_fromwire_tlsa(ARGS_FROMWIRE) {
 isc_region_t sr;
@@ -139,28 +139,28 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline isc_result_t
+static isc_result_t
 fromtext_tlsa(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_tlsa);
 return (generic_fromtext_tlsa(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_tlsa(ARGS_TOTEXT) {
 REQUIRE(rdata->type == dns_rdatatype_tlsa);
 return (generic_totext_tlsa(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_tlsa(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_tlsa);
 return (generic_fromwire_tlsa(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_tlsa(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -173,7 +173,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_tlsa(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -189,7 +189,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 generic_fromstruct_tlsa(ARGS_FROMSTRUCT) {
 dns_rdata_tlsa_t *tlsa = source;
@@ -207,7 +207,7 @@
 return (mem_tobuffer(target, tlsa->data, tlsa->length));
 }
-static inline isc_result_t
+static isc_result_t
 generic_tostruct_tlsa(ARGS_TOSTRUCT) {
 dns_rdata_tlsa_t *tlsa = target;
 isc_region_t region;
@@ -239,7 +239,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 generic_freestruct_tlsa(ARGS_FREESTRUCT) {
 dns_rdata_tlsa_t *tlsa = source;
@@ -255,14 +255,14 @@
 tlsa->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_tlsa(ARGS_FROMSTRUCT) {
 REQUIRE(type == dns_rdatatype_tlsa);
 return (generic_fromstruct_tlsa(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_tlsa(ARGS_TOSTRUCT) {
 dns_rdata_tlsa_t *tlsa = target;
@@ -276,7 +276,7 @@
 return (generic_tostruct_tlsa(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_tlsa(ARGS_FREESTRUCT) {
 dns_rdata_tlsa_t *tlsa = source;
@@ -286,7 +286,7 @@
 generic_freestruct_tlsa(source);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_tlsa(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_tlsa);
@@ -297,7 +297,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_tlsa(ARGS_DIGEST) {
 isc_region_t r;
@@ -308,7 +308,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_tlsa(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_tlsa);
@@ -320,7 +320,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_tlsa(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_tlsa);
@@ -331,7 +331,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_tlsa(ARGS_COMPARE) {
 return (compare_tlsa(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/txt_16.c bind9-9.16.33/lib/dns/rdata/generic/txt_16.c
--- bind9-9.16.27/lib/dns/rdata/generic/txt_16.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/txt_16.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_TXT_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 generic_fromtext_txt(ARGS_FROMTEXT) {
 isc_token_t token;
 int strings;
@@ -50,7 +50,7 @@
 return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 generic_totext_txt(ARGS_TOTEXT) {
 isc_region_t region;
@@ -68,7 +68,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 generic_fromwire_txt(ARGS_FROMWIRE) {
 isc_result_t result;
@@ -86,14 +86,14 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromtext_txt(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_txt);
 return (generic_fromtext_txt(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_txt(ARGS_TOTEXT) {
 REQUIRE(rdata != NULL);
 REQUIRE(rdata->type == dns_rdatatype_txt);
@@ -101,14 +101,14 @@
 return (generic_totext_txt(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_txt(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_txt);
 return (generic_fromwire_txt(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_txt(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_txt);
@@ -117,7 +117,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_txt(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -131,7 +131,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 generic_fromstruct_txt(ARGS_FROMSTRUCT) {
 dns_rdata_txt_t *txt = source;
 isc_region_t region;
@@ -159,7 +159,7 @@
 return (mem_tobuffer(target, txt->txt, txt->txt_len));
 }
-static inline isc_result_t
+static isc_result_t
 generic_tostruct_txt(ARGS_TOSTRUCT) {
 dns_rdata_txt_t *txt = target;
 isc_region_t r;
@@ -181,7 +181,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 generic_freestruct_txt(ARGS_FREESTRUCT) {
 dns_rdata_txt_t *txt = source;
@@ -197,14 +197,14 @@
 txt->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_txt(ARGS_FROMSTRUCT) {
 REQUIRE(type == dns_rdatatype_txt);
 return (generic_fromstruct_txt(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_txt(ARGS_TOSTRUCT) {
 dns_rdata_txt_t *txt = target;
@@ -218,7 +218,7 @@
 return (generic_tostruct_txt(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_txt(ARGS_FREESTRUCT) {
 dns_rdata_txt_t *txt = source;
@@ -228,7 +228,7 @@
 generic_freestruct_txt(source);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_txt(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_txt);
@@ -239,7 +239,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_txt(ARGS_DIGEST) {
 isc_region_t r;
@@ -250,7 +250,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_txt(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_txt);
@@ -262,7 +262,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_txt(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_txt);
@@ -273,7 +273,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_txt(ARGS_COMPARE) {
 return (compare_txt(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/uri_256.c bind9-9.16.33/lib/dns/rdata/generic/uri_256.c
--- bind9-9.16.27/lib/dns/rdata/generic/uri_256.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/uri_256.c 2022-09-08 13:01:23.000000000 +0000
@@ -16,7 +16,7 @@
 #define RRTYPE_URI_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_uri(ARGS_FROMTEXT) {
 isc_token_t token;
@@ -60,7 +60,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_uri(ARGS_TOTEXT) {
 isc_region_t region;
 unsigned short priority, weight;
@@ -96,7 +96,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_uri(ARGS_FROMWIRE) {
 isc_region_t region;
@@ -122,7 +122,7 @@
 return (mem_tobuffer(target, region.base, region.length));
 }
-static inline isc_result_t
+static isc_result_t
 towire_uri(ARGS_TOWIRE) {
 isc_region_t region;
@@ -135,7 +135,7 @@
 return (mem_tobuffer(target, region.base, region.length));
 }
-static inline int
+static int
 compare_uri(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -173,7 +173,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_uri(ARGS_FROMSTRUCT) {
 dns_rdata_uri_t *uri = source;
@@ -202,7 +202,7 @@
 return (mem_tobuffer(target, uri->target, uri->tgt_len));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_uri(ARGS_TOSTRUCT) {
 dns_rdata_uri_t *uri = target;
 isc_region_t sr;
@@ -248,7 +248,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_uri(ARGS_FREESTRUCT) {
 dns_rdata_uri_t *uri = (dns_rdata_uri_t *)source;
@@ -265,7 +265,7 @@
 uri->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_uri(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_uri);
@@ -276,7 +276,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_uri(ARGS_DIGEST) {
 isc_region_t r;
@@ -287,7 +287,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_uri(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_uri);
@@ -299,7 +299,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_uri(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_uri);
@@ -310,7 +310,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_uri(ARGS_COMPARE) {
 return (compare_uri(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/x25_19.c bind9-9.16.33/lib/dns/rdata/generic/x25_19.c
--- bind9-9.16.27/lib/dns/rdata/generic/x25_19.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/x25_19.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_X25_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_x25(ARGS_FROMTEXT) {
 isc_token_t token;
 unsigned int i;
@@ -46,7 +46,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_x25(ARGS_TOTEXT) {
 isc_region_t region;
@@ -59,7 +59,7 @@
 return (txt_totext(®ion, true, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_x25(ARGS_FROMWIRE) {
 isc_region_t sr;
 unsigned int i;
@@ -83,7 +83,7 @@
 return (txt_fromwire(source, target));
 }
-static inline isc_result_t
+static isc_result_t
 towire_x25(ARGS_TOWIRE) {
 UNUSED(cctx);
@@ -93,7 +93,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_x25(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -109,7 +109,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_x25(ARGS_FROMSTRUCT) {
 dns_rdata_x25_t *x25 = source;
 uint8_t i;
@@ -137,7 +137,7 @@
 return (mem_tobuffer(target, x25->x25, x25->x25_len));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_x25(ARGS_TOSTRUCT) {
 dns_rdata_x25_t *x25 = target;
 isc_region_t r;
@@ -162,7 +162,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_x25(ARGS_FREESTRUCT) {
 dns_rdata_x25_t *x25 = source;
@@ -179,7 +179,7 @@
 x25->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_x25(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_x25);
@@ -190,7 +190,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_x25(ARGS_DIGEST) {
 isc_region_t r;
@@ -201,7 +201,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_x25(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_x25);
@@ -213,7 +213,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_x25(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_x25);
@@ -224,7 +224,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_x25(ARGS_COMPARE) {
 return (compare_x25(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/generic/zonemd_63.c bind9-9.16.33/lib/dns/rdata/generic/zonemd_63.c
--- bind9-9.16.27/lib/dns/rdata/generic/zonemd_63.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/generic/zonemd_63.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_ZONEMD_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_zonemd(ARGS_FROMTEXT) {
 isc_token_t token;
 int digest_type, length;
@@ -77,7 +77,7 @@
 return (result);
 }
-static inline isc_result_t
+static isc_result_t
 totext_zonemd(ARGS_TOTEXT) {
 isc_region_t sr;
 char buf[sizeof("0123456789")];
@@ -140,7 +140,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_zonemd(ARGS_FROMWIRE) {
 isc_region_t sr;
 size_t digestlen = 0;
@@ -192,7 +192,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline isc_result_t
+static isc_result_t
 towire_zonemd(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -205,7 +205,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_zonemd(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -221,7 +221,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_zonemd(ARGS_FROMSTRUCT) {
 dns_rdata_zonemd_t *zonemd = source;
@@ -248,7 +248,7 @@
 return (mem_tobuffer(target, zonemd->digest, zonemd->length));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_zonemd(ARGS_TOSTRUCT) {
 dns_rdata_zonemd_t *zonemd = target;
 isc_region_t region;
@@ -280,7 +280,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_zonemd(ARGS_FREESTRUCT) {
 dns_rdata_zonemd_t *zonemd = source;
@@ -297,7 +297,7 @@
 zonemd->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_zonemd(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_zonemd);
@@ -308,7 +308,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_zonemd(ARGS_DIGEST) {
 isc_region_t r;
@@ -319,7 +319,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_zonemd(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_zonemd);
@@ -331,7 +331,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_zonemd(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_zonemd);
@@ -342,7 +342,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_zonemd(ARGS_COMPARE) {
 return (compare_zonemd(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/hs_4/a_1.c bind9-9.16.33/lib/dns/rdata/hs_4/a_1.c
--- bind9-9.16.27/lib/dns/rdata/hs_4/a_1.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/hs_4/a_1.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_A_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_hs_a(ARGS_FROMTEXT) {
 isc_token_t token;
 struct in_addr addr;
@@ -48,7 +48,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_hs_a(ARGS_TOTEXT) {
 isc_region_t region;
@@ -62,7 +62,7 @@
 return (inet_totext(AF_INET, tctx->flags, ®ion, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_hs_a(ARGS_FROMWIRE) {
 isc_region_t sregion;
 isc_region_t tregion;
@@ -90,7 +90,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_hs_a(ARGS_TOWIRE) {
 isc_region_t region;
@@ -109,7 +109,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline int
+static int
 compare_hs_a(ARGS_COMPARE) {
 int order;
@@ -128,7 +128,7 @@
 return (order);
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_hs_a(ARGS_FROMSTRUCT) {
 dns_rdata_hs_a_t *a = source;
 uint32_t n;
@@ -147,7 +147,7 @@
 return (uint32_tobuffer(n, target));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_hs_a(ARGS_TOSTRUCT) {
 dns_rdata_hs_a_t *a = target;
 uint32_t n;
@@ -171,14 +171,14 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_hs_a(ARGS_FREESTRUCT) {
 UNUSED(source);
 REQUIRE(source != NULL);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_hs_a(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_a);
 REQUIRE(rdata->rdclass == dns_rdataclass_hs);
@@ -190,7 +190,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_hs_a(ARGS_DIGEST) {
 isc_region_t r;
@@ -202,7 +202,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_hs_a(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_a);
 REQUIRE(rdclass == dns_rdataclass_hs);
@@ -215,7 +215,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_hs_a(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_a);
 REQUIRE(rdata->rdclass == dns_rdataclass_hs);
@@ -227,7 +227,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_hs_a(ARGS_COMPARE) {
 return (compare_hs_a(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/a6_38.c bind9-9.16.33/lib/dns/rdata/in_1/a6_38.c
--- bind9-9.16.27/lib/dns/rdata/in_1/a6_38.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/a6_38.c 2022-09-08 13:01:23.000000000 +0000
@@ -20,7 +20,7 @@
 #define RRTYPE_A6_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_a6(ARGS_FROMTEXT) {
 isc_token_t token;
 unsigned char addr[16];
@@ -96,7 +96,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_a6(ARGS_TOTEXT) {
 isc_region_t sr, ar;
 unsigned char addr[16];
@@ -144,7 +144,7 @@
 return (dns_name_totext(&prefix, sub, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_a6(ARGS_FROMWIRE) {
 isc_region_t sr;
 unsigned char prefixlen;
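Review bot: In lib/dns/rdata/hs_4/a_1.c (hunk -171,14), freestruct_hs_a marks its parameter with `UNUSED(source);` and then reads it in `REQUIRE(source != NULL);`, so the annotation contradicts the line that follows it. The whole function is visible in the hunk. Unless the UNUSED is there for a build in which REQUIRE expands to nothing, I would drop it; if it is kept for that reason, a short comment such as `/* source is referenced only by REQUIRE() */` would say so.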
@@ -199,7 +199,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_a6(ARGS_TOWIRE) {
 isc_region_t sr;
 dns_name_t name;
@@ -229,7 +229,7 @@
 return (dns_name_towire(&name, cctx, target));
 }
-static inline int
+static int
 compare_in_a6(ARGS_COMPARE) {
 int order;
 unsigned char prefixlen1, prefixlen2;
@@ -286,7 +286,7 @@
 return (dns_name_rdatacompare(&name1, &name2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_a6(ARGS_FROMSTRUCT) {
 dns_rdata_in_a6_t *a6 = source;
 isc_region_t region;
@@ -334,7 +334,7 @@
 return (isc_buffer_copyregion(target, ®ion));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_a6(ARGS_TOSTRUCT) {
 dns_rdata_in_a6_t *a6 = target;
 unsigned char octets;
@@ -379,7 +379,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_a6(ARGS_FREESTRUCT) {
 dns_rdata_in_a6_t *a6 = source;
@@ -397,7 +397,7 @@
 a6->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_a6(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_a6);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -409,7 +409,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_a6(ARGS_DIGEST) {
 isc_region_t r1, r2;
 unsigned char prefixlen, octets;
@@ -439,7 +439,7 @@
 return (dns_name_digest(&name, digest, arg));
 }
-static inline bool
+static bool
 checkowner_in_a6(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_a6);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -450,7 +450,7 @@
 return (dns_name_ishostname(name, wildcard));
 }
-static inline bool
+static bool
 checknames_in_a6(ARGS_CHECKNAMES) {
 isc_region_t region;
 dns_name_t name;
@@ -478,7 +478,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_a6(ARGS_COMPARE) {
 return (compare_in_a6(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/a_1.c bind9-9.16.33/lib/dns/rdata/in_1/a_1.c
--- bind9-9.16.27/lib/dns/rdata/in_1/a_1.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/a_1.c 2022-09-08 13:01:23.000000000 +0000
@@ -20,7 +20,7 @@
 #define RRTYPE_A_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_a(ARGS_FROMTEXT) {
 isc_token_t token;
 struct in_addr addr;
@@ -50,7 +50,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_a(ARGS_TOTEXT) {
 isc_region_t region;
@@ -64,7 +64,7 @@
 return (inet_totext(AF_INET, tctx->flags, ®ion, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_a(ARGS_FROMWIRE) {
 isc_region_t sregion;
 isc_region_t tregion;
@@ -92,7 +92,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_a(ARGS_TOWIRE) {
 isc_region_t region;
@@ -111,7 +111,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline int
+static int
 compare_in_a(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -128,7 +128,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_a(ARGS_FROMSTRUCT) {
 dns_rdata_in_a_t *a = source;
 uint32_t n;
@@ -147,7 +147,7 @@
 return (uint32_tobuffer(n, target));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_a(ARGS_TOSTRUCT) {
 dns_rdata_in_a_t *a = target;
 uint32_t n;
@@ -171,7 +171,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_a(ARGS_FREESTRUCT) {
 dns_rdata_in_a_t *a = source;
@@ -182,7 +182,7 @@
 UNUSED(a);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_a(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_a);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -194,7 +194,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_a(ARGS_DIGEST) {
 isc_region_t r;
@@ -206,7 +206,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_a(ARGS_CHECKOWNER) {
 dns_name_t prefix, suffix;
 unsigned int labels, i;
@@ -257,7 +257,7 @@
 return (dns_name_ishostname(name, wildcard));
 }
-static inline bool
+static bool
 checknames_in_a(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_a);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -269,7 +269,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_a(ARGS_COMPARE) {
 return (compare_in_a(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/aaaa_28.c bind9-9.16.33/lib/dns/rdata/in_1/aaaa_28.c
--- bind9-9.16.27/lib/dns/rdata/in_1/aaaa_28.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/aaaa_28.c 2022-09-08 13:01:23.000000000 +0000
@@ -20,7 +20,7 @@
 #define RRTYPE_AAAA_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_aaaa(ARGS_FROMTEXT) {
 isc_token_t token;
 unsigned char addr[16];
@@ -50,7 +50,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_aaaa(ARGS_TOTEXT) {
 isc_region_t region;
@@ -80,7 +80,7 @@
 return (inet_totext(AF_INET6, tctx->flags, ®ion, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_aaaa(ARGS_FROMWIRE) {
 isc_region_t sregion;
 isc_region_t tregion;
@@ -108,7 +108,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_aaaa(ARGS_TOWIRE) {
 isc_region_t region;
@@ -127,7 +127,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline int
+static int
 compare_in_aaaa(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -144,7 +144,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
 dns_rdata_in_aaaa_t *aaaa = source;
@@ -160,7 +160,7 @@
 return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_aaaa(ARGS_TOSTRUCT) {
 dns_rdata_in_aaaa_t *aaaa = target;
 isc_region_t r;
@@ -183,7 +183,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_aaaa(ARGS_FREESTRUCT) {
 dns_rdata_in_aaaa_t *aaaa = source;
@@ -194,7 +194,7 @@
 UNUSED(aaaa);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_aaaa(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_aaaa);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -206,7 +206,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_aaaa(ARGS_DIGEST) {
 isc_region_t r;
@@ -218,7 +218,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_aaaa(ARGS_CHECKOWNER) {
 dns_name_t prefix, suffix;
@@ -245,7 +245,7 @@
 return (dns_name_ishostname(name, wildcard));
 }
-static inline bool
+static bool
 checknames_in_aaaa(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_aaaa);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -257,7 +257,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_aaaa(ARGS_COMPARE) {
 return (compare_in_aaaa(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/apl_42.c bind9-9.16.33/lib/dns/rdata/in_1/apl_42.c
--- bind9-9.16.27/lib/dns/rdata/in_1/apl_42.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/apl_42.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_APL_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_apl(ARGS_FROMTEXT) {
 isc_token_t token;
 unsigned char addr[16];
@@ -114,7 +114,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_apl(ARGS_TOTEXT) {
 isc_region_t sr;
 isc_region_t ir;
@@ -179,7 +179,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_apl(ARGS_FROMWIRE) {
 isc_region_t sr, sr2;
 isc_region_t tr;
@@ -236,7 +236,7 @@
 return (mem_tobuffer(target, sr2.base, sr2.length));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_apl(ARGS_TOWIRE) {
 UNUSED(cctx);
@@ -246,7 +246,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_in_apl(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -261,7 +261,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_apl(ARGS_FROMSTRUCT) {
 dns_rdata_in_apl_t *apl = source;
 isc_buffer_t b;
@@ -279,7 +279,7 @@
 return (fromwire_in_apl(rdclass, type, &b, NULL, false, target));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_apl(ARGS_TOSTRUCT) {
 dns_rdata_in_apl_t *apl = target;
 isc_region_t r;
@@ -304,7 +304,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_apl(ARGS_FREESTRUCT) {
 dns_rdata_in_apl_t *apl = source;
@@ -425,7 +425,7 @@
 return (apl->apl_len);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_apl(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_apl);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -436,7 +436,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_apl(ARGS_DIGEST) {
 isc_region_t r;
@@ -448,7 +448,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_apl(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_apl);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -461,7 +461,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_apl(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_apl);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -473,7 +473,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_apl(ARGS_COMPARE) {
 return (compare_in_apl(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/atma_34.c bind9-9.16.33/lib/dns/rdata/in_1/atma_34.c
--- bind9-9.16.27/lib/dns/rdata/in_1/atma_34.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/atma_34.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_ATMA_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_atma(ARGS_FROMTEXT) {
 isc_token_t token;
 isc_textregion_t *sr;
@@ -107,7 +107,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_atma(ARGS_TOTEXT) {
 isc_region_t region;
 char buf[sizeof("xx")];
@@ -140,7 +140,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_atma(ARGS_FROMWIRE) {
 isc_region_t region;
@@ -169,7 +169,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_atma(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_atma);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -180,7 +180,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_in_atma(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -197,7 +197,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_atma(ARGS_FROMSTRUCT) {
 dns_rdata_in_atma_t *atma = source;
@@ -215,7 +215,7 @@
 return (mem_tobuffer(target, atma->atma, atma->atma_len));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_atma(ARGS_TOSTRUCT) {
 dns_rdata_in_atma_t *atma = target;
 isc_region_t r;
@@ -242,7 +242,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_atma(ARGS_FREESTRUCT) {
 dns_rdata_in_atma_t *atma = source;
@@ -260,7 +260,7 @@
 atma->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_atma(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_atma);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -272,7 +272,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_atma(ARGS_DIGEST) {
 isc_region_t r;
@@ -284,7 +284,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_atma(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_atma);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -297,7 +297,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_atma(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_atma);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -309,7 +309,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_atma(ARGS_COMPARE) {
 return (compare_in_atma(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/dhcid_49.c bind9-9.16.33/lib/dns/rdata/in_1/dhcid_49.c
--- bind9-9.16.27/lib/dns/rdata/in_1/dhcid_49.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/dhcid_49.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_DHCID_ATTRIBUTES 0
-static inline isc_result_t
+static isc_result_t
 fromtext_in_dhcid(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_dhcid);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -32,7 +32,7 @@
 return (isc_base64_tobuffer(lexer, target, -2));
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_dhcid(ARGS_TOTEXT) {
 isc_region_t sr, sr2;
 /* " ; 64000 255 64000" */
@@ -66,7 +66,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_dhcid(ARGS_FROMWIRE) {
 isc_region_t sr;
@@ -87,7 +87,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_dhcid(ARGS_TOWIRE) {
 isc_region_t sr;
@@ -101,7 +101,7 @@
 return (mem_tobuffer(target, sr.base, sr.length));
 }
-static inline int
+static int
 compare_in_dhcid(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -118,7 +118,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
 dns_rdata_in_dhcid_t *dhcid = source;
@@ -135,7 +135,7 @@
 return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_dhcid(ARGS_TOSTRUCT) {
 dns_rdata_in_dhcid_t *dhcid = target;
 isc_region_t region;
@@ -160,7 +160,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_dhcid(ARGS_FREESTRUCT) {
 dns_rdata_in_dhcid_t *dhcid = source;
@@ -178,7 +178,7 @@
 dhcid->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_dhcid(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_dhcid);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -190,7 +190,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_dhcid(ARGS_DIGEST) {
 isc_region_t r;
@@ -202,7 +202,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_dhcid(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_dhcid);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -215,7 +215,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_dhcid(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_dhcid);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -227,7 +227,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_dhcid(ARGS_COMPARE) {
 return (compare_in_dhcid(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/eid_31.c bind9-9.16.33/lib/dns/rdata/in_1/eid_31.c
--- bind9-9.16.27/lib/dns/rdata/in_1/eid_31.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/eid_31.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_EID_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_eid(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_eid);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -32,7 +32,7 @@
 return (isc_hex_tobuffer(lexer, target, -2));
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_eid(ARGS_TOTEXT) {
 isc_region_t region;
@@ -57,7 +57,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_eid(ARGS_FROMWIRE) {
 isc_region_t region;
@@ -79,7 +79,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_eid(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_eid);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -90,7 +90,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_in_eid(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -107,7 +107,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_eid(ARGS_FROMSTRUCT) {
 dns_rdata_in_eid_t *eid = source;
@@ -124,7 +124,7 @@
 return (mem_tobuffer(target, eid->eid, eid->eid_len));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_eid(ARGS_TOSTRUCT) {
 dns_rdata_in_eid_t *eid = target;
 isc_region_t r;
@@ -149,7 +149,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_eid(ARGS_FREESTRUCT) {
 dns_rdata_in_eid_t *eid = source;
@@ -167,7 +167,7 @@
 eid->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_eid(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_eid);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -179,7 +179,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_eid(ARGS_DIGEST) {
 isc_region_t r;
@@ -191,7 +191,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_eid(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_eid);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -204,7 +204,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_eid(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_eid);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -216,7 +216,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_eid(ARGS_COMPARE) {
 return (compare_in_eid(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/https_65.c bind9-9.16.33/lib/dns/rdata/in_1/https_65.c
--- bind9-9.16.27/lib/dns/rdata/in_1/https_65.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/https_65.c 2022-09-08 13:01:23.000000000 +0000
@@ -23,7 +23,7 @@
 * since wire and presentation formats are identical.
 */
-static inline isc_result_t
+static isc_result_t
 fromtext_in_https(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_https);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -31,7 +31,7 @@
 return (generic_fromtext_in_svcb(CALL_FROMTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_https(ARGS_TOTEXT) {
 REQUIRE(rdata->type == dns_rdatatype_https);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -40,7 +40,7 @@
 return (generic_totext_in_svcb(CALL_TOTEXT));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_https(ARGS_FROMWIRE) {
 REQUIRE(type == dns_rdatatype_https);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -48,7 +48,7 @@
 return (generic_fromwire_in_svcb(CALL_FROMWIRE));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_https(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_https);
 REQUIRE(rdata->length != 0);
@@ -56,7 +56,7 @@
 return (generic_towire_in_svcb(CALL_TOWIRE));
 }
-static inline int
+static int
 compare_in_https(ARGS_COMPARE) {
 isc_region_t region1;
 isc_region_t region2;
@@ -74,7 +74,7 @@
 return (isc_region_compare(®ion1, ®ion2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_https(ARGS_FROMSTRUCT) {
 dns_rdata_in_https_t *https = source;
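Review bot: In lib/dns/rdata/in_1/https_65.c (hunk -48,7), towire_in_https asserts `rdata->type` and `rdata->length != 0` but never the class, whereas totext_in_https in the same file and the towire_* functions of the neighbouring in_1 types (atma, eid) carry `REQUIRE(rdata->rdclass == dns_rdataclass_in);`. The hunk numbering leaves only one line between the second REQUIRE and the `return` at line 56, so the check does not appear to sit just outside the context. The caller presumably dispatches on class already, but these preconditions are the only guard before the shared generic_towire_in_svcb path. For parity I would add `REQUIRE(rdata->rdclass == dns_rdataclass_in);` after the type check, or a one-line comment saying why it is left out here.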
@@ -87,7 +87,7 @@
 return (generic_fromstruct_in_svcb(CALL_FROMSTRUCT));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_https(ARGS_TOSTRUCT) {
 dns_rdata_in_https_t *https = target;
@@ -99,7 +99,7 @@
 return (generic_tostruct_in_svcb(CALL_TOSTRUCT));
 }
-static inline void
+static void
 freestruct_in_https(ARGS_FREESTRUCT) {
 dns_rdata_in_https_t *https = source;
@@ -110,7 +110,7 @@
 generic_freestruct_in_svcb(CALL_FREESTRUCT);
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_https(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_https);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -118,7 +118,7 @@
 return (generic_additionaldata_in_svcb(CALL_ADDLDATA));
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_https(ARGS_DIGEST) {
 isc_region_t region1;
@@ -129,7 +129,7 @@
 return ((digest)(arg, ®ion1));
 }
-static inline bool
+static bool
 checkowner_in_https(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_https);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -142,7 +142,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_https(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_https);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -150,7 +150,7 @@
 return (generic_checknames_in_svcb(CALL_CHECKNAMES));
 }
-static inline int
+static int
 casecompare_in_https(ARGS_COMPARE) {
 return (compare_in_https(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/kx_36.c bind9-9.16.33/lib/dns/rdata/in_1/kx_36.c
--- bind9-9.16.27/lib/dns/rdata/in_1/kx_36.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/kx_36.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_KX_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_kx(ARGS_FROMTEXT) {
 isc_token_t token;
 dns_name_t name;
@@ -49,7 +49,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_kx(ARGS_TOTEXT) {
 isc_region_t region;
 dns_name_t name;
@@ -78,7 +78,7 @@
 return (dns_name_totext(&prefix, sub, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_kx(ARGS_FROMWIRE) {
 dns_name_t name;
 isc_region_t sregion;
@@ -102,7 +102,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_kx(ARGS_TOWIRE) {
 dns_name_t name;
 dns_offsets_t offsets;
@@ -123,7 +123,7 @@
 return (dns_name_towire(&name, cctx, target));
 }
-static inline int
+static int
 compare_in_kx(ARGS_COMPARE) {
 dns_name_t name1;
 dns_name_t name2;
@@ -158,7 +158,7 @@
 return (dns_name_rdatacompare(&name1, &name2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_kx(ARGS_FROMSTRUCT) {
 dns_rdata_in_kx_t *kx = source;
 isc_region_t region;
@@ -177,7 +177,7 @@
 return (isc_buffer_copyregion(target, ®ion));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_kx(ARGS_TOSTRUCT) {
 isc_region_t region;
 dns_rdata_in_kx_t *kx = target;
@@ -205,7 +205,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_kx(ARGS_FREESTRUCT) {
 dns_rdata_in_kx_t *kx = source;
@@ -221,7 +221,7 @@
 kx->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_kx(ARGS_ADDLDATA) {
 dns_name_t name;
 dns_offsets_t offsets;
@@ -238,7 +238,7 @@
 return ((add)(arg, &name, dns_rdatatype_a));
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_kx(ARGS_DIGEST) {
 isc_region_t r1, r2;
 dns_name_t name;
@@ -256,7 +256,7 @@
 return (dns_name_digest(&name, digest, arg));
 }
-static inline bool
+static bool
 checkowner_in_kx(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_kx);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -269,7 +269,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_kx(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_kx);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -281,7 +281,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_kx(ARGS_COMPARE) {
 return (compare_in_kx(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/nimloc_32.c bind9-9.16.33/lib/dns/rdata/in_1/nimloc_32.c
--- bind9-9.16.27/lib/dns/rdata/in_1/nimloc_32.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/nimloc_32.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_NIMLOC_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_nimloc(ARGS_FROMTEXT) {
 REQUIRE(type == dns_rdatatype_nimloc);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -32,7 +32,7 @@
 return (isc_hex_tobuffer(lexer, target, -2));
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_nimloc(ARGS_TOTEXT) {
 isc_region_t region;
@@ -57,7 +57,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_nimloc(ARGS_FROMWIRE) {
 isc_region_t region;
@@ -79,7 +79,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_nimloc(ARGS_TOWIRE) {
 REQUIRE(rdata->type == dns_rdatatype_nimloc);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -90,7 +90,7 @@
 return (mem_tobuffer(target, rdata->data, rdata->length));
 }
-static inline int
+static int
 compare_in_nimloc(ARGS_COMPARE) {
 isc_region_t r1;
 isc_region_t r2;
@@ -107,7 +107,7 @@
 return (isc_region_compare(&r1, &r2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_nimloc(ARGS_FROMSTRUCT) {
 dns_rdata_in_nimloc_t *nimloc = source;
@@ -124,7 +124,7 @@
 return (mem_tobuffer(target, nimloc->nimloc, nimloc->nimloc_len));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_nimloc(ARGS_TOSTRUCT) {
 dns_rdata_in_nimloc_t *nimloc = target;
 isc_region_t r;
@@ -149,7 +149,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_nimloc(ARGS_FREESTRUCT) {
 dns_rdata_in_nimloc_t *nimloc = source;
@@ -167,7 +167,7 @@
 nimloc->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_nimloc(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_nimloc);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -179,7 +179,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_nimloc(ARGS_DIGEST) {
 isc_region_t r;
@@ -191,7 +191,7 @@
 return ((digest)(arg, &r));
 }
-static inline bool
+static bool
 checkowner_in_nimloc(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_nimloc);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -204,7 +204,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_nimloc(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_nimloc);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -216,7 +216,7 @@
 return (true);
 }
-static inline int
+static int
 casecompare_in_nimloc(ARGS_COMPARE) {
 return (compare_in_nimloc(rdata1, rdata2));
 }
diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/nsap-ptr_23.c bind9-9.16.33/lib/dns/rdata/in_1/nsap-ptr_23.c
--- bind9-9.16.27/lib/dns/rdata/in_1/nsap-ptr_23.c 2022-03-07 08:48:03.000000000 +0000
+++ bind9-9.16.33/lib/dns/rdata/in_1/nsap-ptr_23.c 2022-09-08 13:01:23.000000000 +0000
@@ -18,7 +18,7 @@
 #define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
-static inline isc_result_t
+static isc_result_t
 fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
 isc_token_t token;
 dns_name_t name;
@@ -43,7 +43,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 totext_in_nsap_ptr(ARGS_TOTEXT) {
 isc_region_t region;
 dns_name_t name;
@@ -65,7 +65,7 @@
 return (dns_name_totext(&prefix, sub, target));
 }
-static inline isc_result_t
+static isc_result_t
 fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
 dns_name_t name;
@@ -81,7 +81,7 @@
 return (dns_name_fromwire(&name, source, dctx, options, target));
 }
-static inline isc_result_t
+static isc_result_t
 towire_in_nsap_ptr(ARGS_TOWIRE) {
 dns_name_t name;
 dns_offsets_t offsets;
@@ -99,7 +99,7 @@
 return (dns_name_towire(&name, cctx, target));
 }
-static inline int
+static int
 compare_in_nsap_ptr(ARGS_COMPARE) {
 dns_name_t name1;
 dns_name_t name2;
@@ -125,7 +125,7 @@
 return (dns_name_rdatacompare(&name1, &name2));
 }
-static inline isc_result_t
+static isc_result_t
 fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
 dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
 isc_region_t region;
@@ -143,7 +143,7 @@
 return (isc_buffer_copyregion(target, ®ion));
 }
-static inline isc_result_t
+static isc_result_t
 tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
 isc_region_t region;
 dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
@@ -167,7 +167,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline void
+static void
 freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
 dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
@@ -183,7 +183,7 @@
 nsap_ptr->mctx = NULL;
 }
-static inline isc_result_t
+static isc_result_t
 additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
 REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -195,7 +195,7 @@
 return (ISC_R_SUCCESS);
 }
-static inline isc_result_t
+static isc_result_t
 digest_in_nsap_ptr(ARGS_DIGEST) {
 isc_region_t r;
 dns_name_t name;
@@ -210,7 +210,7 @@
 return (dns_name_digest(&name, digest, arg));
 }
-static inline bool
+static bool
 checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
 REQUIRE(type == dns_rdatatype_nsap_ptr);
 REQUIRE(rdclass == dns_rdataclass_in);
@@ -223,7 +223,7 @@
 return (true);
 }
-static inline bool
+static bool
 checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
 REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
 REQUIRE(rdata->rdclass == dns_rdataclass_in);
@@ -235,7 +235,7 @@ return (true); } -static inline int +static int casecompare_in_nsap_ptr(ARGS_COMPARE) { return (compare_in_nsap_ptr(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/nsap_22.c bind9-9.16.33/lib/dns/rdata/in_1/nsap_22.c --- bind9-9.16.27/lib/dns/rdata/in_1/nsap_22.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/in_1/nsap_22.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_NSAP_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_in_nsap(ARGS_FROMTEXT) { isc_token_t token; isc_textregion_t *sr; @@ -71,7 +71,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_in_nsap(ARGS_TOTEXT) { isc_region_t region; char buf[sizeof("xx")]; @@ -92,7 +92,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_in_nsap(ARGS_FROMWIRE) { isc_region_t region; @@ -114,7 +114,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_in_nsap(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_nsap); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -125,7 +125,7 @@ return (mem_tobuffer(target, rdata->data, rdata->length)); } -static inline int +static int compare_in_nsap(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -142,7 +142,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_in_nsap(ARGS_FROMSTRUCT) { dns_rdata_in_nsap_t *nsap = source; @@ -159,7 +159,7 @@ return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len)); } -static inline isc_result_t +static isc_result_t tostruct_in_nsap(ARGS_TOSTRUCT) { dns_rdata_in_nsap_t *nsap = target; isc_region_t r; @@ -184,7 +184,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_in_nsap(ARGS_FREESTRUCT) { dns_rdata_in_nsap_t *nsap = source; 
@@ -202,7 +202,7 @@ nsap->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_in_nsap(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_nsap); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -214,7 +214,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_in_nsap(ARGS_DIGEST) { isc_region_t r; @@ -226,7 +226,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_in_nsap(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_nsap); REQUIRE(rdclass == dns_rdataclass_in); @@ -239,7 +239,7 @@ return (true); } -static inline bool +static bool checknames_in_nsap(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_nsap); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -251,7 +251,7 @@ return (true); } -static inline int +static int casecompare_in_nsap(ARGS_COMPARE) { return (compare_in_nsap(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/px_26.c bind9-9.16.33/lib/dns/rdata/in_1/px_26.c --- bind9-9.16.27/lib/dns/rdata/in_1/px_26.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/in_1/px_26.c 2022-09-08 13:01:23.000000000 +0000 @@ -18,7 +18,7 @@ #define RRTYPE_PX_ATTRIBUTES (0) -static inline isc_result_t +static isc_result_t fromtext_in_px(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -65,7 +65,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_in_px(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -108,7 +108,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_in_px(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sregion; @@ -144,7 +144,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_in_px(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; 
@@ -178,7 +178,7 @@ return (dns_name_towire(&name, cctx, target)); } -static inline int +static int compare_in_px(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2; @@ -224,7 +224,7 @@ return (dns_name_rdatacompare(&name1, &name2)); } -static inline isc_result_t +static isc_result_t fromstruct_in_px(ARGS_FROMSTRUCT) { dns_rdata_in_px_t *px = source; isc_region_t region; @@ -245,7 +245,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_in_px(ARGS_TOSTRUCT) { dns_rdata_in_px_t *px = target; dns_name_t name; @@ -287,7 +287,7 @@ return (ISC_R_NOMEMORY); } -static inline void +static void freestruct_in_px(ARGS_FREESTRUCT) { dns_rdata_in_px_t *px = source; @@ -304,7 +304,7 @@ px->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_in_px(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_px); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -316,7 +316,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_in_px(ARGS_DIGEST) { isc_region_t r1, r2; dns_name_t name; @@ -346,7 +346,7 @@ return (dns_name_digest(&name, digest, arg)); } -static inline bool +static bool checkowner_in_px(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_px); REQUIRE(rdclass == dns_rdataclass_in); @@ -359,7 +359,7 @@ return (true); } -static inline bool +static bool checknames_in_px(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_px); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -371,7 +371,7 @@ return (true); } -static inline int +static int casecompare_in_px(ARGS_COMPARE) { return (compare_in_px(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/srv_33.c bind9-9.16.33/lib/dns/rdata/in_1/srv_33.c --- bind9-9.16.27/lib/dns/rdata/in_1/srv_33.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/in_1/srv_33.c 2022-09-08 13:01:23.000000000 +0000 
@@ -18,7 +18,7 @@ #define RRTYPE_SRV_ATTRIBUTES (DNS_RDATATYPEATTR_FOLLOWADDITIONAL) -static inline isc_result_t +static isc_result_t fromtext_in_srv(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -86,7 +86,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_in_srv(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -138,7 +138,7 @@ return (dns_name_totext(&prefix, sub, target)); } -static inline isc_result_t +static isc_result_t fromwire_in_srv(ARGS_FROMWIRE) { dns_name_t name; isc_region_t sr; @@ -169,7 +169,7 @@ return (dns_name_fromwire(&name, source, dctx, options, target)); } -static inline isc_result_t +static isc_result_t towire_in_srv(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; @@ -194,7 +194,7 @@ return (dns_name_towire(&name, cctx, target)); } -static inline int +static int compare_in_srv(ARGS_COMPARE) { dns_name_t name1; dns_name_t name2; @@ -235,7 +235,7 @@ return (dns_name_rdatacompare(&name1, &name2)); } -static inline isc_result_t +static isc_result_t fromstruct_in_srv(ARGS_FROMSTRUCT) { dns_rdata_in_srv_t *srv = source; isc_region_t region; @@ -256,7 +256,7 @@ return (isc_buffer_copyregion(target, ®ion)); } -static inline isc_result_t +static isc_result_t tostruct_in_srv(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_in_srv_t *srv = target; @@ -286,7 +286,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_in_srv(ARGS_FREESTRUCT) { dns_rdata_in_srv_t *srv = source; @@ -302,7 +302,7 @@ srv->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_in_srv(ARGS_ADDLDATA) { char buf[sizeof("_65000._tcp")]; dns_fixedname_t fixed; @@ -348,7 +348,7 @@ return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa)); } -static inline isc_result_t +static isc_result_t digest_in_srv(ARGS_DIGEST) { isc_region_t r1, r2; dns_name_t name; 
@@ -366,7 +366,7 @@ return (dns_name_digest(&name, digest, arg)); } -static inline bool +static bool checkowner_in_srv(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_srv); REQUIRE(rdclass == dns_rdataclass_in); @@ -379,7 +379,7 @@ return (true); } -static inline bool +static bool checknames_in_srv(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name; @@ -402,7 +402,7 @@ return (true); } -static inline int +static int casecompare_in_srv(ARGS_COMPARE) { return (compare_in_srv(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/svcb_64.c bind9-9.16.33/lib/dns/rdata/in_1/svcb_64.c --- bind9-9.16.27/lib/dns/rdata/in_1/svcb_64.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/in_1/svcb_64.c 2022-09-08 13:01:23.000000000 +0000 @@ -326,8 +326,7 @@ RETERR(svcsortkeylist(target, used)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } len = isc_buffer_usedlength(target) - @@ -528,7 +527,7 @@ } } -static inline isc_result_t +static isc_result_t generic_fromtext_in_svcb(ARGS_FROMTEXT) { isc_token_t token; dns_name_t name; @@ -601,7 +600,7 @@ } } -static inline isc_result_t +static isc_result_t fromtext_in_svcb(ARGS_FROMTEXT) { REQUIRE(type == dns_rdatatype_svcb); REQUIRE(rdclass == dns_rdataclass_in); @@ -612,7 +611,7 @@ return (generic_fromtext_in_svcb(CALL_FROMTEXT)); } -static inline isc_result_t +static isc_result_t generic_totext_in_svcb(ARGS_TOTEXT) { isc_region_t region; dns_name_t name; @@ -736,14 +735,13 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t totext_in_svcb(ARGS_TOTEXT) { REQUIRE(rdata->type == dns_rdatatype_svcb); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -752,7 +750,7 @@ return (generic_totext_in_svcb(CALL_TOTEXT)); } -static inline isc_result_t +static isc_result_t generic_fromwire_in_svcb(ARGS_FROMWIRE) { dns_name_t name; isc_region_t region, man = { .base = NULL, .length = 0 }; 
@@ -894,7 +892,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_in_svcb(ARGS_FROMWIRE) { REQUIRE(type == dns_rdatatype_svcb); REQUIRE(rdclass == dns_rdataclass_in); @@ -902,7 +900,7 @@ return (generic_fromwire_in_svcb(CALL_FROMWIRE)); } -static inline isc_result_t +static isc_result_t generic_towire_in_svcb(ARGS_TOWIRE) { dns_name_t name; dns_offsets_t offsets; @@ -933,7 +931,7 @@ return (mem_tobuffer(target, region.base, region.length)); } -static inline isc_result_t +static isc_result_t towire_in_svcb(ARGS_TOWIRE) { REQUIRE(rdata->type == dns_rdatatype_svcb); REQUIRE(rdata->length != 0); @@ -941,7 +939,7 @@ return (generic_towire_in_svcb(CALL_TOWIRE)); } -static inline int +static int compare_in_svcb(ARGS_COMPARE) { isc_region_t region1; isc_region_t region2; @@ -959,7 +957,7 @@ return (isc_region_compare(®ion1, ®ion2)); } -static inline isc_result_t +static isc_result_t generic_fromstruct_in_svcb(ARGS_FROMSTRUCT) { dns_rdata_in_svcb_t *svcb = source; isc_region_t region; @@ -978,7 +976,7 @@ return (mem_tobuffer(target, svcb->svc, svcb->svclen)); } -static inline isc_result_t +static isc_result_t fromstruct_in_svcb(ARGS_FROMSTRUCT) { dns_rdata_in_svcb_t *svcb = source; @@ -991,7 +989,7 @@ return (generic_fromstruct_in_svcb(CALL_FROMSTRUCT)); } -static inline isc_result_t +static isc_result_t generic_tostruct_in_svcb(ARGS_TOSTRUCT) { isc_region_t region; dns_rdata_in_svcb_t *svcb = target; @@ -1031,7 +1029,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t tostruct_in_svcb(ARGS_TOSTRUCT) { dns_rdata_in_svcb_t *svcb = target; @@ -1043,7 +1041,7 @@ return (generic_tostruct_in_svcb(CALL_TOSTRUCT)); } -static inline void +static void generic_freestruct_in_svcb(ARGS_FREESTRUCT) { dns_rdata_in_svcb_t *svcb = source; @@ -1058,7 +1056,7 @@ svcb->mctx = NULL; } -static inline void +static void freestruct_in_svcb(ARGS_FREESTRUCT) { dns_rdata_in_svcb_t *svcb = source; 
@@ -1069,7 +1067,7 @@ generic_freestruct_in_svcb(CALL_FREESTRUCT); } -static inline isc_result_t +static isc_result_t generic_additionaldata_in_svcb(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -1078,7 +1076,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t additionaldata_in_svcb(ARGS_ADDLDATA) { REQUIRE(rdata->type == dns_rdatatype_svcb); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -1086,7 +1084,7 @@ return (generic_additionaldata_in_svcb(CALL_ADDLDATA)); } -static inline isc_result_t +static isc_result_t digest_in_svcb(ARGS_DIGEST) { isc_region_t region1; @@ -1097,7 +1095,7 @@ return ((digest)(arg, ®ion1)); } -static inline bool +static bool checkowner_in_svcb(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_svcb); REQUIRE(rdclass == dns_rdataclass_in); @@ -1110,7 +1108,7 @@ return (true); } -static inline bool +static bool generic_checknames_in_svcb(ARGS_CHECKNAMES) { isc_region_t region; dns_name_t name; @@ -1133,7 +1131,7 @@ return (true); } -static inline bool +static bool checknames_in_svcb(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_svcb); REQUIRE(rdata->rdclass == dns_rdataclass_in); @@ -1141,7 +1139,7 @@ return (generic_checknames_in_svcb(CALL_CHECKNAMES)); } -static inline int +static int casecompare_in_svcb(ARGS_COMPARE) { return (compare_in_svcb(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata/in_1/wks_11.c bind9-9.16.33/lib/dns/rdata/in_1/wks_11.c --- bind9-9.16.27/lib/dns/rdata/in_1/wks_11.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata/in_1/wks_11.c 2022-09-08 13:01:23.000000000 +0000 @@ -74,7 +74,7 @@ #include #endif /* ifdef _WIN32 */ -static inline isc_result_t +static isc_result_t fromtext_in_wks(ARGS_FROMTEXT) { static isc_once_t once = ISC_ONCE_INIT; isc_token_t token; @@ -206,7 +206,7 @@ return (result); } -static inline isc_result_t +static isc_result_t totext_in_wks(ARGS_TOTEXT) { isc_region_t sr; unsigned short proto; 
@@ -248,7 +248,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t fromwire_in_wks(ARGS_FROMWIRE) { isc_region_t sr; isc_region_t tr; @@ -284,7 +284,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t towire_in_wks(ARGS_TOWIRE) { isc_region_t sr; @@ -298,7 +298,7 @@ return (mem_tobuffer(target, sr.base, sr.length)); } -static inline int +static int compare_in_wks(ARGS_COMPARE) { isc_region_t r1; isc_region_t r2; @@ -315,7 +315,7 @@ return (isc_region_compare(&r1, &r2)); } -static inline isc_result_t +static isc_result_t fromstruct_in_wks(ARGS_FROMSTRUCT) { dns_rdata_in_wks_t *wks = source; uint32_t a; @@ -337,7 +337,7 @@ return (mem_tobuffer(target, wks->map, wks->map_len)); } -static inline isc_result_t +static isc_result_t tostruct_in_wks(ARGS_TOSTRUCT) { dns_rdata_in_wks_t *wks = target; uint32_t n; @@ -367,7 +367,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void freestruct_in_wks(ARGS_FREESTRUCT) { dns_rdata_in_wks_t *wks = source; @@ -385,7 +385,7 @@ wks->mctx = NULL; } -static inline isc_result_t +static isc_result_t additionaldata_in_wks(ARGS_ADDLDATA) { UNUSED(rdata); UNUSED(add); @@ -397,7 +397,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t digest_in_wks(ARGS_DIGEST) { isc_region_t r; @@ -409,7 +409,7 @@ return ((digest)(arg, &r)); } -static inline bool +static bool checkowner_in_wks(ARGS_CHECKOWNER) { REQUIRE(type == dns_rdatatype_wks); REQUIRE(rdclass == dns_rdataclass_in); @@ -420,7 +420,7 @@ return (dns_name_ishostname(name, wildcard)); } -static inline bool +static bool checknames_in_wks(ARGS_CHECKNAMES) { REQUIRE(rdata->type == dns_rdatatype_wks); REQUIRE(rdata->rdclass == dns_rdataclass_in); 
@@ -432,7 +432,7 @@ return (true); } -static inline int +static int casecompare_in_wks(ARGS_COMPARE) { return (compare_in_wks(rdata1, rdata2)); } diff -Nru bind9-9.16.27/lib/dns/rdata.c bind9-9.16.33/lib/dns/rdata.c --- bind9-9.16.27/lib/dns/rdata.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdata.c 2022-09-08 13:01:23.000000000 +0000 @@ -256,17 +256,17 @@ unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, isc_buffer_t *target); -static inline isc_result_t generic_fromtext_key(ARGS_FROMTEXT); +static isc_result_t generic_fromtext_key(ARGS_FROMTEXT); -static inline isc_result_t generic_totext_key(ARGS_TOTEXT); +static isc_result_t generic_totext_key(ARGS_TOTEXT); -static inline isc_result_t generic_fromwire_key(ARGS_FROMWIRE); +static isc_result_t generic_fromwire_key(ARGS_FROMWIRE); -static inline isc_result_t generic_fromstruct_key(ARGS_FROMSTRUCT); +static isc_result_t generic_fromstruct_key(ARGS_FROMSTRUCT); -static inline isc_result_t generic_tostruct_key(ARGS_TOSTRUCT); +static isc_result_t generic_tostruct_key(ARGS_TOSTRUCT); -static inline void generic_freestruct_key(ARGS_FREESTRUCT); +static void generic_freestruct_key(ARGS_FREESTRUCT); static isc_result_t generic_fromtext_txt(ARGS_FROMTEXT); @@ -348,7 +348,7 @@ * \note * (1) does not touch `dst' unless it's returning 1. */ -static inline int +static int locator_pton(const char *src, unsigned char *dst) { static const char xdigits_l[] = "0123456789abcdef", xdigits_u[] = "0123456789ABCDEF"; @@ -406,7 +406,7 @@ return (1); } -static inline isc_result_t +static isc_result_t name_duporclone(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) { if (mctx != NULL) { dns_name_dup(source, mctx, target); @@ -416,7 +416,7 @@ return (ISC_R_SUCCESS); } -static inline void * +static void * mem_maybedup(isc_mem_t *mctx, void *source, size_t length) { void *copy; 
@@ -429,7 +429,7 @@ return (copy); } -static inline isc_result_t +static isc_result_t typemap_fromtext(isc_lex_t *lexer, isc_buffer_t *target, bool allow_empty) { isc_token_t token; unsigned char bm[8 * 1024]; /* 64k bits */ @@ -497,7 +497,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx, isc_buffer_t *target) { unsigned int i, j, k; @@ -1890,9 +1890,9 @@ * parsing, so append 0 in that case. */ if (af == AF_INET6 && (flags & DNS_STYLEFLAG_YAML) != 0) { - isc_textregion_t tr; - isc_buffer_usedregion(target, (isc_region_t *)&tr); - if (tr.base[tr.length - 1] == ':') { + isc_region_t r; + isc_buffer_usedregion(target, &r); + if (r.length > 0 && r.base[r.length - 1] == ':') { if (isc_buffer_availablelength(target) == 0) { return (ISC_R_NOSPACE); } diff -Nru bind9-9.16.27/lib/dns/rdataset.c bind9-9.16.33/lib/dns/rdataset.c --- bind9-9.16.27/lib/dns/rdataset.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdataset.c 2022-09-08 13:01:23.000000000 +0000 @@ -297,7 +297,7 @@ return (a->key - b->key); } -static inline void +static void swap_rdata(dns_rdata_t *in, unsigned int a, unsigned int b) { dns_rdata_t rdata = in[a]; in[a] = in[b]; diff -Nru bind9-9.16.27/lib/dns/rdataslab.c bind9-9.16.33/lib/dns/rdataslab.c --- bind9-9.16.27/lib/dns/rdataslab.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rdataslab.c 2022-09-08 13:01:23.000000000 +0000 @@ -410,7 +410,7 @@ * 'type' and class 'rdclass', and advance '*current' to * point to the next item in the slab. */ -static inline void +static void rdata_from_slab(unsigned char **current, dns_rdataclass_t rdclass, dns_rdatatype_t type, dns_rdata_t *rdata) { unsigned char *tcurrent = *current; 
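Review bot: In the `@@ -1890,9 +1890,9 @@` hunk of lib/dns/rdata.c, the new `r.length > 0` test is the only thing that stops `r.base[r.length - 1]` from indexing outside the used region when `target` is still empty, and nothing in the code says so. A short comment above the condition, for example `/* An empty buffer has no last byte to inspect. */`, would keep the guard from being dropped in a later cleanup. The enclosing function starts and ends outside the hunk, so whether it reads the tail of a used region elsewhere without the same check cannot be judged from here.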
@@ -446,7 +446,7 @@ * contains an rdata identical to 'rdata'. This does case insensitive * comparisons per DNSSEC. */ -static inline bool +static bool rdata_in_slab(unsigned char *slab, unsigned int reservelen, dns_rdataclass_t rdclass, dns_rdatatype_t type, dns_rdata_t *rdata) { diff -Nru bind9-9.16.27/lib/dns/request.c bind9-9.16.33/lib/dns/request.c --- bind9-9.16.27/lib/dns/request.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/request.c 2022-09-08 13:01:23.000000000 +0000 @@ -413,7 +413,7 @@ return (requestmgr->hash % DNS_REQUEST_NLOCKS); } -static inline isc_result_t +static isc_result_t req_send(dns_request_t *request, isc_task_t *task, const isc_sockaddr_t *address) { isc_region_t r; diff -Nru bind9-9.16.27/lib/dns/resolver.c bind9-9.16.33/lib/dns/resolver.c --- bind9-9.16.27/lib/dns/resolver.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/resolver.c 2022-09-08 13:01:23.000000000 +0000 @@ -195,6 +195,12 @@ */ #define NS_FAIL_LIMIT 4 #define NS_RR_LIMIT 5 +/* + * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in + * any NS RRset encountered, to avoid excessive resource use while processing + * large delegations. + */ +#define NS_PROCESSING_LIMIT 20 /* Number of hash buckets for zone counters */ #ifndef RES_DOMAIN_BUCKETS @@ -641,12 +647,10 @@ dns_rdataset_t *ardataset, isc_result_t *eresultp); static void validated(isc_task_t *task, isc_event_t *event); -static bool -maybe_destroy(fetchctx_t *fctx, bool locked); static void add_bad(fetchctx_t *fctx, dns_message_t *rmessage, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, badnstype_t badtype); -static inline isc_result_t +static isc_result_t findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name, dns_rdatatype_t type, dns_name_t **noqname); static void 
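Review bot: `NS_PROCESSING_LIMIT` in the `@@ -195,6 +195,12 @@` hunk of lib/dns/resolver.c is a bare `#define`, while `RES_DOMAIN_BUCKETS` directly below it is wrapped in `#ifndef` so a build can override it. This value caps how many NS RRs of a delegation get address lookups, so sites with unusually wide delegations may need to tune it without patching. Wrapping it as `#ifndef NS_PROCESSING_LIMIT` / `#define NS_PROCESSING_LIMIT 20` / `#endif` would match the neighbouring style. The new comment could also say that NS RRs beyond the limit are skipped without any log, which is what the loop change in the later `@@ -3887,6 +3909,11 @@` hunk does.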
@@ -882,14 +886,14 @@ /*% * Increment resolver-related statistics counters. */ -static inline void +static void inc_stats(dns_resolver_t *res, isc_statscounter_t counter) { if (res->view->resstats != NULL) { isc_stats_increment(res->view->resstats, counter); } } -static inline void +static void dec_stats(dns_resolver_t *res, isc_statscounter_t counter) { if (res->view->resstats != NULL) { isc_stats_decrement(res->view->resstats, counter); @@ -902,14 +906,16 @@ dns_rdataset_t *sigrdataset, unsigned int valoptions, isc_task_t *task) { dns_validator_t *validator = NULL; - dns_valarg_t *valarg; + dns_valarg_t *valarg = NULL; isc_result_t result; + if (SHUTTINGDOWN(fctx)) { + return (ISC_R_SHUTTINGDOWN); + } + valarg = isc_mem_get(fctx->mctx, sizeof(*valarg)); + *valarg = (dns_valarg_t){ .fctx = fctx, .addrinfo = addrinfo }; - valarg->fctx = fctx; - valarg->addrinfo = addrinfo; - valarg->message = NULL; dns_message_attach(message, &valarg->message); if (!ISC_LIST_EMPTY(fctx->validators)) { @@ -1133,7 +1139,7 @@ return (true); } -static inline isc_result_t +static isc_result_t fctx_starttimer(fetchctx_t *fctx) { /* * Start the lifetime timer for fctx. @@ -1146,7 +1152,7 @@ NULL, true)); } -static inline isc_result_t +static isc_result_t fctx_starttimer_trystale(fetchctx_t *fctx) { /* * Start the stale-answer-client-timeout timer for fctx. @@ -1156,7 +1162,7 @@ &fctx->expires_try_stale, NULL, true)); } -static inline void +static void fctx_stoptimer(fetchctx_t *fctx) { isc_result_t result; @@ -1174,7 +1180,7 @@ } } -static inline void +static void fctx_stoptimer_trystale(fetchctx_t *fctx) { isc_result_t result; @@ -1190,7 +1196,7 @@ } } -static inline isc_result_t +static isc_result_t fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) { /* * Start the idle timer for fctx. The lifetime timer continues 
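Review bot: The new `if (SHUTTINGDOWN(fctx)) { return (ISC_R_SHUTTINGDOWN); }` at the top of the validator-creation function (hunk `@@ -902,14 +906,16 @@`) gives callers a result they could not get from this function before, and the hunk does not show any caller being adjusted. Each call site should be checked for treating a non-success result as a validation failure of the answer rather than as an orderly shutdown. The function's signature line and its callers are outside the hunk, so this is a request to confirm rather than a confirmed defect. A one-line comment above the check, e.g. `/* No new validators once the fetch is shutting down. */`, would also record the intent.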
@@ -1206,7 +1212,7 @@ */ #define fctx_stopidletimer fctx_starttimer -static inline void +static void resquery_destroy(resquery_t **queryp) { dns_resolver_t *res; bool empty; @@ -1569,7 +1575,7 @@ } } -static inline void +static void fctx_stopqueries(fetchctx_t *fctx, bool no_response, bool age_untried) { FCTXTRACE("stopqueries"); fctx_cancelqueries(fctx, no_response, age_untried); @@ -1577,7 +1583,7 @@ fctx_stoptimer_trystale(fctx); } -static inline void +static void fctx_cleanupall(fetchctx_t *fctx) { fctx_cleanupfinds(fctx); fctx_cleanupaltfinds(fctx); @@ -1586,7 +1592,7 @@ } static void -fcount_logspill(fetchctx_t *fctx, fctxcount_t *counter) { +fcount_logspill(fetchctx_t *fctx, fctxcount_t *counter, bool final) { char dbuf[DNS_NAME_FORMATSIZE]; isc_stdtime_t now; @@ -1594,18 +1600,33 @@ return; } + /* Do not log a message if there were no dropped fetches. */ + if (counter->dropped == 0) { + return; + } + + /* Do not log the cumulative message if the previous log is recent. */ isc_stdtime_get(&now); - if (counter->logged > now - 60) { + if (!final && counter->logged > now - 60) { return; } dns_name_format(&fctx->domain, dbuf, sizeof(dbuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL, DNS_LOGMODULE_RESOLVER, - ISC_LOG_INFO, - "too many simultaneous fetches for %s " - "(allowed %d spilled %d)", - dbuf, counter->allowed, counter->dropped); + if (!final) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL, + DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, + "too many simultaneous fetches for %s " + "(allowed %d spilled %d)", + dbuf, counter->allowed, counter->dropped); + } else { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL, + DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, + "fetch counters for %s now being discarded " + "(allowed %d spilled %d; cumulative since " + "initial trigger event)", + dbuf, counter->allowed, counter->dropped); + } counter->logged = now; } 
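Review bot: The new `final` parameter of `fcount_logspill()` (signature hunk `@@ -1586,7 +1592,7 @@` and body hunk `@@ -1594,18 +1600,33 @@`) is undocumented, and the rate-limit window is still the literal `60`. A header comment such as `/* Log spill statistics for fctx's domain; 'final' means the counter is about to be discarded, so the 60-second rate limit is bypassed. */` would make both call sites self-explanatory. Replacing `60` with a named constant would keep that comment and the check from drifting apart. The two `isc_log_write()` calls differ only in their format string, so choosing the string first and calling once would halve the duplicated argument list.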
@@ -1652,7 +1673,7 @@ uint_fast32_t spill = atomic_load_acquire(&fctx->res->zspill); if (!force && spill != 0 && counter->count >= spill) { counter->dropped++; - fcount_logspill(fctx, counter); + fcount_logspill(fctx, counter, false); result = ISC_R_QUOTA; } else { counter->count++; @@ -1696,6 +1717,7 @@ fctx->dbucketnum = RES_NOBUCKET; if (counter->count == 0) { + fcount_logspill(fctx, counter, true); ISC_LIST_UNLINK(dbucket->list, counter, link); isc_mem_put(dbucket->mctx, counter, sizeof(*counter)); } @@ -1704,7 +1726,7 @@ UNLOCK(&dbucket->lock); } -static inline void +static void fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) { dns_fetchevent_t *event, *next_event; isc_task_t *task; @@ -1803,7 +1825,7 @@ } } -static inline void +static void log_edns(fetchctx_t *fctx) { char domainbuf[DNS_NAME_FORMATSIZE]; @@ -1986,7 +2008,7 @@ process_sendevent(query, event); } -static inline isc_result_t +static isc_result_t fctx_addopt(dns_message_t *message, unsigned int version, uint16_t udpsize, dns_ednsopt_t *ednsopts, size_t count) { dns_rdataset_t *rdataset = NULL; @@ -2000,7 +2022,7 @@ return (dns_message_setopt(message, rdataset)); } -static inline void +static void fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) { unsigned int seconds; unsigned int us; @@ -2428,7 +2450,7 @@ ISC_LIST_INITANDAPPEND(fctx->edns512, tried, link); } -static inline size_t +static size_t addr2buf(void *buf, const size_t bufsize, const isc_sockaddr_t *sockaddr) { isc_netaddr_t netaddr; isc_netaddr_fromsockaddr(&netaddr, sockaddr); @@ -2442,13 +2464,12 @@ memmove(buf, &netaddr.type.in6, 16); return (16); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (0); } -static inline isc_socket_t * +static isc_socket_t * query2sock(const resquery_t *query) { if (query->exclusivesocket) { return (dns_dispatch_getentrysocket(query->dispentry)); 
@@ -2457,7 +2478,7 @@ } } -static inline size_t +static size_t add_serveraddr(uint8_t *buf, const size_t bufsize, const resquery_t *query) { return (addr2buf(buf, bufsize, &query->addrinfo->sockaddr)); } @@ -3277,7 +3298,7 @@ } } -static inline bool +static bool bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) { isc_sockaddr_t *sa; @@ -3291,7 +3312,7 @@ return (false); } -static inline bool +static bool mark_bad(fetchctx_t *fctx) { dns_adbfind_t *curr; dns_adbaddrinfo_t *addrinfo; @@ -3696,6 +3717,7 @@ bool need_alternate = false; bool all_spilled = true; unsigned int no_addresses = 0; + unsigned int ns_processed = 0; FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); @@ -3887,6 +3909,11 @@ dns_rdata_reset(&rdata); dns_rdata_freestruct(&ns); + + if (++ns_processed >= NS_PROCESSING_LIMIT) { + result = ISC_R_NOMORE; + break; + } } if (result != ISC_R_NOMORE) { return (result); @@ -3995,7 +4022,7 @@ return (result); } -static inline void +static void possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) { isc_netaddr_t na; char buf[ISC_NETADDR_FORMATSIZE]; @@ -4062,7 +4089,7 @@ } } -static inline dns_adbaddrinfo_t * +static dns_adbaddrinfo_t * fctx_nextaddress(fetchctx_t *fctx) { dns_adbfind_t *find, *start; dns_adbaddrinfo_t *addrinfo; @@ -4358,9 +4385,9 @@ options, 0, fctx->qc, task, resume_qmin, fctx, &fctx->qminrrset, NULL, &fctx->qminfetch); if (result != ISC_R_SUCCESS) { - LOCK(&fctx->res->buckets[fctx->bucketnum].lock); + LOCK(&res->buckets[bucketnum].lock); RUNTIME_CHECK(!fctx_decreference(fctx)); - UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock); + UNLOCK(&res->buckets[bucketnum].lock); fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); } return; @@ -4435,7 +4462,6 @@ LOCK(&res->buckets[bucketnum].lock); if (SHUTTINGDOWN(fctx)) { - maybe_destroy(fctx, true); UNLOCK(&res->buckets[bucketnum].lock); goto cleanup; } 
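Review bot: When `++ns_processed >= NS_PROCESSING_LIMIT` fires in the `@@ -3887,6 +3909,11 @@` hunk, the loop exits with `result = ISC_R_NOMORE`, which the check right after the loop treats as the normal end of iteration, so the truncation leaves no trace. Someone debugging a resolution failure for a delegation with more NS records than the limit has no indication that the remaining servers were never looked up. A trace line before the `break`, such as `FCTXTRACE("NS processing limit reached");`, would make that visible. The counter is incremented at the bottom of the loop body and the loop starts outside the hunk, so it is worth confirming that no earlier `continue` path skips the increment and lets more records through than the cap intends.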
@@ -4973,7 +4999,7 @@ * Fetch Creation, Joining, and Cancellation. */ -static inline isc_result_t +static isc_result_t fctx_join(fetchctx_t *fctx, isc_task_t *task, const isc_sockaddr_t *client, dns_messageid_t id, isc_taskaction_t action, void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, @@ -5022,7 +5048,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void fctx_add_event(fetchctx_t *fctx, isc_task_t *task, const isc_sockaddr_t *client, dns_messageid_t id, isc_taskaction_t action, void *arg, dns_fetch_t *fetch, isc_eventtype_t event_type) { @@ -5050,7 +5076,7 @@ ISC_LIST_APPEND(fctx->events, event, ev_link); } -static inline void +static void log_ns_ttl(fetchctx_t *fctx, const char *where) { char namebuf[DNS_NAME_FORMATSIZE]; char domainbuf[DNS_NAME_FORMATSIZE]; @@ -5453,7 +5479,7 @@ /* * Handle Responses */ -static inline bool +static bool is_lame(fetchctx_t *fctx, dns_message_t *message) { dns_name_t *name; dns_rdataset_t *rdataset; @@ -5505,7 +5531,7 @@ return (false); } -static inline void +static void log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) { char namebuf[DNS_NAME_FORMATSIZE]; char domainbuf[DNS_NAME_FORMATSIZE]; @@ -5520,7 +5546,7 @@ domainbuf, addrbuf); } -static inline void +static void log_formerr(fetchctx_t *fctx, const char *format, ...) { char nsbuf[ISC_SOCKADDR_FORMATSIZE]; char msgbuf[2048]; 
@@ -5681,58 +5707,6 @@ #define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0) /* - * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has - * no references and is no longer waiting for any events). - * - * Requires: - * '*fctx' is shutting down. - * - * Returns: - * true if the resolver is exiting and this is the last fctx in the bucket. - */ -static bool -maybe_destroy(fetchctx_t *fctx, bool locked) { - unsigned int bucketnum; - bool bucket_empty = false; - dns_resolver_t *res = fctx->res; - dns_validator_t *validator, *next_validator; - bool dodestroy = false; - - bucketnum = fctx->bucketnum; - if (!locked) { - LOCK(&res->buckets[bucketnum].lock); - } - - REQUIRE(SHUTTINGDOWN(fctx)); - - if (fctx->pending != 0 || fctx->nqueries != 0) { - goto unlock; - } - - for (validator = ISC_LIST_HEAD(fctx->validators); validator != NULL; - validator = next_validator) - { - next_validator = ISC_LIST_NEXT(validator, link); - dns_validator_cancel(validator); - } - - if (isc_refcount_current(&fctx->references) == 0 && - ISC_LIST_EMPTY(fctx->validators)) - { - bucket_empty = fctx_unlink(fctx); - dodestroy = true; - } -unlock: - if (!locked) { - UNLOCK(&res->buckets[bucketnum].lock); - } - if (dodestroy) { - fctx_destroy(fctx); - } - return (bucket_empty); -} - -/* * The validator has finished. */ static void @@ -5747,12 +5721,13 @@ dns_rdataset_t *rdataset; dns_rdataset_t *sigrdataset; dns_resolver_t *res; - dns_valarg_t *valarg; + dns_valarg_t *valarg = event->ev_arg; dns_validatorevent_t *vevent; fetchctx_t *fctx; bool chaining; bool negative; bool sentresponse; + bool bucket_empty; isc_result_t eresult = ISC_R_SUCCESS; isc_result_t result = ISC_R_SUCCESS; isc_stdtime_t now; 
@@ -5766,14 +5741,15 @@ UNUSED(task); /* for now */ REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE); - valarg = event->ev_arg; + REQUIRE(VALID_FCTX(valarg->fctx)); + REQUIRE(!ISC_LIST_EMPTY(valarg->fctx->validators)); + fctx = valarg->fctx; + fctx_increference(fctx); dns_message_attach(valarg->message, &message); - REQUIRE(VALID_FCTX(fctx)); res = fctx->res; addrinfo = valarg->addrinfo; - REQUIRE(!ISC_LIST_EMPTY(fctx->validators)); vevent = (dns_validatorevent_t *)event; fctx->vresult = vevent->result; @@ -5806,17 +5782,10 @@ sentresponse = ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0); /* - * If shutting down, ignore the results. Check to see if we're - * done waiting for validator completions and ADB pending events; if - * so, destroy the fctx. + * If shutting down, ignore the results. */ if (SHUTTINGDOWN(fctx) && !sentresponse) { - bool bucket_empty; - bucket_empty = maybe_destroy(fctx, true); UNLOCK(&res->buckets[bucketnum].lock); - if (bucket_empty) { - empty_bucket(res); - } goto cleanup_event; } @@ -5878,18 +5847,15 @@ (void)dns_db_deleterdataset(fctx->cache, node, NULL, vevent->type, 0); - } - if (result == ISC_R_SUCCESS && - vevent->sigrdataset != NULL) { - (void)dns_db_deleterdataset( - fctx->cache, node, NULL, - dns_rdatatype_rrsig, vevent->type); - } - if (result == ISC_R_SUCCESS) { + if (vevent->sigrdataset != NULL) { + (void)dns_db_deleterdataset( + fctx->cache, node, NULL, + dns_rdatatype_rrsig, + vevent->type); + } dns_db_detachnode(fctx->cache, &node); } - } - if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) { + } else if (!negative) { /* * Cache the data as pending for later validation. */ 
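Review bot: The `fctx_increference(fctx)` added in hunk `@@ -5766,14 +5741,15 @@` (apparently in `validated()`, whose signature is outside the hunk) is released only by the `fctx_decreference(fctx)` added under `cleanup_event` in hunk `@@ -6211,6 +6165,13 @@`, roughly four hundred lines later, and neither site mentions the other. Every exit from the function now has to pass through `cleanup_event`, otherwise the reference is never dropped and the fetch context stays allocated. A comment at the increment, e.g. `/* Keep fctx alive for this callback; released at cleanup_event. */`, would warn anyone adding an early `return`. A matching comment at the release could note that `res` and `bucketnum` are used there because `fctx` may no longer be valid once the reference is dropped.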
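Review bot: In hunk `@@ -5878,18 +5847,15 @@` the explicit test `fctx->vresult == DNS_R_BROKENCHAIN && !negative` becomes `} else if (!negative) {`, so the broken-chain case is now identified only by being the else-arm of an `if` whose condition lies outside the hunk. If that condition is ever extended, data would be cached as pending for results other than a broken chain without any line in this branch changing. A trailing comment on the new line, `} else if (!negative) { /* fctx->vresult == DNS_R_BROKENCHAIN */`, keeps the assumption visible.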
@@ -5902,20 +5868,16 @@ (void)dns_db_addrdataset( fctx->cache, node, NULL, now, vevent->rdataset, 0, NULL); - } - if (result == ISC_R_SUCCESS && - vevent->sigrdataset != NULL) { - (void)dns_db_addrdataset( - fctx->cache, node, NULL, now, - vevent->sigrdataset, 0, NULL); - } - if (result == ISC_R_SUCCESS) { + if (vevent->sigrdataset != NULL) { + (void)dns_db_addrdataset( + fctx->cache, node, NULL, now, + vevent->sigrdataset, 0, NULL); + } dns_db_detachnode(fctx->cache, &node); } } result = fctx->vresult; add_bad(fctx, message, addrinfo, result, badns_validation); - isc_event_free(&event); UNLOCK(&res->buckets[bucketnum].lock); INSIST(fctx->validator == NULL); fctx->validator = ISC_LIST_HEAD(fctx->validators); @@ -5943,8 +5905,7 @@ fctx_try(fctx, true, true); /* Locks bucket. */ } - dns_message_detach(&message); - return; + goto cleanup_event; } if (negative) { @@ -6058,19 +6019,12 @@ } if (sentresponse) { - bool bucket_empty = false; /* * If we only deferred the destroy because we wanted to cache * the data, destroy now. */ dns_db_detachnode(fctx->cache, &node); - if (SHUTTINGDOWN(fctx)) { - bucket_empty = maybe_destroy(fctx, true); - } UNLOCK(&res->buckets[bucketnum].lock); - if (bucket_empty) { - empty_bucket(res); - } goto cleanup_event; } @@ -6211,6 +6165,13 @@ INSIST(node == NULL); dns_message_detach(&message); isc_event_free(&event); + + LOCK(&res->buckets[bucketnum].lock); + bucket_empty = fctx_decreference(fctx); + UNLOCK(&res->buckets[bucketnum].lock); + if (bucket_empty) { + empty_bucket(res); + } } static void @@ -6228,7 +6189,7 @@ fctx->info, msgbuf); } -static inline isc_result_t +static isc_result_t findnoqname(fetchctx_t *fctx, dns_message_t *message, dns_name_t *name, dns_rdatatype_t type, dns_name_t **noqnamep) { dns_rdataset_t *nrdataset, *next, *sigrdataset; 
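Review bot: Nothing next to the added `bucket_empty = fctx_decreference(fctx);` says that `fctx` may no longer be valid once that call returns, which is why the following `UNLOCK` has to go through the locals `res` and `bucketnum`. The resume_dslookup hunks rely on the same property when they replace `fctx->bucketnum` with a cached `bucketnum`. Presumably fctx_decreference() can destroy the fctx when the count reaches zero (its body is not shown here), so I would add `/* fctx may be gone after this; use only res and bucketnum below. */` at both sites to keep a later cleanup from reintroducing a read through `fctx`.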
@@ -6360,7 +6321,7 @@ return (result); } -static inline isc_result_t +static isc_result_t cache_name(fetchctx_t *fctx, dns_name_t *name, dns_message_t *message, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) { dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; @@ -6829,7 +6790,7 @@ return (result); } -static inline isc_result_t +static isc_result_t cache_message(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now) { isc_result_t result; @@ -6929,7 +6890,7 @@ return (result); } -static inline isc_result_t +static isc_result_t ncache_message(fetchctx_t *fctx, dns_message_t *message, dns_adbaddrinfo_t *addrinfo, dns_rdatatype_t covers, isc_stdtime_t now) { @@ -7100,7 +7061,7 @@ return (result); } -static inline void +static void mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external, bool gluing) { name->attributes |= DNS_NAMEATTR_CACHE; @@ -7135,7 +7096,7 @@ * subdomain or because it's below a forward declaration or a * locally served zone. */ -static inline bool +static bool name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { isc_result_t result; dns_forwarders_t *forwarders = NULL; @@ -7448,8 +7409,7 @@ RUNTIME_CHECK(result == ISC_R_SUCCESS); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (chainingp != NULL) { @@ -7596,6 +7556,7 @@ dns_resolver_t *res; fetchctx_t *fctx; isc_result_t result; + uint32_t bucketnum; bool bucket_empty; dns_rdataset_t nameservers; dns_fixedname_t fixed; @@ -7606,6 +7567,7 @@ fctx = event->ev_arg; REQUIRE(VALID_FCTX(fctx)); res = fctx->res; + bucketnum = fctx->bucketnum; UNUSED(task); FCTXTRACE("resume_dslookup"); 
@@ -7733,15 +7695,15 @@ if (dns_rdataset_isassociated(&nameservers)) { dns_rdataset_disassociate(&nameservers); } - LOCK(&res->buckets[fctx->bucketnum].lock); + LOCK(&res->buckets[bucketnum].lock); bucket_empty = fctx_decreference(fctx); - UNLOCK(&res->buckets[fctx->bucketnum].lock); + UNLOCK(&res->buckets[bucketnum].lock); if (bucket_empty) { empty_bucket(res); } } -static inline void +static void checknamessection(dns_message_t *message, dns_section_t section) { isc_result_t result; dns_name_t *name; @@ -7827,7 +7789,7 @@ isc_mem_put(mctx, buf, buflen); } -static inline bool +static bool iscname(dns_message_t *message, dns_name_t *name) { isc_result_t result; @@ -8004,7 +7966,7 @@ if (query->rmessage->counts[DNS_SECTION_QUESTION] == 0) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; case dns_rcode_nxrrset: /* Not expected. */ case dns_rcode_badcookie: case dns_rcode_noerror: @@ -10951,7 +10913,7 @@ } } -static inline bool +static bool fctx_match(fetchctx_t *fctx, const dns_name_t *name, dns_rdatatype_t type, unsigned int options) { /* @@ -10969,7 +10931,7 @@ return (dns_name_equal(&fctx->name, name)); } -static inline void +static void log_fetch(const dns_name_t *name, dns_rdatatype_t type) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; diff -Nru bind9-9.16.27/lib/dns/rootns.c bind9-9.16.33/lib/dns/rootns.c --- bind9-9.16.27/lib/dns/rootns.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rootns.c 2022-09-08 13:01:23.000000000 +0000 @@ -130,7 +130,7 @@ if (dns_name_compare(name, dns_rootname) == 0) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; default: result = ISC_R_FAILURE; goto cleanup; diff -Nru bind9-9.16.27/lib/dns/rpz.c bind9-9.16.33/lib/dns/rpz.c --- bind9-9.16.27/lib/dns/rpz.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rpz.c 2022-09-08 13:01:23.000000000 +0000 
@@ -279,9 +279,11 @@ case DNS_RPZ_POLICY_DNS64: str = "DNS64"; break; + case DNS_RPZ_POLICY_ERROR: + str = "ERROR"; + break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (str); } @@ -345,8 +347,7 @@ tgt_set->nsip = zbits; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -363,8 +364,7 @@ tgt_set->ns = DNS_RPZ_ZBIT(rpz_num); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -619,8 +619,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (inc) { @@ -1037,7 +1036,7 @@ * \brief Count Leading Zeros: Find the location of the left-most set * bit. */ -static inline unsigned int +static unsigned int clz(dns_rpz_cidr_word_t w) { unsigned int bit; @@ -1105,7 +1104,7 @@ * Given a hit while searching the radix trees, * clear all bits for higher numbered zones. */ -static inline dns_rpz_zbits_t +static dns_rpz_zbits_t trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) { dns_rpz_zbits_t x; @@ -1540,10 +1539,7 @@ * simplifies update_from_db */ - result = isc_ht_init(&zone->nodes, rpzs->mctx, 1); - if (result != ISC_R_SUCCESS) { - goto cleanup_ht; - } + isc_ht_init(&zone->nodes, rpzs->mctx, 1); dns_name_init(&zone->origin, NULL); dns_name_init(&zone->client_ip, NULL); @@ -1577,9 +1573,6 @@ return (ISC_R_SUCCESS); -cleanup_ht: - isc_timer_detach(&zone->updatetimer); - cleanup_timer: isc_refcount_decrementz(&zone->refs); isc_refcount_destroy(&zone->refs); 
@@ -1723,14 +1716,7 @@ ISC_LOG_DEBUG(1), "rpz: %s: using hashtable size %d", domain, hashsize); - result = isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize); - if (result != ISC_R_SUCCESS) { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_MASTER, ISC_LOG_ERROR, - "rpz: %s: failed to initialize hashtable - %s", - domain, isc_result_totext(result)); - goto cleanup; - } + isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize); result = dns_db_createiterator(rpz->updb, DNS_DB_NONSEC3, &rpz->updbit); if (result != ISC_R_SUCCESS) { @@ -1837,17 +1823,7 @@ * Iterate over old ht with existing nodes deleted to * delete deleted nodes from RPZ */ - result = isc_ht_iter_create(rpz->nodes, &iter); - if (result != ISC_R_SUCCESS) { - dns_name_format(&rpz->origin, domain, - DNS_NAME_FORMATSIZE); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_MASTER, ISC_LOG_ERROR, - "rpz: %s: failed to create HT " - "iterator - %s", - domain, isc_result_totext(result)); - goto cleanup; - } + isc_ht_iter_create(rpz->nodes, &iter); } name = dns_fixedname_initname(&fname); @@ -2631,8 +2607,7 @@ zbits &= have.nsipv4; break; default: - INSIST(0); - break; + UNREACHABLE(); } } else if (netaddr->family == AF_INET6) { dns_rpz_cidr_key_t src_ip6; @@ -2657,8 +2632,7 @@ zbits &= have.nsipv6; break; default: - INSIST(0); - break; + UNREACHABLE(); } } else { return (DNS_RPZ_INVALID_NUM); @@ -2695,8 +2669,7 @@ rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name); RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); 
@@ -2752,7 +2725,7 @@ found_zbits = nm_data->set.ns; } } - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_R_PARTIALMATCH: i = chain.level_matches; diff -Nru bind9-9.16.27/lib/dns/rrl.c bind9-9.16.33/lib/dns/rrl.c --- bind9-9.16.27/lib/dns/rrl.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/rrl.c 2022-09-08 13:01:23.000000000 +0000 @@ -29,12 +29,14 @@ #include #include +#include #include #include #include #include #include #include +#include static void log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, bool early, char *log_buf, @@ -135,7 +137,7 @@ /* * Convert a timestamp to a number of seconds in the past. */ -static inline int +static int delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) { int delta; @@ -157,7 +159,7 @@ return (0); } -static inline int +static int get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) { if (!e->ts_valid) { return (DNS_RRL_FOREVER); @@ -165,7 +167,7 @@ return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now)); } -static inline void +static void set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) { dns_rrl_entry_t *e_old; unsigned int ts_gen; @@ -273,7 +275,7 @@ return (ISC_R_SUCCESS); } -static inline dns_rrl_bin_t * +static dns_rrl_bin_t * get_bin(dns_rrl_hash_t *hash, unsigned int hval) { INSIST(hash != NULL); return (&hash->bins[hval % hash->length]); @@ -382,7 +384,7 @@ } } -static inline bool +static bool key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) { if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0) { return (true); @@ -390,7 +392,7 @@ return (false); } -static inline uint32_t +static uint32_t hash_key(const dns_rrl_key_t *key) { uint32_t hval; int i; 
@@ -413,12 +415,10 @@ */ static void make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key, - const isc_sockaddr_t *client_addr, dns_rdatatype_t qtype, - const dns_name_t *qname, dns_rdataclass_t qclass, - dns_rrl_rtype_t rtype) { - dns_name_t base; - dns_offsets_t base_offsets; - int labels, i; + const isc_sockaddr_t *client_addr, dns_zone_t *zone, + dns_rdatatype_t qtype, const dns_name_t *qname, + dns_rdataclass_t qclass, dns_rrl_rtype_t rtype) { + int i; memset(key, 0, sizeof(*key)); @@ -436,15 +436,30 @@ } if (qname != NULL && qname->labels != 0) { - /* - * Ignore the first label of wildcards. - */ + dns_name_t *origin = NULL; + if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 && - (labels = dns_name_countlabels(qname)) > 1) + zone != NULL && (origin = dns_zone_getorigin(zone)) != NULL) { - dns_name_init(&base, base_offsets); - dns_name_getlabelsequence(qname, 1, labels - 1, &base); - key->s.qname_hash = dns_name_fullhash(&base, false); + dns_fixedname_t fixed; + dns_name_t *wild; + isc_result_t result; + + /* + * Put all wildcard names in one bucket using the zone's + * origin name concatenated to the "*" name. + */ + wild = dns_fixedname_initname(&fixed); + result = dns_name_concatenate(dns_wildcardname, origin, + wild, NULL); + if (result != ISC_R_SUCCESS) { + /* + * Fallback to use the zone's origin name + * instead of the concatenated name. + */ + wild = origin; + } + key->s.qname_hash = dns_name_fullhash(wild, false); } else { key->s.qname_hash = dns_name_fullhash(qname, false); } @@ -466,7 +481,7 @@ } } -static inline dns_rrl_rate_t * +static dns_rrl_rate_t * get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) { switch (rtype) { case DNS_RRL_RTYPE_QUERY: @@ -482,8 +497,7 @@ case DNS_RRL_RTYPE_ALL: return (&rrl->all_per_second); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
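Review bot: In make_key(), a qname carrying `DNS_NAMEATTR_WILDCARD` now falls into the `else` branch and is hashed in full whenever `zone` is NULL or `dns_zone_getorigin(zone)` returns NULL, whereas the removed code always dropped the first label. In that case every name answered from the same wildcard gets its own rate-limit entry instead of being accounted together. Whether callers can reach this with a wildcard match and no zone is not visible here. If they can, either keep the old label-stripping as the fallback or record the behaviour with `/* Without a zone origin, wildcard-derived names are keyed per qname. */`.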
@@ -510,7 +524,7 @@ * Search for an entry for a response and optionally create it. */ static dns_rrl_entry_t * -get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, +get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, dns_zone_t *zone, dns_rdataclass_t qclass, dns_rdatatype_t qtype, const dns_name_t *qname, dns_rrl_rtype_t rtype, isc_stdtime_t now, bool create, char *log_buf, unsigned int log_buf_len) { @@ -521,7 +535,7 @@ dns_rrl_bin_t *new_bin, *old_bin; int probes, age; - make_key(rrl, &key, client_addr, qtype, qname, qclass, rtype); + make_key(rrl, &key, client_addr, zone, qtype, qname, qclass, rtype); hval = hash_key(&key); /* @@ -629,7 +643,7 @@ hash_key(&e->key), age_str, e->responses, action); } -static inline dns_rrl_result_t +static dns_rrl_result_t debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale, const isc_sockaddr_t *client_addr, isc_stdtime_t now, char *log_buf, unsigned int log_buf_len) { @@ -651,9 +665,9 @@ /* * The limit for clients that have used TCP is not scaled. */ - credit_e = get_entry(rrl, client_addr, 0, dns_rdatatype_none, - NULL, DNS_RRL_RTYPE_TCP, now, false, - log_buf, log_buf_len); + credit_e = get_entry( + rrl, client_addr, NULL, 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, false, log_buf, log_buf_len); if (credit_e != NULL) { age = get_age(rrl, e, now); if (age < rrl->window) { @@ -772,7 +786,7 @@ return (DNS_RRL_RESULT_DROP); } -static inline dns_rrl_qname_buf_t * +static dns_rrl_qname_buf_t * get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) { dns_rrl_qname_buf_t *qbuf; @@ -783,7 +797,7 @@ return (qbuf); } -static inline void +static void free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) { dns_rrl_qname_buf_t *qbuf; @@ -852,8 +866,7 @@ ADD_LOG_CSTR(&lb, "slip "); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } switch (e->key.s.rtype) { 
@@ -881,8 +894,7 @@ ADD_LOG_CSTR(&lb, "all "); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (plural) { @@ -1030,10 +1042,10 @@ * Main rate limit interface. */ dns_rrl_result_t -dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr, bool is_tcp, - dns_rdataclass_t qclass, dns_rdatatype_t qtype, const dns_name_t *qname, - isc_result_t resp_result, isc_stdtime_t now, bool wouldlog, - char *log_buf, unsigned int log_buf_len) { +dns_rrl(dns_view_t *view, dns_zone_t *zone, const isc_sockaddr_t *client_addr, + bool is_tcp, dns_rdataclass_t qclass, dns_rdatatype_t qtype, + const dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now, + bool wouldlog, char *log_buf, unsigned int log_buf_len) { dns_rrl_t *rrl; dns_rrl_rtype_t rtype; dns_rrl_entry_t *e; @@ -1106,9 +1118,10 @@ */ if (is_tcp) { if (scale < 1.0) { - e = get_entry(rrl, client_addr, 0, dns_rdatatype_none, - NULL, DNS_RRL_RTYPE_TCP, now, true, - log_buf, log_buf_len); + e = get_entry(rrl, client_addr, NULL, 0, + dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, true, log_buf, + log_buf_len); if (e != NULL) { e->responses = -(rrl->window + 1); set_age(rrl, e, now); @@ -1139,8 +1152,8 @@ rtype = DNS_RRL_RTYPE_ERROR; break; } - e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype, now, true, - log_buf, log_buf_len); + e = get_entry(rrl, client_addr, zone, qclass, qtype, qname, rtype, now, + true, log_buf, log_buf_len); if (e == NULL) { UNLOCK(&rrl->lock); return (DNS_RRL_RESULT_OK); 
@@ -1174,8 +1187,8 @@ dns_rrl_entry_t *e_all; dns_rrl_result_t rrl_all_result; - e_all = get_entry(rrl, client_addr, 0, dns_rdatatype_none, NULL, - DNS_RRL_RTYPE_ALL, now, true, log_buf, + e_all = get_entry(rrl, client_addr, zone, 0, dns_rdatatype_none, + NULL, DNS_RRL_RTYPE_ALL, now, true, log_buf, log_buf_len); if (e_all == NULL) { UNLOCK(&rrl->lock); diff -Nru bind9-9.16.27/lib/dns/sdb.c bind9-9.16.33/lib/dns/sdb.c --- bind9-9.16.27/lib/dns/sdb.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/sdb.c 2022-09-08 13:01:23.000000000 +0000 @@ -256,7 +256,7 @@ isc_mem_putanddetach(&imp->mctx, imp, sizeof(dns_sdbimplementation_t)); } -static inline unsigned int +static unsigned int initial_size(unsigned int len) { unsigned int size; @@ -1069,8 +1069,7 @@ UNUSED(db); UNUSED(node); UNUSED(now); - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } static void diff -Nru bind9-9.16.27/lib/dns/sdlz.c bind9-9.16.33/lib/dns/sdlz.c --- bind9-9.16.27/lib/dns/sdlz.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/sdlz.c 2022-09-08 13:01:23.000000000 +0000 @@ -251,7 +251,7 @@ } } -static inline unsigned int +static unsigned int initial_size(const char *data) { unsigned int len = (strlen(data) / 64) + 1; return (len * 64 + 64); @@ -736,8 +736,7 @@ UNUSED(db); UNUSED(node); UNUSED(now); - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } static void diff -Nru bind9-9.16.27/lib/dns/soa.c bind9-9.16.33/lib/dns/soa.c --- bind9-9.16.27/lib/dns/soa.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/soa.c 2022-09-08 13:01:23.000000000 +0000 
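Review bot: The `DNS_RRL_RTYPE_ALL` lookup now passes `zone` to get_entry() while the two `DNS_RRL_RTYPE_TCP` lookups in the earlier hunks pass `NULL`, although all three pass a NULL qname. make_key() only consults `zone` inside `if (qname != NULL && qname->labels != 0)`, so the argument is unused here and the difference reads as if the all-responses bucket were per zone. Passing `NULL` in this call as well, i.e. `e_all = get_entry(rrl, client_addr, NULL, 0, dns_rdatatype_none,`, keeps the three calls consistent.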
@@ -23,13 +23,13 @@ #include #include -static inline uint32_t +static uint32_t decode_uint32(unsigned char *p) { return (((uint32_t)p[0] << 24) + ((uint32_t)p[1] << 16) + ((uint32_t)p[2] << 8) + ((uint32_t)p[3] << 0)); } -static inline void +static void encode_uint32(uint32_t val, unsigned char *p) { p[0] = (uint8_t)(val >> 24); p[1] = (uint8_t)(val >> 16); diff -Nru bind9-9.16.27/lib/dns/ssu.c bind9-9.16.33/lib/dns/ssu.c --- bind9-9.16.27/lib/dns/ssu.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/ssu.c 2022-09-08 13:01:23.000000000 +0000 @@ -77,7 +77,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void destroy(dns_ssutable_t *table) { isc_mem_t *mctx; @@ -184,7 +184,7 @@ return (ISC_R_SUCCESS); } -static inline bool +static bool isusertype(dns_rdatatype_t type) { return (type != dns_rdatatype_ns && type != dns_rdatatype_soa && type != dns_rdatatype_rrsig); @@ -231,8 +231,7 @@ RUNTIME_CHECK(result < sizeof(buf)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_init(&b, buf, strlen(buf)); isc_buffer_add(&b, strlen(buf)); @@ -273,8 +272,7 @@ RUNTIME_CHECK(result < sizeof(buf)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_init(&b, buf, strlen(buf)); isc_buffer_add(&b, strlen(buf)); diff -Nru bind9-9.16.27/lib/dns/stats.c bind9-9.16.33/lib/dns/stats.c --- bind9-9.16.27/lib/dns/stats.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/stats.c 2022-09-08 13:01:23.000000000 +0000 @@ -261,7 +261,7 @@ isc_stats_increment(stats->counters, counter); } -inline static isc_statscounter_t +static isc_statscounter_t rdatatype2counter(dns_rdatatype_t type) { if (type > (dns_rdatatype_t)RDTYPECOUNTER_MAXTYPE) { return (0); 
@@ -279,7 +279,7 @@ isc_stats_increment(stats->counters, counter); } -static inline void +static void update_rdatasetstats(dns_stats_t *stats, dns_rdatastatstype_t rrsettype, bool increment) { isc_statscounter_t counter; diff -Nru bind9-9.16.27/lib/dns/tests/dispatch_test.c bind9-9.16.33/lib/dns/tests/dispatch_test.c --- bind9-9.16.27/lib/dns/tests/dispatch_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tests/dispatch_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -217,7 +217,7 @@ static dns_dispatch_t *dispatch = NULL; static dns_dispentry_t *dispentry = NULL; -static atomic_bool first = ATOMIC_VAR_INIT(true); +static atomic_bool first = true; static isc_sockaddr_t local; static atomic_uint_fast32_t responses; diff -Nru bind9-9.16.27/lib/dns/tests/dnstest.c bind9-9.16.33/lib/dns/tests/dnstest.c --- bind9-9.16.27/lib/dns/tests/dnstest.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tests/dnstest.c 2022-09-08 13:01:23.000000000 +0000 @@ -383,7 +383,6 @@ printf("bad input format: %02x\n", c); exit(3); - /* NOTREACHED */ } /* diff -Nru bind9-9.16.27/lib/dns/tests/geoip_test.c bind9-9.16.33/lib/dns/tests/geoip_test.c --- bind9-9.16.27/lib/dns/tests/geoip_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tests/geoip_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -122,8 +122,7 @@ } else if (inet_pton(AF_INET, addr, &in4) == 1) { isc_netaddr_fromin(&na, &in4); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } db = geoip2_database(&geoip, fix_subtype(&geoip, subtype)); diff -Nru bind9-9.16.27/lib/dns/tests/private_test.c bind9-9.16.33/lib/dns/tests/private_test.c --- bind9-9.16.27/lib/dns/tests/private_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tests/private_test.c 2022-09-08 13:01:23.000000000 +0000 
@@ -87,14 +87,10 @@ buf[2] = (testcase->keyid & 0xff); buf[3] = testcase->remove; buf[4] = testcase->complete; - private - ->data = buf; - private - ->length = len; - private - ->type = privatetype; - private - ->rdclass = dns_rdataclass_in; + private->data = buf; + private->length = len; + private->type = privatetype; + private->rdclass = dns_rdataclass_in; } static void diff -Nru bind9-9.16.27/lib/dns/tkey.c bind9-9.16.33/lib/dns/tkey.c --- bind9-9.16.27/lib/dns/tkey.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tkey.c 2022-09-08 13:01:23.000000000 +0000 @@ -226,6 +226,9 @@ while (!ISC_LIST_EMPTY(name->list)) { set = ISC_LIST_HEAD(name->list); ISC_LIST_UNLINK(name->list, set, link); + if (dns_rdataset_isassociated(set)) { + dns_rdataset_disassociate(set); + } dns_message_puttemprdataset(msg, &set); } dns_message_puttempname(msg, &name); @@ -1016,6 +1019,18 @@ if (dynbuf != NULL) { isc_buffer_free(&dynbuf); } + if (rdata != NULL) { + dns_message_puttemprdata(msg, &rdata); + } + if (tkeylist != NULL) { + dns_message_puttemprdatalist(msg, &tkeylist); + } + if (tkeyset != NULL) { + if (dns_rdataset_isassociated(tkeyset)) { + dns_rdataset_disassociate(tkeyset); + } + dns_message_puttemprdataset(msg, &tkeyset); + } return (result); } diff -Nru bind9-9.16.27/lib/dns/tsec.c bind9-9.16.33/lib/dns/tsec.c --- bind9-9.16.27/lib/dns/tsec.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tsec.c 2022-09-08 13:01:23.000000000 +0000 @@ -93,8 +93,7 @@ tsec->ukey.key = key; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } tsec->magic = DNS_TSEC_MAGIC; @@ -120,8 +119,7 @@ dst_key_free(&tsec->ukey.key); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } tsec->magic = 0; 
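Review bot: The cleanup added before `return (result);` in tkey.c releases `rdata`, `tkeylist` and `tkeyset` whenever they are non-NULL, which is only safe if no path reaches it after those objects have been linked into `msg`. The code that hands them over is outside the hunk, so this cannot be confirmed from here. If any failure jump can follow the hand-over, the pointers need to be set to NULL at that point to avoid releasing them twice. A one-line comment on the block, `/* Only reached before ownership passes to msg. */`, would record the assumption.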
@@ -148,7 +146,6 @@ *(dst_key_t **)keyp = tsec->ukey.key; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/dns/tsig.c bind9-9.16.33/lib/dns/tsig.c --- bind9-9.16.27/lib/dns/tsig.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/tsig.c 2022-09-08 13:01:23.000000000 +0000 @@ -1149,18 +1149,6 @@ return (ret); } } -#if defined(__clang__) && (__clang_major__ < 3 || \ - (__clang_major__ == 3 && __clang_minor__ < 2) || \ - (__clang_major__ == 4 && __clang_minor__ < 2)) - /* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */ - else - { - memset(&querytsig, 0, sizeof(querytsig)); - } -#endif /* if defined(__clang__) && (__clang_major__ < 3 || (__clang_major__ == \ - * 3 \ - * && __clang_minor__ < 2) || (__clang_major__ == 4 && __clang_minor__ \ - * < 2)) */ /* * Do the key name and algorithm match that of the query? diff -Nru bind9-9.16.27/lib/dns/update.c bind9-9.16.33/lib/dns/update.c --- bind9-9.16.27/lib/dns/update.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/update.c 2022-09-08 13:01:23.000000000 +0000 @@ -1712,7 +1712,7 @@ update_log(log, zone, ISC_LOG_DEBUG(3), "updated data signatures"); - /* FALLTHROUGH */ + FALLTHROUGH; case remove_orphaned: state->state = remove_orphaned; @@ -1744,7 +1744,7 @@ update_log(log, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain"); - /* FALLTHROUGH */ + FALLTHROUGH; case build_chain: state->state = build_chain; /* @@ -1834,7 +1834,7 @@ CHECK(uniqify_name_list(&state->affected)); - /* FALLTHROUGH */ + FALLTHROUGH; case process_nsec: state->state = process_nsec; @@ -1950,7 +1950,7 @@ update_log(log, zone, ISC_LOG_DEBUG(3), "signing rebuilt NSEC chain"); - /* FALLTHROUGH */ + FALLTHROUGH; case sign_nsec: state->state = sign_nsec; /* Update RRSIG NSECs. */ 
@@ -1971,8 +1971,7 @@ state->keyset_kskonly)); sigs++; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link); ISC_LIST_APPEND(state->work.tuples, t, link); @@ -1982,7 +1981,7 @@ } ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples, state->work.tuples, link); - /* FALLTHROUGH */ + FALLTHROUGH; case update_nsec3: state->state = update_nsec3; @@ -2074,7 +2073,7 @@ } } - /* FALLTHROUGH */ + FALLTHROUGH; case process_nsec3: state->state = process_nsec3; while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) { @@ -2125,7 +2124,7 @@ update_log(log, zone, ISC_LOG_DEBUG(3), "signing rebuilt NSEC3 chain"); - /* FALLTHROUGH */ + FALLTHROUGH; case sign_nsec3: state->state = sign_nsec3; /* Update RRSIG NSEC3s. */ @@ -2146,8 +2145,7 @@ state->keyset_kskonly)); sigs++; } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link); ISC_LIST_APPEND(state->work.tuples, t, link); @@ -2174,8 +2172,7 @@ INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } failure: @@ -2235,8 +2232,7 @@ } return (serial); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2267,8 +2263,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (used != NULL) { diff -Nru bind9-9.16.27/lib/dns/validator.c bind9-9.16.33/lib/dns/validator.c --- bind9-9.16.27/lib/dns/validator.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/validator.c 2022-09-08 13:01:23.000000000 +0000 @@ -172,7 +172,7 @@ * If we are validating a name that is marked as "must be secure", log a * warning and return DNS_R_MUSTBESECURE instead. */ -static inline isc_result_t +static isc_result_t markanswer(dns_validator_t *val, const char *where, const char *mbstext) { if (val->mustbesecure && mbstext != NULL) { validator_log(val, ISC_LOG_WARNING, 
@@ -195,7 +195,7 @@ /*% * Mark the RRsets in val->event with trust level secure. */ -static inline void +static void marksecure(dns_validatorevent_t *event) { dns_rdataset_settrust(event->rdataset, dns_trust_secure); if (event->sigrdataset != NULL) { @@ -232,7 +232,7 @@ /* * Called when deciding whether to destroy validator 'val'. */ -static inline bool +static bool exit_check(dns_validator_t *val) { /* * Caller must be holding the lock. @@ -529,7 +529,7 @@ goto unexpected; } - /* FALLTHROUGH */ + FALLTHROUGH; case ISC_R_SUCCESS: if (trustchain) { /* @@ -950,7 +950,7 @@ * \li DNS_R_NXDOMAIN * \li DNS_R_BROKENCHAIN */ -static inline isc_result_t +static isc_result_t view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) { dns_fixedname_t fixedname; dns_name_t *foundname; @@ -1000,7 +1000,7 @@ * Checks to make sure we are not going to loop. As we use a SHARED fetch * the validation process will stall if looping was to occur. */ -static inline bool +static bool check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_validator_t *parent; @@ -1031,7 +1031,7 @@ /*% * Start a fetch for the requested name and type. */ -static inline isc_result_t +static isc_result_t create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, isc_taskaction_t callback, const char *caller) { unsigned int fopts = 0; @@ -1062,7 +1062,7 @@ /*% * Start a subvalidation process. */ -static inline isc_result_t +static isc_result_t create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, isc_taskaction_t action, const char *caller) { 
@@ -3085,8 +3085,7 @@ result = validate_nx(val, false); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (result != DNS_R_WAIT) { diff -Nru bind9-9.16.27/lib/dns/view.c bind9-9.16.33/lib/dns/view.c --- bind9-9.16.27/lib/dns/view.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/view.c 2022-09-08 13:01:23.000000000 +0000 @@ -348,7 +348,7 @@ return (result); } -static inline void +static void destroy(dns_view_t *view) { dns_dns64_t *dns64; dns_dlzdb_t *dlzdb; diff -Nru bind9-9.16.27/lib/dns/win32/libdns.def.in bind9-9.16.33/lib/dns/win32/libdns.def.in --- bind9-9.16.27/lib/dns/win32/libdns.def.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/win32/libdns.def.in 2022-09-08 13:01:23.000000000 +0000 @@ -1491,6 +1491,7 @@ dst_key_is_unused dst_key_inactive dst_key_isexternal +dst_key_ismodified dst_key_isnullkey dst_key_isprivate dst_key_iszonekey @@ -1510,6 +1511,7 @@ dst_key_setexternal dst_key_setflags dst_key_setinactive +dst_key_setmodified dst_key_setnum dst_key_setprivateformat dst_key_setstate diff -Nru bind9-9.16.27/lib/dns/xfrin.c bind9-9.16.33/lib/dns/xfrin.c --- bind9-9.16.27/lib/dns/xfrin.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/xfrin.c 2022-09-08 13:01:23.000000000 +0000 @@ -682,11 +682,9 @@ case XFRST_AXFR_END: case XFRST_IXFR_END: FAIL(DNS_R_EXTRADATA); - /* NOTREACHED */ - /* FALLTHROUGH */ + FALLTHROUGH; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } result = ISC_R_SUCCESS; failure: @@ -1469,7 +1467,7 @@ break; case XFRST_AXFR_END: CHECK(axfr_finalize(xfr)); - /* FALLTHROUGH */ + FALLTHROUGH; case XFRST_IXFR_END: /* * Close the journal. diff -Nru bind9-9.16.27/lib/dns/zone.c bind9-9.16.33/lib/dns/zone.c --- bind9-9.16.27/lib/dns/zone.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/zone.c 2022-09-08 13:01:23.000000000 +0000 
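Review bot: In the xfrin.c `XFRST_AXFR_END`/`XFRST_IXFR_END` case, the removed `/* NOTREACHED */` was the only hint that `FAIL(DNS_R_EXTRADATA);` does not continue. With only `FALLTHROUGH;` left, the code reads as if extra data after the end of a transfer ran into `default: UNREACHABLE();` and aborted the process. Assuming FAIL() jumps to the `failure:` label visible at the end of the hunk (the macro is defined elsewhere), I would keep a short comment: `FALLTHROUGH; /* not reached: FAIL() jumps to failure */`.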
@@ -867,9 +867,9 @@ zone_idetach(dns_zone_t **zonep); static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump); -static inline void +static void zone_attachdb(dns_zone_t *zone, dns_db_t *db); -static inline void +static void zone_detachdb(dns_zone_t *zone); static void zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); @@ -1069,7 +1069,7 @@ /*% * Increment resolver-related statistics counters. Zone must be locked. */ -static inline void +static void inc_stats(dns_zone_t *zone, isc_statscounter_t counter) { if (zone->stats != NULL) { isc_stats_increment(zone->stats, counter); @@ -1397,7 +1397,7 @@ * Returns true iff this the signed side of an inline-signing zone. * Caller should hold zone lock. */ -static inline bool +static bool inline_secure(dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); if (zone->raw != NULL) { @@ -1410,7 +1410,7 @@ * Returns true iff this the unsigned side of an inline-signing zone * Caller should hold zone lock. */ -static inline bool +static bool inline_raw(dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); if (zone->secure != NULL) { @@ -6540,7 +6540,7 @@ UNLOCK_ZONE(zone); } -static inline bool +static bool was_dumping(dns_zone_t *zone) { REQUIRE(LOCKED_ZONE(zone)); @@ -10084,8 +10084,7 @@ &dnskey, &buf); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); } @@ -10144,7 +10143,7 @@ * 1/10 * OrigTTL, * 1/10 * RRSigExpirationInterval)) */ -static inline isc_stdtime_t +static isc_stdtime_t refresh_time(dns_keyfetch_t *kfetch, bool retry) { isc_result_t result; uint32_t t; @@ -11254,7 +11253,7 @@ if (zone->masters == NULL) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; case dns_zone_secondary: case dns_zone_mirror: case dns_zone_stub: @@ -11279,7 +11278,7 @@ if (zone->masters == NULL) { break; } - /* FALLTHROUGH */ + FALLTHROUGH; case dns_zone_secondary: case dns_zone_mirror: case dns_zone_stub: 
@@ -11644,7 +11643,7 @@ switch (result) { case ISC_R_SUCCESS: *needdump = true; - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_R_UPTODATE: if (dns_journal_recovered(journal)) { *fixjournal = true; @@ -12948,7 +12947,7 @@ /*** *** Private ***/ -static inline isc_result_t +static isc_result_t create_query(dns_zone_t *zone, dns_rdatatype_t rdtype, dns_name_t *name, dns_message_t **messagep) { dns_message_t *message = NULL; @@ -13145,7 +13144,7 @@ isc_buffer_t rb; isc_buffer_init(&rb, opcode, sizeof(opcode)); - (void)dns_opcode_totext(msg->rcode, &rb); + (void)dns_opcode_totext(msg->opcode, &rb); dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: " @@ -13350,7 +13349,7 @@ return (result); } -static inline isc_result_t +static isc_result_t save_nsrrset(dns_message_t *message, dns_name_t *name, struct stub_cb_args *cb_args, dns_db_t *db, dns_dbversion_t *version) { @@ -13574,7 +13573,7 @@ isc_buffer_t rb; isc_buffer_init(&rb, opcode, sizeof(opcode)); - (void)dns_opcode_totext(msg->rcode, &rb); + (void)dns_opcode_totext(msg->opcode, &rb); dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: " @@ -13980,7 +13979,7 @@ isc_buffer_t rb; isc_buffer_init(&rb, opcode, sizeof(opcode)); - (void)dns_opcode_totext(msg->rcode, &rb); + (void)dns_opcode_totext(msg->opcode, &rb); dns_zone_log(zone, ISC_LOG_INFO, "refresh: " @@ -14998,8 +14997,7 @@ if (zone->masters != NULL) { goto treat_as_slave; } - /* FALLTHROUGH */ - + FALLTHROUGH; case dns_zone_primary: if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) || DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) @@ -15062,8 +15060,7 @@ { next = zone->notifytime; } - /* FALLTHROUGH */ - + FALLTHROUGH; case dns_zone_stub: if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) && @@ -17377,7 +17374,7 @@ } /* The caller must hold the dblock as a writer. */ -static inline void +static void zone_attachdb(dns_zone_t *zone, dns_db_t *db) { REQUIRE(zone->db == NULL && db != NULL); 
@@ -17385,7 +17382,7 @@ } /* The caller must hold the dblock as a writer. */ -static inline void +static void zone_detachdb(dns_zone_t *zone) { REQUIRE(zone->db != NULL); @@ -17435,7 +17432,7 @@ switch (xfrresult) { case ISC_R_SUCCESS: DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_R_UPTODATE: DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER); /* @@ -17593,7 +17590,6 @@ zone->curmaster++; } while (zone->curmaster < zone->masterscnt && zone->mastersok[zone->curmaster]); - /* FALLTHROUGH */ same_master: if (zone->curmaster >= zone->masterscnt) { zone->curmaster = 0; @@ -18014,8 +18010,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } UNLOCK_ZONE(zone); INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr)); @@ -18176,7 +18171,7 @@ isc_buffer_t rb; isc_buffer_init(&rb, opcode, sizeof(opcode)); - (void)dns_opcode_totext(msg->rcode, &rb); + (void)dns_opcode_totext(msg->opcode, &rb); dns_zone_log(zone, ISC_LOG_INFO, "forwarding dynamic update: " @@ -18351,7 +18346,7 @@ #define GOLDEN_RATIO_32 0x61C88647 #define HASHSIZE(bits) (UINT64_C(1) << (bits)) -static inline uint32_t +static uint32_t hash_index(uint32_t val, uint32_t bits) { return (val * GOLDEN_RATIO_32 >> (32 - bits)); } @@ -19786,8 +19781,7 @@ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } UNLOCK_ZONE(zone); } @@ -19869,8 +19863,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read); 
@@ -21490,16 +21483,69 @@ KASP_UNLOCK(kasp); if (result == ISC_R_SUCCESS) { - bool cds_delete = false; + bool cdsdel = false; + bool cdnskeydel = false; isc_stdtime_t when; /* * Publish CDS/CDNSKEY DELETE records if the zone is * transitioning from secure to insecure. */ - if (kasp != NULL && - strcmp(dns_kasp_getname(kasp), "insecure") == 0) { - cds_delete = true; + if (kasp != NULL) { + if (strcmp(dns_kasp_getname(kasp), "insecure") == 0) { + cdsdel = true; + cdnskeydel = true; + } + } else { + /* Check if there is a CDS DELETE record. */ + if (dns_rdataset_isassociated(&cdsset)) { + for (result = dns_rdataset_first(&cdsset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&cdsset)) + { + dns_rdata_t crdata = DNS_RDATA_INIT; + dns_rdataset_current(&cdsset, &crdata); + /* + * CDS deletion record has this form + * "0 0 0 00" which is 5 zero octets. + */ + if (crdata.length == 5U && + memcmp(crdata.data, + (unsigned char[5]){ 0, 0, 0, + 0, 0 }, + 5) == 0) + { + cdsdel = true; + break; + } + } + } + + /* Check if there is a CDNSKEY DELETE record. */ + if (dns_rdataset_isassociated(&cdnskeyset)) { + for (result = dns_rdataset_first(&cdnskeyset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&cdnskeyset)) + { + dns_rdata_t crdata = DNS_RDATA_INIT; + dns_rdataset_current(&cdnskeyset, + &crdata); + /* + * CDNSKEY deletion record has this form + * "0 3 0 AA==" which is 2 zero octets, + * a 3, and 2 zero octets. + */ + if (crdata.length == 5U && + memcmp(crdata.data, + (unsigned char[5]){ 0, 0, 3, + 0, 0 }, + 5) == 0) + { + cdnskeydel = true; + break; + } + } + } } /* 
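Review bot: Both new scan loops in the `else` branch iterate through the function-wide `result`, inside a block that was entered on `result == ISC_R_SUCCESS`. When they finish, `result` holds either the iterator's end-of-set code or ISC_R_SUCCESS from the `break`. The enclosing function continues outside the hunk, so whether `result` is reassigned before it is next tested cannot be seen here. A loop-local variable, e.g. `isc_result_t r = dns_rdataset_first(&cdsset);`, would remove that dependency. The two loops differ only in the rdataset and the five-octet pattern, so a small static helper taking both would also avoid duplicating the `crdata.length == 5U` / `memcmp` check.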
@@ -21536,36 +21582,36 @@ goto failure; } - if (cds_delete) { + if (cdsdel || cdnskeydel) { /* * Only publish CDS/CDNSKEY DELETE records if there is * a KSK that can be used to verify the RRset. This * means there must be a key with the KSK role that is * published and is used for signing. */ - cds_delete = false; + bool allow = false; for (key = ISC_LIST_HEAD(dnskeys); key != NULL; key = ISC_LIST_NEXT(key, link)) { dst_key_t *dstk = key->key; - bool ksk = false; - (void)dst_key_getbool(dstk, DST_BOOL_KSK, &ksk); - if (!ksk) { - continue; - } - if (dst_key_haskasp(dstk) && - dst_key_is_published(dstk, now, &when) && + if (dst_key_is_published(dstk, now, &when) && dst_key_is_signing(dstk, DST_BOOL_KSK, now, &when)) { - cds_delete = true; + allow = true; break; } } + if (cdsdel) { + cdsdel = allow; + } + if (cdnskeydel) { + cdnskeydel = allow; + } } - result = dns_dnssec_syncdelete(&cdsset, &cdnskeyset, - &zone->origin, zone->rdclass, - ttl, &diff, mctx, cds_delete); + result = dns_dnssec_syncdelete( + &cdsset, &cdnskeyset, &zone->origin, zone->rdclass, ttl, + &diff, mctx, cdsdel, cdnskeydel); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_rekey:couldn't update CDS/CDNSKEY " @@ -23282,7 +23328,7 @@ ENTER; if (zone->update_disabled) { - goto failure; + goto disabled; } desired = sse->serial; @@ -23361,6 +23407,8 @@ dns_db_detach(&db); } dns_diff_clear(&diff); + +disabled: isc_event_free(&event); dns_zone_idetach(&zone); @@ -23475,7 +23523,7 @@ return (result); } -static inline dns_ttl_t +static dns_ttl_t zone_nsecttl(dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); diff -Nru bind9-9.16.27/lib/dns/zoneverify.c bind9-9.16.33/lib/dns/zoneverify.c --- bind9-9.16.27/lib/dns/zoneverify.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/dns/zoneverify.c 2022-09-08 13:01:23.000000000 +0000 
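Review bot: The comment above the key loop in the -21536 hunk still describes a key "with the KSK role", but the explicit `dst_key_getbool(dstk, DST_BOOL_KSK, &ksk)` test and the `dst_key_haskasp(dstk)` condition are removed. The role is now implied only by the `DST_BOOL_KSK` argument to `dst_key_is_signing()`, and keys without kasp state are apparently accepted so that the non-kasp path added in the previous hunk can pass. I would say so in the comment, e.g. `/* KSK role is checked via dst_key_is_signing(..., DST_BOOL_KSK, ...); keys need not be kasp-managed. */`, because this guard decides whether DELETE records get published. The trailing `if (cdsdel) { cdsdel = allow; }` pair reads more directly as `cdsdel = cdsdel && allow;` and `cdnskeydel = cdnskeydel && allow;`.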
@@ -101,7 +101,7 @@ * Helper function used to calculate length of variable-length * data section in object pointed to by 'chain'. */ -static inline size_t +static size_t chain_length(struct nsec3_chain_fixed *chain) { return (chain->salt_length + 2 * chain->next_length); } @@ -396,13 +396,12 @@ return (memcmp(e1 + 1, e2 + 1, data_length) == 0); } -static isc_result_t +static void record_nsec3(const vctx_t *vctx, const unsigned char *rawhash, const dns_rdata_nsec3_t *nsec3, isc_heap_t *chains) { - struct nsec3_chain_fixed *element; + struct nsec3_chain_fixed *element = NULL; + unsigned char *cp = NULL; size_t len; - unsigned char *cp; - isc_result_t result; len = sizeof(*element) + nsec3->next_length * 2 + nsec3->salt_length; @@ -418,13 +417,7 @@ memmove(cp, rawhash, nsec3->next_length); cp += nsec3->next_length; memmove(cp, nsec3->next, nsec3->next_length); - result = isc_heap_insert(chains, element); - if (result != ISC_R_SUCCESS) { - zoneverify_log_error(vctx, "isc_heap_insert failed: %s", - isc_result_totext(result)); - isc_mem_put(vctx->mctx, element, len); - } - return (result); + isc_heap_insert(chains, element); } /* @@ -499,12 +492,7 @@ /* * Record chain. */ - result = record_nsec3(vctx, rawhash, &nsec3, vctx->expected_chains); - if (result != ISC_R_SUCCESS) { - zoneverify_log_error(vctx, "record_nsec3(): %s", - isc_result_totext(result)); - return (result); - } + record_nsec3(vctx, rawhash, &nsec3, vctx->expected_chains); /* * Make sure there is only one NSEC3 record with this set of @@ -608,6 +596,7 @@ if (nsec3.next_length != isc_buffer_usedlength(&b)) { continue; } + /* * We only care about NSEC3 records that match a NSEC3PARAM * record. 
@@ -619,12 +608,7 @@ /* * Record chain. */ - result = record_nsec3(vctx, owner, &nsec3, vctx->found_chains); - if (result != ISC_R_SUCCESS) { - zoneverify_log_error(vctx, "record_nsec3(): %s", - isc_result_totext(result)); - goto cleanup; - } + record_nsec3(vctx, owner, &nsec3, vctx->found_chains); } result = ISC_R_SUCCESS; @@ -1121,7 +1105,7 @@ return (false); } -static inline bool +static bool checknext(isc_mem_t *mctx, const vctx_t *vctx, const struct nsec3_chain_fixed *first, struct nsec3_chain_fixed *prev, const struct nsec3_chain_fixed *cur) { @@ -1134,7 +1118,7 @@ return (result); } -static inline bool +static bool checklast(isc_mem_t *mctx, const vctx_t *vctx, struct nsec3_chain_fixed *first, struct nsec3_chain_fixed *prev) { bool result = _checknext(vctx, prev, first); @@ -1285,11 +1269,9 @@ return (ISC_R_SUCCESS); } -static isc_result_t +static void vctx_init(vctx_t *vctx, isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin, dns_keytable_t *secroots) { - isc_result_t result; - memset(vctx, 0, sizeof(*vctx)); vctx->mctx = mctx; @@ -1311,21 +1293,11 @@ dns_rdataset_init(&vctx->nsec3paramsigs); vctx->expected_chains = NULL; - result = isc_heap_create(mctx, chain_compare, NULL, 1024, - &vctx->expected_chains); - if (result != ISC_R_SUCCESS) { - return (result); - } + isc_heap_create(mctx, chain_compare, NULL, 1024, + &vctx->expected_chains); vctx->found_chains = NULL; - result = isc_heap_create(mctx, chain_compare, NULL, 1024, - &vctx->found_chains); - if (result != ISC_R_SUCCESS) { - isc_heap_destroy(&vctx->expected_chains); - return (result); - } - - return (result); + isc_heap_create(mctx, chain_compare, NULL, 1024, &vctx->found_chains); } static void 
@@ -1994,10 +1966,7 @@ isc_result_t result, vresult = ISC_R_UNSET; vctx_t vctx; - result = vctx_init(&vctx, mctx, zone, db, ver, origin, secroots); - if (result != ISC_R_SUCCESS) { - return (result); - } + vctx_init(&vctx, mctx, zone, db, ver, origin, secroots); result = check_apex_rrsets(&vctx); if (result != ISC_R_SUCCESS) { diff -Nru bind9-9.16.27/lib/irs/getnameinfo.c bind9-9.16.33/lib/irs/getnameinfo.c --- bind9-9.16.27/lib/irs/getnameinfo.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/irs/getnameinfo.c 2022-09-08 13:01:23.000000000 +0000 @@ -206,8 +206,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } proto = ((flags & NI_DGRAM) != 0) ? "udp" : "tcp"; diff -Nru bind9-9.16.27/lib/irs/win32/include/irs/netdb.h bind9-9.16.33/lib/irs/win32/include/irs/netdb.h --- bind9-9.16.27/lib/irs/win32/include/irs/netdb.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/irs/win32/include/irs/netdb.h 2022-09-08 13:01:23.000000000 +0000 @@ -31,7 +31,7 @@ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and * IPv6 */ size_t ai_addrlen; /* Length of ai_addr */ - char *ai_canonname; /* Canonical name for hostname */ + char *ai_canonname; /* Canonical name for hostname */ struct sockaddr *ai_addr; /* Binary address */ struct addrinfo *ai_next; /* Next structure in linked list */ }; diff -Nru bind9-9.16.27/lib/isc/Makefile.in bind9-9.16.33/lib/isc/Makefile.in --- bind9-9.16.27/lib/isc/Makefile.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/Makefile.in 2022-09-08 13:01:23.000000000 +0000 @@ -26,6 +26,7 @@ ${OPENSSL_CFLAGS} \ ${JSON_C_CFLAGS} \ ${LIBXML2_CFLAGS} \ + ${LIBUV_CFLAGS} \ ${ZLIB_CFLAGS} CDEFINES = CWARNINGS = 
@@ -53,14 +54,14 @@ bind9.@O@ buffer.@O@ bufferlist.@O@ \ commandline.@O@ counter.@O@ crc64.@O@ error.@O@ entropy.@O@ \ event.@O@ hash.@O@ ht.@O@ heap.@O@ hex.@O@ \ - hmac.@O@ hp.@O@ httpd.@O@ iterated_hash.@O@ \ + hmac.@O@ httpd.@O@ iterated_hash.@O@ \ lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \ managers.@O@ md.@O@ mem.@O@ mutexblock.@O@ \ netmgr/netmgr.@O@ netmgr/tcp.@O@ netmgr/udp.@O@ \ netmgr/tcpdns.@O@ \ netmgr/uverr2result.@O@ netmgr/uv-compat.@O@ \ netaddr.@O@ netscope.@O@ nonce.@O@ openssl_shim.@O@ pool.@O@ \ - parseint.@O@ portset.@O@ queue.@O@ quota.@O@ \ + parseint.@O@ portset.@O@ quota.@O@ \ radix.@O@ random.@O@ ratelimiter.@O@ \ region.@O@ regex.@O@ result.@O@ rwlock.@O@ \ safe.@O@ serial.@O@ siphash.@O@ sockaddr.@O@ stats.@O@ \ @@ -76,11 +77,11 @@ backtrace.c base32.c base64.c bind9.c \ buffer.c bufferlist.c commandline.c counter.c crc64.c \ entropy.c error.c event.c hash.c ht.c heap.c \ - hex.c hmac.c hp.c httpd.c iterated_hash.c \ + hex.c hmac.c httpd.c iterated_hash.c \ lex.c lfsr.c lib.c log.c \ managers.c md.c mem.c mutexblock.c \ netaddr.c netscope.c nonce.c openssl_shim.c pool.c \ - parseint.c portset.c queue.c quota.c radix.c random.c \ + parseint.c portset.c quota.c radix.c random.c \ ratelimiter.c region.c regex.c result.c rwlock.c \ safe.c serial.c siphash.c sockaddr.c stats.c string.c \ symtab.c task.c taskpool.c timer.c tls.c \ diff -Nru bind9-9.16.27/lib/isc/app.c bind9-9.16.33/lib/isc/app.c --- bind9-9.16.27/lib/isc/app.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/app.c 2022-09-08 13:01:23.000000000 +0000 @@ -52,7 +52,7 @@ */ static isc_thread_t blockedthread; -static atomic_bool is_running = ATOMIC_VAR_INIT(0); +static atomic_bool is_running = 0; #ifdef WIN32 /* 
@@ -323,8 +323,7 @@ true); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } } else { diff -Nru bind9-9.16.27/lib/isc/assertions.c bind9-9.16.33/lib/isc/assertions.c --- bind9-9.16.27/lib/isc/assertions.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/assertions.c 2022-09-08 13:01:23.000000000 +0000 @@ -47,7 +47,6 @@ const char *cond) { isc_assertion_failed_cb(file, line, type, cond); abort(); - /* NOTREACHED */ } /*% Set callback. */ diff -Nru bind9-9.16.27/lib/isc/base32.c bind9-9.16.33/lib/isc/base32.c --- bind9-9.16.27/lib/isc/base32.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/base32.c 2022-09-08 13:01:23.000000000 +0000 @@ -149,7 +149,7 @@ bool pad; /*%< Expect padding */ } base32_decode_ctx_t; -static inline void +static void base32_decode_init(base32_decode_ctx_t *ctx, int length, const char base[], bool pad, isc_buffer_t *target) { ctx->digits = 0; @@ -161,7 +161,7 @@ ctx->pad = pad; } -static inline isc_result_t +static isc_result_t base32_decode_char(base32_decode_ctx_t *ctx, int c) { const char *s; unsigned int last; @@ -269,7 +269,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t base32_decode_finish(base32_decode_ctx_t *ctx) { if (ctx->length > 0) { return (ISC_R_UNEXPECTEDEND); diff -Nru bind9-9.16.27/lib/isc/base64.c bind9-9.16.33/lib/isc/base64.c --- bind9-9.16.27/lib/isc/base64.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/base64.c 2022-09-08 13:01:23.000000000 +0000 @@ -100,7 +100,7 @@ int val[4]; } base64_decode_ctx_t; -static inline void +static void base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target) { ctx->digits = 0; ctx->seen_end = false; @@ -108,7 +108,7 @@ ctx->target = target; } -static inline isc_result_t +static isc_result_t base64_decode_char(base64_decode_ctx_t *ctx, int c) { const char *s; 
@@ -167,7 +167,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t base64_decode_finish(base64_decode_ctx_t *ctx) { if (ctx->length > 0) { return (ISC_R_UNEXPECTEDEND); diff -Nru bind9-9.16.27/lib/isc/heap.c bind9-9.16.33/lib/isc/heap.c --- bind9-9.16.27/lib/isc/heap.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/heap.c 2022-09-08 13:01:23.000000000 +0000 @@ -78,7 +78,7 @@ #define heap_check(x) (void)0 #endif /* ifdef ISC_HEAP_CHECK */ -isc_result_t +void isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare, isc_heapindex_t idx, unsigned int size_increment, isc_heap_t **heapp) { isc_heap_t *heap; @@ -102,8 +102,6 @@ heap->index = idx; *heapp = heap; - - return (ISC_R_SUCCESS); } void @@ -123,7 +121,7 @@ isc_mem_putanddetach(&heap->mctx, heap, sizeof(*heap)); } -static bool +static void resize(isc_heap_t *heap) { void **new_array; unsigned int new_size; @@ -139,8 +137,6 @@ } heap->size = new_size; heap->array = new_array; - - return (true); } static void @@ -194,7 +190,7 @@ heap_check(heap); } -isc_result_t +void isc_heap_insert(isc_heap_t *heap, void *elt) { unsigned int new_last; @@ -203,14 +199,12 @@ heap_check(heap); new_last = heap->last + 1; RUNTIME_CHECK(new_last > 0); /* overflow check */ - if (new_last >= heap->size && !resize(heap)) { - return (ISC_R_NOMEMORY); + if (new_last >= heap->size) { + resize(heap); } heap->last = new_last; float_up(heap, new_last, elt); - - return (ISC_R_SUCCESS); } void diff -Nru bind9-9.16.27/lib/isc/hex.c bind9-9.16.33/lib/isc/hex.c --- bind9-9.16.27/lib/isc/hex.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/hex.c 2022-09-08 13:01:23.000000000 +0000 
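Review bot: In isc_heap_insert() (hunk at -203) nothing now connects the array write done by `float_up(heap, new_last, elt)` to the outcome of `resize(heap)`, because the old `!resize(heap)` test is gone and resize() returns void. The body of resize() is only partly visible, so I cannot tell whether the new size computation is protected against unsigned wrap-around the way `new_last` is by its RUNTIME_CHECK. Adding `INSIST(new_last < heap->size);` directly after the `resize(heap)` call would state the bound explicitly before the array is indexed. The same reasoning applies to the callers in lib/dns/zoneverify.c, which now rely entirely on allocation failure aborting inside the allocator.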
@@ -77,14 +77,14 @@ int val[2]; } hex_decode_ctx_t; -static inline void +static void hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target) { ctx->digits = 0; ctx->length = length; ctx->target = target; } -static inline isc_result_t +static isc_result_t hex_decode_char(hex_decode_ctx_t *ctx, int c) { const char *s; @@ -109,7 +109,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t hex_decode_finish(hex_decode_ctx_t *ctx) { if (ctx->length > 0) { return (ISC_R_UNEXPECTEDEND); diff -Nru bind9-9.16.27/lib/isc/hp.c bind9-9.16.33/lib/isc/hp.c --- bind9-9.16.27/lib/isc/hp.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/hp.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,207 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Hazard Pointer implementation. - * - * This work is based on C++ code available from: - * https://github.com/pramalhe/ConcurrencyFreaks/ - * - * Copyright (c) 2014-2016, Pedro Ramalhete, Andreia Correia - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the name of Concurrency Freaks nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - * THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include - -#include -#include -#include -#include -#include -#include -#include - -#define HP_MAX_THREADS 128 -static int isc__hp_max_threads = HP_MAX_THREADS; -#define HP_MAX_HPS 4 /* This is named 'K' in the HP paper */ -#define CLPAD (128 / sizeof(uintptr_t)) -#define HP_THRESHOLD_R 0 /* This is named 'R' in the HP paper */ - -/* Maximum number of retired objects per thread */ -static int isc__hp_max_retired = HP_MAX_THREADS * HP_MAX_HPS; - -typedef struct retirelist { - int size; - uintptr_t *list; -} retirelist_t; - -struct isc_hp { - int max_hps; - isc_mem_t *mctx; - atomic_uintptr_t **hp; - retirelist_t **rl; - isc_hp_deletefunc_t *deletefunc; -}; - -static inline int -tid(void) { - return (isc_tid_v); -} - -void -isc_hp_init(int max_threads) { - isc__hp_max_threads = max_threads; - isc__hp_max_retired = max_threads * HP_MAX_HPS; -} - -isc_hp_t * -isc_hp_new(isc_mem_t *mctx, size_t max_hps, isc_hp_deletefunc_t *deletefunc) { - isc_hp_t *hp = isc_mem_get(mctx, sizeof(*hp)); - - if (max_hps == 0) { - max_hps = HP_MAX_HPS; - } - - *hp = (isc_hp_t){ .max_hps = max_hps, .deletefunc = deletefunc }; - - isc_mem_attach(mctx, &hp->mctx); - - hp->hp = isc_mem_get(mctx, isc__hp_max_threads * sizeof(hp->hp[0])); - hp->rl = isc_mem_get(mctx, isc__hp_max_threads * sizeof(hp->rl[0])); - - for (int i = 0; i < isc__hp_max_threads; i++) { - hp->hp[i] = isc_mem_get(mctx, CLPAD * 2 * sizeof(hp->hp[i][0])); - hp->rl[i] = isc_mem_get(mctx, sizeof(*hp->rl[0])); - *hp->rl[i] = 
(retirelist_t){ .size = 0 }; - - for (int j = 0; j < hp->max_hps; j++) { - atomic_init(&hp->hp[i][j], 0); - } - hp->rl[i]->list = isc_mem_get( - hp->mctx, isc__hp_max_retired * sizeof(uintptr_t)); - } - - return (hp); -} - -void -isc_hp_destroy(isc_hp_t *hp) { - for (int i = 0; i < isc__hp_max_threads; i++) { - isc_mem_put(hp->mctx, hp->hp[i], - CLPAD * 2 * sizeof(hp->hp[i][0])); - - for (int j = 0; j < hp->rl[i]->size; j++) { - void *data = (void *)hp->rl[i]->list[j]; - hp->deletefunc(data); - } - isc_mem_put(hp->mctx, hp->rl[i]->list, - isc__hp_max_retired * sizeof(uintptr_t)); - isc_mem_put(hp->mctx, hp->rl[i], sizeof(*hp->rl[0])); - } - isc_mem_put(hp->mctx, hp->hp, isc__hp_max_threads * sizeof(hp->hp[0])); - isc_mem_put(hp->mctx, hp->rl, isc__hp_max_threads * sizeof(hp->rl[0])); - - isc_mem_putanddetach(&hp->mctx, hp, sizeof(*hp)); -} - -void -isc_hp_clear(isc_hp_t *hp) { - for (int i = 0; i < hp->max_hps; i++) { - atomic_store_release(&hp->hp[tid()][i], 0); - } -} - -void -isc_hp_clear_one(isc_hp_t *hp, int ihp) { - atomic_store_release(&hp->hp[tid()][ihp], 0); -} - -uintptr_t -isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom) { - uintptr_t n = 0; - uintptr_t ret; - while ((ret = atomic_load(atom)) != n) { - atomic_store(&hp->hp[tid()][ihp], ret); - n = ret; - } - return (ret); -} - -uintptr_t -isc_hp_protect_ptr(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) { - atomic_store(&hp->hp[tid()][ihp], atomic_load(&ptr)); - return (atomic_load(&ptr)); -} - -uintptr_t -isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr) { - atomic_store_release(&hp->hp[tid()][ihp], atomic_load(&ptr)); - return (atomic_load(&ptr)); -} - -void -isc_hp_retire(isc_hp_t *hp, uintptr_t ptr) { - hp->rl[tid()]->list[hp->rl[tid()]->size++] = ptr; - INSIST(hp->rl[tid()]->size < isc__hp_max_retired); - - if (hp->rl[tid()]->size < HP_THRESHOLD_R) { - return; - } - - for (int iret = 0; iret < hp->rl[tid()]->size; iret++) { - uintptr_t obj = hp->rl[tid()]->list[iret]; - 
bool can_delete = true; - for (int itid = 0; itid < isc__hp_max_threads && can_delete; - itid++) { - for (int ihp = hp->max_hps - 1; ihp >= 0; ihp--) { - if (atomic_load(&hp->hp[itid][ihp]) == obj) { - can_delete = false; - break; - } - } - } - - if (can_delete) { - size_t bytes = (hp->rl[tid()]->size - iret) * - sizeof(hp->rl[tid()]->list[0]); - memmove(&hp->rl[tid()]->list[iret], - &hp->rl[tid()]->list[iret + 1], bytes); - hp->rl[tid()]->size--; - hp->deletefunc((void *)obj); - } - } -} diff -Nru bind9-9.16.27/lib/isc/ht.c bind9-9.16.33/lib/isc/ht.c --- bind9-9.16.27/lib/isc/ht.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/ht.c 2022-09-08 13:01:23.000000000 +0000 @@ -49,7 +49,7 @@ isc_ht_node_t *cur; }; -isc_result_t +void isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) { isc_ht_t *ht = NULL; size_t i; @@ -76,7 +76,6 @@ ht->magic = ISC_HT_MAGIC; *htp = ht; - return (ISC_R_SUCCESS); } void @@ -201,7 +200,7 @@ return (ISC_R_NOTFOUND); } -isc_result_t +void isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) { isc_ht_iter_t *it; @@ -215,8 +214,6 @@ it->cur = NULL; *itp = it; - - return (ISC_R_SUCCESS); } void diff -Nru bind9-9.16.27/lib/isc/httpd.c bind9-9.16.33/lib/isc/httpd.c --- bind9-9.16.27/lib/isc/httpd.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/httpd.c 2022-09-08 13:01:23.000000000 +0000 @@ -240,7 +240,7 @@ } } -static inline void +static void free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) { isc_region_t r; @@ -286,7 +286,7 @@ isc_httpdmgr_detach(&httpdmgr); } -static inline isc_result_t +static isc_result_t httpdmgr_socket_accept(isc_task_t *task, isc_httpdmgr_t *httpdmgr) { isc_result_t result = ISC_R_SUCCESS; @@ -300,7 +300,7 @@ return (result); } -static inline void +static void httpd_socket_recv(isc_httpd_t *httpd, isc_region_t *region, isc_task_t *task) { isc_result_t result = ISC_R_SUCCESS; 
@@ -313,7 +313,7 @@ } } -static inline void +static void httpd_socket_send(isc_httpd_t *httpd, isc_region_t *region, isc_task_t *task) { isc_result_t result = ISC_R_SUCCESS; diff -Nru bind9-9.16.27/lib/isc/include/isc/Makefile.in bind9-9.16.33/lib/isc/include/isc/Makefile.in --- bind9-9.16.27/lib/isc/include/isc/Makefile.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/Makefile.in 2022-09-08 13:01:23.000000000 +0000 @@ -25,13 +25,13 @@ cmocka.h commandline.h counter.h crc64.h deprecated.h \ endian.h errno.h error.h event.h eventclass.h \ file.h formatcheck.h fsaccess.h fuzz.h \ - hash.h heap.h hex.h hmac.h hp.h ht.h httpd.h \ + hash.h heap.h hex.h hmac.h ht.h httpd.h \ interfaceiter.h iterated_hash.h \ lang.h lex.h lfsr.h lib.h likely.h list.h log.h \ magic.h managers.h md.h mem.h meminfo.h \ - mutexatomic.h mutexblock.h \ + mutexblock.h \ netaddr.h netmgr.h netscope.h nonce.h os.h parseint.h \ - pool.h portset.h print.h queue.h quota.h \ + pool.h portset.h print.h quota.h \ radix.h random.h ratelimiter.h refcount.h regex.h \ region.h resource.h result.h resultclass.h rwlock.h \ safe.h serial.h siphash.h sockaddr.h socket.h \ diff -Nru bind9-9.16.27/lib/isc/include/isc/assertions.h bind9-9.16.33/lib/isc/include/isc/assertions.h --- bind9-9.16.27/lib/isc/include/isc/assertions.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/assertions.h 2022-09-08 13:01:23.000000000 +0000 @@ -69,6 +69,11 @@ isc_assertiontype_invariant, #cond), \ 0))) +#define ISC_UNREACHABLE() \ + (isc_assertion_failed(__FILE__, __LINE__, isc_assertiontype_insist, \ + "unreachable"), \ + __builtin_unreachable()) + ISC_LANG_ENDDECLS #endif /* ISC_ASSERTIONS_H */ diff -Nru bind9-9.16.27/lib/isc/include/isc/atomic.h bind9-9.16.33/lib/isc/include/isc/atomic.h --- bind9-9.16.27/lib/isc/include/isc/atomic.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/atomic.h 2022-09-08 13:01:23.000000000 +0000 
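Review bot: The ISC_UNREACHABLE() macro added to isc/assertions.h calls `__builtin_unreachable()` unconditionally, and that is a GCC/Clang builtin. This diff still touches Windows headers (lib/irs/win32/include/irs/netdb.h), so the macro will not build with other compilers unless a fallback is defined somewhere outside this hunk. The lib/isc/assertions.c hunk shows the assertion path ending in `abort()`, so the builtin appears to be only an optimizer hint. It can sit behind a compiler check, with the macro reducing to the `isc_assertion_failed(...)` call elsewhere. A short comment on the macro saying that it always aborts, in all build types, would also help readers of the many `default: UNREACHABLE();` sites.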
@@ -13,15 +13,11 @@ #pragma once -#ifdef ISC_MUTEX_ATOMICS -#include -#else /* ifdef ISC_MUTEX_ATOMICS */ #if HAVE_STDATOMIC_H #include #else /* if HAVE_STDATOMIC_H */ #include #endif /* if HAVE_STDATOMIC_H */ -#endif /* ifdef ISC_MUTEX_ATOMICS */ /* * We define a few additional macros to make things easier diff -Nru bind9-9.16.27/lib/isc/include/isc/backtrace.h bind9-9.16.33/lib/isc/include/isc/backtrace.h --- bind9-9.16.27/lib/isc/include/isc/backtrace.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/backtrace.h 2022-09-08 13:01:23.000000000 +0000 @@ -45,7 +45,7 @@ *** Types ***/ struct isc_backtrace_symmap { - void *addr; + void *addr; const char *symbol; }; diff -Nru bind9-9.16.27/lib/isc/include/isc/buffer.h bind9-9.16.33/lib/isc/include/isc/buffer.h --- bind9-9.16.27/lib/isc/include/isc/buffer.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/buffer.h 2022-09-08 13:01:23.000000000 +0000 @@ -174,7 +174,7 @@ struct isc_buffer { unsigned int magic; - void *base; + void *base; /*@{*/ /*! The following integers are byte offsets from 'base'. */ unsigned int length; @@ -1052,7 +1052,7 @@ #define isc_buffer_constinit(_b, _d, _l) \ do { \ union { \ - void *_var; \ + void *_var; \ const void *_const; \ } _deconst; \ _deconst._const = (_d); \ diff -Nru bind9-9.16.27/lib/isc/include/isc/heap.h bind9-9.16.33/lib/isc/include/isc/heap.h --- bind9-9.16.27/lib/isc/include/isc/heap.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/heap.h 2022-09-08 13:01:23.000000000 +0000 @@ -47,7 +47,7 @@ typedef struct isc_heap isc_heap_t; -isc_result_t +void isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare, isc_heapindex_t index, unsigned int size_increment, isc_heap_t **heapp); 
@@ -72,10 +72,6 @@ * used, which is currently 1024, allowing space for an additional 1024 * heap elements to be inserted before adding more space. *\li "heapp" is not NULL, and "*heap" is NULL. - * - * Returns: - *\li ISC_R_SUCCESS - success - *\li ISC_R_NOMEMORY - insufficient memory */ void @@ -87,7 +83,7 @@ *\li "heapp" is not NULL and "*heap" points to a valid isc_heap_t. */ -isc_result_t +void isc_heap_insert(isc_heap_t *heap, void *elt); /*!< * \brief Inserts a new element into a heap. diff -Nru bind9-9.16.27/lib/isc/include/isc/hp.h bind9-9.16.33/lib/isc/include/isc/hp.h --- bind9-9.16.27/lib/isc/include/isc/hp.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/hp.h 1970-01-01 00:00:00.000000000 +0000 
@@ -1,140 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Hazard Pointer implementation. - * - * This work is based on C++ code available from: - * https://github.com/pramalhe/ConcurrencyFreaks/ - * - * Copyright (c) 2014-2016, Pedro Ramalhete, Andreia Correia - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the name of Concurrency Freaks nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF - * THE POSSIBILITY OF SUCH DAMAGE. - */ - -#pragma once - -#include -#include -#include -#include -#include - -/*% - * Hazard pointers are a mechanism for protecting objects in memory - * from being deleted by other threads while in use. This allows - * safe lock-free data structures. - * - * This is an adaptation of the ConcurrencyFreaks implementation in C. - * More details available at https://github.com/pramalhe/ConcurrencyFreaks, - * in the file HazardPointers.hpp. - */ - -typedef void(isc_hp_deletefunc_t)(void *); - -void -isc_hp_init(int max_threads); -/*%< - * Initialize hazard pointer constants - isc__hp_max_threads. If more threads - * will try to access hp it will assert. - */ - -isc_hp_t * -isc_hp_new(isc_mem_t *mctx, size_t max_hps, isc_hp_deletefunc_t *deletefunc); -/*%< - * Create a new hazard pointer array of size 'max_hps' (or a reasonable - * default value if 'max_hps' is 0). The function 'deletefunc' will be - * used to delete objects protected by hazard pointers when it becomes - * safe to retire them. - */ - -void -isc_hp_destroy(isc_hp_t *hp); -/*%< - * Destroy a hazard pointer array and clean up all objects protected - * by hazard pointers. - */ - -void -isc_hp_clear(isc_hp_t *hp); -/*%< - * Clear all hazard pointers in the array for the current thread. - * - * Progress condition: wait-free bounded (by max_hps) - */ - -void -isc_hp_clear_one(isc_hp_t *hp, int ihp); -/*%< - * Clear a specified hazard pointer in the array for the current thread. 
- * - * Progress condition: wait-free population oblivious. - */ - -uintptr_t -isc_hp_protect(isc_hp_t *hp, int ihp, atomic_uintptr_t *atom); -/*%< - * Protect an object referenced by 'atom' with a hazard pointer for the - * current thread. - * - * Progress condition: lock-free. - */ - -uintptr_t -isc_hp_protect_ptr(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr); -/*%< - * This returns the same value that is passed as ptr, which is sometimes - * useful. - * - * Progress condition: wait-free population oblivious. - */ - -uintptr_t -isc_hp_protect_release(isc_hp_t *hp, int ihp, atomic_uintptr_t ptr); -/*%< - * Same as isc_hp_protect_ptr(), but explicitly uses memory_order_release. - * - * Progress condition: wait-free population oblivious. - */ - -void -isc_hp_retire(isc_hp_t *hp, uintptr_t ptr); -/*%< - * Retire an object that is no longer in use by any thread, calling - * the delete function that was specified in isc_hp_new(). - * - * Progress condition: wait-free bounded (by the number of threads squared) - */ diff -Nru bind9-9.16.27/lib/isc/include/isc/ht.h bind9-9.16.33/lib/isc/include/isc/ht.h --- bind9-9.16.27/lib/isc/include/isc/ht.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/ht.h 2022-09-08 13:01:23.000000000 +0000 @@ -33,11 +33,8 @@ *\li 'mctx' is a valid memory context. *\li 'bits' >=1 and 'bits' <=32 * - * Returns: - *\li #ISC_R_NOMEMORY -- not enough memory to create pool - *\li #ISC_R_SUCCESS -- all is well. */ -isc_result_t +void isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits); /*% @@ -102,7 +99,7 @@ *\li 'ht' is a valid hashtable *\li 'itp' is non NULL and '*itp' is NULL. */ -isc_result_t +void isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp); /*% @@ -121,7 +118,7 @@ *\li 'it' is non NULL. * * Returns: - * \li #ISC_R_SUCCESS -- success + * \li #ISC_R_SUCCESS -- success * \li #ISC_R_NOMORE -- no data in the hashtable */ isc_result_t 
@@ -134,7 +131,7 @@ *\li 'it' is non NULL. * * Returns: - * \li #ISC_R_SUCCESS -- success + * \li #ISC_R_SUCCESS -- success * \li #ISC_R_NOMORE -- end of hashtable reached */ isc_result_t @@ -147,7 +144,7 @@ *\li 'it' is non NULL. * * Returns: - * \li #ISC_R_SUCCESS -- success + * \li #ISC_R_SUCCESS -- success * \li #ISC_R_NOMORE -- end of hashtable reached */ isc_result_t diff -Nru bind9-9.16.27/lib/isc/include/isc/httpd.h bind9-9.16.33/lib/isc/include/isc/httpd.h --- bind9-9.16.27/lib/isc/include/isc/httpd.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/httpd.h 2022-09-08 13:01:23.000000000 +0000 @@ -33,9 +33,9 @@ * the data cleanup function. */ struct isc_httpdurl { - char *url; + char *url; isc_httpdaction_t *action; - void *action_arg; + void *action_arg; bool isstatic; isc_time_t loadtime; ISC_LINK(isc_httpdurl_t) link; @@ -52,7 +52,7 @@ */ isc_result_t isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task, - isc_httpdclientok_t *client_ok, + isc_httpdclientok_t *client_ok, isc_httpdondestroy_t *ondestory, void *cb_arg, isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp); diff -Nru bind9-9.16.27/lib/isc/include/isc/lex.h bind9-9.16.33/lib/isc/include/isc/lex.h --- bind9-9.16.27/lib/isc/include/isc/lex.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/lex.h 2022-09-08 13:01:23.000000000 +0000 @@ -131,7 +131,7 @@ unsigned long as_ulong; isc_region_t as_region; isc_textregion_t as_textregion; - void *as_pointer; + void *as_pointer; } isc_tokenvalue_t; typedef struct isc_token { diff -Nru bind9-9.16.27/lib/isc/include/isc/lfsr.h bind9-9.16.33/lib/isc/include/isc/lfsr.h --- bind9-9.16.27/lib/isc/include/isc/lfsr.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/lfsr.h 2022-09-08 13:01:23.000000000 +0000 
@@ -44,7 +44,7 @@ uint32_t tap; /*%< bit taps */ unsigned int count; /*%< reseed count (in BITS!) */ isc_lfsrreseed_t reseed; /*%< reseed function */ - void *arg; /*%< reseed function argument */ + void *arg; /*%< reseed function argument */ }; ISC_LANG_BEGINDECLS diff -Nru bind9-9.16.27/lib/isc/include/isc/list.h bind9-9.16.33/lib/isc/include/isc/list.h --- bind9-9.16.27/lib/isc/include/isc/list.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/list.h 2022-09-08 13:01:23.000000000 +0000 @@ -11,8 +11,7 @@ * information regarding copyright ownership. */ -#ifndef ISC_LIST_H -#define ISC_LIST_H 1 +#pragma once #include @@ -200,4 +199,16 @@ #define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \ __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type) -#endif /* ISC_LIST_H */ +#define ISC_LIST_MOVEUNSAFE(dest, src) \ + { \ + (dest).head = (src).head; \ + (dest).tail = (src).tail; \ + (src).head = NULL; \ + (src).tail = NULL; \ + } + +#define ISC_LIST_MOVE(dest, src) \ + { \ + INSIST(ISC_LIST_EMPTY(dest)); \ + ISC_LIST_MOVEUNSAFE(dest, src); \ + } diff -Nru bind9-9.16.27/lib/isc/include/isc/log.h bind9-9.16.33/lib/isc/include/isc/log.h --- bind9-9.16.27/lib/isc/include/isc/log.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/log.h 2022-09-08 13:01:23.000000000 +0000 @@ -162,7 +162,7 @@ * the order of the names. */ LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[]; -LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx; +LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx; LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[]; /*@}*/ 
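Review bot: The new ISC_LIST_MOVEUNSAFE and ISC_LIST_MOVE macros in the @@ -200 hunk of list.h expand to a bare `{ ... }` block, so `if (c) ISC_LIST_MOVE(a, b); else ...` does not compile and the caller's semicolon becomes a stray empty statement. Opening each body with `do { \` and closing it with `} while (0)` makes them usable as single statements. Both macros also evaluate `dest` and `src` more than once, which deserves a one-line comment such as `/* 'dest' and 'src' are evaluated more than once; pass plain lvalues. */`.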
@@ -444,7 +444,7 @@ isc_result_t isc_log_usechannel(isc_logconfig_t *lcfg, const char *name, const isc_logcategory_t *category, - const isc_logmodule_t *module); + const isc_logmodule_t *module); /*%< * Associate a named logging channel with a category and module that * will use it. diff -Nru bind9-9.16.27/lib/isc/include/isc/mem.h bind9-9.16.33/lib/isc/include/isc/mem.h --- bind9-9.16.27/lib/isc/include/isc/mem.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/mem.h 2022-09-08 13:01:23.000000000 +0000 @@ -130,10 +130,26 @@ #define ISC_MEMFLAG_FILL \ 0x00000004 /* fill with pattern after alloc and frees */ +/*% + * Define ISC_MEM_DEFAULTFILL=1 to turn filling the memory with pattern + * after alloc and free. + */ #if !ISC_MEM_USE_INTERNAL_MALLOC + +#if ISC_MEM_DEFAULTFILL +#define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_FILL +#else /* if ISC_MEM_DEFAULTFILL */ #define ISC_MEMFLAG_DEFAULT 0 +#endif /* if ISC_MEM_DEFAULTFILL */ + #else /* if !ISC_MEM_USE_INTERNAL_MALLOC */ + +#if ISC_MEM_DEFAULTFILL #define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_INTERNAL | ISC_MEMFLAG_FILL +#else /* if ISC_MEM_DEFAULTFILL */ +#define ISC_MEMFLAG_DEFAULT ISC_MEMFLAG_INTERNAL +#endif /* if ISC_MEM_DEFAULTFILL */ + #endif /* if !ISC_MEM_USE_INTERNAL_MALLOC */ /*% diff -Nru bind9-9.16.27/lib/isc/include/isc/mutexatomic.h bind9-9.16.33/lib/isc/include/isc/mutexatomic.h --- bind9-9.16.27/lib/isc/include/isc/mutexatomic.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/mutexatomic.h 1970-01-01 00:00:00.000000000 +0000 
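Review bot: On the new side of the mem.h hunk, ISC_MEMFLAG_DEFAULT still expands to the unparenthesised `ISC_MEMFLAG_INTERNAL | ISC_MEMFLAG_FILL` when both ISC_MEM_USE_INTERNAL_MALLOC and ISC_MEM_DEFAULTFILL are set. An expression such as `flags & ISC_MEMFLAG_DEFAULT` would then bind as `(flags & ISC_MEMFLAG_INTERNAL) | ISC_MEMFLAG_FILL`; I would write `#define ISC_MEMFLAG_DEFAULT (ISC_MEMFLAG_INTERNAL | ISC_MEMFLAG_FILL)`. The added comment should also state the new default, since internal-malloc builds previously filled unconditionally: `Define ISC_MEM_DEFAULTFILL=1 to fill memory with a pattern after allocation and free; without it no fill is done by default.`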
@@ -1,254 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once - -#include -#include -#if HAVE_UCHAR_H -#include -#endif /* HAVE_UCHAR_H */ - -#include -#include - -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif /* if !defined(__has_feature) */ - -#if !defined(__has_extension) -#define __has_extension(x) __has_feature(x) -#endif /* if !defined(__has_extension) */ - -#if !defined(__GNUC_PREREQ__) -#if defined(__GNUC__) && defined(__GNUC_MINOR__) -#define __GNUC_PREREQ__(maj, min) \ - ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min)) -#else /* if defined(__GNUC__) && defined(__GNUC_MINOR__) */ -#define __GNUC_PREREQ__(maj, min) 0 -#endif /* if defined(__GNUC__) && defined(__GNUC_MINOR__) */ -#endif /* if !defined(__GNUC_PREREQ__) */ - -#if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS) -#if __has_extension(c_atomic) || __has_extension(cxx_atomic) -#define __CLANG_ATOMICS -#elif __GNUC_PREREQ__(4, 7) -#define __GNUC_ATOMICS -#elif !defined(__GNUC__) -#error "isc/stdatomic.h does not support your compiler" -#endif /* if __has_extension(c_atomic) || __has_extension(cxx_atomic) */ -#endif /* if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS) */ - -#ifndef __ATOMIC_RELAXED -#define __ATOMIC_RELAXED 0 -#endif /* ifndef __ATOMIC_RELAXED */ -#ifndef __ATOMIC_CONSUME -#define __ATOMIC_CONSUME 1 -#endif /* ifndef __ATOMIC_CONSUME */ -#ifndef __ATOMIC_ACQUIRE -#define __ATOMIC_ACQUIRE 2 -#endif /* ifndef __ATOMIC_ACQUIRE */ -#ifndef __ATOMIC_RELEASE -#define __ATOMIC_RELEASE 3 -#endif /* ifndef __ATOMIC_RELEASE */ -#ifndef 
__ATOMIC_ACQ_REL -#define __ATOMIC_ACQ_REL 4 -#endif /* ifndef __ATOMIC_ACQ_REL */ -#ifndef __ATOMIC_SEQ_CST -#define __ATOMIC_SEQ_CST 5 -#endif /* ifndef __ATOMIC_SEQ_CST */ - -enum memory_order { - memory_order_relaxed = __ATOMIC_RELAXED, - memory_order_consume = __ATOMIC_CONSUME, - memory_order_acquire = __ATOMIC_ACQUIRE, - memory_order_release = __ATOMIC_RELEASE, - memory_order_acq_rel = __ATOMIC_ACQ_REL, - memory_order_seq_cst = __ATOMIC_SEQ_CST -}; - -typedef enum memory_order memory_order; - -#define ___TYPEDEF(type, name, orig) \ - typedef struct name { \ - isc_mutex_t m; \ - orig v; \ - } type; - -#define _TYPEDEF_S(type) ___TYPEDEF(atomic_##type, atomic_##type##_s, type) -#define _TYPEDEF_O(type, orig) \ - ___TYPEDEF(atomic_##type, atomic_##type##_s, orig) -#define _TYPEDEF_T(type) \ - ___TYPEDEF(atomic_##type##_t, atomic_##type##_s, type##_t) - -#ifndef HAVE_UCHAR_H -typedef uint_least16_t char16_t; -typedef uint_least32_t char32_t; -#endif /* HAVE_UCHAR_H */ - -_TYPEDEF_S(bool); -_TYPEDEF_S(char); -_TYPEDEF_O(schar, signed char); -_TYPEDEF_O(uchar, unsigned char); -_TYPEDEF_S(short); -_TYPEDEF_O(ushort, unsigned short); -_TYPEDEF_S(int); -_TYPEDEF_O(uint, unsigned int); -_TYPEDEF_S(long); -_TYPEDEF_O(ulong, unsigned long); -_TYPEDEF_O(llong, long long); -_TYPEDEF_O(ullong, unsigned long long); -_TYPEDEF_T(char16); -_TYPEDEF_T(char32); -_TYPEDEF_T(wchar); -_TYPEDEF_T(int_least8); -_TYPEDEF_T(uint_least8); -_TYPEDEF_T(int_least16); -_TYPEDEF_T(uint_least16); -_TYPEDEF_T(int_least32); -_TYPEDEF_T(uint_least32); -_TYPEDEF_T(int_least64); -_TYPEDEF_T(uint_least64); -_TYPEDEF_T(int_fast8); -_TYPEDEF_T(uint_fast8); -_TYPEDEF_T(int_fast16); -_TYPEDEF_T(uint_fast16); -_TYPEDEF_T(int_fast32); -_TYPEDEF_T(uint_fast32); -_TYPEDEF_T(int_fast64); -_TYPEDEF_T(uint_fast64); -_TYPEDEF_T(intptr); -_TYPEDEF_T(uintptr); -_TYPEDEF_T(size); -_TYPEDEF_T(ptrdiff); -_TYPEDEF_T(intmax); -_TYPEDEF_T(uintmax); - -#undef ___TYPEDEF -#undef _TYPEDEF_S -#undef _TYPEDEF_T -#undef 
_TYPEDEF_O - -#define ATOMIC_VAR_INIT(arg) \ - { \ - .m = PTHREAD_MUTEX_INITIALIZER, .v = arg \ - } - -#define atomic_init(obj, desired) \ - { \ - isc_mutex_init(&(obj)->m); \ - (obj)->v = desired; \ - } -#define atomic_load_explicit(obj, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_store_explicit(obj, desired, order) \ - { \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - (obj)->v = desired; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - } -#define atomic_fetch_add_explicit(obj, arg, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - (obj)->v += arg; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_fetch_sub_explicit(obj, arg, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - (obj)->v -= arg; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_fetch_and_explicit(obj, arg, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - (obj)->v &= arg; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_fetch_or_explicit(obj, arg, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - (obj)->v |= arg; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \ - fail) \ - ({ \ - bool ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = ((obj)->v == *expected); \ - *expected = (obj)->v; \ - (obj)->v = ___v ? 
desired : (obj)->v; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, \ - fail) \ - ({ \ - bool ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = ((obj)->v == *expected); \ - *expected = (obj)->v; \ - (obj)->v = ___v ? desired : (obj)->v; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) - -#define atomic_load(obj) atomic_load_explicit(obj, memory_order_seq_cst) -#define atomic_store(obj, arg) \ - atomic_store_explicit(obj, arg, memory_order_seq_cst) -#define atomic_fetch_add(obj, arg) \ - atomic_fetch_add_explicit(obj, arg, memory_order_seq_cst) -#define atomic_fetch_sub(obj, arg) \ - atomic_fetch_sub_explicit(obj, arg, memory_order_seq_cst) -#define atomic_fetch_and(obj, arg) \ - atomic_fetch_and_explicit(obj, arg, memory_order_seq_cst) -#define atomic_fetch_or(obj, arg) \ - atomic_fetch_or_explicit(obj, arg, memory_order_seq_cst) -#define atomic_compare_exchange_strong(obj, expected, desired) \ - atomic_compare_exchange_strong_explicit(obj, expected, desired, \ - memory_order_seq_cst, \ - memory_order_seq_cst) -#define atomic_compare_exchange_weak(obj, expected, desired) \ - atomic_compare_exchange_weak_explicit(obj, expected, desired, \ - memory_order_seq_cst, \ - memory_order_seq_cst) -#define atomic_exchange_explicit(obj, desired, order) \ - ({ \ - typeof((obj)->v) ___v; \ - REQUIRE(isc_mutex_lock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v = (obj)->v; \ - (obj)->v = desired; \ - REQUIRE(isc_mutex_unlock(&(obj)->m) == ISC_R_SUCCESS); \ - ___v; \ - }) -#define atomic_exchange(obj, desired) \ - atomic_exchange_explicit(obj, desired, memory_order_seq_cst) diff -Nru bind9-9.16.27/lib/isc/include/isc/netmgr.h bind9-9.16.33/lib/isc/include/isc/netmgr.h --- bind9-9.16.27/lib/isc/include/isc/netmgr.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/netmgr.h 2022-09-08 13:01:23.000000000 +0000 
@@ -13,11 +13,22 @@ #pragma once +#include + #include #include #include #include +#ifndef _WIN32 +#include +#include +#endif + +#if defined(SO_REUSEPORT_LB) || (defined(SO_REUSEPORT) && defined(__linux__)) +#define HAVE_SO_REUSEPORT_LB 1 +#endif + /* * Replacement for isc_sockettype_t provided by socket.h. */ @@ -404,6 +415,17 @@ * * Requires: * \li 'mgr' is a valid netmgr. + */ + +bool +isc_nm_getloadbalancesockets(isc_nm_t *mgr); +void +isc_nm_setloadbalancesockets(isc_nm_t *mgr, bool enabled); +/*%< + * Get and set value of load balancing of the sockets. + * + * Requires: + * \li 'mgr' is a valid netmgr. */ void diff -Nru bind9-9.16.27/lib/isc/include/isc/queue.h bind9-9.16.33/lib/isc/include/isc/queue.h --- bind9-9.16.27/lib/isc/include/isc/queue.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/queue.h 1970-01-01 00:00:00.000000000 +0000 
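Review bot: The comment added for isc_nm_getloadbalancesockets() and isc_nm_setloadbalancesockets() in the @@ -404 hunk does not say when the setter may be called, or what it does where HAVE_SO_REUSEPORT_LB is not defined. The backing field added to netmgr-int.h later in this diff is a plain `bool load_balance_sockets`, sitting between `atomic_uint_fast32_t maxudp` and `atomic_bool paused`. A call made while worker threads are running would therefore be an unsynchronised write, unless something outside these hunks serialises it. I would either declare the field `atomic_bool` or add a requirement line such as `\li Must be called before any listener is created.`, whichever matches what the implementation expects.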
@@ -1,56 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#pragma once -#include - -typedef struct isc_queue isc_queue_t; - -isc_queue_t * -isc_queue_new(isc_mem_t *mctx, int max_threads); -/*%< - * Create a new fetch-and-add array queue. - * - * 'max_threads' is currently unused. In the future it can be used - * to pass a maximum threads parameter when creating hazard pointers, - * but currently `isc_hp_t` uses a hard-coded value. - */ - -void -isc_queue_enqueue(isc_queue_t *queue, uintptr_t item); -/*%< - * Enqueue an object pointer 'item' at the tail of the queue. - * - * Requires: - * \li 'item' is not null. - */ - -uintptr_t -isc_queue_dequeue(isc_queue_t *queue); -/*%< - * Remove an object pointer from the head of the queue and return the - * pointer. If the queue is empty, return `nulluintptr` (the uintptr_t - * representation of NULL). - * - * Requires: - * \li 'queue' is not null. - */ - -void -isc_queue_destroy(isc_queue_t *queue); -/*%< - * Destroy a queue. - * - * Requires: - * \li 'queue' is not null. - */ diff -Nru bind9-9.16.27/lib/isc/include/isc/quota.h bind9-9.16.33/lib/isc/include/isc/quota.h --- bind9-9.16.27/lib/isc/include/isc/quota.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/quota.h 2022-09-08 13:01:23.000000000 +0000 
@@ -49,7 +49,7 @@ struct isc_quota_cb { int magic; isc_quota_cb_func_t cb_func; - void *data; + void *data; ISC_LINK(isc_quota_cb_t) link; }; diff -Nru bind9-9.16.27/lib/isc/include/isc/radix.h bind9-9.16.33/lib/isc/include/isc/radix.h --- bind9-9.16.27/lib/isc/include/isc/radix.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/radix.h 2022-09-08 13:01:23.000000000 +0000 @@ -44,7 +44,7 @@ } while (0) typedef struct isc_prefix { - isc_mem_t *mctx; + isc_mem_t *mctx; unsigned int family; /* AF_INET | AF_INET6, or AF_UNSPEC for * "any" */ unsigned int bitlen; /* 0 for "any" */ @@ -87,12 +87,12 @@ #define ISC_RADIX_FAMILY(p) (((p)->family == AF_INET6) ? RADIX_V6 : RADIX_V4) typedef struct isc_radix_node { - isc_mem_t *mctx; + isc_mem_t *mctx; uint32_t bit; /* bit length of the prefix */ - isc_prefix_t *prefix; /* who we are in radix tree */ + isc_prefix_t *prefix; /* who we are in radix tree */ struct isc_radix_node *l, *r; /* left and right children */ struct isc_radix_node *parent; /* may be used */ - void *data[RADIX_FAMILIES]; /* pointers to IPv4 + void *data[RADIX_FAMILIES]; /* pointers to IPv4 * and IPV6 data */ int node_num[RADIX_FAMILIES]; /* which node * this was in @@ -106,7 +106,7 @@ typedef struct isc_radix_tree { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_radix_node_t *head; uint32_t maxbits; /* for IP, 32 bit addresses */ int num_active_node; /* for debugging purposes */ 
@@ -198,9 +198,9 @@ #define RADIX_WALK(Xhead, Xnode) \ do { \ - isc_radix_node_t *Xstack[RADIX_MAXBITS + 1]; \ + isc_radix_node_t *Xstack[RADIX_MAXBITS + 1]; \ isc_radix_node_t **Xsp = Xstack; \ - isc_radix_node_t *Xrn = (Xhead); \ + isc_radix_node_t *Xrn = (Xhead); \ while ((Xnode = Xrn)) { \ if (Xnode->prefix) diff -Nru bind9-9.16.27/lib/isc/include/isc/region.h bind9-9.16.33/lib/isc/include/isc/region.h --- bind9-9.16.27/lib/isc/include/isc/region.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/region.h 2022-09-08 13:01:23.000000000 +0000 @@ -25,7 +25,7 @@ }; struct isc_textregion { - char *base; + char *base; unsigned int length; }; diff -Nru bind9-9.16.27/lib/isc/include/isc/socket.h bind9-9.16.33/lib/isc/include/isc/socket.h --- bind9-9.16.27/lib/isc/include/isc/socket.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/socket.h 2022-09-08 13:01:23.000000000 +0000 @@ -906,7 +906,7 @@ /*%< * See isc_socketmgr_create() above. */ -typedef isc_result_t (*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, +typedef isc_result_t (*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp); ISC_LANG_ENDDECLS diff -Nru bind9-9.16.27/lib/isc/include/isc/symtab.h bind9-9.16.33/lib/isc/include/isc/symtab.h --- bind9-9.16.27/lib/isc/include/isc/symtab.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/symtab.h 2022-09-08 13:01:23.000000000 +0000 @@ -89,7 +89,7 @@ ***/ /*% Symbol table value. */ typedef union isc_symvalue { - void *as_pointer; + void *as_pointer; const void *as_cpointer; int as_integer; unsigned int as_uinteger; diff -Nru bind9-9.16.27/lib/isc/include/isc/types.h bind9-9.16.33/lib/isc/include/isc/types.h --- bind9-9.16.27/lib/isc/include/isc/types.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/types.h 2022-09-08 13:01:23.000000000 +0000 
@@ -46,11 +46,9 @@ typedef int16_t isc_dscp_t; /*%< Diffserv code point */ typedef struct isc_event isc_event_t; /*%< Event */ typedef ISC_LIST(isc_event_t) isc_eventlist_t; /*%< Event List */ -typedef unsigned int isc_eventtype_t; /*%< Event Type */ -typedef uint32_t isc_fsaccess_t; /*%< FS Access */ -typedef struct isc_hash isc_hash_t; /*%< Hash */ -typedef struct isc_hp isc_hp_t; /*%< Hazard - * pointer */ +typedef unsigned int isc_eventtype_t; /*%< Event Type */ +typedef uint32_t isc_fsaccess_t; /*%< FS Access */ +typedef struct isc_hash isc_hash_t; /*%< Hash */ typedef struct isc_httpd isc_httpd_t; /*%< HTTP client */ typedef void(isc_httpdfree_t)(isc_buffer_t *, void *); /*%< HTTP free function */ diff -Nru bind9-9.16.27/lib/isc/include/isc/util.h bind9-9.16.33/lib/isc/include/isc/util.h --- bind9-9.16.27/lib/isc/include/isc/util.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/isc/util.h 2022-09-08 13:01:23.000000000 +0000 @@ -29,6 +29,22 @@ */ /*** + *** Clang Compatibility Macros + ***/ + +#if !defined(__has_attribute) +#define __has_attribute(x) 0 +#endif /* if !defined(__has_attribute) */ + +#if !defined(__has_c_attribute) +#define __has_c_attribute(x) 0 +#endif /* if !defined(__has_c_attribute) */ + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif /* if !defined(__has_feature) */ + +/*** *** General Macros. ***/ @@ -50,6 +66,16 @@ #define ISC_NONSTRING #endif /* __GNUC__ */ +#if __has_c_attribute(fallthrough) +#define FALLTHROUGH [[fallthrough]] +#elif __GNUC__ >= 7 && !defined(__clang__) +#define FALLTHROUGH __attribute__((fallthrough)) +#else +/* clang-format off */ +#define FALLTHROUGH do {} while (0) /* FALLTHROUGH */ +/* clang-format on */ +#endif + #if HAVE_FUNC_ATTRIBUTE_CONSTRUCTOR && HAVE_FUNC_ATTRIBUTE_DESTRUCTOR #define ISC_CONSTRUCTOR __attribute__((constructor)) #define ISC_DESTRUCTOR __attribute__((destructor)) 
@@ -80,7 +106,7 @@ do { \ union { \ const void *k; \ - void *v; \ + void *v; \ } _u; \ _u.k = konst; \ var = _u.v; \ @@ -200,16 +226,6 @@ */ #include -#ifdef HAVE_BUILTIN_UNREACHABLE -#define ISC_UNREACHABLE() __builtin_unreachable(); -#else /* ifdef HAVE_BUILTIN_UNREACHABLE */ -#define ISC_UNREACHABLE() -#endif /* ifdef HAVE_BUILTIN_UNREACHABLE */ - -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif /* if !defined(__has_feature) */ - /* GCC defines __SANITIZE_ADDRESS__, so reuse the macro for clang */ #if __has_feature(address_sanitizer) #define __SANITIZE_ADDRESS__ 1 @@ -259,6 +275,8 @@ ((!(expression)) \ ? (mock_assert(0, #expression, __FILE__, __LINE__), abort()) \ : (void)0) +#define UNREACHABLE() \ + (mock_assert(0, "unreachable", __FILE__, __LINE__), abort()) #define _assert_true(c, e, f, l) \ ((c) ? (void)0 : (_assert_true(0, e, f, l), abort())) #define _assert_int_equal(a, b, f, l) \ @@ -283,6 +301,8 @@ /*% Invariant Assertion */ #define INVARIANT(e) ISC_INVARIANT(e) +#define UNREACHABLE() ISC_UNREACHABLE() + #else /* CPPCHECK */ /*% Require Assertion */ @@ -302,6 +322,8 @@ if (!(e)) \ abort() +#define UNREACHABLE() abort() + #endif /* CPPCHECK */ #endif /* UNIT_TESTING */ diff -Nru bind9-9.16.27/lib/isc/include/pk11/pk11.h bind9-9.16.33/lib/isc/include/pk11/pk11.h --- bind9-9.16.27/lib/isc/include/pk11/pk11.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/pk11/pk11.h 2022-09-08 13:01:23.000000000 +0000 @@ -46,11 +46,11 @@ CK_BBOOL ontoken; CK_BBOOL reqlogon; CK_BYTE attrcnt; - CK_ATTRIBUTE *repr; + CK_ATTRIBUTE *repr; }; struct pk11_context { - void *handle; + void *handle; CK_SESSION_HANDLE session; CK_BBOOL ontoken; CK_OBJECT_HANDLE object; diff -Nru bind9-9.16.27/lib/isc/include/pkcs11/pkcs11.h bind9-9.16.33/lib/isc/include/pkcs11/pkcs11.h --- bind9-9.16.27/lib/isc/include/pkcs11/pkcs11.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/include/pkcs11/pkcs11.h 2022-09-08 13:01:23.000000000 +0000 
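Review bot: `#define UNREACHABLE() ISC_UNREACHABLE()` in the @@ -283 hunk relies on a definition that the @@ -200 hunk removes from this header, where it was either `__builtin_unreachable();` or empty. The call sites converted in this diff (log.c, mem.c, netaddr.c) drop the preceding `INSIST(0);`, so the replacement ISC_UNREACHABLE(), presumably now in a header not shown here, has to abort on its own. If it were still only the compiler hint, reaching one of those `default:` branches would be undefined behaviour rather than an assertion failure. A comment above the define would record the contract: `/* ISC_UNREACHABLE() must abort; call sites no longer pair it with INSIST(0). */`.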
@@ -503,7 +503,7 @@ struct ck_attribute { ck_attribute_type_t type; - void *value; + void *value; unsigned long value_len; }; @@ -888,7 +888,7 @@ struct ck_mechanism { ck_mechanism_type_t mechanism; - void *parameter; + void *parameter; unsigned long parameter_len; }; @@ -936,7 +936,7 @@ ck_mechanism_type_t hash_alg; ck_rsa_pkcs_mgf_type_t mgf; ck_rsa_pkcs_oaep_source_type_t source; - void *source_data; + void *source_data; unsigned long source_data_len; }; @@ -1067,11 +1067,11 @@ _CK_DECLARE_FUNCTION(C_GetSessionInfo, (ck_session_handle_t session, struct ck_session_info *info)); _CK_DECLARE_FUNCTION(C_GetOperationState, (ck_session_handle_t session, - unsigned char *operation_state, + unsigned char *operation_state, unsigned long *operation_state_len)); _CK_DECLARE_FUNCTION(C_SetOperationState, (ck_session_handle_t session, - unsigned char *operation_state, + unsigned char *operation_state, unsigned long operation_state_len, ck_object_handle_t encryption_key, ck_object_handle_t authentiation_key)); @@ -1119,19 +1119,19 @@ unsigned long part_len, unsigned char *encrypted_part, unsigned long *encrypted_part_len)); _CK_DECLARE_FUNCTION(C_EncryptFinal, (ck_session_handle_t session, - unsigned char *last_encrypted_part, + unsigned char *last_encrypted_part, unsigned long *last_encrypted_part_len)); _CK_DECLARE_FUNCTION(C_DecryptInit, (ck_session_handle_t session, struct ck_mechanism *mechanism, ck_object_handle_t key)); _CK_DECLARE_FUNCTION(C_Decrypt, (ck_session_handle_t session, - unsigned char *encrypted_data, + unsigned char *encrypted_data, unsigned long encrypted_data_len, unsigned char *data, unsigned long *data_len)); _CK_DECLARE_FUNCTION(C_DecryptUpdate, (ck_session_handle_t session, - unsigned char *encrypted_part, + unsigned char *encrypted_part, unsigned long encrypted_part_len, unsigned char *part, unsigned long *part_len)); _CK_DECLARE_FUNCTION(C_DecryptFinal, 
@@ -1200,7 +1200,7 @@ unsigned long *encrypted_part_len)); _CK_DECLARE_FUNCTION(C_DecryptDigestUpdate, (ck_session_handle_t session, - unsigned char *encrypted_part, + unsigned char *encrypted_part, unsigned long encrypted_part_len, unsigned char *part, unsigned long *part_len)); _CK_DECLARE_FUNCTION(C_SignEncryptUpdate, @@ -1209,7 +1209,7 @@ unsigned long *encrypted_part_len)); _CK_DECLARE_FUNCTION(C_DecryptVerifyUpdate, (ck_session_handle_t session, - unsigned char *encrypted_part, + unsigned char *encrypted_part, unsigned long encrypted_part_len, unsigned char *part, unsigned long *part_len)); @@ -1225,8 +1225,8 @@ unsigned long public_key_attribute_count, struct ck_attribute *private_key_template, unsigned long private_key_attribute_count, - ck_object_handle_t *public_key, - ck_object_handle_t *private_key)); + ck_object_handle_t *public_key, + ck_object_handle_t *private_key)); _CK_DECLARE_FUNCTION(C_WrapKey, (ck_session_handle_t session, struct ck_mechanism *mechanism, @@ -1339,7 +1339,7 @@ ck_lockmutex_t lock_mutex; ck_unlockmutex_t unlock_mutex; ck_flags_t flags; - void *reserved; + void *reserved; }; #define CKF_LIBRARY_CANT_CREATE_OS_THREADS (1UL << 0) @@ -1458,12 +1458,12 @@ typedef unsigned char CK_BBOOL; typedef unsigned long int CK_ULONG; typedef long int CK_LONG; -typedef CK_BYTE *CK_BYTE_PTR; -typedef CK_CHAR *CK_CHAR_PTR; -typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; +typedef CK_BYTE *CK_BYTE_PTR; +typedef CK_CHAR *CK_CHAR_PTR; +typedef CK_UTF8CHAR *CK_UTF8CHAR_PTR; typedef CK_ULONG *CK_ULONG_PTR; -typedef void *CK_VOID_PTR; -typedef void **CK_VOID_PTR_PTR; +typedef void *CK_VOID_PTR; +typedef void **CK_VOID_PTR_PTR; #define CK_FALSE 0 #define CK_TRUE 1 #ifndef CK_DISABLE_TRUE_FALSE 
@@ -1516,7 +1516,7 @@ typedef struct ck_otp_mechanism_info *CK_OTP_MECHANISM_INFO_PTR; typedef struct ck_function_list CK_FUNCTION_LIST; -typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; +typedef struct ck_function_list *CK_FUNCTION_LIST_PTR; typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR; typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS; diff -Nru bind9-9.16.27/lib/isc/lex.c bind9-9.16.33/lib/isc/lex.c --- bind9-9.16.27/lib/isc/lex.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/lex.c 2022-09-08 13:01:23.000000000 +0000 @@ -63,7 +63,7 @@ LIST(struct inputsource) sources; }; -static inline isc_result_t +static isc_result_t grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) { char *tmp; @@ -180,7 +180,7 @@ memmove(lex->specials, specials, 256); } -static inline isc_result_t +static isc_result_t new_source(isc_lex_t *lex, bool is_file, bool need_close, void *input, const char *name) { inputsource *source; @@ -684,7 +684,7 @@ state = lexstate_vpairstart; break; } - /* FALLTHROUGH */ + FALLTHROUGH; case lexstate_vpairstart: if (state == lexstate_vpairstart) { if (c == '"' && @@ -695,7 +695,7 @@ } state = lexstate_vpair; } - /* FALLTHROUGH */ + FALLTHROUGH; case lexstate_vpair: /* * EOF needs to be checked before lex->specials[c] diff -Nru bind9-9.16.27/lib/isc/lfsr.c bind9-9.16.33/lib/isc/lfsr.c --- bind9-9.16.27/lib/isc/lfsr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/lfsr.c 2022-09-08 13:01:23.000000000 +0000 @@ -48,7 +48,7 @@ /*! * Return the next state of the lfsr. */ -static inline uint32_t +static uint32_t lfsr_generate(isc_lfsr_t *lfsr) { /* * If the previous state is zero, we must fill it with something 
@@ -107,7 +107,7 @@ } } -static inline uint32_t +static uint32_t lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip) { while (skip--) { (void)lfsr_generate(lfsr); diff -Nru bind9-9.16.27/lib/isc/log.c bind9-9.16.33/lib/isc/log.c --- bind9-9.16.27/lib/isc/log.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/log.c 2022-09-08 13:01:23.000000000 +0000 @@ -706,8 +706,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ISC_LIST_PREPEND(lcfg->channels, channel, link); @@ -1811,7 +1810,7 @@ } channel->flags &= ~ISC_LOG_OPENERR; } - /* FALLTHROUGH */ + FALLTHROUGH; case ISC_LOG_TOFILEDESC: fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n", diff -Nru bind9-9.16.27/lib/isc/managers.c bind9-9.16.33/lib/isc/managers.c --- bind9-9.16.27/lib/isc/managers.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/managers.c 2022-09-08 13:01:23.000000000 +0000 @@ -11,7 +11,6 @@ * information regarding copyright ownership. */ -#include #include #include @@ -25,12 +24,6 @@ isc_taskmgr_t *taskmgr = NULL; isc_nm_t *netmgr = NULL; - /* - * We have ncpus network threads, ncpus old network threads - make - * it 4x just to be on the safe side. - */ - isc_hp_init(4 * workers); - REQUIRE(netmgrp != NULL && *netmgrp == NULL); isc__netmgr_create(mctx, workers, &netmgr); *netmgrp = netmgr; diff -Nru bind9-9.16.27/lib/isc/mem.c bind9-9.16.33/lib/isc/mem.c --- bind9-9.16.27/lib/isc/mem.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/mem.c 2022-09-08 13:01:23.000000000 +0000 @@ -345,12 +345,11 @@ * If we get here, we didn't find the item on the list. We're * screwed. */ - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #endif /* ISC_MEM_TRACKLINES */ -static inline size_t +static size_t rmsize(size_t size) { /* * round down to ALIGNMENT_SIZE @@ -358,7 +357,7 @@ return (size & (~(ALIGNMENT_SIZE - 1))); } -static inline size_t +static size_t quantize(size_t size) { /*! * Round up the result in order to get a size big 
@@ -372,7 +371,7 @@ return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1))); } -static inline void +static void more_basic_blocks(isc__mem_t *ctx) { void *tmp; unsigned char *curr, *next; @@ -434,7 +433,7 @@ ctx->basic_blocks = tmp; } -static inline void +static void more_frags(isc__mem_t *ctx, size_t new_size) { int frags; size_t total_size; @@ -486,7 +485,7 @@ ctx->freelists[new_size] = tmp; } -static inline void * +static void * mem_getunlocked(isc__mem_t *ctx, size_t size) { size_t new_size = quantize(size); void *ret; @@ -551,7 +550,7 @@ } #if ISC_MEM_CHECKOVERRUN -static inline void +static void check_overrun(void *mem, size_t size, size_t new_size) { unsigned char *cp; @@ -566,7 +565,7 @@ #endif /* if ISC_MEM_CHECKOVERRUN */ /* coverity[+free : arg-1] */ -static inline void +static void mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) { size_t new_size = quantize(size); @@ -615,7 +614,7 @@ /*! * Perform a malloc, doing memory filling and overrun detection as necessary. */ -static inline void * +static void * mem_get(isc__mem_t *ctx, size_t size) { char *ret; @@ -645,7 +644,7 @@ * Perform a free, doing memory filling and overrun detection as necessary. */ /* coverity[+free : arg-1] */ -static inline void +static void mem_put(isc__mem_t *ctx, void *mem, size_t size) { #if ISC_MEM_CHECKOVERRUN INSIST(((unsigned char *)mem)[size] == 0xbe); @@ -660,7 +659,7 @@ /*! * Update internal counters after a memory get. */ -static inline void +static void mem_getstats(isc__mem_t *ctx, size_t size) { ctx->total += size; ctx->inuse += size; @@ -685,7 +684,7 @@ /*! * Update internal counters after a memory put. */ -static inline void +static void mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) { UNUSED(ptr); 
@@ -1653,7 +1652,8 @@ mpctx->common.impmagic = MEMPOOL_MAGIC; mpctx->common.magic = ISCAPI_MPOOL_MAGIC; - mpctx->mctx = mctx; + mpctx->mctx = NULL; + isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx); /* * Mempools are stored as a linked list of element. */ @@ -1726,13 +1726,8 @@ mpctx->freecount--; item = mpctx->items; mpctx->items = item->next; - - if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) { - mem_putunlocked(mctx, item, mpctx->size); - } else { - mem_putstats(mctx, item, mpctx->size); - mem_put(mctx, item, mpctx->size); - } + mem_putstats(mctx, item, mpctx->size); + mem_put(mctx, item, mpctx->size); } MCTXUNLOCK(mctx); @@ -1747,7 +1742,8 @@ mpctx->common.impmagic = 0; mpctx->common.magic = 0; - isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t)); + isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx, + sizeof(isc__mempool_t)); *mpctxp = NULL; } @@ -1993,7 +1989,7 @@ fflush(file); } -static atomic_uintptr_t checkdestroyed = ATOMIC_VAR_INIT(0); +static atomic_uintptr_t checkdestroyed = 0; void isc_mem_checkdestroyed(FILE *file) { @@ -2015,8 +2011,7 @@ print_contexts(file); } #endif /* if ISC_MEM_TRACKLINES */ - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } UNLOCK(&contextslock); } diff -Nru bind9-9.16.27/lib/isc/netaddr.c bind9-9.16.33/lib/isc/netaddr.c --- bind9-9.16.27/lib/isc/netaddr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netaddr.c 2022-09-08 13:01:23.000000000 +0000 @@ -364,8 +364,7 @@ break; #endif /* ifdef ISC_PLATFORM_HAVESYSUNH */ default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/isc/netmgr/netmgr-int.h bind9-9.16.33/lib/isc/netmgr/netmgr-int.h --- bind9-9.16.27/lib/isc/netmgr/netmgr-int.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/netmgr-int.h 2022-09-08 13:01:23.000000000 +0000 @@ -27,7 +27,6 @@ #include #include #include -#include #include #include #include 
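Review bot: In the @@ -1726 hunk the free loop no longer branches on ISC_MEMFLAG_INTERNAL and always calls `mem_putstats()` followed by `mem_put()`, but no hunk of mem.c in this diff touches the matching allocation path. If pool items for an internal-malloc context are still obtained with `mem_getunlocked()`, they would now be released through a different path than the one that allocated them. Please confirm that the pool fill code uses `mem_get()` and `mem_getstats()` unconditionally as well. The enclosing function starts and ends outside the hunk.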
@@ -92,10 +91,6 @@ */ #define NM_BIG_BUF ISC_NETMGR_TCP_RECVBUF_SIZE * 2 -#if defined(SO_REUSEPORT_LB) || (defined(SO_REUSEPORT) && defined(__linux__)) -#define HAVE_SO_REUSEPORT_LB 1 -#endif - /* * Define NETMGR_TRACE to activate tracing of handles and sockets. * This will impair performance but enables us to quickly determine, @@ -191,6 +186,17 @@ NETIEVENT_MAX = 4, } netievent_type_t; +typedef struct isc__nm_uvreq isc__nm_uvreq_t; +typedef struct isc__netievent isc__netievent_t; + +typedef ISC_LIST(isc__netievent_t) isc__netievent_list_t; + +typedef struct ievent { + isc_mutex_t lock; + isc_condition_t cond; + isc__netievent_list_t list; +} ievent_t; + /* * Single network event loop worker. */ @@ -200,13 +206,10 @@ uv_loop_t loop; /* libuv loop structure */ uv_async_t async; /* async channel to send * data to this networker */ - isc_mutex_t lock; bool paused; bool finished; isc_thread_t thread; - isc_queue_t *ievents[NETIEVENT_MAX]; - atomic_uint_fast32_t nievents[NETIEVENT_MAX]; - isc_condition_t cond_prio; + ievent_t ievents[NETIEVENT_MAX]; isc_refcount_t references; atomic_int_fast64_t pktcount; @@ -325,15 +328,15 @@ int magic; isc_nmsocket_t *sock; isc_nmhandle_t *handle; - char tcplen[2]; /* The TCP DNS message length */ - uv_buf_t uvbuf; /* translated isc_region_t, to be - * sent or received */ - isc_sockaddr_t local; /* local address */ - isc_sockaddr_t peer; /* peer address */ - isc__nm_cb_t cb; /* callback */ - void *cbarg; /* callback argument */ - uv_pipe_t ipc; /* used for sending socket - * uv_handles to other threads */ + char tcplen[2]; /* The TCP DNS message length */ + uv_buf_t uvbuf; /* translated isc_region_t, to be + * sent or received */ + isc_sockaddr_t local; /* local address */ + isc_sockaddr_t peer; /* peer address */ + isc__nm_cb_t cb; /* callback */ + void *cbarg; /* callback argument */ + isc_nm_timer_t *timer; /* TCP write timer */ + union { uv_handle_t handle; uv_req_t req; 
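Review bot: `ievent_t` (`@@ -191`) is added without a comment saying what `lock` protects or when `cond` is signalled, and it replaces the worker-wide `lock`/`cond_prio` pair that `@@ -200` removes. From the enqueue and wait code in netmgr.c, `list` is only touched with `lock` held and `cond` is signalled and waited on only for the `NETIEVENT_PRIORITY` queue. Proposed comment above the struct: `/* One event queue: lock guards list; cond is used only by the NETIEVENT_PRIORITY queue. */`.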
@@ -392,11 +395,12 @@ * either in netmgr.c or matching protocol file (e.g. udp.c, tcp.c, etc.) */ -#define NETIEVENT__SOCKET \ - isc__netievent_type type; \ - isc_nmsocket_t *sock; \ - const char *file; \ - unsigned int line; \ +#define NETIEVENT__SOCKET \ + isc__netievent_type type; \ + ISC_LINK(isc__netievent_t) link; \ + isc_nmsocket_t *sock; \ + const char *file; \ + unsigned int line; \ const char *func typedef struct isc__netievent__socket { @@ -460,8 +464,7 @@ } typedef struct isc__netievent__socket_req_result { - isc__netievent_type type; - isc_nmsocket_t *sock; + NETIEVENT__SOCKET; isc__nm_uvreq_t *req; isc_result_t result; } isc__netievent__socket_req_result_t; @@ -560,6 +563,7 @@ typedef struct isc__netievent__task { isc__netievent_type type; + ISC_LINK(isc__netievent_t) link; isc_task_t *task; } isc__netievent__task_t; @@ -596,6 +600,7 @@ typedef struct isc__netievent { isc__netievent_type type; + ISC_LINK(isc__netievent_t) link; } isc__netievent_t; #define NETIEVENT_TYPE(type) typedef isc__netievent_t isc__netievent_##type##_t; @@ -660,6 +665,8 @@ atomic_uint_fast32_t workers_paused; atomic_uint_fast32_t maxudp; + bool load_balance_sockets; + atomic_bool paused; /* @@ -777,9 +784,7 @@ /*% * TCP write timeout timer. */ - uv_timer_t write_timer; uint64_t write_timeout; - int64_t writes; /*% outer socket is for 'wrapped' sockets - e.g. tcpdns in tcp */ isc_nmsocket_t *outer; @@ -1554,11 +1559,11 @@ void isc__nm_tcpdns_read_cb(uv_stream_t *stream, ssize_t nread, const uv_buf_t *buf); -void +isc_result_t isc__nm_start_reading(isc_nmsocket_t *sock); void isc__nm_stop_reading(isc_nmsocket_t *sock); -void +isc_result_t isc__nm_process_sock_buffer(isc_nmsocket_t *sock); void isc__nm_resume_processing(void *arg); 
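Review bot: Every event struct is cast to `isc__netievent_t *` and linked through `link` by the queue code, so `type` and `link` must stay at identical offsets in all of them, and nothing in this header enforces that. The change relies on it in four places: `NETIEVENT__SOCKET` (`@@ -392`), `isc__netievent__socket_req_result` (`@@ -460`), `isc__netievent__task` (`@@ -560`) and `isc__netievent` (`@@ -596`). A compile-time check after the definitions would catch a later field reorder, for example `_Static_assert(offsetof(isc__netievent__task_t, link) == offsetof(isc__netievent_t, link), "netievent prefix");`. Without such a check, a mismatch would corrupt the list pointers at enqueue time rather than fail the build.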
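Review bot: `isc__nm_start_reading()` and `isc__nm_process_sock_buffer()` change from `void` to `isc_result_t` at `@@ -1554` without a header comment saying what is returned or that the result must be checked. A call site that was not updated still compiles and silently drops the error; the callers visible in netmgr.c and tcp.c do check it, but any others are outside this text. Proposed comment after the prototypes: `/*%< Returns ISC_R_SUCCESS, or the translated libuv error if reading could not be started; callers must handle the failure. */`.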
@@ -1592,7 +1597,7 @@ void isc__nmsocket_readtimeout_cb(uv_timer_t *timer); void -isc__nmsocket_writetimeout_cb(uv_timer_t *timer); +isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult); /*%< * diff -Nru bind9-9.16.27/lib/isc/netmgr/netmgr.c bind9-9.16.33/lib/isc/netmgr/netmgr.c --- bind9-9.16.27/lib/isc/netmgr/netmgr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/netmgr.c 2022-09-08 13:01:23.000000000 +0000 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -146,6 +147,7 @@ nm_thread(isc_threadarg_t worker0); static void async_cb(uv_async_t *handle); + static bool process_netievent(isc__networker_t *worker, isc__netievent_t *ievent); static isc_result_t 
@@ -155,51 +157,6 @@ static void drain_queue(isc__networker_t *worker, netievent_type_t type); -#define ENQUEUE_NETIEVENT(worker, queue, event) \ - isc_queue_enqueue(worker->ievents[queue], (uintptr_t)event) -#define DEQUEUE_NETIEVENT(worker, queue) \ - (isc__netievent_t *)isc_queue_dequeue(worker->ievents[queue]) - -#define ENQUEUE_PRIORITY_NETIEVENT(worker, event) \ - ENQUEUE_NETIEVENT(worker, NETIEVENT_PRIORITY, event) -#define ENQUEUE_PRIVILEGED_NETIEVENT(worker, event) \ - ENQUEUE_NETIEVENT(worker, NETIEVENT_PRIVILEGED, event) -#define ENQUEUE_TASK_NETIEVENT(worker, event) \ - ENQUEUE_NETIEVENT(worker, NETIEVENT_TASK, event) -#define ENQUEUE_NORMAL_NETIEVENT(worker, event) \ - ENQUEUE_NETIEVENT(worker, NETIEVENT_NORMAL, event) - -#define DEQUEUE_PRIORITY_NETIEVENT(worker) \ - DEQUEUE_NETIEVENT(worker, NETIEVENT_PRIORITY) -#define DEQUEUE_PRIVILEGED_NETIEVENT(worker) \ - DEQUEUE_NETIEVENT(worker, NETIEVENT_PRIVILEGED) -#define DEQUEUE_TASK_NETIEVENT(worker) DEQUEUE_NETIEVENT(worker, NETIEVENT_TASK) -#define DEQUEUE_NORMAL_NETIEVENT(worker) \ - DEQUEUE_NETIEVENT(worker, NETIEVENT_NORMAL) - -#define INCREMENT_NETIEVENT(worker, queue) \ - atomic_fetch_add_release(&worker->nievents[queue], 1) -#define DECREMENT_NETIEVENT(worker, queue) \ - atomic_fetch_sub_release(&worker->nievents[queue], 1) - -#define INCREMENT_PRIORITY_NETIEVENT(worker) \ - INCREMENT_NETIEVENT(worker, NETIEVENT_PRIORITY) -#define INCREMENT_PRIVILEGED_NETIEVENT(worker) \ - INCREMENT_NETIEVENT(worker, NETIEVENT_PRIVILEGED) -#define INCREMENT_TASK_NETIEVENT(worker) \ - INCREMENT_NETIEVENT(worker, NETIEVENT_TASK) -#define INCREMENT_NORMAL_NETIEVENT(worker) \ - INCREMENT_NETIEVENT(worker, NETIEVENT_NORMAL) - -#define DECREMENT_PRIORITY_NETIEVENT(worker) \ - DECREMENT_NETIEVENT(worker, NETIEVENT_PRIORITY) -#define DECREMENT_PRIVILEGED_NETIEVENT(worker) \ - DECREMENT_NETIEVENT(worker, NETIEVENT_PRIVILEGED) -#define DECREMENT_TASK_NETIEVENT(worker) \ - DECREMENT_NETIEVENT(worker, NETIEVENT_TASK) 
-#define DECREMENT_NORMAL_NETIEVENT(worker) \ - DECREMENT_NETIEVENT(worker, NETIEVENT_NORMAL) - static void isc__nm_async_stop(isc__networker_t *worker, isc__netievent_t *ev0); static void @@ -284,6 +241,18 @@ } } +#if HAVE_DECL_UV_UDP_LINUX_RECVERR +#define MINIMAL_UV_VERSION UV_VERSION(1, 42, 0) +#elif HAVE_DECL_UV_UDP_MMSG_FREE +#define MINIMAL_UV_VERSION UV_VERSION(1, 40, 0) +#elif HAVE_DECL_UV_UDP_RECVMMSG +#define MINIMAL_UV_VERSION UV_VERSION(1, 37, 0) +#elif HAVE_DECL_UV_UDP_MMSG_CHUNK +#define MINIMAL_UV_VERSION UV_VERSION(1, 35, 0) +#else +#define MINIMAL_UV_VERSION UV_VERSION(1, 0, 0) +#endif + void isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) { isc_nm_t *mgr = NULL; @@ -291,6 +260,14 @@ REQUIRE(workers > 0); + if (uv_version() < MINIMAL_UV_VERSION) { + isc_error_fatal(__FILE__, __LINE__, + "libuv version too old: running with libuv %s " + "when compiled with libuv %s will lead to " + "libuv failures because of unknown flags", + uv_version_string(), UV_VERSION_STRING); + } + #ifdef WIN32 isc__nm_winsock_initialize(); #endif /* WIN32 */ @@ -310,6 +287,11 @@ atomic_init(&mgr->workers_paused, 0); atomic_init(&mgr->paused, false); atomic_init(&mgr->closing, false); +#if HAVE_SO_REUSEPORT_LB + mgr->load_balance_sockets = true; +#else + mgr->load_balance_sockets = false; +#endif #ifdef NETMGR_TRACE ISC_LIST_INIT(mgr->active_sockets); @@ -345,12 +327,10 @@ r = uv_async_init(&worker->loop, &worker->async, async_cb); UV_RUNTIME_CHECK(uv_async_init, r); - isc_mutex_init(&worker->lock); - isc_condition_init(&worker->cond_prio); - for (size_t type = 0; type < NETIEVENT_MAX; type++) { - worker->ievents[type] = isc_queue_new(mgr->mctx, 128); - atomic_init(&worker->nievents[type], 0); + isc_mutex_init(&worker->ievents[type].lock); + isc_condition_init(&worker->ievents[type].cond); + ISC_LIST_INIT(worker->ievents[type].list); } worker->recvbuf = isc_mem_get(mctx, ISC_NETMGR_RECVBUF_SIZE); 
@@ -401,28 +381,15 @@ for (int i = 0; i < mgr->nworkers; i++) { isc__networker_t *worker = &mgr->workers[i]; - isc__netievent_t *ievent = NULL; int r; - /* Empty the async event queues */ - while ((ievent = DEQUEUE_PRIORITY_NETIEVENT(worker)) != NULL) { - isc__nm_put_netievent(mgr, ievent); - } - - INSIST(DEQUEUE_PRIVILEGED_NETIEVENT(worker) == NULL); - INSIST(DEQUEUE_TASK_NETIEVENT(worker) == NULL); - - while ((ievent = DEQUEUE_NORMAL_NETIEVENT(worker)) != NULL) { - isc__nm_put_netievent(mgr, ievent); - } - isc_condition_destroy(&worker->cond_prio); - isc_mutex_destroy(&worker->lock); - r = uv_loop_close(&worker->loop); UV_RUNTIME_CHECK(uv_loop_close, r); for (size_t type = 0; type < NETIEVENT_MAX; type++) { - isc_queue_destroy(worker->ievents[type]); + INSIST(ISC_LIST_EMPTY(worker->ievents[type].list)); + isc_condition_destroy(&worker->ievents[type].cond); + isc_mutex_destroy(&worker->ievents[type].lock); } isc_mem_put(mgr->mctx, worker->sendbuf, @@ -617,8 +584,7 @@ #ifdef NETMGR_TRACE if (isc_refcount_current(&mgr->references) > 1) { isc__nm_dump_active(mgr); - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #endif @@ -661,6 +627,24 @@ atomic_store(&mgr->advertised, advertised); } +bool +isc_nm_getloadbalancesockets(isc_nm_t *mgr) { + REQUIRE(VALID_NM(mgr)); + + return (mgr->load_balance_sockets); +} + +void +isc_nm_setloadbalancesockets(isc_nm_t *mgr, bool enabled) { + REQUIRE(VALID_NM(mgr)); + +#if HAVE_SO_REUSEPORT_LB + mgr->load_balance_sockets = enabled; +#else + UNUSED(enabled); +#endif +} + void isc_nm_gettimeouts(isc_nm_t *mgr, uint32_t *initial, uint32_t *idle, uint32_t *keepalive, uint32_t *advertised) { 
@@ -764,13 +748,17 @@ } /* - * We are shutting down. Process the task queues - * (they may include shutdown events) but do not process - * the netmgr event queue. + * We are shutting down. Drain the queues. */ drain_queue(worker, NETIEVENT_PRIVILEGED); drain_queue(worker, NETIEVENT_TASK); + for (size_t type = 0; type < NETIEVENT_MAX; type++) { + LOCK(&worker->ievents[type].lock); + INSIST(ISC_LIST_EMPTY(worker->ievents[type].list)); + UNLOCK(&worker->ievents[type].lock); + } + LOCK(&mgr->lock); mgr->workers_running--; SIGNAL(&mgr->wkstatecond); @@ -792,7 +780,8 @@ isc_result_t result = process_queue(worker, type); switch (result) { case ISC_R_SUSPEND: - return (true); + reschedule = true; + break; case ISC_R_EMPTY: /* empty queue */ break; @@ -800,8 +789,7 @@ reschedule = true; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
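Review bot: The loop added at `@@ -764` asserts that all four queues are empty, although only `NETIEVENT_PRIVILEGED` and `NETIEVENT_TASK` are drained just above it. If an event can still arrive on the priority or normal queue after the loop has exited, the process now aborts during shutdown, where the destroy code removed in `@@ -401` freed such leftovers with `isc__nm_put_netievent()`. Whatever guarantees that nothing is enqueued at this point lives outside the hunk, so please confirm it and state it in the comment, e.g. `/* No thread may enqueue once the loop has stopped; a leftover event is a bug. */`. The rewritten comment "Drain the queues" also overstates what the two `drain_queue()` calls do.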
@@ -879,42 +867,35 @@ case ISC_R_SUCCESS: return; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } static void wait_for_priority_queue(isc__networker_t *worker) { - isc_condition_t *cond = &worker->cond_prio; - bool wait_for_work = true; - - while (true) { - isc__netievent_t *ievent; - LOCK(&worker->lock); - ievent = DEQUEUE_PRIORITY_NETIEVENT(worker); - if (wait_for_work) { - while (ievent == NULL) { - WAIT(cond, &worker->lock); - ievent = DEQUEUE_PRIORITY_NETIEVENT(worker); - } - } - UNLOCK(&worker->lock); - wait_for_work = false; - - if (ievent == NULL) { - return; - } - DECREMENT_PRIORITY_NETIEVENT(worker); - - (void)process_netievent(worker, ievent); + isc_condition_t *cond = &worker->ievents[NETIEVENT_PRIORITY].cond; + isc_mutex_t *lock = &worker->ievents[NETIEVENT_PRIORITY].lock; + isc__netievent_list_t *list = + &(worker->ievents[NETIEVENT_PRIORITY].list); + + LOCK(lock); + while (ISC_LIST_EMPTY(*list)) { + WAIT(cond, lock); } + UNLOCK(lock); + + drain_queue(worker, NETIEVENT_PRIORITY); } static void drain_queue(isc__networker_t *worker, netievent_type_t type) { - while (process_queue(worker, type) != ISC_R_EMPTY) { - ; + bool empty = false; + while (!empty) { + if (process_queue(worker, type) == ISC_R_EMPTY) { + LOCK(&worker->ievents[type].lock); + empty = ISC_LIST_EMPTY(worker->ievents[type].list); + UNLOCK(&worker->ievents[type].lock); + } } } 
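Review bot: `drain_queue()` needs a comment explaining why it checks the list again under the lock after `process_queue()` has already returned `ISC_R_EMPTY`. As written, `process_queue()` moves the whole list out under the lock and reports empty from that snapshot, so the second check appears to cover events enqueued in between; that intent is not obvious from the code. Proposed comment inside the `if`: `/* process_queue() saw an empty snapshot; re-check under the lock for events enqueued since. */`. Note also that `wait_for_priority_queue()` releases the lock before calling `drain_queue()`, which is fine only because the drain takes the lock itself.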
@@ -989,48 +970,48 @@ NETIEVENT_CASE(resume); NETIEVENT_CASE_NOMORE(pause); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (true); } static isc_result_t process_queue(isc__networker_t *worker, netievent_type_t type) { - /* - * The number of items on the queue is only loosely synchronized with - * the items on the queue. But there's a guarantee that if there's an - * item on the queue, it will be accounted for. However there's a - * possibility that the counter might be higher than the items on the - * queue stored. - */ - uint_fast32_t waiting = atomic_load_acquire(&worker->nievents[type]); - isc__netievent_t *ievent = DEQUEUE_NETIEVENT(worker, type); + isc__netievent_t *ievent = NULL; + isc__netievent_list_t list; + + ISC_LIST_INIT(list); + + LOCK(&worker->ievents[type].lock); + ISC_LIST_MOVE(list, worker->ievents[type].list); + UNLOCK(&worker->ievents[type].lock); - if (ievent == NULL && waiting == 0) { + ievent = ISC_LIST_HEAD(list); + if (ievent == NULL) { /* There's nothing scheduled */ return (ISC_R_EMPTY); - } else if (ievent == NULL) { - /* There's at least one item scheduled, but not on the queue yet - */ - return (ISC_R_SUCCESS); } while (ievent != NULL) { - DECREMENT_NETIEVENT(worker, type); - bool stop = !process_netievent(worker, ievent); + isc__netievent_t *next = ISC_LIST_NEXT(ievent, link); + ISC_LIST_DEQUEUE(list, ievent, link); - if (stop) { - /* Netievent told us to stop */ + if (!process_netievent(worker, ievent)) { + /* The netievent told us to stop */ + if (!ISC_LIST_EMPTY(list)) { + /* + * Reschedule the rest of the unprocessed + * events. + */ + LOCK(&worker->ievents[type].lock); + ISC_LIST_PREPENDLIST(worker->ievents[type].list, + list, link); + UNLOCK(&worker->ievents[type].lock); + } return (ISC_R_SUSPEND); } - if (waiting-- == 0) { - /* We reached this round "quota" */ - break; - } - - ievent = DEQUEUE_NETIEVENT(worker, type); + ievent = next; } /* We processed at least one */ 
@@ -1043,6 +1024,7 @@ sizeof(*event)); *event = (isc__netievent_storage_t){ .ni.type = type }; + ISC_LINK_INIT(&(event->ni), link); return (event); } @@ -1110,26 +1092,38 @@ void isc__nm_enqueue_ievent(isc__networker_t *worker, isc__netievent_t *event) { + netievent_type_t type; + if (event->type > netievent_prio) { - /* - * We need to make sure this signal will be delivered and - * the queue will be processed. - */ - LOCK(&worker->lock); - INCREMENT_PRIORITY_NETIEVENT(worker); - ENQUEUE_PRIORITY_NETIEVENT(worker, event); - SIGNAL(&worker->cond_prio); - UNLOCK(&worker->lock); - } else if (event->type == netievent_privilegedtask) { - INCREMENT_PRIVILEGED_NETIEVENT(worker); - ENQUEUE_PRIVILEGED_NETIEVENT(worker, event); - } else if (event->type == netievent_task) { - INCREMENT_TASK_NETIEVENT(worker); - ENQUEUE_TASK_NETIEVENT(worker, event); + type = NETIEVENT_PRIORITY; } else { - INCREMENT_NORMAL_NETIEVENT(worker); - ENQUEUE_NORMAL_NETIEVENT(worker, event); + switch (event->type) { + case netievent_prio: + UNREACHABLE(); + break; + case netievent_privilegedtask: + type = NETIEVENT_PRIVILEGED; + break; + case netievent_task: + type = NETIEVENT_TASK; + break; + default: + type = NETIEVENT_NORMAL; + break; + } + } + + /* + * We need to make sure this signal will be delivered and + * the queue will be processed. + */ + LOCK(&worker->ievents[type].lock); + ISC_LIST_ENQUEUE(worker->ievents[type].list, event, link); + if (type == NETIEVENT_PRIORITY) { + SIGNAL(&worker->ievents[type].cond); } + UNLOCK(&worker->ievents[type].lock); + uv_async_send(&worker->async); } @@ -1600,7 +1594,7 @@ if (!atomic_load(&sock->client)) { break; } - /* fallthrough */ + FALLTHROUGH; case isc_nm_tcpsocket: INSIST(sock->statichandle == NULL); @@ -1886,8 +1880,7 @@ isc__nm_tcpdns_failed_read_cb(sock, result); return; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
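Review bot: The comment kept above `LOCK(&worker->ievents[type].lock)` in `isc__nm_enqueue_ievent()` (`@@ -1110`) still says the signal must be delivered, but `SIGNAL()` is now issued only when `type == NETIEVENT_PRIORITY`. For the other queues the wake-up is the `uv_async_send()` after the unlock. Suggested wording: `/* Queue under the per-type lock; only the priority queue has a waiter on cond, the loop itself is woken by uv_async_send() below. */`. The `case netievent_prio:` arm can never be taken inside the `else` of `event->type > netievent_prio` unless the value is exactly the marker, so a short comment saying it is a range marker and not a real event type would help.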
@@ -1943,11 +1936,15 @@ } void -isc__nmsocket_writetimeout_cb(uv_timer_t *timer) { - isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)timer); +isc__nmsocket_writetimeout_cb(void *data, isc_result_t eresult) { + isc__nm_uvreq_t *req = data; + isc_nmsocket_t *sock = NULL; - int r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); + REQUIRE(eresult == ISC_R_TIMEDOUT); + REQUIRE(VALID_UVREQ(req)); + REQUIRE(VALID_NMSOCK(req->sock)); + + sock = req->sock; isc__nmsocket_reset(sock); } @@ -2094,8 +2091,7 @@ buf->len = ISC_NETMGR_TCP_RECVBUF_SIZE; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } REQUIRE(buf->len <= ISC_NETMGR_RECVBUF_SIZE); @@ -2104,35 +2100,39 @@ worker->recvbuf_inuse = true; } -void +isc_result_t isc__nm_start_reading(isc_nmsocket_t *sock) { + isc_result_t result = ISC_R_SUCCESS; int r; if (sock->reading) { - return; + return (ISC_R_SUCCESS); } switch (sock->type) { case isc_nm_udpsocket: r = uv_udp_recv_start(&sock->uv_handle.udp, isc__nm_alloc_cb, isc__nm_udp_read_cb); - UV_RUNTIME_CHECK(uv_udp_recv_start, r); break; case isc_nm_tcpsocket: r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb, isc__nm_tcp_read_cb); - UV_RUNTIME_CHECK(uv_read_start, r); break; case isc_nm_tcpdnssocket: r = uv_read_start(&sock->uv_handle.stream, isc__nm_alloc_cb, isc__nm_tcpdns_read_cb); - UV_RUNTIME_CHECK(uv_read_start, r); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } - sock->reading = true; + + if (r != 0) { + result = isc__nm_uverr2result(r); + } else { + sock->reading = true; + } + + return (result); } void @@ -2154,8 +2154,7 @@ UV_RUNTIME_CHECK(uv_read_stop, r); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } sock->reading = false; } @@ -2178,8 +2177,7 @@ case isc_nm_tcpdnssocket: return (isc__nm_tcpdns_processbuffer(sock)); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
@@ -2195,7 +2193,7 @@ * limit. In this case we'll be called again by resume_processing() * later. */ -void +isc_result_t isc__nm_process_sock_buffer(isc_nmsocket_t *sock) { for (;;) { int_fast32_t ah = atomic_load(&sock->ah); @@ -2206,7 +2204,10 @@ * Don't reset the timer until we have a * full DNS message. */ - isc__nm_start_reading(sock); + result = isc__nm_start_reading(sock); + if (result != ISC_R_SUCCESS) { + return (result); + } /* * Start the timer only if there are no externally used * active handles, there's always one active handle @@ -2216,11 +2217,11 @@ if (ah == 1) { isc__nmsocket_timer_start(sock); } - return; + goto done; case ISC_R_CANCELED: isc__nmsocket_timer_stop(sock); isc__nm_stop_reading(sock); - return; + goto done; case ISC_R_SUCCESS: /* * Stop the timer on the successful message read, this @@ -2234,13 +2235,15 @@ ah >= STREAM_CLIENTS_PER_CONN) { isc__nm_stop_reading(sock); - return; + goto done; } break; default: - INSIST(0); + UNREACHABLE(); } } +done: + return (ISC_R_SUCCESS); } void @@ -2420,8 +2423,7 @@ isc__nm_tcpdns_send(handle, region, cb, cbarg); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2447,8 +2449,7 @@ isc__nm_tcpdns_read(handle, cb, cbarg); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2467,8 +2468,7 @@ isc__nm_tcpdns_cancelread(handle); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2483,8 +2483,7 @@ isc__nm_tcp_pauseread(handle); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2499,8 +2498,7 @@ isc__nm_tcp_resumeread(handle); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2519,8 +2517,7 @@ isc__nm_tcp_stoplistening(sock); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
@@ -2677,6 +2674,14 @@ nmhandle_detach_cb(&ievent->handle FLARG_PASS); } +static void +reset_shutdown(uv_handle_t *handle) { + isc_nmsocket_t *sock = uv_handle_get_data(handle); + + isc__nmsocket_shutdown(sock); + isc__nmsocket_detach(&sock); +} + void isc__nmsocket_reset(isc_nmsocket_t *sock) { REQUIRE(VALID_NMSOCK(sock)); @@ -2690,20 +2695,24 @@ REQUIRE(sock->parent == NULL); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); break; } - if (!uv_is_closing(&sock->uv_handle.handle)) { + if (!uv_is_closing(&sock->uv_handle.handle) && + uv_is_active(&sock->uv_handle.handle)) + { /* * The real shutdown will be handled in the respective * close functions. */ - int r = uv_tcp_close_reset(&sock->uv_handle.tcp, NULL); + isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL }); + int r = uv_tcp_close_reset(&sock->uv_handle.tcp, + reset_shutdown); UV_RUNTIME_CHECK(uv_tcp_close_reset, r); + } else { + isc__nmsocket_shutdown(sock); } - isc__nmsocket_shutdown(sock); } void @@ -2724,8 +2733,7 @@ case isc_nm_tcpdnslistener: return; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -2740,18 +2748,32 @@ switch (handle->type) { case UV_UDP: + isc__nmsocket_shutdown(sock); + return; case UV_TCP: - break; + switch (sock->type) { + case isc_nm_tcpsocket: + case isc_nm_tcpdnssocket: + if (sock->parent == NULL) { + /* Reset the TCP connections on shutdown */ + isc__nmsocket_reset(sock); + return; + } + FALLTHROUGH; + default: + isc__nmsocket_shutdown(sock); + } + + return; default: return; } - - isc__nmsocket_shutdown(sock); } void isc__nm_async_shutdown(isc__networker_t *worker, isc__netievent_t *ev0) { UNUSED(ev0); + uv_walk(&worker->loop, shutdown_walk_cb, NULL); } @@ -3238,7 +3260,8 @@ REQUIRE(VALID_NMSOCK(handle->sock)); if (isc_refcount_decrement(&timer->references) == 1) { - uv_timer_stop(&timer->timer); + int r = uv_timer_stop(&timer->timer); + UV_RUNTIME_CHECK(uv_timer_stop, r); uv_close((uv_handle_t *)&timer->timer, timer_destroy); } } 
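Review bot: The reference taken with `isc__nmsocket_attach(sock, &(isc_nmsocket_t *){ NULL })` in `isc__nmsocket_reset()` (`@@ -2690`) has no visible owner, and the matching `isc__nmsocket_detach()` sits in `reset_shutdown()`, added in `@@ -2677`. A reader who sees only one of the two functions cannot tell that the reference count is balanced. Proposed comment above the attach: `/* Keep the socket alive until reset_shutdown() runs as the close callback; it drops this reference. */`, with a matching note in `reset_shutdown()`. Sockets that are not active now skip the reset and go straight to `isc__nmsocket_shutdown()`, which deserves a word in the existing comment as well.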
@@ -3286,8 +3309,7 @@ case isc_nm_tcpdnssocket: return ("isc_nm_tcpdnssocket"); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/isc/netmgr/tcp.c bind9-9.16.33/lib/isc/netmgr/tcp.c --- bind9-9.16.27/lib/isc/netmgr/tcp.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/tcp.c 2022-09-08 13:01:23.000000000 +0000 @@ -37,7 +37,7 @@ #include "netmgr-int.h" #include "uv-compat.h" -static atomic_uint_fast32_t last_tcpquota_log = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t last_tcpquota_log = 0; static bool can_log_tcp_quota(void) { @@ -79,9 +79,6 @@ failed_accept_cb(isc_nmsocket_t *sock, isc_result_t eresult); static void -failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req, - isc_result_t eresult); -static void stop_tcp_parent(isc_nmsocket_t *sock); static void stop_tcp_child(isc_nmsocket_t *sock); @@ -144,10 +141,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd); if (r != 0) { isc__nm_closesocket(sock->fd); @@ -362,7 +355,7 @@ } static uv_os_sock_t -isc__nm_tcp_lb_socket(sa_family_t sa_family) { +isc__nm_tcp_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) { isc_result_t result; uv_os_sock_t sock; @@ -376,9 +369,11 @@ result = isc__nm_socket_reuse(sock); RUNTIME_CHECK(result == ISC_R_SUCCESS); -#if HAVE_SO_REUSEPORT_LB - result = isc__nm_socket_reuse_lb(sock); - RUNTIME_CHECK(result == ISC_R_SUCCESS); +#ifndef _WIN32 + if (mgr->load_balance_sockets) { + result = isc__nm_socket_reuse_lb(sock); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + } #endif return (sock); 
@@ -404,11 +399,17 @@ csock->pquota = sock->pquota; isc_quota_cb_init(&csock->quotacb, quota_accept_cb, csock); -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 UNUSED(fd); - csock->fd = isc__nm_tcp_lb_socket(iface->type.sa.sa_family); + csock->fd = isc__nm_tcp_lb_socket(mgr, iface->type.sa.sa_family); #else - csock->fd = dup(fd); + if (mgr->load_balance_sockets) { + UNUSED(fd); + csock->fd = isc__nm_tcp_lb_socket(mgr, + iface->type.sa.sa_family); + } else { + csock->fd = dup(fd); + } #endif REQUIRE(csock->fd >= 0); @@ -461,8 +462,10 @@ sock->tid = 0; sock->fd = -1; -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - fd = isc__nm_tcp_lb_socket(iface->type.sa.sa_family); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + fd = isc__nm_tcp_lb_socket(mgr, iface->type.sa.sa_family); + } #endif isc_barrier_init(&sock->startlistening, sock->nchildren); @@ -478,8 +481,10 @@ start_tcp_child(mgr, iface, sock, fd, isc_nm_tid()); } -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - isc__nm_closesocket(fd); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + isc__nm_closesocket(fd); + } #endif LOCK(&sock->lock); @@ -512,6 +517,7 @@ int flags = 0; isc_nmsocket_t *sock = NULL; isc_result_t result; + isc_nm_t *mgr; REQUIRE(VALID_NMSOCK(ievent->sock)); REQUIRE(ievent->sock->tid == isc_nm_tid()); @@ -519,6 +525,7 @@ sock = ievent->sock; sa_family = sock->iface.type.sa.sa_family; + mgr = sock->mgr; REQUIRE(sock->type == isc_nm_tcpsocket); REQUIRE(sock->parent != NULL); @@ -537,10 +544,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - LOCK(&sock->parent->lock); r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd); 
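Review bot: `mgr->load_balance_sockets` is read twice in the listen function, once to decide whether to create the shared `fd` (`@@ -461`) and again to decide whether to close it (`@@ -478`), and the field is a plain `bool` that `isc_nm_setloadbalancesockets()` can change. If the value changed between the two reads, the function would either leak the descriptor or call `isc__nm_closesocket()` on an `fd` it never opened; the initial value of `fd` and whether the setter can run concurrently are both outside these hunks. Reading it once, `bool lb = mgr->load_balance_sockets;`, and using `lb` for both tests removes the dependency. `start_tcp_child()` (`@@ -404`) reads the field again when it picks between `dup(fd)` and a new socket, so it should be given the same decision rather than re-read it. The tcpdns.c listen hunks (`@@ -424`, `@@ -441`, `@@ -374`) follow the same pattern.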
@@ -555,7 +558,7 @@ flags = UV_TCP_IPV6ONLY; } -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa, flags); if (r < 0) { @@ -563,7 +566,7 @@ goto done; } #else - if (sock->parent->fd == -1) { + if (mgr->load_balance_sockets) { r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa, flags); if (r < 0) { @@ -571,11 +574,22 @@ sock->statsindex[STATID_BINDFAIL]); goto done; } - sock->parent->uv_handle.tcp.flags = sock->uv_handle.tcp.flags; - sock->parent->fd = sock->fd; } else { - /* The socket is already bound, just copy the flags */ - sock->uv_handle.tcp.flags = sock->parent->uv_handle.tcp.flags; + if (sock->parent->fd == -1) { + r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, + &sock->iface.type.sa, flags); + if (r < 0) { + isc__nm_incstats(sock->mgr, STATID_BINDFAIL); + goto done; + } + sock->parent->uv_handle.tcp.flags = + sock->uv_handle.tcp.flags; + sock->parent->fd = sock->fd; + } else { + /* The socket is already bound, just copy the flags */ + sock->uv_handle.tcp.flags = + sock->parent->uv_handle.tcp.flags; + } } #endif @@ -653,8 +667,7 @@ if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (!isc__nm_in_netthread()) { @@ -713,19 +726,6 @@ } } -static void -failed_send_cb(isc_nmsocket_t *sock, isc__nm_uvreq_t *req, - isc_result_t eresult) { - REQUIRE(VALID_NMSOCK(sock)); - REQUIRE(VALID_UVREQ(req)); - - if (req->cb.send != NULL) { - isc__nm_sendcb(sock, req, eresult, true); - } else { - isc__nm_uvreq_put(&req, sock); - } -} - void isc__nm_tcp_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) { REQUIRE(VALID_NMHANDLE(handle)); 
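Review bot: The bind-failure path added in the `else` branch of `@@ -571` calls `isc__nm_incstats(sock->mgr, STATID_BINDFAIL)` with the raw enum value, while the load-balanced branch just above it and the other calls in this file index through `sock->statsindex[...]`. Unless `isc__nm_incstats()` accepts both forms, which is not visible here, a failed bind on this path is counted against the wrong statistics slot. The line should read `isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);`. The tcpdns.c counterpart of this hunk runs past the end of the visible text, so it should be checked for the same call.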
@@ -768,18 +768,24 @@ isc__netievent_tcpstartread_t *ievent = (isc__netievent_tcpstartread_t *)ev0; isc_nmsocket_t *sock = ievent->sock; + isc_result_t result; REQUIRE(VALID_NMSOCK(sock)); REQUIRE(sock->tid == isc_nm_tid()); UNUSED(worker); if (isc__nmsocket_closing(sock)) { + result = ISC_R_CANCELED; + } else { + result = isc__nm_start_reading(sock); + } + + if (result != ISC_R_SUCCESS) { sock->reading = true; - isc__nm_tcp_failed_read_cb(sock, ISC_R_CANCELED); + isc__nm_tcp_failed_read_cb(sock, result); return; } - isc__nm_start_reading(sock); isc__nmsocket_timer_start(sock); } @@ -990,10 +996,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock); - r = uv_timer_init(&worker->loop, &csock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock); - r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream); if (r != 0) { result = isc__nm_uverr2result(r); @@ -1087,13 +1089,6 @@ uvreq->cb.send = cb; uvreq->cbarg = cbarg; - if (sock->write_timeout == 0) { - sock->write_timeout = - (atomic_load(&sock->keepalive) - ? atomic_load(&sock->mgr->keepalive) - : atomic_load(&sock->mgr->idle)); - } - ievent = isc__nm_get_netievent_tcpsend(sock->mgr, sock, uvreq); isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid], (isc__netievent_t *)ievent); 
@@ -1104,20 +1099,20 @@ static void tcp_send_cb(uv_write_t *req, int status) { isc__nm_uvreq_t *uvreq = (isc__nm_uvreq_t *)req->data; + isc_nmsocket_t *sock = NULL; REQUIRE(VALID_UVREQ(uvreq)); - REQUIRE(VALID_NMHANDLE(uvreq->handle)); + REQUIRE(VALID_NMSOCK(uvreq->sock)); - isc_nmsocket_t *sock = uvreq->sock; + sock = uvreq->sock; - if (--sock->writes == 0) { - int r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); - } + isc_nm_timer_stop(uvreq->timer); + isc_nm_timer_detach(&uvreq->timer); if (status < 0) { isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]); - failed_send_cb(sock, uvreq, isc__nm_uverr2result(status)); + isc__nm_failed_send_cb(sock, uvreq, + isc__nm_uverr2result(status)); return; } @@ -1138,10 +1133,17 @@ REQUIRE(sock->tid == isc_nm_tid()); UNUSED(worker); + if (sock->write_timeout == 0) { + sock->write_timeout = + (atomic_load(&sock->keepalive) + ? atomic_load(&sock->mgr->keepalive) + : atomic_load(&sock->mgr->idle)); + } + result = tcp_send_direct(sock, uvreq); if (result != ISC_R_SUCCESS) { isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]); - failed_send_cb(sock, uvreq, result); + isc__nm_failed_send_cb(sock, uvreq, result); } } @@ -1158,17 +1160,18 @@ return (ISC_R_CANCELED); } - r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb, - sock->write_timeout, 0); - UV_RUNTIME_CHECK(uv_timer_start, r); - RUNTIME_CHECK(sock->writes++ >= 0); - r = uv_write(&req->uv_req.write, &sock->uv_handle.stream, &req->uvbuf, 1, tcp_send_cb); if (r < 0) { return (isc__nm_uverr2result(r)); } + isc_nm_timer_create(req->handle, isc__nmsocket_writetimeout_cb, req, + &req->timer); + if (sock->write_timeout > 0) { + isc_nm_timer_start(req->timer, sock->write_timeout); + } + return (ISC_R_SUCCESS); } 
@@ -1183,8 +1186,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -1202,8 +1204,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -1240,17 +1241,6 @@ } static void -write_timer_close_cb(uv_handle_t *timer) { - isc_nmsocket_t *sock = uv_handle_get_data(timer); - uv_handle_set_data(timer, NULL); - - REQUIRE(VALID_NMSOCK(sock)); - - uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); -} - -static void stop_tcp_child(isc_nmsocket_t *sock) { REQUIRE(sock->type == isc_nm_tcpsocket); REQUIRE(sock->tid == isc_nm_tid()); @@ -1302,8 +1292,6 @@ static void tcp_close_direct(isc_nmsocket_t *sock) { - int r; - REQUIRE(VALID_NMSOCK(sock)); REQUIRE(sock->tid == isc_nm_tid()); REQUIRE(atomic_load(&sock->closing)); @@ -1325,10 +1313,8 @@ isc__nmsocket_timer_stop(sock); isc__nm_stop_reading(sock); - r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb); + uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); + uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); } void diff -Nru bind9-9.16.27/lib/isc/netmgr/tcpdns.c bind9-9.16.33/lib/isc/netmgr/tcpdns.c --- bind9-9.16.27/lib/isc/netmgr/tcpdns.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/tcpdns.c 2022-09-08 13:01:23.000000000 +0000 @@ -37,7 +37,7 @@ #include "netmgr-int.h" #include "uv-compat.h" -static atomic_uint_fast32_t last_tcpdnsquota_log = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t last_tcpdnsquota_log = 0; static bool can_log_tcpdns_quota(void) { 
@@ -102,10 +102,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - if (isc__nm_closing(sock)) { result = ISC_R_CANCELED; goto error; @@ -322,7 +318,7 @@ } static uv_os_sock_t -isc__nm_tcpdns_lb_socket(sa_family_t sa_family) { +isc__nm_tcpdns_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) { isc_result_t result; uv_os_sock_t sock; @@ -336,9 +332,11 @@ result = isc__nm_socket_reuse(sock); RUNTIME_CHECK(result == ISC_R_SUCCESS); -#if HAVE_SO_REUSEPORT_LB - result = isc__nm_socket_reuse_lb(sock); - RUNTIME_CHECK(result == ISC_R_SUCCESS); +#ifndef _WIN32 + if (mgr->load_balance_sockets) { + result = isc__nm_socket_reuse_lb(sock); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + } #endif return (sock); @@ -374,11 +372,17 @@ csock->pquota = sock->pquota; isc_quota_cb_init(&csock->quotacb, quota_accept_cb, csock); -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 UNUSED(fd); - csock->fd = isc__nm_tcpdns_lb_socket(iface->type.sa.sa_family); + csock->fd = isc__nm_tcpdns_lb_socket(mgr, iface->type.sa.sa_family); #else - csock->fd = dup(fd); + if (mgr->load_balance_sockets) { + UNUSED(fd); + csock->fd = isc__nm_tcpdns_lb_socket(mgr, + iface->type.sa.sa_family); + } else { + csock->fd = dup(fd); + } #endif REQUIRE(csock->fd >= 0); @@ -424,8 +428,10 @@ sock->tid = 0; sock->fd = -1; -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - fd = isc__nm_tcpdns_lb_socket(iface->type.sa.sa_family); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + fd = isc__nm_tcpdns_lb_socket(mgr, iface->type.sa.sa_family); + } #endif isc_barrier_init(&sock->startlistening, sock->nchildren); 
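Review bot: The `RUNTIME_CHECK(result == ISC_R_SUCCESS)` after isc__nm_socket_reuse_lb() in isc__nm_tcpdns_lb_socket() (hunk at -336) is now gated by the runtime flag `mgr->load_balance_sockets` rather than the compile-time HAVE_SO_REUSEPORT_LB test. If the flag could ever be true on a build where the call cannot succeed, the process would abort while setting up a listener. The code that sets the flag is not visible in this diff. If it refuses to enable the flag on such platforms, a comment here such as `/* load_balance_sockets is only ever set where load-balanced reuseport is available */` would record the invariant; otherwise the error should be returned to the caller instead of asserted. isc__nm_udp_lb_socket() in udp.c (hunk at -75) has the same shape, and both function bodies continue outside their hunks.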
@@ -441,8 +447,10 @@ start_tcpdns_child(mgr, iface, sock, fd, isc_nm_tid()); } -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - isc__nm_closesocket(fd); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + isc__nm_closesocket(fd); + } #endif LOCK(&sock->lock); @@ -476,6 +484,7 @@ int flags = 0; isc_nmsocket_t *sock = NULL; isc_result_t result = ISC_R_UNSET; + isc_nm_t *mgr = NULL; REQUIRE(VALID_NMSOCK(ievent->sock)); REQUIRE(ievent->sock->tid == isc_nm_tid()); @@ -483,6 +492,7 @@ sock = ievent->sock; sa_family = sock->iface.type.sa.sa_family; + mgr = sock->mgr; REQUIRE(sock->type == isc_nm_tcpdnssocket); REQUIRE(sock->parent != NULL); @@ -500,10 +510,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - LOCK(&sock->parent->lock); r = uv_tcp_open(&sock->uv_handle.tcp, sock->fd); @@ -518,7 +524,7 @@ flags = UV_TCP_IPV6ONLY; } -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa, flags); if (r < 0) { @@ -526,7 +532,7 @@ goto done; } #else - if (sock->parent->fd == -1) { + if (mgr->load_balance_sockets) { r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, &sock->iface.type.sa, flags); if (r < 0) { 
@@ -534,11 +540,22 @@ sock->statsindex[STATID_BINDFAIL]); goto done; } - sock->parent->uv_handle.tcp.flags = sock->uv_handle.tcp.flags; - sock->parent->fd = sock->fd; } else { - /* The socket is already bound, just copy the flags */ - sock->uv_handle.tcp.flags = sock->parent->uv_handle.tcp.flags; + if (sock->parent->fd == -1) { + r = isc_uv_tcp_freebind(&sock->uv_handle.tcp, + &sock->iface.type.sa, flags); + if (r < 0) { + isc__nm_incstats(sock->mgr, STATID_BINDFAIL); + goto done; + } + sock->parent->uv_handle.tcp.flags = + sock->uv_handle.tcp.flags; + sock->parent->fd = sock->fd; + } else { + /* The socket is already bound, just copy the flags */ + sock->uv_handle.tcp.flags = + sock->parent->uv_handle.tcp.flags; + } } #endif @@ -616,8 +633,7 @@ if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (!isc__nm_in_netthread()) { @@ -719,6 +735,7 @@ isc__netievent_tcpdnsread_t *ievent = (isc__netievent_tcpdnsread_t *)ev0; isc_nmsocket_t *sock = ievent->sock; + isc_result_t result; UNUSED(worker); @@ -726,12 +743,15 @@ REQUIRE(sock->tid == isc_nm_tid()); if (isc__nmsocket_closing(sock)) { - sock->reading = true; - isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false); - return; + result = ISC_R_CANCELED; + } else { + result = isc__nm_process_sock_buffer(sock); } - isc__nm_process_sock_buffer(sock); + if (result != ISC_R_SUCCESS) { + sock->reading = true; + isc__nm_failed_read_cb(sock, result, false); + } } /* @@ -823,6 +843,7 @@ isc_nmsocket_t *sock = uv_handle_get_data((uv_handle_t *)stream); uint8_t *base = NULL; size_t len; + isc_result_t result; REQUIRE(VALID_NMSOCK(sock)); REQUIRE(sock->tid == isc_nm_tid()); @@ -866,7 +887,10 @@ sock->read_timeout = atomic_load(&sock->mgr->idle); } - isc__nm_process_sock_buffer(sock); + result = isc__nm_process_sock_buffer(sock); + if (result != ISC_R_SUCCESS) { + isc__nm_failed_read_cb(sock, result, true); + } free: if (nread < 0) { /* 
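Review bot: The bind-failure path added in the new `sock->parent->fd == -1` branch calls `isc__nm_incstats(sock->mgr, STATID_BINDFAIL);`, passing the generic STATID value directly. The load-balanced branch just above it in the same hunk passes `sock->statsindex[STATID_BINDFAIL]`, as do the other incstats calls in this file section, so this looks like it bumps the wrong counter and hides bind failures from the per-socket-type statistics. It should read `isc__nm_incstats(sock->mgr, sock->statsindex[STATID_BINDFAIL]);`. The udp.c hunk at -271 carries the same line in its corresponding branch. The enclosing function starts and ends outside the hunk.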
@@ -958,10 +982,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&csock->read_timer, csock); - r = uv_timer_init(&worker->loop, &csock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&csock->write_timer, csock); - r = uv_accept(&ssock->uv_handle.stream, &csock->uv_handle.stream); if (r != 0) { result = isc__nm_uverr2result(r); @@ -1022,7 +1042,12 @@ * prep_destroy()->tcpdns_close_direct(). */ isc_nmhandle_attach(handle, &csock->recv_handle); - isc__nm_process_sock_buffer(csock); + result = isc__nm_process_sock_buffer(csock); + if (result != ISC_R_SUCCESS) { + isc_nmhandle_detach(&csock->recv_handle); + isc_nmhandle_detach(&handle); + goto failure; + } /* * The initial timer has been set, update the read timeout for the next @@ -1076,13 +1101,6 @@ uvreq->cb.send = cb; uvreq->cbarg = cbarg; - if (sock->write_timeout == 0) { - sock->write_timeout = - (atomic_load(&sock->keepalive) - ? atomic_load(&sock->mgr->keepalive) - : atomic_load(&sock->mgr->idle)); - } - ievent = isc__nm_get_netievent_tcpdnssend(sock->mgr, sock, uvreq); isc__nm_maybe_enqueue_ievent(&sock->mgr->workers[sock->tid], (isc__netievent_t *)ievent); @@ -1096,14 +1114,12 @@ isc_nmsocket_t *sock = NULL; REQUIRE(VALID_UVREQ(uvreq)); - REQUIRE(VALID_NMHANDLE(uvreq->handle)); + REQUIRE(VALID_NMSOCK(uvreq->sock)); sock = uvreq->sock; - if (--sock->writes == 0) { - int r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); - } + isc_nm_timer_stop(uvreq->timer); + isc_nm_timer_detach(&uvreq->timer); if (status < 0) { isc__nm_incstats(sock->mgr, sock->statsindex[STATID_SENDFAIL]); 
@@ -1131,6 +1147,14 @@ isc_result_t result; isc_nmsocket_t *sock = ievent->sock; isc__nm_uvreq_t *uvreq = ievent->req; + + if (sock->write_timeout == 0) { + sock->write_timeout = + (atomic_load(&sock->keepalive) + ? atomic_load(&sock->mgr->keepalive) + : atomic_load(&sock->mgr->idle)); + } + uv_buf_t bufs[2] = { { .base = uvreq->tcplen, .len = 2 }, { .base = uvreq->uvbuf.base, .len = uvreq->uvbuf.len } }; @@ -1169,11 +1193,6 @@ goto fail; } - r = uv_timer_start(&sock->write_timer, isc__nmsocket_writetimeout_cb, - sock->write_timeout, 0); - UV_RUNTIME_CHECK(uv_timer_start, r); - RUNTIME_CHECK(sock->writes++ >= 0); - r = uv_write(&uvreq->uv_req.write, &sock->uv_handle.stream, bufs, nbufs, tcpdns_send_cb); if (r < 0) { @@ -1181,6 +1200,12 @@ goto fail; } + isc_nm_timer_create(uvreq->handle, isc__nmsocket_writetimeout_cb, uvreq, + &uvreq->timer); + if (sock->write_timeout > 0) { + isc_nm_timer_start(uvreq->timer, sock->write_timeout); + } + return; fail: if (result != ISC_R_SUCCESS) { @@ -1201,8 +1226,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -1220,8 +1244,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -1261,17 +1284,6 @@ } static void -write_timer_close_cb(uv_handle_t *timer) { - isc_nmsocket_t *sock = uv_handle_get_data(timer); - uv_handle_set_data(timer, NULL); - - REQUIRE(VALID_NMSOCK(sock)); - - uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); -} - -static void stop_tcpdns_child(isc_nmsocket_t *sock) { REQUIRE(sock->type == isc_nm_tcpdnssocket); REQUIRE(sock->tid == isc_nm_tid()); 
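Review bot: In the hunk at -1131 the `write_timeout` default block is inserted between the `uvreq` declaration and the `uv_buf_t bufs[2]` declaration, so a statement that dereferences `sock` sits in the middle of the declarations. The tcp.c version of this change places the same block after the REQUIRE and UNUSED lines. Moving this block below the `bufs` initializer, and below any REQUIRE checks on sock that may follow outside the hunk, would keep the two files parallel and keep validation ahead of the first use of sock. The function body continues outside the hunk.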
@@ -1323,7 +1335,6 @@ static void tcpdns_close_direct(isc_nmsocket_t *sock) { - int r; REQUIRE(VALID_NMSOCK(sock)); REQUIRE(sock->tid == isc_nm_tid()); REQUIRE(atomic_load(&sock->closing)); @@ -1339,10 +1350,8 @@ isc__nmsocket_timer_stop(sock); isc__nm_stop_reading(sock); - r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb); + uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); + uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); } void diff -Nru bind9-9.16.27/lib/isc/netmgr/udp.c bind9-9.16.33/lib/isc/netmgr/udp.c --- bind9-9.16.27/lib/isc/netmgr/udp.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/udp.c 2022-09-08 13:01:23.000000000 +0000 @@ -51,9 +51,6 @@ read_timer_close_cb(uv_handle_t *handle); static void -write_timer_close_cb(uv_handle_t *handle); - -static void udp_close_direct(isc_nmsocket_t *sock); static void @@ -62,7 +59,7 @@ stop_udp_child(isc_nmsocket_t *sock); static uv_os_sock_t -isc__nm_udp_lb_socket(sa_family_t sa_family) { +isc__nm_udp_lb_socket(isc_nm_t *mgr, sa_family_t sa_family) { isc_result_t result; uv_os_sock_t sock; @@ -75,9 +72,11 @@ result = isc__nm_socket_reuse(sock); RUNTIME_CHECK(result == ISC_R_SUCCESS); -#if HAVE_SO_REUSEPORT_LB - result = isc__nm_socket_reuse_lb(sock); - RUNTIME_CHECK(result == ISC_R_SUCCESS); +#ifndef _WIN32 + if (mgr->load_balance_sockets) { + result = isc__nm_socket_reuse_lb(sock); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + } #endif return (sock); 
@@ -100,11 +99,17 @@ csock->extrahandlesize = sock->extrahandlesize; csock->tid = tid; -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 UNUSED(fd); - csock->fd = isc__nm_udp_lb_socket(iface->type.sa.sa_family); + csock->fd = isc__nm_udp_lb_socket(mgr, iface->type.sa.sa_family); #else - csock->fd = dup(fd); + if (mgr->load_balance_sockets) { + UNUSED(fd); + csock->fd = isc__nm_udp_lb_socket(mgr, + iface->type.sa.sa_family); + } else { + csock->fd = dup(fd); + } #endif REQUIRE(csock->fd >= 0); @@ -156,8 +161,10 @@ sock->tid = 0; sock->fd = -1; -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - fd = isc__nm_udp_lb_socket(iface->type.sa.sa_family); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + fd = isc__nm_udp_lb_socket(mgr, iface->type.sa.sa_family); + } #endif isc_barrier_init(&sock->startlistening, sock->nchildren); @@ -173,8 +180,10 @@ start_udp_child(mgr, iface, sock, fd, isc_nm_tid()); } -#if !HAVE_SO_REUSEPORT_LB && !defined(WIN32) - isc__nm_closesocket(fd); +#ifndef _WIN32 + if (!mgr->load_balance_sockets) { + isc__nm_closesocket(fd); + } #endif LOCK(&sock->lock); @@ -210,6 +219,7 @@ int uv_init_flags = 0; sa_family_t sa_family; isc_result_t result = ISC_R_UNSET; + isc_nm_t *mgr = NULL; REQUIRE(VALID_NMSOCK(ievent->sock)); REQUIRE(ievent->sock->tid == isc_nm_tid()); @@ -217,6 +227,7 @@ sock = ievent->sock; sa_family = sock->iface.type.sa.sa_family; + mgr = sock->mgr; REQUIRE(sock->type == isc_nm_udpsocket); REQUIRE(sock->parent != NULL); @@ -235,10 +246,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - LOCK(&sock->parent->lock); r = uv_udp_open(&sock->uv_handle.udp, sock->fd); 
@@ -253,7 +260,7 @@ uv_bind_flags |= UV_UDP_IPV6ONLY; } -#if HAVE_SO_REUSEPORT_LB || defined(WIN32) +#ifdef _WIN32 r = isc_uv_udp_freebind(&sock->uv_handle.udp, &sock->parent->iface.type.sa, uv_bind_flags); if (r < 0) { @@ -261,8 +268,7 @@ goto done; } #else - if (sock->parent->fd == -1) { - /* This thread is first, bind the socket */ + if (mgr->load_balance_sockets) { r = isc_uv_udp_freebind(&sock->uv_handle.udp, &sock->parent->iface.type.sa, uv_bind_flags); @@ -271,11 +277,24 @@ sock->statsindex[STATID_BINDFAIL]); goto done; } - sock->parent->uv_handle.udp.flags = sock->uv_handle.udp.flags; - sock->parent->fd = sock->fd; } else { - /* The socket is already bound, just copy the flags */ - sock->uv_handle.udp.flags = sock->parent->uv_handle.udp.flags; + if (sock->parent->fd == -1) { + /* This thread is first, bind the socket */ + r = isc_uv_udp_freebind(&sock->uv_handle.udp, + &sock->parent->iface.type.sa, + uv_bind_flags); + if (r < 0) { + isc__nm_incstats(sock->mgr, STATID_BINDFAIL); + goto done; + } + sock->parent->uv_handle.udp.flags = + sock->uv_handle.udp.flags; + sock->parent->fd = sock->fd; + } else { + /* The socket is already bound, just copy the flags */ + sock->uv_handle.udp.flags = + sock->parent->uv_handle.udp.flags; + } } #endif @@ -315,8 +334,7 @@ if (!atomic_compare_exchange_strong(&sock->closing, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (!isc__nm_in_netthread()) { @@ -661,10 +679,6 @@ UV_RUNTIME_CHECK(uv_timer_init, r); uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - r = uv_timer_init(&worker->loop, &sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_init, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - r = uv_udp_open(&sock->uv_handle.udp, sock->fd); if (r != 0) { isc__nm_incstats(sock->mgr, sock->statsindex[STATID_OPENFAIL]); 
@@ -916,6 +930,7 @@ isc__nm_async_udpread(isc__networker_t *worker, isc__netievent_t *ev0) { isc__netievent_udpread_t *ievent = (isc__netievent_udpread_t *)ev0; isc_nmsocket_t *sock = ievent->sock; + isc_result_t result; UNUSED(worker); @@ -923,12 +938,17 @@ REQUIRE(sock->tid == isc_nm_tid()); if (isc__nmsocket_closing(sock)) { + result = ISC_R_CANCELED; + } else { + result = isc__nm_start_reading(sock); + } + + if (result != ISC_R_SUCCESS) { sock->reading = true; - isc__nm_failed_read_cb(sock, ISC_R_CANCELED, false); + isc__nm_failed_read_cb(sock, result, false); return; } - isc__nm_start_reading(sock); isc__nmsocket_timer_start(sock); } @@ -970,8 +990,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -992,8 +1011,7 @@ if (!atomic_compare_exchange_strong(&sock->closed, &(bool){ false }, true)) { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc__nm_incstats(sock->mgr, sock->statsindex[STATID_CLOSE]); @@ -1021,17 +1039,6 @@ } static void -write_timer_close_cb(uv_handle_t *timer) { - isc_nmsocket_t *sock = uv_handle_get_data(timer); - uv_handle_set_data(timer, NULL); - - REQUIRE(VALID_NMSOCK(sock)); - - uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); - uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); -} - -static void stop_udp_child(isc_nmsocket_t *sock) { REQUIRE(sock->type == isc_nm_udpsocket); REQUIRE(sock->tid == isc_nm_tid()); 
@@ -1083,14 +1090,11 @@ static void udp_close_direct(isc_nmsocket_t *sock) { - int r; REQUIRE(VALID_NMSOCK(sock)); REQUIRE(sock->tid == isc_nm_tid()); - r = uv_timer_stop(&sock->write_timer); - UV_RUNTIME_CHECK(uv_timer_stop, r); - uv_handle_set_data((uv_handle_t *)&sock->write_timer, sock); - uv_close((uv_handle_t *)&sock->write_timer, write_timer_close_cb); + uv_handle_set_data((uv_handle_t *)&sock->read_timer, sock); + uv_close((uv_handle_t *)&sock->read_timer, read_timer_close_cb); } void diff -Nru bind9-9.16.27/lib/isc/netmgr/uv-compat.h bind9-9.16.33/lib/isc/netmgr/uv-compat.h --- bind9-9.16.27/lib/isc/netmgr/uv-compat.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/netmgr/uv-compat.h 2022-09-08 13:01:23.000000000 +0000 @@ -23,6 +23,23 @@ #define UV_VERSION(major, minor, patch) ((major << 16) | (minor << 8) | (patch)) +/* + * Copied verbatim from libuv/src/version.c + */ + +#define UV_STRINGIFY(v) UV_STRINGIFY_HELPER(v) +#define UV_STRINGIFY_HELPER(v) #v + +#define UV_VERSION_STRING_BASE \ + UV_STRINGIFY(UV_VERSION_MAJOR) \ + "." UV_STRINGIFY(UV_VERSION_MINOR) "." UV_STRINGIFY(UV_VERSION_PATCH) + +#if UV_VERSION_IS_RELEASE +#define UV_VERSION_STRING UV_VERSION_STRING_BASE +#else +#define UV_VERSION_STRING UV_VERSION_STRING_BASE "-" UV_VERSION_SUFFIX +#endif + #if !defined(UV__ERR) #define UV__ERR(x) (-(x)) #endif diff -Nru bind9-9.16.27/lib/isc/portset.c bind9-9.16.33/lib/isc/portset.c --- bind9-9.16.27/lib/isc/portset.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/portset.c 2022-09-08 13:01:23.000000000 +0000 @@ -34,12 +34,12 @@ uint32_t buf[ISC_PORTSET_BUFSIZE]; }; -static inline bool +static bool portset_isset(isc_portset_t *portset, in_port_t port) { return ((portset->buf[port >> 5] & ((uint32_t)1 << (port & 31))) != 0); } -static inline void +static void portset_add(isc_portset_t *portset, in_port_t port) { if (!portset_isset(portset, port)) { portset->nports++; 
@@ -47,7 +47,7 @@ } } -static inline void +static void portset_remove(isc_portset_t *portset, in_port_t port) { if (portset_isset(portset, port)) { portset->nports--; diff -Nru bind9-9.16.27/lib/isc/pthreads/include/isc/thread.h bind9-9.16.33/lib/isc/pthreads/include/isc/thread.h --- bind9-9.16.27/lib/isc/pthreads/include/isc/thread.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/pthreads/include/isc/thread.h 2022-09-08 13:01:23.000000000 +0000 @@ -35,8 +35,8 @@ ISC_LANG_BEGINDECLS typedef pthread_t isc_thread_t; -typedef void *isc_threadresult_t; -typedef void *isc_threadarg_t; +typedef void *isc_threadresult_t; +typedef void *isc_threadarg_t; typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t); void diff -Nru bind9-9.16.27/lib/isc/queue.c bind9-9.16.33/lib/isc/queue.c --- bind9-9.16.27/lib/isc/queue.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/queue.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,234 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#include - -#include -#include -#include -#include -#include -#include - -#define BUFFER_SIZE 1024 - -#define MAX_THREADS 128 - -#define ALIGNMENT 128 - -static uintptr_t nulluintptr = (uintptr_t)NULL; - -typedef struct node { - atomic_uint_fast32_t deqidx; - atomic_uintptr_t items[BUFFER_SIZE]; - atomic_uint_fast32_t enqidx; - atomic_uintptr_t next; - isc_mem_t *mctx; -} node_t; - -/* we just need one Hazard Pointer */ -#define HP_TAIL 0 -#define HP_HEAD 0 - -struct isc_queue { - alignas(ALIGNMENT) atomic_uintptr_t head; - alignas(ALIGNMENT) atomic_uintptr_t tail; - isc_mem_t *mctx; - int max_threads; - int taken; - isc_hp_t *hp; - void *alloced_ptr; -}; - -static node_t * -node_new(isc_mem_t *mctx, uintptr_t item) { - node_t *node = isc_mem_get(mctx, sizeof(*node)); - *node = (node_t){ .mctx = NULL }; - - atomic_init(&node->deqidx, 0); - atomic_init(&node->enqidx, 1); - atomic_init(&node->next, 0); - atomic_init(&node->items[0], item); - - for (int i = 1; i < BUFFER_SIZE; i++) { - atomic_init(&node->items[i], 0); - } - - isc_mem_attach(mctx, &node->mctx); - - return (node); -} - -static void -node_destroy(void *node0) { - node_t *node = (node_t *)node0; - - isc_mem_putanddetach(&node->mctx, node, sizeof(*node)); -} - -static bool -node_cas_next(node_t *node, node_t *cmp, const node_t *val) { - return (atomic_compare_exchange_strong(&node->next, (uintptr_t *)&cmp, - (uintptr_t)val)); -} - -static bool -queue_cas_tail(isc_queue_t *queue, node_t *cmp, const node_t *val) { - return 
(atomic_compare_exchange_strong(&queue->tail, (uintptr_t *)&cmp, - (uintptr_t)val)); -} - -static bool -queue_cas_head(isc_queue_t *queue, node_t *cmp, const node_t *val) { - return (atomic_compare_exchange_strong(&queue->head, (uintptr_t *)&cmp, - (uintptr_t)val)); -} - -isc_queue_t * -isc_queue_new(isc_mem_t *mctx, int max_threads) { - isc_queue_t *queue = NULL; - node_t *sentinel = NULL; - void *qbuf = NULL; - uintptr_t qptr; - - /* - * A trick to allocate an aligned isc_queue_t structure - */ - qbuf = isc_mem_get(mctx, sizeof(*queue) + ALIGNMENT); - qptr = (uintptr_t)qbuf; - queue = (isc_queue_t *)(qptr + (ALIGNMENT - (qptr % ALIGNMENT))); - - if (max_threads == 0) { - max_threads = MAX_THREADS; - } - - *queue = (isc_queue_t){ - .max_threads = max_threads, - .alloced_ptr = qbuf, - }; - - isc_mem_attach(mctx, &queue->mctx); - - queue->hp = isc_hp_new(mctx, 1, node_destroy); - - sentinel = node_new(mctx, nulluintptr); - atomic_init(&sentinel->enqidx, 0); - - atomic_init(&queue->head, (uintptr_t)sentinel); - atomic_init(&queue->tail, (uintptr_t)sentinel); - - return (queue); -} - -void -isc_queue_enqueue(isc_queue_t *queue, uintptr_t item) { - REQUIRE(item != nulluintptr); - - while (true) { - node_t *lt = NULL; - uint_fast32_t idx; - uintptr_t n = nulluintptr; - - lt = (node_t *)isc_hp_protect(queue->hp, 0, &queue->tail); - idx = atomic_fetch_add(<->enqidx, 1); - if (idx > BUFFER_SIZE - 1) { - node_t *lnext = NULL; - - if (lt != (node_t *)atomic_load(&queue->tail)) { - continue; - } - - lnext = (node_t *)atomic_load(<->next); - if (lnext == NULL) { - node_t *newnode = node_new(queue->mctx, item); - if (node_cas_next(lt, NULL, newnode)) { - queue_cas_tail(queue, lt, newnode); - isc_hp_clear(queue->hp); - return; - } - node_destroy(newnode); - } else { - queue_cas_tail(queue, lt, lnext); - } - - continue; - } - - if (atomic_compare_exchange_strong(<->items[idx], &n, item)) { - isc_hp_clear(queue->hp); - return; - } - } -} - -uintptr_t -isc_queue_dequeue(isc_queue_t 
*queue) { - REQUIRE(queue != NULL); - - while (true) { - node_t *lh = NULL; - uint_fast32_t idx; - uintptr_t item; - - lh = (node_t *)isc_hp_protect(queue->hp, 0, &queue->head); - if (atomic_load(&lh->deqidx) >= atomic_load(&lh->enqidx) && - atomic_load(&lh->next) == nulluintptr) - { - break; - } - - idx = atomic_fetch_add(&lh->deqidx, 1); - if (idx > BUFFER_SIZE - 1) { - node_t *lnext = (node_t *)atomic_load(&lh->next); - if (lnext == NULL) { - break; - } - if (queue_cas_head(queue, lh, lnext)) { - isc_hp_retire(queue->hp, (uintptr_t)lh); - } - - continue; - } - - item = atomic_exchange(&(lh->items[idx]), - (uintptr_t)&queue->taken); - if (item == nulluintptr) { - continue; - } - - isc_hp_clear(queue->hp); - return (item); - } - - isc_hp_clear(queue->hp); - return (nulluintptr); -} - -void -isc_queue_destroy(isc_queue_t *queue) { - node_t *last = NULL; - void *alloced = NULL; - - REQUIRE(queue != NULL); - - while (isc_queue_dequeue(queue) != nulluintptr) { - /* do nothing */ - } - - last = (node_t *)atomic_load_relaxed(&queue->head); - node_destroy(last); - isc_hp_destroy(queue->hp); - - alloced = queue->alloced_ptr; - isc_mem_putanddetach(&queue->mctx, alloced, sizeof(*queue) + ALIGNMENT); -} diff -Nru bind9-9.16.27/lib/isc/ratelimiter.c bind9-9.16.33/lib/isc/ratelimiter.c --- bind9-9.16.27/lib/isc/ratelimiter.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/ratelimiter.c 2022-09-08 13:01:23.000000000 +0000 @@ -325,7 +325,7 @@ result = isc_timer_reset(rl->timer, isc_timertype_inactive, NULL, NULL, false); RUNTIME_CHECK(result == ISC_R_SUCCESS); - /* FALLTHROUGH */ + FALLTHROUGH; case isc_ratelimiter_idle: case isc_ratelimiter_stalled: rl->state = isc_ratelimiter_stalled; diff -Nru bind9-9.16.27/lib/isc/rwlock.c bind9-9.16.33/lib/isc/rwlock.c --- bind9-9.16.27/lib/isc/rwlock.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/rwlock.c 2022-09-08 13:01:23.000000000 +0000 
@@ -63,8 +63,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } return (ISC_R_SUCCESS); } @@ -84,7 +83,7 @@ } break; default: - INSIST(0); + UNREACHABLE(); } switch (ret) { @@ -95,8 +94,7 @@ case EAGAIN: return (ISC_R_LOCKBUSY); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/isc/siphash.c bind9-9.16.33/lib/isc/siphash.c --- bind9-9.16.27/lib/isc/siphash.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/siphash.c 2022-09-08 13:01:23.000000000 +0000 @@ -120,30 +120,29 @@ switch (left) { case 7: b |= ((uint64_t)in[6]) << 48; - /* FALLTHROUGH */ + FALLTHROUGH; case 6: b |= ((uint64_t)in[5]) << 40; - /* FALLTHROUGH */ + FALLTHROUGH; case 5: b |= ((uint64_t)in[4]) << 32; - /* FALLTHROUGH */ + FALLTHROUGH; case 4: b |= ((uint64_t)in[3]) << 24; - /* FALLTHROUGH */ + FALLTHROUGH; case 3: b |= ((uint64_t)in[2]) << 16; - /* FALLTHROUGH */ + FALLTHROUGH; case 2: b |= ((uint64_t)in[1]) << 8; - /* FALLTHROUGH */ + FALLTHROUGH; case 1: b |= ((uint64_t)in[0]); - /* FALLTHROUGH */ + FALLTHROUGH; case 0: break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } v3 ^= b; @@ -198,18 +197,17 @@ switch (left) { case 3: b |= ((uint32_t)in[2]) << 16; - /* FALLTHROUGH */ + FALLTHROUGH; case 2: b |= ((uint32_t)in[1]) << 8; - /* FALLTHROUGH */ + FALLTHROUGH; case 1: b |= ((uint32_t)in[0]); - /* FALLTHROUGH */ + FALLTHROUGH; case 0: break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } v3 ^= b; diff -Nru bind9-9.16.27/lib/isc/sockaddr.c bind9-9.16.33/lib/isc/sockaddr.c --- bind9-9.16.27/lib/isc/sockaddr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/sockaddr.c 2022-09-08 13:01:23.000000000 +0000 @@ -300,8 +300,7 @@ isc_sockaddr_any6(sockaddr); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } 
@@ -371,8 +370,7 @@ sockaddr->type.sin6.sin6_port = htons(port); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ISC_LINK_INIT(sockaddr, link); } diff -Nru bind9-9.16.27/lib/isc/symtab.c bind9-9.16.33/lib/isc/symtab.c --- bind9-9.16.27/lib/isc/symtab.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/symtab.c 2022-09-08 13:01:23.000000000 +0000 @@ -107,7 +107,7 @@ isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab)); } -static inline unsigned int +static unsigned int hash(const char *key, bool case_sensitive) { const char *s; unsigned int h = 0; diff -Nru bind9-9.16.27/lib/isc/task.c bind9-9.16.33/lib/isc/task.c --- bind9-9.16.27/lib/isc/task.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/task.c 2022-09-08 13:01:23.000000000 +0000 @@ -201,7 +201,7 @@ isc_result_t isc_task_create_bound(isc_taskmgr_t *manager, unsigned int quantum, isc_task_t **taskp, int threadid) { - isc_task_t *task; + isc_task_t *task = NULL; bool exiting; REQUIRE(VALID_MANAGER(manager)); @@ -289,7 +289,7 @@ *targetp = source; } -static inline bool +static bool task_shutdown(isc_task_t *task) { bool was_idle = false; isc_event_t *event, *prev; @@ -333,7 +333,7 @@ * * Caller must NOT hold queue lock. */ -static inline void +static void task_ready(isc_task_t *task) { isc_taskmgr_t *manager = task->manager; REQUIRE(VALID_MANAGER(manager)); @@ -351,7 +351,7 @@ task_ready(task); } -static inline bool +static bool task_detach(isc_task_t *task) { /* * Caller must be holding the task lock. @@ -404,7 +404,7 @@ *taskp = NULL; } -static inline bool +static bool task_send(isc_task_t *task, isc_event_t **eventp, int c) { bool was_idle = false; isc_event_t *event; diff -Nru bind9-9.16.27/lib/isc/tests/heap_test.c bind9-9.16.33/lib/isc/tests/heap_test.c --- bind9-9.16.27/lib/isc/tests/heap_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/heap_test.c 2022-09-08 13:01:23.000000000 +0000 
@@ -76,17 +76,14 @@ static void isc_heap_delete_test(void **state) { isc_heap_t *heap = NULL; - isc_result_t result; struct e e1 = { 100, 0 }; UNUSED(state); - result = isc_heap_create(test_mctx, compare, idx, 0, &heap); - assert_int_equal(result, ISC_R_SUCCESS); + isc_heap_create(test_mctx, compare, idx, 0, &heap); assert_non_null(heap); isc_heap_insert(heap, &e1); - assert_int_equal(result, ISC_R_SUCCESS); assert_int_equal(e1.index, 1); isc_heap_delete(heap, e1.index); diff -Nru bind9-9.16.27/lib/isc/tests/ht_test.c bind9-9.16.33/lib/isc/tests/ht_test.c --- bind9-9.16.27/lib/isc/tests/ht_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/ht_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -61,8 +61,7 @@ isc_result_t result; uintptr_t i; - result = isc_ht_init(&ht, test_mctx, bits); - assert_int_equal(result, ISC_R_SUCCESS); + isc_ht_init(&ht, test_mctx, bits); assert_non_null(ht); for (i = 1; i < count; i++) { @@ -207,8 +206,7 @@ unsigned char key[16]; size_t tksize; - result = isc_ht_init(&ht, test_mctx, 16); - assert_int_equal(result, ISC_R_SUCCESS); + isc_ht_init(&ht, test_mctx, 16); assert_non_null(ht); for (i = 1; i <= count; i++) { /* @@ -222,8 +220,7 @@ } walked = 0; - result = isc_ht_iter_create(ht, &iter); - assert_int_equal(result, ISC_R_SUCCESS); + isc_ht_iter_create(ht, &iter); for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS; result = isc_ht_iter_next(iter)) diff -Nru bind9-9.16.27/lib/isc/tests/netmgr_test.c bind9-9.16.33/lib/isc/tests/netmgr_test.c --- bind9-9.16.27/lib/isc/tests/netmgr_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/netmgr_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -23,7 +23,6 @@ #define UNIT_TESTING #include -#include #include #include #include 
@@ -62,26 +61,26 @@ static uint64_t send_magic = 0; static uint64_t stop_magic = 0; -static uv_buf_t send_msg = { .base = (char *)&send_magic, - .len = sizeof(send_magic) }; +static isc_region_t send_msg = { .base = (unsigned char *)&send_magic, + .length = sizeof(send_magic) }; -static uv_buf_t stop_msg = { .base = (char *)&stop_magic, - .len = sizeof(stop_magic) }; +static isc_region_t stop_msg = { .base = (unsigned char *)&stop_magic, + .length = sizeof(stop_magic) }; -static atomic_bool do_send = ATOMIC_VAR_INIT(false); +static atomic_bool do_send = false; static unsigned int workers = 0; static atomic_int_fast64_t nsends; static int_fast64_t esends; /* expected sends */ -static atomic_int_fast64_t ssends = ATOMIC_VAR_INIT(0); -static atomic_int_fast64_t sreads = ATOMIC_VAR_INIT(0); -static atomic_int_fast64_t saccepts = ATOMIC_VAR_INIT(0); - -static atomic_int_fast64_t cconnects = ATOMIC_VAR_INIT(0); -static atomic_int_fast64_t csends = ATOMIC_VAR_INIT(0); -static atomic_int_fast64_t creads = ATOMIC_VAR_INIT(0); -static atomic_int_fast64_t ctimeouts = ATOMIC_VAR_INIT(0); +static atomic_int_fast64_t ssends = 0; +static atomic_int_fast64_t sreads = 0; +static atomic_int_fast64_t saccepts = 0; + +static atomic_int_fast64_t cconnects = 0; +static atomic_int_fast64_t csends = 0; +static atomic_int_fast64_t creads = 0; +static atomic_int_fast64_t ctimeouts = 0; static isc_refcount_t active_cconnects; static isc_refcount_t active_csends; @@ -206,8 +205,6 @@ return (-1); } - isc_hp_init(4 * workers); - signal(SIGPIPE, SIG_IGN); if (getenv("CI") == NULL || getenv("CI_ENABLE_ALL_TESTS") != NULL) { 
@@ -420,11 +417,9 @@ isc_nmhandle_attach(handle, &sendhandle); isc_nmhandle_setwritetimeout(handle, T_IDLE); if (atomic_fetch_sub(&nsends, 1) > 1) { - isc_nm_send(sendhandle, (isc_region_t *)&send_msg, - connect_send_cb, NULL); + isc_nm_send(sendhandle, &send_msg, connect_send_cb, NULL); } else { - isc_nm_send(sendhandle, (isc_region_t *)&stop_msg, - connect_send_cb, NULL); + isc_nm_send(sendhandle, &stop_msg, connect_send_cb, NULL); } } @@ -531,8 +526,8 @@ isc_nmhandle_attach(handle, &sendhandle); isc_refcount_increment0(&active_ssends); isc_nmhandle_setwritetimeout(sendhandle, T_IDLE); - isc_nm_send(sendhandle, (isc_region_t *)&send_msg, - listen_send_cb, cbarg); + isc_nm_send(sendhandle, &send_msg, listen_send_cb, + cbarg); } return; } diff -Nru bind9-9.16.27/lib/isc/tests/quota_test.c bind9-9.16.33/lib/isc/tests/quota_test.c --- bind9-9.16.27/lib/isc/tests/quota_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/quota_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -139,7 +139,7 @@ isc_quota_destroy("a); } -static atomic_uint_fast32_t cb_calls = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t cb_calls = 0; static isc_quota_cb_t cbs[30]; static isc_quota_t *qp; @@ -253,7 +253,7 @@ isc_quota_cb_t callbacks[100]; } qthreadinfo_t; -static atomic_uint_fast32_t g_tnum = ATOMIC_VAR_INIT(0); +static atomic_uint_fast32_t g_tnum = 0; /* at most 10 * 100 quota_detach threads */ isc_thread_t g_threads[10 * 100]; diff -Nru bind9-9.16.27/lib/isc/tests/timer_test.c bind9-9.16.33/lib/isc/tests/timer_test.c --- bind9-9.16.27/lib/isc/tests/timer_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/timer_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -82,7 +82,7 @@ } static void -shutdown(isc_task_t *task, isc_event_t *event) { +test_shutdown(isc_task_t *task, isc_event_t *event) { isc_result_t result; UNUSED(task); 
@@ -123,7 +123,7 @@ result = isc_task_create(taskmgr, 0, &task); assert_int_equal(result, ISC_R_SUCCESS); - result = isc_task_onshutdown(task, shutdown, NULL); + result = isc_task_onshutdown(task, test_shutdown, NULL); assert_int_equal(result, ISC_R_SUCCESS); isc_mutex_lock(&lasttime_mx); @@ -149,6 +149,7 @@ isc_task_detach(&task); isc_mutex_destroy(&mx); + isc_mutex_destroy(&lasttime_mx); (void)isc_condition_destroy(&cv); } diff -Nru bind9-9.16.27/lib/isc/tests/uv_wrap.h bind9-9.16.33/lib/isc/tests/uv_wrap.h --- bind9-9.16.27/lib/isc/tests/uv_wrap.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tests/uv_wrap.h 2022-09-08 13:01:23.000000000 +0000 @@ -94,7 +94,7 @@ * uv_timer_start */ -static atomic_int __state_uv_udp_open = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_open = 0; int __wrap_uv_udp_open(uv_udp_t *handle, uv_os_sock_t sock) { @@ -104,7 +104,7 @@ return (atomic_load(&__state_uv_udp_open)); } -static atomic_int __state_uv_udp_bind = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_bind = 0; int __wrap_uv_udp_bind(uv_udp_t *handle, const struct sockaddr *addr, @@ -115,7 +115,7 @@ return (atomic_load(&__state_uv_udp_bind)); } -static atomic_int __state_uv_udp_connect = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_connect = 0; #if UV_VERSION_HEX >= UV_VERSION(1, 27, 0) int __wrap_uv_udp_connect(uv_udp_t *handle, const struct sockaddr *addr) { @@ -126,7 +126,7 @@ } #endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */ -static atomic_int __state_uv_udp_getpeername = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_getpeername = 0; #if UV_VERSION_HEX >= UV_VERSION(1, 27, 0) int __wrap_uv_udp_getpeername(const uv_udp_t *handle, struct sockaddr *name, 
@@ -138,7 +138,7 @@ } #endif /* UV_VERSION_HEX >= UV_VERSION(1, 27, 0) */ -static atomic_int __state_uv_udp_getsockname = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_getsockname = 0; int __wrap_uv_udp_getsockname(const uv_udp_t *handle, struct sockaddr *name, int *namelen) { @@ -148,7 +148,7 @@ return (atomic_load(&__state_uv_udp_getsockname)); } -static atomic_int __state_uv_udp_send = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_send = 0; int __wrap_uv_udp_send(uv_udp_send_t *req, uv_udp_t *handle, const uv_buf_t bufs[], unsigned int nbufs, const struct sockaddr *addr, @@ -159,7 +159,7 @@ return (atomic_load(&__state_uv_udp_send)); } -static atomic_int __state_uv_udp_recv_start = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_recv_start = 0; int __wrap_uv_udp_recv_start(uv_udp_t *handle, uv_alloc_cb alloc_cb, uv_udp_recv_cb recv_cb) { @@ -169,7 +169,7 @@ return (atomic_load(&__state_uv_udp_recv_start)); } -static atomic_int __state_uv_udp_recv_stop = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_udp_recv_stop = 0; int __wrap_uv_udp_recv_stop(uv_udp_t *handle) { if (atomic_load(&__state_uv_udp_recv_stop) == 0) { @@ -178,7 +178,7 @@ return (atomic_load(&__state_uv_udp_recv_stop)); } -static atomic_int __state_uv_tcp_open = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_tcp_open = 0; int __wrap_uv_tcp_open(uv_tcp_t *handle, uv_os_sock_t sock) { if (atomic_load(&__state_uv_tcp_open) == 0) { @@ -187,7 +187,7 @@ return (atomic_load(&__state_uv_tcp_open)); } -static atomic_int __state_uv_tcp_bind = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_tcp_bind = 0; int __wrap_uv_tcp_bind(uv_tcp_t *handle, const struct sockaddr *addr, unsigned int flags) { @@ -197,7 +197,7 @@ return (atomic_load(&__state_uv_tcp_bind)); } -static atomic_int __state_uv_tcp_getsockname = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_tcp_getsockname = 0; int __wrap_uv_tcp_getsockname(const uv_tcp_t *handle, struct sockaddr *name, int *namelen) { 
@@ -207,7 +207,7 @@ return (atomic_load(&__state_uv_tcp_getsockname)); } -static atomic_int __state_uv_tcp_getpeername = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_tcp_getpeername = 0; int __wrap_uv_tcp_getpeername(const uv_tcp_t *handle, struct sockaddr *name, int *namelen) { @@ -217,7 +217,7 @@ return (atomic_load(&__state_uv_tcp_getpeername)); } -static atomic_int __state_uv_tcp_connect = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_tcp_connect = 0; int __wrap_uv_tcp_connect(uv_connect_t *req, uv_tcp_t *handle, const struct sockaddr *addr, uv_connect_cb cb) { @@ -227,7 +227,7 @@ return (atomic_load(&__state_uv_tcp_connect)); } -static atomic_int __state_uv_listen = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_listen = 0; int __wrap_uv_listen(uv_stream_t *stream, int backlog, uv_connection_cb cb) { if (atomic_load(&__state_uv_listen) == 0) { @@ -236,7 +236,7 @@ return (atomic_load(&__state_uv_listen)); } -static atomic_int __state_uv_accept = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_accept = 0; int __wrap_uv_accept(uv_stream_t *server, uv_stream_t *client) { if (atomic_load(&__state_uv_accept) == 0) { @@ -245,7 +245,7 @@ return (atomic_load(&__state_uv_accept)); } -static atomic_int __state_uv_send_buffer_size = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_send_buffer_size = 0; int __wrap_uv_send_buffer_size(uv_handle_t *handle, int *value) { if (atomic_load(&__state_uv_send_buffer_size) == 0) { @@ -254,7 +254,7 @@ return (atomic_load(&__state_uv_send_buffer_size)); } -static atomic_int __state_uv_recv_buffer_size = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_recv_buffer_size = 0; int __wrap_uv_recv_buffer_size(uv_handle_t *handle, int *value) { if (atomic_load(&__state_uv_recv_buffer_size) == 0) { 
@@ -263,7 +263,7 @@ return (atomic_load(&__state_uv_recv_buffer_size)); } -static atomic_int __state_uv_fileno = ATOMIC_VAR_INIT(0); +static atomic_int __state_uv_fileno = 0; int __wrap_uv_fileno(const uv_handle_t *handle, uv_os_fd_t *fd) { if (atomic_load(&__state_uv_fileno) == 0) { diff -Nru bind9-9.16.27/lib/isc/timer.c bind9-9.16.33/lib/isc/timer.c --- bind9-9.16.27/lib/isc/timer.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/timer.c 2022-09-08 13:01:23.000000000 +0000 @@ -98,9 +98,8 @@ void isc_timermgr_poke(isc_timermgr_t *manager0); -static inline isc_result_t +static isc_result_t schedule(isc_timer_t *timer, isc_time_t *now, bool signal_ok) { - isc_result_t result; isc_timermgr_t *manager; isc_time_t due; int cmp; @@ -117,7 +116,7 @@ * Compute the new due time. */ if (timer->type != isc_timertype_once) { - result = isc_time_add(now, &timer->interval, &due); + isc_result_t result = isc_time_add(now, &timer->interval, &due); if (result != ISC_R_SUCCESS) { return (result); } @@ -162,11 +161,7 @@ } } else { timer->due = due; - result = isc_heap_insert(manager->heap, timer); - if (result != ISC_R_SUCCESS) { - INSIST(result == ISC_R_NOMEMORY); - return (ISC_R_NOMEMORY); - } + isc_heap_insert(manager->heap, timer); manager->nscheduled++; } @@ -187,7 +182,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void deschedule(isc_timer_t *timer) { bool need_wakeup = false; isc_timermgr_t *manager; @@ -671,7 +666,6 @@ isc_result_t isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) { isc_timermgr_t *manager; - isc_result_t result; /* * Create a timer manager. 
@@ -688,12 +682,7 @@ manager->nscheduled = 0; isc_time_settoepoch(&manager->due); manager->heap = NULL; - result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap); - if (result != ISC_R_SUCCESS) { - INSIST(result == ISC_R_NOMEMORY); - isc_mem_put(mctx, manager, sizeof(*manager)); - return (ISC_R_NOMEMORY); - } + isc_heap_create(mctx, sooner, set_index, 0, &manager->heap); isc_mutex_init(&manager->lock); isc_mem_attach(mctx, &manager->mctx); isc_condition_init(&manager->wakeup); diff -Nru bind9-9.16.27/lib/isc/tls.c bind9-9.16.33/lib/isc/tls.c --- bind9-9.16.27/lib/isc/tls.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tls.c 2022-09-08 13:01:23.000000000 +0000 @@ -34,8 +34,8 @@ static isc_once_t init_once = ISC_ONCE_INIT; static isc_once_t shut_once = ISC_ONCE_INIT; -static atomic_bool init_done = ATOMIC_VAR_INIT(false); -static atomic_bool shut_done = ATOMIC_VAR_INIT(false); +static atomic_bool init_done = false; +static atomic_bool shut_done = false; #if OPENSSL_VERSION_NUMBER < 0x10100000L static isc_mutex_t *locks = NULL; diff -Nru bind9-9.16.27/lib/isc/tm.c bind9-9.16.33/lib/isc/tm.c --- bind9-9.16.27/lib/isc/tm.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/tm.c 2022-09-08 13:01:23.000000000 +0000 @@ -322,7 +322,7 @@ case 'k': /* The hour (24-hour clock representation). */ LEGAL_ALT(0); - /* FALLTHROUGH */ + FALLTHROUGH; case 'H': LEGAL_ALT(ALT_O); if (!(conv_num(&bp, &tm->tm_hour, 0, 23))) { @@ -332,7 +332,7 @@ case 'l': /* The hour (12-hour clock representation). */ LEGAL_ALT(0); - /* FALLTHROUGH */ + FALLTHROUGH; case 'I': LEGAL_ALT(ALT_O); if (!(conv_num(&bp, &tm->tm_hour, 1, 12))) { diff -Nru bind9-9.16.27/lib/isc/trampoline.c bind9-9.16.33/lib/isc/trampoline.c --- bind9-9.16.27/lib/isc/trampoline.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/trampoline.c 2022-09-08 13:01:23.000000000 +0000 @@ -15,9 +15,9 @@ #include #include +#include #include -#include #include #include #include 
@@ -31,11 +31,29 @@ uintptr_t self; isc_threadfunc_t start; isc_threadarg_t arg; + void *jemalloc_enforce_init; }; -static isc_once_t isc__trampoline_initialize_once = ISC_ONCE_INIT; -static isc_once_t isc__trampoline_shutdown_once = ISC_ONCE_INIT; -static isc_mutex_t isc__trampoline_lock; +/* + * We can't use isc_mem API here, because it's called too + * early and when the isc_mem_debugging flags are changed + * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are + * added, neither isc_mem_put() nor isc_mem_free() can be used + * to free up the memory allocated here because the flags were + * not set when calling isc_mem_get() or isc_mem_allocate() + * here. + * + * Since this is a single allocation at library load and deallocation at library + * unload, using the standard allocator without the tracking is fine for this + * single purpose. + * + * We can't use isc_mutex API either, because we track whether the mutexes get + * properly destroyed, and we intentionally leak the static mutex here without + * destroying it to prevent data race between library destructor running while + * thread is being still created. + */ + +static uv_mutex_t isc__trampoline_lock; static isc__trampoline_t **trampolines; #if defined(HAVE_THREAD_LOCAL) #include 
@@ -48,19 +66,9 @@ static size_t isc__trampoline_min = 1; static size_t isc__trampoline_max = 65; -/* - * We can't use isc_mem API here, because it's called too - * early and when the isc_mem_debugging flags are changed - * later and ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX flags are - * added, neither isc_mem_put() nor isc_mem_free() can be used - * to free up the memory allocated here because the flags were - * not set when calling isc_mem_get() or isc_mem_allocate() - * here. - * - * Actually, since this is a single allocation at library load - * and deallocation at library unload, using the standard - * allocator without the tracking is fine for this purpose. - */ +static isc_once_t start_once = ISC_ONCE_INIT; +static isc_once_t stop_once = ISC_ONCE_INIT; + static isc__trampoline_t * isc__trampoline_new(int tid, isc_threadfunc_t start, isc_threadarg_t arg) { isc__trampoline_t *trampoline = calloc(1, sizeof(*trampoline)); @@ -77,16 +85,16 @@ } static void -trampoline_initialize(void) { - isc_mutex_init(&isc__trampoline_lock); +do_init(void) { + uv_mutex_init(&isc__trampoline_lock); trampolines = calloc(isc__trampoline_max, sizeof(trampolines[0])); RUNTIME_CHECK(trampolines != NULL); /* Get the trampoline slot 0 for the main thread */ trampolines[0] = isc__trampoline_new(0, NULL, NULL); - trampolines[0]->self = isc_thread_self(); isc_tid_v = trampolines[0]->tid; + trampolines[0]->self = isc_thread_self(); /* Initialize the other trampolines */ for (size_t i = 1; i < isc__trampoline_max; i++) { 
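Review bot: `uv_mutex_init(&isc__trampoline_lock);` in do_init() discards its return value, while the `calloc()` on the very next line is guarded with RUNTIME_CHECK. If initialisation ever failed, every later `uv_mutex_lock()` on this lock would operate on an uninitialised mutex, and the table updates it protects would be unsynchronised. Suggest `int r = uv_mutex_init(&isc__trampoline_lock);` followed by `RUNTIME_CHECK(r == 0);`, which keeps the fail-fast behaviour the replaced isc_mutex_init() presumably had. do_init() continues past the end of this hunk.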
@@ -97,37 +105,31 @@ void isc__trampoline_initialize(void) { - isc_result_t result = isc_once_do(&isc__trampoline_initialize_once, - trampoline_initialize); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_once_do(&start_once, do_init); } static void -trampoline_shutdown(void) { +do_shutdown(void) { /* * When the program using the library exits abruptly and the library * gets unloaded, there might be some existing trampolines from unjoined * threads. We intentionally ignore those and don't check whether all - * trampolines have been cleared before exiting. + * trampolines have been cleared before exiting, so we leak a little bit + * of resources here, including the lock. */ free(trampolines[0]); - free(trampolines); - trampolines = NULL; - isc_mutex_destroy(&isc__trampoline_lock); } void isc__trampoline_shutdown(void) { - isc_result_t result = isc_once_do(&isc__trampoline_shutdown_once, - trampoline_shutdown); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + isc_once_do(&stop_once, do_shutdown); } isc__trampoline_t * isc__trampoline_get(isc_threadfunc_t start, isc_threadarg_t arg) { isc__trampoline_t **tmp = NULL; isc__trampoline_t *trampoline = NULL; - LOCK(&isc__trampoline_lock); + uv_mutex_lock(&isc__trampoline_lock); again: for (size_t i = isc__trampoline_min; i < isc__trampoline_max; i++) { if (trampolines[i] == NULL) { @@ -151,17 +153,17 @@ goto again; done: INSIST(trampoline != NULL); - UNLOCK(&isc__trampoline_lock); + uv_mutex_unlock(&isc__trampoline_lock); return (trampoline); } void isc__trampoline_detach(isc__trampoline_t *trampoline) { - LOCK(&isc__trampoline_lock); - REQUIRE(trampoline->tid > 0 && - (size_t)trampoline->tid < isc__trampoline_max); + uv_mutex_lock(&isc__trampoline_lock); REQUIRE(trampoline->self == isc_thread_self()); + REQUIRE(trampoline->tid > 0); + REQUIRE((size_t)trampoline->tid < isc__trampoline_max); REQUIRE(trampolines[trampoline->tid] == trampoline); trampolines[trampoline->tid] = NULL; 
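Review bot: do_shutdown() still calls `free(trampolines[0]);` but no longer frees or clears the `trampolines` array, so slot 0 keeps a pointer to freed memory for the rest of the process lifetime. Nothing visible in this hunk reads slot 0 afterwards, so this is a defensive point: adding `trampolines[0] = NULL;` right after the `free()` makes any late access fail predictably instead of touching freed memory. Separately, isc__trampoline_initialize() and isc__trampoline_shutdown() now ignore the result of `isc_once_do()`. If that call still yields an isc_result_t in this branch, an explicit `(void)` cast or the previous RUNTIME_CHECK would record that the omission is intended.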
@@ -170,21 +172,34 @@ isc__trampoline_min = trampoline->tid; } + free(trampoline->jemalloc_enforce_init); free(trampoline); - UNLOCK(&isc__trampoline_lock); + uv_mutex_unlock(&isc__trampoline_lock); return; } void isc__trampoline_attach(isc__trampoline_t *trampoline) { - REQUIRE(trampoline->tid > 0 && - (size_t)trampoline->tid < isc__trampoline_max); + uv_mutex_lock(&isc__trampoline_lock); REQUIRE(trampoline->self == ISC__TRAMPOLINE_UNUSED); + REQUIRE(trampoline->tid > 0); + REQUIRE((size_t)trampoline->tid < isc__trampoline_max); + REQUIRE(trampolines[trampoline->tid] == trampoline); /* Initialize the trampoline */ isc_tid_v = trampoline->tid; trampoline->self = isc_thread_self(); + + /* + * Ensure every thread starts with a malloc() call to prevent memory + * bloat caused by a jemalloc quirk. While this dummy allocation is + * not used for anything, free() must not be immediately called for it + * so that an optimizing compiler does not strip away such a pair of + * malloc() + free() calls altogether, as it would foil the fix. + */ + trampoline->jemalloc_enforce_init = malloc(8); + uv_mutex_unlock(&isc__trampoline_lock); } isc_threadresult_t diff -Nru bind9-9.16.27/lib/isc/unix/include/isc/dir.h bind9-9.16.33/lib/isc/unix/include/isc/dir.h --- bind9-9.16.27/lib/isc/unix/include/isc/dir.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/include/isc/dir.h 2022-09-08 13:01:23.000000000 +0000 @@ -35,7 +35,7 @@ unsigned int magic; char dirname[PATH_MAX]; isc_direntry_t entry; - DIR *handle; + DIR *handle; } isc_dir_t; ISC_LANG_BEGINDECLS diff -Nru bind9-9.16.27/lib/isc/unix/include/isc/stdatomic.h bind9-9.16.33/lib/isc/unix/include/isc/stdatomic.h --- bind9-9.16.27/lib/isc/unix/include/isc/stdatomic.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/include/isc/stdatomic.h 2022-09-08 13:01:23.000000000 +0000 
@@ -47,8 +47,6 @@ #endif /* if __has_extension(c_atomic) || __has_extension(cxx_atomic) */ #endif /* if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS) */ -#define ATOMIC_VAR_INIT(x) x - #ifndef __ATOMIC_RELAXED #define __ATOMIC_RELAXED 0 #endif /* ifndef __ATOMIC_RELAXED */ diff -Nru bind9-9.16.27/lib/isc/unix/interfaceiter.c bind9-9.16.33/lib/isc/unix/interfaceiter.c --- bind9-9.16.27/lib/isc/unix/interfaceiter.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/interfaceiter.c 2022-09-08 13:01:23.000000000 +0000 @@ -123,8 +123,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/isc/unix/net.c bind9-9.16.33/lib/isc/unix/net.c --- bind9-9.16.27/lib/isc/unix/net.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/net.c 2022-09-08 13:01:23.000000000 +0000 @@ -361,7 +361,7 @@ #if ISC_CMSG_IP_TOS || defined(IPV6_TCLASS) -static inline socklen_t +static socklen_t cmsg_len(socklen_t len) { #ifdef CMSG_LEN return (CMSG_LEN(len)); @@ -377,7 +377,7 @@ #endif /* ifdef CMSG_LEN */ } -static inline socklen_t +static socklen_t cmsg_space(socklen_t len) { #ifdef CMSG_SPACE return (CMSG_SPACE(len)); @@ -508,8 +508,7 @@ break; #endif /* ifdef IPV6_TCLASS */ default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (sendmsg(s, &msg, 0) < 0) { diff -Nru bind9-9.16.27/lib/isc/unix/os.c bind9-9.16.33/lib/isc/unix/os.c --- bind9-9.16.27/lib/isc/unix/os.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/os.c 2022-09-08 13:01:23.000000000 +0000 @@ -17,7 +17,7 @@ #include -static inline long +static long sysconf_ncpus(void) { #if defined(_SC_NPROCESSORS_ONLN) return (sysconf((_SC_NPROCESSORS_ONLN))); diff -Nru bind9-9.16.27/lib/isc/unix/socket.c bind9-9.16.33/lib/isc/unix/socket.c --- bind9-9.16.27/lib/isc/unix/socket.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/socket.c 2022-09-08 13:01:23.000000000 +0000 
@@ -646,7 +646,7 @@ /*% * Increment socket-related statistics counters. */ -static inline void +static void inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) { REQUIRE(counterid != -1); @@ -658,7 +658,7 @@ /*% * Decrement socket-related statistics counters. */ -static inline void +static void dec_stats(isc_stats_t *stats, isc_statscounter_t counterid) { REQUIRE(counterid != -1); @@ -667,7 +667,7 @@ } } -static inline isc_result_t +static isc_result_t watch_fd(isc__socketthread_t *thread, int fd, int msg) { isc_result_t result = ISC_R_SUCCESS; @@ -759,7 +759,7 @@ #endif /* ifdef USE_KQUEUE */ } -static inline isc_result_t +static isc_result_t unwatch_fd(isc__socketthread_t *thread, int fd, int msg) { isc_result_t result = ISC_R_SUCCESS; @@ -1028,7 +1028,7 @@ * Note that cmsg_space() could run slow on OSes that do not have * CMSG_SPACE. */ -static inline socklen_t +static socklen_t cmsg_len(socklen_t len) { #ifdef CMSG_LEN return (CMSG_LEN(len)); @@ -1044,7 +1044,7 @@ #endif /* ifdef CMSG_LEN */ } -static inline socklen_t +static socklen_t cmsg_space(socklen_t len) { #ifdef CMSG_SPACE return (CMSG_SPACE(len)); @@ -1463,9 +1463,10 @@ printf("\tname %p, namelen %ld\n", msg->msg_name, (long)msg->msg_namelen); printf("\tiov %p, iovlen %ld\n", msg->msg_iov, (long)msg->msg_iovlen); - for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) + for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) { printf("\t\t%u\tbase %p, len %ld\n", i, msg->msg_iov[i].iov_base, (long)msg->msg_iov[i].iov_len); + } printf("\tcontrol %p, controllen %ld\n", msg->msg_control, (long)msg->msg_controllen); } @@ -1575,8 +1576,7 @@ case isc_sockettype_raw: break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } if (sock->type == isc_sockettype_udp) { 
@@ -2244,7 +2244,7 @@ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR, "%s: %s", err, strbuf); - /* fallthrough */ + FALLTHROUGH; case ENOBUFS: inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]); @@ -2464,8 +2464,7 @@ sock->statsindex = rawstatsindex; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } sock->pf = pf; @@ -3944,7 +3943,7 @@ case DOIO_EOF: dev->result = ISC_R_EOF; - /* fallthrough */ + FALLTHROUGH; case DOIO_HARD: case DOIO_SUCCESS: @@ -4092,7 +4091,7 @@ break; } - /* FALLTHROUGH */ + FALLTHROUGH; case DOIO_HARD: case DOIO_SUCCESS: @@ -4217,7 +4216,7 @@ if (active) { /* We exited cleanly last time */ break; } - /* intentional fallthrough */ + FALLTHROUGH; default: strerror_r(errno, strbuf, sizeof(strbuf)); isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, @@ -5092,7 +5091,7 @@ void isc_socket_ipv6only(isc_socket_t *sock, bool yes) { -#if defined(IPV6_V6ONLY) +#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) int onoff = yes ? 1 : 0; #else /* if defined(IPV6_V6ONLY) */ UNUSED(yes); @@ -5102,7 +5101,7 @@ REQUIRE(VALID_SOCKET(sock)); INSIST(!sock->dupped); -#ifdef IPV6_V6ONLY +#if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) if (sock->pf == AF_INET6) { if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY, (void *)&onoff, sizeof(int)) < 0) diff -Nru bind9-9.16.27/lib/isc/unix/time.c bind9-9.16.33/lib/isc/unix/time.c --- bind9-9.16.27/lib/isc/unix/time.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/unix/time.c 2022-09-08 13:01:23.000000000 +0000 @@ -120,7 +120,7 @@ return (false); } -static inline isc_result_t +static isc_result_t time_now(isc_time_t *t, clockid_t clock) { struct timespec ts; char strbuf[ISC_STRERRORSIZE]; diff -Nru bind9-9.16.27/lib/isc/url.c bind9-9.16.33/lib/isc/url.c --- bind9-9.16.27/lib/isc/url.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/url.c 2022-09-08 13:01:23.000000000 +0000 
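Review bot: Nothing in isc_socket_ipv6only() records why OpenBSD is excluded, and the `#else /* if defined(IPV6_V6ONLY) */` comment no longer matches the new condition. On that platform the function now silently ignores `yes`, so a caller cannot tell that the option was not applied. A comment at the first `#if`, for example `/* OpenBSD: IPV6_V6ONLY is always on and cannot be cleared, so skip the setsockopt() */` (wording to be confirmed against the platform documentation), would help. So would updating the trailer to `#else /* if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) */`. The same condition is repeated in the following hunk (`@@ -5102,7 +5101,7 @@`), and the function body extends outside both hunks.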
@@ -277,7 +277,7 @@ return (s_dead); } - /* FALLTHROUGH */ + FALLTHROUGH; case s_req_server_start: case s_req_server: if (ch == '/') { @@ -399,7 +399,7 @@ return (s_http_host); } - /* FALLTHROUGH */ + FALLTHROUGH; case s_http_host_v6_end: if (ch == ':') { return (s_http_host_port_start); @@ -412,7 +412,7 @@ return (s_http_host_v6_end); } - /* FALLTHROUGH */ + FALLTHROUGH; case s_http_host_v6_start: if (isxdigit((unsigned char)ch) || ch == ':' || ch == '.') { return (s_http_host_v6); @@ -428,7 +428,7 @@ return (s_http_host_v6_end); } - /* FALLTHROUGH */ + FALLTHROUGH; case s_http_host_v6_zone_start: /* RFC 6874 Zone ID consists of 1*( unreserved / pct-encoded) */ if (isalnum((unsigned char)ch) || ch == '%' || ch == '.' || @@ -578,7 +578,7 @@ case s_req_server_with_at: found_at = 1; - /* FALLTHROUGH */ + FALLTHROUGH; case s_req_server: uf = ISC_UF_HOST; break; @@ -596,8 +596,7 @@ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* Nothing's changed; soldier on */ diff -Nru bind9-9.16.27/lib/isc/win32/dir.c bind9-9.16.33/lib/isc/win32/dir.c --- bind9-9.16.27/lib/isc/win32/dir.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/dir.c 2022-09-08 13:01:23.000000000 +0000 @@ -256,7 +256,9 @@ */ for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet; x--, pid /= 10) + { *x = pid % 10 + '0'; + } x++; /* Set x to start of ex-Xs. */ diff -Nru bind9-9.16.27/lib/isc/win32/include/isc/platform.h.in bind9-9.16.33/lib/isc/win32/include/isc/platform.h.in --- bind9-9.16.27/lib/isc/win32/include/isc/platform.h.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/include/isc/platform.h.in 2022-09-08 13:01:23.000000000 +0000 
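Review bot: In the win32/dir.c hunk the loop condition `*x == 'X' && x >= templet` dereferences `x` before comparing it with the start of the buffer. A template made only of `X` characters therefore makes the final test read the byte before `templet`, and the added braces leave that unchanged. Swapping the operands to `x >= templet && *x == 'X'` removes the out-of-bounds read. Stepping `x` below `templet` is still not strictly valid pointer arithmetic, so counting the trailing X's with an index from `strlen(templet)` would be cleaner. The enclosing function starts and ends outside the hunk.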
@@ -44,6 +44,8 @@ #endif +#define __builtin_unreachable() __assume(0) + /* * Remove __attribute__ ((foo)) on Windows */ diff -Nru bind9-9.16.27/lib/isc/win32/include/isc/stdatomic.h bind9-9.16.33/lib/isc/win32/include/isc/stdatomic.h --- bind9-9.16.27/lib/isc/win32/include/isc/stdatomic.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/include/isc/stdatomic.h 2022-09-08 13:01:23.000000000 +0000 @@ -31,8 +31,6 @@ #include -#define ATOMIC_VAR_INIT(x) x - #ifndef __ATOMIC_RELAXED #define __ATOMIC_RELAXED 0 #endif /* ifndef __ATOMIC_RELAXED */ @@ -148,8 +146,7 @@ static inline void atomic_store_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_store_explicit(obj, desired, order) \ @@ -209,8 +206,7 @@ static inline int8_t atomic_load_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_load_explicit(obj, order) \ @@ -279,8 +275,7 @@ static inline int8_t atomic_add_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_fetch_add_explicit(obj, arg, order) \ @@ -346,8 +341,7 @@ static inline int8_t atomic_and_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_fetch_and_explicit(obj, arg, order) \ @@ -407,8 +401,7 @@ static inline int8_t atomic_or_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_fetch_or_explicit(obj, arg, order) \ @@ -544,8 +537,7 @@ static inline bool atomic_compare_exchange_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, \ 
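Review bot: `#define __builtin_unreachable() __assume(0)` in platform.h.in is unconditional and redefines a compiler-reserved name for every consumer of this header, including Windows toolchains that already provide the builtin. Guarding it, for example with `#if defined(_MSC_VER) && !defined(__clang__)` around the define, limits the override to the compiler that needs it. Both spellings tell the optimiser the path cannot be reached, so the safety of the many `UNREACHABLE()` default arms in this diff depends on the macro failing an assertion first. Its definition is not in this section, so a short comment here pointing to it would help a reader confirm that.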
@@ -584,8 +576,7 @@ static inline bool atomic_exchange_abort() { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } #define atomic_exchange_explicit(obj, desired, order) \ diff -Nru bind9-9.16.27/lib/isc/win32/interfaceiter.c bind9-9.16.33/lib/isc/win32/interfaceiter.c --- bind9-9.16.27/lib/isc/win32/interfaceiter.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/interfaceiter.c 2022-09-08 13:01:23.000000000 +0000 @@ -92,8 +92,7 @@ dst->zone = ((struct sockaddr_in6 *)src)->sin6_scope_id; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -387,8 +386,9 @@ snprintf(iter->current.name, sizeof(iter->current.name), "TCP/IPv6 Interface %u", iter->pos6 + 1); - for (i = 0; i < 16; i++) + for (i = 0; i < 16; i++) { iter->current.netmask.type.in6.s6_addr[i] = 0xff; + } iter->current.netmask.family = AF_INET6; if (IN6_IS_ADDR_LOOPBACK(&iter->current.address.type.in6)) { iter->v6loop = true; diff -Nru bind9-9.16.27/lib/isc/win32/libisc.def.in bind9-9.16.33/lib/isc/win32/libisc.def.in --- bind9-9.16.27/lib/isc/win32/libisc.def.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/libisc.def.in 2022-09-08 13:01:23.000000000 +0000 @@ -249,15 +249,6 @@ isc_hex_decodestring isc_hex_tobuffer isc_hex_totext -isc_hp_clear -isc_hp_clear_one -isc_hp_destroy -isc_hp_init -isc_hp_protect -isc_hp_protect_ptr -isc_hp_protect_release -isc_hp_new -isc_hp_retire isc_hmac isc_hmac_new isc_hmac_free @@ -268,13 +259,6 @@ isc_hmac_get_md_type isc_hmac_get_size isc_hmac_get_block_size -isc_hp_new -isc_hp_destroy -isc_hp_clear -isc_hp_protect -isc_hp_protect_ptr -isc_hp_protect_release -isc_hp_retire isc_ht_add isc_ht_count isc_ht_delete @@ -461,6 +445,7 @@ isc_nm_attach isc_nm_cancelread isc_nm_detach +isc_nm_getloadbalancesockets isc_nm_gettimeouts isc_nm_listentcp isc_nm_listentcpdns @@ -472,6 +457,7 @@ isc_nm_resume isc_nm_resumeread isc_nm_send +isc_nm_setloadbalancesockets isc_nm_setstats isc_nm_settimeouts isc_nm_stoplistening 
@@ -512,10 +498,6 @@ isc_portset_nports isc_portset_remove isc_portset_removerange -isc_queue_enqueue -isc_queue_dequeue -isc_queue_destroy -isc_queue_new isc_quota_attach isc_quota_attach_cb isc_quota_cb_init diff -Nru bind9-9.16.27/lib/isc/win32/libisc.vcxproj.filters.in bind9-9.16.33/lib/isc/win32/libisc.vcxproj.filters.in --- bind9-9.16.27/lib/isc/win32/libisc.vcxproj.filters.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/libisc.vcxproj.filters.in 2022-09-08 13:01:23.000000000 +0000 @@ -110,9 +110,6 @@ Library Header Files - - Library Header Files - Library Header Files @@ -185,9 +182,6 @@ Library Header Files - - Library Header Files - Library Header Files @@ -527,9 +521,6 @@ Library Source Files - - Library Source Files - Library Source Files @@ -599,9 +590,6 @@ Library Source Files - - Library Source Files - Library Source Files diff -Nru bind9-9.16.27/lib/isc/win32/libisc.vcxproj.in bind9-9.16.33/lib/isc/win32/libisc.vcxproj.in --- bind9-9.16.27/lib/isc/win32/libisc.vcxproj.in 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/libisc.vcxproj.in 2022-09-08 13:01:23.000000000 +0000 @@ -285,7 +285,6 @@ - @@ -311,7 +310,6 @@ - @@ -401,7 +399,6 @@ - @@ -426,7 +423,6 @@ - diff -Nru bind9-9.16.27/lib/isc/win32/socket.c bind9-9.16.33/lib/isc/win32/socket.c --- bind9-9.16.27/lib/isc/win32/socket.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/win32/socket.c 2022-09-08 13:01:23.000000000 +0000 @@ -791,7 +791,7 @@ need_retry = true; break; } - /* FALLTHROUGH */ + FALLTHROUGH; default: isc_result = isc__errno2result(Error); 
@@ -1028,9 +1028,10 @@ printf("MSGHDR %p, Socket #: %Iu\n", msg, sock->fd); printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen); printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen); - for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) + for (i = 0; i < (unsigned int)msg->msg_iovlen; i++) { printf("\t\t%u\tbase %p, len %u\n", i, msg->msg_iov[i].buf, msg->msg_iov[i].len); + } } #endif /* if defined(ISC_SOCKET_DEBUG) */ diff -Nru bind9-9.16.27/lib/isc/xoshiro128starstar.c bind9-9.16.33/lib/isc/xoshiro128starstar.c --- bind9-9.16.27/lib/isc/xoshiro128starstar.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isc/xoshiro128starstar.c 2022-09-08 13:01:23.000000000 +0000 @@ -38,12 +38,12 @@ */ ISC_THREAD_LOCAL uint32_t seed[4] = { 0 }; -static inline uint32_t +static uint32_t rotl(const uint32_t x, int k) { return ((x << k) | (x >> (32 - k))); } -static inline uint32_t +static uint32_t next(void) { uint32_t result_starstar, t; diff -Nru bind9-9.16.27/lib/isccc/include/isccc/ccmsg.h bind9-9.16.33/lib/isccc/include/isccc/ccmsg.h --- bind9-9.16.27/lib/isccc/include/isccc/ccmsg.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/include/isccc/ccmsg.h 2022-09-08 13:01:23.000000000 +0000 @@ -45,11 +45,11 @@ uint32_t size; isc_buffer_t buffer; unsigned int maxsize; - isc_mem_t *mctx; - isc_socket_t *sock; - isc_task_t *task; + isc_mem_t *mctx; + isc_socket_t *sock; + isc_task_t *task; isc_taskaction_t action; - void *arg; + void *arg; isc_event_t event; /* public (read-only) */ isc_result_t result; diff -Nru bind9-9.16.27/lib/isccc/include/isccc/sexpr.h bind9-9.16.33/lib/isccc/include/isccc/sexpr.h --- bind9-9.16.27/lib/isccc/include/isccc/sexpr.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/include/isccc/sexpr.h 2022-09-08 13:01:23.000000000 +0000 
@@ -51,7 +51,7 @@ struct isccc_sexpr { unsigned int type; union { - char *as_string; + char *as_string; isccc_dottedpair_t as_dottedpair; isccc_region_t as_region; } value; diff -Nru bind9-9.16.27/lib/isccc/include/isccc/symtab.h bind9-9.16.33/lib/isccc/include/isccc/symtab.h --- bind9-9.16.27/lib/isccc/include/isccc/symtab.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/include/isccc/symtab.h 2022-09-08 13:01:23.000000000 +0000 @@ -85,18 +85,18 @@ ***/ typedef union isccc_symvalue { - void *as_pointer; + void *as_pointer; int as_integer; unsigned int as_uinteger; } isccc_symvalue_t; typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type, isccc_symvalue_t value, - void *userarg); + void *userarg); typedef bool (*isccc_symtabforeachaction_t)(char *key, unsigned int type, isccc_symvalue_t value, - void *userarg); + void *userarg); typedef enum { isccc_symexists_reject = 0, diff -Nru bind9-9.16.27/lib/isccc/include/isccc/util.h bind9-9.16.33/lib/isccc/include/isccc/util.h --- bind9-9.16.27/lib/isccc/include/isccc/util.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/include/isccc/util.h 2022-09-08 13:01:23.000000000 +0000 @@ -220,7 +220,7 @@ do { \ union { \ const void *k; \ - void *v; \ + void *v; \ } _u; \ _u.k = konst; \ var = _u.v; \ diff -Nru bind9-9.16.27/lib/isccc/sexpr.c bind9-9.16.33/lib/isccc/sexpr.c --- bind9-9.16.27/lib/isccc/sexpr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/sexpr.c 2022-09-08 13:01:23.000000000 +0000 @@ -211,8 +211,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } diff -Nru bind9-9.16.27/lib/isccc/symtab.c bind9-9.16.33/lib/isccc/symtab.c --- bind9-9.16.27/lib/isccc/symtab.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccc/symtab.c 2022-09-08 13:01:23.000000000 +0000 
@@ -96,7 +96,7 @@ return (ISC_R_SUCCESS); } -static inline void +static void free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) { ISC_LIST_UNLINK(symtab->table[bucket], elt, link); if (symtab->undefine_action != NULL) { @@ -129,7 +129,7 @@ free(symtab); } -static inline unsigned int +static unsigned int hash(const char *key, bool case_sensitive) { const char *s; unsigned int h = 0; diff -Nru bind9-9.16.27/lib/isccfg/aclconf.c bind9-9.16.33/lib/isccfg/aclconf.c --- bind9-9.16.27/lib/isccfg/aclconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/aclconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -401,8 +401,7 @@ } return (subtype); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -428,8 +427,8 @@ if (ctx->geoip->country != NULL) { return (true); } - /* city db can answer these too, so: */ - /* FALLTHROUGH */ + /* city db can answer these too, so: */ + FALLTHROUGH; case dns_geoip_region: case dns_geoip_regionname: case dns_geoip_city_countrycode: diff -Nru bind9-9.16.27/lib/isccfg/include/isccfg/cfg.h bind9-9.16.33/lib/isccfg/include/isccfg/cfg.h --- bind9-9.16.27/lib/isccfg/include/isccfg/cfg.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/include/isccfg/cfg.h 2022-09-08 13:01:23.000000000 +0000 @@ -72,7 +72,7 @@ * that needs to be interpreted at parsing time, like * "directory". */ -typedef isc_result_t (*cfg_parsecallback_t)(const char *clausename, +typedef isc_result_t (*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg); /*** 
@@ -581,9 +581,9 @@ typedef isc_result_t(pluginlist_cb_t)(const cfg_obj_t *config, const cfg_obj_t *obj, - const char *plugin_path, - const char *parameters, - void *callback_data); + const char *plugin_path, + const char *parameters, + void *callback_data); /*%< * Function prototype for the callback used with cfg_pluginlist_foreach(). * Called once for each element of the list passed to cfg_pluginlist_foreach(). diff -Nru bind9-9.16.27/lib/isccfg/include/isccfg/grammar.h bind9-9.16.33/lib/isccfg/include/isccfg/grammar.h --- bind9-9.16.27/lib/isccfg/include/isccfg/grammar.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/include/isccfg/grammar.h 2022-09-08 13:01:23.000000000 +0000 @@ -130,17 +130,17 @@ /*% A configuration object type definition. */ struct cfg_type { - const char *name; /*%< For debugging purposes only */ + const char *name; /*%< For debugging purposes only */ cfg_parsefunc_t parse; cfg_printfunc_t print; cfg_docfunc_t doc; /*%< Print grammar description */ - cfg_rep_t *rep; /*%< Data representation */ - const void *of; /*%< Additional data for meta-types */ + cfg_rep_t *rep; /*%< Data representation */ + const void *of; /*%< Additional data for meta-types */ }; /*% A keyword-type definition, for things like "port ". */ typedef struct { - const char *name; + const char *name; const cfg_type_t *type; } keyword_type_t; @@ -183,7 +183,7 @@ * A configuration data representation. */ struct cfg_rep { - const char *name; /*%< For debugging only */ + const char *name; /*%< For debugging only */ cfg_freefunc_t free; /*%< How to free this kind of data. */ }; @@ -201,7 +201,7 @@ bool boolean; cfg_map_t map; cfg_list_t list; - cfg_obj_t **tuple; + cfg_obj_t **tuple; isc_sockaddr_t sockaddr; struct { isc_sockaddr_t sockaddr; @@ -211,7 +211,7 @@ cfg_duration_t duration; } value; isc_refcount_t references; /*%< reference counter */ - const char *file; + const char *file; unsigned int line; cfg_parser_t *pctx; }; 
@@ -224,9 +224,9 @@ /*% The parser object. */ struct cfg_parser { - isc_mem_t *mctx; - isc_log_t *lctx; - isc_lex_t *lexer; + isc_mem_t *mctx; + isc_log_t *lctx; + isc_lex_t *lexer; unsigned int errors; unsigned int warnings; isc_token_t token; @@ -280,7 +280,7 @@ isc_refcount_t references; cfg_parsecallback_t callback; - void *callbackarg; + void *callbackarg; }; /* Parser context flags */ diff -Nru bind9-9.16.27/lib/isccfg/kaspconf.c bind9-9.16.33/lib/isccfg/kaspconf.c --- bind9-9.16.27/lib/isccfg/kaspconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/kaspconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -262,7 +262,7 @@ const cfg_listelt_t *element = NULL; const char *kaspname = NULL; dns_kasp_t *kasp = NULL; - int i = 0; + size_t i = 0; REQUIRE(kaspp != NULL && *kaspp == NULL); @@ -323,6 +323,9 @@ (void)confget(maps, "keys", &keys); if (keys != NULL) { + char role[256] = { 0 }; + dns_kasp_key_t *kkey = NULL; + for (element = cfg_list_first(keys); element != NULL; element = cfg_list_next(element)) { 
@@ -333,6 +336,36 @@ } } INSIST(!(dns_kasp_keylist_empty(kasp))); + dns_kasp_freeze(kasp); + for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL; + kkey = ISC_LIST_NEXT(kkey, link)) + { + uint32_t keyalg = dns_kasp_key_algorithm(kkey); + INSIST(keyalg < ARRAY_SIZE(role)); + + if (dns_kasp_key_zsk(kkey)) { + role[keyalg] |= DNS_KASP_KEY_ROLE_ZSK; + } + + if (dns_kasp_key_ksk(kkey)) { + role[keyalg] |= DNS_KASP_KEY_ROLE_KSK; + } + } + dns_kasp_thaw(kasp); + for (i = 0; i < ARRAY_SIZE(role); i++) { + if (role[i] != 0 && role[i] != (DNS_KASP_KEY_ROLE_ZSK | + DNS_KASP_KEY_ROLE_KSK)) + { + cfg_obj_log(keys, logctx, ISC_LOG_ERROR, + "dnssec-policy: algorithm %zu " + "requires both KSK and ZSK roles", + i); + result = ISC_R_FAILURE; + } + } + if (result != ISC_R_SUCCESS) { + goto cleanup; + } } else if (strcmp(kaspname, "insecure") == 0) { /* "dnssec-policy insecure": key list must be empty */ INSIST(strcmp(kaspname, "insecure") == 0); diff -Nru bind9-9.16.27/lib/isccfg/namedconf.c bind9-9.16.33/lib/isccfg/namedconf.c --- bind9-9.16.27/lib/isccfg/namedconf.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/namedconf.c 2022-09-08 13:01:23.000000000 +0000 @@ -1237,6 +1237,7 @@ { "random-device", &cfg_type_qstringornone, 0 }, { "recursing-file", &cfg_type_qstring, 0 }, { "recursive-clients", &cfg_type_uint32, 0 }, + { "reuseport", &cfg_type_boolean, 0 }, { "reserved-sockets", &cfg_type_uint32, 0 }, { "secroots-file", &cfg_type_qstring, 0 }, { "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_ANCIENT }, @@ -3126,8 +3127,7 @@ } else if ((*flagp & CFG_ADDR_V6OK) != 0) { isc_netaddr_any6(&netaddr); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } for (;;) { @@ -3212,8 +3212,7 @@ } else if ((*flagp & CFG_ADDR_V6OK) != 0) { cfg_print_cstr(pctx, ""); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } cfg_print_cstr(pctx, " | * ) [ port ( | * ) ] ) | " "( [ [ address ] ( "); 
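Review bot: The `INSIST(keyalg < ARRAY_SIZE(role))` in the new key-role loop of the kaspconf.c hunk at -333 asserts on a value that comes from the parsed `keys` list, and the size 256 of `role` (declared in the previous hunk) is an unexplained magic number. If the algorithm is already limited to the 8-bit DNSSEC range before this point the assertion cannot fire, but that is not visible here; if it is not, a bad configuration would abort the process instead of producing the `cfg_obj_log` error used a few lines later. I would document the invariant at the declaration, e.g. `char role[256] = { 0 }; /* indexed by DNSSEC algorithm number (8-bit) */`, and consider `unsigned char` since the array only holds bit flags. The enclosing function starts and ends outside the hunk.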
@@ -3222,8 +3221,7 @@ } else if ((*flagp & CFG_ADDR_V6OK) != 0) { cfg_print_cstr(pctx, ""); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } cfg_print_cstr(pctx, " | * ) ] port ( | * ) ) )" " [ dscp ]"); @@ -3850,8 +3848,7 @@ /* no zone type is specified for these */ break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } for (clause = clauses; clause->name != NULL; clause++) { diff -Nru bind9-9.16.27/lib/isccfg/parser.c bind9-9.16.33/lib/isccfg/parser.c --- bind9-9.16.27/lib/isccfg/parser.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/isccfg/parser.c 2022-09-08 13:01:23.000000000 +0000 @@ -421,8 +421,7 @@ return (tupleobj->value.tuple[i]); } } - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_result_t @@ -2702,8 +2701,7 @@ } else if (result == ISC_R_NOTFOUND) { /* do nothing */ } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } } @@ -3038,8 +3036,7 @@ isc_netaddr_any6(na); return (ISC_R_SUCCESS); } else { - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) { @@ -3322,8 +3319,7 @@ addrlen = 128; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } expectprefix = (result == ISC_R_IPV4PREFIX); CHECK(cfg_peektoken(pctx, 0)); diff -Nru bind9-9.16.27/lib/ns/client.c bind9-9.16.33/lib/ns/client.c --- bind9-9.16.27/lib/ns/client.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/client.c 2022-09-08 13:01:23.000000000 +0000 @@ -12,6 +12,7 @@ */ #include +#include #include #include @@ -64,6 +65,10 @@ #include #include +#ifndef _POSIX_HOST_NAME_MAX +#define _POSIX_HOST_NAME_MAX 255 +#endif + /*** *** Client ***/ 
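Review bot: The fallback `#define _POSIX_HOST_NAME_MAX 255` in the lib/ns/client.c include hunk at -64 defines an identifier from the implementation-reserved namespace (leading underscore plus uppercase letter), which can collide with or silently disagree with the system headers. A project-local constant would be safer, for example `#define NS_NSID_HOSTNAME_MAX 255` (the name is only a suggestion), used for the `nsid` buffer that the later hunk at -922 shrinks from `BUFSIZ` to `_POSIX_HOST_NAME_MAX + 1`. Because that buffer is now much smaller, it is worth confirming that the code filling it passes `sizeof(nsid)` and copes with a truncated, possibly unterminated name; that call is outside the visible hunks.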
@@ -129,11 +134,9 @@ */ #if defined(_WIN32) && !defined(_WIN64) -LIBNS_EXTERNAL_DATA atomic_uint_fast32_t ns_client_requests = - ATOMIC_VAR_INIT(0); +LIBNS_EXTERNAL_DATA atomic_uint_fast32_t ns_client_requests = 0; #else /* if defined(_WIN32) && !defined(_WIN64) */ -LIBNS_EXTERNAL_DATA atomic_uint_fast64_t ns_client_requests = - ATOMIC_VAR_INIT(0); +LIBNS_EXTERNAL_DATA atomic_uint_fast64_t ns_client_requests = 0; #endif /* if defined(_WIN32) && !defined(_WIN64) */ static void @@ -640,8 +643,7 @@ ISC_MIN((int)respsize / 16, 256)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { #ifdef HAVE_DNSTAP @@ -670,8 +672,7 @@ ISC_MIN((int)respsize / 16, 256)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -802,10 +803,11 @@ loglevel = ISC_LOG_DEBUG(1); } wouldlog = isc_log_wouldlog(ns_lctx, loglevel); - rrl_result = dns_rrl( - client->view, &client->peeraddr, TCP_CLIENT(client), - dns_rdataclass_in, dns_rdatatype_none, NULL, result, - client->now, wouldlog, log_buf, sizeof(log_buf)); + rrl_result = dns_rrl(client->view, NULL, &client->peeraddr, + TCP_CLIENT(client), dns_rdataclass_in, + dns_rdatatype_none, NULL, result, + client->now, wouldlog, log_buf, + sizeof(log_buf)); if (rrl_result != DNS_RRL_RESULT_OK) { /* * Log dropped errors in the query category @@ -922,7 +924,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, dns_rdataset_t **opt) { unsigned char ecs[ECS_SIZE]; - char nsid[BUFSIZ], *nsidp; + char nsid[_POSIX_HOST_NAME_MAX + 1], *nsidp = NULL; unsigned char cookie[COOKIE_SIZE]; isc_result_t result; dns_view_t *view; @@ -1034,8 +1036,7 @@ memmove(addr, &client->ecs.addr.type, addrl); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_buffer_init(&buf, ecs, sizeof(ecs)); @@ -1147,8 +1148,7 @@ inputlen = 32; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } isc_siphash24(secret, input, inputlen, digest); 
@@ -1189,8 +1189,7 @@ digest); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } for (i = 0; i < 8; i++) { digest[i] ^= digest[i + 8]; @@ -1200,8 +1199,7 @@ } default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1809,8 +1807,7 @@ ISC_MIN((int)reqsize / 16, 18)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } else { switch (isc_sockaddr_pf(&client->peeraddr)) { @@ -1823,8 +1820,7 @@ ISC_MIN((int)reqsize / 16, 18)); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -1970,28 +1966,13 @@ return; } - /* - * Determine the destination address. If the receiving interface is - * bound to a specific address, we simply use it regardless of the - * address family. All IPv4 queries should fall into this case. - * Otherwise, if this is a TCP query, get the address from the - * receiving socket (this needs a system call and can be heavy). - * For IPv6 UDP queries, we get this from the pktinfo structure (if - * supported). - * - * If all the attempts fail (this can happen due to memory shortage, - * etc), we regard this as an error for safety. - */ if ((client->manager->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0) { - isc_netaddr_fromsockaddr(&client->destaddr, - &client->manager->interface->addr); + client->destsockaddr = client->manager->interface->addr; } else { - isc_sockaddr_t sockaddr = isc_nmhandle_localaddr(handle); - isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr); + client->destsockaddr = isc_nmhandle_localaddr(handle); } - - isc_sockaddr_fromnetaddr(&client->destsockaddr, &client->destaddr, 0); + isc_netaddr_fromsockaddr(&client->destaddr, &client->destsockaddr); result = client->sctx->matchingview(&netaddr, &client->destaddr, client->message, env, &sigresult, 
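Review bot: The hunk at -1970 in lib/ns/client.c deletes the comment that explained how the destination address is chosen and leaves the new assignments undocumented, while also changing what `client->destsockaddr` holds. It is now copied from `interface->addr` or `isc_nmhandle_localaddr(handle)` and so keeps the local port, where the removed `isc_sockaddr_fromnetaddr(..., 0)` call always stored port 0. Consumers of `destsockaddr` are outside the hunk, so whether any of them relied on the zero port cannot be checked here. I would keep a short comment above the `if`, such as `/* destsockaddr keeps the local address and port; destaddr is derived from it for view matching */`. The enclosing function starts and ends outside the hunk.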
@@ -3015,7 +2996,7 @@ return (ISC_R_SUCCESS); } -static inline ns_dbversion_t * +static ns_dbversion_t * client_getdbversion(ns_client_t *client) { ns_dbversion_t *dbversion = NULL; diff -Nru bind9-9.16.27/lib/ns/include/ns/client.h bind9-9.16.33/lib/ns/include/ns/client.h --- bind9-9.16.27/lib/ns/include/ns/client.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/client.h 2022-09-08 13:01:23.000000000 +0000 @@ -146,11 +146,11 @@ /* Unlocked. */ unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; ns_server_t *sctx; isc_taskmgr_t *taskmgr; isc_timermgr_t *timermgr; - isc_task_t *excl; + isc_task_t *excl; isc_refcount_t references; int ncpus; @@ -174,21 +174,21 @@ /*% nameserver client structure */ struct ns_client { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; bool allocated; /* Do we need to free it? */ - ns_server_t *sctx; - ns_clientmgr_t *manager; + ns_server_t *sctx; + ns_clientmgr_t *manager; ns_clientstate_t state; int nupdates; bool nodetach; bool shuttingdown; unsigned int attributes; - isc_task_t *task; - dns_view_t *view; - dns_dispatch_t *dispatch; - isc_nmhandle_t *handle; /* Permanent pointer to handle */ - isc_nmhandle_t *sendhandle; /* Waiting for send callback */ - isc_nmhandle_t *reqhandle; /* Waiting for request callback + isc_task_t *task; + dns_view_t *view; + dns_dispatch_t *dispatch; + isc_nmhandle_t *handle; /* Permanent pointer to handle */ + isc_nmhandle_t *sendhandle; /* Waiting for send callback */ + isc_nmhandle_t *reqhandle; /* Waiting for request callback (query, update, notify) */ isc_nmhandle_t *fetchhandle; /* Waiting for recursive fetch */ isc_nmhandle_t *prefetchhandle; /* Waiting for prefetch / rpzfetch */ diff -Nru bind9-9.16.27/lib/ns/include/ns/hooks.h bind9-9.16.33/lib/ns/include/ns/hooks.h --- bind9-9.16.27/lib/ns/include/ns/hooks.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/hooks.h 2022-09-08 13:01:23.000000000 +0000 
@@ -236,9 +236,9 @@ isc_result_t *resultp); typedef struct ns_hook { - isc_mem_t *mctx; + isc_mem_t *mctx; ns_hook_action_t action; - void *action_data; + void *action_data; ISC_LINK(struct ns_hook) link; } ns_hook_t; diff -Nru bind9-9.16.27/lib/ns/include/ns/interfacemgr.h bind9-9.16.33/lib/ns/include/ns/interfacemgr.h --- bind9-9.16.27/lib/ns/include/ns/interfacemgr.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/interfacemgr.h 2022-09-08 13:01:23.000000000 +0000 @@ -77,7 +77,7 @@ isc_sockaddr_t addr; /*%< Address and port. */ unsigned int flags; /*%< Interface flags */ char name[32]; /*%< Null terminated. */ - dns_dispatch_t *udpdispatch[MAX_UDP_DISPATCH]; + dns_dispatch_t *udpdispatch[MAX_UDP_DISPATCH]; /*%< UDP dispatchers. */ isc_socket_t *tcpsocket; /*%< TCP socket. */ isc_nmsocket_t *udplistensocket; diff -Nru bind9-9.16.27/lib/ns/include/ns/log.h bind9-9.16.33/lib/ns/include/ns/log.h --- bind9-9.16.27/lib/ns/include/ns/log.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/log.h 2022-09-08 13:01:23.000000000 +0000 @@ -19,7 +19,7 @@ #include #include -LIBNS_EXTERNAL_DATA extern isc_log_t *ns_lctx; +LIBNS_EXTERNAL_DATA extern isc_log_t *ns_lctx; LIBNS_EXTERNAL_DATA extern isc_logcategory_t ns_categories[]; LIBNS_EXTERNAL_DATA extern isc_logmodule_t ns_modules[]; diff -Nru bind9-9.16.27/lib/ns/include/ns/query.h bind9-9.16.33/lib/ns/include/ns/query.h --- bind9-9.16.27/lib/ns/include/ns/query.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/query.h 2022-09-08 13:01:23.000000000 +0000 @@ -31,7 +31,7 @@ /*% nameserver database version structure */ typedef struct ns_dbversion { - dns_db_t *db; + dns_db_t *db; dns_dbversion_t *version; bool acl_checked; bool queryok; 
@@ -44,9 +44,9 @@ */ typedef struct ns_query_recparam { dns_rdatatype_t qtype; - dns_name_t *qname; + dns_name_t *qname; dns_fixedname_t fqname; - dns_name_t *qdomain; + dns_name_t *qdomain; dns_fixedname_t fqdomain; } ns_query_recparam_t; @@ -55,36 +55,36 @@ unsigned int attributes; unsigned int restarts; bool timerset; - dns_name_t *qname; - dns_name_t *origqname; + dns_name_t *qname; + dns_name_t *origqname; dns_rdatatype_t qtype; unsigned int dboptions; unsigned int fetchoptions; - dns_db_t *gluedb; - dns_db_t *authdb; - dns_zone_t *authzone; + dns_db_t *gluedb; + dns_db_t *authdb; + dns_zone_t *authzone; bool authdbset; bool isreferral; isc_mutex_t fetchlock; - dns_fetch_t *fetch; - dns_fetch_t *prefetch; - dns_rpz_st_t *rpz_st; + dns_fetch_t *fetch; + dns_fetch_t *prefetch; + dns_rpz_st_t *rpz_st; isc_bufferlist_t namebufs; ISC_LIST(ns_dbversion_t) activeversions; ISC_LIST(ns_dbversion_t) freeversions; dns_rdataset_t *dns64_aaaa; dns_rdataset_t *dns64_sigaaaa; - bool *dns64_aaaaok; + bool *dns64_aaaaok; unsigned int dns64_aaaaoklen; unsigned int dns64_options; unsigned int dns64_ttl; struct { - dns_db_t *db; - dns_zone_t *zone; + dns_db_t *db; + dns_zone_t *zone; dns_dbnode_t *node; dns_rdatatype_t qtype; - dns_name_t *fname; + dns_name_t *fname; dns_fixedname_t fixed; isc_result_t result; dns_rdataset_t *rdataset; @@ -147,6 +147,7 @@ bool authoritative; /* authoritative query? */ bool want_restart; /* CNAME chain or other * restart needed */ + bool refresh_rrset; /* stale RRset refresh needed */ bool need_wildcardproof; /* wildcard proof needed */ bool nxrewrite; /* negative answer from RPZ */ bool findcoveringnsec; /* lookup covering NSEC */ 
@@ -159,16 +160,16 @@ dns_fetchevent_t *event; /* recursion event */ - dns_db_t *db; /* zone or cache database */ + dns_db_t *db; /* zone or cache database */ dns_dbversion_t *version; /* DB version */ - dns_dbnode_t *node; /* DB node */ + dns_dbnode_t *node; /* DB node */ - dns_db_t *zdb; /* zone DB values, saved */ - dns_dbnode_t *znode; /* while searching cache */ - dns_name_t *zfname; /* for a better answer */ + dns_db_t *zdb; /* zone DB values, saved */ + dns_dbnode_t *znode; /* while searching cache */ + dns_name_t *zfname; /* for a better answer */ dns_dbversion_t *zversion; - dns_rdataset_t *zrdataset; - dns_rdataset_t *zsigrdataset; + dns_rdataset_t *zrdataset; + dns_rdataset_t *zsigrdataset; dns_rpz_st_t *rpz_st; /* RPZ state */ dns_zone_t *zone; /* zone to search */ diff -Nru bind9-9.16.27/lib/ns/include/ns/server.h bind9-9.16.33/lib/ns/include/ns/server.h --- bind9-9.16.27/lib/ns/include/ns/server.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/server.h 2022-09-08 13:01:23.000000000 +0000 @@ -72,7 +72,7 @@ */ struct ns_server { unsigned int magic; - isc_mem_t *mctx; + isc_mem_t *mctx; isc_refcount_t references; @@ -90,15 +90,15 @@ /*% Test options and other configurables */ uint32_t options; - dns_acl_t *blackholeacl; - dns_acl_t *keepresporder; + dns_acl_t *blackholeacl; + dns_acl_t *keepresporder; uint16_t udpsize; uint16_t transfer_tcp_message_size; bool interface_auto; dns_tkeyctx_t *tkeyctx; /*% Server id for NSID */ - char *server_id; + char *server_id; ns_hostnamecb_t gethostname; /*% Fuzzer callback */ diff -Nru bind9-9.16.27/lib/ns/include/ns/sortlist.h bind9-9.16.33/lib/ns/include/ns/sortlist.h --- bind9-9.16.27/lib/ns/include/ns/sortlist.h 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/include/ns/sortlist.h 2022-09-08 13:01:23.000000000 +0000 
@@ -25,7 +25,7 @@ * Type for callback functions that rank addresses. */ typedef int (*dns_addressorderfunc_t)(const isc_netaddr_t *address, - const void *arg); + const void *arg); /*% * Return value type for setup_sortlist. @@ -70,7 +70,7 @@ void ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, dns_aclenv_t *env, - isc_netaddr_t *client_addr, + isc_netaddr_t *client_addr, dns_addressorderfunc_t *orderp, const void **argp); /*%< * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any. diff -Nru bind9-9.16.27/lib/ns/interfacemgr.c bind9-9.16.33/lib/ns/interfacemgr.c --- bind9-9.16.27/lib/ns/interfacemgr.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/interfacemgr.c 2022-09-08 13:01:23.000000000 +0000 @@ -391,7 +391,7 @@ static isc_result_t ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, const char *name, ns_interface_t **ifpret) { - ns_interface_t *ifp; + ns_interface_t *ifp = NULL; isc_result_t result; int disp; @@ -422,13 +422,13 @@ ISC_LINK_INIT(ifp, link); ns_interfacemgr_attach(mgr, &ifp->mgr); + isc_refcount_init(&ifp->references, 1); + ifp->magic = IFACE_MAGIC; + LOCK(&mgr->lock); ISC_LIST_APPEND(mgr->interfaces, ifp, link); UNLOCK(&mgr->lock); - isc_refcount_init(&ifp->references, 1); - ifp->magic = IFACE_MAGIC; - result = ns_clientmgr_create(mgr->mctx, mgr->sctx, mgr->taskmgr, mgr->timermgr, ifp, mgr->ncpus, &ifp->clientmgr); 
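Review bot: In the ns_interface_create hunk at -422 the new interface is still appended to `mgr->interfaces` before `ns_clientmgr_create()` has succeeded, so a partly built object is reachable through the list and the failure path in the next hunk (-444) has to unlink it again. If another thread walking the list under `mgr->lock` can take a reference in that window, the `isc_refcount_decrement`/`isc_refcount_destroy` pair on the failure path runs with an unexpected count and the memory is released regardless; whether such a walker exists is not visible here. Moving the `LOCK`/`ISC_LIST_APPEND`/`UNLOCK` lines to just before `return (ISC_R_SUCCESS);` would keep failed interfaces off the list entirely, provided the listener setup in between does not need the entry to be listed. The function body starts before this hunk and continues into the next one.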
@@ -444,11 +444,17 @@ return (ISC_R_SUCCESS); failure: - isc_mutex_destroy(&ifp->lock); + LOCK(&ifp->mgr->lock); + ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link); + UNLOCK(&ifp->mgr->lock); ifp->magic = 0; - isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); + ns_interfacemgr_detach(&ifp->mgr); + isc_refcount_decrement(&ifp->references); + isc_refcount_destroy(&ifp->references); + isc_mutex_destroy(&ifp->lock); + isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); return (ISC_R_UNEXPECTED); } diff -Nru bind9-9.16.27/lib/ns/query.c bind9-9.16.33/lib/ns/query.c --- bind9-9.16.27/lib/ns/query.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/query.c 2022-09-08 13:01:23.000000000 +0000 @@ -158,7 +158,7 @@ #define STALE_WINDOW(r) (((r)->attributes & DNS_RDATASETATTR_STALE_WINDOW) != 0) #ifdef WANT_QUERYTRACE -static inline void +static void client_trace(ns_client_t *client, int level, const char *message) { if (client != NULL && client->query.qname != NULL) { if (isc_log_wouldlog(ns_lctx, level)) { @@ -228,7 +228,7 @@ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_name_t *fname, bool exact, dns_name_t *found); -static inline void +static void log_queryerror(ns_client_t *client, isc_result_t result, int line, int level); static void @@ -246,7 +246,7 @@ * Return the hooktable in use with 'qctx', or if there isn't one * set, return the default hooktable. */ -static inline ns_hooktable_t * +static ns_hooktable_t * get_hooktab(query_ctx_t *qctx) { if (qctx == NULL || qctx->view == NULL || qctx->view->hooktable == NULL) { @@ -263,7 +263,7 @@ * * (Note that a hook function may set the 'result' to ISC_R_SUCCESS but * still terminate processing within the calling function. That's why this - * is a macro instead of an inline function; it needs to be able to use + * is a macro instead of a static function; it needs to be able to use * 'goto cleanup' regardless of the return value.) */ #define CALL_HOOK(_id, _qctx) \ 
@@ -284,7 +284,7 @@ result = _res; \ goto cleanup; \ default: \ - INSIST(0); \ + UNREACHABLE(); \ } \ } \ } while (false) @@ -295,7 +295,7 @@ * codes are ignored. This is intended for use with initialization and * destruction calls which *must* run in every configured module. * - * (This could be implemented as an inline void function, but is left as a + * (This could be implemented as a static void function, but is left as a * macro for symmetry with CALL_HOOK above.) */ #define CALL_HOOK_NORETURN(_id, _qctx) \ @@ -503,7 +503,7 @@ /* * Increment query statistics counters. */ -static inline void +static void inc_stats(ns_client_t *client, isc_statscounter_t counter) { dns_zone_t *zone = client->query.authzone; dns_rdatatype_t qtype; @@ -624,7 +624,7 @@ } } -static inline void +static void query_freefreeversions(ns_client_t *client, bool everything) { ns_dbversion_t *dbversion, *dbversion_next; unsigned int i; @@ -659,7 +659,7 @@ UNLOCK(&client->query.fetchlock); } -static inline void +static void query_reset(ns_client_t *client, bool everything) { isc_buffer_t *dbuf, *dbuf_next; ns_dbversion_t *dbversion, *dbversion_next; @@ -906,7 +906,7 @@ : DNS_R_REFUSED); } -static inline isc_result_t +static isc_result_t query_validatezonedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t *zone, dns_db_t *db, @@ -1069,7 +1069,7 @@ return (ISC_R_SUCCESS); } -static inline isc_result_t +static isc_result_t query_getzonedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { @@ -1297,7 +1297,7 @@ * Find a cache database to answer the query. This may fail with DNS_R_REFUSED * if the client is not allowed to use the cache. */ -static inline isc_result_t +static isc_result_t query_getcachedb(ns_client_t *client, const dns_name_t *name, dns_rdatatype_t qtype, dns_db_t **dbp, unsigned int options) { isc_result_t result; 
@@ -1325,7 +1325,7 @@ return (result); } -static inline isc_result_t +static isc_result_t query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, unsigned int options, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, bool *is_zonep) { @@ -1427,7 +1427,7 @@ return (result); } -static inline bool +static bool query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, dns_name_t **mnamep) { dns_section_t section; @@ -2059,7 +2059,7 @@ /* * Add 'rdataset' to 'name'. */ -static inline void +static void query_addtoname(dns_name_t *name, dns_rdataset_t *rdataset) { ISC_LIST_APPEND(name->list, rdataset, link); } @@ -2486,10 +2486,11 @@ */ if (client->recursionquota != NULL) { isc_quota_detach(&client->recursionquota); - ns_stats_decrement(client->sctx->nsstats, - ns_statscounter_recursclients); } + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + free_devent(client, &event, &devent); isc_nmhandle_detach(&client->prefetchhandle); } @@ -2517,17 +2518,18 @@ &client->recursionquota); switch (result) { case ISC_R_SUCCESS: - ns_stats_increment(client->sctx->nsstats, - ns_statscounter_recursclients); break; case ISC_R_SOFTQUOTA: isc_quota_detach(&client->recursionquota); - /* FALLTHROUGH */ + FALLTHROUGH; default: return; } } + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + tmprdataset = ns_client_newrdataset(client); if (tmprdataset == NULL) { return; @@ -2555,7 +2557,7 @@ ns_stats_increment(client->sctx->nsstats, ns_statscounter_prefetch); } -static inline void +static void rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) { if (nodep != NULL && *nodep != NULL) { 
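Review bot: In the prefetch hunk at -2517 of lib/ns/query.c the `ns_statscounter_recursclients` increment is now unconditional and sits directly before `if (tmprdataset == NULL) { return; }`, so that early return leaves the counter raised with no fetch to trigger the matching decrement in the completion handler (hunk -2486). The same placement appears in the RPZ fetch hunk at -2735 and before "Invoke the resolver" in the ns_query_recurse hunk at -6327, where the later failure paths lie outside the hunk. A counter that drifts upward makes the recursing-clients statistic unreliable for capacity monitoring and alerting. I would either move the increment below the allocation check or add `ns_stats_decrement(client->sctx->nsstats, ns_statscounter_recursclients);` before each early return that follows it.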
@@ -2575,13 +2577,13 @@ } } -static inline void +static void rpz_match_clear(dns_rpz_st_t *st) { rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); st->m.version = NULL; } -static inline isc_result_t +static isc_result_t rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { REQUIRE(rdatasetp != NULL); @@ -2687,8 +2689,7 @@ } break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -2735,17 +2736,18 @@ &client->recursionquota); switch (result) { case ISC_R_SUCCESS: - ns_stats_increment(client->sctx->nsstats, - ns_statscounter_recursclients); break; case ISC_R_SOFTQUOTA: isc_quota_detach(&client->recursionquota); - /* FALLTHROUGH */ + FALLTHROUGH; default: return; } } + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + tmprdataset = ns_client_newrdataset(client); if (tmprdataset == NULL) { return; @@ -2776,7 +2778,7 @@ */ static isc_result_t rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, - dns_rpz_type_t rpz_type, dns_db_t **dbp, + unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp, bool resuming) { dns_rpz_st_t *st; @@ -2845,9 +2847,8 @@ found = dns_fixedname_initname(&fixed); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client, NULL, NULL); - result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, - client->now, &node, found, &cm, &ci, *rdatasetp, - NULL); + result = dns_db_findext(*dbp, name, version, type, options, client->now, + &node, found, &cm, &ci, *rdatasetp, NULL); if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) { /* * Try the cache if we're authoritative for an @@ -2922,8 +2923,7 @@ suffix = &rpz->nsip; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -3357,8 +3357,7 @@ recursed = true; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } do { 
@@ -3408,8 +3407,7 @@ trig = LIBRPZ_TRIG_NSDNAME; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } dns_name_toregion(trig_name, &r); 
@@ -3590,82 +3588,104 @@ struct in_addr ina; struct in6_addr in6a; isc_result_t result; + unsigned int options = DNS_DBFIND_GLUEOK; + bool done = false; CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); - zbits = rpz_get_zbits(client, ip_type, rpz_type); - if (zbits == 0) { - return (ISC_R_SUCCESS); - } + do { + zbits = rpz_get_zbits(client, ip_type, rpz_type); + if (zbits == 0) { + return (ISC_R_SUCCESS); + } - /* - * Get the A or AAAA rdataset. - */ - result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp, - ip_version, ip_rdatasetp, resuming); - switch (result) { - case ISC_R_SUCCESS: - case DNS_R_GLUE: - case DNS_R_ZONECUT: - break; - case DNS_R_EMPTYNAME: - case DNS_R_EMPTYWILD: - case DNS_R_NXDOMAIN: - case DNS_R_NCACHENXDOMAIN: - case DNS_R_NXRRSET: - case DNS_R_NCACHENXRRSET: - case ISC_R_NOTFOUND: - return (ISC_R_SUCCESS); - case DNS_R_DELEGATION: - case DNS_R_DUPLICATE: - case DNS_R_DROP: - return (result); - case DNS_R_CNAME: - case DNS_R_DNAME: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, - "NS address rewrite rrset", result); - return (ISC_R_SUCCESS); - default: - if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + /* + * Get the A or AAAA rdataset. 
+ */ + result = rpz_rrset_find(client, name, ip_type, options, + rpz_type, ip_dbp, ip_version, + ip_rdatasetp, resuming); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + break; + case DNS_R_EMPTYNAME: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + return (ISC_R_SUCCESS); + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + return (result); + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, "NS address rewrite rrset", result); + return (ISC_R_SUCCESS); + default: + if (client->query.rpz_st->m.policy != + DNS_RPZ_POLICY_ERROR) { + client->query.rpz_st->m.policy = + DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, + "NS address rewrite rrset", + result); + } + CTRACE(ISC_LOG_ERROR, + "rpz_rewrite_ip_rrset: unexpected " + "result"); + return (DNS_R_SERVFAIL); } - CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip_rrset: unexpected " - "result"); - return (DNS_R_SERVFAIL); - } - /* - * Check all of the IP addresses in the rdataset. - */ - for (result = dns_rdataset_first(*ip_rdatasetp); - result == ISC_R_SUCCESS; result = dns_rdataset_next(*ip_rdatasetp)) - { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_current(*ip_rdatasetp, &rdata); - switch (rdata.type) { - case dns_rdatatype_a: - INSIST(rdata.length == 4); - memmove(&ina.s_addr, rdata.data, 4); - isc_netaddr_fromin(&netaddr, &ina); - break; - case dns_rdatatype_aaaa: - INSIST(rdata.length == 16); - memmove(in6a.s6_addr, rdata.data, 16); - isc_netaddr_fromin6(&netaddr, &in6a); - break; - default: - continue; + /* + * If we are processing glue setup for the next loop + * otherwise we are done. 
+ */ + if (result == DNS_R_GLUE) { + options = 0; + } else { + done = true; } - result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, - zbits, p_rdatasetp); - if (result != ISC_R_SUCCESS) { - return (result); + /* + * Check all of the IP addresses in the rdataset. + */ + for (result = dns_rdataset_first(*ip_rdatasetp); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(*ip_rdatasetp)) + { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(*ip_rdatasetp, &rdata); + switch (rdata.type) { + case dns_rdatatype_a: + INSIST(rdata.length == 4); + memmove(&ina.s_addr, rdata.data, 4); + isc_netaddr_fromin(&netaddr, &ina); + break; + case dns_rdatatype_aaaa: + INSIST(rdata.length == 16); + memmove(in6a.s6_addr, rdata.data, 16); + isc_netaddr_fromin6(&netaddr, &in6a); + break; + default: + continue; + } + + result = rpz_rewrite_ip(client, &netaddr, qtype, + rpz_type, zbits, p_rdatasetp); + if (result != ISC_R_SUCCESS) { + return (result); + } } - } + } while (!done && + client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS); return (ISC_R_SUCCESS); } @@ -3939,6 +3959,7 @@ dns_rpz_have_t have; dns_rpz_popt_t popt; int rpz_ver; + unsigned int options; #ifdef USE_DNSRPS librpz_emsg_t emsg; #endif /* ifdef USE_DNSRPS */ @@ -4189,7 +4210,9 @@ dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); + options = DNS_DBFIND_GLUEOK; while (st->r.label > st->popt.min_ns_labels) { + bool was_glue = false; /* * Get NS rrset for each domain in the current qname. */ @@ -4204,7 +4227,7 @@ !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; result = rpz_rrset_find(client, nsname, - dns_rdatatype_ns, + dns_rdatatype_ns, options, DNS_RPZ_TYPE_NSDNAME, &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) { @@ -4214,6 +4237,9 @@ goto cleanup; } switch (result) { + case DNS_R_GLUE: + was_glue = true; + FALLTHROUGH; case ISC_R_SUCCESS: result = dns_rdataset_first(st->r.ns_rdataset); if (result != ISC_R_SUCCESS) { 
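Review bot: The new `do { ... } while (!done && ...)` loop in rpz_rewrite_ip_rrset (hunk -3590) terminates only if the second `rpz_rrset_find()` call, made with `options = 0`, never returns `DNS_R_GLUE` again; nothing in the hunk enforces that. If a database implementation did return glue without `DNS_DBFIND_GLUEOK` and the policy stayed `DNS_RPZ_POLICY_MISS`, the same lookup would repeat indefinitely on a query-driven path. Bounding the retry locally is cheap: `if (result == DNS_R_GLUE && options != 0) { options = 0; } else { done = true; }`. The NS-name loop changed in the hunks at -4214 and -4303 has the same shape (`was_glue` resets `options` to 0 without decrementing `st->r.label`) and would benefit from the same guard.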
@@ -4253,6 +4279,7 @@ continue; } } + /* * Check all NS names. */ @@ -4303,7 +4330,17 @@ result = dns_rdataset_next(st->r.ns_rdataset); } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); - st->r.label--; + + /* + * If we just checked a glue NS RRset retry without allowing + * glue responses, otherwise setup for the next name. + */ + if (was_glue) { + options = 0; + } else { + options = DNS_DBFIND_GLUEOK; + st->r.label--; + } if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) == 0 && @@ -5700,7 +5737,6 @@ bool dbfind_stale = false; bool stale_timeout = false; bool stale_found = false; - bool refresh_rrset = false; bool stale_refresh_window = false; CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); @@ -5884,8 +5920,7 @@ "%s stale answer used, an attempt to " "refresh the RRset will still be made", namebuf); - refresh_rrset = STALE(qctx->rdataset); - qctx->client->nodetach = refresh_rrset; + qctx->refresh_rrset = STALE(qctx->rdataset); } } else { /* @@ -5923,17 +5958,6 @@ result = query_gotanswer(qctx, result); - if (refresh_rrset) { - /* - * If we reached this point then it means that we have found a - * stale RRset entry in cache and BIND is configured to allow - * queries to be answered with stale data if no active RRset - * is available, i.e. "stale-anwer-client-timeout 0". But, we - * still need to refresh the RRset. - */ - query_refresh_rrset(qctx); - } - cleanup: return (result); } @@ -5998,7 +6022,7 @@ * answered, in order to avoid answering the query twice, when the original * fetch finishes. */ -static inline void +static void query_lookup_stale(ns_client_t *client) { query_ctx_t qctx; 
@@ -6104,10 +6128,11 @@ if (client->recursionquota != NULL) { isc_quota_detach(&client->recursionquota); - ns_stats_decrement(client->sctx->nsstats, - ns_statscounter_recursclients); } + ns_stats_decrement(client->sctx->nsstats, + ns_statscounter_recursclients); + LOCK(&client->manager->reclock); if (ISC_LINK_LINKED(client, rlink)) { ISC_LIST_UNLINK(client->manager->recursing, client, rlink); @@ -6220,14 +6245,6 @@ } } static atomic_uint_fast32_t last_soft, last_hard; -#ifdef ISC_MUTEX_ATOMICS -static isc_once_t last_once = ISC_ONCE_INIT; -static void -last_init() { - atomic_init(&last_soft, 0); - atomic_init(&last_hard, 0); -} -#endif /* ifdef ISC_MUTEX_ATOMICS */ isc_result_t ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, @@ -6268,15 +6285,7 @@ if (client->recursionquota == NULL) { result = isc_quota_attach(&client->sctx->recursionquota, &client->recursionquota); - if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) { - ns_stats_increment(client->sctx->nsstats, - ns_statscounter_recursclients); - } - if (result == ISC_R_SOFTQUOTA) { -#ifdef ISC_MUTEX_ATOMICS - isc_once_do(&last_once, last_init); -#endif /* ifdef ISC_MUTEX_ATOMICS */ isc_stdtime_t now; isc_stdtime_get(&now); if (now != atomic_load_relaxed(&last_soft)) { @@ -6297,9 +6306,6 @@ ns_client_killoldestquery(client); result = ISC_R_SUCCESS; } else if (result == ISC_R_QUOTA) { -#ifdef ISC_MUTEX_ATOMICS - isc_once_do(&last_once, last_init); -#endif /* ifdef ISC_MUTEX_ATOMICS */ isc_stdtime_t now; isc_stdtime_get(&now); if (now != atomic_load_relaxed(&last_hard)) { @@ -6327,6 +6333,9 @@ ns_client_recursing(client); } + ns_stats_increment(client->sctx->nsstats, + ns_statscounter_recursclients); + /* * Invoke the resolver. */ 
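Review bot: The `ns_stats_decrement(..., ns_statscounter_recursclients)` call in the `@@ -6104` hunk is now unconditional, while the matching `ns_stats_increment` moves to just before "Invoke the resolver" in the `@@ -6327` hunk, so the gauge stays balanced only if every path that passes the increment later reaches this decrement. The code after the resolver call is outside both hunks; if starting the fetch can fail there without going through this cleanup, `recursclients` would drift upward and mislead anyone alerting on it. Please confirm that failure path, and once confirmed record the pairing next to the increment, e.g. `/* Counted per recursing client, not per quota slot; decremented unconditionally at teardown. */`. Both enclosing functions start and end outside their hunks.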
@@ -6763,10 +6772,10 @@ } rrl_result = dns_rrl( - qctx->view, &qctx->client->peeraddr, TCP(qctx->client), - qctx->client->message->rdclass, qctx->qtype, constname, - resp_result, qctx->client->now, wouldlog, log_buf, - sizeof(log_buf)); + qctx->view, qctx->zone, &qctx->client->peeraddr, + TCP(qctx->client), qctx->client->message->rdclass, + qctx->qtype, constname, resp_result, qctx->client->now, + wouldlog, log_buf, sizeof(log_buf)); if (rrl_result != DNS_RRL_RESULT_OK) { /* * Log dropped or slipped responses in the query @@ -6941,7 +6950,7 @@ break; case DNS_RPZ_POLICY_NODATA: qctx->nxrewrite = true; - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_RPZ_POLICY_DNS64: result = DNS_R_NXRRSET; qctx->rpz = true; @@ -7000,8 +7009,7 @@ qctx->want_restart = true; return (ISC_R_COMPLETE); default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* @@ -7209,6 +7217,14 @@ return (false); } + if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { + /* + * Don't enable serve-stale if the result signals a duplicate + * query or query that is being dropped. + */ + return (false); + } + qctx_clean(qctx); qctx_freedata(qctx); @@ -7731,11 +7747,14 @@ /* * On normal lookups, clear any rdatasets that were added on a - * lookup due to stale-answer-client-timeout. + * lookup due to stale-answer-client-timeout. Do not clear if we + * are going to refresh the RRset, because the stale contents are + * prioritized. */ if (QUERY_STALEOK(&qctx->client->query) && - !QUERY_STALETIMEOUT(&qctx->client->query)) + !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) { + CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); query_clear_stale(qctx->client); /* * We can clear the attribute to prevent redundant clearing @@ -8900,8 +8919,7 @@ dns64_ttl(qctx->db, qctx->version); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); 
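Review bot: The `@@ -6763` hunk hands `qctx->zone` to `dns_rrl()` unchecked, and on this path it may well be NULL, for example when the answer does not come from a local zone (an inference; the assignment is not visible here). Response rate limiting is the control that keeps the server from being used as an amplifier, so a NULL dereference or a silently skipped limit at this call matters. Please confirm that `dns_rrl()` documents NULL as valid for the new parameter and say so at the call, e.g. `/* qctx->zone may be NULL for non-authoritative answers */`. The call sits in a function that starts and ends outside the hunk.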
@@ -9844,7 +9862,7 @@ { goto cleanup; } - /* FALLTHROUGH */ + FALLTHROUGH; case DNS_R_CNAME: if (!qctx->resuming && !STALE(&rdataset) && rdataset.ttl == 0 && RECURSIONOK(qctx->client)) @@ -11288,8 +11306,7 @@ case NS_SORTLISTTYPE_NONE: break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } } @@ -11297,7 +11314,7 @@ * When sending a referral, if the answer to the question is * in the glue, sort it to the start of the additional section. */ -static inline void +static void query_glueanswer(query_ctx_t *qctx) { const dns_namelist_t *secs = qctx->client->message->sections; const dns_section_t section = DNS_SECTION_ADDITIONAL; @@ -11451,9 +11468,29 @@ /* * Client may have been detached after query_send(), so * we test and store the flag state here, for safety. + * If we are refreshing the RRSet, we must not detach from the client + * in the query_send(), so we need to override the flag. */ + if (qctx->refresh_rrset) { + qctx->client->nodetach = true; + } nodetach = qctx->client->nodetach; query_send(qctx->client); + + if (qctx->refresh_rrset) { + /* + * If we reached this point then it means that we have found a + * stale RRset entry in cache and BIND is configured to allow + * queries to be answered with stale data if no active RRset + * is available, i.e. "stale-anwer-client-timeout 0". But, we + * still need to refresh the RRset. To prevent adding duplicate + * RRsets, clear the RRsets from the message before doing the + * refresh. + */ + message_clearrdataset(qctx->client->message, 0); + query_refresh_rrset(qctx); + } + if (!nodetach) { qctx->detach_client = true; } @@ -11463,7 +11500,7 @@ return (result); } -static inline void +static void log_tat(ns_client_t *client) { char namebuf[DNS_NAME_FORMATSIZE]; char clientbuf[ISC_NETADDR_FORMATSIZE]; @@ -11523,7 +11560,7 @@ } } -static inline void +static void log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; 
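Review bot: After `query_send(qctx->client)` the new block in the `@@ -11451` hunk still dereferences `qctx->client->message` and calls `query_refresh_rrset(qctx)`, which is safe only because `nodetach` was forced to `true` a few lines earlier; the existing comment itself warns that the client may be detached after `query_send()`. That coupling should be stated at the use site, e.g. `/* client is still attached: nodetach was forced above */`, so a later reorder does not turn it into a use-after-free. Because `nodetach` is now true on this path, `detach_client` is never set here, and the hunk does not show what releases the client if `query_refresh_rrset()` cannot start a fetch, so that path should be checked. The added comment also misspells the option as "stale-anwer-client-timeout" (`stale-answer-client-timeout`). The enclosing function starts and ends outside the hunk.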
@@ -11569,7 +11606,7 @@ onbuf, ecsbuf); } -static inline void +static void log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) { char namebuf[DNS_NAME_FORMATSIZE]; char typebuf[DNS_RDATATYPE_FORMATSIZE]; diff -Nru bind9-9.16.27/lib/ns/tests/nstest.c bind9-9.16.33/lib/ns/tests/nstest.c --- bind9-9.16.27/lib/ns/tests/nstest.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/tests/nstest.c 2022-09-08 13:01:23.000000000 +0000 @@ -68,7 +68,7 @@ bool app_running = false; int ncpus; bool debug_mem_record = true; -static atomic_bool run_managers = ATOMIC_VAR_INIT(false); +static atomic_bool run_managers = false; static bool dst_active = false; static bool test_running = false; @@ -172,7 +172,7 @@ /* * These need to be shut down from a running task. */ -static atomic_bool shutdown_done = ATOMIC_VAR_INIT(false); +static atomic_bool shutdown_done = false; static void shutdown_managers(isc_task_t *task, isc_event_t *event) { UNUSED(task); @@ -955,7 +955,6 @@ printf("bad input format: %02x\n", c); exit(3); - /* NOTREACHED */ } isc_result_t diff -Nru bind9-9.16.27/lib/ns/tests/query_test.c bind9-9.16.33/lib/ns/tests/query_test.c --- bind9-9.16.27/lib/ns/tests/query_test.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/tests/query_test.c 2022-09-08 13:01:23.000000000 +0000 @@ -418,8 +418,7 @@ test->id.description, test->id.lineno); break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } /* diff -Nru bind9-9.16.27/lib/ns/update.c bind9-9.16.33/lib/ns/update.c --- bind9-9.16.27/lib/ns/update.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/update.c 2022-09-08 13:01:23.000000000 +0000 @@ -314,7 +314,7 @@ /*% * Increment updated-related statistics counters. */ -static inline void +static void inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) { ns_stats_increment(client->sctx->nsstats, counter); 
@@ -1631,7 +1631,15 @@ result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone); if (result != ISC_R_SUCCESS) { - FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); + /* + * If we found a zone that is a parent of the update zonename, + * detach it so it isn't mentioned in log - it is irrelevant. + */ + if (zone != NULL) { + dns_zone_detach(&zone); + } + FAILN(DNS_R_NOTAUTH, zonename, + "not authoritative for update zone"); } /* @@ -1663,6 +1671,7 @@ CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone), "update forwarding", zonename, true, false)); + dns_message_clonebuffer(client->message); CHECK(send_forward_event(client, zone)); break; default: diff -Nru bind9-9.16.27/lib/ns/xfrout.c bind9-9.16.33/lib/ns/xfrout.c --- bind9-9.16.27/lib/ns/xfrout.c 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/lib/ns/xfrout.c 2022-09-08 13:01:23.000000000 +0000 @@ -108,7 +108,7 @@ /**************************************************************************/ -static inline void +static void inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) { ns_stats_increment(client->sctx->nsstats, counter); if (zone != NULL) { @@ -758,8 +758,7 @@ mnemonic = "IXFR"; break; default: - INSIST(0); - ISC_UNREACHABLE(); + UNREACHABLE(); } ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT, @@ -1047,7 +1046,7 @@ } if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) { xfrout_log1(client, question_name, question_class, - ISC_LOG_DEBUG(4), + ISC_LOG_INFO, "IXFR version not in journal, " "falling back to AXFR"); mnemonic = "AXFR-style IXFR"; @@ -1062,7 +1061,7 @@ data_stream->methods->destroy(&data_stream); data_stream = NULL; xfrout_log1(client, question_name, - question_class, ISC_LOG_DEBUG(4), + question_class, ISC_LOG_INFO, "IXFR delta size (%zu bytes) " "exceeds the maximum ratio to " "database size " 
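Review bot: The `dns_message_clonebuffer(client->message);` call added in the `@@ -1663` hunk has no comment, and nothing in the hunk says why the copy must happen before `send_forward_event()`. Presumably the forward completes after the receive buffer backing the message has been released, in which case this call is what keeps the message from reading freed memory. If so, that is worth a line such as `/* The forward outlives this request's receive buffer; give the message its own copy. */`. The `switch` arm sits inside a function that starts and ends outside the hunk.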
@@ -1172,7 +1171,7 @@ /* Start the timers */ if (xfr->maxtime > 0) { - xfrout_log(xfr, ISC_LOG_ERROR, + xfrout_log(xfr, ISC_LOG_DEBUG(1), "starting maxtime timer %" PRIu64 " ms", xfr->maxtime); isc_nm_timer_start(xfr->maxtime_timer, xfr->maxtime); diff -Nru bind9-9.16.27/srcid bind9-9.16.33/srcid --- bind9-9.16.27/srcid 2022-03-07 08:51:08.000000000 +0000 +++ bind9-9.16.33/srcid 2022-09-08 13:54:50.000000000 +0000 @@ -1 +1 @@ -SRCID=96094c5 +SRCID=35e9c6e diff -Nru bind9-9.16.27/version bind9-9.16.33/version --- bind9-9.16.27/version 2022-03-07 08:48:03.000000000 +0000 +++ bind9-9.16.33/version 2022-09-08 13:01:23.000000000 +0000 @@ -5,7 +5,7 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=16 -PATCHVER=27 +PATCHVER=33 RELEASETYPE= RELEASEVER= EXTENSIONS=