feat: update bind9 to 1:9.20.21-1~deb13u1

CONTRIBUTING.md

@@ -18,6 +18,7 @@ information regarding copyright ownership.
 1. [Access to source code](#access)
 1. [Reporting bugs](#bugs)
 1. [Contributing code](#contrib)
+1. [Generated code](#generated-code)
 
 ### Introduction
 
@@ -188,6 +189,101 @@ automated testing and cannot merge new code without adequate test coverage.
 Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
 for more information.
 
+### <a name="generated-code"></a>Guidelines for Tool-Generated Content
+
+#### Purpose
+
+BIND 9 contributors have long used tooling to assist in development.
+These tools can increase the volume and velocity of contributions.  At
+the same time, reviewer and maintainer bandwidth is a scarce resource,
+and the stability of DNS software is critical infrastructure.
+Understanding which portions of a contribution come from humans versus
+tools is helpful to maintain those resources, assess risk, and keep
+BIND 9 development healthy.
+
+The goal here is to clarify community expectations around tools,
+particularly LLMs (Large Language Models) and generative AI.  This
+lets everyone become more productive while maintaining high degrees of
+trust between submitters and reviewers.
+
+#### Out of Scope
+
+These guidelines do not apply to tools that make trivial tweaks to
+preexisting content or verify adherence to style guides.  Nor do they
+pertain to AI tooling that helps with menial tasks.  Some examples:
+
+ - Spelling and grammar fix-ups, like rephrasing documentation to the
+   imperative voice.
+ - Typing aids like IDE identifier completion, common boilerplate, or
+   trivial pattern completion.
+ - Purely mechanical transformations like variable renaming across a
+   scope.
+ - Reformatting using the standard BIND 9 clang-format configuration
+   or black (for Python system tests).
+
+Even if your tool use is out of scope, you should still always
+consider if it would assist the review of your contribution if the
+reviewer knows about the tool that you used.
+
+#### In Scope
+
+These guidelines apply when a meaningful amount of content in a BIND 9
+contribution (code, documentation, or tests) was not written by a
+person contributing the patch or merge request, but was instead
+created by a tool.
+
+Detection of a problem and testing the fix for it is also part of the
+development process; if a tool was used to find a problem addressed by
+a change (e.g., a fuzzer or static analyzer), that should be noted in
+the commit message or MR description.  This not only gives credit where
+it is due, it also helps fellow developers find out about these tools.
+
+Some examples:
+
+ - Complex semantic patches generated by Coccinelle scripts.
+ - A chatbot or AI assistant generated a new function in your Merge
+   Request to handle a specific DNS RR type.
+ - A .c file or system test in the MR was originally generated by a
+   coding assistant but cleaned up by hand.
+ - The commit message or MR description was generated by handing the
+   diff to a generative AI tool.
+ - Documentation or comments were translated from another language
+   using an automated tool.
+
+If in doubt, choose transparency and assume these guidelines apply to
+your contribution.
+
+#### Guidelines
+
+You are responsible for the code you submit, regardless of how it was generated.
+When opening a Merge Request, be transparent about the origin of content in the
+MR description and commit messages.  You can be more transparent by adding
+information like this:
+
+ - What tools were used?
+ - The input to the tools you used, like the Coccinelle source script
+   or specific configuration.
+ - If code was largely generated from a single or short set of
+   prompts, include those prompts.  For longer sessions, include a
+   summary of the prompts and the nature of the resulting assistance.
+ - Which portions of the content were affected by that tool?
+ - How is the submission tested? (e.g., "I used tool X to generate a
+   system test case that triggers the bug.")
+
+As with all contributions, BIND 9 maintainers have discretion to
+choose how they handle the contribution.  For example, they might:
+
+ - Treat it just like any other contribution.
+ - Reject it outright if the provenance is unclear or the code quality
+   is low.
+ - Treat the contribution specially, such as reviewing with extra
+   scrutiny regarding memory safety or RFC compliance.
+ - Suggest a better prompt or approach instead of suggesting specific
+   code changes.
+ - Ask the submitter to explain in more detail about the contribution
+   to ensure the submitter fully understands the DNS logic or internal
+   BIND 9 architecture implemented by the tool.
+
 #### Thanks
 
 Thank you for your interest in contributing to the ongoing development

ChangeLog

@@ -18,6 +18,9 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.20.21.rst
+.. include:: ../changelog/changelog-9.20.20.rst
+.. include:: ../changelog/changelog-9.20.19.rst
 .. include:: ../changelog/changelog-9.20.18.rst
 .. include:: ../changelog/changelog-9.20.17.rst
 .. include:: ../changelog/changelog-9.20.16.rst

NEWS

@@ -18,6 +18,9 @@ Changelog
    development. Regular users should refer to :ref:`Release Notes <relnotes>`
    for changes relevant to them.
 
+.. include:: ../changelog/changelog-9.20.21.rst
+.. include:: ../changelog/changelog-9.20.20.rst
+.. include:: ../changelog/changelog-9.20.19.rst
 .. include:: ../changelog/changelog-9.20.18.rst
 .. include:: ../changelog/changelog-9.20.17.rst
 .. include:: ../changelog/changelog-9.20.16.rst

bin/delv/delv.c

@@ -1820,7 +1820,7 @@ append_str(const char *text, int len, char **p, char *end) {
 
 static isc_result_t
 reverse_octets(const char *in, char **p, char *end) {
-	char *dot = strchr(in, '.');
+	const char *dot = strchr(in, '.');
 	int len;
 	if (dot != NULL) {
 		isc_result_t result;

bin/dig/dig.rst

@@ -227,7 +227,7 @@ the string ``no`` to negate the meaning of that keyword. Other keywords
 assign values to options, like the timeout interval. They have the form
 ``+keyword=value``. Keywords may be abbreviated, provided the
 abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
-:option:`+cdflag`. The query options are:
+:option:`+cdflag`. Query options are order sensitive. The query options are:
 
 .. option:: +aaflag, +noaaflag
 
@@ -812,6 +812,29 @@ Files
 
 ``${HOME}/.digrc``
 
+Examples
+~~~~~~~~
+
+Only display the IP address(es) for example.com::
+
+   dig +short example.com
+
+Query the nameserver f.gtld-servers.net for example.com::
+
+   dig @f.gtld-servers.net example.com
+
+Look up the TXT record for example.com::
+
+   dig txt example.com
+
+Look up the hostname for an IP with reverse DNS::
+
+   dig -x 192.0.2.1
+
+Display a much shorter output with just the name, record type, TTL, and value for each answer::
+
+   dig +noall +answer example.com
+
 See Also
 ~~~~~~~~
 

bin/dnssec/dnssec-ksr.c

@@ -1211,7 +1211,6 @@ sign(ksr_ctx_t *ksr) {
 		}
 
 		if (strcmp(STR(token), ";;") == 0) {
-			char bundle[KSR_LINESIZE];
 			isc_stdtime_t next_inception;
 
 			CHECK(isc_lex_gettoken(lex, opt, &token));
@@ -1245,9 +1244,8 @@ sign(ksr_ctx_t *ksr) {
 			}
 
 			/* Date and time of bundle */
-			sscanf(STR(token), "%s", bundle);
-			next_inception = strtotime(bundle, ksr->now, ksr->now,
-						   NULL);
+			next_inception = strtotime(STR(token), ksr->now,
+						   ksr->now, NULL);
 
 			if (have_bundle) {
 				/* Sign previous bundle */

bin/named/main.c

@@ -120,6 +120,9 @@ extern unsigned int dns_zone_mkey_hour;
 extern unsigned int dns_zone_mkey_day;
 extern unsigned int dns_zone_mkey_month;
 
+extern unsigned int dns_adb_entrywindow;
+extern unsigned int dns_adb_cachemin;
+
 static bool want_stats = false;
 static char program_name[NAME_MAX] = "named";
 static char absolute_conffile[PATH_MAX];
@@ -802,6 +805,10 @@ parse_T_opt(char *option) {
 		transferstuck = true;
 	} else if (!strncmp(option, "tat=", 4)) {
 		named_g_tat_interval = atoi(option + 4);
+	} else if (!strncmp(option, "adbentrywindow=", 15)) {
+		dns_adb_entrywindow = atoi(option + 15);
+	} else if (!strncmp(option, "adbcachemin=", 12)) {
+		dns_adb_cachemin = atoi(option + 12);
 	} else {
 		fprintf(stderr, "unknown -T flag '%s'\n", option);
 	}

bin/named/server.c

@@ -24,6 +24,8 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#include <dns/acl.h>
+
 #ifdef HAVE_DNSTAP
 #include <fstrm.h>
 #endif
@@ -280,10 +282,10 @@ struct zonelistentry {
  * asynchronously.
  */
 typedef struct matching_view_ctx {
-	isc_netaddr_t *srcaddr;
-	isc_netaddr_t *destaddr;
+	isc_netaddr_t srcaddr;
+	isc_netaddr_t destaddr;
 	dns_message_t *message;
-	dns_aclenv_t *env;
+	dns_aclenv_t *aclenv;
 	ns_server_t *sctx;
 	isc_loop_t *loop;
 	isc_job_cb cb;
@@ -8419,7 +8421,7 @@ load_configuration(const char *filename, named_server_t *server,
 	dns_view_t *view_next = NULL;
 	dns_viewlist_t tmpviewlist;
 	dns_viewlist_t viewlist, builtin_viewlist;
-	in_port_t listen_port, udpport_low, udpport_high;
+	in_port_t listen_port, port_low, port_high;
 	int i, backlog;
 	isc_interval_t interval;
 	isc_logconfig_t *logc = NULL;
@@ -8849,28 +8851,18 @@ load_configuration(const char *filename, named_server_t *server,
 	if (usev4ports != NULL) {
 		portset_fromconf(v4portset, usev4ports, true);
 	} else {
-		result = isc_net_getudpportrange(AF_INET, &udpport_low,
-						 &udpport_high);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "get the default UDP/IPv4 port range: %s",
-				      isc_result_totext(result));
-			goto cleanup_v6portset;
-		}
-
-		if (udpport_low == udpport_high) {
-			isc_portset_add(v4portset, udpport_low);
+		isc_net_getportrange(AF_INET, &port_low, &port_high);
+		if (port_low == port_high) {
+			isc_portset_add(v4portset, port_low);
 		} else {
-			isc_portset_addrange(v4portset, udpport_low,
-					     udpport_high);
+			isc_portset_addrange(v4portset, port_low, port_high);
 		}
 		if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
 			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
 				      "using default UDP/IPv4 port range: "
 				      "[%d, %d]",
-				      udpport_low, udpport_high);
+				      port_low, port_high);
 		}
 	}
 	(void)named_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
@@ -8882,27 +8874,18 @@ load_configuration(const char *filename, named_server_t *server,
 	if (usev6ports != NULL) {
 		portset_fromconf(v6portset, usev6ports, true);
 	} else {
-		result = isc_net_getudpportrange(AF_INET6, &udpport_low,
-						 &udpport_high);
-		if (result != ISC_R_SUCCESS) {
-			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
-				      NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
-				      "get the default UDP/IPv6 port range: %s",
-				      isc_result_totext(result));
-			goto cleanup_v6portset;
-		}
-		if (udpport_low == udpport_high) {
-			isc_portset_add(v6portset, udpport_low);
+		isc_net_getportrange(AF_INET6, &port_low, &port_high);
+		if (port_low == port_high) {
+			isc_portset_add(v6portset, port_low);
 		} else {
-			isc_portset_addrange(v6portset, udpport_low,
-					     udpport_high);
+			isc_portset_addrange(v6portset, port_low, port_high);
 		}
 		if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
 			isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
 				      NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
 				      "using default UDP/IPv6 port range: "
 				      "[%d, %d]",
-				      udpport_low, udpport_high);
+				      port_low, port_high);
 		}
 	}
 	(void)named_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
@@ -10375,6 +10358,8 @@ get_matching_view_done(void *cbarg) {
 
 	mvctx->cb(mvctx->cbarg);
 
+	dns_aclenv_detach(&mvctx->aclenv);
+
 	if (mvctx->quota_result == ISC_R_SUCCESS) {
 		isc_quota_release(&mvctx->sctx->sig0checksquota);
 	}
@@ -10416,10 +10401,10 @@ get_matching_view_continue(void *cbarg, isc_result_t result) {
 		tsig = dns_tsigkey_identity(mvctx->message->tsigkey);
 	}
 
-	if (dns_acl_allowed(mvctx->srcaddr, tsig, mvctx->view->matchclients,
-			    mvctx->env) &&
-	    dns_acl_allowed(mvctx->destaddr, tsig,
-			    mvctx->view->matchdestinations, mvctx->env) &&
+	if (dns_acl_allowed(&mvctx->srcaddr, tsig, mvctx->view->matchclients,
+			    mvctx->aclenv) &&
+	    dns_acl_allowed(&mvctx->destaddr, tsig,
+			    mvctx->view->matchdestinations, mvctx->aclenv) &&
 	    !(mvctx->view->matchrecursiveonly &&
 	      (mvctx->message->flags & DNS_MESSAGEFLAG_RD) == 0))
 	{
@@ -10491,9 +10476,9 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
 
 	matching_view_ctx_t *mvctx = isc_mem_get(message->mctx, sizeof(*mvctx));
 	*mvctx = (matching_view_ctx_t){
-		.srcaddr = srcaddr,
-		.destaddr = destaddr,
-		.env = env,
+		.srcaddr = *srcaddr,
+		.destaddr = *destaddr,
+		.aclenv = dns_aclenv_ref(env),
 		.cb = cb,
 		.cbarg = cbarg,
 		.sigresult = sigresult,

bin/named/statschannel.c

@@ -58,11 +58,11 @@
 
 #define STATS_XML_VERSION_MAJOR "3"
 #define STATS_XML_VERSION_MINOR "14"
-#define STATS_XML_VERSION	STATS_XML_VERSION_MAJOR "." STATS_XML_VERSION_MINOR
+#define STATS_XML_VERSION STATS_XML_VERSION_MAJOR "." STATS_XML_VERSION_MINOR
 
 #define STATS_JSON_VERSION_MAJOR "1"
 #define STATS_JSON_VERSION_MINOR "8"
-#define STATS_JSON_VERSION	 STATS_JSON_VERSION_MAJOR "." STATS_JSON_VERSION_MINOR
+#define STATS_JSON_VERSION STATS_JSON_VERSION_MAJOR "." STATS_JSON_VERSION_MINOR
 
 struct named_statschannel {
 	/* Unlocked */

bin/nsupdate/nsupdate.c

@@ -771,14 +771,12 @@ set_source_ports(dns_dispatchmgr_t *manager) {
 
 	result = isc_portset_create(gmctx, &v4portset);
 	check_result(result, "isc_portset_create (v4)");
-	result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
-	check_result(result, "isc_net_getudpportrange (v4)");
+	isc_net_getportrange(AF_INET, &udpport_low, &udpport_high);
 	isc_portset_addrange(v4portset, udpport_low, udpport_high);
 
 	result = isc_portset_create(gmctx, &v6portset);
 	check_result(result, "isc_portset_create (v6)");
-	result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
-	check_result(result, "isc_net_getudpportrange (v6)");
+	isc_net_getportrange(AF_INET6, &udpport_low, &udpport_high);
 	isc_portset_addrange(v6portset, udpport_low, udpport_high);
 
 	result = dns_dispatchmgr_setavailports(manager, v4portset, v6portset);

bin/rndc/rndc.c

@@ -114,6 +114,10 @@ command is one of the following:\n\
   dnssec -status zone [class [view]]\n\
 		Show the DNSSEC signing state for the specified zone.\n\
 		Requires the zone to have a dnssec-policy.\n\
+  dnssec -step zone [class [view]]\n\
+		Run the key manager for a zone configured with a\n\
+		dnssec-policy in manual mode, executing the operations that\n\
+		had previously been blocked (if any).\n\
   dnstap -reopen\n\
 		Close, truncate and re-open the DNSTAP output file.\n\
   dnstap -roll [count]\n\