Commit Graph
12227 Commits
Author SHA1 Message Date
Colin Vidal b61e1a5bcf add DNSSEC EDE test for unsupported digest and alg
A DNSSEC validation can fail in the case where multiple DNSKEY are
available for a zone and none of them are supported, but for different
reasons: one has a DS record in the parent zone using an unsupported
digest while the other one uses an unsupported encryption algorithm.

Add a specific test case covering this flow and making sure that two
extended DNS error are provided: code 1 and 2, each of them highlighting
unsupported algorithm and digest.

(cherry picked from commit 244923b9dc)
2025-01-24 14:27:17 +01:00
Colin Vidal e133411451 tests for support for EDE 1 & 2
(cherry picked from commit 8b50d63fe1)
2025-01-24 14:27:17 +01:00
Michal Nowak d2c8694930 Rename have_* marks to with_*
Marks starting with "with" or "without" make more sense linguistically
than those starting with "have" or "have_not".

(cherry picked from commit df7e9f4ac3)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak e7a469133c Test cipher-suites after zone transfers complete
Ensure the zone transfers have completed (successfully or not) before
running the test cases, because they assume zone transfers have been
done.

(cherry picked from commit 23fb615963)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak 2eb5ce24fb Make servers fixture in pytest module-wide
The servers are setup and torn down once per each test module. All the
logs and server state persists between individual tests within the same
module. The servers fixture representing these servers should be
module-wide as well.

(cherry picked from commit a72ff9fd57)
2025-01-24 08:56:36 +00:00
Michal Nowak f3f7667fc7 Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().

(cherry picked from commit 100b759863)
2025-01-24 08:56:36 +00:00
Michal Nowak 9f356962ec Add isctest.query.tls() function
When explicitly set to True, the "verify" argument lets dnspython verify
certificates used for the connection. As most certificates in the system
test will inevitably be self-signed, the "verify" argument defaults to
False.

The "verify" argument is present in dnspython since the version 2.5.0.

(cherry picked from commit df8c419058)
2025-01-24 08:56:36 +00:00
Michal Nowak 1a4fb0550b Add "without_fips" mark
The "without_fips" mark disables test function when BIND 9 was built
with the FIPS mode enabled as not everything works in FIPS-enabled
builds.

(cherry picked from commit feecbd8e77)
2025-01-24 08:56:36 +00:00
Matthijs Mekking 9d6302b32c dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

(cherry picked from commit 5e3aef364f)
2025-01-23 14:04:03 +00:00
Matthijs Mekking cf73c9b1a9 Test dnssec-signzone with private key file missing
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

(cherry picked from commit 0a91321d78)
2025-01-23 14:04:03 +00:00
Matthijs Mekking e36f4b66a3 Clarify dnssec-signzone interval option
There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

(cherry picked from commit ae42fa69fa)
2025-01-23 12:08:11 +00:00
Matthijs Mekking 87518b618b Fix possible truncation in dns_keymgr_status()
If the generated status output exceeds 4096 it was silently truncated,
now we output that the status was truncated.

(cherry picked from commit 7ae7851173)
2025-01-23 09:40:39 +00:00
Mark Andrews 2225f96251 Check delv +yaml negative response output
(cherry picked from commit 9c04640def)
2025-01-22 23:58:49 +00:00
Matthijs Mekking 8c9d31edaf Revert "Test that the correct NSEC3 closest encloser is returned"
This reverts commit fd2f1bdf02.
2025-01-13 11:42:26 +01:00
Michał Kępień 1e9eab2b5d Fix default IANA root zone mirror configuration
Commit 4555a31934 renamed the top-level
"primaries" block in bin/named/config.c to "remote-servers".  This
configuration block lists the primary servers used for an IANA root zone
mirror when no primary servers are explicitly specified for it in the
configuration.  However, the relevant part of the named_zone_configure()
function only looks for a top-level "primaries" block and not for any of
its synonyms.  As a result, configuring an IANA root zone mirror with
just:

    zone "." {
        type mirror;
    };

now results in a cryptic fatal error on startup:

    loading configuration: not found
    exiting (due to fatal error)

Fix by using the correct top-level block name in named_zone_configure().

(cherry picked from commit 010d2eb436)
2025-01-09 12:25:33 +01:00
Mark AndrewsandMichal Nowak 40af61428e Adjust number of zones to those in FIPS mode
(cherry picked from commit 17804f5154)
2025-01-02 15:35:39 +00:00
Artem Boldariev 01076f9396 Dig - enable TLS SNI support
This commit ensures that dig enables TLS SNI support for outgoing
connections in order to improve compatibility with other DNS server
software.

(cherry picked from commit e04fb30ee6)
2024-12-26 18:31:20 +02:00
Artem Boldariev 4f8ade0e1e TLS SNI - add low level support for SNI to the networking code
This commit adds support for setting SNI hostnames in outgoing
connections over TLS.

Most of the changes are related to either adapting the code to accept
and extra argument in *connect() functions and a couple of changes to
the TLS Stream to actually make use of the new SNI hostname
information.

(cherry picked from commit 6691a1530d)
2024-12-26 18:31:03 +02:00
Michal Nowak c6c4f8ac92 Apply more SET_IF_NOT_NULL() changes
coccinelle v1.2 found more cases where the SET_IF_NOT_NULL macro
applies.

(cherry picked from commit 57b64dc397)
2024-12-13 13:50:05 +00:00
Matthijs Mekking aa744b5dd9 Add primaries, parental-agents as synonyms
Add back the top blocks 'parental-agents', 'primaries', and 'masters'
to the configuration. Do not document them as so many names for the
same clause is confusing.

This has a slight negative side effect that a top block 'primaries'
can be referred to with a zone statement 'parental-agents' for example,
but that shouldn't be a big issue.

(cherry picked from commit 1b2eadb197)
2024-12-13 11:23:03 +01:00
Matthijs Mekking 4555a31934 Unify parental-agents, primaries to remote-servers
Having zone statements that are also top blocks is confusing, and if
we want to add more in the future (which I suspect will be for
generalized notifications, multi-signer), we need to duplicate a lot
of code.

Remove top blocks 'parental-agents' and 'primaries' and just have one
top block 'remote-servers' that you can refer to with zone statements.

(cherry picked from commit b121f02eac)
2024-12-13 10:39:25 +01:00
Mark Andrews e8ef8eddb8 Fix startup notify rate test
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition.  Additionally 20 samples lead to test
failures.  Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 40.

(cherry picked from commit 46388d07a2)
2024-12-13 00:07:52 +00:00
Michal Nowak 1bff2cd49c Wait for "all zones loaded" after rndc reload in "database" test
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.

(cherry picked from commit 0bdd03db66)
2024-12-12 12:09:30 +00:00
Michal NowakandMark Andrews 945dbad5ed Add rr-related common test artifacts
(cherry picked from commit c607237b77)
2024-12-11 00:38:56 +00:00
Mark Andrews 4bc7d505e8 Use a different burst name to identify test queries
This allows easier identification of which burst is which in
named.run.

(cherry picked from commit e02d66b279)
2024-12-10 21:55:31 +00:00
Colin Vidal 32f5b69703 Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries
Add a none parameter to named configuration option `query-source` (respectively `query-source-v6`) which forbid usage of IPv4 (respectively IPv6) addresses when named is doing an upstream query.

Closes #4981 Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6.

Merge branch 'colin/querysource-none' into 'main'

See merge request isc-projects/bind9!9727

Backport of MR !9727

Some changes had to be done to the existing 9.20.x code in order to
make this backport compatible:

- first, the 9.20.x branches support the `port` parameter in
  query-source[-v6], where 9.21.x does not. The original changes
  depend on things that can't be backported because that would break
  `port` support.

- second, the changes remove the optional `address` parameter from the
  canonical form. So `query-source address <ip>` is now printed as
  `query-source <ip>`. This means that `named-checkconf -p` will now
  generate different output if users have `query-source address <ip>` or
  `query-source address <ip> port <port>`; it will now generate
  `query-source <ip>` or `query-source <ip> port <port>`. This is a
  non-breaking change, because the parser has been updated to support
  this form as well.
2024-12-10 11:58:20 +01:00
Matthijs Mekking 551d1dd67d Drop single-use RETERR macro
If the RETERR define is only used once in a file, just drop the macro.

(cherry picked from commit b6d031462f)
2024-12-10 08:47:25 +00:00
Mark Andrews 6177eb8c5b Fix static stub subtest description
(cherry picked from commit f173a01454)
2024-12-10 03:16:33 +00:00
Artem BoldarievandMichal Nowak 17dd30ec52 Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.

So, the files were regenerated on a FIPS compliant system using the
following stanza:

$ openssl dhparam -out <file> 3072

Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:

https://openssl-library.org/news/openssl-3.1-notes/
(cherry picked from commit 384c92880e)
2024-12-09 12:00:49 +00:00
Ondřej Surý 81d661ffc0 Revert "Attach dnssecsignstats, rcvquerystats, and requeststats"
This reverts commit fb50a71159.

(cherry picked from commit 7a99d1baf8)
2024-12-08 12:03:12 +01:00
Evan Hunt f7d67710e2 preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.

in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.

(cherry picked from commit f3af8a7dc3)
2024-12-06 18:19:54 -08:00
Matthijs Mekking cc004b2b8f Add test case for nsupdate hangs on large update
This test case hangs, despite the update being performed on the
name server.

(cherry picked from commit 3adabb4f89)
2024-12-06 08:31:19 +00:00
Michal Nowak dffcf1226c Use os.getenv() instead of os.environ
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.

(cherry picked from commit 1a5683b638)
2024-12-06 07:06:31 +00:00
Michal Nowak 85176a62ca Fix skipif decorators' conditions
The ECDSA256 and ECDSA384 check conditions were switched.

(cherry picked from commit 2a7b8d9795)
2024-12-06 07:06:31 +00:00
Matthijs MekkingandMark Andrews dd098a4b3b Change default max-recursion-queries to 50
Changing the default for max-recursion-queries from 100 to 32 was too
strict in some cases, especially lookups in reverse IPv6 trees started
to fail more frequently. From issue #4921 it looks like 50 is a better
default.

Now that we have 'max-query-count' as a global limit of outgoing queries
per client request, we can increase the default for
'max-recursion-queries' again, as the number of recursive queries is
no longer bound by the multiple of 'max-recursion-queries' and
'max-query-restarts'.

(cherry picked from commit 84df920d9e)
2024-12-06 06:20:33 +00:00
Matthijs MekkingandMark Andrews 1d7ddb5ec4 Add a CAMP test case
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.

(cherry picked from commit 73eafaba14)
2024-12-06 06:20:33 +00:00
Matthijs MekkingandMark Andrews 63e5f295fb Add +maxtotalqueries option to delv
The max-query-count value can now be set on the command line in delv
with +maxtotalqueries.

(cherry picked from commit 74f845d62f)
2024-12-06 06:20:33 +00:00
Matthijs MekkingandMark Andrews 492f79560d Implement global limit for outgoing queries
This global limit is not reset on query restarts and is a hard limit
for any client request.

(cherry picked from commit 16b3bd1cc7)
2024-12-06 06:20:33 +00:00
Matthijs MekkingandMark Andrews c233bb9de0 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.

(cherry picked from commit bbc16cc8e6)
2024-12-06 06:20:33 +00:00
Mark Andrews bcf3f8b44d Attach dnssecsignstats, rcvquerystats, and requeststats
In dns_zone_getdnssecsignstats, dns_zone_getrcvquerystats and
dns_zone_getrequeststats attach to the statistics structure.

(cherry picked from commit fb50a71159)
2024-12-06 16:45:52 +11:00
Petr MenšíkandMark Andrews 5a1c39b1b7 Finalize removal of memory debug flags size and mctx
Commit 4b3d0c6600 has removed them, but
did not remove few traces in documentation and help. Remove them from
remaining places.

(cherry picked from commit 65b9eeb39a)
2024-12-06 03:13:14 +00:00
Mark Andrews 3eea26ba37 Check dnssec-signzone behaviour with revoked keys
Only DNSKEY records should be signed with a revoked key.

(cherry picked from commit 30ef6dde05)
2024-12-06 01:00:08 +00:00
Mark Andrews db19675ee9 Do not sign non DNSKEY RRset with revoked keys
It does not make sense to sign RRsets other than DNSKEY with revoked
keys.

(cherry picked from commit 23775c6006)
2024-12-06 01:00:08 +00:00
Michal Nowak e8d6be9c38 Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.

(cherry picked from commit e7d973bd00)
2024-12-05 10:08:34 +00:00
Colin Vidal c586d9a658 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.

(cherry picked from commit d13e94b930)

Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)
2024-12-05 10:30:28 +01:00
Michal Nowak 211a0eafa9 Rewrite ecdsa system test to pytest
(cherry picked from commit 292e919156)
2024-12-05 07:46:17 +00:00
Ondřej Surý de7312ae5f Remove dns_badcache usage in the resolver (lame-ttl)
The lame-ttl processing was overriden to be disabled in the config,
but the code related to the lame-ttl was still kept in the resolver
code.  More importantly, the DNS_RESOLVER_BADCACHETTL() macro would
cause the entries in the resolver badcache to be always cached for at
least 30 seconds even if the lame-ttl would be set to 0.

Remove the dns_badcache code from the dns_resolver unit, so we save some
processing time and memory in the resolver code.

(cherry picked from commit b61739836d)
2024-11-27 17:07:03 +00:00
Ondřej Surý 6c3f1f09b2 Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.

(cherry picked from commit 2cb5a6210f)
2024-11-27 17:07:03 +00:00
Aram Sargsyan bebdabc06c Fix the nslookup system test
The nslookup system test checks the count of resolved addresses in
the CNAME tests using a 'grep' match on the hostname, and ignoring
lines containing the 'canonical name' string. In order to protect
the check from intermittent failures like the 'address in use' warning
message, which then automatically resolves after a retry, edit the
'grep' matching string to also ignore the comments (as the mentioned
warning message is a comment which contains the hostname).

(cherry picked from commit 345b0f9e5c)
2024-11-27 13:35:25 +00:00
Aram Sargsyan 61d49b0731 Test trying of the next primary server
Add test cases which check that when a XoT primary server is
unreachable or is already marked as unreachble then the next
primary server in the list is used.

(cherry picked from commit 12225d125b)
2024-11-27 11:49:02 +00:00