Commit Graph
12145 Commits
Author SHA1 Message Date
Mark Andrews 08f12c70e6 swap ns2 and ns3 rolls in tls notify tests
Still need to regenerate the expired certificate as it has
the wrong IP address

(cherry picked from commit 87e287c984)
2024-10-24 03:11:50 +00:00
Timo EisenmannandMark Andrews 1b59467e82 Add system tests for notify over TLS
We use ns2 as the primary, and ns3 as the secondary server.

(cherry picked from commit e00beca8c5)
2024-10-24 03:11:50 +00:00
Nicki Křížek 2cdb8c90d1 Use UTC timezone when handling keys in kasp test library
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.

(cherry picked from commit f840deba33)
2024-10-22 10:51:53 +02:00
Nicki Křížek fb9a87e8c5 Disable too-many/too-few pylint checks
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.

(cherry picked from commit 7639c58c48)
2024-10-22 09:14:06 +02:00
Matthijs Mekking b46ddad5df Retry dnssec-verify in kasp test code
It is possible that the zone is not yet fully signed because it is
signed in batches. Retry the AXFR and verify command a couple of times.

(cherry picked from commit b8b3df0676)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking f1fc2e1db4 Address pylint issues
(cherry picked from commit 3c6124a093)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking fafb75ff8e Use difflib rather than diff cmd
(cherry picked from commit b7207fa3e7)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 36ab7489f7 Move algorithm defaults to check_keys()
(cherry picked from commit c9ecd2a618)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking ba2fe0a830 Use f-strings
(cherry picked from commit 55ec9f94bc)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 3cffc34551 Simplify command invocation
(cherry picked from commit 732a959d9a)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 00ec96e6e6 Remove unused isctest/kasp code
(cherry picked from commit b5633462bf)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking e806d8c6f5 Rename kasp function to check_*
If a function is expected to assert / raise on failure (rather than
return boolean), its name should start with "check_".

(cherry picked from commit 67957d1f54)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking f5adeb6800 Use convenience wrappers for kasp key operations
(cherry picked from commit 2b0a8fcfb5)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 288dce213a Convert ksr system test to pytest
Move all test cases from tests.sh to tests_ksr.py. The only test that
is not moved is the check that key id's match expected keys. The
shell-based system test checks two earlier set environment variables
against each other that has become redundant in the pytest variant,
because we now check the signed key response against a list of keys
and for each key we take into account the timing metadata. So we
already ensure that each published key is in the correct key bundle.

(cherry picked from commit a15bf6704b)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 5d0144d006 Introduce pytest kasp library
Write initial pytest kasp library. This contains everything that is
required for testing Offline KSK functionality with pytest.

This includes:
- addtime: adding a value to a timing metadata
- get_timing_metdata: retrieve timing metadata from keyfile
- get_metadata/get_keystate: retrieve metadata from statefile
- get_keytag: retrieve keytag from base keyfile string
- get_keyrole: get key role from statefile
- dnskey_equals: compare DNSKEY record from file against a string
- cds_equals: compare CDS derived from file against a string
- zone_is_signed: wait until a zone is completely signed
- dnssec_verify: verify a DNSSEC signed zone with dnssec-verify
- check_dnssecstatus: check rndc dnssec -status output
- check_signatures: check that signatures for a given RRset are correct
- check_dnskeys: check that the published DNSKEY RRset is correct
- check_cds: check that the published CDS RRset is correct
- check_apex: check SOA, DNSKEY, CDNSKEY, and CDS RRset
- check_subdomain: check an RRset below the apex

(cherry picked from commit a3829990fd)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 761758b0b1 Change dnssec-ksr key sorting
Sort keys on algorithm, then keytag. This is more convenient for
testing.

(cherry picked from commit ea1fc5c47b)
2024-10-22 06:24:42 +00:00
Mark Andrews 7116dd327a Add regression test for [GL #4991]
(cherry picked from commit 5a78f6b21b)
2024-10-22 00:12:32 +00:00
Michal Nowak 771a09ea71 Rewrite verify system test to pytest
(cherry picked from commit 091968f5fa)
2024-10-21 12:01:01 +00:00
Michal Nowak f814095b1a xfail upforwd system test if DNSTAP is enabled
(cherry picked from commit 0579e0a429)
2024-10-21 12:58:19 +02:00
Michal Nowak 02ac58e8ea Add with_dnstap mark
(cherry picked from commit a8b70abca1)
2024-10-21 12:58:17 +02:00
Evan Hunt b5475c9cda corrected code style errors
- add missing brackets around one-line statements
- add paretheses around return values
2024-10-18 19:31:56 +00:00
Mark Andrews 0be99decb9 Correctly get final token
(cherry picked from commit df5b4ba894)
2024-10-18 02:10:33 +00:00
Mark Andrews b9a4b97367 Restore seperator values
strtok_r is destructive.  Restore the seperators so that the command
line can be properly displayed.

(cherry picked from commit 609d96aa12)
2024-10-18 02:10:33 +00:00
Mark Andrews 10a599d3e8 Add regression test for [GL #4987]
(cherry picked from commit 677abded6b)
2024-10-17 22:05:22 +00:00
Michal Nowak 369bbd9dad Remove unused sbytes, stime, n, response, and rtime variables
(cherry picked from commit 4857da271d)
2024-10-15 18:49:29 +00:00
Michal Nowak b5118a7e70 Rewrite tools system test to pytest
(cherry picked from commit 3f8e59330d)
2024-10-15 17:28:37 +00:00
Nicki Křížek 1dbeee61f8 Support dnspython 2.7.0
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.

(cherry picked from commit 0d90b13646)
2024-10-15 10:29:57 +00:00
Mark Andrews fd2f1bdf02 Test that the correct NSEC3 closest encloser is returned
(cherry picked from commit b457f64d4a)
2024-10-14 23:55:09 +00:00
Matthijs Mekking 25f39228e0 Test removing DNSKEYs from other providers
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously exists in the keyring, thus
blocking the keymgr. Add a test case to make sure.

(cherry picked from commit 5f552293d7)
2024-10-14 10:03:59 +02:00
Matthijs Mekking 80d5b3877a Add additional test case with purged key
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.

In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.

(cherry picked from commit a2317425bc)
2024-10-14 10:03:19 +02:00
Matthijs Mekking 24e8e4294a Fix some system test cases
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.

These are:

1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
   in the zone, but not yet its own keys. Pregenerate signing keys and
   add them to the unsigned zone as well.

2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
   and added in the raw version of the zone. But the key file is stored
   outside the key-directory for the given zone. Add '-K keys' to the
   dnssec-keygen command.

(cherry picked from commit d1e263ef13)
2024-10-14 10:03:12 +02:00
Matthijs Mekking 2494275a8e Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 10:03:00 +02:00
Matthijs Mekking 04ae34cff6 Add test for missing key files, don't roll
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.

(cherry picked from commit a3afbd9d6f)
2024-10-14 07:19:37 +00:00
Artem Boldariev 3585a004b9 dig: always set the default port when doing a UDP query
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.

(cherry picked from commit e390ed4421)
2024-10-10 22:13:55 +03:00
Matthijs Mekking d768dd1f5d Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436

(cherry picked from commit 0396bf98ee)
2024-10-10 09:29:52 +00:00
Aram Sargsyan ca966c396a Don't ignore the local port number in dns_dispatch_add() for TCP
The dns_dispatch_add() function registers the 'resp' entry in
'disp->mgr->qids' hash table with 'resp->port' being 0, but in
tcp_recv_success(), when looking up an entry in the hash table
after a successfully received data the port is used, so if the
local port was set (i.e. it was not 0) it fails to find the
entry and results in an unexpected error.

Set the 'resp->port' to the given local port value extracted from
'disp->local'.

(cherry picked from commit d49a8f518a)
2024-10-02 09:53:45 +00:00
Michal Nowak 8252f8cbc4 Replace dns.query module with isctest.query
(cherry picked from commit dfec69b4a2)
2024-10-01 12:06:40 +00:00
Michal Nowak b5bdc3ff30 Add isctest.check.notimp()
(cherry picked from commit a2d2d9c0d3)
2024-10-01 12:06:40 +00:00
Michal Nowak 8f5fcf6441 Report expected and last returned rcode on query timeout
Sometimes it's useful to see what was the server returning that did not
match the expected rcode.

(cherry picked from commit 4cb52f072e)
2024-10-01 12:06:40 +00:00
Mark Andrews 39afab41f0 Check responselog behaviour
Extends the resolver system test to to check whether responses are
logged to the query log in addition to the queries.

(cherry picked from commit 61415432ec)
2024-09-30 00:10:47 +00:00
Evan HuntandMark Andrews b9f4a1b029 Reduce code duplication
combined named_server_togglequerylog() and
named_server_toggleresponselog() into named_server_setortoggle().

(cherry picked from commit c4b7dce376)
2024-09-30 00:10:47 +00:00
Mark Andrews 3968813724 Log the rcode returned to for a query
Log to the querylog the rcode of a previous query using
the identifier 'response:' to diffenciate queries from
responses.

(cherry picked from commit 5fad79c92f)
2024-09-30 00:10:47 +00:00
Mark Andrews 00287db8ed Add examples of WALLET records
(cherry picked from commit 9b358e6e8b)
2024-09-25 12:07:52 +00:00
Mark Andrews c6045acc41 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:52 +00:00
Aram Sargsyan cc038054e1 Test 'rndc dumpdb' with an unwritable dump-file
Check that with a preexisting dump file without a write permission
no actual dump happens, and rndc returns an error result.

Also add a couple of missing entries in the cleaning script.

(cherry picked from commit 63bddd7192)
2024-09-25 09:11:49 +00:00
Aram Sargsyan 782a570052 Do not ignore named_server_dumpdb() result code
The named_server_dumpdb() function, which is called when a 'rndc dumpdb'
command is issued, returns a 'isc_result_t' result code and it has been
always ignored since its introduction in
eb8713ed94, where it was still called
ns_server_dumpdb(). The orignal reasoning is not preserved, but it could
have been also a simple copy-paste mistake, as there are commands, which
return 'void' and require manually setting 'result = ISC_R_SUCCESS;', as
it was done here. Anyway, named will now return the actual result, and
'rndc' will report an error, when the 'dumpdb' command fails.

(cherry picked from commit 8b866ba8a0)
2024-09-25 09:11:49 +00:00
Mark Andrews 2952f8339d Check read value in upforwd/ans4
The ans4 server wasn't shutting down cleanly sometimes.  Check that
read returns the expected value for the message length or exit read
loop.

(cherry picked from commit 21baad0a8f)
2024-09-24 07:29:29 +00:00
Michal Nowak e7dd232320 Print correct udp/tcp function name in generic_query()
(cherry picked from commit 1c637e96d1)
2024-09-23 15:40:40 +00:00
Michal Nowak 69b116b788 Downgrade "timeout" and "attempts" arguments in shutdown
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.

(cherry picked from commit 463ab2f3f5)
2024-09-23 15:40:39 +00:00
Aram Sargsyan 80dad234ba Add a statistics channel check in the forward system test
Check that the fix in the previous commit works and that the
'ServerQuota' counter in the statistics channel is still unset
after a SERVFAIL result in a 'forward only' zone.

(cherry picked from commit 81b3c5d908)
2024-09-16 09:31:38 +00:00