Commit Graph

8320 Commits

Author SHA1 Message Date
Michał Kępień
12bedaef75 Do not spam console if "git status --ignored" fails during tests
The "git status" command in Git versions before 1.7.2 does not support
the "--ignored" option.  Prevent spamming the console when running
system tests from a Git repository on a host with an ancient Git version
installed.

(cherry picked from commit 2be97feb46)
2018-07-13 12:15:36 +02:00
Michał Kępień
e0dbc27c0d Remove IDN subtest from the "digdelv" system test
The output of certain "dig +idnout" invocations may be locale-dependent.
Remove the "dig +idnout" subtest from the "digdelv" system test as IDN
support is already thoroughly tested by the "idna" system test.

(cherry picked from commit fd30a03f2b)
2018-07-13 12:15:36 +02:00
Michał Kępień
4fdee34a0b Improve error handling in idn_ace_to_locale()
While idn2_to_unicode_8zlz() takes a 'flags' argument, it is ignored and
thus cannot be used to perform IDN checks on the output string.

The bug in libidn2 versions before 2.0.5 was not that a call to
idn2_to_unicode_8zlz() with certain flags set did not cause IDN checks
to be performed.  The bug was that idn2_to_unicode_8zlz() did not check
whether a conversion can be performed between UTF-8 and the current
locale's character encoding.  In other words, with libidn2 version
2.0.5+, if the current locale's character encoding is ASCII, then
idn2_to_unicode_8zlz() will fail when it is passed any Punycode string
which decodes to a non-ASCII string, even if it is a valid IDNA2008
name.

Rework idn_ace_to_locale() so that invalid IDNA2008 names are properly
and consistently detected for all libidn2 versions and locales.

Update the "idna" system test accordingly.  Add checks for processing a
server response containing Punycode which decodes to an invalid IDNA2008
name.  Fix invalid subtest description.

(cherry picked from commit 7fe0f00a3b)
2018-07-13 12:15:03 +02:00
Michał Kępień
a996e26b8b Include conf.sh from all prereq.sh scripts
Every prereq.sh script must include bin/tests/system/conf.sh, otherwise
if some prerequisite is not met, errors about echo_i not being found
will be printed instead of actual error messages.

(cherry picked from commit cc0e8cda71)
2018-07-13 08:24:55 +02:00
Ondřej Surý
d4baf8b117 Add .gitignore for PKCS#11 test files
(cherry picked from commit 96907d636d)
2018-07-12 12:18:33 -04:00
Mark Andrews
41a632bae1 add test for bad dig option '+ednsopt=:' being handled gracefully
(cherry picked from commit ad86878d61)
(cherry picked from commit 9f126bac32)
2018-07-11 12:12:32 -07:00
Bill Parker
d7d3383573 check code is non NULL
(cherry picked from commit 408bcf9c07)
(cherry picked from commit 62d047658a)
2018-07-11 12:11:46 -07:00
Mukund Sivaraman
a829bb3f1b Add system tests for "tcp-self" update-policy
(cherry picked from commit a7e6a584ea)
2018-07-11 11:13:24 -07:00
Michał Kępień
d4a6cb321b Send upstream TAT queries for locally served zones
Trying to resolve a trust anchor telemetry query for a locally served
zone does not cause upstream queries to be sent as the response is
determined just by consulting local data.  Work around this issue by
calling dns_view_findzonecut() first in order to determine the NS RRset
for a given domain name and then passing the zone cut found to
dns_resolver_createfetch().

Note that this change only applies to TAT queries generated by the
resolver itself, not to ones received from downstream resolvers.

(cherry picked from commit 873c091408)
2018-07-11 09:14:11 +02:00
Michał Kępień
4fdd248f53 Extract TAT QNAME preparation to a separate function
Extract the part of dotat() reponsible for preparing the QNAME for a TAT
query to a separate function in order to limit the number of local
variables used by each function and improve code readability.

Rename 'name' to 'origin' to better convey the purpose of that variable.

(cherry picked from commit 2e7dd0d61f)
2018-07-11 09:14:09 +02:00
Mark Andrews
40cfb519f6 use extracted netaddr rather than client->destaddr
(cherry picked from commit 69fd3f5ba4)
2018-07-10 18:29:30 -07:00
Mark Andrews
b2ccc58206 fix category trust-anchor-telemetry spelling 2018-07-10 18:11:02 -07:00
Bill Parker
48aa0659f7 check param_template[i].pValue is non NULL
(cherry picked from commit 8ac0152651)
2018-07-10 14:39:30 -07:00
Michał Kępień
740b3a9118 Fix a Net::DNS version quirk in the "resolver" system test
Net::DNS versions older than 0.68 insert a ./ANY RR into the QUESTION
section if the latter is empty.  Since the latest Net::DNS version
available with stock RHEL/CentOS 6 packages is 0.65 and we officially
support that operating system, bin/tests/system/resolver/ans8/ans.pl
should behave consistently for various Net::DNS versions.  Ensure that
by making handleUDP() return the query ID and flags generated by
Net::DNS with 8 zero bytes appended.

(cherry picked from commit 6c3c6aea37)
2018-07-10 15:08:05 +02:00
Mark Andrews
6fbbe4ef7e free rbuf
(cherry picked from commit ecb2f20324)
2018-07-10 14:38:05 +10:00
Tinderbox User
3bbd725a2c prep 9.11.4rc2 2018-06-28 05:07:42 +00:00
Mukund Sivaraman
49cd7552be return FORMERR when question section is empty if COOKIE is not present
(cherry picked from commit 06d3106002)
(cherry picked from commit ed29b84e16)
2018-06-26 14:44:18 -07:00
Mark Andrews
c45fb6d92a CHANGES, copyright
(cherry picked from commit f7d346357e)
2018-06-26 10:55:44 -07:00
Mark Andrews
316eebb699 construct a symtab of valid in-view targets then check that the target exists
(cherry picked from commit e01a4bcb20)
2018-06-26 10:53:59 -07:00
Michał Kępień
4b0129f34b Only request permitted capabilities in non-libcap builds
While libcap-enabled builds check whether any capability named requests
is within the permitted capability set, non-libcap builds just try
requesting them, which potentially causes a misleading error message to
be output ("Operation not permitted: please ensure that the capset
kernel module is loaded").  Ensure non-libcap builds also check whether
any requested capability is within the permitted capability set.

(cherry picked from commit 8c66f32e53)
2018-06-26 13:19:58 +02:00
Mark Andrews
ffc58bede6 log the remaining -V info at startup 2018-06-25 15:18:18 -07:00
Mark Andrews
d3982afe5c the client cookie was being hashed twice when computing the server cookie for sha1 and sha256
(cherry picked from commit 4795f0ca89)
2018-06-22 17:45:32 +10:00
Evan Hunt
a1690b24bc prepare 9.11.4rc1 2018-06-21 18:54:43 +02:00
Evan Hunt
b330bcb8a1 add a regression test for default allow-recursion settings 2018-06-14 14:47:11 +02:00
Evan Hunt
3d71785ef1 allow-recursion could incorrectly inherit from the default allow-query 2018-06-14 14:47:11 +02:00
Mark Andrews
0c3ddaafb5 Pull out the saving of the zone cut into a separate function
(cherry picked from commit 899e56068e)
2018-06-13 12:58:57 +02:00
Michał Kępień
6d8a514ecb Treat records below a DNAME as out-of-zone data
DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains.  Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records.  Check that DNAME-obscured
records are not signed.

(cherry picked from commit ff7015a0f8)
2018-06-13 12:58:27 +02:00
Michał Kępień
da430b5f36 Add helper variables in mkeys system test
The keyfile and key ID for the original managed key do not change
throughout the mkeys system test.  Keep them in helper variables to
prevent calling "cat" multiple times and improve code readability.

(cherry picked from commit 2cad382552)
2018-06-13 08:08:25 +02:00
Michał Kępień
a23e9821d6 Replace duplicated code snippet with calls to helper functions
Reduce code duplication by replacing a code snippet repeated throughout
system tests using "trusted-keys" and/or "managed-keys" configuration
sections with calls to keyfile_to_{managed,trusted}_keys() helper
functions.

(cherry picked from commit dce66f7635)
2018-06-13 08:08:25 +02:00
Michał Kępień
36d6a6cc76 Add helper functions for converting keyfile data into configuration sections
Add a set of helper functions for system test scripts which enable
converting key data from a set of keyfiles to either a "trusted-keys"
section or a "managed-keys" section suitable for including in a
resolver's configuration file.

(cherry picked from commit 21d3658bcb)
2018-06-13 08:08:25 +02:00
Evan Hunt
5bf319c107 complete strtok fix
(cherry picked from commit 74c3b9d3b2)
2018-06-09 23:04:18 -07:00
Evan Hunt
2960bf1a9f use strtok() instead of strtok_r() in command line processing
(cherry picked from commit 1734f1b3b9)
2018-06-09 22:36:46 -07:00
Evan Hunt
7a00ce2e77 ensure we try to validate glue records so RRSIG TTLs will be capped 2018-06-08 11:41:48 -07:00
Mukund Sivaraman
db12b1a9f9 Add system test
(cherry picked from commit a5933fa2bb)
2018-06-08 17:29:45 +10:00
Mukund Sivaraman
441de7dbe3 Add a answer-cookie named config option
(cherry picked from commit 2930507357)
2018-06-08 17:29:28 +10:00
Mark Andrews
34bfd20348 Add support for marking a option as deprecated.
(cherry picked from commit befff9452c)
2018-06-08 15:56:01 +10:00
Mark Andrews
1710e5cfca add duplicate signature test
(cherry picked from commit 0db5b087ed)
(cherry picked from commit 1783fa5aba)
2018-06-06 17:21:29 +10:00
Mark Andrews
dd05287a31 add support -T sigvalinsecs
(cherry picked from commit 87a3dc8ab9)
(cherry picked from commit 69340b5ac5)
2018-06-06 17:17:48 +10:00
Mark Andrews
deee1574da move -T parsing to its own function
(cherry picked from commit b491ceeb50)
2018-06-06 15:30:55 +10:00
Evan Hunt
81c2298665 use "ip" on linux, falling back to "ifconfig" when it isn't available
(cherry picked from commit d7c5400798)
(cherry picked from commit 3e1a0c2b62)
2018-06-05 21:46:08 -07:00
Evan Hunt
35f4aafb20 expand address range in ifconfig.sh to include more than one subnet
(cherry picked from commit 41b29a436b)
(cherry picked from commit e4487b160c)
2018-06-05 21:46:08 -07:00
Evan Hunt
e229ae6999 add prerequisite check 2018-06-04 17:41:22 -04:00
Mark Andrews
9448c4fd21 add system test for root-key-sentinel
(cherry picked from commit a23b305e6b)
(cherry picked from commit b9e6b124aa)
2018-06-04 17:41:22 -04:00
Mark Andrews
9a5f308287 add named.conf option root-key-sentinel
(cherry picked from commit 68e9315c7d)
(cherry picked from commit ee763ef281)
2018-06-04 17:41:22 -04:00
Mark Andrews
afa97c6552 detect and process root-key-sentinel labels.
(cherry picked from commit 8fc9f64df9)
(cherry picked from commit 7111eff80c)
2018-06-04 17:41:21 -04:00
Mark Andrews
f9d19cab7f 4699. [func] Multiple cookie-secret clauses can now be specified.
The first one specified is used to generate new
                        server cookies.  [RT #45672]
2018-06-04 13:16:28 -07:00
Evan Hunt
32681598cd attempt to validate glue, but don't drop it if it can't be validated 2018-06-04 01:12:18 -04:00
Mukund Sivaraman
22ff9c9199 Fix acache case too 2018-06-04 01:12:18 -04:00
Mukund Sivaraman
3d62545657 Add system test
(cherry picked from commit 303391ea41)
2018-06-04 01:12:18 -04:00
Mukund Sivaraman
3f59d6c251 Don't validate non-pending glue when adding to the additional section
(cherry picked from commit 31bd3147d1)
2018-06-04 01:12:18 -04:00