Commit Graph
329 Commits
Author SHA1 Message Date
Evan Hunt 053e01b9f0 implement 'max-query-restarts'
implement, document, and test the 'max-query-restarts' option
which specifies the query restart limit - the number of times
we can follow CNAMEs before terminating resolution.

(cherry picked from commit 104f3b82fb)
2024-08-07 21:12:34 +00:00
Tom KrizekandNicki Křížek 257730f30b Replace testcrypto.sh invocations in tests
Use the provided environment variables instead.

(cherry picked from commit fc84bf80e4)
2024-08-05 17:54:11 +02:00
Aram SargsyanandNicki Křížek c7f79a0353 Add a quota for SIG(0) signature checks
In order to protect from a malicious DNS client that sends many
queries with a SIG(0)-signed message, add a quota of simultaneously
running SIG(0) checks.

This protection can only help when named is using more than one worker
threads. For example, if named is running with the '-n 4' option, and
'sig0checks-quota 2;' is used, then named will make sure to not use
more than 2 workers for the SIG(0) signature checks in parallel, thus
leaving the other workers to serve the remaining clients which do not
use SIG(0)-signed messages.

That limitation is going to change when SIG(0) signature checks are
offloaded to "slow" threads in a future commit.

The 'sig0checks-quota-exempt' ACL option can be used to exempt certain
clients from the quota requirements using their IP or network addresses.

The 'sig0checks-quota-maxwait-ms' option is used to define a maximum
amount of time for named to wait for a quota to appear. If during that
time no new quota becomes available, named will answer to the client
with DNS_R_REFUSED.
2024-06-10 17:33:08 +02:00
Matthijs Mekking c3d8932f79 Add checkconf check for signatures-jitter
Having a value higher than signatures-validity does not make sense
and should be treated as a configuration error.
2024-04-18 09:50:33 +02:00
Matthijs Mekking 2a4daaedca Add signatures-jitter option
Add an option to speficy signatures jitter.
2024-04-18 09:50:10 +02:00
Ondřej Surý 304b5ec1ad Deprecate fixed value for the rrset-order option
Mark the "fixed" value for the "rrset-order" option deprecated, so we
can remove it in the future.
2024-04-02 15:21:00 +00:00
Ondřej Surý 7c96bf3e71 Deprecate sortlist option
Mark the sortlist option deprecated, so we can remove it in the
future.
2024-04-02 16:26:39 +02:00
Matthijs Mekking e39de45adc Detect invalid durations
Be stricter in durations that are accepted. Basically we accept ISO 8601
formats, but fail to detect garbage after the integers in such strings.

For example, 'P7.5D' will be treated as 7 days. Pass 'endptr' to
'strtoll' and check if the endptr is at the correct suffix.
2024-03-14 08:51:46 +01:00
Evan Hunt 05398c1488 move RRL broken-config check to checkconf
the RRL test included a test case that tried to start named with
a broken configuration.  the same error could be found with
named-checkconf, so it should have been tested in the checkconf
system test.
2024-03-01 14:29:30 -08:00
Aram Sargsyan 0d47f565ea Test trusted anchors configurations for 'dnssec-validation yes'
Add checks into the  'checkconf' system test to make sure that the
'dnssec-validation yes' option fails without configured trusted
anchors, and succeeds with configured non-empty, as well as empty
trusted anchors.
2024-02-02 19:53:45 +00:00
Evan Hunt 86fdc66ed3 check range of fetch-quota-param parameters
the 'low', 'high' and 'discount' parameters to 'fetch-quota-param'
are meant to be ratios with values between zero and one, but higher
values can be assigned. this could potentially lead to an assertion
in maybe_adjust_quota().
2024-01-31 18:19:38 -08:00
Matthijs Mekking cb12b42839 Rename "uri" to "pkcs11-uri"
The name "uri" was considered to be too generic and could potentially
clash with a future URI configuration option. Renamed to "pkcs11-uri".

Note that this option name was also preferred over "pkcs11uri", the
dash is considered to be the more clearer form.
2024-01-25 15:37:40 +01:00
Matthijs Mekking 155aba5bd5 Fix a checkconf bug
The check for printing zone list failed because of these additional
lines in the output:

good.conf:22: dnssec-policy: key algorithm 13 has predefined length; \
  ignoring length value 256

I am not sure why this failure hasn't happened before already.
2024-01-25 14:41:25 +01:00
Matthijs Mekking 792670c991 Check if key-store directory is not reused
Similar to key-directory, check for zones in different views and
different key and signing policies. Zones must be using different key
directories to store key files on disk.

Now that a key directory can be linked with a dnssec-policy key, the
'keydirexist' checking needs to be reshuffled.

Add tests for bad configuration examples, named-checkconf should catch
those. Also add test cases for a mix of key-directory and key-store
directory.
2024-01-25 14:41:24 +01:00
Matthijs Mekking 22d1fde1a5 Check if key-store directory exists
Similar to key-directory, check if the key-store directory exists and
if it is an actual directory.

This commit fixes an accidental test bug in checkconf where if
the "warn key-dir" test failed, the result was ignored.
2024-01-25 14:38:12 +01:00
Matthijs Mekking 594d4a81f1 Check if key-store exists
Add checkconf check to ensure that the used key-store in the keys
section exists. Error if that is not the case. We also don't allow
the special keyword 'key-directory' as that is internally used to
signal that the zone's key-directory should be used.
2024-01-25 14:38:12 +01:00
Matthijs Mekking a035f3b10e Add configuration for key-store
Add new configuration for setting key stores. The new 'key-store'
statement allows users to configure key store backends. These can be
of type 'file' (that works the same as 'key-directory') or of type
'pkcs11'. In the latter case, keys should be stored in a HSM that is
accessible through a PKCS#11 interface.

Keys configured within 'dnssec-policy' can now also use the 'key-store'
option to set a specific key store.

Update the checkconf test to accomodate for the new configuration.
2024-01-25 14:38:11 +01:00
Artem Boldariev ed546007c9 Add TLS 'cipher-suites' checkconf test
This commit adds a set of valid and invalid configuration files
samples that use the new 'cipher-suites' option of the 'tls'
statement.
2024-01-12 13:27:59 +02:00
Artem Boldariev 0e8d5c9c6b Add checkonf tests for the PROXYv2 related options
This commit adds necessary PROXYv2 configuration options checks.
2023-12-06 15:15:25 +02:00
Matthijs Mekking 3c08fbc79f Change NSEC3 iterations to 0 in system tests
The system tests need to be updated because non-zero iterations are no
longer accepted.

The autosign system test changes its iterations from 1 to 0 in one
test case. This requires the hash to be updated.

The checkconf system test needs to change the iterations in the good
configuration files to 0, and in the bad ones to 1 (any non-zero value
would suffice, but we test the corner case here). Also, the expected
failure message is change, so needs to be adjusted.

The nsec3 system test also needs iteration configuration adjustments.
In addition, the test script no longer needs the ITERATIONS environment
variable.

In the process of updating the system tests, I noticed an error
in the dnssec-policy "nsec3-other", where the salt length in one
configuration file is different than in the other (they need to be
the same). Furthermore, the 'rndc signing -nsec3param' test case
is operated on the zone 'nsec-change.kasp', so is moved so that the
tests on the same zone are grouped together.
2023-12-05 14:58:58 +00:00
Ondřej Surý f8e264ba6d Remove the lock-file configuration and -X argument to named
The lock-file configuration (both from configuration file and -X
argument to named) has better alternatives nowadays.  Modern process
supervisor should be used to ensure that a single named process is
running on a given configuration.

Alternatively, it's possible to wrap the named with flock(1).
2023-10-26 22:42:37 +02:00
Tom Krizek 4cb8b13987 Reformat shell scripts with shfmt
All changes in this commit were automated using the command:

  shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in")

By default, only *.sh and files without extension are checked, so
*.sh.in files have to be added additionally. (See mvdan/sh#944)
2023-10-26 10:23:50 +02:00
Mark Andrews 1bf62b1c88 Check that duplicate control sockets are caught 2023-10-05 11:32:01 +11:00
Ondřej Surý 7aebbec653 Completely remove the Unix Domain Socket support from BIND 9
The Unix Domain Sockets support in BIND 9 has been completely disabled
since BIND 9.18 and it has been a fatal error since then.  Cleanup the
code and the documentation that suggest that Unix Domain Sockets are
supported.
2023-09-19 18:51:35 +02:00
Ondřej Surý 9e0b348a2b Deprecate 'dnssec-must-be-secure' option
The dnssec-must-be-secure feature was added in the early days of BIND 9
and DNSSEC and it makes sense only as a debugging feature.

Remove the feature to simplify the code.
2023-09-04 13:38:14 +02:00
Evan Hunt eeeccec67c deprecate "dialup" and "heartbeat-interval"
these options concentrate zone maintenance actions into
bursts for the benefit of servers with intermittent connections.
that's no longer something we really need to optimize.
2023-08-01 18:10:44 -07:00
Matthijs Mekking 62ddc3dca0 Remove redundant inline-signing lines from tests
Now that inline-signing is explicitly set in dnssec-policy, remove
the redundant "inline-signing yes;" lines from the system tests.
2023-08-01 06:55:48 +00:00
Matthijs Mekking 495597a91b Update inline-signing checkconf code
When using automated DNSSEC management, it is required that the zone
is dynamic, or that inline-signing is enabled (or both). Update the
checkconf code to also allow inline-signing to be enabled within
dnssec-policy.
2023-08-01 06:55:48 +00:00
Matthijs Mekking bbfdcc36c8 Add inline-signing to dnssec-policy
Add an option to enable/disable inline-signing inside the
dnssec-policy clause. The existing inline-signing option that is
set in the zone clause takes priority, but if it is omitted, then the
value that is set in dnssec-policy is taken.

The built-in policies use inline-signing.

This means that if you want to use the default policy without
inline-signing you either have to set it explicitly in the zone
clause:

    zone "example" {
        ...
        dnssec-policy default;
        inline-signing no;
    };

Or create a new policy, only overriding the inline-signing option:

    dnssec-policy "default-dynamic" {
        inline-signing no;
    };

    zone "example" {
        ...
        dnssec-policy default-dynamic;
    };

This also means that if you are going insecure with a dynamic zone,
the built-in "insecure" policy needs to be accompanied with
"inline-signing no;".
2023-08-01 06:55:48 +00:00
Tom Krizek 062dfac28e Clean up keys directory in checkconf test
The keys directory should be cleaned up in clean.sh. Doing that in the
test itself isn't reliable which may lead to failing mkdir which causes
the test to fail with set -e.
2023-07-25 09:19:55 +02:00
Matthijs Mekking 042c89ac69 Obsolete dnssec-update-mode
We no longer support 'no-resign' and thus the configuration option
becomes obsolete. Remove the corresponding dnssec system test cases.
2023-07-20 12:44:19 +02:00
Matthijs Mekking 3e49223a67 Obsolete dnssec-dnskey-kskonly update-check-ksk
These two configuration options worked in conjunction with 'auto-dnssec'
to determine KSK usage, and thus are now obsoleted.

However, in the code we keep KSK processing so that when a zone is
reconfigured from using 'dnssec-policy' immediately to 'none' (without
going through 'insecure'), the zone is not immediately made bogus.

Add one more test case for going straight to none, now with a dynamic
zone (no inline-signing).
2023-07-20 12:40:54 +02:00
Matthijs Mekking 88a687106f Obsolete sig-validity-interval dnskey-sig-validity
These two configuration options worked in conjunction with 'auto-dnssec'
to set the signature validity, and thus are now obsoleted.
2023-07-20 11:04:24 +02:00
Matthijs Mekking 33db82cf20 Remove auto-dnssec checkconf tests
Any checkconf tests related to auto-dnssec can be removed, as this
option will be removed too.
2023-07-20 11:04:23 +02:00
Tom Krizek 05baf7206b Use $(...) notation for subshells in system tests
The changes were mostly done with sed:

find . -name '*.sh' | xargs sed -i 's/`\([^`]*\)`/$(\1)/g'

There have been a few manual changes where the regex wasn't sufficient
(e.g. backslashes inside the `...`) or wrong (`...` referring to docs or
in comments).
2023-07-14 15:49:18 +02:00
Tom Krizek 4a87b44196 Handle non-zero return codes in checkconf test 2023-07-14 15:49:17 +02:00
Tom Krizek 837c190d9e Make $? compatible with set -e in system tests
Ensure handling of return code from previous command doesn't cause the
script to halt if that code is non-zero when running with `set -e`.
2023-07-14 15:49:15 +02:00
Tom Krizek 4d42bdc245 Use arithmetic expansion in system tests
Change the way arithmetic operations are performed in system test shell
scripts from using `expr` to `$(())`. This ensures that updating the
variable won't end up with a non-zero exit code, which would case the
script to exit prematurely when `set -e` is in effect.

The following replacements were performed using sed in all text files
(git grep -Il '' | xargs sed -i):

s/status=`expr $status + $ret`/status=$((status + ret))/g
s/n=`expr $n + 1`/n=$((n + 1))/g
s/t=`expr $t + 1`/t=$((t + 1))/g
s/status=`expr $status + 1`/status=$((status + 1))/g
s/try=`expr $try + 1`/try=$((try + 1))/g
2023-07-14 15:49:13 +02:00
Tom Krizek 01bc805f89 Run system tests with set -e
Ensure all shell system tests are executed with the errexit option set.
This prevents unchecked return codes from commands in the test from
interfering with the tests, since any failures need to be handled
explicitly.
2023-07-14 15:07:25 +02:00
Tom Krizek 5893debf46 Remove trailing whitespace from all text files
I've used the following command to remove the trailing whitespace for
all tracked text files:

git grep -Il '' | xargs sed -i 's/[ \t]*$//'
2023-06-13 15:05:40 +02:00
Tom Krizek 2f5bf6d971 Add pytest functions for shell system tests
In order to run the shell system tests, the pytest runner has to pick
them up somehow. Adding an extra python file with a single function
for the shell tests for each system test proved to be the most
compatible way of running the shell tests across older pytest/xdist
versions.

Modify the legacy run.sh script to ignore these pytest-runner specific
glue files when executing tests written in pytest.
2023-05-22 14:11:39 +02:00
Matthijs Mekking 8be61d1845 Add configuration option 'cdnskey'
Add the 'cdnskey' configuration option to 'dnssec-policy'.
2023-05-11 17:07:51 +02:00
Matthijs Mekking 06cd8b52db Add new 'checkds' configuration option
Add a new configuration option to set how the checkds method should
work. Acceptable values are 'yes', 'no', and 'explicit'.

When set to 'yes', the checkds method is to lookup the parental agents
by querying the NS records of the parent zone.

When set to 'no', no checkds method is enabled. Users should run
the 'rndc checkds' command to signal that DS records are published and
withdrawn.

When set to 'explicit', the parental agents are explicitly configured
with the 'parental-agents' configuration option.
2023-04-03 14:01:22 +00:00
Mark Andrews bcb3846603 nsec3: use fips configuration if rsasha1 is not supported 2023-04-03 12:44:27 +10:00
Mark Andrews d42b636d5a named-checkconf needs to know if named will be running in FIPS mode
Call dst_lib_init to set FIPS mode if it was turned on at configure
time.

Check that named-checkconf report that dnssec policies that wont
work in FIPS mode are reported if named would be running in FIPS
mode.
2023-04-03 12:06:04 +10:00
Mark Andrews 805da5bf8f make cfg_kaspkey_fromconfig FIPS aware
- RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode
- minimum RSA key size is set to 2048 bit

adjust kasp and checkconf system tests to ensure non FIPS
compliant configurations are not used in FIPS mode
2023-04-03 12:06:04 +10:00
Matthijs Mekking 106497b011 Fix kasp system test bug
This test was succeeding for the wrong reason (policy not found, rather
than bad key length).
2023-03-31 08:33:01 +00:00
Evan Hunt 833ca463d4 remove {root-}delegation-only
complete the removal of the delegation-only and root-delegation-only
options, and the delegation-only zone type.
2023-03-23 12:57:01 -07:00
Evan HuntandOndřej Surý 2399556bee deprecate delegation-only and root-delegation only
These options and zone type were created to address the
SiteFinder controversy, in which certain TLD's redirected queries
rather than returning NXDOMAIN. since TLD's are now DNSSEC-signed,
this is no longer likely to be a problem.

The deprecation message for 'type delegation-only' is issued from
the configuration checker rather than the parser. therefore,
isccfg_check_namedconf() has been modified to take a 'nodeprecate'
parameter to suppress the warning when named-checkconf is used with
the command-line option to ignore warnings on deprecated options (-i).
2023-03-23 19:16:24 +01:00
Matthijs Mekking c0b606885e Make cds-digest-type plural
Allow for configuring multiple CDS records with different digest
types (currently only SHA-256 and SHA-384 are allowed).
2023-02-28 09:38:17 +01:00