Commit Graph
42227 Commits
Author SHA1 Message Date
Colin Vidal 23a9bed310 [9.20] fix: dev: Split and simplify the use of EDE list implementation
Instead of mixing the dns_resolver and dns_validator units directly with
the EDE code, split-out the dns_ede functionality into own separate
compilation unit and hide the implementation details behind abstraction.

Additionally, the new dns_edelist_t doesn't have to be copied into all
responses as those are attached to the fetch context, but it could be
only passed by reference.

This makes the dns_ede implementation simpler to use, although sligtly
more complicated on the inside.

Closes #5141

Backport of MR !10016

Merge branch 'backport-5141-ede-mem-fix-v2-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10030
2025-01-30 13:12:16 +00:00
Colin Vidal 7b04c80183 manually add dns_lctx to isc_log_write in ede.c
Because the new introduced code in main doesn't use the log context
anymore, manually add the log context for isc_log_write usages in the
new ede.c file.
2025-01-30 12:37:55 +00:00
Colin Vidal ccafa27b44 Use DNS_EDE_OTHER instead of its literal value
(cherry picked from commit 7c5678bb03)
2025-01-30 12:37:55 +00:00
Colin Vidal 3bc6de9265 update EDE copy and add dup tests
Update EDE tests to exercise the bitmap and next ede index logic

(cherry picked from commit c7b0fe5bec)
2025-01-30 12:37:55 +00:00
Colin Vidal e5fc9f5fcb detect dup EDE with bitmap and store next pos
In order to avoid to loop to find the next position to store an EDE in
a dns_edectx_t, add a "nextede" state which holds the next available
position.

Also, in order ot avoid to loop to find if an EDE is already existing in
a dns_edectx_t, and avoid a duplicate, use a bitmap to immediately know
if the EDE is there or not.

Those both changes applies for adding or copying EDE.

Also make the direction of dns_ede_copy more explicit/avoid errors by
making "edectx_from" a const pointer.

(cherry picked from commit 9021f9d802)
2025-01-30 12:37:55 +00:00
Colin Vidal f390108f8c add lib/dns/ede.c documentation
Add documentation usage of EDE compilation unit as well as centralize
all EDE-related macros in the same lib/dns/include/dns/ede.h header.

(cherry picked from commit 7b01cbfb04)
2025-01-30 12:37:55 +00:00
Colin Vidal 7e3a650ae2 Refactor test covering dns_ede API
Migrate tests cases in client_test code which were exclusively testing
code which is now all wrapped inside ede compilation unit. Those are
testing maximum number of EDE, duplicate EDE as well as truncation of
text of an EDE.

Also add coverage for the copy of EDE from an edectx to another one, as
well as checking the assertion of the maximum EDE info code which can be
used.

(cherry picked from commit f9f41190b3)
2025-01-30 12:37:55 +00:00
Ondřej SurýandColin Vidal 1ffb67a135 Split and simplify the use of EDE list implementation
Instead of mixing the dns_resolver and dns_validator units directly with
the EDE code, split-out the dns_ede functionality into own separate
compilation unit and hide the implementation details behind abstraction.

Additionally, the EDE codes are directly copied into the ns_client
buffers by passing the EDE context to dns_resolver_createfetch().

This makes the dns_ede implementation simpler to use, although sligtly
more complicated on the inside.

Co-authored-by: Colin Vidal <colin@isc.org>
Co-authored-by: Ondřej Surý <ondrej@isc.org>
(cherry picked from commit 2f8e0edf3b)
2025-01-30 12:37:55 +00:00
Andoni Duarte 77c4107bcd [9.20] fix: ci: remove allow failure in cross version config tests
From https://gitlab.isc.org/isc-projects/bind9/-/issues/5087, the relevant MRs have been merged in the January 2025 release. Hence this MR removes `allow_failure: true` in CI.

Backport of MR !10026

Merge branch 'backport-andoni/remove-allow-failure-in-cross-version-config-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10027
2025-01-30 12:31:11 +00:00
Andoni Duarte Pintado bd03265d0c Update cross-version-config-tests CI
Remove `allow_failure: true` from .gitlab-ci.yaml, as the relevant
MRs have been merged in the January 2025 release.

(cherry picked from commit 5d07df807a)
2025-01-30 11:36:29 +01:00
Andoni Duarte Pintado 2d0323e006 Merge tag 'v9.20.5' into bind-9.20 2025-01-29 17:21:44 +01:00
Nicki Křížek c753376b2e [9.20] chg: ci: Use make clean to reduce artifacts in successful jobs
Reduce the amount of artifacts stored by running make clean at the end
of unit and system test run. If any of the previous commands fail, the
runner will stop executing the commands in `script` immediately, so the
cleanup only happens if none of the previous commands failed.

The build artifacts from unit and system tests are re-used anywhere and
should be safe to throw away immediately.

Backport of MR !10015

Merge branch 'backport-nicki/reduce-ci-artifacts-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10018
2025-01-29 14:45:23 +00:00
Nicki Křížek 5d45acaa2f Enable unit test artifacts for gcov jobs
Without using the build artifacts from the unit test jobs in the
bookworm tests, the gcov would be incomplete.

(cherry picked from commit e5636598a5)
2025-01-29 14:11:59 +00:00
Nicki Křížek 9410fd815a Use make clean to reduce artifacts in successful jobs
Reduce the amount of artifacts stored by running make clean at the end
of unit and system test run. If any of the previous commands fail, the
runner will stop executing the commands in `script` immediately, so the
cleanup only happens if none of the previous commands failed.

The build artifacts from unit and system tests are re-used anywhere and
should be safe to throw away immediately. Same for respdiff.

(cherry picked from commit e59bc5b366)
2025-01-29 14:11:59 +00:00
Michal Nowak 0285a0447f [9.20] fix: doc: Use archived version of draft-icann-dnssec-keymgmt-01.txt
The iana.org link is gone.

Backport of MR !10010

Merge branch 'backport-mnowak/linkcheck-fix-draft-icann-dnssec-keymgmt-01.txt-link-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10011
2025-01-28 13:41:27 +00:00
Michal Nowak 2134b35557 Use archived version of draft-icann-dnssec-keymgmt-01.txt
The iana.org link is gone.

(cherry picked from commit 5dbc87730e)
2025-01-28 13:41:05 +00:00
Nicki Křížek ea4a113375 [9.20] fix: ci: Run merged-metadata job for release branches in private repo
The prior regex didn't match the actual names we use for release
branches in the private repo. This caused the merged-metadata job to not
be created upon merging to a release branch, resulting in the private MR
not being properly milestoned.

Use the correct regex along with protecting the v9.*-release branches in
the gitlab UI so that they have access to the token used to perform the
required API operations.

Backport of MR !10003

Merge branch 'backport-nicki/ci-fix-post-merge-in-private-repo-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10013
2025-01-28 13:40:34 +00:00
Nicki Křížek 54e53a9bc9 Run merged-metadata job for release branches in private repo
The prior regex didn't match the actual names we use for release
branches in the private repo. This caused the merged-metadata job to not
be created upon merging to a release branch, resulting in the private MR
not being properly milestoned.

Use the correct regex along with protecting the v9.*-release branches in
the gitlab UI so that they have access to the token used to perform the
required API operations.

(cherry picked from commit 2e5a3bde7e)
2025-01-28 13:36:55 +00:00
Michal Nowak 0cea21019e [9.20] chg: test: Add stress tests with DoH and DoT
Backport of MR !5800

Merge branch 'backport-mnowak/stress-test-with-doh-dot-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10007
2025-01-28 10:54:16 +00:00
Michal Nowak fa941f01b5 Add DoH and DoT stress tests, generate test configurations
Add DoH and DoT stress test jobs. The DoH scenario on FreeBSD is omitted
because all Flamethrower's DoH queries timeout on this platform.

Since the response rate of DoT queries is lower than that of DoH and
TCP, the expected TCP response rate is 80%.

Due to the large number of similar stress test configurations, the
"util/generate-stress-test-configs.py" script now generates them as part
of a downstream pipeline. The script is expected to be run exclusively
within the CI environment, which sources all environmental variables and
files.

This refactoring brought the following changes:

- To start a stress test immediately and not wait for artifacts of the
  autoreconf job, run the "autoreconf -fi" command as part of every job.

- Drop the BIND_STRESS_TEST_* variables as they were rarely used and
  conflicted with mode and platform selection in the configuration
  generator.

- Most pipelines now include a few short, randomly selected stress test
  jobs. To schedule all stress tests, set the ALL_BIND_STRESS_TESTS
  environmental variable, push a tag to CI, or run a scheduled pipeline.

- Set the BIND_STRESS_TESTS_RUN_TIME environmental variable to pick the
  stress test runtime of your choosing, set the BIND_STRESS_TESTS_RATE
  environmental variable to set different than the default query rate.

- Job timeout is set to 30 minutes plus stress test runtime in minutes.

(cherry picked from commit 9756292a5f)
2025-01-27 20:10:36 +00:00
Michal Nowak cf51840753 [9.20] new: doc: Add linkcheck to CI
Backport of MR !9680

Merge branch 'backport-mnowak/rtd-add-linkcheck-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9994
2025-01-27 09:50:45 +00:00
Michal Nowak c429cfa3b2 Disable anchor checking for GitHub 2025-01-27 09:42:47 +00:00
Michal Nowak bd3b24ab7a Add linkcheck job
(cherry picked from commit 48eab76427)
2025-01-27 09:42:47 +00:00
Michal Nowak 10aed4344c Fix broken links in documentation
Some detected links are not to be verified (127.*, dnssec-or-not.com)
and some I can't fix (flaticon, godaddy, icann), but they are not
crucial.

(cherry picked from commit 8302469507)
2025-01-27 09:42:47 +00:00
Nicki Křížek ccd45042d7 [9.20] chg: ci: Ensure changelog job builds docs with the new entry
The changelog job is supposed to test that the text from GitLab MR
title&description is valid rst syntax and can be built with sphinx. In
49128fc1, the way gitchangelog generates entries was changed - it no
longer writes to the changelog file, but generates output on stdout
instead. Ensure the generated notes is actually written to (some)
rendered file which is part of the docs so that the subsequent sphinx
build attempts to render the note.

Backport of MR !9804

Merge branch 'backport-nicki/ci-fix-changelog-job-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9997
2025-01-27 09:35:37 +00:00
Nicki Křížek 02cf566312 Ensure changelog job builds docs with the new entry
The changelog job is supposed to test that the text from GitLab MR
title&description is valid rst syntax and can be built with sphinx. In
49128fc1, the way gitchangelog generates entries was changed - it no
longer writes to the changelog file, but generates output on stdout
instead. Ensure the generated notes is actually written to (some)
rendered file which is part of the docs so that the subsequent sphinx
build attempts to render the note.

(cherry picked from commit 380a30ba8d)
2025-01-24 18:11:11 +00:00
Colin Vidal b3eab79bc1 [9.20] new: usr: adds support for EDE code 1 and 2
Add support for EDE codes 1 & 2 which might occurs during DNSSEC validation in case of unsupported RRSIG algorithm or DNSKEY digest.

See #2715

Backport of MR !9948

Merge branch 'backport-2715-ede-unsupported-digest-alg-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9996
2025-01-24 14:58:46 +00:00
Colin Vidal b61e1a5bcf add DNSSEC EDE test for unsupported digest and alg
A DNSSEC validation can fail in the case where multiple DNSKEY are
available for a zone and none of them are supported, but for different
reasons: one has a DS record in the parent zone using an unsupported
digest while the other one uses an unsupported encryption algorithm.

Add a specific test case covering this flow and making sure that two
extended DNS error are provided: code 1 and 2, each of them highlighting
unsupported algorithm and digest.

(cherry picked from commit 244923b9dc)
2025-01-24 14:27:17 +01:00
Colin Vidal e133411451 tests for support for EDE 1 & 2
(cherry picked from commit 8b50d63fe1)
2025-01-24 14:27:17 +01:00
Colin Vidal 6c65d70ce5 add support for EDE code 1 and 2
Add support for EDE codes 1 (Unsupported DNSKEY Algorithm) and 2
(Unsupported DS Digest Type) which might occurs during DNSSEC
validation in case of unsupported DNSKEY algorithm or DS digest type.

Because DNSSEC internally kicks off various fetches, we need to copy
all encountered extended errors from fetch responses to the fetch
context. Upon an event, the errors from the fetch context are copied
to the client response.

(cherry picked from commit 46a58acdf5)
2025-01-24 14:27:16 +01:00
Michal Nowak 20057d587f [9.20] chg: test: Rewrite cipher-suites system test to pytest
The minimal dnspython version to run this test is 2.5.0.

Backport of MR !8662

Merge branch 'backport-mnowak/pytest_rewrite_cipher-suites-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9992
2025-01-24 09:31:16 +00:00
Michal Nowak d2c8694930 Rename have_* marks to with_*
Marks starting with "with" or "without" make more sense linguistically
than those starting with "have" or "have_not".

(cherry picked from commit df7e9f4ac3)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak e7a469133c Test cipher-suites after zone transfers complete
Ensure the zone transfers have completed (successfully or not) before
running the test cases, because they assume zone transfers have been
done.

(cherry picked from commit 23fb615963)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak 2eb5ce24fb Make servers fixture in pytest module-wide
The servers are setup and torn down once per each test module. All the
logs and server state persists between individual tests within the same
module. The servers fixture representing these servers should be
module-wide as well.

(cherry picked from commit a72ff9fd57)
2025-01-24 08:56:36 +00:00
Michal Nowak f3f7667fc7 Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().

(cherry picked from commit 100b759863)
2025-01-24 08:56:36 +00:00
Michal Nowak 3047cc9a25 Use Debian "sid" for pylint and mypy jobs to get recent dnspython
The base image tends to have a rather old dnspython version and when
used with pylint and mypy it produces errors about newer dnspython
features the old version does not know about.

    $ mypy "bin/tests/system/isctest/"
    bin/tests/system/isctest/query.py:55: error: Unexpected keyword argument "verify" for "tls"  [call-arg]
    /usr/lib/python3/dist-packages/dns/query.py:958: note: "tls" defined here

    $ pylint --rcfile $CI_PROJECT_DIR/.pylintrc --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE 'ans\.py')
    ************* Module isctest.query
    bin/tests/system/isctest/query.py:55:11: E1123: Unexpected keyword argument 'verify' in function call (unexpected-keyword-arg)

(cherry picked from commit b2964cc922)
2025-01-24 08:56:36 +00:00
Michal Nowak 9f356962ec Add isctest.query.tls() function
When explicitly set to True, the "verify" argument lets dnspython verify
certificates used for the connection. As most certificates in the system
test will inevitably be self-signed, the "verify" argument defaults to
False.

The "verify" argument is present in dnspython since the version 2.5.0.

(cherry picked from commit df8c419058)
2025-01-24 08:56:36 +00:00
Michal Nowak 1a4fb0550b Add "without_fips" mark
The "without_fips" mark disables test function when BIND 9 was built
with the FIPS mode enabled as not everything works in FIPS-enabled
builds.

(cherry picked from commit feecbd8e77)
2025-01-24 08:56:36 +00:00
Nicki Křížek d79b113f93 [9.20] chg: ci: Set stricter limits for respdiff testing
Adjust the limit of maximum disagreements in respdiff results based on
recent pipeline results.

The respdiff and respdiff:asan seem to have almost identical results,
typically around 0.07 % of differences with ocassional spikes up to
around 0.11 %. Similar results are for respdiff:tsan, perhaps with more
common spikes with values up to around 0.12 %. Set the limit to 0.15 %
to allow for some tolerance due to network conditions, time of day etc.

The respdiff:third-party has a slightly higher disagreements average,
with typical values being around 0.12 %. Set the limit to 0.2 %.

Exceeding either of those values should be quite clear indication that
some resolution behaviour has changed, since the values appear to be
very stable within the newly configured limits.

Backport of MR !9950

Merge branch 'backport-nicki/ci-respdiff-limits-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9989
2025-01-23 17:48:09 +00:00
Nicki Křížek a4f480ba04 Set stricter limits for respdiff testing
Adjust the limit of maximum disagreements in respdiff results based on
recent pipeline results.

The respdiff and respdiff:asan seem to have almost identical results,
typically around 0.07 % of differences with ocassional spikes up to
around 0.11 %. Similar results are for respdiff:tsan, perhaps with more
common spikes with values up to around 0.12 %. Set the limit to 0.15 %
to allow for some tolerance due to network conditions, time of day etc.

The respdiff:third-party has a slightly higher disagreements average,
with typical values being around 0.12 %. Set the limit to 0.2 %.

Exceeding either of those values should be quite clear indication that
some resolution behaviour has changed, since the values appear to be
very stable within the newly configured limits.

(cherry picked from commit 0584d3f65f)
2025-01-23 18:29:31 +01:00
Matthijs Mekking fe95badcd0 [9.20] chg: doc: Document how secondaries refresh a zone in the ARM
Closes #5123

Backport of MR !9966

Merge branch 'backport-5123-document-refreshing-a-secondary-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9986
2025-01-23 16:27:45 +00:00
Matthijs Mekking 049ac923b7 Document how secondaries refresh a zone in the ARM
We have a KB article that describes this, put a condensed version into
the ARM.

(cherry picked from commit 8daf3782d1)
2025-01-23 15:53:54 +00:00
Matthijs Mekking ddda6cb59e [9.20] fix: usr: Fix a bug in dnssec-signzone related to keys being offline
In the case when `dnssec-signzone` is called on an already signed zone, and the private key file is unavailable, a signature that needs to be refreshed may be dropped without being able to generate a replacement. This has been fixed.

Closes #5126

Backport of MR !9951

Merge branch 'backport-5126-dnssec-signzone-retain-rrsig-if-key-is-offline-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9982
2025-01-23 15:46:27 +00:00
Matthijs Mekking 9d6302b32c dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

(cherry picked from commit 5e3aef364f)
2025-01-23 14:04:03 +00:00
Matthijs Mekking cf73c9b1a9 Test dnssec-signzone with private key file missing
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

(cherry picked from commit 0a91321d78)
2025-01-23 14:04:03 +00:00
Colin Vidal 4d945128dc [9.20] new: usr: Add support for multiple extended DNS errors
Extended DNS error mechanism (EDE) may have several errors raised during a DNS resolution. `named` is now able to add up to three EDE codes in a DNS response. In the case of duplicate error codes, only the first one will be part of the DNS response.

Closes #5085

Backport of MR !9952

Merge branch 'backport-5085-multiple-ede-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9978
2025-01-23 13:46:03 +00:00
Colin Vidal 01bbc357c7 add unit tests covering multiple EDE support
(cherry picked from commit 950a0cffb3)
2025-01-23 13:12:53 +00:00
Colin Vidal e685443c74 add support for multiple EDE
Extended DNS error mechanism (EDE) enables to have several EDE raised
during a DNS resolution (typically, a DNSSEC query will do multiple
fetches which each of them can have an error). Add support to up to 3
EDE errors in an DNS response. If duplicates occur (two EDEs with the
same code, the extra text is not compared), only the first one will be
part of the DNS answer.

Because the maximum number of EDE is statically fixed, `ns_client_t`
object own a static vector of `DNS_DE_MAX_ERRORS` (instead of a linked
list, for instance). The array can be fully filled (all slots point to
an allocated `dns_ednsopt_t` object) or partially filled (or
empty). In such case, the first NULL slot means there is no more EDE
objects.

(cherry picked from commit 4096f27130)
2025-01-23 13:12:53 +00:00
Matthijs Mekking 2bbb30156b [9.20] fix: doc: Clarify dnssec-signzone interval option
There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

Closes #5128

Backport of MR !9955

Merge branch 'backport-5128-clarify-dnssec-signzone-interval-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9983
2025-01-23 12:08:20 +00:00
Matthijs Mekking e36f4b66a3 Clarify dnssec-signzone interval option
There was confusion about whether the interval was calculated from
the validity period provided on the command line (with -s and -e),
or from the signature being replaced.

Add text to clarify that the interval is calculated from the new
validity period.

(cherry picked from commit ae42fa69fa)
2025-01-23 12:08:11 +00:00