Commit Graph
4973 Commits
Author SHA1 Message Date
Mark Andrews 2a8bf4f6bb Fix gratuitious DNS protocol errors in the ANS servers
The ANS servers were not to written to handle NS queries at the
QNAME resulting in gratuitious protocol errors that will break tests
when NS requests are made for the QNAME.

(cherry picked from commit 0680eb6f64)
2025-02-04 02:37:34 +00:00
Ondřej Surý b32512a232 In cache, set rdataset TTL to 0 when the header is not active
When the header has been marked as ANCIENT, but the ttl hasn't been
reset (this happens in couple of places), the rdataset TTL would be
set to the header timestamp instead to a reasonable TTL value.

Since this header has been already expired (ANCIENT is set), set the
rdataset TTL to 0 and don't reuse this field to print the expiration
time when dumping the cache.  Instead of printing the time, we now
just print 'expired (awaiting cleanup'.

(cherry picked from commit 1bbb57f81b)
2025-02-03 15:53:34 +01:00
Evan HuntandOndřej Surý 1e818d368f fix the cache findzonecut implementation
the search for the deepest known zone cut in the cache could
improperly reject a node containing stale data, even if the
NS rdataset wasn't the data that was stale.

this change also improves the efficiency of the search by
stopping it when both NS and RRSIG(NS) have been found.

(cherry picked from commit 1f095b902c)
2025-02-02 20:01:52 +01:00
Colin Vidal 588924bbb5 update serve-stale test to support EDE 22
When EDE 3 (stale answer) was added the serve-stale tests were checking
for those exclusively, i.e. grepping for no "EDE" in the dig output when
no stale answer was expected.

However, some stale tests disable stale answers and make the
authoritative server unresponsive, effectively triggering a timed out
request thus an EDE 22. Update those tests so they still tests the
absence of EDE 3 error, but also the presence of EDE 22.

(cherry picked from commit 27f3b8950a)
2025-01-30 14:43:25 +00:00
Colin Vidal edd6f0eb35 add new EDE 22 system tests
This re-do a previously existing EDE 22 system test as well as add
another one making sure the timed out flow detection works also on UDP
when the resolver is contacting the authoritative server. (the existing
test was using TCP to contact the authoritative servers).

(cherry picked from commit 7cb8a028fe)
2025-01-30 14:43:25 +00:00
Colin Vidal b03cedc754 fix DNSSEC EDE system tests on FIPS platform
Changes !9948 introducing the support of extended DNS error code 1 and 2
uses SHA-1 digest for some tests which break FIPS platform. The digest
itself was irrelevant, another digest is used.

(cherry picked from commit d82262d293)
2025-01-30 13:32:38 +00:00
Andoni Duarte Pintado 2d0323e006 Merge tag 'v9.20.5' into bind-9.20 2025-01-29 17:21:44 +01:00
Colin Vidal b61e1a5bcf add DNSSEC EDE test for unsupported digest and alg
A DNSSEC validation can fail in the case where multiple DNSKEY are
available for a zone and none of them are supported, but for different
reasons: one has a DS record in the parent zone using an unsupported
digest while the other one uses an unsupported encryption algorithm.

Add a specific test case covering this flow and making sure that two
extended DNS error are provided: code 1 and 2, each of them highlighting
unsupported algorithm and digest.

(cherry picked from commit 244923b9dc)
2025-01-24 14:27:17 +01:00
Colin Vidal e133411451 tests for support for EDE 1 & 2
(cherry picked from commit 8b50d63fe1)
2025-01-24 14:27:17 +01:00
Michal Nowak d2c8694930 Rename have_* marks to with_*
Marks starting with "with" or "without" make more sense linguistically
than those starting with "have" or "have_not".

(cherry picked from commit df7e9f4ac3)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak e7a469133c Test cipher-suites after zone transfers complete
Ensure the zone transfers have completed (successfully or not) before
running the test cases, because they assume zone transfers have been
done.

(cherry picked from commit 23fb615963)
2025-01-24 08:56:36 +00:00
Nicki KřížekandMichal Nowak 2eb5ce24fb Make servers fixture in pytest module-wide
The servers are setup and torn down once per each test module. All the
logs and server state persists between individual tests within the same
module. The servers fixture representing these servers should be
module-wide as well.

(cherry picked from commit a72ff9fd57)
2025-01-24 08:56:36 +00:00
Michal Nowak f3f7667fc7 Rewrite cipher-suites system test to pytest
The minimal required dnspython version is 2.5.0 because of the need for
the "verify" argument in dns.query.tls().

(cherry picked from commit 100b759863)
2025-01-24 08:56:36 +00:00
Michal Nowak 9f356962ec Add isctest.query.tls() function
When explicitly set to True, the "verify" argument lets dnspython verify
certificates used for the connection. As most certificates in the system
test will inevitably be self-signed, the "verify" argument defaults to
False.

The "verify" argument is present in dnspython since the version 2.5.0.

(cherry picked from commit df8c419058)
2025-01-24 08:56:36 +00:00
Michal Nowak 1a4fb0550b Add "without_fips" mark
The "without_fips" mark disables test function when BIND 9 was built
with the FIPS mode enabled as not everything works in FIPS-enabled
builds.

(cherry picked from commit feecbd8e77)
2025-01-24 08:56:36 +00:00
Matthijs Mekking 9d6302b32c dnssec-signzone retain signature if key is offline
Track inside the dns_dnsseckey structure whether we have seen the
private key, or if this key only has a public key file.

If the key only has a public key file, or a DNSKEY reference in the
zone, mark the key 'pubkey'. In dnssec-signzone, if the key only
has a public key available, consider the key to be offline. Any
signatures that should be refreshed for which the key is not available,
retain the signature.

So in the code, 'expired' becomes 'refresh', and the new 'expired'
is only used to determine whether we need to keep the signature if
the corresponding key is not available (retaining the signature if
it is not expired).

In the 'keysthatsigned' function, we can remove:
  -	key->force_publish = false;
  -	key->force_sign = false;

because they are redundant ('dns_dnsseckey_create' already sets these
values to false).

(cherry picked from commit 5e3aef364f)
2025-01-23 14:04:03 +00:00
Matthijs Mekking cf73c9b1a9 Test dnssec-signzone with private key file missing
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

(cherry picked from commit 0a91321d78)
2025-01-23 14:04:03 +00:00
Mark Andrews 2225f96251 Check delv +yaml negative response output
(cherry picked from commit 9c04640def)
2025-01-22 23:58:49 +00:00
Ondřej SurýandAndoni Duarte Pintado 1b531c17a5 Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA.  This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.

Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.

(cherry picked from commit a1982cf1bb)
2025-01-15 13:57:27 +01:00
Ondřej SurýandAndoni Duarte Pintado e7d4e27337 Isolate using the -T noaa flag only for part of the resolver test
Instead of running the whole resolver/ns4 server with -T noaa flag,
use it only for the part where it is actually needed.  The -T noaa
could interfere with other parts of the test because the answers don't
have the authoritative-answer bit set, and we could have false
positives (or false negatives) in the test because the authoritative
server doesn't follow the DNS protocol for all the tests in the resolver
system test.

(cherry picked from commit e51d4d3b88)
2025-01-15 13:57:16 +01:00
Matthijs Mekking 8c9d31edaf Revert "Test that the correct NSEC3 closest encloser is returned"
This reverts commit fd2f1bdf02.
2025-01-13 11:42:26 +01:00
Mark AndrewsandMichal Nowak 40af61428e Adjust number of zones to those in FIPS mode
(cherry picked from commit 17804f5154)
2025-01-02 15:35:39 +00:00
Matthijs Mekking aa744b5dd9 Add primaries, parental-agents as synonyms
Add back the top blocks 'parental-agents', 'primaries', and 'masters'
to the configuration. Do not document them as so many names for the
same clause is confusing.

This has a slight negative side effect that a top block 'primaries'
can be referred to with a zone statement 'parental-agents' for example,
but that shouldn't be a big issue.

(cherry picked from commit 1b2eadb197)
2024-12-13 11:23:03 +01:00
Matthijs Mekking 4555a31934 Unify parental-agents, primaries to remote-servers
Having zone statements that are also top blocks is confusing, and if
we want to add more in the future (which I suspect will be for
generalized notifications, multi-signer), we need to duplicate a lot
of code.

Remove top blocks 'parental-agents' and 'primaries' and just have one
top block 'remote-servers' that you can refer to with zone statements.

(cherry picked from commit b121f02eac)
2024-12-13 10:39:25 +01:00
Mark Andrews e8ef8eddb8 Fix startup notify rate test
The terminating conditions for the startup notify test would
occasionally get ~20 records or get +10 seconds of records due to
a bad terminating condition.  Additionally 20 samples lead to test
failures.  Fix the terminating condition to use the correct conditional
(-eq -> -ge) and increase the minimum number of log entries to
average over to 40.

(cherry picked from commit 46388d07a2)
2024-12-13 00:07:52 +00:00
Michal Nowak 1bff2cd49c Wait for "all zones loaded" after rndc reload in "database" test
After the rndc reload command finished, we might have queried the
database zone sooner than it was reloaded because rndc reloads zones
asynchronously if no specific zone was provided. We should wait for "all
zones loaded" in the ns1 log to be sure.

(cherry picked from commit 0bdd03db66)
2024-12-12 12:09:30 +00:00
Michal NowakandMark Andrews 945dbad5ed Add rr-related common test artifacts
(cherry picked from commit c607237b77)
2024-12-11 00:38:56 +00:00
Mark Andrews 4bc7d505e8 Use a different burst name to identify test queries
This allows easier identification of which burst is which in
named.run.

(cherry picked from commit e02d66b279)
2024-12-10 21:55:31 +00:00
Colin Vidal 32f5b69703 Add none parameter to query-source and query-source-v6 to disable IPv4 or IPv6 upstream queries
Add a none parameter to named configuration option `query-source` (respectively `query-source-v6`) which forbid usage of IPv4 (respectively IPv6) addresses when named is doing an upstream query.

Closes #4981 Turning-off upstream IPv6 queries while still listening to downstream queries on IPv6.

Merge branch 'colin/querysource-none' into 'main'

See merge request isc-projects/bind9!9727

Backport of MR !9727

Some changes had to be done to the existing 9.20.x code in order to
make this backport compatible:

- first, the 9.20.x branches support the `port` parameter in
  query-source[-v6], where 9.21.x does not. The original changes
  depend on things that can't be backported because that would break
  `port` support.

- second, the changes remove the optional `address` parameter from the
  canonical form. So `query-source address <ip>` is now printed as
  `query-source <ip>`. This means that `named-checkconf -p` will now
  generate different output if users have `query-source address <ip>` or
  `query-source address <ip> port <port>`; it will now generate
  `query-source <ip>` or `query-source <ip> port <port>`. This is a
  non-breaking change, because the parser has been updated to support
  this form as well.
2024-12-10 11:58:20 +01:00
Mark Andrews 6177eb8c5b Fix static stub subtest description
(cherry picked from commit f173a01454)
2024-12-10 03:16:33 +00:00
Artem BoldarievandMichal Nowak 17dd30ec52 Use FIPS compatible DH-param files
When the tests were added, the files were generated without FIPS
compatibility in mind. That made the tests fail on recent OpenSSL
versions in FIPS mode.

So, the files were regenerated on a FIPS compliant system using the
following stanza:

$ openssl dhparam -out <file> 3072

Apparently, the old files are not valid for FIPS starting with OpneSSL
3.1.X release series as "FIPS 140-3 compliance changes" are mentioned
in the changelog:

https://openssl-library.org/news/openssl-3.1-notes/
(cherry picked from commit 384c92880e)
2024-12-09 12:00:49 +00:00
Evan Hunt f7d67710e2 preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.

in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.

(cherry picked from commit f3af8a7dc3)
2024-12-06 18:19:54 -08:00
Matthijs Mekking cc004b2b8f Add test case for nsupdate hangs on large update
This test case hangs, despite the update being performed on the
name server.

(cherry picked from commit 3adabb4f89)
2024-12-06 08:31:19 +00:00
Michal Nowak dffcf1226c Use os.getenv() instead of os.environ
If ECDSAP256SHA256_SUPPORTED or ECDSAP384SHA384_SUPPORTED variables were
not present in the environment, os.environ would raise KeyError that is
not being handled in the decorator. Use os.getenv() instead.

(cherry picked from commit 1a5683b638)
2024-12-06 07:06:31 +00:00
Michal Nowak 85176a62ca Fix skipif decorators' conditions
The ECDSA256 and ECDSA384 check conditions were switched.

(cherry picked from commit 2a7b8d9795)
2024-12-06 07:06:31 +00:00
Matthijs MekkingandMark Andrews 1d7ddb5ec4 Add a CAMP test case
This adds a new test directory specifically for CAMP attacks. This first
test in this test directory follows multiple CNAME chains, restarting
the max-recursion-queries counter, but should bail when the global
maximum quota max-query-count is reached.

(cherry picked from commit 73eafaba14)
2024-12-06 06:20:33 +00:00
Matthijs MekkingandMark Andrews c233bb9de0 Implement 'max-query-count'
Add another option to configure how many outgoing queries per
client request is allowed. The existing 'max-recursion-queries' is
per restart, this one is a global limit.

(cherry picked from commit bbc16cc8e6)
2024-12-06 06:20:33 +00:00
Mark Andrews 3eea26ba37 Check dnssec-signzone behaviour with revoked keys
Only DNSKEY records should be signed with a revoked key.

(cherry picked from commit 30ef6dde05)
2024-12-06 01:00:08 +00:00
Michal Nowak e8d6be9c38 Add ns2/managed1.conf to mkeys extra_artifacts
The ns2/managed1.conf file is created by the setup.sh script. Then, in
the tests.sh script it is moved to ns2/managed.conf. The latter file
name is in mkeys extra_artifacts, but the former one is not. This is a
problem when pytest is started with the --setup-only option as it only
runs the setup.sh script (e.g., in the cross-version-config-tests CI
job) and thus failing the "Unexpected files found" assertion.

(cherry picked from commit e7d973bd00)
2024-12-05 10:08:34 +00:00
Colin Vidal c586d9a658 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs when after a timeout delay when the resolver is
trying to query an authority server.

(cherry picked from commit d13e94b930)

Commit amended in order to fix usage of isc_log_write (adding dns_lctx
parameter)
2024-12-05 10:30:28 +01:00
Michal Nowak 211a0eafa9 Rewrite ecdsa system test to pytest
(cherry picked from commit 292e919156)
2024-12-05 07:46:17 +00:00
Ondřej Surý 6c3f1f09b2 Improve the badcache cleaning by adding LRU and using RCU
Instead of cleaning the dns_badcache opportunistically, add per-loop
LRU, so each thread-loop can clean the expired entries.  This also
allows removal of the atomic operations as the badcache entries are now
immutable, instead of updating the badcache entry in place, the old
entry is now deleted from the hashtable and the LRU list, and the new
entry is inserted in the LRU.

(cherry picked from commit 2cb5a6210f)
2024-11-27 17:07:03 +00:00
Aram Sargsyan bebdabc06c Fix the nslookup system test
The nslookup system test checks the count of resolved addresses in
the CNAME tests using a 'grep' match on the hostname, and ignoring
lines containing the 'canonical name' string. In order to protect
the check from intermittent failures like the 'address in use' warning
message, which then automatically resolves after a retry, edit the
'grep' matching string to also ignore the comments (as the mentioned
warning message is a comment which contains the hostname).

(cherry picked from commit 345b0f9e5c)
2024-11-27 13:35:25 +00:00
Aram Sargsyan 61d49b0731 Test trying of the next primary server
Add test cases which check that when a XoT primary server is
unreachable or is already marked as unreachble then the next
primary server in the list is used.

(cherry picked from commit 12225d125b)
2024-11-27 11:49:02 +00:00
Aram Sargsyan 375bd8ec75 xfrin: refactor and fix the ISC_R_CANCELED case handling
Previously a ISC_R_CANCELED result code switch-case has been added to
the zone.c:zone_xfrdone() function, which did two things:

1. Schedule a new zone transfer if there's a scheduled force reload of
   the zone.

2. Reset the primaries list.

This proved to be not a well-thought change and causes problems,
because the ISC_R_CANCELED code is used not only when the whole transfer
is canceled, but also when, for example, a particular primary server is
unreachable, and named still needs to continue the transfer process by
trying the next server, which it now no longer does in some cases. To
solve this issue, three changes are made:

1. Make sure dns_zone_refresh() runs on the zone's loop, so that the
   sequential calls of dns_zone_stopxfr() and dns_zone_forcexfr()
   functions (like done in 'rndc retransfer -force') run in intended
   order and don't race with each other.

2. Since starting the new transfer is now guaranteed to run after the
   previous transfer is shut down (see the previous change), remove the
   special handling of the ISC_R_CANCELED case, and let the default
   handler to handle it like before. This will bring back the ability to
   try the next primary if the current one was interrupted with a
   ISC_R_CANCELED result code.

3. Change the xfrin.c:xfrin_shutdown() function to pass the
   ISC_R_SHUTTINGDOWN result code instead of ISC_R_CANCELED, as it makes
   more sense.

(cherry picked from commit 3262ebd0f3)
2024-11-27 11:49:01 +00:00
JINMEI TatuyaandMark Andrews c862555b66 update system tests to confirm new log messages
(cherry picked from commit 000720fe14)
2024-11-27 11:17:34 +11:00
Michal Nowak 58316503b6 Rewrite emptyzones system test to pytest
(cherry picked from commit 3ace62472c)
2024-11-26 17:03:30 +00:00
Michal Nowak a506a04c98 Add isctest.check.refused()
(cherry picked from commit 7bedd1c296)
2024-11-26 17:03:30 +00:00
Michal Nowak 5d28efecfc Rewrite database system test to pytest
(cherry picked from commit 8005ad0dcd)
2024-11-26 12:12:26 +00:00
Michal Nowak 3cb61b1252 Revert "xfail upforwd system test if DNSTAP is enabled"
This reverts commit 0579e0a429.

(cherry picked from commit e7e73da39a)
2024-11-26 10:50:15 +00:00