Commit Graph

3824 Commits

Author SHA1 Message Date
Michał Kępień
2cd5954745 Make "plain" server setup checks more similar
Send a test TCP query to the "plain" server during its setup check to
improve its consistency with the setup check for the "plain + no TCP"
server.

(cherry picked from commit bb939a03ff)
2019-05-29 11:11:46 +02:00
Michał Kępień
45d2833684 Add more EDNS checks for dig output files
In the "legacy" system test, in order to make server setup checks more
consistent with each other, add further checks for either presence or
absence of the EDNS OPT pseudo-RR in the responses returned by the
tested named instances.

(cherry picked from commit 56ed1275c6)
2019-05-29 11:11:43 +02:00
Michał Kępień
c7f5ba42f8 Do not ignore dig exit codes
Make sure the "legacy" system test fails if any exit code returned by
dig does not match the expected one.

(cherry picked from commit 4dea5cb799)
2019-05-29 11:11:40 +02:00
Michał Kępień
abbe8c9649 Use helper functions for checking resolution
Extract repeated dig and grep calls into two helper shell functions,
resolution_succeeds() and resolution_fails(), in order to reduce code
duplication in the "legacy" system test, emphasize the similarity
between all the resolution checks in that test, and make the conditions
for success and failure uniform for all resolution checks in that test.

(cherry picked from commit effd16ab25)
2019-05-29 11:11:37 +02:00
Michał Kępień
35cccf0729 Use +dnssec instead of separate TXT records
When testing named instances which are configured to drop outgoing UDP
responses larger than 512 bytes, querying with DO=1 may be used instead
of querying for large TXT records as the effect achieved will be
identical: an unsigned response for a SOA query will be below 512 bytes
in size while a signed response for the same query will be over 512
bytes in size.  Doing this makes all resolution checks in the "legacy"
system test more similar.  Add checks for the TC flag being set in UDP
responses which are expected to be truncated to further make sure that
tested named instances behave as expected.

(cherry picked from commit aaf81ca6ef)
2019-05-29 11:11:31 +02:00
Michał Kępień
551f796313 Fix the name of the file to inspect
One of the checks in the "legacy" system test inspects dig.out.1.test$n
instead of dig.out.2.test$n.  Fix the file name used in that check.

(cherry picked from commit 3e7fa15ca3)
2019-05-29 11:11:25 +02:00
Michał Kępień
fdc84ea63e Ensure queries expected to time out really do
Make sure that the "legacy" system test fails if queries which are
expected to time out do not really time out.

(cherry picked from commit 6283c1cc7e)
2019-05-29 11:11:21 +02:00
Michał Kępień
5094902487 Properly test servers with TCP support disabled
Sending TCP queries to test named instances with TCP support disabled
should cause dig output to contain the phrase "connection refused", not
"connection timed out", as such instances never open the relevant
sockets.  Make sure that the "legacy" system test fails if the expected
phrase is not found in any of the relevant files containing dig output.

(cherry picked from commit 9491616e5c)
2019-05-29 11:11:03 +02:00
Evan Hunt
3b122f8d33 fix missing test counter 2019-05-18 21:14:33 -07:00
Witold Kręcicki
71d3823dab Remove UNSPEC rrtype
(cherry picked from commit a8e2ca6f7d)
2019-05-13 10:54:10 +07:00
Michał Kępień
f04f107b7e Make NTAs work with validating forwarders
If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders.  As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e80488270)
2019-05-09 21:05:50 -07:00
Mark Andrews
10c53d2873 Recognise EDNS Client Tag and EDNS Server Tag
(cherry picked from commit ee7cf180b3)
2019-05-09 18:24:57 +10:00
Evan Hunt
722d0f57ed warn about the use of trusted-keys and managed-keys for the same name 2019-05-08 23:02:42 -07:00
Mark Andrews
d72f659a35 add test for 'provide-ixfr no;' ; add forensics support
(cherry picked from commit d547465af5)
2019-05-07 14:34:00 +10:00
Evan Hunt
50dfe1aa2b enable parallel system tests on windows
this moves the creation of "parallel.mk" into a separate shell script
instead of bin/tests/system/Makefile. that shell script can now be
executed by runall.sh, allowing us to make use of the cygwin "make"
command, which supports parallel execution.

(cherry picked from commit bbae24c140)
2019-05-06 18:38:34 -07:00
Evan Hunt
111c692efd RPZ test had spurious references to DNSRPS, which isn't in 9.11 2019-05-06 18:05:49 -07:00
Mark Andrews
c26a421aab check that delv -t any works
(cherry picked from commit 6999bee7ef)
2019-05-07 10:34:30 +10:00
Michał Kępień
72c7bc03c9 Simplify trailing period handling in system tests
Windows systems do not allow a trailing period in file names while Unix
systems do.  When BIND system tests are run, the $TP environment
variable is set to an empty string on Windows systems and to "." on Unix
systems.  This environment variable is then used by system test scripts
for handling this discrepancy properly.

In multiple system test scripts, a variable holding a zone name is set
to a string with a trailing period while the names of the zone's
corresponding dlvset-* and/or dsset-* files are determined using
numerous sed invocations like the following one:

    dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"

In order to improve code readability, use zone names without trailing
periods and replace sed invocations with variable substitutions.

To retain local consistency, also remove the trailing period from
certain other zone names used in system tests that are not subsequently
processed using sed.

(cherry picked from commit da2c1b74ad)
2019-04-26 20:50:55 +02:00
Matthijs Mekking
3c9a7ffac8 Wait for correct log message in dnssec/tests.sh
In 9.11 there are some log messages not existing, but the tests
rely on.  Adjust the grep call that gives confidence the rollover
step has occurred.
2019-04-24 09:41:22 +02:00
Matthijs Mekking
9c77cd8306 Harden grep key ID calls
Key IDs may accidentally match dig output that is not the key ID (for
example the RRSIG inception or expiration time, the query ID, ...).
Search for key ID + signer name should prevent that, as that is what
only should occur in the RRSIG record, and signer name always follows
the key ID.

(cherry picked from commit 83473b9758)
2019-04-24 09:41:22 +02:00
Matthijs Mekking
d8de28610d Remove sleeps
Remove sleep calls from test, rely on wait_for_log().  Make
wait_for_log() and dnssec_loadkeys_on() fail the test if the
appropriate log line is not found.

Slightly adjust the echo_i() lines to print only the key ID (not the
key name).

(cherry picked from commit 67f0635f3c)
2019-04-24 09:41:22 +02:00
Michał Kępień
4e2cc911d2 Wait more than 1 second for NSEC3 chain changes
One second may not be enough for an NSEC3 chain change triggered by an
UPDATE message to complete.  Wait up to 10 seconds when checking whether
a given NSEC3 chain change is complete in the "nsupdate" system test.

(cherry picked from commit f8746cddbc)
2019-04-23 14:59:30 +02:00
Michał Kępień
5d8147fa70 Remove redundant sleeps
In the "nsupdate" system test, do not sleep before checking results of
changes which are expected to be processed synchronously, i.e. before
nsupdate returns.

(cherry picked from commit 1c8e5ea333)
2019-04-23 14:59:29 +02:00
Michał Kępień
f78f6439b7 Update interface lists in ifconfig scripts
Make bin/tests/system/ifconfig.bat also configure addresses ending with
9 and 10, so that the script is in sync with its Unix counterpart.

Update comments listing the interfaces created by ifconfig.{bat,sh} so
that they do not include addresses whose last octet is zero (since an
address like 10.53.1.0/24 is not a valid host address and thus the
aforementioned scripts do not even attempt configuring them).

(cherry picked from commit b6c1cdfffe)
2019-04-19 11:30:32 +02:00
Michał Kępień
4f992ab35f Fix the "dnssec" system test on Windows
On Windows, the bin/tests/system/dnssec/signer/example.db.signed file
contains carriage return characters at the end of each line.  Remove
them before passing the aforementioned file to the awk script extracting
key IDs so that the latter can work properly.

(cherry picked from commit e4280ed9f5)
2019-04-19 11:30:27 +02:00
Michał Kępień
d9688b58c8 Do not wait for lock file cleanup on Windows
As signals are currently not handled by named on Windows, instances
terminated using signals are not able to perform a clean shutdown, which
involves e.g. removing the lock file.  Thus, waiting for a given
instance's lock file to be removed beforing assuming it is shut down
is pointless on Windows, so do not even attempt it.

(cherry picked from commit 761ba4514f)
2019-04-19 11:29:44 +02:00
Matthijs Mekking
93f33cdd0f Add documentation
(cherry picked from commit a67dac5d21)
2019-04-19 08:45:12 +02:00
Matthijs Mekking
d07f643557 DLV tests unsupported/disabled algorithms
This tests both the cases when the DLV trust anchor is of an
unsupported or disabled algorithm, as well as if the DLV zone
contains a key with an unsupported or disabled algorithm.

(cherry picked from commit 3b7c849a3f)
2019-04-19 08:45:12 +02:00
Matthijs Mekking
a97061c939 Ignore unsupported trust anchors
(cherry picked from commit 1d45ad8f39)

Some adaptations were made to make the code compile and tests pass.
2019-04-19 08:45:12 +02:00
Matthijs Mekking
469ef284b3 Add inline test related to unsupported algorithms
(cherry picked from commit 924fdad0e5)
2019-04-18 15:12:04 +02:00
Matthijs Mekking
8cef3952b6 System tests for tools and unsupported algorithms
(cherry picked from commit dfcf9bb0ed)
2019-04-18 15:12:04 +02:00
Matthijs Mekking
ce3d35d950 Fix dnssec test
The following changes were needed:

* Remove dnskey-sig-validity option (added in 9.12)
* Replace rndccmd, dig_with_opts with export variables
* Remove tests for CDNSKEY and CDS (in 9.11 always signed with ZSK)
2019-04-12 15:57:31 +02:00
Matthijs Mekking
c5e1bfc6f9 Fix copyrights 2019-04-12 15:57:31 +02:00
Matthijs Mekking
944c2b5a74 Add detail on echo message in autosign test
(cherry picked from commit d330986374)
(cherry picked from commit d281d9ae99985772db13fb3dce0c0e7e2fb5f5b8)
2019-04-12 15:57:15 +02:00
Matthijs Mekking
537a88e403 Add test for ZSK rollover while KSK offline
This commit adds a lengthy test where the ZSK is rolled but the
KSK is offline (except for when the DNSKEY RRset is changed).  The
specific scenario has the `dnskey-kskonly` configuration option set
meaning the DNSKEY RRset should only be signed with the KSK.

A new zone `updatecheck-kskonly.secure` is added to test against,
that can be dynamically updated, and that can be controlled with rndc
to load the DNSSEC keys.

There are some pre-checks for this test to make sure everything is
fine before the ZSK roll, after the new ZSK is published, and after
the old ZSK is deleted.  Note there are actually two ZSK rolls in
quick succession.

When the latest added ZSK becomes active and its predecessor becomes
inactive, the KSK is offline.  However, the DNSKEY RRset did not
change and it has a good signature that is valid for long enough.
The expected behavior is that the DNSKEY RRset stays signed with
the KSK only (signature does not need to change).  However, the
test will fail because after reconfiguring the keys for the zone,
it wants to add re-sign tasks for the new active keys (in sign_apex).
Because the KSK is offline, named determines that the only other
active key, the latest ZSK, will be used to resign the DNSKEY RRset,
in addition to keeping the RRSIG of the KSK.

The question is: Why do we need to resign the DNSKEY RRset
immediately when a new key becomes active?  This is not required,
only once the next resign task is triggered the new active key
should replace signatures that are in need of refreshing.

(cherry-picked from commit c48b85d0a3c34480179d44e736e3e535dbae1001)
2019-04-12 15:57:15 +02:00
Evan Hunt
fbcaadb22e dnstap: if recursion is not available, log queries as AQ instead of CQ
(cherry picked from commit 1f578cdb12)
(cherry picked from commit f6c3b13522)
2019-04-11 19:12:47 -07:00
Matthijs Mekking
c272e6799f Check dig TTLs.
(cherry picked from commit 195277ca6d)
2019-04-10 16:19:32 +10:00
Mark Andrews
8015e95b77 Check delv TTLs.
(cherry picked from commit 146202d6a8)
2019-04-10 16:10:39 +10:00
Mark Andrews
b35eacbad2 for rkey flags MUST be zero
(cherry picked from commit 82d4931440)
2019-04-09 14:27:11 +10:00
Michał Kępień
68601bd70f Do not rely on default dig options in system tests
Some system tests assume dig's default setings are in effect.  While
these defaults may only be silently overridden (because of specific
options set in /etc/resolv.conf) for BIND releases using liblwres for
parsing /etc/resolv.conf (i.e. BIND 9.11 and older), it is arguably
prudent to make sure that tests relying on specific +timeout and +tries
settings specify these explicitly in their dig invocations, in order to
prevent test failures from being triggered by any potential changes to
current defaults.

(cherry picked from commit b6cce0fb8b)
2019-04-03 13:00:23 +02:00
Michał Kępień
59e1329e9b Add "-r $RANDFILE" where it is missing
If the path to the source of random data is not passed explicitly to
dnssec-keygen or dnssec-signzone and the --with-randomdev compile-time
switch is not used, the aforementioned utilities will hang if the
default source of random data (/dev/random) runs out of entropy.  Use
"-r $RANDFILE" to prevent that from happening in affected system tests.
2019-04-02 13:09:08 +02:00
Michał Kępień
de1eba6a0f Fix key ID extraction in the "dnssec" system test
Simply looking for the key ID surrounded by spaces in the tested
dnssec-signzone output file is not a precise enough method of checking
for signatures prepared using a given key ID: it can be tripped up by
cross-algorithm key ID collisions and certain low key IDs (e.g. 60, the
TTL specified in bin/tests/system/dnssec/signer/example.db.in), which
triggers false positives for the "dnssec" system test.  Make key ID
extraction precise by using an awk script which operates on specific
fields.

(cherry picked from commit a40c60e4c1)
2019-03-21 08:12:52 +01:00
Michał Kępień
537765df80 Make stop.pl wait for lock file cleanup
bin/tests/system/stop.pl only waits for the PID file to be cleaned up
while named cleans up the lock file after the PID file.  Thus, the
aforementioned script may consider a named instance to be fully shut
down when in fact it is not.

Fix by also checking whether the lock file exists when determining a
given instance's shutdown status.  This change assumes that if a named
instance uses a lock file, it is called "named.lock", and that if an
lwresd instance uses a lock file, it is called "lwresd.lock".

Also rename clean_pid_file() to pid_file_exists(), so that it is called
more appropriately (it does not clean up the PID file itself, it only
returns the server's identifier if its PID file is not yet cleaned up).

(cherry picked from commit c787a539d2)
2019-03-19 11:03:46 +01:00
Michał Kępień
ebedeffa25 Correctly invoke stop.pl when start.pl fails
MR !1141 broke the way stop.pl is invoked when start.pl fails:

  - start.pl changes the working directory to $testdir/$server before
    attempting to start $server,

  - commit 27ee629e6b causes the $testdir
    variable in stop.pl to be determined using the $SYSTEMTESTTOP
    environment variable, which is set to ".." by all tests.sh scripts,

  - commit e227815af5 makes start.pl pass
    $test (the test's name) rather than $testdir (the path to the test's
    directory) to stop.pl when a given server fails to start.

Thus, when a server is restarted from within a tests.sh script and such
a restart fails, stop.pl attempts to look for the server directory in a
nonexistent location ($testdir/$server/../$test, i.e. $testdir/$test,
instead of $testdir/../$test).  Fix the issue by changing the working
directory before stop.pl is invoked in the scenario described above.

(cherry picked from commit 4afad2a047)
2019-03-19 10:28:59 +01:00
Matthijs Mekking
1461accf9c Add test for rpz zone load fail 2019-03-15 09:16:49 +01:00
Matthijs Mekking
97118d59ba Make RPZ tests more readable 2019-03-15 08:32:03 +01:00
Matthijs Mekking
a8f20871c4 Add README to RPZ tests 2019-03-15 08:32:03 +01:00
Mark Andrews
3756a08d30 check that state and state->log are non NULL before calling state->log
(cherry picked from commit 7bf6750330)
2019-03-14 12:57:21 -07:00
Michał Kępień
42a210b7cf Silence a Perl warning output by stop.pl
On Unix systems, the CYGWIN environment variable is not set at all when
BIND system tests are run.  If a named instance crashes on shutdown or
otherwise fails to clean up its pidfile and the CYGWIN environment
variable is not set, stop.pl will print an uninitialized value warning
on standard error.  Prevent this by using defined().

(cherry picked from commit 91e5a99b9b)
2019-03-12 08:43:13 +01:00
Petr Menšík
1f32ad6064 Allow ifconfig to be called from any directory
ifconfig.sh depends on config.guess for platform guessing. It uses it to
choose between ifconfig or ip tools to configure interfaces. If
system-wide automake script is installed and local was not found, use
platform guess. It should work well on mostly any sane platform. Still
prefers local guess, but passes when if cannot find it.

(cherry picked from commit 38301052e1)
2019-03-12 14:11:03 +11:00