Commit Graph

11530 Commits

Author SHA1 Message Date
Nicki Křížek
347db7c40d Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.

(cherry picked from commit 7c259fe254)
2024-11-11 15:04:52 +01:00
Michał Kępień
ddb75fc4d8 Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.

With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.

(cherry picked from commit 3a9f4edddc)
2024-11-11 15:04:52 +01:00
Mark Andrews
1affa9c2ac Remove named_g_sessionkey and named_g_sessionkeyname
They are only declared and cleaned up but otherwise unused.

(cherry picked from commit f70ff727ec)
2024-11-07 02:18:52 +00:00
Michal Nowak
45dd10f5a1 Rewrite rsabigexponent system test to pytest
(cherry picked from commit cacff68e78)
2024-10-31 18:15:20 +00:00
Nicki Křížek
89866d148a Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.

Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.

New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.

(cherry picked from commit 60e118c4fb)
2024-10-31 14:01:12 +01:00
Nicki Křížek
2a0c3c8c14 Make system tests compatible with pytest 8.0.0+
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.

Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).

Related https://github.com/pytest-dev/pytest/issues/7777

(cherry picked from commit 7118cbed98)
2024-10-24 13:57:41 +02:00
Matthijs Mekking
e5c711fd43 Add inline-signing warning for upgrading to 9.20
For dynamic zones that do not set inline-signing explicitly, add a
warning that the default value for inline-signing has changed. Dynamic
zones that want to be able to reuse the zone (and not trigger a full
resign) should explicitly configure "inline-signing no;".
2024-10-23 10:34:49 +00:00
Michal Nowak
82712ad7fc Rewrite verify system test to pytest
(cherry picked from commit 091968f5fa)
2024-10-21 14:11:46 +02:00
Mark Andrews
a05508b0c4 Correctly get final token
(cherry picked from commit df5b4ba894)
2024-10-18 02:10:39 +00:00
Mark Andrews
b22134fd74 Restore seperator values
strtok_r is destructive.  Restore the seperators so that the command
line can be properly displayed.

(cherry picked from commit 609d96aa12)
2024-10-18 02:10:38 +00:00
Nicki Křížek
9ca6fcc4d5 Disable too-many/too-few pylint checks
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.

(cherry picked from commit 7639c58c48)
2024-10-17 13:42:08 +02:00
Michal Nowak
03cf294d06 Remove unused sbytes, stime, n, response, and rtime variables
(cherry picked from commit 4857da271d)
2024-10-15 18:50:06 +00:00
Michal Nowak
eb8a56c90c Rewrite tools system test to pytest
(cherry picked from commit 3f8e59330d)
2024-10-15 17:28:42 +00:00
Nicki Křížek
ef508f5052 Support dnspython 2.7.0
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.

(cherry picked from commit 0d90b13646)
2024-10-15 10:30:02 +00:00
Mark Andrews
74b6aa8dd2 Test that the correct NSEC3 closest encloser is returned
(cherry picked from commit b457f64d4a)
2024-10-15 11:00:03 +11:00
Matthijs Mekking
39e4576341 Test removing DNSKEYs from other providers
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously exists in the keyring, thus
blocking the keymgr. Add a test case to make sure.

(cherry picked from commit 5f552293d7)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
5be6acb63d Add additional test case with purged key
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.

In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.

(cherry picked from commit a2317425bc)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
65cd5d5c32 Fix some system test cases
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.

These are:

1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
   in the zone, but not yet its own keys. Pregenerate signing keys and
   add them to the unsigned zone as well.

2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
   and added in the raw version of the zone. But the key file is stored
   outside the key-directory for the given zone. Add '-K keys' to the
   dnssec-keygen command.

(cherry picked from commit d1e263ef13)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
4091177181 Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 13:54:09 +00:00
Matthijs Mekking
29be6a82f3 Add test for missing key files, don't roll
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.

(cherry picked from commit a3afbd9d6f)
2024-10-14 13:54:09 +00:00
Artem Boldariev
cecd3a75ec dig: always set the default port when doing a UDP query
This commit ensures that the port is set before attempting a UDP
query. Before that a situation could appear when previous query have
completed over a different transport (that uses a dedicated port) and
then a UDP query will be attempted over the port of the previous
transport.

(cherry picked from commit e390ed4421)
2024-10-10 22:31:52 +03:00
Matthijs Mekking
60bd3bc051 Revert "fix: chg: Improve performance when looking for the closest encloser"
The 9.18 code does not have the rbtdb refactoring. Rather than
backporting from MR !9611, this reverts directly from commit
5d81a258e3.
2024-10-10 14:26:13 +02:00
Michal Nowak
aa7087ca9b Replace dns.query module with isctest.query
(cherry picked from commit dfec69b4a2)
2024-10-01 16:33:42 +02:00
Michal Nowak
a5cc3bfbe3 Add isctest.check.notimp()
(cherry picked from commit a2d2d9c0d3)
2024-10-01 12:06:47 +00:00
Michal Nowak
077b2b56d9 Report expected and last returned rcode on query timeout
Sometimes it's useful to see what was the server returning that did not
match the expected rcode.

(cherry picked from commit 4cb52f072e)
2024-10-01 12:06:47 +00:00
Mark Andrews
1a68cc6cfa Add examples of WALLET records
(cherry picked from commit 9b358e6e8b)
2024-09-25 12:07:57 +00:00
Mark Andrews
314ff56081 Add the new record type WALLET (262)
This provides a mapping from a domain name to a cryptographic
currency wallet and is a clone of TXT.

(cherry picked from commit b919b9b4f3)
2024-09-25 12:07:57 +00:00
Mark Andrews
a0522653ca Check read value in upforwd/ans4
The ans4 server wasn't shutting down cleanly sometimes.  Check that
read returns the expected value for the message length or exit read
loop.

(cherry picked from commit 21baad0a8f)
2024-09-24 09:22:22 +00:00
Michal Nowak
20cab85f41 Print correct udp/tcp function name in generic_query()
(cherry picked from commit 1c637e96d1)
2024-09-23 15:40:44 +00:00
Michal Nowak
86c7bb4a0c Downgrade "timeout" and "attempts" arguments in shutdown
The shutdown system test sends queries when named is shutting down, not
in an attempt to get answers but to destabilize the server into a crash.
With isctest.query.udp() defaulting to try up to ten times with a
ten-second timeout to get a response we don't care about from a likely
terminated server, we make the test run much longer than needed because
of retries and long timeouts.

(cherry picked from commit 463ab2f3f5)
2024-09-23 15:40:44 +00:00
Aram Sargsyan
904940167c Update the resolver system test
The 'bin/tests/system/resolver.c' tool used in the resolver system
test uses the 'dns_client_setservers()' function, which sets up a
resolution in 'forward only' mode. Since a bug was just fixed in
'fctx_getaddresses()', two expected failures in the resolver system
test now fail with a different failure message, because
'fctx_getaddresses()' returns 'ISC_R_FAILURE' instead of
'res->quotaresp[dns_quotatype_server]', which is 'DNS_R_SERVFAIL'
by default. Change the expected failure message.
2024-09-18 01:25:01 +00:00
Aram Sargsyan
8f617d7971 Add a statistics channel check in the forward system test
Check that the fix in the previous commit works and that the
'ServerQuota' counter in the statistics channel is still unset
after a SERVFAIL result in a 'forward only' zone.

(cherry picked from commit 81b3c5d908)
2024-09-18 01:25:01 +00:00
Mark Andrews
4d23018660 Remove 'statslock' from dnssec-signzone
Silence Coverity CID 468757 and 468767 (DATA RACE read not locked)
by converting dnssec-signzone to use atomics for statistics counters
rather than using a lock.  This should be marginally faster than
using the lock as well when statistics are requested.

(cherry picked from commit 473cbd4e87)
2024-09-16 13:25:07 +10:00
Michal Nowak
6addaef7fc Extract dns.rcode compatibility code to isctest.compat
(cherry picked from commit 8b55d0709d)
2024-09-12 19:48:31 +02:00
Michal Nowak
aa302dfe24 Turn off deadline for wildcard tests
Tests that query BIND need much longer deadline to account for retries,
the default 200ms won't work.

(cherry picked from commit d2e0043ec3)
2024-09-12 19:48:31 +02:00
Michal Nowak
4e3cc58eba Extract "custom" named instances support to isctest.run module
(cherry picked from commit 2cec1de43b)
2024-09-12 19:48:31 +02:00
Michal Nowak
1220435e27 Rework query functions to retry by default
(cherry picked from commit 5929ba0f54)
2024-09-12 18:35:59 +02:00
Michal Nowak
f082e6800b Replace dns.resolver module in system tests
(cherry picked from commit bfe338b965)
2024-09-12 18:35:59 +02:00
Mark Andrews
047fa205d7 Only configure statistics-channels if supported
(cherry picked from commit d0c8c6d7ef)
2024-09-12 13:39:36 +10:00
Mark Andrews
e5ff972167 Don't create the HTTP server if libxml and libjson-c are unavailable
(cherry picked from commit 31650d9440)
2024-09-12 03:27:43 +00:00
Mark Andrews
350a15e702 Don't return the style sheet unless libxml2 is supported
If not statistics are available we don't want the style sheet
returned.

(cherry picked from commit ed81b3ae93)
2024-09-12 03:27:43 +00:00
Mark Andrews
3333f9c94d Properly detect when libxml2 or json-c is not available
(cherry picked from commit 7de939609b)
2024-09-12 09:18:38 +10:00
Nicki Křížek
b42420ab09 Skip some tests on problematic OpenSSL version
The keyfromlabel and enginepkcs11 system tests are affected by a bug in
OpenSSL 3.0.13, currently shipped by debian bookworm.
2024-09-10 15:50:21 +02:00
JINMEI Tatuya
a93b6f2040 allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS
This change allows fallback from an IXFR failure to AXFR when the
reason is DNS_R_TOOMANYRECORDS. This is because this error condition
could be temporary only in an intermediate version of IXFR
transactions and it's possible that the latest version of the zone
doesn't have that condition. In such a case, the secondary would never
be able to update the zone (even if it could) without this fallback.

This fallback behavior is particularly useful with the recently
introduced max-records-per-type and max-types-per-name options:
the primary may not have these limitations and may temporarily
introduce "too many" records, breaking IXFR. If the primary side
subsequently deletes these records, this fallback will help recover
the zone transfer failure automatically; without it, the secondary
side would first need to increase the limit, which requires more
operational overhead and has its own adverse effect.

This change also fixes a minor glitch that DNS_R_TOOMANYRECORDS wasn't
logged in xfrin_fail.

(cherry picked from commit 7289090683)
2024-09-10 14:54:57 +02:00
Ondřej Surý
441de680c7 Be more patient when stopping servers in the system tests
When the TCP test is run on the busy server, the server might take a
while to wind the server down because it might still be processing all
that 300k invalid XFR requests.

Increate the rncd wait time to 120 seconds, the SIGTERM time to 300
seconds, and reduce the time to wait for ans servers from 1200 second
to just 120 seconds.

(cherry picked from commit d971472321)
2024-09-10 12:31:21 +02:00
Ondřej Surý
c8f1fa0e47 Follow the number of CPU set by taskset/cpuset
Administrators may wish to constrain the set of cores that BIND 9 runs
on via the 'taskset', 'cpuset' or 'numactl' programs (or equivalent on
other O/S), for example to achieve higher (or more stable) performance
by more closely associating threads with individual NIC rx queues. If
the admin has used taskset, it follows that BIND ought to
automatically use the given number of CPUs rather than the system wide
count.

Co-Authored-By: Ray Bellis <ray@isc.org>
(cherry picked from commit 5a2df8caf5)
2024-09-03 14:54:40 +02:00
Mark Andrews
5d81a258e3 Return partial match when requested
Return partial match from dns_db_find/dns_db_find when requested
to short circuit the closest encloser discover process.  Most of the
time this will be the actual closest encloser but may not be when
there yet to be committed / cleaned up versions of the zone with
names below the actual closest encloser.

(cherry picked from commit d42ea08f16)
2024-08-29 21:05:54 +00:00
Michal Nowak
5a802a22b5 Bump max-recursion-queries to 100 in resolver system test
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.

(cherry picked from commit 8e0244d300)
2024-08-29 14:41:52 +00:00
Nicki Křížek
c75d9734e7 Revert "Mark the keyfromlabel&enginepkcs11 tests as xfail"
This reverts commit ff983ed647.
2024-08-26 10:09:41 +02:00
Matthijs Mekking
9e1bed5bdb Adjust kasp system test to get keys which signed
If there is a keytag conflict between keys with different algorithms,
we need to supply what key algorithm is used so we can get the right
public key.

For clarity, print the algorithm on the found keys after 'check_keys'.

(cherry picked from commit 7bb6d82505)
2024-08-22 10:15:01 +00:00